Wireshark 301: Spying on what people are downloading (Part 1 of 2)

Wireshark can’t make sense of encrypted traffic which is why we should also make sure sensitive traffic is encrypted.  Wait.. wait.. there is one way to view encrypted traffic in Wireshark.  If the attack was able to acquire the private key file, he or she could easily decrypted the TCP streams, reassemble and view the decrypted segments.  How?  It’s just a matter of pressing Shift + Ctrl + p, scrolling down to SSL in the protocol list and browsing to the stolen private key file.  Scary but true.

Anyone can do this.  It isn’t rocket science.

But it’s worse than that.  Since most people aren’t encrypting their traffic these days, it’s super easy to see exactly what files are being downloaded by users.

You can see what videos people are watching.  What images people are downloading and what songs people are streaming.  It’s all in the capture and I’m about to show you how easy it is to do this.

Before we get started I want to warn you that you shouldn’t use this for illicit purposes.  The reason I’m showing you how to do this is because I’m trusting you’ll use the informatoin I share to fortify your network and implement the correct controls to strengthen it.  Under no circumstances am I espousing Blackhat hacking.  By continuing to read you’re promising me you won’t use this to violate the privacy of your peers.  Remember, don’t do anything to anyone that you wouldn’t want them to do to you.

Yes I’m loading you up with guilt to prevent your own ruin.  I hope it worked.

This is by far going to be one of the most interesting articles you read all week.  Why? Because I”m going to show you how to:

  • See the images a person downloaded
  • See the video a user streamed
  • See the password a user typed
  • See encrypted traffic on Wireshark

Yup, we’re going to break encryption.  Get ready to rumble dood because this article is about to kick your ass.  Let’s go!

Before we start spying on downloaded traffic we need to setup a few things in Wireshark.

First things first

First capture the traffic, then find your HTTP traffic, right click one instance, go to Protocol Preferences and make the following are checked:

  • Reassemble HTTP headers spanning multiple TCP segments
  • Reassemble HTTP bodies spanning multiple TCP segments
  • Reassemble chunked transfer-coded bodies

Then right click a TCP segment, go to Protocol Preferences and choose Allow subdissector to reassemble TCP streams.

Once you’ve got that you’re ready to bang.

Seeing the images a user downloaded

Seeing what a user downloaded is easier than easy.

Load the packet capture, choose File, go to Export Objects and choose HTTP.

Wireshark Export Objects

Now we’ll see all the HTTP objects.  All of them for the session.

All CSS scripts.  All Javascript files.  All HTTP documents.  But also all images.

Watch this.

If you sort  by the Content Type column you can quickly identify all the image/jpeg files.

Clicking it makes Wireshark skip to the packet number in the output.  In the HTTP object list dialog box, you can see the file name is taylor-swift_416x416.jpg.

HTTP objects in Wireshark

But what if you actually wanted to see that image?  Can you do that in Wireshark?  After all just because someone downloaded a picture of Taylor Swift doesn’t mean they didn’t anything wrong.

To view the image, click Save As in the HTTP object list.

Save the file to your Desktop and double click it to what the user downloaded.

Saving a captured HTTP object


Viewing the HTTP object in Wireshark

It’s seriously that easy.  Scary but true again.

If you wanted to find out the exact user who downloaded this file just open the Ethernet Frame and look at the MAC address.

Viewing the MAC address of the user who downloaded the frame

You can see a user with MAC address 52:54:00:12:35:02 downloaded the image.

Now on the Cisco switch just type:

show mac-addr | include 3502

All you need are the last four digits of the MAC.  It’ll tell you the switchport the user is physically connected to so you can hunt down that person and have an awkward conversation.

Pew… crazy stuff.

Alright I can’t believe I just shared that with you.  Let’s keep going.  It get’s worse.

See what videos a user was streaming

You can do the same trick with video.  Viewing Youtube video streams in Wireshark is a little complicated though because Google no longer relies on .FLV files for Youtube.  HTML5 is the new standard and thus is a bit harder to reassemble.  But that doesn’t mean you can’t capture any video traffic.

For example, look at what happen when I kicked open a video at watchop.com.  You can actually see the video filename

op689ut.mp4 and the type of content which is video/mp4

Wireshark Video Captures

Now I can save it to my computer as a .MP4 and kick it open in VLC Player.


The Bottom Line

Wireshark is a truth teller.  It’s the serum that reveals the facts.  The network doesn’t like and Wireshark can peer into all the details without any problems.

In the next part of this eye opening series on capturing packets I’m not only going to show you how easy it is to capture passwords but also view encrypted traffic.

Yup, we’re about to do the impossible.  Check back tomorrow.


Connect with Vonnie on Twitter

Posted in Linux, Mac OS X 10.10 Yosemite, Mac OS X 10.8 Mountain Lion, Samsung Galaxy S4, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP Tagged with: , , , ,