Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 13:29:55 -0800
Closer to #2.  The etherXXXX file is only created when I start a WS
capture.  It is apparent to me now that this tmp file is pretty
identical to the capture inside WS.  OK.  But, I guess this exercise
still brings home the problem of who is (off and on) pulling my
password information, from where and where is it going?  I know this
isn't a WS problem.  WS was only doing its job.

About the transfer of authentication data, why isn't it encrypted?
What can I do to make this happen?

It doesn't do a lick of good to harden your computer if your
authentication data is all over the place in clear text.

Thanks

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
> Now I'm a bit confused (I'm probably missing something here). In your
> original email you said
>
>>>>>>>>>>>> The second issue, however, is still a big concern.  The
>>>>>>>>>>>> etherXXXXa
>>>>>>>>>>>> file always contains the complete (passwords included)
>>>>>>>>>>>> authentication
>>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information
>>>>>>>>>>>> was
>>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved
>>>>>>>>>>>> (by
>>>>>>>>>>>> ?)
>>>>>>>>>>>> and put into this file in the present. How can I prevent this
>>>>>>>>>>>> login
>>>>>>>>>>>> info from being saved?  How can I encrypt this login info? This
>>>>>>>>>>>> is
>>>>>>>>>>>>
>>>>>>>>>>>> a
>>>>>>>>>>>> security risk.
>
> I don't understand if
>
> 1. the file etherXXXX "magically" appears even when you do not start
> wireshark and you do not start a capture
>
> or
>
> 2. you do open wireshark and start a capture (in this case wireshark does
> create an etherXXXX file), and you see packets containing your username and
> password (and other sensitive data) that were exchanged with your ISP/proxy
> *well before* you started to capture with wireshark.
>
> Which one is the right one?
>
> GV
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 1:48 PM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> The etherXXXX file is only a tmp file written in hex.  I believe that
>> it would be impossible to open within WS because the only time the
>> ethernet file exists is when you are already in the middle of a
>> capture.  And it vanishes when you stop the capture or shut down WS, I
>> believe.  Opening another file while performing a capture is not
>> enabled.  Unless you had multiple instances of WS, perhaps.
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 1:29 PM
>>> To: "Community support list for Wireshark"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> The WS capture file does have time stamps.  The etherXXXXa file lives
>>>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>>>> Windows.  This tmp file does not appear to have obvious timestamps.
>>>> Machine name, Administrator User name, packet source/dest and at
>>>> times, also the passwords to Windows and ISP.
>>>
>>> Wait... is this a pcap file or not? Can you open it with wireshark?
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>> Sent: Wednesday, March 24, 2010 12:45 PM
>>>>> To: "Community support list for Wireshark"
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> Sorry.  I got called away.
>>>>>>
>>>>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>>>>>
>>>>> If it's a valid capture file, the packets must have a timestamp, if you
>>>>> open
>>>>> the file with wireshark.
>>>>>
>>>>> GV
>>>>>
>>>>>
>>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>>>>> show up in the trace at the time the login info is captured inside the
>>>>>> tmp file.
>>>>>>
>>>>>> I suspect that this info is being passed to the tmp file.  Possible
>>>>>> suspects: the OS or networking appliances.
>>>>>>
>>>>>> Yes, the interface is:  Adapter for generic dialup and VPN
>>>>>>
>>>>>> And thanks for this feedback and help.
>>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>> You didn't answer my questions:
>>>>>>>
>>>>>>> 1. what is the timestamp of those packets?
>>>>>>> 2. what interface are you capturing from?
>>>>>>>
>>>>>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>>>>>> capture"?
>>>>>>>
>>>>>>> Have a nice day
>>>>>>> GV
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>>>>> To: "Community support list for Wireshark"
>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> That is exactly what I am doing.  I log onto my Windows machine,
>>>>>>>> then
>>>>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for
>>>>>>>> example.
>>>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>>>>>> Still, even after all that time between logons and actually starting
>>>>>>>>
>>>>>>>> a
>>>>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>>>>>
>>>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>>>>>> encrypted.  That makes this even more scary.  That means that not
>>>>>>>> only
>>>>>>>> is the info being captured but it isn't even being protected by even
>>>>>>>> low-grade encryption.
>>>>>>>>
>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------
>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>>>>> To: "Community support list for Wireshark"
>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>>>
>>>>>>>>>> That is the question.  I am saying that some program (?) is
>>>>>>>>>> capturing
>>>>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>>>>>>>>>> capture, that login info from the past is put into that
>>>>>>>>>> EtherxXXXXa
>>>>>>>>>> tmp file.
>>>>>>>>>
>>>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>>>>>>>>> minutes
>>>>>>>>> and then start wireshark? Do those packets still show up? what is
>>>>>>>>> their
>>>>>>>>> timestamp?
>>>>>>>>>
>>>>>>>>> GV
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx>
>>>>>>>>>> wrote:
>>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself
>>>>>>>>>>> starts
>>>>>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Have a nice day
>>>>>>>>>>> GV
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>>>>
>>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>>>>
>>>>>>>>>>>> Here is what I wrote:
>>>>>>>>>>>> First:
>>>>>>>>>>>> I first log onto Windows machine
>>>>>>>>>>>> I log onto my ISP
>>>>>>>>>>>> I log into my proxy
>>>>>>>>>>>> Maybe do a few things online (e.g. go to a few websites)
>>>>>>>>>>>> Then log into Wireshark
>>>>>>>>>>>>
>>>>>>>>>>>> Next:
>>>>>>>>>>>> When launching WS, immediately the capture starts a DNS
>>>>>>>>>>>> authentication
>>>>>>>>>>>> trace
>>>>>>>>>>>> and an etherXXXXa* file with Windows & ISP usernames AND
>>>>>>>>>>>> passwords
>>>>>>>>>>>> is
>>>>>>>>>>>> created.
>>>>>>>>>>>> Since I expect WS to be literal, I would expect that those
>>>>>>>>>>>> actions
>>>>>>>>>>>> that
>>>>>>>>>>>> had
>>>>>>>>>>>> taken place in the past (logons & DNS authentication) would not
>>>>>>>>>>>> be
>>>>>>>>>>>> captured
>>>>>>>>>>>> since WS had not been started when I logged on.  That means that
>>>>>>>>>>>> this
>>>>>>>>>>>> information is being cached or worse somewhere.  For my peace of
>>>>>>>>>>>> mind,
>>>>>>>>>>>> please
>>>>>>>>>>>> can you tell me about this security issue?  Thank you.
>>>>>>>>>>>> ......................
>>>>>>>>>>>>
>>>>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP
>>>>>>>>>>>> to
>>>>>>>>>>>> do
>>>>>>>>>>>> the
>>>>>>>>>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until
>>>>>>>>>>>> you
>>>>>>>>>>>> ask
>>>>>>>>>>>> it
>>>>>>>>>>>>
>>>>>>>>>>>> to
>>>>>>>>>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't
>>>>>>>>>>>> going
>>>>>>>>>>>> to
>>>>>>>>>>>> cache
>>>>>>>>>>>> stuff to give to WinPCAP after the fact.
>>>>>>>>>>>>
>>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that
>>>>>>>>>>>> contains
>>>>>>>>>>>> the
>>>>>>>>>>>> packets that were captured--and what Wireshark displays for you.
>>>>>>>>>>>> The
>>>>>>>>>>>> fact
>>>>>>>>>>>>
>>>>>>>>>>>> that
>>>>>>>>>>>> your password, etc., are in there just indicates that your
>>>>>>>>>>>> password,
>>>>>>>>>>>> etc.,
>>>>>>>>>>>> were
>>>>>>>>>>>> sent over the wire unencrypted.)
>>>>>>>>>>>> ..............
>>>>>>>>>>>> What Jeff described is what I expected but I believe that I
>>>>>>>>>>>> understand
>>>>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains
>>>>>>>>>>>> the
>>>>>>>>>>>> first question.
>>>>>>>>>>>>
>>>>>>>>>>>> The second issue, however, is still a big concern.  The
>>>>>>>>>>>> etherXXXXa
>>>>>>>>>>>> file always contains the complete (passwords included)
>>>>>>>>>>>> authentication
>>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information
>>>>>>>>>>>> was
>>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved
>>>>>>>>>>>> (by
>>>>>>>>>>>> ?)
>>>>>>>>>>>> and put into this file in the present. How can I prevent this
>>>>>>>>>>>> login
>>>>>>>>>>>> info from being saved?  How can I encrypt this login info? This
>>>>>>>>>>>> is
>>>>>>>>>>>>
>>>>>>>>>>>> a
>>>>>>>>>>>> security risk.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>>>>>> nothing.
>>>>>>>>>>>>
>>>>>>>>>>>>              ~Edmund Burke
>>>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>>>>>> Unsubscribe:
>>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>>>>
>>>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke
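For the question raised at the top of this thread (why the PPP PAP login shows up in clear text in the etherXXXX capture file, and what would change that), here is an added example that is not part of the thread and is not Wireshark or WinPcap code. It parses constructed PPP frames, flags a PAP Authenticate-Request as clear-text credential exposure (masking the password rather than printing it), and notes CHAP, which carries only a challenge and a response hash. The protocol numbers and field layout follow RFC 1661, RFC 1662 and RFC 1334; the frames, user name and password are constructed sample data, and the function and class names are my own.

```python
"""Flag PPP PAP clear-text credentials in a list of captured PPP frames (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PPP protocol numbers (IANA PPP number registry / RFC 1661).
PPP_LCP = 0xC021   # Link Control Protocol
PPP_PAP = 0xC023   # Password Authentication Protocol, RFC 1334: password in clear
PPP_CHAP = 0xC223  # Challenge Handshake Authentication Protocol, RFC 1994

PAP_AUTHENTICATE_REQUEST = 1  # PAP Code field value for Authenticate-Request


@dataclass
class Finding:
    frame: int       # 1-based index of the frame in the input
    protocol: int    # PPP protocol number that triggered the finding
    severity: str    # "HIGH" for clear-text credentials, "INFO" otherwise
    detail: str      # human-readable description; the password is never included


def strip_hdlc(frame: bytes) -> bytes:
    """Drop the HDLC-like Address (0xFF) / Control (0x03) bytes of RFC 1662 if present."""
    if len(frame) >= 2 and frame[0] == 0xFF and frame[1] == 0x03:
        return frame[2:]
    return frame


def build_pap_auth_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Construct a PAP Authenticate-Request frame (RFC 1334 section 2.2.1) for the sample data."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)  # Code + Identifier + Length fields plus the body
    return (b"\xff\x03" + struct.pack("!H", PPP_PAP)
            + struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, length) + body)


def parse_pap_auth_request(payload: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Parse Code/Identifier/Length/Peer-ID-Length/Peer-ID/Passwd-Length/Password; None if malformed."""
    if len(payload) < 6:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length < 6 or length > len(payload):
        return None
    body = payload[4:length]
    id_len = body[0]
    if 1 + id_len + 1 > len(body):  # need room for Peer-ID and the Passwd-Length byte
        return None
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    pw_start = 2 + id_len
    if pw_start + pw_len > len(body):
        return None
    return ident, peer_id, body[pw_start:pw_start + pw_len]


def audit_ppp_frames(frames: List[bytes]) -> List[Finding]:
    """Walk PPP frames and report which authentication method the link used."""
    findings: List[Finding] = []
    for n, raw in enumerate(frames, start=1):
        data = strip_hdlc(raw)
        if len(data) < 2:
            continue
        proto = struct.unpack("!H", data[:2])[0]
        payload = data[2:]
        if proto == PPP_PAP:
            parsed = parse_pap_auth_request(payload)
            if parsed is not None:
                ident, peer_id, password = parsed
                findings.append(Finding(n, proto, "HIGH",
                    f"PAP Authenticate-Request id={ident} for peer-id "
                    f"{peer_id.decode('ascii', errors='replace')!r}: password sent in clear "
                    f"({len(password)} bytes, masked here)"))
        elif proto == PPP_CHAP:
            findings.append(Finding(n, proto, "INFO",
                "CHAP in use: only a challenge and a response hash cross the link"))
    return findings


# Constructed sample frames (not real traffic): an LCP Configure-Request with no
# options, a PAP login with a made-up user name and password, and a CHAP Challenge.
SAMPLE_FRAMES = [
    b"\xff\x03\xc0\x21\x01\x01\x00\x04",
    build_pap_auth_request(1, b"user", b"s3cret"),
    b"\xff\x03\xc2\x23\x01\x05\x00\x0c\x04\xaa\xbb\xcc\xdd" + b"srv",
]

if __name__ == "__main__":
    for f in audit_ppp_frames(SAMPLE_FRAMES):
        print(f"frame {f.frame} proto 0x{f.protocol:04x} [{f.severity}] {f.detail}")
```

Wireshark's own PAP dissector shows the same fields, which is exactly why the temporary capture file contains the password: PAP puts it on the link unprotected, and any capture records what is on the link. Negotiating CHAP on the dial-up or VPN link instead (or carrying the login inside an encrypted tunnel) is what keeps the password out of every capture, and the same audit logic run over frames from one's own link confirms which method was actually negotiated.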