HakTip 138 – Wireshark and Recognizing Exploits
This week on HakTip, Shannon pinpoints an exploitation using Wireshark.
Working on the shoulders of last week’s episode, this week we’ll discuss what exploits look like in Wireshark. The example I’m sharing is from Practical Packet Analysis, a book by Chris Sanders about Wireshark.
Our example capture shows what happens when a user visits a malicious site with a vulnerable version of Internet Explorer. This is called spear phishing. First, we have HTTP traffic on port 80. We notice a 302 Moved response from the malicious site, and the Location header it redirects to looks suspicious. Then a bunch of data gets transferred from the new site to the user. Click Follow TCP Stream. If you scroll down, you see gibberish that doesn’t make sense and an iframe script. In this case, it’s the exploit being sent to the user.
Scroll down to packet 21 and take a look at the .gif GET request. Lastly, follow packet 25’s TCP stream. This shows us a Windows command shell, and the attacker gaining admin privileges to view our user’s files. FREAKY. But now a network admin could use their intrusion detection system to set up a new alarm whenever an attack of this nature is seen.
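The redirect-then-payload pattern described above can be turned into a simple detection pass. This is an added example, not code from the episode or from Practical Packet Analysis; the HTTP exchanges are constructed (hostnames use the reserved .test TLD), and the two heuristics (an iframe sized to zero, a long run of non-printable bytes after an off-site redirect) are this example’s own assumptions about what the “gibberish and iframe” stream would look like.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpExchange:
    packet: int          # Wireshark packet number of the response
    host: str            # Host header of the request
    path: str
    status: int
    location: str = ""   # Location header of the response, if any
    body: str = ""       # decoded response body (the Follow TCP Stream view)


def host_of(url):
    """Extract the hostname from an absolute URL ("" if not absolute)."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


# Heuristics assumed by this example, not rules taken from the episode.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I)
GIBBERISH = re.compile(r"[^\x20-\x7e\r\n\t]{32,}")   # 32+ non-printable chars


def analyze_chain(exchanges):
    """Flag off-site redirects and suspicious bodies served by the redirect target."""
    findings = []
    redirected_to = set()
    for e in exchanges:
        target = host_of(e.location)
        if e.status in (301, 302, 303, 307) and target not in ("", e.host.lower()):
            redirected_to.add(target)
            findings.append((e.packet, "off-site redirect", target))
        elif e.host.lower() in redirected_to:
            if HIDDEN_IFRAME.search(e.body):
                findings.append((e.packet, "hidden iframe after redirect", e.host))
            if GIBBERISH.search(e.body):
                findings.append((e.packet, "binary-looking body after redirect", e.host))
    return findings


# Constructed sample modelled on the episode's 302 -> iframe -> .gif sequence.
SAMPLE = [
    HttpExchange(9, "www.example-news.test", "/", 302,
                 location="http://x7q.example-malicious.test/in.cgi?3"),
    HttpExchange(15, "x7q.example-malicious.test", "/in.cgi?3", 200,
                 body='<html><iframe src="/load.php" width=0 height=0></iframe>'
                      + "\x01\x02" * 20 + "</html>"),
    HttpExchange(21, "x7q.example-malicious.test", "/pic.gif", 200, body="GIF89a..."),
]

if __name__ == "__main__":
    for packet, reason, detail in analyze_chain(SAMPLE):
        print(f"packet {packet}: {reason} ({detail})")
```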
If someone is trying to do a MITM attack on a user, it might look like our next example capture. Packets 54 and 55 are just ARP packets being sent back and forth, but in packet 56 the attacker sends another ARP packet with a different MAC address for the router, thereby sending the user’s data to the attacker and then on to the router. Compare 57 to 40, and you see the same IP address but different MAC addresses for the destination. This is ARP cache poisoning.
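The “same IP, different MAC” comparison between packets 40 and 56/57 is exactly what an ARP-poisoning monitor automates. This is an added example, not code from the episode; the ARP packets below are constructed (addresses are made up, only the pattern matters), and the detector simply remembers the first MAC seen for each sender IP and alerts when a later reply claims a different one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    number: int        # Wireshark packet number
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def detect_arp_poisoning(packets):
    """Return (packet, ip, previously_seen_mac, new_mac) for every ARP reply
    that binds an already-known IP address to a different MAC address."""
    ip_to_mac = {}
    alerts = []
    for p in packets:
        if p.op != "reply":
            continue                       # only replies populate ARP caches
        known = ip_to_mac.get(p.sender_ip)
        if known is None:
            ip_to_mac[p.sender_ip] = p.sender_mac
        elif known != p.sender_mac:
            alerts.append((p.number, p.sender_ip, known, p.sender_mac))
            ip_to_mac[p.sender_ip] = p.sender_mac   # remember the latest claim
    return alerts


# Constructed sample modelled on the episode's packets 40, 54, 55 and 56.
ROUTER_IP, USER_IP = "192.168.0.1", "192.168.0.10"
ROUTER_MAC, USER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE = [
    ArpPacket(40, "reply", ROUTER_IP, ROUTER_MAC, USER_IP, USER_MAC),
    ArpPacket(54, "request", USER_IP, USER_MAC, ROUTER_IP, "00:00:00:00:00:00"),
    ArpPacket(55, "reply", ROUTER_IP, ROUTER_MAC, USER_IP, USER_MAC),
    ArpPacket(56, "reply", ROUTER_IP, ATTACKER_MAC, USER_IP, USER_MAC),
]

if __name__ == "__main__":
    for number, ip, old, new in detect_arp_poisoning(SAMPLE):
        print(f"packet {number}: {ip} changed from {old} to {new}")
```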
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
I don’t feel like “spear phishing” is the right word here, as that is a targeted phishing attack and I don’t see anything to imply that is the case here. This looks more like what I’d call a “drive by download” or “exploit kit activity.”
Why, when I watch your videos… all of them… is it red and green and offset? New to this site.
Call me a noob if you will. But I’m trying here to learn all the good stuff… but, and I repeat but, I can’t learn about that stuff when you stand in front of the information that you talk about, just like in this Hak5 video.