
Network Sniffers Class for the Kentuckiana ISSA 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)



We decided to put on another sniffers class. This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects: TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep and Xplico. I lost part of Gary's on-screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.


Part 1: Intro to Sniffers


Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi


Part 2: Wireshark and Wireless with Gary Hampton

Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi


Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep, Xplico and bridging.



Download: http://www.archive.org/download/IssaSniffersClass/sniffers3.avi 


Adrian's Slides

Gary's Slides

Commands used:

Wireshark Demo

1. Run Wireshark
2. Basic start capture
3. Start capture with options
4. Drill down the OSI layers
5. Capture filter options (4.9 in book):
    not tcp port 3389
    not broadcast and not multicast
6. Show a packet
7. Pop a packet out
8. Sort by columns
9. Follow stream (web traffic)
10. Export HTTP Objects
11. Simple view filters:
    tcp.port == 80
    !(ip.addr ==
12. Filter builder
13. Apply filters from different panes (packet list vs. details panes)
14. Save filters
15. Open a Wiki page
16. Edit -> Find Packet
17. Analyzers -> Expert Info
18. Analyzers -> Firewall ACLs
19. Stats
20. Color rules
21. Save capture
22. Mention Lua

    dumpcap -D                                            # list the available capture interfaces
    dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap  # full snaplen, capture filter, write to file

Sniffing in Monitor mode

   ifconfig wlan0 down            # take the interface down before changing its mode
   iwconfig wlan0 mode monitor    # switch from managed to monitor mode
   iwconfig wlan0 channel 1       # lock the radio to the channel being observed
   ifconfig wlan0 up

Ettercap Demo

1. ettercap -T -q -i eth0 -M ARP // //
2. ettercap -T -q -i eth0 -M ARP // /
3. Show ARP traffic
4. Telnet to
5. http to
6. FTP/Telnet/HTTP someplace with a password
7. Show finding sniffers:
    ettercap -G
    ettercap -T -i eth0 -P list
    ettercap -T -i eth0 -P search_promisc //
8. Filters:
    etterfilter ig.filter -o ig.ef
    ettercap -T -q -F ig.ef -M ARP // //
9. Mention MITM: icmp, dhcp, port filters
10. driftnet -i eth0
11. Etherape


Cain Demo

1. Start poisoning
2. Telnet to
3. http to
4. FTP/Telnet/HTTP someplace with a password
5. SSL someplace from VM
6. Sniff RDP

ARPSpoof Demo

   cat /proc/sys/net/ipv4/ip_forward        # check whether IP forwarding is currently on
   echo 1 > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding
   arpspoof -i eth0
   arpspoof -i eth0 -t
   dsniff -i eth0 -c
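The Ettercap, Cain and arpspoof demos above all rely on ARP poisoning, so here is the defender-side check as an added example (not from the class or its slides): it reads tcpdump-style ARP lines and reports any IP whose hardware address changes mid-capture and any single MAC that answers for more than one IP. The line format is the one tcpdump prints for ARP, and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the ARP reply form tcpdump prints, e.g.
#   "12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def find_arp_anomalies(lines):
    """Walk tcpdump-style lines and return two things:
    - a list of (ip, old_mac, new_mac) for every IP whose MAC changed
    - a dict of mac -> sorted IPs for every MAC that claimed more than one IP
    Both are the classic footprints of a poisoner sitting between two hosts."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # requests and non-ARP lines carry no is-at claim
        ip, mac = m.group("ip"), m.group("mac").lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            changes.append((ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return changes, multi


# Constructed sample: gateway .1 and host .50 answer normally, then a third
# station (aa:bb:cc:dd:ee:ff) starts answering for both of them.
SAMPLE = [
    "12:00:00.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:00.000002 ARP, Reply 192.168.1.50 is-at 00:aa:bb:cc:dd:ee, length 28",
    "12:00:00.000003 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 28",
    "12:00:01.000004 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28",
    "12:00:01.000005 ARP, Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:ff, length 28",
]

if __name__ == "__main__":
    changes, multi = find_arp_anomalies(SAMPLE)
    for ip, old, new in changes:
        print(f"{ip}: hardware address changed {old} -> {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for several IPs: {', '.join(ips)}")
```

Feed it `tcpdump -i eth0 -l -n arp` output on the segment being watched; a MAC change for the gateway address is the same symptom the ettercap search_promisc plugin and Cain's poisoning leave behind.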


NetworkMiner Demo

1. TCP fingerprinting
2. Host details
3. DHCP fingerprinting
4. File capture
5. Passwords
6. Plaintext
7. Open pcap

Bridging in Linux setup

    sudo apt-get install bridge-utils

Script to set up MAC bridging:

    ifconfig eth0                 # confirm both interfaces are present
    ifconfig eth1
    brctl addbr mybridge          # create the bridge device
    brctl addif mybridge eth0     # attach both NICs to it
    brctl addif mybridge eth1
    ifconfig mybridge up          # bring the bridge up

Things to show while bridged

    sudo tcpdump -i mybridge -s 0 -w out.cap
    sudo etherape -i mybridge
    sudo driftnet -i mybridge


Metasploit sniffing with Meterpreter

   Menu Choices 2, 1, 2 (Google.com), 2, 2, default, no
   <go to page>
   sessions -i 1
   use sniffer
   sniffer_start 2
   sniffer_dump 2 /tmp/all.cap
   <Show in Wireshark>

More at http://www.offensive-security.com/metasploit-unleashed/Packet_Sniffing_With_Meterpreter





Copyright 2015, IronGeek
Louisville / Kentuckiana Information Security Enthusiast