Skip to main content
Home Edwiser Forms CSI Linux Cyber Secrets Media Cyber WAR Investigator's Starting Guide

The CSI Linux Knowledge Base

Completion requirements

Definitions and Descriptions.

Printer-friendly version

Browse the glossary using this index

Special | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | ALL

W

WiFiPumkin3

WiFiPumkin3 is a piece of open source software that is used to create fake WiFi access points, also known as "evil twins". An evil twin is a WiFi access point that is designed to mimic a legitimate access point in order to trick users into connecting to it.

Once a user connects to an evil twin, the attacker can then intercept and monitor their internet activity. This can be used for a variety of purposes, including stealing personal information, spreading malware, or launching man-in-the-middle attacks.

WiFiPumkin3 is a tool that allows attackers to easily create and configure evil twin access points. It includes a number of features, such as the ability to spoof the MAC address of the access point, redirect traffic to a specific website, and perform man-in-the-middle attacks.

One example of how WiFiPumkin3 could be used is in a public place, such as a coffee shop or airport. An attacker could set up an evil twin access point with a similar name to the legitimate access point, such as "CoffeeShop WiFi". When users connect to the evil twin, the attacker can intercept and monitor their internet activity.

Another example is in a corporate environment, where an attacker could set up an evil twin access point in order to gain access to sensitive information or plant malware on company devices.

Overall, WiFiPumkin3 is a powerful tool that can be used by attackers to create fake WiFi access points and intercept internet activity. It is important for individuals and organizations to be aware of the risks posed by evil twins and take steps to protect themselves. This can include using a VPN or only connecting to trusted WiFi networks.


Wireshark

Wireshark is an open-source network protocol analyzer widely regarded as the standard across many industries. It provides the means to capture and interactively browse the traffic running on a computer network. It can dissect and display the packet detail of a wide range of protocols spanning from those on the common Ethernet frame to the more specific and lesser-known ones.

Core Features and Capabilities

  • Live Capture and Offline Analysis: Wireshark can capture real-time network traffic directly from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others, depending on your platform. It also allows for the analysis of existing capture files.
  • Deep Inspection of Hundreds of Protocols: With support for hundreds of protocols and continuously growing, Wireshark is able to dissect and present data structures of protocols, even those that are less common or proprietary.
  • Multi-Platform: Wireshark runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others, making it accessible to a vast audience of professionals and enthusiasts.
  • Exporting Capabilities: Users can export their analyzed data into XML, PostScript®, CSV, or plain text for reporting purposes or further analysis.
  • Powerful Filtering: The application includes a rich display filter language that allows users to construct precise queries to sift through extensive datasets, focusing only on the traffic of interest.
  • Graphical and Command-Line Interfaces: Wireshark provides a graphical user interface (GUI) for ease of navigation and analysis, as well as a command-line interface (CLI) for automation or batch processing tasks.
  • Coloring Rules: Traffic can be marked with colors based on criteria set by the user, making it easier to identify patterns or issues within the traffic flow.
  • VoIP Analysis: Support for Voice over Internet Protocol (VoIP) analysis allows for the inspection of voice communication on the network, including session initiation and call quality metrics.

Why Wireshark is Essential

Wireshark is an indispensable tool for network administrators, security professionals, and developers for several reasons:

  • Troubleshooting: It helps in identifying network problems by allowing analysts to see the intricacies of network traffic at the most granular level.
  • Security Analysis: Security experts use Wireshark to examine network traffic for signs of malicious activity, unauthorized data exfiltration, and to understand attack signatures.
  • Educational Tool: Wireshark is used in educational institutions to teach students about networking protocols and the inner workings of network traffic.
  • Protocol Development: Developers working on new network protocols or applications that utilize network communication use Wireshark to debug protocol implementations and network interactions.

Privacy and Ethical Considerations

While Wireshark is a powerful tool for network analysis, it also comes with the responsibility to use it ethically and legally. Capturing network traffic can potentially include sensitive or personal information. Users must ensure they have proper authorization before monitoring network traffic to avoid privacy violations or legal issues.

Wireshark provides a comprehensive solution for network analysis with its in-depth inspection capabilities, broad protocol support, and cross-platform availability. Whether it's for securing a network, diagnosing problems, or learning about network communications, Wireshark's robust functionality makes it an essential tool in the field of network administration and cybersecurity. Its contribution to understanding and securing digital communication infrastructures is invaluable, reflecting its pivotal role in today's networked world.


Resources:

Wireshark · Go Deep

Writeblocker

A forensic bridge, also known as a write blocker, is a device that is used in digital forensics to prevent any changes from being made to a storage device, such as a hard drive or USB drive, during the forensic imaging process. Write blockers are used in order to preserve the original evidence in its original state and prevent any contamination of the evidence.

There are two main types of forensic bridges: hardware-based and software-based. Hardware-based forensic bridges are physical devices that are connected between the storage device and the forensic analysis computer. They use hardware-level controls to prevent any changes from being made to the storage device.

Software-based forensic bridges, on the other hand, are programs that are installed on the forensic analysis computer and control access to the storage device. These programs can be used in conjunction with hardware-based forensic bridges to provide an additional layer of protection.

Both hardware-based and software-based forensic bridges work by allowing the forensic analyst to read data from the storage device, but preventing any changes from being made. This is useful in cases where the storage device may contain evidence that could be altered or deleted if access is not properly controlled.

For example, a forensic bridge might be used in the investigation of a cybercrime in order to preserve the contents of a suspect's computer for analysis. By using a forensic bridge, the analyst can ensure that the original evidence is not tampered with and that the integrity of the investigation is maintained.

Overall, forensic bridges are an important tool in digital forensics, as they allow analysts to preserve the original evidence and conduct a thorough analysis without the risk of contamination or alteration.



Prev Section
loader image