
CEH Lab Manual

Sniffers
Module 08
Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.
Lab Scenario
Sniffing is a technique used to intercept data. In information security, many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.

Network sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes. A packet sniffer is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, proceed to troubleshoot the same.

Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic, they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in a cleartext format. An attacker can easily intrude into a network using this login information and compromise other systems on the network.

Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers, and he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, and know the types of information that can be detected from the captured data and use the information to keep the network running smoothly.
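The detection duty described above, spotting ARP poisoning from captured traffic, reduces to two consistency checks over the ARP replies a monitor sees: an IP address whose claimed MAC changes during the capture, and one MAC address answering for several IP addresses. The Python script below is an added example written for this section; it is not from the lab manual or from any of the tools it covers. The ARP replies, host addresses and the pinned gateway binding are all constructed sample values.

```python
"""ARP-cache consistency monitor.

Added example for this lab section; not part of the CEH lab manual and not
code from any tool it covers. All addresses below are constructed samples.
"""
from collections import defaultdict

# Constructed ARP replies as a monitor would record them: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # default gateway, legitimate
    (0.5, "10.0.0.2", "00:11:22:33:44:02"),   # workstation
    (1.0, "10.0.0.7", "00:11:22:33:44:07"),   # another workstation
    (5.0, "10.0.0.1", "00:11:22:33:44:07"),   # gateway IP now claimed by the .7 host's MAC
    (5.1, "10.0.0.2", "00:11:22:33:44:07"),   # workstation IP also claimed by that MAC
]

# Bindings the administrator pins (constructed; in practice taken from DHCP leases or inventory).
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def analyze_arp(replies, static_bindings=None, max_ips_per_mac=1):
    """Return a list of alert strings for a sequence of ARP replies.

    Stateless across calls so it can be run over a captured list; a live
    monitor would keep the `seen` and `ips_by_mac` tables between packets.
    """
    static_bindings = static_bindings or {}
    seen = {}                        # ip -> mac first observed in this capture
    ips_by_mac = defaultdict(set)    # mac -> set of ips it has claimed
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        # Strongest signal: a reply contradicting a binding the administrator pinned.
        pinned = static_bindings.get(ip)
        if pinned and pinned.lower() != mac:
            alerts.append(f"t={ts:.1f}s pinned binding violated: {ip} is {pinned}, reply claims {mac}")

        # Weaker signal: the mapping changed relative to what this capture saw first.
        previous = seen.setdefault(ip, mac)
        if previous != mac:
            alerts.append(f"t={ts:.1f}s {ip} changed from {previous} to {mac}")

        # One MAC answering for many IPs is how a poisoning host looks on the wire.
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append(f"t={ts:.1f}s {mac} now claims {len(ips_by_mac[mac])} IPs: "
                          f"{sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for line in analyze_arp(SAMPLE_ARP_REPLIES, STATIC_BINDINGS):
        print(line)
```

Both checks fire on legitimate events too: a replaced NIC changes an IP's MAC once, and a router or multi-homed host answers for several addresses, so raise `max_ips_per_mac` for known infrastructure and pin the bindings that matter most, the default gateway first.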

Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network
and analyze packets for any attacks on the network.
The primary objectives of this lab are to:
Sniff the network
Analyze incoming and outgoing packets
Troubleshoot the network for performance

CEH Lab Manual Page 585 Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 08 - Sniffers

Secure the network from attacks


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In this lab, you need:
A web browser with an Internet connection
Administrative privileges to run tools
Lab Duration
Time: 80 Minutes

Overview of Sniffing Network


Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in sniffing the network:
Sniffing the network using the Colasoft Packet Builder
Sniffing the network using the OmniPeek Network Analyzer
Spoofing MAC address using SMAC
Sniffing the network using the WinArpAttacker tool
Analyzing the network using the Colasoft Network Analyzer
Sniffing passwords using Wireshark
Performing man-in-the-middle attack using Cain & Abel
Advanced ARP spoofing detection using XArp
Detecting systems running in promiscuous mode in a network using PromqryUI
Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.
Lab Scenario
From the previous scenario, now you are aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In this lab, you need:
OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as target machine
A web browser and Microsoft .NET Framework 2.0 or later
Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek682demo.exe
Administrative privileges to run tools


Lab Duration
Time: 20 Minutes

Overview of OmniPeek Network Analyzer
OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.

Lab Tasks
TASK 1: Installing OmniPeek Network Analyzer
1. Install OmniPeek Network Analyzer on the host machine Windows Server 2012.
2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 1.1: Windows Server 2012 Desktop view

3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.

OmniPeek Enterprise provides users with the visibility and analysis they need to keep Voice and Video applications and non-media applications running optimally on the network.

FIGURE 1.2: Windows Server 2012 Start menu


4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.

To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.

FIGURE 1.3: OmniPeek main screen

5. Launch Windows 8 Virtual Machine.

Starting New Capture
6. Now, in Windows Server 2012 create an OmniPeek capture window as follows:
a. Click the New Capture icon on the main screen of OmniPeek.
b. View the General options in the OmniPeek Capture Options dialog box when it appears.
c. Leave the default general settings and click OK.

OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

FIGURE 1.4: OmniPeek capture options - General


d. Click Adapter and select Ethernet in the list for Local machine. Click OK.

With the Ethernet, Gigabit, 10G, and wireless capabilities, you can now effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

FIGURE 1.5: OmniPeek capture options - Adapter

7. Now, click Start Capture to begin capturing packets. The Start Capture tab changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.

Dashboards display important data that every network engineer needs to know regarding the network without spending lots of time analyzing the captured data.

FIGURE 1.6: OmniPeek creating a capture window


8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines acting as both a full-featured network analyzer and console for remote network analysis.

FIGURE 1.7: OmniPeek statistical analysis of the data

9. To view the captured packets, select Packets in the Capture section of the Dashboard in the left pane of the window.

The OmniPeek Peer Map shows all communicating nodes within your network and is drawn as a vertically-oriented ellipse, able to grow to the size necessary. It is easy to read the maps: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or active nodes, or to any OmniPeek filters that may be in use.

FIGURE 1.8: OmniPeek displaying Packets captured

10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.

11. You can view the Nodes and Protocols from the Statistics section of the Dashboard.


On-the-Fly Filters: You shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets select related feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis, with a simple right click of the mouse.

FIGURE 1.9: OmniPeek statistical reports of Nodes

12. You can view a complete Summary of your network from the Statistics section of the Dashboard.

Alarms and Notifications: Using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

FIGURE 1.10: OmniPeek Summary details

13. To save the result, select File > Save Report.


FIGURE 1.11: OmniPeek saving the results

14. Choose the format of the report type from the Save Report window and then click Save.

Using OmniPeek's local capture capabilities, centralized console, distributed OmniEngine intelligent software probes, Omnipliance, TimeLine network recorders, and Expert Analysis, engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.

Save Report dialog: Report type: PDF Report. Report folder: C:\Users\Administrator\Documents\Reports\Capture 1. Report description: PDF reports contain Summary Statistics, Node Statistics, Protocol Statistics, Node/Protocol Detail Statistics, Expert Stream and Application Statistics, Voice and Video, Wireless Node and Channels Statistics, and graphs.

FIGURE 1.12: OmniPeek Selecting the Report format

15. The report can be viewed as a PDF.


Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.

FIGURE 1.13: OmniPeek Report in PDF format (Summary Statistics reported 9/15/2012 12:21:22; capture start 9/15/2012 12:02:46, duration 0:01:25; Total Bytes 1014185, Total Packets 2000; sections: Dashboard, Statistics, Summary, Nodes, Protocols, Expert, Flows, Applications, Voice & Video, Graphs, Packet Sizes, Network Utilization, Address Count Comparisons)

Lab Analysis
Analyze and document the results related to the lab exercise.


Tool/Utility: OmniPeek Network Analyzer
Information Collected/Objectives Achieved:
Network Information: Network Utilization, Current Activity, Top Talkers by IP Address, Top Protocols
Packets Information: Source, Destination, Size, Protocol
Nodes Statistics: Total Bytes for a Node, Packets Sent, Packets Received, Broadcast/Multicast Packets
Summary includes information such as: General, Network, Errors, Counts, Size Distribution
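The packet fields and node statistics listed above, together with the cleartext credential exposure described in this module's Lab Scenario, are what a sniffer computes after decoding each frame. The Python script below is an added example for this section, not OmniPeek code and not part of the lab manual: it decodes constructed Ethernet II / IPv4 frames into source, destination, size and protocol, aggregates per-node byte and packet counts plus broadcast/multicast counts, and flags HTTP Basic credentials crossing the wire in cleartext without recording the credential itself. All frames, addresses and the credential string are constructed sample values; the decoder assumes untagged Ethernet II framing and skips anything that is not IPv4.

```python
"""Frame decoder and per-node statistics.

Added example for this lab section; not OmniPeek code and not part of the
CEH lab manual. Frames, addresses and the credential string are constructed.
Assumes untagged Ethernet II framing; anything that is not IPv4 is skipped.
"""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4 = 0x0800
IP_PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct a sample frame; checksums stay zero (a decoder does not need them)."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: fixed 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4 + payload


def decode_frame(frame):
    """Return the fields a packet list shows for one frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    l4 = frame[14 + ihl:]
    sport = dport = None
    payload = b""
    if proto == 6 and len(l4) >= 20:      # TCP: data offset is the high nibble of byte 12
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:    # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    # Destination MAC: all-ones is broadcast; the group bit (LSB of the first
    # octet) marks multicast; everything else is unicast.
    if frame[0:6] == b"\xff" * 6:
        kind = "broadcast"
    elif frame[0] & 0x01:
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "protocol": IP_PROTOCOL_NAMES.get(proto, str(proto)),
        "sport": sport, "dport": dport, "size": len(frame), "kind": kind,
        # Only the presence of the header is recorded, never the credential value.
        "cleartext_basic_auth": b"Authorization: Basic " in payload,
    }


def node_statistics(frames):
    """Aggregate bytes, packets sent/received and broadcast/multicast counts per IP node."""
    stats = defaultdict(lambda: {"bytes": 0, "sent": 0, "received": 0, "bcast_mcast": 0})
    protocols = Counter()
    findings = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        protocols[pkt["protocol"]] += 1
        stats[pkt["src_ip"]]["bytes"] += pkt["size"]
        stats[pkt["src_ip"]]["sent"] += 1
        stats[pkt["dst_ip"]]["bytes"] += pkt["size"]
        stats[pkt["dst_ip"]]["received"] += 1
        if pkt["kind"] != "unicast":
            stats[pkt["src_ip"]]["bcast_mcast"] += 1
        if pkt["cleartext_basic_auth"]:
            findings.append(f"cleartext HTTP Basic credentials {pkt['src_ip']} -> "
                            f"{pkt['dst_ip']}:{pkt['dport']}")
    return dict(stats), protocols, findings


# Constructed sample capture: a cleartext HTTP login, its reply, and a DHCP broadcast.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "192.0.2.10", 6, 1051, 80,
                b"GET / HTTP/1.1\r\nHost: intranet.test\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", "192.0.2.10", "10.0.0.2", 6, 80, 1051,
                b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("00:11:22:33:44:02", "ff:ff:ff:ff:ff:ff", "10.0.0.2", "255.255.255.255", 17, 68, 67,
                b"\x01" * 240),
]

if __name__ == "__main__":
    nodes, protocols, findings = node_statistics(SAMPLE_FRAMES)
    for ip, counters in sorted(nodes.items()):
        print(ip, counters)
    print("protocols:", dict(protocols))
    for line in findings:
        print("FINDING:", line)
```

Feeding the decoder real captures means replacing `SAMPLE_FRAMES` with raw frames read from a pcap; the statistics and the cleartext-credential finding are then the same report an administrator would use to locate services that still accept logins over unencrypted HTTP.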

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required
Yes / No
Platform Supported
Classroom / iLabs


Lab

Spoofing MAC Address Using SMAC


SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.
Lab Scenario
In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network.
If an administrator does not have a certain level of working skills of a packet sniffer, it is really hard to defend intrusions. So as an expert ethical hacker and penetration tester, you must spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
In this lab, you will learn how to spoof a MAC address.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In the lab, you need:
SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
If you decide to download the latest version, then screenshots shown in the lab might differ


A computer running Windows Server 2012 as Host and Windows Server 2008 as virtual machine
Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
Administrative privileges to run tools
A web browser with Internet access

Lab Duration
Time: 10 Minutes

Overview of SMAC
Spoofing a MAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses.

SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Cards (NICs) on the Windows 2003 systems, regardless of whether the manufacturers allow this option.

Spoofing is carried out to perform security vulnerability testing, penetration testing on MAC address-based authentication and authorization systems, i.e. wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the systems owner(s).)
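The overview above says wireless security and privacy rest on MAC addresses, and the note beside step 16 later in this lab adds that a replacement address must still be a valid one (00-00-00-00-00-00 is either rejected by the NIC driver or leaves the device non-functional). The Python helper below is an added example written for this section; it is not SMAC's code and not part of the lab manual. It parses the address formats SMAC displays, applies the structural rules a NIC driver checks (syntax, not all-zero, not broadcast, individual rather than group address) and reports the universally/locally administered bit, which is the quickest clue an administrator has that an address seen on the network was assigned in software rather than burned in. The inventory table, hostnames and the allowed-OUI set are constructed sample values; the OUI 00-05-FC is used only because it appears in the SMAC screenshot in this lab.

```python
"""MAC address validity and classification helper.

Added example for this lab section; not SMAC's code and not part of the CEH
lab manual. Addresses, hostnames and the allowed-OUI set are constructed.
"""
import re


def parse_mac(text):
    """Return the 6 address bytes, or None if the text is not a MAC address.
    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55 and 001122334455."""
    cleaned = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        return None
    return bytes.fromhex(cleaned)


def classify_mac(text):
    """Describe an address: I/G (group) bit, U/L bit, OUI and special values."""
    raw = parse_mac(text)
    if raw is None:
        return {"valid_syntax": False}
    first = raw[0]
    return {
        "valid_syntax": True,
        "canonical": "-".join(f"{b:02X}" for b in raw),
        "all_zero": raw == b"\x00" * 6,          # the invalid example from the SMAC note
        "broadcast": raw == b"\xff" * 6,
        "multicast": bool(first & 0x01),         # I/G bit set: a group address, never a station
        "locally_administered": bool(first & 0x02),  # U/L bit set: assigned in software
        "oui": "-".join(f"{b:02X}" for b in raw[:3]),
    }


def is_valid_unicast_mac(text):
    """True only for an address a NIC can legitimately use as its own station address."""
    info = classify_mac(text)
    return (info["valid_syntax"] and not info["all_zero"]
            and not info["broadcast"] and not info["multicast"])


def review_inventory(observed, known_ouis):
    """Flag observed (host, mac) pairs that are unusable, locally administered,
    or carry an OUI outside the organization's vendor allow-list."""
    findings = []
    for host, mac in observed:
        info = classify_mac(mac)
        if not is_valid_unicast_mac(mac):
            findings.append(f"{host}: {mac} is not a usable unicast address")
            continue
        if info["locally_administered"]:
            findings.append(f"{host}: {info['canonical']} is locally administered (software-assigned?)")
        elif info["oui"] not in known_ouis:
            findings.append(f"{host}: {info['canonical']} has OUI {info['oui']} not in vendor allow-list")
    return findings


# Constructed sample policy and inventory.
KNOWN_OUIS = {"00-05-FC"}   # OUI taken from the SMAC screenshot in this lab, used only as a sample
OBSERVED = [
    ("ws-01", "00-05-FC-63-34-07"),   # burned-in style address with a known OUI
    ("ws-02", "02-05-FC-63-34-07"),   # same octets but U/L bit set: assigned in software
    ("ws-03", "00-00-00-00-00-00"),   # the invalid example from the SMAC note
    ("ws-04", "01-00-5E-00-00-FB"),   # IPv4 multicast address, never a station address
    ("ws-05", "00-1B-21-AA-BB-CC"),   # syntactically fine, OUI not on the allow-list
]

if __name__ == "__main__":
    for line in review_inventory(OBSERVED, KNOWN_OUIS):
        print(line)
```

Treat the U/L bit as a prompt for review rather than proof of spoofing: randomized Wi-Fi client addresses, some virtual switches and bonding drivers set it legitimately, so the finding is most useful on wired ports that should carry known inventory hardware.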

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

SMAC works on the Network Interface Card (NIC), which is on the Microsoft hardware compatibility list (HCL).

FIGURE 2.1: Windows Server 2012 Desktop view

2. Click the SMAC 2.7 app in the Start menu to launch the tool.

When you start the SMAC program, you must start it as the administrator. You could do this by right-clicking the SMAC program icon and clicking "Run as Administrator" if not logged in as an administrator.


FIGURE 2.2: Windows Server 2012 Start menu

TASK 1: Spoofing MAC
3. The SMAC main screen appears. Choose a network adapter to spoof a MAC address.

SMAC helps people to protect their privacy by hiding their real MAC Addresses in the widely available Wi-Fi Wireless Network.

FIGURE 2.3: SMAC main screen

4. To generate a random MAC address, click Random.

FIGURE 2.4: SMAC Random button to generate MAC addresses

5. Clicking the Random button also inputs the New Spoofed MAC Address to simplify MAC address spoofing.


SMAC also helps Network and IT Security professionals to troubleshoot network problems, test Intrusion Detection/Prevention Systems (IDS/IPS), test Incident Response plans, build high-availability solutions, recover (MAC Address based) software licenses, etc.

FIGURE 2.5: SMAC selecting a new spoofed MAC address

6. The Network Connection and Network Adapter fields display their respective names.
7. Click the forward arrow button in Network Connection to display the Network Adapter information.

FIGURE 2.6: SMAC Network Connection information

8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.

SMAC does not change the hardware burned-in MAC addresses. SMAC changes the software-based MAC addresses, and the new MAC addresses you change are sustained across reboots.

FIGURE 2.7: SMAC Network Adapter information

9. Similarly, the Hardware ID and Configuration ID fields display their respective names.
10. Click the forward arrow button in Hardware ID to display the Configuration ID information.

FIGURE 2.8: SMAC Hardware ID display

11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.

FIGURE 2.9: SMAC Configuration ID display


12. To bring up the ipconfig information, click IPConfig.

TASK 2: Viewing IPConfig Information

FIGURE 2.10: SMAC to view the information of IPConfig

13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.

The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.

FIGURE 2.11: SMAC IPConfig information

14. You can also import the MAC address list into SMAC by clicking MAC List.

FIGURE 2.12: SMAC listing MAC addresses


15. If there is 110 address in die MAC a d d re ss held, click Load List to select a
]MAC address list tile you have created.

FIGURE 2.13: SMAC MAC List window

16. Select the Sample_MAC_Address_List.txt file from the Load MAC List
window.
When changing a MAC address, you MUST assign MAC addresses according to the IANA Number Assignments database. For example, "00-00-00-00-00-00" is not a valid MAC address; therefore, even though you can update this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver; however, the device will not function.

[Figure: Load MAC List file dialog open on C:\ProgramData\KLC\SMAC, listing LicenseAgreement.txt and Sample_MAC_Address_List.txt]
FIGURE 2.14: SMAC Load MAC List window
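As an added example (not SMAC's code) of the rule in the note above, the following Python script checks a candidate MAC address the way a NIC driver would before accepting it: well-formed, not all-zero, not broadcast, and not a group (multicast) address, and it reports whether the address is locally administered or carries a registered OUI. The OUI table and the MAC list are constructed samples, not the IANA/IEEE registry or the lab's Sample_MAC_Address_List.txt.

```python
"""Added example for this lab (not part of SMAC): check whether a candidate
spoofed MAC address is one a NIC driver would accept, applying the IEEE 802
address-bit rules behind the "00-00-00-00-00-00 is not valid" note.

SAMPLE_OUI_TABLE is a constructed three-entry stand-in for the IEEE/IANA
OUI registry; load the real registry for production use.
"""

# Constructed sample of OUI prefixes (first three octets, upper-case hex).
SAMPLE_OUI_TABLE = {
    "00005E": "IANA",
    "000C29": "VMware",
    "00155D": "Microsoft (Hyper-V)",
}

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_mac(mac):
    """Return the address as 12 upper-case hex digits, or None if malformed.

    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55 and 001122334455.
    """
    s = mac.strip().upper()
    for sep in ("-", ":"):
        if sep in s:
            parts = s.split(sep)
            if len(parts) != 6 or any(len(p) != 2 for p in parts):
                return None
            s = "".join(parts)
            break
    if len(s) != 12 or any(c not in HEX_DIGITS for c in s):
        return None
    return s


def classify_mac(mac, oui_table=SAMPLE_OUI_TABLE):
    """Classify a candidate spoofed MAC address.

    valid   - usable as a unicast source address (well-formed, not all-zero,
              not broadcast, I/G bit clear)
    reason  - why it was rejected, or "ok"
    local   - True if the U/L bit is set (locally administered address)
    vendor  - registry owner of the OUI prefix, if the prefix is known
    oui_ok  - True for a locally administered address or a prefix found in
              the table; False means an OUI check may reject the address
    """
    norm = normalize_mac(mac)
    if norm is None:
        return {"valid": False, "reason": "malformed", "local": None,
                "vendor": None, "oui_ok": False}
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)   # I/G bit: 1 = group address
    local = bool(first_octet & 0x02)       # U/L bit: 1 = locally administered
    vendor = oui_table.get(norm[:6])
    if norm == "000000000000":
        reason = "all-zero address"
    elif norm == "FFFFFFFFFFFF":
        reason = "broadcast address"
    elif multicast:
        reason = "multicast address (I/G bit set)"
    else:
        reason = "ok"
    return {"valid": reason == "ok", "reason": reason, "local": local,
            "vendor": vendor, "oui_ok": local or vendor is not None}


# Constructed stand-in for a MAC list file: one address per line,
# blank lines and lines starting with '#' are ignored.
SAMPLE_MAC_LIST = """\
# constructed sample list
00-0C-29-12-34-56
00:15:5D:01:02:03
02-11-22-33-44-55
00-00-00-00-00-00
01-00-5E-00-00-FB
FF-FF-FF-FF-FF-FF
00-11-22-33-44
"""


def check_mac_list(text, oui_table=SAMPLE_OUI_TABLE):
    """Classify every address in a MAC-list file; returns (line, result) pairs."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        results.append((line, classify_mac(line, oui_table)))
    return results


def usable_addresses(text, oui_table=SAMPLE_OUI_TABLE):
    """Normalized addresses from the list that a driver should accept."""
    return [normalize_mac(m) for m, r in check_mac_list(text, oui_table) if r["valid"]]


if __name__ == "__main__":
    for mac, r in check_mac_list(SAMPLE_MAC_LIST):
        print(f"{mac:20s} valid={str(r['valid']):5s} reason={r['reason']:32s} "
              f"local={r['local']} vendor={r['vendor']}")
```

Run it against a real list by passing the file's contents to `check_mac_list`; the `oui_ok` flag is the one to watch when a universally administered prefix is chosen, since a driver that validates OUIs will fall back to the true hardware address, as the note describes.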


17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a
MAC Address and click Select. This MAC Address will be copied to New
Spoofed MAC Address on the main SMAC screen.

SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.

SMAC displays the following information about a Network Interface Card (NIC): Device ID, Active Status, NIC Description, Spoofed status, IP Address, Active MAC address, Spoofed MAC Address, NIC Hardware ID, NIC Configuration ID.

[Figure: SMAC MAC List window with the list loaded from C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt]
FIGURE 2.15: SMAC MAC List window

18. To restart the Network Adapter, click Restart Adapter, which restarts the
selected Network Adapter. Restarting the adapter causes a temporary
disconnection problem for your Network Adapter.

FIGURE 2.16: SMAC Restarting Network Adapter

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected/Objectives Achieved: Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate and list the legitimate use of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required
Yes / No
Platform Supported
Classroom / iLabs


Sniffing a Network Using the WinArpAttacker Tool
WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker too can alter his or her MAC address and attempt to evade network intrusion detection systems, bypass access control lists, and impersonate an authenticated user, and can continue to communicate within the network when the authenticated user goes offline. Attackers can also push MAC flooding to compromise the security of network switches.

As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more MAC addresses for each port. Another way to avoid attacker sniffing on your network is by using static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and prevent it from attacks.

Lab Objectives
The objectives of this lab are to:
Scan, Detect, Protect, and Attack computers on local area networks (LANs):
Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
Save and load computer list files, and scan the LAN regularly for a new computer list
Update the computer list in passive mode using sniffing technology


Freely provide information regarding the type of operating systems they employ
Discover the kind of firewall, wireless access point and remote access
Discover any published information on the topology of the network
Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:
WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 2008 running on virtual machine as target machine
A computer updated with network devices and drivers
Installed version of WinPcap drivers
Double-click WinArpAttacker.exe to launch WinArpAttacker
Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 10 Minutes

WinARPAttacker works on computers running Windows /2003.

Overview of Sniffing
Sniffing is performed to collect basic information of a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks
TASK 1: Scanning Hosts on the LAN
1. Launch Windows 8 Virtual Machine.
2. Launch WinArpAttacker in the host machine.


Caution: This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the author (unshadow). If you don't agree with this, you must delete it immediately.

[Figure: WinArpAttacker 3.5 main window with the toolbar (New, Open, Save, Scan, Attack, Stop, Send, Recount, Options, Live Up, About), the host list and the event log]
FIGURE 3.1: WinArpAttacker main window

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network.

3. Click the Scan option from the toolbar menu and select Scan LAN.
4. The scan shows the active hosts on the LAN in a very short period of time (2-3 seconds).
5. The Scan option has two modes: Normal scan and Antisniff scan.
The Scan option can scan and show the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff. The second is to find who is sniffing on the LAN.

FIGURE 3.2: WinArpAttacker Scan options

6. Scanning saves and loads a computer list file and also scans the LAN
regularly for new computer lists.


In this tool, attacks can pull and collect all the packets on the LAN.

[Figure: WinArpAttacker host list after a scan (IP address, MAC, host name, Online state, ARP counters) and the event log with New_Host and Arp_Scan events]
FIGURE 3.3: WinArpAttacker Loading a Computer List window

7. By performing the attack action, scanning can pull and collect all the packets
on the LAN.

TASK 2: ARP Attack
8. Select a host (10.0.0.5 Windows Server 2008) from the displayed list and
select Attack -> Flood.
The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

FIGURE 3.4: WinArpAttacker ARP Attack type

9. Scanning acts as another gateway or IP-forwarder without other user
recognition on the LAN, while spoofing ARP tables.
10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-
forward functions are counted, as shown in the main interface.


The BanGateway option tells the gateway wrong MAC addresses of target computers, so the targets can't receive packets from the Internet. This attack is to forbid the targets access to the Internet.

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

The option IP Conflict, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may not be able to work because of regular IP conflict messages. In addition, the targets can't access the LAN.

11. Click Save to save the report.

FIGURE 3.6: WinArpAttacker toolbar options

12. Select a desired location and click Save to save the report.
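The Flood, IP Conflict and BanGateway actions described in the notes above all put ARP packets on the wire that claim an IP address for a MAC that did not previously hold it, often at a high rate. As an added example, not part of WinArpAttacker, the Python script below is a passive ARP monitor a defender can run over captured ARP packets; it raises New_Host, Mac_Changed, Gratuitous_Reply and Arp_Flood events (names chosen to echo the tool's own event log). The packet trace is constructed, and the flood window and threshold are assumptions to tune per network.

```python
"""Added example for this lab (not part of WinArpAttacker): a passive ARP monitor
that raises the events a defender wants when a tool like this is run on the LAN:
New_Host, Mac_Changed (an IP suddenly claimed by a different MAC, as produced by
Flood, IP Conflict and BanGateway), Gratuitous_Reply and Arp_Flood.

The packet stream is constructed; on a live network the records would come from
a capture library. Window and threshold values are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # capture time in seconds
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpMonitor:
    """Tracks IP-to-MAC bindings learned from ARP sender fields."""

    def __init__(self, flood_window=1.0, flood_threshold=20):
        self.table = {}                     # ip -> mac
        self.events = []                    # (ts, kind, ip, detail)
        self.window = flood_window
        self.threshold = flood_threshold
        self.recent = defaultdict(deque)    # sender mac -> timestamps in window
        self.flooding = set()               # macs currently flagged as flooding

    def feed(self, pkt):
        # 1. Binding tracking: every ARP packet asserts "sender_ip is at sender_mac".
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
            self.events.append((pkt.ts, "New_Host", pkt.sender_ip, pkt.sender_mac))
        elif known != pkt.sender_mac:
            # Flood, IP Conflict and BanGateway all look like this on the wire.
            self.events.append((pkt.ts, "Mac_Changed", pkt.sender_ip,
                                f"{known} -> {pkt.sender_mac}"))
            self.table[pkt.sender_ip] = pkt.sender_mac

        # 2. Gratuitous reply: a reply announcing the sender's own IP address.
        if pkt.opcode == 2 and pkt.sender_ip == pkt.target_ip:
            self.events.append((pkt.ts, "Gratuitous_Reply", pkt.sender_ip, pkt.sender_mac))

        # 3. Rate check per sender MAC over a sliding time window.
        dq = self.recent[pkt.sender_mac]
        dq.append(pkt.ts)
        while dq and pkt.ts - dq[0] > self.window:
            dq.popleft()
        if len(dq) > self.threshold and pkt.sender_mac not in self.flooding:
            self.flooding.add(pkt.sender_mac)
            self.events.append((pkt.ts, "Arp_Flood", pkt.sender_ip,
                                f"{len(dq)} ARP packets from {pkt.sender_mac} "
                                f"in {self.window}s"))
        elif len(dq) <= self.threshold // 2:
            self.flooding.discard(pkt.sender_mac)   # burst is over; re-arm


def build_sample_trace():
    """Constructed trace: one normal request/reply for the gateway, then a burst
    of 25 replies from a second MAC claiming the gateway's IP within 0.5 s."""
    gw_ip, gw_mac = "10.0.0.1", "00-0C-29-AA-AA-01"
    host_ip, host_mac = "10.0.0.2", "00-0C-29-BB-BB-02"
    rogue_mac = "00-0C-29-DD-DD-05"
    pkts = [
        ArpPacket(0.00, 1, host_mac, host_ip, "00-00-00-00-00-00", gw_ip),
        ArpPacket(0.01, 2, gw_mac, gw_ip, host_mac, host_ip),
    ]
    pkts += [ArpPacket(5.0 + i * 0.02, 2, rogue_mac, gw_ip, host_mac, host_ip)
             for i in range(25)]
    return pkts


def analyze(pkts, **kwargs):
    """Run the monitor over a packet list; returns (events, per-kind counts)."""
    mon = ArpMonitor(**kwargs)
    for p in pkts:
        mon.feed(p)
    return mon.events, Counter(kind for _, kind, _, _ in mon.events)


if __name__ == "__main__":
    events, counts = analyze(build_sample_trace())
    for ts, kind, ip, detail in events:
        print(f"{ts:8.2f}  {kind:16s} {ip:12s} {detail}")
    print(dict(counts))
```

On the sample trace the monitor reports two New_Host events, one Mac_Changed for 10.0.0.1 at the first spoofed reply, and one Arp_Flood once the burst exceeds the threshold. Pairing the Mac_Changed event with a static ARP entry for the gateway, as the scenario recommends, is what stops the spoofed binding from taking effect on the monitored host.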

Lab Analysis
Analyze and document the scanned, attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected/Objectives Achieved: Host Name, Node Type, MAC Address, IP Address, DHCP Enabled, Subnet Mask, DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Questions
1. WinArp

Internet Connection Required
Yes / No
Platform Supported
Classroom / iLabs


Analyzing a Network Using the Capsa Network Analyzer
Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol.

To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.

Lab Objectives
The objective of this lab is to obtain information regarding the target
organization that includes, but is not limited to:
Network traffic analysis, communication monitoring
Network communication monitoring
Network problem diagnosis
Network security analysis
Network performance detecting
Network protocol analysis


Lab Environment
To carry out the lab, you need:
Colasoft Capsa Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer
You can also download the latest version of Colasoft Capsa Network Analyzer from the link http://www.colasoft.com
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as target machine
Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
Administrative privileges to run tools
A web browser with an Internet connection

Note: This lab requires an active Internet connection for license key registration

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Colasoft Capsa Network Analyzer runs on Server 2003/Server 2008/7 with 64-bit Edition.

Lab Duration
Time: 20 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information of the target and its network. It
helps to find vulnerabilities and select exploits for attack. It determines network
information, system information, password information, and organizational
information.
Sniffing can be A ctive or Passive.

Lab Tasks
TASK 1: Analyze Network
1. Launch the Start menu by hovering the mouse cursor on the lower-left
corner of the desktop.

FIGURE 4.1: Windows Server 2012 Desktop view


2. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network
Analyzer tool.

FIGURE 4.2: Windows Server 2012 Start menu

3. The Colasoft Capsa 7 Free - Activation Guide window will appear.
Type the activation key that you receive in your registered email and
click Next.

[Figure: Activation Guide dialog showing License Information (User Name, Company, Serial Number), a "Click here to get your serial number" link, and the options Activate Online (Recommended) and Activate Offline]
FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer Activation Guide window


4. Continue to click Next on the Activation Guide and click Finish.

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer Activation successful

5. The Colasoft Capsa 7 Free Network Analyzer main window appears.

As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

[Figure: Capsa main screen listing the adapters (Ethernet 10.0.0.2, Unknown 127.0.0.1, vEthernet Virtual Network Internal Adapter) with the Capture Filter and Network Profile panes and the analysis profiles Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis and IM Analysis]
FIGURE 4.5: Colasoft Capsa Network Analyzer main screen


6. In the Capture tab of the main window, select the Ethernet check box
in Adapter and click Start to create a new project.

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a New Project

7. Dashboard provides various graphs and charts of the statistics. You can
view the analysis report in a graphical format in the Dashboard section
of Node Explorer.

The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.

[Figure: Dashboard tab with the Total Traffic by Bytes, Top IP Total Traffic by Bytes and Top Application Protocols by Bytes charts]
FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard


8. The Summary tab provides full general analysis and statistical
information of the selected node in the Node Explorer window.

A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is idle.

[Figure: Summary tab showing Diagnosis statistics, Traffic totals (Total, Broadcast, Multicast) and the Packet Size Distribution]
FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

9. The Diagnosis tab provides the real-time diagnosis events of the global
network by groups of protocol layers or security levels. With this tab
you can view the performance of the protocols.
10. To view the slow response of TCP, click TCP Slow Response in
Transport Layer, which in turn will highlight the slowest response in
Diagnosis Events.
[Figure: Diagnosis tab with the Diagnosis Item tree (Application Layer, Transport Layer and Network Layer items such as DNS Server Slow Response, HTTP Server Slow Response, TCP Retransmission, TCP Slow Response and TCP Duplicated Acknowledgement) and the Diagnosis Events list of TCP Slow ACK entries]
FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnoses


11. Double-click the highlighted Diagnosis Event to view the detailed
information of this event.

FIGURE 4.10: Analyzing Diagnosis Event

12. The TCP Slow ACK - Data Stream of D iagnostic Information window
appears, displaying Absolute Time, Source, Destination, Packet Info,
TCP, IP, and other information.
[Figure: TCP Slow ACK data stream window listing the HTTP exchange between 10.0.0.2:1406 and 207.218.235.182:80 with the decoded Packet Info, Ethernet and IP fields]
FIGURE 4.11: TCP Slow ACK Data Stream of Diagnostic Information window

13. The Protocol tab lists statistics of all protocols used in network
transactions hierarchically, allowing you to view and analyze the
protocols.

CEH Lab Manual Page 618 Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 08 - Sniffers

FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis

14. The Physical Endpoint tab lists statistics of all MAC addresses that
communicate in the network hierarchically.

FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

15. The IP Endpoint tab displays statistics of all IP addresses
communicating within the network.
16. On the IP Endpoint tab, you can easily find the nodes with the highest
traffic volumes, and check if there is a multicast storm or broadcast
storm in your network.


C Q a s a delicate work,
network analysis always
requires us to view die
original packets and analyze
them. However, no t all the
network failures can be
found in a very short
period. Sometimes network
analysis requires a long
period o f monitoring and
must be based on the
baseline o f die normal
network.

FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

17. The Physical Conversation tab presents the conversations between
two MAC addresses.

TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL was initially designed to define a time scope beyond which the packet is dropped. As the TTL value is decremented by at least 1 by each router the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped.

FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations

18. The IP Conversation tab presents IP conversations between pairs of
nodes.
19. The lower pane of the IP Conversation section offers UDP and TCP
conversations, which you can drill down to analyze.
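The endpoint and conversation statistics of steps 15 to 19 can be reproduced from any packet list. The following Python script is an added example, not Capsa's code: it computes per-node byte counts, merges both directions of a pair into one conversation, and runs a simple broadcast/multicast storm check over a constructed sample capture. The packets, the 10.0.0.0/24 local network and the threshold of 8 packets per one-second bucket are assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture for this example (not the lab's real traffic):
# (timestamp in seconds, source IP, destination IP, protocol, frame bytes).
# The last ten packets are a burst of multicast traffic from a single host.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.2", "207.218.235.182", "TCP", 66),
    (0.01, "207.218.235.182", "10.0.0.2", "TCP", 66),
    (0.02, "10.0.0.2", "207.218.235.182", "TCP", 723),
    (0.15, "207.218.235.182", "10.0.0.2", "TCP", 1514),
    (0.30, "10.0.0.5", "239.255.255.250", "UDP", 999),
    (0.40, "10.0.0.3", "224.0.0.22", "IGMP", 60),
    (0.50, "10.0.0.10", "255.255.255.255", "UDP", 342),
] + [(5.0 + i * 0.01, "10.0.0.7", "239.255.255.250", "UDP", 200) for i in range(10)]


def classify_destination(dst: str, local_net: str) -> str:
    """Return 'multicast', 'broadcast' or 'unicast' for a destination IP."""
    addr = ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if dst == "255.255.255.255" or addr == ip_network(local_net).broadcast_address:
        return "broadcast"
    return "unicast"


def endpoint_stats(packets):
    """Per-IP totals, the counters the IP Endpoint tab shows for each node."""
    stats = defaultdict(lambda: {"bytes_sent": 0, "bytes_recv": 0,
                                 "pkts_sent": 0, "pkts_recv": 0})
    for _ts, src, dst, _proto, size in packets:
        stats[src]["bytes_sent"] += size
        stats[src]["pkts_sent"] += 1
        stats[dst]["bytes_recv"] += size
        stats[dst]["pkts_recv"] += 1
    return dict(stats)


def top_talkers(packets, n=5):
    """Nodes with the highest total (sent + received) byte volume."""
    stats = endpoint_stats(packets)
    ranked = sorted(stats.items(),
                    key=lambda kv: kv[1]["bytes_sent"] + kv[1]["bytes_recv"],
                    reverse=True)
    return [(ip, s["bytes_sent"] + s["bytes_recv"]) for ip, s in ranked[:n]]


def conversation_stats(packets):
    """Bidirectional per-pair totals, as in the IP Conversation tab.
    The key is the pair in ascending address order, so both directions merge."""
    convs = {}
    for ts, src, dst, _proto, size in packets:
        a, b = sorted((src, dst), key=ip_address)
        c = convs.setdefault((a, b), {"bytes": 0, "pkts": 0, "bytes_a_to_b": 0,
                                       "bytes_b_to_a": 0, "first": ts, "last": ts})
        c["bytes"] += size
        c["pkts"] += 1
        c["bytes_a_to_b" if src == a else "bytes_b_to_a"] += size
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
    return convs


def find_storms(packets, local_net="10.0.0.0/24", window=1.0, threshold=8):
    """Flag broadcast/multicast destinations that receive at least `threshold`
    packets inside one `window`-second bucket. Returns (dst, bucket_start, count)."""
    buckets = defaultdict(int)
    for ts, _src, dst, _proto, _size in packets:
        if classify_destination(dst, local_net) != "unicast":
            buckets[(dst, int(ts // window) * window)] += 1
    return [(dst, start, n) for (dst, start), n in sorted(buckets.items())
            if n >= threshold]


if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE_PACKETS):
        print(f"{ip:<18} {total:>6} B")
    for (a, b), c in conversation_stats(SAMPLE_PACKETS).items():
        print(f"{a} <-> {b}: {c['pkts']} pkts, {c['bytes']} B, "
              f"{c['last'] - c['first']:.2f} s")
    for dst, start, n in find_storms(SAMPLE_PACKETS):
        print(f"possible storm: {n} packets to {dst} in the second starting at {start:.0f}")
```

A real capture would be fed in as the same five-tuples, for example exported from the Packet tab; the storm threshold should be tuned to the baseline of the monitored network.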


FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations

20. Double-click a conversation in the IP Conversation list to view the full
analysis of packets between two IPs. Here we are checking the
conversation between 10.0.0.5 and 239.255.255.250.
FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations

21. A window opens displaying full packet analysis between 10.0.0.5 and
239.255.255.250.


A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.

FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations

22. The TCP Conversation tab dynamically presents the real-time status of
TCP conversations between pairs of nodes.
23. Double-click a node to display the full analysis of packets.
FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations

24. A Full Analysis window opens displaying detailed information on the
conversation between two nodes.


FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations

25. The UDP Conversation tab dynamically presents the real-time status of
UDP conversations between two nodes.
26. The lower pane of this tab gives you related packets and reconstructed
data flow to help you drill down to analyze the conversations.

In networking, an email worm is a computer worm that can copy itself to the shared folder in a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations

27. On the Matrix tab, you can view the nodes communicating in the
network by connecting them in lines graphically.
28. The weight of the line indicates the volume of traffic between nodes
arranged in an extensive ellipse.


29. You can easily navigate and shift between global statistics and details of
specific network nodes by switching the corresponding nodes in the
Node Explorer window.
Once we encounter a network malfunction or attack, the most important thing we should pay attention to is the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.

FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view

30. The Packet tab provides the original information for any packet.
Double-click a packet to view the full analysis information of the packet
decode.

Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.

FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information

31. The Packet decode consists of two major parts: Hex View and Decode
View.
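Both panes can be produced from the raw bytes with a few lines of code. The Python script below is an added example, not Capsa's code: it decodes the Ethernet Type II, IPv4 and UDP fields the Decode View lists (version, header length, DSCP/ECN, identification, fragment flags, TTL, protocol, header checksum, addresses and ports) and prints the offset/hex/ASCII lines of the Hex View. The frame is constructed inside the script for the 10.0.0.5:52748 to 239.255.255.250:3702 conversation of step 21; its source MAC, IP identification and payload are made up.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. An intact header (checksum field
    included) sums to 0xFFFF, so this returns 0 when the checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def decode_ethernet(frame: bytes) -> dict:
    """Ethernet Type II header: destination, source, EtherType (14 bytes)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "payload": frame[14:]}


def decode_ipv4(data: bytes) -> dict:
    """IPv4 header fields as the Decode View pane presents them."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "header_length": ihl,
            "dscp": tos >> 2, "ecn": tos & 0x03, "total_length": total_len,
            "identification": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,
            "ttl": ttl, "protocol": proto, "header_checksum": csum,
            "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "payload": data[ihl:total_len]}


def decode_udp(data: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": data[8:length]}


def decode_packet(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP, stopping at the first layer not understood."""
    tree = {"ethernet": decode_ethernet(frame)}
    if tree["ethernet"]["ethertype"] == ETHERTYPE_IPV4:
        tree["ipv4"] = decode_ipv4(tree["ethernet"]["payload"])
        if tree["ipv4"]["protocol"] == IPPROTO_UDP:
            tree["udp"] = decode_udp(tree["ipv4"]["payload"])
    return tree


def hex_view(data: bytes, width: int = 16) -> list:
    """Offset / hex / ASCII lines like the Hex View pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def build_sample_frame() -> bytes:
    """Constructed frame 10.0.0.5:52748 -> 239.255.255.250:3702 over UDP.
    The destination MAC is the real multicast mapping of 239.255.255.250
    (01:00:5E + low 23 bits); the source MAC, identification and payload are
    made up. UDP checksum 0 means 'not computed', which IPv4 allows."""
    payload = b"<probe/>"
    udp = struct.pack("!HHHH", 52748, 3702, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20 + len(udp), 0x1A2B, 0x0000,
                     1, IPPROTO_UDP, 0, IPv4Address("10.0.0.5").packed,
                     IPv4Address("239.255.255.250").packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("01005E7FFFFA") + bytes.fromhex("020000000005") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


if __name__ == "__main__":
    frame = build_sample_frame()
    print("\n".join(hex_view(frame)))
    for layer, fields in decode_packet(frame).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

The TTL of 1 in the sample is typical for link-local multicast: a router decrements it to 0 and drops the packet, which is why such traffic does not leave the segment.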


Protocol decoding is basic functionality as well. There is a Packet tab, which collects all captured packets or traffic. Select a packet and we can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rules.

FIGURE 4.24: Full Analysis of Packet Decode

32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log,
HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP conversations, Web access, DNS
transactions, Email communications, etc.

FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view


FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view

34. If you have MSN or Yahoo Messenger running on your system, you can
view the MSN and Yahoo logs.

FIGURE 4.27: Colasoft Capsa Network Analyzer MSN Log view


35. The Report tab provides 27 statistics reports from the global network to
a specific network node.

FIGURE 4.28: Colasoft Capsa Network Analyzer Full Analysis Report

36. You can click the respective hyperlinks for information or you can
scroll down to view the complete detailed report.

Almost all Trojans and worms need access to the network, because they have to return data to the hacker. Only the useful data are sent for the Trojan to accomplish its mission. So it is a good solution to start from the aspect of traffic analysis and protocol analysis technology.

FIGURE 4.29: Colasoft Capsa Network Analyzer Full Analysis Report


37. Click Stop on the toolbar after completing your task.


FIGURE 4.30: Colasoft Capsa Network Analyzer Stopping process

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure through public and free information.

Tool/Utility              Information Collected/Objectives Achieved

Capsa Network Analyzer    Diagnosis:
                            Name
                            Physical Address
                            IP Address
                          Packet Info:
                            Packet Number
                            Packet Length
                            Captured Length
                          Ethernet Type:
                            Destination Address
                            Source Address
                            Protocol
                          Physical Endpoint
                          IP Endpoint
                          Conversations:
                            Physical Conversation
                            IP Conversation
                            TCP Conversation
                            UDP Conversation
                          Logs:
                            Global Log
                            DNS Log
                            Email Log
                            FTP Log
                            HTTP Log
                            MSN Log
                            Yahoo Log


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Capsa affects your network traffic, while analyzing the
network.
2. What types of instant messages does Capsa monitor?
3. Determine if the packet buffer will affect performance. If yes, then what
steps can you take to avoid or reduce its effect on software?

Internet Connection Required
[x] Yes  [ ] No

Platform Supported
[x] Classroom  [ ] iLabs


Lab

Sniffing Passwords Using Wireshark

Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and display packet data in detail.
Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an
attacker, too, can collect this information and perform attacks on a network.
Attackers listen to the conversation occurring between two hosts and issue packets
using the same source IP address. Attackers will first learn the IP address and
correct sequence number by monitoring the traffic. Once the attacker has control
over the connection, he or she then sends counterfeit packets. These sorts of attacks
can cause various types of damage, including the injection of data into an existing TCP
connection and the premature closure of an existing TCP connection by the
injection of counterfeit packets with the FIN bit set.
As an administrator you can configure a firewall or router to prevent the damage
caused by such attacks. To be an expert ethical hacker and penetration tester,
you must have sound knowledge of sniffing network packets, performing ARP
poisoning, spoofing the network, and DNS poisoning. Another use of a packet
analyzer is to sniff passwords, which you will learn about in this lab using the
Wireshark packet analyzer.

Lab Objectives
The objective of this lab is to demonstrate the sniffing technique to capture from
multiple interfaces and data collection from any network topology.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
In the lab you will need:
Wireshark located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark


You can also download the latest version of Wireshark from the link
http://www.wireshark.org/download.html
If you decide to download the latest version, then the screenshots shown in
the lab might differ
A computer running Windows Server 2012 as Host (Attacker) machine
A virtual machine (Windows 8 or Windows 2008 Server) as a Victim machine
A web browser with Internet connection
Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven
installation steps to install Wireshark
Administrative privileges to run tools

You can download Wireshark from http://www.wireshark.org.

Lab Duration
Time: 20 Minutes

Overview of Password Sniffing

Password sniffing uses various techniques to sniff a network and obtain someone's
password. Networks use broadcast technology to send data. Data transmitted
through the broadcast network can be read by any other computer present on the
network. Usually, all the computers except the recipient of the message will notice
that the message is not meant for them, and ignore it. Many computers are
programmed to look at every message on the network. If someone misuses this
facility, they can view messages that were not intended for them.

Lab Tasks
Capturing Packet
1. Before starting this lab, log in to the virtual machine(s).
2. On the host machine, launch the Start menu by hovering the mouse
cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 Desktop view

Wireshark is an open source software project, and is released under the GNU General Public License (GPL).

3. Click Wireshark to launch the application.


FIGURE 5.2: Windows Server 2012 Desktop view (Start screen showing the Wireshark tile among Server Manager, Google Chrome, Mozilla Firefox, Control Panel, Hyper-V, Administrative Tools and Command Prompt)


A network packet analyzer is a kind of measuring device used to examine what is going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

4. The Wireshark main window appears.

FIGURE 5.3: Wireshark Main Window (Wireshark 1.8.2 start page with the sections Interface List, Capture Options, How to Capture, Network Media, Open, Website, User's Guide, Sample Captures and Security; the Interface List shows the Realtek PCIe GBE Family Controller and two other \Device\NPF_ adapters)

5. From the Wireshark menu bar, select Capture -> Interfaces (Ctrl+I).


Wireshark is used for:
Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
Developers use it to debug protocol implementations
People use it to learn network protocol internals

FIGURE 5.4: Wireshark Main Window with Interface Option (Capture menu open, showing Interfaces... Ctrl+I, Options... Ctrl+K, Start Ctrl+E, Stop Ctrl+E, Restart Ctrl+R and Capture Filters...)

Wireshark Features:
Available for UNIX and Windows
Capture live packet data from a network interface
Display packets with very detailed protocol information
Open and Save packet data captured
Import and Export packet data from and to a lot of other capture programs

6. The Wireshark Capture Interfaces window appears.

FIGURE 5.5: Wireshark Capture Interfaces Window (columns Description, IP, Packets, Packets/s and a Details button per row; the Realtek PCIe GBE Family Controller row is the only one with a packet count that is increasing; buttons Help, Start, Stop, Options, Close)

7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet Driver Interface that is connected to the system.
8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show some packets passing through it, as it is connected to the network.
9. Click Start in that interface's line.

Wireshark can capture traffic from many different network media types, despite its name, including wireless LAN as well.


A supported network card for capturing: Ethernet: Any card supported by Windows should work. See the wiki pages on Ethernet capture and offloading for issues that may affect your environment.

FIGURE 5.6: Wireshark Capture Interfaces Window Starting Capture (the Realtek PCIe GBE Family Controller row is checked and its packet count is climbing)

10. Traffic information for the packets generated by the computer while browsing the Internet is displayed.

FIGURE 5.7: Wireshark Window with Packets Captured

11. Now, switch to the virtual machine and login to the email ID for which you would like to sniff the password.

TASK 2
Stop Live Capturing

12. Stop the running live capture by clicking the Stop icon on the toolbar.


FIGURE 5.8: Wireshark Window Stopping Live Capture (capturing from the Realtek PCIe GBE Family Controller; the packet list shows DNS, TCP, DHCPv6, NBSS, ICMPv6 and IGMPv3 frames, the packet details pane is expanded for a DHCPv6 Solicit from fe80::5df8:c2d8:5bb0:4ef to ff02::1:2 (UDP source port 546, destination port 547), and the packet bytes pane shows its hex dump)

TASK 3
Saving Captured Files

13. You may save the captured packets from File -> Save As, provide a name for the file, and save it in the desired location.

FIGURE 5.9: Wireshark Saving the Captured Packets (File menu open over the capture shown in Figure 5.8)

14. Now, go to Edit and click Find Packet...

Wireshark can save packets captured in a large number of formats of other capture programs.


Wireshark is not an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

FIGURE 5.10: Wireshark Finding Packet Option (Test(WS).pcapng opened; the Edit menu is open with Find Packet... highlighted; the status bar reads Packets: 2266 Displayed: 2266 Marked: 0)

15. The Wireshark: Find Packet window appears.

FIGURE 5.11: Wireshark Find Packet Window (Find By: Display filter, Hex value or String; a Filter field; Search In: Packet list, Packet details or Packet bytes; String Options: Case sensitive and Character set; Direction: Up or Down; buttons Help, Find, Cancel)

16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find.

Wireshark will not manipulate things on the network, it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).

FIGURE 5.12: Wireshark Selecting Options in Find Packet Window (By: String; Filter: pwd; Search In: Packet details; Character set: ASCII Unicode & Non-Unicode; Direction: Down)


17. Wireshark will now display the sniffed password from the captured packets.

FIGURE 5.13: Wireshark Sniffed Password in Captured Packet (Test(WS).pcapng opened; an "Observe the Password" callout points at the selected frame, an HTTP POST to a login page with Content-Type application/x-www-form-urlencoded; the packet details pane shows the "Line-based text data: application/x-www-form-urlencoded" section and the packet bytes pane shows the form data)

Which Wireshark media types are supported depends on many things, like the operating system you are using.

18. If you are working on the iLabs environment, then use the Test(WS) sample captured file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to sniff the password.
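What steps 16 and 17 find by hand (a form field such as pwd travelling in an HTTP POST without HTTPS) can be checked programmatically over a whole capture. The following is an added example of mine, not code from the CEH manual or from Wireshark: it parses raw Ethernet/IPv4/TCP frames, extracts HTTP POST form bodies and flags any password field sent in cleartext, which is how a defender would audit a capture for credentials exposed on the wire. The frames, MAC and IP addresses, host name and field names are all constructed for the example, the list of password field names is an assumption, and checksums are left at zero because the parser does not validate them.

```python
"""Detect cleartext credentials in captured frames (added example; constructed data)."""
import struct
from urllib.parse import parse_qs

# Form-field names that commonly carry a password (assumed list; extend as needed).
PASSWORD_FIELDS = {"pwd", "password", "passwd", "pass"}

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_ethernet(frame):
    """Split an Ethernet II frame into (ethertype, payload)."""
    if len(frame) < 14:
        return None, b""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype, frame[14:]


def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) from an IPv4 packet, honouring IHL and total length."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, proto, packet[ihl:total_len]


def parse_tcp(segment):
    """Return (sport, dport, payload) from a TCP segment, honouring the data offset."""
    if len(segment) < 20:
        return None
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return sport, dport, segment[data_offset:]


def find_cleartext_credentials(http_payload):
    """Return {field: value} for password fields in an HTTP POST form body, else {}."""
    head, sep, body = http_payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return {}
    headers = head.decode("ascii", "replace").lower().split("\r\n")[1:]
    if not any(h.startswith("content-type:") and "x-www-form-urlencoded" in h for h in headers):
        return {}
    fields = parse_qs(body.decode("ascii", "replace"))
    return {k: v[0] for k, v in fields.items() if k.lower() in PASSWORD_FIELDS}


def scan_frames(frames):
    """Yield (src, dst, dport, field, value) for every cleartext credential found."""
    for frame in frames:
        ethertype, packet = parse_ethernet(frame)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ip = parse_ipv4(packet)
        if ip is None or ip[2] != IPPROTO_TCP:
            continue
        src, dst, _, segment = ip
        tcp = parse_tcp(segment)
        if tcp is None:
            continue
        _, dport, payload = tcp
        for field, value in find_cleartext_credentials(payload).items():
            yield src, dst, dport, field, value


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left at 0)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


# Constructed sample capture: a cleartext login POST and an opaque TLS record to port 443.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
              b"username=alice&pwd=S3cret%21")
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80, LOGIN_POST),
    build_frame("10.0.0.5", "203.0.113.10", 51001, 443, b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
]

if __name__ == "__main__":
    for src, dst, dport, field, value in scan_frames(SAMPLE_FRAMES):
        print("cleartext credential %s=%r sent from %s to %s:%d" % (field, value, src, dst, dport))
```

Only the port-80 POST produces a finding; the TLS record to port 443 carries no parseable HTTP and is passed over, which is exactly the difference an HTTPS login makes to a sniffer. Feeding real frames (for instance from a pcap reader) into scan_frames turns it into a simple audit for cleartext logins on a segment.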

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Wireshark
Information Collected/Objectives Achieved:
Time
Source
Destination
Protocol
Length
Info
Internet Protocol
TCP, Source Port Info
User ID and Password


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate the protocols that are supported by Wireshark.
2. Determine the devices Wireshark uses to capture packets.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☑ iLabs


Performing Man-in-the-Middle Attack Using Cain & Abel
Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network and cracking encrypted passwords.

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario
You have learned in the previous lab how you can get user name and password information using Wireshark. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates themselves in a public network, especially to a website without an HTTPS connection. Once the password is hacked, an attacker can simply log into the victim's email account or use that password to log in to their PayPal and drain their bank account. They can even change the password for the email. Attackers can use Wireshark to decrypt the frames with the victim's password they already have.
As preventive measures, an administrator in an organization should always advise employees not to provide sensitive information in public networks without an HTTPS connection. VPN and SSH tunneling must be used to secure the network connection. As an expert ethical hacker and penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms, and encryption techniques.
Another method through which you can gain user name and password information is by using Cain & Abel to perform a man-in-the-middle attack.

Lab Objectives
The objective of this lab is to accomplish the following information regarding the target organization that includes, but is not limited to:
Sniff network traffic and perform ARP poisoning
Launch a man-in-the-middle attack
Sniff the network for the password


Lab Environment
To carry out the lab, you need:
Cain & Abel located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel
You can also download the latest version of Cain & Abel from http://www.oxid.it
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as attacker machine
Windows 2008 Server running on virtual machine as the victim machine
A web browser with Internet connection
Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain & Abel
Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 20 Minutes

Overview of Man-In-The-Middle Attack

You can download Cain & Abel from http://www.oxid.it.

A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN.
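The ARP Poison Routing (APR) used in this lab rebinds a victim's IP address to another MAC by sending ARP replies, so the defensive counterpart is to watch ARP traffic for IP-to-MAC bindings that change. The following is an added example of mine, not code from the CEH manual or from Cain & Abel: it parses Ethernet/ARP frames and raises an alert when an IP that was seen from one MAC is suddenly claimed by another, when the ARP sender MAC disagrees with the Ethernet source MAC, and when the sender MAC is the "001122334455" value that this lab's Configuration Dialog note describes as Cain's default spoofed address. All frames, IPs and MACs are constructed; in practice the frames would come from a promiscuous capture on the segment being watched.

```python
"""ARP poisoning detector over Ethernet/ARP frames (added example; constructed data)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Default spoofed MAC that Cain's APR uses, per this lab's configuration note.
CAIN_DEFAULT_SPOOFED_MAC = "00:11:22:33:44:55"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return a dict for an Ethernet II / ARP (IPv4 over Ethernet) frame, or None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
        "eth_src": mac_str(frame[6:12]),
    }


class ArpWatch:
    """Tracks IP -> MAC bindings seen in ARP and flags changes and known spoofed MACs."""

    def __init__(self, pinned=None):
        # pinned: IP -> MAC bindings the operator trusts in advance (e.g. the default gateway).
        self.table = dict(pinned or {})

    def process(self, frame):
        """Return a list of alert strings for this frame (empty when nothing is suspicious)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append("ARP sender MAC %s differs from Ethernet source %s for %s" % (mac, arp["eth_src"], ip))
        if mac == CAIN_DEFAULT_SPOOFED_MAC:
            alerts.append("ARP from %s uses the known default spoofed MAC %s" % (ip, mac))
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # Keep the first-seen binding so every further conflicting reply is reported too.
            alerts.append("binding change: %s was %s, now claimed by %s" % (ip, known, mac))
        return alerts


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II / ARP frame (constructed test data)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + smac + sip + tmac + tip
    return eth + arp + b"\x00" * 18  # pad to the 60-byte Ethernet minimum


# Constructed traffic: a legitimate gateway reply, then a reply claiming the same IP from the spoofed MAC.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "02:00:00:00:00:05"
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, CAIN_DEFAULT_SPOOFED_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]


def run(frames, pinned=None):
    """Feed frames through one ArpWatch and return all alerts in order."""
    watch = ArpWatch(pinned)
    alerts = []
    for frame in frames:
        alerts.extend(watch.process(frame))
    return alerts


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES):
        print("ALERT:", line)
```

The first frame establishes the gateway binding quietly; the second produces two alerts, one for the known spoofed MAC and one for the binding change. Pinning the gateway's real MAC in advance (the pinned argument) means the change is caught even if the detector starts after the poisoning began, which is the same reason static ARP entries for the gateway are a common hardening step on a switched LAN.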

Lab Tasks

TASK 1
Man-In-The-Middle Attack

1. Launch your Windows 2008 Server virtual machine (Victim Machine).
2. Launch your Windows 8 virtual machine (Attacker Machine).
3. On the host machine (Windows Server 2012), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


Man-in-the-Middle attacks have the potential to eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). They can also be used for substitution attacks that can actively manipulate data.

FIGURE 6.1: Windows Server 2012 Desktop view

4. Click Cain in the Start menu to launch Cain & Abel.

Cain & Abel covers some security aspects/weaknesses intrinsic to protocol standards, authentication methods and caching mechanisms.

FIGURE 6.2: Windows Server 2012 Desktop view (Start screen with the Cain and Uninstall Cain tiles)

5. The main window of Cain & Abel appears.

Replay attacks can also be used to resend a sniffed password hash to authenticate an unauthorized user.

FIGURE 6.3: Cain & Abel Main Window (menu File, View, Configure, Tools, Help; tabs Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless, Query; the Decoders tree lists Cached Passwords, Protected Storage, LSA Secrets, Wireless Passwords, IE7 Passwords, Windows Mail Passwords, Dialup Passwords, Edit Boxes, Enterprise Manager and Credential Manager, with the hint "Press the + button on the toolbar to dump the Protected Storage"; status bar http://www.oxid.it)

6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window.
7. To configure the Ethernet card, click Configure from the menu bar.


APR-SSH-1 can capture and decrypt SSH version 1 sessions that are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because a trusted authority does not sign these certificates, a warning message will be displayed to the end user.

FIGURE 6.4: Cain & Abel Configuration Option (the Configure entry on the menu bar of the main window)

8. The Configuration Dialog window appears.
9. The Configuration Dialog window consists of several tabs. Click the Sniffer tab to select the sniffing adapter.
10. Select Adapter and click Apply and then OK.

For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first, that address can be easily identified for troubleshooting, and second, it is not supposed to exist in your network.

Note: You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same Spoofed MAC address.

FIGURE 6.5: Cain & Abel Configuration Dialog Window (tabs Sniffer, APR (Arp Poison Routing), Filters and ports, HTTP Fields, Traceroute, Certificate Spoofing, Certificates Collector and Challenge Spoofing; the Sniffer tab lists the \Device\NPF_ adapters with their IP address and Subnet Mask, shows Winpcap Version 4.1.0.2001 and the Current Network Adapter, displays "WARNING !!! Only ethernet adapters supported", and offers the options Start Sniffer on startup, Start APR on startup and Don't use Promiscuous mode; buttons OK, Cancel, Apply, Help)

11. Click the Start/Stop Sniffer icon on the toolbar.


The most crucial item in that list is the radioactive-hazard icon, APR. It is in this window that we select our victim(s).

FIGURE 6.6: Cain & Abel Configuration Dialog Window (main window with the toolbar tooltip "Activate / Deactivate the Sniffer")

Note: If you get a Cain Warning pop-up, click OK.

12. Now click the Sniffer tab.

Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data.

FIGURE 6.7: Sniffer tab (Hosts list with columns MAC address, OUI fingerprint and test results; bottom tabs Hosts, APR, Routing, Passwords, VoIP; status bar "Lost packets: 0%")

13. Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.
14. The MAC Address Scanner window appears. Select All hosts in my subnet and check the All Tests check box. Click OK.


APR-RDP can capture and decrypt Microsoft's Remote Desktop Protocol as well.

FIGURE 6.8: Cain & Abel MAC Address Scanner Window (Target: All hosts in my subnet, or a Range From/To; Promiscuous-Mode Scanner check boxes ARP Test (Broadcast 31-bit), ARP Test (Broadcast 16-bit), ARP Test (Broadcast 8-bit), ARP Test (Group bit), ARP Test (Multicast group 0), ARP Test (Multicast group 1), ARP Test (Multicast group 3) and All Tests; OK button)

15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.

Speeding up packet capture speed by wireless packet injection.

Note that the Cain & Abel program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

FIGURE 6.9: Cain & Abel Scanning MAC Addresses Window

16. After scanning is completed, a list of detected MAC addresses is displayed.
17. Click the APR tab at the bottom of the main window.


1 Vi * Cgrfi gur* Took Help

|ta[*e*BIIIJ+*|lB 1 1 3 0 8 t Jl
Decoders | ^ Network | ^ Sniffer \/ Cracker Traceroutc | d CCDU | '<Q Wireless |q)Query |
a Status 1 IP address I MAC address I Fatkets -> 1 <- Packets I MAC address IIP address
EEQaPR state Half- S APR-Cat
Routing means that APRis
4 , APR-DNS
mAPR-SSH-1 (01
routing the traffic correctly - l i APR-HTTPS (0)
but only in one direction 3APR Prox/HTTPS (0)
5 g APF-PXP(G)
(ex: Client-> Server or 13 APR-FTPS (0)
Server->Client). This can l i APR-P0P3S (0)

happen if one o f the two 3 APR-IMAPS (0) Status | IP address | MAC address | packets -> | <- Packets | MAC address | IP address
APR-IDAPS tfi)
hosts cannot be poisoned 3 APR-SIPS (0)
or if asymmetric routing is
used on the LAN. In this
state the sniffer loses all
packets o f an entire
direction so it cannot grab
authentications that use a
challenge-response < III > Configuration JRouted Packets |

mechanism. 44 Hosts | (X APR || *J* Routing | Passv/ords | J * VoIP |

lest packets: 0%

FIGU RE 6.10: Cain & Abel ARP Tab

FIGU RE 6.10: Cain & Abel ARP Tab

18. Click anywhere 111 the Configuration/Routed P a c k e ts window o f APR


to activate the Plus icon.

APR state Full-Routing means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX (ex: Server<->Client). The sniffer will grab authentication information according to the sniffer filters set.

[Screenshot: Cain & Abel APR tab with the same APR tree (all counters at 0) and an empty Configuration / Routed Packets pane; the status bar reads "Lost packets: 0%".]

FIGURE 6.11: Cain & Abel ARP Tab

19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IPs to listen to traffic.


The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user.

[Screenshot: New ARP Poison Routing dialog opened over the APR tab. It lists the scanned hosts by IP address, MAC and hostname: 10.0.0.1 00095BAE24CC, 10.0.0.3 00155DA86E06, 10.0.0.4 00155DA86E09, 10.0.0.5 00155DA86E03, 10.0.0.7 D4BED9C3CE2D, 10.0.0.10 D4BED9C3C3CC, 10.0.0.11 00155DA87805, 10.0.0.12 00155DA87800, 10.0.0.13 00155DA87804.]

FIGURE 6.12: Cain & Abel ARP Tab

20. To monitor the traffic between two computers, select 10.0.0.3 (Windows 8 virtual machine) and 10.0.0.5 (Windows 2008 Server virtual machine). Click OK.
All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.

[Screenshot: New ARP Poison Routing dialog. WARNING !!! APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN. Left list: 10.0.0.1 00095BAE24CC, 10.0.0.3 00155DA86E06, 10.0.0.4 00155DA86E09, 10.0.0.5 00155DA86E03, 10.0.0.7 D4BED9C3CE2D, 10.0.0.10 D4BED9C3C3CC, 10.0.0.11 00155DA87805, 10.0.0.12 00155DA87800, 10.0.0.13 00155DA87804; right list: the same hosts.]

FIGURE 6.13: Cain & Abel ARP Tab

21. Select the added IP address in the Configuration/Routed packets and click the Start/Stop APR icon.
Note: If the "Couldn't bind HTTPS acceptor socket" pop-up appears, click OK.


Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for example, store user names and passwords using this service.

FIGURE 6.14: Cain & Abel ARP Poisoning

22. Now launch the command prompt in Windows 2008 Server and type ftp 10.0.0.3 (IP address of Windows 8 machine) and press Enter.
23. When prompted for Username type Martin and press Enter, and for password type apple and press Enter.

There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called "Local Credential Set" and it refers to the file: \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials

Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ftp 10.0.0.3
Connected to 10.0.0.3.
220 Microsoft FTP Service
User (10.0.0.3:(none)): Martin
331 Password required
Password:
230 User logged in.
ftp> _

FIGURE 6.15: Start ftp://10.0.0.3

24. Now, on the host machine, observe the tool listing some packets exchanged.


Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\

[Screenshot: Cain & Abel APR tab. Configuration / Routed Packets now shows one entry: Status "Poisoning", IP address 10.0.0.3, MAC address 00155DA86E06, Packets -> 5, <- Packets 7, MAC address 00155DA86E03, IP address 10.0.0.5. The APR-DNS through APR-SIPS (0) entries remain at zero; the status bar reads "Lost packets: 0%".]

FIGURE 6.16: Sniffer window with more packets exchanged

25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.


This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials

[Screenshot: Cain & Abel Passwords tab. The left tree lists the credential buckets per protocol (FTP, HTTP (17), SMB (3), and IMAP, LDAP, POP3, Telnet, VNC, TDS, TNS, SMTP, NNTP, DCE/RPC, MSKerb5-PreAuth, Radius-Keys, Radius-Users, ICQ, IKE-PSK, MySQL, SNMP and SIP at 0). The FTP pane (columns Timestamp, FTP server, Client, Username, Password) shows one entry captured 18/09/2012 15:54:10 between 10.0.0.5 and 10.0.0.3 with Username Martin and Password apple; the status bar reads "Lost packets: 0%".]

FIGURE 6.17: Sniffer window with more packets exchanged
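What the Passwords tab surfaces here is a credential sent in clear text, which a network monitor on the defending side should flag just as readily. The following is an added example (not code from the CEH Lab Manual or from Cain & Abel) of that check: it reassembles the client-to-server side of each FTP control connection from packet records and reports USER/PASS pairs with the password masked. The packet records are constructed to mirror the lab session (10.0.0.5 logging in to the FTP server at 10.0.0.3 as Martin); the client port numbers are assumed.

```python
"""Detect clear-text FTP authentication in captured traffic.

Added example for this lab, not code from the CEH Lab Manual or Cain & Abel.
The packet records are constructed to mirror the lab session (client 10.0.0.5
logging in to the FTP server at 10.0.0.3 as Martin); ports are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    username: str
    password_masked: str   # the report never stores the secret itself
    password_length: int


def mask(secret: str) -> str:
    """Replace every character of the secret so only its length is reported."""
    return "*" * len(secret)


def detect_cleartext_ftp_logins(packets: List[Packet]) -> List[Finding]:
    """Reassemble each client->server FTP control stream and pair USER with PASS.

    Only segments *to* port 21 are kept, so server replies (220, 331, 230) are
    ignored; payloads are concatenated per (client, source port, server) so a
    command split across two segments is still seen whole.
    """
    streams: Dict[Tuple[str, int, str], bytearray] = {}
    for p in packets:
        if p.dport != FTP_CONTROL_PORT:
            continue
        streams.setdefault((p.src, p.sport, p.dst), bytearray()).extend(p.payload)

    findings: List[Finding] = []
    for (client, _sport, server), data in streams.items():
        pending_user: Optional[str] = None
        for line in data.decode("ascii", errors="replace").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending_user = arg.strip()
            elif verb.upper() == "PASS" and pending_user is not None:
                secret = arg.strip()
                findings.append(
                    Finding(client, server, pending_user, mask(secret), len(secret))
                )
                pending_user = None
    return findings


# Constructed capture (not a real trace): the lab's session from 10.0.0.5 to the
# FTP service on 10.0.0.3. The client's ephemeral ports are assumed, and
# "USER Martin" is deliberately split over two segments to exercise reassembly.
SAMPLE_CAPTURE = [
    Packet("10.0.0.3", 21, "10.0.0.5", 49152, b"220 Microsoft FTP Service\r\n"),
    Packet("10.0.0.5", 49152, "10.0.0.3", 21, b"USER Mar"),
    Packet("10.0.0.5", 49152, "10.0.0.3", 21, b"tin\r\n"),
    Packet("10.0.0.3", 21, "10.0.0.5", 49152, b"331 Password required\r\n"),
    Packet("10.0.0.5", 49152, "10.0.0.3", 21, b"PASS apple\r\n"),
    Packet("10.0.0.3", 21, "10.0.0.5", 49152, b"230 User logged in.\r\n"),
    Packet("10.0.0.5", 49153, "10.0.0.3", 80, b"GET / HTTP/1.1\r\n"),  # unrelated flow
]

if __name__ == "__main__":
    for f in detect_cleartext_ftp_logins(SAMPLE_CAPTURE):
        print(f"clear-text FTP login {f.client} -> {f.server}: user={f.username} "
              f"password={f.password_masked} ({f.password_length} chars)")
```

The detector keys streams on the client side only, so a single USER split across segments, as in the sample, still yields one finding; the masked report is enough to raise a ticket to move the service to FTPS or SFTP without copying the password into the alerting system.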

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


Tool/Utility    Information Collected/Objectives Achieved

Cain & Abel     IP Address: 10.0.0.3
                MAC Address: 00155DA86E06
                Packets Sent: 5
                Packets Received: 7
                FTP Server: 10.0.0.3
                Username: Martin
                Password: apple

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.
2. How can you easily find the password captured in an RDP MITM attack using only Notepad or some other text editor?
3. How can one protect a Windows Server against RDP MITM attacks?

Internet Connection Required
[x] Yes  [ ] No
Platform Supported
[x] Classroom  [x] iLabs


Lab

Detecting ARP Attacks with the XArp Tool
XArp is a security application that uses advanced techniques to detect ARP-based attacks.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
You have already learned in the previous lab to capture user name and password information using Cain & Abel. Similarly, attackers, too, can sniff the username and password of a user. Once attackers have a user name and password, they can simply gain access to a network's database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network. They can also perform different types of attacks such as denial-of-service attacks, spoofing, buffer overflow, heap overflow, etc.
When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly.
Another method attackers can implement is ARP attacks, through which they can snoop on or manipulate all your data passing over the network. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks to protect your data.

Lab Objectives
The objective of this lab is to accomplish the following regarding the target organization, which includes, but is not limited to:
To detect ARP attacks


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
XArp is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp
You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp
Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of XArp
XArp helps users to detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.

Lab Tasks
TASK 1: Launching the XArp tool
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 Desktop view

2. Click XArp in the Start menu to launch the XArp tool.


Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.

[Screenshot: Windows Server 2012 Apps screen showing, among others, Server Manager, Computer, Google Chrome, Mozilla Firefox, Hyper-V Manager, Hyper-V Virtual Machine... and XArp tiles.]

FIGURE 7.2: Windows Server 2012 Apps

3. The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.

[Screenshot: XArp - unregistered version. Status: no ARP attacks. Security level set to: high. Help text: "The high security level adds better network discovery which results in a higher detection rate but sends out more discovery packets into the network. Aggressive inspection modules are employed which might give false alerts in some environments." Status bar: XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts.]

IP         MAC         Host            Vendor           Interface          Online  Cache  First seen           Last seen
10.0.0.1   00-09-5...  10.0.0.1        Netgear, Inc.    0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.2   d0-67-e...  WIN-MSSELCK...  unknown          0x11 - Microso...  yes     no     9/20/2012 14:22:55   9/20/20...
10.0.0.6   00-15-5...  ADMIN-PC        Microsoft Cor... 0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.7   d4-be-...   WIN-D39MR5...   unknown          0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.8   00-15-5...  ADMIN           Microsoft Cor... 0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.10  d4-be-...   WIN-2N9STOS...  unknown          0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.12  00-15-5...  WINDOWS8        Microsoft Cor... 0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...
10.0.0.13  00-15-5...  WIN-EGBHISG...  Microsoft Cor... 0x11 - Microso...  yes     yes    9/20/2012 14:22:55   9/20/20...

A MAC address is a unique identifier for network nodes on a LAN. MAC addresses are associated with the network adapter that connects devices to networks. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or caches, are used to correlate network devices' IP addresses to their MAC addresses.

FIGURE 7.3: XArp status when security level set to high

4. On the host machine, XArp displays no ARP attacks.
Note: If you observe the same results, log in to a virtual machine and run Cain & Abel to initiate ARP poisoning to the host machine.
5. By default the security level is set to high. Set the Security level to aggressive on the XArp screen.


An attacker can alter the MAC address of the device that is used to connect the network to the Internet and can disable access to the web and other external networks.

[Screenshot: XArp - unregistered version. Status: no ARP attacks. Security level set to: aggressive. Help text: "The aggressive security level enables all ARP packet inspection modules and sends out discovery packets in high frequency. Using this level might give false attack alerts as it operates on a highly aggressive packet inspection philosophy." The mapping table lists the same eight hosts as in Figure 7.3. Status bar: XArp 2.2.2 - 8 mappings - 2 interfaces - 0 alerts.]

FIGURE 7.4: XArp status when security level set to aggressive

6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an ARP attack on a Windows 2012 host machine.
7. The XArp pop-up appears displaying the alerts.

XArp allows alert filtering for excluding specific hosts. Another feature includes settings for alerting intensity and how the alerts are presented. It also allows sending alerts through email and detailed alerting configuration.

[Screenshot: XArp alert pop-up dated 9/20/2012 14:... "DirectedRequestfilter: targeted request, destination mac of arp request not set to broadcast/invalid address". Packet details:
interface: 0x11 [ethernet]
source mac: d0-...-36
dest mac: 00-...-cc
type: 0x806 [arp]
direction: out
type: request
source ip: 10.0.0.2
dest ip: ...]

FIGURE 7.5: XArp displaying Alerts

8. Now, the XArp Status changes to ARP attacks detected.


The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in (n*n) ARP caches that have to be configured. AntiARP also provides Windows-based spoofing prevention at the kernel level.

[Screenshot: XArp - unregistered version. Status: ARP attacks detected! Security level set to: aggressive. Status bar: XArp 2.2.2 - 11 mappings - 2 interfaces - 25 alerts. Compared with Figure 7.3 the mapping table now also lists 10.0.0.3 (00-15-5..., Microsoft Cor..., first seen 9/20/2012 14:25:06), 10.0.0.4 (00-15-5..., Windows8, first seen 14:25:08) and 10.0.0.5 (00-15-5..., first seen 14:25:54); 10.0.0.3 and 10.0.0.4 are flagged with an X, several other entries with an asterisk, and the remaining entries carry a check mark.]

FIGURE 7.6: XArp ARP attacks detected
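The half- and full-routing notes earlier in the Cain & Abel lab, the DirectedRequest alert of Figure 7.5 and the static-entry advice above all describe things a passive ARP monitor can check from the frames it sees. The following is an added example, not XArp's code or the lab's, of such a monitor with three inspection rules: an ARP request whose Ethernet destination is a unicast address instead of broadcast (the "targeted request" XArp alerted on), a sender IP whose MAC differs from a static trusted entry or from the first binding learned, and one MAC claiming more than one IP. The frames are constructed; the gateway, 10.0.0.3 and 10.0.0.5 MACs are the ones Cain & Abel listed in Figure 6.13, and the attacker's MAC is invented.

```python
"""Passive ARP-attack detection in the spirit of XArp.

Added example for this lab, not XArp's code. The frame sequence below is
constructed; the host MACs come from the lab's Cain & Abel scan, the
attacker MAC (for 10.0.0.2) is invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    # Static, read-only bindings for critical hosts (here the gateway).
    trusted: Dict[str, str]
    # First binding seen for every other IP; later deviations are alerted.
    learned: Dict[str, str] = field(default_factory=dict)
    ips_per_mac: Dict[str, Set[str]] = field(default_factory=dict)

    def inspect(self, f: ArpFrame) -> List[str]:
        """Return the alerts raised by one frame and update the monitor state."""
        alerts: List[str] = []
        eth_dst, sender_mac = f.eth_dst.lower(), f.sender_mac.lower()

        # Rule 1: requests are broadcast by design; a unicast one targets a host.
        if f.opcode == ARP_REQUEST and eth_dst != BROADCAST:
            alerts.append(f"DirectedRequest: who-has {f.target_ip} from {f.sender_ip} "
                          f"sent to unicast {eth_dst}")

        # Rule 1b: the Ethernet source should carry the same MAC the ARP body claims.
        if f.eth_src.lower() != sender_mac:
            alerts.append(f"SourceMismatch: frame from {f.eth_src} carries ARP sender {sender_mac}")

        # Rule 2: the IP already resolves to another MAC (static entry wins over learned).
        expected = self.trusted.get(f.sender_ip) or self.learned.get(f.sender_ip)
        if expected is not None and expected != sender_mac:
            alerts.append(f"MappingChange: {f.sender_ip} was {expected}, now claimed by {sender_mac}")

        # Rule 3: one MAC answering for several IPs is the poisoning footprint.
        claimed = self.ips_per_mac.setdefault(sender_mac, set())
        claimed.add(f.sender_ip)
        if len(claimed) > 1:
            alerts.append(f"MultipleIPs: {sender_mac} claims {sorted(claimed)}")

        if f.sender_ip not in self.trusted:
            self.learned.setdefault(f.sender_ip, sender_mac)
        return alerts


def run_monitor(frames: List[ArpFrame], trusted: Dict[str, str]) -> List[str]:
    """Feed frames to a fresh monitor and collect every alert in order."""
    monitor = ArpMonitor(trusted={ip: mac.lower() for ip, mac in trusted.items()})
    alerts: List[str] = []
    for frame in frames:
        alerts.extend(monitor.inspect(frame))
    return alerts


GATEWAY_MAC = "00:09:5b:ae:24:cc"    # 10.0.0.1 as listed by Cain & Abel in the lab
HOST3_MAC = "00:15:5d:a8:6e:06"      # 10.0.0.3 (Windows 8 VM)
HOST5_MAC = "00:15:5d:a8:6e:03"      # 10.0.0.5 (Windows 2008 Server VM)
ATTACKER_MAC = "d0:67:e5:00:00:36"   # constructed; stands for 10.0.0.2 in the XArp alert
ZERO_MAC = "00:00:00:00:00:00"

TRUSTED = {"10.0.0.1": GATEWAY_MAC}  # static entry for the gateway

# Constructed sequence: two legitimate frames, then the poisoning pattern.
SAMPLE_FRAMES = [
    ArpFrame(HOST5_MAC, BROADCAST, ARP_REQUEST, HOST5_MAC, "10.0.0.5", ZERO_MAC, "10.0.0.3"),
    ArpFrame(HOST3_MAC, HOST5_MAC, ARP_REPLY, HOST3_MAC, "10.0.0.3", HOST5_MAC, "10.0.0.5"),
    ArpFrame(ATTACKER_MAC, GATEWAY_MAC, ARP_REQUEST, ATTACKER_MAC, "10.0.0.2", ZERO_MAC, "10.0.0.1"),
    ArpFrame(ATTACKER_MAC, HOST5_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.3", HOST5_MAC, "10.0.0.5"),
    ArpFrame(ATTACKER_MAC, HOST3_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.1", HOST3_MAC, "10.0.0.3"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_FRAMES, TRUSTED):
        print(alert)
```

On the constructed sequence the first two frames are silent, the unicast request raises DirectedRequest, and each poisoned reply raises both MappingChange and MultipleIPs; the gateway entry is caught through the static binding even though its MAC was never learned from traffic, which is the point of the static-entry defence in the note above.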

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility    Information Collected/Objectives Achieved

XArp            Interface [Ethernet]: 0x11
                Source Mac: d0-xx-xx-xx-xx-36
                Destination Mac: 00-xx-xx-xx-xx-cc
                Type [arp]: 0x806
                Direction: Out
                Source IP: 10.0.0.2
                Destination IP: 10.0.0.1
                Host: 10.0.0.1
                Vendor: Netgear, Inc.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required
[x] Yes  [ ] No
Platform Supported
[x] Classroom  [x] iLabs


Detecting Systems Running in Promiscuous Mode in a Network Using PromqryUI
PromqryUI is a tool with a Windows graphical interface that can be used to detect network interfaces that are running in promiscuous mode.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
With an ARP storm attack, an attacker collects the IP address and MAC address of the machines in a network for future attacks. An attacker can send ARP packets to attack a network. If an ARP packet with a forged gateway MAC address is pushed to the LAN, all communications within the LAN may fail. This attack uses all resources of both victim and non-victim computers.
As a network administrator you must always diagnose the network traffic using a network analyzer and configure routers to prevent ARP flooding. Using a specific technique with a protocol analyzer you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks.
Attackers may also install network interfaces to run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as such an interface might be a network sniffer. In this lab you will learn to use the tool PromqryUI to detect network interfaces running in promiscuous mode.

Lab Objectives
The objective of this lab is to accomplish:
To detect promiscuous systems in a network


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Environment
To carry out the lab, you need:
PromqryUI is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI
You can also download the latest version of PromqryUI from http://www.microsoft.com/en-us/download/details.aspx?id=16883
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows 2008 Server
Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of PromqryUI
PromqryUI can accurately determine if a modern managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system.

PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.

Lab Tasks
TASK 1: Running PromqryUI
1. Go to the tool location at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.
2. Double-click promqryui.exe, and click Run.

[Screenshot: Open File - Security Warning dialog. "Do you want to run this file?" Name: ...miscuous Detection Tools\PromqryUI\promqryui.exe; Publisher: Microsoft Corporation; Type: Application; From: Z:\CEHv8 Module 08 Sniffers\Promiscuous Detectio...; buttons Run / Cancel; "Always ask before opening this file" checked; "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust. What's the risk?"]

FIGURE 8.1: PromqryUI Run prompt


3. Click Yes in the PromqryUI License Agreement window.

In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.

[Screenshot: PromqryUI license dialog. "Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement." END-USER LICENSE AGREEMENT FOR PROMQRY and PROMQRYUI. IMPORTANT-READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and Microsoft Corporation for the Microsoft software product identified above, which includes computer software ("SOFTWARE"). The terms and conditions of this EULA are separate and apart from those contained in any other agreement between Microsoft Corporation and you. BY INSTALLING, COPYING OR OTHERWISE USING THE PRODUCT (AS DEFINED BELOW), YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA, DO NOT INSTALL, COPY OR USE THE PRODUCT. "Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement." Buttons Yes / No.]

FIGURE 8.2: PromqryUI License Agreement dialog box

4. The WinZip Self-Extractor dialog box appears. Browse to a desired location (default location is c:\promqryui) to save the unzipped folder and click Unzip.

[Screenshot: WinZip Self-Extractor - PROMQR~1.EXE. "To unzip all files in PROMQR~1.EXE to the specified folder press the Unzip button." Unzip to folder: (text box, Browse...); "Overwrite files without prompting" checked; buttons Unzip, Run WinZip, Close, About, Help.]

FIGURE 8.3: PromqryUI WinZip Self-Extractor dialog box

5. Click OK after the Unzip is successful.

[Dialog: "2 file(s) unzipped successfully" with an OK button.]

FIGURE 8.4: WinZip Self-Extractor dialog box


6. Now, click Close to close the WinZip Self-Extractor dialog box.

Unzip to folder allows you to browse and select a destination of your choice to save the setup file.

[Screenshot: WinZip Self-Extractor - PROMQR~1.EXE, the same dialog as in Figure 8.3 with the status line "2 file(s) unzipped successfully".]

FIGURE 8.5: PromqryUI WinZip Self-Extractor dialog box

7. Now, install .NET Framework 1.1 by double-clicking the dotnetfx.exe file located at Z:\CEHv8 Module 08 Sniffing\Promiscuous Detection Tools\PromqryUI.

TASK 2: Running .NET Framework 1.1
8. Click Run in the Open File - Security Warning dialog box.

[Screenshot: Open File - Security Warning dialog. "Do you want to run this file?" Name: ...omiscuous Detection Tools\PromqryUI\dotnetfx.exe; Publisher: Microsoft Corporation; Type: Application; From: Z:\CEHv8 Module 08 Sniffers\Promiscuous Detectio...; buttons Run / Cancel; "Always ask before opening this file" checked.]

FIGURE 8.6: .NET Framework - Run dialog box


The .NET Framework version 1.1 redistributable package includes everything you need to run applications developed using the .NET Framework.

9. Click Yes to initiate the .NET Framework installation in the Setup dialog box.

[Dialog: Microsoft .NET Framework 1.1 Setup. "Would you like to install Microsoft .NET Framework 1.1 Package?" Buttons Yes / No.]

FIGURE 8.7: .NET Framework Install dialog box


10. While attempting to install .NET Framework 1.1, you will get a Program Compatibility Assistant dialog box. Click Run Program.

[Screenshot: Program Compatibility Assistant. "This program has known compatibility issues. Check online to see if solutions are available from the Microsoft website. If solutions are found, Windows will automatically display a website that lists steps you can take." Program: Microsoft .NET Framework 1.1; Publisher: Microsoft; Location: Not Available. "This software has known incompatibility with IIS services on this platform." Buttons: Check for solutions online, Run program, Cancel; "Don't show this message again" checkbox.]

FIGURE 8.8: .NET Framework Program Compatibility Assistant dialog box

TASK 3: Installing .NET Framework 1.1
11. Select the radio button for I agree and click Install in the License Agreement dialog box.

[Screenshot: Microsoft .NET Framework 1.1 Setup - License Agreement. SUPPLEMENTAL END USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE (a copy of this license is available for printing at the go.microsoft.com fwlink shown in the dialog). "I have read, understood and agree to the terms of the End User License Agreement and so signify by clicking "I agree" and proceeding to use this product." Radio buttons: I agree / I do not agree; buttons Install / Cancel.]

FIGURE 8.9: .NET Framework License Agreement dialog box

12. Once the installation is complete, click OK in the Microsoft .NET Framework 1.1 Setup dialog box.

[Dialog: Microsoft .NET Framework 1.1 Setup. "Installation of Microsoft .NET Framework 1.1 is complete." OK.]

FIGURE 8.10: .NET Framework - Installation complete message box

TASK 3: Installing PromqryUI
13. Now, go to C:\promqryui and double-click pqsetup.msi and follow the installation wizard to install PromqryUI.


14. Once installation is complete, go to Start and click Promqry to launch the program.

Promiscuous mode can be used in a malicious way to sniff on a network. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this by using carefully designed firewall settings.

[Screenshot: Windows 2008 Server Start menu listing Server Manager, Command Prompt, Mozilla Firefox, Ease of Access Center, Notepad, Internet Explorer, Windows Update, Services, Password Changer for Windows and Paint on the left, and Administrator, Documents, Computer, Network, Control Panel, Administrative Tools, Help and Support and Run... on the right.]

FIGURE 8.11: Windows 2008 Server Start menu

15. The main window of PromqryUI appears. Click Add.

With the PromqryUI tool, you can add either a single system or multiple systems to query.

FIGURE 8.12: PromqryUI Main window

16. The Select Addition Type dialog box will appear. Click Add Single System.


[Dialog: Select Addition Type with buttons Add Single System / Add Multiple Systems.]

FIGURE 8.13: PromqryUI Adding system

17. Type the IP address of the system you want to check for promiscuous mode in the IP Address field in the Add System to Query dialog box and click Save.

[Dialog: Add System to Query with fields IP Address and Host Name and buttons Save / Cancel.]

For systems that you need to query, a range of IP addresses can be provided. Also, you can just carry out a query for a local system.

FIGURE 8.14: PromqryUI Add System to Query

18. Select the added IP address in the Systems To Query section and click Start Query.

[Screenshot: Promqry main window (File, Edit, Help). Systems To Query: Start IP address 10.0.0.2, End IP address, Query Status; the Query Results pane is empty.]

FIGURE 8.15: PromqryUI Querying system

C E H L ab M anual Page 662 E th ical H a ck in g a nd C ountem ieasures Copyright by EC-Council


All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 08 - Sniffers

19. The results are displayed in Query Results.


Query results will let you know whether the system is in promiscuous mode or not and provide other information such as computer name, domain, computer model, manufacturer, owner, etc.

FIGURE 8.16: PromqryUI Query Results (one "NEGATIVE: Promiscuous mode currently NOT enabled" or "POSITIVE" line per interface, followed by a System Summary and the computer details)
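What the per-interface verdicts above boil down to is one bit in each adapter's packet filter. The following Python script is an added example, not Promqry code: it decodes that bit the way a PromqryUI-style query would and produces the same kind of per-system summary. It assumes that on Windows the wmic client and the root\wmi WMI class MSNdis_CurrentPacketFilter are available, and that on Linux the IFF_PROMISC bit can be read from /sys/class/net/<iface>/flags. SAMPLE_WMIC is constructed output and its adapter names are examples.

```python
"""Promiscuous-mode check in the spirit of PromqryUI: read each interface's
packet filter, decode the promiscuous bit, and give a per-system verdict.
Added example, not Promqry code.  Assumptions: on Windows the wmic client and
the root\\wmi class MSNdis_CurrentPacketFilter are available; on Linux the
IFF_PROMISC bit is read from /sys/class/net/<iface>/flags."""
import glob
import os
import platform
import subprocess

# NDIS packet-filter bits (ndis.h).  A sniffer in promiscuous mode sets 0x20.
NDIS_PACKET_TYPE_DIRECTED = 0x01
NDIS_PACKET_TYPE_MULTICAST = 0x02
NDIS_PACKET_TYPE_ALL_MULTICAST = 0x04
NDIS_PACKET_TYPE_BROADCAST = 0x08
NDIS_PACKET_TYPE_PROMISCUOUS = 0x20
# Linux equivalent: IFF_PROMISC from <linux/if.h>.
IFF_PROMISC = 0x100


def decode_ndis_filter(value: int) -> list:
    """Names of the bits set in an NDIS packet filter, lowest bit first."""
    names = {NDIS_PACKET_TYPE_DIRECTED: "DIRECTED",
             NDIS_PACKET_TYPE_MULTICAST: "MULTICAST",
             NDIS_PACKET_TYPE_ALL_MULTICAST: "ALL_MULTICAST",
             NDIS_PACKET_TYPE_BROADCAST: "BROADCAST",
             NDIS_PACKET_TYPE_PROMISCUOUS: "PROMISCUOUS"}
    return [name for bit, name in names.items() if value & bit]


def is_promiscuous_ndis(value: int) -> bool:
    return bool(value & NDIS_PACKET_TYPE_PROMISCUOUS)


def is_promiscuous_linux(flags_text: str) -> bool:
    """flags_text is the hex string sysfs returns, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def parse_wmic_csv(text: str) -> dict:
    """Map InstanceName -> NdisCurrentPacketFilter from `wmic ... /format:csv`
    output (a header line, then one row per adapter; names contain no commas)."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not rows:
        raise ValueError("empty wmic output")
    header = rows[0].split(",")
    name_col = header.index("InstanceName")
    filter_col = header.index("NdisCurrentPacketFilter")
    result = {}
    for row in rows[1:]:
        cols = row.split(",")
        result[cols[name_col]] = int(cols[filter_col])
    return result


def query_local_interfaces() -> dict:
    """Live query of this host: InstanceName -> True if promiscuous."""
    if platform.system() == "Windows":
        cmd = ["wmic", "/namespace:\\\\root\\wmi", "path", "MSNdis_CurrentPacketFilter",
               "get", "InstanceName,NdisCurrentPacketFilter", "/format:csv"]
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        return {n: is_promiscuous_ndis(v) for n, v in parse_wmic_csv(out).items()}
    result = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as fh:
            result[os.path.basename(os.path.dirname(path))] = is_promiscuous_linux(fh.read())
    return result


def system_summary(interfaces: dict) -> dict:
    """Per-interface verdicts plus the one-line verdict Promqry prints as 'System Summary'."""
    positive = [name for name, promisc in interfaces.items() if promisc]
    lines = [f"{'POSITIVE' if promisc else 'NEGATIVE'}: {name}"
             for name, promisc in interfaces.items()]
    return {
        "positive": bool(positive),
        "promiscuous_interfaces": positive,
        "lines": lines,
        "summary": ("POSITIVE: at least one interface on system was found in promiscuous mode"
                    if positive else "NEGATIVE: no interface on system is in promiscuous mode"),
    }


# Constructed wmic output (not a real query): 11 = 0x0B = DIRECTED|MULTICAST|BROADCAST
# is a normal filter; 43 = 0x2B adds the PROMISCUOUS bit.
SAMPLE_WMIC = """
Node,InstanceName,NdisCurrentPacketFilter
WIN-EXAMPLE,WAN Miniport (IP),11
WIN-EXAMPLE,Hyper-V Virtual Switch Extension Adapter,11
WIN-EXAMPLE,Hyper-V Virtual Ethernet Adapter #2,43
"""

if __name__ == "__main__":
    verdicts = {n: is_promiscuous_ndis(v) for n, v in parse_wmic_csv(SAMPLE_WMIC).items()}
    report = system_summary(verdicts)
    print("\n".join(report["lines"]))
    print("System Summary:", report["summary"])
```

Run without arguments it reports on the constructed sample; call query_local_interfaces() instead of parse_wmic_csv(SAMPLE_WMIC) to check the host it runs on. The check has the same limit Promqry has: it reads the filter the operating system reports, so a sniffer that hides itself below that layer is not caught by it.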

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: PromqryUI
Information Collected/Objectives Achieved:
Computer name: WIN-D39MR5HL9E4
Domain: WORKGROUP
Computer manufacturer: Dell Inc.
Computer model: OptiPlex 390
Primary owner: Windows User
User currently logged on: WIN-D39MR5HL9E4\Administrator
Operating system: Microsoft Windows Server 2012 Release Candidate Datacenter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.

Internet Connection Required
[x] Yes [ ] No
Platform Supported
[x] Classroom [x] iLabs

Lab

Sniffing Password from Captured Packets using Sniff-O-Matic
Sniff-O-Matic is a network protocol analyzer and packet sniffer with a clear and intuitive interface.

Lab Scenario
Attackers may install a sniffer in a trusted network to capture packets and will be able to view every single packet that is going across the network, if the network uses a hub or a router for data transmission. With the captured packets, attackers can learn about vulnerabilities and sniff the user name and password and log in to the network as an authenticated user. Once logged in successfully to a network, the hacker can easily install viruses and Trojans to steal data and sensitive information, and cause serious damage to that network.
As an expert ethical hacker and penetration tester you should have sound knowledge of sniffing, network protocols, authentication mechanisms and encryption techniques. You should also regularly check your network and close the unnecessary ports that are open. Always ensure that if any sensitive data is required to be sent over the network, you use an encrypted protocol to minimize data leakage.

Lab Objectives
The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.

Lab Environment
To carry out the lab, you need:
Sniff-O-Matic, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Sniff-O-Matic

You can also download the latest version of Sniff-O-Matic from http://www.kwakkelflap.com/sniffer.html

If you decide to download the latest version, then the screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Double-click snifftrial.exe and follow the wizard-driven installation steps to install Sniff-O-Matic
Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration
Time: 10 Minutes

Overview of Sniff-O-Matic

Sniff-O-Matic captures network traffic and enables you to analyze the data. Detailed packet information is available in a tree structure or a raw data view of the packet data. Sniff-O-Matic's button bar and columnar data display present the collected network traffic data logically and succinctly.

Lab Tasks
TASK 1: Launching the Sniff-O-Matic tool
1. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

FIGURE 9.1: Windows Server 2012 Desktop view

2. Click Sniff-O-Matic in the Start menu to launch the Sniff-O-Matic tool.

Sniff-O-Matic is a packet sniffer: a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network.

FIGURE 9.2: Windows Server 2012 Desktop view

3. The main Sniff-O-Matic window appears; select the adapter from the drop-down list and click the Start Capture button.

TASK 2: Sniff-O-Matic: Start Packet Capture

FIGURE 9.3: Sniff-O-Matic Start capture

4. When the tool starts capturing the packets, launch a browser and log in to your email account.

5. Then, click the Stop Capture button to view the captured packets.

Packet capture is the act of capturing data packets crossing a computer network.

FIGURE 9.4: Sniff-O-Matic Stop capture

6. In the list of captured packets, select a packet to view detailed information.
From the captured packets, detailed information such as Header Length, Protocol, Header Checksum, Source IP, Destination IP, etc. can be viewed by selecting a particular packet.

FIGURE 9.5: Sniff-O-Matic Viewing packet information

7. In the right pane, select items from the tree; the data bytes for the selected item are highlighted in red.

Port numbers can occasionally be seen in a web or other service URL. By default, HTTP uses port 80 and HTTPS uses port 443, but a URL such as http://www.example.com:8080/path/ specifies that the web resource be served by the HTTP server on port 8080.

FIGURE 9.6: Sniff-O-Matic Viewing packet information

8. Now, perform a search for the data in captured frames. Select Options and Find.

FIGURE 9.7: Sniff-O-Matic - Performing search

9. The Find pop-up box appears; type pwd to search for the password information.

Detailed packet information is available in a tree structure or a raw data view of the packet data.

FIGURE 9.8: Sniff-O-Matic Performing password search

10. An icon (packets with binoculars) will appear for the found packets, as shown in the following screenshot.

Sniff-O-Matic's key features include:
Capture IP packets on your LAN without packet loss
Monitor network activity in real time
Filters to show only the packets you want
Real-time checksum calculation
Save and load captured packets
Auto start capturing and continuous capture
Traffic charts with filter info

FIGURE 9.9: Sniff-O-Matic - Password search results

11. Select the found packet and scroll down the data list for the information, which will be indicated in blue.

Packets captured using Sniff-O-Matic allow you to sniff a password that is sent in cleartext format.

FIGURE 9.10: Sniff-O-Matic Password search results

If an attacker is able to capture these packets, he can easily identify the password and log in to the network as an authenticated user. Attackers will have an advantage if they discover that the same password is being used for all the computers.

12. To mark the packets, right-click the selected packet and click Mark.

FIGURE 9.11: Sniff-O-Matic Marking a packet

13. Once the packets are marked, they will have a different icon.

Besides protocol and port data, the program displays source and destination IP addresses and raw packet information. The program offers no IP address to domain name conversion.

FIGURE 9.12: Sniff-O-Matic Marked packets

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Sniff-O-Matic
Information Collected/Objectives Achieved:
Header Length: 5
Time To Live: 61
Protocol: 6
Header Checksum: 0xC1F6
Source IP: 123.176.32.155
Dest. IP: 10.0.0.7
Source Port: 80 (HTTP)
Destination Port: 2753
Username and password
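The header fields listed above (header length, TTL, protocol, checksum, addresses, ports) and the pwd search of steps 9 to 11 are the two things a sniffer does with a frame: decode the headers and look inside the payload. The following Python script is an added example, not code from Sniff-O-Matic or from the lab manual. On a constructed packet it parses the IPv4 and TCP headers with the standard library, verifies both checksums (so a corrupted or tampered capture is not mistaken for a genuine login), and reports any form field whose name looks like a credential field. The IP addresses and ports mirror the lab's capture; the HTTP request, host name and credential values are constructed, and the field-name list CREDENTIAL_FIELDS is an assumption.

```python
"""Decode an IPv4/TCP frame field by field (the tree Sniff-O-Matic shows), verify
both checksums, and flag HTTP form fields that carry credentials in cleartext.
Added example; the packet below is constructed, not taken from a capture."""
import socket
import struct
from urllib.parse import parse_qs

# Assumption: form-field names that commonly carry a password.
CREDENTIAL_FIELDS = {"pwd", "password", "passwd", "pass"}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum used by both the IPv4 and the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Pseudo-header prepended to the segment for the TCP checksum (RFC 793)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the IP and TCP header fields, checksum verdicts and the TCP payload."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    ip_zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl]   # checksum field zeroed
    info = {
        "version": ver_ihl >> 4,
        "header_length": ver_ihl & 0x0F,   # in 32-bit words: 5 means 20 bytes
        "tos": tos, "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": hcs,
        "ip_checksum_ok": rfc1071_checksum(ip_zeroed) == hcs,
        "src_ip": src_ip, "dst_ip": dst_ip,
    }
    if proto != 6:   # not TCP: nothing more to decode here
        return info
    tcp = packet[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, tcs, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    tcp_zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    info.update({
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12, "tcp_flags": off_flags & 0x1FF,
        "window": window, "tcp_checksum": tcs, "urgent": urg,
        "tcp_checksum_ok": rfc1071_checksum(
            tcp_pseudo_header(src_ip, dst_ip, len(tcp)) + tcp_zeroed) == tcs,
        "payload": tcp[data_off:],
    })
    return info


def find_cleartext_credentials(payload: bytes) -> dict:
    """Credential-looking fields in an HTTP request: query string or urlencoded POST body."""
    text = payload.decode("latin-1")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return {}
    method, _, rest = head.split("\r\n", 1)[0].partition(" ")
    target = rest.split(" ", 1)[0]
    fields = {}
    if "?" in target:
        fields.update(parse_qs(target.split("?", 1)[1], keep_blank_values=True))
    if method == "POST":
        fields.update(parse_qs(body, keep_blank_values=True))
    return {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload: bytes, ttl=128) -> bytes:
    """Assemble a packet with correct checksums so the parser has realistic input."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0xB85A34D4, 0x561A0268,
                      (5 << 12) | 0x018, 63751, 0, 0) + payload        # PSH|ACK
    tcs = rfc1071_checksum(tcp_pseudo_header(src_ip, dst_ip, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcs) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x7B8C, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + tcp


# Constructed sample: a login POST like the one the lab's "pwd" search turns up.
BODY = b"email=alice%40example.test&pwd=S3cret"
SAMPLE_PACKET = build_ipv4_tcp(
    "10.0.0.7", "123.176.32.155", 2753, 80,
    b"POST /login.php HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

if __name__ == "__main__":
    info = parse_ipv4_tcp(SAMPLE_PACKET)
    for key in ("version", "header_length", "ttl", "protocol", "ip_checksum_ok",
                "src_ip", "dst_ip", "src_port", "dst_port", "tcp_checksum_ok"):
        print(f"{key:>16}: {info[key]}")
    print("cleartext credential fields:", find_cleartext_credentials(info["payload"]))
```

Run over a real capture, the same check tells you which applications still send credentials over plain HTTP and therefore need TLS; that list, rather than any captured value, is the finding worth recording in the lab analysis.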

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine how you can defend against ARP cache poisoning in a network.


Internet Connection Required
[x] Yes [ ] No
Platform Supported
[x] Classroom [x] iLabs
