
Capturing HTTP Traffic

Using NMAP, TCP Dump, and Wireshark to interpret network traffic on a Linux system


Let's start by capturing information using the server's IP.
We will also save this information to a file so we can document it and come back to it later.

Notice that we are not passing any options to Nmap. Why? This is not for hacking activities, but it can be used for configuration troubleshooting and vulnerability scans of a server or network :)

We can see that port 22 and port 80 are open on this server.

22 is used for Secure Shell (SSH) and uses TCP as the transport protocol.

80 is Hypertext Transfer Protocol (HTTP), also using TCP.

Let's choose a target: port 80!

Let's open a web browser window with this IP and see what we are looking at.

We confirm it is up and running, and it is an Apache2 server installed on an Ubuntu system.

On a Linux platform (Kali), let's run tcpdump to capture packets to and from this server.

After starting the tcpdump, let's make some noise for it to listen to. Hopping back to the web browser, we can simply refresh the page, and this gives us new packets to intercept.

Let's refresh the server's website in the web browser!

Now we can see some packets in our packet capture!

When I say noise, what am I talking about? Well, when a server and a client talk to each other, they use protocols to determine the way they talk, specifically UDP or TCP. TCP, the Transmission Control Protocol, is the protocol that organizes that connection: it uses a 3-way handshake to set the connection up and acknowledgements to confirm delivery of data. It sits between the network layer (IP) and the application layer (HTTP) and is how packets of data get from one to the other. Below is a picture that represents this structure.

To recap, TCP confirms a connection using the 3-way handshake below and is connection-oriented. UDP does not have this strong connection.

(UDP is like someone yelling in a supermarket: others can hear it if they want to.)

Below we can see how this 3-way handshake works.

It goes like this:

Host (hey server, are you awake?)

Server (hi host, yes I'm awake)

Host (I'm sending you a request for information, can you send me the information back please?)

Server (yeah, for sure! Here you go. Please let me know if you received it)

Host (yes, I received it, thank you. We can close down this connection now)

Server (confirmed you received it! Awesome, goodbye)

We can view this in the tcpdump output. It is not the most user-friendly way to view it though. Take a look!

We stop our tcpdump task in the terminal and the capture is now ready to view!

This is A LOT of info, so let's use Wireshark to clear it up. We saved this packet capture as a file too, so we can simply open the file in Wireshark and view it.

We can view the packets in Wireshark and see the entire 3-way handshake... but let's open the HTTP packet that was received.

We can see the packet size, the Ethernet frame (MAC address) information, the IP address information, and the protocols used to transmit the data.

Looking further we see HTTP. Let's go deeper.

And we now see the traffic! Remember, we simply refreshed the web browser page. This established a connection with that specific server, and we can now see that connection in plain text! Not encrypted!
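The two things we just read off in Wireshark, the handshake and the unencrypted request, can also be checked from a script. As an added example that is not part of the original post, the Python below builds a small constructed pcap (the lab addresses 192.168.56.10 and 192.168.56.20 are made up) holding exactly that exchange, then reads it back the way tcpdump and Wireshark would: it walks the Ethernet, IP and TCP headers, confirms SYN, SYN-ACK, ACK in order, and returns any port-80 payload as plain text.

```python
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT, SERVER = "192.168.56.10", "192.168.56.20"   # constructed lab addresses, not real hosts

def build_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; Wireshark would flag that)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic little-endian pcap (link type 1 = Ethernet), the format tcpdump -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture: the 3-way handshake, then the plaintext request and reply from a page refresh.
FRAMES = [
    build_frame(CLIENT, SERVER, 40000, 80, SYN, 100, 0),
    build_frame(SERVER, CLIENT, 80, 40000, SYN | ACK, 500, 101),
    build_frame(CLIENT, SERVER, 40000, 80, ACK, 101, 501),
    build_frame(CLIENT, SERVER, 40000, 80, PSH | ACK, 101, 501, b"GET / HTTP/1.1\r\nHost: 192.168.56.20\r\n\r\n"),
    build_frame(SERVER, CLIENT, 80, 40000, PSH | ACK, 501, 140, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n\r\n<html>hi</html>"),
]

def dissect(pcap):
    """Return (handshake_complete, [plaintext TCP payloads]) for port-80 traffic in a classic pcap."""
    if pcap[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap (pcapng saved by Wireshark is not handled here)")
    endian = "<" if pcap[0] == 0xD4 else ">"
    pos, steps, payloads, isn = 24, [], [], None
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6: continue     # keep only IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport, seq, ackn, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        if 80 not in (sport, dport): continue
        data = tcp[(off >> 4) * 4:]
        if flags & SYN and not flags & ACK and not steps:
            steps.append("SYN"); isn = seq                          # host: "are you awake?"
        elif flags & SYN and flags & ACK and steps == ["SYN"] and ackn == isn + 1:
            steps.append("SYN-ACK")                                 # server: "yes, I'm awake"
        elif flags & ACK and steps == ["SYN", "SYN-ACK"]:
            steps.append("ACK")                                     # host: connection established
        if data: payloads.append(data.decode("ascii", "replace"))  # readable because HTTP is not encrypted
    return steps == ["SYN", "SYN-ACK", "ACK"], payloads
```

To check a real capture, call `dissect(open("capture.pcap", "rb").read())` on a file saved with `tcpdump -w`; Wireshark's default pcapng format is rejected with a clear error rather than misread.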

What does this mean? If we have traffic (data) being sent on an open, unsecured port (this is not good), over TCP on HTTP port 80, then anyone who intercepts that traffic, as our tcpdump just did, can read everything in human-readable form.

This can be a simple troubleshooting technique to determine whether the firewall and port configuration on a server is correct. Ports can be configured to only allow secure traffic through for the connection's data transfer to the user, so that the frames that hold each packet of data can only be decrypted by the intended end user's system.