CEH v8 Labs Module 08 Sniffers PDF
Sniffers
Module 08
Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.
Lab Scenario
Sniffing is a technique used to intercept data in information security, where many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.
Network sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes. A packet sniffer is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, proceeding to troubleshoot them.
Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic, they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in cleartext format. An attacker can easily intrude into a network using this login information and compromise other systems on the network.
Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers, and he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, and know the types of information that can be detected from the captured data and use the information to keep the network running smoothly.
Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network.
The primary objectives of this lab are to:
Sniff the network
Analyze incoming and outgoing packets
Troubleshoot the network for performance
Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in sniffing the network:
Sniffing the network using the Colasoft Packet Builder
Sniffing the network using the OmniPeek Network Analyzer
Spoofing MAC address using SMAC
Sniffing the network using the WinArpAttacker tool
Analyzing the network using the Colasoft Network Analyzer
Sniffing passwords using Wireshark
Performing man-in-the-middle attack using Cain & Abel
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
In this lab, you need:
OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as target machine
Lab Duration
Time: 20 Minutes
Lab Tasks
TASK 1: Installing OmniPeek Network Analyzer
1. Install OmniPeek Network Analyzer on the host machine Windows Server 2012.
2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.
3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.
Note: OmniPeek Enterprise provides users with the visibility and analysis they need to keep Voice and Video applications and non-media applications running optimally on the network.
FIGURE 1.3: OmniPeek main screen
4. Click Adapter and select Ethernet in the list for Local machine. Click OK.
[Figure: Capture Options window, Adapter tab, with Ethernet selected under Local machine]
Note: With the Ethernet, Gigabit, 10G, and wireless capabilities, you can now effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership.
8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.
Note: OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines acting as both a full-featured network analyzer and console for remote network analysis.
[Figure: Capture tab showing network utilization (1 Minute Window, 1 Second Average) and Top Protocols]
Note: On-the-Fly Filters: You shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets select related feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis, with a simple right click of the mouse.
12. You can view a complete Summary of your network from the Statistics section of the Dashboard.
Note: Alarms and Notifications: Using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.
FIGURE 1.10: OmniPeek Summary details
Note: Using OmniPeek's local capture capabilities, the centralized console distributes OmniEngine intelligent software probes, Omnipliance, Timeline network recorders, and Expert Analysis.
14. Choose the format of the report type from the Save Report window and then click Save.
[Figure: Save Report window with Report type and Report folder fields]
Lab Analysis
Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.
Lab
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
In this lab, you will learn how to spoof a MAC address.
Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
In the lab, you need:
SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
If you decide to download the latest version, then screenshots shown in the lab might differ
Lab Duration
Time: 10 Minutes
Overview of SMAC
Note: SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any Network Interface Cards (NICs) on Windows 2003 systems, regardless of whether the manufacturers allow this option.
Spoofing a MAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses.
Spoofing is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems, i.e., wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the systems owner(s).)
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
Note: SMAC works on the Network Interface Card (NIC), which is on the Microsoft hardware compatibility list (HCL).
FIGURE 2.1: Windows Server 2012 Desktop view
2. Click the SMAC 2.7 app in the Start menu to launch the tool.
Note: When you start the SMAC program, you must start it as the administrator. You could do this by right clicking on the SMAC program icon and clicking on "Run as Administrator" if not logged in as an administrator.
Note: SMAC helps people to protect their privacy by hiding their real MAC Addresses in the widely available Wi-Fi Wireless Network.
FIGURE 2.3: SMAC main screen
4. To generate a random MAC address, click Random.
5. Clicking the Random button also inputs the New Spoofed MAC Address to simplify MAC address spoofing.
Note: SMAC does not change the hardware burned-in MAC addresses. SMAC changes the software-based MAC addresses, and the new MAC addresses you change are sustained across reboots.
Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.
FIGURE 2.7: SMAC Network Adapter information
11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.
FIGURE 2.9: SMAC Configuration ID display
13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.
FIGURE 2.11: SMAC IPConfig information
14. You can also import the MAC address list into SMAC by clicking MAC List.
FIGURE 2.12: SMAC listing MAC addresses
15. If there is no address in the MAC address field, click Load List to select a MAC address list file you have created.
Note: The IPConfig information will show in the "View IPConfig" Window. You can use the File menu to save or print the IPConfig information.
FIGURE 2.13: SMAC MAC list window
16. Select the Sample_MAC_Address_List.txt file from the Load MAC List window.
Note: When changing the MAC address, you MUST assign MAC addresses according to the IANA Number Assignments database. For example, "00-00-00-00-00-00" is not a valid MAC address; therefore, even though you can update this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver; however, the device will not function.
[Figure: Load MAC List dialog in ProgramData\KLC\SMAC showing LicenseAgreement.txt and Sample_MAC_Address_List.txt]
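The note above says a spoofed address must be a valid one, and the lab illustrates an invalid one with 00-00-00-00-00-00. The following Python example is added here and is not part of the lab or of SMAC: it applies the checks a NIC driver, or an administrator reviewing a MAC list before loading it, would apply (notation, all-zero and broadcast values, the group bit, the locally administered bit); the sample addresses and the one-address-per-line list format are constructed assumptions.

```python
import re

# Accepts 00-15-5D-A8-6E-09, 00:15:5d:a8:6e:09 and 0015.5DA8.6E09 notations
_MAC_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$"
    r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
)


def parse_mac(text):
    """Return the six octets of a MAC address as bytes, or None if malformed."""
    text = text.strip()
    if not _MAC_RE.match(text):
        return None
    return bytes.fromhex(re.sub(r"[-:.]", "", text))


def check_mac(text):
    """Classify a candidate MAC the way the NIC driver (or an administrator
    reviewing a MAC list) would.  Returns (accepted, reason)."""
    octets = parse_mac(text)
    if octets is None:
        return False, "malformed: expected six hex octets"
    if octets == bytes(6):
        # The lab's own example: 00-00-00-00-00-00 is not a valid address; a
        # driver may reject it or leave the device non-functional
        return False, "all-zero address is not a valid MAC"
    if octets == b"\xff" * 6:
        return False, "broadcast address cannot be assigned to a NIC"
    if octets[0] & 0x01:
        # Bit 0 of the first octet is the I/G (group) bit: multicast addresses
        # are destinations only and never a station's own address
        return False, "group (multicast) bit set; not a unicast address"
    if octets[0] & 0x02:
        # Bit 1 is the U/L bit: locally administered, i.e. not taken from the
        # IEEE/IANA OUI registry.  Valid, and a tell-tale of a spoofed address.
        return True, "locally administered address (not a registered OUI)"
    return True, "universally administered address (OUI %s)" % octets[:3].hex("-").upper()


def format_mac(octets, sep="-"):
    """Render six octets in SMAC's dash-separated upper-case style."""
    return sep.join("%02X" % b for b in octets)


def review_mac_list(lines):
    """Apply check_mac to every non-empty, non-comment line of a MAC list
    (assumed format: one address per line, '#' starts a comment).
    Returns a list of (address, accepted, reason)."""
    results = []
    for line in lines:
        addr = line.split("#", 1)[0].strip()
        if addr:
            results.append((addr, *check_mac(addr)))
    return results


# Constructed sample list (not SMAC's shipped Sample_MAC_Address_List.txt)
SAMPLE_LIST = """
00-15-5D-A8-6E-09   # universally administered
02-15-5D-A8-6E-09   # locally administered (U/L bit set)
01-00-5E-00-00-16   # IPv4 multicast group address
00-00-00-00-00-00   # the lab's invalid example
FF-FF-FF-FF-FF-FF
00-15-5D            # truncated
""".strip().splitlines()

if __name__ == "__main__":
    for addr, ok, why in review_mac_list(SAMPLE_LIST):
        print("%-18s %s  %s" % (addr, "OK " if ok else "BAD", why))
```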
17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC Address and click Select. This MAC Address will be copied to New Spoofed MAC Address on the main SMAC screen.
Note: SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.
Note: SMAC displays the following information about a Network Interface Card (NIC): Device ID, Active Status, NIC Description, Spoofed status, IP Address, Active MAC address.
FIGURE 2.15: SMAC MAC List window
18. To restart the Network Adapter, click Restart Adapter, which restarts the selected Network Adapter. Restarting the adapter causes a temporary disconnection problem for your Network Adapter.
Lab Analysis
Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate and list the legitimate use of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using the SMAC.
Lab Objectives
The objectives of this lab are to:
Scan, Detect, Protect, and Attack computers on local area networks (LANs):
Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
Save and load computer list files, and scan the LAN regularly for a new computer list
Update the computer list in passive mode using sniffing technology
Freely provide information regarding the type of operating systems they employ
Discover the kind of firewall, wireless access point and remote access
Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
To conduct the lab you need to have:
WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 2008 running on virtual machine as target machine
A computer updated with network devices and drivers
Installed version of WinPcap drivers
Double-click WinArpAttacker.exe to launch WinArpAttacker
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Note: WinARPAttacker works on computers running Windows /2003.
Overview of Sniffing
Sniffing is performed to collect basic information of a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.
Lab Tasks
TASK 1: Scanning Hosts on the LAN
1. Launch Windows 8 Virtual Machine.
2. Launch WinArpAttacker in the host machine.
Note: Caution: This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the author (unshadow); if you don't agree with this, you must delete it immediately.
[Figure: WinArpAttacker main window with Online, Sniff, Attack, ArpSQ, ArpSP, ArpRQ, ArpRP, Packets and Traffic columns]
6. Scanning saves and loads a computer list file and also scans the LAN regularly for new computer lists.
By performing the attack action, scanning can pull and collect all the packets on the LAN.
ARP Attack
Select a host (10.0.0.5 Windows Server 2008) from the displayed list and select Attack -> Flood.
[Figure: WinArpAttacker 3.5 2006.6.4 event list after the scan, with timestamps, event type, and the IP and MAC addresses of the discovered hosts]
Note: The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.
12. Select a desired location and click Save to save the report.
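The Flood option described above leaves a recognisable trace on the wire: a burst of ARP replies that contradict the IP-to-MAC bindings hosts already hold. The Python example below is added here and is not part of the lab or of WinArpAttacker; it shows the defender's side, running over a constructed list of ARP observations (timestamps, addresses and thresholds are assumptions) and flagging binding changes and reply floods.

```python
from collections import defaultdict, deque


def constructed_events():
    """Constructed ARP observations, not taken from the lab's capture:
    (time_s, opcode, sender_ip, sender_mac, target_ip)."""
    ev = [
        (0.0, "reply",   "10.0.0.1", "00-15-5D-00-00-01", "10.0.0.2"),
        (0.2, "reply",   "10.0.0.5", "00-15-5D-00-00-05", "10.0.0.2"),
        (0.4, "request", "10.0.0.2", "00-15-5D-00-00-02", "10.0.0.4"),
        (0.6, "reply",   "10.0.0.4", "00-15-5D-00-00-04", "10.0.0.2"),
    ]
    # 30 replies within 0.3 s that all claim 10.0.0.5 but carry another MAC:
    # the shape an IP-conflict flood leaves on the wire
    ev += [(5.0 + i * 0.01, "reply", "10.0.0.5", "00-15-5D-00-00-07", "10.0.0.2")
           for i in range(30)]
    return ev


def detect_arp_anomalies(events, flood_threshold=20, window_s=1.0):
    """Scan ARP observations in time order and return alerts:
      ("binding-change", t, ip, old_mac, new_mac)  an IP now answered by a new MAC
      ("reply-flood", t, mac, count, window_s)     >= flood_threshold replies from
                                                  one MAC inside window_s seconds
    A binding change is only a candidate: a DHCP reassignment or a replaced NIC
    looks the same, so correlate with the DHCP lease table before acting."""
    alerts = []
    binding = {}                  # sender_ip -> last sender_mac seen in a reply
    recent = defaultdict(deque)   # sender_mac -> reply timestamps inside the window
    flooded = set()               # MACs already reported, so the alert is not repeated
    for t, op, sender_ip, sender_mac, _target_ip in sorted(events, key=lambda e: e[0]):
        if op != "reply":
            continue              # requests are lookups; replies carry the claim
        previous = binding.setdefault(sender_ip, sender_mac)
        if previous != sender_mac:
            alerts.append(("binding-change", t, sender_ip, previous, sender_mac))
            binding[sender_ip] = sender_mac
        stamps = recent[sender_mac]
        stamps.append(t)
        while stamps and t - stamps[0] > window_s:
            stamps.popleft()      # slide the window forward
        if len(stamps) >= flood_threshold and sender_mac not in flooded:
            flooded.add(sender_mac)
            alerts.append(("reply-flood", t, sender_mac, len(stamps), window_s))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(constructed_events()):
        print(alert)
```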
Lab Analysis
Analyze and document the scanned, attacked IP addresses discovered in the lab.
Questions
1. WinArp
To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.
Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
Network traffic analysis, communication monitoring
Network communication monitoring
Network problem diagnosis
Network security analysis
Network performance detecting
Network protocol analysis
Note: Colasoft Capsa Network Analyzer runs on Server 2003/Server 2008/7 with 64-bit Edition.
Lab Duration
Time: 20 Minutes
Overview of Sniffing
Sniffing is performed to collect basic information of the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information.
Sniffing can be Active or Passive.
Lab Tasks
TASK 1: Analyze Network
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
Note: Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for
FIGURE 4.1: Windows Server 2012 Desktop view
[Figure: License Information dialog with Activate Offline selected and the message "Successfully activated!"]
Note: As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.
[Figure: Capsa start page listing the analysis profiles Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis and IM Analysis]
6. In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project.
[Figure: Capture tab with the Full Analysis profile selected and the Ethernet adapter checked]
7. Dashboard provides various graphs and charts of the statistics. You can view the analysis report in a graphical format in the Dashboard section of Node Explorer.
FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard
[Figure: Summary tab showing Diagnosis counts, Traffic statistics (Total, Broadcast, Multicast) and Packet Size Distribution]
Note: A high network utilization rate indicates the network is busy, whereas a low utilization rate
9. The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols.
10. To view the slow response of TCP, click TCP Slow Response in Transport Layer, which in turn will highlight the slowest response in Diagnosis Events.
[Figure: Diagnosis tab with the Diagnosis Item tree (Application Layer, Transport Layer, Network Layer) and the Diagnosis Events list of TCP Slow ACK performance events]
12. The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information.
FIGURE 4.11: TCP Slow ACK Data Stream of Diagnostic Information window
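Capsa's TCP Slow ACK diagnosis pairs each data segment with the packet that acknowledges it and reports the delay between the two. The Python example below is added here and is not Capsa's code: it reproduces that pairing over a constructed eight-packet HTTP exchange (addresses modelled on the lab's screenshots, numbers chosen for the example), and the 200 ms threshold is an assumption, not Capsa's setting.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    no: int        # packet number in the capture
    t_ms: float    # capture time, milliseconds
    src: str       # "ip:port"
    dst: str
    seq: int       # TCP sequence number
    ack: int       # TCP acknowledgement number
    payload: int   # TCP payload bytes
    flags: str     # subset of "SAPF"


def find_slow_acks(packets, threshold_ms=200.0):
    """Pair each data-carrying segment with the first packet in the opposite
    direction whose ACK covers it (ack >= seq + payload) and report the pairs
    acknowledged later than threshold_ms.  Returns [(ack_no, data_no, delay_ms)]
    in the order the ACKs arrive.  Sequence-number wrap-around and SACK are not
    handled; that is adequate for short diagnostic windows like the lab's."""
    pending = []   # data segments not yet acknowledged
    slow = []
    for p in sorted(packets, key=lambda x: x.t_ms):
        if "A" in p.flags:
            still_pending = []
            for d in pending:
                same_flow = d.src == p.dst and d.dst == p.src
                if same_flow and d.seq + d.payload <= p.ack:
                    delay = p.t_ms - d.t_ms
                    if delay > threshold_ms:
                        slow.append((p.no, d.no, round(delay, 1)))
                else:
                    still_pending.append(d)
            pending = still_pending
        if p.payload > 0:
            pending.append(p)   # a retransmission simply queues a second copy
    return slow


def describe(event):
    """Render an event in the wording of Capsa's Diagnosis Events pane."""
    ack_no, data_no, delay = event
    return "TCP Slow ACK (Packet[%d] and Packet[%d], %.0f ms)" % (ack_no, data_no, delay)


def constructed_stream():
    """Constructed HTTP exchange; values chosen for the example, not from the capture."""
    c, s = "10.0.0.2:1406", "207.218.235.182:80"
    return [
        Pkt(25, 0.0,   c, s, 1000, 0,    0,    "S"),
        Pkt(26, 1.2,   s, c, 5000, 1001, 0,    "SA"),
        Pkt(27, 1.5,   c, s, 1001, 5001, 0,    "A"),
        Pkt(28, 2.0,   c, s, 1001, 5001, 300,  "PA"),  # GET request
        Pkt(29, 237.0, s, c, 5001, 1301, 0,    "A"),   # ACK 235 ms later: slow
        Pkt(30, 240.0, s, c, 5001, 1301, 1460, "A"),   # response, segment 1
        Pkt(31, 241.0, s, c, 6461, 1301, 1460, "A"),   # response, segment 2
        Pkt(32, 242.5, c, s, 1301, 7921, 0,    "A"),   # prompt ACK of both
    ]


if __name__ == "__main__":
    for ev in find_slow_acks(constructed_stream()):
        print(describe(ev))
```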
13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.
14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.
[Figure: Physical Endpoint tab with per-endpoint Bytes, Packets and bps columns, and the Physical Conversation pane below it]
Note: As a delicate work, network analysis always requires us to view the original packets and analyze them. However, not all the network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.
Note: TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL is initially designed to define a time scope beyond which the packet is dropped. As the TTL value is deducted by at least 1 by the router when the packet passes through, TTL often indicates the number of routers which the packet passed through before it was dropped.
FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations
18. The IP Conversation tab presents IP conversations between pairs of nodes.
19. The lower pane of the IP conversation section offers UDP and TCP conversation, which you can drill down to analyze.
[Figure: IP Conversation tab]
20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.
21. A window opens displaying full packet analysis between 10.0.0.5 and 239.255.255.250.
25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
26. The lower pane of this tab gives you related packets and reconstructed data flow to help you drill down to analyze the conversations.
In networking, an email worm is a computer worm that can copy itself to the shared folder in a system and keeps sending infected emails to stochastic email addresses. In this way, it spreads fast via SMTP mail servers.
27. On the Matrix tab, you can view the nodes communicating in the network by connecting them in lines graphically.
28. The weight of the line indicates the volume of traffic between nodes arranged in an extensive ellipse.
29. You can easily navigate and shift between global statistics and details of specific network nodes by switching the corresponding nodes in the Node Explorer window.
30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of packet decode.
Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.
31. The Packet decode consists of two major parts: Hex View and Decode View.
Protocol decoding is the basic functionality as well. There is a Packet tab, which collects all captured packets or traffic. Select a packet and we can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rule.
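To show what the Hex View and Decode View contain for the ARP packet structure described above, here is an added example in Python (not code from the lab or from Capsa): it builds a constructed 42-byte Ethernet II/ARP reply with placeholder MAC addresses, prints it as a hex dump, and decodes each field layer by layer.

```python
"""Decode an Ethernet II / ARP frame the way an analyzer's Decode View does.

Added example, not code from the CEH lab or from Colasoft Capsa. The sample
frame below is constructed for this example (an ARP reply from the host with
IP 10.0.0.1 to the host with IP 10.0.0.2); the MAC addresses are placeholders.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def decode_arp_frame(frame):
    """Return the fields an analyzer shows for an ARP frame, layer by layer.
    Raises ValueError for frames that are not ARP over Ethernet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    off = 22
    sha, spa = frame[off:off + 6], frame[off + 6:off + 10]
    tha, tpa = frame[off + 10:off + 16], frame[off + 16:off + 20]
    return {
        "eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.type": f"0x{ethertype:04x}",
        "arp.opcode": ARP_OPCODES.get(op, f"unknown({op})"),
        "arp.sender_mac": mac_str(sha), "arp.sender_ip": ip_str(spa),
        "arp.target_mac": mac_str(tha), "arp.target_ip": ip_str(tpa),
    }


def hex_view(frame, width=16):
    """Hex View lines: offset, hex bytes, printable ASCII (dots for the rest)."""
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {ascii_part}")
    return lines


# Constructed sample: 10.0.0.1 (placeholder gateway MAC) answering 10.0.0.2's request.
GATEWAY_MAC = bytes.fromhex("000000000001")   # placeholder
HOST_MAC = bytes.fromhex("000000000002")      # placeholder
SAMPLE_FRAME = build_arp_frame(
    src_mac=GATEWAY_MAC, dst_mac=HOST_MAC, opcode=2,
    sender_mac=GATEWAY_MAC, sender_ip=bytes([10, 0, 0, 1]),
    target_mac=HOST_MAC, target_ip=bytes([10, 0, 0, 2]),
)

if __name__ == "__main__":
    for line in hex_view(SAMPLE_FRAME):      # what the Hex View pane shows
        print(line)
    for k, v in decode_arp_frame(SAMPLE_FRAME).items():   # the Decode View pane
        print(f"{k:16s} {v}")
```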
32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP conversations, Web access, DNS transactions, Email communications, etc.
34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
35. The Report tab provides 27 statistics reports from the global network to a specific network node.
36. You can click the respective hyperlinks for information or you can scroll down to view the complete detailed report.
Full Analysis Report: Top 10 Remote IP Address
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Questions
1. Analyze how Capsa affects your network traffic, while analyzing the network.
2. What types of instant messages does Capsa monitor?
3. Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on software?
Internet Connection Required
[x] Yes [ ] No
Platform Supported
[x] Classroom [ ] iLabs
Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers will first know the IP address and correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set.
As an administrator you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.
Lab Objectives
The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and data collection from any network topology.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
Lab Environment
In the lab you will need:
Wireshark located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark
You can also download the latest version of Wireshark from the link http://www.wireshark.org/download.html
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as Host (Attacker) machine
Lab Duration
Time: 20 Minutes
Lab Tasks
TASK 1: Capturing Packets
1. Before starting this lab, login to the virtual machine(s).
2. On the host machine, launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
6. From the Wireshark menu bar, select Capture -> Interfaces (Ctrl+I).
Wireshark is used for:
Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
Developers use it to debug protocol implementations
7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet Driver Interface that is connected to the system.
8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show some packets passing through it, as it is connected to the network.
9. Click Start in that interface's line.
Wireshark can capture traffic from many different network media types, including, despite its name, wireless LAN as well.
10. Traffic, in the form of packets generated through the computer while browsing the Internet, is displayed.
11. Now, switch to the virtual machine and login to your email ID for which you would like to sniff the password.
TASK 2: Stop Live Capturing
12. Stop the running live capture by clicking the stop icon on the toolbar.
13. You may save the captured packets from File -> Save As, provide a name for the file, and save it in the desired location.
16. In Find By, select String, type pwd in the Filter field, select the radio button for Packet details under Search In and select ASCII Unicode & Non-Unicode from the Character set drop-down list. Click Find.
17. Wireshark will now display the sniffed password from the captured packets.
18. If you are working on the iLabs environment, then use the Test(WS) sample captured file located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark\Wireshark Sample Capture files to sniff the password.
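The string search in steps 16 and 17 finds a password only because the login form went over plain HTTP. As an added example (not code from the lab or from Wireshark), the Python below audits a reassembled HTTP request for credential-like form fields, the check a defender runs over a capture to list logins that still need to move to HTTPS; the request, host, path and values are constructed placeholders, and secret values are masked in the report.

```python
"""Audit a captured HTTP request for credentials sent in cleartext.

Added example, not code from the CEH lab or from Wireshark. It does, on a
reassembled TCP payload, what the lab does by hand with Find -> String "pwd":
it locates form fields whose names look like credentials. The request below is
constructed for this example; the host, path and values are placeholders.
"""
from urllib.parse import parse_qsl

SECRET_FIELDS = {"pwd", "pass", "passwd", "password", "passwort", "pin"}
IDENTITY_FIELDS = {"user", "username", "login", "email", "uid", "userid"}


def mask(value):
    """Keep only the first character so a report does not replay the secret."""
    return value[:1] + "*" * max(len(value) - 1, 0) if value else ""


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the body is cut to Content-Length when present."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found (truncated capture?)")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def find_cleartext_credentials(payload):
    """Return one finding per credential-like form field in a cleartext POST."""
    method, path, headers, body = parse_http_request(payload)
    if method != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    expected = int(headers.get("content-length", len(body)))
    findings = []
    for name, value in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True):
        key = name.lower()
        if key in SECRET_FIELDS:
            kind = "secret"
        elif key in IDENTITY_FIELDS:
            kind = "identity"
        else:
            continue
        findings.append({
            "host": headers.get("host", "?"), "path": path,
            "field": name, "kind": kind,
            "value": mask(value) if kind == "secret" else value,
            "complete": len(body) == expected,   # False when the capture was cut short
        })
    return findings


# Constructed sample: a login form submitted over plain HTTP (placeholder host and values).
BODY = b"username=martin&pwd=apple&remember=1"
SAMPLE_REQUEST = b"\r\n".join([
    b"POST /login_verify.php HTTP/1.1",
    b"Host: www.example.com",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: " + str(len(BODY)).encode(),
    b"",
    BODY,
])

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"{f['host']}{f['path']}: {f['kind']} field {f['field']!r} = {f['value']}")
```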
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Questions
1. Evaluate the protocols that are supported by Wireshark.
2. Determine the devices Wireshark uses to capture packets.
Internet Connection Required
[x] Yes [ ] No
Platform Supported
[x] Classroom [ ] iLabs
Performing Man-in-the-Middle Attack Using Cain & Abel
Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network and cracking encrypted passwords.
Lab Objectives
The objective of this lab is to accomplish the following information regarding the target organization that includes, but is not limited to:
Sniff network traffic and perform ARP poisoning
Launch a man-in-the-middle attack
Sniff the network for the password
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
Lab Environment
To carry out the lab, you need:
Cain & Abel located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel
You can also download the latest version of Cain & Abel from http://www.oxid.it
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on virtual machine as attacker machine
Lab Duration
Time: 20 Minutes
Lab Tasks
TASK 1
1. Launch your Windows 2008 Server virtual machine (Victim Machine).
6. When you first open Cain & Abel, you will notice a series of tabs near the top of the window.
7. To configure the Ethernet card, click Configure from the menu bar.
Configuration Dialog (tabs: Sniffer, APR (Arp Poison Routing), Filters and ports, HTTP Fields, Traceroute, Certificate Spoofing, Certificates Collector, Challenge Spoofing)
For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first, that address can be easily identified for troubleshooting and second, it is not supposed to exist in your network.
The most crucial item in that list is the radioactive
13. Click the Plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts.
14. The MAC Address Scanner window appears. Select All hosts in my subnet and check the All Tests check box. Click OK.
15. Cain & Abel starts scanning for MAC addresses and lists all found MAC addresses.
Speeding up packet capture speed by wireless packet injection
APR state Half-Routing means that APR is routing the traffic correctly but only in one direction (ex: Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer loses all packets of an entire direction so it cannot grab authentications that use a challenge-response
APR state Full-Routing means that the IP
19. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which you can add the IPs to listen to traffic.
The Protected Store is a storage facility provided as part of Microsoft CryptoAPI. Its primary use is to securely store private keys that have been issued to a user. Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express for example store user names and passwords using this service.
The New ARP Poison Routing window carries the following warning:
WARNING !!! APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities WAN traffic will be intercepted as well. Please note that since your machine has not the same performance of a router you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.
22. Now launch the command prompt in Windows 2008 Server and type ftp 10.0.0.3 (IP address of Windows 8 machine) and press Enter.
23. When prompted for Username type Martin and press Enter, and for password type apple and press Enter.
There is also another set used for credentials that should persist on the local machine only and cannot be used in roaming profiles; this is called "Local Credential Set" and it refers to the file \Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials

Administrator: C:\Windows\system32\cmd.exe - ftp 10.0.0.3
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>ftp 10.0.0.3
Connected to 10.0.0.3.
220 Microsoft FTP Service
User (10.0.0.3:(none)): Martin
331 Password required
Password:
230 User logged in.
ftp> _
24. Now, on the host machine, observe the tool listing some packets exchanged.
APR tab showing status Poisoning between 10.0.0.3 and 10.0.0.5
Credentials are stored in the registry under the key HKEY_CURRENT_USER\Software\Microsoft\Prote
25. Click the Passwords tab as shown in the following screenshot to view the sniffed password for ftp 10.0.0.3.
Passwords tab (FTP): Timestamp 18/09/2012 15:54:10, Username Martin, Password apple
This set of credentials is stored in the file \Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
2. How can you easily find the password captured in an RDP MITM attack using only Notepad or some other text editor?
3. How can one protect a Windows Server against RDP MITM attacks?
Internet Connection Required
[x] Yes [ ] No
Platform Supported
[x] Classroom [x] iLabs
Lab
Lab Objectives
The objective of this lab is to accomplish the following regarding the target organization that includes, but is not limited to:
To detect ARP attacks
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
Lab Environment
To carry out the lab, you need:
XArp is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp
You can also download the latest version of XArp from http://www.chrismc.de/development/xarp/index.html
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Double-click xarp-2.2.2-win.exe and follow the wizard-driven installation steps to install XArp
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of XArp
XArp helps users to detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for ARP attacks. Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.
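As an added example of the checks an ARP monitor like XArp performs on a subnet (this is not XArp's code, and the three rules are a simplified stand-in for its detection modules), the Python below learns IP-to-MAC mappings from a stream of ARP records and alerts on unsolicited replies, mappings that change, and one MAC answering for several IPs; the records and MAC addresses are constructed placeholders modelled on a gateway and a host both being answered for from a third MAC, which is what the APR setup of the previous lab looks like on the wire.

```python
"""Flag ARP replies that look like cache poisoning, the kind of check an ARP
monitor such as XArp runs on every ARP packet it sees.

Added example, not code from the CEH lab or from XArp; the rules below are a
simplified stand-in for XArp's own modules. The records are constructed for
this example and the MAC addresses are placeholders.
"""
from collections import defaultdict


class ArpMonitor:
    """Tracks IP-to-MAC mappings learned from ARP and reports inconsistencies."""

    def __init__(self, gateway_ip=None):
        self.gateway_ip = gateway_ip
        self.mapping = {}                 # ip -> mac first learned for it
        self.claims = defaultdict(set)    # mac -> set of ips it has answered for
        self.pending = set()              # (requester_ip, requested_ip) still unanswered

    def observe(self, rec):
        """Feed one ARP record: dict with op, sender_mac, sender_ip, target_ip.
        Returns a list of alert strings (empty when nothing is suspicious)."""
        alerts = []
        op, mac = rec["op"], rec["sender_mac"].lower()
        ip, tip = rec["sender_ip"], rec["target_ip"]
        if op == "request":
            self.pending.add((ip, tip))
            return alerts
        if op != "reply":
            return alerts
        # Rule 1: a reply nobody asked for (gratuitous ARP is one benign cause).
        if (tip, ip) in self.pending:
            self.pending.discard((tip, ip))
        else:
            alerts.append(f"unsolicited reply: {ip} is-at {mac} sent to {tip}")
        # Rule 2: the IP was already bound to a different MAC.
        known = self.mapping.get(ip)
        if known is None:
            self.mapping[ip] = mac
        elif known != mac:
            who = "gateway " if ip == self.gateway_ip else ""
            alerts.append(f"mapping change: {who}{ip} moved from {known} to {mac}")
        # Rule 3: one MAC answering for several IPs, which is what poisoning
        # both ends of a conversation looks like.
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"{mac} claims {len(self.claims[mac])} IPs: {sorted(self.claims[mac])}")
        return alerts


def scan(records, gateway_ip=None):
    """Run the monitor over a record list; returns all alerts in order."""
    mon = ArpMonitor(gateway_ip)
    out = []
    for rec in records:
        out.extend(mon.observe(rec))
    return out


# Constructed records: a normal lookup of the gateway by 10.0.0.5 (and the
# reverse), then a third MAC answering for both addresses without being asked.
GW_MAC, HOST_MAC, ROGUE_MAC = "00:00:00:00:00:01", "00:00:00:00:00:05", "00:00:00:00:00:0a"
SAMPLE_RECORDS = [
    {"op": "request", "sender_mac": HOST_MAC, "sender_ip": "10.0.0.5", "target_ip": "10.0.0.1"},
    {"op": "reply", "sender_mac": GW_MAC, "sender_ip": "10.0.0.1", "target_ip": "10.0.0.5"},
    {"op": "request", "sender_mac": GW_MAC, "sender_ip": "10.0.0.1", "target_ip": "10.0.0.5"},
    {"op": "reply", "sender_mac": HOST_MAC, "sender_ip": "10.0.0.5", "target_ip": "10.0.0.1"},
    {"op": "reply", "sender_mac": ROGUE_MAC, "sender_ip": "10.0.0.1", "target_ip": "10.0.0.5"},
    {"op": "reply", "sender_mac": ROGUE_MAC, "sender_ip": "10.0.0.5", "target_ip": "10.0.0.1"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS, gateway_ip="10.0.0.1"):
        print("ALERT:", a)
```

Rule 3 also fires for a legitimate router or a host with several addresses, so in practice such MACs need an allowlist.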
Lab Tasks
TASK 1: Launching the XArp tool
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
2. Click XArp in the Start menu to launch the XArp tool.
Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker.
3. The main window of XArp appears with a list of IPs, MAC addresses, and other information for machines in the network.
XArp - unregistered version
File XArp Professional Help
IP | MAC | Host | Vendor I Interface | O nline | Cache | First seen | Last see
10.0.0.1 00-09-5... 10.0.0.1 Netgear, Inc. 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
10.0.0.2 dO-67-e... WIN-MSSELCK... unknown 0x11 - M icroso... yes no 9/20/2012 14:22:55 9/20/20
10.0.0.6 00-15-5... AD M IN-PC M icrosoft Cor... 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
& 10.0.0.7 d4-be-... WIN-D39MR5... unknown 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
10.0.0.8 00-15-5... ADM IN M icrosoft Cor... 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
10.0.0.10 d4-be-... WIN-2N9STOS... unknown 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
& A MAC address is a
& 10.0.0.12 00-15-5... WINDOWS8 M icrosoft Cor... 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
unique identifier for 10.0.0.13 00-15-5... WIN-EGBHISG... M icrosoft Cor... 0x11 - M icroso... yes yes 9/20/2012 14:22:55 9/20/20
network nodes on a LAN.
MAC addresses are
associated to network
adapter that connects
devices to networks. The
MAC address is critical to
locating networked XArp 22 2 * 8 m appings - 2 interfaces - 0 alerts
& An attacker can alter IP | MAC | Host | Vendor j Interface | O nline | Cache | First seen | Last see
10.0.0.1 00-09 5... 10.0.0.1 Netgear, Inc. 0x11 Microso... yes yes 9/20/2012 14:22 55 9/20/20
the MAC address o f the
10.0.0.2 d0-67-e... WIN-MSSELCK... unknown 0x11 Microso... yes no 9/20/2012 14:22 55 9/20/20
device that is used to 10.0.0.6 00 15 5... AD M IN-PC M icrosoft Cor... 0x11 - Microso... yes yes 9/20/2012 14:22 55 9/20/20
connect the network to 10.0.0.7 d4-be-... WIN-D39MR5... unknown 0x11 - Microso... yes yes 9/20/2012 14:22 55 9/20/20
10.0.0.8 00-15-5... ADM IN M icrosoft Cor... 0x11 - Microso... yes yes 9/20/2012 14:22 55 9/20/20
Internet and can disable
10.0.0.10 d4-be-... WIN-2N9STOS... unknown 0x11 Microso... yes yes 9/20/2012 14:22 55 9/20/20
access to the web and other 10.0.0.12 00-15-5... W IND0W S8 M icrosoft Cor... 0x11 Microso... yes yes 9/20/201214:22 55 9/20/20
external networks. 10.0.0.13 00-15-5... WIN-EGBHISG... M icrosoft Cor... 0x11 - M icroso... yes yes 9/20/2012 14:22 55 9/20/20
>
XArp 222 - 8 m appings - 2 interfaces - 0 alerts
6. Log in to Windows 2008 Server, and run Cain & Abel to initiate an
ARP attack on a Windows 2012 host machine.
7. The XArp pop-up appears displaying the alerts.

FIGURE: XArp alert detail for the flagged packet:
interface: 0x11 [ethernet]
source mac: d0-...-36
dest mac: 00-...-cc
type: 0x806 [arp]
direction: out
type: request
source ip: 10.0.0.2
dest ip: ...
XArp 2.2.2 - 11 mappings - 2 interfaces - 25 alerts
Lab Analysis
Analyze and document the results related to the lab exercise.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
Workbook review
As a network administrator you must always diagnose the network traffic using a
network analyzer and configure routers to prevent ARP flooding. Using a specific
technique with a protocol analyzer you should be able to identify the cause of the
broadcast storm and a method to resolve the storm. Identify susceptible points on
the network and protect them before attackers discover and exploit the
vulnerabilities, especially on ARP-enabled LAN systems, a protocol with known
security loopholes that allow attackers to conduct various ARP attacks.
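The checks an ARP monitor such as XArp performs can be automated on a small scale. The following Python script is an added example, not part of the CEH lab and not XArp's own code: it parses raw Ethernet/ARP frames, learns an IP-to-MAC table, and records an alert for an unsolicited reply, a changed mapping, a violated static binding (for example the gateway's pinned MAC) and a MAC that claims several addresses. The frames, the locally administered MAC addresses and the ArpWatch and run_demo names are constructed for the demo; a real deployment would feed the watcher frames read from a raw socket or a pcap file.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying an ARP packet (RFC 826, Ethernet/IPv4 flavour)."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a constructed ARP frame for the demo (the Ethernet source is the sender MAC)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(o) for o in s.split("."))
    eth_dst = to_mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else to_mac(tha)
    eth = struct.pack("!6s6sH", eth_dst, to_mac(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))
    return eth + arp


class ArpWatch:
    """Learns IP-to-MAC bindings from ARP traffic and records the kinds of anomalies an ARP
    monitor reports: a binding that changes, a reply nobody asked for, a sender MAC that
    differs from the frame's source MAC, a pinned (static) binding that is contradicted."""

    def __init__(self, static_bindings=None):
        self.table = {}                              # ip -> mac learned from traffic
        self.static = dict(static_bindings or {})    # ip -> mac pinned by the admin (e.g. gateway)
        self.pending = set()                         # (asker ip, target ip) of unanswered requests
        self.alerts = []

    def _alert(self, text: str):
        if text not in self.alerts:                  # report each distinct finding once
            self.alerts.append(text)

    def observe(self, frame: bytes) -> dict:
        p = parse_arp_frame(frame)
        if p["sha"] != p["eth_src"]:
            self._alert(f"sender MAC {p['sha']} differs from frame source {p['eth_src']}")
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                self._alert(f"unsolicited reply: {p['spa']} is-at {p['sha']}")
        self._learn(p["spa"], p["sha"])
        return p

    def _learn(self, ip: str, mac: str):
        if ip in self.static and self.static[ip] != mac:
            self._alert(f"static binding violated: {ip} claimed by {mac}, pinned to {self.static[ip]}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            self._alert(f"mapping change: {ip} {old} -> {mac}")
        self.table[ip] = mac
        owners = sorted(i for i, m in self.table.items() if m == mac)
        if len(owners) > 1:
            self._alert(f"{mac} claims several IPs: {owners}")


def run_demo() -> list:
    """Replay a constructed exchange: a normal request/reply, then a spoofed gateway reply."""
    GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
    watch = ArpWatch(static_bindings={"10.0.0.1": GW})
    frames = [
        build_arp_frame(ARP_REQUEST, HOST, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),  # who has 10.0.0.1?
        build_arp_frame(ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.2"),                    # legitimate answer
        build_arp_frame(ARP_REPLY, ROGUE, "10.0.0.1", HOST, "10.0.0.2"),                 # spoofed: 10.0.0.1 is-at ROGUE
    ]
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```

The third frame trips three distinct checks at once, which is the usual signature of a poisoning attempt; the static binding check is the one a router or gateway mapping should always be protected with, since it does not depend on the watcher having seen the legitimate reply first.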
Lab Scenario
Attackers may also install network interfaces to run in promiscuous mode to capture
all the packets that pass over a network. As an expert ethical hacker and
penetration tester you must be aware of the tools to detect network interfaces
running in promiscuous mode, as such an interface might be a network sniffer. In this
lab you will learn to use the tool PromqryUI to detect network interfaces running in
promiscuous mode.
Lab Objectives
The objective of this lab is to accomplish:
To detect promiscuous systems in a network
Lab Duration
Time: 10 Minutes
Overview of PromqryUI
PromqryUI can accurately determine if a modern managed Windows system has
network interfaces in promiscuous mode. If a system has network interfaces in
promiscuous mode, it may indicate the presence of a network sniffer running on the
system.
Lab Tasks
TASK 1: Running PromqryUI
1. Go to the tool location at Z:\CEHv8 Module 08 Sniffing\Promiscuous
Detection Tools\PromqryUI.
2. Double-click promqryui.exe, and click Run.
FIGURE: Open File - Security Warning dialog box (Do you want to run this file? Run / Cancel)
FIGURE: PromqryUI license agreement dialog box (Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. Yes / No)

In a network, promiscuous mode allows a network device to intercept and read each
network packet that arrives in its entirety.

FIGURE 8.3: PromqryUI WinZip Self-Extractor dialog box
5. Click OK after the unzip is successful.
TASK 2: Running .NET Framework 1.1
8. Click Run in the Open File - Security Warning dialog box.
FIGURE: Open File - Security Warning dialog box (Type: Application, From: Z:\CEHv8 Module 08 Sniffers\Promiscuous Detectio...)
FIGURE: "This program has known compatibility issues" dialog box (This software has known incompatibility with IIS services on this platform.)
TASK 3: Installing .NET Framework 1.1
11. Select the radio button for I agree and click Install in the License
Agreement dialog box.
FIGURE: Microsoft .NET Framework 1.1 Setup - License Agreement dialog box (I agree / I do not agree, Install / Cancel)
Installing PromqryUI
13. Now, go to C:\promqryui and double-click pqsetup.msi and follow the
installation wizard to install PromqryUI.
FIGURE 8.11: Windows 2008 Server Start menu

Promiscuous mode can be used in a malicious way to sniff on a network. In
promiscuous mode, some software might send responses to frames even though they
were addressed to another machine. However, experienced sniffers can prevent this
by using carefully designed firewall settings.
16. The Select Addition Type dialog box will appear. Click Add Single
System.
17. Type the IP address of the system you want to check for promiscuous
mode in the IP Address field in the Add System to Query dialog box
and click Save.
FIGURE 8.14: PromqryUI Add System to Query dialog box (IP Address, Host Name, Save / Cancel)

For systems that you need to query, a range of IP addresses can be provided.
Also, you can just run a query for the local system.

18. Select the added IP address in the Systems To Query section and click
Start Query.
FIGURE: PromqryUI query results for 10.0.0.2:
Querying 10.0.0.2...
Active: True
InstanceName: WAN Miniport (P...
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: Hyper-V Virtual Switch Extension Adapter
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: Hyper-V Virtual Switch Extension Adapter #2
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: Teredo Tunneling Pseudo-Interface
NEGATIVE: Promiscuous mode currently NOT enabled
...
Active: True
InstanceName: WAN Miniport (Network Monitor)
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: Hyper-V Virtual Ethernet Adapter #2
NEGATIVE: Promiscuous mode currently NOT enabled
System Summary
POSITIVE: at least one interface on system was found in promiscuous mode

Systems To Query: Start IP address 10.0.0.2, Query Status: done: positive!

Query results will let you know if the system is in promiscuous mode or not and
provide other information like Computer name, Domain, Computer Model,
Manufacturer, Owner, etc.
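The per-interface verdicts above come from a per-adapter packet filter that Windows exposes through WMI: the class MSNdis_CurrentPacketFilter in the root\wmi namespace reports, for every adapter, InstanceName, Active and NdisCurrentPacketFilter, a bitmask built from the NDIS_PACKET_TYPE_* constants in ndis.h, of which NDIS_PACKET_TYPE_PROMISCUOUS (0x20) is the one a sniffer driver sets. The following Python script is an added example, not PromqryUI's own code; it decodes that bitmask and produces a per-interface and system verdict in the same POSITIVE/NEGATIVE style as the screenshot. The SAMPLE_RECORDS are constructed, and query_local_windows_host (PowerShell's Get-CimInstance driven from subprocess) is an assumption about how one would collect live records on a Windows host; it needs administrative rights and is not exercised offline.

```python
import json
import subprocess

# NDIS packet-filter bits (ndis.h). MSNdis_CurrentPacketFilter.NdisCurrentPacketFilter
# in root\wmi carries the current value for each adapter.
NDIS_PACKET_TYPE = {
    0x01: "DIRECTED", 0x02: "MULTICAST", 0x04: "ALL_MULTICAST", 0x08: "BROADCAST",
    0x10: "SOURCE_ROUTING", 0x20: "PROMISCUOUS", 0x40: "SMT", 0x80: "ALL_LOCAL",
}
NDIS_PACKET_TYPE_PROMISCUOUS = 0x20


def decode_packet_filter(value: int) -> list:
    """Names of the packet types an adapter currently accepts, in bit order."""
    return [name for bit, name in sorted(NDIS_PACKET_TYPE.items()) if value & bit]


def assess_interface(record: dict) -> dict:
    """Verdict for one adapter record, in the style of PromqryUI's per-interface lines."""
    promisc = bool(record["NdisCurrentPacketFilter"] & NDIS_PACKET_TYPE_PROMISCUOUS)
    return {
        "InstanceName": record["InstanceName"],
        "Active": bool(record["Active"]),
        "filter": decode_packet_filter(record["NdisCurrentPacketFilter"]),
        "promiscuous": promisc,
        "verdict": ("POSITIVE: Promiscuous mode currently enabled" if promisc
                    else "NEGATIVE: Promiscuous mode currently NOT enabled"),
    }


def assess_system(records: list) -> dict:
    """Per-interface verdicts plus the system summary. Only active adapters count toward
    the summary: an inactive adapter receives no frames whatever its filter says."""
    results = [assess_interface(r) for r in records]
    flagged = [r["InstanceName"] for r in results if r["Active"] and r["promiscuous"]]
    summary = ("POSITIVE: at least one interface on system was found in promiscuous mode"
               if flagged else "NEGATIVE: no active interface in promiscuous mode")
    return {"interfaces": results, "flagged": flagged, "summary": summary}


def query_local_windows_host() -> list:
    """Hypothetical collector: fetch live records on a Windows host via PowerShell/CIM.
    Requires administrative rights; not used by the offline demo below."""
    cmd = ("Get-CimInstance -Namespace root/wmi -ClassName MSNdis_CurrentPacketFilter | "
           "Select-Object InstanceName, Active, NdisCurrentPacketFilter | ConvertTo-Json")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True, check=True).stdout
    data = json.loads(out)
    return data if isinstance(data, list) else [data]   # ConvertTo-Json unwraps a single object


# Constructed sample records, not output from a real host; one active adapter has the
# PROMISCUOUS bit set, as a capture driver would leave it.
SAMPLE_RECORDS = [
    {"InstanceName": "WAN Miniport (Network Monitor)", "Active": True, "NdisCurrentPacketFilter": 0x0B},
    {"InstanceName": "Hyper-V Virtual Ethernet Adapter #2", "Active": True, "NdisCurrentPacketFilter": 0x2B},
    {"InstanceName": "Teredo Tunneling Pseudo-Interface", "Active": False, "NdisCurrentPacketFilter": 0x09},
]

if __name__ == "__main__":
    report = assess_system(SAMPLE_RECORDS)
    for r in report["interfaces"]:
        print(f"{r['InstanceName']}: {r['verdict']} ({', '.join(r['filter'])})")
    print("System Summary:", report["summary"])
```

A remote query of the kind PromqryUI performs is the same WMI read carried out over DCOM or WinRM against the target host, so the result is only as trustworthy as the management channel and the host itself; a sniffer that hides its adapter state from WMI will not be reported, which is why this check complements rather than replaces network-side detection.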
Lab Analysis
Analyze and document the results related to the lab exercise.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Lab Objectives
The objective of this lab is to sniff passwords using the tool Sniff-O-Matic
through captured packets.
Lab Environment
To carry out the lab, you need:
Sniff-O-Matic, located at D:\CEH-Tools\CEHv8 Module 08
Sniffing\Sniffing Tools\Sniff-O-Matic
You can also download the latest version of Sniff-O-Matic from
http://www.kwakkelflap.com/sniffer.html
If you decide to download the latest version, then the screenshots shown in
the lab might differ
A computer running Windows Server 2012 as host machine
Double-click snifftrial.exe and follow the wizard-driven installation steps to
install Sniff-O-Matic
Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing
Lab Duration
Time: 10 Minutes
Lab Tasks
TASK 1: Launching the Sniff-O-Matic tool
1. Launch the Start menu by hovering the mouse cursor on the lower left
corner of the desktop.
2. Click Sniff-O-Matic in the Start menu to launch the Sniff-O-Matic tool.
3. The main Sniff-O-Matic window appears; select the adapter from the
TASK 2: Sniff-O-Matic: Start Packet Capture
4. When the tool starts capturing the packets, launch a browser and log in
to your email account.
5. Then, click the Stop Capture button to view the captured packets.
FIGURE: Sniff-O-Matic 1.07 Trial Version main window listing the captured packets (http://www.kwakkelflap.com)
7. In the right pane, select items from the tree and the data for the
respective item will be highlighted in red.
FIGURE 9.7: Sniff-O-Matic - Performing search
9. The Find pop-up box appears; type pwd to search for the password
information.
10. An icon (packets with binoculars) will appear for the found packets,
as shown in the following screenshot.
FIGURE 9.10: Sniff-O-Matic password search results (Sniff-O-Matic 1.07 Trial Version). The decoded packet shows:
IP Header: Version = 4; Header Length = 5 (20 bytes); Type Of Service = 0x00; Total Length = 729; Identification = 0x7B8C; Fragment offset = 0x0000; Time To Live = 128; Protocol = 6 (TCP); Source IP = 10.0.0.7; Dest. IP = 123.176.32.155
TCP Header: Source Port = 2753; Destination Port = 80 (HTTP); Seq Number = 0xB85A34D4; Offset = 5 (20 bytes); Flags = 0x18; Window Size = 63751; Urgent Pointer = 0x0000
Data length = 683; the hex dump of the data shows the HTTP request body with the login form fields, including pwd, in cleartext.

Packets captured using Sniff-O-Matic allow you to sniff the password, which is
available in cleartext format.

If an attacker is able to capture these packets, he can easily identify the
password and login to the network as an

12. To mark the packets, right-click the selected packet and click Mark.
FIGURE: Sniff-O-Matic 1.07 Trial Version window with the selected packet (http://www.kwakkelflap.com)
13. Once the packets are marked, they will have a different icon.
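The password is recoverable here only because the login form was submitted over plain HTTP, so the same decoding a defender runs over captured traffic will tell which applications still send credentials in cleartext and need to be moved to HTTPS. The following Python script is an added example, not part of the lab and not Sniff-O-Matic's own code: it decodes the IPv4 and TCP headers that the screenshot lists, extracts the HTTP request from the TCP payload, and reports the form fields that carry a credential, masked so the report itself does not leak the secret. The packet, addresses, hostnames and field values are constructed for the demo; the CREDENTIAL_FIELDS set and the function names are the example's own choices.

```python
import struct
from urllib.parse import parse_qs

# Form-field names that usually carry a secret (extend for the applications you monitor).
CREDENTIAL_FIELDS = {"pwd", "pass", "passwd", "password", "passphrase", "secret"}


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers (the fields Sniff-O-Matic lists) and return them with the payload."""
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    return {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "total_len": total_len,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "tcp_flags": off_flags & 0x1FF, "window": window,
            "payload": packet[ihl + data_off:total_len]}


def mask(secret: str) -> str:
    """Keep only the first character so a report never re-exposes the credential."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_cleartext_credentials(payload: bytes) -> list:
    """Return [(field, masked value)] for credential fields sent in an HTTP request:
    the query string of any method plus a form-encoded POST body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request = lines[0].split()
    if len(request) != 3 or not request[2].startswith(b"HTTP/"):
        return []                                    # not an HTTP request (binary, TLS, ...)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    _, _, query = request[1].partition(b"?")
    sources = [query]
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        sources.append(body)
    found = []
    for qs in sources:
        for field, values in parse_qs(qs.decode("latin-1")).items():
            if field.lower() in CREDENTIAL_FIELDS:
                found.extend((field, mask(v)) for v in values)
    return found


def inspect_packet(packet: bytes) -> dict:
    hdr = parse_ipv4_tcp(packet)
    hdr["credentials"] = find_cleartext_credentials(hdr["payload"])
    return hdr


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP segment carrying a login POST, not a real capture; checksums are left 0."""
    body = b"email=alice%40example.com&pwd=Winter2012!&remember=1"
    http = (b"POST /login.php HTTP/1.1\r\nHost: mail.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    total_len = 20 + 20 + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x7B8C, 0x4000, 128, 6, 0,
                     bytes([10, 0, 0, 7]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIHHHH", 2753, 80, 0xB85A34D4, 0x1A2B3C4D, (5 << 12) | 0x18, 63751, 0, 0)
    return ip + tcp + http


if __name__ == "__main__":
    r = inspect_packet(build_sample_packet())
    print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} ({len(r['payload'])} payload bytes)")
    for field, value in r["credentials"]:
        print(f"cleartext credential field '{field}' = {value}")
```

Run over a real capture the same function would be applied to each reassembled TCP stream rather than to single segments, since a form body may span several packets; the header decoding is unchanged. A TLS record in the payload yields no result, which is exactly the outcome moving the login form to HTTPS produces.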
Lab Analysis
Analyze and document the results related to the lab exercise.
Questions
1. Determine how you can defend against ARP cache poisoning in a network.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☑ iLabs