
================================================================
WIRESHARK:
================================================================

Let's look at two examples in Wireshark: an unencrypted Netcat bind shell and an encrypted Ncat bind shell.

-----------------------------------------------------
NOTE: if Wireshark shows "Lua: Error during loading" at startup
(this happens when it is run as root, which is the usual case on Kali),
disable Lua in the init.lua file:
/usr/share/wireshark/init.lua

disable_lua = true

Alternatively, run Wireshark as an unprivileged user.
-----------------------------------------------------

First we start Wireshark on the Kali machine and choose to capture traffic from the Lab VPN interface, which is tap0 in this example.

CAPTURE --> OPTIONS --> select tap0

To filter out unwanted traffic we will set a capture filter, so that Wireshark only records the packets we care about.

When selecting the interface we can apply the filter at the bottom of the same screen. We want to capture traffic to and from the Windows 7 lab machine on TCP port 4444.

The syntax for this will be:
****CAPTURE FILTER: host 10.11.25.139 and tcp port 4444

Capture filters use BPF syntax. If you have already captured everything, the equivalent display filter (applied after the fact, using Wireshark's own syntax) is:
****DISPLAY FILTER: ip.addr == 10.11.25.139 && tcp.port == 4444

Now we recreate the bind shell scenario.

In a bind shell the listener provides the shell to whoever connects. In this case the listener is set up on the Windows machine to hand out a Windows command prompt on connection:
C:\>nc -lvp 4444 -e cmd.exe

We then connect to it from Kali:
#nc -nv 10.11.25.139 4444

When we go back to Wireshark and follow the TCP stream (right-click a packet of the conversation --> Follow TCP Stream), we see that every command typed and its output are readily visible in cleartext.

Let's now try the same with an encrypted Ncat shell.

First we need to restart the capture in Wireshark.

On the Windows machine we now set up the encrypted Ncat listener, again providing a Windows shell on connection (a bind shell):
C:\>ncat -lvp 4444 -e cmd.exe --ssl

On the Kali machine we use Ncat to connect over SSL:
#ncat -nv 10.11.25.139 4444 --ssl

This time when we look at the traffic, following the stream shows only the TLS handshake followed by Application Data records; the commands and their output cannot be read from the capture.

Note that this only defeats passive sniffing. With --ssl alone, the Ncat listener generates a temporary self-signed certificate and the client does not verify it, so an attacker who can intercept the connection can still sit in the middle. If that matters, give the listener a fixed certificate with --ssl-cert and --ssl-key, and make the client check it with --ssl-verify and --ssl-trustfile.
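The following is an added example, not code from the page or from Wireshark. It reproduces offline what the two experiments above show in the GUI: it builds two small pcap files in memory (constructed packets, not real captures), applies the equivalent of the capture filter host 10.11.25.139 and tcp port 4444, and then does what Follow TCP Stream does, reassembling the payload in each direction and reporting whether the conversation is cleartext (nc) or TLS records (ncat --ssl). The Windows address is the one used on the page; the Kali address 10.11.0.4 and all packet contents are assumptions made up for the example, and the TLS handshake bodies are filler with only the record headers realistic.

```python
"""Added example: capture filter + Follow TCP Stream over constructed pcaps."""
import struct

WIN = "10.11.25.139"   # Windows 7 bind-shell host (from the page)
KALI = "10.11.0.4"     # assumed Kali address (not given on the page)
PORT = 4444


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_pcap(packets):
    """packets: list of (src_ip, sport, dst_ip, dport, payload).
    Writes a classic pcap (link type 1 = Ethernet) of PSH/ACK TCP segments.
    Checksums are left zero: Wireshark would flag them, this parser ignores them."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000 + i, 2000 + i,
                          5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         i, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
        frame = bytes(12) + b"\x08\x00" + ip + tcp + payload
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/TCP frame."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "classic little-endian pcap only"
    off = 24
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                             # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def capture_filter(pkts, host, port):
    """Equivalent of the BPF capture filter 'host <host> and tcp port <port>'."""
    return [p for p in pkts if host in (p[0], p[2]) and port in (p[1], p[3])]


def looks_like_tls(payload):
    """TLS record header: content type 20-23 (CCS/Alert/Handshake/AppData), version 3.x."""
    return (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 3 and payload[2] <= 4)


def follow_stream(pkts, host, port):
    """What Follow TCP Stream shows: bytes per direction, plus a cleartext/TLS verdict."""
    to_shell, from_shell = b"", b""
    for src, sport, dst, dport, payload in pkts:
        if dst == host and dport == port:
            to_shell += payload
        else:
            from_shell += payload
    payloads = [p[4] for p in pkts if p[4]]
    return {"packets": len(pkts),
            "encrypted": bool(payloads) and all(map(looks_like_tls, payloads)),
            "to_shell": to_shell, "from_shell": from_shell}


def summarize(pcap_bytes, host=WIN, port=PORT):
    return follow_stream(capture_filter(parse_pcap(pcap_bytes), host, port), host, port)


def tls_record(content_type, body):
    return bytes([content_type, 3, 3]) + len(body).to_bytes(2, "big") + body


# Constructed capture 1: plain nc bind shell, plus one unrelated HTTP packet
# that the capture filter must drop.
NC_CAPTURE = build_pcap([
    (WIN, PORT, KALI, 41234, b"Microsoft Windows [Version 6.1.7601]\r\nC:\\Users\\offsec>"),
    (KALI, 41234, WIN, PORT, b"whoami\r\n"),
    (WIN, PORT, KALI, 41234, b"win7-lab\\offsec\r\nC:\\Users\\offsec>"),
    (KALI, 55555, "10.11.1.1", 80, b"GET / HTTP/1.0\r\n\r\n"),
])

# Constructed capture 2: the same session over ncat --ssl. Handshake bodies are filler.
SSL_CAPTURE = build_pcap([
    (KALI, 41236, WIN, PORT, tls_record(0x16, b"\x01\x00\x00\x26\x03\x03" + bytes(38))),
    (WIN, PORT, KALI, 41236, tls_record(0x16, b"\x02\x00\x00\x26\x03\x03" + bytes(38))),
    (KALI, 41236, WIN, PORT, tls_record(0x17, bytes(range(24)))),
    (WIN, PORT, KALI, 41236, tls_record(0x17, bytes(range(48)))),
])

if __name__ == "__main__":
    for name, cap in (("nc", NC_CAPTURE), ("ncat --ssl", SSL_CAPTURE)):
        r = summarize(cap)
        print(f"{name}: {r['packets']} packets, encrypted={r['encrypted']}")
        print("  client -> shell:", r["to_shell"][:40])
        print("  shell -> client:", r["from_shell"][:40])
```

Running it prints the "whoami" command and the username for the nc capture, and only TLS record bytes for the ncat --ssl capture. The TLS check is deliberately a heuristic on record headers, which is also what Wireshark's heuristic dissector keys on when the port is not 443; it says nothing about who holds the keys, which is why the --ssl-verify caveat above still applies.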