philb19
asked on
Can a packet sniffer view the contents of a user opening a Word doc - see the content of a file
Basic question around packet sniffers and applications: can a sniffer pick up and read the content of a Word document, as an example? Our storage (data at rest) is not encrypted.
So if I use a good sniffer and can capture the data in-line, can I then in any way use a quality packet sniffer to see the content of, say, a Word document being opened by a user?
If encryption isn't enabled then yes you can. Install Wireshark on your PC and see what it captures.
Should be able to for non-encrypted traffic, and even in offline pcap analysis, for example with NetworkMiner:
https://www.netresec.com/?page=networkminer
Extract files from FTP, TFTP, HTTP, SMB, SMB2, SMTP, POP3 and IMAP traffic
Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc
Likewise for Wireshark, you can drill down in the packet you want, depending on the protocol.
Right click > Export selected bytes
ASKER
ok I have wireshark on my pc - If I open a word document how do I see the content of this file in wireshark please?
Just kick off opening a word document across the network, start capturing packets, then stop once the document is open. (try to do this quickly, to minimize the number of packets to sort through). Filter on port 445, and start viewing packets. It would be difficult to reconstruct the entire document, but you should see recognisable fragments of text.
ASKER
Thanks. If I filter on 445 I see nothing; if I filter on smb2 I see traffic. When I view/analyse the TCP stream I see the doc heading/name in clear text somewhere in the gibberish. What I need to know is the way to go about it: is smb2 the best filter? How do I capture the whole document, presuming no encryption (which there isn't)? Do I need to dump all the Wireshark data into another product, or is it just not possible?
cheers
In short:
-attackers have a very hard time, any way you put it. You don't expect an attacker to have access to the mirror port of a network switch, do you (do you know what a mirror port is? Please inform yourself about that)?
-without a mirror port, sniffing works with ARP poisoning/IP spoofing (whatever you like to call it). If the legitimate target for the data is running, an attacker will be able to get that IP, but the attack will not get by unnoticed - try it out. The legitimate computer will get unbearably slow. Try it.
-Countermeasures have been mentioned: SMBv3 (by default, encryption is off!), IPsec (secure firewall rules using the Windows Firewall with Kerberos authentication)
->whether the data is encrypted on the server drive or not does not matter.
ASKER
Thanks Mcknife for the comments. Yes, I realise it's difficult for attackers. The question is not around how difficult it might be. The question is around demonstrating that I can in fact rebuild a document using Wireshark myself (having all the access to ports etc. that I require).
SMB encryption is off (yes). So can I use a sniffing tool to see the entire contents of a document I open across the network, and how do I go about it?
Let's say for argument's sake that an insider threat exists (that insider is a domain and full network admin) with all the access he requires.
Thanks all
No, you can't do that unless you are an expert in this attack type. Wireshark alone will not let you reconstruct the text.
There is past sharing on carving the file, but it is also not straightforward:
https://chrissanders.org/2011/11/packet-carving-with-smb-and-smb2/
https://osqa-ask.wireshark.org/questions/9618/reconstructcreate-a-stream-file-from-pcap
Or consider trying out the other tool in my earlier post:
https://www.netresec.com/?page=Blog&month=2017-03&post=Enable-file-extraction-from-PCAP-with-NetworkMiner-in-six-st
https://www.geeksforgeeks.org/computer-network-ip-security-ipsec/
And even less so if IPSec is enabled and SMB v3 is used with encryption enabled.
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security
However, if someone has attached and dug in on your wired network to a point where they can put a packet sniffer on it for any length of time, then all bets about security are off because one of your employees is corrupt and they've already handed over all the information they can about your network.
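To act on the two mitigation points raised in this thread (SMBv3 encryption being off by default, and the SMB security guidance linked above), here is an added example of my own, not code posted by anyone in the thread, that audits and then enforces SMB encryption on a Windows file server. The cmdlets and parameters are the standard SmbShare module ones; the share name "Docs" is a placeholder for your own share.

```powershell
# Added example: audit and enforce SMB encryption on a Windows file server so
# that document reads over port 445 are not readable by a sniffer.
# Run in an elevated PowerShell on the file server. "Docs" is a placeholder.

# 1. Server-wide posture. EncryptData is $false out of the box, which is the
#    "SMBv3 encryption is off by default" point made in the thread.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess,
                  RequireSecuritySignature, EnableSMB1Protocol

# 2. Per-share posture: list every user share that is still unencrypted
#    (administrative shares such as C$ are excluded via the Special flag).
Get-SmbShare |
    Where-Object { -not $_.Special -and -not $_.EncryptData } |
    Select-Object Name, Path, EncryptData

# 3. Encrypt a single share holding sensitive documents. Clients that only
#    speak SMB 1 or 2 cannot open an encrypted share, so test before rollout.
Set-SmbShare -Name "Docs" -EncryptData $true -Force

# 4. Or enforce encryption server-wide, refuse clients that cannot encrypt
#    (so there is no plaintext fallback), and disable SMB1 while at it.
Set-SmbServerConfiguration -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -EnableSMB1Protocol $false -Force

# 5. Re-check the result; a repeat capture on port 445 should now show only
#    SMB2 TRANSFORM_HEADER (encrypted) payloads instead of readable text.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
```

Verify afterwards by repeating the capture from the earlier answer: with encryption enforced, the document name and fragments that were visible in the TCP stream should no longer appear.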