Basic forensics using Wireshark
Wireshark is a free, open-source, packet analyzer that can be used both to capture packets and to read packet captures. Now this may sound like no big deal, so what if you can see some
packets on the network right? Not at all, using wireshark you are able to intercept passwords, re-create files that were transferred so that you know what the file is, even read emails that
were sent while Wireshark was running. It is also used to identify network performance issues to help decrease lag across your network.
Sound a bit more useful now?
Contents in this tutorial:
1. Setting up Wireshark-A few things to do
2. What does this mean? How to read a packet
2.5 Interesting packets, packets that mean something
3. TCP Stream
4. Extracting Data
5. Not Wireshark-But we have to finish!
6. In closing
Download the packet we will be using the this tutorial: Here.
1. Setting up Wireshark
This is assuming you have wireshark installed and have a capture file to examine. Feel free to download the capture provided with this tutorial so that you can follow along.
First things first, after opening it up you see something like this:
Now starting from the left we have different columns that we can use to help us sort through all of this info. In order to read packets better you should go to Edit > Preferences > Columns and add Destination Port (unresolved) as a column. That tells us which port the packet is connecting on, 25 for smtp, 80 for http, and so on. This will help you identify what's going on and if a program is connecting through the correct port. Not so useful in the confines of this example packet or tutorial, but definitely worth having farther down the road. Feel free to sort the columns into whatever order you prefer, though personally i think it's helpful to keep the NO. column on the left. Please do so for this tutorial as I will be referencing packets by number.
2. How to Read a Packet
Now that we have our packets opened up, we'll sort them by number in descending order. Referring to the image above you can see that wireshark gives us a lot of info about each packet. The source and destination IP's tell you whether the packet came from the host (your computer for example) or the server/computer/website your connecting to. If we look at packet one, we see that our host is 192.168.0.150 and our destination is 192.168.0.100. From that alone we can tell that these two computers are on the same network, and assuming the subnetmask is 255.255.255.0 (the most common on home networks) then we can tell they are on the same subnet within the network. For a more detailed explanation check out "Networking-The Basics" - Part 1 - Here, Part 2 - Here or Here.
The next columns we see are the destination port, and the protocol. The destination port tells you what port the packet went through, which if you use the list of ports found Here can tell you a lot about the program being used. Again, not so useful within our example capture however. The protocol column tells you what protocol it's using:
-TCP is the protocol that controls any inter-electronics communication, it uses a 3 way handshake using SYN, SYN/ACK, and ACK packets to talk and is it's own tutorial by itself. Just know that it exists, and is SUPER important to how computers talk to each other. For more info, Here.
-FTP is used for file sharing
-SMTP is used for email.
-HTTP is used for web browser's
For a full list of protocols check Here. This tutorial is mostly concerned with the SMTP protocol in our capture file.
The final two columns are length and info, length tells you how large the packet is in bytes and info tells you all the juicy stuff. Just take a minute to scroll through and see what's going on in the Info column. Idk how to explain it, it just makes enough sense if you read english so that you can tell whether or not it's worth looking at (at least it does for me)
2.5 Interesting packets
Lets take a quick look at a few interesting packets, and why I consider them interesting:
This one has the word login. Need I say more? In this case it's not so important, but LOGIN is always worth looking out for
This one has the word telnet, the original computer to computer protocol. And telnet is never encrypted
Again though, not important in this tutorial, but always worth looking out for.
Ah ha! Mail From. That's what were looking for
Now lets look at the surrounding packets so we can see what all is going on here.
So from this block of packets, we can see that an email was sent from <root@localhost.local> to <postmaster@localhost.local> (both machines are on the same network remember)
Now that we have identified what we're looking for, time for the next step....
3. TCP Stream
Next step is to view the TCP stream, right click on any of those packets in that SMTP block and go to follow tcp stream. This also applies a filter to the top of your main wireshark screen which you need to clear after your finished reading the TCP Stream in order to get back to the entire capture. More on that later.
You should see a screen like this:
What's that? a backup password?? Must be important, take note of it.
4. Extracting Data
Now we continue looking through our stream, however instead of looking through the whole thing again for interesting packets, lets sort by source type and scroll down to the SMTP protocols.
Don't forget to clear your filter!
All those packets labeled data fragment? That means that data was sent over the SMTP protocol, in other words an attachment of some sort. Now don't stress just because it says fragment, it's sent in fragments but our trusty Follow TCP Stream will show us the whole thing. Right click on one of those packets and follow the stream.
Unfortunately it's not sent in plain text like the message earlier. But if it's not in plain text then how does the recipient know how to view the file? Is it some super secret code he knows? Negative. The secret lies right here:
The encoding is Base64. Now this could mean many things, and if your first guess is to use a Base 64 decoder online then you wouldn't be the only one. However that won't work, as this isn't some algorithm but rather a way for the computer to translate the attachment into data that can then be interpreted into Binary and sent over the network. So rather than decoding, we simply hit Save As. in any folder you like, any name you like.
Another good guess would be to then open this file by right clicking > open with > 7zip (or your preferred unzipping program) as the file was labeled Backup.rar (right above where the encoding was) and .rar is the extension for zipped files. Again though, this won't work. The thing to remember is that this packet was sent by email, and in order for an email client to do that it first has to convert the data into a form that the client can read. So that confusing block of text that looked like a super secret code? is actually how the client interprets the computers interpretation of the data.
Confusing to read, but a simple solution. Open this file in an email client!! (i used Thunderbird, not sure if it will work on hotmail or any web-based email program. but just open it with Outlook if your on windows) However, you cant do an open with > thunderbird or your client will read it as an attachment. When in fact it's a saved message. Instead open up your client and go to file > open saved message. Make sure you have all files selected instead of saved message, then select your extracted file:
Open it up and we have a blank message, with an attachment called backup.rar!!! Save that attachment, and then run 7zip (or whatever you use) to extract the files from that .rar file and you will be prompted for a password. Remember the first SMTP protocol packets that we looked at? Try typing in that password, and voi la!!! We have the files! Congratulations, you have just completed your first attempt at forensics using Wireshark.
These files are worthless btw, don't spend 10 mins trying to read something important out of them
6. In closing
Wireshark is one hell of a program, I fell in love with the simple GUI and the readability of it. I also find it extremely simple to use, and while there are many other packet capture programs out there, I won't be switching anytime soon. If you want practice with it, simply start a capture and connect to the internet or send an email then save the capture and try to see what info you can extract from it (FB uses an SSL so you won't be grabbing plain text login info. sorry to dissapoint ) Or check out sites with hacking challenges and attempt to do their forensics challenges, it's good practice.
Also, big thanks to RedBullAddicted who helped me learn how to use Wireshark and continues to help me better understand networking and protocols. And thanks to you for reading this tutorial, perhaps as I become more comfortable/fluent with Wireshark I will write a more advanced guide that covers the complexities of this program.
Enjoy :)
Wireshark is a free, open-source, packet analyzer that can be used both to capture packets and to read packet captures. Now this may sound like no big deal, so what if you can see some
packets on the network right? Not at all, using wireshark you are able to intercept passwords, re-create files that were transferred so that you know what the file is, even read emails that
were sent while Wireshark was running. It is also used to identify network performance issues to help decrease lag across your network.
Sound a bit more useful now?
Contents in this tutorial:
1. Setting up Wireshark-A few things to do
2. What does this mean? How to read a packet
2.5 Interesting packets, packets that mean something
3. TCP Stream
4. Extracting Data
5. Not Wireshark-But we have to finish!
6. In closing
Download the packet we will be using the this tutorial: Here.
1. Setting up Wireshark
This is assuming you have wireshark installed and have a capture file to examine. Feel free to download the capture provided with this tutorial so that you can follow along.
First things first, after opening it up you see something like this:
Now starting from the left we have different columns that we can use to help us sort through all of this info. In order to read packets better you should go to Edit > Preferences > Columns and add Destination Port (unresolved) as a column. That tells us which port the packet is connecting on, 25 for smtp, 80 for http, and so on. This will help you identify what's going on and if a program is connecting through the correct port. Not so useful in the confines of this example packet or tutorial, but definitely worth having farther down the road. Feel free to sort the columns into whatever order you prefer, though personally i think it's helpful to keep the NO. column on the left. Please do so for this tutorial as I will be referencing packets by number.
2. How to Read a Packet
Now that we have our packets opened up, we'll sort them by number in descending order. Referring to the image above you can see that wireshark gives us a lot of info about each packet. The source and destination IP's tell you whether the packet came from the host (your computer for example) or the server/computer/website your connecting to. If we look at packet one, we see that our host is 192.168.0.150 and our destination is 192.168.0.100. From that alone we can tell that these two computers are on the same network, and assuming the subnetmask is 255.255.255.0 (the most common on home networks) then we can tell they are on the same subnet within the network. For a more detailed explanation check out "Networking-The Basics" - Part 1 - Here, Part 2 - Here or Here.
The next columns we see are the destination port, and the protocol. The destination port tells you what port the packet went through, which if you use the list of ports found Here can tell you a lot about the program being used. Again, not so useful within our example capture however. The protocol column tells you what protocol it's using:
-TCP is the protocol that controls any inter-electronics communication, it uses a 3 way handshake using SYN, SYN/ACK, and ACK packets to talk and is it's own tutorial by itself. Just know that it exists, and is SUPER important to how computers talk to each other. For more info, Here.
-FTP is used for file sharing
-SMTP is used for email.
-HTTP is used for web browser's
For a full list of protocols check Here. This tutorial is mostly concerned with the SMTP protocol in our capture file.
The final two columns are length and info, length tells you how large the packet is in bytes and info tells you all the juicy stuff. Just take a minute to scroll through and see what's going on in the Info column. Idk how to explain it, it just makes enough sense if you read english so that you can tell whether or not it's worth looking at (at least it does for me)
2.5 Interesting packets
Lets take a quick look at a few interesting packets, and why I consider them interesting:
This one has the word login. Need I say more? In this case it's not so important, but LOGIN is always worth looking out for
This one has the word telnet, the original computer to computer protocol. And telnet is never encrypted
Again though, not important in this tutorial, but always worth looking out for.Ah ha! Mail From. That's what were looking for
Now lets look at the surrounding packets so we can see what all is going on here.
So from this block of packets, we can see that an email was sent from <root@localhost.local> to <postmaster@localhost.local> (both machines are on the same network remember)
Now that we have identified what we're looking for, time for the next step....
3. TCP Stream
Next step is to view the TCP stream, right click on any of those packets in that SMTP block and go to follow tcp stream. This also applies a filter to the top of your main wireshark screen which you need to clear after your finished reading the TCP Stream in order to get back to the entire capture. More on that later.
You should see a screen like this:
What's that? a backup password?? Must be important, take note of it.
4. Extracting Data
Now we continue looking through our stream, however instead of looking through the whole thing again for interesting packets, lets sort by source type and scroll down to the SMTP protocols.
Don't forget to clear your filter!
All those packets labeled data fragment? That means that data was sent over the SMTP protocol, in other words an attachment of some sort. Now don't stress just because it says fragment, it's sent in fragments but our trusty Follow TCP Stream will show us the whole thing. Right click on one of those packets and follow the stream.
Unfortunately it's not sent in plain text like the message earlier. But if it's not in plain text then how does the recipient know how to view the file? Is it some super secret code he knows? Negative. The secret lies right here:
The encoding is Base64. Now this could mean many things, and if your first guess is to use a Base 64 decoder online then you wouldn't be the only one. However that won't work, as this isn't some algorithm but rather a way for the computer to translate the attachment into data that can then be interpreted into Binary and sent over the network. So rather than decoding, we simply hit Save As. in any folder you like, any name you like.
Another good guess would be to then open this file by right clicking > open with > 7zip (or your preferred unzipping program) as the file was labeled Backup.rar (right above where the encoding was) and .rar is the extension for zipped files. Again though, this won't work. The thing to remember is that this packet was sent by email, and in order for an email client to do that it first has to convert the data into a form that the client can read. So that confusing block of text that looked like a super secret code? is actually how the client interprets the computers interpretation of the data.
Confusing to read, but a simple solution. Open this file in an email client!! (i used Thunderbird, not sure if it will work on hotmail or any web-based email program. but just open it with Outlook if your on windows) However, you cant do an open with > thunderbird or your client will read it as an attachment. When in fact it's a saved message. Instead open up your client and go to file > open saved message. Make sure you have all files selected instead of saved message, then select your extracted file:
Open it up and we have a blank message, with an attachment called backup.rar!!! Save that attachment, and then run 7zip (or whatever you use) to extract the files from that .rar file and you will be prompted for a password. Remember the first SMTP protocol packets that we looked at? Try typing in that password, and voi la!!! We have the files! Congratulations, you have just completed your first attempt at forensics using Wireshark.
These files are worthless btw, don't spend 10 mins trying to read something important out of them
6. In closing
Wireshark is one hell of a program, I fell in love with the simple GUI and the readability of it. I also find it extremely simple to use, and while there are many other packet capture programs out there, I won't be switching anytime soon. If you want practice with it, simply start a capture and connect to the internet or send an email then save the capture and try to see what info you can extract from it (FB uses an SSL so you won't be grabbing plain text login info. sorry to dissapoint ) Or check out sites with hacking challenges and attempt to do their forensics challenges, it's good practice.
Also, big thanks to RedBullAddicted who helped me learn how to use Wireshark and continues to help me better understand networking and protocols. And thanks to you for reading this tutorial, perhaps as I become more comfortable/fluent with Wireshark I will write a more advanced guide that covers the complexities of this program.
Enjoy :)
No comments:
Post a Comment