This post will demonstrate how to capture packets with tcpdump and analyze them with Wireshark.
I’m going to capture the traffic generated when I log into the website http://testphp.vulnweb.com/login.php. The site uses plain HTTP, so the communication is unencrypted and I’ll be able to read the password out of the capture.
First, open a terminal in Kali Linux. You need to find the name of the interface your traffic will leave from.
To do this, run the ifconfig command and look at the interfaces it lists.
I have 3 interfaces. I’ll break down each:
- eth0 is the first Ethernet interface. This type of interface is usually a NIC (network interface card) connected to the network by a category 5 cable. This is my home’s router.
- lo is the loopback interface. You can tell by the IP address, which is always 127.0.0.1 (in IPv4). A host uses this address to send traffic to itself, which is handy for diagnosing problems without touching the real network.
- wlan0 is the name of the first wireless network interface on the system. This is my local machine, as it’s wirelessly connected to the network.
To capture packets between my local machine and a website, I’ll run this tcpdump command:
This command tells tcpdump to capture all traffic on the interface wlan0 and write it to the file ‘infocapture.pcap’.
Hit enter, and you’ll get a confirmation message:
Now I’m going to perform the actions that will be captured and stored in “infocapture.pcap”
I’ll open a web browser and visit testphp.vulnweb.com/login.php
Notice that the site is unencrypted. This is important! If it were encrypted, the pcap would still contain the packets, but the login data inside them would be unreadable.
I logged into the website using the username “test” and the password (we’ll find out what this is in a moment.)
Now, I need to stop the packet capture. I returned to the terminal and hit CTRL+c to stop the capture.
To analyze the pcap with Wireshark, type this command into the terminal:
Wireshark displays three different panes for inspecting packet data. The top pane, the packet list, lists all the packets in the capture. Clicking any packet will change the two bottom panes.
Packet details, the pane on the bottom left corner, shows readable information about the packet.
The bottom right pane, Packet Bytes, shows the packet exactly as it was captured in hexadecimal.
I’ll quickly get a 50,000-foot view of the pcap and figure out what I might want to do next.
I clicked the “Statistics” tab at the top of the page, then clicked “Conversations.” This page appears:
Each tab shows the conversations that occurred at a given layer: Ethernet (data link), IPv4, IPv6, TCP and UDP.
I’ll take a look at the TCP overview:
It would be tedious to look through each of these for the login information, but Wireshark has a wonderful tool to find specific packets: filters.
Filters allow you to display only the packets that meet specific criteria. There are capture filters, which instruct Wireshark (or tcpdump) to record only the packets matching the filter while the capture is running.
There are also display filters, which let us narrow down the packets we view after the capture is finished, without discarding anything from the file. I’ll use a display filter to see if I can find the packet containing the login information.
I went back to the main Wireshark window and clicked inside the display filter bar at the top. I typed: tcp contains "login"
Boom! It shows any TCP packets that contain the word “login” within them.
If I right-click the first packet (the one whose protocol column says HTTP) and then click Follow → TCP Stream, I’ll see a readable text printout of the communication that took place.
In this case, it was a POST request. Check out the first line in the second block of text:
There it is! The password (“test”) in cleartext.
This is why it’s key to use HTTPS: it encrypts these communications, so a capture like this one would show only ciphertext instead of the password.
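The same check can be scripted, which is how you would audit a batch of captures for cleartext logins rather than clicking through them one at a time. The script below is an added example and is not part of the original post; it does by hand what the display filter tcp contains "login" and Follow → TCP Stream did above: walk a classic pcap written by tcpdump -w, pull out each TCP payload, keep the ones containing the keyword, and decode the form fields of any HTTP POST among them. The sample capture it builds in build_sample_pcap() is constructed for the example (the IP addresses, ports and the field names username/password are made up; the post only tells us the values were both "test"), and it assumes a classic pcap with the Ethernet link type and a form-encoded POST.

```python
"""Find cleartext HTTP login credentials in a tcpdump capture.

Scripted equivalent of the Wireshark steps in the post: apply the display
filter `tcp contains "login"`, then read the POST body of the match.
Assumptions (not from the original post): the capture is a classic pcap
(not pcapng) with the Ethernet link type, which is what `tcpdump -w` writes
on eth0/wlan0, and the login form is application/x-www-form-urlencoded.
"""
import struct
from urllib.parse import parse_qs

DLT_EN10MB = 1            # pcap link type for Ethernet frames
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic (microsecond timestamps)


def iter_frames(pcap: bytes):
    """Yield the raw Ethernet frame bytes of each record in a classic pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only the Ethernet link type is handled")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType is not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[23] != 6:                          # IP protocol 6 = TCP
        return None
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    tcp_start = 14 + ihl
    tcp_hdr_len = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + tcp_hdr_len:14 + ip_total]


def find_cleartext_logins(pcap: bytes, keyword: bytes = b"login"):
    """Return the form fields of every HTTP POST whose TCP payload contains `keyword`.

    The keyword test is a plain substring match, like the display filter. Unlike
    Follow TCP Stream this looks at single segments only, so a POST split across
    several segments would need stream reassembly first.
    """
    hits = []
    for frame in iter_frames(pcap):
        payload = tcp_payload(frame)
        if not payload or keyword not in payload or not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        if b"application/x-www-form-urlencoded" not in head:
            continue
        fields = parse_qs(body.decode("latin-1"))
        hits.append({k: v[0] for k, v in fields.items()})
    return hits


def build_sample_pcap() -> bytes:
    """Constructed sample capture: a GET of the login page followed by the POST.

    Addresses, ports and form field names are made up for this example.
    """
    def frame(http: bytes) -> bytes:
        # TCP header: src port, dst port 80, seq, ack, data offset 5 words, PSH|ACK
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
        # IPv4 header: version/IHL, TOS, total length, id, frag, TTL, proto 6, checksum 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])) + tcp
        return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # Ethernet header

    get = b"GET /login.php HTTP/1.1\r\nHost: testphp.vulnweb.com\r\n\r\n"
    body = b"username=test&password=test"
    post = (b"POST /login.php HTTP/1.1\r\nHost: testphp.vulnweb.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for f in (frame(get), frame(post)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for creds in find_cleartext_logins(build_sample_pcap()):
        print("cleartext login found:", creds)  # this site needs HTTPS
```

Run it against a real file by replacing build_sample_pcap() with open("infocapture.pcap", "rb").read(). The GET of login.php also matches the substring "login", exactly as it does in Wireshark, which is why the script additionally requires a POST with a form body before it reports anything.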
Thanks for reading!