Kali-Lab 02: Packet Sniffing
In this lab, you will learn how to use Wireshark to sniff packets and then analyze network protocols through its graphical user interface.
- Wireshark documentation, including user manual and videos, https://wireshark.org/docs/
- How to Use Wireshark to Capture, Filter and Inspect Packets
For this lab, you will need the following systems running in your virtual machine program.
- Kali Linux
- Metasploitable 2
We will run Wireshark on the Kali Linux Virtual Machine.
Exp #2.1 Basic Packet Sniffing with Wireshark
- Launch the virtual machine program (VMware or VirtualBox), then boot up the Kali Linux VM. Do not boot the Metasploitable VM yet.
- Start Wireshark from the Applications menu under the 09-Sniffing & Spoofing folder, or by opening a terminal and typing . Wireshark may show some warning dialogs; just click Past. Then maximize the Wireshark window.
- In the Wireshark GUI, select the eth0 network interface from the interface list. If no interfaces are listed in Wireshark, you may have made a mistake in the network setup. Double-check the network settings in the virtual machine program.
- Click on Start under the Capture menu to start sniffing the network.
- Let Wireshark collect packets for 3 (or more) minutes, enough time to get at least 20 packets, then go to the Capture menu and select Stop.
- The packets are listed one per line in the top pane of the Wireshark GUI, with the following columns of packet information:
  - No: shows the packet number.
  - Time: shows the time elapsed since packet sniffing began.
  - Source and Destination: show the source and destination MAC or IP address, depending on the type of protocol.
  - Protocol: shows the protocol of each packet.
  - Length: shows the packet size.
  - Info: provides a brief description of the meaning of the packet.
- Which protocols do you see in your captured packets? List all of them.
- Which IP addresses (source and destination) do you see in the captured packets?
- Enter in the entry box in the to tell Wireshark to show only ARP packets in the top pane. Which addresses are being looked up in the ARP packets?
- In the Capture menu, click on Restart to clear the list of packets and begin capturing again.
Look up your Metasploitable 2 VM's IP and MAC addresses, then boot that VM.
Watch for packets from the Metasploitable VM's IP or MAC address in Wireshark as Metasploitable2 boots. When a machine boots, it will send packets using one or more network protocols to provide information about itself to servers or to obtain information. DHCP is an example of a protocol used at boot time.
- List each protocol received and the information revealed or obtained by that protocol from the Metasploitable VM below:
Exp #2.2 Sniffing an HTTP Connection
- Start a web browser on the Kali Linux VM, open a new tab, and close the homepage tab. In the Wireshark GUI, click Start in the Capture menu. Enter as your filter in the Filter toolbar. Type in the browser's location bar to load the AirSupplyLab home page, which creates a number of HTTP requests. Once the home page has loaded, stop capturing packets.
- Open a terminal and enter to find the IP address of the Kali Linux VM. Record the IP address here:
To limit Wireshark's display to only packets sent or received by your Kali Linux VM, you can type an expression in the Filter text entry area. Type in the Filter text entry area to show only packets to or from your Kali Linux VM. If needed, you can further limit the display of packets by protocol by adding a logical AND operation followed by a protocol specifier, e.g. , after the IP address specifier.
- Enter in the Filter text entry area (change the IP address to your Kali Linux IP address). How many HTTP-GET requests (not packets) do you observe from starting your browser? Write the number, then right-click on the first HTTP-GET request packet, select Copy ➤ Summary as Text, and paste it in the box below:
- Number of HTTP-GET requests:
- Select one of the HTTP-GET requests, then go to the Packet Details (middle) pane and click on Hypertext Transfer Protocol to view the HTTP request headers. What version of your web browser is running on your system (User-Agent)? Write the browser version and the list of compatible browser versions contained in the header in the box below.
- Wireshark can extract files from captured packets and save them for further examination. To do this, go to the File menu, select the Export Objects submenu, and select HTTP from there. Select a JPEG image file that you want to examine, then save it under the /home/kali directory.
- Minimize Wireshark and verify that you can view the image with the eog application. If your system does not have eog, you can enter the command to install it. Compute the SHA-256 checksum for the file and paste it into the box below.
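As an added illustration that is not part of the lab handout, the following Python script applies the same two-part display filter used above (an ip.addr clause AND an HTTP GET clause) to a handful of constructed Ethernet frames, and pulls out the User-Agent header the way the Packet Details pane shows it. KALI_IP, PEER_IP, the MAC addresses and the frame contents are all assumed sample values, so you can see why an HTTP reply or another host's GET does not count toward the HTTP-GET total.

```python
import struct
from ipaddress import IPv4Address

KALI_IP = "192.168.56.101"  # assumed Kali VM address (constructed)
PEER_IP = "203.0.113.10"    # assumed web server address (constructed, TEST-NET-3)

def build_frame(src_ip, dst_ip, payload, sport=40000, dport=80):
    """Minimal Ethernet/IPv4/TCP test frame; checksums stay zero, it is only parsed."""
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src, dst, tcp_payload) for IPv4/TCP, else None (ARP etc. fall out here)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # EtherType not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
    src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4           # TCP header length in bytes
    return src, dst, frame[tcp_off + data_off:]

def http_get_requests(frames, host_ip):
    """Apply 'ip.addr == host_ip && http.request.method == GET'; return (summary, UA) pairs."""
    results = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, data = parsed
        if host_ip not in (src, dst) or not data.startswith(b"GET "):
            continue                                    # wrong host, or not a GET request
        headers = data.split(b"\r\n")
        ua = next((h.split(b":", 1)[1].strip().decode() for h in headers
                   if h.lower().startswith(b"user-agent:")), None)
        results.append((f"{src} -> {dst} {headers[0].decode()}", ua))
    return results

# Constructed capture: an ARP request, a GET from Kali, its 200 OK reply, a GET from another host.
GET_REQ = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n")
FRAMES = [
    b"\xff" * 6 + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x06" + b"\x00" * 28,
    build_frame(KALI_IP, PEER_IP, GET_REQ),
    build_frame(PEER_IP, KALI_IP, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", 80, 40000),
    build_frame("10.0.0.9", PEER_IP, GET_REQ),
]
print(*http_get_requests(FRAMES, KALI_IP), sep="\n")
```

Only one of the four frames survives both clauses, which mirrors the "requests, not packets" distinction the lab asks you to make.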