CEH v8 Labs, Module 08: Sniffers
CEH Lab Manual: Sniffers, Module 08
Sniffing a Network

A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.

Lab Scenario

Sniffing is a technique used to intercept data. In information security, many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.

Network sniffing involves intercepting network traffic between two target network nodes and capturing the packets exchanged between them. A packet sniffer is also referred to as a network monitor; it is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, to troubleshoot them. Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic that reaches their adapter. On a switched network, promiscuous mode alone only exposes broadcasts and the attacker's own conversations; seeing other hosts' traffic additionally requires a MAC flooding or ARP poisoning attack, a mirror port, or a hub. Once attackers have captured the traffic, they can analyze the packets and view user name and password information for a given network whenever that information is transmitted in cleartext. An attacker can then intrude into the network using this login information and compromise other systems on it. Hence, it is crucial for a network administrator to be familiar with network traffic analyzers; he or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, know the types of information that can be recovered from captured data, and use that information to keep the network running smoothly.
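The cleartext-credential recovery described in the scenario, as an added example that is not part of the lab manual and does not use OmniPeek or any other tool from this module: a small Python dissector that walks Ethernet/IPv4/TCP headers and pulls HTTP Basic and FTP logins out of the payload. The frames it runs on are constructed inside the script (the addresses, ports and credentials are made up for the example); capture from a live adapter in promiscuous mode is deliberately left out, since it needs raw-socket privileges and, on Windows, a capture driver.

```python
"""Added example (not from the CEH lab manual): a minimal packet dissector that
recovers cleartext credentials from captured Ethernet frames, the way a
password sniffer does.  Standard library only; the frames are constructed
below, nothing is read from a network adapter."""
import base64
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, src_port, dst_port, tcp_payload) for an
    Ethernet/IPv4/TCP frame, or None for anything else (ARP, UDP, runts)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20 or total_len > len(ip):
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                         # trailing Ethernet padding dropped
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                   # TCP header length incl. options
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def extract_credentials(payload: bytes) -> List[Tuple[str, str]]:
    """Pull cleartext logins out of a TCP payload: HTTP Basic authorization
    headers (base64 is encoding, not encryption) and FTP USER/PASS commands."""
    hits: List[Tuple[str, str]] = []
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                decoded = base64.b64decode(token, validate=True)
                hits.append(("http-basic", decoded.decode("utf-8", "replace")))
            except ValueError:              # binascii.Error is a ValueError
                pass
        elif line[:5].upper() == b"USER ":
            hits.append(("ftp-user", line[5:].decode("utf-8", "replace")))
        elif line[:5].upper() == b"PASS ":
            hits.append(("ftp-pass", line[5:].decode("utf-8", "replace")))
    return hits


def sniff_credentials(frames: List[bytes]) -> List[dict]:
    """Run every frame through the dissector and report who sent what where."""
    report = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        for kind, value in extract_credentials(payload):
            report.append({"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
                           "kind": kind, "value": value})
    return report


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for the example (IP and TCP
    checksums left as zero; the dissector does not verify them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed sample capture: an HTTP request with Basic auth, an FTP login in
# two segments, and an ARP request that the dissector must skip.
SAMPLE_FRAMES = [
    build_frame("10.0.0.2", "10.0.0.5", 1040, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.5", 1041, 21, b"USER bob\r\n"),
    build_frame("10.0.0.2", "10.0.0.5", 1041, 21, b"PASS hunter2\r\n"),
    bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
]

if __name__ == "__main__":
    for hit in sniff_credentials(SAMPLE_FRAMES):
        print(f"{hit['src']} -> {hit['dst']}  {hit['kind']}: {hit['value']}")
```

The dissector ignores checksums and does not reassemble TCP streams, so a credential split across two segments would be missed; the reassembly and per-protocol decoders that OmniPeek and Wireshark provide are the practical difference between this script and a real analyzer. It also shows why the lab's advice matters: anything sent over HTTP, FTP, Telnet or POP3 without TLS is readable by whoever holds the capture.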
Lab Objectives

The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:
■ Sniff the network
■ Analyze incoming and outgoing packets
■ Troubleshoot the network for performance
■ Secure the network from attacks

CEH Lab Manual Page 585. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing. In this lab, you need:
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration

Time: 80 Minutes

Overview of Sniffing

Network sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in sniffing the network:
■ Sniffing the network using the Colasoft Packet Builder
■ Sniffing the network using the OmniPeek Network Analyzer
■ Spoofing MAC address using SMAC
■ Sniffing the network using the WinArpAttacker tool
■ Analyzing the network using the Colasoft Network Analyzer
■ Sniffing passwords using Wireshark
■ Performing man-in-the-middle attack using Cain & Abel
■ Advanced ARP spoofing detection using XArp
■ Detecting systems running in promiscuous mode in a network using PromqryUI
■ Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

From the previous scenario, you are now aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing. In this lab, you need:
■ OmniPeek Network Analyzer, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com/products/omnipeek_network_analyzer
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows 8 running on a virtual machine as the target machine
■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
■ Administrative privileges to run tools
Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.11 wireless.

Lab Tasks

Task 1: Installing OmniPeek Network Analyzer

1. Install OmniPeek Network Analyzer on the host machine, Windows Server 2012.
2. Launch the Start menu by hovering the mouse cursor on the lower left corner of the desktop.

Figure 1.1: Windows Server 2012 - Desktop view

3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.

Note: OmniPeek Enterprise provides users with the visibility and analysis they need to keep voice and video applications and non-media applications running optimally on the network.

Figure 1.2: Windows Server 2012 - Start menu
Note: To deploy and maintain voice and video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media traffic is running on.

4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.

Figure 1.3: OmniPeek main screen

5. Launch the Windows 8 virtual machine.

Starting a New Capture

6. Now, in Windows Server 2012, create an OmniPeek capture window as follows:
   a. Click the New Capture icon on the main screen of OmniPeek.
   b. View the General options in the OmniPeek Capture Options dialog box when it appears.
   c. Leave the default general settings and click OK. If you intend to inspect payloads (for example, to look for cleartext credentials), make sure "Limit each packet to N bytes" stays unchecked: packet slicing keeps only the first N bytes of every packet and discards the rest.

Note: OmniPeek Network Analyzer offers a real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

Figure 1.4: OmniPeek capture options - General (capture title "Capture 1"; options for continuous capture, capture to disk under C:\Users\Administrator\Documents, file size and file count limits, per-packet byte limit, duplicate-packet discard, and buffer size)
   d. Click Adapter and select Ethernet in the list for Local machine. Click OK.

Note: Network coverage: with the Ethernet, Gigabit, 10G, and wireless capabilities, you can effectively monitor and troubleshoot services running on your entire network. Using the same solution for troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

Figure 1.5: OmniPeek capture options - Adapter (local machine WIN-MSSELCK4K41; the list shows the Ethernet adapter (Realtek PCIe GBE Family Controller, 100 Mbit/s link) together with the Hyper-V vSwitch and vEthernet adapters and the Virtual Network Internal Adapter)

7. Now, click Start Capture to begin capturing packets. The Start Capture button changes to Stop Capture and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.

Note: Dashboards display important data that every network engineer needs to know regarding the network without spending lots of time analyzing the captured data.

Figure 1.6: OmniPeek creating a capture window
8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

Note: OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the network or the number of employees. OmniPeek Professional provides support for multiple network interfaces while still supporting up to 2 OmniEngines, acting as both a full-featured network analyzer and a console for remote network analysis.

Figure 1.7: OmniPeek statistical analysis of the data (network utilization over a 1-minute window, top talkers by IP address, top protocols; 1,973 packets captured in 00:01:25)

9. To view the captured packets, select Packets in the Capture section of the left pane of the window.

Note: The OmniPeek Peer Map shows all communicating nodes within your network and is drawn as a vertically oriented ellipse, able to grow to the size necessary. The maps are easy to read: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest and/or active nodes, or to any OmniPeek filters that may be in use.

Figure 1.8: OmniPeek displaying packets captured (columns for packet number, source, destination, flags, size, relative time, protocol and summary; the capture shows HTTPS conversations between 10.0.0.2 and external hosts, with an expert note flagging slow server response time)

10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.
11. You can view Nodes and Protocols from the Statistics section of the Dashboard.
Note: On-the-fly filters: you shouldn't have to stop your analysis to change what you're looking at. OmniPeek enables you to create filters and apply them immediately. The WildPackets "select related" feature selects the packets relevant to a particular node, protocol, conversation, or expert diagnosis with a simple right click of the mouse.

Figure 1.9: OmniPeek statistical reports of Nodes

12. You can view a complete Summary of your network from the Statistics section of the Dashboard.

Note: Alarms and notifications: using its advanced alarms and notifications, OmniPeek uncovers hard-to-diagnose network problems and notifies the occurrence of issues immediately. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

Figure 1.10: OmniPeek Summary details

13. To save the result, select File -> Save Report.
Note: Using OmniPeek's local capture capabilities, a centralized console distributes OmniEngine intelligent software probes, Omnipliance® and TimeLine™ network recorders, and Expert Analysis.

Figure 1.11: OmniPeek saving the results

14. Choose the format of the report type from the Save Report window and then click Save.

Note: Engineers can monitor their entire network, rapidly troubleshoot faults, and fix problems to maximize network uptime and user satisfaction.

Figure 1.12: OmniPeek selecting the report format (Report type: PDF Report; Report folder: C:\Users\Administrator\Documents\Reports\Capture 1; PDF reports contain Summary Statistics, Node Statistics, Protocol Statistics, Node/Protocol Detail Statistics, Expert Stream and Application Statistics, Voice and Video, Wireless Node and Channels Statistics, and graphs)

15. The report can be viewed as a PDF.
Note: The Compass interactive dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill-down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously.

Figure 1.13: OmniPeek report in PDF format. Report sections: Dashboard; Statistics (Summary, Nodes, Protocols); Expert (Summary, Flows, Applications, Voice & Video); Graphs (Packet Sizes, Network Utilization in bits/s and percent, Address Count Comparisons, Application). Report header: OmniPeek Report 9/15/2012 12:21:22; start 9/15/2012 12:02:46; duration 0:01:25; total bytes 1,014,185; total packets 2,000. Summary statistics list average utilization (0.096%, 95,989 bits/s), current utilization (0.360%, 360,320 bits/s) and maximum utilization (0.795%, 794,656 bits/s), and error counts for CRC, frame alignment, runt and oversize frames (all zero).

Lab Analysis

Analyze and document the results related to the lab exercise.
Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:

Network Information:
■ Network Utilization
■ Current Activity
■ Log
■ Top Talkers by IP Address
■ Top Protocols

Packets Information:
■ Source
■ Destination
■ Size
■ Protocol

Nodes Statistics:
■ Total Bytes for a Node
■ Packets Sent
■ Packets Received
■ Broadcast/Multicast Packets

Summary includes information such as:
■ General
■ Network
■ Errors
■ Counts
■ Size Distribution

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. Analyze what 802.11 adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Spoofing MAC Address Using SMAC

SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

Lab Scenario

In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network. If an administrator does not have a certain level of working skill with a packet sniffer, it is really hard to defend against intrusions. So as an expert ethical hacker and penetration tester, you must be able to spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing. In the lab, you need:
■ SMAC, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
■ You can also download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm#smac27
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host and Windows Server 2008 as a virtual machine
■ Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
■ Administrative privileges to run tools
■ A web browser with Internet access

Lab Duration

Time: 10 Minutes

Overview of SMAC

SMAC is a powerful yet easy-to-use and intuitive Windows MAC address modifying utility (MAC address spoofing) which allows users to change MAC addresses for almost any network interface card (NIC) on Windows systems, regardless of whether the manufacturer allows this option.

Spoofing a MAC address protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy in this sense revolve around MAC addresses: the address is sent in the clear in every frame, so an address-based allow-list is only as strong as an attacker's inability to copy an allowed address.

Spoofing is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems, i.e. wireless access points. (Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).)

Note: SMAC works on a network interface card (NIC) that is on the Microsoft hardware compatibility list (HCL).

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Figure 2.1: Windows Server 2012 - Desktop view

2. Click the SMAC 2.7 app in the Start menu to launch the tool.

Note: When you start the SMAC program, you must start it as the administrator. You can do this by right-clicking the SMAC program icon and clicking "Run as Administrator" if you are not logged in as an administrator.
Figure 2.2: Windows Server 2012 - Start menu

Task 1: Spoofing MAC Address

3. The SMAC main screen appears. Choose the network adapter whose MAC address you want to spoof.

Figure 2.3: SMAC main screen (columns ID, Active, Spoofed, Network Adapter, IP Address and Active MAC Address; the list shows two Hyper-V Virtual Ethernet Adapters, with the "Show Only Active Network Adapters" option, the New Spoofed MAC Address field, and the buttons Update MAC, Remove MAC, Restart Adapter, IPConfig, Random, MAC List, Refresh and Exit)

Note: SMAC helps people to protect their privacy by hiding their real MAC addresses on the widely available Wi-Fi wireless networks.

4. To generate a random MAC address, click Random.

Figure 2.4: SMAC Random button to generate MAC addresses

5. Clicking the Random button also fills in the New Spoofed MAC Address field, which simplifies MAC address spoofing; Update MAC applies the address shown there to the selected adapter.
Note: SMAC also helps network and IT security professionals to troubleshoot network problems, test intrusion detection/prevention systems (IDS/IPS), test incident response plans, build high-availability solutions, recover (MAC address based) software licenses, etc.

Figure 2.5: SMAC selecting a new spoofed MAC address (SMAC resolves the OUI prefix of the new address to a vendor name, here "SCHENCK PEGASUS CORP. [0005FC]")

6. The Network Connection and Network Adapter fields display their respective names.
7. Click the forward arrow button in Network Connection to display the Network Adapter information.

Figure 2.6: SMAC Network Connection information (vEthernet (Realtek PCIe GBE Family Controller - Virtual Switch))

Note: SMAC does not change the hardware burned-in MAC address. SMAC changes the software-based MAC address, and the new MAC address you set is sustained across reboots. On Windows this override lives in the registry as the adapter's NetworkAddress value, which is also where an administrator can look when checking a host for a spoofed address.

8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.

Figure 2.7: SMAC Network Adapter information (Hyper-V Virtual Ethernet Adapter #2)

9. Similarly, the Hardware ID and Configuration ID fields display their respective names.
10. Click the forward arrow button in Hardware ID to display the Configuration ID information.

Figure 2.8: SMAC Hardware ID display (vms_mp)

11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.

Figure 2.9: SMAC Configuration ID display (the adapter's configuration GUID)
Task 2: Viewing IPConfig Information

12. To bring up the ipconfig information, click IPConfig.

Figure 2.10: SMAC button to view the IPConfig information

13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.

Note: The IPConfig information will show in the "View IPConfig" window. You can use the File menu to save or print the IPConfig information.

Figure 2.11: SMAC IPConfig information (Windows IP Configuration for host WIN-MSSELCK4K41, node type Hybrid, IP routing and WINS proxy disabled; the Hyper-V Virtual Ethernet Adapter #3 entry shows DHCP enabled, a link-local IPv6 address, autoconfiguration IPv4 address 169.254.103.138 with subnet mask 255.255.0.0, no default gateway, and DNS servers fec0:0:0:ffff::1%1 and fec0:0:0:ffff::2%1)

14. You can also import a MAC address list into SMAC by clicking MAC List.

Figure 2.12: SMAC listing MAC addresses
15. If there is no address in the MAC address field, click Load List to select a MAC list file you have created.

FIGURE 2.13: SMAC MAC List window

16. Select the Sample_MAC_Address_List.txt file from the Load MAC List window.

Note: When changing the MAC address, you MUST assign MAC addresses according to the IANA Number Assignments database. For example, "00-00-00-00-00-00" is not a valid MAC address; therefore, even though you can update this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver; however, the device will not function.

FIGURE 2.14: SMAC MAC List window (Load MAC List file dialog open at ProgramData > KLC > SMAC, listing Sample_MAC_Address_List.txt and LicenseAgreement.txt)
17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC Address and click Select. This MAC Address will be copied to New Spoofed MAC Address on the main SMAC screen.

Note: SMAC is created and maintained by Certified Information Systems Security Professionals (CISSPs), Certified Information System Auditors (CISAs), Microsoft Certified Systems Engineers (MCSEs), and professional software engineers.

FIGURE 2.15: SMAC MAC List window (list loaded from C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt)

Note: SMAC displays the following information about a Network Interface Card (NIC):
• Device ID
• Active Status
• NIC Description
• Spoofed status
• IP Address
• Active MAC address
• Spoofed MAC Address
• NIC Hardware ID
• NIC Configuration ID

18. To restart the Network Adapter, click Restart Adapter, which restarts the selected Network Adapter. Restarting the adapter causes a temporary disconnection of your Network Adapter.

FIGURE 2.16: SMAC Restarting Network Adapter

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Sniffing a Network Using the WinArpAttacker Tool

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).

Lab Scenario

You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker, too, can alter his or her MAC address and attempt to evade network intrusion detection systems, bypass access control lists, impersonate an authenticated user, and continue to communicate within the network when the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches.

As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more MAC addresses for each port. Another way to avoid attacker sniffing on your network is by using static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and protect it from attacks.

Lab Objectives

The objectives of this lab are to:
■ Scan, Detect, Protect, and Attack computers on local area networks (LANs):
■ Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
■ Save and load computer list files, and scan the LAN regularly for a new computer list
■ Update the computer list in passive mode using sniffing technology
■ Freely provide information regarding the type of operating systems they employ
■ Discover the kind of firewall, wireless access point, and remote access
■ Discover any published information on the topology of the network
■ Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
■ Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes

Lab Environment

To conduct the lab you need to have:
■ WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
■ You can also download the latest version of WinArpAttacker from the link http://www.xfocus.net
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 2008 running on virtual machine as target machine
■ A computer updated with network devices and drivers
■ Installed version of WinPcap drivers
■ Double-click WinArpAttacker.exe to launch WinArpAttacker
■ Administrative privileges to run tools

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Lab Duration

Time: 10 Minutes

Note: WinARPAttacker works on computers running Windows /2003.

Overview of Sniffing

Sniffing is performed to collect basic information of a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks

TASK 1: Scanning Hosts on the LAN

1. Launch Windows 8 Virtual Machine.
2. Launch WinArpAttacker in the host machine.
FIGURE 3.1: WinArpAttacker main window (Untitled - WinArpAttacker 3.5 2006.6.4; the program's own caution reads: "This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the author (unshadow), if you don't agree with this, you must delete it immediately.")

Note: WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network.

3. Click the Scan option from the toolbar menu and select Scan LAN.

4. The scan shows the active hosts on the LAN in a very short period of time (2-3 seconds).

5. The Scan option has two modes: Normal scan and Antisniff scan.

Note: The Scan option can scan and show the active hosts on the LAN within a very short time. It has two scan modes, Normal and Antisniff. The second is to find who is sniffing on the LAN.

FIGURE 3.2: WinArpAttacker Scan options

6. Scanning saves and loads a computer list file and also scans the LAN regularly for new computer lists.
Note: In this tool, attacks can pull and collect all the packets on the LAN.

FIGURE 3.3: WinArpAttacker Loading a Computer list window

7. By performing the attack action, scanning can pull and collect all the packets on the LAN.

TASK 2: ARP Attack

8. Select a host (10.0.0.5, Windows Server 2008) from the displayed list and select Attack > Flood.

Note: The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

FIGURE 3.4: WinArpAttacker ARP Attack type

9. Scanning acts as another gateway or IP-forwarder without other user recognition on the LAN, while spoofing ARP tables.

10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IPforward functions are counted, as shown in the main interface.
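Steps 9 and 10 describe the tool inserting itself as a second gateway by rewriting the ARP tables of the hosts, the Lab Scenario says an administrator should detect odd MAC addresses and can pin bindings with static ARP entries, and the SMAC note in the previous lab says an all-zero MAC is rejected by the NIC driver. The Python script below is an added example, not code from the lab manual, from SMAC or from WinArpAttacker: it validates MAC strings the way a driver would, then replays a constructed sequence of ARP replies against a learned IP-to-MAC table and raises an alert when a known IP changes MAC, when one MAC claims more than one IP, or when a MAC is locally administered. The 10.0.0.0/24 addresses and gateway 10.0.0.1 follow the lab; the hosts 10.0.0.7, 10.0.0.8 and 10.0.0.9 and every MAC value are assumptions made up for illustration.

```python
# Added example (not from the CEH lab manual, SMAC or WinArpAttacker):
# a defender-side ARP-table watcher. All MAC values and the hosts
# 10.0.0.7/8/9 are constructed sample data; 10.0.0.1 and 10.0.0.5 follow the lab.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Six hex octets, separated consistently by "-" or ":" or not at all.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def parse_mac(text: str) -> Optional[bytes]:
    """Return the six raw bytes of a MAC address, or None if it is malformed."""
    if not MAC_RE.match(text):
        return None
    return bytes.fromhex(re.sub(r"[-:]", "", text))


def mac_problems(text: str) -> List[str]:
    """Reasons a MAC would be rejected by a NIC driver or looks suspicious.

    An empty list means a plausible manufacturer-assigned unicast address.
    Mirrors the SMAC note: 00-00-00-00-00-00 is not a valid address.
    """
    raw = parse_mac(text)
    if raw is None:
        return ["malformed"]
    if raw == bytes(6):
        return ["all-zero address"]
    if raw == b"\xff" * 6:
        return ["broadcast address"]
    problems = []
    if raw[0] & 0x01:                  # I/G bit: group (multicast) address
        problems.append("multicast/group bit set")
    if raw[0] & 0x02:                  # U/L bit: not a vendor OUI, common for spoofed MACs
        problems.append("locally administered (U/L bit set)")
    return problems


@dataclass
class ArpWatcher:
    """Learns IP-to-MAC bindings from ARP replies and alerts when they move.

    A static ARP entry pins exactly the binding this table learns; the
    watcher instead reports every change so it can be investigated.
    """
    gateway_ip: str
    ip_to_mac: Dict[str, str] = field(default_factory=dict)
    mac_to_ips: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def observe(self, sender_ip: str, sender_mac: str) -> None:
        """Process one ARP reply (sender IP / sender MAC)."""
        mac = sender_mac.lower()
        for problem in mac_problems(mac):
            if problem.startswith("locally administered"):
                self.alerts.append(f"{sender_ip} uses a locally administered MAC {mac}")
            else:
                # A driver would not keep such an address; neither does the table.
                self.alerts.append(f"ignoring invalid MAC {mac} for {sender_ip}: {problem}")
                return
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != mac:
            role = "gateway" if sender_ip == self.gateway_ip else "host"
            self.alerts.append(f"{role} {sender_ip} changed from {previous} to {mac}")
        self.ip_to_mac[sender_ip] = mac
        self.mac_to_ips[mac].add(sender_ip)
        if len(self.mac_to_ips[mac]) > 1:
            self.alerts.append(f"{mac} claims multiple IPs: {sorted(self.mac_to_ips[mac])}")


# Constructed ARP replies (sender IP, sender MAC), in the order they were "seen".
SAMPLE_ARP_REPLIES: List[Tuple[str, str]] = [
    ("10.0.0.1", "00-1a-2b-3c-4d-01"),   # real gateway learned first
    ("10.0.0.5", "00-1a-2b-3c-4d-05"),   # target server from the lab
    ("10.0.0.7", "00-1a-2b-3c-4d-07"),   # a third host (assumed)
    ("10.0.0.1", "00-1a-2b-3c-4d-07"),   # 10.0.0.7 now answers for the gateway
    ("10.0.0.9", "00-00-00-00-00-00"),   # the invalid address from the SMAC note
    ("10.0.0.8", "02-11-22-33-44-55"),   # locally administered address
]


def run_demo(replies=SAMPLE_ARP_REPLIES, gateway_ip="10.0.0.1") -> List[str]:
    """Replay the replies through a watcher and return the alerts raised."""
    watcher = ArpWatcher(gateway_ip=gateway_ip)
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the script yields four alerts: the gateway binding moving to the third host's MAC, that MAC claiming two IPs, the all-zero address being discarded, and the locally administered address on 10.0.0.8. On a real network the replies would come from a packet capture rather than the constructed list, and the learned table is what you would pin with static ARP entries or switch port security on the hosts that matter.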
Note: The BanGateway option tells the gateway wrong MAC addresses of target computers, so the targets can't receive packets from the Internet. This attack forbids the targets from accessing the Internet.

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

Note: The IPConflict option, like ARP Flood, regularly sends IP conflict packets to target computers, so that users may not be able to work because of regular IP conflict messages. In addition, the targets can't access the LAN.

11. Click Save to save the report.

FIGURE 3.6: WinArpAttacker toolbar options (File, Scan, Attack, Detect, Options, View and Help menus; New, Open, Save, Scan, Attack, Stop, Send, Options and About buttons)

12. Select a desired location and click Save to save the report.

Lab Analysis

Analyze and document the scanned and attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected/Objectives Achieved:
■ Host Name
■ Node Type
■ MAC Address
■ IP Address
■ DHCP Enabled
■ Subnet Mask
■ DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. WinArp

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Analyzing a Network Using the Capsa Network Analyzer

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

Lab Scenario

Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol.

To prevent this, network administrators must securely configure client systems and use antivirus protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.

Lab Objectives

The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
■ Network traffic analysis, communication monitoring
■ Network communication monitoring
■ Network problem diagnosis
■ Network security analysis
■ Network performance detecting
■ Network protocol analysis
Lab Environment

To carry out the lab, you need:
■ Colasoft Capsa Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer
■ You can also download the latest version of Colasoft Capsa Network Analyzer from the link http://www.colasoft.com
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on virtual machine as target machine
■ Double-click capsa_free_7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer
■ Administrative privileges to run tools
■ A web browser with an Internet connection

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing

Note: Colasoft Capsa Network Analyzer runs on Server 2003/Server 2008/7 with 64-bit Edition. This lab requires an active Internet connection for license key registration.

Lab Duration

Time: 20 Minutes

Overview of Sniffing

Sniffing is performed to collect basic information of the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be Active or Passive.

Lab Tasks

TASK 1: Analyze Network

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 4.1: Windows Server 2012 - Desktop view
2. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool.

FIGURE 4.2: Windows Server 2012 - Start menu

3. The Colasoft Capsa 7 Free - Activation Guide window will appear. Type the activation key that you receive in your registered email and click Next.

FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer - Activation Guide window (License Information with User Name, Company and Serial Number; options Activate Online (Recommended) and Activate Offline; questions to capsafree@colasoft.com)
4. Continue to click Next on the Activation Guide and click Finish.

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer - Activation successful

5. The Colasoft Capsa 7 Free Network Analyzer main window appears.

Note: As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

FIGURE 4.5: Colasoft Capsa Network Analyzer main screen (adapter list with IP, Speed, Packets, Bytes and Utilization columns; Capture Filter "No filter selected, accept all packets"; analysis profiles Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis and IM Analysis)
6. In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project.

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a New Project

7. Dashboard provides various graphs and charts of the statistics. You can view the analysis report in a graphical format in the Dashboard section of Node Explorer.

Note: The network utilization rate is the ratio of current network traffic to the maximum traffic that a port can handle. It indicates the bandwidth use in the network.

FIGURE 4.7: Colasoft Capsa Network Analyzer Dashboard (charts: Total Traffic by Bytes, Top IP Total Traffic by Bytes, Top Application Protocols by Bytes)
8. The Summary tab provides full general analysis and statistical information of the selected node in the Node Explorer window.

Note: A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is idle.

FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

9. The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols.

10. To view the slow response of TCP, click TCP Slow Response in Transport Layer, which in turn will highlight the slowest response in Diagnosis Events.

FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnoses (Diagnosis Item tree with Application Layer: DNS Server Slow Response, HTTP Server Slow Response; Transport Layer: TCP Retransmission, TCP Slow Response, TCP Duplicated Acknowledgement; Network Layer; and a Diagnosis Events list of TCP Slow ACK entries of Severity, Type Performance, Layer Transport)
35. Module 08 - Sniffers
11. Double-click the highlighted Diagnosis information of this event to view the detailed Event Diagnosis.
FIGURE 4.10: Analysing Diagnosis Event
12. The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information.
FIGURE 4.11: TCP Slow ACK - Data Stream of Diagnostic Information window
13. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.
CEH Lab Manual Page 618 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
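Steps 11 and 12 show Capsa raising TCP Slow ACK events (the same diagnosis pane also lists TCP Retransmission) for a data stream. The following Python block is an added example, not Capsa's code, that derives both events from a list of captured segments the way a passive monitor would: each data segment is matched to the first ACK that covers it and the ACK delay is compared with a threshold, while a repeated sequence number from the same sender is reported as a retransmission. The segment records, the endpoint addresses and the 200 ms threshold are constructed for the demo; Capsa's own thresholds are not stated on this page.

```python
"""TCP Slow ACK and TCP Retransmission events computed from a list of captured segments.

Added example, not Capsa's implementation. Sequence-number wraparound is ignored.
"""
from collections import namedtuple

# One captured TCP segment: capture time in seconds, endpoints as "ip:port" strings,
# absolute sequence/ack numbers, flag letters (S, A, P, F, R) and payload length.
Segment = namedtuple("Segment", "no time src dst seq ack flags payload_len")


def diagnose(segments, slow_ack_ms=200.0):
    """Return (event, packet number, detail) triples in capture order.

    slow_ack_ms is an assumed demo threshold: an ACK that arrives later than this
    after the data it covers is reported as a TCP Slow ACK event.
    """
    events = []
    unacked = {}      # (sender, receiver) -> [(ack number that covers it, data segment)]
    first_seen = {}   # (sender, receiver, seq) -> packet number of the first transmission

    for seg in sorted(segments, key=lambda s: s.time):
        if "A" in seg.flags:
            # seg acknowledges data that flowed in the opposite direction (seg.dst -> seg.src)
            remaining = []
            for expected_ack, data in unacked.get((seg.dst, seg.src), []):
                if seg.ack >= expected_ack:
                    delay_ms = (seg.time - data.time) * 1000
                    if delay_ms > slow_ack_ms:
                        events.append(("TCP Slow ACK", seg.no,
                                       f"Packet {seg.no} ACKs packet {data.no} after {delay_ms:.0f} ms"))
                else:
                    remaining.append((expected_ack, data))
            unacked[(seg.dst, seg.src)] = remaining

        if seg.payload_len > 0:
            key = (seg.src, seg.dst, seg.seq)
            if key in first_seen:
                events.append(("TCP Retransmission", seg.no,
                               f"Packet {seg.no} resends seq {seg.seq} first sent in packet {first_seen[key]}"))
            else:
                first_seen[key] = seg.no
                unacked.setdefault((seg.src, seg.dst), []).append((seg.seq + seg.payload_len, seg))
    return events


# Constructed sample, not a real capture: a client talking to a web server.
C, S = "10.0.0.2:1406", "207.218.235.182:80"
SAMPLE = [
    Segment(1, 0.000, C, S, 1000, 5000, "PA", 100),   # request, expects ack 1100
    Segment(2, 0.050, S, C, 5000, 1100, "A", 0),      # prompt ACK after 50 ms: no event
    Segment(3, 0.100, C, S, 1100, 5000, "PA", 200),   # next request, expects ack 1300
    Segment(4, 0.450, S, C, 5000, 1300, "A", 0),      # ACK after 350 ms: TCP Slow ACK
    Segment(5, 0.500, S, C, 5000, 1300, "PA", 300),   # response, expects ack 5300
    Segment(6, 0.900, S, C, 5000, 1300, "PA", 300),   # same seq resent: TCP Retransmission
    Segment(7, 0.950, C, S, 1300, 5300, "A", 0),      # ACK 450 ms after packet 5: TCP Slow ACK
]

if __name__ == "__main__":
    for event, no, detail in diagnose(SAMPLE):
        print(f"{event:20} #{no:<3} {detail}")
```

Run on the sample it reports packet 4 and packet 7 as slow ACKs and packet 6 as a retransmission; raising `slow_ack_ms` to 500 keeps only the retransmission, which is the knob to turn when a slow WAN link makes the default too noisy.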
36. Module 08 - Sniffers
FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis
14. The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.
FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis
15. The IP Endpoint tab displays statistics of all IP addresses communicating within the network.
16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check whether there is a multicast storm or broadcast storm in your network.
37. Module 08 - Sniffers
As a delicate task, network analysis always requires us to view the original packets and analyze them. However, not all network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.
FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view
17. The Physical Conversation tab presents the conversations between two MAC addresses.
TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL was originally designed to define a time scope beyond which the packet is dropped. As the TTL value is decremented by at least 1 by each router the packet passes through, TTL often indicates the number of routers the packet passed through before it was dropped.
FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations
18. The IP Conversation tab presents IP conversations between pairs of nodes.
19. The lower pane of the IP Conversation section offers the UDP and TCP conversations, which you can drill down into to analyze.
38. Module 08 - Sniffers
FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations
20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.
FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations
21. A window opens displaying the full packet analysis between 10.0.0.5 and 239.255.255.250.
39. Module 08 - Sniffers
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could be a modification to an existing program or hardware device.
FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations
22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.
23. Double-click a node to display the full analysis of packets.
FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations
24. A Full Analysis window opens, displaying detailed information about the conversation between the two nodes.
40. Module 08 - Sniffers
FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations
25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
26. The lower pane of this tab gives you the related packets and the reconstructed data flow to help you drill down and analyze the conversations.
In networking, an email worm is a computer worm that can copy itself to the shared folder in a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.
FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations
27. On the Matrix tab, you can view the nodes communicating in the network, connected graphically by lines.
28. The weight of a line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.
41. Module 08 - Sniffers
29. You can easily navigate and shift between global statistics and the details of specific network nodes by switching the corresponding nodes in the Node Explorer window.
Once we encounter a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of these statistics are included in the endpoint tabs in Colasoft Capsa.
FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view
30. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.
Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. A protocol is a formal description of message formats and the rules for exchanging those messages.
FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information
31. The Packet decode consists of two major parts: Hex View and Decode View.
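Step 31 names the two halves of the packet decode, Hex View and Decode View, and the margin note on the next slide uses an ARP packet as its example of how a frame is encapsulated according to its protocol rule. The following Python block is an added example, not Capsa's code: it renders a frame as a hex dump with offsets and printable ASCII, walks the Ethernet II and ARP headers into (field, value, [offset/length]) rows like the decode pane, and adds the one consistency check such a decode gives a defender for free, whether the Ethernet source MAC matches the ARP sender hardware address. The frame is a constructed ARP request and the field names are my own; only the standard library is used.

```python
"""Hex View and Decode View of a captured Ethernet II + ARP frame (stdlib only)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "Request", 2: "Reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def hex_view(data, width=16):
    """Hex View pane: offset, hex columns and printable ASCII, one row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04X}  {hexpart}  {ascii_part}")
    return "\n".join(rows)


def decode_arp_frame(frame):
    """Decode View flattened to (field, value, (offset, length)) rows for Ethernet II + ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    fields = [("Ethernet.Destination", mac_str(dst), (0, 6)),
              ("Ethernet.Source", mac_str(src), (6, 6)),
              ("Ethernet.Type", f"0x{ethertype:04X}", (12, 2))]
    if ethertype != ETHERTYPE_ARP:
        return fields                          # not ARP: stop at the link layer
    base = ETH_HDR.size
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, base)
    fields += [("ARP.HardwareType", str(htype), (base, 2)),
               ("ARP.ProtocolType", f"0x{ptype:04X}", (base + 2, 2)),
               ("ARP.HardwareSize", str(hlen), (base + 4, 1)),
               ("ARP.ProtocolSize", str(plen), (base + 5, 1)),
               ("ARP.Opcode", f"{oper} ({ARP_OPCODES.get(oper, 'Unknown')})", (base + 6, 2)),
               ("ARP.SenderMAC", mac_str(sha), (base + 8, 6)),
               ("ARP.SenderIP", ip_str(spa), (base + 14, 4)),
               ("ARP.TargetMAC", mac_str(tha), (base + 18, 6)),
               ("ARP.TargetIP", ip_str(tpa), (base + 24, 4))]
    return fields


def sender_mac_consistent(frame):
    """True when the Ethernet source MAC equals the ARP sender hardware address.

    A mismatch is not proof of anything on its own, but it is one of the
    inconsistencies a monitor can flag when reviewing ARP traffic for forgery.
    """
    values = {name: value for name, value, _ in decode_arp_frame(frame)}
    return values.get("Ethernet.Source") == values.get("ARP.SenderMAC")


def build_arp_request(sender_mac, sender_ip, target_ip, eth_src=None):
    """Constructed sample: broadcast ARP request (who has target_ip? tell sender_ip).

    eth_src lets the demo build a frame whose Ethernet source differs from the ARP sender.
    """
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


SAMPLE = build_arp_request("00:0c:29:aa:bb:01", "10.0.0.2", "10.0.0.1")

if __name__ == "__main__":
    print(hex_view(SAMPLE))
    for name, value, (off, length) in decode_arp_frame(SAMPLE):
        print(f"  {name:22} {value:24} [{off}/{length}]")
    print("Ethernet source == ARP sender:", sender_mac_consistent(SAMPLE))
```

The `[offset/length]` column is the bridge between the two views: selecting a row in the decode pane highlights exactly those bytes in the hex pane, which is how you confirm by eye that, say, the target IP really sits at bytes 38 to 41 of the frame.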
42. Module 08 - Sniffers
Protocol decoding is the basic functionality as well. There is a Packet tab, which collects all captured packets or traffic. Select a packet and you can see its hex digits as well as the meaning of each field. The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rule.
FIGURE 4.24: Full Analysis of Packet Decode
32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP conversations, web access, DNS transactions, email communications, etc.
FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view
43. Module 08 - Sniffers
FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view
34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
FIGURE 4.27: Colasoft Capsa Network Analyzer MSN Log view