So we're going to use Kali for this demonstration, and we're going to need another system. Here I have the OWASP Broken Web Applications VM (OWASP BWA), which is one of my VMs; it has a web application, and the web server is running by default.

First, I want to sniff the entire traffic passing through the eth0 interface, right? tcpdump is built into Kali, so we're ready to use it. If you type tcpdump and then hit enter, it starts to listen to the traffic. By default it listens on the eth0 interface, and that's exactly what we want right here.

So, right, there's no traffic at the moment, so let's make some noise. I'll go to the OWASP BWA and ping Kali. Now turn back to Kali, and yes, here we have the packets caused by the ping command: ICMP echo requests and replies. There are some other packets too and, of course, our requests and the responses before them.

We can limit the number of received packets using the -c parameter. The command stops when it receives the specified number of packets, and here it stops after the fifth packet.

Having a look at the results, we see the domain names of the source and destination systems. That is especially good for remote systems outside the network, but we may want to see the IP addresses of the systems instead of the domain names. To do this, we can use the -n parameter.
And now the computers are listed with their IP addresses.

OK, so let's turn back to the first example. We were listening on the eth0 interface and, like I said before, it listens on this interface if the interface is not specified. We can specify the interface we want to listen to by using the -i parameter. Use -i with the name of the interface, eth0 in this example, and hit enter.

Now, the second example: let's sniff only the TCP traffic between us and a target host. tcpdump is the command itself, the host parameter specifies the target host, and tcp is the protocol we want to listen to. So it started to listen to the TCP packets between Kali and OWASP BWA. We have no TCP traffic at the moment, so let's create some. I'll open a browser window and visit a web page hosted on OWASP BWA. Now turn back to the terminal screen and, whoa, we have a lot of TCP packets caused by HTTP requests and responses.

Now, we didn't use the -n parameter, so we see the domain names and the service type, such as http, instead of the port numbers. Let's run the same command once again, but with the -n parameter. I'll go to the application and just click an arbitrary link to create some traffic. Now back to the terminal. See, look at the traffic with IP addresses and port numbers.
So, in the third example, let's have a look only at the IP traffic received from the target host. Right, if we don't enter any parameter, we will see the IP packets received from the target host; however, we see a lot of different packets here as well. Hmm. So now I'll show you how to filter the received packets.

To see only the packets received from the target host, we use src. It's basically a keyword, src, before the host parameter, then the host IP, and the ip keyword to filter the IP packets. And look at that: as soon as we hit enter, we start to receive some packets, because the ping command on the OWASP BWA is still running. We see the ICMP echo requests, but we don't see the ICMP responses, because we used the src keyword before the host and we wanted to see only the received packets from the target host, so that's as it should be.

Now let's go to the web app and click any link to create some HTTP traffic. And here are the IP packets of the HTTP requests. Now you can press Ctrl+C to stop the command.

In this next example, let's filter the TCP traffic of the entire network generated by HTTP requests and responses. We use the net parameter to specify the network.
Here it's 172.16.99.0/24, and to filter the HTTP traffic we can specify port 80. So here we assume that the applications are using the default port, which is 80. OK, so we'll start to listen. Now we'll go to the web browser and click any link to create the HTTP request. And here is all the TCP traffic sent to or received from the default port 80.

So what would happen if we didn't use the port parameter? Well, as you can see here, we would see the ping requests and replies as well, because the ping command is still running on the OWASP BWA system.

So lastly, let's see the SSH traffic from a specified host to another one. First, I'll go back to OWASP BWA and check if the SSH service is running; use service ssh status to check it. Yup, as I said, the SSH service is running on OWASP BWA. To see the port that SSH listens on, you can use the netstat -tlnp command. As you see here at the top of the screen, sshd listens on the default port for SSH.

So in Kali I'll open another terminal screen and create an SSH connection between Kali and OWASP BWA: type ssh root@ followed by the IP address of OWASP BWA, and hit enter.
Then enter the password of the OWASP BWA root user, which, remember, is owaspbwa, as long as you haven't changed it. And here we have an SSH connection.

I'll go to the other terminal screen to create the tcpdump command: src host to specify the source host, dst host to specify the destination host, and port. So now go to the SSH connection and send something to the OWASP BWA. Hey, look at that, see, we capture the packets of every keystroke. The packets are from Kali to port 22 of OWASP BWA, and I'm sure you saw it like I did: because we wanted to see the traffic only if the source host is Kali and the destination host is OWASP BWA, we don't see the SSH packets received from OWASP BWA. To see both sent and received packets, we can change the command to something like this: tcpdump host <IP address of OWASP BWA> and port 22. Now we'll see the received packets as well as the sent packets.
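The filter expressions used throughout this lecture, replayed over a small constructed capture. This is an added example, not part of the course and not tcpdump's own code: the evaluator below is a hypothetical re-implementation of the host, src/dst, net, port and protocol primitives plus the -c count, run over made-up tcpdump -n lines (172.16.99.10 stands for Kali and 172.16.99.50 for OWASP BWA), so you can see which lines each filter keeps and why src host shows only one direction.

```python
import ipaddress
import re
# Constructed sample of `tcpdump -n` output: Kali is 172.16.99.10, OWASP BWA is
# 172.16.99.50, plus one outside host. Addresses and timestamps are made up.
SAMPLE = """\
12:00:01.000001 IP 172.16.99.10 > 172.16.99.50: ICMP echo request, id 7, seq 1, length 64
12:00:01.000200 IP 172.16.99.50 > 172.16.99.10: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000001 IP 172.16.99.10.51234 > 172.16.99.50.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000300 IP 172.16.99.50.80 > 172.16.99.10.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:03.000001 IP 172.16.99.10.40000 > 172.16.99.50.22: Flags [P.], seq 1:37, ack 1, win 501, length 36
12:00:03.000200 IP 172.16.99.50.22 > 172.16.99.10.40000: Flags [P.], seq 1:37, ack 37, win 501, length 36
12:00:04.000001 IP 10.0.0.5.33000 > 172.16.99.50.80: Flags [S], seq 9, win 64240, length 0
"""
# "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
                     r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def parse(line):
    """Split one -n style line into src/dst addresses, ports and protocol."""
    src, sport, dst, dport, rest = LINE_RE.match(line).groups()
    proto = "icmp" if rest.startswith("ICMP") else "tcp" if rest.startswith("Flags") else "other"
    return {"src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None, "proto": proto}

def matches(pkt, expr):
    """Evaluate an 'and'-joined filter (hypothetical subset of tcpdump's syntax)."""
    for term in expr.split(" and "):
        words = term.split()
        # A bare host/net/port primitive matches either side; src/dst restricts it to one.
        sides = [words.pop(0)] if words[0] in ("src", "dst") else ["src", "dst"]
        kind, arg = words[0], (words[1] if len(words) > 1 else None)
        if kind == "ip":
            ok = True  # every sample line is an IP packet
        elif kind in ("tcp", "icmp"):
            ok = pkt["proto"] == kind
        elif kind == "host":
            ok = any(pkt[s] == arg for s in sides)
        elif kind == "net":
            ok = any(ipaddress.ip_address(pkt[s]) in ipaddress.ip_network(arg) for s in sides)
        elif kind == "port":
            ok = any(pkt[s[0] + "port"] == int(arg) for s in sides)
        else:
            raise ValueError(f"unsupported primitive: {term}")
        if not ok:
            return False
    return True

def capture(expr, text=SAMPLE, count=None):
    """Like `tcpdump -n [-c count] <expr>`: return the lines the filter keeps."""
    kept = [line for line in text.splitlines() if matches(parse(line), expr)]
    return kept[:count] if count else kept
```

Running capture("src host 172.16.99.50 and ip") keeps only the three lines sent by the BWA address, while capture("host 172.16.99.50 and port 22") keeps the SSH lines in both directions, which is the difference the lecture points out.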