1
00:00:01,110 --> 00:00:06,540
In this lecture we're going to talk about a tool called Wireshark. Wireshark is a network protocol
2
00:00:06,570 --> 00:00:07,550
analyzer.
3
00:00:07,740 --> 00:00:14,060
It's not designed for hackers and it's not designed for hacking and spying on other people on the network.
4
00:00:14,100 --> 00:00:19,110
It's designed for network administrators so that they can see what's happening in their network and
5
00:00:19,110 --> 00:00:24,270
make sure that everything is working properly and that nobody is doing anything bad or doing anything
6
00:00:24,270 --> 00:00:31,500
suspicious on the network. The way that Wireshark works is it allows you to select an interface and
7
00:00:31,500 --> 00:00:36,870
then logs all the packets or all the traffic that flows through that interface.
8
00:00:36,900 --> 00:00:39,760
So you're selecting an interface it could be a wireless card.
9
00:00:39,840 --> 00:00:45,990
It could be a wired card on your current computer, and then it'll start logging all the information
10
00:00:46,080 --> 00:00:48,720
that flows through that interface.
11
00:00:48,720 --> 00:00:54,570
It also has a really nice graphical interface that allows you to analyze this traffic.
12
00:00:54,570 --> 00:01:00,720
So it allows you to filter these packets based on the protocol used in them, like HTTP, TCP and all that,
13
00:01:01,060 --> 00:01:05,820
but also allows you to look for certain things, for example if you're looking for cookies or if you're
14
00:01:05,820 --> 00:01:08,190
looking for POST or GET requests.
15
00:01:08,430 --> 00:01:14,520
And it also allows you to search through these packets; you can search through the information
16
00:01:14,550 --> 00:01:17,930
that's stored in the packets and find the things that you're looking for.
17
00:01:17,970 --> 00:01:21,570
It's a really really big tool and you need a whole course for it.
18
00:01:21,570 --> 00:01:26,640
So in this course we're actually gonna use it in a few lectures just covering the basics or the things
19
00:01:26,670 --> 00:01:35,280
that are related to us. So the main idea here is Wireshark is not a hacking tool; it only allows you to
20
00:01:35,280 --> 00:01:43,290
capture the traffic that flows through your own computer, through your own interface. I'm going to use
21
00:01:43,290 --> 00:01:45,300
it now and it's going to become more clear to you.
22
00:01:45,300 --> 00:01:48,570
So I'm just gonna go to Kali and we're going to start Wireshark.
23
00:01:48,570 --> 00:01:54,360
You can run Wireshark from the command prompt or you can just go on all applications and type wireshark
24
00:01:54,630 --> 00:02:00,340
and it'll show up right here. I'm going to click that and that's going to load the program for me.
25
00:02:00,340 --> 00:02:01,750
This is just the normal error.
26
00:02:01,750 --> 00:02:09,030
Just ignore this error, and this is the main interface of Wireshark.
27
00:02:09,110 --> 00:02:15,860
So first of all you can actually just go to the file and go to the open and in here it'll allow you
28
00:02:15,860 --> 00:02:22,030
to open a file that you've already captured. So for example, if you captured packets using a different
29
00:02:22,040 --> 00:02:28,460
sniffer, using airodump or using MITMf or using tshark, which is the command prompt
30
00:02:28,490 --> 00:02:30,200
part of Wireshark.
31
00:02:30,200 --> 00:02:35,390
So if you captured packets using any of these programs and you stored it in a file, you can just come
32
00:02:35,390 --> 00:02:38,150
in here open it and start analyzing that file.
33
00:02:38,150 --> 00:02:43,730
This is really handy because sometimes you don't really want to analyze the traffic on the fly so sometimes
34
00:02:43,730 --> 00:02:48,520
you just want to capture it. Sometimes you capture it from a small laptop, or you're capturing
35
00:02:48,530 --> 00:02:53,540
it from your phone and you're not even at home, you're somewhere else doing your pen test, and then
36
00:02:53,540 --> 00:02:58,490
you go back home and then you want to analyze what you captured. Then you can store that in a file
37
00:02:58,670 --> 00:03:04,870
and then just come here go to the file open and open the file that you want to analyze.
38
00:03:04,880 --> 00:03:10,310
So what I want to show you here is the idea that Wireshark is not a hacking tool. It's not going to
39
00:03:10,310 --> 00:03:13,160
capture things happening in another device.
40
00:03:13,160 --> 00:03:18,200
It will only capture things that flow through your own interface.
41
00:03:18,230 --> 00:03:22,700
So right here we can see that we have all the interfaces in my computer, so we can see that we have eth0,
42
00:03:22,700 --> 00:03:29,060
we have any, which is just any, and we have all the other ones; some of them are created by virtual
43
00:03:29,060 --> 00:03:29,810
box.
44
00:03:29,810 --> 00:03:36,910
So the main one here is eth0, which is the virtual interface connected to my NAT network, and you can
45
00:03:36,910 --> 00:03:42,340
see that there is no traffic flowing through this so you can see that this is constant and nothing's
46
00:03:42,340 --> 00:03:43,720
happening.
47
00:03:43,790 --> 00:03:48,860
So what I'm going to do now is I'm just gonna make this a little bit smaller and I'm going to open my
48
00:03:48,860 --> 00:03:54,410
browser here and I'm just gonna go to a normal website. I'm just gonna go to google.com.
49
00:03:57,380 --> 00:04:03,050
Now as you can see right here, you can see the traffic in eth0 is spiking up, so there was some
50
00:04:03,050 --> 00:04:05,680
traffic generated through eth0.
51
00:04:05,770 --> 00:04:12,780
So if we're sniffing on this, we'll be able to capture these packets that were sent over eth0.
52
00:04:12,890 --> 00:04:17,590
Now what I'm gonna do is I'm gonna go to my Windows machine just to prove that point, and I'm going
53
00:04:17,590 --> 00:04:23,330
to browse the website here and you'll see that eth0 will not be affected, and the traffic that's generated
54
00:04:23,360 --> 00:04:28,520
on this Windows machine, which is in the same network as the Kali machine, will not be captured
55
00:04:28,520 --> 00:04:29,390
by the Kali machine.
56
00:04:29,390 --> 00:04:36,660
So if I just go to Google again here, you'll see that nothing happened in eth0.
57
00:04:36,860 --> 00:04:39,410
So there is no traffic flowing through this.
58
00:04:39,410 --> 00:04:40,590
It's still constant.
59
00:04:40,790 --> 00:04:46,770
And we can only capture packets that go through eth0.
60
00:04:47,140 --> 00:04:51,570
So now you'll probably ask, then why is Wireshark so useful? Why are we even talking about it?
61
00:04:51,570 --> 00:04:56,840
If we can only see things that go through our own computer, why are we talking about it?
62
00:04:56,860 --> 00:05:02,260
Well we're talking about it because we see there is a large number of ways that you can become the man
63
00:05:02,260 --> 00:05:03,460
in the middle.
64
00:05:03,520 --> 00:05:06,560
We learned how to do this using ARP spoofing.
65
00:05:06,560 --> 00:05:14,330
And in future lectures I'm gonna show you how to do it by creating a fake access point. So when we are
66
00:05:14,330 --> 00:05:15,410
the man in the middle,
67
00:05:15,650 --> 00:05:20,330
if we start sniffing on the interface that's used to become the man in the middle,
68
00:05:20,330 --> 00:05:26,510
we'll be able to capture all the traffic generated by the people that we're targeting in our man in
69
00:05:26,510 --> 00:05:27,320
the middle attack.
70
00:05:27,710 --> 00:05:34,580
So if you started the fake access point, you can start sniffing on the interface that's broadcasting
71
00:05:34,580 --> 00:05:38,270
the signal and you can capture all the packets sent or received
72
00:05:38,270 --> 00:05:45,740
to anyone who's connected to that fake access point. If you became the man in the middle using ARP
73
00:05:45,740 --> 00:05:53,010
spoofing, then just select the interface that you used when you launched your ARP spoofing attack.
74
00:05:54,270 --> 00:05:58,920
So for now I'm going to become the man in the middle using ARP spoofing.
75
00:05:58,920 --> 00:06:05,190
You can use arpspoof or bettercap, as I showed you earlier, but I'm going to use bettercap using the
76
00:06:05,190 --> 00:06:07,950
exact same command that we used to do.
77
00:06:07,950 --> 00:06:14,190
So we're literally just doing bettercap followed by the interface that is connected to my target network,
78
00:06:14,190 --> 00:06:17,610
which is eth0, and I'm launching my caplet,
79
00:06:17,700 --> 00:06:24,720
the spoof caplet, so that it configures the ARP spoof module and runs it for me to put me in the middle
80
00:06:24,720 --> 00:06:29,120
of the connection. So I'm gonna hit Enter.
81
00:06:29,360 --> 00:06:32,330
And as you can see it's working as expected.
82
00:06:32,330 --> 00:06:36,910
So right now I should be in the middle of the connection, intercepting anything
83
00:06:36,920 --> 00:06:41,510
the target Windows machine sends or receives.
84
00:06:41,840 --> 00:06:45,500
Now let's go to the Windows machine and see, if I do anything here,
85
00:06:45,500 --> 00:06:50,960
if it's going to affect the traffic in eth0. So we'll see if Wireshark would be able to capture traffic
86
00:06:51,200 --> 00:06:53,070
generated by this computer.
87
00:06:53,120 --> 00:06:54,770
So let's write anything here.
88
00:06:54,770 --> 00:06:58,490
I'm just going to Google, or I'm just gonna go to a different website. I'm just gonna go to Bing,
89
00:07:01,370 --> 00:07:07,730
and if we come back here you'll see that we have traffic being generated here, and we can see that eth0
90
00:07:07,790 --> 00:07:12,290
is actually capturing whatever's happening in a completely different device.
91
00:07:12,320 --> 00:07:17,930
This is happening because when we are the man in the middle, all the packets that are generated by the
92
00:07:17,930 --> 00:07:23,150
Windows device are actually being redirected to my own computer right here, to the Kali, and then Wireshark
93
00:07:23,150 --> 00:07:29,330
is sniffing that from the Kali machine, sniffing it from my own local machine. It's not sniffing
94
00:07:29,330 --> 00:07:33,140
it from the network, it's not sniffing it from the target computer.
95
00:07:33,140 --> 00:07:37,640
So again, if you're doing this with the fake access point, then just listen on the interface that you're
96
00:07:37,640 --> 00:07:43,010
broadcasting. If you're doing this with a real wireless network, if you're connected to your home wireless
97
00:07:43,010 --> 00:07:47,930
network using wlan0, then you can just do this with wlan0, but with ARP spoofing you have
98
00:07:47,930 --> 00:07:51,090
to first redirect the traffic, then you can use Wireshark.
99
00:07:51,170 --> 00:07:54,230
Now this is just to show you what Wireshark is and how it works.
100
00:07:54,290 --> 00:07:57,730
And I just wanted to stress the idea that Wireshark is not a hacking tool.
101
00:07:57,980 --> 00:08:03,290
It's only a program that allows you to log packets flowing through a certain interface and then analyze
102
00:08:03,290 --> 00:08:04,590
these packets.
103
00:08:04,640 --> 00:08:08,840
So in the next video we'll see how we can sniff and analyze packets using Wireshark.