Any internet traffic works through sending and receiving packets. So Snooping can be done to troubleshoot a network or acquire user information like usage type, passwords, emails, chats and basically anything being sent or received through packets on a network.
Snooping is done through many packet capturers and analyzers. Widely used amongst these are tcpdump and wireshark. A video embedded below will give us more idea about when and why they came into existence and what made them so important.
(video source : RiverbedTechnology Channel - Youtube)
Getting Started
(Installing tcpdump and wireshark)
(Installing tcpdump and wireshark)
tcpdump>>
$ sudo apt-get install tcpdumpor go to : http://www.tcpdump.org/
wireshark>>
$ sudo apt-get install wiresharkor go to http://www.wireshark.org/
Now there are two steps to do snooping
- Capturing
"promiscuous mode or promisc mode is a mode for a network interface controller (NIC) that causes the NIC to pass all traffic it receives to the central processing unit (CPU) rather than just passing frames the NIC is intended to receive." - WikipediaTo activate promiscuous mode, we start a packet analyzer with root user access.
- Analyzing
By counting the number of different types of packets i.e TCP, HTTP, ICMP, ARP etc one can have an idea about the kind of data transfer across the network.
The information sent through the packages are often encrypted so exact user information like the site being visited or emails,chats and passwords are difficult. Though extracting HTML passwords is simpler and one can extract them easily as shown below using wireshark :)
CAPTURING
(using TCPDUMP and WIRESHARK)
(using TCPDUMP and WIRESHARK)
- TCPDUMP
Starting capturing through tcpdump:
$ sudo tcpdump
note : tcpdump does not give us an option to later save or export the dumped packets. We need to give the tcpdump command followed by '-w ' to write the captured packets in a file for later analysis.
Both wireshark and tcpdump allow filtered capturing of packets according to need. Wireshark provides listed options to filter capturing. Tcpdump has varied syntax options since it is shell based packet analyzer.
exploring options in tcpdump:
capturing packets in very verbose(-vv) mode for capturing more information and saving it to file 'capturefile.txt':
- WIRESHARK
Starting wireshark:
$ sudo wireshark
To start capture in wireshark:
Click on capture option on the toolbar and then click on start to capture packets. Following window will appear on the screen.
Capture filter:
They are used to select the data to record in the capture logs. They are defined before capturing the packets. this type of filter limits the size of captured data to avoid generating a log too big in size.
The steps to configure a capture filter are the following:
select Capture> Option > fill the captured field > click on ‘start’
Syntax : <protocol><direction><host><value><logical
operation><other exp>
(picture source : http://openmaniak.com/wireshark_filters.php)
After capture is complete:
go to FILE(menu) and click at SAVE(button) to save the capture
We performed a 30 minutes network trace to dump packets in files provided below for download. :)
30 minutes dump by TCPDUMP:
http://www.megaupload.com/?d=9QHFF6BC
30 minutes dump by Wireshark:
http://www.megaupload.com/?d=DE2RNCB
Analysis
(using TCPDUMP and WIRESHARK)
(using TCPDUMP and WIRESHARK)
- TCPDUMP
We can have a look at the raw data of captured packets by:
$ sudo tcpdump -r <filename>
(click on the image to view enlarged)
But that is a lot of information and analyzing it just by looking at it is not easy.
So one can use functions like 'wc' and 'grep/sed/awk':
note : The packets captured through TCPDUMP can also be analyzed using Wireshark as it is easier using an analyzer with GUI. Just open the dump file from TCPDUMP through Wireshark by going to FILE(menu) and clicking OPEN.
- WIRESHARK
The screen is divided into three windows :
i) Packet-content windows
It displays one line summary of captured packets . each packet is highlighted by a particular colour acc.to a colour code
ii) Packet-header window
It dis plays information about the selected packetin the above window iin tree format from physical layer , datalink layer , Ethernet etc.
iii) Packet-content
It displays the detailed description of the content of the packet in ASCII or hexadecimal form. It generally contains the source and destination IP and MAC address of the captured packets
Display filter:
To select packets based on protocol type, write the desired protocol in the Filter: field in the filter tool box and press enter. The following shows an eg. of packet containg tcp protocol.
We can filter on any protocol that wireshark understand . eg.to narrow down the packet list down to only those packet list that has been sent to or received from IP address 192.168.0.1 , use , ip.addr==192.168.0.1
Syntax: <protocol<string1><string2><comparison operator><value><logical operations><other exp>
(picture source : http://openmaniak.com/wireshark_filters.php)
HTML PASSWORD
(extraction using Wireshark)
(extraction using Wireshark)
NOTE: Method shown below are done on self. Doing any such task on somebody else' network is illegal and punishable. Use carefully.
First we start capturing by wireshark (click on images to enlarge)
Open a website (here : Warez-bb) and write username password in their respective feilds.
Now, go to wireshark and stop cature. Type http in filter field to apply the filter, which enables us to view only http protocol packets. Then search for a packet with info : POST /login.
Double click on the packet. Go to 'line based text data' and now we can see the username password entered :)
I tried the same for :
www.gmail.com
www.facebook.com
www.imdb.com
but was not able to apply the same as the packets sent for these sites are encoded and cannot be viewed easily. The above way works for only simple html sites.
Blog Post by:
Archit Agarwal (2011030)
Prerna Jaiswal (2011081)
No comments:
Post a Comment