This project demonstrates how login information is exposed when it is sent in cleartext to a personal website that does not use HTTPS. We will log in to the website while capturing the network traffic, then open the resulting pcap file in Wireshark and recover the username and password from it. (I had full permission from the website owner to conduct this exercise).
To capture packets, we're going to run the following command in the terminal: sudo tcpdump -i wlan0 -w testcapture.pcap (note the name of the pcap file can be anything you want).
1. sudo - Runs the command with root privileges, which is necessary for capturing network traffic.
2. tcpdump - The command-line tool used for network packet capture.
3. -i wlan0 - Specifies the network interface to capture packets from (wlan0 is the wireless interface). I have my interface blocked out in the image because it may not be the same as your interface.
4. -w testcapture.pcap - Writes the raw captured packets to that file instead of printing a one-line summary of each packet to the terminal, so they can be opened in Wireshark later.
I'm going to open up a web browser and go to Bowtiedcyber.xyz/wp-admin/.
Notice in the address bar there is a lock with a diagonal red line through it (other browsers show a "Not secure" label instead). This indicates that the page was loaded over plain HTTP rather than HTTPS, so nothing between the browser and the server is encrypted, including the login form submission. If the site used HTTPS, the capture would still show the TCP handshake and the TLS records, but the username and password would be inside encrypted application data and I wouldn't have captured anything meaningful.
I'm going to enter my username and password, which, for this demonstration, is a made-up set of credentials. Once I've done this, I'm going to go back to the terminal and hit CTRL + C to stop the packet capture.
To analyze the pcap file, we're going to enter the following command: wireshark testcapture.pcap (if it is not installed, sudo apt install wireshark will install it).
Running the previous command will load our pcap file into Wireshark for us to analyze.
In Wireshark, we can go to Statistics, then IPv4 Statistics, then All Addresses, which takes us to the image shown on the right. This lists every IP address seen during the packet capture along with how many packets involved each one. In this case, most of our packets were between 10.0.0.104 (my IP) and 178.128.237.187 (bowtiedcyber.xyz).
We can also go to Statistics and then Conversations, which will take you to the next image below!
From here, you can see the different tabs at the top, like Ethernet, IPv4, IPv6, TCP, and UDP. For this demonstration, I am focused on TCP. You can right-click on any of these conversations to apply it as a filter (Right-click --> Apply as filter --> Selected --> A <-> B). That will populate the main window with only the packets belonging to that conversation.
You can follow an individual TCP stream by right-clicking a packet, choosing Follow, and then TCP Stream. Wireshark reassembles the segments and shows both directions of the connection as text, so an HTTP request and its body appear exactly as they were sent on the wire. The output of this is shown in the image below.
If you go through enough TCP streams you will find the login information, which is highlighted in the image above. Rather than stepping through every stream, a display filter such as http.request.method == "POST" (or http.request.uri contains "wp-login") jumps straight to the form submission: WordPress posts the login form to /wp-login.php with the username in the log field and the password in the pwd field. I successfully captured the username of "admin" and the password of "youjustgothacked".
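The steps above (capture to a pcap, find the TCP conversation, follow the stream, read the form fields) can be reproduced without Wireshark by parsing the capture file directly. The script below is an added example, not code from the original write-up: it walks the classic libpcap record format, pulls the TCP payload out of each Ethernet/IPv4/TCP frame, and extracts the log and pwd fields from the wp-login POST, the same bytes Follow TCP Stream displays. It also labels each data-bearing segment as cleartext HTTP or an opaque TLS record, which is the HTTPS caveat from earlier in code. The capture it runs on is constructed inline (the MAC addresses and client ports are made up; the IPs and credentials are the ones from this write-up), so it runs offline; pass a real testcapture.pcap on the command line to read that instead.

```python
"""Minimal libpcap reader that pulls cleartext HTTP login fields out of a
capture, the way Follow TCP Stream shows them in Wireshark.

Added example, not code from the original write-up. The sample capture is
constructed in build_sample_pcap() (made-up MACs and ports; IPs and
credentials from the write-up). Standard library only: no scapy or dpkt.
"""
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")


def tcp_payloads(data: bytes):
    """Yield (src, dst, payload) for every IPv4/TCP packet that carries data.

    Classic pcap only (either byte order), Ethernet link type; pcapng and
    VLAN-tagged frames are out of scope for this example.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]                      # skip the 14-byte Ethernet header
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]   # data offset field -> header length
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield f"{src}:{sport}", f"{dst}:{dport}", payload


def classify_payloads(data: bytes):
    """Label each data segment "http", "tls" or "other".

    A TLS record (content type 0x14-0x17, major version byte 3) is opaque:
    nothing inside it can be read, which is why HTTPS defeats this exercise.
    """
    labels = []
    for _src, _dst, payload in tcp_payloads(data):
        if payload.startswith(HTTP_STARTS):
            labels.append("http")
        elif len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3:
            labels.append("tls")
        else:
            labels.append("other")
    return labels


def extract_credentials(data: bytes):
    """Return (client, server, username, password) for each wp-login POST.

    WordPress sends the username as `log` and the password as `pwd`. Only a
    request that fits in one segment is handled; a body split across
    segments needs stream reassembly, which Wireshark does for you.
    """
    found = []
    for src, dst, payload in tcp_payloads(data):
        if not payload.startswith(b"POST "):
            continue
        _headers, _sep, body = payload.partition(b"\r\n\r\n")
        fields = parse_qs(body.decode("ascii", "replace"))
        if "log" in fields and "pwd" in fields:
            found.append((src, dst, fields["log"][0], fields["pwd"][0]))
    return found


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left zero; made-up MACs)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: the cleartext wp-login POST plus one TLS
    application-data record standing in for what an HTTPS login would show."""
    body = b"log=admin&pwd=youjustgothacked&wp-submit=Log+In"
    post = (b"POST /wp-login.php HTTP/1.1\r\nHost: bowtiedcyber.xyz\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    tls = b"\x17\x03\x03\x00\x20" + bytes(range(32))  # opaque ciphertext stand-in
    frames = [_frame("10.0.0.104", "178.128.237.187", 51234, 80, post),
              _frame("10.0.0.104", "178.128.237.187", 51235, 443, tls)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for client, server, user, password in extract_credentials(data):
        print(f"{client} -> {server}  username={user}  password={password}")
```

Run it with no arguments to see the constructed POST give up admin / youjustgothacked while the port 443 segment contributes nothing, or point it at your own testcapture.pcap. The script deliberately stops at single-segment requests; that is the one thing Wireshark's Follow TCP Stream adds over this, and a larger form body would need the same reassembly.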