LAB A - Wireshark Familiarisation

 

 

In this lab exercise you will use Wireshark to capture data from the network.

The lab duration will be 15 minutes.

Start the Kali Linux, Windows 7 and Metasploitable TR VMs.

• Log into the Kali VM with username root and password toor

Step 1 – Starting a capture

• Open Wireshark on the Kali VM.
• Double-click on eth0.

Step 2 – Generate some traffic using ping

• Open a terminal
• Generate some ICMP traffic by typing:

                             ping 192.168.1.99

• After a few seconds, stop the pinging by entering Ctrl-C.

NOTE: Ping is a useful network troubleshooting tool. It is commonly used to check network connectivity. We can ping a device by IP address (send an echo request) and it the device is connected and configured to response, we will receive an echo reply.

• Return to Wireshark and click the red square to stop the capture.
• Apply a filter by typing icmp in the filter bar.
• Review the data.

Find a ping from your machine to 192.168.1.99. What type number is given to an ICMP Echo Request?

Find a reply from 192.168.1.99. What type number is given to an ICMP Echo Reply?

Step 3 – Generate some ARP traffic

NOTE: ARP is used to resolve a MAC address from an IP address. On an Ethernet network, data is sent between devices using MAC addresses. The computer needs to be able to find the MAC address that is associated with an IP address – this is achieved using the Address Resolution Protocol (ARP).

• Open a terminal.
• Flush the ARP table held by the Kali Linux VM by typing:

ip -s -s neigh flush all

NOTE: The aim of deleting the ARP table is to demonstrate that to communicate on the network your computer will now need to use the ARP protocol to find the MAC addresses associated with an IP address.

• Start a new capture in Wireshark.
• Generate some more ICMP data by typing, in a terminal:

                                                                        ping 192.168.1.99

NOTE: In order to send the ping, your computer needs the MAC address of the device you are trying to pint – if it can’t find the answer in the ARP table, it will have used ARP to ask the network.

• After a few seconds, enter Ctrl-C to stop pinging.
• Return to Wireshark and stop the capture.
• Clear the ICMP filter if it is still applied – by clicking the x in the filter bar.
• Apply a filter for ARP by typing arp in the filter bar.

Look at the traffic - you should see some ARP. Can you identify the ARP request and the ARP reply?

Note: ARP requests are broadcast to the entire network (as the sending device does not have the MAC address of the receiver yet). You should be able to see the broadcast MAC- FF:FF:FF:FF:FF:FF: Because ARP is broadcast, Wireshark will capture all ARP requests on the local network.

• Confirm that your ARP table has been populated by returning to the terminal and typing:

arp -n

Step 4 – Generate some HTTP traffic

• On the Kali VM Start/restart a new Wireshark capture.
• Open the Kali browser and visit http://192.168.1.99/dvwa
• Enter the username admin and the password: password
• Click the Login button.

Stop the capture.

Press Ctrl+F to open the search tool.

• Change the search options using the drop downs to packet bytes and
• Enter the either the password or username you attempted to log in with.
• Click Find.

You should be able to find the username and password in clear in the data.

Note: This demonstrates the danger of using HTTP – anyone able to intercept the traffic will be able to read the contents, which will include information like usernames and passwords.

Wireshark can export objects such as images from the HTTP data stream.

• Click File > Export Objects > HTTP.

The resulting pop-up will show all the objects in the HTTP stream.

• Find an image to export or choose to export all to a folder of your choice.
• Browse to the folder and view the exported objects.

Step 5 – Generate some HTTPS traffic

• On the Windows Server host, open Wireshark and Start a new capture.
• Open a browser and visit a website of your choice.
• Return to Wireshark, stop the capture.
• Filter for TLS.

What can you notice?

You should be able to see the connection to the website and the encryption set-up process. After set-up, the data is all encrypted.

Note that the packet headers are intact as are the TLS segment headers, it is important to note that HTTPS provides, integrity and privacy but not anonymity.