the data you have captured. One such view is the protocol hierarchy, as you can see in Figure 2-7.
Figure 2-7. Protocol hierarchy in Wireshark
The protocol hierarchy view is good for, among other things, quickly identifying protocols that you don’t recognize. It also helps you to determine which protocols are the most used. If you believe, for instance, that you are using a lot of UDP-based attacks, but UDP is a small fraction of the total number of messages sent, you may want to do some further investigation.
Wireshark comes installed out of the box, so to speak, with Kali Linux. However, it can also be installed on other operating systems such as Windows and macOS as well as other Linux distributions. I can’t emphasize enough the value of this particular tool and the amount of work it can save after you get the hang of using it. Being able to completely decode application layer protocols so it can give you a little summary of what is happening with the application can be invaluable.
Poisoning Attacks
One of the challenges we have is that most networks are switched. The device you are connecting to sends messages only to the network port where your recipient is located. In the old days, we used hubs. Whereas a switch is a unicast device, a hub is a broadcast device. Any message that came into a hub was sent out to all other ports in the hub, letting the endpoints figure out who the frame belonged to, based on the MAC address. There was no intelligence in the hub at all. It was simply a repeater.
68 | Chapter 2: Network Security Testing Basics
A switch changes all that. The switch reads the layer 2 header to determine the destination MAC address. It knows the port where the system that owns that MAC address is. It determines this by watching traffic coming into each port. The source MAC address gets attached to the port. The switch will commonly store these mappings in content addressable memory (CAM). Rather than having to scan through an entire table, the switch looks up the details by referring directly to the MAC address. The MAC address is the content that serves as the address the switch refers to in order to get the port information.
Why is this relevant here? Because you will sometimes want to collect information from a system that you don’t have access to. If you owned the network and had access to the switch, you may be able to configure the switch to forward traffic from one or more ports to another port. This would be a mirror, rather than a redirection. The recipient gets the traffic, but also a monitoring device or someone capturing traffic for analysis would get the packets.
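The learning, CAM lookup, flooding and port-mirror behaviour described above, as an added toy model that is not from the book (the port numbers, MAC addresses and frame sequence are constructed; real switches add ageing timers, VLANs and hardware CAM, which this model omits). It also records when a known MAC suddenly shows up on a different port, which is what a monitoring system would watch for.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model of a switch's CAM table (MAC -> port) and its forwarding decision."""

    def __init__(self, ports, mirror=None):
        self.ports = list(ports)
        self.cam = {}                      # learned source MAC -> ingress port
        self.mirror = dict(mirror or {})   # monitored port -> port that gets a copy
        self.mac_moves = []                # (mac, old_port, new_port), for review

    def forward(self, ingress_port, src_mac, dst_mac):
        # Learning step: the source MAC is bound to the port the frame came in on.
        prev = self.cam.get(src_mac)
        if prev is not None and prev != ingress_port:
            self.mac_moves.append((src_mac, prev, ingress_port))
        self.cam[src_mac] = ingress_port
        # Forwarding step: known unicast goes to one port; unknown or broadcast floods,
        # which is exactly the hub behaviour the text describes.
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            egress = [p for p in self.ports if p != ingress_port]
        else:
            egress = [self.cam[dst_mac]]
        # Port mirroring: the monitor port gets a copy, the recipient still gets the frame.
        monitor = self.mirror.get(ingress_port)
        if monitor is not None and monitor != ingress_port and monitor not in egress:
            egress.append(monitor)
        return egress

class Hub:
    """A hub repeats every frame to every other port; there is no table at all."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, ingress_port, src_mac, dst_mac):
        return [p for p in self.ports if p != ingress_port]

def demo():
    """Constructed frames (ingress port, src MAC, dst MAC); returns egress lists and the switch."""
    frames = [
        (1, "02:00:00:00:00:01", "02:00:00:00:00:02"),  # dst unknown yet -> flood
        (2, "02:00:00:00:00:02", "02:00:00:00:00:01"),  # dst learned -> port 1 only
        (1, "02:00:00:00:00:01", "02:00:00:00:00:02"),  # both known -> port 2, plus mirror
        (3, "02:00:00:00:00:01", "02:00:00:00:00:02"),  # MAC ...01 now seen on port 3
    ]
    sw = LearningSwitch(ports=[1, 2, 3, 4], mirror={1: 4})  # port 4 monitors port 1
    return [sw.forward(*f) for f in frames], sw

if __name__ == "__main__":
    decisions, sw = demo()
    print(decisions, sw.cam, sw.mac_moves)
```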
To obtain the messages you need if you can’t get legitimate access to them, you can use a spoofing attack. In a spoofing attack, you pretend to be someone you are not in order to get traffic. There are a couple of ways to do that, and we’ll take a look at these different attacks.