.

How to set up Wireshark with machine-in-the-middle PC?

<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Tue Dec 28, 2010 10:09 am

How to set up Wireshark with machine-in-the-middle PC?

I'm not skilled in networking, but I have some of the basics.  I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router.  I have a separate Windows machine I can use for this.  From what I've read here:

http://wiki.wireshark.org/CaptureSetup/Ethernet

I need another NIC card in my Windows machine  in order to complete the setup.  Thing is, I don't really know how to set it up in Wireshark.  It would be great if someone held my hand and stepped it out, but this may be unrealistic.  If so, can someone point me on the direction to learn how to do this?  I've been able to observe the traffic on the Windows machine Wireshark is installed on, but not the Mac.

In case your curious, I believe I may have malware on my Mac connecting to the network, and I want to monitor the traffic to determine if my hunch is correct.

Thanks in advance.
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Tue Dec 28, 2010 10:34 am

Re: How to set up Wireshark with machine-in-the-middle PC?

Why don't you install Wireshark on your Macintosh? That would be where I began....
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Tue Dec 28, 2010 11:10 am

Re: How to set up Wireshark with machine-in-the-middle PC?

In my searches, I read somewhere that I should use a separate machine for 'sniffing' the packets.

Perhaps this is due to the possibility of malicious software interfering with the results?  I don't know why it was suggested.

Incidentally, I did install Wireshark on my Mac...but apparently it's quite difficult to get set up properly with the correct permissions.  I read a few blog posts on it and even they seemed cryptic.

Abou that time I read the suggestion for a separate machine, and Wireshark works beautifully on my Windows PC, so I thought I'd go with that setup instead.
<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Tue Dec 28, 2010 11:30 am

Re: How to set up Wireshark with machine-in-the-middle PC?

I would also start with getting Wireshark to work on the Mac. But, if you put both machines on a network hub (not a switch), you should be able sniff the packets without two NICs on your PC.
Put that in your pipe and grep it!
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Tue Dec 28, 2010 11:39 am

Re: How to set up Wireshark with machine-in-the-middle PC?

What type of router/switch are we talking about?

If you have Cisco gear, it's pretty easy to setup a spanning port. If your talking about a Linksys/D-Link (or similiar) router, its a bit more difficult/less reliable.

Do some searches on arp spoofing. You'll find a ton of "how-to's". If you don't want to do arp spoofing, you can route your traffic from the Mac to your Windows box, but I do believe you'll need multiple NIC's on the Windows box at that point.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Dec 28, 2010 12:09 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

I think the first question, out of all the ways you could capture the data, why you want to do a man-in-the-middle?

this link will tell you how to bridge the connection, after you get the second wireless card.

http://www.windowsnetworking.com/articl ... brdge.html

Other ways of doing what you want, which will be better in my opinion:

- Use a hub (not a switch), which are harder to get these days, but can be done.

- build a network tap (I like this option the most). Little bit of physical hardware hacking and you can get some neat options.

When you do this, other than the M-I-T-M, you'll probably not want to configure your network interface card. It keeps traffic like arp and the like for the card, out of the capture. Just set the card to unconfigured and let it capture all the traffic coming to it. Promiscuous mode will probably work better.
OSWP, Sec+
<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Tue Dec 28, 2010 12:24 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

Thanks for all the advice.  The link to the bridge setup is very helpful.

Can someone recommend a good hub to purchase online?  Preferably a lower-cost one.  Newegg, Amazon, Etc.
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Wed Dec 29, 2010 8:23 am

Re: How to set up Wireshark with machine-in-the-middle PC?

There are few ways of doing so as already described by many guys
Like getting a Hub
Arpspoof
Span port -- high end routers.

But much before all that you should learn about switching and routing at the least how they work and why a Hub is required to sniff out things. The best learning in hacking is not to just know how to use tools but to know how things work and then how the tools works.

Just a little addition of my experience
Image
<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Wed Dec 29, 2010 9:01 am

Re: How to set up Wireshark with machine-in-the-middle PC?

I got Wireshark running (finally) on my Mac.

Sadly, I'm left with more questions than answers.

I've been looking for rare flashes on my router coming from my mac that don't show up on my app firewall reporting tool (Little Snitch).  When it occurred with wireshark, I get a lot of black with red text going to Google of all places:

1 0.000000000 209.85.231.148 192.168.1.2 TCP http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

2 0.000099000 192.168.1.2 209.85.231.148 TCP 49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

4 0.166031000 192.168.1.2 72.14.203.102 TCP 49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

5 1.733916000 209.85.231.148 192.168.1.2 TCP https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

6 1.733920000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data

7 1.733924000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data

8 1.734040000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

9 1.734112000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

10 1.734156000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

11 1.735159000 192.168.1.2 209.85.231.148 TCP 49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

All are red except 1 & 3 (green) and 5 (gray).

Does this seem normal or is it worth looking into more?
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Dec 29, 2010 9:48 am

Re: How to set up Wireshark with machine-in-the-middle PC?

I don't know what the colors mean. Never have. :)

But if you click the packet you can drill down into the details more and see.

I don't know about Macs, but on Linux and Windows you can use tools like Netackview and TPCview to see what is causing the connections in the background.

netstat might do the job from a command line window.

*edit
Not having a mac, I'm not familiar with little snitch, not sure if it has the stream program feature, but even then try netstat -tpan from the cli.

red and black wireshark:
http://www.networkworld.com/community/node/45655
Last edited by rattis on Wed Dec 29, 2010 9:54 am, edited 1 time in total.
OSWP, Sec+
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Dec 29, 2010 10:31 am

Re: How to set up Wireshark with machine-in-the-middle PC?

Normal traffic but you're not giving enough for anyone to go by. You're entire network capture simply shows a connection between your machine and Google so here is the breakdown of what occurred:


1  0.000000000  209.85.231.148  192.168.1.2  TCP  http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

Google is attempting to close the connection to Google via the web... (FIN, ACK)


2  0.000099000  192.168.1.2  209.85.231.148  TCP  49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google however, since no SYN is seen, solely another ACK, Google's FIN will never timeout and the connection won't close.


4  0.166031000  192.168.1.2  72.14.203.102  TCP  49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google as no SYN is seen, solely another ACK... same as above


5  1.733916000  209.85.231.148  192.168.1.2  TCP  https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

Google is waiting for an HTTPS session to close (maybe GMail or Google talk, one of them) this is evident by the FIN, ACK packet


6  1.733920000  209.85.231.148  192.168.1.2  TLSv1  [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


7  1.733924000  209.85.231.148  192.168.1.2  TLSv1  [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


8  1.734040000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

Your machine is still trying to connect to Google via https


9  1.734112000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


10  1.734156000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


11  1.735159000  192.168.1.2  209.85.231.148  TCP  49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

Your machine is trying to close the connection to Google.

Why is your machine trying to send such big windows sizes? In your terminal just type: sudo sysctl -w net.inet.tcp.rfc1323=1

http://en.wikipedia.org/wiki/TCP_window_scale_option
<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Wed Dec 29, 2010 11:58 am

Re: How to set up Wireshark with machine-in-the-middle PC?

"...you're not giving enough for anyone to go by."

I was hoping it was enough info to ensure data wasn't being transmitted to a malicious server, possibly through a keylogger or something else.  Does the info provided allow to confirm that isn't happening?

Great description of the traffic BTW.  Thank you very much.

"maybe GMail or Google talk"
Was encrypted search (Beta).  Just left the window open and waited for the led light to flash on my router without Little Snitch reporting it.  Then stopped the capture and examined it.

"Why is your machine trying to send such big windows sizes?"

I have no idea.  This is fresh install of Snow Leopard (on a new machine).  I'm guessing it's the default for Chrome?

On the CL
sysctl net.inet.tcp.rfc1323
Returns:
net.inet.tcp.rfc1323: 1

I will sudo the command though.

"try netstat -tpan from the cli."
Responds with:
netstat: an: unknown or uninstrumented protocol

"But if you click the packet you can drill down into the details more and see."

The only thing interesting I saw was this:
Header checksum: 0x000 Incorrect, should be 0x1da9 (or similar)
This was basically the same for 2, 4, 8, 9, 10, and 11.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Dec 29, 2010 12:03 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

macattack wrote:I was hoping it was enough info to ensure data wasn't being transmitted to a malicious server, possibly through a keylogger or something else.  Does the info provided allow to confirm that isn't happening?



There's no definitive way to determine this because of TLS for one, secondly, you didn't give enough data. If you think that "oh, its only Google..." then you're in for a surprise, How do you know someone didn't compromise a machine at Google and client side you? (http://threatpost.com/en_us/blogs/insid ... are-011910) There is no definitive way to determine WHAT data inside of encrypted packets were sent. The LIKELIHOOD of it being something malicious is altogether different. What I can tell is that it's just a funky connection with some packet loss.
<<

macattack

Newbie
Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Wed Dec 29, 2010 12:09 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

So perhaps I should log into google via non-https, wait for the LED flash, and check the packets?

Still wouldn't guarantee there isn't a keylogger or something else.

Anti-virus isn't foolproof to find or remove any, either.

I wish there was a way to ensure there are no keyloggers on a computer.  What do organizations do to guarantee they don't have this kind of problem?

Is there a service that can inspect and guarantee removal?

I'm reaching here I guess.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Dec 29, 2010 1:01 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

You seemed to be confused about what a keylogger typically does. Most keyloggers record your keystrokes to a FILE located ON your machine and then transfer that file elsewhere. Trying to dissect every single connection that your machine makes would drive you insane. As a test, pick a date that you KNOW you will NOT be using your machine. On that date, start up tcpdump or Wireshark to catch what is going on... Let it run all day if possible, then try making sense of it afterwards. My suggestions, use Netwitness Investigator + Wireshark.

One would be surprised to see the amount of connections coming in and out of a machine without any intervention. If you 'assume' something odd is occurring, throw on Snort as an EXTRUSION detection system, fire up SGUIL. Invert the rules so you can see and log what occurs on outbound connections. This is your best bet to see any truly anomalous connections.
Next

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software