
CEH Lab Manual

Module 08 - Sniffers

Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.

Lab Scenario
Sniffing is a technique used to intercept data in information security, where many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.
Network sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes. A packet sniffer is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, proceeding to troubleshoot them.


Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in a cleartext format. An attacker can easily intrude into a network using this login information and compromise other systems on the network. Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers and he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, and know the types of information that can be detected from the captured data and use the information to keep the network running smoothly.

Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:
■ Sniff the network
■ Analyze incoming and outgoing packets
■ Troubleshoot the network for performance

CEH Lab Manual Page 585

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

■ Secure the network from attacks

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing

Lab Environment
In this lab, you need:

■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration
Time: 80 Minutes

Overview of Sniffing Network
Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in sniffing the network:
■ Sniffing the network using the Colasoft Packet Builder
■ Sniffing the network using the OmniPeek Network Analyzer
■ Spoofing MAC address using SMAC
■ Sniffing the network using the WinArpAttacker tool
■ Analyzing the network using the Colasoft Network Analyzer
■ Sniffing passwords using Wireshark
■ Performing man-in-the-middle attack using Cain & Abel
■ Advanced ARP spoofing detection using XArp
■ Detecting systems running in promiscuous mode in a network using PromqryUI
■ Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario
From the previous scenario, now you are aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.


Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing

In this lab, you need:
■ OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek network analyzer
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on virtual machine as target machine
■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek682demo.exe
■ Administrative privileges to run tools


Lab Duration
Time: 20 Minutes

Overview of OmniPeek Network Analyzer
OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.

Lab Tasks
TASK 1
Installing OmniPeek Network Analyzer

1. Install OmniPeek Network Analyzer on the host machine Windows Server 2012.

2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 1.1: Windows Server 2012 - Desktop view

3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.

OmniPeek Enterprise provides users with the visibility and analysis they need to keep Voice and Video applications and non-media applications running optimally on the network.


FIGURE 1.2: Windows Server 2012 - Start menu


To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.

4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.
FIGURE 1.3: OmniPeek main screen

5. Launch Windows 8 Virtual Machine.

6. Now, in Windows Server 2012 create an OmniPeek capture window as follows:

Starting New Capture

a. Click the New Capture icon on the main screen of OmniPeek.

b. View the General options in the OmniPeek Capture Options dialog box when it appears.

c. Leave the default general settings and click OK.
OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

FIGURE 1.4: OmniPeek capture options - General


d. Click Adapter and select Ethernet in the list for Local machine. Click OK.

Network Coverage: With the Ethernet, Gigabit, 10G, and wireless capabilities, you can now effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

FIGURE 1.5: OmniPeek capture options - Adapter

7. Now, click Start Capture to begin capturing packets. The Start Capture tab changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.
Dashboards display important data that every network engineer needs to know regarding the network without spending lots of time analyzing the captured data.

FIGURE 1.6: OmniPeek creating a capture window


OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines, acting as both a full-featured network analyzer and console for remote network analysis.

8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

FIGURE 1.7: OmniPeek statistical analysis of the data

9. To view the captured packets, select the Packets dashboard in the left pane of the window, in the Capture section of the window.

The OmniPeek Peer Map shows all communicating nodes within your network and is drawn as a vertically oriented ellipse, able to grow to the size necessary. It is easy to read the maps: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or active nodes, or to any OmniPeek filters that may be in use.

FIGURE 1.8: OmniPeek displaying packets captured

10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.

11. You can view the Nodes and Protocols from the Statistics section of the Dashboard.


On-the-Fly Filters: You shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets "select related" feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis, with a simple right click of the mouse.

FIGURE 1.9: OmniPeek statistical reports of Nodes

12. You can view a complete Summary of your network from the Statistics section of the Dashboard.

Alarms and Notifications: Using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

FIGURE 1.10: OmniPeek Summary details

13. To save the result, select File -> Save Report.


Using OmniPeek's local capture capabilities, a centralized console distributes OmniEngine intelligent software probes, Omnipliance®, Timeline™ network recorders, and Expert Analysis.

FIGURE 1.11: OmniPeek saving the results

14. Choose the format of the report type from the Save Report window and then click Save.
Engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.

PDF reports contain Summary Statistics, Node Statistics, Protocol Statistics, Node/Protocol Detail Statistics, Expert Stream and Application Statistics, Voice and Video, Wireless Node and Channels Statistics, and graphs.

FIGURE 1.12: OmniPeek selecting the report format

15. The report can be viewed as a PDF.


Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.

FIGURE 1.13: OmniPeek Report in PDF format

Lab Analysis
Analyze and document the results related to the lab exercise.


Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:

Network Information:
■ Network Utilization
■ Current Activity
■ Log
■ Top Talkers by IP Address
■ Top Protocols

Packets Information:
■ Source
■ Destination
■ Size
■ Protocol

Nodes Statistics:
■ Total Bytes for a Node
■ Packets Sent
■ Packets Received
■ Broadcast/Multicast Packets

Summary includes information such as:
■ General
■ Network
■ Errors
■ Counts
■ Size Distribution
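As an added example (not OmniPeek's code) of how the node, protocol and summary statistics listed above are derived from captured packets, the following Python computes them over a constructed packet list; the 100 Mbit/s link speed is an assumption taken from the adapter shown in Figure 1.5.

```python
"""Node, protocol and summary statistics of the kind a sniffer dashboard reports,
computed from captured packet records. Added example for this lab, not OmniPeek
code; the packet records are constructed and the link speed is assumed."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # application protocol label, as a dashboard would show it
    size: int   # frame size in bytes


# Constructed sample capture (addresses chosen to resemble the lab's screenshots).
SAMPLE_PACKETS = [
    Packet("10.0.0.2", "173.194.36.4", "HTTPS", 64),
    Packet("173.194.36.4", "10.0.0.2", "HTTPS", 1514),
    Packet("10.0.0.2", "173.194.36.4", "HTTPS", 64),
    Packet("10.0.0.2", "8.8.8.8", "DNS", 70),
    Packet("8.8.8.8", "10.0.0.2", "DNS", 118),
    Packet("10.0.0.2", "255.255.255.255", "DHCP", 342),
    Packet("10.0.0.5", "224.0.0.251", "MDNS", 96),
    Packet("10.0.0.5", "10.0.0.2", "SMB", 184),
]

BROADCAST = "255.255.255.255"


def is_multicast(ip: str) -> bool:
    """IPv4 multicast destination (224.0.0.0/4)."""
    return 224 <= int(ip.split(".")[0]) <= 239


def node_statistics(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Per-node totals: bytes, packets sent, packets received, broadcast/multicast sent."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"bytes": 0, "sent": 0, "received": 0, "bcast_mcast": 0})
    for p in packets:
        stats[p.src]["bytes"] += p.size
        stats[p.src]["sent"] += 1
        if p.dst == BROADCAST or is_multicast(p.dst):
            stats[p.src]["bcast_mcast"] += 1   # no single receiving node to credit
        else:
            stats[p.dst]["bytes"] += p.size
            stats[p.dst]["received"] += 1
    return dict(stats)


def top_talkers(packets: List[Packet], n: int = 3) -> List[Tuple[str, int]]:
    """Nodes ranked by bytes sent plus received (ties broken by address)."""
    ranked = sorted(((ip, s["bytes"]) for ip, s in node_statistics(packets).items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


def top_protocols(packets: List[Packet]) -> List[Tuple[str, int]]:
    """Protocols ranked by bytes carried."""
    per_proto: Counter = Counter()
    for p in packets:
        per_proto[p.proto] += p.size
    return sorted(per_proto.items(), key=lambda t: (-t[1], t[0]))


# Frame-size buckets like a "Packet Sizes" graph; frames over 1518 bytes are oversize.
SIZE_BUCKETS = [("<=64", 0, 64), ("65-127", 65, 127), ("128-255", 128, 255),
                ("256-511", 256, 511), ("512-1023", 512, 1023), ("1024-1518", 1024, 1518)]


def size_distribution(packets: List[Packet]) -> Dict[str, int]:
    dist = {label: 0 for label, _, _ in SIZE_BUCKETS}
    for p in packets:
        for label, lo, hi in SIZE_BUCKETS:
            if lo <= p.size <= hi:
                dist[label] += 1
                break
    return dist


def utilization(total_bytes: int, duration_s: float, link_bps: int) -> Tuple[float, float]:
    """Average utilization as (bits per second, percent of link speed)."""
    bps = total_bytes * 8 / duration_s
    return bps, 100.0 * bps / link_bps


def capture_summary(packets: List[Packet], duration_s: float,
                    link_bps: int = 100_000_000) -> Dict[str, object]:
    """The 'Summary' figures: totals, broadcast/multicast counts, utilization, sizes."""
    total_bytes = sum(p.size for p in packets)
    bps, pct = utilization(total_bytes, duration_s, link_bps)
    return {
        "total_packets": len(packets),
        "total_bytes": total_bytes,
        "broadcast": sum(1 for p in packets if p.dst == BROADCAST),
        "multicast": sum(1 for p in packets if is_multicast(p.dst)),
        "avg_bits_per_s": round(bps),
        "avg_utilization_pct": round(pct, 3),
        "size_distribution": size_distribution(packets),
    }


if __name__ == "__main__":
    print("Top talkers:", top_talkers(SAMPLE_PACKETS))
    print("Top protocols:", top_protocols(SAMPLE_PACKETS))
    print("Summary:", capture_summary(SAMPLE_PACKETS, duration_s=10))
```

Fed the totals of the report in Figure 1.13 (1014185 bytes over 0:01:25 on a 100 Mbit/s link), utilization() gives about 0.095%, which agrees with the report's 0.096% once the duration is rounded to whole seconds.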

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Lab

Spoofing MAC Address Using SMAC
SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

Lab Scenario
In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network. If an administrator does not have a certain level of working skills with a packet sniffer, it is really hard to defend against intrusions. So as an expert ethical hacker and penetration tester, you must spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.


Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 08 Sniffing

In the lab, you need:
■ SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
■ You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
■ If you decide to download the latest version, then screenshots shown in the lab might differ


■ A computer running Windows Server 2012 as Host and Windows Server 2008 as Virtual Machine
■ Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
■ Administrative privileges to run tools
■ A web browser with Internet access

Lab Duration
Time: 10 Minutes

Overview of SMAC
SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Cards (NICs) on the Windows 2003 systems, regardless of whether the manufacturers allow this option.

Spoofing a MAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses. Spoofing is carried out to perform security vulnerability testing, penetration testing on MAC address-based authentication and authorization systems, i.e. wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).)

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

SMAC works on the Network Interface Card (NIC), which is on the Microsoft hardware compatibility list (HCL).

FIGURE 2.1: Windows Server 2012 - Desktop view

2. Click the SMAC 2.7 app in the Start menu to launch the tool.

When you start the SMAC program, you must start it as the administrator. You could do this by right-clicking on the SMAC program icon and clicking on "Run as Administrator" if not logged in as an administrator.


FIGURE 2.2: Windows Server 2012 - Start menu

TASK 1
Spoofing MAC Address

3. The SMAC main screen appears. Choose a network adapter to spoof a MAC address.

SMAC helps people to protect their privacy by hiding their real MAC addresses in the widely available Wi-Fi wireless network.

FIGURE 2.3: SMAC main screen

4. To generate a random MAC address, click Random.

FIGURE 2.4: SMAC Random button to generate MAC addresses

5. Clicking the Random button also inputs the New Spoofed MAC Address to simplify MAC address spoofing.


SMAC also helps network and IT security professionals to troubleshoot network problems, test Intrusion Detection/Prevention Systems (IDS/IPS), test Incident Response plans, build high-availability solutions, recover (MAC address based) software licenses, etc.

FIGURE 2.5: SMAC selecting a new spoofed MAC address

6. The Network Connection or Adapter display their respective names.

7. Click the forward arrow button in Network Connection to display the Network Adapter information.

FIGURE 2.6: SMAC Network Connection information

SMAC does not change the hardware burned-in MAC addresses. SMAC changes the software-based MAC addresses, and the new MAC addresses you change are sustained across reboots.

8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.

FIGURE 2.7: SMAC Network Adapter information

9. Similarly, the Hardware ID and Configuration ID display their respective names.

10. Click the forward arrow button in Hardware ID to display the Configuration ID information.

FIGURE 2.8: SMAC Hardware ID display

11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.

FIGURE 2.9: SMAC Configuration ID display


12. To bring up the ipconfig information, click IPConfig.

TASK 2
Viewing IPConfig Information

FIGURE 2.10: SMAC to view the information of IPConfig

13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.

The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.

FIGURE 2.11: SMAC IPConfig information

14. You can also import a MAC address list into SMAC by clicking MAC List on the toolbar.

FIGURE 2.12: SMAC toolbar, MAC List button


15. If there is no address in the MAC address field, click Load List to select a MAC address list file you have created. The MAC List window initially reads "No List" and offers the Load List, Select, and Close buttons.

FIGURE 2.13: SMAC MAC List window

16. Select the Sample_MAC_Address_List.txt file from the Load MAC List window. The sample file is installed under ProgramData\KLC\SMAC next to LicenseAgreement.txt, and the file dialog filters on Text Format (*.txt).

Note: When changing the MAC address, you MUST assign a well-formed address from the registered OUI space (SMAC's own note calls this the "IANA number assignments database"; OUI blocks are in fact registered by the IEEE Registration Authority). For example, "00-00-00-00-00-00" is not a valid MAC address; even though you can update to this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver, but the device will not function.

FIGURE 2.14: SMAC Load MAC List window


17. A list of MAC addresses is added to the MAC List in SMAC (the window shows the path C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt). Choose a MAC address and click Select. This MAC address is copied to New Spoofed MAC Address on the main SMAC screen.

Note: SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information Systems Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.

Note: SMAC displays the following information about a Network Interface Card (NIC):
■ Device ID
■ Active Status
■ NIC Description
■ Spoofed status
■ IP Address
■ Active MAC address
■ Spoofed MAC Address
■ NIC Hardware ID
■ NIC Configuration ID

FIGURE 2.15: SMAC MAC List window with the sample list loaded

18. To restart the network adapter, click Restart Adapter, which restarts the selected network adapter. Restarting the adapter causes a temporary disconnection of that network adapter; the driver reads its (spoofed) address when the adapter initializes, so the restart is what puts a newly written address into effect.

FIGURE 2.16: SMAC Restarting Network Adapter
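The validity note above (all-zero addresses, addresses the driver silently refuses) is the check worth doing before pressing Update MAC. The following Python script is an added example written for this edition, not part of SMAC or of the lab files: it parses a MAC list of the kind SMAC loads, classifies each entry (malformed, all-zero, broadcast, multicast, globally or locally administered unicast), and generates a random address of the sort SMAC's Random button could produce. The list format (one address per line, '#' comments) and the sample entries are assumptions, since the lab does not show the contents of Sample_MAC_Address_List.txt. One caveat a practitioner should know: the in-box wireless drivers on Windows 7 and later only accept an override address whose first octet has the locally administered bit set and the multicast bit clear (second hex digit 2, 6, A or E), so random_spoof_mac() forces those bits.

```python
"""Check and generate spoofable MAC addresses (added example; not SMAC code)."""
import re
import secrets

# Constructed sample list; the real Sample_MAC_Address_List.txt is not shown in the lab.
# Assumed format: one address per line, "#" starts a comment.
SAMPLE_MAC_LIST = """\
# constructed sample list
00-0C-29-4A-3B-2C   # VMware OUI, globally administered unicast
02-00-5E-10-00-01   # locally administered unicast (bit 1 of first octet set)
01-00-5E-00-00-16   # multicast (bit 0 of first octet set): driver will refuse
00-00-00-00-00-00   # all-zero: SMAC's note says the true MAC is used instead
FF-FF-FF-FF-FF-FF   # broadcast: never valid as a station address
00-08-xx-yy-zz-01   # malformed
"""


def parse_mac(text):
    """Return the six octets of XX-XX-XX-XX-XX-XX or XX:XX:XX:XX:XX:XX, or None if malformed."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        return None
    return bytes(int(p, 16) for p in parts)


def format_mac(octets, sep="-"):
    return sep.join("%02X" % b for b in octets)


def check_mac(text):
    """Classify an address. Returns (ok, reason); ok means a unicast address a NIC can use."""
    octets = parse_mac(text)
    if octets is None:
        return False, "malformed"
    if octets == b"\x00" * 6:
        return False, "all-zero address"
    if octets == b"\xff" * 6:
        return False, "broadcast address"
    if octets[0] & 0x01:            # I/G bit set: group (multicast) address
        return False, "multicast address"
    if octets[0] & 0x02:            # U/L bit set: locally administered
        return True, "locally administered unicast"
    return True, "globally administered unicast (OUI %s)" % format_mac(octets[:3])


def random_spoof_mac():
    """Random unicast, locally administered address (U/L bit set, I/G bit clear)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return format_mac(octets)


def load_mac_list(text):
    """Parse a list file into (address, ok, reason) rows; blank and comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ok, reason = check_mac(entry)
            rows.append((entry.upper(), ok, reason))
    return rows


if __name__ == "__main__":
    for address, ok, reason in load_mac_list(SAMPLE_MAC_LIST):
        print("%-17s %-8s %s" % (address, "ok" if ok else "REJECT", reason))
    print("random spoof candidate:", random_spoof_mac())
```

Windows drivers read the override from the adapter's NetworkAddress registry value when they initialize, which is the value tools of this kind write; the burned-in address in the NIC itself is not touched, and SMAC's vendor documents it as changing the software MAC only. That is also why a globally administered address copied from a real vendor OUI (the first entry above) passes every check here and still collides with the real device if both are on the same segment; prefer locally administered addresses unless impersonating a specific host is the point.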

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Sniffing a Network Using the WinArpAttacker Tool
WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).

Lab Scenario
You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker too can alter his or her MAC address to attempt to evade network intrusion detection systems, bypass access control lists, impersonate an authenticated user, and continue to communicate within the network after the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches. As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more permitted MAC addresses for each port. Another way to stop an attacker from sniffing on your network is to use static ARP entries (a static entry protects only the host on which it is configured, so this is practical for the gateway and a handful of servers rather than for every client). In this lab, you will learn to run the tool WinArpAttacker to sniff a network and to detect and prevent these attacks.

Lab Objectives
The objectives of this lab are to:
■ Scan, Detect, Protect, and Attack computers on local area networks (LANs)
■ Scan and show the active hosts on the LAN within a very short time, a period of 2-3 seconds
■ Save and load computer list files, and scan the LAN regularly for a new computer list
■ Update the computer list in passive mode using sniffing technology


■ Discover whether the target freely provides information regarding the type of operating systems it employs
■ Discover the kind of firewall, wireless access point, and remote access in use
■ Discover any published information on the topology of the network
■ Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
■ Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:
■ WinArpAttacker, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
■ You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 2008 running on a virtual machine as target machine
■ A computer updated with network devices and drivers
■ An installed version of the WinPcap drivers
■ Double-click WinArpAttacker.exe to launch WinArpAttacker
■ Administrative privileges to run tools

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 10 Minutes

Note: WinArpAttacker works on computers running Windows; the version used in this lab is 3.5 (2006.6.4) and its note lists Windows 2003.

Overview of Sniffing
Sniffing is performed to collect basic information about a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
TASK 1: Scanning Hosts on the LAN

1. Launch the Windows 8 virtual machine.
2. Launch WinArpAttacker on the host machine.


The WinArpAttacker main window (title: Untitled - WinArpAttacker 3.5 2006.6.4) has the menus File, Scan, Attack, Detect, Options, View and Help; a toolbar with New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up and About; a host list with the columns IP, MAC, Hostname, Online, Sniffing, Attack, ArpSQ, ArpSP, ArpRQ and ArpRP; and an event pane with the columns Time, Event, ActHost, EffectHost1, EffectHost2 and Count. The status bar reports the local MAC, the gateway (GW: 10.0.0.1) and the counters On, Off and Sniffing.

Caution (from the tool's start-up message): This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the author (unshadow); if you don't agree with this, you must delete it immediately.

FIGURE 3.1: WinArpAttacker main window

3. Click the Scan option from the toolbar menu and select Scan LAN.
4. The scan shows the active hosts on the LAN in a very short period of time (2-3 seconds).
5. The Scan option has two modes: Normal scan and Antisniff scan.

Note: The Scan option can scan and show the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff. The second is to find who is sniffing on the LAN.

FIGURE 3.2: WinArpAttacker Scan options

6. Scanning saves and loads computer list files and also scans the LAN regularly for new computer lists.


The loaded host list shows the LAN's computers (10.0.0.1 through 10.0.0.8 in the lab) with IP, MAC, hostname (WIN-MSSELCK..., WINDOWS8, WORKGROUP, ADMIN and others), online status and per-host ARP counters; the event pane logs New_Host and Arp_Scan events with their timestamps, and the status bar reads On: 7 Off: 0 Sniffing: 0, GW: 10.0.0.1.

Note: In this tool, attacks can pull and collect all the packets on the LAN.

FIGURE 3.3: WinArpAttacker loading a computer list

7. By performing the attack action, WinArpAttacker can pull and collect all the packets on the LAN.

TASK 2: ARP Attack

8. Select a host (10.0.0.5, Windows Server 2008) from the displayed list and select Attack -> Flood.

Note: The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

FIGURE 3.4: WinArpAttacker ARP attack type

9. In the spoofing attacks, WinArpAttacker acts as another gateway or IP forwarder, without other users on the LAN noticing, while spoofing their ARP tables.
10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward function is counted, as shown in the main interface.


Note: The Ban Gateway option tells the gateway wrong MAC addresses for the target computers, so the targets can't receive packets from the Internet. This attack is used to forbid the targets access to the Internet.

While the attack runs, the Attack column of the host list and the ArpSQ/ArpSP/ArpRQ/ArpRP counters update and the packet counters increase; the status bar still reads On: 7 Off: 0, GW: 10.0.0.1.

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

Note: The IP Conflict option, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may not be able to work because of repeated IP conflict messages. In addition, the targets can't access the LAN.

11. Click Save to save the report. The toolbar offers New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up and About, under the menus File, Scan, Attack, Detect, Options, View and Help.

FIGURE 3.6: WinArpAttacker toolbar options

12. Select a desired location and click Save to save the report.
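The attacks just described (Flood and IP Conflict, which make a host believe its own address is in use; the gateway spoof that turns the attacker into a silent IP forwarder; Ban Gateway, which feeds the gateway wrong MACs) all arrive at the victim as ordinary ARP frames, which is why the scenario's defences are static ARP entries and watching for odd MAC addresses. The following Python script is an added example for this edition, not code from WinArpAttacker or from the lab files: it builds RFC 826 ARP frames with the byte layout any such tool sends, then runs a small detector over a constructed sequence of frames (the host list's 10.0.0.0/24 addresses, with MACs invented here) and raises one alert each for the gateway spoof, the IP conflict and the reply flood. The flood threshold, the trusted gateway entry and the sample MACs are this example's assumptions. It also builds the probe that promiscuous-mode ("antisniff") scanners use in general: an ARP request addressed to a destination MAC (FF-FF-FF-FF-FF-FE here) that the NIC's hardware filter drops in normal mode but that a host in promiscuous mode passes up and, in practice, answers; whether WinArpAttacker's Antisniff mode uses exactly this probe is not stated in the lab.

```python
"""Build ARP frames and flag the ARP attacks shown in this lab (added example; not WinArpAttacker code)."""
import struct
from collections import Counter

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, op, SHA, SPA, THA, TPA


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header (14 bytes) + ARP body (28 bytes) as RFC 826 lays it out."""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    header = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    return header + body


def antisniff_probe(scanner_mac, scanner_ip, target_ip, bogus_dst="FF-FF-FF-FF-FF-FE"):
    """ARP request to a destination MAC no NIC filter should accept; a promiscuous host answers anyway."""
    return build_arp(ARP_REQUEST, scanner_mac, scanner_ip, "00-00-00-00-00-00", target_ip, dst_mac=bogus_dst)


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame into a dict, or return None for anything else."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: "-".join("%02X" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
            "sender_mac": mac(sha), "sender_ip": ip(spa), "target_mac": mac(tha), "target_ip": ip(tpa)}


def detect_arp_attacks(frames, my_ip, my_mac, gateway_ip, gateway_mac, flood_threshold=5):
    """Walk frames in order and return alert strings; each (kind, offender) is reported once.

    gateway-spoof : a reply maps the gateway IP to a MAC other than the trusted one
    ip-conflict   : a frame from a foreign MAC claims our own IP (Flood / IP Conflict options)
    flood         : more than flood_threshold replies from one MAC
    mapping-change: any other IP whose MAC differs from the first one seen
    forged        : ARP sender MAC disagrees with the Ethernet source MAC
    """
    table = {gateway_ip: gateway_mac, my_ip: my_mac}     # the static entries a defender trusts
    replies = Counter()
    alerts, reported = [], set()

    def alert(kind, key, text):
        if (kind, key) not in reported:
            reported.add((kind, key))
            alerts.append("%s: %s" % (kind, text))

    for i, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None:
            continue
        smac, sip = a["sender_mac"], a["sender_ip"]
        if smac != a["eth_src"]:
            alert("forged", smac, "frame %d: ARP sender %s inside Ethernet source %s" % (i, smac, a["eth_src"]))
        if a["op"] == ARP_REPLY:
            replies[smac] += 1
            if replies[smac] == flood_threshold + 1:
                alert("flood", smac, "frame %d is reply number %d from %s" % (i, replies[smac], smac))
        if sip == my_ip and smac != my_mac:
            alert("ip-conflict", smac, "frame %d: %s claims our address %s" % (i, smac, my_ip))
            continue
        if a["op"] != ARP_REPLY:
            continue
        known = table.setdefault(sip, smac)
        if known != smac:
            kind = "gateway-spoof" if sip == gateway_ip else "mapping-change"
            alert(kind, (sip, smac), "frame %d: %s was %s, now claimed by %s" % (i, sip, known, smac))
    return alerts


def sample_frames():
    """Constructed traffic on the lab's 10.0.0.0/24 (MACs invented here; this is not a real capture)."""
    gw, gw_mac = "10.0.0.1", "00-0C-29-00-00-01"
    victim, victim_mac = "10.0.0.5", "00-0C-29-00-00-05"
    attacker_mac = "00-0C-29-00-00-07"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim, "00-00-00-00-00-00", gw, dst_mac="FF-FF-FF-FF-FF-FF"),
        build_arp(ARP_REPLY, gw_mac, gw, victim_mac, victim),          # legitimate answer
        build_arp(ARP_REPLY, attacker_mac, gw, victim_mac, victim),    # gateway spoof
    ]
    frames += [build_arp(ARP_REPLY, attacker_mac, victim, victim_mac, victim) for _ in range(6)]  # IP conflict flood
    return frames


def sample_alerts():
    return detect_arp_attacks(sample_frames(), "10.0.0.5", "00-0C-29-00-00-05", "10.0.0.1", "00-0C-29-00-00-01")


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

The seeded table is the static ARP entry from the scenario: on the victim, arp -s 10.0.0.1 00-0c-29-00-00-01 pins the gateway mapping so that frame 2 is ignored by that host, but it does nothing for any other host on the segment, and it does not stop the IP-conflict flood, which Windows reports as a duplicate-address event regardless of the ARP cache. Switch port security (one permitted MAC per port) is what stops the attacker's MAC from appearing on the victim's port in the first place.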

Lab Analysis
Analyze and document the scanned and attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. WinArp

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Analyzing a Network Using the Capsa Network Analyzer
Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

Lab Scenario
Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol. To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army, and must securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.

Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
■ Network traffic analysis and communication monitoring
■ Network problem diagnosis
■ Network security analysis
■ Network performance detection
■ Network protocol analysis


Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
■ Colasoft Capsa Network Analyzer, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer
■ You can also download the latest version of Colasoft Capsa Network Analyzer from the link http://www.colasoft.com
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
■ Administrative privileges to run tools
■ A web browser with an Internet connection
Note: This lab requires an active Internet connection for license key registration.

Note: Colasoft Capsa Network Analyzer runs on Server 2003/Server 2008/7 with 64-bit Edition.

Lab Duration
Time: 20 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information about the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be Active or Passive. Passive sniffing works on a shared medium (a hub), where every frame already reaches the sniffer; on a switched network the attacker must sniff actively, for example by ARP poisoning or MAC flooding as in the previous lab, to pull other hosts' frames to the sniffer's port.

Lab Tasks
TASK 1: Analyze Network

1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 4.1: Windows Server 2012 desktop view (Windows Server 2012 Release Candidate Datacenter, evaluation copy)


2. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool.

FIGURE 4.2: Windows Server 2012 Start menu

3. The Colasoft Capsa 7 Free - Activation Guide window appears. Type the activation key that you received in your registered email and click Next. The guide shows the license information (User Name, Company, Serial Number), a "Click here to get your serial number..." link, the options Activate Online (Recommended) and Activate Offline, and the Next, Cancel and Help buttons; questions go to capsafree@colasoft.com.

FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer Activation Guide window


4. Continue to click Next on the Activation Guide and click Finish when it reports "Successfully activated!".

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer activation successful

5. The Colasoft Capsa 7 Free Network Analyzer main window appears. The Capture tab lists the wired network adapters (here the Ethernet adapter on 10.0.0.2, a loopback adapter on 127.0.0.1 and the vEthernet virtual network internal adapter on 169.254.103.x) with their current bps, link speed, packet and byte counters and utilization, the Capture Filter (no filter selected, accept all packets), the Network Profile, and the analysis profiles Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis and IM Analysis (Full Analysis loads the MSN and Yahoo Messenger plug-in modules).

Note: As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

FIGURE 4.5: Colasoft Capsa Network Analyzer main screen


6. In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project. The adapter's Capture Filter pane reads "No filter selected, accept all packets"; use Set Capture Filter before starting when you want to restrict the capture.

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a new project

7. The Dashboard provides various graphs and charts of the statistics. You can view the analysis report in graphical form in the Dashboard section of Node Explorer; the default dashboard shows Total Traffic by Bytes, Top Application Protocols by Bytes and Top IP Total Traffic by Bytes.

Note: The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.

FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard


8. The Summary tab provides full general analysis and statistical information for the node selected in the Node Explorer window: diagnosis counts (Information, Notice, Warning, Critical), traffic totals (Total, Broadcast, Multicast, Average Packet Size), utilization, bps and pps, and the Packet Size Distribution in the buckets <=64, 65-127, 128-255, 256-511, 512-1023, 1024-1517 and >=1518 bytes.

Note: A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is idle.

FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

9. The Diagnosis tab provides the real-time diagnosis events of the global network, grouped by protocol layer or by security level. With this tab you can view the performance of the protocols.
10. To view the slow responses of TCP, click TCP Slow Response under Transport Layer in the Diagnosis Item pane; the Diagnosis Events pane then lists the matching events. In the lab capture the Transport Layer items are TCP Retransmission, TCP Slow Response and TCP Duplicated Acknowledgement, the Application Layer items are DNS Server Slow Response and HTTP Server Slow Response, and each event reads "TCP Slow ACK (Packet[x] and Packet[y], from z ms)", tagged with its severity, type (Performance) and layer (Transport).

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnosis


11. Double-click the highlighted D iagnosis Event to view the detailed information o f this event.
FIGURE 4.10: Analyzing Diagnosis Event

12. The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information.

FIGURE 4.11: TCP Slow ACK - Data Stream of Diagnostic Information window
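The diagnosis shown in Figures 4.10 and 4.11 pairs each data segment with the acknowledgement that covers it and reports the pairs whose ACK arrived late. The following script reproduces that check over a constructed TCP exchange. It is an added example written for this lab, not code from the original manual or from Colasoft; the 200 ms threshold is an assumption for the example and is not Capsa's configured diagnosis value.

```python
"""Flag slow TCP acknowledgements in a packet list.

Constructed sample data; the threshold is an assumption for this example,
not Capsa's configured diagnosis value.
"""
from dataclasses import dataclass
from typing import List, Tuple

SLOW_ACK_MS = 200.0  # assumed threshold; Capsa's own default may differ


@dataclass(frozen=True)
class Segment:
    ts: float         # absolute capture time, seconds
    src: str          # "ip:port"
    dst: str          # "ip:port"
    seq: int          # sequence number of the first payload byte
    ack: int          # acknowledgement number
    payload_len: int  # TCP payload bytes
    flags: str        # subset of "SAFPR", e.g. "PA"


def find_slow_acks(segments: List[Segment],
                   threshold_ms: float = SLOW_ACK_MS) -> List[Tuple[int, int, float]]:
    """Return (data_packet_no, ack_packet_no, delay_ms) for every data segment
    whose acknowledgement arrived later than threshold_ms.

    Packets are numbered from 1, as in Capsa's packet list. A data segment is
    taken as acknowledged by the first later packet flowing the other way whose
    ack number covers seq + payload_len. Sequence-number wrap-around is ignored
    for brevity.
    """
    slow = []
    pending = []  # (packet_no, segment, end_seq) awaiting an ACK
    for no, seg in enumerate(segments, start=1):
        if "A" in seg.flags:
            still_waiting = []
            for item in pending:
                data_no, data_seg, end_seq = item
                covers = (data_seg.src == seg.dst and data_seg.dst == seg.src
                          and seg.ack >= end_seq)
                if not covers:
                    still_waiting.append(item)
                    continue
                delay_ms = (seg.ts - data_seg.ts) * 1000.0
                if delay_ms > threshold_ms:
                    slow.append((data_no, no, round(delay_ms, 1)))
            pending = still_waiting
        if seg.payload_len > 0:
            pending.append((no, seg, seg.seq + seg.payload_len))
    return slow


CLIENT, SERVER = "10.0.0.2:1406", "207.218.235.182:80"
# Constructed exchange: the client's ACK of the server's first response
# segment is 250 ms late; every other ACK comes back within 30 ms.
SAMPLE = [
    Segment(0.000, CLIENT, SERVER, 1000, 5000, 500, "PA"),   # 1 client request
    Segment(0.030, SERVER, CLIENT, 5000, 1500, 0, "A"),      # 2 prompt ACK
    Segment(0.050, SERVER, CLIENT, 5000, 1500, 1200, "PA"),  # 3 response data
    Segment(0.300, CLIENT, SERVER, 1500, 6200, 0, "A"),      # 4 slow ACK
    Segment(0.310, SERVER, CLIENT, 6200, 1500, 300, "PA"),   # 5 more data
    Segment(0.340, CLIENT, SERVER, 1500, 6500, 0, "A"),      # 6 prompt ACK
]

if __name__ == "__main__":
    for data_no, ack_no, delay in find_slow_acks(SAMPLE):
        print(f"TCP Slow ACK: packet {ack_no} acknowledges packet {data_no} "
              f"after {delay} ms")
```

Run as a script it reports packet 4 acknowledging packet 3 after 250 ms, the same shape of finding as the Diagnosis tab's "TCP SlowACK(Packet:N and Packet:M from X ms)" rows. Lowering the threshold makes the prompt ACKs show up too, which is why a baseline of normal round-trip times matters before treating such events as faults.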

13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.

CEH Lab Manual Page 618

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis

14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.

FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

15. The IP Endpoint tab displays statistics of all IP addresses communicating within the network.
16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check if there is a multicast storm or broadcast storm in your network.


Network analysis is delicate work and always requires viewing the original packets and analyzing them. However, not all network failures can be found in a short period. Sometimes network analysis requires a long period of monitoring and must be based on a baseline of normal network behaviour.

FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

17. The Physical Conversation tab presents the conversations between two MAC addresses.
TTL tells a router whether the packet should be dropped because it has stayed in the network for too long. TTL was originally designed to define a time scope beyond which the packet is dropped. Because every router decrements the TTL by at least 1 as the packet passes through, the difference between the sender's initial TTL and the value observed in a capture indicates the number of routers the packet has traversed.

FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations

18. The IP Conversation tab presents IP conversations between pairs of nodes.
19. The lower pane of the IP Conversation section offers UDP and TCP conversations, which you can drill down into to analyze.


FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations

20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.
FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations

21. A window opens displaying full packet analysis between 10.0.0.5 and 239.255.255.250.



A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.

FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations

22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.
23. Double-click a node to display the full analysis of packets.
FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations

24. A Full Analysis window opens displaying detailed information about the conversation between the two nodes.


FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations

25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
26. The lower pane of this tab gives you the related packets and the reconstructed data flow to help you drill down and analyze the conversations.

In networking, an email worm is a computer worm that copies itself to a shared folder on a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations
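The Endpoint tabs (steps 15 and 16) and the Physical, IP, TCP and UDP Conversation tabs (steps 17 to 19 and 22 to 26) are all aggregations of the same packet list: per-address counters, and bidirectional rows keyed by a pair of endpoints. The script below builds those views from a constructed capture and adds the broadcast/multicast storm check that step 16 mentions. It is an added example written for this lab, not code from the original manual or from Colasoft; the MAC addresses, the packet sizes and the 100 packets-per-second storm threshold are assumptions for the example.

```python
"""Endpoint and conversation statistics from a packet list, plus a simple
broadcast/multicast storm check. All sample packets are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time, seconds
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "TCP", "UDP", ...
    src_port: int
    dst_port: int
    length: int     # bytes on the wire


def endpoint_stats(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Per-IP counters as on the IP Endpoint tab: bytes and packets sent/received."""
    stats = defaultdict(lambda: {"bytes_sent": 0, "bytes_recv": 0,
                                 "pkts_sent": 0, "pkts_recv": 0})
    for p in packets:
        stats[p.src_ip]["bytes_sent"] += p.length
        stats[p.src_ip]["pkts_sent"] += 1
        stats[p.dst_ip]["bytes_recv"] += p.length
        stats[p.dst_ip]["pkts_recv"] += 1
    return dict(stats)


def _endpoints(p: Packet, level: str) -> Tuple[str, str]:
    """Endpoint identifiers for the Physical, IP or TCP/UDP conversation view."""
    if level == "physical":
        return p.src_mac, p.dst_mac
    if level == "ip":
        return p.src_ip, p.dst_ip
    if level == "transport":
        return (f"{p.proto} {p.src_ip}:{p.src_port}",
                f"{p.proto} {p.dst_ip}:{p.dst_port}")
    raise ValueError(f"unknown level {level!r}")


def conversations(packets: List[Packet], level: str = "ip") -> Dict[Tuple[str, str], Dict]:
    """Group packets into bidirectional conversations keyed by the sorted endpoint
    pair, so both directions land in one row with bytes counted each way."""
    convs: Dict[Tuple[str, str], Dict] = {}
    for p in packets:
        src, dst = _endpoints(p, level)
        a, b = sorted((src, dst))
        row = convs.setdefault((a, b), {"bytes_a_to_b": 0, "bytes_b_to_a": 0,
                                        "packets": 0, "first": p.ts, "last": p.ts})
        row["packets"] += 1
        row["bytes_a_to_b" if src == a else "bytes_b_to_a"] += p.length
        row["first"] = min(row["first"], p.ts)
        row["last"] = max(row["last"], p.ts)
    for row in convs.values():
        row["duration"] = row["last"] - row["first"]
    return convs


def is_broadcast_or_multicast(ip: str, mac: str) -> bool:
    """IPv4 multicast (224.0.0.0/4), limited broadcast, or the broadcast MAC."""
    return (ip_address(ip).is_multicast or ip == "255.255.255.255"
            or mac.lower() == "ff:ff:ff:ff:ff:ff")


def storm_candidates(packets: List[Packet], window_s: float = 1.0,
                     pps_threshold: int = 100) -> List[Tuple[str, float, int]]:
    """Sources sending more than pps_threshold broadcast/multicast packets in any
    window_s-wide bucket. The threshold is an assumption for this example."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for p in packets:
        if is_broadcast_or_multicast(p.dst_ip, p.dst_mac):
            counts[(p.src_ip, int(p.ts // window_s))] += 1
    return sorted((src, bucket * window_s, n)
                  for (src, bucket), n in counts.items() if n > pps_threshold)


# Constructed capture: one HTTP exchange, two WS-Discovery probes to
# 239.255.255.250:3702, and a burst of 150 broadcasts from 10.0.0.7 in 0.45 s.
GW, H2, H5, H7 = ("00:15:5d:a8:6e:09", "00:15:5d:a8:6e:06",
                  "00:15:5d:a8:6e:07", "00:15:5d:a8:6e:08")  # assumed MACs
SAMPLE = [
    Packet(0.00, H2, GW, "10.0.0.2", "207.218.235.182", "TCP", 1406, 80, 66),
    Packet(0.02, GW, H2, "207.218.235.182", "10.0.0.2", "TCP", 80, 1406, 66),
    Packet(0.03, H2, GW, "10.0.0.2", "207.218.235.182", "TCP", 1406, 80, 723),
    Packet(0.10, GW, H2, "207.218.235.182", "10.0.0.2", "TCP", 80, 1406, 1514),
    Packet(0.50, H5, "01:00:5e:7f:ff:fa", "10.0.0.5", "239.255.255.250", "UDP", 52748, 3702, 1000),
    Packet(1.50, H5, "01:00:5e:7f:ff:fa", "10.0.0.5", "239.255.255.250", "UDP", 52748, 3702, 1000),
] + [
    Packet(2.0 + i * 0.003, H7, "ff:ff:ff:ff:ff:ff", "10.0.0.7", "255.255.255.255", "UDP", 137, 137, 92)
    for i in range(150)
]

if __name__ == "__main__":
    for key, row in conversations(SAMPLE, "transport").items():
        print(key, row["packets"], "packets", row["bytes_a_to_b"], "/", row["bytes_b_to_a"], "bytes")
    print("storm candidates:", storm_candidates(SAMPLE))
```

Sorting the endpoint pair is what makes a conversation a single row regardless of which side spoke first; the Physical view keys on MACs, so traffic that leaves the LAN collapses onto the gateway's MAC, exactly as Figure 4.15 shows. The storm check flags only 10.0.0.7, since the two discovery probes from 10.0.0.5 fall in separate one-second buckets.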

27. On the Matrix tab, you can view the nodes communicating in the network, drawn graphically with lines connecting them.
28. The weight of each line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.


29. You can easily navigate and shift between global statistics and the details of specific network nodes by selecting the corresponding nodes in the Node Explorer window.

Once we encounter a network malfunction or attack, the most important things to look at are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.

FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view

30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.
Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.
FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information

31. The Packet decode consists of two major parts: Hex View and Decode View.


Protocol decoding is basic functionality as well. The Packet tab collects all captured packets. Select a packet and you can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet, which makes it easy to understand how the packet is encapsulated according to its protocol rules.

FIGURE 4.24: Full Analysis of Packet Decode
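The Hex View and Decode View of steps 30 and 31 are a byte dump and a field-by-field parse of the same frame, and the TTL note above describes how the IP header's TTL field yields a hop estimate. The script below implements both for Ethernet II frames carrying ARP (as in Figure 4.24) or IPv4, including the header checksum verification that a decoder needs before trusting the other fields. It is an added example written for this lab, not code from the original manual or from Colasoft; both frames are constructed (the MAC addresses, IP identification and TCP sequence numbers are arbitrary), and the hop estimate assumes the sender started from one of the common initial TTLs 64, 128 or 255.

```python
"""Decode Ethernet II / ARP / IPv4 headers from raw bytes and render a hex view.
Both frames below are constructed for this example."""
import struct
from typing import Dict, List


def hex_view(data: bytes, width: int = 16) -> List[str]:
    """Hex View lines: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def estimate_hops(ttl: int) -> int:
    """Routers traversed, assuming the sender started at a common initial TTL
    (64, 128 or 255): the observed value is the remaining budget."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; 0 when a header with its checksum is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_arp(p: bytes) -> Dict:
    if len(p) < 28:
        raise ValueError("truncated ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", p[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", p[8:28])
    return {"hw_type": htype, "proto_type": ptype, "hw_len": hlen, "proto_len": plen,
            "opcode": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac(sha), "sender_ip": ipv4(spa),
            "target_mac": mac(tha), "target_ip": ipv4(tpa)}


def decode_ipv4(p: bytes) -> Dict:
    if len(p) < 20:
        raise ValueError("truncated IPv4")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", p[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(p) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"version": version, "header_len": ihl, "dscp": tos >> 2, "ecn": tos & 3,
            "total_len": total_len, "id": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "estimated_hops": estimate_hops(ttl),
            "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, proto),
            "checksum": csum, "checksum_ok": ipv4_checksum(p[:ihl]) == 0,
            "src_ip": ipv4(src), "dst_ip": ipv4(dst)}


def decode_frame(frame: bytes) -> Dict:
    """Decode View: Ethernet II header plus ARP or IPv4 payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype == 0x0806:
        out["arp"] = decode_arp(frame[14:])
    elif ethertype == 0x0800:
        out["ipv4"] = decode_ipv4(frame[14:])
    return out


# Constructed ARP request: 10.0.0.2 (00:15:5d:a8:6e:06) asks who has 10.0.0.1.
ARP_FRAME = bytes.fromhex("ffffffffffff" "00155da86e06" "0806"
                          "0001" "0800" "06" "04" "0001"
                          "00155da86e06" "0a000002" "000000000000" "0a000001")
# Constructed SYN-ACK from 207.218.235.182:80 to 10.0.0.2:1406, TTL 52,
# with a correct IPv4 header checksum (0x6510).
IP_FRAME = bytes.fromhex("00155da86e06" "00155da86e09" "0800"
                         "45000028" "1c2d" "4000" "34" "06" "6510"
                         "cfdaebb6" "0a000002"
                         "0050057e" "8b85f0a3" "0000a3c1" "5012ffff" "00000000")

if __name__ == "__main__":
    for frame in (ARP_FRAME, IP_FRAME):
        print(decode_frame(frame))
        print("\n".join(hex_view(frame)))
```

The TTL of 52 on the reply decodes to 12 hops under the 64 assumption, which is the kind of inference a Decode View invites; an attacker spoofing packets from a "nearby" host tends to get this field wrong, so TTL is also worth comparing against the baseline for a given peer. Corrupting a single header byte flips checksum_ok to False, which is the first thing to check before believing any other decoded field.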

32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP conversations, Web access, DNS transactions, Email communications, etc.

FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view


FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view
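The HTTP Log and DNS Log of steps 32 and 33 are produced by parsing application-layer payloads out of the captured conversations. The script below builds one row of each kind from a constructed HTTP request/response pair and a constructed DNS query/response, and it pulls out the cleartext Basic credentials that the Lab Scenario warns an attacker on the path can read. It is an added example written for this lab, not code from the original manual or from Colasoft; the host name, the credentials and the resolved address are invented for the example, and the HTTP parser assumes the request head has been reassembled into one buffer.

```python
"""Build HTTP Log and DNS Log rows from captured payloads. The request,
response and DNS messages below are constructed for this example."""
import base64
import binascii
import re
import struct
from typing import Dict, List, Optional

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def http_log_entry(client: str, server: str, request: bytes,
                   response: bytes = b"") -> Optional[Dict]:
    """One HTTP Log row: method, host, URI, status and, because HTTP is cleartext,
    any Basic credentials the request carried. Returns None for non-HTTP data."""
    m = REQUEST_LINE.match(request)
    if not m:
        return None
    headers: Dict[str, str] = {}
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("utf-8", "replace")
    sm = STATUS_LINE.match(response)
    entry = {"client": client, "server": server,
             "method": m.group(1).decode(), "uri": m.group(2).decode(),
             "host": headers.get("host", ""), "user_agent": headers.get("user-agent", ""),
             "status": int(sm.group(1)) if sm else None}
    auth = headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            entry["credentials"] = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            entry["credentials"] = None
    return entry


def _read_name(msg: bytes, off: int):
    """Read a DNS name at off, following compression pointers; returns (name, next_off)."""
    labels: List[str] = []
    end = None  # offset just past the first pointer, where the caller resumes
    for _ in range(128):  # bounded walk guards against pointer loops
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    else:
        raise ValueError("malformed DNS name")
    return ".".join(labels), (end if end is not None else off)


def dns_log_entry(client: str, server: str, msg: bytes) -> Dict:
    """One DNS Log row: transaction id, query name/type, and A/CNAME answers."""
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, qtype = "", None
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    entry = {"id": ident, "client": client, "server": server, "query": qname,
             "qtype": qtype, "response": bool(flags & 0x8000),
             "rcode": flags & 0xF, "answers": []}
    for _ in range(ancount):
        _name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            entry["answers"].append(".".join(str(b) for b in msg[off:off + 4]))
        elif rtype == 5:
            entry["answers"].append(_read_name(msg, off)[0])
        off += rdlen
    return entry


# Constructed payloads: a request with Basic credentials, its response, a TLS
# ClientHello fragment (not HTTP), and a DNS query/response for www.example.com.
HTTP_REQUEST = (b"GET /admin/index.php HTTP/1.1\r\n"
                b"Host: intranet.example.test\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Authorization: Basic YWRtaW46UGFzc3cwcmQ=\r\n\r\n")
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
TLS_HELLO = bytes.fromhex("16030100a5010000a10303")
DNS_QUESTION = bytes.fromhex("03777777076578616d706c6503636f6d00" "0001" "0001")
DNS_QUERY = bytes.fromhex("1a2b" "0100" "0001" "0000" "0000" "0000") + DNS_QUESTION
DNS_RESPONSE = (bytes.fromhex("1a2b" "8180" "0001" "0001" "0000" "0000") + DNS_QUESTION
                + bytes.fromhex("c00c" "0001" "0001" "0000003c" "0004" "cb00710a"))

if __name__ == "__main__":
    print(http_log_entry("10.0.0.2:1434", "178.255.83.1:80", HTTP_REQUEST, HTTP_RESPONSE))
    print(dns_log_entry("10.0.0.2", "8.8.8.8", DNS_QUERY))
    print(dns_log_entry("8.8.8.8", "10.0.0.2", DNS_RESPONSE))
```

The HTTP row recovers "admin:Passw0rd" from a single captured request, which is the concrete risk behind the HEAD's warning about cleartext credentials and the reason HTTPS conversations in Figure 4.19 yield no such log. The DNS parser follows compression pointers with a bounded loop, so a crafted response with a pointer cycle raises instead of hanging the log builder.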

34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
FIGURE 4.27: Colasoft Capsa Network Analyzer MSN Log view


35. The Report tab provides 27 statistics reports from the global network to a specific network node.

FIGURE 4.28: Colasoft Capsa Network Analyzer Full Analysis’s Report

36. You can click the respective hyperlinks for information, or you can scroll down to view the complete detailed report.

Almost all Trojans and worms need access to the network, because they have to return data to the attacker, and only the data useful to the Trojan's mission is sent. So traffic analysis and protocol analysis are a good place to start.

FIGURE 4.29: Colasoft Capsa Network Analyzer Full Analysis's Report (sections shown: Summary Statistics, Diagnosis Statistics, Protocols Statistics, Top Application Protocols, Top Physical Address, Top IP Address, Top Local IP Address, Top 10 Remote IP Address)

CEH Lab Manual Page 627

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

37. Click Stop Analysis on the toolbar after completing your task.

FIGURE 4.30: Colasoft Capsa Network Analyzer Stopping process

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Capsa Network Analyzer

Information Collected/Objectives Achieved:

Diagnosis:
■ Name
■ Physical Address
■ IP Address

Packet Info:
■ Packet Number
■ Packet Length
■ Captured Length

Ethernet Type:
■ Destination Address
■ Source Address
■ Protocol
■ Physical Endpoint
■ IP Endpoint

Conversations:
■ Physical Conversation
■ IP Conversation
■ TCP Conversation
■ UDP Conversation

Logs:
■ Global Log
■ DNS Log
■ Email Log
■ FTP Log
■ HTTP Log
■ MSN Log
■ Yahoo Log


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Capsa affects your network traffic while analyzing the network.
2. What types of instant messages does Capsa monitor?
3. Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on software?

Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs


Lab

Sniffing Passwords Using Wireshark
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and display packet data in detail.

Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers will first learn the IP address and correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set. As an administrator you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.


Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and data collection from any network topology.

Lab Environment
In the lab you will need:
■ Wireshark located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark


■ You can download Wireshark from http://www.wireshark.org. You can also download the latest version of Wireshark from http://www.wireshark.org/download.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as Host (Attacker) machine
■ A virtual machine (Windows 8 or Windows 2008 Server) as a Victim machine
■ A web browser with Internet connection
■ Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven installation steps to install Wireshark
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Password Sniffing
Password sniffing uses various techniques to sniff the network and get someone's password. Networks use broadcast technology to send data. Data transmitted through a broadcast network can be read by any other computer present on the network. Usually, all the computers except the recipient of the message notice that the message is not meant for them and ignore it. Many computers, however, can be programmed to look at every message on the network. If someone misuses this facility, they can view messages that are intended for others.

Lab Tasks
TASK 1
Capturing Packets

1. Before starting this lab, log in to the virtual machine(s).

2. On the host machine, launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012— Desktop view

Wireshark is an open source software project, and is released under the GNU General Public License (GPL).

3. Click Wireshark to launch the application.



A network packet analyzer is a kind of measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

FIGURE 5.2: Windows Server 2012— Desktop view

4. The Wireshark main window appears.

FIGURE 5.3: Wireshark Main Window

5. From the Wireshark menu bar, select Capture -> Interfaces (Ctrl+I).


Wireshark is used for:
■ Network administrators use it to troubleshoot network problems
■ Network security engineers use it to examine security problems
■ Developers use it to debug protocol implementations
■ People use it to learn network protocol internals

FIGURE 5.4: Wireshark Main Window with Interface Option

Wireshark Features:
■ Available for UNIX and Windows
■ Capture live packet data from a network interface
■ Display packets with very detailed protocol information
■ Open and Save packet data captured
■ Import and Export packet data from and to a lot of other capture programs

6. The Wireshark Capture Interfaces window appears.

FIGURE 5.5: Wireshark Capture Interfaces Window

7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the system. In the previous screenshot, it is the Realtek PCIe GBE Family Controller.

8. The interface should show some packets passing through it, as it is connected to the network.

Wireshark can capture traffic from many different network media types, including wireless LAN (despite its name).

9. Click Start on that interface's line.


A supported network card for capturing: Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.


FIGURE 5.6: Wireshark Capture Interfaces Window —Starting Capture

10. The captured traffic consists of the packets generated by the computer while browsing the Internet.

FIGURE 5.7: Wireshark Window with Packets Captured

11. Now, switch to the virtual machine and log in to the email ID for which you would like to sniff the password.

TASK 2
Stop Live Capturing

12. Stop the running live capture by clicking the Stop icon on the toolbar.



FIGURE 5.8: Wireshark Window—Stopping Live Capture

TASK 3
Saving Captured Files

13. You may save the captured packets from File -> Save As, provide a name for the file, and save it in the desired location.


FIGURE 5.9: WireShark —Saving the Captured Packets

14. Now, go to Edit and click Find Packet...

Wireshark can save captured packets in a large number of formats used by other capture programs.



Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.


FIGURE 5.10: Wireshark —Finding Packet Option

15. The Wireshark: Find Packet window appears.

FIGU RE 5.11: Wireshark —Find Packet Window

16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In, and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find.

Wireshark will not manipulate things on the network; it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).

FIGURE 5.12: Wireshark —Selecting Options in Find Packet Window


TASK 4
Observe the Password

17. Wireshark will now display the sniffed password from the captured packets.

Which media types Wireshark supports depends on many things, like the operating system you are using.

FIGU RE 5.13: Wireshark —Sniffed Password in Captured Packet

18. If you are working in the iLabs environment, then use the Test(WS) sample capture file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to sniff the password.
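The string search in steps 14 to 17 finds the password because the login form was posted over plain HTTP, so the credentials sit unencrypted inside the TCP payload. The following Python script is an added example, not part of the lab or of Wireshark, that automates the same check over a whole capture saved in classic libpcap format (pcapng is not handled): it walks each Ethernet/IPv4/TCP frame, looks for HTTP POSTs with a form-encoded body, and reports fields that look like credentials. The sample capture is constructed inline; the MACs, the URI /login/verify.php and the credentials alice/Winter2012 are illustrative values.

```python
import struct
from urllib.parse import parse_qs

# Form field names that commonly carry credentials (extend for your own applications)
CREDENTIAL_KEYS = {"pwd", "password", "passwd", "pass", "user", "username", "login", "email"}


def iter_pcap_frames(data: bytes):
    """Yield the raw link-layer bytes of each record in a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written by a little-endian host (the usual case)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written by a big-endian host
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    return src, dst, dst_port, tcp[data_offset:]


def find_cleartext_credentials(pcap: bytes):
    """Report HTTP POSTs whose urlencoded body carries credential-looking fields."""
    findings = []
    for frame in iter_pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dst_port, payload = parsed
        if not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (h.partition(":") for h in lines[1:])}
        if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            continue
        form = parse_qs(body.decode("ascii", "replace"))
        leaked = {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_KEYS}
        if leaked:
            findings.append({"src": src, "dst": dst, "dst_port": dst_port,
                             "uri": lines[0].split(" ")[1], "fields": leaked})
    return findings


def build_sample_pcap() -> bytes:
    """Constructed sample capture: one frame carrying a login POST over plain HTTP."""
    body = b"user=alice&pwd=Winter2012"                   # constructed credentials
    http = (b"POST /login/verify.php HTTP/1.1\r\n"
            b"Host: mail.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    # TCP: sport 49152, dport 80, seq/ack 1, header length 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    # IPv4: version 4 / IHL 5, protocol 6, 10.0.0.5 -> 123.176.32.155 (checksum left zero)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([123, 176, 32, 155])) + tcp
    # Ethernet: constructed gateway MAC as destination, constructed VM MAC as source
    eth = bytes.fromhex("0050560a0b0c") + bytes.fromhex("00155da87805") + b"\x08\x00" + ip
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record_header = struct.pack("<IIII", 0, 0, len(eth), len(eth))
    return global_header + record_header + eth


if __name__ == "__main__":
    for hit in find_cleartext_credentials(build_sample_pcap()):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dst_port']} POST {hit['uri']} fields={hit['fields']}")
```

To run it against the lab's own capture, save the capture from Wireshark in libpcap (not pcapng) format and pass the file's bytes to find_cleartext_credentials.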

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and "exposure" through public and free information.

Tool/Utility: Wireshark

Information Collected/Objectives Achieved:
■ Time
■ Source
■ Destination
■ Protocol
■ Length
■ Info
■ Internet Protocol
■ TCP, Source Port
■ Info
■ User ID and Password


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate the protocols that are supported by Wireshark.
2. Determine the devices Wireshark uses to capture packets.

Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs


Performing Man-in-the-Middle Attack Using Cain & Abel
Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network and cracking encrypted passwords.

Lab Scenario
You have learned in the previous lab how you can get user name and password information using Wireshark. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates themselves in a public network, especially to a website without an HTTPS connection. Once the password is hacked, an attacker can simply log into the victim's email account or use that password to log in to their PayPal and drain their bank account. They can even change the password for the email. Attackers can use Wireshark to decrypt the frames with the victim's password they already have. As preventive measures, an administrator in an organization should always advise employees not to provide sensitive information in public networks without an HTTPS connection. VPN and SSH tunneling must be used to secure the network connection. As an expert ethical hacker and penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms, and encryption techniques. Another method through which you can gain user name and password information is by using Cain & Abel to perform a man-in-the-middle attack.

Lab Objectives
The objective of this lab is to gather the following information regarding the target organization, which includes, but is not limited to:
■ Sniff network traffic and perform ARP poisoning
■ Launch a man-in-the-middle attack
■ Sniff the network for the password


Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

To carry out the lab, you need:
■ Cain & Abel located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel
■ You can also download the latest version of Cain & Abel from http://www.oxid.it
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as the attacker machine
■ Windows 2008 Server running on a virtual machine as the victim machine
■ A web browser with Internet connection
■ Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain & Abel
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Man-In-The-Middle Attack
You can download Cain & Abel from http://www.oxid.it.

A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN.

Lab Tasks
TASK 1
Man-In-The-Middle Attack

1. Launch your Windows 2008 Server virtual machine (Victim Machine).
2. Launch your Windows 8 virtual machine (Attacker Machine).
3. On the host machine (Windows Server 2012), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


Man-in-the-middle attacks have the potential to eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). They can also be used for substitution attacks that actively manipulate data.

FIGURE 6.1: Windows Server 2012 — Desktop view

4. Click Cain in the Start menu to launch Cain & Abel.

Cain & Abel covers some security aspects/weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms.


FIGURE 6.2: Windows Server 2012 —Desktop view

5. The main window of Cain & Abel appears.
Replay attacks can also be used to resend a sniffed password hash to authenticate an unauthorized user.

FIGURE 6.3: Cain & Abel Main Window

6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window.
7. To configure the Ethernet card, click Configure from the menu bar.


APR-SSH-1 can capture and decrypt SSH version 1 sessions, which are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because a trusted authority does not sign these certificates a warning message will be displayed to the end user.

_ a *

?‫ו‬#

| Took

H»lp

&S M L inW + «/ ! ° 0 “‫ ״‬B B S!
Nctvwtk Sniffer

m

o

0 © ‫ ף‬J.

|4I Dccodaj u

|sf C1

Troccioutc I IBB CCCU 1"ft" Airclcs:. |j*») Query I

, Cachcd Piuivoidi Protected Storage jgT L5A Secrets Wireless Passwords * 2

Press the ‫ •י‬button on the toolbar 0‫ ז‬dump the Protected Storage

I E 7 P a i 5 A 0 r 0 5£
W in de r Mail Passmores Dialup Passwords F Edit Boxes■ ‫ ן*ך‬Enterprise Maneger Gedentid Vaiace ^

http// wvyw.Oiid.it

FIGU RE 6.4: Cain & Abel Configuration Option FIGURE 6.4: Cain & Abel Configuration Option

8. The Configuration Dialog window appears.
9. The Configuration Dialog window consists of several tabs. Click the Sniffer tab to select the sniffing adapter.
10. Select the adapter, click Apply and then OK.

For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first, that address can be easily identified for troubleshooting, and second, it is not supposed to exist in your network. Note: You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same spoofed MAC address.

FIGURE 6.5: Cain & Abel Configuration Dialog Window

11. Click the Start/Stop Sniffer icon on the toolbar.


The most crucial item in that list is the radioactive hazard APR. It is in this window that we select our victim(s).

FIGURE 6.6: Cain & Abel Configuration Dialog Window

Note: If you get the Cain Warning pop-up, click OK.

12. Now click the Sniffer tab.

Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data.

FIGURE 6.7: Sniffer tab

13. Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.
14. The MAC Address Scanner window appears. Select All hosts in my subnet and check the All Tests check box. Click OK.


APR-RDP can capture and decrypt Microsoft's Remote Desktop Protocol as well.

FIGURE 6.8: Cain & Abel — MAC Address Scanner Window

15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.

Speeding up packet capture by wireless packet injection.

Note that the Cain & Abel program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

FIGURE 6.9: Cain & Abel — Scanning MAC Addresses Window

16. After scanning is completed, a list of detected MAC addresses is displayed.
17. Click the APR tab at the bottom of the main window.

C E H L ab M anual Page 644

Etliical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

APR state HalfRouting means that APR is routing the traffic correctly but only in one direction (e.g., Client -> Server or Server -> Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets of an entire direction, so it cannot grab authentications that use a challenge-response mechanism.

FIGURE 6.10: Cain & Abel ARP Tab

18. Click anywhere in the Configuration/Routed Packets window of APR to activate the Plus icon.
APR state FullRouting means that the IP traffic between two hosts has been completely hijacked and APR is working in full duplex (e.g., Server <-> Client). The sniffer will grab authentication information according to the sniffer filters set.

FIGURE 6.11: Cain & Abel ARP Tab

19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IPs whose traffic you want to listen to.


The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user.

FIGURE 6.12: Cain & Abel ARP Tab

20. To monitor the traffic between two computers, select 10.0.0.3 (Windows 8 virtual machine) and 10.0.0.5 (Windows 2008 Server virtual machine). Click OK.
The New ARP Poison Routing dialog warns: APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities, WAN traffic will be intercepted as well. Please note that since your machine does not have the same performance as a router, you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.

All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.

FIGURE 6.13: Cain & Abel ARP Tab

21. Select the added IP address in the Configuration/Routed Packets window and click the Start/Stop APR icon.
Note: If the Couldn't bind HTTPS acceptor socket pop-up appears, click OK.


Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for example, store user names and passwords using this service.

FIGURE 6.14: Cain & Abel ARP Poisoning

22. Now launch the command prompt in Windows 2008 Server, type ftp 10.0.0.3 (IP address of the Windows 8 machine) and press Enter.

There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called the "Local Credential Set" and it refers to the file \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials

23. When prompted for Username type "Martin" and press Enter, and for password type "apple" and press Enter.

Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator>ftp 10.0.0.3
    Connected to 10.0.0.3.
    220 Microsoft FTP Service
    User (10.0.0.3:(none)): Martin
    331 Password required
    Password:
    230 User logged in.
    ftp> _

FIGURE 6.15: Start ftp://10.0.0.3

24. Now, on the host machine, observe the tool listing the packets exchanged.


Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\

FIGURE 6.16: Sniffer window with more packets exchanged

25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.

The Passwords tab lists the FTP entry: Timestamp 18/09/2012 15:54:10, FTP server 10.0.0.3, Client 10.0.0.5, Username Martin, Password apple.

This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials

FIGURE 6.17: Sniffer window with more packets exchanged

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and "exposure" through public and free information.


Tool/Utility: Cain & Abel
Information Collected/Objectives Achieved:
■ IP Address: 10.0.0.3
■ MAC Address: 00155DA86E06
■ Packets Sent: 5
■ Packets Received: 7
■ FTP Server: 10.0.0.3
■ Username: Martin
■ Password: apple

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.
2. How can one protect a Windows Server against RDP MITM attacks?
3. How can you easily find the password captured in an RDP MITM attack using only Notepad or some other text editor?

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☑ iLabs


Lab

Detecting ARP Attacks with the XArp Tool
XArp is a security application that uses advanced techniques to detect ARP-based attacks.

Lab Scenario
You have already learned in the previous lab to capture user name and password information using Cain & Abel. Similarly, attackers, too, can sniff the username and password of a user. Once attackers have a user name and password, they can simply gain access to a network's database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network. They can also perform different types of attacks such as denial-of-service attacks, spoofing, buffer overflow, heap overflow, etc. When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly. Another method attackers can implement is ARP attacks, through which they can snoop on or manipulate all your data passing over the network. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks to protect your data.

Lab Objectives
The objective of this lab is to accomplish the following regarding the target organization, which includes, but is not limited to:
■ To detect ARP attacks


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
■ XArp is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp
■ You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of XArp
XArp helps users to detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.

Lab Tasks
TASK 1: Launching the XArp tool
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 — Desktop view

2. Click XArp in the Start menu to launch the XArp tool.


Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.

FIGURE 7.2: Windows Server 2012 — Apps

3. The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.

Security level set to: high. The high security level adds better network discovery, which results in a higher detection rate but sends out more discovery packets into the network. Aggressive inspection modules are employed, which might give false alerts in some environments.

A MAC address is a unique identifier for network nodes on a LAN. MAC addresses are associated with the network adapter that connects a device to the network. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or caches, are used to correlate network devices' IP addresses to their MAC addresses.

FIGURE 7.3: XArp status when security level set to high (8 mappings, 2 interfaces, 0 alerts)

4. On the host machine, XArp displays no ARP attacks.
Note: If you observe the same results, log in to a virtual machine and run Cain & Abel to initiate ARP poisoning against the host machine.
5. By default the security level is set to high. Set the Security level to aggressive on the XArp screen.


Security level set to: aggressive. The aggressive security level enables all ARP packet inspection modules and sends out discovery packets in high frequency. Using this level might give false attack alerts as it operates on a highly aggressive packet inspection philosophy.

An attacker can alter the MAC address of the device that connects the network to the Internet and can disable access to the web and other external networks.

FIGURE 7.4: XArp status when security level set to aggressive (8 mappings, 2 interfaces, 0 alerts)

6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an ARP attack on the Windows 2012 host machine.
7. The XArp pop-up appears displaying the alerts.

XArp allows alert filtering for excluding specific hosts. Other features include settings for alerting intensity and for how the alerts are presented. It also allows sending alerts through email and detailed alerting configuration.

The alert raised on 9/20/2012 reads: DirectedRequestFilter: targeted request, destination mac of arp request not set to broadcast/invalid address. The alert details list the interface (0x11), source and destination MAC, type (arp, 0x806), direction (out), source IP 10.0.0.2 and destination IP 10.0.0.1.

FIGURE 7.5: XArp displaying Alerts

Now, the XArp Status changes to ARP attacks detected.
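To show what lies behind alerts like the DirectedRequest one above, and behind the static ARP entry defence discussed in this lab, here is a small added example of an ARP inspection monitor (example code written for this page, not XArp's or EC-Council's). The gateway, Windows 8 and Windows 2008 MAC addresses are the ones shown in the lab's screenshots; the attacker MAC and the packet sequence are constructed.

```python
"""Added example (not XArp's or EC-Council's code): ARP inspection checks of
the kind XArp-style tools run on a LAN segment. The packets below are
constructed offline, so no capture library is needed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an Ethernet/ARP frame that the checks below need."""
    eth_dst: str     # Ethernet destination MAC
    eth_src: str     # Ethernet source MAC
    opcode: int      # ARP_REQUEST or ARP_REPLY
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str   # ARP target protocol address


class ArpMonitor:
    """Learns IP->MAC mappings from observed ARP traffic and records alerts.
    `static` holds IP->MAC pairs pinned by the administrator (the static,
    read-only ARP entries the lab mentions); contradicting one is an alert."""

    def __init__(self, static: Optional[Dict[str, str]] = None) -> None:
        self.static = {ip: m.lower() for ip, m in (static or {}).items()}
        self.cache: Dict[str, str] = dict(self.static)  # first-seen MAC per IP
        self.claims: Dict[str, Set[str]] = {}           # MAC -> IPs it announced
        self.alerts: List[str] = []

    def inspect(self, pkt: ArpPacket) -> List[str]:
        """Run every check on one packet and return the alerts it raised."""
        before = len(self.alerts)
        src, mac, ip = pkt.eth_src.lower(), pkt.sender_mac.lower(), pkt.sender_ip

        # 1. DirectedRequest: a request not sent to the broadcast address
        #    targets one host, which normal address resolution never does.
        if pkt.opcode == ARP_REQUEST and pkt.eth_dst.lower() != BROADCAST:
            self.alerts.append(f"DirectedRequest: request for {pkt.target_ip} "
                               f"from {src} sent unicast to {pkt.eth_dst.lower()}")

        # 2. HeaderMismatch: Ethernet source and ARP sender MAC should agree.
        if src != mac:
            self.alerts.append(f"HeaderMismatch: frame from {src} carries ARP sender {mac}")

        # 3. MappingChange / StaticViolation: an IP that suddenly lives at a
        #    different MAC. The first-seen mapping is kept, never overwritten.
        known = self.cache.get(ip)
        if known is None:
            self.cache[ip] = mac
        elif known != mac:
            kind = "StaticViolation" if ip in self.static else "MappingChange"
            self.alerts.append(f"{kind}: {ip} was {known}, now claimed by {mac}")

        # 4. MultipleIPs: one MAC announcing several IPs is how a poisoner
        #    sits between two hosts. Routers own several IPs, so tune this.
        claimed = self.claims.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            self.alerts.append(f"MultipleIPs: {mac} now claims {sorted(claimed)}")
        return self.alerts[before:]


def analyze(packets: List[ArpPacket],
            static: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed a packet sequence through a fresh monitor; returns all alerts."""
    mon = ArpMonitor(static)
    for pkt in packets:
        mon.inspect(pkt)
    return mon.alerts


# Constructed traffic using the lab's addresses. The gateway, Windows 8 and
# Windows 2008 MACs are those shown in the lab; the attacker MAC is invented.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:09:5b:ae:24:cc"
WIN8_IP, WIN8_MAC = "10.0.0.3", "00:15:5d:a8:6e:06"
WIN2008_IP, WIN2008_MAC = "10.0.0.5", "00:15:5d:a8:6e:03"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.2", "d0:67:e5:00:00:01"


def reply(sender_mac: str, sender_ip: str, dst_mac: str, target_ip: str) -> ArpPacket:
    """Build a unicast ARP reply announcing sender_ip at sender_mac."""
    return ArpPacket(dst_mac, sender_mac, ARP_REPLY, sender_mac, sender_ip, target_ip)


SAMPLE_PACKETS = [
    # Normal resolution: broadcast request, unicast replies.
    ArpPacket(BROADCAST, WIN2008_MAC, ARP_REQUEST, WIN2008_MAC, WIN2008_IP, WIN8_IP),
    reply(WIN8_MAC, WIN8_IP, WIN2008_MAC, WIN2008_IP),
    reply(GATEWAY_MAC, GATEWAY_IP, WIN8_MAC, WIN8_IP),
    # Poisoning: the attacker tells 10.0.0.5 that 10.0.0.3 is at its MAC and
    # tells 10.0.0.3 the same about 10.0.0.5 (what APR FullRouting relies on).
    reply(ATTACKER_MAC, WIN8_IP, WIN2008_MAC, WIN2008_IP),
    reply(ATTACKER_MAC, WIN2008_IP, WIN8_MAC, WIN8_IP),
    # A discovery probe sent unicast rather than broadcast.
    ArpPacket(WIN8_MAC, ATTACKER_MAC, ARP_REQUEST, ATTACKER_MAC, ATTACKER_IP, WIN8_IP),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

The first three packets raise nothing; the two poisoned replies trigger MappingChange and then MultipleIPs, and the unicast probe trigges DirectedRequest, the same condition XArp reported above.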


Status: ARP attacks detected! Security level set to: aggressive.

The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in (n*n) ARP caches that have to be configured. AntiARP also provides Windows-based spoofing prevention at the kernel level.

FIGURE 7.6: XArp — ARP attacks detected (11 mappings, 2 interfaces, 25 alerts)

Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: XArp
Information Collected/Objectives Achieved:
■ Interface [Ethernet]: 0x11
■ Source MAC: d0-xx-xx-xx-xx-36
■ Destination MAC: 00-xx-xx-xx-xx-cc
■ Type [arp]: 0x806
■ Direction: Out
■ Source IP: 10.0.0.2
■ Destination IP: 10.0.0.1
■ Host: 10.0.0.1
■ Vendor: Netgear, Inc.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☑ iLabs


Detecting Systems Running in Promiscuous Mode in a Network Using PromqryUI
PromqryUI is a tool with a Windows graphical interface that can be used to detect network interfaces that are running in promiscuous mode.

Lab Scenario
With an ARP storm attack, an attacker collects the IP address and MAC address of the machines in a network for future attacks. An attacker can send ARP packets to attack a network. If an ARP packet with a forged gateway MAC address is pushed to the LAN, all communications within the LAN may fail. This attack uses all resources of both victim and non-victim computers. As a network administrator you must always diagnose the network traffic using a network analyzer and configure routers to prevent ARP flooding. Using a specific technique with a protocol analyzer you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks. Attackers may also install network interfaces to run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as such an interface might be a network sniffer. In this lab you will learn to use the tool PromqryUI to detect such network interfaces running in promiscuous mode.

Lab Objectives
The objective of this lab is to accomplish:
■ To detect promiscuous systems in a network


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
■ PromqryUI is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI
■ You can also download the latest version of PromqryUI from http://www.microsoft.com/en-us/download/details.aspx?id=16883
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 2008 Server
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of PromqryUI
PromqryUI can accurately determine if a modern managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system. PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.

Lab Tasks
TASK 1: Running PromqryUI
1. Go to the tool location at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.
2. Double-click promqryui.exe, and click Run.

The Open File - Security Warning dialog notes: While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust.

FIGURE 8.1: PromqryUI — Run prompt


3. Click Yes in the PromqryUI License Agreement window.

FIGURE 8.2: PromqryUI — License Agreement dialog box

In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.

4. The WinZip Self-Extractor dialog box appears. Browse to a desired location (the default location is c:\promqryui) to save the unzipped folder and click Unzip.

FIGURE 8.3: PromqryUI — WinZip Self-Extractor dialog box

5. Click OK after the Unzip is successful.

FIGURE 8.4: WinZip Self-Extractor dialog box


6. Now, click Close to close the WinZip Self-Extractor dialog box.

Unzip to folder allows you to browse and select a destination of your choice to save the setup file.

FIGURE 8.5: PromqryUI — WinZip Self-Extractor dialog box

7. Now, install .NET Framework 1.1 by double-clicking the dotnetfx.exe file located at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

TASK 2: Running .NET Framework 1.1

8. Click Run in the Open File - Security Warning dialog box.

FIGURE 8.6: .NET Framework — Run dialog box

The .NET Framework version 1.1 redistributable package includes everything you need to run applications developed using the .NET Framework.

9. Click Yes to initiate the .NET Framework installation in the Setup dialog box.

FIGURE 8.7: .NET Framework — Install dialog box


10. While attempting to install .NET Framework 1.1, you will get a Program Compatibility Assistant dialog box. Click Run Program.

FIGURE 8.8: .NET Framework — Program Compatibility Assistant dialog box

TASK 3: Installing .NET Framework 1.1

11. Select the radio button for I agree and click Install in the License Agreement dialog box.

FIGURE 8.9: .NET Framework — License Agreement dialog box

12. Once the installation is complete, click OK in the Microsoft .NET Framework 1.1 Setup dialog box.

FIGURE 8.10: .NET Framework — Installation complete message box

TASK 3: Installing PromqryUI

13. Now, go to C:\promqryui and double-click pqsetup.msi and follow the installation wizard to install PromqryUI.


14. Once installation is complete, go to Start and click Promqry to launch the program.

Promiscuous mode can be used in a malicious way to sniff on a network. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this by using carefully designed firewall settings.

FIGURE 8.11: Windows 2008 Server — Start menu

15. The main window of PromqryUI appears. Click Add.

With the PromqryUI tool, you can add either a single system or multiple systems to query.

FIGURE 8.12: PromqryUI — Main window

16. The Select Addition Type dialog box will appear. Click Add Single System.


FIGURE 8.13: PromqryUI — Adding system

17. Type the IP address of the system you want to check for promiscuous mode in the IP Address field in the Add System to Query dialog box and click Save.

For systems that you need to query, a range of IP addresses can be provided. Also, you can just carry out a query for a local system.

FIGURE 8.14: PromqryUI — Add System to Query

18. Select the added IP address in the Systems To Query section and click Start Query.

FIGURE 8.15: PromqryUI — Querying system


19. Results will be displayed in Query Results.

Query results will let you know whether the system is in promiscuous mode or not and provide other information like Computer name, Domain, Computer Model, Manufacturer, Owner, etc.

FIGURE 8.16: PromqryUI — Query Results

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: PromqryUI
Information Collected/Objectives Achieved:
  Computer name: WIN-D39MR5HL9E4
  Domain: WORKGROUP
  Computer manufacturer: Dell Inc.
  Computer model: OptiPlex 390
  Primary owner: Windows User
  User currently logged on: WIN-D39MR5HL9E4\Administrator
  Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☑ iLabs


Lab

Sniffing Password from Captured Packets using Sniff-O-Matic
Sniff-O-Matic is a network protocol analyzer and packet sniffer with a clear and intuitive interface.

Lab Scenario
Attackers may install a sniffer in a trusted network to capture packets and will be able to view every single packet that is going across the network, if the network uses a hub or a router for data transmission. With the captured packets, attackers can learn about vulnerabilities and sniff the user name and password and log in to the network as an authenticated user. Once logged in successfully to a network, the hacker can easily install viruses and Trojans to steal data and sensitive information, and cause serious damage to that network. As an expert ethical hacker and penetration tester you should have sound knowledge of sniffing, network protocols, authentication mechanisms, and encryption techniques. You should also regularly check your network and close the unnecessary ports that are open. Always ensure that if any sensitive data is required to be sent over the network, you use an encrypted protocol to minimize the data leakage.

Lab Objectives
The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.

Lab Environment
To carry out the lab, you need:
■ Sniff-O-Matic, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Sniff-O-Matic
■ You can also download the latest version of Sniff-O-Matic from http://www.kwakkelflap.com/sniffer.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Double-click snifftrial.exe and follow the wizard-driven installation steps to install Sniff-O-Matic
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 10 Minutes

Overview of Sniff-O-Matic
Sniff-O-Matic captures network traffic and enables you to analyze the data. Detailed packet information is available in a tree structure or a raw data view of the packet data. Sniff-O-Matic's button and columnar data display logically and succinctly presents the collected network traffic data.

Lab Tasks

TASK 1: Launching the Sniff-O-Matic tool

1. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 9.1: Windows Server 2012 — Desktop view

2. Click Sniff-O-Matic in the Start menu to launch the Sniff-O-Matic tool.


Sniff-O-Matic is a packet sniffer: a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

FIGURE 9.2: Windows Server 2012 — Desktop view

TASK 2: Sniff-O-Matic: Start Packet Capture

3. The main Sniff-O-Matic window appears; select the adapter from the drop-down list and click the Start Capture button.

FIGURE 9.3: Sniff-O-Matic — Start capture

4. When the tool starts capturing the packets, launch a browser and log in to your email account.

5. Then, click the Stop Capture button to view the captured packets.


Packet capture is the act of capturing data packets crossing a computer network.

FIGURE 9.4: Sniff-O-Matic — Stop capture

6. In the list of captured packets, select a packet to view detailed information.
From the captured packets, detailed information such as Header Length, Protocol, Header Checksum, Source IP, Destination IP, etc. can be viewed by selecting a particular packet.

FIGURE 9.5: Sniff-O-Matic — Viewing packet information

7. In the right pane, select items from the tree and the data for the respective item will be highlighted in red.


Port numbers can occasionally be seen in a web or other service URL. By default, HTTP uses port 80 and HTTPS uses port 443, but a URL such as http://www.example.com:8080/path/ specifies that the web resource be served by the HTTP server on port 8080.

FIGURE 9.6: Sniff-O-Matic — Viewing packet information

8. Now, perform a search for the data in captured frames. Select Options > Find.

FIGURE 9.7: Sniff-O-Matic — Performing search

9. The Find pop-up box appears; type pwd to search for the password information.


Detailed packet information is available in a tree structure or a raw data view of the packet data.

FIGURE 9.8: Sniff-O-Matic — Performing password search

10. An icon (packets with binoculars) will appear for the found packets, as shown in the following screenshot.
Sniff-O-Matic's key features include:
• Capture IP packets on your LAN without packet loss
• Monitor network activity in real time
• Filters to show only the packets you want
• Real-time checksum calculation
• Save and load captured packets
• Auto start capturing and continuous capture
• Traffic charts with filter info

FIGURE 9.9: Sniff-O-Matic — Password search results

11. Select the found packet and scroll down the data list for the information, which will be indicated in blue.


Packets captured using Sniff-O-Matic allow you to sniff the password available in cleartext format. If an attacker is able to capture these packets, he can easily identify the password and log in to the network as an authenticated user. Attackers will have an advantage if they discover the same password is being used for all the computers.

FIGURE 9.10: Sniff-O-Matic — Password search results
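The header fields the tree view exposes (step 6 onward) and the cleartext password that the pwd search finds are what a defender wants to detect automatically rather than by hand. The following Python is an added example, not code from the lab manual or from Sniff-O-Matic: it decodes a constructed IPv4/TCP packet on the same flow the lab inspects (10.0.0.7:2753 to 123.176.32.155:80, with made-up credentials and a hypothetical mail.example.test host), verifies the IPv4 header checksum the way the tool's checksum display does, and reports which form fields in an HTTP POST body carry a password.

```python
"""
Decode an IPv4/TCP packet into the fields the Sniff-O-Matic tree view shows,
verify the IPv4 header checksum, and flag HTTP request bodies that carry a
credential field in cleartext. Added example, not code from the lab manual or
from Sniff-O-Matic; the packet bytes are constructed here for illustration.
"""
import re
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIHHHH"        # 20-byte TCP header without options


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: add 16-bit words, fold the carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(packet: bytes) -> dict:
    """Return IPv4 and TCP header fields (tree-view names) plus the payload.

    "Header Checksum OK" is True when the stored IPv4 checksum verifies:
    summing the header with the checksum field included yields zero if intact.
    """
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    ihl = ver_ihl & 0x0F                       # header length in 32-bit words
    segment = packet[ihl * 4:total_len]
    (sport, dport, _seq, _ack, off_flags, window,
     _tcp_csum, _urg) = struct.unpack(TCP_FMT, segment[:20])
    data_offset = off_flags >> 12              # TCP header length in words
    return {
        "Version": ver_ihl >> 4,
        "Header Length": ihl,
        "Total Length": total_len,
        "Identification": ident,
        "Flags": flags_frag >> 13,             # 3 bits; 2 = Don't Fragment
        "Fragment offset": flags_frag & 0x1FFF,
        "Time To Live": ttl,
        "Protocol": proto,                     # 6 = TCP
        "Header Checksum": csum,
        "Header Checksum OK": ones_complement_sum(packet[:ihl * 4]) == 0,
        "Source IP": ".".join(map(str, src)),
        "Dest. IP": ".".join(map(str, dst)),
        "Source Port": sport,
        "Destination Port": dport,
        "Offset": data_offset,
        "TCP Flags": off_flags & 0x1FF,        # 0x18 = PSH+ACK
        "Window Size": window,
        "payload": segment[data_offset * 4:],
    }


# Form-field names that commonly carry a password in a login POST.
CREDENTIAL_FIELD = re.compile(rb"(?:^|&)(pwd|password|passwd|pass)=")


def find_cleartext_credentials(payload: bytes) -> list:
    """Names of credential fields in an unencrypted HTTP request body.

    Only the names are returned, never the values, so a detector built on this
    can alert on the leak without storing the secret itself.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith((b"POST ", b"PUT ")):
        return []
    return [m.group(1).decode() for m in CREDENTIAL_FIELD.finditer(body)]


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, ttl: int = 128) -> bytes:
    """Assemble a minimal IPv4/TCP packet (PSH+ACK, DF set, no options)."""
    tcp = struct.pack(TCP_FMT, sport, dport, 0xB85A34D4, 0x5619FCA3,
                      (5 << 12) | 0x18, 63751, 0, 0)   # TCP checksum left 0
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    fields = [0x45, 0, 20 + len(tcp) + len(payload), 0x7B8C, 0x4000,
              ttl, 6, 0, src_b, dst_b]
    fields[7] = ones_complement_sum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + tcp + payload


# Constructed login request on the flow the lab searches
# (10.0.0.7:2753 -> 123.176.32.155:80); host and credentials are made up.
SAMPLE_BODY = b"username=alice&pwd=hunter2&remember=1"
SAMPLE_REQUEST = (b"POST /login.php HTTP/1.1\r\nHost: mail.example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
SAMPLE_PACKET = build_ipv4_tcp("10.0.0.7", "123.176.32.155", 2753, 80,
                               SAMPLE_REQUEST)

if __name__ == "__main__":
    decoded = decode_packet(SAMPLE_PACKET)
    print({k: v for k, v in decoded.items() if k != "payload"})
    print("cleartext credential fields:",
          find_cleartext_credentials(decoded["payload"]))
```

Run against a pcap by feeding each IPv4 packet's bytes to decode_packet; a non-empty list from find_cleartext_credentials is the event a monitoring rule would raise, the same leak the lab's pwd search finds by hand.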

12. To mark the packets, right-click the selected packet and click Mark.

FIGURE 9.11: Sniff-O-Matic — Marking a packet

13. Once the packets are marked, they will have a different icon.


One of the features of the tool is protocol and port data: the program displays source and destination IP addresses and raw packet information. The program offers no IP address to domain name conversion.

FIGURE 9.12: Sniff-O-Matic — Marked packets

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Sniff-O-Matic
Information Collected/Objectives Achieved:
  Header Length: 5
  Time To Live: 61
  Protocol: 6
  Header Checksum: 0xC1F6
  Source IP: 123.176.32.155
  Dest. IP: 10.0.0.7
  Source Port: 80 (HTTP)
  Destination Port: 2753
  Username and password

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.


Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☑ iLabs
