1
00:00:00,670  -->  00:00:01,590
<v Instructor>Now in this lecture,</v>

2
00:00:01,590  -->  00:00:03,860
I wanna show you how to use Wireshark

3
00:00:03,860  -->  00:00:06,790
to discover data sent through forms,

4
00:00:06,790  -->  00:00:09,020
whenever someone fills out a form.

5
00:00:09,020  -->  00:00:10,780
And obviously, this will allow us

6
00:00:10,780  -->  00:00:12,730
to get usernames and passwords

7
00:00:12,730  -->  00:00:16,260
if people log in to their accounts.

8
00:00:16,260  -->  00:00:18,310
So, I'm already running BetterCAP,

9
00:00:18,310  -->  00:00:20,470
so I'm already the man in the middle.

10
00:00:20,470  -->  00:00:24,460
And in Wireshark here, I'm just gonna start a new capture.

11
00:00:24,460  -->  00:00:27,660
So I'm gonna continue without saving this one.

12
00:00:27,660  -->  00:00:30,010
The filter is already set to HTTP

13
00:00:30,010  -->  00:00:33,580
so it's only gonna show me HTTP packets in here.

14
00:00:33,580  -->  00:00:36,500
And I'm gonna go to a target website in here,

15
00:00:36,500  -->  00:00:38,733
so let's go to vulnweb.com.

16
00:00:40,470  -->  00:00:42,030
Now keep in mind, like I said,

17
00:00:42,030  -->  00:00:44,720
you have to be logging in to an HTTP page,

18
00:00:44,720  -->  00:00:46,850
but that's fine because we already learned

19
00:00:46,850  -->  00:00:51,850
how to bypass HTTPS, and even partially bypass HSTS.

20
00:00:52,430  -->  00:00:54,640
So, I'm gonna be logging into a website

21
00:00:54,640  -->  00:00:58,700
that just uses HTTP here, because it's just simpler,

22
00:00:58,700  -->  00:01:02,470
and we've already learned how to bypass HTTPS and HSTS,

23
00:01:02,470  -->  00:01:04,623
so there's no point in repeating that.

24
00:01:05,650  -->  00:01:08,560
We're logging in with a username that is set to admin.

25
00:01:08,560  -->  00:01:10,410
I'm gonna set the password to 123abc.

26
00:01:12,210  -->  00:01:14,400
I'm gonna click on Login,

27
00:01:14,400  -->  00:01:17,653
and this should have been captured by Wireshark.

28
00:01:18,860  -->  00:01:20,660
Now let's go ahead and actually try this

29
00:01:20,660  -->  00:01:22,643
with a website that uses HTTPS.

30
00:01:23,570  -->  00:01:26,773
So let's go to stackoverflow.com.

31
00:01:29,160  -->  00:01:30,270
Again, as you can see,

32
00:01:30,270  -->  00:01:34,030
as long as the website gets downgraded to normal HTTP,

33
00:01:34,030  -->  00:01:36,730
then we'll be able to capture the data sent

34
00:01:36,730  -->  00:01:38,563
to and from this website.

35
00:01:39,610  -->  00:01:42,113
So, we're just going to log in.

36
00:01:44,630  -->  00:01:48,447
Put the username, we'll put it to zaid@zedsecurity.org,

37
00:01:51,040  -->  00:01:52,910
and then we're gonna put the password.

38
00:01:52,910  -->  00:01:57,283
So we'll just do 123123abc.

39
00:01:58,460  -->  00:02:00,320
And let's go back to Wireshark,

40
00:02:00,320  -->  00:02:03,613
and see how we can discover the username and the password.

41
00:02:04,470  -->  00:02:06,673
So first of all, I'm gonna stop the capture.

42
00:02:07,860  -->  00:02:11,420
And what we wanna look for is POST requests.

43
00:02:11,420  -->  00:02:14,720
So you see in here this request right here was POST,

44
00:02:14,720  -->  00:02:17,690
for example, and here it was GET.

45
00:02:17,690  -->  00:02:20,340
Now forms are usually sent over POST,

46
00:02:20,340  -->  00:02:22,040
especially login forms.

47
00:02:22,040  -->  00:02:24,540
So if you're looking for login information,

48
00:02:24,540  -->  00:02:26,773
you wanna look for POST in here.

49
00:02:27,630  -->  00:02:31,640
So, going down we can see we have a POST request in here.

50
00:02:31,640  -->  00:02:34,660
Now I'm gonna click here to actually show less information,

51
00:02:34,660  -->  00:02:36,890
so it's easier for us to see.

52
00:02:36,890  -->  00:02:39,350
So we can see this POST was sent to Google.

53
00:02:39,350  -->  00:02:40,630
We're not interested in that,

54
00:02:40,630  -->  00:02:43,530
we're looking for stuff that was sent to Vulnweb.

55
00:02:43,530  -->  00:02:44,963
So I'm gonna keep going.

56
00:02:46,380  -->  00:02:48,930
We can see we have a POST request here

57
00:02:48,930  -->  00:02:52,760
to a login page, so this is definitely interesting.

58
00:02:52,760  -->  00:02:56,003
Now, if we look down, let me just make this smaller.

59
00:02:57,570  -->  00:03:02,320
So if we look down here, and look at the HTML form data,

60
00:03:02,320  -->  00:03:04,650
you can see that we have a username here,

61
00:03:04,650  -->  00:03:08,670
submitted to testhtml5.vulnweb.com.

62
00:03:08,670  -->  00:03:13,303
The username is admin, and the password is 123abc.

63
00:03:15,750  -->  00:03:19,333
Now if we scroll down again looking for POST requests,

64
00:03:20,660  -->  00:03:22,810
you can see we have a POST request

65
00:03:22,810  -->  00:03:25,270
for a page called users login.

66
00:03:25,270  -->  00:03:27,860
So again, very, very interesting.

67
00:03:27,860  -->  00:03:31,760
If we click on this, you'll see, if we scroll down,

68
00:03:31,760  -->  00:03:36,130
you'll see we have the email, zaid@zedsecurity.org,

69
00:03:36,130  -->  00:03:39,870
and the password 123123abc.

70
00:03:39,870  -->  00:03:42,230
Again, this just goes to show you

71
00:03:42,230  -->  00:03:46,490
that with Wireshark, you'll be able to capture everything.

72
00:03:46,490  -->  00:03:48,780
Now this can actually be very, very useful,

73
00:03:48,780  -->  00:03:52,040
because I noticed that BetterCAP is great

74
00:03:52,040  -->  00:03:53,760
at sniffing passwords.

75
00:03:53,760  -->  00:03:57,020
And it pretty much gets you the passwords all the time,

76
00:03:57,020  -->  00:04:00,660
but in the odd cases, sometimes it was failing

77
00:04:00,660  -->  00:04:04,050
to filter the username and the password for me.

78
00:04:04,050  -->  00:04:08,450
So, with Wireshark you'll actually be able to get everything

79
00:04:08,450  -->  00:04:10,783
that passes through your interface.

80
00:04:11,740  -->  00:04:15,230
So what you could actually do is you can just go

81
00:04:15,230  -->  00:04:19,100
to your caplet that we always use, the spoof caplet.

82
00:04:19,100  -->  00:04:20,890
This one right here.

83
00:04:20,890  -->  00:04:22,970
Open it with the Text Editor.

84
00:04:22,970  -->  00:04:24,940
And as you know, in this caplet,

85
00:04:24,940  -->  00:04:27,090
we turn on our sniffer in here,

86
00:04:27,090  -->  00:04:29,550
so we set the sniff.local to true,

87
00:04:29,550  -->  00:04:31,670
and then we turn it on.

88
00:04:31,670  -->  00:04:33,730
But before turning it on,

89
00:04:33,730  -->  00:04:38,273
you can actually set the net.sniff.output

90
00:04:39,620  -->  00:04:43,970
to a location for a file that'll contain everything

91
00:04:43,970  -->  00:04:45,730
that BetterCAP captures.

92
00:04:45,730  -->  00:04:48,613
So you won't actually have to start Wireshark

93
00:04:48,613  -->  00:04:50,430
while BetterCAP is working.

94
00:04:50,430  -->  00:04:53,200
You can just, in here, specify a place.

95
00:04:53,200  -->  00:04:58,053
So for example, let's say root/capturefile.cap.

96
00:04:59,280  -->  00:05:01,900
And then, when you run your spoof caplet,

97
00:05:01,900  -->  00:05:05,340
it'll turn on the probe, turn on the recon,

98
00:05:05,340  -->  00:05:07,200
run your spoofing attack,

99
00:05:07,200  -->  00:05:09,310
putting you in the middle of the connection.

100
00:05:09,310  -->  00:05:11,530
It'll run the sniffer as well,

101
00:05:11,530  -->  00:05:16,240
and it'll store everything that BetterCAP captures

102
00:05:16,240  -->  00:05:18,580
in a capture file.

103
00:05:18,580  -->  00:05:21,570
Then, all you'll have to do is come here,

104
00:05:21,570  -->  00:05:26,570
go to File, Open, and open the file that you captured,

105
00:05:26,900  -->  00:05:29,333
and analyze it, as I'm doing right now.

106
00:05:31,300  -->  00:05:33,720
So this can be very, very useful also

107
00:05:33,720  -->  00:05:36,830
if you don't have a lot of resources on your computer,

108
00:05:36,830  -->  00:05:39,400
or if you have a small laptop, or even a phone.

109
00:05:39,400  -->  00:05:41,650
And you capture data with it,

110
00:05:41,650  -->  00:05:43,830
store everything in a capture file,

111
00:05:43,830  -->  00:05:47,793
and then just open it in here in Wireshark and analyze it.

112
00:05:49,420  -->  00:05:51,740
Now finally, before I finish this lecture,

113
00:05:51,740  -->  00:05:55,270
because all we're talking about right now is filtering data,

114
00:05:55,270  -->  00:05:59,560
a really, really useful feature when filtering data

115
00:05:59,560  -->  00:06:02,910
is the Ctrl+F feature, the Find.

116
00:06:02,910  -->  00:06:06,560
So you can just press Ctrl+F from your keyboard,

117
00:06:06,560  -->  00:06:09,690
this'll open this bar right here, this search bar,

118
00:06:09,690  -->  00:06:12,570
which you can use to find anything

119
00:06:12,570  -->  00:06:14,653
within the captured packets.

120
00:06:15,740  -->  00:06:18,450
So, first of all, I'm gonna set the search

121
00:06:18,450  -->  00:06:21,500
to search within the packet details.

122
00:06:21,500  -->  00:06:24,270
I'm gonna keep this to Narrow & Wide.

123
00:06:24,270  -->  00:06:26,580
In here, I'm gonna set this to Strings,

124
00:06:26,580  -->  00:06:29,360
so that it looks for normal text.

125
00:06:29,360  -->  00:06:32,150
And for example, let's say I'm looking for logins

126
00:06:32,150  -->  00:06:35,270
that a person named Zaid has attempted,

127
00:06:35,270  -->  00:06:37,313
all I have to do is just type Zaid.

128
00:06:38,320  -->  00:06:40,000
And if I hit Enter.

129
00:06:40,000  -->  00:06:43,090
And as you can see, it's taken us to the login attempt

130
00:06:43,090  -->  00:06:46,110
when I logged in to Stack Overflow.

131
00:06:46,110  -->  00:06:48,270
Or let's say you're looking for login attempts

132
00:06:48,270  -->  00:06:52,060
by a person named admin or for a user named admin.

133
00:06:52,060  -->  00:06:55,900
Again, if I hit Enter, it's gonna take me to the first time

134
00:06:55,900  -->  00:06:58,370
an occurrence of the word admin happened,

135
00:06:58,370  -->  00:06:59,370
which is in here.

136
00:06:59,370  -->  00:07:02,450
It doesn't really contain any useful information,

137
00:07:02,450  -->  00:07:05,420
but I can just click on Find to find the next packet

138
00:07:05,420  -->  00:07:07,560
that contained the word admin.

139
00:07:07,560  -->  00:07:10,800
Again, this packet doesn't really contain anything useful.

140
00:07:10,800  -->  00:07:12,683
We can go next.

141
00:07:13,570  -->  00:07:16,530
We'll actually have to go to the end of the file and go up,

142
00:07:16,530  -->  00:07:19,300
because that was the first thing that we logged in,

143
00:07:19,300  -->  00:07:21,653
so I'm just gonna keep clicking on next.

144
00:07:23,320  -->  00:07:27,160
And right here we have the POST request for the admin.

145
00:07:27,160  -->  00:07:29,400
And if we go down again, as you can see,

146
00:07:29,400  -->  00:07:34,400
we have the username as admin and the password as 123abc.

147
00:07:35,050  -->  00:07:37,620
So this feature can be very, very useful

148
00:07:37,620  -->  00:07:39,800
to help you find what you're looking for.

149
00:07:39,800  -->  00:07:42,630
Whether you're looking for a specific login name.

150
00:07:42,630  -->  00:07:45,150
Whether you're looking for a specific tag,

151
00:07:45,150  -->  00:07:47,743
a specific file, and so on.
