module 08: sniffers...2013/04/15  · sniffing network packets, performing arp poisoning, spoofing...

Post on 22-Dec-2020

Module 08: Sniffers

Objective

The objective of this lab is to make students learn to sniff a network and analyze packets for any

attacks on the network.

The primary objectives of this lab are to:

Sniff the network

Analyze incoming and outgoing packets

Troubleshoot the network for performance

Secure the network from attacks

Scenario

Since you are an expert Ethical Hacker and Penetration Tester, your IT director instructs you to

sniff a network and analyze if there is evidence of any of the following on the network: MAC

attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning.

Virtual Machines

The following virtual machines are required for completion of this lab:

1. 2008 Server (10.10.10.1)

2. Windows 7 (10.10.10.31)

3. 2003 Server (10.10.10.61)

4. NAT

Exercise I: Mapping a Network Topology Using Look@LAN

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement

and policy audits.

1. Log on to Windows Server 2003

Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and click Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install Look@LAN

To install Look@LAN, navigate to Z:\CEHv7 Module 08 Sniffers\Network

Topology\lookatlan.

Double-click on lalsetup250.exe to install Look@LAN.

Follow the wizard driven installation steps to install Look@LAN.

The Z:\ drive is a mapped network drive containing the CEH tools.

4. Launch Look@LAN

To launch Look@LAN, navigate to Start --> All Programs --> Look@LAN -->

Look@LAN.

5. Create New Profile

To create a new profile, click Create New Profile in the Look@LAN wizard.

6. New Profile Settings

In New Profile settings select the target machine IP. In this lab, it is Windows Server

2003 (10.10.10.61) and click Next.

7. Starts Sniffing

The tool will start sniffing details on the machine

A window will open with a list of IP addresses. Click Hide button at the bottom of the

window

8. View Statistics

Go to View menu from menu bar and select Statistics. The Statistics will list down the

number of Online and Offline machines in the right pane.

9. View Network settings

Go to Settings and click Network Settings from the menu bar; it displays the network

configuration.

10. Trapping Configuration

Go to Settings and select Trapping Configuration from the menu bar. The Trapping

configuration window will list down the General and Mail option available for trapping.

11. Quick Host Scan

Go to Tools and select Quick Host Scan.

12. Input the Host IP

Input the Host IP as 10.10.10.61 (Windows Server 2003) and click Analyze.

13. Proof Scan

After scanning is completed it displays Proof Scan wizard. Close the Proof Scan wizard.

14. View Graphs

To view graphical statistics go to Tools menu and select Show graphs.

Lab Analysis

In this lab you have reinforced concepts of network security policy, policy enforcement and

policy audits.

Exercise II: Sniffing the Network Using the Colasoft Packet

Builder

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement

and policy audits.

1. Logon to Windows Server 2003

Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter your user name and password.

3. Install Colasoft Packet Builder

To install Colasoft Packet Builder, navigate to Z:\CEHv7 Module 08 Sniffers\Sniffing

Tools\TCP-IP Packet Crafter\Packet Builder.

Double-click on pkbuilder10_build166.exe file.

Follow the wizard driven installation steps to install Colasoft Packet Builder.

The Z:\ drive is a mapped network drive containing the CEH tools.

4. Launch Colasoft Packet Builder

To launch Colasoft Packet Builder, navigate to Start --> All Programs --> Colasoft

Packet Builder 1.0 --> Colasoft Packet Builder 1.0.

5. Check the Adapter settings

Before starting your task, check the Adapter settings from the Send option and click

Select default adapter to set it to the default from the menu bar.

6. Select Adapter

Select the appropriate adapter from the drop-down list and click the OK button.

7. Create Packet

To add or create the packet, click Add in the menu section.

8. Adding Packet

When an Add Packet dialog box pops up, you need to select the template and click OK.

9. Added Packets

You can view the added packets list on your right-hand side of your window.

10. Decode Editor

Colasoft Packet Builder allows you to edit decoding information in the two editors,

Decode Editor and Hex Editor, on the left-hand side of the window.

11. Send All Packets

To send all packets at one time, click Send All from the menu bar.

Check the Burst Mode option in Send All Packets dialog window, and then click Start.

12. Export All Packets

To export the packets sent from the file menu, click File --> Export --> All Packets.

13. Save Packets

Save the packets at your desired location; click the Save button to save.

Lab Analysis

In this lab you have performed network sniffing using the Colasoft Packet Builder.

Exercise III: Sniffing the Network Using the OmniPeek

Network Analyzer

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement,

and policy audits.

1. Logon to Windows Server 2003

Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install OmniPeek Network Analyzer

To install OmniPeek Network Analyzer, navigate to Z:\CEHv7 Module 08

Sniffers\Sniffing Tools\Packet Sniffing Tool\OmniPeek Network Analyzer.

Double-click on OmniPeek607demo.exe to install.

Follow the wizard driven installation steps to install OmniPeek Network Analyzer.

The Z:\ drive is a mapped network drive containing the CEH tools.

4. Launch OmniPeek Network Analyzer

To launch OmniPeek Network Analyzer, navigate to Start --> All Programs -->

WildPackets OmniPeek Demo.

5. OmniPeek Main Window

The OmniPeek evaluation version warning window will appear; click OK or close to continue.

6. Create an OmniPeek capture

Create an OmniPeek capture window as follows:

o Click New Capture on the main screen of OmniPeek.

o View the general options in the OmniPeek Capture Options dialog box when it

appears.

o Leave the default general settings and click OK.

7. Start Capture

Now click Start Capture to begin capturing packets. The Start Capture tab turns to

Stop Capture and traffic statistics begin to populate the Network Dashboard in the

capture window of OmniPeek.

8. View Captured Packets

To view captured packets, click the Capture tab views in the navigation bar, where you

can view expert and statistical analysis of the data, the Peer Map display and more.

9. View Captured Packets

To view the captured packets, select Packets in a Capture section of the Dashboard at

the left hand-side of the window.

Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective

options in the same Dashboard.

You can view the Nodes and Protocols from the Statistics section of the Dashboard.

10. Saving Report

To save the result, go to File --> Save Report.

11. Report Type

Select format type of the report and click Save button.

Lab Analysis

In this lab you have performed network sniffing using the OmniPeek Network Analyzer.

Exercise IV: Spoofing MAC Address Using SMAC

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must spoof MAC addresses, sniff

network packets, and perform ARP poisoning, network spoofing and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement,

and policy audits.

In this lab, you will learn how to spoof the MAC address.

1. Logon to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install SMAC

To install SMAC, navigate to E:\CEHv7 Module 08 Sniffers\MAC Spoofing

Tools\SMAC.

Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to

install SMAC.

4. Launch SMAC

To launch SMAC, navigate to Start --> All Programs --> KLC --> SMAC 2.7.

5. Accept the SMAC 2.7 License Agreement

Click I Accept button on the License Agreement of SMAC.

6. SMAC 2.0 Registration

Click Proceed button on SMAC 2.0 Registration wizard.

7. Choose a Network Adapter

Choose a network adapter to spoof MAC address. To generate a random MAC address,

click Random, which also inputs into the New Spoofed MAC Address to simplify MAC

Address Spoofing

8. New Spoofed MAC Address

You can see the new spoofed MAC address on the left-hand side of the window.

9. Network Connection or Adapter Section

The network connection or adapter displays the network connection name.

Click the << or >> icon. The display changes to show network adapter information. These

buttons toggle between network adapter and network connection information.

10. Hardware ID and Configuration ID

Click << or >>. The display changes to show Configuration ID information. This button

toggles between Hardware ID and Configuration ID.

11. IPConfig

To bring up the ipconfig information, click IPConfig.

12. IPConfig window

The IPConfig window pops up. You can also save the information by clicking on the

File menu at the top of the window.

13. MAC List

You can also import the MAC address list into SMAC by clicking MAC List.

14. Load List

If there is no address in the MAC address field, click Load List to select a MAC address

list file you have created.

15. Sample MAC Address List

From the browse window select Sample_MAC_Address_List.txt file and click Open

button.

16. MAC List

It displays the sample MAC Addresses loaded in MAC List window.

17. Select MAC Address

Select any one of the MAC addresses from the list and click the Select button.

18. Restart Adapter

To restart Network Adapter, click Restart Adapter, which restarts the selected Network

Adapter. This causes a temporary disconnection problem for your Network Adapter.

Lab Analysis

In this lab you have performed MAC Address Spoofing using SMAC.

Exercise V: Sniffing a Network Using the WinArpAttacker

Tool

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

Footprinting, network protocols and their topology, TCP and UDP services, routing tables,

remote access (SSH or VPN), and authentication mechanisms.

Lab Objectives

The objectives of this lab are to:

Scan, Detect, Protect, and Attack computers on local area networks (LANs):

Scan and show the active hosts on the LAN within a very short time period of 2-3

seconds

Save and load computer list files, and save the LAN regularly for a new computer list

Update the computer list in passive mode using sniffing technology

Freely provide information regarding the type of operating systems they employ

Discover the kind of firewall, wireless access point and remote access

Discover any published information on the topology of the network

Discover if the site is seeking help for IT positions that could give information regarding

the network services provided by the organization

Identify actual users and discover if they give out too much personal information, which

could be used for social engineering purposes

1. Logon to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install WinPcap

To install WinPcap, navigate to E:\CEHv7 Lab Prerequisites\WinPcap.

Double-click WinPcap_4_1_2.exe and follow the wizard-driven installation steps to

install WinPcap.

4. Launch WinArpAttacker

To launch WinArpAttacker, navigate to E:\CEHv7 Module 08 Sniffers\ARP Poisoning

Tools\WinArpAttacker.

Double-click “WinArpAttacker.exe” to launch WinArpAttacker.

5. Scanning Hosts on the LAN

Click the Scan option from the toolbar menu and select Scan LAN.

The scan shows active hosts on the LAN in a very short period of time (2-3 seconds).

The Scan option has two modes: Normal scan and Antisniff scan.

6. Scanning Saves and Loads

Scanning saves and loads a computer list file and also scans the LAN regularly for new

computer lists.

7. ARP Attack

By performing attack action, scanning can pull and collect all the packets on the LAN.

Select a Host (10.10.10.61 – Windows Server 2003) from the displayed list and select

Attack --> Flood

Make sure that Windows Server 2003 (10.10.10.61) is running before running this lab.

8. Data Sniffed by Spoofing and Forwarded

Scanning acts as another gateway or IP-forwarder without other user recognition on

the LAN, while spoofing ARP tables.

All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward

functions are counted, as shown in the main interface.

9. Saving Report

Click Save to save the report.

Lab Analysis

In this lab you have performed network sniffing using the WinArpAttacker Tool.

You have now:

Scanned, Detected, Protected, and Attacked computers on local area networks (LANs):

Scanned and showed the active hosts on the LAN within a very short time period of 2-3

seconds

Saved and loaded computer list files, and saved the LAN regularly for a new computer

list

Updated the computer list in passive mode using sniffing technology

Freely provided information regarding the type of operating systems they employ

Discovered the kind of firewall, wireless access point and remote access

Discovered any published information on the topology of the network

Discovered if the site is seeking help for IT positions that could give information

regarding the network services provided by the organization

Identified actual users and discovered if they give out too much personal information,

which could be used for social engineering purposes

Exercise VI: Analyzing a Network Using the Colasoft Capsa

Network Analyzer

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote

access (SSH or VPN) and authentication mechanisms.

Lab Objectives

The objective of this lab is to obtain information regarding the target organization that includes,

but is not limited to:

Network traffic analysis,

Network communication monitoring

Network problem diagnosis

Network security analysis

Network performance detection

Network protocol analysis

1. Logon to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install Colasoft Capsa Network Analyzer

To install Colasoft Capsa Network Analyzer, navigate to E:\CEHv7 Module 08

Sniffers\Sniffing Tools\Packet Sniffing Tool\Capsa Network Analyzer.

Double-click capsa_ent_7.2.1.2299_demo.exe and follow the wizard-driven installation

steps to install Colasoft Capsa Network Analyzer.

4. Launch Colasoft Capsa Network Analyzer

To launch Colasoft Capsa Network Analyzer, navigate to Start --> All Programs -->

Colasoft Capsa 7 Demo --> Colasoft Capsa 7 Demo.

5. Welcome Screen

Click Buy Later or Close button on the Welcome screen to continue.

6. Create New Project

In the Capture tab of the main window, select the Local Area Connection check box in

Adapters and click Play located at the bottom-right of the window, which creates a New

Project

7. Analysis Report

You can view the analysis report in a graphical format in the Dashboard section of Node

Explorer.

8. Summary Tab

The Summary tab shows full analysis and statistics.

9. Diagnosis Tab

View the performance of protocols with the Diagnosis tab.

10. Protocol Tab

You can view an analysis of protocols on the Protocol tab.

11. IP Endpoint

The IP Endpoint tab displays statistics of all IP addresses communicating within the

Network.

On IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and

check if there is a multicast storm or broadcast storm in your network.

12. IP Conversation

The IP Conversation tab presents IP conversations between pairs of nodes.

The lower pane of the IP Conversation section offers UDP and TCP conversation, which

you can drill down to analyze.

13. TCP Conversation

The TCP Conversation tab dynamically presents the real-time status of TCP

conversations between pairs of nodes.

The lower pane on this tab offers related packets, time sequence charts, and

reconstructed data flow to help you drill down to analyze the conversations.

14. UDP Conversation

The UDP Conversation tab dynamically presents the real-time status of UDP

conversations between two nodes.

The lower pane of this tab gives you related packets and reconstructed data flow to help

you drill down to analyze conversations.

15. Matrix Tab

In the Matrix tab, you can view the nodes communicating in the network by connecting

them in lines graphically.

The weight of the line indicates the volume of traffic between nodes arranged in an

extensive ellipse.

You can easily navigate and shift between global statistics and details of specific network

nodes by switching corresponding nodes in the Node Explorer window.

16. Packet Tab

The Packet tab provides original information for any packet. It consists of three major

parts: Summary Decode, Hex/ASCII/EBCDIC Decode and Field Decode.

17. Log Tab

The Log tab provides an Email Log, FTP Log, DNS Log and HTTP Log.

You can view the logs of TCP conversations, web access, DNS transactions and email

communications.

18. Report Tab

The Report tab provides 27 statistics reports from the global network to a specific

network node.

You can view this display in 2D or 3D style of line charts or area charts. A new feature of

this tab allows you to create reports on demand.

19. Stop

Click Stop on the main window after completing your task.

Lab Analysis

In this lab you have analyzed a network using the Colasoft Capsa Network Analyzer.

You have performed:

Network traffic analysis

Network communication monitoring

Network problem diagnosis

Network security analysis

Network performance detection

Network protocol analysis

Exercise VII: Sniffing Passwords using Wireshark

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of

sniffing Network Packets, performing ARP Poisoning, spoofing network and DNS poisoning.

Lab Objectives

The objective of this lab is to demonstrate Sniffing technique to capture from multiple interfaces

and data collection from any network topology.

1. Logon to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right

pane of the window.

2. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Install Wireshark

To install Wireshark, navigate to E:\CEHv7 Module 08 Sniffers\Sniffing

Tools\Wireshark.

Double-click wireshark.exe and follow the wizard-driven installation steps to install

Wireshark.

4. Launch Wireshark

Launch Wireshark in Windows Server 2008 (IP address: 10.10.10.1) (Host Machine).

To launch, click Start --> All Programs --> Wireshark --> Wireshark

5. Capture Interfaces

From the Wireshark menu bar, click Capture --> Interfaces...

6. Wireshark: Capture Interfaces

In the Wireshark Capture Interfaces box, find Ethernet Driver Interface that is

connected to the system.

Click Start button in that interface’s line.

7. Traffic Information

Wireshark displays the captured traffic.

8. Analyzing Captured Files

Now click the Stop button, or stop the session from the Capture tab by clicking

Stop.

9. Analyze the Captured Files

Now navigate to the File option and click Open to analyze the captured files.

10. Wireshark pop-up

A "Save capture file before opening a new one" pop-up appears; click the Continue without

Saving button.

11. Sample Capture File

For this lab, the sample captured file of telnet is located at E:\CEHv7 Module 08

Sniffers\Wireshark Sample Capture Files\telnet-cooked.pcap

Now, select sample captured file of Telnet and click --> Open as shown in below figure

12. Observe the Password

Telnet traffic is generated as shown in below figure

Now, browse to Frame number 29, and right click --> Follow TCP Stream

13. Follow TCP Stream

In Follow TCP Stream wizard, find the Login and Password option that extracted

Lab Analysis

In this lab you have performed Sniffing to capture from multiple interfaces and data collection

from any network topology.
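
An added example, not part of the original lab manual: the observation from step 13 turned into an audit a defender can run over a capture, listing which client/server pairs exposed a login over Telnet or over FTP (the protocol used in Exercise VIII) without retaining the password. The capture is constructed inside the code; the client ports, the Telnet service on 10.10.10.61 and the sample secret are assumptions.

```python
import struct

def read_pcap(data):
    """Yield captured frames from a classic libpcap file with Ethernet link type."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"                      # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    offset = 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, captured length, original length.
        caplen = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen

def tcp_segment(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:        # IPv4 carrying TCP only
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]  # drops Ethernet padding
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data = tcp + (frame[tcp + 12] >> 4) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, sport, dst, dport, frame[data:ip_end]

def audit_cleartext_logins(pcap_bytes):
    """Report exposed logins as (service, client, server, item, value)."""
    findings = []
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:
            continue
        src, sport, dst, dport, payload = seg
        text = payload.decode("latin-1")
        if dport == 21:                  # FTP control channel, client to server
            for line in text.splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    findings.append(("ftp", src, dst, "username", arg))
                elif verb.upper() == "PASS":
                    # Record the exposure, never the secret itself.
                    findings.append(("ftp", src, dst, "password", "<redacted>"))
        elif sport == 23:                # Telnet prompts, server to client
            lowered = text.lower()
            if "password:" in lowered:
                findings.append(("telnet", dst, src, "password-prompt", ""))
            elif "login:" in lowered:
                findings.append(("telnet", dst, src, "login-prompt", ""))
    return findings

def build_frame(src, sport, dst, dport, payload):
    """Constructed test data: Ethernet/IPv4/TCP frame, checksums left at zero."""
    ip = lambda s: bytes(int(p) for p in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                        64, 6, 0, ip(src), ip(dst))
    eth = bytes.fromhex("020000000061") + bytes.fromhex("020000000031") + b"\x08\x00"
    return eth + iphdr + tcp + payload

def build_sample_pcap():
    """Constructed capture: one FTP login and one Telnet login to 10.10.10.61."""
    server, client = "10.10.10.61", "10.10.10.31"
    frames = [
        build_frame(server, 21, client, 49200, b"220 FTP service ready\r\n"),
        build_frame(client, 49200, server, 21, b"USER Administrator\r\n"),
        build_frame(server, 21, client, 49200, b"331 Password required\r\n"),
        build_frame(client, 49200, server, 21, b"PASS constructed-secret\r\n"),
        build_frame(server, 23, client, 49201, b"login: "),
        build_frame(server, 23, client, 49201, b"Password: "),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for finding in audit_cleartext_logins(build_sample_pcap()):
        print(finding)
```

Any finding is a reason to move that service to an encrypted equivalent such as SSH or SFTP/FTPS, and to reset the account named in the report.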

Exercise VIII: Performing Man-In-The-Middle Attack using

Cain & Abel

Lab Scenario

To be an expert Ethical Hacker and Penetration Tester you must have sound knowledge of

sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote

access (SSH or VPN), authentication mechanism and encryption techniques.

Lab Objectives

The objective of this lab is to accomplish the following:

Sniff network traffic and perform ARP Poisoning

Launch Man-in-the-Middle attack

Sniff network for password

1. Logon to Windows 7

Switch to Windows 7 (10.10.10.31) machine from Machines tab of the right pane of your

window.

2. Enter Credentials

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

3. Switch to Windows Server 2003

Switch to Windows Server 2003 machine from Machines tab in the right pane of the

window.

4. Enter Credentials

Go to Machine Commands and click Ctrl+Alt+Del.

In the log on box enter the following credentials and press Enter.

User Name: Administrator

Password: Pa$$w0rd

You can also use the Machine Commands menu to enter the user name and password.

5. Logon to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right

pane of the window.

You can use Machine Commands Ctrl + Alt + Del to login

6. Enter Credentials

In the log on box enter the following Credentials and press Enter

User Name: Administrator

Password: Pa$$w0rd

Once you log in to the Windows Server 2008 (10.10.10.1) machine, the Server Manager window

will pop up; close the Server Manager window.

You can use the Machine Commands menu to enter your user name and password

7. Install WinPcap

To install WinPcap, navigate to E:\CEHv7 Lab Prerequisites\WinPcap.

Double-click WinPcap_4_1_2.exe and follow the wizard-driven installation steps to

install WinPcap.

8. Install Cain & Abel

To install Cain & Abel, navigate to E:\CEHv7 Module 08 Sniffers\ARP Poisoning

Tools\Cain and Abel.

Double-click ca_setup.exe and follow the wizard-driven installation steps to install Cain

& Abel.

9. Launch Cain & Abel

To launch Cain & Abel navigate to Start --> All Programs --> Cain --> Cain

10. Configure Ethernet Card

When you first open Cain & Abel, you will notice a series of tabs near the top of the

window.

To configure Ethernet Card, click Configure from menu bar.

11. Configuration Dialog Box

Configuration Dialog window consists of several tabs. Click Sniffer tab to select sniffing

adapter.

Select adapter and click Apply and OK.

12. Start Sniffing

To start sniffing, click the Start/Stop Sniffer icon from the menu bar, and open the Sniffer tab.

13. Click + (Add to List) icon

Now click + icon to Scan for MAC Addresses from the menu bar

or

Right click on the dashboard and select Scan MAC Addresses from context menu

14. MAC Addresses Scanner

The MAC Addresses Scanner wizard opens; select the All hosts in my subnet option or the

Range option from the Target section.

From Promiscuous-Mode Scanner section check All Tests option then click OK button.

If you are selecting a Range option then you must provide the IP range of your network.

In this lab we have selected Range option and we have provided a range of 10.10.10.1 to

10.10.10.90

15. APR Tab

After scanning is complete, a list of detected MAC addresses is displayed.

Now click on the APR tab at the bottom of the Cain & Abel window.

The + (Add to List) icon will be disabled in this tab.

16. Activate + (Add to List) icon

To activate the + (Add to List) icon, click anywhere in the dashboard.

17. Click + (Add to List) icon

Click + (Add to List) icon to open New ARP Poison Routing wizard.

18. New ARP Poison Routing

In New ARP Poison Routing wizard select Windows Server 2003 (10.10.10.61) from the

left pane.

After selecting Windows Server 2003 (10.10.10.61) IP Address then in right pane it

displays Windows 7 (10.10.10.31) IP address. Now select Windows 7 IP Address from

the right pane and click OK button

19. Start APR Poisoning

Now click Start/Stop APR button to start APR poisoning as shown in the following

figure.

After clicking on Start/Stop APR button note down the packets generated.

20. Switch to Windows Server 2003

Switch to Windows Server 2003 (10.10.10.61) machine through Machines tab from the

right pane of the window

21. Launch Command Prompt

Launch Command Prompt in Windows Server 2003 (10.10.10.61) and in command

prompt type this command ping 10.10.10.31 and press Enter

10.10.10.31 represents the Windows 7 IP address.

22. Switch to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine through Machines tab from the

right pane of the window.

After switching to Windows Server 2008 you can observe some packets are captured in

Cain & Abel.

23. Switch to Windows Server 2003

Switch to Windows Server 2003 (10.10.10.61) machine through Machines tab from the

right pane of the window.

24. Launch IIS Manager

To launch IIS Manager, navigate to Start --> Administrative Tools --> Internet

Information Services (IIS) Manager.

25. FTP Site Service

In IIS Manager window select FTP Sites from the left pane and check whether the FTP

service is running.

If it is not running right-click on Default FTP Site and select the Start option from the

context menu.

26. Switch to Windows 7

Switch to Windows 7 (10.10.10.31) machine from Machines tab from the right pane of

the window.

27. Launch Firefox

Launch Firefox browser in Windows 7 (10.10.10.31) machine and type ftp://10.10.10.61

in the address bar and press Enter.

10.10.10.61 represents Windows Server 2003 IP address

28. Authentication Required

In Authentication Required pop-up enter the credentials of Windows Server 2003

(10.10.10.61) machine and click OK button.

Enter these Credentials User Name: Administrator

Password: Pa$$w0rd

29. Switch to Windows Server 2008

Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab from the

right pane of the window.

30. Observe the Packets

Now check with the Packets in Cain & Abel.

31. Passwords Tab

Click Passwords tab at bottom

32. Captured Password

Select FTP from the left pane under Passwords.

Now check for the ftp://10.10.10.61 accessed from the Windows 7 machine

(10.10.10.31). It will display the password that you have entered at Authentication

Required pop-up.

Lab Analysis

In this lab you have accomplished the following: Sniffed network traffic and performed ARP

Poisoning.

You have now:

Launched Man-in-the-Middle attack

Sniffed network for password
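
The scenario for this module asks for evidence of ARP poisoning on the network. As an added example (not part of the original lab manual), this detector reads raw ARP frames and flags the three symptoms that the poisoning in Exercises V and VIII leaves behind: replies nobody asked for, an IP whose MAC changes, and one MAC answering for several IPs. The MAC addresses and the frame sequence are constructed sample data; only the IP addresses come from the lab.

```python
import struct
from collections import defaultdict

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,  # 1 = request, 2 = reply
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }

def detect_arp_poisoning(frames):
    """Return (frame_index, rule, ip, mac) alerts for a sequence of raw frames."""
    baseline = {}               # IP -> first MAC seen claiming it
    claimed = defaultdict(set)  # MAC -> IPs it has claimed
    pending = set()             # (asker_ip, asked_ip) requests not yet answered
    alerts = []
    for n, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["spa"], arp["sha"]
        if arp["eth_src"] != mac:
            # Ethernet source and ARP sender hardware address should agree.
            alerts.append((n, "sender-mismatch", ip, arp["eth_src"]))
        if arp["op"] == 1:
            pending.add((ip, arp["tpa"]))
        elif arp["op"] == 2:
            if (arp["tpa"], ip) in pending:
                pending.discard((arp["tpa"], ip))
            else:
                alerts.append((n, "unsolicited-reply", ip, mac))
        if ip == "0.0.0.0":
            continue  # RFC 5227 address probe: the sender claims no IP yet
        if baseline.setdefault(ip, mac) != mac:
            alerts.append((n, "binding-changed", ip, mac))
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            # Also true of proxy ARP and multi-homed hosts: treat as a lead.
            alerts.append((n, "mac-claims-multiple-ips", ip, mac))
    return alerts

def suspect_macs(alerts):
    """MACs that took over an IP address already bound to another MAC."""
    return {mac for _, rule, _, mac in alerts if rule == "binding-changed"}

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build a raw 42-byte ARP frame (constructed test data)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    eth_dst = m("ff:ff:ff:ff:ff:ff") if op == 1 else m(tha)
    return (eth_dst + m(eth_src or sha) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

# Constructed, locally administered MACs for the three lab machines.
MAC_2008 = "02:00:00:00:00:01"   # 10.10.10.1, the host running the ARP tool
MAC_2003 = "02:00:00:00:00:61"   # 10.10.10.61
MAC_WIN7 = "02:00:00:00:00:31"   # 10.10.10.31
ZERO = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # Normal resolution traffic.
    build_arp(1, MAC_2008, "10.10.10.1", ZERO, "10.10.10.61"),
    build_arp(2, MAC_2003, "10.10.10.61", MAC_2008, "10.10.10.1"),
    build_arp(1, MAC_2003, "10.10.10.61", ZERO, "10.10.10.31"),
    build_arp(2, MAC_WIN7, "10.10.10.31", MAC_2003, "10.10.10.61"),
    # Poisoned replies: the 2008 host's MAC answers for both other machines.
    build_arp(2, MAC_2008, "10.10.10.31", MAC_2003, "10.10.10.61"),
    build_arp(2, MAC_2008, "10.10.10.61", MAC_WIN7, "10.10.10.31"),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
    print("suspect MACs:", suspect_macs(detect_arp_poisoning(SAMPLE_FRAMES)))
```

The baseline keeps the first binding seen, so a replaced network card or a reassigned DHCP lease also raises binding-changed; confirm against the switch's MAC table or DHCP leases before acting.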