WEBVTT 1 00:00:00.000 --> 00:00:02.640 All right, let's dive in today. We're going deep into 2 00:00:02.640 --> 00:00:06.080 the world of network security with wire Shark. We'll be 3 00:00:06.160 --> 00:00:10.480 using wire Shark Network Security by Puche Verma as our guide. 4 00:00:10.640 --> 00:00:13.000 Oh yeah, ps Verma. He's a pretty sharp guy, a 5 00:00:13.080 --> 00:00:14.640 real security pro book. 6 00:00:14.640 --> 00:00:16.719 Book's got some serious endorsements too, right. 7 00:00:16.719 --> 00:00:19.399 Yeah, people like David who's a hardware expert over at 8 00:00:19.600 --> 00:00:22.359 ARM And then there's Jap he's been a core wire 9 00:00:22.399 --> 00:00:24.960 Shark developer for like over two decades. 10 00:00:25.000 --> 00:00:27.600 Wow. So we're talking about folks who really know their stuff. 11 00:00:27.839 --> 00:00:30.879 Definitely not your average beginner's guide. 12 00:00:31.039 --> 00:00:34.159 So the goal today is to give everyone a solid 13 00:00:34.240 --> 00:00:37.399 understanding of what wire Shark can do, especially when it 14 00:00:37.439 --> 00:00:39.920 comes to sniffing out security threats exactly. 15 00:00:40.159 --> 00:00:42.439 We're going to go beyond the basics. We'll dig into 16 00:00:42.439 --> 00:00:45.000 the tools and the techniques, you know, really get into 17 00:00:45.039 --> 00:00:45.799 the nitty gritty. 18 00:00:45.920 --> 00:00:48.600 Love it. So let's start with the foundation. What is 19 00:00:48.600 --> 00:00:50.240 sniffing and why should anyone care? 20 00:00:50.560 --> 00:00:54.560 Sniffing is basically capturing and then analyzing those little data 21 00:00:54.600 --> 00:00:57.000 packets that you know, flow through a network. 22 00:00:57.039 --> 00:01:00.640 Okay, so it's like listening in on the conversation happening 23 00:01:00.719 --> 00:01:02.200 between devices on the network. 24 00:01:02.359 --> 00:01:04.640 You got it. It's kind of like having a secret 25 00:01:04.680 --> 00:01:08.719 listen device. It's super important for both network admins and 26 00:01:08.799 --> 00:01:09.799 for security folks. 27 00:01:10.040 --> 00:01:13.319 So admins use it to like diagnose network problems. 28 00:01:13.400 --> 00:01:15.920 Yeah yeah, like a doctor using a stethoscope, you know, 29 00:01:16.000 --> 00:01:19.120 to listen to a patient's heartbeat. And security analyst while 30 00:01:19.120 --> 00:01:22.079 they use sniffing to detect anything suspicious. 31 00:01:21.599 --> 00:01:23.959 Like a detective analyzing clues at a crime scene. 32 00:01:24.000 --> 00:01:26.680 Exactly. But there are other tools out there too, right, 33 00:01:26.760 --> 00:01:32.400 You've got TCP dump, Naggio's network analyzer, even omnipeak. 34 00:01:32.120 --> 00:01:35.439 Right, right, So what makes wire sharks stand out from 35 00:01:35.480 --> 00:01:35.879 the crowd. 36 00:01:36.040 --> 00:01:39.200 Well, for starters, it's free and open source, and it's 37 00:01:39.239 --> 00:01:41.519 super user friendly. You can use it on pretty much 38 00:01:41.560 --> 00:01:42.159 any platform. 39 00:01:42.239 --> 00:01:43.799 Cross platform always a plus. 40 00:01:44.079 --> 00:01:46.879 And it supports a huge number of protocols, like a 41 00:01:46.920 --> 00:01:49.799 really wide range. Means it can understand pretty much any 42 00:01:49.840 --> 00:01:51.319 network conversation out there. 43 00:01:51.480 --> 00:01:54.599 Okay, that's impressive, But what really sets wireshark apart. 44 00:01:54.760 --> 00:01:58.640 It's got this incredibly powerful filtering system. 45 00:01:58.840 --> 00:02:01.560 Filtering like Instagram filters that make you look younger. 46 00:02:02.519 --> 00:02:05.879 No, not quite like that. With wire Shark. These filters 47 00:02:06.640 --> 00:02:09.599 they let you sort through mountains of data and pinpoint 48 00:02:09.639 --> 00:02:13.439 exactly what you're looking for. You can filter by IP address, protocol, 49 00:02:13.840 --> 00:02:15.520 even specific data patterns. 50 00:02:15.680 --> 00:02:17.960 Oh wow, So if I'm trying to track down all 51 00:02:18.000 --> 00:02:22.439 the traffic going to say a suspicious website, I can 52 00:02:22.479 --> 00:02:23.439 do that with wire shark. 53 00:02:23.520 --> 00:02:25.080 You got it. Or let's say you want to see 54 00:02:25.120 --> 00:02:27.560 all the traffic using a specific protocol. You can isolate 55 00:02:27.599 --> 00:02:27.960 that too. 56 00:02:28.159 --> 00:02:30.800 So it's like having a search engine, but specifically for 57 00:02:30.919 --> 00:02:32.599 network traffic. That's amazing. 58 00:02:32.759 --> 00:02:34.840 And for those who prefer the command line, there are 59 00:02:34.879 --> 00:02:39.039 tools like t shark, capinfos, edit cap, and merge cap. 60 00:02:39.199 --> 00:02:39.879 What can those do? 61 00:02:40.120 --> 00:02:42.759 They give you more specialized control, you know, like t 62 00:02:42.919 --> 00:02:45.759 shark it's a command line version of wire shark, perfect 63 00:02:45.840 --> 00:02:49.319 for scripting and automation. Capinfos it gives you a quick 64 00:02:49.319 --> 00:02:52.439 summary of a capture file. Edit cap lets you modify 65 00:02:52.439 --> 00:02:54.840 those files. And merge cap well, that one lets you 66 00:02:54.879 --> 00:02:56.319 combine multiple files into one. 67 00:02:56.439 --> 00:02:58.919 Wow, that's a lot of power at your fingertips. Yeah, okay, 68 00:02:59.000 --> 00:03:01.599 so we've got our sniffing two tools ready, But what 69 00:03:01.719 --> 00:03:05.240 exactly are we looking for? What kind of threats might 70 00:03:05.280 --> 00:03:06.560 be lurking on a network? 71 00:03:06.800 --> 00:03:10.439 Well, one of the most common and surprisingly dangerous is 72 00:03:10.560 --> 00:03:15.080 clear text traffic. Sending sensitive information without encrypting it. It's 73 00:03:15.120 --> 00:03:15.919 a huge risk. 74 00:03:16.319 --> 00:03:18.800 Really, Like, what kind of protocols are we talking about. 75 00:03:18.879 --> 00:03:23.960 You've got FTP, Telnet, even HTTP. These older protocols, they 76 00:03:23.960 --> 00:03:27.759 often send data in plain text, which means anyone sniffing 77 00:03:27.800 --> 00:03:29.439 the network could just read that data. 78 00:03:29.560 --> 00:03:31.560 Oh wow, So it's like sending a postcard with your 79 00:03:31.599 --> 00:03:32.879 credit card number written on it. 80 00:03:33.120 --> 00:03:35.879 Pretty much anyone who handles it can see your info. 81 00:03:36.360 --> 00:03:40.080 That's why using HTTPS is so so important. It encrypts 82 00:03:40.120 --> 00:03:43.240 the data, keeps it safe from prying eyes, and with 83 00:03:43.319 --> 00:03:46.800 wireshark you can actually see the difference between plaintext and 84 00:03:46.960 --> 00:03:47.719 encrypted data. 85 00:03:48.000 --> 00:03:51.039 So plaintext is bad, got it? What else should we 86 00:03:51.120 --> 00:03:51.879 be on the lookout for. 87 00:03:52.159 --> 00:03:55.639 Another common attack is well, actually it's sniffing itself, but 88 00:03:55.719 --> 00:03:56.599 done maliciously. 89 00:03:56.719 --> 00:03:58.719 Wait, I thought all sniffing was bad. We're talking about 90 00:03:58.800 --> 00:04:00.439 using it for good here, right. 91 00:04:00.560 --> 00:04:03.680 But there's a difference between passive sniffing and active sniffing. 92 00:04:03.719 --> 00:04:05.439 Okay, explain that passive. 93 00:04:05.080 --> 00:04:07.879 Sniffing is just capturing traffic that's already out there flowing 94 00:04:07.919 --> 00:04:11.199 through the network. But active sniffing, well, that's when the 95 00:04:11.240 --> 00:04:14.599 attacker is actively trying to intercept traffic that wasn't meant 96 00:04:14.599 --> 00:04:14.879 for them. 97 00:04:14.960 --> 00:04:18.160 Oh I see. So passive sniffing is like overhearing a 98 00:04:18.240 --> 00:04:21.279 conversation in a public place, and active sniffing is like 99 00:04:21.319 --> 00:04:22.439 tapping someone's phone. 100 00:04:22.560 --> 00:04:24.439 Yeah, that's a good way to put it, and attackers 101 00:04:24.519 --> 00:04:26.759 use all sorts of tricks to do that, like MAC 102 00:04:26.920 --> 00:04:29.079 flooding and ARP poisoning. 103 00:04:29.240 --> 00:04:31.120 Those sound intense. What are they? Exactly? 104 00:04:31.240 --> 00:04:34.560 Mac flooding it's like overloading a network switch with too 105 00:04:34.600 --> 00:04:37.680 many ANGS addresses. That can force the switch to just 106 00:04:37.720 --> 00:04:41.000 start broadcasting everything to all ports, which makes it easy 107 00:04:41.000 --> 00:04:42.360 for the attacker to grab it all. 108 00:04:42.600 --> 00:04:45.160 Oh wow, So it's like creating a traffic jam, forcing 109 00:04:45.160 --> 00:04:47.120 all the data to go through the attacker's computer. 110 00:04:47.360 --> 00:04:50.720 Exactly. Now. ARP poisoning that's a bit different. It's about 111 00:04:50.759 --> 00:04:52.480 manipulating the ARP table. 112 00:04:52.560 --> 00:04:53.879 The ARP table, what's that? 113 00:04:54.199 --> 00:04:56.360 So when your computer wants to send a message to 114 00:04:56.399 --> 00:04:59.519 another device, it knows the IP address, but it needs 115 00:04:59.519 --> 00:05:03.160 the EMMY address to actually deliver it. The ARP table 116 00:05:03.279 --> 00:05:05.839 is like a phone book that maps IP addresses to 117 00:05:06.079 --> 00:05:07.000 MC addresses. 118 00:05:07.360 --> 00:05:09.920 Oh okay, so it translates the IP address into a 119 00:05:10.000 --> 00:05:10.600 mac key. 120 00:05:10.519 --> 00:05:14.519 Address, right, And ARP poisoning it tricks your computer into 121 00:05:14.600 --> 00:05:16.800 using the wrong MC address. 122 00:05:16.480 --> 00:05:18.839 So it's like changing someone's number in your phone, so 123 00:05:18.879 --> 00:05:20.519 when you call them, you end up talking to the 124 00:05:20.560 --> 00:05:21.800 attacker exactly. 125 00:05:22.240 --> 00:05:25.639 And wireshark can help you spot these ARP poisoning attacks 126 00:05:25.879 --> 00:05:29.360 by showing you those ARP requests and responses, so we. 127 00:05:29.319 --> 00:05:32.360 Can see if there are any suspicious entries, like a 128 00:05:32.399 --> 00:05:38.079 security camera pointed at the ARP table. That's pretty clever. Okay, 129 00:05:38.120 --> 00:05:40.920 so we've covered clear text traffic and sniffing attacks. 130 00:05:41.720 --> 00:05:45.240 What else, Let's talk about reconnaissance. You know, it's like 131 00:05:45.279 --> 00:05:47.600 when a thief cases a house before they break in. 132 00:05:47.920 --> 00:05:50.839 Attackers use all sorts of tools to gather information about 133 00:05:50.879 --> 00:05:53.759 a network, look for weaknesses they can exploit. 134 00:05:53.439 --> 00:05:55.160 So they do their homework before they strike. 135 00:05:55.480 --> 00:05:57.519 Makes sense, and one of the most common tactics they 136 00:05:57.639 --> 00:06:00.639 use is port scanning. They'll use tools like map to 137 00:06:00.680 --> 00:06:01.720 scan for open. 138 00:06:01.560 --> 00:06:04.600 Ports, so they're checking for unlocked doors yep. 139 00:06:04.759 --> 00:06:08.480 Basically, they're also looking for specific services running on those ports, 140 00:06:08.519 --> 00:06:11.759 which can tell them things like what operating system you're using, 141 00:06:11.879 --> 00:06:14.920 maybe what software you're running, and even what vulnerabilities might 142 00:06:15.000 --> 00:06:15.480 be present. 143 00:06:16.040 --> 00:06:18.600 Oh man, So it's like they're peaking in the windows, 144 00:06:18.680 --> 00:06:22.040 checking out what valuables you've got inside. Not good, not. 145 00:06:22.000 --> 00:06:24.120 Good at all. And wireshark can help you detect this 146 00:06:24.240 --> 00:06:25.360 port scanning activity. 147 00:06:25.439 --> 00:06:25.959 Oh really? 148 00:06:26.160 --> 00:06:28.439 How it shows you those scan requests coming from the 149 00:06:28.480 --> 00:06:29.480 attackers machine. 150 00:06:29.720 --> 00:06:31.959 So like a security system that tells you when someone's 151 00:06:32.000 --> 00:06:32.560 jiggling the. 152 00:06:32.480 --> 00:06:36.199 Doorknobs exactly, and once they find a weakness, they can 153 00:06:36.279 --> 00:06:39.959 launch more targeted attacks like trying to crack your passwords. 154 00:06:40.240 --> 00:06:43.279 Speaking of passwords, what can wire shark tell us about 155 00:06:43.399 --> 00:06:44.839 password cracking attempts? 156 00:06:45.360 --> 00:06:48.040 Quite a bit? Actually, it can show you the usernames 157 00:06:48.040 --> 00:06:51.160 and passwords being tried, the techniques being used, even the 158 00:06:51.199 --> 00:06:52.279 speed of those attempts. 159 00:06:52.680 --> 00:06:56.639 So we can see the attackers' keystrokes as they're trying 160 00:06:56.680 --> 00:06:57.120 to break in. 161 00:06:57.360 --> 00:07:00.759 Not literally, but you can see the data being which 162 00:07:00.879 --> 00:07:04.399 often includes that username and password being attempted, and the 163 00:07:04.480 --> 00:07:08.000 timing can be a big giveaway. Humans can't type that fast, 164 00:07:08.199 --> 00:07:08.560 So if. 165 00:07:08.439 --> 00:07:10.680 We see a bunch of log in attempts in rapid 166 00:07:10.720 --> 00:07:15.279 succession with different usernames and passwords, that's a clear sign 167 00:07:15.319 --> 00:07:17.480 of a password cracking attack exactly. 168 00:07:17.920 --> 00:07:20.560 And wireshot can show you which protocol is being targeted, 169 00:07:20.560 --> 00:07:24.519 like FTP or POP three or HTTP. This helps understand 170 00:07:24.519 --> 00:07:25.560 the attackers' methods. 171 00:07:25.680 --> 00:07:27.680 Okay, so we've covered a lot of ground here. It's 172 00:07:27.759 --> 00:07:30.480 amazing how much wire Shark can reveal about what's happening 173 00:07:30.519 --> 00:07:31.160 on a network. 174 00:07:31.279 --> 00:07:35.079 It's pretty powerful. But we're just getting started. Next time 175 00:07:35.199 --> 00:07:38.879 we'll dig into email espionage, see how to uncover secrets 176 00:07:38.879 --> 00:07:42.839 and email attachments, and even analyze malware traffic. It's going 177 00:07:42.879 --> 00:07:44.680 to get really interesting looking. 178 00:07:44.480 --> 00:07:47.199 Forward to it. All Right, So before we went on 179 00:07:47.240 --> 00:07:49.319 our little break, we were talking about how Wireshark can 180 00:07:49.360 --> 00:07:52.959 be used to like spot the suspicious activities happening on 181 00:07:52.959 --> 00:07:56.000 our networks. So now let's shift our focus to email, 182 00:07:56.040 --> 00:07:58.199 shall we. I mean, it's not just for shopping lists 183 00:07:58.199 --> 00:08:00.120 and like cat videos anymore. 184 00:08:00.199 --> 00:08:03.519 Oh, definitely not. Email is still a prime target for attackers. 185 00:08:03.560 --> 00:08:06.680 You know. It's a common way to spread those phishing attacks, malware, 186 00:08:06.759 --> 00:08:08.399 even stuff like corporate espionage. 187 00:08:08.800 --> 00:08:12.160 Espionage huh sounds kind of like a spy movie. So 188 00:08:12.240 --> 00:08:17.759 are we talking like secret messages hidden in plain text emails? 189 00:08:18.120 --> 00:08:21.199 It's not too far off. You see traditional email protocols, 190 00:08:21.240 --> 00:08:24.639 things like SMTP, pop three and IMAP. They were designed 191 00:08:24.639 --> 00:08:27.680 way back when security wasn't such a big concern, So 192 00:08:27.920 --> 00:08:31.000 they often send data in plaintext, which means, you know, 193 00:08:31.079 --> 00:08:33.440 if anyone is sniffing the network, well, they could potentially 194 00:08:33.519 --> 00:08:34.360 read those emails. 195 00:08:34.440 --> 00:08:37.000 Wait really, so it's like sending a super confidential letter 196 00:08:37.039 --> 00:08:41.279 on a postcard. Not exactly secure. But people aren't still 197 00:08:41.360 --> 00:08:42.879 using those old protocols, are they? 198 00:08:42.960 --> 00:08:46.080 You'd be surprised. While a lot of email providers they 199 00:08:46.080 --> 00:08:49.200 do use encryption nowadays by default, but you still have 200 00:08:49.279 --> 00:08:53.039 some legacy systems and configurations out there that might be vulnerable. Plus, 201 00:08:53.120 --> 00:08:55.679 let's face it, attackers they're always finding new ways to 202 00:08:55.679 --> 00:08:58.840 get around those security measures, right, and that's why analyzing 203 00:08:58.879 --> 00:09:01.600 email traffic with wiresh it can be so valuable. 204 00:09:01.759 --> 00:09:04.919 Okay, so what exactly should we be looking for when 205 00:09:04.919 --> 00:09:08.279 we're analyzing email traffic with wireshark, Like, what are the 206 00:09:08.279 --> 00:09:11.120 red flags that scream, hey, something fishy's going on here? 207 00:09:11.360 --> 00:09:14.519 Well, one of the most obvious signs is seeing sensitive information, 208 00:09:14.679 --> 00:09:18.200 stuff like passwords or financial details being sent in plain text. Right, 209 00:09:18.279 --> 00:09:21.159 that's a big no no. But like I said, attackers 210 00:09:21.200 --> 00:09:24.440 are getting smarter. They're using all sorts of techniques you know, 211 00:09:24.600 --> 00:09:28.399 to hide their tracks, things like encoding messages or hiding 212 00:09:28.480 --> 00:09:29.600 data and attachments. 213 00:09:30.000 --> 00:09:33.000 Encoding messages is that like writing in some kind of 214 00:09:33.039 --> 00:09:35.639 secret code, like only the person who's supposed to get 215 00:09:35.639 --> 00:09:37.240 the message can decipher it. 216 00:09:37.240 --> 00:09:40.279 It's similar to that, you see. One method they use 217 00:09:40.399 --> 00:09:44.039 is called quoted printable encoding. It's meant to handle special 218 00:09:44.120 --> 00:09:46.919 characters and emails, converts them into a format that can 219 00:09:46.960 --> 00:09:50.720 be transmitted safely. But attackers can twist that use it 220 00:09:50.759 --> 00:09:53.679 to like camouflage their messages, make them harder to spot. 221 00:09:53.799 --> 00:09:55.879 Okay, so it's like hiding a message in plain sight 222 00:09:55.960 --> 00:09:58.960 right now using this code that looks innocent, but really 223 00:09:58.960 --> 00:10:02.720 it's got something secret inside. And what about attachments? How 224 00:10:02.759 --> 00:10:05.039 can attackers use those to hide data? 225 00:10:05.240 --> 00:10:08.960 Attachments? Yeah, they're a popular way to deliver malware or 226 00:10:09.039 --> 00:10:11.840 you know, to sneak out stolen data. They might make 227 00:10:11.879 --> 00:10:15.120 these malicious files look like harmless documents, you know, like 228 00:10:15.200 --> 00:10:19.480 PDFs or spreadsheets, or they might go even further, hiding 229 00:10:19.559 --> 00:10:22.559 data within the actual structure of a file, you know, 230 00:10:22.759 --> 00:10:24.600 using techniques like steganography. 231 00:10:24.840 --> 00:10:28.240 Steganography, Wow, that sounds like something straight out of a 232 00:10:28.240 --> 00:10:29.200 spine nobyl. 233 00:10:29.039 --> 00:10:32.720 It is pretty cool. Actually, it's the art of concealing 234 00:10:32.799 --> 00:10:36.320 a message like within another message, or a file. Imagine 235 00:10:36.320 --> 00:10:39.200 you're embedding a secret message within the pixels of an image. 236 00:10:39.240 --> 00:10:41.919 So to the naked eye, the image looks totally normal, right, 237 00:10:42.279 --> 00:10:44.679 but that hidden message is there. You just need to 238 00:10:44.679 --> 00:10:45.679 know how to extract it. 239 00:10:45.919 --> 00:10:48.159 That's amazing. It's like something you'd see in a James 240 00:10:48.159 --> 00:10:51.480 Bond movie. So wire Shark can actually help us uncover 241 00:10:51.600 --> 00:10:52.639 these hidden messages. 242 00:10:52.840 --> 00:10:57.120 Absolutely. Wireshark can't decrypt encrypted messages, but it can definitely 243 00:10:57.120 --> 00:10:59.720 give us those clues. For example, it can tell us 244 00:10:59.759 --> 00:11:02.120 the file type of an attachment, you know, even if 245 00:11:02.120 --> 00:11:04.559 someone tried to change the file extension to disguise it. 246 00:11:05.080 --> 00:11:07.039 And we can also look at the size and structure 247 00:11:07.039 --> 00:11:09.559 of the attachment see if it matches what we'd expect. 248 00:11:09.799 --> 00:11:11.759 So like if we see a file that's supposed to 249 00:11:11.799 --> 00:11:14.720 be a PDF but it's like way too big, or 250 00:11:14.759 --> 00:11:16.840 if it's structure is all messed up, that's. 251 00:11:16.720 --> 00:11:19.320 A bad sign exactly, could be a sign that something's 252 00:11:19.360 --> 00:11:21.960 hiding in that file. Plus, wireshirt can help us track 253 00:11:22.000 --> 00:11:25.519 where that attachment came from, where it's going, any servers 254 00:11:25.559 --> 00:11:26.720 it passed through along the way. 255 00:11:26.840 --> 00:11:30.080 It's like a trail of digital breadcrumbs right leading us 256 00:11:30.120 --> 00:11:32.360 back to the source of the attack, or maybe the 257 00:11:32.399 --> 00:11:34.960 destination of that stolen data precisely. 258 00:11:35.639 --> 00:11:39.159 Now, speaking of email espionage, there's a really interesting example 259 00:11:39.200 --> 00:11:42.759 in the book Wireshark Network Security. The author he lays 260 00:11:42.759 --> 00:11:46.200 out this challenge, calls it corporate espionage, where someone's trying 261 00:11:46.240 --> 00:11:49.159 to steal a secret car prototype design and they're using 262 00:11:49.279 --> 00:11:50.120 email to do it. 263 00:11:50.200 --> 00:11:53.080 Oooh, this sounds juicy. How did they try to pull 264 00:11:53.080 --> 00:11:53.360 it off? 265 00:11:53.440 --> 00:11:55.720 Well, they didn't just send the image directly. Yeah, I'd 266 00:11:55.720 --> 00:11:58.879 be way too obvious. Instead, they embedded it inside an 267 00:11:59.000 --> 00:12:02.200 RTF file, a rich text format file, and attached it 268 00:12:02.200 --> 00:12:05.360 to the email. And to make things even trickier, they 269 00:12:05.480 --> 00:12:08.440 encoded the email using that quoted printable method we talked 270 00:12:08.480 --> 00:12:09.120 about earlier. 271 00:12:09.399 --> 00:12:11.879 So they made the image look like a harmless document 272 00:12:12.200 --> 00:12:15.919 and then scrambled the email itself. Pretty sneaky it is. 273 00:12:16.000 --> 00:12:19.200 But luckily with wire Shark we can put the pieces 274 00:12:19.200 --> 00:12:21.360 together expose their little scheme. 275 00:12:21.559 --> 00:12:24.440 Okay, I'm hooked, walk me through it. What did wire 276 00:12:24.480 --> 00:12:25.120 Shark reveal? 277 00:12:25.279 --> 00:12:27.399 Well, first off, we looked at the email headers right, 278 00:12:27.480 --> 00:12:30.720 those tell you the sender, recipient, subject line, even the 279 00:12:30.799 --> 00:12:34.159 encoding method used. So when we saw an attachment with 280 00:12:34.200 --> 00:12:37.759 a name like project xdesign DOT or TF and a 281 00:12:37.799 --> 00:12:41.360 subject line that said confidential, do not share. Well, that 282 00:12:41.519 --> 00:12:42.759 definitely raised a red flag. 283 00:12:42.840 --> 00:12:45.039 Yeah, not exactly trying to be subtle, are they? What 284 00:12:45.080 --> 00:12:45.799 else did you find? 285 00:12:46.159 --> 00:12:49.679 That quoted printable encoding? That was another clue. Like I said, 286 00:12:49.720 --> 00:12:52.399 it's not unusual to use that encoding, but in this context, 287 00:12:52.440 --> 00:12:54.600 it was definitely something to look into. And then, of 288 00:12:54.639 --> 00:12:57.039 course there's the actual content of the email itself. Once 289 00:12:57.080 --> 00:12:59.519 we decoded it, it had instructions on how to get 290 00:12:59.559 --> 00:13:02.679 that hidden image out of the RTF file and get this. 291 00:13:03.159 --> 00:13:05.519 It even had details about a secret meeting where they 292 00:13:05.519 --> 00:13:07.200 were going to hand off the stolen designs. 293 00:13:07.360 --> 00:13:10.720 Wow, so not only did you catch the spy, but 294 00:13:10.799 --> 00:13:15.159 you also busted their entire plan. That's some seriously impressive 295 00:13:15.279 --> 00:13:16.559 digital detective work. 296 00:13:16.639 --> 00:13:19.279 It's pretty satisfying, right, And this is just one example 297 00:13:19.279 --> 00:13:22.240 of how wireshark can be used to, you know, investigate 298 00:13:22.279 --> 00:13:25.399 email espionage. There are other techniques they used to like 299 00:13:25.559 --> 00:13:28.399 SMTP enumeration, relay attack stuff like that. 300 00:13:28.679 --> 00:13:32.399 SMTP enumeration. It sounds a bit technical, it is. 301 00:13:32.559 --> 00:13:35.720 It's a technique attackers used to gather intel about an 302 00:13:35.720 --> 00:13:39.639 email server and its users. They basically send probes to 303 00:13:39.799 --> 00:13:42.840 the server trying to figure out which email addresses are valid. 304 00:13:43.080 --> 00:13:44.919 It's kind of like a thief going door to door, 305 00:13:45.120 --> 00:13:47.000 you know, checking which houses are occupied. 306 00:13:47.080 --> 00:13:49.480 Oh okay, so they're basically scoping out the place looking 307 00:13:49.519 --> 00:13:50.600 for potential victims. 308 00:13:50.679 --> 00:13:53.679 Exactly, and wire shirt it can help us detect these probes. 309 00:13:53.919 --> 00:13:56.759 We just look for those specific SMTP commands they use, 310 00:13:56.879 --> 00:14:00.679 like vrfy, EXPN and RCPC, you know, commands that are 311 00:14:00.679 --> 00:14:04.480 typically used to like verify email addresses or expand mailing lists. 312 00:14:04.559 --> 00:14:07.120 So it's like those footprints in the sand, right, revealing 313 00:14:07.159 --> 00:14:09.679 that someone's been snooping around where they shouldn't be. Okay, 314 00:14:09.759 --> 00:14:11.639 so what about those relay attacks you mentioned? 315 00:14:11.720 --> 00:14:15.759 Ah, yes, SMTP relay attacks. That's when they exploit a 316 00:14:15.799 --> 00:14:18.879 mail server to send out spam or malware. You know, 317 00:14:19.159 --> 00:14:21.919 they trick the server into relaying their messages so it 318 00:14:21.960 --> 00:14:24.200 looks like those messages are coming from a legit source. 319 00:14:24.840 --> 00:14:27.120 So like sending a letter with a fake return address, right, 320 00:14:27.519 --> 00:14:29.840 tricking people into thinking it's from someone they trust. 321 00:14:30.039 --> 00:14:34.200 Exactly, and wire shark it can help us spop these attext. 322 00:14:34.360 --> 00:14:37.720 We look for unusual sending patterns like a sudden increase 323 00:14:37.759 --> 00:14:41.679 in emails from a single IP address or mismatches between 324 00:14:41.679 --> 00:14:44.159 the sender's address and you know the actual source of 325 00:14:44.200 --> 00:14:44.679 the email. 326 00:14:44.840 --> 00:14:48.279 So whether it's spying, phishing, or spamming, wire Shark gives 327 00:14:48.360 --> 00:14:51.519 us the power to like break down those email conversations 328 00:14:51.559 --> 00:14:54.200 and see what's really going on. But what about malware? 329 00:14:54.440 --> 00:14:57.639 How can wire Shark help us fight against those malicious programs? 330 00:14:57.759 --> 00:15:00.840 Ah, malware, That's a great question, and that's exactly what 331 00:15:00.840 --> 00:15:01.960 we'll be diving into next. 332 00:15:02.279 --> 00:15:04.600 So let's talk about malware. I mean, it's basically the 333 00:15:04.840 --> 00:15:07.960 like the Boogeyman of the digital world, isn't it always 334 00:15:08.000 --> 00:15:10.399 lurking in the shadows waiting to, you know, pounce. 335 00:15:10.639 --> 00:15:13.200 Yeah, malware is a serious threat for sure, but you know, 336 00:15:13.200 --> 00:15:15.000 the more we learn about how it works, the better 337 00:15:15.000 --> 00:15:17.759 we can defend against it. That's where wire Shark comes in. 338 00:15:17.919 --> 00:15:20.480 It's like having a microscope, you know, for your network traffic. 339 00:15:20.519 --> 00:15:24.200 You can examine these these little malicious programs in detail, 340 00:15:24.720 --> 00:15:25.039 so we. 341 00:15:24.960 --> 00:15:28.679 Can actually see this malware like crawling around in our networks. 342 00:15:28.960 --> 00:15:31.120 That's kind of freaky but also pretty cool. What can 343 00:15:31.159 --> 00:15:35.480 wire shark tell us about like malware infections? 344 00:15:35.960 --> 00:15:38.279 Well, we can analyze the traffic pattern, see how the 345 00:15:38.360 --> 00:15:40.919 malware is communicating, you know, maybe with its command and 346 00:15:40.919 --> 00:15:44.559 control servers. We can see what files its downloading or uploading. 347 00:15:44.639 --> 00:15:47.519 We can even figure out which vulnerabilities it's exploiting. 348 00:15:48.080 --> 00:15:50.600 So it's like having a security camera that shows us 349 00:15:50.720 --> 00:15:53.440 not just the break in, but also what the burglar did, 350 00:15:53.519 --> 00:15:55.480 what they took everything exactly. 351 00:15:55.919 --> 00:15:58.399 And there's this really interesting case study in the book 352 00:15:58.440 --> 00:16:02.600 wire Shark Network Security. It's about the black Hole exploit kit, 353 00:16:03.039 --> 00:16:08.000 which was notorious for how effective it was at compromising systems. 354 00:16:08.039 --> 00:16:11.080 Sploit kits just the name sounds scary. What are they? Exactly? 355 00:16:11.240 --> 00:16:14.840 Imagine a toolkit for hackers, ready made with all sorts 356 00:16:14.879 --> 00:16:18.799 of exploits, you know, designed to target specific vulnerabilities, could 357 00:16:18.840 --> 00:16:22.399 be in software, web browsers, operating systems, you name it. 358 00:16:22.399 --> 00:16:24.960 It's like a master key that can unlock any door, 359 00:16:25.480 --> 00:16:26.279 but for hackers. 360 00:16:26.679 --> 00:16:28.759 So instead of having to create their own exploits, they 361 00:16:28.759 --> 00:16:30.720 can just buy one of these kits and start hacking. 362 00:16:31.080 --> 00:16:35.480 That's unsettling. So how does wire Shark help us deal 363 00:16:35.519 --> 00:16:36.759 with these exploit kits? 364 00:16:36.960 --> 00:16:39.679 Wire Shark was crucial in figuring out how black Hole 365 00:16:39.759 --> 00:16:42.000 worked and then you know, developing ways to stop it. 366 00:16:42.480 --> 00:16:45.200 By analyzing the network traffic, we can actually see the 367 00:16:45.279 --> 00:16:48.120 kit in action. We can see that exploit code being delivered, 368 00:16:48.440 --> 00:16:52.000 see which vulnerabilities are targeted, even see those malicious payloads 369 00:16:52.000 --> 00:16:52.679 being installed. 370 00:16:53.080 --> 00:16:55.600 Okay, so walk me through that analysis. What kind of 371 00:16:55.600 --> 00:16:57.000 clues did wire shark uncover. 372 00:16:57.320 --> 00:17:00.600 First we find the IP address of the infected you know, 373 00:17:00.679 --> 00:17:03.360 that's usually where the suspicious requests are coming from. Then 374 00:17:03.399 --> 00:17:07.079 we look for any any unusual port numbers. Malware often 375 00:17:07.160 --> 00:17:10.400 uses non standard ports to talk to its command and 376 00:17:10.400 --> 00:17:12.240 control server, so that's a big red flag. 377 00:17:12.400 --> 00:17:14.759 So like finding a secret door behind a bookshelf, Right, 378 00:17:15.200 --> 00:17:16.880 something's not quite right exactly. 379 00:17:17.599 --> 00:17:20.720 We also look for any signs that a website's been compromised. 380 00:17:21.240 --> 00:17:25.880 A lot of times malware infections start with visiting a 381 00:17:25.920 --> 00:17:29.200 website that's been hacked. You know, it's like walking into 382 00:17:29.359 --> 00:17:31.839 a store that looks normal, but it's actually a front 383 00:17:31.839 --> 00:17:32.680 for something shady. 384 00:17:33.000 --> 00:17:35.640 So it's all about noticing the things that don't add up. Yeah, 385 00:17:35.640 --> 00:17:38.720 those little inconsistencies in the network traffic exactly. 386 00:17:39.160 --> 00:17:42.039 And then of course there's the malware itself. With wireshark, 387 00:17:42.079 --> 00:17:44.480 we can pull those malicious files right out of the 388 00:17:44.519 --> 00:17:47.319 network traffic, so we can analyze them. It's like catching 389 00:17:47.319 --> 00:17:50.720 the burglar with the stolen goods, you know, solid evidence. 390 00:17:50.799 --> 00:17:52.599 And in this black hole case, what did you find? 391 00:17:52.960 --> 00:17:55.440 We found that Java exploit file, the one used in 392 00:17:55.480 --> 00:17:58.680 the initial attack, and we also found three different executable 393 00:17:58.680 --> 00:18:01.759 payloads that were downloaded and installed on the victims machine. 394 00:18:02.160 --> 00:18:05.039 Those payloads, they contain the actual malware that would carry 395 00:18:05.039 --> 00:18:08.279 out the attack, you know, steal data, spy on the user, 396 00:18:08.720 --> 00:18:09.799 launch other attacks. 397 00:18:10.000 --> 00:18:13.440 So wire sharks like a detective, gathering evidence, helping us 398 00:18:13.519 --> 00:18:17.039 understand the attacker's methods and the damage they've done. That's incredible. 399 00:18:17.160 --> 00:18:19.920 It is a powerful tool, and that information is crucial 400 00:18:20.039 --> 00:18:23.680 for you know, patching those vulnerabilities and preventing future attacks. 401 00:18:24.880 --> 00:18:27.839 Okay, now let's shift gears a bit. Let's talk about botnets. 402 00:18:27.880 --> 00:18:30.200 I always think of them as these like armies of 403 00:18:30.279 --> 00:18:31.759 zombie computers botnets. 404 00:18:31.839 --> 00:18:35.039 Yeah, yeah, sounds scary. Can you explain, like what they 405 00:18:35.079 --> 00:18:38.240 are exactly and how they use our computers against us. 406 00:18:38.960 --> 00:18:43.960 A botnet is a network of compromised computers called bots. 407 00:18:44.279 --> 00:18:47.039 They're all controlled remotely by an attacker, often without the 408 00:18:47.079 --> 00:18:51.039 owner even realizing it your computer basically becomes a zombie, 409 00:18:51.119 --> 00:18:53.880 you know, following orders from this malicious mastermind. 410 00:18:54.000 --> 00:18:56.440 That's a creepy thought. And you mentioned earlier that IRC 411 00:18:56.599 --> 00:18:59.000 is often used in these botnet operations, right right. 412 00:18:59.200 --> 00:19:03.680 IRC Internet Relay Chat. It's communication channel, and it's commonly 413 00:19:03.799 --> 00:19:05.839 used by botnets. It's like a back channel for the 414 00:19:05.880 --> 00:19:09.799 attacker to send commands to the bot army and receive 415 00:19:09.880 --> 00:19:12.440 data that's been stolen. So like a secret meeting place 416 00:19:12.440 --> 00:19:16.079 where the criminals hangout, plan their next move and swap 417 00:19:16.079 --> 00:19:16.759 stolen goods. 418 00:19:16.839 --> 00:19:19.960 A perfect analogy. And with wire Shark, we can listen 419 00:19:19.960 --> 00:19:23.799 in on those IRC conversations. We can see those commands, 420 00:19:23.880 --> 00:19:27.799 the stolen data, even identify the botmaster, the one in control. 421 00:19:28.039 --> 00:19:29.920 Wait, so we can actually find out who these cyber 422 00:19:29.960 --> 00:19:31.920 criminals are, where they're located. 423 00:19:32.319 --> 00:19:35.000 Potentially, Yes, we can see what kind of attacks the 424 00:19:35.039 --> 00:19:38.240 botnet is launching, what they're stealing, who they're targeting, even 425 00:19:38.880 --> 00:19:41.599 maybe even the geographical location of the botmaster. This is 426 00:19:41.640 --> 00:19:46.440 super valuable information for law enforcement and security researchers, you know, 427 00:19:46.599 --> 00:19:49.480 those trying to take down these botnets and catch the criminals. 428 00:19:49.680 --> 00:19:52.359 It's like having a spy on the inside, giving US 429 00:19:52.400 --> 00:19:54.079 intel on the enemy. That's amazing. 430 00:19:54.279 --> 00:19:56.720 And with wire Shark, we can also analyze the botnets, 431 00:19:56.759 --> 00:19:59.920 traffic patterns, see which machines are infected, see how they 432 00:20:00.039 --> 00:20:02.440 talk to each other into those command and control servers. 433 00:20:02.640 --> 00:20:03.960 It's fascinating stuff. 434 00:20:04.039 --> 00:20:06.559 So it's not just about catching the bad guys, it's 435 00:20:06.599 --> 00:20:09.359 about understanding how they operate so we can disrupt. 436 00:20:09.000 --> 00:20:11.759 Them, stop them exactly. And this brings up a really 437 00:20:11.799 --> 00:20:14.880 important point. You know, we've been talking about security threats, 438 00:20:15.319 --> 00:20:18.759 but wire Shark isn't just for cybersecurity experts. It's also 439 00:20:18.880 --> 00:20:23.599 really useful for troubleshooting those everyday network performance issues. You know, 440 00:20:23.680 --> 00:20:26.000 things like can be just as frustrating as a cyber attech. 441 00:20:26.079 --> 00:20:29.119 Oh yeah, totally. So like wire Shark can help me 442 00:20:29.160 --> 00:20:33.119 figure out why my internet slow, why downloads take forever, 443 00:20:33.440 --> 00:20:35.240 why my video calls keep dropping. 444 00:20:35.359 --> 00:20:39.240 Absolutely, it can pinpoint those bottlenecks, see if you're losing packets, 445 00:20:39.359 --> 00:20:42.880 analyze those latency issues, diagnose all sorts of problems that 446 00:20:42.920 --> 00:20:45.599 slow things down. It's like having a diagnostic tool for 447 00:20:45.640 --> 00:20:46.640 your network. 448 00:20:46.319 --> 00:20:49.319 Like a mechanic for my network. I like that. So 449 00:20:49.400 --> 00:20:51.799 the book mentioned some real world examples of this. 450 00:20:51.839 --> 00:20:54.920 Right, it does there's one about slow Internet speeds caused 451 00:20:54.960 --> 00:20:58.720 by too much bit torrent traffic, and another one about 452 00:20:58.759 --> 00:21:01.720 sluggish downloads because because of some misconfigured devices. 453 00:21:01.920 --> 00:21:03.960 So wire Shark's kind of like a Swiss army knife 454 00:21:03.960 --> 00:21:06.319 for network analysis. You can help us with all kinds 455 00:21:06.359 --> 00:21:07.480 of problems, big or small. 456 00:21:07.680 --> 00:21:10.720 I like that analogy, and you know, the key takeaway 457 00:21:10.720 --> 00:21:13.599 here is that anyone can use wire shark, no matter 458 00:21:13.640 --> 00:21:17.599 their technical skill level. Whether you're a network admin, security pro, 459 00:21:17.759 --> 00:21:20.599 or just someone curious about how their network works. Wire 460 00:21:20.640 --> 00:21:24.200 Shark gives you the power to analyze traffic, diagnose problems, 461 00:21:24.359 --> 00:21:26.680 and make your network more secure and reliable. 462 00:21:27.119 --> 00:21:29.880 It's like having a superpower, you know, being able to 463 00:21:29.920 --> 00:21:32.960 see what's normally invisible, to understand all that digital chatter 464 00:21:33.000 --> 00:21:35.960 going on around us, and with that knowledge we can 465 00:21:36.000 --> 00:21:39.039 protect ourselves and our networks. We're not just sitting ducks. 466 00:21:38.880 --> 00:21:43.039 Anymore, well said. I encourage everyone to check out wire Shark. 467 00:21:43.200 --> 00:21:47.920 The official website's got tons of resources like sample capture files, tutorials, 468 00:21:48.160 --> 00:21:51.000 even a community forum where you can connect with other users. 469 00:21:51.039 --> 00:21:53.599 Who knows you might just discover some mysteries lurking in 470 00:21:53.640 --> 00:21:56.599 your own network traffic. Wire Shark gives you the key 471 00:21:56.759 --> 00:21:59.960 to unlock those secrets. Well that's about it for our 472 00:22:00.119 --> 00:22:02.519 deep dive into the world of wire Shark. Thanks for 473 00:22:02.599 --> 00:22:05.920 joining us, and until next time, stay curious, stay safe, 474 00:22:06.119 --> 00:22:07.240 and happy networking.