Wireshark for Security Professionals: Using Wireshark and the Metasploit Framework

Apr 13, 2025 · 17 min
Episode description

This book is a detailed guide to using Wireshark, a network protocol analyzer, for security professionals. The book covers fundamental networking concepts, setting up a virtual lab environment using VirtualBox and Kali Linux, and employing Wireshark to diagnose and confirm various network attacks, including man-in-the-middle and denial-of-service attacks. It also explores offensive uses of Wireshark, such as analyzing exploits with Metasploit. Finally, the guide introduces Lua scripting to extend Wireshark's capabilities, including creating custom dissectors and analyzing encrypted traffic. The authors draw on their extensive experience in information security and software development to make the material engaging and practical.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Wireshark-Security-Professionals-Metasploit-Framework/dp/1118918215?&linkCode=ll1&tag=cvthunderx-20&linkId=061460bf6d1b2093b50377c3a91a791c&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome back, everyone, to the Deep Dive. Today we're going deep into the world of network security and analysis, like some kind of digital detectives. I like that. And our main tool for this investigation is going to be Wireshark.

Speaker 2

Ah, sharks.

Speaker 1

It's a fascinating piece of software. You know, when I first heard about it, I was like, wait, you can actually see all the data?

Speaker 2

It's pretty amazing. Yeah, all those little packets flying around.

Speaker 1

It's mind-blowing. So for this deep dive, we're using this book, Wireshark for Security Professionals.

Speaker 2

Sounds intense.

Speaker 1

It is. The authors, Jessey Bullock and Jeff T. Parker, really know their stuff. They go into a lot of detail about how security professionals use Wireshark, even getting into scripting with Lua.

Speaker 2

Oh wow, yeah, Lua can be pretty powerful for automating things.

Speaker 1

Right. But even if you're not, like, a hardcore security expert, I think there's a lot to learn here, even for just, like, understanding how networks work in general.

Speaker 2

Absolutely, like you can see how websites load, how emails get sent, all that stuff. It's all broken down into these little packets. Exactly.

Speaker 1

So to kick things off, let's answer those basic questions: what exactly is Wireshark, and why should anyone care?

Speaker 2

Well, you can think of Wireshark like a microscope, okay, but instead of looking at, you know, tiny cells or whatever, it lets you look at the data flowing through your network, like all those individual packets of information.

Speaker 1

So we're actually seeing the ones and zeros that make up everything online.

Speaker 2

Well, not exactly the raw ones and zeros. Wireshark decodes them into a format that's, you know, readable. Ah. So you can see where the data is coming from, where it's going, what protocols are being used, even the actual contents sometimes.

Speaker 1

So I could, like, see the contents of an email that I'm sending?

Speaker 2

Potentially, yeah, if it's not encrypted, of course.

Speaker 1

Okay, I'm starting to see why this could be useful. But can you give me, like, a real-world example?

Speaker 2

Sure. Let's say your internet is running super slow. Oh, the worst. You can fire up Wireshark and see which applications are hogging all the bandwidth. Or maybe you think you might have malware on your computer.

Speaker 1

That's scary.

Speaker 2

Wireshark can help you spot any suspicious traffic that's going out.

Speaker 1

So it's not just for security professionals, then? Not at all.

Speaker 2

It can be a really useful tool for troubleshooting, understanding how things work, all sorts of stuff.

Speaker 1

Now, the book mentions the OSI model. I'm vaguely familiar with it, but could you refresh my memory a bit?

Speaker 2

Oh, the OSI model. Yeah, it's basically a way of describing how networks communicate. It breaks everything down into seven layers, each with its own specific function.

Speaker 1

Okay, and how does that relate to Wireshark?

Speaker 2

Well, Wireshark's interface is actually structured around the OSI model. Really. So as you're looking at the data, you can see how it moves through each layer.

Speaker 1

I see. So it's like peeling back the layers of an onion.

Speaker 2

Exactly, and that can be super helpful for understanding what's going on, especially if you're trying to pinpoint a problem.

Speaker 1

Okay, that makes sense. Now, the book also talks about different protocols like TCP and UDP. I always get those mixed up.

Speaker 2

Yeah, they're the two main ways of sending data over a network, but they work quite differently.

Speaker 1

Okay, so what's the difference?

Speaker 2

Think of TCP like sending a package through, like, a really reliable courier service. Okay. They make sure it gets delivered, they track it the whole way, they make sure everything arrives in the right order.

Speaker 1

Sounds like FedEx. Exactly.

Speaker 2

And UDP is more like sending a postcard.

Speaker 1

A postcard?

Speaker 2

Yeah, it's faster, yeah, but it's not as reliable. There's no guarantee that it'll arrive, and things might arrive out of order.

Speaker 1

So why would you ever use UDP?

Speaker 2

Well, sometimes speed is more important than reliability, right? Like if you're streaming video, for example.

Speaker 1

Ah, so if you drop frames here and there, it isn't a big deal.

Speaker 2

Exactly. But you wouldn't want to use UDP for, like, sending sensitive financial information.

Speaker 1

Definitely not. And Wireshark lets us see which protocol is being used?

Speaker 2

Yeah, it shows you all that information. It's pretty cool.

Speaker 1

So if I see a bunch of UDP traffic, I know that something's probably streaming. Most likely, yeah. This is making me think about the Internet in a whole new way. I never realized there was so much going on behind the scenes.

Speaker 2

It's a whole hidden world, yeah, and Wireshark gives you the keys to explore it. Now.

Speaker 1

The book also mentioned something called well-known ports. What are those?

Speaker 2

Okay. So imagine a city with a bunch of different ports, okay, and each port is designated for a specific type of cargo, like...

Speaker 1

One port for oil tankers, one for container ships.

Speaker 2

That kind of thing, exactly. Well-known ports are kind of like that. They're specific numbers that are assigned to common Internet services.

Speaker 1

So if I'm browsing the Web, my traffic is going through a specific port for web traffic, right?

Speaker 2

Web traffic usually uses port 80 or port 443.

Speaker 1

If it's encrypted. And Wireshark shows us which ports are being used?

Speaker 2

Yep, it's another piece of the puzzle.

Speaker 1

This is starting to feel like a real-life CSI episode. Now, how do we actually capture this traffic? The book uses the word sniffing, which sounds kind of, a little, creepy. Yeah, a little creepy. It is what it is.

Speaker 2

Basically, it means capturing the network traffic as it goes by.

Speaker 1

So, like, we're eavesdropping on the network? Pretty much.

Speaker 2

Yeah, and Wireshark gives us the tools to do that.

Speaker 1

Okay, I can see how that would be useful. But what about promiscuous mode? The book mentions that, and it sounds a little, uh, risqué. Yeah, a little bit. What does it actually mean?

Speaker 2

So normally your network card only sees traffic that's specifically addressed to your computer. Promiscuous mode lets you see all the traffic on the network.

Speaker 1

Oh, so it's like being able to hear everyone's conversations in a crowded room.

Speaker 2

Exactly. It's essential for network analysis because it gives you the full picture.

Speaker 1

I'm starting to see how powerful this tool can be. Yeah. But I imagine there are different scenarios for sniffing, right? Like, the book talks about wired versus wireless, hubs versus switches.

Speaker 2

Oh yeah, definitely. The environment you're in makes a big difference.

Speaker 1

Can you unpack that a bit?

Speaker 2

So on a wired network, if you're connected to a hub, it's pretty straightforward, um, okay, because hubs broadcast all the traffic to every device connected to them. Everything, pretty much. But switches are different. Also, switches are smarter. They learn which devices are connected to each port, and they only forward traffic to the intended recipient.

Speaker 1

So sniffing on a switched network is trickier?

Speaker 2

It can be, yeah. You might only see traffic that's meant for your computer, or broadcast traffic.

Speaker 1

Is there any way around that?

Speaker 2

Sometimes. The book talks about...

Speaker 1

SPAN ports? SPAN ports.

Speaker 2

Yeah, they're special ports on a switch that let you mirror traffic from other ports.

Speaker 1

Oh, interesting. So you could, like, designate a port to capture all the traffic from a specific device?

Speaker 2

Exactly, or even from a whole section of the network.

Speaker 1

Wow, that's pretty powerful stuff. I'm already starting to see how Wireshark can be used for, like, serious investigations.

Speaker 2

Oh yeah, definitely, And we're just getting started.

Speaker 1

This is already more than I ever thought I'd know about network analysis. And we haven't even gotten to the really exciting stuff yet, like analyzing attacks.

Speaker 2

Oh yeah, that's next. Get ready for some digital forensics.

Speaker 1

Yeah.

Speaker 2

Wait, all right. So we've talked about how to capture network traffic using Wireshark. Now let's talk about using it to identify and analyze attacks.

Speaker 1

Okay, this is where things start to get really interesting.

Speaker 2

It does get pretty interesting. The book talks about all sorts of attacks and how Wireshark can help you understand how they work.

Speaker 1

Like those man-in-the-middle attacks?

Speaker 2

Exactly, MITM attacks. They're pretty scary when you think about it. They are.

Speaker 1

Can you explain how they work? I always get a little confused about the details.

Speaker 2

Sure. So imagine someone's intercepting your mail, right? They set up a fake mailbox outside your house and they start collecting all your letters before you even get them.

Speaker 1

That's sneaky.

Speaker 2

Yeah, and that's kind of what a man-in-the-middle attack does. The attacker puts themselves between two parties who think they're communicating directly with each other.

Speaker 1

So they can eavesdrop on the conversation?

Speaker 2

Exactly, and they can potentially even modify the data that's being exchanged.

Speaker 1

That's terrifying. So, like, if I'm doing online banking and someone's doing a MITM attack...

Speaker 2

They could potentially steal your login credentials, your account numbers, all that stuff.

Speaker 1

Oh wow. The book mentioned something called ARP poisoning. Is that a type of MITM attack?

Speaker 2

It is. Remember we talked about ARP, the Address Resolution Protocol. It's how devices on a network map IP addresses to MAC addresses. Running like a phone book for the network? Exactly. And in an ARP poisoning attack, the attacker sends out fake ARP messages.

Speaker 1

So they're basically creating false entries in that phone book. Exactly.

Speaker 2

They're tricking devices into sending their data to the attacker instead of the intended recipient.

Speaker 1

That's so devious. Can Wireshark help us detect that kind of attack?

Speaker 2

It can. Wireshark shows you both the MAC address and the IP address for each packet, right? So if you see conflicting MAC addresses for the same IP address, that's a big red flag.

Speaker 1

Like two different people claiming to have the same phone number.

Speaker 2

Exactly. Something's not right.

Speaker 1

Okay. So it's all about looking for those inconsistencies. That makes sense. Now, what about those denial-of-service attacks? I've heard about those, but I don't really understand how they work.

Speaker 2

All right. So imagine a restaurant, right, and they're suddenly flooded with phone calls for reservations. Okay. But none of those callers actually show up.

Speaker 1

So the restaurant is overwhelmed, but it's all fake.

Speaker 2

Exactly. And that's kind of what a denial-of-service attack does. They overload the target server with so many requests that it can't handle legitimate traffic. So it's like crashing the server, essentially? Yeah, it makes the service unavailable to legitimate users.

Speaker 1

The book mentions SYN floods and UDP floods. Are those types of DoS attacks?

Speaker 2

They are. They're different ways of achieving the same goal.

Speaker 1

What's the difference?

Speaker 2

So a SYN flood is like making a bunch of those fake restaurant reservations but never confirming them.

Speaker 1

So you're tying up the phone lines, but you're not actually taking up any tables.

Speaker 2

Exactly, you're exploiting the process of establishing a connection.

Speaker 1

Okay, that makes sense. What about a UDP flood?

Speaker 2

A UDP flood is more like throwing a massive party outside the restaurant, creating so much noise and chaos that it disrupts the normal operations inside.

Speaker 1

So you're just overwhelming the target with a ton of data.

Speaker 2

Exactly. It's a brute-force approach.

Speaker 1

Can Wireshark help us identify these kinds of attacks?

Speaker 2

Oh, absolutely. Wireshark can show you patterns in the traffic that might indicate a DoS attack.

Speaker 1

Like what kind of patterns?

Speaker 2

Well, you might see a huge spike in traffic from a single source, or maybe a range of sources.

Speaker 1

So it's all about looking for those unusual spikes in activity.

Speaker 2

Right. And it can also show you the type of packets being used, which can help you figure out what kind of DoS attack it is.

Speaker 1

So it's like having a digital magnifying glass, letting you see all those tiny details. Exactly.

Speaker 2

It's a powerful tool for analysis. But it's not just DoS and MITM attacks we need to worry about. There are more sophisticated attacks out there, like those advanced persistent threats you mentioned earlier.

Speaker 1

Yeah, those sound particularly scary. What makes those different?

Speaker 2

Well, imagine a thief breaking into a bank, but instead of stealing everything at once, they are more patient. Exactly. They install a hidden camera and a back door so they can gain access over time.

Speaker 1

So they're in it for the long haul, right?

Speaker 2

APTs are often orchestrated by skilled attackers, sometimes even nation states.

Speaker 1

Wow, so they're playing the long game. What are they typically after?

Speaker 2

It depends. They might be stealing sensitive data like intellectual property or government secrets.

Speaker 1

That's scary stuff. Can Wireshark help us with those kinds of attacks?

Speaker 2

Wireshark isn't primarily a threat detection tool, but it can be really useful for analyzing suspicious activities.

Speaker 1

So it's like the forensic team coming in after the crime has already happened?

Speaker 2

Exactly. It can help you understand how the attack worked, how much damage was done, all that stuff.

Speaker 1

Okay, that makes sense. Now, the book also mentions Lua scripting. Can you tell us a bit more about that?

Speaker 2

Sure. Lua is a scripting language that you can use to extend Wireshark's capabilities.

Speaker 1

So you can basically write your own custom programs within Wireshark?

Speaker 2

Pretty much. It's like adding superpowers to Wireshark.

Speaker 1

The book mentioned some pretty cool examples, like writing scripts to count specific types of packets or even extract files from a network capture.

Speaker 2

Yeah, it's pretty amazing what you can do with Lua. It turns Wireshark into an even more powerful tool.

Speaker 1

I'm starting to feel like a real cyber detective over here.

Speaker 2

It's definitely a skill that takes time and practice to master, but even just understanding the basics can be really helpful.

Speaker 1

Well, this has been incredibly insightful. We've covered so much ground today, and I feel like I've learned a ton. Me too.

Speaker 2

And we're not even done yet. There's still more to explore in the world of Wireshark.

Speaker 1

Can't wait to dive in even deeper. Wow, so much to think about, learning about those attacks, like how Wireshark can help analyze them. It's pretty amazing and kind of scary at the same time, you know?

Speaker 2

Yeah, definitely. There's a whole world of cyber threats out there, but, you know, learning how they work, that's how we get better at defending against them.

Speaker 1

Speaking of defense, the book also talks about how Wireshark can be used, well, offensively, like by ethical hackers, penetration testers. It kind of threw me off. How can a tool for analyzing traffic be used by someone who's actually trying to break into systems?

Speaker 2

Ah, I see where you're coming from. Remember, Wireshark itself is not a hacking tool. It doesn't, like, actively exploit vulnerabilities or anything, but it's a super valuable tool for ethical hackers, pen testers, especially during certain stages of their work.

Speaker 1

Okay, so how does that work, exactly?

Speaker 2

Imagine a detective, right, solving a case. They wouldn't just barge into a suspect's house without doing some recon first.

Speaker 1

Right, gather some intel first.

Speaker 2

Exactly. Ethical hackers, they use Wireshark in a similar way for reconnaissance, you know, gathering information about a target network before they even try to get in.

Speaker 1

So it's like a digital detective's toolkit, building a profile of their target.

Speaker 2

Yeah, pretty much. Wireshark helps identify, like, active devices on the network, open ports, even what operating system and services are running. It's all about getting a full picture.

Speaker 1

Makes sense. It's like scoping out the place before making a move. But how else do these ethical hackers use Wireshark during, say, a penetration test?

Speaker 2

Another big one is analyzing how effective different attack techniques are. Oh, interesting. Yeah, by capturing traffic during a test, you know, they can see how their attacks are being detected or blocked by the target's security systems. So they can refine their strategies, find weaknesses.

Speaker 1

So it's not just about getting in, but also about learning and improving their methods, helping organizations build better defenses.

Speaker 2

Exactly. Ethical hacking, it's all about responsible disclosure, helping organizations fix vulnerabilities before the bad guys can exploit them.

Speaker 1

The book even mentions using Wireshark to, like, verify the success of an attack.

Speaker 2

Yeah. So let's say, you know, during a pentest, they exploit a vulnerability, get access to a system. Wireshark can confirm that the connection is established. You know, they can actually monitor the traffic, make sure they achieved their objective.

Speaker 1

It's like proof they actually got in and can access that sensitive information.

Speaker 2

Exactly. It's important, you know, demonstrating the impact of a vulnerability, providing evidence to the client.

Speaker 1

This whole idea of offensive Wireshark, it's pretty eye-opening, you know. It shows how the same tools can be used for defense, but also to understand and improve attack strategies.

Speaker 2

It's all about understanding both sides, the attacker and the defender, right? Like knowing your enemy. Exactly. The more we know about how attackers work, the better we can anticipate their moves and defend against them.

Speaker 1

Now, about that Lua scripting. We talked about it a bit earlier. I'm really curious about these custom scripts, how they're actually used.

Speaker 2

Oh, Lua scripting is incredibly powerful. It's like, you know, having a toolbox where you can build your own tools for whatever you need.

Speaker 1

Right, custom-made. Exactly.

Speaker 2

The book has some great examples, like writing scripts to automate repetitive tasks, custom filters, even extracting specific data from those captured packets.

Speaker 1

Yeah, I remember that, extracting files from a capture. It's like digital archaeology, right?

Speaker 2

It is. It shows how Lua scripting can turn Wireshark into this highly specialized investigation and analysis tool.

Speaker 1

So if you're comfortable with a little coding, the possibilities are pretty much endless.

Speaker 2

Pretty much. The book even walks you through creating a dissector, which is basically a plugin that teaches Wireshark how to interpret a new protocol.

Speaker 1

Wow, so you could basically teach Wireshark a whole new language.

Speaker 2

Yeah, it shows how extensible, how deep this tool really is. You're not just stuck with the built-in stuff; you can customize it for your specific needs.

Speaker 1

Well, we've covered a ton in this deep dive on Wireshark, from the basics of networks and protocols, to how it analyzes attacks, even ethical hacking, Lua scripting. It's been a fascinating journey. Absolutely.

Speaker 2

You know, it's amazing what you can learn when you really dive deep.

Speaker 1

If you're listening and feeling that spark of curiosity, definitely check out Wireshark for Security Professionals.

Speaker 2

Yeah, great resource, whether you're a cybersecurity pro or just starting out.

Speaker 1

And as always, folks, keep exploring, keep learning, and keep diving deep.
