Wireshark and Encrypted Traffic


Difficulty
Intermediate
Video Transcription
00:00
Wireshark and encrypted traffic.
00:03
We only have one learning objective here, which is to understand the difference between encrypted traffic and unencrypted traffic when using Wireshark, or while using Wireshark. So why is this important? Well, as an attacker, we want to know again what our tools do. And if I'm using Netcat in a pen test and I am exfiltrating data, um, I'm doing everything in the clear. A defender can see exactly what data I'm exfiltrating, which
00:26
of course is bad. So it's important to know what our tools do, and a tool that's like Netcat is socat. So in the new PWK material that came out last year, they are now introducing socat. socat's been out longer, of course, than that. But the tool is like Netcat, a bit more versatile
00:45
And it's a little bit harder to learn how to use. Now we can see here, I'm creating a reverse shell on port 22
00:53
from my Windows box connecting to my Kali box. And here is the syntax, again not as easy to learn as Netcat.
01:02
So if we look at our packet capture in Wireshark, we can see the commands that have been issued, so we can see the whoami command, the ipconfig command, and the output from those commands. And if we look at the actual terminal windows on my Kali box, we see we have that listener set up on port 22, that connection, and then of course I'm issuing those commands
01:21
and on my Windows box, you know, I'm using socat.exe to, then, you know, to connect to my Kali box. So that's to say
01:29
we're busted, because port 22 is supposed to be SSH, it's supposed to be encrypted traffic. So a defender would very quickly pick up what we're doing.
01:38
Now, as far as OSCP is concerned, you know, I wouldn't really worry about that, but that's to say, you know, if we are connecting to, um, HTTPS, we're not gonna be able to see the traffic that we're generating because it's going to be encrypted. So trying to debug something where encryption's involved is gonna be a lot harder for us.
01:57
Now, we can also use socat to encrypt our traffic as well.
02:01
Um, so here is the syntax here. Again, if you have the PWK or PEN-200 materials, they kind of walk you through this.
02:09
But again, here's our packet capture, this time using encryption, and again we have no idea what's going on here because we're using encryption.
02:19
So we have our listener, uh, set up here, um, on our Kali box. And
02:27
we're now connecting to it from, uh, from my host. So I'm issuing the id command, the ifconfig command, and I'm not seeing any of that output.
02:38
So I want to show you this, uh, hands-on. So let's just use our localhost here. So what I'm gonna do is create a Netcat listener
02:47
and
02:50
Netcat, nc.
02:52
And I'm going to do that on port
02:57
12345.
03:00
Now here I'm going to use Netcat
03:05
and I am going to
03:07
connect locally
03:10
12345.
03:15
And I'm just going to say hi
03:17
how are you?
03:24
And we will stop here, and let's take a look at Wireshark.
03:30
So I right click and I follow the TCP stream.
03:34
I can see everything in the clear here: hi, how are you?
03:38
So that's to say, when using Netcat I can see exactly what is going on. Let's try this again.
03:46
But this time, we're not gonna use socat, we're gonna use
03:51
ncat, which is made by our friends at Nmap.
03:57
So what we'll do now is we will
04:00
capture again
04:01
and I'll do ncat.
04:06
That's where we'll connect to. And here I'll do ncat again.
04:12
I'm gonna listen on port 12345 using SSL.
04:16
And here I'm going to connect using SSL,
04:20
so again, hi,
04:24
how are you?
04:29
So I'll stop this capture and I will do the same thing
04:33
and now I can't see anything. So using SSL here with ncat,
04:38
um, we now can't see what's going on.
04:42
Hopefully that practical example makes sense for you.
04:48
So in summary, now we should understand the difference between encrypted traffic and unencrypted traffic using Wireshark.