Pass ECCouncil CEH 312-50v11 Exam in First Attempt Guaranteed!

All ECCouncil CEH 312-50v11 certification exam dumps, study guide, training courses are Prepared by industry experts. PrepAway's ETE files povide the 312-50v11 Certified Ethical Hacker v11 Exam practice test questions and answers & exam dumps, study guide and training courses help you study and pass hassle-free!

Network Hacking - Post-Connection Attacks - MITM Attacks

12. Wireshark - Basic Overview & How To Use It With MITM Attacks

In this lecture, we're going to talk about a tool called Wireshark. Wireshark is a network protocol analyzer. It's not designed for hackers, and it's not designed for hacking and spying on other people on the network. It's designed for network administrators so that they can see what's happening in their network and make sure that everything is working properly and that nobody's doing anything bad or doing anything suspicious on the network. The way that Wireshark works is that it allows you to select an interface and then logs all the packets or all the traffic that flows through that interface. So you're selecting an interface; it could be a wireless card or a wired card on your current computer, and then it'll start logging all the information that flows through that interface.

It also has a really nice graphical interface that allows you to analyse this traffic. So it allows you to filter these packets based on the protocol using them, like HTTP, TCP, and all that. It also allows you to look for certain things, for example, if you're looking for cookies or if you're looking for posts or getting requests. And it also allows you to search through these packets. You can search through the information that's stored in the packets and find the things that you're looking for. It's a really, really big tool, and you need a whole course for it. So in this course, we're actually going to use it in a few lectures, just covering the basics or the things that are related to us. So the main idea here is that WireShark is not a hacking tool. It only allows you to capture the traffic that flows through your own computer through your own interface. I'm going to use it now, and it's going to become more clear to you. So I'm just going to go to Kelly, and we're going to start Wireshark. You can run Wireshark from the command prompt, or you can just go to all applications and type "wireshark," and it'll show up right here. I'm going to click that, and that's going to load the programme for me. This is just a normal error. Just ignore this error. And this is the main interface of Wireshark.

So first of all, you can actually just go to the file and go to "open." And in here, it'll allow you to open a file that you've already captured. So for example, if you captured packets using a different sniffer, such as Aerodom, Man in the Middle F, or T Shark, which is the command prompt part of Wireshark, So if you captured packets using any of these programmes and stored them in a file, you can just come in here, open it, and start analysing that file. This is really handy because sometimes you don't really want to analyse the traffic on the fly, so sometimes you just want to capture it. If you're sometimes capturing from a small laptop or from your phone, and you're not even at home, You're somewhere else, doing your PPT test. And then you go back home. And then you want to analyse what you captured. Then you can store that in a file, and then just come here, go to the open file, and open the file that you want to analyze. So what I want to show you here is the idea that Wireshark is not a hacking tool. It's not going to capture things happening on another device. It'll only capture things that flow through your own interface.

So right here, we can see that we have all the interfaces in my computer. So we can see that we have ETH 0. We have Any, which is just any, and we have all the others, some of which are created by VirtualBox. So the main one here is ETH Zero, which is the virtual interface connected to my Nat network. And you can see that there is no traffic flowing through this. So you can see that this is constant and nothing is happening. So what I'm going to do now is just make this a little bit smaller, open my browser, and go to a normal website. I'm just going to go to Google.com. Now, as you can see right here, the traffic in ETH Zero is spiking up. So there was some traffic generated through ETH Zero. So for sniffing on this, we'll be able to capture these packets that were sent over ETH Zero. Now what I'm going to do is go to my Windows machine just to prove that point.

And I'm going to browse the website here, and you'll see that ETH Zero will not be affected. And the traffic that's generated on this Windows machine, which is on the same network as the Kali machine, will not be captured by the Kali machine. So if I just go to Google again here, you'll see that nothing happened in ETH Zero. So there is no traffic flowing through here. It's still constant, and we can only capture packets that go through ethical So now you'll probably ask, "Why is Wireshark so useful?" Why are we even talking about it? If we can only see things that go through our own computer, why are we talking about them? Well, we're talking about it because we've seen that there are a large number of ways that you can become the man in the middle. We learned how to do this using ARP spoofing, and in future lectures, I'm going to show you how to do it by creating a fake access point. So when we are the man in the middle, if we start sniffing on the interface that's used to become the man in the middle, we'll be able to capture all the traffic generated by the people that were targeting our man in the toilet attack.

So if you start with a fake access point, you can start sniffing on the interface that's broadcasting the signal, and you can capture all the packets sent or received by anyone who is connected to that fake access point. If you became "the man in the middle" using ARP spoofing, then just select the interface that you used when you launched your ARP spoofing attack. So for now, I'm going to become the man in the middle using ARP spoofing. You can use ARP Spoof or Bettercap, as I showed you earlier, but I'm going to use Bettercap using the exact same command that we used to do. So we're literally just doing Bettercap, followed by the interface that is connected to my target network, which is ethical. And I'm launching my spoof capt so that it configures the ARP spoof module and runs it for me to put me in the middle of the connection. So I'm going to hit enter, and as you can see, it's working as expected. So right now, I should be in the middle of the connection, intercepting anything the target Windows machine sends or receives.

Now let's go to the Windows machine and see if I do anything here that's going to affect the traffic in ETH Zero. So we'll see if Wireshark will be able to capture traffic generated by this computer. So let's write anything here. Or I'm just going to go to a different website. I'm just going to go to Bing. And if we come back here, you'll see that we have traffic being generated here, and we can see that ETH Zero is actually capturing whatever that's happening on a completely different device. This is happening because when we are in the middle, all the packets that are generated by the Windows device have actually been redirected to my own computer right here, to the Kali. And then Wireshark is sniffing that from the Kali machine. It's sniffing it from my own local machine. It's not sniffing it from the network; it's not sniffing it from the target computer. So again, if you're doing this with the fake access point and just listening on the interface that you're broadcasting, if you're doing this with a real wireless network, if you're connected to your home wireless network using Land Zero, then you can just do this with Land Zero.

But with ARP spoofing, you have to first redirect the traffic. Then you can use Wireshark. Now, this is just to show you what Wireshark is and how it works. And I just wanted to stress the idea that Wireshark is not a hacking tool. It's only a programme that allows you to log packets flowing through a certain interface and then analyse these packets. So in the next video, we'll see how we can sniff and analyse packets using wireless scanning.

13. Wireshark - Sniffing & Analysing Data

In the previous video, we saw how we could launch Wireshark and said that we could actually just open a file that contained packets that we had already captured and start analysing them using Wireshark. In this video, I want to start sniffing packets and then generate some traffic on my Windows machine, and then we'll see how we can analyse these packets using Wireshark.

So I'm already the man in the middle. As I said, you first have to be the man in the middle to use Wireshark, and then the traffic that's generated on the Windows machine is actually flowing through ETH 0, as we've seen in the previous video. So before I start capturing the packets, I want to go to the options, and I just want to show you what options we can set. So first, you can see all the interfaces that you have and the traffic generated on them. And you can see Ethzero is actually generating some traffic every now and then because it's actually coming from the Windows machine. So here you can select the interfaces that you want to start capturing on, and you can actually select more than one interface. And all you have to do is just hold the CTRL key and then click other interfaces that you want to listen on. For example, you can just click them like this. But for now, I actually only want to sniff Ethical. Now if we go to the output, you'll see that you have the option to store these packets somewhere.

So again, if you only want to sniff and don't want to analyse things, you can just go on the browse, store the packets that you're going to sniff somewhere, and then analyse them whenever you have the time. At a different time, you can just open them with Wireshark like I showed you in the previous video. You can just go to "File," "Open," and then open the packets and start analysing them. Now I have ETA zero selected, and I'm just going to click on "Start," which will start capturing packets. Anything that's going to flow through Ethical will be captured, and it will be displayed here. Anything—I mean, images, pictures, messages, cookies—that the computer does on the Internet will flow through ETH 0 and therefore will be captured by Wire Shark. So it's not like man in the middle life, where it was only showing us the important information. Right here, will you see anything? all the traffic that's generated. Now I want to go generate some traffic on the target computer so we can analyse it here. But before I do that, I'm going to go back to Bettercap, and I want to start my HSTs. I can downgrade Https to Http, because if everything goes over Http, we won't be able to see or read anything because, like I said, everything will be encrypted. So I'm going to hit enter.

This will work as expected. We'll go back to Wireshark, and let's go to the target computer. I'm going to go to Google, e.g., and let's search for something. So, for example, let's search for "Z" security. And keep in mind that everything is loading over HTTP in here. So that's why we'll be able to read and analyse everything that we're loading right here. Now let's go back to Wireshark and see how we can filter this information and discover the websites, visit the target, see the requests, and all that. So I'm going to click on the stop button to stop this. Now, this is the main interface of Wireshark. And you can see that the first thing we have is each individual record. This is a packet. Now, you'll see the columns. First of all, here is the number of the packet. So you have this one as number one, number two, number three, and number four. And the time you'll see the time when this packet was captured. So zero is when we first started sniffing, and then the time increases as we go down. And it shows when these packets were captured, when they were sent, basically. You can also see the source. So this is the device that the packet was sent from. And you can see that this one was not sent by our target. It's actually coming from the Internet from a server that has this IP.

And it's going to our target computer, which is 1020-14 to six. You can see the protocol. So it's TCP for this one. You can see that it's ICMP in this one. And you can see that it's ARP for this. You can see the length, which is the size. And you can also see information about this packet. Now you can also notice that these packets have different colors. Usually, green is for TCP packets, and dark blue is for DNS packets. And if we go down, we should actually be able to find some of them. And you can see that all of these are DNS packets. Light blue usually is UDP, but we don't have any UDP packets at the moment. And you can also see that we have some black packets, and these are TCP packets that had a problem, that had issues. Now, I know what you're thinking. There are so many packets in here, and a lot of them might not be useful to you, depending on what you're trying to get. But don't worry about this. In the next lecture, I'm going to show you how to filter these packets to only display the relevant ones and then analyse them to extract the useful information.

14. Wireshark - Using Filters, Tracing & Dissecting Packets

In this lecture, I want to spend more time with Wireshark showing you how to filter all of these packets to only display the useful ones, how to trace them, what they mean, and how to display more information about each one of these packets. Now, what we did on the target computer so far is that most of the traffic that we generated was HTTP traffic.

So to get rid of all this information that's hard for us to read, We're just going to type in HTTP here in the filters and hit Enter. And as you can see now, that filtered all the packets to HTTP traffic only. So this is the traffic that was basically sent by the browser and is usually sent by web browsers. They always send traffic over HTTP or HTTPS. And since we're downgrading Https to Http, you want to use the Http filter to see everything that a target person is doing on the browser. Regardless of what they're doing, whether they're browsing websites, watching a video, looking at images, or whatever, it will be loaded over HTTP. So looking at the first record right here, we can see that this request is sent from this IP, which is the IP of my target, to an IP on the Internet. So we can see that this is not a private IP; this is an IP on the Internet. So it's sent to a server. And if we double-click this record, we'll get much more information about the packet itself. So we have information about the frame, which includes the size of the packet. It includes the interface that it was sent on, the time, and all that.

On the Internet, we have information about the source Mac address and the destination Mac address. So where did this packet go from and where did it go to? Remember when I first spoke about packets and how they always travelled from a source Mac to a destination Mac? So this information is all stored here. in the Internet Protocol. We have information about the IPS. So on the Internet, we have information about the Mac addresses. In the Internet Protocol, we have information about the source IP and the destination IP for this particular packet. In the Transmission Protocol, we have information about the port. So we can see that this went from this source port to port 80. This is usually the default port used on web servers. So in most cases, whenever data is sent to a website, it'll always be sent to port 80. But the most important part here is the Hypertext Transfer Protocol, which is basically the data sent over HTTP. Clicking on this will give us information on whatever has been sent over HTTP. And like I said, this would contain everything that was sent to and from a browser.

So right here we can see that this particular packet sent a Get request to a website called Google Inc. Now this is literally what we did when we typed Google, i.e., we didn't search for anything and we didn't really do anything. You can also expand this to see more information about the actual request. And you can even see the HTTP header sent if you want to get more information about this particular request. Now, this whole method of getting information applies to all types of packets. So you can double-click any packet you have and you'll be able to read the data sent within this packet. Now you can also see an arrow, which basically means that this was a request. And the arrow back here marks that this was a response to this request right here. Now, moving down, you can also see requests for images, which you can also do by clicking on any of these packets. For example, going back to this "Get" request, right-click it and go to "Follow HTTP Stream." And this will basically follow the stream that this request has caused all the way down to the response. So if I click it, you'll see the response for this particular request was this right here. You can see that this is a PNG. And literally, the binary content of this PNG image is right here.

So as you can see, we're literally getting the raw data in here. Now I'm going to close this and go back to what we had, which was HTTP. Now, if we keep going down, you will literally see everything that has been sent and received by the target. So for example, again, in here we can see this was a JavaScript file that was loaded by Google. Then in here we can see another "Get" request. And this "Get" request was when we searched for Zsecurity. So you can even see the search term right here. So let me double-click this to show you in more detail. Again, this automatically went to the hypertext protocol part. Like I said, this is the HTTP part, whatever gets sent to the browser. And you can see that this was sent to Google.com first of all, along with the Uri. So whatever went after Google.com was search. And what we were searching for was that security, which is exactly what we typed in here. Again, here you can see the full URL with the search term. This is literally what the user gets in their URL bar here. So as you can see, Wireshark literally shows everything that flows through the interface. In this lecture, I wanted to give you a quick overview of how we can filter data. And don't worry too much about this; we'll actually be using it more in the next lectures, and we'll see how we can easily use it to filter data and discover useful information.

15. Wireshark - Capturing Passwords & Anything Sent By Any Device In The Network

Now, in this lecture, I want to show you how to use Wireshark to discover data sent through forms whenever someone fills up a form. And obviously, this will allow us to get usernames and passwords if people log in to their accounts. So I'm already running better caps. I'm already doing demand in the middle and in Wireshark here. I'm just going to start a new capture. So I'm going to continue without saving this one. The filter is already set to HTTP, so it's only going to show me HTTP packets in here, and I'm going to go to a target website in here. So let's go to vulnerability.com. Now, keep in mind that, like I said, you have to be logged into a HTTP page. But that's fine because we already learned how to bypass HTTPs and even partially bypass HTTPS.

So I'm going to be logging into a website that just uses HTTP here because it's just simpler. And we've already learned how to bypass HTTPs and HSTs. So there's no point in repeating that. We're logging in with the username that is set to admin. I'm going to set the password to 1, 2, 3, or ABC. I'm going to click on Login, and this should have been captured by Wireshark. Now let's go ahead and actually try this with a website that uses HTTP. So let's go to Stackoverflow.com. Again. As you can see, as long as the website gets downgraded to normal HTTP, then we'll be able to capture the data sent to and from this website. So we're just going to log in, put the username, which is [email protected], and then we'll get to put the password.

So we'll just do 123, 12, 3, and ABC, and let's go back to Wireshark and see how we can discover the username and the password. So first of all, I'm going to stop the capture, and what we want to look for are post requests. So you see in here that this request right here was "post," for example. And here it was: Get. Now, forms are usually sent via postal mail, especially login forms. So if you're looking for login information, you want to look for posts in here. So going down, we can see we have a post request in here. Now I'm going to click here to actually show the information, so it's easier for us to see. So we can see this post was sent to Google. We're not interested in that. We're looking for stuff that was sent to Von Web. So I'm going to keep going. We can see we have a post request here to a login page. So this is definitely interesting. Now, if we look down, let me just make this smaller. So if we look down here and look at the HTML format, you can see that we have a username here submitted to testhtml five vonweb.com. The username is admin, and the password is 1, 2, 3, or ABC. Now, if we scroll down again looking for post requests, You can see we have a postrequest for a page called Users Login.

So again, very interesting. If we click on this, you'll see if we scroll down, we have the email [email protected] and the password 12312 three ABC. Again, this just goes to show you that with Wireshark, you'll be able to capture everything. Now this can actually be very, very useful because I learned that BetterCap is great at sniffing passwords and pretty much gets you the passwords all the time. But in the odd cases, sometimes it failed to filter the username and password for me. So with Wireshark, you'll actually be able to see everything that passes through your interface. So what you could actually do is just go to the tablet that we always use, the spoof caplet. This one right here, open it with the text editor. And as you know, in this case, Applet, we turn on our sniffer in here. So we set the sniff local to true, and then we turn it on. But before turning it on, you can actually set the net sniff dot output to a location for a file that will contain everything that Bettercap captures. So you won't actually have to start Wireshark while BetterCap is working.

You can just enter here and specify a place. So for example, let's say root capturefile cap. And then when you run your spoof capt, it will turn on the prop, turn on the recon, and run your spoofing attack, putting you in the middle of the connection. It will run the sniffer as well, and it will store everything that Better captures in a capture file. Then all you'll have to do is come here, go to File > Open, and open the file that you captured and analyse it as I'm doing right now. So this can be very, very useful also if you don't have a lot of resources on your computer, or if you have a small laptop or even a phone and you capture data with it. You can store everything in a capture file and then just open it here in Wireshark and analyse it. Now, finally, before I finish this lecture, because all we're talking about right now is filtering data. A really, really useful feature when filtering data is the Control F feature defined.So you can just press Control F on your keyboard. This will open this bar right here, the search bar, which you can use to find anything within the captured packets. So first of all, I'm going to set the search to search within the packet details. I'm going to keep this too narrow and too wide in here. I'm going to set this to bold so that it looks like normal text. And for example, let's say I'm looking for logins that a person named Zade has attempted.

All I have to do is just type Zade, and if I hit enter, as you can see, it's taking us back to the login attempt when I logged in to Stack Overflow. Or let's say you're looking for login attempts by a person named Admin or by a user named Admin. Again, if I hit Enter, it's going to take me to the first time an occurrence of the word "admin" happened, which is in here. It doesn't really contain any useful information, but I can just click on "Find" to find the next packet that contained the word "administrator." Again, this packet doesn't really contain anything useful. We can go next. We'll actually have to go to the end of the file and go up because that was the first thing that we logged in. So I'm just going to keep clicking on "Next." And right here we have the post request for the admin, and if we go down again, as you can see, we have the username "Admin" and the password "one, two, three, ABC." So this feature can be very, very useful to help you find what you're looking for, whether you're looking for a specific login name, a specific tag, a specific file, and so on.

ECCouncil CEH 312-50v11 practice test questions and answers, training course, study guide are uploaded in ETE Files format by real users. Study and Pass 312-50v11 Certified Ethical Hacker v11 Exam certification exam dumps & practice test questions and answers are to help students.