Wireshark-users: Re: [Wireshark-users] from the past
From: M K <gedropi@xxxxxxxxx>
Date: Thu, 25 Mar 2010 07:10:37 -0800
Martin I believe that I am seeing WS's very own DNS when I start a capture. It's true that one expects DNS at the beginning when one logs on. Now that you mention it, however, occasionally there are a few stray, smaller DNS episodes later on. I will check into those to see what lies beneath the surface. Thanks for the tip. On 3/24/10, Martin Visser <martinvisser99@xxxxxxxxx> wrote: > Right at the start of this thread you talked about "DNS Authentication". Is > this to do with what you see? DNS doesn't normally have any authentication > requirement. > > If you are seeing DNS packets that contains something that looks like a > username or password, I suspect you have a very clever little trojan > installed that is sending some nice data off to the bad guys almost covertly > via DNS. > > Regards, Martin > > MartinVisser99@xxxxxxxxx > > > On Thu, Mar 25, 2010 at 8:29 AM, M K <gedropi@xxxxxxxxx> wrote: > >> Closer to #2. The etherXXXX file is only created when I start a WS >> capture. It is apparent to me now that this tmp file is pretty >> identical to the capture inside WS. OK. But, I guess this exercise >> still brings home the problem of who is (off and on) pulling my >> password information, from where and where is it going? I know this >> isn't a WS problem. WS was only doing its job. >> >> About the transfer of authentication data, why isn't it encrypted? >> What can I do to make this happen? >> >> It doesn't do a lick of good to harden your computer if your >> authentication data is all over the place in clear text. >> >> Thanks >> >> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >> > Now I'm a bit confused (I'm probably missing something here). In your >> > original email you said >> > >> >>>>>>>>>>>> The second issue, however, is still a big concern. The >> >>>>>>>>>>>> etherXXXXa >> >>>>>>>>>>>> file always contains the complete (passwords included) >> >>>>>>>>>>>> authentication >> >>>>>>>>>>>> data plus more. Again, this unsaved (by me) login >> >>>>>>>>>>>> information >> >>>>>>>>>>>> was >> >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being >> saved >> >>>>>>>>>>>> (by >> >>>>>>>>>>>> ?) >> >>>>>>>>>>>> and put into this file in the present. How can I prevent this >> >>>>>>>>>>>> login >> >>>>>>>>>>>> info from being saved? How can I encrypt this login info? >> This >> >>>>>>>>>>>> is >> >>>>>>>>>>>> >> >>>>>>>>>>>> a >> >>>>>>>>>>>> security risk. >> > >> > I don't understand if >> > >> > 1. the file etherXXXX "magically" appears even when you do not start >> > wireshark and you do not start a capture >> > >> > or >> > >> > 2. you do open wireshark and start a capture (in this case wireshark >> > does >> > create an etherXXXX file), and you see packets containing your username >> and >> > password (and other sensitive data) that were exchanged with your >> ISP/proxy >> > *well before* you started to capture with wireshark. >> > >> > Which one is the right one? >> > >> > GV >> > >> > >> > >> > >> > >> > -------------------------------------------------- >> > From: "M K" <gedropi@xxxxxxxxx> >> > Sent: Wednesday, March 24, 2010 1:48 PM >> > To: "Community support list for Wireshark" < >> wireshark-users@xxxxxxxxxxxxx> >> > Subject: Re: [Wireshark-users] from the past >> > >> >> The etherXXXX file is only a tmp file written in hex. I believe that >> >> it would be impossible to open within WS because the only time the >> >> ethernet file exists is when you are already in the middle of a >> >> capture. And it vanishes when you stop the capture or shut down WS, I >> >> believe. Opening another file while performing a capture is not >> >> enabled. Unless if you had multiple instances of WS perhaps. >> >> >> >> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >> >>> >> >>> >> >>> -------------------------------------------------- >> >>> From: "M K" <gedropi@xxxxxxxxx> >> >>> Sent: Wednesday, March 24, 2010 1:29 PM >> >>> To: "Community support list for Wireshark" >> >>> <wireshark-users@xxxxxxxxxxxxx> >> >>> Subject: Re: [Wireshark-users] from the past >> >>> >> >>>> The WS capture file does have time stamps. The etherXXXXa file >> >>>> lives >> >>>> at: \Documents and Settings\Administrator\Local Settings\Temp within >> >>>> Windows. This tmp file does not appear to have obvious timestamps. >> >>>> Machine name, Administrator User name, packet source/dest and at >> >>>> times, also the passwords to Windows and ISP. >> >>> >> >>> Wait... is this a pcap file or not? Can you open it with wireshark? >> >>> >> >>> Have a nice day >> >>> GV >> >>> >> >>> >> >>>> >> >>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >> >>>>> >> >>>>> >> >>>>> -------------------------------------------------- >> >>>>> From: "M K" <gedropi@xxxxxxxxx> >> >>>>> Sent: Wednesday, March 24, 2010 12:45 PM >> >>>>> To: "Community support list for Wireshark" >> >>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>> Subject: Re: [Wireshark-users] from the past >> >>>>> >> >>>>>> Sorry. I got called away. >> >>>>>> >> >>>>>> The etherXXXX tmp file doesn't appear to have timestamps. But >> within >> >>>>> >> >>>>> If it's a valid capture file, the packets must have a timestamp, if >> you >> >>>>> open >> >>>>> the file with wireshark. >> >>>>> >> >>>>> GV >> >>>>> >> >>>>> >> >>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols >> >>>>>> to >> >>>>>> show up in the trace at the time the login info is captured inside >> the >> >>>>>> tmp file. >> >>>>>> >> >>>>>> I suspect that this info is being passed to the tmp file. Possible >> >>>>>> suspects: the OS or networking appliances. >> >>>>>> >> >>>>>> Yes, the interface is: Adapter for generic dialup and VPN >> >>>>>> >> >>>>>> And thanks for this feedback and help. >> >>>>>> >> >>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >> >>>>>>> You didn't answer my questions: >> >>>>>>> >> >>>>>>> 1. what is the timestamp of those packets? >> >>>>>>> 2. what interface are you capturing from? >> >>>>>>> >> >>>>>>> Are capturing from what is called "Adapter for generic dialup and >> VPN >> >>>>>>> capture"? >> >>>>>>> >> >>>>>>> Have a nice day >> >>>>>>> GV >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>> -------------------------------------------------- >> >>>>>>> From: "M K" <gedropi@xxxxxxxxx> >> >>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM >> >>>>>>> To: "Community support list for Wireshark" >> >>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>> Subject: Re: [Wireshark-users] from the past >> >>>>>>> >> >>>>>>>> That is exactly what I am doing. I log onto my Windows machine, >> >>>>>>>> then >> >>>>>>>> my ISP, then my proxy. Then maybe go to a few websites, for >> >>>>>>>> example. >> >>>>>>>> Then maybe after a half hour, I may then start up a WS capture. >> >>>>>>>> Still, even after all that time between logons and actually >> starting >> >>>>>>>> >> >>>>>>>> a >> >>>>>>>> capture, the etherXXXXa tmp file still contains this private >> >>>>>>>> info. >> >>>>>>>> >> >>>>>>>> According to Jeff, the etherXXXXa file only captures what is not >> >>>>>>>> encrypted. That makes this even more scary. That means that not >> >>>>>>>> only >> >>>>>>>> is the info being captured but it isn't even being protected by >> even >> >>>>>>>> low-grade encryption. >> >>>>>>>> >> >>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> >> wrote: >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> -------------------------------------------------- >> >>>>>>>>> From: "M K" <gedropi@xxxxxxxxx> >> >>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM >> >>>>>>>>> To: "Community support list for Wireshark" >> >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>> Subject: Re: [Wireshark-users] from the past >> >>>>>>>>> >> >>>>>>>>>> That is the question. I am saying that some program (?) is >> >>>>>>>>>> capturing >> >>>>>>>>>> my unsaved login info. Then at a later point, when I start a >> >>>>>>>>>> WS >> >>>>>>>>>> capture, that login info from the past is put into that >> >>>>>>>>>> EtherxXXXXa >> >>>>>>>>>> tmp file. >> >>>>>>>>> >> >>>>>>>>> What happens if you log into your ISP and proxy, wait let's say >> >>>>>>>>> 5 >> >>>>>>>>> minutes >> >>>>>>>>> and then start wireshark? Do those packets still show up? what >> >>>>>>>>> is >> >>>>>>>>> their >> >>>>>>>>> tiemstamp? >> >>>>>>>>> >> >>>>>>>>> GV >> >>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> >> >>>>>>>>>> wrote: >> >>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself >> >>>>>>>>>>> starts >> >>>>>>>>>>> capturing, *before* you click the start capture button on it? >> >>>>>>>>>>> Which adapter is wireshark capturing from? >> >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> Have a nice day >> >>>>>>>>>>> GV >> >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> -------------------------------------------------- >> >>>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx> >> >>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM >> >>>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>>>> Subject: [Wireshark-users] from the past >> >>>>>>>>>>> >> >>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you >> >>>>>>>>>>>> folks. >> >>>>>>>>>>>> >> >>>>>>>>>>>> Here is what I wrote: >> >>>>>>>>>>>> First: >> >>>>>>>>>>>> I first log onto Windows machine >> >>>>>>>>>>>> I log onto my Isp >> >>>>>>>>>>>> I log into my proxy >> >>>>>>>>>>>> Maybe do a few things online (eg. go to a few websites) >> >>>>>>>>>>>> Then log into Wireshark >> >>>>>>>>>>>> >> >>>>>>>>>>>> Next: >> >>>>>>>>>>>> When launching WS, immediately the capture starts a DNS >> >>>>>>>>>>>> authentication >> >>>>>>>>>>>> trace >> >>>>>>>>>>>> and an etherXXXXa* file with Windows & ISP usernames AND >> >>>>>>>>>>>> passwords >> >>>>>>>>>>>> is >> >>>>>>>>>>>> created. >> >>>>>>>>>>>> Since I expect WS to be literal, I would expect that those >> >>>>>>>>>>>> actions >> >>>>>>>>>>>> that >> >>>>>>>>>>>> had >> >>>>>>>>>>>> taken place in the past (logons & DNS authentication) would >> not >> >>>>>>>>>>>> be >> >>>>>>>>>>>> captured >> >>>>>>>>>>>> since WS had not been started when I logged on. That means >> that >> >>>>>>>>>>>> this >> >>>>>>>>>>>> information is being cached or worse somewhere. For my peace >> of >> >>>>>>>>>>>> mind, >> >>>>>>>>>>>> please >> >>>>>>>>>>>> can you tell me about this security issue? Thank you. >> >>>>>>>>>>>> ...................... >> >>>>>>>>>>>> >> >>>>>>>>>>>> Here is what Jeff wrote: >> >>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on >> >>>>>>>>>>>> WinPCAP >> >>>>>>>>>>>> to >> >>>>>>>>>>>> do >> >>>>>>>>>>>> the >> >>>>>>>>>>>> capturing. I'm pretty sure WinPCAP won't start capturing >> until >> >>>>>>>>>>>> you >> >>>>>>>>>>>> ask >> >>>>>>>>>>>> it >> >>>>>>>>>>>> >> >>>>>>>>>>>> to >> >>>>>>>>>>>> do so. And I'm pretty sure that the OS's TCP/IP stack isn't >> >>>>>>>>>>>> going >> >>>>>>>>>>>> to >> >>>>>>>>>>>> cache >> >>>>>>>>>>>> stuff to give to WinPCAP after the fact. >> >>>>>>>>>>>> >> >>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that >> >>>>>>>>>>>> contains >> >>>>>>>>>>>> the >> >>>>>>>>>>>> packets that were captured--and what Wireshark displays for >> you. >> >>>>>>>>>>>> The >> >>>>>>>>>>>> fact >> >>>>>>>>>>>> >> >>>>>>>>>>>> that >> >>>>>>>>>>>> your password, etc., are in there just indicate that your >> >>>>>>>>>>>> password, >> >>>>>>>>>>>> etc., >> >>>>>>>>>>>> were >> >>>>>>>>>>>> sent over the wire unencrypted.) >> >>>>>>>>>>>> .............. >> >>>>>>>>>>>> What Jeff described is what I expected but I believe that I >> >>>>>>>>>>>> understand >> >>>>>>>>>>>> now what I am seeing. WS does its own DNS. So, that >> >>>>>>>>>>>> explains >> >>>>>>>>>>>> the >> >>>>>>>>>>>> first question. >> >>>>>>>>>>>> >> >>>>>>>>>>>> The second issue, however, is still a big concern. The >> >>>>>>>>>>>> etherXXXXa >> >>>>>>>>>>>> file always contains the complete (passwords included) >> >>>>>>>>>>>> authentication >> >>>>>>>>>>>> data plus more. Again, this unsaved (by me) login >> >>>>>>>>>>>> information >> >>>>>>>>>>>> was >> >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being >> saved >> >>>>>>>>>>>> (by >> >>>>>>>>>>>> ?) >> >>>>>>>>>>>> and put into this file in the present. How can I prevent this >> >>>>>>>>>>>> login >> >>>>>>>>>>>> info from being saved? How can I encrypt this login info? >> This >> >>>>>>>>>>>> is >> >>>>>>>>>>>> >> >>>>>>>>>>>> a >> >>>>>>>>>>>> security risk. >> >>>>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>>>> -- >> >>>>>>>>>>>> All that is necessary for evil to succeed is that good men do >> >>>>>>>>>>>> nothing. >> >>>>>>>>>>>> >> >>>>>>>>>>>> ~Edmund Burke >> >>>>>>>>>>>> >> ___________________________________________________________________________ >> >>>>>>>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>>>>>>> Unsubscribe: >> >>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users >> >>>>>>>>>>>> >> >>>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx >> ?subject=unsubscribe >> >>>>>>>>>>> >> >>>>>>>>>>> >> ___________________________________________________________________________ >> >>>>>>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>>>>>> Unsubscribe: >> >>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users >> >>>>>>>>>>> >> >>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx >> ?subject=unsubscribe >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> -- >> >>>>>>>>>> All that is necessary for evil to succeed is that good men do >> >>>>>>>>>> nothing. >> >>>>>>>>>> >> >>>>>>>>>> ~Edmund Burke >> >>>>>>>>>> >> ___________________________________________________________________________ >> >>>>>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>>>>> Unsubscribe: >> https://wireshark.org/mailman/options/wireshark-users >> >>>>>>>>>> >> >>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx >> ?subject=unsubscribe >> >>>>>>>>> >> >>>>>>>>> >> ___________________________________________________________________________ >> >>>>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>>>> Unsubscribe: >> https://wireshark.org/mailman/options/wireshark-users >> >>>>>>>>> >> >>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> -- >> >>>>>>>> All that is necessary for evil to succeed is that good men do >> >>>>>>>> nothing. >> >>>>>>>> >> >>>>>>>> ~Edmund Burke >> >>>>>>>> >> ___________________________________________________________________________ >> >>>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>>> Unsubscribe: >> https://wireshark.org/mailman/options/wireshark-users >> >>>>>>>> >> >>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>>>>>> >> >>>>>>> >> ___________________________________________________________________________ >> >>>>>>> Sent via: Wireshark-users mailing list >> >>>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >>>>>>> >> >>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>>>>>> >> >>>>>> >> >>>>>> >> >>>>>> -- >> >>>>>> All that is necessary for evil to succeed is that good men do >> nothing. >> >>>>>> >> >>>>>> ~Edmund Burke >> >>>>>> >> ___________________________________________________________________________ >> >>>>>> Sent via: Wireshark-users mailing list >> >>>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >>>>>> >> >>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>>>> >> >>>>> >> ___________________________________________________________________________ >> >>>>> Sent via: Wireshark-users mailing list >> >>>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >>>>> >> >>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>>>> >> >>>> >> >>>> >> >>>> -- >> >>>> All that is necessary for evil to succeed is that good men do >> >>>> nothing. >> >>>> >> >>>> ~Edmund Burke >> >>>> >> ___________________________________________________________________________ >> >>>> Sent via: Wireshark-users mailing list >> >>>> <wireshark-users@xxxxxxxxxxxxx> >> >>>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >>>> >> >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>> >> >>> >> ___________________________________________________________________________ >> >>> Sent via: Wireshark-users mailing list < >> wireshark-users@xxxxxxxxxxxxx> >> >>> Archives: http://www.wireshark.org/lists/wireshark-users >> >>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >>> >> >>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >>> >> >> >> >> >> >> -- >> >> All that is necessary for evil to succeed is that good men do nothing. >> >> >> >> ~Edmund Burke >> >> >> ___________________________________________________________________________ >> >> Sent via: Wireshark-users mailing list < >> wireshark-users@xxxxxxxxxxxxx> >> >> Archives: http://www.wireshark.org/lists/wireshark-users >> >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >> >> >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> > >> > >> ___________________________________________________________________________ >> > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx >> > >> > Archives: http://www.wireshark.org/lists/wireshark-users >> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> > >> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> > >> >> >> -- >> All that is necessary for evil to succeed is that good men do nothing. >> >> ~Edmund Burke >> ___________________________________________________________________________ >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >> Archives: http://www.wireshark.org/lists/wireshark-users >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> mailto:wireshark-users-request@xxxxxxxxxxxxx >> ?subject=unsubscribe >> > -- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke
- References:
- [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Martin Visser
- [Wireshark-users] from the past
- Prev by Date: [Wireshark-users] Build wireshark on windows fails, linux works
- Next by Date: [Wireshark-users] Memory question
- Previous by thread: Re: [Wireshark-users] from the past
- Next by thread: Re: [Wireshark-users] from the past
- Index(es):
- Get Wireshark
- Download
- Code of Conduct