Monday, May 23, 2011

Wireshark - The Swiss Army Knife of Downloading Tools

In the Information Security industry, there are a wide variety of tools that can be used both for the forces of good and for evil.  One of these tools is called a packet sniffer, which has the capability to listen in on the traffic passing along the network that the system is connected to.  This can be extremely useful from a troubleshooting standpoint, or extremely dangerous as a vector of attack.  Over the last decade or so, most network environments have migrated from hubbed to switched, meaning network devices will only send traffic to the designated recipient system as opposed to blasting the traffic to all connected systems with the recipient system going, "Oh hey, that's meant for me."  This is definitely a good step for security, but it is also easily defeated with techniques like Address Resolution Protocol (ARP) poisoning, where an attacker tricks the network into sending traffic meant for someone else to the attacker's machine, listens in with a packet sniffer, and then forwards the traffic along to the actual recipient.  This is accomplished by tricking both parties into updating their ARP tables to map an IP address to an incorrect MAC address.  Another term for it is a Man-in-the-Middle attack.  One of the easier methods to do this is via a freely downloadable tool called Cain & Abel.  But I digress...
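The same mechanism that makes ARP poisoning work is what makes it detectable: an IP address that is suddenly answered by a different MAC, or one MAC answering for two IP addresses at once.  Here is an added example (my own code, not part of the post or of any tool it names) that audits a list of observed ARP replies for both symptoms; the addresses are constructed.

```python
from collections import defaultdict

# Constructed sample: ARP replies as (sender IP, sender MAC) in the order seen on the
# segment. The first three are normal; the last two are the shape of a cache-poisoning
# Man-in-the-Middle, where one NIC starts answering for both the gateway and a workstation.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),  # workstation
    ("192.168.1.1", "00:11:22:33:44:01"),   # repeat of the gateway, still normal
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # gateway IP now claimed by a different MAC
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),  # same MAC also claims the workstation
]

def audit_arp(replies):
    """Return alerts for IP->MAC binding changes and for MACs claiming more than one IP.

    A binding change can also be a legitimately replaced router or NIC, so treat it as
    a signal to verify, not proof of an attack; the duplicate-claim alert is the
    stronger indicator, since an attacker has to answer for both victims at once.
    """
    bindings = {}                   # ip -> MAC currently believed for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding change: {ip} moved from {previous} to {mac}")
        bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"duplicate claim: {mac} answers for {sorted(ips_by_mac[mac])}")
    return alerts
```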

One of the absolute best packet sniffers available is another free tool called Wireshark.  This is a GUI tool with such an incredible amount of functionality built-in, that I feel like I'm still just starting to scratch the surface of everything that you can do with it.  I recently attended a SANS Voice-over-IP (VoIP) security course down in Orlando back in March where we were able to take a packet capture of network traffic and pull out the actual audio of bi-directional calls that were being made with VoIP using this application.  Those of you using Vonage, magicJack, or any other consumer-grade VoIP product should probably be aware (or beware) that if you're on a shared network segment of any kind, e.g. cable modem, it's absolutely possible for someone to listen in on your conversations, capture touch tones (e.g. credit card numbers, PINs, etc.), and even listen to or inject audio into the conversation in real-time.  Scary stuff.

Anyway, enough with my security soap boxing, on to the good stuff.  Wireshark comes with the ability to pull files out of a network stream and save them out for later use.  Meaning you can fire up Wireshark, load up an mp3 in Grooveshark or a video in YouTube for example, and once it's done buffering, pull the file out of the packet capture, and listen to or watch that content as much as you want from your local hard drive, offline.  Intrigued yet?  First you'll need to download and install Wireshark.
  1. Click on the link above, and download the latest stable release for your system's architecture, currently at version 1.4.6.  Launch the installer, click through a bunch of Nexts, and don't forget to install WinPcap which makes the magic happen.
  2. Once it's installed, fire it up, and click on the first icon in the toolbar to "List the available capture interfaces..." Alternatively you can select Capture --> Interfaces from the menu.  Click the Start button next to the corresponding network connection that you want to listen in on.  Depending on your setup, there could just be one, but if not, typically it's the one that shows the most Packets passing through.
  3. Now load up Grooveshark/YouTube, select a song/video, and wait for the buffering to complete.  You do NOT need to wait and listen to/watch the whole thing, but you do need for the whole thing to buffer up first.  Just the buffering is enough.
  4. Once it's done buffering, in Wireshark, click on the fourth icon in the toolbar to "Stop the running live capture."  Alternatively you can select Capture --> Stop from the menu.
  5. Now navigate to File --> Export --> Objects --> HTTP.  You will see a TON of files from different sites listed, but there's only one that you're interested in.  For a Grooveshark song, it should have a something.grooveshark.com Hostname, an audio/mpeg Content Type, a stream.php Filename, and likely it should be the largest in size (Bytes).  For a YouTube video, it should have something.youtube.com, video/x-flv, videoplayback?something, and should also likely be the largest in size listed.
  6. Click on the entry, and you'll see a Processing window pop up briefly and disappear.  Then click the Save As button in the lower right of the window.  Navigate to a location where you want to save the song/video and change it from stream.php to whatever-you-want.mp3 or for the YouTube video, whatever-you-want.flv.  Go ahead and play it.  You know you want to.  For the mp3s, you should find that any available meta-data came down with the file as well, like artist/song information, and album art.  For the videos, use whatever program you prefer to play flash videos.  I'm partial to VLC myself.
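For those curious what File --> Export --> Objects --> HTTP is actually doing, here is an added example (my own code, not from the post or from Wireshark) that performs the same steps on one reassembled TCP stream: read the Host header and URL for the Hostname and Filename columns, decode the response body (Content-Length or chunked), take the Content Type, and pick the extension to save under.  The request/response bytes, hostname and payload are constructed stand-ins.

```python
from dataclasses import dataclass
# Constructed sample: one request/response pair as it appears in a reassembled TCP
# stream. Hostname and payload are stand-ins, not real captured data.
SAMPLE_REQUEST = b"GET /stream.php HTTP/1.1\r\nHost: stream12.grooveshark.com\r\n\r\n"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\nTransfer-Encoding: chunked\r\n\r\n"
                   b"4\r\nID3\x03\r\n5\r\n\x00\x00\x00\x00\x00\r\n0\r\n\r\n")  # chunks of 4 and 5 bytes
EXTENSIONS = {"audio/mpeg": ".mp3", "video/x-flv": ".flv"}  # rename by type, as the post does

@dataclass
class HttpObject:  # the Hostname / Content Type / Filename / Bytes columns of the dialog
    hostname: str
    content_type: str
    filename: str
    body: bytes

def _split_message(raw):
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest  # start line, header dict, remaining bytes

def _dechunk(data):
    # Undo chunked transfer encoding: hex size line, chunk bytes, CRLF, ..., a "0" chunk
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]  # skip the chunk and its trailing CRLF

def extract_http_object(request, response):
    request_line, req_headers, _ = _split_message(request)
    path = request_line.split(" ")[1]
    _, resp_headers, body = _split_message(response)
    if resp_headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    elif "content-length" in resp_headers:
        body = body[:int(resp_headers["content-length"])]
    content_type = resp_headers.get("content-type", "").split(";")[0].strip()
    # The Filename column keeps the last path segment, query string included (videoplayback?...)
    return HttpObject(req_headers.get("host", ""), content_type, path.rsplit("/", 1)[-1], body)

def save_name(obj, base):  # e.g. the stream.php object saved as whatever-you-want.mp3
    return base + EXTENSIONS.get(obj.content_type, "")
```

Write `obj.body` to disk under `save_name(obj, ...)` and you have the same file the dialog's Save As button produces.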
And now back to my soap box.  With tools like these that make eavesdropping on the network as easy as point-and-click, you really need to be aware of what you're doing on the Internet and what security risks it involves.  A few things to consider:
  • Never click on links in your emails.  Yes, this is more of a piece of phishing advice, but those links could lead you to a fake version of the site you thought you were going to, which can capture your information with something like Wireshark and then pass you on to the real site, without you ever realizing it.  It can be done; I've done it for a security awareness demonstration before.  Always type in the website address yourself and do your best to validate that it is properly secured with SSL (that little padlock that says communication between you and the site is encrypted, even though this too can be faked).
  • Never give out sensitive information like your credit card number or PIN over the phone to someone who called you, especially if you're using consumer-grade VoIP at home.  There are even tools that can recover the dialed digits from the touch tones in a Wireshark capture, even if you never spoke those numbers aloud.  Always call the bank/credit card company directly yourself.
  • If your work requires you to send files back and forth electronically with another party, make sure to use encryption on the connection (SSH/SFTP/SCP/SSL), on the file with a password (PGP/GPG/AES), or ideally both.  Now that you've seen how easy it is to pull a file out of the network stream when it's not encrypted, it should be obvious to you that protocols like Telnet/FTP/HTTP just aren't going to cut it anymore when it comes to security.
Anyway, I hope that this post has served to educate, entertain, and horrify.  Until next time. :)
