Find brute attacks using Wireshark and Prevention measures
Before discussing how to find brute attacks using Wireshark and the preventive measures, you have to understand what exactly Wireshark is.
Wireshark is the world’s leading and most widely used network protocol analyser. It is an open-source tool used to study network traffic at its most microscopic level, which is why this article is dedicated to finding brute attacks using Wireshark.
The process is simple. Wireshark captures the network packets, and once captured, these packets can be broken down and used for either offline analysis or real-time analysis. Real-time analysis means that the packets are analysed as soon as traffic starts arriving.
In other words, when you try to find brute attacks using Wireshark, you get to see the traffic on your network at the microscopic level. Next, it allows you to filter according to your requirements, and lastly, you can drill down into the causes of problems. Once the issues are identified, this helps you analyse the network and improve its security.
In short, Wireshark helps you see the smallest changes happening in the network; it is the de facto (and often de jure) standard across commercial, non-profit, government and educational institutions. So, let’s start the process of finding brute attacks using Wireshark.
Note: “De facto means a state of affairs that is true in fact, but that is not officially sanctioned. In contrast, de jure means a state of affairs that is in accordance with law (i.e., that is officially sanctioned).”
The remainder of this article explains how to detect network attacks using Wireshark’s display filters, or simply how to find brute attacks using Wireshark. These methods are both actionable and practical.
Wireshark is one of the best options to detect brute force and prevent attacks.
Brute Force, what is it?
In order to understand brute force attack detection using Wireshark, we first need to understand what a brute force attack really is.
A brute force attack is a technique that attackers use to find the right combination of a user’s credentials. It is basically a trial-and-error method: different combinations are tried until the right one is found. In simple terms, brute force attack detection using Wireshark needs concentration and time.
Brute force attackers want to find the right combination of credentials so that they can steal sensitive information that is not available for everyone to see. The issue is severe, since the right credentials in the wrong hands can compromise the network.
Now we will look at the scenarios attackers use and how Wireshark can help. The issues can be any one of these:
- Denial of service
- Wireless attacks
- And other host discovery techniques
Here are the various detections to find brute attacks using Wireshark:
Detection of host discovery
When attackers are trying to find the live systems on your network, you can easily detect the different kinds of network discovery scans, ping sweeps, and so on, as follows.
The following table shows the summary with details:
First, we have ARP scanning:
Here Wireshark will use the following filter:
The above figure shows what ARP scanning looks like when the attacker makes a large number of ARP requests.
In that figure, the attacker’s IP address appears in the second column.
Here the IP address of the attacker is 192.168.0.53.
So, if a lot of requests are made from a specific IP address within a short time, it is an attacker trying to steal credentials and other data from your network.
Next, we have the IP Protocol Scan. The Wireshark filter for this is:
icmp.type==3 and icmp.code==2
The IP protocol scan will look like the following figure:
This technique is all about finding which network protocols the targeted operating system supports.
When IP protocol scanning is being done, many “ICMP type 3 (Destination unreachable) code 2 (Protocol unreachable)” messages will be seen. The reason is that the attacker sends large numbers of packets using different protocol numbers, and the target answers each unsupported one with a protocol-unreachable message.
The host discovery technique known as ICMP ping sweeps is next.
To detect the ICMP ping sweeps, the following filter of Wireshark will be used:
icmp.type==8 or icmp.type==0
The ICMP ping sweeps can be seen as follows when using Wireshark:
If you see a lot of similar requests within a short span of time, be sure that the attacker is trying to identify all the live IP addresses running in your network.
Now about the detection of network attacks:
Another way to find brute attacks using Wireshark in such scenarios is by detecting:
- Poisoning attacks
- VLAN hopping
- Flooding and so on
The Wireshark filters that are useful for identifying such attacks are summarized in the table below:
Let us start from the ARP poisoning (the 1st technique mentioned in the above table) to find brute attacks using Wireshark.
To detect ARP poisoning, the following is the filter by Wireshark that will help:
arp.duplicate-address-detected or arp.duplicate-address-frame
This filter displays frames in which one IP address is claimed by more than one MAC address. When that happens, ARP poisoning is the likely cause.
ARP poisoning is also called ARP spoofing. It is a technique used to intercept traffic on the local network between the clients and the router, which allows the attacker to mount a man-in-the-middle (MitM) attack. The attack is made on computers in the local network neighbourhood by using tools like “arpspoof and ettercap”.
Moving on, the next attacking technique is the ICMP flood. Another name for this attacking technique is the “denial of service technique”.
The following Wireshark filter is used here:
icmp and data.len > 48
When you use Wireshark, the following image shows how the ICMP flood will appear:
Normally, the ping command sends ICMP packets with 32 bytes of data on Windows and 48 bytes of data on Linux.
When someone is doing ICMP flooding, they send a huge amount of data. This is why we use a filter for packets with more than 48 bytes of data. This is an effective method to find brute attacks using Wireshark.
To execute ICMP flooding, attackers use tools including fping and hping.
Next, we have VLAN hopping on the network.
For VLAN hopping, the following Wireshark filter will be used to detect it:
dtp or vlan.too_many_tags
In Wireshark, VLAN hopping will be seen as follows:
VLAN hopping is used to bypass network access controls (NAC); attackers exploit “misconfigurations of the Cisco switches” to reach other VLANs.
If DTP packets are tagged with VLAN tags, you have solid proof of VLAN hopping. So when you see such packets in your network, know that someone is attempting to attack using the VLAN hopping technique. Frogger and Yersinia are examples of tools used in this case.
Unexplained packet loss is next in line when you are trying to find brute attacks using Wireshark.
The filter used to detect unexplained packet loss on the network using Wireshark is shown below:
tcp.analysis.lost_segment or tcp.analysis.retransmission
If you see several packet retransmissions along with gaps in network communication, it is an indication that the network has serious issues because of a denial of service attack.
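The Wireshark filters in the host-discovery section and the network-attack section above are one-line conditions; the detection rules a defender would actually run also need a time window and a count. The following script is an added example, not code from the original article or from the Wireshark project. It re-implements the detection logic behind the ARP scanning, ICMP ping sweep, IP protocol scan, ARP poisoning and ICMP flood patterns over a constructed list of packet summaries (the shape a tshark `-T fields` export would give). The record layout, the 5-second window and every threshold are assumptions chosen for the example; the VLAN-hopping and packet-loss filters are not modelled.

```python
from collections import Counter, defaultdict

# Each record is one packet summary in the shape of a tshark "-T fields" row.
# Every packet below is constructed for this example; none comes from a real capture.
def arp(t, opcode, sender_mac, sender_ip):
    """ARP frame: opcode 1 = request, 2 = reply."""
    return {"t": t, "proto": "arp", "opcode": opcode,
            "mac": sender_mac, "arp_ip": sender_ip}

def icmp(t, src, dst, itype, icode=0, data_len=48):
    """ICMP packet with its type/code and payload length (data.len)."""
    return {"t": t, "proto": "icmp", "src": src, "dst": dst,
            "type": itype, "code": icode, "data_len": data_len}

def build_sample():
    """Constructed traffic mixing the article's attack patterns with benign noise."""
    pkts = []
    # ARP scanning: one MAC sends 30 requests in about 3 seconds
    for i in range(30):
        pkts.append(arp(0.1 * i, 1, "aa:aa:aa:aa:aa:53", "192.168.0.53"))
    # ICMP ping sweep (icmp.type==8): echo requests to 12 different hosts
    for i in range(12):
        pkts.append(icmp(5 + 0.2 * i, "192.168.0.53", f"192.168.0.{10 + i}", 8))
    # IP protocol scan (icmp.type==3 and icmp.code==2): the probed host answers
    # "protocol unreachable" 15 times; the scanner is the *destination*
    for i in range(15):
        pkts.append(icmp(10 + 0.1 * i, "192.168.0.20", "192.168.0.53", 3, 2))
    # ARP poisoning (arp.duplicate-address-detected): 192.168.0.1 claimed by two MACs
    pkts.append(arp(20.0, 2, "cc:cc:cc:cc:cc:01", "192.168.0.1"))
    pkts.append(arp(20.5, 2, "aa:aa:aa:aa:aa:53", "192.168.0.1"))
    # ICMP flood (icmp and data.len > 48): 25 oversized echo requests
    for i in range(25):
        pkts.append(icmp(30 + 0.01 * i, "192.168.0.53", "192.168.0.20", 8, 0, 1400))
    # Benign background: a normal ARP exchange and a 32-byte Windows-style ping
    pkts.append(arp(40.0, 1, "bb:bb:bb:bb:bb:02", "192.168.0.2"))
    pkts.append(arp(40.1, 2, "cc:cc:cc:cc:cc:01", "192.168.0.1"))
    pkts.append(icmp(41.0, "192.168.0.2", "192.168.0.1", 8, 0, 32))
    pkts.append(icmp(41.1, "192.168.0.1", "192.168.0.2", 0, 0, 32))
    return pkts

def _buckets(pkts, window):
    """Group packets into fixed time windows of `window` seconds (assumed window size)."""
    out = defaultdict(list)
    for p in pkts:
        out[int(p["t"] // window)].append(p)
    return out

def detect_arp_scan(pkts, window=5.0, threshold=20):
    """ARP scanning: one MAC issuing many requests within a short window."""
    hits = set()
    for group in _buckets(pkts, window).values():
        c = Counter(p["mac"] for p in group if p["proto"] == "arp" and p["opcode"] == 1)
        hits.update(m for m, n in c.items() if n >= threshold)
    return sorted(hits)

def detect_ping_sweep(pkts, window=5.0, threshold=10):
    """icmp.type==8: one source probing many distinct destinations."""
    hits = set()
    for group in _buckets(pkts, window).values():
        targets = defaultdict(set)
        for p in group:
            if p["proto"] == "icmp" and p["type"] == 8:
                targets[p["src"]].add(p["dst"])
        hits.update(s for s, d in targets.items() if len(d) >= threshold)
    return sorted(hits)

def detect_protocol_scan(pkts, threshold=10):
    """icmp.type==3 and icmp.code==2: count unreachables per *destination* (the scanner)."""
    c = Counter(p["dst"] for p in pkts
                if p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 2)
    return sorted(d for d, n in c.items() if n >= threshold)

def detect_arp_poisoning(pkts):
    """arp.duplicate-address-detected: one IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for p in pkts:
        if p["proto"] == "arp":
            claims[p["arp_ip"]].add(p["mac"])
    return sorted(ip for ip, macs in claims.items() if len(macs) > 1)

def detect_icmp_flood(pkts, window=5.0, threshold=20, max_len=48):
    """icmp and data.len > 48: many oversized ICMP packets from one source."""
    hits = set()
    for group in _buckets(pkts, window).values():
        c = Counter(p["src"] for p in group
                    if p["proto"] == "icmp" and p["data_len"] > max_len)
        hits.update(s for s, n in c.items() if n >= threshold)
    return sorted(hits)

def run_all(pkts):
    return {"arp_scan": detect_arp_scan(pkts), "ping_sweep": detect_ping_sweep(pkts),
            "protocol_scan": detect_protocol_scan(pkts),
            "arp_poisoning": detect_arp_poisoning(pkts), "icmp_flood": detect_icmp_flood(pkts)}

if __name__ == "__main__":
    for kind, who in run_all(build_sample()).items():
        print(f"{kind:15s} {who}")
```

Two design points worth noting: the protocol-scan rule counts unreachable messages by destination rather than source, because the scanner receives them, and the ARP poisoning rule keeps a per-IP set of claiming MACs across the whole capture rather than a time window, since a duplicate claim is suspicious whenever it appears.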
The Second Part of This Article is About the Prevention Methods Against The Brute Attacks Made on Computer Networks
A few methods that can be used to prevent brute attacks include:
Lock Out Accounts
One of the most obvious methods to prevent brute attacks on networks, once you find them using Wireshark, is the account lockout method. This means that when incorrect passwords are entered multiple times, the account is locked against whoever was trying to brute-force it.
The lockout can last for a period you set.
This period can be 1 hour or more.
Another way is to keep the account locked until the administrator unlocks it manually.
This method is not one of the most reliable ones, because attackers can easily bypass such security measures.
Sometimes, websites are attacked so often that the actual customers of the website get locked out.
The Cookies of the Device Being Used
When a device has already logged in successfully, it usually means that there is no attack. This way, the cookies of the device on which the website was previously opened can be used as a mechanism to identify safe IP addresses.
This method is comparatively effective and easier to deploy. The device cookie method is also less susceptible to DoS attacks.
Some other ways to make sure that the brute attacks are minimized include:
- Make sure that the users can only log in through specific IP addresses.
- Give priority to unique login URLs so that different users will not use the same URLs.
- Using CAPTCHA is another measure that helps prevent “automated attacks”.
Yes, the attacks can be avoided, but the truth is that preventing such attacks completely is unlikely. Combining the different techniques, however, helps limit brute attacks, especially if you are able to find brute attacks using Wireshark.
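The lockout and device-cookie sections above describe two policies that interact: a plain lockout stops the attacker but also locks out the real customer, while a device cookie lets a previously successful device keep its own failure budget. The following in-memory implementation is an added example, not code from the original article or from any product it mentions. It is modelled on the two measures as the article describes them; the five-failure limit, the one-hour lockout, the HMAC-signed cookie format and the placeholder server key are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Placeholder key for the example; a real deployment loads this from a secret store.
SERVER_KEY = b"example-key-replace-with-a-real-secret"
MAX_FAILURES = 5        # assumed policy: failures allowed before a lockout
LOCKOUT_SECONDS = 3600  # one hour, the figure the article mentions


class LoginGuard:
    """Account lockout with a separate failure budget for trusted (cookie-bearing) devices."""

    def __init__(self, check_password, now=time.time):
        self.check_password = check_password     # callable(user, password) -> bool
        self.now = now                           # injectable clock, so the example is testable
        self.untrusted_failures = defaultdict(list)  # user   -> failure timestamps (no valid cookie)
        self.cookie_failures = defaultdict(list)     # nonce  -> failure timestamps (valid cookie)
        self.locked_until = {}                       # user   -> epoch seconds the lockout ends
        self.locked_cookies = {}                     # nonce  -> epoch seconds the lockout ends

    def issue_device_cookie(self, user):
        """Mint a cookie bound to this user: user:nonce:HMAC-SHA256(user:nonce)."""
        nonce = secrets.token_hex(8)
        payload = f"{user}:{nonce}"
        sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def _cookie_nonce(self, user, cookie):
        """Return the nonce if the cookie is validly signed for this user, else None."""
        if not cookie:
            return None
        try:
            c_user, nonce, sig = cookie.split(":")
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, f"{c_user}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if c_user != user or not hmac.compare_digest(sig, expected):
            return None
        return nonce

    def _recent(self, stamps):
        """Drop failures older than the lockout window, in place."""
        cutoff = self.now() - LOCKOUT_SECONDS
        stamps[:] = [s for s in stamps if s > cutoff]
        return stamps

    def login(self, user, password, device_cookie=None):
        """Return (status, cookie) with status in {'ok', 'locked', 'denied'}."""
        now = self.now()
        nonce = self._cookie_nonce(user, device_cookie)
        if nonce is not None:
            # Trusted device: its own lockout, so the account stays usable from other trusted devices.
            if self.locked_cookies.get(nonce, 0) > now:
                return "locked", None
            failures = self._recent(self.cookie_failures[nonce])
        else:
            # No (or forged) cookie: the account-wide lockout applies.
            if self.locked_until.get(user, 0) > now:
                return "locked", None
            failures = self._recent(self.untrusted_failures[user])

        if self.check_password(user, password):
            failures.clear()
            return "ok", self.issue_device_cookie(user)

        failures.append(now)
        if len(failures) >= MAX_FAILURES:
            if nonce is not None:
                self.locked_cookies[nonce] = now + LOCKOUT_SECONDS
            else:
                self.locked_until[user] = now + LOCKOUT_SECONDS
        return "denied", None


if __name__ == "__main__":
    guard = LoginGuard(lambda u, p: p == "correct horse")   # constructed password check
    _, cookie = guard.login("alice", "correct horse")        # first login mints a device cookie
    for _ in range(MAX_FAILURES):
        guard.login("alice", "wrong")                          # an unknown client burns the budget
    print("no cookie:", guard.login("alice", "correct horse")[0])          # locked
    print("with cookie:", guard.login("alice", "correct horse", cookie)[0])  # ok
```

The point the article makes about customers being locked out is visible in the last two lines: after the untrusted failures the account is locked for anyone without a cookie, yet the customer's own device, which carries a cookie from its earlier successful login, still gets in.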
In the concluding remarks, we (as hostonfox) would like to share that Wireshark is one of the most powerful tools for analysing the networks you use. It is famous because its filters make finding brute attacks using Wireshark remarkably easy.