Practical 7

Name : Premsagar Manoj Pawar

Subject : Cyber Security Lab

Class : BE Computer

Section : B

Roll No : 30

Aim: Study of Sniffing and Spoofing Tools in Kali Linux

Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

Source: http://www.wireshark.org/about.html

wireshark – network traffic analyzer

root@kali:~# wireshark -h
Wireshark 2.6.4 (Git v2.6.4 packaged as 2.6.4-1)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                           files:NUM - stop after NUM files

Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files

Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol

User interface:
  -C <config profile>      start with specified configuration profile
  -Y <display filter>      start with the given display filter
  -g <packet number>       go to specified packet number after "-r"
  -J <jump filter>         jump to the first packet matching the (display)
                           filter
  -j                       search backwards for a matching packet after "-J"
  -m <font>                set the font name used for most text
  -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

Output:
  -w <outfile|->           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -P <key>:<path>          persconf:path - personal configuration files
                           persdata:path - personal data files
  -o <name>:<value> ...    override preference or recent setting
  -K <keytab>              keytab file to use for kerberos decryption
  --display=DISPLAY        X display to use
  --fullscreen             start Wireshark in full screen

Wireshark is a packet sniffing program that administrators use to isolate and troubleshoot problems on the network. Because it records traffic exactly as it is transmitted, it can also capture sensitive data such as usernames and passwords sent in cleartext, and it can be misused (hacking) to eavesdrop on a network.

Packet sniffing is the process of capturing the packets of data flowing across a computer network. A packet sniffer is the device or software used to perform the sniffing.

Below are the steps for packet sniffing:

Apply the display filter 'http'. After the filter is applied, the screen looks as follows:

The screen above is blank, i.e. there is no network traffic yet.

Open a browser. In this example we have opened Internet Explorer; you can choose any browser.

As soon as the browser is opened and a website address is typed in, traffic starts to appear and the exchange of packets is shown. The image for this is shown below:

The process explained above is called packet sniffing.
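The following is an added example, not part of this practical or of the Wireshark project. It shows what the 'http' display filter and the `-r <infile>` option are doing under the hood: it builds a few constructed Ethernet/IPv4/TCP frames (an SSH banner, an HTTP GET and its response, an HTTP POST login, and a TLS record), writes them in libpcap format, then reads the file back, dissects each frame and keeps only the segments whose payload starts like an HTTP message. It also flags the POST whose form body carries a password in cleartext, which is exactly the exposure the text above warns about and the reason such logins belong on HTTPS. All addresses, ports and payloads are constructed sample values; the output file name `sample_http.pcap` is an assumption.

```python
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # the link-layer type Wireshark's "-y" option refers to
# A payload that starts like this is what the 'http' display filter keys on for port-80 traffic.
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / TCP frame carrying payload (constructed; TCP checksum left at 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")      # EtherType IPv4
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames, ts_base=1_700_000_000):
    """Serialize frames as a little-endian libpcap file that 'wireshark -r' can open."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        buf.write(struct.pack("<IIII", ts_base + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Parse a libpcap file (either byte order) and return the list of raw frames."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == PCAP_MAGIC else ">"
    linktype = struct.unpack(e + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def dissect(frame):
    """Minimal Ethernet/IPv4/TCP dissector; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": payload}


def is_http(pkt):
    """Approximation of the 'http' display filter: a TCP payload that starts like an HTTP message."""
    return pkt is not None and pkt["payload"].startswith(HTTP_STARTS)


def http_summary(pcap_bytes):
    """One line per HTTP packet, like Wireshark's packet list with the 'http' filter applied."""
    rows = []
    for frame in read_pcap(pcap_bytes):
        pkt = dissect(frame)
        if is_http(pkt):
            first_line = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
            rows.append(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  {first_line}")
    return rows


def flag_cleartext_logins(pcap_bytes):
    """Flag HTTP POSTs whose form body carries a password field: readable by any sniffer on the path."""
    hits = []
    for frame in read_pcap(pcap_bytes):
        pkt = dissect(frame)
        if not is_http(pkt):
            continue
        head, _, body = pkt["payload"].partition(b"\r\n\r\n")
        if head.startswith(b"POST ") and b"password=" in body:
            hits.append((pkt["src"], pkt["dst"], head.split(b"\r\n", 1)[0].decode()))
    return hits


def sample_capture():
    """Constructed sample traffic (not a real capture): one client, one server."""
    c, s = "10.0.0.5", "10.0.0.1"
    cm, sm = "02:00:00:00:00:05", "02:00:00:00:00:01"
    frames = [
        build_frame(cm, sm, c, s, 40001, 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
        build_frame(cm, sm, c, s, 40002, 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
        build_frame(sm, cm, s, c, 80, 40002, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        build_frame(cm, sm, c, s, 40003, 80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2"),
        build_frame(cm, sm, c, s, 40004, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS record, opaque
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    pcap = sample_capture()
    with open("sample_http.pcap", "wb") as f:   # assumed file name; open with: wireshark -r sample_http.pcap -Y http
        f.write(pcap)
    print("\n".join(http_summary(pcap)))
    print("cleartext logins:", flag_cleartext_logins(pcap))
```

Running the script writes `sample_http.pcap`; opening it with `wireshark -r sample_http.pcap -Y http` (the `-r` and `-Y` options from the help text above) shows the same three packets that `http_summary` lists, while the SSH and TLS segments are hidden by the filter. The TLS record is the instructive contrast: a sniffer sees that a connection exists but not its contents, which is why the POST body here is only readable because it was sent over plain HTTP.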


Whiteshark :