1
00:00:00,300 --> 00:00:05,550
OK, so let's capture some of the protocols. I'm going to start a capture on this link because this

2
00:00:05,550 --> 00:00:06,390
is my server

3
00:00:07,590 --> 00:00:11,610
and I want to capture the traffic going to the server. What I'll do on the router

4
00:00:12,850 --> 00:00:13,540
is

5
00:00:14,540 --> 00:00:20,580
make sure that the router can ping the server, so the IP address is 10.1.1.1.

6
00:00:21,080 --> 00:00:23,270
So on the router, ping 10.1.1.1,

7
00:00:24,370 --> 00:00:26,770
ping succeeds. So in Wireshark

8
00:00:28,330 --> 00:00:36,820
let's filter for ICMP. Ping uses the ICMP protocol, and there you go, you can see we've got a ping

9
00:00:36,820 --> 00:00:40,000
or echo request message and then an echo reply.

10
00:00:40,570 --> 00:00:47,350
So the router IP address 10.1.1.254 is pinging the server and the server's replying back,

11
00:00:47,920 --> 00:00:50,530
so we can see that the ping succeeded.

12
00:00:51,160 --> 00:00:54,110
We'll be able to see information about the ping.

13
00:00:54,850 --> 00:00:57,140
Now, I'm not worried too much about that here.

14
00:00:57,610 --> 00:01:07,320
What I want to do is capture traffic from the router to the server and specifically traffic like TFTP.

15
00:01:08,530 --> 00:01:13,720
So what I'm going to do is save the router's configuration, and let's say the administrator of this router

16
00:01:13,720 --> 00:01:16,060
wants to back up the configuration.

17
00:01:17,100 --> 00:01:23,790
So copy startup-config, so copy the saved configuration to a TFTP server. IP address will be

18
00:01:23,790 --> 00:01:27,230
this, we'll set the destination name as that.

19
00:01:27,240 --> 00:01:30,960
So the destination filename is that. Configuration has been copied.

20
00:01:31,650 --> 00:01:37,920
So the router administrator's happy, his router configuration has been copied to the TFTP server,

21
00:01:38,430 --> 00:01:42,090
but the problem is that

22
00:01:43,250 --> 00:01:51,740
you have captured that whole session. So notice we can see the router sending traffic to the server using

23
00:01:51,890 --> 00:01:54,500
TFTP, destination filename is this.

24
00:01:55,130 --> 00:01:58,580
We're getting acknowledgments, we're seeing various information.

25
00:01:59,060 --> 00:02:03,110
But what I'm going to do here is follow

26
00:02:04,570 --> 00:02:08,979
the UDP stream. TFTP uses UDP, so notice what I can see.

27
00:02:09,360 --> 00:02:17,830
I can see the full running configuration of the router, including the DHCP pool information, I can

28
00:02:17,830 --> 00:02:23,050
see IP addresses, I can see passwords.

29
00:02:23,620 --> 00:02:28,830
So notice there's the telnet password. Scrolling up, the user made a big mistake.

30
00:02:28,840 --> 00:02:34,830
The enable password is in clear text, so they used the enable password rather than the secret password.

31
00:02:35,710 --> 00:02:37,540
Secret is encrypted or hashed,

32
00:02:38,020 --> 00:02:40,900
whereas the enable password is in clear text.

33
00:02:41,590 --> 00:02:50,410
So just by capturing traffic on the wire, I was able to grab the passwords of the router and the full

34
00:02:50,410 --> 00:02:51,870
configuration of the router.

35
00:02:52,300 --> 00:02:56,320
Be careful using TFTP in a network.

36
00:02:57,090 --> 00:02:59,590
OK, so what I'll do is stop that

37
00:03:00,550 --> 00:03:03,070
and save it so that you've got it.

38
00:03:04,830 --> 00:03:05,880
So TFTP