Wireshark

An open source network scanner and monitor traffic and even individual packet
captured from a network interface.
It is the worlds most popular network analyzer.
1. Network administrator use it to isolate and troubleshoot their network
2. Use by attackers by usernames, passwords, email and search history
It is a network analysis tool formerly known as Ethereal, captures packets in real
time and display them in human-readable format.
PACKET SNIFFER
The basic tool for observing the messages exchanged between executing protocol
entities is called a packet sniffer. As the name suggests, a packet sniffer captures
(sniffs) messages being sent/received from/by your computer; it will also typically
store and/or display the contents of the various protocol fields in these captured
messages. A packet sniffer itself is passive. It observes messages being sent and
received by applications and protocols running on your computer, but never sends
packets itself. Similarly, received packets are never explicitly addressed to the
packet sniffer. Instead, a packet sniffer receives a copy of packets

1.
2.
3.
4.
5.
6.

Go to https://www.wireshark.org/download.html and download wireshark

Open wireshark and click on interface list
Or click on capture > interfaces
Select one interface by clicking on checkbox and start
It will show all the traffic in the network
When you want to stop capturing the traffic, press red button on top

7. Go to View > Time Display Format >

8. To view details of a packet, select the packet
Bottom panel will show you lots of information about the packets and protocols
that were used
You can start a new capturing by clicking the button above, it will ask you
whether you want to save current data or not. Then start a new capture
1.
2.
3.
4.
5.

Start the new capture

Go to web browser and open a website
Go to wireshark and stop capturing
Lots of traffic will come in, now use can use filter to keep specific stuff.
In filter, type HTTP and wireshark output will only be limited to HTTP

Filter: specify something. If you understand filters correctly then you understand
90% of wireshark
a. it can specify an address
e.g. host 192.168.0.1
host 10.1.11.24 and host 10.1.11.1
ip.addr==192.168.0.1
ip.src==10.1.11.0

1.

6.
7.
8.
9.

b. it can also specify a protocol

e.g. tcp port http [for tcp protocol (tcp port on which http is running)]
tcp.port==80||tcp.port==3338
tcp.port==80&&tcp.port==3338
c. not broadcast nor multicast
capture unicast messages
Select the packet with source as your mac/ip address and check the bottom
panel (this information can also be seen by double clicking a packet, this will
open a new window)
Under HTTP field, it will display HOST as the sitename you have just opened
User-agent specifies which machine I was accessing this website from
(windows machine, chrome browser)
Outside HTTP, Check below for media type
To check, the traffic from a particular IP, right click that source and select
Apply as filter>and selected then it will apply filter as (HTTP &&
IP.src=12:234:56:67:67:12). This will show me all the traffic between my
system and web.

To check malicious packet:

1. To find malicious packet, check and find RST in info. If no RST, that means
not getting any drop packet. Thats a good signal.
2. Check packet where message is being sent from my computer to some other
place. Check TCP details in below panel, it shows source and destination port.
3. Suppose it is showing multiple RST,that means my computer is blocking the
packet and saying stop talking to me then there is high possibility that
someone is scanning
4. If a request is coming to multiple ports of our system then it can be a network
scan to find out any ports that are open.
5. Whenever data is going out of your system, check the port from which data is
going and check what application/process is running on that port. You cannot
find that in wireshark but you can find process ids on windows, linux and mac
systems and kill those processes.
6. To find what is going on different ports of my computer by command:
7. And kill the processes from task manager
8. You can also change colors by going to view > coloring rules.
9. You can also export by going to file >export
Protocols:
To see details, you can also right click a packet and select Follow TCP Stream.
It will show me all the details.
Red- stuff user sent [more interested in this information]
Blue- stuff user get
For an HTTP,
1. Go to web browser, open some image

2. Then come back to wireshark

3. You will see an get line and then a HTTP line next
4. Get line shows your request. This should be the HTTP GET message that
was sent from your computer(ex. PC1) to the PC2 HTTP server.
5. And next http line shows response from web server
6. Select it, you will see a JPEG or PNG key depending on which type of
image you have opened
7. Select that key and right click. Select option Export Selected Packet
Bytes
8. Save file by giving name and extension e.g. image1.jpg or image1.png
9. You will get the actual file which was opened by the user
10.Or we can also do the same things by right clicking media type of a packet
if you are able to locate it.
So, it gives a good idea when to use HTTP and when to use HTTPS
2. In statistics, go to HTTP [How web surfing, analyze HTTP data]
Packet counter shows how many results google provided on your search and
how much you have opened and traversed
3. Mark packet [you can right click on a packet to mark it]
4. With HTTP packet or header, you can get additional information about the
session and cookies(HTTP 1.1 will not show any information because they are
periodical request made by the browser, no browsing in actual takes place)
otherwise HTTP -> GET -> COOKIE (session cookie)
5. With File -> saveas, You can also save the captured data
Capturing cookies and displaying passwords.
1.
2.
3.
4.
5.
6.

Start wireshark
Open a http website on browser
enter username and password
Stop wireshark
Apply HTTP as filter and locate a POST packet
In below panel, HTTP will show you the cookie

Why cookie is important?

An HTTP cookie (also called web cookie, Internet cookie, browser cookie or
simply cookie) is a small piece of data sent from a website and stored in the
user's web browser while the user is browsing. Cookies were designed to be a
reliable mechanism for websites to remember items added in the shopping
cart in an online store or recording which pages were visited in the past. They
can also be used to remember arbitrary pieces of information that the user
previously entered into form fields such as names, addresses, passwords, and
credit card numbers.

authentication cookies are the most common method used by web servers to
know whether the user is logged in or not, and which account they are logged
in with. Without such a mechanism, the site would not know whether to send
a page containing sensitive information, or require the user to authenticate
themselves by logging in. The security of an authentication cookie generally
depends on the security of the issuing website and the user's web browser,
and on whether the cookie data is encrypted.

With these cookies, attacker can identify to servers that you've already logged in
meaning that if you hijack the right cookie, you can masquerade as someone else without
ever needing their username or password.
Session cookie
A session cookie exists only in temporary memory while the user navigates
the website. Web browsers normally delete session cookies when the user
closes the browser. Unlike other cookies, session cookies do not have an
expiration date assigned to them, which is how the browser knows to treat
them as session cookies.
Persistent cookie
Instead of expiring when the web browser is closed as session cookies do, a
persistent cookie expires at a specific date or after a specific length of time.
For this reason, persistent cookies are sometimes referred to as tracking
cookies because they can be used by advertisers to record information about
a user's web browsing habits over an extended period of time. However, they
are also used for "legitimate" reasons (such as keeping users logged into
their accounts on websites, to avoid re-entering login credentials at every
visit).These cookies are however reset if the expiration time is reached or the
user manually deletes the cookie.
Uses
1. Session management
Cookies were originally introduced to provide a way for users to record items
they want to purchase as they navigate throughout a website (a virtual
"shopping cart" or "shopping basket"). Today, however, the contents of a
user's shopping cart are usually stored in a database on the server, rather
than in a cookie on the client. To keep track of which user is assigned to
which shopping cart, the server sends a cookie to the client that contains a
unique session identifier (typically, a long string of random letters and
numbers). Because cookies are sent to the server with every request the
client makes, that session identifier will be sent back to the server every time

the user visits a new page on the website, which lets the server know which
shopping cart to display to the user.
Another popular use of cookies is for logging into websites. When the user
visits a website's login page, the web server typically sends the client a
cookie containing a unique session identifier. When the user successfully logs
in, the server remembers that that particular session identifier has been
authenticated, and grants the user access to its services.
2. Personalization
Cookies can be used to remember information about the user in order to
show relevant content to that user over time. For example, a web server
might send a cookie containing the username last used to log in to a website
so that it may be filled in automatically the next time the user logs in.
Setting a cookie
Cookies are set using the Set-Cookie HTTP header, sent in an HTTP response
from the web server. This header instructs the web browser to store the
cookie and send it back in future requests to the server (the browser will, of
course, ignore this header if it does not support cookies or has disabled
cookies).
As an example, the browser sends its first request to the homepage of the
www.example.org website:
GET /index.html HTTP/1.1
Host: www.example.org

The server responds with two Set-Cookie headers:

HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT

The server's HTTP response contains the contents of the website's homepage.
But it also instructs the browser to set two cookies. The first, "theme", is
considered to be a session cookie, since it does not have an Expires or MaxAge attribute. Session cookies are intended to be deleted by the browser

when the browser closes. The second, "sessionToken" is considered to be a

persistent cookie, since it contains an Expires attribute, which instructs the
browser to delete the cookie at a specific date and time.
Next, the browser sends another request to visit the spec.html page on the
website. This request contains a Cookie HTTP header, which contains the two
cookies that the server instructed the browser to set:
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123

This way, the server knows that this request is related to the previous one.
The server would answer by sending the requested page, possibly including
more Set-Cookie headers in the response in order to add new cookies, modify
existing cookies, or delete cookies.
Hijacking Session
1. The Session Hijacking attack compromises the session token by stealing or predicting a
valid session token to gain unauthorized access to the Web Server.
2. Cookie contain session ID

Cracking Password:
1. Start wireshark
2. Open a http website on browser
3. E.g. http://www.addictinggames.com/, enter username and password
(gaming248 and forstudents, email:hacking2cyber@gmail.com)
4. Stop wireshark
5. Apply HTTP as filter and locate a POST packet
6. Right click and select Follow TCP Stream
7. Find username and password there
You can also view the same things with the help of network miner
There are also 2 tabs:
1. Credentials
2. Sessions
Also get session Id from here
If want to crack a user account using session ID then paste it in your
browser and there you go.

Q. How to find peoples IP address using wireshark and tell them you know where
they live?
A.
1.
2.
3.
4.
5.
6.
7.
8.

In the filter bar, type UDP

After that you are set to troll people
Open omegle.com
Start chat by typing hey
Type wanna bet I can find where you live
Start a new capture
Open ipaddress.com/search/
Here type the destination address by finding it from wireshark (2.88.12.41)
and press lookup
9. It will provide you the destination country for e.g. Saudi arabia,
Administrative contact and other details