
CEH Lab Manual

Sniffers
Module 08

Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.


Lab Scenario
Sniffing is a technique used to intercept data in information security, where many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.
Network sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes. A packet sniffer is also referred to as a network monitor; it is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, to troubleshoot them.


Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in a cleartext format. An attacker can easily intrude into a network using this login information and compromise other systems on the network. Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers, and he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, and know the types of information that can be detected from the captured data and use the information to keep the network running smoothly.

Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:
- Sniff the network
- Analyze incoming and outgoing packets
- Troubleshoot the network for performance
- Secure the network from attacks

CEH Lab Manual Page 585

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In this lab, you need:
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 80 Minutes

Overview of Sniffing a Network
Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in sniffing the network:
- Sniffing the network using the Colasoft Packet Builder
- Sniffing the network using the OmniPeek Network Analyzer
- Spoofing MAC address using SMAC
- Sniffing the network using the WinArpAttacker tool
- Analyzing the network using the Colasoft Network Analyzer
- Sniffing passwords using Wireshark
- Performing man-in-the-middle attack using Cain & Abel
- Advanced ARP spoofing detection using XArp
- Detecting systems running in promiscuous mode in a network using PromqryUI
- Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.


Lab Scenario
From the previous scenario, you are now aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.


Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

In this lab, you need:
- OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
- You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as host machine
- Windows 8 running on virtual machine as target machine
- A web browser and Microsoft .NET Framework 2.0 or later
- Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek682demo.exe
- Administrative privileges to run tools



Lab Duration
Time: 20 Minutes

Overview of OmniPeek Network Analyzer
OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.

Lab Tasks
TASK 1
Installing OmniPeek Network Analyzer

1. Install OmniPeek Network Analyzer on the host machine Windows Server 2012.

2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 1.1: Windows Server 2012 Desktop view

3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.

OmniPeek Enterprise provides users with the visibility and analysis they need to keep Voice and Video applications and non-media applications running optimally on the network.

FIGURE 1.2: Windows Server 2012 Start menu


To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.

4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.

FIGURE 1.3: OmniPeek main screen (New Capture, Open Capture File, View OmniEngines, Start Monitor)

5. Launch Windows 8 Virtual Machine.

Starting New Capture

6. Now, in Windows Server 2012 create an OmniPeek capture window as follows:

a. Click the New Capture icon on the main screen of OmniPeek.

b. View the General options in the OmniPeek Capture Options dialog box when it appears.

c. Leave the default general settings and click OK.

OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

FIGURE 1.4: OmniPeek capture options - General (Capture title: Capture 1; Continuous capture; Capture to disk, File path: C:\Users\Administrator\Documents\Capture 1; Buffer size: 100 megabytes)


d. Click Adapter and select Ethernet in the list for Local machine. Click OK.

Network Coverage: With the Ethernet, Gigabit, 10G, and wireless capabilities, you can now effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

FIGURE 1.5: OmniPeek capture options - Adapter (Local machine: WIN-MSSELCK4K41; Ethernet adapter: Realtek PCIe GBE Family Controller, Link Speed 100 Mbits/s)

7. Now, click Start Capture to begin capturing packets. The Start Capture tab changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.

Dashboards display important data that every network engineer needs to know regarding the network without spending lots of time analyzing the captured data.

FIGURE 1.6: OmniPeek creating a capture window


OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines, acting as both a full-featured network analyzer and a console for remote network analysis.

8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

FIGURE 1.7: OmniPeek statistical analysis of the data (Network Utilization, 1 Minute Window, 1 Second Average; Top Talkers by IP address; Top Protocols, including DNS and TCP; Packets: 1,973; Duration: 0:01:25)

9. To view the captured packets, select Packets in the Capture section of the Dashboard in the left pane of the window.

The OmniPeek Peer Map shows all communicating nodes within your network and is drawn as a vertically oriented ellipse, able to grow to the size necessary. It is easy to read the maps: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or active nodes, or to any OmniPeek filters that may be in use.

FIGURE 1.8: OmniPeek displaying Packets captured (Source, Destination, Size, Relative Time, Protocol and Summary columns; Packets: 2,000)

10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.

11. You can view Nodes and Protocols from the Statistics section of the Dashboard.


On-the-Fly Filters: You shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets select related feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis, with a simple right click of the mouse.

FIGURE 1.9: OmniPeek statistical reports of Nodes

12. You can view a complete Summary of your network from the Statistics section of the Dashboard.

Alarms and Notifications: Using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

FIGURE 1.10: OmniPeek Summary details

13. To save the result, select File -> Save Report.


Using OmniPeek's local capture capabilities, a centralized console distributes OmniEngine intelligent software probes, Omnipliance, Timeline network recorders, and Expert Analysis.

FIGURE 1.11: OmniPeek saving the results

14. Choose the format of the report type from the Save Report window and then click Save.

Engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.

FIGURE 1.12: OmniPeek Selecting the Report format (Report type: PDF Report; Report folder: C:\Users\Administrator\Documents\Reports\Capture 1; Report description: PDF reports contain Summary Statistics, Node Statistics, Protocol Statistics, Node/Protocol Detail Statistics, Expert Stream and Application Statistics, Voice and Video, Wireless Node and Channels Statistics, and graphs)

15. The report can be viewed as a PDF.


Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill-down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.

FIGURE 1.13: OmniPeek Report in PDF format (OmniPeek Report: 9/15/2012 12:21:22; Start: 9/15/2012 12:02:46; Duration: 0:01:25; Total Bytes: 1014185; Total Packets: 2000; sections: Statistics, Summary, Nodes, Protocols, Expert, Flows, Applications, Voice & Video, Graphs, Packet Sizes, Network Utilization)

Lab Analysis
Analyze and document the results related to the lab exercise.


Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:
  Network Information: Network Utilization, Current Activity, Top Talkers by IP Address, Top Protocols
  Packets Information: Source, Destination, Size, Protocol
  Nodes Statistics: Total Bytes for a Node, Packets Sent, Packets Received, Broadcast/Multicast Packets
  Summary includes information such as: General, Network, Errors, Counts, Size Distribution
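The figures in this table can be reproduced from raw frames with a short decoder. The following Python is an added example, not code from the lab manual or from WildPackets: it decodes constructed Ethernet II/IPv4/TCP/UDP frames into the Packets-view fields (source, destination, size, protocol) and builds the Summary, Nodes, Protocols and Top Talkers counters that the OmniPeek dashboards in this lab report. The frames, MAC addresses and IP addresses are constructed for the example (some values borrowed from the screenshots above).

```python
"""Node and protocol statistics from raw Ethernet frames, in the spirit of the
OmniPeek views above. Added example: not code from the lab manual or WildPackets."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
BROADCAST = b"\xff" * 6


def mac_str(raw):
    """Render 6 raw bytes as 00-11-22-33-44-55 (the Windows/OmniPeek style)."""
    return "-".join(f"{b:02X}" for b in raw)


def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP/UDP headers into the fields the Packets
    view shows: source, destination, size and protocol (plus ports when present)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {
        "size": len(frame),
        "src": mac_str(src_mac), "dst": mac_str(dst_mac),
        "broadcast": dst_mac == BROADCAST,
        # IEEE group bit (low bit of the first octet) marks multicast; broadcast is counted apart
        "multicast": bool(dst_mac[0] & 0x01) and dst_mac != BROADCAST,
        "protocol": "ARP" if ethertype == ETHERTYPE_ARP else f"EtherType 0x{ethertype:04X}",
    }
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return rec                      # non-IP frame: report link-layer addresses only
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes (options included)
    proto = ip[9]
    rec["src"] = ".".join(str(b) for b in ip[12:16])
    rec["dst"] = ".".join(str(b) for b in ip[16:20])
    rec["protocol"] = PROTO_NAMES.get(proto, f"IP protocol {proto}")
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP both start with the two ports
        rec["sport"], rec["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return rec


def node_statistics(frames):
    """Summary counters, per-node sent/received/bytes and per-protocol packet
    counts, i.e. the Summary, Nodes and Protocols dashboards of the lab."""
    summary, nodes, protocols = Counter(), defaultdict(Counter), Counter()
    for frame in frames:
        rec = parse_frame(frame)
        summary["packets"] += 1
        summary["bytes"] += rec["size"]
        summary["broadcast"] += int(rec["broadcast"])
        summary["multicast"] += int(rec["multicast"])
        protocols[rec["protocol"]] += 1
        nodes[rec["src"]]["sent"] += 1
        nodes[rec["src"]]["bytes"] += rec["size"]
        nodes[rec["dst"]]["received"] += 1
        nodes[rec["dst"]]["bytes"] += rec["size"]
    return summary, nodes, protocols


def top_talkers(nodes, n=3):
    """Nodes ranked by total bytes, as in the Network dashboard's Top Talkers."""
    return sorted(nodes.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed test frame: IPv4 checksum left zero, TCP padded to a 20-byte header."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


# Constructed sample traffic: one TCP/443 exchange, a DNS query, and a broadcast ARP frame.
SAMPLE_FRAMES = [
    build_frame("001122334455", "66778899aabb", "10.0.0.2", "173.194.36.4", 6, 1769, 443, b"A" * 100),
    build_frame("66778899aabb", "001122334455", "173.194.36.4", "10.0.0.2", 6, 443, 1769, b"B" * 1400),
    build_frame("001122334455", "66778899aabb", "10.0.0.2", "10.0.0.1", 17, 53123, 53, b"C" * 40),
    bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    summary, nodes, protocols = node_statistics(SAMPLE_FRAMES)
    print("Summary:", dict(summary), "Protocols:", dict(protocols))
    for node, counters in top_talkers(nodes):
        print(node, dict(counters))
```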

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Lab

Spoofing MAC Address Using SMAC
SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

Lab Scenario
In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network. If an administrator does not have a certain level of working skill with a packet sniffer, it is really hard to defend against intrusions. So as an expert ethical hacker and penetration tester, you must spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.


Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.

Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

In the lab, you need:
- SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
- You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as Host and Windows Server 2008 as Virtual Machine
- Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
- Administrative privileges to run tools
- A web browser with Internet access

Lab Duration
Time: 10 Minutes

Overview of SMAC
SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Card (NIC) on Windows 2003 systems, regardless of whether the manufacturers allow this option.

SMAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses.

Spoofing a MAC address is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems, i.e., wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).)

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

SMAC works on the Network Interface Card (NIC), which is on the Microsoft hardware compatibility list (HCL).

FIGURE 2.1: Windows Server 2012 Desktop view

2. Click the SMAC 2.7 app in the Start menu to launch the tool.

When you start the SMAC program, you must start it as the administrator. You can do this by right-clicking on the SMAC program icon and clicking "Run as Administrator" if not logged in as an administrator.

FIGURE 2.2: Windows Server 2012 Start menu


TASK 1
Spoofing MAC Address

3. The SMAC main screen appears. Choose a network adapter to spoof a MAC address.

SMAC helps people to protect their privacy by hiding their real MAC Addresses in the widely available Wi-Fi Wireless Network.

FIGURE 2.3: SMAC main screen (SMAC 2.7 Evaluation Mode - KLC Consulting: www.klcconsulting.net; adapter list with ID, Active, Spoofed, Network Adapter and IP Address columns; Hyper-V Virtual Ethernet Adapter #2 and #3; New Spoofed MAC Address, Spoofed MAC Address and Active MAC Address fields; Network Connection and Hardware ID fields)

4. To generate a random MAC address, click Random.

FIGURE 2.4: SMAC Random button to generate MAC addresses (Update MAC, Restart Adapter, Random, Refresh, Remove MAC, IPConfig, MAC List, Exit)

5. Clicking the Random button also inputs the New Spoofed MAC Address to simplify MAC address spoofing.


SMAC also helps Network and IT Security professionals to troubleshoot network problems, test Intrusion Detection / Prevention Systems (IDS/IPS), test Incident Response plans, build high-availability solutions, recover (MAC Address based) software licenses, etc.

FIGURE 2.5: SMAC selecting a new spoofed MAC address (the randomly generated address is shown in the New Spoofed MAC Address field together with the vendor name of its OUI)

6. The Network Connection or Adapter fields display their respective names.

7. Click the forward arrow button in Network Connection to display the Network Adapter information.

FIGURE 2.6: SMAC Network Connection information (vEthernet (Realtek PCIe GBE Family Controller Virtual Switch))

8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.

SMAC does not change the hardware burned-in MAC addresses. SMAC changes the software-based MAC addresses, and the new MAC addresses you change are sustained across reboots.

FIGURE 2.7: SMAC Network Adapter information (Hyper-V Virtual Ethernet Adapter #2)

9. Similarly, the Hardware ID and Configuration ID display their respective names.

10. Click the forward arrow button in Hardware ID to display the Configuration ID information.

FIGURE 2.8: SMAC Hardware ID display (vms_mp)

11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.

FIGURE 2.9: SMAC Configuration ID display


12. To bring up the ipconfig information, click IPConfig.

TASK 2
Viewing IPConfig Information

FIGURE 2.10: SMAC to view the information of IPConfig

13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.

The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.

FIGURE 2.11: SMAC IPConfig information (Windows IP Configuration for host WIN-MSSELCK4K41; Ethernet adapter vEthernet (Virtual Network Internal Adapter): Hyper-V Virtual Ethernet Adapter #3, DHCP Enabled: Yes, Autoconfiguration IPv4 Address 169.254.103.138, Subnet Mask 255.255.0.0)

14. You can also import the MAC address list into SMAC by clicking MAC List.

FIGURE 2.12: SMAC listing MAC addresses


15. If there is no address in the MAC address field, click Load List to select a MAC address list file you have created.

FIGURE 2.13: SMAC MAC List window

16. Select the Sample_MAC_Address_List.txt file from the Load MAC List window.

When changing the MAC address, you MUST assign MAC addresses according to the IANA Number Assignments database. For example, "00-00-00-00-00-00" is not a valid MAC address; therefore, even though you can update this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver; however, the device will not function.
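The validity rule in the note above is the kind of check a network administrator can automate when reviewing a host inventory for malformed, cloned or software-assigned MAC addresses. The Python script below is an added example and is not part of the SMAC lab or the SMAC software: it parses the common MAC notations, decodes the address bits that make an address unusable (all-zero, broadcast, multicast) or locally administered, and audits a constructed inventory. The three-entry OUI table (Microsoft Hyper-V and VMware prefixes) is an illustrative stand-in for a full vendor registry lookup.

```python
import re

# Illustrative vendor table, constructed for this example; a production check
# would consult the full IEEE OUI registry. These three prefixes are well known.
KNOWN_OUIS = {
    "00:15:5d": "Microsoft (Hyper-V)",
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
}

# Constructed asset inventory: (hostname, MAC as recorded). Not real hosts.
SAMPLE_INVENTORY = [
    ("srv01", "00:15:5D:01:02:03"),   # Hyper-V guest, normal
    ("ws02", "02:00:00:aa:bb:cc"),    # locally administered: set by software, worth a look
    ("ws03", "00-00-00-00-00-00"),    # the all-zero address the note above rejects
    ("ws04", "00:15:5D:01:02:03"),    # same MAC as srv01: one of them is spoofed or cloned
    ("ws05", "zz"),                   # junk entry
]


def normalize_mac(text):
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e and return the
    lowercase colon form; raise ValueError for anything that is not six hex bytes."""
    if not re.fullmatch(r"[-:.0-9a-fA-F]+", text):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def classify_mac(text):
    """Decode the address bits that decide whether a NIC can use the address."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "all_zero": mac == "00:00:00:00:00:00",
        "broadcast": mac == "ff:ff:ff:ff:ff:ff",
        "multicast": bool(first_octet & 0x01),             # I/G bit: group address
        "locally_administered": bool(first_octet & 0x02),  # U/L bit: not vendor-assigned
        "vendor": KNOWN_OUIS.get(mac[:8]),
    }


def usable_as_nic_address(text):
    """A station address must be a non-zero unicast address."""
    c = classify_mac(text)
    return not (c["all_zero"] or c["broadcast"] or c["multicast"])


def audit_inventory(records):
    """Return (host, address, finding) tuples a defender would review: malformed or
    unusable addresses, locally administered addresses (a sign the MAC was set in
    software), and one MAC reported by more than one host."""
    findings, seen = [], {}
    for host, raw in records:
        try:
            c = classify_mac(raw)
        except ValueError as err:
            findings.append((host, raw, f"malformed: {err}"))
            continue
        if not usable_as_nic_address(raw):
            findings.append((host, c["mac"], "not a valid unicast NIC address"))
        elif c["locally_administered"]:
            findings.append((host, c["mac"], "locally administered (U/L bit set)"))
        if c["mac"] in seen and seen[c["mac"]] != host:
            findings.append((host, c["mac"], f"duplicate of {seen[c['mac']]}"))
        seen.setdefault(c["mac"], host)
    return findings


if __name__ == "__main__":
    for host, mac, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host:6} {mac:18} {finding}")
```

The locally administered finding is deliberately a review item rather than an error: virtual switches and some teaming drivers legitimately set the U/L bit, so the audit reports it and lets the administrator decide, while the all-zero and duplicate cases are unambiguous.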


[Screenshot: Load MAC List file dialog open in the folder ProgramData\KLC\SMAC, listing LicenseAgreement.txt and Sample_MAC_Address_List.txt, file type filter Text Format (*.txt)]

FIGURE 2.14: SMAC MAC List window


17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC Address and click Select. This MAC Address will be copied to New Spoofed MAC Address on the main SMAC screen.
SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.


SMAC displays the following information about a Network Interface Card (NIC): Device ID, Active Status, NIC Description, Spoofed Status, IP Address, Active MAC Address, Spoofed MAC Address, NIC Hardware ID, and NIC Configuration ID.

[Screenshot: SMAC MAC List window showing the addresses loaded from C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt]

FIGURE 2.15: SMAC MAC List window

18. To restart the Network Adapter, click Restart Adapter, which restarts the selected Network Adapter. Restarting the adapter causes a temporary disconnection of your Network Adapter.

FIGURE 2.16: SMAC Restarting Network Adapter

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected/Objectives Achieved: Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required: [ ] Yes [ ] No
Platform Supported: [ ] Classroom [ ] iLabs


Sniffing a Network Using the WinArpAttacker Tool
WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).


Lab Scenario
You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker too can alter his or her MAC address and attempt to evade network intrusion detection systems, bypass access control lists, and impersonate an authenticated user, and can continue to communicate within the network when the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches. As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more MAC addresses for each port. Another way to avoid attacker sniffing on your network is by using static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and protect it from attacks.

Lab Objectives
The objectives of this lab are to:
- Scan, detect, protect, and attack computers on local area networks (LANs)
- Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
- Save and load computer list files, and scan the LAN regularly for a new computer list
- Update the computer list in passive mode using sniffing technology


- Freely provide information regarding the type of operating systems they employ
- Discover the kind of firewall, wireless access point, and remote access in use
- Discover any published information on the topology of the network
- Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
- Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:
- WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
- You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as target machine
- A computer updated with network devices and drivers
- Installed version of WinPcap drivers
- Double-click WinArpAttacker.exe to launch WinArpAttacker
- Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 10 Minutes

WinArpAttacker works on computers running Windows /2003.

Overview of Sniffing
Sniffing is performed to collect basic information about a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
TASK 1
Scanning Hosts on the LAN

1. Launch the Windows 8 Virtual Machine.

2. Launch WinArpAttacker in the host machine.


[Screenshot: WinArpAttacker 3.5 main window with the File, Scan, Attack, Detect, Options, View and Help menus, a host list with the columns IP, Mac, Hostname, Online, Sniffing, Attack, ArpSQ, ArpSP, ArpRQ and ArpRP (hosts 10.0.0.1 to 10.0.0.8), and the start-up notice "Caution: This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the author (unshadow). If you don't agree with this, you must delete it immediately."]

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network.

FIGURE 3.1: WinArpAttacker main window

3. Click the Scan option from the toolbar menu and select Scan LAN.

4. The scan shows the active hosts on the LAN in a very short period of time (2-3 seconds).

5. The Scan option has two modes: Normal scan and Antisniff scan.

The Scan option can scan and show the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff. The second is to find who is sniffing on the LAN.

[Screenshot: WinArpAttacker Scan menu expanded, offering Normal scan and Antisniff scan, above the host list for 10.0.0.1 to 10.0.0.8]

FIGURE 3.2: WinArpAttacker Scan options

6. Scanning saves and loads a computer list file and also scans the LAN regularly for new computer lists.


In this tool, attacks can pull and collect all the packets on the LAN.

[Screenshot: WinArpAttacker host list after the scan, showing 10.0.0.1 to 10.0.0.8 with host names (including WIN-MSSELCK..., WINDOWS8, WORKGROUP, ADMIN) and Online status, and an event log of New_Host and Arp Scan events dated 2012-09-17; the status bar reads On: 7 Off: 0 Sniffing: 0]

FIGURE 3.3: WinArpAttacker Loading a Computer list window

7. By performing the attack action, scanning can pull and collect all the packets on the LAN.

TASK 2
ARP Attack

8. Select a host (10.0.0.5 Windows Server 2008) from the displayed list and select Attack > Flood.

The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

[Screenshot: WinArpAttacker Attack menu opened on host 10.0.0.5, listing the ARP attack types; the status bar reads On: 7 Off: 0 Sniffing: 0]

FIGURE 3.4: WinArpAttacker ARP Attack type

9. Scanning acts as another gateway or IP-forwarder without other users' recognition on the LAN, while spoofing ARP tables.

10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward functions are counted, as shown in the main interface.
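Steps 9 and 10 describe the attacker side: a station that answers ARP for the gateway and forwards the traffic. From the administrator's side, the Lab Scenario names the two controls that matter here: noticing odd MAC addresses and pinning static ARP entries. The Python below is an added example, not part of WinArpAttacker or the lab: it replays a constructed ARP reply log (addresses modelled on the lab's 10.0.0.x LAN, timings made up) and raises alerts for a gateway whose MAC changes, one MAC claiming several IPs, and a reply burst of the kind the Flood option produces; the 50-replies-per-second threshold is an assumed tuning value. It also renders a trusted baseline as netsh static neighbor entries, which is the static ARP defence the scenario recommends.

```python
from collections import defaultdict

# Constructed ARP reply log for this example: (seconds, sender_ip, sender_mac).
# 10.0.0.1 is the gateway. From t=30 one station (00:aa:bb:cc:dd:05, normally
# 10.0.0.5) also answers for the gateway, and at t=40 it emits a burst of
# replies for 10.0.0.7. None of these MACs belong to real hardware.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.0, "10.0.0.5", "00:aa:bb:cc:dd:05"),
    (3.0, "10.0.0.7", "00:11:22:33:44:07"),
    (30.0, "10.0.0.1", "00:aa:bb:cc:dd:05"),
] + [(40.0 + i * 0.01, "10.0.0.7", "00:aa:bb:cc:dd:05") for i in range(60)]

GATEWAY_IP = "10.0.0.1"
FLOOD_THRESHOLD = 50  # ARP replies per second from one MAC; an assumed tuning value


def detect_arp_anomalies(replies, gateway_ip=GATEWAY_IP, flood_threshold=FLOOD_THRESHOLD):
    """Return (severity, message) alerts for three ARP abuse patterns: an IP whose
    MAC changes (a poisoned entry, critical when it is the gateway), one MAC that
    claims several IPs (a station posing as another host), and a reply burst."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    per_second = defaultdict(int)
    multi_alerted, flood_alerted = set(), set()
    alerts = []
    for t, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((severity, f"{ip} changed from {prev} to {mac} at t={t:g}"))
        ip_to_mac[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in multi_alerted:
            multi_alerted.add(mac)
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(("warning", f"{mac} claims several IPs: {claimed}"))

        key = (mac, int(t))          # replies per whole second per sender MAC
        per_second[key] += 1
        if per_second[key] > flood_threshold and mac not in flood_alerted:
            flood_alerted.add(mac)
            alerts.append(("critical",
                           f"{mac} sent more than {flood_threshold} ARP replies in second {int(t)}"))
    return alerts


def static_arp_commands(baseline, interface="Ethernet"):
    """Render a trusted ip->mac baseline as Windows 'netsh interface ipv4 add
    neighbors' commands, i.e. the static ARP entries the lab scenario recommends.
    The interface name is an assumption; use the name shown by ipconfig."""
    return [
        f'netsh interface ipv4 add neighbors "{interface}" {ip} {mac.replace(":", "-")}'
        for ip, mac in sorted(baseline.items())
    ]


if __name__ == "__main__":
    for severity, message in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(f"[{severity}] {message}")
    for command in static_arp_commands({GATEWAY_IP: "00:11:22:33:44:01"}):
        print(command)
```

The first three replies produce no alerts, which is the baseline a detector should learn from; the alert for the gateway fires on the first conflicting reply, before any forwarded traffic is counted, so it is the earliest signal of the behaviour in step 9.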


The BanGateway option tells the gateway wrong MAC addresses of target computers, so the targets can't receive packets from the Internet. This attack is to forbid the targets access to the Internet.

[Screenshot: WinArpAttacker main window during the attack; the host list shows 10.0.0.1 to 10.0.0.8 with Online status and the ArpSQ, ArpSP, ArpRQ and ArpRP counters, and the status bar reads On: 7 Off: 0 Sniffing: 0]

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

The IPConflict option, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may not be able to work because of regular IP conflict messages. In addition, the targets can't access the LAN.

11. Click Save to save the report.

[Screenshot: WinArpAttacker 3.5 2006.6.4 menu bar (File, Scan, Attack, Detect, Options, View, Help) and toolbar (New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up, About)]

FIGURE 3.6: WinArpAttacker toolbar options

12. Select a desired location and click Save to save the report.

Lab Analysis
Analyze and document the scanned and attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected/Objectives Achieved: Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. WinArp

Internet Connection Required: [ ] Yes [ ] No
Platform Supported: [ ] Classroom [ ] iLabs


Analyzing a Network Using the Capsa Network Analyzer
Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.


Lab Scenario
Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol. To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.


Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
- Network traffic analysis and communication monitoring
- Network communication monitoring
- Network problem diagnosis
- Network security analysis
- Network performance detecting
- Network protocol analysis


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
- Colasoft Capsa Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer
- You can also download the latest version of Colasoft Capsa Network Analyzer from the link http://www.colasoft.com
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as host machine
- Windows 8 running on virtual machine as target machine
- Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
- Administrative privileges to run tools
- A web browser with an Internet connection

Note: Colasoft Capsa Network Analyzer runs on Server 2003/Server 2008/7 with 64-bit Edition.

This lab requires an active Internet connection for license key registration.

Lab Duration
Time: 20 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information about the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be Active or Passive.

Lab Tasks
TASK 1
Analyze Network

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

[Screenshot: Windows Server 2012 desktop (Release Candidate Datacenter evaluation copy)]

FIGURE 4.1: Windows Server 2012 Desktop view


2. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool.

FIGURE 4.2: Windows Server 2012 Start menu

3. The Colasoft Capsa 7 Free - Activation Guide window will appear. Type the activation key that you received in your registered email and click Next.

[Screenshot: Colasoft Capsa 7 Free - Activation Guide window with the License Information fields (User Name, Company, Serial Number), a "Click here to get your serial number..." link, the options Activate Online (Recommended) and Activate Offline, and the Next, Cancel and Help buttons; the dialog asks users to contact capsafree@colasoft.com with any question]

FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer Activation Guide window


4. Continue to click Next on the Activation Guide and click Finish.

[Screenshot: Colasoft Capsa 7 Free - Activation Guide reporting "Successfully activated!" with Finish and Help buttons]

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer Activation successful

5. The Colasoft Capsa 7 Free Network Analyzer main window appears.

[Screenshot: Capsa main window listing the adapters (Wired Network Adapter, Ethernet, vEthernet (Virtual Network Internal Adapter)) with their IP addresses, speed, packet and byte counts and utilization; the Capture Filter reads "No filter selected, accept all packets"; the Full Analysis profile is selected ("To provide comprehensive analysis of all the applications and network problems. Plugin module loaded: MSN, Yahoo Messenger"), alongside the profiles Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis and IM Analysis]

As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

FIGURE 4.5: Colasoft Capsa Network Analyzer main screen


6. In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project.

[Screenshot: Capsa Capture tab with the Ethernet adapter check box selected (IP 10.0.0.2), the Full Analysis profile highlighted and the Start button]

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a New Project

7. Dashboard provides various graphs and charts of the statistics. You can view the analysis report in a graphical format in the Dashboard section of Node Explorer.

The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.

[Screenshot: Capsa Dashboard tab with the charts Total Traffic by Bytes, Top Application Protocols by Bytes and Top IP Total Traffic by Bytes, alongside the Node Explorer (Protocol Explorer, Physical Explorer, IP Explorer) and Online Resource panes]

FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard


8. The Summary tab provides full general analysis and statistical information of the selected node in the Node Explorer window.

A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is idle.

[Screenshot: Capsa Summary tab showing the Diagnosis counts (Information, Notice, Warning, Critical), the Traffic totals (Total, Broadcast, Multicast, Average Packet Size) and the Packet Size Distribution buckets (<=64, 128-255, 256-511, 512-1023, 1024-1517, >=1518); the capture has run for 00:14:43 on the Ethernet adapter]

FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

9. The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols.

10. To view the slow response of TCP, click TCP Slow Response in Transport Layer, which in turn will highlight the slowest response in Diagnosis Events.

[Screenshot: Capsa Diagnosis tab; the Diagnosis Item pane lists Application Layer (DNS Server Slow Response, HTTP Server Slow Response), Transport Layer (TCP Retransmission, TCP Slow Response, TCP Duplicated Acknowledgement) and Network Layer; the Diagnosis Address pane lists 10.0.0.2 and several 74.125.x.x, 207.218.235.x and 178.255.x.x hosts; the Diagnosis Events pane shows Performance events in the Transport layer with descriptions of the form "TCP Slow ACK (Packet [n] and Packet [m] from ... ms)"]

FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnoses
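The TCP Slow Response item in steps 9 and 10 works by pairing each data-carrying segment with the acknowledgement that covers it and flagging the pairs whose gap exceeds a threshold. The Python below is an added example and is not Capsa's code: it runs that pairing over a constructed seven-packet trace between the lab's endpoints 10.0.0.2:1406 and 207.218.235.182:80 (sequence numbers, sizes and timings are made up), reports slow and missing acknowledgements, and summarizes the worst delay per responder, much as the Diagnosis Address pane ranks hosts. The 200 ms threshold is an assumption; the lab does not state Capsa's default.

```python
# Constructed packet trace: (t_ms, src, dst, seq, ack, payload_len, flags).
# Endpoints follow the lab capture (client 10.0.0.2:1406, web server
# 207.218.235.182:80); all numbers below are invented for the example.
CLIENT = "10.0.0.2:1406"
SERVER = "207.218.235.182:80"
SAMPLE_PACKETS = [
    (0,    CLIENT, SERVER, 1000, 5000, 591,  "PA"),  # HTTP request
    (45,   SERVER, CLIENT, 5000, 1591, 0,    "A"),   # prompt ACK (45 ms)
    (50,   SERVER, CLIENT, 5000, 1591, 1460, "PA"),  # response data
    (345,  CLIENT, SERVER, 1591, 6460, 0,    "A"),   # client ACKs after 295 ms
    (400,  CLIENT, SERVER, 1591, 6460, 58,   "PA"),  # second request
    (2400, SERVER, CLIENT, 6460, 1649, 0,    "A"),   # server ACKs after 2000 ms
    (2450, SERVER, CLIENT, 6460, 1649, 500,  "PA"),  # data that is never acknowledged
]

SLOW_ACK_MS = 200  # assumed threshold for a "slow ACK" event


def find_slow_acks(packets, threshold_ms=SLOW_ACK_MS):
    """For every data-carrying segment, find the first later packet travelling the
    other way whose ACK number covers the segment's last byte and measure the delay.
    Returns one event per segment that was acknowledged too slowly or never at all."""
    events = []
    for i, (t, src, dst, seq, _ack, length, _flags) in enumerate(packets):
        if length == 0:
            continue                      # pure ACKs carry nothing to acknowledge
        end = seq + length                # first byte not yet sent; ACK must reach it
        ack_index, delay = None, None
        for j in range(i + 1, len(packets)):
            t2, src2, dst2, _seq2, ack2, _len2, flags2 = packets[j]
            if src2 == dst and dst2 == src and "A" in flags2 and ack2 >= end:
                ack_index, delay = j, t2 - t
                break
        if ack_index is None:
            events.append({"data_packet": i, "ack_packet": None, "delay_ms": None,
                           "sender": src, "receiver": dst, "verdict": "no ACK seen"})
        elif delay > threshold_ms:
            events.append({"data_packet": i, "ack_packet": ack_index, "delay_ms": delay,
                           "sender": src, "receiver": dst, "verdict": "slow ACK"})
    return events


def slow_ack_summary(events):
    """Worst acknowledgement delay per responder (the side that was slow to ACK),
    ignoring segments for which no ACK was seen."""
    worst = {}
    for e in events:
        if e["delay_ms"] is None:
            continue
        worst[e["receiver"]] = max(worst.get(e["receiver"], 0), e["delay_ms"])
    return worst


if __name__ == "__main__":
    found = find_slow_acks(SAMPLE_PACKETS)
    for e in found:
        print(f"packet {e['data_packet']} from {e['sender']}: {e['verdict']}"
              f" (ack packet {e['ack_packet']}, {e['delay_ms']} ms)")
    print(slow_ack_summary(found))
```

Reading the output the way the Diagnosis tab presents it: a slow ACK is attributed to the receiver, so the 2000 ms event counts against the web server even though the client sent the data, which is why the Diagnosis Address pane lists the remote hosts rather than the local capture point.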


11. Double-click the highlighted Diagnosis Event to view the detailed information of this event.

[Screenshot: Capsa Diagnosis tab with a TCP Slow ACK event selected in the Diagnosis Events pane]

FIGURE 4.10: Analysing Diagnosis Event

12. The T C P S lo w A C K - D a ta S tre a m o f D ia g n o s tic In fo rm a tio n window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information. ^3 * ^ 7 3 ^7 < 3 0 ^! 7 0 ? 8 0 n= < -M * i 30
FIGURE 4.11: TCP Slow ACK Data Stream of Diagnostic Information window
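The Slow ACK check behind these diagnosis events can be reproduced on a plain packet list. The following is an added example, not Capsa's code: the 200 ms threshold, the packet records and the helper names are assumptions made for the illustration.

```python
"""Hypothetical re-implementation of a "TCP Slow ACK" diagnosis check.

A data segment is flagged when the ACK that covers it arrives more than
threshold_ms after the segment was captured. Added example, not Capsa's
own logic; the threshold value is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    number: int      # packet number as shown in the Packet tab
    ts_ms: float     # capture time in milliseconds
    src: str         # "ip:port"
    dst: str
    seq: int
    ack: int
    payload: int     # TCP payload length in bytes
    flags: str       # e.g. "S", "SA", "A", "PA"


def slow_ack_events(packets, threshold_ms=200.0):
    """Return (data_pkt_no, ack_pkt_no, delay_ms) for every data segment whose
    acknowledgement took longer than threshold_ms to arrive."""
    events = []
    ordered = sorted(packets, key=lambda p: p.ts_ms)
    for i, data in enumerate(ordered):
        if data.payload == 0:
            continue  # pure ACKs and handshake segments carry nothing to acknowledge
        need = data.seq + data.payload  # the ACK number that covers this segment
        for ack in ordered[i + 1:]:
            # only the reverse direction of the same flow can acknowledge it
            if (ack.src == data.dst and ack.dst == data.src
                    and "A" in ack.flags and ack.ack >= need):
                delay = ack.ts_ms - data.ts_ms
                if delay > threshold_ms:
                    events.append((data.number, ack.number, delay))
                break  # the first covering ACK decides; later ones are irrelevant
    return events


def format_event(ev):
    """Render an event in the style of the Diagnosis pane."""
    data_no, ack_no, delay = ev
    return f"TCP Slow ACK (Packet:{ack_no} acknowledges Packet:{data_no}, after {delay:.0f} ms)"


# Constructed sample: a client talks to a web server; packet 28 is a late ACK.
CLIENT, SERVER = "10.0.0.2:1406", "207.218.235.182:80"
SAMPLE = [
    Packet(25, 0.0,   CLIENT, SERVER, 1000, 5000, 0,    "S"),
    Packet(26, 40.0,  SERVER, CLIENT, 5000, 1001, 0,    "SA"),
    Packet(27, 41.0,  CLIENT, SERVER, 1001, 5001, 400,  "PA"),  # HTTP request
    Packet(28, 276.0, SERVER, CLIENT, 5001, 1401, 0,    "A"),   # ACK 235 ms later
    Packet(29, 280.0, SERVER, CLIENT, 5001, 1401, 1200, "PA"),  # HTTP response
    Packet(30, 300.0, CLIENT, SERVER, 1401, 6201, 0,    "A"),   # prompt ACK
]

if __name__ == "__main__":
    for ev in slow_ack_events(SAMPLE):
        print(format_event(ev))
```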

13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.

CEH Lab Manual Page 618

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis

14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.

FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

15. The IP Endpoint tab displays statistics of all IP addresses communicating within the network.

16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check whether there is a multicast storm or broadcast storm in your network.


As delicate work, network analysis always requires you to view the original packets and analyze them. However, not all network failures can be found in a short period. Sometimes network analysis requires a long period of monitoring and must be compared against a baseline of the normal network.


FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

17. The Physical Conversation tab presents the conversations between two MAC addresses.
TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL was originally designed to define a time span beyond which the packet is dropped. As the TTL value is decremented by at least 1 by each router the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped.

FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations

18. The IP Conversation tab presents IP conversations between pairs of nodes.

19. The lower pane of the IP Conversation section offers UDP and TCP conversations, which you can drill down into to analyze.
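Steps 15 through 19 describe what the endpoint and conversation tabs compute. The following added example (not Capsa's code) computes the same per-endpoint and per-pair statistics over a constructed packet list, including the broadcast/multicast share used to spot a storm; the record layout, sample values and function names are assumptions.

```python
"""Endpoint and conversation statistics of the kind the IP Endpoint,
IP Conversation, TCP Conversation and UDP Conversation tabs display,
computed over a constructed packet list (added example, not Capsa's code)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# The multicast/broadcast destinations imitate SSDP, LLMNR and NetBIOS chatter;
# the byte counts are made up.
SAMPLE = [
    ("10.0.0.2", 1406, "207.218.235.182", 80, "TCP", 723),
    ("207.218.235.182", 80, "10.0.0.2", 1406, "TCP", 1514),
    ("207.218.235.182", 80, "10.0.0.2", 1406, "TCP", 1514),
    ("10.0.0.5", 52748, "239.255.255.250", 3702, "UDP", 999),
    ("10.0.0.5", 52748, "239.255.255.250", 3702, "UDP", 999),
    ("10.0.0.5", 52748, "239.255.255.250", 3702, "UDP", 999),
    ("10.0.0.10", 56123, "224.0.0.252", 5355, "UDP", 86),
    ("10.0.0.4", 137, "255.255.255.255", 137, "UDP", 92),
]


def is_multicast(ip):
    return ip_address(ip).is_multicast


def is_broadcast(ip):
    return ip == "255.255.255.255"


def ip_endpoints(records):
    """Per-IP totals: bytes/packets sent and received, like the IP Endpoint tab."""
    stats = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "pkts_out": 0, "pkts_in": 0})
    for src, _, dst, _, _, size in records:
        stats[src]["bytes_out"] += size
        stats[src]["pkts_out"] += 1
        stats[dst]["bytes_in"] += size
        stats[dst]["pkts_in"] += 1
    return dict(stats)


def top_talkers(records, n=3):
    """Nodes with the highest total traffic volume (sent + received)."""
    ep = ip_endpoints(records)
    return sorted(ep, key=lambda ip: ep[ip]["bytes_out"] + ep[ip]["bytes_in"], reverse=True)[:n]


def ip_conversations(records):
    """Unordered IP pair -> bytes/packets, like the IP Conversation tab."""
    conv = defaultdict(lambda: {"bytes": 0, "pkts": 0})
    for src, _, dst, _, _, size in records:
        key = tuple(sorted((src, dst)))
        conv[key]["bytes"] += size
        conv[key]["pkts"] += 1
    return dict(conv)


def drill_down(records, ip_a, ip_b):
    """TCP/UDP conversations (protocol + both endpoints) inside one IP conversation,
    i.e. what the lower pane shows after a double-click."""
    out = defaultdict(lambda: {"bytes": 0, "pkts": 0})
    for src, sp, dst, dp, proto, size in records:
        if {src, dst} == {ip_a, ip_b}:
            ends = tuple(sorted(((src, sp), (dst, dp))))
            out[(proto,) + ends]["bytes"] += size
            out[(proto,) + ends]["pkts"] += 1
    return dict(out)


def storm_share(records):
    """(multicast_fraction, broadcast_fraction) of all packets; a sudden jump in
    either is what a multicast or broadcast storm looks like in the endpoint view."""
    total = len(records)
    if total == 0:
        return 0.0, 0.0
    mc = sum(1 for r in records if is_multicast(r[2]))
    bc = sum(1 for r in records if is_broadcast(r[2]))
    return mc / total, bc / total


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE))
    print("multicast/broadcast share:", storm_share(SAMPLE))
    print(drill_down(SAMPLE, "10.0.0.5", "239.255.255.250"))
```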


FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations

20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.

FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations

21. A window opens displaying the full packet analysis between 10.0.0.5 and 239.255.255.250.


A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.

FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations

22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.

23. Double-click a node to display the full analysis of packets.
FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations

24. A Full Analysis window opens, displaying detailed information on the conversation between the two nodes.


FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations

25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.

26. The lower pane of this tab gives you the related packets and the reconstructed data flow to help you drill down to analyze the conversations.

In networking, an email worm is a computer worm that can copy itself to a shared folder on a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations

27. On the Matrix tab, you can view the nodes communicating in the network by connecting them with lines graphically.

28. The weight of a line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.


29. You can easily navigate and shift between global statistics and the details of specific network nodes by switching between the corresponding nodes in the Node Explorer window.
Once we encounter a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.

FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view

30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.
Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.
FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information

31. The Packet decode consists of two major parts: Hex View and Decode View.


Protocol decoding is a basic function as well. There is a Packet tab, which collects all captured packets. Select a packet and you can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rules.

FIGURE 4.24: Full Analysis of Packet Decode
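The Hex View and Decode View of step 31, applied to the ARP packet structure shown above, as an added example that is not Capsa's code: it dumps a constructed ARP request frame in hex and lists each decoded field with its [offset/length] in the frame; the frame bytes, MAC addresses and function names are assumptions.

```python
"""Hex View and Decode View of an Ethernet/ARP frame (added example, not
Capsa code). Each decoded field is annotated with [offset/length] in the frame."""
import struct

# Constructed Ethernet II frame carrying an ARP request:
# "who has 10.0.0.1? tell 10.0.0.2"  (MAC addresses are made up)
FRAME = bytes.fromhex(
    "ffffffffffff"              # destination MAC (broadcast)
    "001b2103f5aa"              # source MAC
    "0806"                      # EtherType: ARP
    "0001" "0800" "06" "04"     # HTYPE Ethernet, PTYPE IPv4, HLEN 6, PLEN 4
    "0001"                      # operation: 1 = request
    "001b2103f5aa" "0a000002"   # sender MAC / sender IP 10.0.0.2
    "000000000000" "0a000001"   # target MAC (unknown) / target IP 10.0.0.1
)


def hex_view(data, width=16):
    """Offset, hex bytes and printable ASCII, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return lines


def mac(b):
    return ":".join(f"{x:02X}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def decode_view(frame):
    """Return (field, value, offset, length) tuples for the Ethernet and ARP layers."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    fields = [("Ethernet Type II / Destination Address", mac(dst), 0, 6),
              ("Ethernet Type II / Source Address", mac(src), 6, 6),
              ("Ethernet Type II / Protocol", f"0x{etype:04X}", 12, 2)]
    if etype != 0x0806:
        return fields  # not ARP: stop after the link layer
    if len(frame) < 14 + 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    names = {1: "Request", 2: "Reply"}
    fields += [("ARP / Hardware Type", f"{htype} (Ethernet)", 14, 2),
               ("ARP / Protocol Type", f"0x{ptype:04X} (IPv4)", 16, 2),
               ("ARP / Hardware Address Length", str(hlen), 18, 1),
               ("ARP / Protocol Address Length", str(plen), 19, 1),
               ("ARP / Operation", f"{op} ({names.get(op, 'Unknown')})", 20, 2),
               ("ARP / Sender Hardware Address", mac(frame[22:28]), 22, 6),
               ("ARP / Sender Protocol Address", ipv4(frame[28:32]), 28, 4),
               ("ARP / Target Hardware Address", mac(frame[32:38]), 32, 6),
               ("ARP / Target Protocol Address", ipv4(frame[38:42]), 38, 4)]
    return fields


def render(frame):
    """Hex View followed by Decode View, as one printable string."""
    out = hex_view(frame) + [""]
    out += [f"{name}: {value}  [{off}/{length}]"
            for name, value, off, length in decode_view(frame)]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(FRAME))
```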

32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log, and Yahoo Log.

33. You can view the logs of TCP conversations, Web access, DNS transactions, Email communications, etc.

FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view


FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view

34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
FIGURE 4.27: Colasoft Capsa Network Analyzer MSN Log view


35. The Report tab provides 27 statistics reports, from the global network to a specific network node.

FIGURE 4.28: Colasoft Capsa Network Analyzer Full Analysis's Report

36. You can click the respective hyperlinks for information, or you can scroll down to view the complete detailed report.

Almost all Trojans and worms need access to the network, because they have to return data to the hacker. Only the useful data is sent for the Trojan to accomplish its mission. So it is a good approach to start from traffic analysis and protocol analysis technology.

[Report sections shown: Summary Statistics, Diagnosis Statistics, Protocols Statistics, Top Application Protocols, Top Physical Address, Top IP Address, Top Local IP Address, Top 10 Remote IP Address]

FIGURE 4.29: Colasoft Capsa Network Analyzer Full Analysis's Report


37. Click Stop on the Analysis toolbar after completing your task.



FIGURE 4.30: Colasoft Capsa Network Analyzer Stopping process

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Capsa Network Analyzer

Information Collected/Objectives Achieved:

Diagnosis: Name, Physical Address, IP Address

Packet Info: Packet Number, Packet Length, Captured Length

Ethernet Type: Destination Address, Source Address, Protocol

Conversations: Physical Endpoint, IP Endpoint, Physical Conversation, IP Conversation, TCP Conversation, UDP Conversation

Logs: Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log, Yahoo Log


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Capsa affects your network traffic while it is analyzing the network.

2. What types of instant messages does Capsa monitor?

3. Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on the software?

Internet Connection Required: Yes / No

Platform Supported: Classroom / iLabs


Lab

Sniffing Passwords Using Wireshark
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and display packet data in detail.

Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers will first learn the IP address and correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set. As an administrator you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.


Lab Objectives
The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and data collection from any network topology.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In the lab you will need:

Wireshark located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark


You can also download the latest version of Wireshark from the link http://www.wireshark.org/download.html. If you decide to download the latest version, then screenshots shown in the lab might differ.

A computer running Windows Server 2012 as Host (Attacker) machine

A virtual machine (Windows 8 or Windows 2008 Server) as a Victim machine

A web browser with Internet connection

Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven installation steps to install Wireshark

Administrative privileges to run tools

Note: You can download Wireshark from http://www.wireshark.org.

Lab Duration
Time: 20 Minutes

Overview of Password Sniffing
Password sniffing uses various techniques to sniff the network and get someone's password. Networks use broadcast technology to send data. Data transmitted through the broadcast network can be read by any other computer present on the network. Usually, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it. Many computers are programmed to look at every message on the network. If someone misuses this facility, they can view messages that are not intended for them.

Lab Tasks
TASK 1: Capturing Packets

1. Before starting this lab, log in to the virtual machine(s).

2. On the host machine, launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 Desktop view

Note: Wireshark is an open source software project, and is released under the GNU General Public License (GPL).

3. Click Wireshark to launch the application.


Note: A network packet analyzer is a kind of measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

FIGURE 5.2: Windows Server 2012 Desktop view

4. The Wireshark main window appears.

FIGURE 5.3: Wireshark Main Window

5. From the Wireshark menu bar, select Capture -> Interfaces (Ctrl+I).


Note: Wireshark is used for:
Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
Developers use it to debug protocol implementations
People use it to learn network protocol internals

FIGURE 5.4: Wireshark Main Window with Interface Option

Note: Wireshark Features: Available for UNIX and Windows; Capture live packet data from a network interface; Display packets with very detailed protocol information; Open and Save packet data captured; Import and Export packet data from and to a lot of other capture programs.

6. The Wireshark Capture Interfaces window appears.

FIGURE 5.5: Wireshark Capture Interfaces Window

7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet Driver Interface that is connected to the system.

8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show some packets passing through it, as it is connected to the network.

Note: Wireshark can capture traffic from many different network media types and, despite its name, from wireless LAN as well.

9. Click Start in that interface's line.


Note: A supported network card for capturing: Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.

FIGURE 5.6: Wireshark Capture Interfaces Window Starting Capture

10. Traffic, in the form of packets generated by the computer while browsing the Internet, is captured.

FIGURE 5.7: Wireshark Window with Packets Captured

11. Now, switch to the virtual machine and log in to the email ID for which you would like to sniff the password.

TASK 2: Stop Live Capturing

12. Stop the running live capture by clicking the Stop icon on the toolbar.


FIGURE 5.8: Wireshark Window Stopping Live Capture

13. You may save the captured packets from File -> Save As, provide a name for the file, and save it in the desired location.

TASK 3: Saving Captured Files

FIGURE 5.9: Wireshark Saving the Captured Packets

14. Now, go to Edit and click Find Packet...

Note: Wireshark can save captured packets in a large number of formats of other capture programs.


Note: Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

FIGURE 5.10: Wireshark Finding Packet Option

15. The Wireshark: Find Packet window appears.

FIGURE 5.11: Wireshark Find Packet Window

16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In, and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find.

Note: Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).

FIGURE 5.12: Wireshark Selecting Options in Find Packet Window


17. Wireshark will now display the sniffed password from the captured packets.

TASK 4: Observe the Password

Note: Which media types Wireshark supports depends on many things, like the operating system you are using.

FIGURE 5.13: Wireshark Sniffed Password in Captured Packet

18. If you are working in the iLabs environment, then use the Test(WS) sample captured file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to sniff the password.
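The string search in the steps above finds one field by hand. As an added example that is not part of this lab manual, the following Python script shows how a defender automates the same check over a whole capture: it parses a classic pcap (constructed in memory here, with constructed addresses, host names and a sample password), walks Ethernet/IPv4/TCP to the HTTP POST body, and reports which client sent a password-like form field in cleartext without recording the secret itself.

```python
import socket
import struct
from urllib.parse import parse_qs

# Form field names commonly used for secrets; "pwd" is the string the lab searches for.
SECRET_FIELDS = {"pwd", "passwd", "password", "pass", "secret"}


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def iter_pcap_frames(data):
    """Yield the raw frames stored in a classic little-endian pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # global header length
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP frame carrying payload (checksums left zero; enough for a parser demo)."""
    eth = bytes.fromhex("00155da87805") + bytes.fromhex("00095bae24cc") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[data_off:]


def find_cleartext_credentials(pcap_bytes):
    """Report HTTP POST bodies that carry a password-like form field in the clear."""
    findings = []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if not payload.startswith(b"POST ") or b"\r\n\r\n" not in payload:
            continue
        head, body = payload.split(b"\r\n\r\n", 1)
        if b"application/x-www-form-urlencoded" not in head.lower():
            continue
        fields = parse_qs(body.decode("ascii", "replace"))
        for name, values in fields.items():
            if name.lower() in SECRET_FIELDS:
                findings.append({
                    "client": src, "server": dst, "port": dport,
                    "path": head.split(b" ")[1].decode("ascii", "replace"),
                    "field": name, "value_len": len(values[0]),  # the secret itself is not kept
                })
    return findings


# Constructed sample capture: a plain-HTTP login POST like the one the lab finds with "pwd".
BODY = b"email=alice%40example.test&pwd=S3cret-Example&remember=1"
POST = (b"POST /login/verify.php HTTP/1.1\r\nHost: mail.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
GET = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "123.176.32.155", 49321, 80, GET),
    build_tcp_frame("10.0.0.5", "123.176.32.155", 49322, 80, POST),
])

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PCAP):
        print(f"{f['client']} -> {f['server']}:{f['port']} {f['path']}: "
              f"field '{f['field']}' sent in cleartext ({f['value_len']} chars)")
```

The same finding over HTTPS would never appear, because the POST body is inside the TLS record; that is the control the next lab's scenario recommends.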


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Wireshark
Information Collected/Objectives Achieved:
  Time, Source, Destination, Protocol, Length, Info
  Internet Protocol
  TCP, Source Port Info
  User ID and Password


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate the protocols that are supported by Wireshark.
2. Determine the devices Wireshark uses to capture packets.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs


Performing Man-in-the-Middle Attack Using Cain & Abel
Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network and cracking encrypted passwords.

Lab Scenario
You have learned in the previous lab how you can get user name and password information using Wireshark. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates themselves in a public network, especially to a website without an HTTPS connection. Once the password is hacked, an attacker can simply log into the victim's email account or use that password to log in to their PayPal and drain their bank account. They can even change the password for the email. Attackers can use Wireshark to decrypt the frames with the victim's password they already have. As preventive measures, an administrator in an organization should always advise employees not to provide sensitive information in public networks without an HTTPS connection. VPN and SSH tunneling must be used to secure the network connection. As an expert ethical hacker and penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms, and encryption techniques. Another method through which you can gain user name and password information is by using Cain & Abel to perform a man-in-the-middle attack.

Lab Objectives
The objective of this lab is to accomplish the following information regarding the target organization that includes, but is not limited to:
Sniff network traffic and perform ARP poisoning
Launch a man-in-the-middle attack
Sniff the network for the password


Lab Environment
To carry out the lab, you need:

Cain & Abel located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

You can also download the latest version of Cain & Abel from http://www.oxid.it. If you decide to download the latest version, then screenshots shown in the lab might differ.

A computer running Windows Server 2012 as host machine

Windows 8 running on virtual machine as attacker machine

Windows Server 2008 running on virtual machine as the victim machine

A web browser with Internet connection

Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain & Abel

Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Note: You can download Cain & Abel from http://www.oxid.it.

Overview of Man-In-The-Middle Attack
A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN.
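As an added example (not code from this lab manual or from Cain & Abel), the following Python monitor shows the defender's view of the ARP poison routing described above: it parses raw ARP replies and flags the two symptoms of poisoning on a switched LAN, an IP whose MAC suddenly changes and one MAC claiming several IPs, plus the default spoofed MAC that the configuration note later in this lab documents. All frames and addresses are constructed sample data; the attacker MAC and the gateway/victim pair are assumptions, not values from any real capture.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
# Cain's documented default spoofed MAC (see the configuration note in this lab).
KNOWN_SPOOFED_MACS = {"00:11:22:33:44:55"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP 'is-at' reply (RFC 826 field order); used only to build sample data."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class ArpMonitor:
    """Passive IP-to-MAC tracker: flags the symptoms of ARP poison routing."""

    def __init__(self, known=None):
        self.bindings = dict(known or {})   # IP -> trusted MAC (pre-seeded or first seen)
        self.claims = defaultdict(set)      # MAC -> IPs it has claimed in replies

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts = []
        trusted = self.bindings.setdefault(ip, mac)
        if trusted != mac:
            alerts.append(f"binding change: {ip} is {trusted}, now claimed by {mac}")
        if mac in KNOWN_SPOOFED_MACS:
            alerts.append(f"known tool default MAC {mac} seen claiming {ip}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"one MAC claims several IPs: {mac} -> {sorted(self.claims[mac])}")
        return alerts


# Constructed sample: gateway and victim are legitimate; the attacker poisons both sides.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:09:5b:ae:24:cc"
VICTIM_IP, VICTIM_MAC = "10.0.0.2", "00:15:5d:a8:78:05"
ATTACKER_MAC = "00:50:56:aa:bb:cc"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),         # legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),        # victim poisoned
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),       # gateway poisoned
    build_arp_reply("00:11:22:33:44:55", GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # spoofed-MAC variant
]


def run_sample():
    """Feed the sample frames through a monitor pre-seeded with the trusted bindings."""
    monitor = ArpMonitor(known={GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC})
    alerts = []
    for frame in SAMPLE_FRAMES:
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

Static ARP entries for the gateway, or dynamic ARP inspection on the switch, stop the binding change this monitor only reports.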
Lab Tasks
TASK 1: Man-In-The-Middle Attack

1. Launch your Windows Server 2008 virtual machine (Victim Machine).

2. Launch your Windows 8 virtual machine (Attacker Machine).

3. On the host machine (Windows Server 2012), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


Note: Man-in-the-Middle attacks have the potential to eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). They can also be used for substitution attacks that actively manipulate data.

FIGURE 6.1: Windows Server 2012 Desktop view

4. Click Cain in the Start menu to launch Cain & Abel.

Note: Cain & Abel covers some security aspects/weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms.

FIGURE 6.2: Windows Server 2012 Desktop view

5. The main window of Cain & Abel appears.

Note: Replay attacks can also be used to resend a sniffed password hash to authenticate an unauthorized user.

FIGURE 6.3: Cain & Abel Main Window

6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window.

7. To configure the Ethernet card, click Configure from the menu bar.


Note: APR-SSH-1 can capture and decrypt SSH version 1 sessions that are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because a trusted authority does not sign these certificates, a warning message will be displayed to the end user.

FIGURE 6.4: Cain & Abel Configuration Option

8. The Configuration Dialog window appears.

9. The Configuration Dialog window consists of several tabs. Click the Sniffer tab to select the sniffing adapter.

10. Select Adapter and click Apply and then OK.


Note: For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first, that address can be easily identified for troubleshooting, and second, it is not supposed to exist in your network. Note: You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same Spoofed MAC address.

FIGURE 6.5: Cain & Abel Configuration Dialog Window

11. Click the Start/Stop Sniffer icon on the toolbar.

CEH Lab Manual Page 642

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

Note: The most crucial item in that list is the radioactive hazard APR. It is in this window that we select our victim(s).

FIGURE 6.6: Cain & Abel Configuration Dialog Window

Note: If you get a Cain Warning pop-up, click OK.


12. Now click the Sniffer tab.

Note: Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data.

FIGURE 6.7: Sniffer tab

13. Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.

14. The MAC Address Scanner window appears. Select All hosts in my subnet and check the All Tests check box. Click OK.


Note: APR-RDP can capture and decrypt Microsoft's Remote Desktop Protocol as well.

MAC Address Scanner window: Target: All hosts in my subnet / Range From; Promiscuous-Mode Scanner: ARP Test (Broadcast 31 bit), ARP Test (Broadcast 16 bit), ARP Test (Broadcast 8 bit), ARP Test (Group bit), ARP Test (Multicast group 0), ARP Test (Multicast group 1), ARP Test (Multicast group 3); All Tests

FIGURE 6.8: Cain & Abel MAC Address Scanner Window

15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.

Note: Cain & Abel can speed up packet capture by wireless packet injection.

Note: The Cain & Abel program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

FIGURE 6.9: Cain & Abel Scanning MAC Addresses Window

16. After scanning is completed, a list of detected MAC addresses is displayed.

17. Click the APR tab at the bottom of the main window.


Note: APR state HalfRouting means that APR is routing the traffic correctly but only in one direction (e.g., Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets of an entire direction, so it cannot grab authentications that use a challenge-response mechanism.

FIGURE 6.10: Cain & Abel ARP Tab

18. Click anywhere in the Configuration/Routed Packets window of APR to activate the Plus icon.

Note: APR state FullRouting means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX (e.g., Server<->Client). The sniffer will grab authentication information according to the sniffer filters set.

FIGURE 6.11: Cain & Abel ARP Tab

19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IP addresses whose traffic you want to listen to.


Note: The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user.

FIGURE 6.12: Cain & Abel ARP Tab

20. To monitor the traffic between two computers, select 10.0.0.3 (Windows 8 virtual machine) and 10.0.0.5 (Windows 2008 Server virtual machine). Click OK.

New ARP Poison Routing window: WARNING !!! APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities, WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router, you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.

Note: All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.

FIGURE 6.13: Cain & Abel ARP Tab

21. Select the added IP address in the Configuration/Routed Packets window and click the Start/Stop APR icon.

Note: If the Couldn't bind HTTPS acceptor socket pop-up appears, click OK.


Note: Many Windows applications use this feature; Internet Explorer, Outlook, and Outlook Express, for example, store user names and passwords using this service.

FIGURE 6.14: Cain & Abel ARP Poisoning

22. Now launch the command prompt in Windows 2008 Server, type ftp 10.0.0.3 (IP address of the Windows 8 machine), and press Enter.

Note: There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called the "Local Credential Set" and it refers to the file \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials

23. When prompted for Username, type Martin and press Enter, and for password, type apple and press Enter.

Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ftp 10.0.0.3
Connected to 10.0.0.3.
220 Microsoft FTP Service
User (10.0.0.3:(none)): Martin
331 Password required
Password:
230 User logged in.
ftp> _

FIGURE 6.15: Start ftp://10.0.0.3

24. Now, on the host machine, observe the tool listing the packets exchanged.


Note: Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\

FIGURE 6.16: Sniffer window with more packets exchanged

25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.

Note: This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials

Passwords tab, FTP: Timestamp 18/09/2012 15:54:10, FTP server 10.0.0.3, Client 10.0.0.5, Username Martin, Password apple

FIGURE 6.17: Sniffer window with more packets exchanged

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


Tool/Utility: Cain & Abel

Information Collected/Objectives Achieved:
IP Address: 10.0.0.3
MAC Address: 00155DA86E06
Packets Sent: 5
Packets Received: 7
FTP Server: 10.0.0.3
Username: Martin
Password: apple

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

2. How can you easily find the password captured in an RDP MITM attack using only Notepad or some other text editor?

3. How can one protect a Windows Server against RDP MITM attacks?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Lab

Detecting ARP Attacks with the XArp Tool

XArp is a security application that uses advanced techniques to detect ARP-based attacks.

Lab Scenario

You have already learned in the previous lab to capture user name and password information using Cain & Abel. Similarly, attackers, too, can sniff the username and password of a user. Once attackers have a user name and password, they can simply gain access to a network's database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network. They can also perform different types of attacks such as denial-of-service attacks, spoofing, buffer overflow, heap overflow, etc. When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly. Another method attackers can implement is ARP attacks, through which they can snoop on or manipulate all your data passing over the network. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks and so protect your data.
Lab Objectives

The objective of this lab is to accomplish the following regarding the target organization, which includes, but is not limited to:

- To detect ARP attacks


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment

To carry out the lab, you need:

- XArp is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp
- You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A computer running Windows Server 2012 as host machine
- Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp
- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes
Overview of XArp

XArp helps users detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.
Lab Tasks

TASK 1: Launching the XArp tool

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 Desktop view

2. Click XArp in the Start menu to launch the XArp tool.


Note: Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.

FIGURE 7.2: Windows Server 2012 Apps

3. The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.
Note: The high security level adds better network discovery, which results in a higher detection rate but sends out more discovery packets into the network. Aggressive inspection modules are employed, which might give false alerts in some environments.

Note: A MAC address is a unique identifier for network nodes on a LAN. MAC addresses are associated to the network adapter that connects devices to networks. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or cache, are used to correlate network devices' IP addresses to their MAC addresses.

XArp main window: Status: no ARP attacks; Security level set to: high; XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts

FIGURE 7.3: XArp status when security level set to high

4. On the host machine, XArp displays no ARP attacks.


Note: If you observe the same results, log in to a virtual machine and run Cain & Abel to initiate ARP poisoning to the host machine.

5. By default the security level is set to high. Set the Security level to aggressive on the XArp screen.


Note: The aggressive security level enables all ARP packet inspection modules and sends out discovery packets in high frequency. Using this level might give false attack alerts as it operates on a highly aggressive packet inspection philosophy.

Note: An attacker can alter the MAC address of the device that is used to connect the network to the Internet and can disable access to the web and other external networks.

XArp main window: Status: no ARP attacks; Security level set to: aggressive; XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts

FIGURE 7.4: XArp status when security level set to aggressive

6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an ARP attack on the Windows 2012 host machine.

7. The XArp pop-up appears displaying the alerts.

Note: XArp allows alert filtering for excluding specific hosts. Other features include settings for alerting intensity and how the alerts are presented. It also allows sending alerts through email and detailed alerting configuration.

XArp alert, 9/20/2012:
DirectedRequestFilter: targeted request, destination mac of arp request not set to broadcast/invalid address
interface: 0x11
[ethernet] source mac: d0-xx-xx-xx-xx-36, dest mac: 00-xx-xx-xx-xx-cc, type: 0x806
[arp] direction: out, type: request, source ip: 10.0.0.2, dest ip: 10.0.0.1

FIGURE 7.5: XArp displaying Alerts

8. Now, the XArp Status changes to ARP attacks detected.
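To make the DirectedRequestFilter alert above concrete, the following Python block, added here as an example and not XArp's own code, parses raw Ethernet/ARP frames and applies three simple inspection checks to a constructed ARP exchange: a request that is not sent to the broadcast address (the alert XArp raised in this lab), a sender IP whose MAC differs from the one first learned (what cache poisoning looks like on the wire), and a frame whose Ethernet source differs from the ARP sender MAC. The filter names other than DirectedRequestFilter, every MAC address, and the frame sequence are constructed for the example.

```python
"""ARP frame inspection of the kind XArp performs, over constructed frames.

Checks implemented (names other than DirectedRequestFilter are this example's):
  * DirectedRequestFilter: an ARP request whose Ethernet destination is not
    the broadcast address (the alert in Figure 7.5),
  * MappingChangeFilter: a sender IP that now claims a different MAC than the
    one learned earlier, the symptom of ARP cache poisoning,
  * SenderMismatchFilter: Ethernet source and ARP sender MAC disagree.
Every MAC and IP value here is constructed sample data.
"""
import struct

BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' (or colon separated) into 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def fmt_mac(raw):
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sender_mac": smac, "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac, "target_ip": ".".join(map(str, tip))}


class ArpInspector:
    """Stateful inspector: remembers the IP-to-MAC mappings it has seen on the wire."""

    def __init__(self):
        self.mappings = {}  # sender IP -> MAC first learned for it

    def inspect(self, frame):
        """Return the list of alert strings raised by one frame (empty if clean)."""
        alerts = []
        pkt = parse_arp(frame)
        if pkt is None:
            return alerts
        if pkt["op"] == ARP_REQUEST and pkt["eth_dst"] != BROADCAST:
            alerts.append(f"DirectedRequestFilter: request for {pkt['target_ip']} from "
                          f"{pkt['sender_ip']} sent to {fmt_mac(pkt['eth_dst'])} instead of broadcast")
        known = self.mappings.get(pkt["sender_ip"])
        if known is None:
            self.mappings[pkt["sender_ip"]] = pkt["sender_mac"]
        elif known != pkt["sender_mac"]:
            alerts.append(f"MappingChangeFilter: {pkt['sender_ip']} moved from "
                          f"{fmt_mac(known)} to {fmt_mac(pkt['sender_mac'])}")
        if pkt["eth_src"] != pkt["sender_mac"]:
            alerts.append(f"SenderMismatchFilter: Ethernet source {fmt_mac(pkt['eth_src'])} "
                          f"differs from ARP sender MAC {fmt_mac(pkt['sender_mac'])}")
        return alerts


# Constructed addresses for the demonstration (not the lab's real MACs).
GATEWAY_MAC = mac("00-aa-bb-cc-dd-cc")   # 10.0.0.1, the gateway
HOST_MAC = mac("00-15-5d-a8-6e-06")      # 10.0.0.3, the monitored host
PROBE_MAC = mac("d0-11-22-33-44-36")     # 10.0.0.2, the machine sending the directed request
SPOOF_MAC = mac("00-11-22-33-44-55")     # Cain's default spoofed MAC, as noted in the lab


def run_demo():
    """Feed a short constructed ARP conversation through the inspector and return all alerts."""
    inspector = ArpInspector()
    frames = [
        # 1. normal broadcast who-has from the host: learns 10.0.0.3 -> HOST_MAC
        build_arp(BROADCAST, HOST_MAC, ARP_REQUEST, HOST_MAC, "10.0.0.3", ZERO_MAC, "10.0.0.1"),
        # 2. normal unicast reply from the gateway: learns 10.0.0.1 -> GATEWAY_MAC
        build_arp(HOST_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.1", HOST_MAC, "10.0.0.3"),
        # 3. request addressed straight to the gateway's MAC: the Figure 7.5 alert
        build_arp(GATEWAY_MAC, PROBE_MAC, ARP_REQUEST, PROBE_MAC, "10.0.0.2", ZERO_MAC, "10.0.0.1"),
        # 4. unsolicited reply claiming 10.0.0.1 now lives at SPOOF_MAC: poisoning
        build_arp(HOST_MAC, SPOOF_MAC, ARP_REPLY, SPOOF_MAC, "10.0.0.1", HOST_MAC, "10.0.0.3"),
        # 5. reply whose ARP payload keeps the gateway's MAC while the frame comes from SPOOF_MAC
        build_arp(HOST_MAC, SPOOF_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.1", HOST_MAC, "10.0.0.3"),
    ]
    return [alert for frame in frames for alert in inspector.inspect(frame)]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the block prints one alert each for frames 3, 4 and 5 and nothing for the two legitimate frames. The inspector deliberately keeps the first mapping it learned rather than overwriting it, so a poisoning reply is reported every time it is repeated; a real deployment would feed frames from a capture source instead of the constructed list and would need a way to expire mappings when a host legitimately changes its adapter.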


Note: The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in (n*n) ARP caches that have to be configured. AntiARP also provides Windows-based spoofing prevention at the kernel level.

XArp main window: Status: ARP attacks detected! Security level set to: aggressive; XArp 2.2.2 - 11 mappings - 2 interfaces - 25 alerts

FIGURE 7.6: XArp ARP attacks detected

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: XArp

Information Collected/Objectives Achieved:
Interface [Ethernet]: 0x11
Source MAC: d0-xx-xx-xx-xx-36
Destination MAC: 00-xx-xx-xx-xx-cc
Type [arp]: 0x806
Direction: Out
Source IP: 10.0.0.2
Destination IP: 10.0.0.1
Host: 10.0.0.1
Vendor: Netgear, Inc.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Detecting Systems Running in Promiscuous Mode in a Network Using PromqryUI

PromqryUI is a tool with a Windows graphical interface that can be used to detect network interfaces that are running in promiscuous mode.

Lab Scenario

With an ARP storm attack, an attacker collects the IP address and MAC address of the machines in a network for future attacks. An attacker can send ARP packets to attack a network. If an ARP packet with a forged gateway MAC address is pushed to the LAN, all communications within the LAN may fail. This attack uses all resources of both victim and non-victim computers. As a network administrator you must always diagnose the network traffic using a network analyzer and configure routers to prevent ARP flooding. Using a specific technique with a protocol analyzer you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks. Attackers may also configure network interfaces to run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as such an interface might be a network sniffer. In this lab you will learn to use the tool PromqryUI to detect such network interfaces running in promiscuous mode.
Lab Objectives

The objective of this lab is to accomplish:

- To detect promiscuous systems in a network


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment

To carry out the lab, you need:

- PromqryUI is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI
- You can also download the latest version of PromqryUI from http://www.microsoft.com/en-us/download/details.aspx?id=16883
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A computer running Windows Server 2008
- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes
Overview of PromqryUI

PromqryUI can accurately determine if a modern managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system. PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.
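The network-side counterpart to PromqryUI's host query is the ARP-probe test that Cain's MAC Address Scanner lists under Promiscuous-Mode Scanner (Figure 6.8), which also reaches the standalone and non-Windows sniffers that PromqryUI cannot see. The following Python block, an example added here rather than code from PromqryUI, Cain or this manual, models an Ethernet adapter's receive filter and shows which of those probes a normal interface drops and a promiscuous one lets through to the IP stack. The probe destination MACs are this example's reading of the scanner's test names, and the adapter address and the flagging rule are constructed assumptions.

```python
"""Why an ARP probe with a crafted destination MAC reveals a promiscuous NIC.

Added example: neither PromqryUI's code (PromqryUI queries the managed
Windows host itself) nor Cain's. It models the receive filter of an Ethernet
adapter and replays the ARP tests that Cain's MAC Address Scanner lists, so
the reader can see which probes a normal adapter silently drops and a
promiscuous one passes up. All values are constructed.
"""


def parse_mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


BROADCAST = parse_mac("ff:ff:ff:ff:ff:ff")
ALL_HOSTS_MCAST = parse_mac("01:00:5e:00:00:01")  # 224.0.0.1, joined by every IPv4 host

# Destination MACs of the scanner's probe frames (this example's reading of the
# test names). Each frame carries an ordinary "who-has <victim IP>" ARP request,
# so the victim's IP stack answers whenever the frame gets past the adapter.
PROBES = {
    "Broadcast 31 bit":  "ff:ff:ff:ff:ff:fe",   # broadcast with the last bit cleared
    "Broadcast 16 bit":  "ff:ff:00:00:00:00",   # only the first two octets look like broadcast
    "Broadcast 8 bit":   "ff:00:00:00:00:00",   # only the first octet looks like broadcast
    "Group bit":         "01:00:00:00:00:00",   # multicast bit set, no real group
    "Multicast group 0": "01:00:5e:00:00:00",   # 224.0.0.0, a group nobody joins
    "Multicast group 1": "01:00:5e:00:00:01",   # 224.0.0.1, all-hosts, legitimately accepted
    "Multicast group 3": "01:00:5e:00:00:03",   # 224.0.0.3, unassigned group
}


def nic_accepts(dst, nic_mac, multicast_groups=(ALL_HOSTS_MCAST,), promiscuous=False):
    """Ethernet receive filter of the adapter.

    Normal operation passes only frames to our own unicast address, the
    broadcast address, or a multicast group we have joined. Promiscuous mode
    disables the filter entirely, which is what lets a sniffer see everything.
    """
    if promiscuous:
        return True
    if dst == nic_mac or dst == BROADCAST:
        return True
    if dst[0] & 1:  # I/G bit set: a group address, accepted only if subscribed
        return dst in multicast_groups
    return False


def simulate_host(nic_mac, multicast_groups=(ALL_HOSTS_MCAST,), promiscuous=False):
    """Map each probe name to whether the simulated host would answer it.

    Only the adapter's filter is modelled. A real operating system may apply a
    further software check before its ARP code runs, so the set of probes that
    actually draw a reply is OS-specific; that is why the scanner sends several.
    """
    return {name: nic_accepts(parse_mac(dst), nic_mac, multicast_groups, promiscuous)
            for name, dst in PROBES.items()}


def flag_promiscuous(report):
    """Return the probes that drew a reply although a non-promiscuous adapter
    would have discarded them. The all-hosts group is excluded because every
    IPv4 host legitimately accepts 224.0.0.1. A non-empty list is the signal."""
    return [name for name, replied in report.items()
            if replied and name != "Multicast group 1"]


if __name__ == "__main__":
    nic = parse_mac("00:15:5d:a8:6e:06")  # constructed adapter address
    for mode in (False, True):
        report = simulate_host(nic, promiscuous=mode)
        print("promiscuous" if mode else "normal", "->", flag_promiscuous(report))
```

Run directly, the block reports an empty list for the normal adapter and all six suspicious probes for the promiscuous one. The all-hosts multicast probe is the deliberate control case: it gets a reply from every host, so a detector that counted it would flag the whole subnet, which is the kind of false positive a scanner has to design around.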
Lab Tasks

TASK 1: Running PromqryUI

1. Go to the tool location at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

2. Double-click promqryui.exe, and click Run.


Open File - Security Warning dialog: Do you want to run this file? Name: promqryui.exe; Publisher: Microsoft Corporation; Type: Application

FIGURE 8.1: PromqryUI Run prompt


3. Click Yes in the PromqryUI License Agreement window.

Note: In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.

FIGURE 8.2: PromqryUI License Agreement dialog box

4. The WinZip Self-Extractor dialog box appears. Browse to a desired location (default location is c:\promqryui) to save the unzipped folder and click Unzip.

FIGURE 8.3: PromqryUI WinZip Self-Extractor dialog box

5. Click OK after the Unzip is successful.

WinZip Self-Extractor: 2 file(s) unzipped successfully

FIGURE 8.4: WinZip Self-Extractor dialog box

CEH Lab Manual Page 658

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

6. Now, click Close to close the WinZip Self-Extractor dialog box.

Unzip to folder allows you to browse and select a destination of your choice to save the setup file.

FIGURE 8.5: PromqryUI WinZip Self-Extractor dialog box

7. Now, install .NET Framework 1.1 by double-clicking the dotnetfx.exe file located at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

TASK: Running .NET Framework 1.1

8. Click Run in the Open File - Security Warning dialog box.

FIGURE 8.6: .NET Framework - Run dialog box

The .NET Framework version 1.1 redistributable package includes everything you need to run applications developed using the .NET Framework.

9. Click Yes in the Microsoft .NET Framework 1.1 Setup dialog box to initiate the .NET Framework installation.

FIGURE 8.7: .NET Framework Install dialog box


10. While attempting to install .NET Framework 1.1, you will get a Program Compatibility Assistant dialog box (it notes that this software has known incompatibility with IIS services on this platform). Click Run Program.

FIGURE 8.8: .NET Framework Program Compatibility Assistant dialog box


TASK 3: Installing .NET Framework 1.1

11. Select the I agree radio button and click Install in the License Agreement dialog box.

FIGURE 8.9: .NET Framework License Agreement dialog box

12. Once the installation is complete, click OK in the Microsoft .NET Framework 1.1 Setup dialog box.

FIGURE 8.10: .NET Framework - Installation complete message box

TASK: Installing PromqryUI

13. Now, go to C:\promqryui, double-click pqsetup.msi and follow the installation wizard to install PromqryUI.


14. Once installation is complete, go to Start and click Promqry to launch the program.

Promiscuous mode can be used in a malicious way to sniff on a network. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this by using carefully designed firewall settings.

FIGURE 8.11: Windows 2008 Server Start menu

15. The main window of PromqryUI appears. Click Add.

With the PromqryUI tool, you can add either a single system or multiple systems to query.

FIGURE 8.12: PromqryUI Main window

16. The Select Addition Type dialog box will appear. Click Add Single System.


FIGURE 8.13: PromqryUI Adding system

17. Type the IP address of the system you want to check for promiscuous mode in the IP Address field of the Add System to Query dialog box and click Save.

For systems that you need to query, a range of IP addresses can be provided. You can also carry out a query for the local system only.

FIGURE 8.14: PromqryUI Add System to Query

18. Select the added IP address in the Systems To Query section and click Start Query.

FIGURE 8.15: PromqryUI Querying system


19. Results will be displayed in Query Results.

The Query Results pane first pings the target (10.0.0.2 in the screenshot), then lists each adapter with its Active state, its InstanceName (for example WAN Miniport (IP) or Hyper-V Virtual Switch Extension Adapter) and a NEGATIVE or POSITIVE verdict on whether promiscuous mode is currently enabled, followed by a System Summary and the computer name, domain, manufacturer, model, primary owner, logged-on user and operating system.

Query results will let you know whether the system is in promiscuous mode or not and provide other information such as computer name, domain, computer model, manufacturer, owner, etc.

FIGURE 8.16: PromqryUI Query Results
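PromqryUI answers one question for a remote Windows host: is any adapter in promiscuous mode? The following is an added example, not part of this lab or of the Promqry tools, that performs the same check locally on Linux, where the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags and promiscuous mode is the IFF_PROMISC bit (0x100 in <linux/if.h>). The values in SAMPLE_FLAGS are constructed so the script runs anywhere; on a Linux host it reads the live values instead.

```python
"""Report interfaces whose IFF_PROMISC flag is set (Linux sysfs).

Added example for this lab, not PromqryUI's code. PromqryUI queries a remote
Windows host for adapters in promiscuous mode; on Linux the same state is
exposed locally in /sys/class/net/<iface>/flags as a hex bitmask of the
IFF_* interface flags defined in <linux/if.h>.
"""
import os
from typing import Dict, List

# Interface flag bits from <linux/if.h>.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_ALLMULTI = 0x200
IFF_MULTICAST = 0x1000
FLAG_NAMES = ((IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
              (IFF_RUNNING, "RUNNING"), (IFF_PROMISC, "PROMISC"),
              (IFF_ALLMULTI, "ALLMULTI"), (IFF_MULTICAST, "MULTICAST"))

SYSFS_NET = "/sys/class/net"


def parse_flags(text: str) -> int:
    """Parse the contents of a sysfs flags file, e.g. "0x1143" followed by a newline."""
    return int(text.strip(), 16)


def describe_flags(flags: int) -> List[str]:
    """Names of the set flag bits, in the order ip(8) would list them."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def read_interface_flags(sysfs_net: str = SYSFS_NET) -> Dict[str, int]:
    """Read the flags of every interface under sysfs_net; empty dict if not on Linux."""
    result: Dict[str, int] = {}
    if not os.path.isdir(sysfs_net):
        return result
    for iface in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, iface, "flags")) as fh:
                result[iface] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # entries without a readable flags file
    return result


def find_promiscuous(iface_flags: Dict[str, int]) -> List[str]:
    """Interfaces currently in promiscuous mode (PromqryUI's per-adapter POSITIVE)."""
    return [name for name, flags in iface_flags.items() if is_promiscuous(flags)]


def report(iface_flags: Dict[str, int]) -> str:
    """Render a PromqryUI-style per-interface verdict plus a system summary."""
    lines = []
    for name, flags in iface_flags.items():
        verdict = "POSITIVE" if is_promiscuous(flags) else "NEGATIVE"
        state = "ENABLED" if is_promiscuous(flags) else "NOT enabled"
        lines.append(f"{name}: flags=0x{flags:x} [{' '.join(describe_flags(flags))}] "
                     f"{verdict}: promiscuous mode currently {state}")
    hits = find_promiscuous(iface_flags)
    lines.append("System Summary: " + ("POSITIVE: at least one interface found in promiscuous mode"
                                       if hits else "NEGATIVE: no interface in promiscuous mode"))
    return "\n".join(lines)


# Constructed sample (not read from a real host): what the flags files might
# contain on a machine where a capture tool has put eth1 into promiscuous mode.
SAMPLE_FLAGS = {
    "lo": parse_flags("0x49\n"),      # UP LOOPBACK RUNNING
    "eth0": parse_flags("0x1043\n"),  # UP BROADCAST RUNNING MULTICAST
    "eth1": parse_flags("0x1143\n"),  # same, plus PROMISC (0x100)
}

if __name__ == "__main__":
    live = read_interface_flags()
    print(report(live if live else SAMPLE_FLAGS))
```

The flag is a point-in-time state, so the check belongs in a scheduled job or a configuration-monitoring agent rather than a one-off run; a capture tool that has already exited leaves no trace here.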

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: PromqryUI

Information Collected/Objectives Achieved:
Computer name: WIN-D39MR5HL9E4
Domain: WORKGROUP
Computer manufacturer: Dell Inc.
Computer model: OptiPlex 390
Primary owner: Windows User
User currently logged on: WIN-D39MR5HL9E4\Administrator
Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required: Yes / No

Platform Supported: Classroom, iLabs


Lab

Sniffing Passwords from Captured Packets using Sniff-O-Matic

Sniff-O-Matic is a network protocol analyzer and packet sniffer with a clear and intuitive interface.

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario

Attackers may install a sniffer in a trusted network to capture packets and will be able to view every single packet that is going across the network, if the network uses a hub or a router for data transmission. With the captured packets, attackers can learn about vulnerabilities and sniff the user name and password and log in to the network as an authenticated user. Once logged in successfully to a network, the hacker can easily install viruses and Trojans to steal data and sensitive information, and cause serious damage to that network. As an expert ethical hacker and penetration tester you should have sound knowledge of sniffing, network protocols, authentication mechanisms and encryption techniques. You should also regularly check your network and close the unnecessary ports that are open. Always ensure that if any sensitive data is required to be sent over the network, you use an encrypted protocol to minimize the data leakage.
Lab Objectives

The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.

Lab Environment

To carry out the lab, you need:

- Sniff-O-Matic, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Sniff-O-Matic
- You can also download the latest version of Sniff-O-Matic from http://www.kwakkelflap.com/sniffer.html

- If you decide to download the latest version, then the screenshots shown in the lab might differ

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

- A computer running Windows Server 2012 as host machine
- Double-click snifftrial.exe and follow the wizard-driven installation steps to install Sniff-O-Matic
- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Sniff-O-Matic

Sniff-O-Matic captures network traffic and enables you to analyze the data. Detailed packet information is available in a tree structure or a raw data view of the packet data. Sniff-O-Matic's button and columnar data display logically and succinctly presents the collected network traffic data.
Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

TASK: Launching the Sniff-O-Matic tool

FIGURE 9.1: Windows Server 2012 Desktop view

2. Click Sniff-O-Matic in the Start menu to launch the Sniff-O-Matic tool.


Sniff-O-Matic is a packet sniffer, that is, a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

FIGURE 9.2: Windows Server 2012 Desktop view

3. The main Sniff-O-Matic window appears; select the adapter from the drop-down list and click the Start Capture button.

TASK: Sniff-O-Matic: Start Packet Capture

FIGURE 9.3: Sniff-O-Matic Start capture

4. When the tool starts capturing the packets, launch a browser and log in to your email account.

5. Then, click the Stop Capture button to view the captured packets.


Packet capture is the act of capturing data packets crossing a computer network.

FIGURE 9.4: Sniff-O-Matic Stop capture

6. In the list of captured packets, select a packet to view detailed information.

The tree view in Figure 9.5 decodes the selected packet as follows. IP Header: Version = 4; Header Length = 5 (20 bytes); Type Of Service = 0x00; Total Length = 40; Identification = 0xABDB; Flags = 0x00; Fragment offset = 0x0000; Time To Live = 61; Protocol = 6 (TCP); Header Checksum = 0x2BA5; Source IP = 123.176.32.153; Dest. IP = 10.0.0.7. TCP Header: Source Port = 80 (HTTP); Destination Port = 2762; Seq Number = 0x9ACBE781; ACK Number = 0xFDD7CE13; Offset = 5 (20 bytes); Flags = 0x18; Checksum = 0x7728; Urgent Pointer = 0x0000.

From the captured packets, detailed information such as Header Length, Protocol, Header Checksum, Source IP, Destination IP, etc. can be viewed by selecting a particular packet.

FIGURE 9.5: Sniff-O-Matic Viewing packet information

7. In the right pane, select items from the tree and the data for the respective item will be highlighted in red.


Port numbers can occasionally be seen in a web or other service URL. By default, HTTP uses port 80 and HTTPS uses port 443, but a URL such as http://www.example.com:8080/path/ specifies that the web resource be served by the HTTP server on port 8080.

FIGURE 9.6: Sniff-O-Matic Viewing packet information

8. Now, perform a search for the data in captured frames. Select Find from the Options menu.

FIGURE 9.7: Sniff-O-Matic - Performing search

9. The Find pop-up box appears; type pwd to search for the password information.


Detailed packet information is available in a tree structure or a raw data view of the packet data.

FIGURE 9.8: Sniff-O-Matic Performing password search

10. An icon (packets with binoculars) will appear for the found packets, as shown in the following screenshot.

Sniff-O-Matic's key features include:
- Capture IP packets on your LAN without packet loss
- Monitor network activity in real time
- Filters to show only the packets you want
- Real-time checksum calculation
- Save and load captured packets
- Auto start capturing and continuous capture
- Traffic charts with filter info

FIGURE 9.9: Sniff-O-Matic - Password search results

11. Select the found packet and scroll down the data list for the information, which will be indicated in blue.


Packets captured using Sniff-O-Matic allow you to sniff the password available in cleartext format. If an attacker is able to capture these packets, he can easily identify the password and log in to the network as an authenticated user. Attackers will have an advantage if they discover the same password is being used for all the computers.

FIGURE 9.10: Sniff-O-Matic Password search results

12. To mark the packets, right-click the selected packet and click Mark.

FIGURE 9.11: Sniff-O-Matic Marking a packet

13. Once the packets are marked, they will have a different icon.


Besides protocol and port data, the program displays source and destination IP addresses and raw packet information. The program offers no IP address to domain name conversion.

FIGURE 9.12: Sniff-O-Matic Marked packets
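Steps 6 through 13 walk through what Sniff-O-Matic decodes for a captured packet and how the pwd search locates a cleartext password in a POST body. The following is an added example, not part of this lab or of Sniff-O-Matic, that does the same header decoding by hand in Python and adds the check a defender wants from such a capture: it reports only the names of form fields that carry credentials, never their values. Both packets are constructed. The first is built from the header values shown in Figure 9.5 (123.176.32.153:80 to 10.0.0.7:2762, TTL 61, Identification 0xABDB, PSH/ACK) and its recomputed IPv4 header checksum comes out as the 0x2BA5 the tool displays; the login body, host name and field values in the second are made up.

```python
"""Decode IPv4/TCP headers and flag cleartext credential fields in the payload.

Added example for this lab, not Sniff-O-Matic's code. It decodes the fields the
tool's tree view shows (Figure 9.5) and, instead of revealing the password that
the "pwd" search finds, reports only the names of credential-carrying fields.
"""
import struct
from typing import Dict, List
from urllib.parse import parse_qsl

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))
# Form-field names treated as credentials (lower-case; extend for your applications).
CREDENTIAL_FIELDS = {"pwd", "passwd", "password", "pass", "secret"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_tcp(packet: bytes) -> Dict[str, object]:
    """Return the IPv4 and TCP header fields of a raw packet (no link-layer header)."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, hcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    sport, dport, seq, ack, off_flags, window, tcsum, urg = \
        struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    tcp_flags = off_flags & 0x01FF
    # Verify the header checksum by recomputing it with the checksum field zeroed.
    recomputed = ipv4_checksum(packet[:10] + b"\x00\x00" + packet[12:ihl])
    return {
        "version": ver_ihl >> 4, "header_length": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "ip_flags": frag >> 13, "fragment_offset": frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": hcsum,
        "checksum_ok": recomputed == hcsum,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_off, "tcp_flags": tcp_flags,
        "tcp_flag_names": [n for n, bit in TCP_FLAGS if tcp_flags & bit],
        "window": window, "tcp_checksum": tcsum, "urgent_pointer": urg,
        "payload": packet[ihl + data_off:total_len],
    }


def find_credential_fields(payload: bytes) -> List[str]:
    """Names (never values) of url-encoded form fields that look like credentials."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    body = text.split("\r\n\r\n", 1)[-1]  # drop HTTP request headers if present
    return sorted({k for k, _ in parse_qsl(body, keep_blank_values=True)
                   if k.lower() in CREDENTIAL_FIELDS})


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                   ack: int, flags: int, window: int, payload: bytes = b"",
                   ident: int = 0, ttl: int = 64) -> bytes:
    """Assemble a packet with a valid IPv4 header checksum (TCP checksum left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ident, 0, ttl, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp + payload


# Constructed packets. SERVER_PACKET uses the header values shown in Figure 9.5;
# CLIENT_PACKET carries a made-up login form (no real host or credentials).
SERVER_PACKET = build_ipv4_tcp("123.176.32.153", "10.0.0.7", 80, 2762,
                               0x9ACBE781, 0xFDD7CE13, 0x18, 14600, ident=0xABDB, ttl=61)
CLIENT_PACKET = build_ipv4_tcp("10.0.0.7", "123.176.32.155", 2753, 80,
                               0xB85A34D4, 0x561A0268, 0x18, 65535, ttl=128,
                               payload=b"POST /login HTTP/1.1\r\nHost: mail.example\r\n\r\n"
                                       b"login=alice&pwd=placeholder&remember=1")

if __name__ == "__main__":
    for pkt in (SERVER_PACKET, CLIENT_PACKET):
        f = parse_ipv4_tcp(pkt)
        print(f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} ttl={f['ttl']} "
              f"flags={'/'.join(f['tcp_flag_names'])} ipcsum=0x{f['header_checksum']:04X} "
              f"ok={f['checksum_ok']} credential_fields={find_credential_fields(f['payload'])}")
```

Run over a capture, the credential-field check gives an inventory of which applications still authenticate over plain HTTP, which is the finding to act on (move them to TLS), without the analyst ever logging the passwords themselves.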

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Sniff-O-Matic

Information Collected/Objectives Achieved:
Header Length: 5
Time To Live: 61
Protocol: 6
Header Checksum: 0xC1F6
Source IP: 123.176.32.155
Dest. IP: 10.0.0.7
Source Port: 80 (HTTP)
Destination Port: 2753
Username and password

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.


Internet Connection Required: Yes / No

Platform Supported: Classroom, iLabs
