1
00:00:00,080 --> 00:00:03,500
So let's examine the packets and protocols with Wireshark.

2
00:00:03,770 --> 00:00:10,100
Wireshark is free and open source, and it's the world's foremost network packet analyzer.

3
00:00:10,100 --> 00:00:14,450
And it's also the de facto standard across system and network administrators.

4
00:00:14,480 --> 00:00:21,140
Wireshark has the ability to listen and record traffic as well as contain some pretty advanced filtering

5
00:00:21,140 --> 00:00:22,430
and reviewing options.

6
00:00:22,980 --> 00:00:30,780
So first I'm going to visit an HTTP website and then an HTTPS website.

7
00:00:32,380 --> 00:00:34,690
Let's go to Kali and run Wireshark.

8
00:00:35,650 --> 00:00:39,130
You can open a terminal screen and type wireshark to start it.

9
00:00:40,650 --> 00:00:45,150
So these are the network interfaces that Wireshark is able to listen to.

10
00:00:46,030 --> 00:00:52,180
You open another terminal screen and run the ifconfig command to see the network interfaces.

11
00:00:52,420 --> 00:00:59,740
So as you know, ifconfig stands for network interface configuration, so if we use the command without

12
00:00:59,740 --> 00:01:03,550
any parameter, it will list all the interfaces available.

13
00:01:04,480 --> 00:01:08,020
We have eth0 as a network interface to listen to.

14
00:01:09,190 --> 00:01:14,620
So now I'll turn back to Wireshark and double-click eth0 to select it.

15
00:01:15,380 --> 00:01:19,730
Now Wireshark starts to listen to the Ethernet interface of Kali.

16
00:01:20,480 --> 00:01:26,300
And to create some traffic, I'll open a web browser and just visit an arbitrary website.

17
00:01:36,500 --> 00:01:38,510
And now we have enough packets to examine.

18
00:01:38,510 --> 00:01:44,150
So I'll click the stop button at the upper left corner of Wireshark to stop listening to the traffic.

19
00:01:44,240 --> 00:01:51,080
So first we have some DNS packets to find out the IP address of the visited site.

20
00:01:51,290 --> 00:01:56,850
We'll look at these kinds of packets soon, but right now let's just have a brief look.

21
00:01:56,870 --> 00:02:00,890
So a DNS query for the IP version 4.

22
00:02:01,690 --> 00:02:04,930
Another DNS query for IP version 6.

23
00:02:04,960 --> 00:02:06,550
Don't worry about the versions right now.

24
00:02:06,550 --> 00:02:08,440
We'll cover them soon, I promise.

25
00:02:08,770 --> 00:02:15,160
These DNS queries are transferred as UDP packets in the transport layer.

26
00:02:15,190 --> 00:02:17,710
The destination port is 53.

27
00:02:18,290 --> 00:02:23,300
This is the IP packet with the source and the destination IP addresses.

28
00:02:23,850 --> 00:02:31,060
So we'll go through the layers one by one and we'll see all these packets, datagrams and frames in detail.

29
00:02:31,080 --> 00:02:32,430
So we'll keep going.

30
00:02:33,640 --> 00:02:36,820
This is the structure of the Ethernet frame.

31
00:02:41,120 --> 00:02:46,470
First, there are two DNS queries for www Hacker Academy UK.

32
00:02:47,180 --> 00:02:53,120
One for the IPv4 address and the other one is for the IPv6 address.

33
00:02:53,120 --> 00:03:00,650
And because the website is redirected to Hacker Academy UK, there are two more DNS requests for this

34
00:03:00,650 --> 00:03:01,370
address.

35
00:03:02,330 --> 00:03:06,350
The next DNS packets are the DNS query responses.

36
00:03:06,380 --> 00:03:12,200
This response is type A, that means it's an answer for the IPv4 request.

37
00:03:12,810 --> 00:03:14,460
And here's the answer.

38
00:03:14,700 --> 00:03:16,680
The IP address of the website.

39
00:03:18,500 --> 00:03:27,050
Now the DNS response packet uses UDP at the transport layer, IP at the network layer, etcetera.

40
00:03:27,900 --> 00:03:32,760
Here we have a TCP handshake between Kali and the web server.

41
00:03:32,790 --> 00:03:35,520
We'll also see this in detail later on.

42
00:03:36,780 --> 00:03:38,070
A SYN packet.

43
00:03:38,220 --> 00:03:44,100
A SYN-ACK as a reply and an ACK packet to complete the handshake.

44
00:03:45,760 --> 00:03:49,360
This is an HTTP GET request.

45
00:03:49,660 --> 00:03:55,780
We learned the IP address of the website and now the system is ready to receive the web page.

46
00:03:57,490 --> 00:04:00,670
HTTP protocol in the application layer.

47
00:04:01,120 --> 00:04:04,750
Now you can see the headers and the parameters of the request.

48
00:04:06,090 --> 00:04:08,620
TCP protocol in the transport layer.

49
00:04:08,640 --> 00:04:10,800
Source port, destination

50
00:04:10,800 --> 00:04:12,870
port, flags, etcetera.

51
00:04:14,090 --> 00:04:16,579
IP protocol in the network layer.

52
00:04:17,560 --> 00:04:20,560
Here are the source and destination addresses.

53
00:04:21,620 --> 00:04:24,200
And the Ethernet frame in layer two.

54
00:04:25,870 --> 00:04:31,030
These are the TCP packets which will build the HTTP response.

55
00:04:31,030 --> 00:04:33,670
So in this example, it's the web page.

56
00:04:33,700 --> 00:04:40,390
In other words, the response is transferred between the web server and our system as fragmented packets

57
00:04:40,390 --> 00:04:41,860
in the transport layer.

58
00:04:43,960 --> 00:04:46,030
Here's the HTTP response.

59
00:04:46,030 --> 00:04:46,850
200 OK.

60
00:04:46,870 --> 00:04:52,600
So the web page is received and here's the data, which is our web page.

61
00:04:53,830 --> 00:04:58,780
These are the response details, response type, headers, etcetera.

62
00:05:00,870 --> 00:05:01,380
Here

63
00:05:01,380 --> 00:05:08,010
there's additional information produced by Wireshark which says that the HTTP response is created by

64
00:05:08,010 --> 00:05:11,820
reassembling five TCP segments or packets.

65
00:05:12,350 --> 00:05:19,370
So now I'd like to show you the difference between that and HTTPS traffic.

66
00:05:20,480 --> 00:05:24,770
So I'll go to the browser and visit an HTTPS page now.

67
00:05:26,010 --> 00:05:29,160
But before visiting the page, let's start Wireshark.

68
00:05:29,340 --> 00:05:30,870
Here's the start button.

69
00:05:31,050 --> 00:05:32,640
Continue without saving.

70
00:05:34,310 --> 00:05:36,200
Okay, now we have a clean sheet.

71
00:05:36,810 --> 00:05:39,360
So I'll go to the browser and hit enter.

72
00:05:39,450 --> 00:05:39,900
Wow.

73
00:05:39,930 --> 00:05:41,640
Lots of packets in milliseconds.

74
00:05:41,640 --> 00:05:44,430
So we've got plenty of packets to investigate.

75
00:05:44,430 --> 00:05:46,380
Just click the stop button once again.

76
00:05:47,370 --> 00:05:51,150
Okay, so the DNS request and the response packets.

77
00:05:51,150 --> 00:05:55,830
First here is a response with an IPv4 address.

78
00:05:57,420 --> 00:06:04,590
Here there is a TCP three-way handshake between Kali and port 443 of Google's web server.

79
00:06:05,310 --> 00:06:06,500
And now a Client

80
00:06:06,510 --> 00:06:07,100
Hello

81
00:06:07,110 --> 00:06:12,810
TLS packet to start the TLS handshake, again between Kali and the Google server.

82
00:06:13,920 --> 00:06:16,830
Now, to get rid of the other traffic records,

83
00:06:16,830 --> 00:06:22,230
I'd like to filter the results by the IP address of the Google server.

84
00:06:23,130 --> 00:06:30,840
Now, while the mouse pointer is on the server IP address, right-click and go to Apply as Filter and

85
00:06:30,840 --> 00:06:33,240
select the Selected option.

86
00:06:34,050 --> 00:06:41,100
So as you can see here in the filter bar, the IP address is assigned as the destination IP address.

87
00:06:41,340 --> 00:06:48,750
Now we only see the traffic where the destination is the Google server, but we'd like to

88
00:06:48,750 --> 00:06:57,360
see both the incoming and the outgoing traffic, so I'll change the dst part of the filter to addr and

89
00:06:57,360 --> 00:06:59,940
click the blue arrow to activate the new filter.

90
00:07:00,060 --> 00:07:03,090
Now we can see the traffic in both directions.

91
00:07:04,100 --> 00:07:08,210
Okay, so here we are at the Hello TLS message.

92
00:07:09,020 --> 00:07:10,940
Here are the details of the message.

93
00:07:11,190 --> 00:07:15,470
TLS uses the TCP protocol in the transport layer.

94
00:07:16,040 --> 00:07:18,610
The Google server replies with a Server

95
00:07:18,620 --> 00:07:22,520
Hello message as the second step of the TLS handshake.

96
00:07:23,240 --> 00:07:28,250
Then come the Certificate and Server Key Exchange, and the Server

97
00:07:28,250 --> 00:07:28,640
Hello

98
00:07:28,640 --> 00:07:30,860
Done message is sent by the server.

99
00:07:32,200 --> 00:07:34,590
Kali sends the Client Key Exchange.

100
00:07:34,600 --> 00:07:37,300
The Google server sends a New Session Ticket.

101
00:07:38,170 --> 00:07:41,080
And the encrypted communication starts.

102
00:07:43,140 --> 00:07:48,180
Here is some encrypted application data, which is meaningless for others who listen to the traffic.

103
00:07:49,510 --> 00:07:54,010
And as you can see here, the message is encrypted at the application layer.

104
00:07:54,310 --> 00:07:59,230
So you can still see the source and the destination addresses, the ports, etcetera.