Wireshark and Recognizing Exploits; HakTip 138 Video Lecture | Start Using Wireshark: Do Hacking like a Pro - Back-End Programming

this episode of hack tip is brought to
you by citrix gotoassist the number one
global market leader in remote support
welcome to hack tip the show will we
break down concepts tools and techniques
for hackers gurus and IT ninjas I'm
Shannon Morse and today we are checking
out Wireshark with an exploitation
attack now working on the shoulders of
last week's episode this week we'll
discuss what exploits look like in
Wireshark now there are plenty to cover
and I'm just going to do two so just
stick with me and then you can find
other examples on the internets so the
example that i'm going to be sharing is
from the practical packet analysis book
by chris sanders about Wireshark so this
packet is going to show you what happens
when a user visits a really malicious
site that's using a bad version of
Internet Explorer now this malicious
problem was called Aurora it was back
from my belief 2010 now what it's doing
is called spearfishing first we have
HTTP traffic on port 80 so that looks
pretty normal if we go all the way up to
the top so first off if we go all the
way to the top of this streamed packet
number one we see a whole bunch of
traffic going over HTTP port 80 looks
totally normal right now we notice that
there is a 302 moved response right down
here so that's packet number six that's
kind of weird doesn't really happen
everyday it might be something that we
need to look at so that could be a
malicious site and the location is all
sorts of weird if we scroll down a
little bit now if we look at this will
notice that the location right here
that's where you're going to see
something strange so if that looks odd
that might be a red flag now there is a
whole bunch of data that gets
transferred from the new site to the
user after this if I click on follow TCP
stream and I can just do that by
clicking here
I notice that there's going to be a
whole bunch of information up at the top
it looks decently normal and then we
scroll down and we see this thing in a
script command so it's a bunch of
gibberish
that looks pretty odd it doesn't make a
lot of sense and then if we scroll down
all the way to the bottom we see that
there's an iframe attack going on here
so what in the world is this iframe
thing that's going to be a red flag as
well in this case it's the exploit being
sent to the user now I'm going to close
this and I'm going to scroll down a
little bit after I erase that two packet
number 21 and we notice that we're
receiving another get request so this
time if I scroll all the way to the side
it's for a Jif or a gift depending on
who you are so it's a get request for
some kind of image now lastly if we
follow packet 25 which looks like so I'm
going to follow the TCP stream for this
then we really get a red flag so when we
open up this we see that there's a
Windows command shell and the attacker
is getting admin privileges to our users
files like there's a password txt in
here which is pretty kind of scary
okay that's freaky but now a network
admin could use this intrusion detection
system to set up a new alarm whenever an
attack of this nature is actually seen
on their network so it's really really
useful to find out what this stuff looks
like in Wireshark so you can actually
set up some kind of you know cutoff
points so they won't be able to get into
your network now I'm going to be right
back with some more exploits and fun
with Wireshark with go to assist remote
support you can provide live and
unattended support to any computer or
mobile device you can screen share with
employees to diagnose and fix their
support problems faster and more
effectively and you can use go to assist
apps to deliver support anytime anywhere
from your Android your iPhone or your
iPad device now with the new seeit
feature people can stream their
smartphones camera to go to assist so
you can even see whether something's
wrong with the hardware sign up today
for a 30-day free trial no contract no
credit card needed visit GoToAssist comp
and click on
try it free button right now and if you
purchase a go to assist annual plan
before March 31st you'll get a free
Samsung Galaxy Tab 4 as well that's go
to assist com and we would like to thank
them for their support of pack tip we're
back with more exploits in Wireshark now
if someone is trying to do a
man-in-the-middle attack on a user it
might look something like this
so it looks pretty normal right but as
we scroll down in here we notice that
there's also something else interesting
happening here we notice that there is
these three different cases where this
Hewlett Packard this HP device just kind
of shows up out of nowhere that's kind
of weird
so normally when this happens it's going
to be an ARP cache poisoning attack it's
art packets being sent back and forth
but in packet 56 the attacker sends
another art packet with a different MAC
address from the router thereby sending
the users data to the attacker and then
the router so hence man-in-the-middle
attack if we compare number 57 packet
number 57 with the destination IP of
being dot 147 the MAC ID a shows up as
hewlett-packard so this HP computer but
if we look at an earlier one that's
supposed to be sent to the router like
number 40 it's also being sent to IP 147
but the MAC address is for the Cisco
router huh obviously an ARP cache
poisoning attack now I want to know if
you guys have ever seen any kind of
attacks on your system and how you
really were able to notice that it was
there and Wireshark let me know what you
think and of course your comments below
or email us tips at hack 5 org and be
sure to check out our sister show hack 5
for more great stuff just like this I'll
be there reminding you to trust your
techno list