WEBVTT 1 00:00:00.040 --> 00:00:03.279 Welcome back everyone to the deep dive. Today. We're going 2 00:00:03.359 --> 00:00:07.960 deep into the world of network security and analysis, like 3 00:00:08.439 --> 00:00:11.400 some kind of digital detectives. I like that, And our 4 00:00:11.560 --> 00:00:15.080 main tool for this investigation is going to be wire Shark. 5 00:00:15.560 --> 00:00:16.960 Ah Sharks. 6 00:00:16.960 --> 00:00:19.719 There's a fascinating piece of software. You know. When I 7 00:00:19.719 --> 00:00:21.800 first heard about it, I was like, wait, you can 8 00:00:21.839 --> 00:00:23.079 actually see all the data. 9 00:00:23.079 --> 00:00:26.399 It's pretty amazing. Yeah, all those little packets flying around. 10 00:00:26.199 --> 00:00:29.600 It's mind blowing. So for this deep dive, we're using 11 00:00:29.640 --> 00:00:32.359 this book wire Shark for security professionals. 12 00:00:33.000 --> 00:00:33.840 Sounds intense. 13 00:00:34.039 --> 00:00:37.159 It is. The authors, Jesse Bullock and Jef D. Parker, 14 00:00:37.320 --> 00:00:39.399 really know their stuff. They go into a lot of 15 00:00:39.399 --> 00:00:43.640 detail about how security professionals use wire Shark, even getting 16 00:00:43.679 --> 00:00:44.719 into scripting with Lua. 17 00:00:45.000 --> 00:00:48.520 Oh wow, yeah, Loua can be pretty powerful for automating things. 18 00:00:48.600 --> 00:00:52.399 Right, But even if you're not like a hardcore security expert, 19 00:00:53.000 --> 00:00:54.799 I think there's a lot to learn here, even for 20 00:00:54.920 --> 00:00:58.079 just like understanding how networks work in general. 21 00:00:58.159 --> 00:01:00.600 Absolutely, like you can see how websites low, how emails 22 00:01:00.600 --> 00:01:02.560 get sent, all that stuff. It's all broken down into 23 00:01:02.640 --> 00:01:04.640 these little packets exactly. 24 00:01:05.239 --> 00:01:07.959 So to kick things off, let's answer those basic questions 25 00:01:08.840 --> 00:01:12.799 what exactly is wire shark and why should anyone care? 26 00:01:13.239 --> 00:01:17.280 Well, you can think of wire shark like a microscope, okay, 27 00:01:17.280 --> 00:01:20.239 but instead of looking at you know, tiny cells or whatever, 28 00:01:20.480 --> 00:01:22.640 it lets you look at the data flowing through your network, 29 00:01:22.680 --> 00:01:25.519 like all those individual packets of information. 30 00:01:26.239 --> 00:01:28.840 So we're actually seeing the ones and zeros that make 31 00:01:28.920 --> 00:01:30.040 up everything online. 32 00:01:30.120 --> 00:01:33.079 Well not exactly the raw ones and zeros. Wire shark 33 00:01:33.159 --> 00:01:37.079 decodes them into a format that's you know, readable. Ah, 34 00:01:37.280 --> 00:01:39.079 So you can see where the data is coming from, 35 00:01:39.200 --> 00:01:42.480 where it's going, what protocols are being used, even actual 36 00:01:42.519 --> 00:01:44.040 contents sometimes. 37 00:01:43.640 --> 00:01:45.480 So I could like see the contents of an email 38 00:01:45.519 --> 00:01:45.920 that I'm. 39 00:01:45.799 --> 00:01:48.680 Sending potentially yeah, if it's not encrypted of course. 40 00:01:48.799 --> 00:01:51.239 Okay, starting to see why this could be useful. But 41 00:01:51.319 --> 00:01:53.359 can you give me like a real world example. 42 00:01:53.480 --> 00:01:57.319 Sure, let's say your internet is running super slow, oh 43 00:01:57.519 --> 00:02:00.400 the worst. You can fire up wire shark and see 44 00:02:00.439 --> 00:02:03.640 which applications are hogging all the bandwidth. Or maybe you 45 00:02:03.680 --> 00:02:05.640 think you might have malware on your computer. 46 00:02:05.920 --> 00:02:06.480 That's scary. 47 00:02:06.760 --> 00:02:10.199 Wire shark can help you spot any suspicious traffic that's 48 00:02:10.240 --> 00:02:11.039 going out. 49 00:02:11.240 --> 00:02:14.159 So it's not just for security professionals then not at all. 50 00:02:14.199 --> 00:02:17.719 It can be a really useful tool for troubleshooting, understanding 51 00:02:17.719 --> 00:02:19.400 how things work, all sorts of stuff. 52 00:02:19.599 --> 00:02:23.639 Now, the book mentions the OSI model. I'm vaguely familiar 53 00:02:23.719 --> 00:02:26.120 with it, but could you refresh my memory a bit. 54 00:02:26.159 --> 00:02:28.719 Oh, the OSI model. Yeah, it's basically a way of 55 00:02:28.719 --> 00:02:32.960 describing how networks communicate. It breaks everything down into seven layers, 56 00:02:33.039 --> 00:02:34.639 each with its own specific function. 57 00:02:34.919 --> 00:02:36.800 Okay, and how does that relate to wire Shark. 58 00:02:36.960 --> 00:02:40.719 Well, wire Shark's interface is actually structured around the OSI 59 00:02:40.879 --> 00:02:43.400 model really, so as you're looking at the data, you 60 00:02:43.439 --> 00:02:45.000 can see how it moves through each layer. 61 00:02:45.360 --> 00:02:47.120 I see. So it's like peeling back the layers of 62 00:02:47.159 --> 00:02:48.000 an onion. 63 00:02:47.800 --> 00:02:50.680 Exactly, and that can be super helpful for understanding what's 64 00:02:50.719 --> 00:02:53.319 going on, especially if you're trying to pinpoint a problem. 65 00:02:53.479 --> 00:02:57.319 Okay, that makes sense. Now. The book also talks about 66 00:02:57.520 --> 00:03:01.039 different protocols like TCP and UDIB. I always get those 67 00:03:01.039 --> 00:03:01.479 mixed up. 68 00:03:01.560 --> 00:03:03.960 Yeah, they're the two main ways of sending data over 69 00:03:04.000 --> 00:03:05.919 a network, but they work quite differently. 70 00:03:06.039 --> 00:03:07.199 Okay, so what's the difference. 71 00:03:07.560 --> 00:03:10.879 Think of TCP, like sending a package through like a 72 00:03:10.919 --> 00:03:14.840 really reliable career service. Okay, they make sure it gets delivered, 73 00:03:14.879 --> 00:03:17.159 they track it, the whole way. They make sure everything 74 00:03:17.240 --> 00:03:18.439 arrives in the right order. 75 00:03:18.680 --> 00:03:20.400 Sounds like FedEx exactly. 76 00:03:20.800 --> 00:03:23.400 And UDP is more like sending a postcard. 77 00:03:23.719 --> 00:03:24.439 A postcard. 78 00:03:24.520 --> 00:03:27.840 Yeah, it's faster, yeah, but it's not as reliable. There's 79 00:03:27.840 --> 00:03:30.639 no guarantee that it'll arrive, and things might arrive out 80 00:03:30.639 --> 00:03:31.000 of order. 81 00:03:31.319 --> 00:03:32.879 So why would you ever use UDP? 82 00:03:33.639 --> 00:03:37.400 Well, sometimes speed is more important than reliability, right, Like 83 00:03:37.439 --> 00:03:39.280 if you're streaming video for example. 84 00:03:39.520 --> 00:03:41.759 Ah, so if you drop frames here and there, aren't 85 00:03:41.759 --> 00:03:42.240 a big. 86 00:03:42.080 --> 00:03:44.960 Deal exactly, But you wouldn't want to use UDP for 87 00:03:45.280 --> 00:03:47.520 like sending sensitive financial information. 88 00:03:47.759 --> 00:03:50.599 Definitely not. And wire Shark lets us see which protocol 89 00:03:50.680 --> 00:03:51.319 is being used. 90 00:03:51.479 --> 00:03:53.800 Yeah, it shows you all that information. It's pretty cool. 91 00:03:53.840 --> 00:03:55.919 So if I see a bunch of UDP traffic, I 92 00:03:56.000 --> 00:03:59.719 know that something's probably streaming most likely. Yeah, this is 93 00:03:59.719 --> 00:04:02.039 making me think about the Internet in a whole new way. 94 00:04:02.960 --> 00:04:04.879 I never realized there was so much going on behind 95 00:04:04.919 --> 00:04:05.360 the scenes. 96 00:04:05.479 --> 00:04:08.560 It's a whole hidden world. Yeah, and wire Shark gives 97 00:04:08.560 --> 00:04:10.840 you the keys to explore it now. 98 00:04:11.000 --> 00:04:14.520 The book also mentioned something called well known ports. What 99 00:04:14.560 --> 00:04:14.919 are those? 100 00:04:15.240 --> 00:04:18.240 Okay, So imagine a city with a bunch of different ports, Okay, 101 00:04:18.600 --> 00:04:23.000 and each port is designated for a specific type of cargo, like. 102 00:04:23.000 --> 00:04:26.160 One port for oil tankers, one for containerships. 103 00:04:25.480 --> 00:04:27.839 That kind of thing, exactly well known ports are kind 104 00:04:27.879 --> 00:04:30.279 of like that. They're specific numbers that are assigned to 105 00:04:30.279 --> 00:04:31.519 common Internet services. 106 00:04:31.759 --> 00:04:34.879 So if I'm browsing the Web, my traffic is going 107 00:04:34.879 --> 00:04:37.519 through a specific port for web traffic. Right. 108 00:04:37.720 --> 00:04:41.319 Web traffic usually uses Port eighty or Port four forty three. 109 00:04:41.240 --> 00:04:43.560 If it's encrypted, and wire Shark shows us which ports 110 00:04:43.600 --> 00:04:44.160 are being used. 111 00:04:44.240 --> 00:04:45.839 Yep, it's another piece of the puzzle. 112 00:04:46.000 --> 00:04:49.519 This is starting to feel like a real life CSI episode. Now, 113 00:04:49.920 --> 00:04:53.800 how do we actually capture this traffic? The book uses 114 00:04:53.839 --> 00:04:57.519 the word sniffing, which sounds kind of a little creepy. Yeah, 115 00:04:57.560 --> 00:04:58.839 a little creepy, it is what it is. 116 00:04:58.920 --> 00:05:01.519 Basically, it means cap shuring the network traffic as it 117 00:05:01.560 --> 00:05:02.279 goes by, so. 118 00:05:02.439 --> 00:05:04.920 Like we're eavesdropping on the network pretty much. 119 00:05:05.000 --> 00:05:07.120 Yeah, and wire Shark gives us the tools to do that. 120 00:05:07.480 --> 00:05:09.720 Okay, I can see how that would be useful. But 121 00:05:09.759 --> 00:05:13.680 what about promiscuous mode. The book mentions that and it 122 00:05:13.759 --> 00:05:17.560 sounds a little uh risque, Yeah, a little bit. What 123 00:05:17.560 --> 00:05:18.439 does it actually mean? 124 00:05:18.759 --> 00:05:22.199 So normally your network card only sees traffic that's specifically 125 00:05:22.240 --> 00:05:26.319 addressed to your computer. Promiscuous mode, let's see all the 126 00:05:26.399 --> 00:05:27.839 traffic on the network. 127 00:05:27.959 --> 00:05:30.439 Oh so it's like being able to hear everyone's conversations 128 00:05:30.439 --> 00:05:31.319 in a crowded room. 129 00:05:31.439 --> 00:05:34.360 Exactly. It's essential for network analysis because it gives you 130 00:05:34.399 --> 00:05:35.120 the full picture. 131 00:05:35.560 --> 00:05:38.480 I'm starting to see how powerful this tool can be. Yeah, 132 00:05:38.519 --> 00:05:41.079 but I imagine there are different scenarios for sniffing, right, 133 00:05:41.800 --> 00:05:46.000 Like the book talks about wired versus wireless, hubs versus switches. 134 00:05:46.160 --> 00:05:49.160 Oh yeah, definitely. The environment you're in makes a big difference. 135 00:05:49.319 --> 00:05:50.480 Can you unpack that a bit? 136 00:05:50.680 --> 00:05:53.600 So On a wired network, if you're connected to a hub, 137 00:05:53.959 --> 00:05:57.639 it's pretty straightfor um, okay, because hubbs broadcast all the 138 00:05:57.639 --> 00:06:01.439 traffic to every device connected to them. Everything pretty much. 139 00:06:01.639 --> 00:06:05.079 But switches are different. Also, switches are smarter. They learn 140 00:06:05.120 --> 00:06:08.519 which devices are connected to each port, and they only 141 00:06:08.639 --> 00:06:10.879 forward traffic to the intended recipient. 142 00:06:11.279 --> 00:06:13.920 So sniffing on a switch network is trickier. 143 00:06:14.160 --> 00:06:17.079 It can be. Yeah, you might only see traffic that's 144 00:06:17.120 --> 00:06:19.600 meant for your computer, or broadcast traffic. 145 00:06:19.680 --> 00:06:20.680 Is there any way around that? 146 00:06:20.959 --> 00:06:22.759 Sometimes the book talks about. 147 00:06:22.560 --> 00:06:24.800 Span ports span ports. 148 00:06:24.560 --> 00:06:26.800 Yeah, there's special ports on a switch that let you 149 00:06:26.800 --> 00:06:28.319 mirror traffic from other ports. 150 00:06:28.519 --> 00:06:31.079 Oh interesting, So you could like designate a port to 151 00:06:31.120 --> 00:06:33.439 capture all the traffic from a specific. 152 00:06:32.959 --> 00:06:36.000 Device exactly, or even from a whole section of the network. 153 00:06:36.240 --> 00:06:39.759 Wow, that's pretty powerful stuff. I'm already starting to see 154 00:06:39.759 --> 00:06:43.959 how wire Shark can be used for like serious investigations. 155 00:06:44.040 --> 00:06:46.439 Oh yeah, definitely, And we're just getting started. 156 00:06:46.519 --> 00:06:48.279 This is already more than I ever thought i'd know 157 00:06:48.319 --> 00:06:51.279 about network analysis. And we haven't even gotten to the 158 00:06:51.319 --> 00:06:53.839 really exciting stuff yet, like analyzing attacks. 159 00:06:54.199 --> 00:06:57.600 Oh yeah, that's next. Get ready for some digital forensics. 160 00:06:57.759 --> 00:06:58.000 Yeah. 161 00:06:58.040 --> 00:07:00.720 Wait, all right, so we've talked about how to capture 162 00:07:00.759 --> 00:07:04.040 network traffic using wire Shark. Now let's talk about using 163 00:07:04.040 --> 00:07:06.319 it to identify and analyze attacks. 164 00:07:06.639 --> 00:07:09.439 Okay, this is where things start to get really interesting. 165 00:07:09.720 --> 00:07:12.240 It does get pretty interesting. The book talks about all 166 00:07:12.279 --> 00:07:14.720 sorts of attacks and how wire Shark can help you 167 00:07:14.800 --> 00:07:15.720 understand how they. 168 00:07:15.600 --> 00:07:17.680 Work, Like those man in the middle. 169 00:07:17.439 --> 00:07:21.639 Attacks exactly, mid M attacks. They're pretty scary when you 170 00:07:21.639 --> 00:07:22.879 think about it, they are. 171 00:07:23.519 --> 00:07:25.480 Can you explain how they work? I always get a 172 00:07:25.480 --> 00:07:26.920 little confused about the details. 173 00:07:26.959 --> 00:07:30.160 Sure, So imagine someone's intercepting your mail, right they set 174 00:07:30.240 --> 00:07:32.759 up a fake mail box outside your house and they 175 00:07:32.759 --> 00:07:35.360 start collecting all your letters before you even get them. 176 00:07:35.439 --> 00:07:36.160 That's sneaky. 177 00:07:36.319 --> 00:07:38.240 Yeah, and that's kind of what a man in the 178 00:07:38.240 --> 00:07:41.399 middle attack does. The attacker puts themselves between two parties 179 00:07:41.439 --> 00:07:43.439 who think they're communicating directly with. 180 00:07:43.399 --> 00:07:46.240 Each other, so they can eavesdrop on the conversation. 181 00:07:46.000 --> 00:07:49.600 Exactly, and they can potentially even modify the data that's 182 00:07:49.639 --> 00:07:50.560 being exchanged. 183 00:07:50.800 --> 00:07:55.160 That's terrifying. So like, if I'm doing online banking and 184 00:07:55.240 --> 00:07:57.120 someone's doing a mid am attack. 185 00:07:57.360 --> 00:08:01.720 They could potentially steal your logging credits, your account numbers, 186 00:08:01.839 --> 00:08:02.600 all that stuff. 187 00:08:02.720 --> 00:08:07.439 Oh wow, the book mentioned something called ARP poisoning. Is 188 00:08:07.480 --> 00:08:08.800 that a type of mid am attack? 189 00:08:09.040 --> 00:08:12.879 It is, Remember we talked about AARP, the Address resolution protocol. 190 00:08:13.199 --> 00:08:17.639 It's how devices on a network map IP addresses to 191 00:08:18.000 --> 00:08:20.920 mac address runing like a phone book for the network exactly. 192 00:08:21.560 --> 00:08:25.639 And in an ARP poisoning attack, the attacker sends out 193 00:08:25.800 --> 00:08:27.720 fake ARP messages. 194 00:08:27.519 --> 00:08:31.519 So they're basically creating false entries in that phone book exactly. 195 00:08:31.720 --> 00:08:34.919 They're tricking devices into sending their data to the attacker 196 00:08:35.080 --> 00:08:36.639 instead of the intended recipient. 197 00:08:36.720 --> 00:08:40.320 That's so devious. He can wire shark help us detect 198 00:08:40.320 --> 00:08:41.200 that kind of attack. 199 00:08:41.320 --> 00:08:45.159 It can wire sharp shows you both the MSc address 200 00:08:45.360 --> 00:08:48.320 and the IP address for each packet, right, So if 201 00:08:48.320 --> 00:08:51.320 you see conflicting m MASS addresses for the same IP address, 202 00:08:51.360 --> 00:08:52.600 that's a big red flag. 203 00:08:52.799 --> 00:08:54.679 Like two different people claim you to have the same phone. 204 00:08:54.519 --> 00:08:56.279 Number, exactly, Something's not right. 205 00:08:56.320 --> 00:08:59.240 Okay, So it's all about looking for those inconsistencies. That 206 00:08:59.279 --> 00:09:02.200 makes sense. Now, what about those denial of service attacks. 207 00:09:02.279 --> 00:09:04.360 I've heard about those, but I don't really understand how 208 00:09:04.360 --> 00:09:04.759 they work. 209 00:09:04.840 --> 00:09:07.559 All right, So imagine a restaurant, right, and they're suddenly 210 00:09:07.600 --> 00:09:10.799 flooded with phone calls for reservations. Okay, but none of 211 00:09:10.799 --> 00:09:12.279 those callers actually show. 212 00:09:12.200 --> 00:09:14.720 Up, so the restaurant is overwhelmed, but it's. 213 00:09:14.559 --> 00:09:17.720 All fake exactly, And that's kind of what a denial 214 00:09:17.759 --> 00:09:21.159 of service attack does. They overload the target server with 215 00:09:21.320 --> 00:09:25.399 so many requests that it can't handle legitimate traffic, so 216 00:09:25.440 --> 00:09:27.919 it's like crashing the server essentially. Yeah, it makes the 217 00:09:27.960 --> 00:09:30.399 service unavailable to legitimate users. 218 00:09:31.039 --> 00:09:35.879 The book mentions syn floods and UDP floods are those 219 00:09:35.919 --> 00:09:37.120 types of DOS attacks. 220 00:09:37.279 --> 00:09:39.799 They are, They're different ways of achieving the same goal. 221 00:09:40.080 --> 00:09:40.840 What's the difference. 222 00:09:41.039 --> 00:09:44.120 So syn flood is like making a bunch of those 223 00:09:44.200 --> 00:09:46.960 fake restaurant reservations but never confirming them. 224 00:09:47.279 --> 00:09:49.240 So you're tying up the phone lines, but you're not 225 00:09:49.320 --> 00:09:50.799 actually taking up any tables. 226 00:09:50.840 --> 00:09:53.759 Exactly, you're exploiting the process of establishing a connection. 227 00:09:53.960 --> 00:09:56.039 Okay, that makes sense. What about a UDP flood. 228 00:09:56.320 --> 00:09:59.399 A UDP flood is more like throwing a massive party 229 00:09:59.440 --> 00:10:02.600 outside the restaurant, creating so much noise and chaos that 230 00:10:02.679 --> 00:10:05.080 it disrupts the normal operations inside. 231 00:10:05.240 --> 00:10:07.720 So you're just overwhelming the target with a ton of data. 232 00:10:07.799 --> 00:10:09.559 Exactly, it's a brute force approach. 233 00:10:09.759 --> 00:10:12.639 Can wire shark help us identify these kinds of attacks? 234 00:10:12.840 --> 00:10:16.320 Oh? Absolutely. Wire Shark can show you patterns in the 235 00:10:16.360 --> 00:10:18.360 traffic that might indicate. 236 00:10:17.919 --> 00:10:20.200 A DOSS attack, Like what kind of patterns. 237 00:10:20.360 --> 00:10:23.159 Well, you might see a huge spike in traffic from 238 00:10:23.200 --> 00:10:26.519 a single source or maybe a range of sources. 239 00:10:26.639 --> 00:10:29.399 So it's all about looking for those unusual spikes. 240 00:10:29.039 --> 00:10:31.879 And activity, right, And it can also show you the 241 00:10:31.919 --> 00:10:34.440 type of packets being used, which can help you figure 242 00:10:34.440 --> 00:10:36.480 out what kind of doss attack it is. 243 00:10:36.759 --> 00:10:39.240 So it's like having a digital magnifying glass letting you 244 00:10:39.279 --> 00:10:41.000 see all those tiny details exactly. 245 00:10:41.080 --> 00:10:44.159 It's a powerful tool for analysis. But it's not just 246 00:10:44.440 --> 00:10:47.320 DOS and MIM attacks we need to worry about. There 247 00:10:47.360 --> 00:10:51.120 are more sophisticated attacks out there, like those advanced persistent 248 00:10:51.159 --> 00:10:52.320 threats you mentioned earlier. 249 00:10:52.399 --> 00:10:54.759 Yeah, those sound particularly scary. What makes those different? 250 00:10:55.240 --> 00:10:58.480 Well, imagine a thief breaking into a bank, but instead 251 00:10:58.480 --> 00:11:01.600 of stealing everything at once, they are more patient. Exactly, 252 00:11:02.080 --> 00:11:04.799 they install a hidden camera and a back door so 253 00:11:04.840 --> 00:11:06.159 they can gain access. 254 00:11:05.840 --> 00:11:08.320 Over time, so they're in it for the long haul, right. 255 00:11:08.799 --> 00:11:13.600 Atts are often orchestrated by skilled attackers, sometimes even nation states. 256 00:11:14.080 --> 00:11:16.399 Wow, so they're playing the long game. What are they 257 00:11:16.399 --> 00:11:17.080 typically after? 258 00:11:17.399 --> 00:11:21.080 It depends they might be stealing sensitive data like intellectual 259 00:11:21.080 --> 00:11:23.039 property or government secrets. 260 00:11:22.799 --> 00:11:26.120 That scary stuff. Can wire shark help us with those 261 00:11:26.200 --> 00:11:26.960 kinds of attacks. 262 00:11:27.080 --> 00:11:30.519 Wireshark isn't primarily a threat detection tool, but it can 263 00:11:30.559 --> 00:11:33.919 be really useful for analyzing suspicious activities. 264 00:11:33.960 --> 00:11:36.200 So it's like the forensic team coming in after the 265 00:11:36.200 --> 00:11:37.240 crime has already happened. 266 00:11:37.360 --> 00:11:40.279 Exactly. It can help you understand how the attack worked, 267 00:11:40.320 --> 00:11:42.039 how much damage was done, all that stuff. 268 00:11:42.080 --> 00:11:46.000 Okay, that makes sense now. The book also mentions lua scripting, 269 00:11:46.240 --> 00:11:47.720 can you tell us a bit more about that. 270 00:11:47.840 --> 00:11:51.159 Sure, Lua is a scripting language that you can use 271 00:11:51.200 --> 00:11:54.399 to extend wire sharks capabilities. 272 00:11:53.879 --> 00:11:56.759 So you can basically write your own custom programs within 273 00:11:56.840 --> 00:11:57.399 wire Shark. 274 00:11:57.480 --> 00:12:00.879 Pretty much, it's like adding superpowers to wire shsh The. 275 00:12:00.840 --> 00:12:03.919 Book mentioned some pretty cool examples, like writing scripts to 276 00:12:04.000 --> 00:12:07.799 count specific types of packets or even extract files from 277 00:12:07.799 --> 00:12:08.919 a network capture. 278 00:12:09.159 --> 00:12:11.080 Yeah, it's pretty amazing what you can do with Lua. 279 00:12:11.240 --> 00:12:14.039 It turns wire Shark into an even more powerful tool. 280 00:12:14.200 --> 00:12:16.679 I'm starting to feel like a real cyber detective over here. 281 00:12:16.840 --> 00:12:19.480 It's definitely a skill that takes time and practice to master, 282 00:12:20.159 --> 00:12:23.240 but even just understanding the basics can be really helpful. 283 00:12:23.519 --> 00:12:26.039 Well, this has been incredibly insightful. We've covered so much 284 00:12:26.080 --> 00:12:28.159 ground today and I feel like I've learned a ton 285 00:12:28.440 --> 00:12:28.799 me too. 286 00:12:29.320 --> 00:12:31.320 And we're not even done yet. There's still more to 287 00:12:31.360 --> 00:12:33.000 explore in the world of wire Shark. 288 00:12:33.360 --> 00:12:36.279 Can't wait to dive in even deeper. Wow, so much 289 00:12:36.320 --> 00:12:40.759 to think about learning about those attacks, like how wire 290 00:12:40.799 --> 00:12:43.919 Shark can help analyze them. It's pretty amazing and kind 291 00:12:43.960 --> 00:12:44.879 of scary at the same. 292 00:12:44.679 --> 00:12:47.159 Time, you know, Yeah, definitely, there's a whole world of 293 00:12:47.200 --> 00:12:49.679 cyber threats out there, but you know, learning how they work, 294 00:12:49.679 --> 00:12:51.799 that's how we get better at defending against them. 295 00:12:52.399 --> 00:12:55.799 Speaking of defense, the book also talks about how wire 296 00:12:55.840 --> 00:12:59.960 Shark can be used well offensively, like by ethical hackers 297 00:13:00.080 --> 00:13:03.519 penetration testers. It kind of threw me off. How can 298 00:13:03.559 --> 00:13:07.080 a tool for analyzing traffic be used by someone who's 299 00:13:07.120 --> 00:13:08.879 actually trying to break into systems? 300 00:13:09.240 --> 00:13:13.240 Ah, I see where you're coming from. Remember wire shark itself, 301 00:13:13.559 --> 00:13:17.480 it's not a hacking tool, doesn't like actively exploit vulnerabilities 302 00:13:17.559 --> 00:13:22.039 or anything, but it's a super valuable tool for ethical 303 00:13:22.080 --> 00:13:26.159 hackers pen testers, especially during certain stages of their work. 304 00:13:26.240 --> 00:13:28.320 Okay, so how does that work? Exactly? 305 00:13:28.360 --> 00:13:32.320 Imagine a detective, right solving a case. They wouldn't just 306 00:13:32.440 --> 00:13:36.000 barge into a suspect's house without doing some recon first. 307 00:13:35.919 --> 00:13:37.240 Right, gather some intel first. 308 00:13:37.399 --> 00:13:40.919 Exactly. Ethical hackers they use wire Shark in a similar 309 00:13:40.919 --> 00:13:44.679 way for reconnaissance, you know, gathering information about a target 310 00:13:44.720 --> 00:13:46.279 network before they even try to get in. 311 00:13:46.480 --> 00:13:50.399 So it's like a digital detective's toolkit, building a profile 312 00:13:50.440 --> 00:13:51.000 of their target. 313 00:13:51.159 --> 00:13:54.519 Yeah, pretty much. Wireshark helps identify like active devices on 314 00:13:54.559 --> 00:13:58.399 the network, open ports, even what operating system services are running. 315 00:13:58.440 --> 00:14:00.000 It's all about getting a full picture. 316 00:14:00.080 --> 00:14:02.120 Makes sense. It's like scope out the place before making 317 00:14:02.120 --> 00:14:05.200 a move. But how else do these ethical hackers use 318 00:14:05.279 --> 00:14:08.000 wire shark during say a penetration test. 319 00:14:08.240 --> 00:14:12.559 Another big one is analyzing how effective different attack techniques are. 320 00:14:12.799 --> 00:14:15.559 Oh interesting, Yeah, by capturing traffic during a test, you know, 321 00:14:15.600 --> 00:14:18.080 they can see how their attacks are being detected blocked 322 00:14:18.080 --> 00:14:21.639 by the target's security system. So it's like refine their strategies, 323 00:14:21.759 --> 00:14:22.679 fine weaknesses. 324 00:14:23.159 --> 00:14:25.559 So it's not just about getting in, but also about 325 00:14:25.639 --> 00:14:29.840 learning and proving their methods, helping organizations build better defenses. 326 00:14:30.120 --> 00:14:35.519 Exactly. Ethical hacking it's all about responsible disclosure, helping organizations 327 00:14:35.600 --> 00:14:38.840 fix vulnerabilities before the bad guys can exploit them. 328 00:14:39.200 --> 00:14:43.120 The book even mentions using wier Shark to like verify 329 00:14:43.159 --> 00:14:44.279 the success of an attack. 330 00:14:44.639 --> 00:14:47.720 Yeah. So let's say, you know, during appentist, they exploit 331 00:14:47.720 --> 00:14:51.200 a vulnerability get access to a system. Wireshark can confirm 332 00:14:51.200 --> 00:14:53.559 that the connection is established. You know, they can actually 333 00:14:53.639 --> 00:14:56.039 monitor the traffic make sure they achieve their objective. 334 00:14:56.279 --> 00:14:58.879 It's like proof they actually got in can access that 335 00:14:59.039 --> 00:14:59.960 sensitive information. 336 00:15:00.080 --> 00:15:03.200 Exactly. It's important, you know, demonstrating the impact of a vulnerability, 337 00:15:03.279 --> 00:15:04.759 providing evidence to the client. 338 00:15:05.080 --> 00:15:08.960 This whole idea of offensive wire shark, it's pretty eye opening, 339 00:15:09.000 --> 00:15:11.080 you know, shows how the same tools can be used 340 00:15:11.080 --> 00:15:14.759 for defense, but also to understand improve attack strategies. 341 00:15:15.120 --> 00:15:19.480 It's all about understanding both sides, the attacker and the defender, right, 342 00:15:19.559 --> 00:15:22.200 like knowing your enemy exactly. The more we know how 343 00:15:22.200 --> 00:15:24.840 attackers work, the better we can anticipate their moves and 344 00:15:24.879 --> 00:15:25.960 defend against them. 345 00:15:26.039 --> 00:15:28.279 Now about that Lewis scripting, we talked about it a 346 00:15:28.279 --> 00:15:32.279 bit earlier. I'm really curious about these custom scripts, how 347 00:15:32.279 --> 00:15:33.320 they're actually used. 348 00:15:33.720 --> 00:15:37.960 Oh, Lewis scripting is incredibly powerful. It's like, you know, 349 00:15:38.000 --> 00:15:40.559 having a toolbox where you can build your own tools 350 00:15:40.879 --> 00:15:42.080 for whatever you need. 351 00:15:42.000 --> 00:15:43.799 Right, custom made exactly. 352 00:15:44.080 --> 00:15:46.960 The book is some great examples, like writing scripts to 353 00:15:47.000 --> 00:15:51.720 automate repetitive tasks, custom filters, even extracting specific data from 354 00:15:51.720 --> 00:15:52.679 those captured packets. 355 00:15:52.720 --> 00:15:55.360 Yeah, I remember that, extracting files from a capture. It's 356 00:15:55.399 --> 00:15:56.679 like a digital archaeology, right. 357 00:15:56.840 --> 00:16:00.000 It is shows how Lewis scripting can turn wire Sharks 358 00:16:00.360 --> 00:16:04.480 into this highly specialized investigation and analysis tool. 359 00:16:04.679 --> 00:16:07.279 So if you're comfortable with a little coding, the possibilities 360 00:16:07.320 --> 00:16:08.399 are pretty much endless. 361 00:16:08.440 --> 00:16:11.519 Pretty much The book even walks you through creating a 362 00:16:11.639 --> 00:16:15.600 die sector, which is basically a plug in teaches wire 363 00:16:15.639 --> 00:16:17.639 sharp how to interpret a new protocol. 364 00:16:17.879 --> 00:16:20.639 Wow, so you could basically teach wireshark a whole new language. 365 00:16:20.840 --> 00:16:24.360 Yeah, shows how extensible, how deep this tool really is. 366 00:16:24.360 --> 00:16:27.120 You're not just stuck with the built in stuff, customize 367 00:16:27.120 --> 00:16:28.399 it for your specific needs. 368 00:16:29.120 --> 00:16:31.399 Well, we've covered a ton in this deep dive on 369 00:16:31.480 --> 00:16:35.399 wire Shark, from the basics of networks protocols, how it 370 00:16:35.440 --> 00:16:40.039 analyzes attacks, even ethical hacking, luis scripting. It's been a 371 00:16:40.080 --> 00:16:41.960 fascinating journey absolutely. 372 00:16:42.039 --> 00:16:44.159 You know, it's amazing what you can learn when you 373 00:16:44.279 --> 00:16:45.279 really dive deep. 374 00:16:45.440 --> 00:16:48.320 If you're listening and feeling that spark of curiosity, definitely 375 00:16:48.360 --> 00:16:50.519 check out wire Shark for security professionals. 376 00:16:50.600 --> 00:16:53.720 Yeah, great resource whether you're a cybersecurity pro or just 377 00:16:53.840 --> 00:16:54.480 starting out. 378 00:16:54.679 --> 00:16:58.480 And as always, folks, keep exploring, keep learning, and keep 379 00:16:58.519 --> 00:16:59.159 diving deep.