HakTip 138 – Wireshark and Recognizing Exploits

This week on HakTip, Shannon pinpoints an exploitation using Wireshark.

Download HD | Download MP4

Working on the shoulders of last week’s episode, this week we’ll discuss what exploits look like in Wireshark. The example I’m sharing is from Practical Packet Analysis, a book by Chris Sanders about Wireshark.

Our example packet shows what happens when a user visits a malicious site using a bad version of IE. This is called spear phishing. First, we have HTTP traffic on port 80. We notice there is a 302 moved response from the malicious site and the location is all sorts of weird. Then a bunch of data gets transferred from the new site to the user. Click Follow TCP Stream. If you scroll down, you see some weird gibberish that doesn’t make sense and an iframe script. In this case, it’s the exploit being sent to the user.

Scroll down to packet 21 and take a look at the .gif GET request. Lastly, Follow packet 25’s TCP Stream. This shows us a windows command shell, and the attacker gaining admin priveledges to view our user’s files. FREAKY. But now a network admin could use their intrusion detection system to set up a new alarm whenever an attack of this nature is seen.

If someone is trying to do a MITM attack on a user, it might look like our next example packet. 54 and 55 are just ARP packets being sent back and forth, but in packet 56 the attacker sends another ARP packet with a different MAC address for the router, thereby sending the user’s data to the attacker then to the router. Compare 57 to 40, and you see the same IP address, but different macs for the destination. This is ARP cache Poisoning.

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.


  • Esteban

    I don’t feel like “spear phishing” is the right word here, as that is a targeted phishing attack and I don’t see anything to imply that is the case here. This looks more like what I’d call a “drive by download” or “exploit kit activity.

  • want to learn

    call me a noob if you will. But im trying here to learn all the good stuff…. but .and i repeat but i cant learn about that stuff when you stand in front of the infomation that you talk about just like in this hak5 video
    HakTip 138 – Wireshark and Recognizing Exploits

  • NeectnitTut

    Ideally the cash would be for an emergency
    because you will must pay the credit back on your next payday, so unless it’s something that could’t wait until then don’t get a cash
    advance NeectnitTut for such consumers, they are often the 1st among their family
    or friends who’ve entered right into a long-term contract which has a financial institution.

  • HVAC Simi Valley

    I’m really impressed with your writing skills as well as with the layout on your weblog.

    Is this a paid theme or did you customize it yourself?
    Either way keep up the excellent quality writing,
    it’s rare to see a great blog like this one nowadays.

  • software will eat the world

    As an outcome of the, it requires a greater manipulated
    risk resulting within the rise of rates software will eat the world if you are thinking excessive lately of the problematic
    refinance, home loan arrears, or the drastic rise in rates
    of interest, you’re a sitting duck for the short attention span.

  • palace casino

    Also, it’s possible to have high amounts of country risk
    with good numbers of indebtedness as well as an unstable financial
    system nevertheless retain fairly satisfying amounts of political stability palace casino conversely, accelerate losses towards the year of application.

  • CharleenCRuzicki

    Whats up this is somewhat of off topic but I was wanting to know if blogs
    use WYSIWYG editors or if you have to manually code with
    HTML. I’m starting a blog soon but have no coding
    knowledge so I wanted to get guidance from someone with
    experience. Any help would be greatly appreciated!

  • cheap pandora charms uk

    Hi there, I am Melvin but it is not essentially
    the most masculine full name. Her friends say it’s unhealthy for her but
    what she loves doing is carry out magic but she is struggling inside your time
    for this. Some time ago I decided i would live in Wyoming and my family loves this particular.
    Debt collecting recently been her profession for a moment.
    She’s not good at design but you might even check her website:
    cheap pandora charms uk

  • Susannah

    Visit us for our specialist pointers at Free Access To Death
    Records. This is done by using the Hughesnet Download Manager.
    However, a blog can ping the search engine several times a day without risk of being banned.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>