CEH v8 Labs Module 08: Sniffers

CEH Lab Manual
Module 08: Sniffers

Sniffing a Network

A packet sniffer is a program that monitors every bit of information entering or leaving a network. It is the software equivalent of a plug-and-play wiretap attached to a computer, eavesdropping on network traffic.

Lab Scenario

Sniffing is a technique used to intercept data. In information security, many of the tools used to secure a network can also be used by attackers to exploit and compromise that same network. The core objective of sniffing is to steal data: sensitive information, email text, and the like.

Network sniffing involves intercepting the traffic between two target network nodes and capturing the packets exchanged between them. A packet sniffer is also referred to as a network monitor; a network administrator uses one legitimately to capture traffic, look for vulnerabilities, and troubleshoot problems as they arise.

Attackers use the same tools. A sniffer placed in promiscuous mode captures every frame that reaches its interface, not just those addressed to it. Once attackers have captured the traffic they can analyze the packets and read user names and passwords directly, because protocols such as Telnet, FTP, POP3 and HTTP Basic authentication transmit credentials in cleartext. An attacker can then log in with those credentials and compromise other systems on the network. Note that on a switched network promiscuous mode alone only sees the traffic the switch already forwards to that port; this is why MAC flooding and ARP poisoning, which redirect other hosts' traffic through the attacker, usually accompany sniffing.

Hence it is crucial for a network administrator to be familiar with network traffic analyzers. He or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, and DNS poisoning, know the types of information that can be extracted from captured data, and use that information to keep the network running smoothly.

Lab Objectives

The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:

■ Sniff the network
■ Analyze incoming and outgoing packets
■ Troubleshoot the network for performance
■ Secure the network from attacks

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 585

Module 08 - Sniffers

Lab Environment

In this lab, you need:

■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration

Time: 80 Minutes

Overview of Network Sniffing

Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for an attack, revealing network information, system information, and organizational information.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in sniffing the network:

■ Sniffing the network using the Colasoft Packet Builder
■ Sniffing the network using the OmniPeek Network Analyzer
■ Spoofing MAC address using SMAC
■ Sniffing the network using the WinArpAttacker tool
■ Analyzing the network using the Colasoft Network Analyzer
■ Sniffing passwords using Wireshark
■ Performing man-in-the-middle attack using Cain & Abel
■ Advanced ARP spoofing detection using XArp
■ Detecting systems running in promiscuous mode in a network using PromqryUI
■ Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

CEH Lab Manual Page 586

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

CEH Lab Manual Page 587

Lab

Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

From the previous scenario you are now aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:

■ OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
■ Administrative privileges to run tools

CEH Lab Manual Page 588

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.11 wireless.

Lab Tasks

1. Install OmniPeek Network Analyzer on the host machine, Windows Server 2012.

2. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012 — Desktop view

3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.

TASK 1: Installing OmniPeek Network Analyzer

OmniPeek Enterprise provides users with the visibility and analysis they need to keep voice and video applications and non-media applications running optimally on the network.

FIGURE 1.2: Windows Server 2012 — Start menu

CEH Lab Manual Page 589

4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot. The toolbar offers New Capture, Open Capture File, View OmniEngines, and Start Monitor.

FIGURE 1.3: OmniPeek main screen

5. Launch the Windows 8 virtual machine.

6. Now, in Windows Server 2012, create an OmniPeek capture window as follows:

a. Click the New Capture icon on the main screen of OmniPeek.

b. View the General options in the OmniPeek Capture Options dialog box when it appears.

c. Leave the default general settings and click OK.

To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.

TASK 2: Starting New Capture

Capture Options dialog, General tab (as captured in the lab): Capture title: Capture 1; Continuous capture (unchecked); Capture to disk with File path C:\Users\Administrator\Documents\Capture 1-, File size 256 megabytes, Stop saving after 1000 files (2,560 MB), Keep most recent 10 files, New file every 1; Limit each packet to 128 bytes (unchecked); Discard duplicate packets; Buffer size: 100 megabytes; Show this dialog when creating a new capture. Tabs: General, Adapter, 802.11, Triggers, Filters, Statistics Output, Analysis Options.

Leave "Limit each packet to ... bytes" unchecked for this lab: packet slicing keeps only the first N bytes of each frame, which is enough for the statistics views but discards the application payload in which cleartext credentials would be found.

OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

FIGURE 1.4: OmniPeek capture options - General

CEH Lab Manual Page 590

d. Click Adapter and select Ethernet in the list under Local machine. Click OK.

Capture Options dialog, Adapter tab (as captured in the lab): sources are File Module: Compass Adapter and Local machine: WIN-MSSELCK4K41, the latter listing Local Area Connection* 10, Ethernet, vSwitch (Realtek PCIe GBE Family Controller - Virtual Switch), vEthernet (Realtek PCIe GBE Family Controller - Virtual Switch), vSwitch (Virtual Network Internal Adapter) and vEthernet (Virtual Network Internal Adapter). Selected adapter properties: Device Realtek PCIe GBE Family Controller; Media Ethernet; Link Speed 100 Mbits/s; WildPackets API No.

Network Coverage: with Ethernet, Gigabit, 10G, and wireless capabilities, you can effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

FIGURE 1.5: OmniPeek capture options - Adapter

7. Now, click Start Capture to begin capturing packets. The Start Capture button changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.

Network Dashboard (as captured in the lab): Network Utilization panel (5-minute window, 1-second average) and Top Protocols panel.

Dashboards display important data that every network engineer needs to know about the network without spending lots of time analyzing the captured data.

FIGURE 1.6: OmniPeek creating a capture window

CEH Lab Manual Page 591

8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

Network dashboard (as captured in the lab): Network Utilization graph (5-minute window, 1-second average); Top Protocols: DHCPv6, IGMP, DNS, TCP; Top Talkers by IP address, including 10.0.0.2 and hosts in 173.194.36.0/24; status bar: Ethernet, Packets: 1,973, Duration: 0:01:25.

FIGURE 1.7: OmniPeek statistical analysis of the data

9. To view the captured packets, select Packets in the Capture section of the Dashboard in the left pane of the window.

Packets view (as captured in the lab): one row per packet with Source, Destination, Size, Relative Time, Protocol and Summary columns. The capture shows HTTPS conversations between 10.0.0.2 and 173.194.36.4 / 173.194.36.22 on port 443 (source and destination ports, TCP flags and sequence numbers in the Summary column), traffic between 10.0.0.2 and 157.56.67.222 on port 443 and 123.176.32.154, an expert event "Slow Server Response Time", and a status bar of Ethernet, Packets: 2,000.

FIGURE 1.8: OmniPeek displaying packets captured

10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.

11. You can view the Nodes and Protocols from the Statistics section of the Dashboard.

OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines, acting as both a full-featured network analyzer and a console for remote network analysis.

The OmniPeek Peer Map shows all communicating nodes within your network, drawn as a vertically oriented ellipse able to grow to the size necessary. The maps are easy to read: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or most active nodes, or to any OmniPeek filters that may be in use.

CEH Lab Manual Page 592

FIGURE 1.9: OmniPeek statistical reports of Nodes

12. You can view a complete Summary of your network from the Statistics section of the Dashboard.

On-the-Fly Filters: you shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets "select related" feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis with a simple right click of the mouse.

Alarms and Notifications: using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and reports issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

FIGURE 1.10: OmniPeek Summary details

13. To save the result, select File > Save Report.

CEH Lab Manual Page 593

OmniPeek capture window with the File menu open (as captured in the lab): a capture of 2,000 Ethernet packets started 9/15/2012 12:02:46.

FIGURE 1.11: OmniPeek saving the results

14. Choose the format of the report type from the Save Report window and then click Save.

Save Report dialog (as captured in the lab): Report type: PDF Report; Report folder: C:\Users\Administrator\Documents\Reports\Capture 1; Report description: PDF reports contain Summary Statistics, Node Statistics, Protocol Statistics, Node/Protocol Detail Statistics, Expert Stream and Application Statistics, Voice and Video, Wireless Node and Channels Statistics, and graphs.

FIGURE 1.12: OmniPeek selecting the report format

15. The report can be viewed as a PDF.

Using OmniPeek's local capture capabilities, a centralized console distributes OmniEngine intelligent software probes, Omnipliance®, Timeline™ network recorders, and Expert Analysis.

Engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.

CEH Lab Manual Page 594

OmniPeek Report: 9/15/2012 12:21:22
Start: 9/15/2012 12:02:46, Duration: 0:01:25
Total Bytes: 1014185, Total Packets: 2000

Summary Statistics, reported 9/15/2012 12:21:22

Group: Network
  Total Bytes                      1,014,185
  Total Packets                    N/A
  Total Broadcast                  1,061
  Total Multicast                  6,933
  Average Utilization (percent)    0.096
  Average Utilization (bits/s)     95,989
  Current Utilization (percent)    0.360
  Current Utilization (bits/s)     360,320
  Max Utilization (percent)        0.795
  Max Utilization (bits/s)         794,656

Group: Errors
  Total, CRC, Frame Alignment, Runt, Oversize: 0

Report bookmarks: Dashboard; Statistics (Summary, Nodes, Protocols); Expert (Summary, Flows, Applications); Voice & Video; Graphs (Packet Sizes, Network Utilization (bits/s), Network Utilization (percent), Address Count Comparisons, Applications).

Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill-down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.

FIGURE 1.13: OmniPeek Report in PDF format

Lab Analysis

Analyze and document the results related to the lab exercise.

CEH Lab Manual Page 595

Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:

Network Information:
■ Network Utilization
■ Current Activity
■ Log
■ Top Talkers by IP Address
■ Top Protocols

Packets Information:
■ Source
■ Destination
■ Size
■ Protocol

Nodes Statistics:
■ Total Bytes for a Node
■ Packets Sent
■ Packets Received
■ Broadcast/Multicast Packets

Summary includes information such as:
■ General
■ Network
■ Errors
■ Counts
■ Size Distribution
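The packet fields and node statistics listed in this table, and the cleartext credential exposure described in the module's Lab Scenario, can be reproduced without OmniPeek by dissecting frames directly. The following Python program is an added example written for this edit, not code from the CEH lab manual or from WildPackets. It builds a handful of constructed Ethernet/IPv4/TCP frames (the MAC and IP addresses, the FTP login and the 85-second capture duration are all invented for the example), computes OmniPeek-style totals, top talkers, top protocols and per-node counters, and harvests an FTP USER/PASS pair from the payloads. The 100 Mbit/s link speed used for the utilization percentage matches the adapter shown in Figure 1.5; `summarize`, `extract_ftp_credentials` and `build_tcp_frame` are names chosen for this example.

```python
"""Added example, not code from the CEH lab manual or from WildPackets: a minimal
Ethernet II / IPv4 / TCP dissector that produces OmniPeek-style node and protocol
statistics and harvests cleartext FTP logins. All frames are constructed below."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
BROADCAST = b"\xff" * 6


def _mac(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero: a passive sniffer never
    validates them and these frames are never put on the wire."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Dissect one frame into a dict: MACs, size, protocol, IPs, ports and L4 payload."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    pkt = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "size": len(frame),
           "proto": "Other", "broadcast": dst == BROADCAST,
           "multicast": bool(dst[0] & 1) and dst != BROADCAST}
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4 or len(frame) < 34:
        return pkt
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    pkt.update(src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
               proto=PROTO_NAMES.get(proto, f"IP/{proto}"))
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:        # TCP: payload starts at the data offset
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:      # UDP: fixed 8-byte header
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[8:]
    return pkt


def summarize(frames, duration_s, link_bps=100_000_000):
    """Summary, Nodes and Protocols statistics in the shape of the OmniPeek report."""
    pkts = [p for p in map(parse_frame, frames) if p]
    nodes = defaultdict(lambda: {"bytes": 0, "sent": 0, "received": 0})
    protocols, talkers = Counter(), Counter()
    for p in pkts:
        nodes[p["src_mac"]]["sent"] += 1
        nodes[p["dst_mac"]]["received"] += 1
        for mac in (p["src_mac"], p["dst_mac"]):
            nodes[mac]["bytes"] += p["size"]
        protocols[p["proto"]] += 1
        if "src_ip" in p:
            talkers[p["src_ip"]] += p["size"]
    total_bytes = sum(p["size"] for p in pkts)
    avg_bps = total_bytes * 8 / duration_s
    return {"total_packets": len(pkts), "total_bytes": total_bytes,
            "total_broadcast": sum(p["broadcast"] for p in pkts),
            "total_multicast": sum(p["multicast"] for p in pkts),
            "avg_utilization_bps": round(avg_bps),
            "avg_utilization_percent": round(avg_bps / link_bps * 100, 3),
            "top_talkers": talkers.most_common(3),
            "top_protocols": protocols.most_common(3),
            "nodes": dict(nodes)}


def extract_ftp_credentials(frames):
    """Pair USER and PASS commands sent to TCP/21, keyed by (client, server) so that
    interleaved sessions from different clients are not mixed up."""
    pending, creds = {}, []
    for p in map(parse_frame, frames):
        if not p or p["proto"] != "TCP" or p.get("dport") != 21:
            continue
        key = (p["src_ip"], p["dst_ip"])
        for line in p["payload"].decode("ascii", "replace").splitlines():
            cmd, _, arg = line.strip().partition(" ")
            if cmd.upper() == "USER":
                pending[key] = arg
            elif cmd.upper() == "PASS" and key in pending:
                creds.append({"client": key[0], "server": key[1],
                              "user": pending.pop(key), "password": arg})
    return creds


# Constructed sample traffic (invented addresses): one TLS exchange, one cleartext FTP login, one ARP broadcast.
CLIENT_MAC, SERVER_MAC, FTP_MAC = "d0:27:88:aa:bb:36", "00:15:5d:01:02:03", "00:15:5d:04:05:06"
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.2", "173.194.36.4", 1769, 443, b"\x16\x03\x01" + b"\x00" * 40),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, "173.194.36.4", "10.0.0.2", 443, 1769, b"\x16\x03\x03" + b"\x00" * 900),
    build_tcp_frame(CLIENT_MAC, FTP_MAC, "10.0.0.2", "10.0.0.5", 1040, 21, b"USER alice\r\n"),
    build_tcp_frame(FTP_MAC, CLIENT_MAC, "10.0.0.5", "10.0.0.2", 21, 1040, b"331 Password required\r\n"),
    build_tcp_frame(CLIENT_MAC, FTP_MAC, "10.0.0.2", "10.0.0.5", 1040, 21, b"PASS s3cret!\r\n"),
    BROADCAST + _mac(CLIENT_MAC) + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP request, not IPv4
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_FRAMES, duration_s=85)
    print("Top talkers:", stats["top_talkers"], "Top protocols:", stats["top_protocols"])
    for c in extract_ftp_credentials(SAMPLE_FRAMES):
        print(f"FTP login {c['user']}:{c['password']} from {c['client']} to {c['server']}")
```

Run it as a script to print the top talkers, top protocols and the harvested login. Analyzers differ in whether they count per-frame overhead such as preamble and inter-frame gap in utilization, so the bits/s figures computed from raw frame bytes need not match OmniPeek's report exactly; the percentage is simply bits/s divided by the link speed.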

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

CEH Lab Manual Page 596

Questions

1. Analyze which 802.11 adapters are supported in OmniPeek Network Analyzer.

2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.

3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required: No
Platform Supported: iLabs, Classroom

CEH Lab Manual Page 597

Lab

Spoofing MAC Address Using SMAC

SMAC is a powerful and easy-to-use MAC address changer (spoofer). The tool can automatically activate the new MAC address right after changing it.

Lab Scenario

In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze them to determine whether any vulnerability is present in the network. If an attacker can capture packets with such tools, he or she gains information such as packet source and destination, total packets sent and received, errors, and so on, and can use the captured packets to attack other computers on the network.

An administrator without a working knowledge of packet sniffers will find intrusions hard to defend against. So, as an expert ethical hacker and penetration tester, you must be able to spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address so that your real hardware address is not exposed to an attacker.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.

Lab Environment

In this lab, you need:

■ SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
■ You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
■ If you decide to download the latest version, then screenshots shown in the lab might differ

CEH Lab Manual Page 598

■ A computer running Windows Server 2012 as host and Windows Server 2008 running in a virtual machine
■ Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
■ Administrative privileges to run tools
■ A web browser with Internet access

Lab Duration

Time: 10 Minutes

Overview of SMAC

Spoofing a MAC address protects personal privacy. Many organizations track wired or wireless network users by their MAC addresses, and with Wi-Fi connections now widespread, wireless access points routinely use MAC addresses to identify and filter clients. Because a MAC address is trivially changed in software, MAC-based filtering should never be relied on as an authentication control.

MAC spoofing is also carried out for security vulnerability testing and penetration testing of MAC-address-based authentication and authorization systems, such as wireless access points with MAC filtering. (Disclaimer: authorization to perform these tests must be obtained from the system's owner(s).)

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 2.1: Windows Server 2012 — Desktop view

2. Click the SMAC 2.7 app in the Start menu to launch the tool.

SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Card (NIC) on Windows systems, regardless of whether the manufacturer allows this option.

SMAC works on Network Interface Cards (NICs) that are on the Microsoft hardware compatibility list (HCL).

When you start the SMAC program, you must start it as the administrator. If you are not logged in as an administrator, right-click the SMAC program icon and click "Run as Administrator".

CEH Lab Manual Page 599

FIGURE 2.2: Windows Server 2012 — Start menu

3. The SMAC main screen appears. Choose a network adapter to spoof a MAC address.

SMAC 2.7 Evaluation Mode main screen (as captured in the lab): menu File, View, Options, Help; an adapter table with columns ID, Active, Spoofed, Network Adapter and IP Address listing Hyper-V Virtual Ethernet Adapter #2 (10.0.0.2) and Hyper-V Virtual Ethernet Adapter #3 (169.254.103.138), both Active and not Spoofed; buttons Update MAC, Remove MAC, Restart Adapter, IPConfig, Random, MAC List, Refresh, Exit; a "Show Only Active Network Adapters" checkbox; a New Spoofed MAC Address field; Network Connection: vEthernet (Realtek PCIe GBE Family Controller - Virtual Switch); Hardware ID: vms_mp; Spoofed MAC Address: Not Spoofed; Active MAC Address (partially redacted). The footer disclaimer reads: "Use this program at your own risk. We are not responsible for any damage that may occur to any system. This program is not to be used for any illegal or unethical purpose."

FIGURE 2.3: SMAC main screen

4. To generate a random MAC address, click Random.

FIGURE 2.4: SMAC Random button to generate MAC addresses

5. Clicking the Random button also fills in the New Spoofed MAC Address field, to simplify MAC address spoofing.

TASK 1: Spoofing MAC Address

SMAC helps people protect their privacy by hiding their real MAC addresses on widely available Wi-Fi wireless networks.

CEH Lab Manual Page 600

SMAC main screen after clicking Random (as captured in the lab): New Spoofed MAC Address: 1E-05-FC-63-34-07; the vendor lookup field shows SCHENCK PEGASUS CORP. [0005FC]; Spoofed MAC Address still reads Not Spoofed (the new address is applied with Update MAC).

FIGURE 2.5: SMAC selecting a new spoofed MAC address

6. The Network Connection and Network Adapter fields display their respective names.

7. Click the forward arrow button in Network Connection to display the Network Adapter information.

Network Connection: vEthernet (Realtek PCIe GBE Family Controller - Virtual Switch)

FIGURE 2.6: SMAC Network Connection information

8. Clicking the backward arrow button in Network Adapter displays the Network Connection information again. These buttons toggle between the Network Connection and Network Adapter information.

Network Adapter: Hyper-V Virtual Ethernet Adapter #2

FIGURE 2.7: SMAC Network Adapter information

9. Similarly, the Hardware ID and Configuration ID fields display their respective names.

10. Click the forward arrow button in Hardware ID to display the Configuration ID information.

Hardware ID: vms_mp

FIGURE 2.8: SMAC Hardware ID display

11. Clicking the backward arrow button in Configuration ID displays the Hardware ID information again. These buttons toggle between the Hardware ID and Configuration ID information.

Configuration ID: {C7897B39-EDBD-...-BE95-511FAE4588A1}

FIGURE 2.9: SMAC Configuration ID display

SMAC also helps network and IT security professionals troubleshoot network problems, test intrusion detection/prevention systems (IDS/IPS), test incident response plans, build high-availability solutions, recover (MAC-address-based) software licenses, and so on.

SMAC does not change the hardware burned-in MAC address. SMAC changes the software-based MAC address (the address the driver presents to the operating system), and the new MAC address persists across reboots.

CEH Lab Manual Page 601

12. To bring up the ipconfig information, click IPConfig.

TASK 2: Viewing IPConfig Information

FIGURE 2.10: SMAC button to view the IPConfig information

13. The IPConfig window pops up; you can also save the information by clicking the File menu at the top of the window.

The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.

View IPConfig window (as captured in the lab):

Windows IP Configuration
   Host Name . . . . . . . . . . . . : WIN-MSSELCK4K41
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter vEthernet (Virtual Network Internal Adapter):
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-..-..-..-..-08
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6868:8573:b1b6:678a%19(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.103.138(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 452990301
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-...-16-36
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1

FIGURE 2.11: SMAC IPConfig information

14. You can also import a MAC address list into SMAC by clicking MAC List.

FIGURE 2.12: SMAC listing MAC addresses

CEH Lab Manual Page 602

Page 20: Ceh v8 labs module 08 sniffers

Module 08 - Sniffers

15. If there is 110 address in die MAC address held, click Load List to select a ]MAC address list tile you have created.

MAC List

<- Load List

S e lect

Close

No List

FIG U R E 2.13 SMAC MAC lis t window

16. Select die Sam ple MAC Address L is t.tx t file from the Load MAC Listwindow.

[Screenshot: the Load MAC List file dialog open on C:\ProgramData\KLC\SMAC, listing LicenseAgreement.txt and Sample_MAC_Address_List.txt, with the file type filter "Text Format (*.txt)"]

FIGURE 2.14: SMAC Load MAC List window

Note: When changing the MAC address, you must assign an address that is valid according to the IANA number assignments database. For example, 00-00-00-00-00-00 is not a valid MAC address: even though SMAC lets you update the adapter with it, the NIC device driver may reject it because it is invalid, in which case the true (burned-in) MAC address is used instead. Alternatively, the driver may accept 00-00-00-00-00-00, but the device will then not function.


17. The list of MAC addresses is added to the MAC List in SMAC. Choose a MAC address and click Select. This MAC address is copied to New Spoofed MAC Address on the main SMAC screen.

[Screenshot: the MAC List window populated from C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt, with one address selected]

FIGURE 2.15: SMAC MAC List window

18. To restart the network adapter, click Restart Adapter, which restarts the selected network adapter. Restarting the adapter causes a temporary loss of connectivity on that adapter.

[Screenshot: SMAC main window with the Restart Adapter button highlighted]

FIGURE 2.16: SMAC restarting the network adapter
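The IANA note above (why 00-00-00-00-00-00 is rejected) comes down to a few bits of the first octet. The following Python script is an added example, not part of the lab manual or of SMAC: it normalizes a candidate MAC address, rejects the all-zero and broadcast values, checks the I/G (multicast) and U/L (locally administered) bits, and looks the OUI up in a tiny vendor table embedded for the example. The table and its vendor names are assumptions; a real check uses the IEEE OUI registry.

```python
# Added example (not from the CEH lab manual or the SMAC tool): classify a
# candidate MAC address before using it as a spoofed address. Stdlib only.
import re

# Tiny OUI (first three octets) table constructed for this example; the vendor
# names are assumptions. A real check would use the full IEEE OUI registry.
OUI_TABLE = {
    "00:15:5D": "Microsoft (Hyper-V)",
    "00:1C:42": "Parallels",
    "00:50:56": "VMware",
}

# Six hex pairs, separated consistently by '-', ':' or nothing at all.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the address as 'AA:BB:CC:DD:EE:FF'; raise ValueError on bad syntax."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[-:]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac: str) -> dict:
    """Syntax, reserved values, I/G and U/L bits, and OUI lookup in one report."""
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    problems = []
    if norm == "00:00:00:00:00:00":
        problems.append("all-zero address: drivers reject it or keep the burned-in address")
    elif norm == "FF:FF:FF:FF:FF:FF":
        problems.append("broadcast address")
    if first_octet & 0x01:      # I/G bit set: group (multicast) address
        problems.append("I/G bit set: a multicast address cannot be a NIC's source address")
    locally_administered = bool(first_octet & 0x02)   # U/L bit
    return {
        "mac": norm,
        "valid_unicast": not problems,
        "locally_administered": locally_administered,
        # An OUI only identifies a vendor for universally administered addresses.
        "vendor": None if locally_administered else OUI_TABLE.get(norm[:8]),
        "problems": problems,
    }


if __name__ == "__main__":
    for candidate in ("00-00-00-00-00-00", "00-1C-42-00-00-01",
                      "02:11:22:33:44:55", "01:00:5E:00:00:01"):
        print(classify_mac(candidate))
```

Two practical consequences for the defender: a burned-in address has the U/L bit clear and a registered OUI, so an address with the locally administered bit set, or with an OUI the registry does not know, is a good candidate for the "odd MAC addresses" the next lab asks you to detect. Conversely, many Windows NIC drivers only accept a spoofed address whose first octet has the U/L bit set (second hex digit 2, 6, A or E), which is worth checking before you wonder why Update MAC silently kept the old address.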

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers

Note: SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information Systems Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.

Note: SMAC displays the following information about a Network Interface Card (NIC):
• Device ID
• Active Status
• NIC Description
• Spoofed Status
• IP Address
• Active MAC Address
• Spoofed MAC Address
• NIC Hardware ID
• NIC Configuration ID


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Sniffing a Network Using the WinArpAttacker Tool

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).

Lab Scenario
You learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker can likewise alter his or her MAC address to evade network intrusion detection systems, bypass MAC-based access control lists, impersonate an authenticated user, and keep communicating on the network after the real user goes offline. Attackers can also use MAC flooding, which fills the switch's MAC (CAM) table until the switch falls back to forwarding frames out of every port, where a sniffer can read them.
As an administrator, it is important to detect odd MAC addresses on the network, and you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify which MAC address or addresses are allowed on each port. Another way to prevent an attacker from sniffing your network is to use static ARP entries, which spoofed ARP replies cannot overwrite. In this lab, you will learn to run WinArpAttacker to sniff a network and to protect it from these attacks.

Lab Objectives
The objectives of this lab are to:

■ Scan, Detect, Protect, and Attack computers on local area networks (LANs)

■ Scan and show the active hosts on the LAN within a very short time (2-3 seconds)

■ Save and load computer list files, and scan the LAN regularly for new computers

■ Update the computer list in passive mode using sniffing


■ Discover whether hosts freely provide information about the operating systems they run

■ Discover the kind of firewall, wireless access point, and remote access in use

■ Discover any published information on the topology of the network

■ Discover whether the site is seeking help for IT positions that could reveal the network services the organization provides

■ Identify actual users and discover whether they give out too much personal information that could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:

■ WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker

■ You can also download the latest version of WinArpAttacker from http://www.xfocus.net

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine
■ Windows 2008 running on a virtual machine as target machine
■ A computer updated with network devices and drivers
■ An installed version of the WinPcap drivers
■ Double-click WinArpAttacker.exe to launch WinArpAttacker
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information about a target and its network. It helps to find vulnerabilities and to select exploits for an attack. It determines network information, system information, and organizational information.

Lab Tasks
1. Launch the Windows 8 virtual machine.
2. Launch WinArpAttacker on the host machine.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Note: WinArpAttacker works on computers running Windows (up to Windows 2003).

TASK 1: Scanning Hosts on the LAN


[Screenshot: WinArpAttacker 3.5 (2006.6.4) main window. Menu: File, Scan, Attack, Detect, Options, View, Help. Toolbar: New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up, About. Host table columns: IP, Mac, Hostname, Online, Sniffing, Attack, ArpSQ, ArpSP, ArpRQ, ArpRP, Packets, Traffic(K); the table already lists 10.0.0.1 to 10.0.0.8 and the broadcast/multicast addresses. Event table columns: Time, Event, ActHost, EffectHost1, EffectHost2, Count. Status bar: GW: 10.0.0.1, On: 0, Off: 0, Sniffing: 0]

FIGURE 3.1: WinArpAttacker main window

3. Click the Scan option on the toolbar and select Scan LAN.

4. The scan shows the active hosts on the LAN within a very short period of time (2-3 seconds).

5. The Scan option has two modes: Normal scan and Antisniff scan.

[Screenshot: the Scan menu open, offering the Normal scan and Antisniff scan modes above the host table]

FIGURE 3.2: WinArpAttacker Scan options

6. Scanning saves and loads a computer list file, and also scans the LAN regularly for new computers.

Caution: This program is dangerous and is released just for research. Any possible loss caused by this program bears no relation to the author (unshadow); if you don't agree with this, you must delete it immediately.

Note: WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network.

Note: The Scan option scans for and shows the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff; the second finds who is sniffing on the LAN.


[Screenshot: WinArpAttacker after Scan LAN. Hosts 10.0.0.1 to 10.0.0.8 are shown Online with their hostnames (WIN-MSSELCK..., WINDOWS8, WIN-LXQN3W..., WORKGROUP, ADMIN); the event log lists New_Host and Arp Scan entries dated 2012-09-17; status bar GW: 10.0.0.1, On: 7, Off: 0, Sniffing: 0]

FIGURE 3.3: WinArpAttacker loading a computer list

7. By performing an attack action, WinArpAttacker can pull and collect all the packets on the LAN.

8. Select a host (10.0.0.5, Windows Server 2008) from the displayed list and select Attack -> Flood.

[Screenshot: host 10.0.0.5 selected and the Attack menu open with its ARP attack options; status bar GW: 10.0.0.1, On: 7, Off: 0, Sniffing: 0]

Note: In this tool, attacks can pull and collect all the packets on the LAN.

Note: The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

FIGURE 3.4: WinArpAttacker ARP attack types

9. Sniffing (the spoofing attack) makes WinArpAttacker act as another gateway or IP forwarder on the LAN, without other users noticing, while it spoofs their ARP tables.

10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward function is counted, as shown in the main interface.


[Screenshot: the host table with the per-host ArpSQ, ArpSP, ArpRQ, ArpRP, Packets and Traffic(K) counters populated for 10.0.0.1 to 10.0.0.8 (all Online, attack state Normal); status bar GW: 10.0.0.1, On: 7, Off: 0, Sniffing: 0]

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

11. Click Save to save the report.

[Screenshot: the WinArpAttacker toolbar: New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up, About]

FIGURE 3.6: WinArpAttacker toolbar options

12. Select the desired location and click Save to save the report.

Lab Analysis
Analyze and document the scanned and attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Note: The BanGateway option tells the gateway wrong MAC addresses for the target computers, so the targets cannot receive packets from the Internet. This attack is used to cut the targets off from the Internet.

Note: The IPConflict option, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may be unable to work because of recurring IP conflict messages. In addition, the targets cannot access the LAN.


Questions
1. WinArp

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Analyzing a Network Using the Capsa Network Analyzer

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

Lab Scenario
Using WinArpAttacker you were able to sniff the network and find information such as host name, MAC address, IP address, subnet mask and DNS server. An attacker can use the same tool to gather this information and then set up a rogue DHCP server that hands clients false details (for example, a malicious default gateway or DNS server). DNS amplification attacks abuse an extension to the DNS protocol (EDNS0) that permits large responses.
To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker cannot recruit them into a botnet. Securely configure name servers to reduce the attacker's ability to plant an amplification record in a zone file. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab teaches you to use another network analyzer, Capsa Network Analyzer, to capture and analyze network traffic.

Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:

■ Network traffic analysis and communication monitoring
■ Network problem diagnosis
■ Network security analysis
■ Network performance detection
■ Network protocol analysis


Lab Environment
To carry out the lab, you need:

■ Colasoft Capsa Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer

■ You can also download the latest version of Colasoft Capsa Network Analyzer from http://www.colasoft.com

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
■ Administrative privileges to run tools
■ A web browser with an Internet connection

Note: This lab requires an active Internet connection for license key registration

Lab Duration
Time: 20 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information about the target and its network. It helps to find vulnerabilities and select exploits for an attack. It determines network information, system information, password information, and organizational information. Sniffing can be active or passive.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

[Screenshot: Windows Server 2012 desktop (Release Candidate Datacenter evaluation copy)]

FIGURE 4.1: Windows Server 2012 desktop view

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Note: Colasoft Capsa Network Analyzer runs on Windows Server 2003, Server 2008 and Windows 7, including 64-bit editions.

TASK 1: Analyze Network

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.


2. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool.

FIGURE 4.2: Windows Server 2012 Start menu

3. The Colasoft Capsa 7 Free - Activation Guide window appears. Type the activation key that you received in your registered email and click Next.

[Screenshot: the Colasoft Capsa 7 Free Activation Guide. License Information fields: Windows User, User Name, Company and Serial Number, with a "Click here to get your serial number..." link; activation options Activate Online (Recommended) and Activate Offline; buttons Help, Next and Cancel. The dialog directs questions to Colasoft support.]

FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer Activation Guide window


4. Continue to click Next in the Activation Guide and then click Finish.

[Screenshot: the Activation Guide reporting "Successfully activated!" with a Finish button]

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer activation successful

5. The Colasoft Capsa 7 Free Network Analyzer main window appears.

[Screenshot: Capsa main window, Capture tab, with no adapter selected. The adapter list shows Ethernet (10.0.0.2), a loopback adapter (127.0.0.1) and vEthernet (Virtual Network Internal Adapter, 169.254.103.x), each with its link speed, packet and byte counters and utilization. Capture Filter: "No filter selected, accept all packets", with a Set Capture Filter link. Network Profile: Full Analysis ("To provide comprehensive analysis of all the applications and network problems"; plugin modules loaded: MSN, Yahoo Messenger). Analysis profiles offered: Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis.]

Note: As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

FIGURE 4.5: Colasoft Capsa Network Analyzer main screen


6. In the Capture tab of the main window, select the Ethernet check box under Adapter and click Start to create a new project.

[Screenshot: the Capture tab with the Ethernet adapter (10.0.0.2) selected, the Full Analysis profile chosen and the Start button; the other profiles (Traffic Monitor, HTTP, Email, DNS, FTP and IM Analysis) are listed beside it]

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a new project

7. The Dashboard provides various graphs and charts of the statistics. You can view the analysis report in graphical form in the Dashboard section of the Node Explorer.

[Screenshot: the Dashboard tab of the Full Analysis project with the charts Total Traffic by Bytes, Top Application Protocols by Bytes and Top IP Total Traffic by Bytes. The Node Explorer on the left lists Protocol Explorer, Physical Explorer and IP Explorer; the Online Resource pane advertises Capsa v7.6 and how-to links (detecting ARP attacks, detecting network loops, monitoring IM messages).]

Note: The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.

FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard


8. The Summary tab provides full general analysis and statistical information for the node selected in the Node Explorer window.

[Screenshot: the Summary tab showing traffic statistics (total, broadcast, multicast, average packet size), the packet size distribution (<=64, 65-127, 128-255, 256-511, 512-1023, 1024-1517 and >=1518 bytes) and the Diagnosis counts by severity (Information, Notice, Warning, Critical); capture duration 00:14:43]

FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

9. The Diagnosis tab provides real-time diagnosis events for the whole network, grouped by protocol layer or by severity. In this tab you can review the performance of each protocol.

10. To view slow TCP responses, click TCP Slow Response under Transport Layer, which highlights the slowest responses in Diagnosis Events.

[Screenshot: the Diagnosis tab. The Diagnosis Item tree lists Application Layer (DNS Server Slow Response, HTTP Server Slow Response), Transport Layer (TCP Retransmission, TCP Slow Response, TCP Duplicated Acknowledgement) and Network Layer; the Diagnosis Address pane lists hosts such as 74.125.x.x and 207.218.235.162 with their physical addresses; the Diagnosis Events pane shows Performance / Transport / TCP Slow ACK entries, each naming the data packet, the acknowledging packet and the delay in milliseconds]

FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnosis

Note: A high network utilization rate indicates that the network is busy, whereas a low utilization rate indicates that the network is idle.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing


11. Double-click the highlighted Diagnosis Event to view the detailed information for this event.

[Screenshot: the Diagnosis tab with one TCP Slow ACK event selected in the Diagnosis Events pane]

FIGURE 4.10: Analyzing a Diagnosis Event

12. The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other details of the packets involved.


FIGURE 4.11: TCP Slow ACK - Data Stream of Diagnostic Information window

13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 618


FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis

14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.


FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

15. The IP Endpoint tab displays statistics of all IP addresses communicating within the network.

16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check whether there is a multicast storm or broadcast storm in your network.


FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

17. The Physical Conversation tab presents the conversations between two MAC addresses.


FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations

18. The IP Conversation tab presents IP conversations between pairs of nodes.

19. The lower pane of the IP conversation section offers UDP and TCP conversation, which you can drill down to analyze.
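The figures the IP Endpoint and IP Conversation tabs present (steps 15 to 19) are simple aggregates over the captured packets. The following is an added example, not Colasoft Capsa's code: it computes per-node and per-pair byte and packet counts from a constructed list of packet records and applies the broadcast/multicast storm check mentioned in step 16. The Packet records, the addresses and the 30 packets-per-window threshold are all constructed for the illustration.

```python
"""Endpoint, conversation and storm statistics over a constructed packet list."""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float      # seconds since capture start
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    proto: str     # "TCP" or "UDP"
    sport: int
    dport: int
    length: int    # bytes on the wire


# Constructed sample capture: one HTTP exchange, a burst of 40 LLMNR multicast
# queries within 0.4 s, and a single SSDP packet. Not a capture from the lab.
SAMPLE: List[Packet] = (
    [Packet(0.1 * i, "10.0.0.2", "207.218.235.182", "TCP", 1406, 80, 600)
     for i in range(5)]
    + [Packet(0.1 * i + 0.05, "207.218.235.182", "10.0.0.2", "TCP", 80, 1406, 1400)
       for i in range(5)]
    + [Packet(1.0 + 0.01 * i, "10.0.0.10", "224.0.0.252", "UDP", 56123 + i, 5355, 68)
       for i in range(40)]
    + [Packet(1.5, "10.0.0.5", "239.255.255.250", "UDP", 52748, 3702, 999)]
)


def is_group_address(addr: str) -> bool:
    """True for the limited broadcast address and any IPv4 multicast (224/4) address."""
    return addr == "255.255.255.255" or ip_address(addr).is_multicast


def endpoint_stats(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Per-address counters, the way the IP Endpoint tab summarises each node."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"bytes_out": 0, "bytes_in": 0, "pkts_out": 0, "pkts_in": 0})
    for p in packets:
        stats[p.src]["bytes_out"] += p.length
        stats[p.src]["pkts_out"] += 1
        stats[p.dst]["bytes_in"] += p.length
        stats[p.dst]["pkts_in"] += 1
    return dict(stats)


def top_talkers(stats: Dict[str, Dict[str, int]], n: int = 3) -> List[Tuple[str, int]]:
    """Nodes with the highest total (sent + received) bytes; ties broken by address."""
    totals = [(addr, c["bytes_out"] + c["bytes_in"]) for addr, c in stats.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))[:n]


def conversation_stats(packets: List[Packet]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Per node-pair counters for both directions, like the IP Conversation tab.

    The pair key is ordered by numeric address so both directions land in one record.
    """
    conv: Dict[Tuple[str, str], Dict[str, float]] = {}
    for p in packets:
        a, b = sorted((p.src, p.dst), key=lambda s: int(ip_address(s)))
        c = conv.setdefault((a, b), {"bytes_1to2": 0, "bytes_2to1": 0, "pkts": 0,
                                      "first": p.ts, "last": p.ts})
        c["bytes_1to2" if p.src == a else "bytes_2to1"] += p.length
        c["pkts"] += 1
        c["first"] = min(c["first"], p.ts)
        c["last"] = max(c["last"], p.ts)
    for c in conv.values():
        c["duration"] = c["last"] - c["first"]
    return conv


def storm_windows(packets: List[Packet], window_s: float = 1.0,
                  pps_threshold: int = 30) -> List[Tuple[float, int]]:
    """Time windows whose broadcast/multicast packet count exceeds the threshold.

    The threshold is a constructed value; a real one comes from the network's baseline.
    """
    per_window: Dict[int, int] = defaultdict(int)
    for p in packets:
        if is_group_address(p.dst):
            per_window[int(p.ts // window_s)] += 1
    return [(k * window_s, n) for k, n in sorted(per_window.items()) if n > pps_threshold]


if __name__ == "__main__":
    ep = endpoint_stats(SAMPLE)
    for addr, total in top_talkers(ep):
        print(f"{addr:>16}  {total:6d} bytes")
    for (a, b), c in conversation_stats(SAMPLE).items():
        print(f"{a} <-> {b}: {c['bytes_1to2']} / {c['bytes_2to1']} bytes, "
              f"{c['pkts']} pkts, {c['duration']:.2f} s")
    for start, n in storm_windows(SAMPLE):
        print(f"possible multicast/broadcast storm: {n} group packets from t={start:.0f}s")
```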

As delicate work, network analysis always requires us to view the original packets and analyze them. However, not all network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.

TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL was initially designed to define a time scope beyond which the packet is dropped. As the TTL value is decremented by at least 1 by each router the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped.


FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations

20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.


FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations

21. A window opens displaying full packet analysis between 10.0.0.5 and 239.255.255.250.


FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations

22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.

23. Double-click a node to display the full analysis of packets.


FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations

24. A Full Analysis window opens, displaying detailed information on the conversation between the two nodes.

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.


FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations

25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.

26. The lower pane of this tab gives you related packets and reconstructed data flow to help you drill down to analyze the conversations.


In networking, an email worm is a computer worm that can copy itself to a shared folder on a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations

27. On the Matrix tab, you can view the nodes communicating in the network, connected to each other graphically by lines.

28. The weight of the line indicates the volume of traffic between nodes, which are arranged in an extensive ellipse.


29. You can easily navigate and shift between global statistics and details of specific network nodes by switching the corresponding nodes in the Node Explorer window.

Once we encounter a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.

FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view

30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.


Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.

FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information

31. The Packet decode consists of two major parts: Hex View and Decode View.


Protocol decoding is a basic functionality as well. There is a Packet tab, which collects all captured packets or traffic. Select a packet and you can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rules.

FIGURE 4.24: Full Analysis of Packet Decode
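What the Packet tab's Hex View and Decode View do is parse the raw bytes field by field. The following is an added example, not Colasoft Capsa's code: it decodes a constructed Ethernet II frame carrying either an ARP packet (the structure in the figure above) or an IPv4 header, renders a hex view, verifies the IPv4 header checksum, and turns the TTL into the hop estimate described in the TTL note earlier. The two frames, their locally administered MAC addresses, and the assumption that senders start from an initial TTL of 64, 128 or 255 are constructed for the illustration; the TCP bytes after the IPv4 header are a stub that is not decoded.

```python
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
COMMON_INITIAL_TTLS = (64, 128, 255)  # assumption: initial TTLs most OS stacks use

# Constructed frames (locally administered MACs, 10.0.0.0/24 hosts), not lab captures.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "02000000000a" "0806"          # Ethernet II: dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"                # htype, ptype, hlen, plen, opcode request
    "02000000000a" "0a000002"                     # sender MAC / IP (10.0.0.2)
    "000000000000" "0a000001")                    # target MAC (unknown) / IP (10.0.0.1)
IPV4_FRAME = bytes.fromhex(
    "020000000001" "02000000000a" "0800"          # Ethernet II: dst, src, EtherType IPv4
    "4500" "0028" "59d6" "4000" "7a" "06" "e166"  # ver/IHL, TOS, len 40, id, DF, TTL 122, TCP, csum
    "0a000002" "cfdaebb6"                         # 10.0.0.2 -> 207.218.235.182
    "057e" "0050" "8cd0d0a3" "00000000" "5002" "2000" "0000" "0000")  # TCP SYN stub

def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def hex_view(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII per line, like the Hex View pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{x:02X}" for x in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
        lines.append(f"{off:04X}  {hexpart}  {asc}")
    return "\n".join(lines)

def estimate_hops(ttl: int) -> int:
    """Routers crossed, assuming the sender started at the next common initial TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    return next(start - ttl for start in COMMON_INITIAL_TTLS if ttl <= start)

def ipv4_checksum_ok(header: bytes) -> bool:
    """The ones'-complement sum of all 16-bit header words must come out as 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_arp(data: bytes) -> Dict[str, Any]:
    """ARP fields as the Decode View lists them (Ethernet/IPv4 ARP only)."""
    if len(data) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"operation": {1: "request", 2: "reply"}.get(oper, str(oper)),
            "sender_mac": mac(data[8:14]), "sender_ip": ipv4(data[14:18]),
            "target_mac": mac(data[18:24]), "target_ip": ipv4(data[24:28])}

def decode_ipv4(data: bytes) -> Dict[str, Any]:
    """IPv4 header fields, with the TTL turned into a hop estimate and the checksum verified."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"version": version, "header_length": ihl, "dscp": tos >> 2, "ecn": tos & 0x3,
            "total_length": total_len, "identification": ident,
            "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,
            "ttl": ttl, "estimated_hops": estimate_hops(ttl),
            "protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "checksum": csum, "checksum_ok": ipv4_checksum_ok(data[:ihl]),
            "src": ipv4(data[12:16]), "dst": ipv4(data[16:20])}

def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Ethernet II header plus whichever payload decoder the EtherType selects."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result: Dict[str, Any] = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
                              "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        result["arp"] = decode_arp(payload)
    elif ethertype == ETHERTYPE_IPV4:
        result["ip"] = decode_ipv4(payload)
    else:
        result["payload_length"] = len(payload)  # EtherTypes not decoded here
    return result

if __name__ == "__main__":
    for frame in (ARP_FRAME, IPV4_FRAME):
        print(hex_view(frame))
        for field, value in decode_frame(frame).items():
            print(f"  {field}: {value}")
```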

32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log and Yahoo Log.

33. You can view the logs of TCP conversations, Web access, DNS transactions, Email communications, etc.

FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view


FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view

34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.


FIGURE 4.27: Colasoft Capsa Network Analyzer MSN Log view


35. The Report tab provides 27 statistics reports, from the global network down to a specific network node.

FIGURE 4.28: Colasoft Capsa Network Analyzer Full Analysis's Report

36. You can click the respective hyperlinks for information, or you can scroll down to view the complete detailed report.


Almost all Trojans and worms need access to the network, because they have to return data to the attacker. Only the useful data are sent for the Trojan to accomplish its mission. So it is a good approach to start from the angle of traffic analysis and protocol analysis technology.


FIGURE 4.29: Colasoft Capsa Network Analyzer Full Analysis's Report


37. Click Stop on the toolbar after completing your task.


FIGURE 4.30: Colasoft Capsa Network Analyzer Stopping process

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Capsa Network Analyzer

Information Collected/Objectives Achieved:

Diagnosis:
■ Name
■ Physical Address
■ IP Address

Packet Info:
■ Packet Number
■ Packet Length
■ Captured Length

Ethernet Type:
■ Destination Address
■ Source Address
■ Protocol

Endpoints:
■ Physical Endpoint
■ IP Endpoint

Conversations:
■ Physical Conversation
■ IP Conversation
■ TCP Conversation
■ UDP Conversation

Logs:
■ Global Log
■ DNS Log
■ Email Log
■ FTP Log
■ HTTP Log
■ MSN Log
■ Yahoo Log


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how Capsa affects your network traffic while analyzing the network.

2. What types of instant messages does Capsa monitor?

3. Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on the software?

Internet Connection Required: ☑ Yes □ No

Platform Supported: ☑ Classroom □ iLabs


Lab

Sniffing Passwords Using Wireshark

Wireshark is a network packet analyser. A network packet analyser will try to capture network packets and display packet data in detail.

Lab Scenario

As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers will first learn the IP address and correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set. As an administrator you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.

Lab Objectives

The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and collect data from any network topology.

Lab Environment

In the lab you will need:

■ Wireshark located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing


■ You can also download the latest version of Wireshark from http://www.wireshark.org/download.html

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host (attacker) machine

■ A virtual machine (Windows 8 or Windows Server 2008) as a victim machine

■ A web browser with Internet connection

■ Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven installation steps to install Wireshark

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Password Sniffing

Password sniffing uses various techniques to sniff a network and get someone's password. On a shared-medium network (a hub or a wireless LAN) every frame is delivered to every station; normally each network card discards the frames that are not addressed to it, and only the intended recipient passes the message up to the operating system. A card placed in promiscuous mode instead accepts every frame, so a program such as Wireshark can read messages that were never meant for that host. On a switched LAN the switch forwards unicast frames only to the port of the destination MAC address, so to see another host's traffic you need a mirror (SPAN) port, a network tap, or an ARP poisoning attack such as the one performed with Cain & Abel in the next lab. Passwords are only exposed this way when the protocol carries them in cleartext (HTTP, FTP, Telnet, POP3); TLS/HTTPS traffic is captured just the same, but the credentials inside it are not readable.

Lab Tasks

TASK 1: Capturing Packets

1. Before starting this lab, log in to the virtual machine(s).

2. On the host machine, launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012—Desktop view

3. Click Wireshark to launch the application.

Note: You can download Wireshark from http://www.wireshark.org. Wireshark is an open source software project, and is released under the GNU General Public License (GPL).

FIGURE 5.2: Windows Server 2012—Desktop view

4. The Wireshark main window appears.

FIGURE 5.3: Wireshark Main Window

5. From the Wireshark menu bar, select Capture -> Interfaces (Ctrl+I).

Note: A network packet analyzer is a kind of measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

Note: Wireshark is used for:

■ Network administrators use it to troubleshoot network problems

■ Network security engineers use it to examine security problems

■ Developers use it to debug protocol implementations

■ People use it to learn network protocol internals

FIGURE 5.4: Wireshark Main Window with Interface Option

6. The Wireshark: Capture Interfaces window appears. It lists each adapter with its description, IP address, packet count and packets-per-second rate, together with Start, Stop, Options and Details buttons.

FIGURE 5.5: Wireshark Capture Interfaces Window

7. In the Wireshark: Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the network.

8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show a non-zero, increasing packet count, as it is connected to the network.

9. Click Start in that interface's line.

Note: Wireshark features:

■ Available for UNIX and Windows

■ Capture live packet data from a network interface

■ Display packets with very detailed protocol information

■ Open and save packet data captured

■ Import and export packet data from and to a lot of other capture programs

Note: Wireshark can capture traffic from many different network media types, despite its name, including wireless LAN as well.

FIGURE 5.6: Wireshark Capture Interfaces Window — Starting Capture

10. The capture window fills with the packets generated by the computer while browsing the Internet.

Note: A supported network card for capturing: Ethernet: any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.

FIGURE 5.7: Wireshark Window with Packets Captured

11. Now, switch to the virtual machine and log in to the email ID whose password you would like to sniff. This only works if the login form is submitted over plain HTTP; most real webmail services use HTTPS, in which case Wireshark shows only an encrypted TLS session.

TASK 2: Stop Live Capturing

12. Stop the running live capture by clicking the Stop icon on the toolbar.

FIGURE 5.8: Wireshark Window — Stopping Live Capture

13. You may save the captured packets from File -> Save As, provide a name for the file, and save it in the desired location.

TASK 3: Saving Captured Files

FIGURE 5.9: WireShark — Saving the Captured Packets

Note: Wireshark can save captured packets in a large number of formats used by other capture programs.

14. Now, go to Edit and click Find Packet...

FIGURE 5.10: Wireshark — Finding Packet Option

15. The Wireshark: Find Packet window appears. It offers Find By (Display filter, Hex value, String), a Filter field, Direction (Up, Down), String Options (Case sensitive, Character set) and Search In (Packet list, Packet details, Packet bytes).

FIGURE 5.11: Wireshark — Find Packet Window

16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In, and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find. The string pwd only matches if the login form names its password field that way; if nothing is found, try other common field names (password, passwd, pass), or select Display filter instead and enter http.request.method == "POST" to list every form submission and inspect each one.

FIGURE 5.12: Wireshark — Selecting Options in Find Packet Window

Note: Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

Note: Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).


17. Wireshark will now display the sniffed password from the captured packets. In the packet details pane, expand the HTTP request whose Info column reads POST /login/verify.php HTTP/1.1 (application/x-www-form-urlencoded) down to Line-based text data: application/x-www-form-urlencoded; the submitted form fields, including the user ID and the pwd value, appear there in cleartext.

Observe the Password

FIGURE 5.13: Wireshark — Sniffed Password in Captured Packet

18. If you are working in the iLabs environment, then use the Test(WS) sample captured file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to sniff the password.
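The Find Packet step above is a manual search for one string. The following Python script is added here as an example; it is not part of the lab manual and not code from Wireshark. It does the same job programmatically over a classic .pcap file: it walks Ethernet/IPv4/TCP frames, picks out HTTP POST requests with a form-urlencoded body, and reports any field whose name looks like a credential. The capture it runs on is constructed inline (the addresses, the /login/verify.php path, the field names uname and pwd, and the CREDENTIAL_FIELDS list are all assumptions), and it also shows why a GET, a JSON POST and a TLS session yield nothing.

```python
import struct
from urllib.parse import parse_qs

# Assumed list of form field names that commonly carry credentials.
CREDENTIAL_FIELDS = {"user", "username", "uname", "login", "email",
                     "pass", "password", "pwd", "passwd"}


def iter_packets(pcap):
    """Yield raw frames from a classic libpcap (.pcap, not .pcapng) byte string."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"       # byte order comes from the magic number
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def extract_credentials(pcap):
    """Return credentials found in cleartext HTTP form POSTs (Ethernet/IPv4/TCP only)."""
    found = []
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IP header length
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:                                    # protocol 6 = TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])          # src/dst sit at fixed offsets
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        data_off = (frame[tcp + 12] >> 4) * 4                 # TCP header length
        payload = frame[tcp + data_off:14 + total_len]        # trims Ethernet padding
        if not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        if b"application/x-www-form-urlencoded" not in head.lower():
            continue                                          # JSON, multipart etc. are skipped
        params = parse_qs(body.decode("utf-8", "replace"))
        creds = {k: v[0] for k, v in params.items() if k.lower() in CREDENTIAL_FIELDS}
        if creds:
            found.append({"src": src, "dst": dst,
                          "request": head.split(b"\r\n", 1)[0].decode("ascii", "replace"),
                          "fields": creds})
    return found


# ---- constructed sample capture (not a real one); checksums are left zero ----
def _frame(src, dst, sport, dport, payload):
    eth = bytes.fromhex("00155da87805" "00095bae24cc" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _post(path, content_type, body):
    head = (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def _pcap(*frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1348220895 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap(
    _frame("192.0.2.10", "198.51.100.20", 49152, 80,
           b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _frame("192.0.2.10", "198.51.100.20", 49152, 80,
           _post(b"/login/verify.php", b"application/x-www-form-urlencoded",
                 b"uname=alice&pwd=s3cret%21&remember=1")),
    _frame("192.0.2.10", "198.51.100.20", 49153, 80,
           _post(b"/api/session", b"application/json", b'{"user":"bob","password":"x"}')),
    _frame("192.0.2.10", "198.51.100.30", 49154, 443,
           b"\x16\x03\x01\x00\x2f" + b"\x01" * 47),            # TLS record: opaque to us
)

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_PCAP):
        print(f"{hit['src']} -> {hit['dst']}  {hit['request']}  {hit['fields']}")
```

Run it directly to print the one hit, or call extract_credentials() on the bytes of a capture saved from Wireshark with File -> Save As; choose the Wireshark/tcpdump libpcap format when saving, because Wireshark 1.8 writes pcapng by default and this parser does not read it. Wireshark reassembles TCP streams, whereas this script only looks at the first segment of each request, which is enough for a small login form.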

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and "exposure" through public and free information.

Note: Which Wireshark media types are supported depends on many things, like the operating system you are using.

Tool/Utility: Wireshark

Information Collected/Objectives Achieved:
■ Time
■ Source
■ Destination
■ Protocol
■ Length
■ Info
■ Internet Protocol
■ TCP, source port info
■ User ID and password

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the protocols that are supported by Wireshark.

2. Determine the devices Wireshark uses to capture packets.

Internet Connection Required: ☑ Yes ☐ No

Platform Supported: ☑ Classroom ☐ iLabs

Lab

Performing Man-in-the-Middle Attack Using Cain & Abel

Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network and cracking encrypted passwords.

Lab Scenario

You have learned in the previous lab how you can get user name and password information using Wireshark. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates on a public network, especially to a website without an HTTPS connection. Once the password is captured, an attacker can simply log in to the victim's email account, or reuse that password to log in to their PayPal account and drain their bank account. They can even change the password for the email account. Wireshark can also decrypt captured frames when the attacker already holds the key that protects them, for example the pre-shared key of a wireless network the victim uses.

As preventive measures, an administrator in an organization should always advise employees not to provide sensitive information on public networks without an HTTPS connection. VPN and SSH tunneling must be used to secure the network connection. As an expert ethical hacker and penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms, and encryption techniques.

Another method through which you can gain user name and password information is by using Cain & Abel to perform a man-in-the-middle attack.

Lab Objectives

The objective of this lab is to accomplish the following against the target organization, including but not limited to:

■ Sniff network traffic and perform ARP poisoning

■ Launch a man-in-the-middle attack

■ Sniff the network for the password

Lab Environment

To carry out the lab, you need:

■ Cain & Abel located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel

■ You can also download the latest version of Cain & Abel from http://www.oxid.it

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine

■ Windows 8 running on a virtual machine as attacker machine

■ Windows Server 2008 running on a virtual machine as the victim machine

■ A web browser with Internet connection

■ Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain & Abel

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Man-in-the-Middle Attack

A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN. The variation used in this lab is ARP poisoning, which Cain calls APR (Arp Poison Routing): the attacker sends forged ARP replies so that the victim's ARP cache maps the gateway's IP address to the attacker's MAC address, and the gateway's cache maps the victim's IP address to the attacker's MAC address. Both sides then deliver their frames to the attacker, who forwards them to the real destination, so the connection keeps working while every packet passes through the attacker's machine.
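To make the poisoning concrete, here is an added Python example that is not code from the lab manual or from Cain & Abel. It builds the ARP frames involved and then runs a simple detector over them, the kind of check a defender would put behind a mirror port: it learns which MAC claims each IP, flags an IP that is suddenly claimed by a second MAC, flags replies that answer no outstanding request (APR works by sending unsolicited replies), and flags the spoofed MAC 00:11:22:33:44:55 that Cain uses by default, as noted later in this lab. The victim/gateway layout and all addresses in the sample are constructed.

```python
import struct
from collections import defaultdict

ETH_TYPE_ARP = b"\x08\x06"
# Cain's default spoofed source MAC (from this lab's configuration notes).
CAIN_DEFAULT_SPOOFED_MAC = "00:11:22:33:44:55"


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, smac, sip, tmac, tip):
    """Constructed Ethernet + ARP frame (op 1 = request, 2 = reply), 42 bytes."""
    dst = b"\xff" * 6 if op == 1 else _mac_bytes(tmac)   # requests are broadcast
    return (dst + _mac_bytes(smac) + ETH_TYPE_ARP
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, hlen 6, plen 4
            + _mac_bytes(smac) + _ip_bytes(sip) + _mac_bytes(tmac) + _ip_bytes(tip))


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    fmt_mac = lambda m: ":".join(f"{b:02x}" for b in m)
    fmt_ip = lambda i: ".".join(str(b) for b in i)
    return op, fmt_mac(smac), fmt_ip(sip), fmt_mac(tmac), fmt_ip(tip)


def detect_arp_poisoning(frames, trusted=None):
    """Scan frames in order; return alerts as (frame_index, reason, ip, mac) tuples.

    trusted: optional {ip: mac} of mappings known to be correct (gateway, servers)."""
    claims = defaultdict(set)                 # ip -> every MAC that has claimed it so far
    for ip, mac in (trusted or {}).items():
        claims[ip].add(mac.lower())
    pending = set()                           # (requester_mac, asked_ip) awaiting a reply
    alerts = []
    for idx, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        op, smac, sip, tmac, tip = arp
        if smac == CAIN_DEFAULT_SPOOFED_MAC:
            alerts.append((idx, "cain-default-mac", sip, smac))
        if sip != "0.0.0.0":                  # 0.0.0.0 is an ARP probe and claims nothing
            if claims[sip] and smac not in claims[sip]:
                alerts.append((idx, "ip-mac-conflict", sip, smac))
            claims[sip].add(smac)
        if op == 1:
            pending.add((smac, tip))
        elif op == 2 and (tmac, sip) in pending:
            pending.discard((tmac, sip))      # a reply that answers a seen request
        elif op == 2:
            alerts.append((idx, "unsolicited-reply", sip, smac))
    return alerts


# ---- constructed sample: one victim, one gateway, then APR poisons both ----
VICTIM, VICTIM_MAC = "10.0.0.5", "00:15:5d:a8:78:05"
GATEWAY, GATEWAY_MAC = "10.0.0.1", "00:09:5b:ae:24:cc"

SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", GATEWAY),   # who has 10.0.0.1?
    build_arp(2, GATEWAY_MAC, GATEWAY, VICTIM_MAC, VICTIM),           # 10.0.0.1 is-at gateway
    build_arp(2, CAIN_DEFAULT_SPOOFED_MAC, GATEWAY, VICTIM_MAC, VICTIM),   # poison the victim
    build_arp(2, CAIN_DEFAULT_SPOOFED_MAC, VICTIM, GATEWAY_MAC, GATEWAY),  # poison the gateway
]

if __name__ == "__main__":
    for idx, reason, ip, mac in detect_arp_poisoning(SAMPLE_FRAMES):
        print(f"frame {idx}: {reason:18} {ip} claimed by {mac}")
```

The unsolicited-reply rule is noisy on its own (a capture that starts after the request went out, or a host sending gratuitous ARP on boot, also triggers it), so in practice it is combined with the conflict rule or with static entries passed as trusted. A switch feature such as Dynamic ARP Inspection prevents the attack rather than merely detecting it.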

Lab Tasks

TASK 1: Man-in-the-Middle Attack

1. Launch your Windows Server 2008 virtual machine (victim machine).

2. Launch your Windows 8 virtual machine (attacker machine).

3. On the host machine (Windows Server 2012), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing. You can download Cain & Abel from http://www.oxid.it.

FIGURE 6.1: Windows Server 2012 — Desktop view

4. Click Cain in the Start menu to launch Cain & Abel.

FIGURE 6.2: Windows Server 2012 — Desktop view

5. The main window of Cain & Abel appears.

FIGURE 6.3: Cain & Abel Main Window

6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window (Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless, Query).

7. To configure the Ethernet card, click Configure from the menu bar.

Note: Man-in-the-middle attacks have the potential to eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). They can also be used for substitution attacks that actively manipulate data.

Note: Cain & Abel covers some security weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms.

Note: Replay attacks can also be used to resend a sniffed password hash to authenticate an unauthorized user.

Note: APR-SSH-1 can capture and decrypt SSH version 1 sessions, which are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because a trusted authority does not sign these certificates, a warning message will be displayed to the end user.

FIGURE 6.4: Cain & Abel Configuration Option

8. The Configuration Dialog window appears.

9. The Configuration Dialog window consists of several tabs (Sniffer, APR (Arp Poison Routing), Filters and ports, HTTP Fields, Traceroute, Certificate Spoofing, Certificates Collector, Challenge Spoofing). Click the Sniffer tab to select the sniffing adapter.

10. Select the adapter that is connected to the lab network (the tab lists each adapter with its IP address and subnet mask) and click Apply and then OK. The tab also shows the WinPcap version, warns that only Ethernet adapters are supported, and offers the options Start Sniffer on startup, Don't use Promiscuous mode, and Start APR on startup.

Note: For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC 001122334455 for two reasons: first, that address can be easily identified for troubleshooting, and second, it is not supposed to exist in your network.

Note: You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same spoofed MAC address.

FIGURE 6.5: Cain & Abel Configuration Dialog Window

11. Click the Start/Stop Sniffer icon on the toolbar.

FIGURE 6.6: Cain & Abel Configuration Dialog Window

Note: The most crucial item in that list is the radioactive-hazard icon, APR. It is in this window that we select our victim(s).

Note: If you get a Cain warning pop-up, click OK.

12. Now click the Sniffer tab.

FIGURE 6.7: Sniffer tab

13. Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.

14. The MAC Address Scanner window appears. Select All hosts in my subnet and check the All Tests check box. Click OK.

Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data.


APR-RDP can capture and decrypt Microsoft's Remote Desktop Protocol as well.

15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.

Speeding up packet capture speed by wireless packet injection

Note that the Cain & Abel program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

16. After scanning is completed, a list of detected MAC addresses is displayed.

17. Click the APR tab at the bottom of the main window.

FIGURE 6.9: Cain & Abel — Scanning MAC Addresses Window

[Screenshot: MAC Address Scanner dialog. Target: All hosts in my subnet / Range (From, To). Promiscuous Mode Scanner tests: ARP Test (Broadcast 31-bit), ARP Test (Broadcast 16-bit), ARP Test (Broadcast 8-bit), ARP Test (Group bit), ARP Test (Multicast group 0), ARP Test (Multicast group 1), ARP Test (Multicast group 3); All Tests; OK. Behind it, the Sniffer tab lists MAC address 00095BAE24CC with OUI fingerprint Netgear, Inc.; Lost packets 0%]

FIGURE 6.8: Cain & Abel — MAC Address Scanner Window


[Screenshot: Cain & Abel APR tab. Tree: APR, APR-Cert, APR-DNS, APR-SSH-1 (0), APR-HTTPS (0), APR-ProxyHTTPS (0), APR-RDP (0), APR-FTPS (0), APR-POP3S (0), APR-IMAPS (0), APR-LDAPS (0), APR-SIPS (0). Upper and lower panes with columns: Status | IP address | MAC address | Packets -> | <- Packets | MAC address | IP address. Bottom: Configuration / Routed Packets; tabs Hosts | APR | Routing | Passwords | VoIP; Lost packets: 0%]

FIGURE 6.10: Cain & Abel APR Tab

18. Click anywhere in the Configuration/Routed Packets window of APR to activate the Plus icon.

FIGURE 6.11: Cain & Abel APR Tab

19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IPs whose traffic you want to listen to.

APR state Half-Routing means that APR is routing the traffic correctly but only in one direction (e.g., Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets of an entire direction, so it cannot grab authentications that use a challenge-response mechanism.

APR state Full-Routing means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX (e.g., Server<->Client). The sniffer will grab authentication information according to the sniffer filters set.


FIGURE 6.12: Cain & Abel APR Tab

20. To monitor the traffic between two computers, select 10.0.0.3 (Windows 8 virtual machine) and 10.0.0.5 (Windows 2008 Server virtual machine). Click OK.

[Screenshot: New ARP Poison Routing dialog]

WARNING !!! APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.

[Left and right host lists with columns IP address | MAC | Hostname, listing 10.0.0.1 (00095BAE24CC), 10.0.0.3 (00155DA86E06), 10.0.0.4 (00155DA86E09), 10.0.0.5 (00155DA86E03), 10.0.0.7 (D4BED9C3CE2D), 10.0.0.10 (D4BED9C3C3CC), 10.0.0.11 (00155DA87805), 10.0.0.12 (00155DA87800), 10.0.0.13 (00155DA87804)]

FIGURE 6.13: Cain & Abel APR Tab

21. Select the added IP address in the Configuration/Routed Packets pane and click the Start/Stop APR icon.

Note: If the "Couldn't bind HTTPS acceptor socket" pop-up appears, click OK.

The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user.

All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.


FIGURE 6.14: Cain & Abel ARP Poisoning

22. Now launch the command prompt in Windows 2008 Server and type ftp 10.0.0.3 (IP address of the Windows 8 machine) and press Enter.

23. When prompted for Username type "Martin" and press Enter, and for Password type "apple" and press Enter.

Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator>ftp 10.0.0.3
    Connected to 10.0.0.3.
    220 Microsoft FTP Service
    User (10.0.0.3:(none)): Martin
    331 Password required
    Password:
    230 User logged in.
    ftp> _

FIGURE 6.15: Start ftp://10.0.0.3

24. Now, on the host machine, observe the tool listing the packets exchanged.

Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for example, store user names and passwords using this service.

There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called the "Local Credential Set" and it refers to the file \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials


[Screenshot: Cain & Abel APR tab after starting APR. Upper pane row: Status Poisoning, 10.0.0.3 (00155DA86E06), Packets -> 5, <- Packets 7, 00155DA86E03, 10.0.0.5. Lost packets: 0%]

FIGURE 6.16: Sniffer window with more packets exchanged

25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.

[Screenshot: Cain & Abel Passwords tab, FTP entry. Columns: Timestamp | FTP server | Client | Username | Password; row: 18/09/2012 15:54:10, 10.0.0.3, 10.0.0.5, Martin, apple. The tree on the left lists the password decoders (FTP, HTTP (17), SMB (3), Telnet, VNC, SMTP, MySQL, SNMP, SIP, etc.); Lost packets: 0%]

FIGURE 6.17: Sniffer window with more packets exchanged

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and "exposure" through public and free information.

Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\

This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials


Tool/Utility    Information Collected/Objectives Achieved
Cain & Abel     IP Address - 10.0.0.3
                MAC Address - 00155DA86E06
                Packets Sent - 5
                Packets Received - 7
                FTP Server - 10.0.0.3
                Username - Martin
                Password - apple

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

2. How can you easily find the password captured in an RDP MITM attack using only Notepad or some other text editor?

3. How can one protect a Windows Server against RDP MITM attacks?

Internet Connection Required: [x] Yes [ ] No

Platform Supported: [x] Classroom [x] iLabs


Lab

Detecting ARP Attacks with the XArp Tool

XArp is a security application that uses advanced techniques to detect ARP-based attacks.

Lab Scenario

You have already learned in the previous lab to capture user name and password information using Cain & Abel. Similarly, attackers, too, can sniff the username and password of a user. Once attackers have a user name and password, they can simply gain access to a network's database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network. They can also perform different types of attacks such as denial-of-service attacks, spoofing, buffer overflow, heap overflow, etc.

When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly.

Another method attackers can implement is ARP attacks, through which they can snoop or manipulate all your data passing over the network. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks and protect your data.

Lab Objectives

The objective of this lab is to accomplish the following regarding the target organization, including but not limited to:

■ To detect ARP attacks

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review


Lab Environment

To carry out the lab, you need:

■ XArp is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp

■ You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine

■ Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of XArp

XArp helps users to detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 — Desktop view

2. Click XArp in the Start menu to launch the XArp tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

TASK 1: Launching the XArp tool


[Screenshot: Windows Server 2012 Start screen with tiles for Server Manager, Computer, Google Chrome, Mozilla Firefox, Hyper-V Manager, Virtual Machine, XArp, Nmap]

FIGURE 7.2: Windows Server 2012 — Apps

3. The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.

[Screenshot: XArp main window, unregistered version. Security level set to: high. Status: no ARP attacks. Help text for the level: "The high security level adds better network discovery which results in a higher detection rate but sends out more discovery packets into the network. Aggressive inspection modules are employed which might give false alerts in some environments." Mapping table columns: IP | MAC | Host | Vendor | Interface | Online | Cache | First seen | Last seen, listing 10.0.0.1 (Netgear, Inc.), 10.0.0.2, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.0.10, 10.0.0.12 and 10.0.0.13, all first seen 9/20/2012 14:22:55. Status bar: XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts]

Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.

FIGURE 7.3: XArp status when security level set to high

4. On the host machine, XArp displays no ARP attacks.

Note: If you observe the same results, log in to a virtual machine and run Cain & Abel to initiate ARP poisoning to the host machine.

5. By default the security level is set to high. Set the Security level to aggressive on the XArp screen.

A MAC address is a unique identifier for network nodes on a LAN. MAC addresses are associated with the network adapter that connects devices to networks. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or cache, are used to correlate network devices' IP addresses to their MAC addresses.


[Screenshot: XArp main window, unregistered version. Security level set to: aggressive. Status: no ARP attacks. Help text for the level: "The aggressive security level enables all ARP packet inspection modules and sends out discovery packets in high frequency. Using this level might give false attack alerts as it operates on a highly aggressive packet inspection philosophy." Same eight mappings as in Figure 7.3. Status bar: XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts]

FIGURE 7.4: XArp status when security level set to aggressive

6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an ARP attack on a Windows 2012 host machine.

7. The XArp pop-up appears displaying the alerts.

[Screenshot: XArp alert pop-up, 9/20/2012 14:xx. DirectedRequestFilter: targeted request, destination mac of arp request not set to broadcast/invalid address. Interface: 0x11 [ethernet]; source mac: d0-...-36; dest mac: 00-...-cc; type: 0x806 [arp]; direction: out; type: request; source ip: 10.0.0.2; dest ip: 10.0.0.1]

FIGURE 7.5: XArp displaying Alerts

8. Now, the XArp Status changes to ARP attacks detected.

An attacker can alter the MAC address of the device that is used to connect the network to the Internet and can disable access to the web and other external networks.

XArp allows alert filtering for excluding specific hosts. Other features include settings for alerting intensity and how the alerts are presented. It also allows sending alerts through email and detailed alerting configuration.


The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in (n*n) ARP caches that have to be configured. AntiARP also provides Windows-based spoofing prevention at the kernel level.
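As an added example (not XArp's or Cain & Abel's code), the Python script below runs the kind of checks behind this lab's alerts over a constructed ARP event log: XArp's directed-request alert shown above, an IP-to-MAC binding that changes, a reply that contradicts a static (pinned) entry as recommended in the note above, an unsolicited reply, and the default spoofed MAC 00-11-22-33-44-55 noted in the Cain & Abel configuration. The log line format, the sample addresses and MACs, and the ArpMonitor/parse_line names are assumptions made for the example, not XArp's real formats or API.

```python
"""Added example, not XArp's or Cain & Abel's code: ARP-poisoning checks over a constructed log."""
import re
from dataclasses import dataclass, field

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"
# Cain & Abel's default spoofed MAC (configuration note in the previous lab): never legitimate on a LAN.
CAIN_DEFAULT_SPOOFED_MAC = "00-11-22-33-44-55"

# Hypothetical line format, constructed for this example (not XArp's log format):
# <date> <time> <in|out> <request|reply> <src_mac> -> <dst_mac> <src_ip> -> <dst_ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<direction>in|out) (?P<op>request|reply) "
    r"(?P<smac>[0-9a-f-]{17}) -> (?P<dmac>[0-9a-f-]{17}) "
    r"(?P<sip>[0-9.]+) -> (?P<dip>[0-9.]+)$"
)


@dataclass
class ArpEvent:
    ts: str
    direction: str
    op: str
    smac: str
    dmac: str
    sip: str
    dip: str


def parse_line(line: str) -> ArpEvent:
    """Parse one log line; raises ValueError on a malformed line."""
    m = LINE_RE.match(line.strip().lower())
    if not m:
        raise ValueError(f"unparseable ARP line: {line!r}")
    return ArpEvent(**m.groupdict())


@dataclass
class ArpMonitor:
    # Static, read-only entries for critical hosts: the simple defence the lab mentions.
    static_entries: dict[str, str]
    bindings: dict[str, str] = field(default_factory=dict)  # learned IP -> MAC
    pending: set[str] = field(default_factory=set)          # IPs we asked for, awaiting a reply
    alerts: list[str] = field(default_factory=list)

    def inspect(self, ev: ArpEvent) -> list[str]:
        """Return the alerts raised by one event (also appended to self.alerts)."""
        found = []
        if CAIN_DEFAULT_SPOOFED_MAC in (ev.smac, ev.dmac):
            found.append(f"KnownSpoofedMAC: {CAIN_DEFAULT_SPOOFED_MAC} seen from {ev.sip}")
        if ev.op == "request":
            # XArp's DirectedRequest check: a genuine request is broadcast, not unicast.
            if ev.dmac != BROADCAST_MAC:
                found.append(f"DirectedRequest: {ev.sip} asked {ev.dip} at unicast {ev.dmac}")
            if ev.direction == "out":
                self.pending.add(ev.dip)
        else:
            # A reply nobody asked for is the classic poisoning pattern.
            if ev.sip in self.pending:
                self.pending.discard(ev.sip)
            else:
                found.append(f"UnsolicitedReply: {ev.sip} is {ev.smac} (never requested)")
            expected = self.static_entries.get(ev.sip)
            if expected is not None:
                # Pinned host: the static entry wins, never learn it from the wire.
                if ev.smac != expected:
                    found.append(f"StaticMismatch: {ev.sip} claims {ev.smac}, pinned {expected}")
            else:
                known = self.bindings.get(ev.sip)
                if known is not None and known != ev.smac:
                    found.append(f"BindingChange: {ev.sip} moved from {known} to {ev.smac}")
                self.bindings[ev.sip] = ev.smac
        self.alerts.extend(f"{ev.ts} {a}" for a in found)
        return found

    def feed(self, lines) -> list[str]:
        for line in lines:
            if line.strip():
                self.inspect(parse_line(line))
        return self.alerts


# Constructed sample log (addresses loosely mirror the lab: 10.0.0.1 gateway, 10.0.0.2 the
# XArp host, 10.0.0.5 a server); all MACs are made up for the example.
SAMPLE_LOG = """
2012-09-20 14:22:50 out request d0-67-e5-00-00-36 -> ff-ff-ff-ff-ff-ff 10.0.0.2 -> 10.0.0.1
2012-09-20 14:22:55 in reply 00-09-5b-ae-24-cc -> d0-67-e5-00-00-36 10.0.0.1 -> 10.0.0.2
2012-09-20 14:23:00 out request d0-67-e5-00-00-36 -> ff-ff-ff-ff-ff-ff 10.0.0.2 -> 10.0.0.5
2012-09-20 14:23:01 in reply 00-15-5d-a8-6e-03 -> d0-67-e5-00-00-36 10.0.0.5 -> 10.0.0.2
2012-09-20 14:25:06 out request d0-67-e5-00-00-36 -> 00-09-5b-ae-24-cc 10.0.0.2 -> 10.0.0.1
2012-09-20 14:25:54 in reply 00-15-5d-a8-6e-06 -> d0-67-e5-00-00-36 10.0.0.5 -> 10.0.0.2
2012-09-20 14:26:10 in reply 00-11-22-33-44-55 -> d0-67-e5-00-00-36 10.0.0.1 -> 10.0.0.2
"""
STATIC_ENTRIES = {"10.0.0.1": "00-09-5b-ae-24-cc"}  # pin the default gateway


def run_sample() -> list[str]:
    """Run the monitor over SAMPLE_LOG and return the timestamped alerts (5 in total)."""
    return ArpMonitor(static_entries=dict(STATIC_ENTRIES)).feed(SAMPLE_LOG.splitlines())
```

Calling run_sample() returns one DirectedRequest alert for the unicast request, an UnsolicitedReply plus a BindingChange for 10.0.0.5, and a KnownSpoofedMAC plus a StaticMismatch for the forged gateway reply.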

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility    Information Collected/Objectives Achieved
XArp            Interface [Ethernet]: 0x11
                Source MAC: d0-xx-xx-xx-xx-36
                Destination MAC: 00-xx-xx-xx-xx-cc
                Type [arp]: 0x806
                Direction: Out
                Source IP: 10.0.0.2
                Destination IP: 10.0.0.1
                Host: 10.0.0.1
                Vendor: Netgear, Inc.

[Screenshot: XArp main window after the attack. Status: ARP attacks detected! Links: View detected attacks, Read the 'Handling ARP attacks' help, View XArp logfile. The mapping table now also lists the newly seen 10.0.0.3, 10.0.0.4 and 10.0.0.5 (first seen 9/20/2012 14:25). Status bar: XArp 2.22 - 11 mappings - 2 interfaces - 25 alerts]

FIGURE 7.6: XArp — ARP attacks detected

[Screenshot: XArp window, unregistered version, Security level set to: aggressive, with the same aggressive-level help text as in Figure 7.4]


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required: [x] Yes [ ] No

Platform Supported: [x] Classroom [x] iLabs


Detecting Systems Running in Promiscuous Mode in a Network Using PromqryUI

PromqryUI is a tool with a Windows graphical interface that can be used to detect network interfaces that are running in promiscuous mode.

Lab Scenario

With an ARP storm attack, an attacker collects the IP address and MAC address of the machines in a network for future attacks. An attacker can send ARP packets to attack a network. If an ARP packet with a forged gateway MAC address is pushed to the LAN, all communications within the LAN may fail. This attack uses all resources of both victim and non-victim computers.

As a network administrator you must always diagnose the network traffic using a network analyzer and configure routers to prevent ARP flooding. Using a specific technique with a protocol analyzer you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks.

Attackers may also install network interfaces to run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as such an interface might be a network sniffer. In this lab you will learn to use the tool PromqryUI to detect such network interfaces running in promiscuous mode.

Lab Objectives

The objective of this lab is to accomplish:

■ To detect promiscuous systems in a network

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review


Lab Environment

To carry out the lab, you need:

■ PromqryUI is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI

■ You can also download the latest version of PromqryUI from http://www.microsoft.com/en-us/download/details.aspx?id=16883

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows 2008 Server

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of PromqryUI

PromqryUI can accurately determine if a modern managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system.

PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.

Lab Tasks

1. Go to the tool location at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

2. Double-click promqryui.exe, and click Run.

[Screenshot: Open File - Security Warning dialog. "Do you want to run this file?" Name: promqryui.exe (in ...\Promiscuous Detection Tools\PromqryUI); Publisher: Microsoft Corporation; Type: Application; From: Z:\CEHv8 Module 08 Sniffers\Promiscuous Detectio...; buttons Run / Cancel; "Always ask before opening this file" checked; "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust. What's the risk?"]

FIGURE 8.1: PromqryUI — Run prompt

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

TASK 1: Running PromqryUI


3. Click Yes in the PromqryUI License Agreement window.

In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.

4. The WinZip Self-Extractor dialog box appears. Browse to a desired location (default location is c:\promqryui) to save the unzipped folder and click Unzip.

5. Click OK after the unzip is successful.

[Screenshot: WinZip Self-Extractor message: "2 file(s) unzipped successfully"; OK]

FIGURE 8.4: WinZip Self-Extractor dialog box

[Screenshot: WinZip Self Extractor - PROMQR~1.EXE. "To unzip all files in PROMQR~1.EXE to the specified folder press the Unzip button." Unzip to folder: (Browse...); "Overwrite files without prompting" checked; buttons Unzip, Run WinZip, Close, About, Help]

FIGURE 8.3: PromqryUI — WinZip Self-Extractor dialog box

[Screenshot: PromqryUI license dialog: "Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement." END-USER LICENSE AGREEMENT FOR PROMQRY and PROMQRYUI (Microsoft EULA text). "Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement." Yes / No]

FIGURE 8.2: PromqryUI — License Agreement dialog box


6. Now, click Close to close the WinZip Self-Extractor dialog box.

Unzip to folder allows you to browse and select a destination of your choice to save the setup file.

7. Now, install .NET Framework 1.1 by double-clicking the dotnetfx.exe file located at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

TASK 2: Running .NET Framework 1.1

8. Click Run in the Open File - Security Warning dialog box.

The .NET Framework version 1.1 redistributable package includes everything you need to run applications developed using the .NET Framework.

FIGURE 8.7: .NET Framework — Install dialog box

O pen F ile - S e c u r i ty W a rn in g

D o y o u w a n t to ru n th is f i le ?

... omiscuous Detection T 001 f ro m a r vUI \do tn e tfx . exe

M ic ro s o f t C o rp o ra t io n

Application

Z: \CEHv8 Module 08 Sniffers prom iscuous D e tectio ,..

Name

Publisher

Type

From

CancelRun

W Always ask before opening this file

W hile files from the Internet can be useful. this file type can f potentially harm your computer. Only run software from publishers

you trust. W h at's the risk7

FIG U R E 8.6: .N ET Framework - Run dialog box

9. Click Y e s to initiate the .NET Framework installation in the S e tu p dialog box.

3 M־1 ic ro s o f t .NET F ra m e w o rk 1*1 S e tu p

1C J 1 Would you like to install M icrosoft .NET Framework 1.1 Package?

NoYes

W in Z i p S e l f E x t r a c t o r - P R O M Q R ~ l . E X E

Unz ip

R u n W in Z ip

C lo se

A b ou t

H e lp

T o unzip all files in P R 0 M Q R ~ 1 . E X E to th e sp e c if ie d fo ld e r p re ss th e Unz ip bu tton .

Unz ip to fo ld e r:

B ro w s e .

w O ve rw r ite f iles w ithou t prom pting

2 f ile (s ) u n z ip p e d s u c c e s s fu lly

FIG U R E 8.5: PromqryUI — WinZip Self-Extractor dialog box

TASK 3: Installing .NET Framework 1.1

10. While attempting to install .NET Framework 1.1, you will get a Program Compatibility Assistant dialog box. Click Run Program.

FIGURE 8.8: .NET Framework — Program Compatibility Assistant dialog box

11. Select the radio button for I agree and click Install in the License Agreement dialog box.

FIGURE 8.9: .NET Framework — License Agreement dialog box

12. Once the installation is complete, click OK in the Microsoft .NET Framework 1.1 Setup dialog box.

FIGURE 8.10: .NET Framework - Installation complete message box

TASK 3: Installing PromqryUI

13. Now, go to C:\promqryui and double-click pqsetup.msi and follow the installation wizard to install PromqryUI.

14. Once installation is complete, go to Start and click Promqry to launch the program.

Promiscuous mode can be used in a malicious way to sniff on a network. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this by using carefully designed firewall settings.

FIGURE 8.11: Windows 2008 Server — Start menu

15. The main window of PromqryUI appears. Click Add.

With the PromqryUI tool, you can add either a single system or multiple systems to query.

FIGURE 8.12: PromqryUI — Main window

16. The Select Addition Type dialog box will appear. Click Add Single System.

FIGURE 8.13: PromqryUI — Adding system

17. Type the IP address of the system you want to check for promiscuous mode in the IP Address field in the Add System to Query dialog box and click Save.

FIGURE 8.14: PromqryUI — Add System to Query

18. Select the added IP address in the Systems To Query section and click Start Query.

FIGURE 8.15: PromqryUI — Querying system

For systems that you need to query, a range of IP addresses can be provided. Also, you can just carry out a query for a local system.

19. Results will be displayed in Query Results.

FIGURE 8.16: PromqryUI — Query Results (the pane shows the query log: "Pinging 10.0.0.2...success", "Querying 10.0.0.2...", one line per interface of the form "Active: True InstanceName: <adapter> NEGATIVE: Promiscuous mode currently NOT enabled", the line "System Summary: POSITIVE: at least one interface on system was found in promiscuous mode", and the computer details listed in the Lab Analysis table; the Query Status column for 10.0.0.2 reads "done: positive!")

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: PromqryUI

Information Collected/Objectives Achieved:
Computer name: WIN-D39MR5HL9E4
Domain: WORKGROUP
Computer manufacturer: Dell Inc.
Computer model: OptiPlex 390
Primary owner: Windows User
User currently logged on: WIN-D39MR5HL9E4\Administrator
Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter

Query results will let you know whether the system is in promiscuous mode or not and provide other information like Computer name, Domain, Computer Model, Manufacturer, Owner, etc.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☑ iLabs

Lab

Sniffing Password from Captured Packets using Sniff-O-Matic

Sniff-O-Matic is a network protocol analyser and packet sniffer with a clear and intuitive interface.

Lab Scenario

Attackers may install a sniffer in a trusted network to capture packets and will be able to view every single packet that is going across the network, if the network uses a hub or a router for data transmission. With the captured packets, attackers can learn about vulnerabilities and sniff the user name and password and log in to the network as an authenticated user. Once logged in successfully to a network, the hacker can easily install viruses and Trojans to steal data and sensitive information, and cause serious damage to that network.

As an expert ethical hacker and penetration tester you should have sound knowledge of sniffing, network protocols, authentication mechanisms, and encryption techniques. You should also regularly check your network and close the unnecessary ports that are open. Always ensure that if any sensitive data is required to be sent over the network, you use an encrypted protocol to minimize the data leakage.

Lab Objectives

The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.

Lab Environment

To carry out the lab, you need:

■ Sniff-O-Matic is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Sniff-O-Matic

■ You can also download the latest version of Sniff-O-Matic from http://www.kwakkelflap.com/sniffer.html

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine

■ Double-click snifftrial.exe and follow the wizard-driven installation steps to install Sniff-O-Matic

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Sniff-O-Matic

Sniff-O-Matic captures network traffic and enables you to analyze the data. Detailed packet information is available in a tree structure or a raw data view of the packet data. Sniff-O-Matic's button and columnar data display logically and succinctly presents the collected network traffic data.

Lab Tasks

TASK 1: Launching the Sniff-O-Matic tool

1. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 9.1: Windows Server 2012 — Desktop view

2. Click Sniff-O-Matic in the Start menu to launch the Sniff-O-Matic tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Sniff-O-Matic, a packet sniffer, is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

FIGURE 9.2: Windows Server 2012 — Desktop view

TASK 2: Sniff-O-Matic: Start Packet Capture

3. The main Sniff-O-Matic window appears; select the adapter from the drop-down list and click the Start Capture button.

FIGURE 9.3: Sniff-O-Matic — Start capture

4. When the tool starts capturing the packets, launch a browser and log in to your email account.

5. Then, click the Stop Capture button to view the captured packets.

Packet capture is the act of capturing data packets crossing a computer network.

FIGURE 9.4: Sniff-O-Matic — Stop capture

6. In the list of captured packets, select a packet to view detailed information.

From the captured packets, detailed information such as Header Length, Protocol, Header Checksum, Source IP, Destination IP, etc. can be viewed by selecting a particular packet.

7. In the right pane, select items from the tree and the data for the respective item will be highlighted in red.

FIGURE 9.5: Sniff-O-Matic — Viewing packet information (the tree view of the selected packet shows IP Header: Version 4, Header Length 5 (20 bytes), Type Of Service 0x00, Total Length 40, Identification 0xABDB, Fragment offset 0x0000, Time To Live 61, Protocol 6 (TCP), Header Checksum 0x2BA5, Source IP 123.176.32.153, Dest. IP 10.0.0.7; TCP Header: Source Port 80 (HTTP), Destination Port 2762, Seq Number 0x9ACBE781, ACK Number 0xFDD7CE13, Offset 5 (20 bytes), Flags 0x11 (FIN and ACK set), Window Size 14600, Checksum 0x7728, Urgent Pointer 0x0000)
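To make the tree view concrete, here is an added Python example (not from the lab or from Sniff-O-Matic) that decodes the IPv4 and TCP headers of the packet selected in figure 9.5 and verifies both checksums, which is what the tool's real-time checksum calculation does for every captured packet. The 40 bytes in PACKET are constructed from the field values the figure shows (TTL 61, protocol 6, header checksum 0x2BA5, 123.176.32.153:80 to 10.0.0.7:2762, flags FIN+ACK, TCP checksum 0x7728); the Ethernet header is omitted because the tool's raw view starts at the IP header. Corrupting a single byte makes the verification fail, which is how an analyst tells a mangled capture from a clean one.

```python
"""Decode the IPv4 and TCP headers of one captured packet and verify both checksums.

Added example, not part of the lab or of Sniff-O-Matic. PACKET is constructed
from the field values shown in the tool's tree view for the selected packet
(figure 9.5); it carries no payload (total length 40 = two 20-byte headers).
"""
import socket
import struct

PACKET = bytes.fromhex(
    "4500 0028 abdb 0000 3d06 2ba5 7bb0 2099 0a00 0007"   # IPv4 header (20 bytes)
    "0050 0aca 9acb e781 fdd7 ce13 5011 3908 7728 0000"   # TCP header (20 bytes)
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit words; returns 0 when data already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Return the IPv4 header fields the tool's tree view lists, plus a checksum verdict."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    return {
        "version": ver_ihl >> 4,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "fragment": frag,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,  # header sums to 0xFFFF when intact
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(segment, src_ip, dst_ip):
    """Return the TCP header fields; the checksum covers a pseudo-header built from the IP addresses."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6, TCP length
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window,
        "checksum": csum,
        "urgent": urg,
        "checksum_ok": ones_complement_sum(pseudo + segment) == 0,
        "payload": segment[data_offset:],
    }


def decode(pkt):
    """Decode an IPv4 packet and, if it carries TCP, its segment."""
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = decode(PACKET)
    for name, value in {**ip, **{"tcp_" + k: v for k, v in tcp.items()}}.items():
        if name.endswith("payload"):
            continue
        print(f"{name:>18}: {value:#06x}" if name.endswith("checksum") else f"{name:>18}: {value}")
```

Both checksums come out valid for the constructed packet, so the byte values in the figure are mutually consistent; a capture whose IP checksum fails usually means a damaged file or checksum offloading on the capturing NIC rather than an attack, which is worth knowing before chasing it.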

FIGURE 9.6: Sniff-O-Matic — Viewing packet information

8. Now, perform a search for the data in captured frames. Select Options, then Find.

Port numbers can occasionally be seen in a web or other service. By default, HTTP uses port 80 and HTTPS uses port 443, but a URL such as http://www.example.com:8080/path/ specifies that the web resource be served by the HTTP server on port 8080.

FIGURE 9.7: Sniff-O-Matic - Performing search

9. The Find pop-up box appears; type pwd to search for the password information.

FIGURE 9.8: Sniff-O-Matic — Performing password search

Detailed packet information is available in a tree structure or a raw data view of the packet data.

10. An icon (packets with binoculars) will appear for the found packets, as shown in the following screenshot.

FIGURE 9.9: Sniff-O-Matic - Password search results

11. Select the found packet and scroll down the data list for the information, which will be indicated in blue.

Sniff-O-Matic's key features include:

• Capture IP packets on your LAN without packet loss

• Monitor network activity in real time

• Filters to show only the packets you want

• Real-time checksum calculation

• Save and load captured packets

• Auto start capturing and continuous capture

• Traffic charts with filter info

FIGURE 9.10: Sniff-O-Matic — Password search results

12. To mark the packets, right-click the selected packet and click Mark.

Packets captured using Sniff-O-Matic allow you to sniff the password available in cleartext format. If an attacker is able to capture these packets, he can easily identify the password and log in to the network as an authenticated user. Attackers will have an advantage if they discover the same password is being used for all the computers.

FIGURE 9.11: Sniff-O-Matic — Marking a packet

13. Once the packets are marked, they will have a different icon.
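The lab finds the password by searching captured frames for the string pwd. A defender wants the same observation as an automatic alert: any credential that crosses the wire in cleartext is a finding, whether or not anyone searched for it. The Python script below is an added example (not part of the lab or of Sniff-O-Matic) that turns the manual search into a detection rule: it parses captured TCP payloads as HTTP requests, checks the query string and the form body for password-like field names, and reports the flow with the field name only, never the value. The sample payloads, addresses and host names are constructed; the list of password field names is an assumption you would tune to your own applications. TLS traffic on port 443 is opaque to it, which is the point of the lab's advice to use an encrypted protocol.

```python
"""Flag cleartext credential submissions in captured HTTP traffic.

Added example; not part of the lab or of Sniff-O-Matic. It generalises the lab's
manual "pwd" search into a detection rule over reassembled TCP payloads. All
sample payloads below are constructed.
"""
import re
from urllib.parse import parse_qs

# Field names commonly used for passwords in HTML login forms (assumed list; tune per application).
PASSWORD_FIELDS = re.compile(r"^(pwd|pass|passwd|password|passwort|secret)$", re.I)

SAMPLE_PAYLOADS = [
    # Constructed: a webmail login form posted over plain HTTP, like the one the lab captures.
    (("10.0.0.7", 2753), ("123.176.32.155", 80),
     b"POST /mail/inbox.php?lg=1 HTTP/1.1\r\n"
     b"Host: mail.example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 45\r\n\r\n"
     b"email_id=user%40example.com&pwd=Secret%21&x=1"),
    # Constructed: a GET that carries the password in the query string (also cleartext).
    (("10.0.0.7", 2760), ("123.176.32.155", 80),
     b"GET /login?user=alice&password=hunter2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Constructed: the first bytes of a TLS ClientHello on 443; opaque to this detector.
    (("10.0.0.7", 1049), ("74.125.236.182", 443),
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload):
    """Return (method, path, headers, body), or None if the payload is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(1).decode("ascii"), m.group(2).decode("latin-1"), headers, body


def credential_fields(method, path, headers, body):
    """Names of password-like fields sent in the query string or in a form-encoded body."""
    found = []
    if "?" in path:
        query = parse_qs(path.split("?", 1)[1], keep_blank_values=True)
        found += [k for k in query if PASSWORD_FIELDS.match(k)]
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        found += [k for k in form if PASSWORD_FIELDS.match(k)]
    return found


def scan(payloads):
    """Alert on every flow that carries a cleartext credential; values are never recorded."""
    alerts = []
    for src, dst, payload in payloads:
        req = parse_http_request(payload)
        if req is None:
            continue  # not HTTP (for example TLS), nothing to inspect
        fields = credential_fields(*req)
        if fields:
            alerts.append({"src": src, "dst": dst, "method": req[0],
                           "host": req[2].get("host", ""), "fields": fields})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_PAYLOADS):
        print(f"cleartext credential: {a['src'][0]}:{a['src'][1]} -> {a['dst'][0]}:{a['dst'][1]} "
              f"{a['method']} {a['host']} fields={a['fields']}")
```

The alert names the client, the server and the form field, which is enough to find the application that still accepts logins over plain HTTP and move it behind TLS; it deliberately drops the credential itself so the detection log does not become a second copy of the problem.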

FIGURE 9.12: Sniff-O-Matic — Marked packets

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Sniff-O-Matic

Information Collected/Objectives Achieved:
Header Length: 5
Time To Live: 61
Protocol: 6
Header Checksum: 0xC1F6
Source IP: 123.176.32.155
Dest. IP: 10.0.0.7
Source Port: 80 (HTTP)
Destination Port: 2753
Username and password

One of the features of the tool is protocol and port data: the program displays source and destination IP addresses, and raw packet information. The program offers no IP address to domain name conversion.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☑ iLabs