1
00:00:01,110 --> 00:00:06,540
In this lecture we're going to talk about a tool called Wireshark. Wireshark is a network protocol

2
00:00:06,570 --> 00:00:07,550
analyzer.

3
00:00:07,740 --> 00:00:14,060
It's not designed for hackers and it's not designed for hacking and spying on other people on the network.

4
00:00:14,100 --> 00:00:19,110
It's designed for network administrators so that they can see what's happening in their network and

5
00:00:19,110 --> 00:00:24,270
make sure that everything is working properly and that nobody is doing anything bad or doing anything

6
00:00:24,270 --> 00:00:31,500
suspicious on the network. The way that Wireshark works is it allows you to select an interface and

7
00:00:31,500 --> 00:00:36,870
then logs all the packets or all the traffic that flows through that interface.

8
00:00:36,900 --> 00:00:39,760
So you're selecting an interface; it could be a wireless card.

9
00:00:39,840 --> 00:00:45,990
It could be a wired card on your current computer, and then it'll start logging all the information

10
00:00:46,080 --> 00:00:48,720
that flows through that interface.

11
00:00:48,720 --> 00:00:54,570
It also has a really nice graphical interface that allows you to analyze this traffic.

12
00:00:54,570 --> 00:01:00,720
So it allows you to filter these packets based on the protocol used in them, like HTTP, TCP and all that,

13
00:01:01,060 --> 00:01:05,820
but it also allows you to look for certain things, for example if you're looking for cookies or if you're

14
00:01:05,820 --> 00:01:08,190
looking for POST or GET requests.

15
00:01:08,430 --> 00:01:14,520
And it also allows you to search through these packets; you can search through the information

16
00:01:14,550 --> 00:01:17,930
that's stored in the packets and find the things that you're looking for.

17
00:01:17,970 --> 00:01:21,570
It's a really, really big tool and you need a whole course for it.

18
00:01:21,570 --> 00:01:26,640
So in this course we're actually gonna use it in a few lectures, just covering the basics or the things

19
00:01:26,670 --> 00:01:35,280
that are related to us. So the main idea here is Wireshark is not a hacking tool; it only allows you to

20
00:01:35,280 --> 00:01:43,290
capture the traffic that flows through your own computer, through your own interface. I'm going to use

21
00:01:43,290 --> 00:01:45,300
it now and it's going to become more clear to you.

22
00:01:45,300 --> 00:01:48,570
So I'm just gonna go to Kali and we're going to start Wireshark.

23
00:01:48,570 --> 00:01:54,360
You can run Wireshark from the command prompt, or you can just go to All Applications and type Wireshark

24
00:01:54,630 --> 00:02:00,340
and it'll show up right here. I'm going to click that and that's going to load the program for me.

25
00:02:00,340 --> 00:02:01,750
This is just the normal error.

26
00:02:01,750 --> 00:02:09,030
Just ignore this error, and this is the main interface of Wireshark.

27
00:02:09,110 --> 00:02:15,860
So first of all you can actually just go to File and go to Open, and in here it'll allow you

28
00:02:15,860 --> 00:02:22,030
to open a file that you've already captured, so for example if you captured packets using a different

29
00:02:22,040 --> 00:02:28,460
sniffer, using airodump-ng or using MITMf or using tshark, which is the command prompt

30
00:02:28,490 --> 00:02:30,200
part of Wireshark.

31
00:02:30,200 --> 00:02:35,390
So if you captured packets using any of these programs and you stored them in a file, you can just come

32
00:02:35,390 --> 00:02:38,150
in here, open it and start analyzing that file.

33
00:02:38,150 --> 00:02:43,730
This is really handy because sometimes you don't really want to analyze the traffic on the fly; sometimes

34
00:02:43,730 --> 00:02:48,520
you just want to capture it. Sometimes you capture it from a small laptop, or you capture

35
00:02:48,530 --> 00:02:53,540
it from your phone, and you're not even at home, you're somewhere else doing your pen test, and then

36
00:02:53,540 --> 00:02:58,490
you go back home and then you want to analyze what you captured. Then you can still do that from a file,

37
00:02:58,670 --> 00:03:04,870
and then just come here, go to File, Open and open the file that you want to analyze.

38
00:03:04,880 --> 00:03:10,310
So what I want to show you here is the idea that Wireshark is not a hacking tool; it's not going to

39
00:03:10,310 --> 00:03:13,160
capture things happening in another device.

40
00:03:13,160 --> 00:03:18,200
It will only capture things that flow through your own interface.

41
00:03:18,230 --> 00:03:22,700
So right here we can see that we have all the interfaces in my computer, so we can see that we have

42
00:03:22,700 --> 00:03:29,060
eth0, we have any, which is just any, and we have all the other ones, some of which are created by

43
00:03:29,060 --> 00:03:29,810
VirtualBox.

44
00:03:29,810 --> 00:03:36,910
So the main one here is eth0, which is the virtual interface connected to my NAT network, and you can

45
00:03:36,910 --> 00:03:42,340
see that there is no traffic flowing through this, so you can see that this is constant and nothing's

46
00:03:42,340 --> 00:03:43,720
happening.

47
00:03:43,790 --> 00:03:48,860
So what I'm going to do now is I'm just gonna make this a little bit smaller and I'm going to open my

48
00:03:48,860 --> 00:03:54,410
browser here and I'm just gonna go to a normal website. I'm just gonna go to google.com

49
00:03:57,380 --> 00:04:03,050
Now as you can see right here, you can see the traffic in eth0 is spiking up, so there was some

50
00:04:03,050 --> 00:04:05,680
traffic generated through eth0.

51
00:04:05,770 --> 00:04:12,780
So if we're sniffing on this, we'll be able to capture these packets that were sent over eth0.

52
00:04:12,890 --> 00:04:17,590
Now what I'm gonna do is I'm gonna go to my Windows machine just to prove that point, and I'm going

53
00:04:17,590 --> 00:04:23,330
to browse the website here and you'll see that eth0 will not be affected, and the traffic that's generated

54
00:04:23,360 --> 00:04:28,520
on this Windows machine, which is in the same network as the Kali machine, will not be captured

55
00:04:28,520 --> 00:04:29,390
by the Kali machine.

56
00:04:29,390 --> 00:04:36,660
So if I just go to Google again here, you'll see that nothing happened in eth0.

57
00:04:36,860 --> 00:04:39,410
So there is no traffic flowing through this.

58
00:04:39,410 --> 00:04:40,590
It's still constant.

59
00:04:40,790 --> 00:04:46,770
And we can only capture packets that go through eth0.

60
00:04:47,140 --> 00:04:51,570
So now you'll probably ask, then why is Wireshark so useful, why are we even talking about it?

61
00:04:51,570 --> 00:04:56,840
If we can only see things that go through our own computer, why are we talking about it?

62
00:04:56,860 --> 00:05:02,260
Well, we're talking about it because we've seen there is a large number of ways that you can become the man

63
00:05:02,260 --> 00:05:03,460
in the middle.

64
00:05:03,520 --> 00:05:06,560
We learned how to do this using ARP spoofing.

65
00:05:06,560 --> 00:05:14,330
And in future lectures I'm gonna show you how to do it by creating a fake access point. So when we are

66
00:05:14,330 --> 00:05:15,410
the man in the middle,

67
00:05:15,650 --> 00:05:20,330
if we start sniffing on the interface that's used to become the man in the middle,

68
00:05:20,330 --> 00:05:26,510
we'll be able to capture all the traffic generated by the people that we're targeting in our man in

69
00:05:26,510 --> 00:05:27,320
the middle attack.

70
00:05:27,710 --> 00:05:34,580
So if you started the fake access point, you can start sniffing on the interface that's broadcasting

71
00:05:34,580 --> 00:05:38,270
the signal, and you can capture all the packets sent or received

72
00:05:38,270 --> 00:05:45,740
by anyone who's connected to that fake access point. If you became the man in the middle using ARP

73
00:05:45,740 --> 00:05:53,010
spoofing, then just select the interface that you used when you launched your ARP spoofing attack.

74
00:05:54,270 --> 00:05:58,920
So for now I'm going to become the man in the middle using ARP spoofing.

75
00:05:58,920 --> 00:06:05,190
You can use arpspoof or Bettercap as I showed you earlier, but I'm going to use Bettercap, using the

76
00:06:05,190 --> 00:06:07,950
exact same command that we used before.

77
00:06:07,950 --> 00:06:14,190
So we're literally just doing bettercap followed by the interface that is connected to my target network,

78
00:06:14,190 --> 00:06:17,610
which is eth0, and I'm launching my caplet,

79
00:06:17,700 --> 00:06:24,720
the spoof caplet, so that it configures the ARP spoof module and runs it for me to put me in the middle

80
00:06:24,720 --> 00:06:29,120
of the connection. So I'm gonna hit enter.

81
00:06:29,360 --> 00:06:32,330
And as you can see it's working as expected.

82
00:06:32,330 --> 00:06:36,910
So right now I should be in the middle of the connection, intercepting anything

83
00:06:36,920 --> 00:06:41,510
the target Windows machine sends or receives.

84
00:06:41,840 --> 00:06:45,500
Now let's go to the Windows machine and see, if I do anything here,

85
00:06:45,500 --> 00:06:50,960
if it's going to affect the traffic in eth0. So we'll see if Wireshark will be able to capture traffic

86
00:06:51,200 --> 00:06:53,070
generated by this computer.

87
00:06:53,120 --> 00:06:54,770
So let's write anything here.

88
00:06:54,770 --> 00:06:58,490
I'm just going to Google, or I'm just gonna go to a different website, I'm just gonna go to Bing,

89
00:07:01,370 --> 00:07:07,730
and if we come back here you'll see that we have traffic being generated here, and we can see that

90
00:07:07,790 --> 00:07:12,290
eth0 is actually capturing whatever's happening in a completely different device.

91
00:07:12,320 --> 00:07:17,930
This is happening because when we are the man in the middle, all the packets that are generated by the

92
00:07:17,930 --> 00:07:23,150
Windows device have actually been redirected to my own computer right here, to the Kali, and then Wireshark

93
00:07:23,150 --> 00:07:29,330
is sniffing that from the Kali machine, sniffing it from my own local machine. It's not sniffing

94
00:07:29,330 --> 00:07:33,140
it from the network, it's not sniffing it from the target computer.

95
00:07:33,140 --> 00:07:37,640
So again, if you're doing this with the fake access point, then just listen on the interface that you're

96
00:07:37,640 --> 00:07:43,010
broadcasting on. If you're doing this with a real wireless network, if you're connected to your home wireless

97
00:07:43,010 --> 00:07:47,930
network using wlan0, then you can just do this with wlan0, but with ARP spoofing you have

98
00:07:47,930 --> 00:07:51,090
to first redirect the traffic, then you can use Wireshark.

99
00:07:51,170 --> 00:07:54,230
Now this is just to show you what Wireshark is and how it works.

100
00:07:54,290 --> 00:07:57,730
And I just wanted to stress the idea that Wireshark is not a hacking tool.

101
00:07:57,980 --> 00:08:03,290
It's only a program that allows you to log packets flowing through a certain interface and then analyze

102
00:08:03,290 --> 00:08:04,590
these packets.

103
00:08:04,640 --> 00:08:08,840
So in the next video we'll see how we can sniff and analyze packets using Wireshark.
