How To Capture Login Passwords Across The Air - Network Traffic Analysis

INTRODUCTION

You use the internet regularly and one day you're surprised to receive allegations of an intrusion. Evidence indicates that the intruders third party accounts departed from your account, and you have no idea what is happening. Someone may have made use of your account and performed such acts as you. How could this have happened? A strong possibility is that you have become the victim of an attack via "sniffer".

THE MAIN CONCEPT

What are "sniffers"? The main purpose of a sniffer is to capture network traffic. They are used for network analysis purposes, however they can also be used by malicious hackers to capture your passwords, and even IDS systems are based on network sniffers.      These programs also allow you to monitor network activity recording data (usernames, passwords; ect.) each time they access other computers on the network.      These programs aim at monitoring ("sniffing") network traffic to capture access to network services, such as remote mail service (IMAP, POP3), remote access (telnet, rlogin, etc.), file transfer (FTP) etc.. accesses made, capturing packets. Always aimed at getting the most relevant information. When we called the HUB computer and send information from one computer to another, in reality this data is for all ports of the HUB, and therefore for all machines. It turns out that only the machine on which the information was intended to send the operating system. If a sniffer were running on other computers, even without these systems sending data it travels there for the operating system, the sniffer will intercept at the network layer, capturing the data and displaying them to the user, in an unfriendly way. Generally the data is organized by type of protocol (TCP, UDP, FTP, ICMP, etc...) and each package read may have show your content.

PASSWORD CAN BE CAPTURED BY SNIFFERS!

Many local area networks (LANs) are configured sharing the same Ethernet segment. Virtually any computer of the network can run a "sniffer" program to "steal" users passwords. "Sniffers" work monitoring the flow of communication between computers on the network to find out when someone uses the network services previously mentioned. Each of these services uses a protocol that defines how a session is established, such as your account is identified and authenticated and how to use the service. To have access to these services, you first have to have a "log in". The login sequence - is part of the authentication protocol, which occurs at the beginning of each session - the "sniffers" are concerned about this, because it is this part that is your password. Therefore, it is only the filter "strings" keys that the password is obtained.

Basic Usage

The program (WireShark) installed, if you do not then download it. When starting WireShark, the displayed screen will look something like Figure 1:

Before you can start capturing packets, we have to define which interface will "listen" to the traffic. Click Capture > Interfaces

From there, a new window will appear with the list of automatically detected interfaces, simply select the desired interface by clicking the box next to the name of the interface, as in figure 3:

If you click Start, it will begin automatically capturing packets. You can select the interface and only then it will start the capture if necessary.When the capture process starts, you will see several packets traversing the screen WireShark (varying according to the traffic of your machine / network). Will look something like the figure 4:

To stop the capture, simply click the button, "Stop the running live capture".

It is important to remember that you must take care if your network is busy, the data stream may even lock your machine, then it is not advisable to leave the WireShark to capture for a long time, as we will see, we will leave it running only during the process to debug a connection. The greater the amount of packets, the longer it takes to apply a filter, find a package, etc.

Using Filters

There are a plethora of possible filters, but at this moment we will see just how to filter by IP address, port and protocol. The filters can be constructed by clicking on "Filter", then selecting the desired filter (there is a short list of pre-defined filters), or by typing directly into the text box. After you create your filter, just click "Apply", if you wanted to see the entire list of packages again just click "Clear", this will remove the filter previously applied.

 I will use a small filter list as an example:

 It is also possible to group the filters, for example: 

ip.src == 10.10.10.1 && tcp.dstport==80 OR ip.src == 10.10.10.1 and tcp.dstport==80 

Source address 10.10.10.1 

And destination port 80

CAPTURING PASSWORDS

Now we will see how you can capture passwords easily, just by listening to traffic. For this example we will use the POP3 protocol, which sends the data in clear text over the network. To do this, start capturing packets normally and start a session with your POP3 email server. If you use a safer protocol like IMPAPS or POP3 and I just wanted to see the functioning of the mechanism, it is possible to connect via telnet to POP3 without having to add / modify your account, simply run the following:

 telnet serveremail.com 110 

user user@abcdef.com 

pass abcdefpasswd      

Now stop the capture, filter and put "pop" and then click "Apply". now thats done, you see only the packets of POP3 connection. Now click on any of them right, and then click "Follow TCP Stream".

With this we will open a new window with the entire contents of the ASCII connection. As the POP3 protocol sends everything in plain text, you can see all the commands executed, including the password.

This can be transported to any connection in plain text, such as FTP, Telnet, HTTP, etc.. Just to let you change the filter and examine the contents of the connection.

Importing External Captures

Usually in servers, there is no graphical environment installed and with that you cannot use WireShark directly. If you want to analyze traffic on this server and you cannot install WireShark, so you have to capture this traffic elsewhere, the best one can do is write traffic with TCPdump locally and then copy this dump to a machine with WireShark from where a more detailed analysis is made.      

We will capture everything that comes and goes from the host 10.10.10.1 with destination port 80 and save content in capturerabcdef.pcap file from the local folder where the command was executed. 

Run the server:

 tcpdump -i eth0 host 10.10.10.1 and dst  

port 80 -w  

capturerabcdef.pcap      

Once you're finished capturing, simply use CTRL + C to copy the file to the machine WireShark capture and import by clicking on File -> Import. Once imported, you can use the program normally as if the capture had occurred locally.