Sniffers
Module 08
Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.
Lab Scenario
Sniffing is a technique used to intercept data in information security, where many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.
Network sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes. A packet sniffer is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, proceeding to troubleshoot them.
Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in a cleartext format. An attacker can easily intrude into a network using this login information and compromise other systems on the network. Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers, and he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, know the types of information that can be detected from the captured data, and use the information to keep the network running smoothly.
Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:
- Sniff the network
- Analyze incoming and outgoing packets
- Troubleshoot the network for performance
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Environment
In this lab, you need:
- A web browser with an Internet connection
- Administrative privileges to run tools
Lab Duration
Time: 80 Minutes
Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in sniffing the network:
- Sniffing the network using the OmniPeek Network Analyzer
- Sniffing the network using the WinArpAttacker tool
- Analyzing the network using the Colasoft Network Analyzer
- Sniffing the network using the Colasoft Packet Builder
- Sniffing passwords using Wireshark
- Performing a man-in-the-middle attack using Cain & Abel
- Advanced ARP spoofing detection using XArp
- Detecting systems running in promiscuous mode in a network using PromqryUI
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.
Lab Scenario
From the previous scenario, now you are aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer. If you decide to download the latest version, the lab might differ.
- A computer running Windows Server 2012 as host machine
- A web browser and Microsoft .NET Framework 2.0 or later
- Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
- Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Lab Tasks
TASK 1: Installing OmniPeek Network Analyzer
1. Install OmniPeek Network Analyzer on Windows Server 2012.
2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.
3. Click OmniPeek Demo in the Start menu to launch OmniPeek.
To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.
FIGURE 1.3: OmniPeek main screen
5. Click New Capture to launch the OmniPeek Capture Options dialog.
OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets during capture.
6. In the Capture Options dialog, click Adapter and select the Ethernet adapter.
Network Coverage: With the Ethernet, Gigabit, 10G, and wireless capabilities, you can now effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.
7. Now, click Start Capture to begin capturing packets. The Start Capture tab changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.
Dashboards display important data that every network engineer needs to know regarding the network without spending lots of time analyzing the captured data.
OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines, acting as both a full-featured network analyzer and a console for remote network analysis.
8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.
9. To view the captured packets, select Packets in the Capture section of the Dashboard in the left pane of the window.
The OmniPeek Peer Map shows all communicating nodes within your network and is drawn as a vertically oriented ellipse, able to grow to the size necessary. It is easy to read the maps: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or active nodes, or to any OmniPeek filters that may be in use.
10. Similarly, you can view Log, Filters, Hierarchy, Nodes, and Peer Map by selecting the respective options in the Dashboard.
11. You can view the Dashboard.
On-the-Fly Filters: You shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets "select related" feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis with a simple right click of the mouse.
Alarms and Notifications: Using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.
FIGURE 1.10: OmniPeek Summary details
Using OmniPeek's local capture capabilities, the centralized console distributes OmniEngine intelligent software probes, Omnipliance, TimeLine network recorders, and Expert Analysis.
14. Choose the format of the report type from the Save Report window and then click Save.
Engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.
FIGURE 1.12: OmniPeek Selecting the Report format
OmniPeek Report: 9/15/2012 12:21:22. Start: 9/15/2012 12:02:46, Duration: 0:01:25, Total Bytes: 1014185, Total Packets: 2000
Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill-down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: OmniPeek Network Analyzer
Information Collected/Objectives Achieved:
- Network Information: Network Utilization, Current Activity, Top Talkers by IP Address, Top Protocols
- Packets Information: Source, Destination, Size, Protocol
- Nodes Statistics: Total Bytes for a Node, Packets Sent, Packets Received, Broadcast/Multicast Packets
- General Network Errors Counts, Size Distribution
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Lab
Spoofing MAC Address Using SMAC
SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.
Lab Scenario
In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network. If an administrator does not have a certain level of working skills with a packet sniffer, it is really hard to defend against intrusions. So as an expert ethical hacker and penetration tester, you must spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.
Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing\SMAC
You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27. If you decide to download the latest version, the lab might differ.
Lab Duration
Time: 10 Minutes
Overview of SMAC
SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Card (NIC) on Windows 2003 systems, regardless of whether the manufacturers allow this option.
SMAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses.
Spoofing a MAC
Spoofing is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems, i.e. wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).)
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
SMAC works on a Network Interface Card (NIC) which is on the Microsoft hardware compatibility list (HCL).
FIGURE 2.1: Windows Server 2012 Desktop view
2. Click the SMAC app.
When you start the SMAC program, you must start it as the administrator. You can do this by right-clicking the SMAC program icon and clicking "Run as Administrator" if not logged in as an administrator.
3. The SM AC main screen appears. Choose a network adapter to spoof a MAC address.
SMAC helps people to protect their privacy by hiding their real MAC addresses on the widely available Wi-Fi wireless network.
5. Clicking the Random button also fills in the New Spoofed MAC Address field, to simplify MAC address spoofing.
SMAC also helps network and IT security professionals to troubleshoot network problems, test Intrusion Detection / Prevention Systems (IDS / IPS), test incident response plans, build high-availability solutions, recover (MAC address based) software licenses, etc.
6. The Network Connection and Network Adapter display their respective names.
7. Click the forward arrow button in Network Connection to display the Network Adapter information.
SMAC does not change the hardware burned-in MAC addresses. SMAC changes the software-based MAC addresses, and the new MAC addresses you set are sustained across reboots.
8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.
9. Similarly, the Hardware ID and Configuration ID display their respective names.
10. Click the forward arrow button in Hardware ID to display the Configuration ID information.
11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.
Viewing IPConfig Information
13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.
The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.
14. You can also import a MAC address list into SMAC by clicking MAC List.
15. If there is no address in the MAC address field, click Load MAC List to select a MAC address list file you have created.
17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC address and click Select. This MAC address will be copied to New Spoofed MAC Address on the main SMAC screen.
SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.
SMAC displays the following information about a Network Interface Card (NIC): Device ID, Active Status, NIC Description, Spoofed Status, IP Address, Active MAC Address, Spoofed MAC Address, NIC Hardware ID, NIC Configuration ID.
18. To restart the Network Adapter, click Restart Adapter, which restarts the selected Network Adapter. Restarting the adapter causes a temporary disconnection for your Network Adapter.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: SMAC
Information Collected/Objectives Achieved: Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Sniffing a Network Using the WinArpAttacker Tool
WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).
Lab Scenario
You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker too can alter his or her MAC address and attempt to evade network intrusion detection systems, bypass access control lists, impersonate an authenticated user, and continue to communicate within the network when the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches. As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more MAC addresses for each port. Another way to avoid attacker sniffing on your network is by using static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and protect it from attacks.
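The detection side of the ARP poisoning and odd-MAC-address concerns raised above and in the module introduction, as an added example that is not part of the original lab manual: it checks captured ARP replies against a static ARP baseline and flags the patterns a poisoner produces (one IP claimed by several MACs, one MAC claiming several IPs, senders with the locally-administered bit set). The capture lines, the IP/MAC pairs and the STATIC_ARP table are constructed for the example.

```python
"""ARP-poisoning indicators over a constructed ARP capture (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen by a sniffer on the LAN."""
    ts: float
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# Constructed sample capture (hypothetical values, not from a real network):
# "<seconds> <sender_ip> <sender_mac> <target_ip> <target_mac>".
# 10.0.0.1 is the gateway and 10.0.0.5 a server; from t=2.0 a third
# host (02-ab-cd-ef-00-99) answers ARP for both of them.
SAMPLE_CAPTURE = """\
1.000 10.0.0.1 00-11-22-33-44-01 10.0.0.5 00-11-22-33-44-05
1.500 10.0.0.5 00-11-22-33-44-05 10.0.0.1 00-11-22-33-44-01
2.000 10.0.0.1 02-AB-CD-EF-00-99 10.0.0.5 00-11-22-33-44-05
2.050 10.0.0.5 02-ab-cd-ef-00-99 10.0.0.1 00-11-22-33-44-01
"""

# Static ARP baseline the administrator maintains (hypothetical gateway entry).
STATIC_ARP = {"10.0.0.1": "00-11-22-33-44-01"}


def normalize_mac(mac: str) -> str:
    """Lower-case, dash-separated form so '00:11:..' and '00-11-..' compare equal."""
    return mac.strip().lower().replace(":", "-")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Burned-in addresses have it clear; software-assigned addresses
    (spoofed or randomly generated) frequently set it.
    """
    first_octet = int(normalize_mac(mac).split("-")[0], 16)
    return bool(first_octet & 0x02)


def parse_capture(text: str) -> list[ArpReply]:
    """Parse the whitespace-separated capture format shown in SAMPLE_CAPTURE."""
    replies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sip, smac, tip, tmac = line.split()
        replies.append(ArpReply(float(ts), sip, normalize_mac(smac),
                                tip, normalize_mac(tmac)))
    return replies


def detect_arp_anomalies(replies, static_arp):
    """Return (indicator, subject, detail) tuples for suspicious ARP replies.

    Indicators:
      static_mismatch    a reply claims a static-table IP with a different MAC
      ip_multiple_macs   one IP was announced by more than one MAC
      mac_multiple_ips   one MAC announced more than one IP (MITM pattern)
      locally_admin_mac  a sender MAC has the locally-administered bit set
    """
    static = {ip: normalize_mac(mac) for ip, mac in static_arp.items()}
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    findings = []
    for r in replies:
        expected = static.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            findings.append(("static_mismatch", r.sender_ip,
                             f"expected {expected}, saw {r.sender_mac} at t={r.ts}"))
        macs_by_ip[r.sender_ip].add(r.sender_mac)
        ips_by_mac[r.sender_mac].add(r.sender_ip)
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(("ip_multiple_macs", ip, ", ".join(sorted(macs))))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_multiple_ips", mac, ", ".join(sorted(ips))))
        if is_locally_administered(mac):
            findings.append(("locally_admin_mac", mac, ""))
    return findings


def run_demo():
    """Run the detector over the constructed capture and return its findings."""
    return detect_arp_anomalies(parse_capture(SAMPLE_CAPTURE), STATIC_ARP)


if __name__ == "__main__":
    for indicator, subject, detail in run_demo():
        print(f"{indicator:18} {subject:20} {detail}")
```

A static entry for the gateway, as the scenario recommends, is what makes the first indicator possible; the other three need no baseline and work on any ARP capture in this line format.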
Lab Objectives
The objectives of this lab are to:
- Scan, Detect, Protect (LANs): scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
- Save and load computer list files, and scan the LAN regularly for a new computer list
- Passive mode
- Freely provide employee access information and remote access
- Discover any published information on the topology of the network
- Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
- Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes
Lab Environment
To conduct the lab you need to have:
- WinArpAttacker, located at D:\CEHTools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
- Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing
- You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net. If you decide to download the latest version, the lab might differ.
- A computer running Windows Server 2012 as host machine
- A computer running Windows 2008
- A computer updated with network devices and drivers
- Installed version of WinPcap drivers
- Double-click WinArpAttacker.exe to launch WinArpAttacker
- Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
WinArpAttacker works on computers running Windows /2003.
Overview of Sniffing
Sniffing is performed to collect basic information about a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.
Lab Tasks
TASK 1
1. Launch WinArpAttacker.
WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network.
3. Click the Scan option from the toolbar menu and select Scan LAN.
4. The scan shows the active hosts on the LAN (2-3 seconds).
The Scan option can scan and show the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff. The second is to find who is sniffing on the LAN.
6. Scanning saves and loads a computer list tile and also scans die LAN regularly for new computer lists.
In this tool, attacks can pull and collect all the packets on the LAN.
Figure: WinArpAttacker main window after the scan, listing the online hosts and the Event log (On: 7, Off: 0, Sniffing: 0)
By performing the attack action, scanning can pull and collect all the packets on the LAN.
ARP Attack
Select a host (10.0.0.5 Windows Server 2008) from the displayed list and select Attack > Flood.
The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.
Figure: WinArpAttacker Event list after selecting Attack > Flood (On: 7, Off: 0, Sniffing: 0)
9. Scanning acts as another gateway or IP-forwarder without other users' recognition on the LAN, while spoofing ARP tables.
10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward functions are counted, as shown in the main interface.
The BanGateway option tells the gateway wrong MAC addresses of target computers, so the targets can't receive packets from the Internet. This attack is to forbid the targets access to the Internet.
FIGURE 3.5: WinArpAttacker data sniffed by spoofing
The IPConflict option, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may not be able to work because of regular IP conflict messages. In addition, the targets can't access the LAN.
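The Flood, BanGateway and IPConflict actions above all rely on ARP replies that rebind an IP address to a MAC its owner never used, and that is also what makes them detectable on the wire. The following is an added example, not part of the lab or of WinArpAttacker: a passive ARP monitor that keeps the first IP-to-MAC binding seen per address and alerts on a changed binding (gateway take-over or IP conflict) and on reply floods. The gateway address 10.0.0.1, the MAC addresses and the reply timings are constructed assumptions.

```python
"""Passive ARP monitor (added example, not part of the lab or of WinArpAttacker)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address the reply binds that IP to


class ArpMonitor:
    """Remembers the first IP->MAC binding seen per IP and reports contradictions.

    Alerts are tuples (kind, ip, detail, new_mac): detail is the previously known MAC
    for binding changes and the reply count for floods (new_mac is None there).
    """

    def __init__(self, gateway_ip, flood_threshold=10, window=1.0):
        self.gateway_ip = gateway_ip
        self.flood_threshold = flood_threshold  # replies per window that count as a flood
        self.window = window                    # seconds
        self.bindings = {}                      # ip -> MAC first seen
        self.recent = defaultdict(deque)        # ip -> reply timestamps inside the window
        self.flooding = set()                   # ips already reported as flooding
        self.events = []

    def feed(self, reply):
        """Process one ARP reply and return the alerts it triggered (possibly none)."""
        alerts = []
        known = self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        if known != reply.sender_mac:
            # The IP is now claimed by a different MAC. For the gateway address this is
            # the BanGateway / man-in-the-middle pattern; for a host it is an IP conflict.
            kind = "gateway_spoof" if reply.sender_ip == self.gateway_ip else "ip_conflict"
            alerts.append((kind, reply.sender_ip, known, reply.sender_mac))
        # Sliding-window rate check: Flood and IPConflict send replies far faster than
        # a host answering genuine ARP requests ever would.
        times = self.recent[reply.sender_ip]
        times.append(reply.ts)
        while times and reply.ts - times[0] > self.window:
            times.popleft()
        if len(times) >= self.flood_threshold:
            if reply.sender_ip not in self.flooding:   # report once per burst
                self.flooding.add(reply.sender_ip)
                alerts.append(("arp_flood", reply.sender_ip, len(times), None))
        else:
            self.flooding.discard(reply.sender_ip)
        self.events.extend(alerts)
        return alerts


def analyze(replies, gateway_ip="10.0.0.1"):
    """Run every reply through one monitor and return all alerts in order."""
    monitor = ArpMonitor(gateway_ip)
    for reply in sorted(replies, key=lambda r: r.ts):
        monitor.feed(reply)
    return monitor.events


def build_sample():
    """Constructed replies (not a capture from the lab) using the lab's 10.0.0.x addresses."""
    replies = [
        ArpReply(0.00, "10.0.0.1", "aa:aa:aa:00:00:01"),  # gateway answers normally
        ArpReply(0.10, "10.0.0.5", "aa:aa:aa:00:00:05"),  # target host answers normally
        ArpReply(0.20, "10.0.0.3", "aa:aa:aa:00:00:03"),
        ArpReply(0.30, "10.0.0.5", "aa:aa:aa:00:00:05"),  # repeat of a known binding: harmless
        ArpReply(1.00, "10.0.0.1", "bb:bb:bb:00:00:99"),  # gateway IP claimed by a new MAC
    ]
    # IPConflict-style burst: 15 replies in 0.7 s claiming 10.0.0.5 for that same new MAC
    replies += [ArpReply(2.0 + i * 0.05, "10.0.0.5", "bb:bb:bb:00:00:99") for i in range(15)]
    return replies


if __name__ == "__main__":
    for event in analyze(build_sample()):
        print(event)
```

Real deployments seed the binding table from a known-good inventory rather than from the first reply seen, otherwise a monitor started during an attack learns the attacker's binding as the baseline.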
12. Select a desired location and click Save to save the report.
Lab Analysis
Analyze and document the scanned and attacked IP addresses discovered in the lab.
Tool/Utility | Information Collected/Objectives Achieved
WinArpAttacker | Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. WinArp
Analyzing a Network Using the Capsa Network Analyzer
Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.
Lab Scenario
Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol. To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.
Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
Network traffic analysis, communication monitoring
Network communication monitoring
Network problem diagnosis
Network security analysis
Network performance detecting
Network protocol analysis
Lab Environment
To carry out the lab, you need:
Colasoft Capsa Network Analyzer
You can also download the latest version of Colasoft Capsa Analyzer from the link http://www.colasoft.com
If you decide to download the latest version, the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as target machine
Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
Administrative
This lab requires an active Internet connection for license key registration
Lab Duration
Time: 20 Minutes
Overview of Sniffing
Sniffing is performed to collect basic information of the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be Active or Passive.
Lab Tasks
TASK 1
Analyze Network
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 4.1: Windows Server 2012 Desktop view
Capsa 7 Free Network Analyzer
3. The Colasoft Capsa 7 Free - Activation Guide window will appear. Type the activation key that you receive in your registered email and click Next.
Figure: Colasoft Capsa 7 Free Activation Guide window (License Information: User Name, Company, Serial Number)
Finish.
5. The Colasoft Capsa 7 Free Network Analyzer
Figure: Capsa main window, Capture tab, with the adapter list, Capture Filter, Network Profile and the analysis profiles (Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis, IM Analysis)
6. In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project.
Figure: Capture tab with the Ethernet adapter selected and the Full Analysis profile ("To provide comprehensive analysis of all the applications and network problems. Plugin modules loaded: MSN, Yahoo Messenger")
7. Dashboard provides various graphs and charts of the statistics. You can view the analysis report in a graphical format in the Dashboard section of Node Explorer.
The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.
Figure: Dashboard with the Top Application Protocols by Bytes chart and the Online Resource pane
8. The Summary tab provides full general analysis and statistical information of the selected node in the Node Explorer window.
A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is idle.
Figure: Summary tab showing the Total, Broadcast, Multicast and Average Packet Size traffic statistics and the packet size distribution (<=64 up to >=1518 bytes)
9. The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols.
10. To view the slow response of TCP, click TCP Slow Response in Transport Layer, which in turn will highlight the slowest response in Diagnosis Events.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing
Figure: Diagnosis tab listing diagnosis items by layer (Application Layer: DNS Server Slow Response, HTTP Server Slow Response; Transport Layer: TCP Retransmission, TCP Slow Response, TCP Duplicated Acknowledgement; Network Layer) with the Diagnosis Address and Diagnosis Events panes
Figure: Diagnosis tab with TCP Slow Response selected and the Diagnosis Events pane listing TCP Slow ACK events (packet pairs and delay in ms) with Severity, Type (Performance) and Layer (Transport)
12. The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information.
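As an added example (not Capsa's own logic), the two Transport Layer items behind steps 9 to 12, TCP Slow Response and TCP Retransmission, can be reproduced over a packet list: each data segment is paired with the first later segment from its peer whose ACK number covers it, and a delay above the threshold is reported as a TCP Slow ACK event in the same packet-pair form Capsa shows in Diagnosis Events. The client/server pair 10.0.0.2:1406 and 10.0.0.5:80, the sequence numbers and the timings are constructed.

```python
"""Transport-layer diagnosis over a constructed packet list (added example, not Capsa code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    no: int       # packet number, as in the Capsa packet list
    ts: float     # capture time in seconds
    src: str      # "ip:port"
    dst: str
    seq: int      # TCP sequence number
    ack: int      # TCP acknowledgement number
    length: int   # TCP payload bytes (0 for pure ACKs and handshake segments)


def find_slow_acks(packets, threshold_ms=500):
    """For every data segment, find the first later segment from the peer whose ACK covers it.

    Returns ("TCP Slow ACK", data_no, ack_no, delay_ms) when the delay exceeds threshold_ms.
    """
    packets = sorted(packets, key=lambda p: p.no)
    events = []
    for i, data in enumerate(packets):
        if data.length == 0:
            continue
        expected_ack = data.seq + data.length
        for later in packets[i + 1:]:
            if later.src == data.dst and later.dst == data.src and later.ack >= expected_ack:
                delay_ms = round((later.ts - data.ts) * 1000)
                if delay_ms > threshold_ms:
                    events.append(("TCP Slow ACK", data.no, later.no, delay_ms))
                break  # only the first covering ACK matters
    return events


def find_retransmissions(packets):
    """A data segment repeating an already-seen (src, dst, seq) is a retransmission."""
    first_seen = {}
    events = []
    for p in sorted(packets, key=lambda p: p.no):
        if p.length == 0:
            continue
        key = (p.src, p.dst, p.seq)
        if key in first_seen:
            events.append(("TCP Retransmission", first_seen[key], p.no))
        else:
            first_seen[key] = p.no
    return events


def diagnose(packets, threshold_ms=500):
    """All transport-layer events, ordered by the packet that caused them."""
    return sorted(find_slow_acks(packets, threshold_ms) + find_retransmissions(packets),
                  key=lambda e: e[1])


C, S = "10.0.0.2:1406", "10.0.0.5:80"   # constructed client/server pair on the lab's subnet


def build_sample():
    """Constructed HTTP exchange (not the lab capture): one response segment acknowledged
    after 2345 ms, and one server segment retransmitted before its late ACK arrives."""
    return [
        Pkt(1, 0.000, C, S, 1000, 0, 0),          # SYN
        Pkt(2, 0.010, S, C, 5000, 1001, 0),       # SYN/ACK
        Pkt(3, 0.012, C, S, 1001, 5001, 0),       # ACK
        Pkt(4, 0.020, C, S, 1001, 5001, 300),     # GET request
        Pkt(5, 0.060, S, C, 5001, 1301, 0),       # ACK for the request after 40 ms: fine
        Pkt(6, 0.100, S, C, 5001, 1301, 1460),    # first response segment
        Pkt(7, 2.445, C, S, 1301, 6461, 0),       # client acknowledges it only after 2345 ms
        Pkt(8, 2.500, S, C, 6461, 1301, 800),     # second response segment
        Pkt(9, 3.200, S, C, 6461, 1301, 800),     # retransmitted: no ACK arrived in time
        Pkt(10, 3.250, C, S, 1301, 7261, 0),      # ACK covering packets 8 and 9
    ]


if __name__ == "__main__":
    for event in diagnose(build_sample()):
        print(event)
```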
Figure: TCP Slow ACK - Data Stream of Diagnostic Information window (Absolute Time, Source, Destination, Protocol, Summary and packet decode)
13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.
14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.
Figure: Physical Endpoint tab listing MAC addresses with Bytes, Packets and bps, and the Physical Conversation pane (Endpoint 1, Endpoint 2, Duration)
15. The IP Endpoint tab displays statistics of all IP addresses communicating within the network.
16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check if there is a multicast storm or broadcast storm in your network.
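The utilization rate described in the sidebar above and the endpoint statistics, top talkers and broadcast-storm check of steps 15 and 16 can all be computed from a frame list. The following is an added example, not Capsa's code; it assumes a 100 Mbps link, a 10.0.0.0/24 segment and constructed frames in which 10.0.0.7 floods the subnet broadcast address.

```python
"""Endpoint statistics, utilization rate and storm check (added example, not Capsa code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Frame:
    ts: float     # seconds since capture start
    src: str
    dst: str
    length: int   # bytes on the wire, Ethernet header included


def endpoint_stats(frames):
    """Per-IP totals in the spirit of the IP Endpoint tab: bytes sent, bytes received, packets."""
    stats = defaultdict(lambda: {"bytes_sent": 0, "bytes_recv": 0, "pkts": 0})
    for f in frames:
        stats[f.src]["bytes_sent"] += f.length
        stats[f.src]["pkts"] += 1
        stats[f.dst]["bytes_recv"] += f.length
        stats[f.dst]["pkts"] += 1
    return dict(stats)


def top_talkers(frames, n=3):
    """Endpoints ordered by total bytes, highest first (ties broken by address)."""
    stats = endpoint_stats(frames)
    ranked = sorted(stats.items(),
                    key=lambda kv: (-(kv[1]["bytes_sent"] + kv[1]["bytes_recv"]), kv[0]))
    return [(ip, s["bytes_sent"] + s["bytes_recv"]) for ip, s in ranked[:n]]


def utilization(frames, link_bps, interval=1.0):
    """Utilization rate per interval: bits carried divided by bits the link could carry, in %."""
    bytes_per_interval = defaultdict(int)
    for f in frames:
        bytes_per_interval[int(f.ts // interval)] += f.length
    capacity_bits = link_bps * interval
    return {i: round(100 * b * 8 / capacity_bits, 3) for i, b in sorted(bytes_per_interval.items())}


def storm_check(frames, local_net, interval=1.0, threshold=100):
    """Flag intervals whose broadcast/multicast frame count reaches threshold, naming the top sender."""
    net = ipaddress.ip_network(local_net)
    broadcast = {str(net.broadcast_address), "255.255.255.255"}
    senders_per_interval = defaultdict(Counter)
    for f in frames:
        if f.dst in broadcast or ipaddress.ip_address(f.dst).is_multicast:
            senders_per_interval[int(f.ts // interval)][f.src] += 1
    alerts = []
    for i, senders in sorted(senders_per_interval.items()):
        total = sum(senders.values())
        if total >= threshold:
            src, count = senders.most_common(1)[0]
            alerts.append({"interval": i, "frames": total, "top_source": src, "from_top": count})
    return alerts


def build_sample():
    """Constructed frames (not the lab capture) on the lab's 10.0.0.x segment."""
    frames = []
    for i in range(20):   # ordinary unicast: 10.0.0.2 fetching data from 10.0.0.5 over ~2 s
        frames.append(Frame(0.1 * i, "10.0.0.2", "10.0.0.5", 74))
        frames.append(Frame(0.1 * i + 0.02, "10.0.0.5", "10.0.0.2", 1514))
    for i in range(4):    # background SSDP multicast, two frames per second
        frames.append(Frame(0.5 * i, "10.0.0.5", "239.255.255.250", 200))
    for i in range(400):  # broadcast storm: 400 frames from 10.0.0.7 inside second 2
        frames.append(Frame(2.0 + i * 0.0025, "10.0.0.7", "10.0.0.255", 60))
    frames.sort(key=lambda f: f.ts)
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print(top_talkers(sample))
    print(utilization(sample, link_bps=100_000_000))
    print(storm_check(sample, "10.0.0.0/24"))
```

The storm is invisible in the utilization figures (well under 1% of a 100 Mbps link) and only shows up in the broadcast frame rate, which is why the two checks belong together.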
As a delicate work, network analysis always requires us to view the original packets and analyze them. However, not all network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.
17. The Physical Conversation tab presents the conversations between two MAC addresses.
Figure: Physical Conversation tab listing pairs of MAC addresses with Duration, Bytes and Packets
TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL is initially designed to define a time scope beyond which the packet is dropped. As the TTL value is decremented by at least 1 by each router the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped.
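As an added example (not part of the lab), the hop-count reading of TTL described above can be applied to a capture: subtracting the observed TTL from the nearest common initial value (64, 128 or 255) gives an estimated router count, and a local address that arrives with a non-zero hop count, or a source whose hop count jumps between packets, deserves a second look. The local subnet 10.0.0.0/24, the address 198.51.100.20 and the TTL values are constructed assumptions.

```python
"""Hop-count inference from observed TTL values (added example, not part of the lab)."""
from collections import defaultdict
import ipaddress

# Initial TTLs most operating systems and routers start with. The inference is a heuristic:
# a sender configured with an unusual initial TTL will be misread.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) using the smallest common initial TTL >= observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = next(t for t in COMMON_INITIAL_TTLS if observed_ttl <= t)
    return initial, initial - observed_ttl


def ttl_anomalies(records, local_net, max_jitter=2):
    """records: iterable of (src_ip, observed_ttl) as seen by the capturing host.

    Returns a list of (src_ip, reason, detail):
    - "local_not_zero_hops": an address from our own subnet arrived with hops > 0. On the
      same segment no router decrements the TTL, so the packet was routed in or spoofed.
    - "hop_count_varies": one source shows hop counts spread more than max_jitter, i.e. its
      packets do not travel one stable path (spoofing, or two hosts sharing the address).
    """
    net = ipaddress.ip_network(local_net)
    hops_by_src = defaultdict(set)
    findings = []
    for src, ttl in records:
        _, hops = infer_hops(ttl)
        hops_by_src[src].add(hops)
        if ipaddress.ip_address(src) in net and hops > 0:
            findings.append((src, "local_not_zero_hops", hops))
    for src, hops in hops_by_src.items():
        if max(hops) - min(hops) > max_jitter:
            findings.append((src, "hop_count_varies", tuple(sorted(hops))))
    return findings


def build_sample():
    """Constructed (src_ip, ttl) observations, not taken from the lab capture."""
    return [
        ("10.0.0.5", 128), ("10.0.0.5", 128), ("10.0.0.5", 128),  # Windows host on our segment
        ("10.0.0.2", 64),                                          # another local host
        ("198.51.100.20", 52), ("198.51.100.20", 53), ("198.51.100.20", 52),  # routed, stable
        ("10.0.0.5", 118),   # "10.0.0.5" arriving 10 hops away: not the local host
    ]


if __name__ == "__main__":
    for finding in ttl_anomalies(build_sample(), "10.0.0.0/24"):
        print(finding)
```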
Conversation
19. The lower pane of the IP conversation section offers UDP and TCP conversations, which you can drill down to analyze.
Figure: IP Conversation tab (Endpoint 1, Endpoint 2, Duration, Bytes, Packets, First Seen) with the TCP Conversation and UDP Conversation panes below
20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.
21. A window opens displaying full packet analysis between 10.0.0.5 and 239.255.255.250.
Figure: full packet analysis of the conversation between 10.0.0.5 and 239.255.255.250:3702 (packet list and Packet Info decode)
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.
22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.
23. Double-click a node to display the full analysis of packets.
Figure: TCP Conversation tab listing Endpoint 1, Endpoint 2, Duration, Bytes, Packets and Protocol (HTTP, HTTPS) with the Node Explorer and Online Resource panes
24. A Full Analysis window is opened displaying detailed information of the conversation between two nodes.
Figure: Full Analysis window showing the packet list (No., Absolute Time, Source, Destination, Protocol, Size, Summary) and the packet decode pane of an HTTPS conversation
25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
26. The lower pane of this tab gives you related packets and reconstructed data flow to help you drill down to analyze the conversations.
In networking, an email worm is a computer worm that can copy itself to the shared folder in a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.
Figure: UDP Conversation tab (Endpoint 1, Endpoint 2, Duration, Bytes, Packets, Protocol: DNS, UDP, RTP) with the related packet list (Absolute Time, Source) below
27. On the Matrix tab, you can view the nodes communicating in the network by connecting them graphically with lines.
28. The weight of a line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 08 - Sniffers
29. You can easily navigate and shift between global statistics and the details of specific network nodes by selecting the corresponding nodes in the Node Explorer window.
Once we encounter a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.
30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.
Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.
View and Decode
Protocol decoding is the basic functionality as well. There is a Packet tab, which collects all captured packets or traffic. Select a packet and you can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rules.
32. The Log tab provides a Global Log, DNS Log, HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP transactions, email communications, conversations, web access, DNS, etc.
34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
35. The R e p o rt tab provides 27 statistics reports from the global network to a specific network node.
36. You can click the respective hyperlinks for information, or scroll down to view the complete detailed report.
37. Click Stop.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Capsa
Information Collected/Objectives Achieved:
- Diagnosis: Name, Physical Address, IP Address
- Packet Info: Packet Number, Packet Length, Captured Length, Ethernet Type, Destination Address, Source Address, Protocol
- Logs: Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log, Yahoo Log
- Conversations: Physical Endpoint, IP Endpoint, Physical Conversation, IP Conversation, TCP Conversation, UDP Conversation
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how Capsa affects your network traffic while analyzing the network.
2. What types of instant messages does Capsa monitor?
3. Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on the software?

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Lab
Sniffing Passwords Using Wireshark
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and display packet data in detail.
Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers will first learn the IP address and correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set. As an administrator you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing\Wireshark
The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and collect data from any network topology.
Lab Environment
You can download Wireshark from http://www.wireshark.org.
You can also download the latest version of Wireshark from http://www.wireshark.org/download.html. If you decide to download the latest version, the lab might differ.
- A computer running Windows Server 2012
- A virtual machine (Windows 8 or Windows 2008 Server) as a Victim machine
- A web browser with an Internet connection
- Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven installation steps to install Wireshark
- Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Lab Tasks
1. Before starting this lab, log in to the virtual machine(s).
Capturing Packets
2. On the host machine, launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 5.1: Windows Server 2012 Desktop view
Wireshark is an open source software project and is released under the GNU General Public License (GPL).
A network packet analyzer is a kind of measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).
FIGURE 5.4: Wireshark Main Window with Interface Option
Wireshark features: available for UNIX and Windows; capture live packet data from a network interface; display packets with very detailed protocol information; open and save captured packet data; import and export packet data from and to a lot of other capture programs.
6. The Wireshark Capture Interfaces window appears.
7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the system.
8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show some packets passing through it, as it is connected to the network.
Despite its name, Wireshark can capture traffic from many different network media types, including wireless LAN.
9. Click Start.
A supported network card for capturing. Ethernet: any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.
10. The traffic consists of packets generated by the computer while browsing the Internet.
11. Now, switch to the virtual machine and log in to the email ID for which you would like to sniff the password.
TASK 2: Stop Live Capturing
12. Click Stop on the toolbar.
13. You may save the captured packets from File → Save As, provide a name for the file, and save it in the desired location.
Saving Captured Files
14. Now, go to Edit and click Find Packet...
Wireshark can save captured packets in a large number of formats used by other capture programs.
Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
15. The Wireshark: Find Packet window appears.
16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In, and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find.
Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).
17. Wireshark will now display the sniffed password from the captured packets.
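The string search in steps 16 and 17 finds the password because the login form travelled over plain HTTP. The following added example (not code from the lab manual or from Wireshark) automates that search from the defender's side: it parses reassembled HTTP request payloads and flags form fields that look like credentials, so an administrator can audit which applications still accept logins in cleartext. The sample payloads, host names and field-name patterns are constructed for this example.

```python
"""Flag cleartext credential submissions in captured HTTP request payloads."""
import re
from urllib.parse import parse_qsl

# Field names that typically carry a secret; "pwd" mirrors the lab's search string.
CREDENTIAL_FIELDS = re.compile(r"^(pwd|passwd|password|pass|secret|pin)$", re.IGNORECASE)
USER_FIELDS = re.compile(r"^(user|username|login|email|uid)$", re.IGNORECASE)

# Constructed form body; "%26" is a URL-encoded "&" inside the password.
_FORM_BODY = b"username=alice&pwd=Summer%2612&ok=1"

# Constructed sample streams: (src, dst, dst_port, raw TCP payload) as a sniffer
# would hand them over after reassembly.
SAMPLE_STREAMS = [
    ("10.0.0.5", "123.176.32.155", 80,
     b"POST /login/verify.php HTTP/1.1\r\nHost: example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     + b"Content-Length: %d\r\n\r\n" % len(_FORM_BODY) + _FORM_BODY
     + b"GET /next HTTP/1.1\r\n"),          # a second request coalesced in the same segment
    ("10.0.0.2", "74.125.128.189", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS record: ciphertext, never parses as HTTP
    ("10.0.0.7", "10.0.0.9", 80,
     b"GET /index.html?q=pwdtest HTTP/1.1\r\nHost: intranet.test\r\n\r\n"),  # "pwd" substring, no credential
]


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into (method, path, headers, body); None if not HTTP."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # Honour Content-Length so bytes of a coalesced next request are not read as form data.
    try:
        length = int(headers.get("content-length", len(body)))
    except ValueError:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body[:length]


def find_cleartext_credentials(streams):
    """Return one finding per form POST whose field names match a credential pattern.

    The secret value itself is never stored, only its length: the point of the
    audit is to locate the leaking application, not to collect passwords.
    """
    findings = []
    for src, dst, dport, payload in streams:
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
        secrets = [k for k in fields if CREDENTIAL_FIELDS.match(k)]
        if not secrets:
            continue
        users = [fields[k] for k in fields if USER_FIELDS.match(k)]
        findings.append({
            "src": src, "dst": dst, "dport": dport, "path": path,
            "user": users[0] if users else None,
            "secret_fields": secrets,
            "secret_len": len(fields[secrets[0]]),
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_STREAMS):
        print(f"cleartext login {f['src']} -> {f['dst']}:{f['dport']}{f['path']} "
              f"user={f['user']} fields={f['secret_fields']} secret_len={f['secret_len']}")
```

Unlike the raw substring search, the parser ignores the GET request that merely contains "pwd" and stops at Content-Length, so a coalesced following request is not mistaken for form data.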
Observe the Password
Which Wireshark media types are supported depends on many things, like the operating system you are using.
18. If you are working in the iLabs environment, then use the Test(WS) sample captured file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Wireshark
Information Collected/Objectives Achieved:
- Time, Source, Destination, Protocol, Length, Info
- Internet Protocol
- TCP: Source Port
- Info: User ID and Password
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate the protocols that are supported by Wireshark.
2. Determine the devices Wireshark uses to capture packets.

Internet Connection Required: Yes / No
Lab Scenario
You have learned in the previous lab how you can get user name and password information using Wireshark. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates in a public network, especially to a website without an HTTPS connection. Once the password is hacked, an attacker can simply log into the victim's email account or use that password to log in to their PayPal and drain their bank account. They can even change the password for the email. Attackers can use Wireshark to decrypt the frames with the victim's password they already have. As preventive measures, an administrator in an organization should always advise employees not to provide sensitive information in public networks without an HTTPS connection. VPN and SSH tunneling must be used to secure the network connection. As an expert ethical hacker and penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms, and encryption techniques. Another method through which you can gain user name and password information is by using Cain & Abel to perform a man-in-the-middle attack.
L a b O b je c t iv e s
The objective of this lab is to accomplish the following regarding the target organization, including but not limited to:
- Sniff network traffic and perform ARP poisoning
- Launch a man-in-the-middle attack
- Sniff the network for the password
Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP
You can also download the latest version of Cain & Abel from http://www.oxid.it. If you decide to download the latest version, the lab might differ.
- A computer running Windows Server 2012
- A web browser with an Internet connection
- Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain & Abel
- Administrative privileges to run tools
L a b D u r a t io n
Time: 20 Minutes
You can download Cain & Abel from http://www.oxid.it.
Overview of Man-In-The-Middle Attack
A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN.
Lab Tasks
TASK 1
Server virtual machine (Victim Machine).
(Attacker Machine).
3. On the host machine (Windows Server 2012), launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
Man-in-the-middle attacks have the potential to eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). They can also be used for substitution attacks that actively manipulate data.
4. Click Cain in the Start menu.
Cain & Abel covers some security aspects/weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms.
Replay attacks can also be used to resend a sniffed password hash to authenticate an unauthorized user.
6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window.
7. To configure the Ethernet card,
CEH Lab Manual Page 641
APR-SSH-1 can capture and decrypt SSH version 1 sessions, which are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because a trusted authority does not sign these certificates, a warning message will be displayed to the end user.
FIGURE 6.4: Cain & Abel Configuration Option
8. The Configuration Dialog window appears.
9. The Configuration Dialog window consists of several tabs. Click the Sniffer tab to select the sniffing adapter, and click OK.
For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first, that address can be easily identified for troubleshooting, and second, it is not supposed to exist in your network. Note: You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same spoofed MAC address.
[Figure: Cain & Abel Configuration Dialog, Sniffer tab; other tabs include Traceroute, Challenge Spoofing, Certificate Spoofing and Certificates Collector. Options: Start Sniffer on startup, Start APR on startup; warning: only Ethernet adapters supported. Buttons: OK, Cancel, Apply, Help]
The most crucial item in that list is the radioactive hazard APR. It is in this window that we select our victim(s).
Figure 6.6: Cain & Abel Configuration Dialog Window
N o te :
tab.
Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data.
Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.
The MAC Address Scanner window appears. Select All hosts in my subnet and the Tests to run.
[Figure: MAC Address Scanner dialog. Target: All hosts in my subnet; Promiscuous-Mode Scanner tests: ARP Test (Broadcast 31 bit), ARP Test (Broadcast 16 bit), ARP Test (Broadcast 8 bit), ARP Test (Group bit), ARP Test (Multicast group 0), ARP Test (Multicast group 1), ARP Test (Multicast group 3)]
Figure 6.8: Cain & Abel MAC Address Scanner Window
15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.
Speeding up packet capture by wireless packet injection.
Note that the Cain & Abel program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
APR state HalfRouting means that APR is routing the traffic correctly but only in one direction (e.g., Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets of an entire direction, so it cannot grab authentications that use a challenge-response mechanism.
[Figure: Cain & Abel Sniffer tab, APR sub-tree: APR-Cert, APR-DNS, APR-SSH-1 (0), APR-HTTPS (0), APR-ProxyHTTPS (0), APR-RDP (0), APR-FTPS (0), APR-POP3S (0), APR-IMAPS (0), APR-LDAPS (0), APR-SIPS (0); columns Status, IP address, MAC address, Packets ->, <- Packets; status bar: Lost packets 0%]
Figure 6.10: Cain & Abel ARP Tab
P a c k e ts
window of APR
APR state FullRouting means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX (e.g., Server<->Client). The sniffer will grab authentication information according to the sniffer filters set.
19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IPs to listen to traffic.
The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user.
[Figure: New ARP Poison Routing dialog listing hosts 10.0.0.1, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.7, 10.0.0.10, 10.0.0.11, 10.0.0.12 and 10.0.0.13 with their MAC addresses and hostnames]
Figure 6.12: Cain & Abel ARP Tab
20. To monitor the traffic between two computers, select 10.0.0.3 (Windows 8 virtual machine) and 10.0.0.5 (Windows 2008 Server virtual machine). Click OK.
New ARP Poison Routing
WARNING !!! APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.
All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.
[Figure: New ARP Poison Routing dialog with hosts and MAC addresses: 10.0.0.1 00095BAE24CC, 10.0.0.3 00155DA86E06, 10.0.0.4 00155DA86E09, 10.0.0.5 00155DA86E03, 10.0.0.7 D4BED9C3CE2D, 10.0.0.10 D4BED9C3C3CC, 10.0.0.11 00155DA87805, 10.0.0.12 00155DA87800, 10.0.0.13 00155DA87804]
Figure 6.13: Cain & Abel ARP Tab
C o n f ig u r a tio n /R o u te d
packets and
Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for example, store user names and passwords using this service.
22. Now launch the command prompt in Windows 2008 Server and type ftp 10.0.0.3 (IP address of the Windows 8 machine) and press Enter.
There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called the "Local Credential Set" and it refers to the file: \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials
23. When prompted for Username type Martin and press Enter, and for password type apple and press Enter.
Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.
C:\Users\Administrator>ftp 10.0.0.3
Connected to 10.0.0.3.
220 Microsoft FTP Service
User (10.0.0.3:(none)): Martin
331 Password required
Password:
230 User logged in.
ftp> _
24. Now, on the host machine, observe the tool listing the packets exchanged.
Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\
[Figure: Cain & Abel APR tab, status Poisoning between 10.0.0.3 (00155DA86E06) and 10.0.0.5 (00155DA86E03); Packets -> 5, <- Packets 7; Lost packets 0%]
Figure 6.16: Sniffer window with more packets exchanged
25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.
[Figure: Cain & Abel Passwords tab, FTP entry: Timestamp 18/09/2012 15:54:10, FTP server 10.0.0.3, Client 10.0.0.5]
This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials
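The sniffed FTP logon above shows why this protocol is a detection target: the USER and PASS commands cross the wire in cleartext, and anything capturing port 21 sees them exactly as Cain's Passwords tab lists them. The following Python example is added here and is not part of the lab manual or of Cain & Abel. It reconstructs that view from a constructed packet capture (the timestamps, addresses and the Martin/apple session mirror the lab's values) and emits a redacted alert that a monitoring team can log without storing the password. The segment tuple layout and the function names are assumptions of this example, not a pcap or Cain format.

```python
import re
from dataclasses import dataclass


@dataclass
class CredentialSighting:
    timestamp: str
    client: str
    server: str
    username: str
    password: str

    def as_alert(self) -> str:
        """Alert text safe to write to a log: the password itself is masked."""
        masked = self.password[0] + "*" * (len(self.password) - 1) if self.password else ""
        return (f"{self.timestamp} cleartext FTP logon {self.client} -> {self.server}: "
                f"user={self.username} pass={masked} ({len(self.password)} chars)")


FTP_CMD = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)


def extract_ftp_credentials(segments):
    """Pair USER/PASS commands per client->server flow on TCP port 21.

    segments: iterable of (timestamp, src_ip, src_port, dst_ip, dst_port, payload)
    (constructed layout for this example). Only client-to-server control
    traffic is inspected; server replies (331 Password required, 230 User
    logged in) carry no secret. A PASS without a preceding USER is still
    reported, with an empty username. Command lines split across segments
    are reassembled per flow.
    """
    pending_user = {}          # (client, server) -> username seen so far
    buffers = {}               # (client, server) -> partial line carried over
    sightings = []
    for ts, src, sport, dst, dport, payload in segments:
        if dport != 21:
            continue           # not FTP control traffic toward a server
        flow = (src, dst)
        text = buffers.pop(flow, "") + payload.decode("ascii", errors="replace")
        lines = text.split("\r\n")
        buffers[flow] = lines.pop()        # trailing element is an incomplete line (or "")
        for line in lines:
            m = FTP_CMD.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                pending_user[flow] = arg
            else:  # PASS
                sightings.append(CredentialSighting(ts, src, dst,
                                                    pending_user.pop(flow, ""), arg))
    return sightings


def constructed_capture():
    """Constructed segments replaying the lab's session (10.0.0.5 -> 10.0.0.3)."""
    return [
        ("18/09/2012 15:54:08", "10.0.0.3", 21, "10.0.0.5", 49152, b"220 Microsoft FTP Service\r\n"),
        ("18/09/2012 15:54:09", "10.0.0.5", 49152, "10.0.0.3", 21, b"USER Martin\r\n"),
        ("18/09/2012 15:54:09", "10.0.0.3", 21, "10.0.0.5", 49152, b"331 Password required\r\n"),
        # the PASS line split across two segments, as TCP is free to do
        ("18/09/2012 15:54:10", "10.0.0.5", 49152, "10.0.0.3", 21, b"PASS ap"),
        ("18/09/2012 15:54:10", "10.0.0.5", 49152, "10.0.0.3", 21, b"ple\r\n"),
        ("18/09/2012 15:54:11", "10.0.0.3", 21, "10.0.0.5", 49152, b"230 User logged in.\r\n"),
        # unrelated HTTP traffic on another port is ignored
        ("18/09/2012 15:54:12", "10.0.0.5", 49153, "10.0.0.7", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ]


def run_demo():
    """Return the credential sightings found in the constructed capture."""
    return extract_ftp_credentials(constructed_capture())


if __name__ == "__main__":
    for sighting in run_demo():
        print(sighting.as_alert())
```

The same USER/PASS pairing is what an IDS rule or a text search over a capture file finds; the redaction in as_alert is the part Cain omits, and it is the difference between a detection record and a second copy of the credential. Sessions protected with FTPS or SFTP never produce a sighting, because the commands are not visible in the payload.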
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Tool/Utility: Cain & Abel
Information Collected/Objectives Achieved:
IP Address: 10.0.0.3
MAC Address: 00155DA86E06
Packets Sent: 5
Packets Received: 7
FTP Server: 10.0.0.3
Username: Martin
Password: apple
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
2. How can you easily find the password captured using only Notepad or some other text editor?
3. How can one protect a Windows Server against RDP MITM attacks?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Lab
a tta c k s .
Lab Scenario
You have already learned in the previous lab to capture user name and password information using Cain & Abel. Similarly, attackers, too, can sniff the username and password of a user. Once attackers have a user name and password, they can simply gain access to a network's database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network. They can also perform different types of attacks such as denial-of-service attacks, spoofing, buffer overflow, heap overflow, etc. When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly. Another method attackers can implement is ARP attacks, through which they can snoop on or manipulate all your data passing over the network. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks and protect your data.
Lab Objectives
The objective of this lab is to accomplish the following regarding the target organization, which includes, but is not limited to:
To detect ARP attacks
Lab Environment
08 Sniffing\ARP Spoofing
You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html
If you decide to download the latest version, the lab might differ
A computer running Windows Server 2012 as host machine
Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of XArp
XArp helps users to detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.
Lab Tasks
TASK 1: Launching the XArp tool
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
2. Click XArp in the Start menu.
Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.
The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.
[Figure: XArp main window (unregistered version). Status: no ARP attacks; security level high; columns Vendor, Interface (0x11), First seen (9/20/2012 14:22:55), Last seen]
A MAC address is a unique identifier for network nodes on a LAN. MAC addresses are associated with the network adapter that connects a device to the network. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or caches, are used to correlate network devices' IP addresses to their MAC addresses.
If you observe the same results, log in to a virtual machine and run Cain to initiate ARP poisoning to the host machine.
5. By default the security level is set to high. Set the Security level to aggressive on the XArp screen.
aggressive: The aggressive security level enables all ARP packet inspection modules and sends out discovery packets in high frequency. Using this level might give false attack alerts as it operates on a highly aggressive packet inspection philosophy.
An attacker can alter the MAC address of the device that is used to connect the network to the Internet and can disable access to the web and other external networks.
[Figure: XArp main window with security level set to aggressive. Status: no ARP attacks; hosts 10.0.0.1 (Netgear, Inc.) and seven Windows machines on interface 0x11; status bar: XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts]
6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an ARP attack on the Windows 2012 host machine.
7. The XArp pop-up appears displaying the alerts.
XArp allows alert filtering for excluding specific hosts. Other features include settings for alerting intensity and how the alerts are presented. It also allows sending alerts through email and detailed alerting configuration.
[XArp alert popup, 9/20/2012: DirectedRequestFilter: targeted request, destination mac of arp request not set to broadcast/invalid address]
Status changes to ARP attacks detected.
The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in (n*n) ARP caches that have to be configured. AntiARP also provides Windows-based spoofing prevention at the kernel level.
[Figure: XArp main window after the attack, with attack markers on the affected hosts; rows for 10.0.0.1 through 10.0.0.13 with columns IP, MAC, Host, Vendor, Interface, Online, Cache, First seen, Last seen]
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: XArp
Information Collected/Objectives Achieved:
Interface [Ethernet]: 0x11
Source Mac: d0-xx-xx-xx-xx-36
Destination Mac: 00-xx-xx-xx-xx-cc
Type [arp]: 0x806
Direction: Out
Source IP: 10.0.0.2
Destination IP: 10.0.0.1
Host: 10.0.0.1
Vendor: Netgear, Inc.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
With an ARP storm attack, an attacker collects the IP address and MAC address of the machines in a network for future attacks. An attacker can send ARP packets to attack a network. If an ARP packet with a forged gateway MAC address is pushed to the LAN, all communications within the LAN may fail. This attack uses all resources of both victim and non-victim computers. As a network administrator you must always diagnose the network traffic using a network analyzer and configure routers to prevent ARP flooding. Using a specific technique with a protocol analyzer you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks. Attackers may also install network interfaces that run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as they might be network sniffers. In this lab you will learn to use the tool PromqryUI to detect such network interfaces running in promiscuous mode.
Lab Objectives
The objective of this lab is to accomplish:
To detect promiscuous systems in a network
Lab Environment
08
You can also download the latest version of PromqryUI from http://www.microsoft.com/en-us/download/details.aspx?id=16883
If you decide to download the latest version, the lab might differ
A computer running Windows 2008 Server
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of PromqryUI
PromqryUI can accurately determine if a modern managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system. PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.
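PromqryUI answers one question per interface: is the adapter's packet filter set to receive every frame, not just the frames addressed to it. The Python example below is added here and is not PromqryUI's or Microsoft's code. It shows the two flag checks behind that kind of answer: on Windows, the NDIS packet-filter bitmask that the lab's NEGATIVE/POSITIVE verdicts summarise (the bit value NDIS_PACKET_TYPE_PROMISCUOUS = 0x20 comes from the NDIS headers; that PromqryUI reads this filter is my assumption, not something the lab states), and on Linux the IFF_PROMISC bit (0x100) in each interface's sysfs flags file, which is the bit `ip link` prints as PROMISC. The sysfs tree is fabricated in a temporary directory so the scan runs offline; pass the real /sys/class/net to scan a live host. Function names are this example's own.

```python
import os
import tempfile

# Windows NDIS packet-filter bits (ndis.h). An adapter whose filter has the
# promiscuous bit set hands the stack every frame on the wire.
NDIS_PACKET_TYPE_DIRECTED = 0x01
NDIS_PACKET_TYPE_MULTICAST = 0x02
NDIS_PACKET_TYPE_ALL_MULTICAST = 0x04
NDIS_PACKET_TYPE_BROADCAST = 0x08
NDIS_PACKET_TYPE_PROMISCUOUS = 0x20

# Linux net_device flag from include/uapi/linux/if.h.
IFF_PROMISC = 0x100


def ndis_verdict(instance_name, packet_filter):
    """Render a PromqryUI-style result line from an adapter's current packet filter."""
    promisc = bool(packet_filter & NDIS_PACKET_TYPE_PROMISCUOUS)
    state = ("POSITIVE: Promiscuous mode currently enabled" if promisc
             else "NEGATIVE: Promiscuous mode currently NOT enabled")
    return f"InstanceName: {instance_name}  {state}"


def linux_interface_is_promiscuous(sysfs_root, ifname):
    """Read <sysfs_root>/<ifname>/flags (hex text such as 0x1143) and test IFF_PROMISC."""
    with open(os.path.join(sysfs_root, ifname, "flags")) as fh:
        flags = int(fh.read().strip(), 16)
    return bool(flags & IFF_PROMISC)


def scan_linux_interfaces(sysfs_root="/sys/class/net"):
    """Map every interface under sysfs_root to True/False for promiscuous mode.

    Interfaces whose flags file is missing or unreadable are skipped rather
    than reported as a (false) negative, so the caller can see the gap.
    """
    results = {}
    for ifname in sorted(os.listdir(sysfs_root)):
        try:
            results[ifname] = linux_interface_is_promiscuous(sysfs_root, ifname)
        except (OSError, ValueError):
            continue
    return results


def system_summary(results):
    """Positive wording mirrors the lab's Query Results; the negative line is this example's own."""
    if any(results.values()):
        return "POSITIVE: at least one interface on system was found in promiscuous mode"
    return "NEGATIVE: no interface on system was found in promiscuous mode"


def demo_with_fake_sysfs():
    """Constructed sysfs tree: eth0 has IFF_PROMISC set (0x1143), eth1 and lo do not."""
    root = tempfile.mkdtemp(prefix="fake_sysfs_")
    for ifname, flags in {"eth0": "0x1143", "eth1": "0x1043", "lo": "0x9"}.items():
        os.makedirs(os.path.join(root, ifname))
        with open(os.path.join(root, ifname, "flags"), "w") as fh:
            fh.write(flags + "\n")
    os.makedirs(os.path.join(root, "broken"))   # no flags file: must be skipped, not crash
    return scan_linux_interfaces(root)


if __name__ == "__main__":
    results = demo_with_fake_sysfs()
    for name, promisc in results.items():
        print(f"{name}: {'PROMISC' if promisc else 'normal'}")
    print(system_summary(results))
    print(ndis_verdict("Hyper-V Virtual Ethernet Adapter #2",
                       NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_BROADCAST))
```

Both checks share PromqryUI's limitation from the overview: they read a flag the local operating system maintains, so a capture device that is not a managed host, or a tap that never sets the bit, is invisible to them. Pair the host-side check with network-side probing (the ARP tests in the Cain MAC Address Scanner dialog earlier, or XArp's discovery packets) when the goal is to find a sniffer you do not control.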
Lab Tasks
TASK 1: Running PromqryUI
Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.
[Figure: Open File - Security Warning dialog with Run and Cancel buttons: "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust. What's the risk?"]
3. Click Yes in the PromqryUI License Agreement window.
[Figure: PromqryUI End-User License Agreement for PROMQRY and PROMQRYUI dialog, with Yes and No buttons]
In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.
4. The WinZip Self-Extractor dialog box appears. Browse to a desired location (default location is c:\promqryui) to save the unzipped folder and click Unzip.
[Figure: WinZip Self-Extractor - PROMQR~1.EXE dialog: "To unzip all files in PROMQR~1.EXE to the specified folder press the Unzip button." Unzip to folder, Browse..., Overwrite files without prompting; buttons Unzip, Run WinZip, Close, About, Help; then the message "2 file(s) unzipped successfully" with OK]
Unzip to folder allows you to browse and select a destination of your choice to save the setup file.
TASK: Running .NET Framework 1.1
8. Click Run in the Open File - Security Warning dialog box.
[Figure: Open File - Security Warning dialog, "Do you want to run this file?" for dotnetfx.exe (Microsoft Corporation), with Run and Cancel buttons]
Figure 8.6: .NET Framework - Run dialog box
The .NET Framework version 1.1 redistributable package includes everything you need to run applications developed using the .NET Framework.
[Figure: Setup dialog: "Would you like to install Microsoft .NET Framework 1.1 Package?" with Yes and No buttons]
10. While attempting to install .NET Framework 1.1, you will get a Program Compatibility Assistant dialog box. Click Run Program.
[Figure: Program Compatibility Assistant dialog: "This program has known compatibility issues. Check online to see if solutions are available from the Microsoft website. If solutions are found, Windows will automatically display a website that lists steps you can take. Program: Microsoft .NET Framework 1.1; Publisher: Microsoft; Location: Not Available. This software has known incompatibility with IIS services on this platform." with Run program and Cancel buttons]
Select I agree and click Install in the License Agreement dialog box.
[Figure: Installing .NET Framework 1.1, License Agreement dialog: "I have read, understood and agree to the terms of the End User License Agreement and so signify by clicking "I agree" and proceeding to use this product." with Install and Cancel buttons]
Click OK in the Microsoft .NET Framework 1.1 dialog box.
TASK: Installing PromqryUI
pqsetup.msi
Click Start and click Promqry to launch PromqryUI.
Promiscuous mode can be used in a malicious way to sniff on a network. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this by using carefully designed firewall settings.
With the PromqryUI tool, you can add either a single system or multiple systems to query.
Figure 8.12: PromqryUI Main window
16. The Select Addition Type dialog box appears. Select Add Single System.
17. Type the IP address of the system you want to check for promiscuous mode in the IP Address field of the Add System to Query dialog box and click Save.
For systems that you need to query, a range of IP addresses can be provided. Also, you can just carry out a query for a local system.
Figure 8.14: PromqryUI Add System to Query
in the Systems To Query
Query Results
R e s u lt s .
[Figure: PromqryUI Query Results window. Start IP address 10.0.0.2; Query Status: done: positive!
Query start time: 9/20/2012
Pinging 10.0.0.2... success
Querying 10.0.0.2...
Active: True  InstanceName: WAN Miniport (IP)  NEGATIVE: Promiscuous mode currently NOT enabled
Active: True  InstanceName: Hyper-V Virtual Switch Extension Adapter  NEGATIVE: Promiscuous mode currently NOT enabled
Active: True  InstanceName: Hyper-V Virtual Switch Extension Adapter #2  NEGATIVE: Promiscuous mode currently NOT enabled
Active: True  InstanceName: Teredo Tunneling Pseudo-Interface  NEGATIVE: Promiscuous mode currently NOT enabled
Active: True  InstanceName: WAN Miniport (Network Monitor)  NEGATIVE: Promiscuous mode currently NOT enabled
Active: True  InstanceName: Hyper-V Virtual Ethernet Adapter #2  NEGATIVE: Promiscuous mode currently NOT enabled
System Summary: POSITIVE: at least one interface on system was found in promiscuous mode
Computer name: WIN-D39MR5HL9E4
Domain: WORKGROUP
Computer manufacturer: Dell Inc.
Computer model: OptiPlex 390
Primary owner: Windows User
User currently logged on: WIN-D39MR5HL9E4\Administrator
Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter]
Query results will let you know if the system is in promiscuous mode or not and provide other information like computer name, domain, computer model, manufacturer, owner, etc.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: PromqryUI
Information Collected/Objectives Achieved:
Computer name: WIN-D39MR5HL9E4
Domain: WORKGROUP
Computer manufacturer: Dell Inc.
Computer model: OptiPlex 390
Primary owner: Windows User
User currently logged on: WIN-D39MR5HL9E4\Administrator
Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
Internet Connection Required: Yes / No
Platform Supported: iLabs
Lab 9: Sniffing Passwords Using Sniff-O-Matic
Attackers may install a sniffer in a trusted network to capture packets; on a network that uses a hub, or on a switched network whose traffic the attacker has redirected through ARP poisoning, they will be able to view every single packet that crosses the segment. With the captured packets, attackers can learn about vulnerabilities, sniff a user name and password sent in cleartext, and log in to the network as an authenticated user. Once logged in to a network, the hacker can easily install viruses and Trojans to steal data and sensitive information and cause serious damage to that network. As an expert ethical hacker and penetration tester you should have sound knowledge of sniffing, network protocols, authentication mechanisms and encryption techniques. You should also regularly check your network and close unnecessary ports that are open. Whenever sensitive data has to be sent over the network, use an encrypted protocol to minimize data leakage.
Lab Objectives

The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.
Lab Environment

Sniff-O-Matic; you can also download the latest version from http://www.kwakkelflap.com/sniffer.html
A computer running Windows Server 2012
Double-click snifftrial.exe and follow the wizard-driven installation steps to install Sniff-O-Matic
Administrative privileges to run tools
Lab Duration

Time: 10 Minutes
Overview of Sniff-O-Matic

Sniff-O-Matic captures network traffic and enables you to analyze the data. Detailed packet information is available in a tree structure or in a raw data view of the packet data. Sniff-O-Matic's button and columnar data display presents the collected network traffic data logically and succinctly.
Lab Tasks

TASK 1: Launching the Sniff-O-Matic tool

1. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.
2. Click Sniff-O-Matic in the Start menu.

Note: A packet sniffer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

TASK 2: Sniff-O-Matic: Start Packet Capture

3. The main Sniff-O-Matic window appears. Click the Start Capture button.
4. When the tool starts capturing the packets, launch a browser and log in to your email account.
5. Then, click the Stop Capture button.
Note: Packet capture is the act of capturing data packets crossing a computer network.

[Screenshot: Sniff-O-Matic capturing on the Hyper-V Virtual Ethernet Adapter #2; the packet list shows TCP packets between 10.0.0.7 and external hosts such as 74.125.236.175 and 123.176.32.153, with Size, Protocol, Port and Time columns.]

FIGURE 9.4: Sniff-O-Matic Stop capture
6. In the list of captured packets, select a packet to view detailed information.
From the captured packets, detailed information such as Header Length, Protocol, Header Checksum, Source IP, Destination IP, etc. can be viewed by selecting a particular packet.

[Screenshot: Sniff-O-Matic 1.07 Trial Version with a selected TCP packet from 123.176.32.153 to 10.0.0.7. The tree view decodes the IP header (Version 4, Header Length 5 (20 bytes), Type Of Service 0x00, Total Length 40, Identification 0xABD3, Flags 0x00, Fragment offset 0x0000, Time To Live 61, Protocol 6 (TCP), Header Checksum 0x2BA5, Source IP 123.176.32.153, Dest. IP 10.0.0.7) and the TCP header (Source Port 80 (HTTP), Destination Port 2762, Seq Number 0x9ACBE781, ACK Number 0xFDD7CE13, Offset 5 (20 bytes), Flags 0x18, Window Size 14503, Checksum 0x7728, Urgent Pointer 0x0000), alongside the raw hex dump.]

FIGURE 9.5: Sniff-O-Matic Viewing packet information
7. In the right pane, select items from the tree and the data for the respective item will be highlighted in red.
[Screenshot: the same packet with tree items selected; the TCP header node is expanded to show the individual flag bits (FIN, SYN, RST, PUSH, ACK, URG, ECE, CWR), Window Size 14503, Checksum 0x7728 and Urgent Pointer 0x0000, and the corresponding bytes are highlighted in the raw hex/ASCII view.]

Note: Port numbers can occasionally be seen in a web or other URL. By default, HTTP uses port 80 and HTTPS uses port 443, but a URL such as http://www.example.com:8080/path/ specifies that the web resource be served by the HTTP server on port 8080.
8. To search the captured data for a password, open the Find dialog.
9. Type the string to search for (this lab searches for pwd), choose whether to match the ASCII or the hex view and whether to match case, and click Find.

Note: Detailed packet information is available in a tree structure or a raw data view of the packet data.

[Screenshot: the Find dialog over the packet list. The currently selected packet is an HTTP/1.1 200 OK response from 123.108.40.33:80 to 10.0.0.7:2723 (Total Length 1500, Time To Live 54, Data length 1460), shown with its decoded headers and raw hex/ASCII dump.]

FIGURE 9.8: Sniff-O-Matic Performing password search
10. An icon (packets with binoculars) will appear for the found packets, as shown in the following screenshot.
Note: Sniff-O-Matic's key features include: capture IP packets on your LAN without packet loss; monitor network activity in real time; filters to show only the packets you want; real-time checksum calculation; save and load captured packets; auto start capturing and continuous capture; traffic charts with filter info.

[Screenshot: Sniff-O-Matic 1.07 Trial Version; found packets carry a binoculars icon in the packet list. The selected packet is a TCP ACK from 74.125.236.182:443 (HTTPS) to 10.0.0.7:1049 (Total Length 40, Time To Live 56, Flags 0x10, Window Size 65535).]
11. Select the found packet and scroll down the data list for the information, which will be indicated in blue.
Note: Packets captured using Sniff-O-Matic allow you to sniff a password that was sent in cleartext. If an attacker is able to capture these packets, he can easily identify the password and log in to the network as an authenticated user. Attackers will have an advantage if they discover that the same password is being used for all the computers.

[Screenshot: the found packet, an HTTP request from 10.0.0.7:2753 to 123.176.32.155:80 (Total Length 729, Time To Live 128, Flags 0x18, Data length 683). In the ASCII view the request body, including a Cookie header and the login form field pwd, is highlighted.]
12. To mark the packets, right-click the selected packet and click Mark.
[Screenshot: Sniff-O-Matic 1.07 Trial Version with the selected packet (a TCP ACK from 10.0.0.7:2753 to 123.176.32.155:80, Total Length 40, Time To Live 128) being marked from the right-click menu.]
13. Once the packets are marked, they will have a different icon.
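Steps 6 through 13 walk through what Sniff-O-Matic does for you: decode the IP and TCP headers of a selected packet (Figure 9.5) and search the raw data for a string such as pwd (Figure 9.8). The following is an added example, not part of the lab or of Sniff-O-Matic, that does the same in Python on a packet constructed inline: it builds an IPv4/TCP packet carrying a made-up HTTP login POST, decodes the header fields the tree view displays, verifies the IP header checksum the way the tool's real-time checksum calculation does, and pulls the cleartext credential out of the form body. The server address 192.0.2.10, the host name mail.example.test and the form fields login and pwd are assumptions; 10.0.0.7 is the lab workstation's address.

```python
"""Decode an IPv4/TCP packet and search its payload for a cleartext password.

Added example, not part of the lab or of Sniff-O-Matic. It shows the header
fields the tool's tree view presents (Figure 9.5) and what its Find dialog
does when searching for "pwd", on a packet constructed inline.
"""
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, Optional
from urllib.parse import parse_qs

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bits 0..7
HEX_FIELDS = {"identification", "header_checksum", "checksum", "seq", "ack"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                     payload: bytes, ttl: int = 128, flags: int = 0x18,
                     window: int = 64240) -> bytes:
    """Build IPv4 header + TCP header + payload (no Ethernet frame).

    Only the IP header checksum is filled in; the TCP checksum is left zero
    because the decoder below does not validate it.
    """
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         ttl, 6, 0, inet_aton(src_ip), inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x10000000, 0x20000000,
                          5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def decode(packet: bytes) -> Dict[str, object]:
    """Parse the IP and TCP headers the way the tool's tree view lists them."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    # Real-time checksum check: recompute over the header with the field zeroed.
    hdr = packet[:ihl]
    checksum_ok = ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum
    tcp = packet[ihl:total_len]
    (sport, dport, seq, ack, off_res, tflags,
     window, tcsum, urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    return {
        "ip": {"version": 4, "header_length": ihl, "tos": tos,
               "total_length": total_len, "identification": ident,
               "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
               "ttl": ttl, "protocol": proto, "header_checksum": csum,
               "checksum_ok": checksum_ok, "src": inet_ntoa(src), "dst": inet_ntoa(dst)},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "offset": doff,
                "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if tflags >> i & 1],
                "window": window, "checksum": tcsum, "urgent_pointer": urg},
        "payload": tcp[doff:],
    }


def find_credentials(payload: bytes,
                     keys=("pwd", "password", "passwd")) -> Optional[Dict[str, str]]:
    """Pull user/password fields out of a form-encoded HTTP request body.

    This is the automated version of searching the ASCII view for "pwd"; it
    only works because the login was sent over plain HTTP rather than HTTPS.
    """
    text = payload.decode("latin-1")
    if "\r\n\r\n" not in text:
        return None
    body = text.split("\r\n\r\n", 1)[1]
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    secrets = {k: v for k, v in fields.items() if k.lower() in keys}
    if not secrets:
        return None
    user = next((fields[k] for k in ("login", "user", "username", "email") if k in fields), None)
    return {"user": user, **secrets}


# Constructed sample: a login POST as a browser would send it over plain HTTP.
# 10.0.0.7 is the lab workstation; the server, host name and fields are made up.
SAMPLE_REQUEST = (b"POST /inbox.php HTTP/1.1\r\n"
                  b"Host: mail.example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 23\r\n\r\n"
                  b"login=alice&pwd=s3cret!")
SAMPLE_PACKET = build_tcp_packet("10.0.0.7", "192.0.2.10", 2753, 80, SAMPLE_REQUEST)


if __name__ == "__main__":
    info = decode(SAMPLE_PACKET)
    for section in ("ip", "tcp"):
        for field, value in info[section].items():
            print(f"{section.upper()} {field} = {hex(value) if field in HEX_FIELDS else value}")
    print("Credentials:", find_credentials(info["payload"]))
```

The checksum check is what separates a sniffer from a hex dump: a packet whose header checksum fails was either corrupted in transit or altered after capture, which is the first thing to look at before trusting its contents.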
Note: The tool's features include protocol and port data; the program displays source and destination IP addresses and raw packet information. The program offers no IP address to domain name conversion.

[Screenshot: marked packets shown with a different icon in the packet list. The selected packet is HTTP traffic from 123.176.32.155:80 to 10.0.0.7 (Total Length 60, Protocol 6 (TCP), Header Checksum 0xC1F6, Flags 0x18, Window Size 22737, Data length 20).]
Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Sniff-O-Matic
Information Collected/Objectives Achieved:
Header Length: 5
Time To Live: 61
Protocol: 6
Header Checksum: 0xC1F6
Source IP: 123.176.32.155
Dest. IP: 10.0.0.7
Source Port: 80 (HTTP)
Destination Port: 2753
Username and password
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.
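ARP cache poisoning works because ARP replies carry no authentication, so the defences are to pin the bindings that matter (static ARP entries for the gateway, Dynamic ARP Inspection on switches that validates replies against the DHCP snooping table) and to watch the segment for the symptoms. The following is an added example, not part of the lab, of the watching half: a small detector over a list of ARP replies that alerts when an IP address changes its MAC, when a reply contradicts a pinned binding, and when one MAC starts claiming several IP addresses. The replies and MAC addresses in SAMPLE_REPLIES are constructed (10.0.0.7 is the lab workstation's address); a real deployment would feed the function replies taken from a capture library.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not part of the lab. ARP replies are unauthenticated, so a
poisoned cache shows up on the wire as an IP address whose MAC changes, a
reply that contradicts a pinned binding, or one MAC claiming several IPs
(typically the gateway plus its victims).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (timestamp in seconds, sender IP, sender MAC) taken from an ARP reply
ArpReply = Tuple[float, str, str]


def detect_arp_poisoning(replies: Iterable[ArpReply],
                         static_bindings: Optional[Dict[str, str]] = None,
                         max_ips_per_mac: int = 2) -> List[str]:
    """Return one alert string per suspicious event, in arrival order.

    static_bindings maps IP -> expected MAC for hosts you pin (the gateway,
    DNS, DHCP server), the same information a static ARP entry or a switch's
    DHCP snooping table gives Dynamic ARP Inspection. max_ips_per_mac allows
    for legitimate multi-homed hosts before a MAC is flagged.
    """
    pinned = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned: Dict[str, str] = {}
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = pinned.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ts:.1f}: {ip} claimed by {mac}, static binding says {expected}")
        elif ip in learned and learned[ip] != mac:
            alerts.append(f"{ts:.1f}: {ip} changed from {learned[ip]} to {mac}")
        learned[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:   # fire once per MAC
            claimed = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append(f"{ts:.1f}: {mac} now claims {len(ips_by_mac[mac])} IPs: {claimed}")
    return alerts


# Constructed sample: a quiet segment, then an attacker at .9 poisoning both
# the gateway's and a workstation's entries. MAC addresses are made up.
SAMPLE_REPLIES: List[ArpReply] = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway answers normally
    (1.0, "10.0.0.7", "00:11:22:33:44:07"),   # workstation (the lab host)
    (2.0, "10.0.0.9", "00:11:22:33:44:09"),   # attacker's own address
    (5.0, "10.0.0.1", "00:11:22:33:44:09"),   # attacker claims the gateway
    (5.5, "10.0.0.7", "00:11:22:33:44:09"),   # ... and the workstation
]
GATEWAY_BINDING = {"10.0.0.1": "00:11:22:33:44:01"}


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_BINDING):
        print("ALERT", line)
```

A MAC change on its own is not proof of an attack (a replaced NIC or a failover pair will also trigger it), which is why pinning the gateway and other critical hosts is the higher-value control: a contradiction of a pinned binding needs no history and cannot be explained away.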