Wireshark mailing list archives

Re: from the past


From: M K <gedropi () gmail com>
Date: Thu, 25 Mar 2010 07:10:37 -0800

Martin
I believe that I am seeing WS's very own DNS when I start a capture.
It's true that one expects DNS at the beginning when one logs on.  Now
that you  mention it, however, occasionally there are a few stray,
smaller DNS episodes later on.  I will check into those to see what
lies beneath the surface.  Thanks for the tip.


On 3/24/10, Martin Visser <martinvisser99 () gmail com> wrote:
Right at the start of this thread you talked about "DNS Authentication". Is
this to do with what you see? DNS doesn't normally have any authentication
requirement.

If you are seeing DNS packets that contains something that looks like a
username or password, I suspect you have a very clever little trojan
installed that is sending some nice data off to the bad guys almost covertly
via DNS.

Regards, Martin

MartinVisser99 () gmail com


On Thu, Mar 25, 2010 at 8:29 AM, M K <gedropi () gmail com> wrote:

Closer to #2.  The etherXXXX file is only created when I start a WS
capture.  It is apparent to me now that this tmp file is pretty
identical to the capture inside WS.  OK.  But, I guess this exercise
still brings home the problem of who is (off and on) pulling my
password information, from where and where is it going?  I know this
isn't a WS problem.  WS was only doing its job.

About the transfer of authentication data, why isn't it encrypted?
What can I do to make this happen?

It doesn't do a lick of good to harden your computer if your
authentication data is all over the place in clear text.

Thanks

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
Now I'm a bit confused (I'm probably missing something here). In your
original email you said

The second issue, however, is still a big concern.  The etherXXXXa
file always contains the complete (passwords included) authentication
data plus more.  Again, this unsaved (by me) login information was
sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
and put into this file in the present. How can I prevent this login
info from being saved?  How can I encrypt this login info?  This is a
security risk.

I don't understand if

1. the file etherXXXX "magically" appears even when you do not start
wireshark and you do not start a capture

or

2. you do open wireshark and start a capture (in this case wireshark does
create an etherXXXX file), and you see packets containing your username and
password (and other sensitive data) that were exchanged with your ISP/proxy
*well before* you started to capture with wireshark.

Which one is the right one?

GV





--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 1:48 PM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

The etherXXXX file is only a tmp file written in hex.  I believe that
it would be impossible to open within WS because the only time the
ethernet file exists is when you are already in the middle of a
capture.  And it vanishes when you stop the capture or shut down WS, I
believe.  Opening another file while performing a capture is not
enabled.  Unless you had multiple instances of WS, perhaps.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:


--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 1:29 PM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

The WS capture file does have time stamps.  The etherXXXXa file lives
at:  \Documents and Settings\Administrator\Local Settings\Temp within
Windows.  This tmp file does not appear to have obvious timestamps.
Machine name, Administrator User name, packet source/dest and at
times, also the passwords to Windows and ISP.

Wait... is this a pcap file or not? Can you open it with wireshark?

Have a nice day
GV



On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:


--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 12:45 PM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

Sorry.  I got called away.

The etherXXXX tmp file doesn't appear to have timestamps.  But within

If it's a valid capture file, the packets must have a timestamp, if you
open the file with wireshark.

GV


WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
show up in the trace at the time the login info is captured inside the
tmp file.

I suspect that this info is being passed to the tmp file.  Possible
suspects: the OS or networking appliances.

Yes, the interface is:  Adapter for generic dialup and VPN

And thanks for this feedback and help.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
You didn't answer my questions:

1. what is the timestamp of those packets?
2. what interface are you capturing from?

Are you capturing from what is called "Adapter for generic dialup and VPN
capture"?

Have a nice day
GV



--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 9:25 AM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

That is exactly what I am doing.  I log onto my Windows machine, then
my ISP, then my proxy.  Then maybe go to a few websites, for example.
Then maybe after a half hour, I may then start up a WS capture.
Still, even after all that time between logons and actually starting a
capture, the etherXXXXa tmp file still contains this private info.

According to Jeff, the etherXXXXa file only captures what is not
encrypted.  That makes this even more scary.  That means that not only
is the info being captured but it isn't even being protected by even
low-grade encryption.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:


--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 9:11 AM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

That is the question.  I am saying that some program (?) is capturing
my unsaved login info.  Then at a later point, when I start a WS
capture, that login info from the past is put into that etherXXXXa
tmp file.

What happens if you log into your ISP and proxy, wait let's say 5
minutes and then start wireshark? Do those packets still show up? what
is their timestamp?

GV


On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
Are you saying that when you start Wireshark, wireshark itself starts
capturing, *before* you click the start capture button on it?
Which adapter is wireshark capturing from?


Have a nice day
GV


--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 8:12 AM
To: <wireshark-users () wireshark org>
Subject: [Wireshark-users] from the past

Jeff Morriss suggested that I pose this question to you folks.

Here is what I wrote:
First:
I first log onto Windows machine
I log onto my ISP
I log into my proxy
Maybe do a few things online (e.g. go to a few websites)
Then log into Wireshark

Next:
When launching WS, immediately the capture starts a DNS authentication
trace and an etherXXXXa* file with Windows & ISP usernames AND
passwords is created.
Since I expect WS to be literal, I would expect that those actions that
had taken place in the past (logons & DNS authentication) would not be
captured since WS had not been started when I logged on.  That means
that this information is being cached or worse somewhere.  For my peace
of mind, please can you tell me about this security issue?  Thank you.
......................
......................

Here is what Jeff wrote:
Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
the capturing.  I'm pretty sure WinPCAP won't start capturing until you
ask it to do so.  And I'm pretty sure that the OS's TCP/IP stack isn't
going to cache stuff to give to WinPCAP after the fact.

(BTW, the etherXXX file is just the temporary PCAP file that contains
the packets that were captured--and what Wireshark displays for you.
The fact that your password, etc., are in there just indicates that
your password, etc., were sent over the wire unencrypted.)
..............
What Jeff described is what I expected but I believe that I understand
now what I am seeing.  WS does its own DNS.  So, that explains the
first question.

The second issue, however, is still a big concern.  The etherXXXXa
file always contains the complete (passwords included) authentication
data plus more.  Again, this unsaved (by me) login information was
sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
and put into this file in the present. How can I prevent this login
info from being saved?  How can I encrypt this login info?  This is a
security risk.


--
All that is necessary for evil to succeed is that good men do
nothing.

             ~Edmund Burke

___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe:
https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org
?subject=unsubscribe


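The thread turns on two technical points: every record in a valid pcap file carries a timestamp (Gianluca's question), and a password visible in the etherXXXX temp file simply means it crossed the wire unencrypted, here as a PPP PAP Authenticate-Request (Jeff's answer). Both can be checked without Wireshark. The script below is an added example, not code from this thread or from the Wireshark/WinPcap projects: it builds a small constructed capture in memory containing an LCP frame, a PAP login and an IPv4 frame, then reads it back as a classic pcap file, lists each record's timestamp, and flags PAP logins by reporting the peer-id and the password length rather than the password itself. It assumes link type DLT_PPP (9) with HDLC address/control framing, which is what the dial-up adapter produces here; the peer-id alice@isp.example, the password and the timestamps are constructed values.

```python
import calendar
import struct
from datetime import datetime, timezone

# Constants from the classic libpcap file format and RFC 1661/1334 (PPP, PAP).
PCAP_MAGIC = 0xA1B2C3D4
DLT_PPP = 9                    # link type for raw PPP frames (assumed here)
PPP_PROTO_LCP = 0xC021
PPP_PROTO_PAP = 0xC023
PAP_AUTHENTICATE_REQUEST = 1


def ppp_frame(proto, body):
    """Wrap body in a PPP frame with HDLC address/control bytes 0xff 0x03."""
    return b"\xff\x03" + struct.pack(">H", proto) + body


def pap_authenticate_request(ident, peer_id, password):
    """Build a PAP Authenticate-Request: peer-id and password both travel in the clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def build_pcap(records, linktype=DLT_PPP):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample capture (synthetic timestamps and credentials):
# an LCP Configure-Request, the PAP login two seconds later, then one IPv4 frame.
SAMPLE_TS = calendar.timegm((2010, 3, 24, 15, 29, 0))
SAMPLE_PCAP = build_pcap([
    (SAMPLE_TS, 0, ppp_frame(PPP_PROTO_LCP, struct.pack(">BBH", 1, 1, 4))),
    (SAMPLE_TS + 2, 500000, ppp_frame(PPP_PROTO_PAP,
        pap_authenticate_request(1, b"alice@isp.example", b"constructed-secret"))),
    (SAMPLE_TS + 5, 0, ppp_frame(0x0021, bytes(20))),   # IPv4 placeholder frame
])


def iter_records(data):
    """Yield (ts_sec, ts_usec, linktype, frame) for each record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:       # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, linktype, data[off:off + incl_len]
        off += incl_len


def record_timestamps(data):
    """Every record in a valid pcap has a timestamp; return them as ISO-8601 UTC strings."""
    return [datetime.fromtimestamp(s + us / 1e6, tz=timezone.utc).isoformat()
            for s, us, _lt, _frame in iter_records(data)]


def find_cleartext_pap(data):
    """Report PAP Authenticate-Requests found in the capture without echoing the password."""
    findings = []
    for ts_sec, _ts_usec, linktype, frame in iter_records(data):
        if linktype != DLT_PPP:
            continue
        # Address/control bytes may be compressed away (ACFC); handle both layouts.
        off = 2 if frame[:2] == b"\xff\x03" else 0
        if len(frame) < off + 6:
            continue
        proto, code, _ident, length = struct.unpack_from(">HBBH", frame, off)
        if proto != PPP_PROTO_PAP or code != PAP_AUTHENTICATE_REQUEST:
            continue
        pap = frame[off + 2:off + 2 + length]
        peer_len = pap[4]
        peer_id = pap[5:5 + peer_len]
        password_len = pap[5 + peer_len]
        findings.append({
            "time": datetime.fromtimestamp(ts_sec, tz=timezone.utc).isoformat(),
            "peer_id": peer_id.decode("latin-1"),
            "password_len": password_len,
            "cleartext": True,
        })
    return findings


if __name__ == "__main__":
    for ts in record_timestamps(SAMPLE_PCAP):
        print("record at", ts)
    for f in find_cleartext_pap(SAMPLE_PCAP):
        print("cleartext PAP login:", f)
```

To check a real file, read the temp file's bytes and pass them in place of SAMPLE_PCAP. If find_cleartext_pap reports anything, the weakness is in the PPP link itself (the peer negotiated PAP rather than CHAP, or the connection is not inside a tunnel); Wireshark and WinPcap only record what was already on the wire, so the fix belongs at the dial-up or VPN configuration, not in the capture tool.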