Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Thu, 25 Mar 2010 07:10:37 -0800
Martin
I believe that I am seeing WS's very own DNS when I start a capture.
It's true that one expects DNS at the beginning when one logs on.  Now
that you  mention it, however, occasionally there are a few stray,
smaller DNS episodes later on.  I will check into those to see what
lies beneath the surface.  Thanks for the tip.


On 3/24/10, Martin Visser <martinvisser99@xxxxxxxxx> wrote:
> Right at the start of this thread you talked about "DNS Authentication". Is
> this to do with what you see? DNS doesn't normally have any authentication
> requirement.
>
> If you are seeing DNS packets that contains something that looks like a
> username or password, I suspect you have a very clever little trojan
> installed that is sending some nice data off to the bad guys almost covertly
> via DNS.
>
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
>
> On Thu, Mar 25, 2010 at 8:29 AM, M K <gedropi@xxxxxxxxx> wrote:
>
>> Closer to #2.  The etherXXXX file is only created when I start a WS
>> capture.  It is apparent to me now that this tmp file is pretty
>> identical to the capture inside WS.  OK.  But, I guess this exercise
>> still brings home the problem of who is (off and on) pulling my
>> password information, from where and where is it going?  I know this
>> isn't a WS problem.  WS was only doing its job.
>>
>> About the transfer of authentication data, why isn't it encrypted?
>> What can I do to make this happen?
>>
>> It doesn't do a lick of good to harden your computer if your
>> authentication data is all over the place in clear text.
>>
>> Thanks
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> > Now I'm a bit confused (I'm probably missing something here). In your
>> > original email you said
>> >
>> >>>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>> >>>>>>>>>>>> file always contains the complete (passwords included) authentication
>> >>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>> >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>> >>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>> >>>>>>>>>>>> info from being saved?  How can I encrypt this login info?  This is
>> >>>>>>>>>>>> a security risk.
>> >
>> > I don't understand if
>> >
>> > 1. the file etherXXXX "magically" appears even when you do not start
>> > wireshark and you do not start a capture
>> >
>> > or
>> >
>> > 2. you do open wireshark and start a capture (in this case wireshark does
>> > create an etherXXXX file), and you see packets containing your username and
>> > password (and other sensitive data) that were exchanged with your ISP/proxy
>> > *well before* you started to capture with wireshark.
>> >
>> > Which one is the right one?
>> >
>> > GV
>> >
>> >
>> >
>> >
>> >
>> > --------------------------------------------------
>> > From: "M K" <gedropi@xxxxxxxxx>
>> > Sent: Wednesday, March 24, 2010 1:48 PM
>> > To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>> > Subject: Re: [Wireshark-users] from the past
>> >
>> >> The etherXXXX file is only a tmp file written in hex.  I believe that
>> >> it would be impossible to open within WS because the only time the
>> >> ethernet file exists is when you are already in the middle of a
>> >> capture.  And it vanishes when you stop the capture or shut down WS, I
>> >> believe.  Opening another file while performing a capture is not
>> >> enabled.  Unless you had multiple instances of WS, perhaps.
>> >>
>> >> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> >>>
>> >>>
>> >>> --------------------------------------------------
>> >>> From: "M K" <gedropi@xxxxxxxxx>
>> >>> Sent: Wednesday, March 24, 2010 1:29 PM
>> >>> To: "Community support list for Wireshark"
>> >>> <wireshark-users@xxxxxxxxxxxxx>
>> >>> Subject: Re: [Wireshark-users] from the past
>> >>>
>> >>>> The WS capture file does have time stamps.  The etherXXXXa file lives
>> >>>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>> >>>> Windows.  This tmp file does not appear to have obvious timestamps.
>> >>>> Machine name, Administrator User name, packet source/dest and at
>> >>>> times, also the passwords to Windows and ISP.
>> >>>
>> >>> Wait... is this a pcap file or not? Can you open it with wireshark?
>> >>>
>> >>> Have a nice day
>> >>> GV
>> >>>
>> >>>
>> >>>>
>> >>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> >>>>>
>> >>>>>
>> >>>>> --------------------------------------------------
>> >>>>> From: "M K" <gedropi@xxxxxxxxx>
>> >>>>> Sent: Wednesday, March 24, 2010 12:45 PM
>> >>>>> To: "Community support list for Wireshark"
>> >>>>> <wireshark-users@xxxxxxxxxxxxx>
>> >>>>> Subject: Re: [Wireshark-users] from the past
>> >>>>>
>> >>>>>> Sorry.  I got called away.
>> >>>>>>
>> >>>>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>> >>>>>
>> >>>>> If it's a valid capture file, the packets must have a timestamp, if you
>> >>>>> open the file with wireshark.
>> >>>>>
>> >>>>> GV
>> >>>>>
>> >>>>>
>> >>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>> >>>>>> show up in the trace at the time the login info is captured inside the
>> >>>>>> tmp file.
>> >>>>>>
>> >>>>>> I suspect that this info is being passed to the tmp file.  Possible
>> >>>>>> suspects: the OS or networking appliances.
>> >>>>>>
>> >>>>>> Yes, the interface is:  Adapter for generic dialup and VPN
>> >>>>>>
>> >>>>>> And thanks for this feedback and help.
>> >>>>>>
>> >>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> >>>>>>> You didn't answer my questions:
>> >>>>>>>
>> >>>>>>> 1. what is the timestamp of those packets?
>> >>>>>>> 2. what interface are you capturing from?
>> >>>>>>>
>> >>>>>>> Are you capturing from what is called "Adapter for generic dialup and
>> >>>>>>> VPN capture"?
>> >>>>>>>
>> >>>>>>> Have a nice day
>> >>>>>>> GV
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --------------------------------------------------
>> >>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>> >>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>> >>>>>>> To: "Community support list for Wireshark"
>> >>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>> >>>>>>> Subject: Re: [Wireshark-users] from the past
>> >>>>>>>
>> >>>>>>>> That is exactly what I am doing.  I log onto my Windows machine, then
>> >>>>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>> >>>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>> >>>>>>>> Still, even after all that time between logons and actually starting
>> >>>>>>>> a capture, the etherXXXXa tmp file still contains this private info.
>> >>>>>>>>
>> >>>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>> >>>>>>>> encrypted.  That makes this even more scary.  That means that not only
>> >>>>>>>> is the info being captured but it isn't even being protected by even
>> >>>>>>>> low-grade encryption.
>> >>>>>>>>
>> >>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> --------------------------------------------------
>> >>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>> >>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>> >>>>>>>>> To: "Community support list for Wireshark"
>> >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>> >>>>>>>>> Subject: Re: [Wireshark-users] from the past
>> >>>>>>>>>
>> >>>>>>>>>> That is the question.  I am saying that some program (?) is capturing
>> >>>>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>> >>>>>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>> >>>>>>>>>> tmp file.
>> >>>>>>>>>
>> >>>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>> >>>>>>>>> minutes and then start wireshark? Do those packets still show up? What
>> >>>>>>>>> is their timestamp?
>> >>>>>>>>>
>> >>>>>>>>> GV
>> >>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>> >>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>> >>>>>>>>>>> capturing, *before* you click the start capture button on it?
>> >>>>>>>>>>> Which adapter is wireshark capturing from?
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> Have a nice day
>> >>>>>>>>>>> GV
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> --------------------------------------------------
>> >>>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>> >>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>> >>>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>> >>>>>>>>>>> Subject: [Wireshark-users] from the past
>> >>>>>>>>>>>
>> >>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Here is what I wrote:
>> >>>>>>>>>>>> First:
>> >>>>>>>>>>>> I first log onto Windows machine
>> >>>>>>>>>>>> I log onto my ISP
>> >>>>>>>>>>>> I log into my proxy
>> >>>>>>>>>>>> Maybe do a few things online (e.g. go to a few websites)
>> >>>>>>>>>>>> Then log into Wireshark
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Next:
>> >>>>>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>> >>>>>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND
>> >>>>>>>>>>>> passwords is created.
>> >>>>>>>>>>>> Since I expect WS to be literal, I would expect that those actions
>> >>>>>>>>>>>> that had taken place in the past (logons & DNS authentication) would
>> >>>>>>>>>>>> not be captured since WS had not been started when I logged on.  That
>> >>>>>>>>>>>> means that this information is being cached or worse somewhere.  For
>> >>>>>>>>>>>> my peace of mind, please can you tell me about this security issue?
>> >>>>>>>>>>>> Thank you.
>> >>>>>>>>>>>> ......................
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Here is what Jeff wrote:
>> >>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
>> >>>>>>>>>>>> the capturing.  I'm pretty sure WinPCAP won't start capturing until
>> >>>>>>>>>>>> you ask it to do so.  And I'm pretty sure that the OS's TCP/IP stack
>> >>>>>>>>>>>> isn't going to cache stuff to give to WinPCAP after the fact.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>> >>>>>>>>>>>> the packets that were captured--and what Wireshark displays for you.
>> >>>>>>>>>>>> The fact that your password, etc., are in there just indicates that
>> >>>>>>>>>>>> your password, etc., were sent over the wire unencrypted.)
>> >>>>>>>>>>>> ..............
>> >>>>>>>>>>>> What Jeff described is what I expected but I believe that I understand
>> >>>>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>> >>>>>>>>>>>> first question.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>> >>>>>>>>>>>> file always contains the complete (passwords included) authentication
>> >>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>> >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>> >>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>> >>>>>>>>>>>> info from being saved?  How can I encrypt this login info?  This is
>> >>>>>>>>>>>> a security risk.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> --
>> >>>>>>>>>>>> All that is necessary for evil to succeed is that good men do
>> >>>>>>>>>>>> nothing.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>              ~Edmund Burke
>> >>>>>>>>>>>>
>> ___________________________________________________________________________
>> >>>>>>>>>>>> Sent via:    Wireshark-users mailing list
>> >>>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>> >>>>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> >>>>>>>>>>>> Unsubscribe:
>> >>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx
>> ?subject=unsubscribe
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>>
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke
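The check GV keeps asking for in the thread, written out as an added example (not code from the list or from Wireshark): read the temporary capture file, report the timestamp libpcap stores with every packet, and flag PPP PAP Authenticate-Request frames, whose peer-ID and password travel in cleartext and therefore land verbatim in the etherXXXX file. The pcap bytes, the user name and the password are constructed here; the file is assumed to be a little-endian libpcap file with the PPP link type.

```python
# Added example, not from the thread: parse a libpcap file, list per-packet
# timestamps, and flag cleartext PAP credentials (RFC 1334 Authenticate-Request).
import struct
from datetime import datetime, timezone

LINKTYPE_PPP = 9          # libpcap link type: raw PPP frames (dialup adapter)
PPP_PROTO_PAP = 0xC023    # PPP protocol number for PAP
PAP_AUTH_REQUEST = 1      # PAP code whose payload holds peer-ID and password

def build_pap_frame(code, peer_id=b"", password=b""):
    """Constructed PPP frame: HDLC address/control, PAP protocol, PAP packet."""
    body = (bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
            if code == PAP_AUTH_REQUEST else b"\x00")   # Ack/Nak: empty message
    pap = struct.pack(">BBH", code, 1, 4 + len(body)) + body
    return b"\xff\x03" + struct.pack(">H", PPP_PROTO_PAP) + pap

def build_pcap(packets):
    """Constructed little-endian libpcap v2.4 file with the PPP link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PPP)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def parse_pap_request(frame):
    """Return (peer_id, password) for a PAP Authenticate-Request, else None."""
    if frame[:2] == b"\xff\x03":                 # strip HDLC address/control
        frame = frame[2:]
    if len(frame) < 6 or struct.unpack(">H", frame[:2])[0] != PPP_PROTO_PAP:
        return None
    code, _ident, length = struct.unpack(">BBH", frame[2:6])
    body = frame[6:2 + length]
    if code != PAP_AUTH_REQUEST or length > len(frame) - 2 or not body:
        return None
    id_len = body[0]
    if 1 + id_len >= len(body):                  # truncated peer-ID field
        return None
    pw_len = body[1 + id_len]
    peer_id = body[1:1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    return peer_id, password

def scan_pcap(data):
    """Return [(utc_timestamp, credentials_or_None), ...], one entry per packet."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_PPP:
        raise ValueError("expected a little-endian libpcap file with PPP link type")
    results, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        results.append((ts, parse_pap_request(frame)))
    return results

# Constructed sample: a PAP request at 2010-03-24 16:12:00 UTC, then the Ack.
SAMPLE_PCAP = build_pcap([
    (1269447120, 250000, build_pap_frame(PAP_AUTH_REQUEST, b"alice", b"s3cret-pap")),
    (1269447120, 310000, build_pap_frame(2)),
])
```

Run `scan_pcap(open(path, "rb").read())` on the etherXXXX file: every packet carries the time libpcap wrote it, so anything older than the capture start would have to show an older timestamp, and a PAP hit confirms that the password was on the wire unencrypted.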