Never Ending Security

It starts all here

Traffic Analysis and Capture Passwords


It is known that Wireshark is a powerful tool that goes far beyond a simple sniffer. What many do not know is that there are several ways to harness the potential of this tool, readers, this article will introduce. Let us learn to sniff the network effectively, create filters to find only the information we want, see it as a black hat would use this tool to steal passwords and finally, how to use Wireshark to diagnose network problems or if a firewall is blocking packets correctly.


Your password is hard to be broken? Has many characters and you trade with a certain regularity and one day you’re surprised to receive allegations of invasion. Evidence indicates that the invasions third party accounts departed from your account and you have no idea what is happening. That is, someone may have made use of your account and performed such acts as you. How could this have happened? A strong possibility is that you have been the victim of an attack of “sniffer”.


What are Sniffers? Well… Are very useful software, so great is the use of them, even the IDS systems are made based sniffers. A sniffer is a program that can capture all traffic passing in a segment of a network.

Programs that allow you to monitor network activity recording names (username and password) each time they access other computers on the network.

These programs are monitoring (“sniffing”) network traffic to capture access to network services, such as remote mail service (IMAP, POP), remote access (telnet, rlogin, etc.), file transfer (FTP) etc.. Accesses made, captured packets. Always aiming to get identification for access the user’s account.

When we called the HUB computer and send information from one computer to another, in reality these data are for all ports of the HUB, and therefore for all machines. It turns out that only the machine on which the information was intended to send the operating system.

If a sniffer was running on other computers, even without these systems send the information travels there for the operating system, the sniffer will intercede at the network layer, data capturing and displaying them to the user, unfriendly way. Generally the data are organized by type of protocol (TCP, UDP, FTP, ICMP, etc…) and each package shown may have read your content.


Many local area networks (LANs) are configured sharing the same Ethernet segment. Virtually any computer of the network can run a “sniffer” program to “steal” users passwords. “Sniffers” work monitoring the flow of communication between computers on the network to find out when someone uses the network services previously mentioned. Each of these services uses a protocol that defines how a session is established, such as your account is identified and authenticated and how to use the service.

To have access to these services, you first have to have a “log in”. Is the login sequence – the part of these authentication protocols, which occurs at the beginning of each session – the “sniffers” are concerned, because it is this part that is your password. Therefore, it is the only filter “strings” keys that the password is obtained.


Currently, almost all environments using switches and not hubs, which makes sniffing a little more difficult because the switches do not send the data to all ports as a hub does, it sends directly to the port where the host destination, so if you try to sniff a network switch you will only hear what is broadcast, or its own connection. To be able to hear everything without being the gateway of the network, an ARP spoof attack is necessary, or burst the CAM table of the switch.

Basic Usage

Now let’s put our hands dirty: I’m assuming you already have the program installed, if you do not download. When starting Wireshark, the displayed screen will look something like Figure 1:

Figure 1) Wireshark.

Before you can start capturing packets, we have to define which interface will “listen” to the traffic. Click Capture > Interfaces

Figure 2) Interfaces.

From there, a new window will appear with the list of automatically detected interfaces, simply select the desired interface by clicking the box next to the name of the interface, as in figure 3:

Figure 3) Capture Interfaces.

If you click Start, it will begin automatically captures. You can only select the interface and only then start the capture if necessary.

When the capture process starts, you will see several packets traversing the screen Wireshark (varying according to the traffic of your machine / network). Will look something like the figure 4:

Figure 4) Capturing.

To stop the capture, simply click the button, “Stop the running live capture”.

Figure 5) Stop.

It is important to remember that you must take care if your network is busy, the data stream may even lock your machine, then it is not advisable to leave the Wireshark capture for a long time, as we will see, we will leave it running only during the process debug a connection. The greater the amount of packets, the longer it takes to apply a filter, find a package, etc.

With this we have the basics of the program, we can set the capture interface, start and stop the capture. The next step is to identify what interests among many packages. For this, we will start using filters.

Using Filters

There is a plethora of possible filters, but at this moment we will see just how to filter by IP address, port and protocol.

The filters can be constructed by clicking on “Filter“, then selecting the desired filter (there is a short list of pre-defined filters), or by typing directly into the text box. After you create your filter, just click “Apply“, if you wanted to see the entire list of packages again just click “Clear“, this will remove the filter previously applied.

Figure 6) Filter.

I will use a small filter list as an example:

Figure 7) Example by Rafael Souza (RHA Infosec).

It is also possible to group the filters, for example:

ip.src == && tcp.dstport==80 OR ip.src == and tcp.dstport==80

Source address

And destination port 80


Now we will see how you can capture passwords easily, just by listening to traffic. For this example we will use the POP3 protocol, which sends the data in clear text over the network. To do this, start capturing packets normally and start a session with your server pop3 email. If you use a safer as imaps or pop3s and I just wanted to see the functioning of the mechanism, protocol is possible to connect via telnet pop3 without having to add / modify your account, simply run the following:

telnet 110 user pass rhainfosecpasswd

Now stop the capture, filter and put “pop” and then click “Apply“. That done, you see only the packets of pop3 connection. Now click on any of them right, and then click “Follow TCP Stream“.

Figure 8) POP3.

With this he will open a new window with the entire contents of the ASCII connection. As the pop3 protocol sends everything in plain text, you can see all the commands executed, including the password.

Figure 9) Pass.

This can be transported to any connection in plain text, such as ftp, telnet, http, etc.. Just to let you change the filter and examine the contents of the connection.

Importing External Captures

Usually in servers, there is no graphical environment installed and with that you cannot use Wireshark directly. If you want to analyze traffic on this server and you cannot install Wireshark, or if you do not have to capture this traffic elsewhere, the best one can do is write traffic with tcpdump locally and then copy this dump to a machine with Wireshark for a more detailed analysis is made.

We will capture everything that comes or goes to the host with destination port 80 and save content in capturerafaelsouzarhainfosec.pcap file from the local folder where the command was executed. Run the server:

tcpdump -i eth0 host and dst port 80 -w capturerafaelsouzarhainfosec.pcap   Once you’re finished capturing, simply use CTRL + C to copy the file to the machine Wireshark capture and import by clicking on File -> Import. Once imported, you can use the program normally as if the capture had occurred locally.


Why steal your password?

There are various reasons that lead people to steal passwords from simply to annoy someone (sending email as you) up to perform illegal activities (invasion on other computers, theft of information, etc.) An attractive to crackers is the ability to use the identity of others in these activities.

One of the main reasons that attackers try to break systems and install “sniffers” is able to quickly capture the maximum possible accounts. Thus, the more accounts this attacker has , the easier it is to hide your stash.

How can you protect yourself?

Do not be thinking that “sniffers” can make all the insecure Internet. Not so. You need to be aware of where the risk is , when you’re at risk and what to do to be safe .

When you have your stolen credit card or suspect that someone may be using it improperly, you cancel the card and asks another. Likewise, as passwords can be stolen, it’s critical that you replace regularly. This precaution limited the amount of time that a stolen password can be used by an attacker.

Never share your password with others. This sharing makes it difficult to know where your password is being used (exposed) and is harder to detect unauthorized use.

Never give your password to anyone claiming access your account needs to fix some problem or want to investigate a breach of the system. This trick is one of the most effective methods of hacking, known as “social engineering.”

Use networks you can trust

Another aspect you should take into consideration is what network you can trust and which cannot. If you’re traveling and need to access their computers remotely organization. For example, pick any file in your home directory and you have available is a “LanHouse” or network of another organization . Are you sure you can trust the network?

If you have no alternative for secure remote access and only have available resources such as telnet, for example, you can “mitigate” this effect by changing the password at the end of each session. Remember that only the first packet (200-300 bytes)of each session carry information from your “login”. Therefore, to always change your password before logging out, this will not be captured and password before it was exposed to the network is no longer valid. Of course it is possible to capture everything going across the network, but has no intention of attacking fill the file system quickly and so easily discovered.

Why networks remain vulnerable to “sniffers” long?

There are several reasons and there is no quick solution to the problem.

Part of the problem is that companies tend to invest in more new features than add security. New security features can leave the most difficult systems to configure and less convenient to use.

Another part of the problem is related to added costs for Ethernet switches, hubs, network interfaces that do not support the particular “promiscuous” that sniffers can use.


The question that remains is how can we protect ourselves from this threat…

  • ü Network cards that cannot be put into “promiscuous” mode. Thus, computers cannot be mastered and transformed into “sniffers”.
  • ü Typically, the Ethernet interface only passes packets to the highest level protocol that are intended for local machine. This interface into promiscuous mode allows all packets are accepted and passed to the higher layer of the protocol stack. This allows the selection you want.
  • ü Packages that encrypt data in transit over the network, thus avoiding to flow passwords “in the clear”.

I would remind you that the safest is to adopt and encourage the use of software which enable remote access encrypted sessions, help much to make your environment more secure.

One fairly common encryption technology currently in secure communication between remote machines SSH (Secure Shell). SSH is available for different platforms. Its use does not prevent the password captured, but as this is not encrypted serve to the attacker. SSH negotiates connections using RSA algorithm. Once the service is authenticated, all subsequent traffic is encrypted using IDEA technology. This type of encryption is very strong.

In the future, security will increasingly intrinsic to the systems and infrastructure networks. No use having all the “apparatus” of security you need, but do not use them. Security is not something that can be completely secure. Remember, no one is 100% secure.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s