[00:00:00,180] It's important to know Wireshark. Wireshark is a core skill for network engineers or anyone who's interested in networking or network security or ethical hacking. In this video, I'm going to show you how you can use Wireshark to capture the usernames and passwords for various protocols such as Telnet, TFTP, FTP, HTTP, in other words, how you can capture the credentials or read the information in various clear text protocols. You should be using SSH rather than Telnet. You should be using SSL or HTTPS rather than HTTP. Be careful using clear text protocols in a network, because the usernames and passwords and just other information within those protocols can be captured very easily.

[00:00:50,940] It's important again that you know how to use Wireshark. But to make it interesting, let's combine Wireshark with ethical hacking and look at how you can learn both Wireshark and ethical hacking as well as network protocols at the same time. In this topology, I'm using GNS3 to virtualize a network. I've got a switch in the middle. I've got a router. This is a Cisco IOSv router. Now, if you're not used to using GNS3, don't worry too much. Basically, I'm running a Cisco router, Cisco switch and Linux devices in this topology.
[00:01:30,660] Another very important skill, if you're interested in being a good network engineer or being a good ethical hacker, is to learn Linux. You need to know Linux. Kali Linux is a great version of Linux that can be used for hacking. But even if you're not interested in becoming a hacker but want to implement network security or be a good network engineer, you need to learn Linux.

[00:01:56,010] So in this example, I've got Webterm. It's a Linux client, but it's a GUI based client. So here we go. This is a GUI based client that will allow me, for instance, to run Firefox, which gives me the ability to use HTTP, but it also has a console. So as an example, if I type ifconfig, I can see the IP address of this device. So this is a Linux based graphical client. I've got an Ubuntu client here. This Ubuntu client is CLI based. There's no graphical user interface on this client. But you can see the IP address is 10.1.1.3. I've also got a toolbox client. This toolbox client is basically a server that allows me to run a whole bunch of protocols. Once again, it's also Linux based. IP address is 10.1.1.1. So let's see if we can capture some traffic.
[00:02:53,270] I'll start a Wireshark capture between the switch and the router in this topology. GNS3 makes this very easy, because you can capture traffic in this virtual environment by simply right-clicking on a link. In the real world, you need to SPAN a port, mirror a port, or add a hub to the topology or a network tap. A network tap is basically where you inject something in the network so that you can see the traffic going across a link. But we don't need to do that here. GNS3 allows us to monitor traffic very easily.

[00:03:27,500] So as an example, you can see STP or spanning tree traffic. You can see Dynamic Trunking Protocol traffic, we can see CDP traffic. We can already see which devices are in the network. So as an example, we can see that there's a device called Switch, which is a Cisco switch, it's using this version of Cisco IOS. Very easy to see information on the network using Wireshark.

[00:03:56,640] But let's do this. On the Ubuntu client, the client over here, I'm going to Telnet to the router and log in. So first thing is, what is the IP address of the router? show ip interface brief. IP address of the router is 10.1.1.254. So let's assume that an administrator or a user is telnetting to router 1 and you are capturing traffic on the network.
[00:04:25,920] So telnet 10.1.1.254. Password prompt is displayed. I'll put in the password, type enable, put in the password, type show run. So this is the running configuration of the Cisco router. The problem with that is it's in clear text.

[00:04:46,990] So if I filter for telnet in Wireshark, you can already see details of the telnet session here. We can see, as an example, the source IP address, destination IP address, source port, destination port; telnet uses port 23. So that's the initial connection from the PC to the router, router replying back. A bunch of information is displayed here, but notice, as an example, we can see the prompt for the password: so User Access Verification, carriage return, Password, and now a bunch of stuff negotiated, but notice C I S C O, that is the telnet password. A bunch of other stuff is now displayed; notice the prompt of the router. User typed E, N, enable, in other words, it's prompting for the password. Notice the source IP address is 10.1.1.254. That is the router asking the user for their password. So in other words, the enable password. User typed CISCO, pressed carriage return and then typed show run, R U N, run, pressed carriage return. Router is building the configuration and then displaying the configuration. Now that's okay, but it's not very easy to read that.
[00:06:17,620] So what I'm simply going to do is go to the first entry, right-click and type follow TCP stream, and notice, there you go, you get all of that information in one screen. So password, telnet password is Cisco, typed enable, password typed is Cisco. Notice we've got blue and red here, so blue is the router prompting the user, red is what the user's typing. So what you'll notice is every character is sent individually. So when you type s h as in show and then r u n as in run, notice s h sent individually and then it's echoed back.

[00:07:00,510] So when you're telnetting to the router, so in this example, let's go back to the Ubuntu client. Notice on the Ubuntu client, if I type s h, it's a character that's sent to the router and then it's echoed back so I can see what I'm typing. That's why when the link is really bad, when you type a character, it takes a long time for it to display on the screen. So you have to type s, it goes all the way to the router and then it echoes s back to you so you can see what you've typed. When the link is bad, it takes a long time for characters to display. But notice enable, password Cisco, type show run. There's the full running configuration captured in Wireshark. It was as simple as that to capture telnet traffic in the network. That's why you don't want to use telnet.
[00:07:50,340] If I type exit here, the connection is closed. Once again I'll follow that TCP stream, scroll all the way down to the end, notice I was typing s h and then I stopped that and typed exit to clear or end the telnet session. As simple as that, to grab the full running configuration of a Cisco router using telnet. Do not use telnet today unless you know the network is secure or it's offline or you don't worry too much about the contents being read. Simple as that, to get Telnet traffic off the network. Be careful.

[00:08:33,270] What I'll do is stop this capture and I'll save this as Telnet. So why don't you download them and import them to Wireshark and see if you can filter for traffic yourself, and see if you can capture usernames and passwords as well, rather than just watching me do it.