HTTP Packet

Sniffing
Using Wireshark and Ettercap

Cyber Forensics Project

Sep 2017

CYBER FORENSICS PROJECT !1

HTTP Packet Sniffing 1
About 3
Features 3
Abstract 4
Fundamentals 4
Tutorial 5
Installation Procedure - Wireshark 5
Installation Procedure - Ettercap 6
Lets Dive into hacking 6
To Avoid this attack 8
References 8

CYBER FORENSICS PROJECT !2

 Open Source Packet Analyser
About
Wireshark is a free and open source packet analyser. Used for network
troubleshooting, analysis, software and communications
protocol development, and education. Originally named ethereal, the
project was renamed Wireshark in may 2006 due to trademark issues.
Wireshark is cross-platform, using the qt widget toolkit in current releases to
implement its user interface, and using pcap to capture packets. It runs on
Linux, macOS, BSD, Solaris, some other UNIX-like operating systems, and
Microsoft windows.

Features
Wireshark is a data capturing program that "understands" the structure of
different networking protocols. It can parse and display the fields, along
with their meanings as specified by different networking protocols.
Wireshark uses pcap to capture packets, so it can only capture packets on
the types of networks that pcap supports.
Data can be captured "from the wire" from a live network connection or
read from a file of already-captured packets.
Live data can be read from different types of networks, including
Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal
(command line) version of the utility, TShark.
Captured files can be programmatically edited or converted via
command-line switches to the "edit-cap" program.
VoIP calls in the captured traffic can be detected. If encoded in a
compatible encoding, the media flow can even be played.
Raw USB traffic can be captured.

CYBER FORENSICS PROJECT !3

 Wireless connections can also be filtered as long as they traverse the
monitored Ethernet.
Wireshark's native network trace file format is the libpcap format
supported by libpcap and WinPcap, so it can exchange captured network
traces with other applications that use the same format, including
tcpdump and CA NetMaster. It can also read captures from other network
analysers, such as snoop, Network General's Sniffer, and Microsoft
Network Monitor.

Abstract
Many sites are switching from http to https and this project is aimed to
portrait the need for https. This project uses the vulnerability in http as it
transfers plain text over the internet. ARP spoofing is done prior to the
attack and all the victim packets are made to transfer through the attacking
machine. Then a packet capture tool such as Wireshark is used to read the
data sent through the network. This project mainly focuses on getting
Victims password when logging in over a http connection.

Fundamentals
HTTP
HTTP works by request and response mechanism. The client which
needs data, sends HTTP request message and the server responds with a
response message. Mainly HTTP requests are of GET and POST types
(Other types are beyond the scope of this tutorial). GET request is sent to
server to retrieve the specified object. POST request is used to send data
such as form entries(even your card details) to server.
ARP
Address resolution protocol is used by your switch to translate IP
address to MAC address. The arriving packet will have your IP address and
the switch you are connected to will have the ARP tables mapping your IP

CYBER FORENSICS PROJECT !4

address to MAC address. This much understanding of ARP is enough for
the hack.

Tutorial

Man in the MiddleAttack

We are going to perform the Man in the Middle attack. Once we are
connected in the same network as of the victim, we fool the switch that we
are the victim and the victim that we are the switch. So, the switch will send
all the victims packets to us and the victim will send all the outgoing
packets to us thinking that were the switch and we simply keep forwarding
the traffic.
Now all the victims traffic will be going through us. Next is to grab a
packet sniffing tool and read the packets transferred via us to get the
victims details.
This nice tool calledEttercap does all the above work for us. Its
available for Linux and Mac. Get it installed through apt, yum or brew on
corresponding platforms.
Connect to the same network as of victim to perform the attack.

Installation Procedure - Wireshark

Step 1 : Add the official PPA, go to terminal by pressingctrl+alt+t
sudo add-apt-repository ppa:wireshark-dev/stable
Step 2 : update the repository
sudo apt-get update
Step 3 : install wireshark 2.0
sudo apt-get install wireshark
Step 4 : run wireshark
sudo wireshark
If you get a errorcouldn't run /usr/bin/dumpcap in child process:
Permission Denied. go to the terminal again and

CYBER FORENSICS PROJECT !5

 sudo dpkg-reconfigure wireshark-common
SayYESto the message box.This adds a wireshark group.Then add
user to the group by typing
sudo adduser $USER wireshark
Then restart your machine and open wireshark.

Installation Procedure - Ettercap

For installing ettercap-graphical, use the command :
sudo apt-get install ettercap-graphical

Lets Dive into hacking

Step 1Find the local IP address of yourvictim

Run the below command to find all the hosts in your network. All the
IP addresses and their corresponding MAC address in your network will be
shown. If not your victim is found try pinging the broadcast address before
the command. The output of the command on my network is on the image
below.batman-pcis the victim and the IP address is 192.168.43.133
arp -a

arp commandoutput

Step 2Get in themiddle

Now its time to call ettercap for the dirty job. Followthisto get to
know the ettercap command basics. The command to fool the ARP is

sudo ettercap -T -M ARP /192.168.43.133///

CYBER FORENSICS PROJECT !6

T is for Text GUI mode. -M is for Man in the middle and replace the IP
address with that of your victim. Now ettercap will do all the magic and the
victims packet will be moving through you. Ettercap will log all the packets
in the terminal. Its nasty and you cannot find your required data.

Step 3Call Wireshark forrescue

InstallWireshark, the cool packet sniffer. open Wireshark and select
the interface youre using. Im on WiFi, selecting WiFi shows all the packets
going through the interface. Still it would be difficult to find the needed
data. Apply filterhttp.request.method==POSTas shown in the
image to view only POST data. Remember client sends data through
POST to server. Login to that website from the other machine and you can
see the packet getting captured in Wireshark.

To inspect the packet right click and select Follow->HTTP

stream. The HTTP message can be read and the credentials can be found
there.

CYBER FORENSICS PROJECT !7

Email and Password entered in the site is displayed in the message body.

To Avoid this attack

HTTPS needs to be ensured before submitting critical data to the
website.
For, web administrators HTTPS needs to be implemented strictly for
the safety of users data.

References
1. Wireshark Official site: https://www.wireshark.org/
2. Ettercap Official sie: https://ettercap.github.io/ettercap/
3. Blog post on this tutorial: https://medium.com/@realramkumar/how-
to-hack-http-57b5dc69590f

CYBER FORENSICS PROJECT !8