1
00:00:01,160 --> 00:00:06,570
In this lecture we're going to talk about a tool called Wireshark. Wireshark is a network protocol

2
00:00:06,630 --> 00:00:07,680
analyzer.

3
00:00:07,770 --> 00:00:14,160
It's not designed for hackers and it's not designed for hacking and spying on other people on the network.

4
00:00:14,160 --> 00:00:19,170
It's designed for network administrators so that they can see what's happening in their network and

5
00:00:19,170 --> 00:00:24,330
make sure that everything is working properly and that nobody's doing anything bad or doing anything

6
00:00:24,330 --> 00:00:25,770
suspicious on the network.

7
00:00:27,060 --> 00:00:33,570
The way that Wireshark works is it allows you to select an interface and then logs all the packets

8
00:00:33,630 --> 00:00:36,840
or all the traffic that flows through that interface.

9
00:00:36,930 --> 00:00:39,790
So you're selecting an interface; that could be a wireless card,

10
00:00:39,870 --> 00:00:46,050
it could be a wired card on your current computer, and then it'll start logging all the information

11
00:00:46,140 --> 00:00:48,770
that flows through that interface.

12
00:00:48,780 --> 00:00:55,410
It also has a really nice graphical interface that allows you to analyze this traffic, so it allows you to

13
00:00:55,410 --> 00:01:02,070
filter these packets based on the protocol used in them, like HTTP, TCP and all that, but it also allows you

14
00:01:02,070 --> 00:01:06,900
to look for certain things, for example if you're looking for cookies or if you're looking for POST or

15
00:01:06,900 --> 00:01:08,380
GET requests.

16
00:01:08,460 --> 00:01:12,030
And it also allows you to search through these packets.

17
00:01:12,030 --> 00:01:16,860
You can search through the information that's stored in the packets and find the things

18
00:01:16,860 --> 00:01:17,670
that you're looking for.

19
00:01:18,030 --> 00:01:21,600
It's a really, really big tool and you'd need a whole course for it.
20
00:01:21,600 --> 00:01:26,670
So in this course we're actually going to use it in a few lectures, just covering the basics or the things

21
00:01:26,700 --> 00:01:34,150
that are related to us. So the main idea here is Wireshark is not a hacking tool.

22
00:01:34,150 --> 00:01:41,200
It only allows you to capture the traffic that flows through your own computer, through your own interface.

23
00:01:42,710 --> 00:01:45,350
I'm going to use it now and it's going to become more clear to you.

24
00:01:45,350 --> 00:01:48,600
So I'm just gonna go to Kali and we're going to start Wireshark.

25
00:01:48,600 --> 00:01:54,410
You can run Wireshark from the command prompt or you can just go to all applications and type Wireshark

26
00:01:54,680 --> 00:02:00,410
and it'll show up right here. I'm gonna click that and that's going to load the program for me.

27
00:02:00,410 --> 00:02:01,790
This is just the normal error.

28
00:02:01,790 --> 00:02:09,060
Just ignore this error, and this is the main interface of Wireshark.

29
00:02:09,140 --> 00:02:13,970
So first of all you can actually just go to File and go to Open.

30
00:02:14,360 --> 00:02:18,580
And in here it will allow you to open a file that you've already captured.

31
00:02:18,580 --> 00:02:25,280
So for example if you captured packets using a different sniffer, using airodump-ng or using MITMf

32
00:02:25,280 --> 00:02:30,220
or using tshark, which is the command prompt part of Wireshark.

33
00:02:30,260 --> 00:02:35,420
So if you captured packets using any of these programs and you stored them in a file, you can just come

34
00:02:35,420 --> 00:02:38,190
in here, open it and start analyzing that file.
35
00:02:38,210 --> 00:02:43,760
This is really handy because sometimes you don't really want to analyze the traffic on the fly, so sometimes

36
00:02:43,760 --> 00:02:48,560
you just want to capture it. Sometimes you're capturing from a small laptop or you're capturing

37
00:02:48,570 --> 00:02:53,570
from your phone and you're not even at home, you're somewhere else doing your pen test, and then

38
00:02:53,570 --> 00:02:58,550
you go back home and then you want to analyze what you captured. Then you can still do that from a file,

39
00:02:58,700 --> 00:03:04,920
and then just come here, go to File, Open and open the file that you want to analyze.

40
00:03:04,920 --> 00:03:10,350
So what I want to show you here is the idea that Wireshark is not a hacking tool; it's not going to

41
00:03:10,350 --> 00:03:13,200
capture things happening on another device.

42
00:03:13,200 --> 00:03:18,260
It will only capture things that flow through your own interface.

43
00:03:18,270 --> 00:03:22,690
So right here we can see that we have all the interfaces on my computer, so we can see that we have

44
00:03:22,720 --> 00:03:23,420
eth0.

45
00:03:23,460 --> 00:03:29,100
We have any, which is just any, and we have all the other ones; some of them are created by

46
00:03:29,100 --> 00:03:29,850
VirtualBox.

47
00:03:29,850 --> 00:03:36,800
So the main one here is eth0, which is the virtual interface connected to my NAT network, and you

48
00:03:36,800 --> 00:03:42,020
can see that there is no traffic flowing through there, so you can see that this is constant and

49
00:03:42,020 --> 00:03:43,770
nothing's happening.
50
00:03:43,840 --> 00:03:48,910
So what I'm going to do now is I'm just gonna make this a little bit smaller and I'm going to open my

51
00:03:48,910 --> 00:03:54,430
browser here and I'm just gonna go to a normal website, I'm just gonna go to google.com,

52
00:03:57,450 --> 00:04:03,090
now as you can see right here, you can see the traffic on eth0 is spiking up, so there was some

53
00:04:03,090 --> 00:04:05,700
traffic generated through eth0.

54
00:04:05,820 --> 00:04:12,780
So if we're sniffing on this, we'll be able to capture these packets that were sent over eth0.

55
00:04:12,940 --> 00:04:17,530
Now what I'm going to do is I'm gonna go to my Windows machine just to prove that point, and I'm

56
00:04:17,530 --> 00:04:22,660
going to browse a website here and you'll see that eth0 will not be affected, and the traffic that's

57
00:04:22,660 --> 00:04:28,570
generated on this Windows machine, which is in the same network as the Kali machine, will not be captured

58
00:04:28,570 --> 00:04:29,440
by the Kali machine.

59
00:04:29,440 --> 00:04:36,900
So if I just go to Google again here, you'll see that nothing happened on eth0.

60
00:04:36,910 --> 00:04:39,460
So there is no traffic flowing through this.

61
00:04:39,460 --> 00:04:46,910
It's still constant, and we can only capture packets that go through eth0.

62
00:04:47,190 --> 00:04:51,900
So now you'll probably ask, then why is Wireshark so useful, why are we even talking about it if we

63
00:04:51,900 --> 00:04:52,560
can't read...

64
00:04:52,680 --> 00:04:56,890
If we can only see things that go through our own computer, why are we talking about it?

65
00:04:56,910 --> 00:05:02,280
Well, we're talking about it because we've seen there is a large number of ways that you can become the man

66
00:05:02,280 --> 00:05:03,520
in the middle.
67
00:05:03,570 --> 00:05:09,270
We learned how to do this using ARP spoofing, and in future lectures I'm gonna show you how to

68
00:05:09,270 --> 00:05:15,440
do it by creating a fake access point. So when we are the man in the middle,

69
00:05:15,690 --> 00:05:20,280
if we start sniffing on the interface that's used to become the man in the middle,

70
00:05:20,370 --> 00:05:26,550
we'll be able to capture all the traffic generated by the people that we're targeting in our man in

71
00:05:26,550 --> 00:05:27,370
the middle attack.

72
00:05:27,750 --> 00:05:34,580
So if you started the fake access point, you can start sniffing on the interface that's broadcasting

73
00:05:34,620 --> 00:05:40,860
the signal and you can capture all the packets sent or received by anyone who's connected to that fake

74
00:05:40,950 --> 00:05:46,350
access point. If you became the man in the middle using ARP spoofing,

75
00:05:46,450 --> 00:05:53,050
then just select the interface that you used when you launched your ARP spoofing attack.

76
00:05:54,310 --> 00:05:58,630
So for now I'm going to become the man in the middle using ARP spoofing.

77
00:05:58,990 --> 00:06:03,160
You can use arpspoof or bettercap as I showed you earlier.

78
00:06:03,160 --> 00:06:07,880
But I'm going to use bettercap using the exact same command that we used before.

79
00:06:07,990 --> 00:06:14,230
So we're literally just doing bettercap followed by the interface that is connected to my target network,

80
00:06:14,230 --> 00:06:21,970
which is eth0, and I'm launching my caplet, the spoof caplet, so that it configures the ARP spoof module

81
00:06:22,180 --> 00:06:30,430
and runs it for me to put me in the middle of the connection. So I'm gonna hit enter and as you can see

82
00:06:30,520 --> 00:06:32,360
it's working as expected.

83
00:06:32,380 --> 00:06:36,950
So right now I should be in the middle of the connection, intercepting anything
84
00:06:36,970 --> 00:06:41,540
the target Windows machine sends or receives.

85
00:06:41,880 --> 00:06:45,540
Now let's go to the Windows machine and see, if I do anything here,

86
00:06:45,540 --> 00:06:51,000
if it's going to affect the traffic on eth0, so we'll see if Wireshark will be able to capture traffic

87
00:06:51,240 --> 00:06:53,110
generated by this computer.

88
00:06:53,160 --> 00:06:54,840
So let's write anything here.

89
00:06:54,840 --> 00:06:58,530
I'm just going to google it, or I'm just gonna go to a different website, I'm just gonna go to Bing,

90
00:07:01,420 --> 00:07:07,790
and if we come back here you'll see that we have traffic being generated here, and we can see that

91
00:07:07,840 --> 00:07:13,530
eth0 is actually capturing whatever's happening on a completely different device, a device that's

92
00:07:13,540 --> 00:07:16,080
not even connected to our network.

93
00:07:16,090 --> 00:07:21,670
This is happening because when we are the man in the middle, all the packets that are generated by the

94
00:07:21,670 --> 00:07:26,890
Windows device have actually been redirected to my own computer right here, to the Kali, and then Wireshark

95
00:07:26,890 --> 00:07:33,070
is sniffing that from the Kali machine. It's sniffing it from my own local machine; it's not sniffing

96
00:07:33,070 --> 00:07:36,850
it from the network, it's not sniffing it from the target computer.

97
00:07:36,910 --> 00:07:41,410
So again, if you're doing this with the fake access point, then just listen on the interface that you're

98
00:07:41,420 --> 00:07:46,750
broadcasting on. If you're doing this with a real wireless network, if you're connected to your home wireless

99
00:07:46,750 --> 00:07:51,790
network using wlan0, then you can just do this with wlan0. But with ARP spoofing you have to

100
00:07:51,790 --> 00:07:54,810
first redirect the traffic, then you can use Wireshark.
101
00:07:54,910 --> 00:07:57,960
Now this is just to show you what Wireshark is and how it works.

102
00:07:58,030 --> 00:08:01,620
And I just wanted to stress the idea that Wireshark is not a hacking tool.

103
00:08:01,720 --> 00:08:07,060
It's only a program that allows you to log packets flowing through a certain interface and then analyze

104
00:08:07,060 --> 00:08:08,380
these packets.

105
00:08:08,380 --> 00:08:12,580
So in the next video we'll see how we can sniff and analyze packets using Wireshark.