Wireshark and Recognizing Exploits

This week on HakTip, Shannon pinpoints an exploit using Wireshark.

Building on last week's episode, this week we'll discuss what exploits look like in Wireshark. The example I'm sharing is from Practical Packet Analysis, a book by Chris Sanders about Wireshark.

Our example packet capture shows what happens when a user visits a malicious site using a bad version of IE. This is called spear phishing. First, we have HTTP traffic on port 80. We notice there is a 302 Moved response from the malicious site, and the Location is all sorts of weird. Then a bunch of data gets transferred from the new site to the user. Click Follow TCP Stream. If you scroll down, you see some weird gibberish that doesn't make sense and an iframe script. In this case, it's the exploit being sent to the user.

Scroll down to packet 21 and take a look at the .gif GET request. Lastly, follow packet 25's TCP stream. This shows us a Windows command shell, and the attacker gaining admin privileges to view our user's files. FREAKY. But now a network admin could use their intrusion detection system to set up a new alarm whenever an attack of this nature is seen.

If someone is trying to do a MITM attack on a user, it might look like our next example packet capture. Packets 54 and 55 are just ARP packets being sent back and forth, but in packet 56 the attacker sends another ARP packet with a different MAC address for the router, thereby sending the user's data to the attacker and then to the router. Compare packet 57 to packet 40, and you see the same IP address but different MACs for the destination. This is ARP cache poisoning.
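
The same comparison can be automated as an alarm. This is an added example, not code from the episode or the book: it parses raw Ethernet/ARP frames and flags any sender IP that shows up with a MAC different from the one first seen for it. The frames, MAC addresses and IP addresses are constructed; only the packet numbers 54 to 56 follow the text.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def find_arp_conflicts(frames):
    """Return (packet_no, ip, first_seen_mac, new_mac) for each conflicting claim."""
    first_seen, alerts = {}, []
    for number, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip = parsed
        if sender_ip == "0.0.0.0":          # ARP probe: no binding claimed
            continue
        # The first MAC seen for an IP is the baseline; a real NIC swap needs a reset.
        known = first_seen.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((number, sender_ip, known, sender_mac))
    return alerts

def build_arp(oper, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed Ethernet+ARP frame for the sample below (never sent)."""
    s, d = bytes.fromhex(src_mac.replace(":", "")), bytes.fromhex(dst_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += s + socket.inet_aton(src_ip) + d + socket.inet_aton(dst_ip)
    return (b"\xff" * 6 if oper == 1 else d) + s + b"\x08\x06" + arp

# Constructed sample: addresses are made up, packet numbers follow the text.
USER, ROUTER, ATTACKER = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01", "de:ad:be:ef:00:02"
SAMPLE = [
    (54, build_arp(1, USER, "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1")),
    (55, build_arp(2, ROUTER, "192.168.0.1", USER, "192.168.0.10")),
    (56, build_arp(2, ATTACKER, "192.168.0.1", USER, "192.168.0.10")),
]

if __name__ == "__main__":
    for no, ip, old, new in find_arp_conflicts(SAMPLE):
        print(f"packet {no}: {ip} changed from {old} to {new}")
```

In Wireshark itself, the display filter `arp.duplicate-address-detected` highlights the same condition.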

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.