Weaponizing Wireshark

00:00

weaponizing wire shark

00:03

are learning objectives. To understand how to weaponize wire shark packet captures as well as exploiting a host identified with the vulnerability via wire shark. This is the fun stuff here.

00:14

So we've seen from the blue team side of the defenders side, what we can do with packet captures, how if an attacker is not using an encryption, how we can see exactly what they're doing or data, their exfil trading or commands they're running on our victim hosts. Now, let's look at this from the attacker perspective.

00:34

So we're looking at things like client side attacks here and I'm not going to give anything away about P. W. K. The labs or um Oh SCP. But you know, a lot of these vulnerabilities are server side vulnerabilities that we may see

00:49

um on victim host. Now we're actually looking at interacting with a live person, a client, someone who's visiting a website. And we want to see if we can exploit them.

01:00

So in order to do that, we need to look for things like user agent strings, which we saw before, um where the person where we as the attacker printing a user agent string with end map scripting engine.

01:11

Now we're gonna kind of flipped that. And let's say we're intercepting packets over a wire. Maybe we're sniffing packets. Um of course, legally over over wifi, something like that. Or we have our own server and we're having victims visit our server. So we can see what kind of browser they're using. And you'll hear this referred to as

01:32

drive by downloads. So if someone is using a browser that has a vulnerability in it,

01:36

maybe a remote code execution vulnerability, we as the attacker can compromise their system simply by them going to are controlled website.

01:46

So of course there's some fishing involved in that.

01:49

But for example, let's say we have a victim and we we've enticed the victim to go to our website and we're using wire shark to intercept packets.

01:59

So you'll see here the victim visited our site and you'll see the protocol is http, which means we can see it. It's a clear text protocol. It's not H T P s

02:07

and we get their user agent string. Now, google is our friend

02:12

And using Google. We're looking at their user Agent string and it comes back to Internet explorer 8.0, now, realistically, I don't know who's using Internet explorer 8.0, anymore, but here our victim unfortunately for them is using that.

02:24

And again, I'm using a google search here and I find a way to exploit this host.

02:35

So we're going to do now in my Cali vm

02:38

is I'm gonna use medicine, medicine plate framework and you can see here, have a whole lot of options already set, but I'm just gonna launch the municipal IT framework using a module and I'll show you what the info says here,

02:52

but I'm gonna run this

02:53

and it's going to set up a server that I can control. And of course we have to have some fishing involved here

02:59

or maybe we have a cross site scripting vulnerability where we have a victim visit a page and it redirects them to our page.

03:07

But this exploit as you can see, takes advantage of the initialize and script. Activex controls not mark safe for scripting a whole lot of good information here. And you can see just running info. Running info on this module will give us a whole lot of information on what this does.

03:24

So now you can see here that we have

03:28

our server running um port 80 80 and the end point evil. Of course there's a little bit of realism that that is not here. But uh for our sake, we're waiting for the victim to visit this end point. You know, maybe we've emailed them said they could win a whole lot of money.

03:45

So what we're hoping now is that the victim goes to our website. So it's kind of a waiting game at this point.

03:53

So I'm going to wait for our victim and hope that they go to our website

04:00

and we see here that they did.

04:03

Now you'll see uh Medicine Floyd is this module is doing a lot of stuff, It's sending html response.

04:11

We can see the requests were received as setting the exploit.

04:14

It's sending the stage and we can see um interpreter session is open now,

04:18

you know, this is far advanced, Far more advanced and for later in the course, but I want to show you what these drive by download attacks are and how having someone simply go to our website.

04:30

We can now go to this session

04:33

session one.

04:35

I can open up a shell

04:40

and I can see that I am now on the victim's desktop.

04:44

So that's to say that simply by using Wire shark and looking at user agent strings, we can set up an attack to compromise a victim,

04:55

a client side attack to compromise a victim who simply visits our website with an outdated browser.

05:03

So the bottom line here is why our shark is great to use both offensively and defensively. The defensively we've seen as an attacker, how we can use it, how we can view our tools, how we can debug issues with our tools. And we can see defensively how

05:18

the defenders can see our attacks as Attackers if we don't obfuscate or hide our tracks more carefully.

05:26

Um

05:27

so that's to say that,

05:29

you know, the ultimate prize for us, as Attackers is being able to uh do some kind of drive by, download um vulnerable or take advantage of a drive by download vulnerability, so we can compromise victims with a client side attack.

05:45

Mhm.