Linux Format

Start sniffing packets

Capture and analyse data packets moving across your target.


Now that you’re hopefully connected to your target network, you can indulge in the gentle art of packet sniffing. This term describes the process of intercepting and logging packets of data across a network.

The chief challenge when it comes to packet sniffing is the huge amount of data moved across networks, using various protocols. It can be hard to detect, for instance, whether a user has visited a certain website or has downloaded a certain type of file. Thankfully, your task is made much easier by using the preinstalled packet analyser Wireshark (see also LXF218, LXF191). Wireshark can capture data on a network and enables you to filter it down. Most importantly, you can capture data for a certain time and save it to a file, making it possible for you to perform a more in-depth analysis later.

Wireshark uses a colour coding system to represent different kinds of traffic. For instance, TCP is shown in green, DNS traffic is in dark blue, and light blue represents UDP. You can launch Wireshark from Kali by going to Applications > Wireless attacks. You’ll be asked if you want to monitor a specific network interface such as wlan0, or all network traffic.

Remember that your Kali instance needs to be connected to the network in question to be able to monitor traffic. For best results use a wireless card that supports ‘promiscuous mode’. The TP-Link USB dongle mentioned in the Art of wardriving section (see page 32) is suitable for this.

On first run, Wireshark will begin automatically capturing live data over the network. Use a device connected to the network to visit a few sites such as www.linuxformat.com so you can practise your packet analysis skills later on.

You can click the Stop Capture button at any time and choose File > Save to store the captured data for later. To load a saved capture file, simply choose File > Open.

The layout of Wireshark is quite simple. The “No.” column is the number assigned to each data packet. The second column shows the number of seconds that have passed since you started capturing data. The third and fourth columns list the source and destination IP addresses, respectively. The fifth column lists the protocol that sent the packet, such as TCP or UDP. The Display Filter bar at the top is used to pare the list down to particular kinds of data packets.

The full list of parameters you can choose here is available in the Wireshark display filter reference (www.wireshark.org/docs/dfref). For now, try a simple filter to check if anyone has accessed the Linux Format website by typing http.host contains “linuxformat.com”. Press Return to see any matching traffic.

If your data capture includes unencrypted protocols such as FTP, you can even access passwords. For example, type ftp in the display filter to show only unencrypted connections via FTP, then right-click the list of captured packets. Choose Follow > TCP Stream to see the username and password. If the authentication has been encrypted, you’ll need the private key used to encrypt the data to read it easily.

Even if you can’t read certain kinds of data, you can easily search for it. In its simplest usage, you can type ssl into the display filter to see encrypted traffic.

Wireshark can also be used to detect certain kinds of traffic running on various ports. For instance, the Tor protocol, which is deliberately designed to hide browsing activity, runs over TCP on Port 9001. Type tcp.dstport == 9001 to show packets sent to that port.
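To show what Wireshark is actually matching when you type the filters from this section, here is an added example (not from the article, nor Wireshark's own code) that hand-dissects a few constructed Ethernet/IPv4/TCP frames and applies the equivalents of http.host contains “linuxformat.com”, ftp and tcp.dstport == 9001. All addresses, ports and payloads are constructed sample values, and the FTP match is reported simply as cleartext protocol use, which is what a network audit would flag.

```python
import struct

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs, then EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def dissect(frame):  # -> (src, dst, sport, dport, payload), or None if not IPv4/TCP
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # EtherType, IP protocol
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4                      # TCP header length
    return src, dst, sport, dport, frame[tcp + doff:]

def http_host(payload):  # value of the Host header, i.e. Wireshark's http.host field
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode(errors="replace")
    return None

def apply_filters(frames):
    """Apply the article's three display filters to a list of raw frames."""
    hits = {"linuxformat_host": [], "ftp": [], "tor_9001": []}
    for frame in frames:
        pkt = dissect(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, payload = pkt
        host = http_host(payload)
        if host and "linuxformat.com" in host:     # http.host contains "linuxformat.com"
            hits["linuxformat_host"].append((src, dst, host))
        if 21 in (sport, dport):                   # ftp: cleartext control channel, port 21
            hits["ftp"].append((src, dst))
        if dport == 9001:                          # tcp.dstport == 9001
            hits["tor_9001"].append((src, dst))
    return hits

SAMPLE = [  # constructed frames using documentation/private address ranges, not a real capture
    build_frame("10.0.0.5", "203.0.113.10", 40000, 80,
                b"GET / HTTP/1.1\r\nHost: www.linuxformat.com\r\n\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 21, 40001, b"220 FTP server ready\r\n"),
    build_frame("10.0.0.5", "198.51.100.7", 40002, 9001, b""),
    build_frame("10.0.0.5", "203.0.113.10", 40003, 443, b"\x16\x03\x01"),
]
```

Calling apply_filters(SAMPLE) returns one hit per filter; the TLS frame on port 443 matches none of them, just as it would in Wireshark.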

Capturing and analysing data this way is an acquired skill and it takes time to learn how to use all of Wireshark’s filter options. Don’t despair! With time, you’ll see the layout and parameters are extremely simple and logical.

[Screenshot] Use Wireshark’s Display Filter bar to sort through captured data, for instance to check if a client has visited a website.
