Capture credentials with Wireshark [FREE COURSE CONTENT]


In this video from our ARP Poisoning course we take a look at how we can use Wireshark to capture credentials. This was part of the ARP poisoning attack we were studying in the course, but you can apply these skills in all kinds of scenarios. Have fun! 

In this course, we will conduct an Arp Poisoning/Spoofing attack using Cain and Abel. With this type of attack we can set up a Man-in-the-Middle exploit which allows us to sniff traffic between two or more workstations and capture sensitive information such as credentials.

Module 1 – Setup lab and conduct initial ARP Poisoning

Task 1 – Setup VM workstation lab

In this task, we will setup two virtual machines using Virtual Box. By doing so, we are able to replicate an actual Ethernet LAN that we are able to conduct our lab in. We will be using Windows XP and/or Windows 7 for both victim workstation VM's and as the attacker. An unlicensed copy of Windows XP and 7 will work for this exercise in order to demonstrate ARP Poisoning and the Main-in-the-Middle Attack.

  • Install Virtual Box.
  • Install Operating System (Win XP and/or Windows 7).
  • Setup LAN configuration.

Task 2 – Install Cain and Abel and conduct ARP Poisoning Attack

By using Cain and Abel (CaA), we will conduct an ARP poisoning attack. This allows us to fool the two victim workstations in believing that they are communicating with each other; however, since we have poisoned their ARP cache, we redirect their layer 2 destination address to us as the attacker instead.

  • Initiate Arp Poisoning between to VM's.
  • Conduct Man-in-the-Middle attack and capture plaintext credentials.
  • Replay plaintext credentials for authentication.

 Task 3 – Replay Credentials

In this task, we will replay the credentials that CaA sniffed and recorded for us. We will also crack the hash values of our victims using CaA in order to again authentication to access system resources.

  • Conduct dictionary attack using CaA.
  • Conduct brute force attack using CaA.
  • Capture HTTPS credentials and then conduct replay attack.

Module 2 – Using Wireshark to analyze traffic and steal cookies

Task 1 – Install Wireshark

We will install Wireshark, which is an open application that allows us to analyze network traffic. It can also be used to enhance our MITM attack by sniffing information that we are looking for such as cookies.

  • Install Wireshark. Go to and download and install on attackers computer.
  • Select default location and requirements.
  • Ensure that our interfaces that we using are selected for our VM and not the actual host.

Task 2 – Capturing and analyzing packets.

In this portion, we will use certain filters to allow us to look at only the critical information that we require in order to view and capture cookies.

  • Understand how filters work.
  • Select our virtual interface and apply filters.
  • Select data stream to copy and reference later as we conduct an advanced MITM attack.

Task 3 – Log into a victim VM and surf the internet.

In order for this exploit to work, we will have to create internet activity in order to generate credentials. This allows us to simulate what an actual victim might do.

  • Create a bare-bone Facebook or Gmail account.
  • Ensure your password is simple and not too complex. The more complex your password is, it will take exponentially longer to crack.
  • Active Wireshark and conduct packet inspection.

Module 3 – Select packet and retrieve site cookie information

Task 1 – Select filter in Wireshark

In this portion, we will use our filters in order to segregate the vast amount of data that Wireshark generated. By doing so, we are able to isolate and select the cookie that we need in order to replay a victim’s account.

  • Select virtual interface on the attackers’ workstation.
  • Select and input victim’s IP address and destination to sniff cookies from.
  • Allow Wireshark to conduct packet inspection.

Task 2 – Capture packet inspection

Once traffic has been generated and our filters applied, we will now pull the packet information from Wireshark.

  • Open Wireshark and select packet.
  • Retrieve cookie information from the session layer.
  • Open CaA and crack hashed credentials.

Task 3 – Replay credentials that was cracked by CaA

After we cracked the credentials using CaA, we should be able to access the account now.

  • Go to the accounts’ website such as Facebook or Gmail.
  • Input the cracked credentials.
  • Verify if you are able to successfully log on.

[custom-related-posts title="Related Posts" none_text="None found" order_by="title" order="ASC"]

April 26, 2022
Notify of
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023