CEH Lab Manual, Module 08: Sniffers

Sniffing a Network

A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.

Lab Scenario

Sniffing is a technique used to intercept data in information security, where many of the tools exploit and compromise the same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc. Network sniffing involves intercepting network traffic between two target network nodes and capturing the network packets exchanged between them.

A packet sniffer is also referred to as a network monitor. It is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, to troubleshoot them. Similarly, sniffing tools can be used by attackers in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the network traffic, they can analyze the packets and view the user name and password information in a given network, as this information is transmitted in cleartext. An attacker can easily intrude into a network using this login information and compromise other systems on the network.

Hence, it is very crucial for a network administrator to be familiar with network traffic analyzers. He or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, know the types of information that can be detected from the captured data, and use that information to keep the network running smoothly.

Lab Objectives

The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network.

The primary objectives of this lab are to:
* Sniff the network
* Analyze incoming and outgoing packets
* Troubleshoot the network for performance
* Secure the network from attacks

CEH Lab Manual Page 555. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

In this lab, you need:
* A web browser with an Internet connection
* Administrative privileges to run tools

Lab Duration

Time: 80 Minutes

Overview of Sniffing a Network

Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in sniffing the network:
* Sniffing the network using the Colasoft Packet Builder
* Sniffing the network using the OmniPeek Network Analyzer
* Spoofing MAC address using SMAC
* Sniffing the network using the WinArpAttacker tool
* Analyzing the network using the Colasoft Network Analyzer
* Sniffing passwords using Wireshark
* Performing man-in-the-middle attack using Cain & Abel
* Advanced ARP spoofing detection using XArp
* Detecting systems running in promiscuous mode in a network using PromqryUI
* Sniffing a password from captured packets using Sniff-O-Matic

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

From the previous scenario, you are now aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:
* OmniPeek Network Analyzer, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer
* You can also download the latest version of OmniPeek Network Analyzer from http://www.wildpackets.com/products/omnipeek_network_analyzer
* If you decide to download the latest version, then the screenshots shown in the lab might differ
* A computer running Windows Server 2012 as host machine
* Windows 8 running on a virtual machine as target machine
* A web browser and Microsoft .NET Framework 2.0 or later
* Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
* Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.11 wireless.

Lab Tasks

1. Install OmniPeek Network Analyzer on the host machine, Windows Server 2012.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
   FIGURE 1.1: Windows Server 2012 - Desktop view
3. Click the WildPackets OmniPeek Demo app in the Start menu to launch the tool.
   FIGURE 1.2: Windows Server 2012 - Start menu
4. The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.
   FIGURE 1.3: OmniPeek main screen
5. Launch the Windows 8 virtual machine.
6. Now, in Windows Server 2012, create an OmniPeek capture window as follows:
   a. Click the New Capture icon on the main screen of OmniPeek.
   b. View the General options in the OmniPeek Capture Options dialog box when it appears.
   c. Leave the default general settings and click OK.
   FIGURE 1.4: OmniPeek Capture Options dialog - General
   d. Click Adapter and select Ethernet in the list for Local machine. Click OK.
   FIGURE 1.5: OmniPeek Capture Options - Adapter
7. Now, click Start Capture to begin capturing packets. The Start Capture tab changes to Stop Capture, and traffic statistics begin to populate the Network Dashboard in the capture window of OmniPeek.
   FIGURE 1.6: OmniPeek capturing packets window
8. The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.
   FIGURE 1.7: OmniPeek statistical analysis of data
9. To view the captured packets, select Packets in the Capture section of the Dashboard in the left pane of the window.
10. Similarly, you can view Log, Filters, Hierarchy, and Peer Map by selecting the respective options in the Dashboard.
11. You can view the Nodes and Protocols from the Statistics section of the Dashboard.
   FIGURE 1.9: OmniPeek statistics capture of Nodes
12. You can view a complete Summary of your network from the Statistics section of the Dashboard.
   FIGURE 1.10: OmniPeek Summary statistics
13. To save the result, select File > Save Report.
   FIGURE 1.11: OmniPeek saving the report
14. Choose the format of the report type from the Save Report window and then click Save.
   FIGURE 1.12: OmniPeek setting the report format
15. The report can be viewed as a PDF.

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: OmniPeek Network Analyzer
Information Collected / Objectives Achieved:
Network Information:
* Network Utilization
* Current Activity Log
* Top Talkers by IP Address
* Top Protocols
Packets Information:
* Source
* Destination
* Size
* Protocol
Nodes Statistics:
* Total Bytes for a Node
* Packets Sent
* Packets Received
* Broadcast/Multicast Packets
Summary includes information such as:
* General
* Network
* Errors
* Counts
* Size Distribution

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. Analyze what 802.11n adapters are supported in OmniPeek Network Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall rules.
3. Evaluate how you create a filter to span multiple ports.

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs

Spoofing MAC Address Using SMAC

SMAC is a powerful and easy-to-use MAC address changer (spoofer). The tool can activate a new MAC address automatically, right after changing it.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing.

Lab Scenario

In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze them to determine whether any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network. If an administrator does not have a certain level of working skill with a packet sniffer, it is really hard to defend against intrusions. So as an expert ethical hacker and penetration tester, you must be able to spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.
Lab Environment

In the lab, you need:
* SMAC, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC
* You can also download the latest version of SMAC from http://www.klcconsulting.net/smac/default.htm#smac27
* If you decide to download the latest version, then the screenshots shown in the lab might differ
* A computer running Windows Server 2012 as host and Windows Server 2008 as victim machine
* Double-click smac27beta_setup.exe and follow the wizard-driven installation steps to install SMAC
* Administrative privileges to run tools
* A web browser with Internet access

Lab Duration

Time: 10 Minutes

Overview of SMAC

Spoofing a MAC protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections available these days, and wireless networks use MAC addresses to communicate. Wireless network security and privacy is all about MAC addresses.

Spoofing is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems, i.e. wireless access points.

Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).

Note: SMAC works on the Network Interface Card (NIC), which is on the Microsoft Hardware Compatibility List (HCL).

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
   FIGURE 2.1: Windows Server 2012 - Desktop view
2. Click the SMAC 2.7 app in the Start menu to launch the tool.
   FIGURE 2.2: Windows Server 2012 - Start menu
3. The SMAC main screen appears. Choose a network adapter to spoof a MAC address.
   FIGURE 2.3: SMAC main screen
4. Click Random to generate a random MAC address.
   FIGURE 2.4: SMAC Random button to generate a MAC address
5. Clicking the Random button also fills in the New Spoofed MAC Address field, to simplify MAC address spoofing.
   FIGURE 2.5: SMAC setting a new spoofed MAC address
6. The Network Connection or Adapter displays its respective name.
7. Click the forward arrow button in Network Connection to display the Network Adapter information.
   FIGURE 2.6: SMAC Network Connection information
8. Clicking the backward arrow button in Network Adapter will again display the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.
   FIGURE 2.7: SMAC Network Adapter information
9. Similarly, the Hardware ID and Configuration ID display their respective information.
10. Click the forward arrow button in Hardware ID to display the Configuration ID information.
   FIGURE 2.8: SMAC Hardware ID display
11. Clicking the backward arrow button in Configuration ID will again display the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.
   FIGURE 2.9: SMAC Configuration ID display
12. To bring up the ipconfig information, click IPConfig.
   FIGURE 2.10: SMAC viewing the IPConfig information
13. The IPConfig window pops up, and you can also save the information by clicking the File menu at the top of the window.
   FIGURE 2.11: SMAC IPConfig information
14. You can also import a MAC address list into SMAC by clicking MAC List.
   FIGURE 2.12: SMAC loading the MAC address list
15. If there is no address in the MAC address field, click Load List to select a MAC address list file you have created.
   FIGURE 2.13: SMAC MAC List window
16. Select the Sample_MAC_Address_List.txt file from the Load MAC List window.
   FIGURE 2.14: SMAC MAC List window
17. A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC address and click Select. This MAC address will be copied to New Spoofed MAC Address on the main SMAC screen.
   FIGURE 2.15: SMAC MAC List window
18. To restart the network adapter, click Restart Adapter, which restarts the selected network adapter. Restarting the adapter causes a temporary disconnection of your network adapter.
   FIGURE 2.16: SMAC restarting the network adapter

Note: SMAC displays the following information: Device ID, Active MAC address, Spoofed status, NIC description, IP address, Spoofed MAC address, NIC hardware ID, and NIC configuration ID.

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: SMAC
Information Collected / Objectives Achieved:
* Host Name
* Node Type
* MAC Address
* IP Address
* DHCP Enabled
* Subnet Mask
* DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate and list the legitimate uses of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs
Sniffing a Network Using the WinArpAttacker Tool

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).

Lab Scenario

You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker, too, can alter his or her MAC address to attempt to evade network intrusion detection systems, bypass access control lists, impersonate an authenticated user, and continue to communicate within the network when the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches.

As an administrator, it is very important for you to detect odd MAC addresses on the network: you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more MAC addresses for each port. Another way to prevent an attacker from sniffing your network is to use static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and protect it from attacks.

Lab Objectives

The objectives of this lab are to:
* Scan, detect, protect, and attack computers on local area networks (LANs)
* Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
* Save and load computer list files, and scan the LAN regularly for a new computer list
* Update the computer list in passive mode using sniffing technology
* Find out whether hosts freely provide information regarding the type of operating systems they employ
* Discover the kind of firewall, wireless access point, and remote access in use
* Discover any published information on the topology of the network
* Discover whether the site is seeking help for IT positions that could give information regarding the network services provided by the organization
* Identify actual users and discover whether they give out too much personal information, which could be used for social engineering purposes

Lab Environment

To conduct the lab, you need to have:
* WinArpAttacker, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker
* You can also download the latest version of WinArpAttacker from http://www.xfocus.net
* If you decide to download the latest version, then the screenshots shown in the lab might differ
* A computer running Windows Server 2012 as host machine
* Windows Server 2008 running on a virtual machine as target machine
* A computer updated with network devices and drivers
* An installed version of the WinPcap drivers
* Double-click WinArpAttacker.exe to launch WinArpAttacker
* Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Sniffing

Sniffing is performed to collect basic information of a target and its network. It helps to find vulnerabilities and to select exploits for attack. It determines network information, system information, and organizational information.

Lab Tasks

1. Launch the Windows 8 virtual machine.
2. Launch WinArpAttacker in the host machine.
3. Click the Scan option from the toolbar menu and select Scan LAN.
4. The scan shows the active hosts on the LAN in a very short period of time (2-3 seconds).
5. The Scan option has two modes: Normal scan and Antisniff scan.
   FIGURE 3.2: WinArpAttacker Scan options
6. Scanning saves and loads a computer list file and also scans the LAN regularly for a new computer list.
   FIGURE 3.3: WinArpAttacker Load Computer List window
7. By performing the attack action, scanning can pull and collect all the packets on the LAN.
8. Select a host (10.0.0.5 - Windows Server 2008) from the displayed list and select Attack > Flood.
   FIGURE 3.4: WinArpAttacker ARP attack
9. Scanning acts as another gateway or IP forwarder without other users' recognition on the LAN, while spoofing ARP tables.
10. All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward functions are counted, as shown in the main interface.
   FIGURE 3.6: WinArpAttacker options
11. Select a desired location and click Save to save the reports.

Lab Analysis

Analyze and document the scanned and attacked IP addresses discovered in the lab.

Tool/Utility: WinArpAttacker
Information Collected / Objectives Achieved:
* Host Name
* Node Type
* MAC Address
* IP Address
* DHCP Enabled
* Subnet Mask
* DNS Servers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
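The SMAC lab above shows a MAC address being replaced by software, and the WinArpAttacker scenario names the defender's counters, port security and static ARP entries. The following script is an added example, not part of the CEH lab manual or of either tool: a defender-side audit of ARP replies that flags a MAC with the locally administered bit set (a vendor burned-in address never has it), one IP claimed by two MACs, and a gateway MAC that contradicts a recorded static ARP entry. Every IP, MAC and the OUI allowlist are constructed sample values.

```python
"""
Added example, not part of the CEH lab manual or of SMAC/WinArpAttacker:
a defender-side audit of ARP replies for the symptoms the two labs describe.

Findings raised:
  * a sender MAC with the locally administered (U/L) bit set, which a
    vendor burned-in address never has, so the address was set by software
  * a sender MAC with the multicast (I/G) bit set, which no host should use
  * one IP address claimed by more than one MAC (classic ARP poisoning sign)
  * a MAC that contradicts a static ARP entry the administrator recorded

All IPs, MACs and the OUI allowlist below are constructed sample values.
"""
from collections import defaultdict

# Constructed static ARP baseline for the default gateway.
STATIC_ARP = {"10.0.0.1": "00:1a:2b:3c:4d:5e"}

# Constructed allowlist of vendor prefixes (OUIs) expected on this LAN.
KNOWN_OUIS = {"00:1a:2b", "00:0c:29", "08:00:27"}

# Constructed ARP replies as (sender IP, sender MAC), in arrival order.
OBSERVED_ARP = [
    ("10.0.0.1", "00:1a:2b:3c:4d:5e"),   # gateway, matches the static entry
    ("10.0.0.5", "00:0c:29:aa:bb:cc"),   # Windows Server 2008 target VM
    ("10.0.0.7", "08:00:27:11:22:33"),   # ordinary host, known vendor prefix
    ("10.0.0.1", "02:0c:29:aa:bb:cc"),   # gateway IP claimed by a second MAC
    ("10.0.0.9", "0e:5f:11:22:33:44"),   # randomised, locally administered MAC
    ("10.0.0.12", "00:50:56:12:34:56"),  # vendor prefix not in the allowlist
]


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC address as integers."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return [int(p, 16) for p in parts]


def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: address was assigned by software."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """I/G bit (0x01 of the first octet) set: a group address, never a host."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui(mac):
    """First three octets, normalised to lower-case colon form."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac)[:3])


def audit_arp(observed, static_arp, known_ouis):
    """Return (severity, message) findings for a list of ARP replies."""
    findings = []
    macs_per_ip = defaultdict(set)

    # Per-reply checks: address bits and vendor prefix.
    for ip, mac in observed:
        mac = mac.lower()
        macs_per_ip[ip].add(mac)
        if is_multicast(mac):
            findings.append(("high", f"{ip} advertised multicast MAC {mac}"))
        if is_locally_administered(mac):
            findings.append(("medium",
                             f"{ip} uses locally administered MAC {mac} (software-set, possible spoof)"))
        elif oui(mac) not in known_ouis:
            findings.append(("low", f"{ip} has unknown vendor prefix {oui(mac)}"))

    # Cross-reply check: one IP answered by several MACs.
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            findings.append(("high",
                             f"{ip} claimed by {len(macs)} MACs {sorted(macs)} (ARP poisoning indicator)"))

    # Baseline check: the static ARP entry is the source of truth for the gateway.
    for ip, expected in static_arp.items():
        rogue = macs_per_ip.get(ip, set()) - {expected.lower()}
        if rogue:
            findings.append(("high",
                             f"static ARP entry {ip} -> {expected} contradicted by {sorted(rogue)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_arp(OBSERVED_ARP, STATIC_ARP, KNOWN_OUIS):
        print(f"[{severity.upper():6}] {message}")
```

On the constructed input the audit raises two medium findings for the software-set addresses, one low finding for the unknown vendor prefix, and two high findings for the gateway IP that two MACs claim and that contradicts the static entry.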
No Platform Supported Z Classroom Bilabs ‘CEH Lab Manual Page 61 “Eical Hacking and Countemneasures Coppi © ty EC Councd “AL Righs Reserved Repeoducton Sey Prliited. Analyzing a Network Using the Capsa Network Analyzer Capsa Network Analyzer isan easy-to-use Ethernet network analyzer (it, packet sniffer or protocol analyzer) for network mronitoring and troubleshooting. Lab Scenario ‘Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details, A DNS attack can be performed using an extension to the DNS protocol. ‘To prevent this, network administrators must securely configure client systems and ‘use antivims protection so that the attacker is unable to recruit his or her botnet army. Securely configure name servers to reduce the attacker's ability to cosmupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of snifling, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network trafic. Lab Objectives ‘The objective of this lab is to obtain information regarding the target ‘organization that includes, but is not limited to: Nenwork traffic analysis, communication monitoring Network communication monitoring Network problem diagnosis Network security analysis Network performance detecting Network protocol analysis ‘CEH Lab Manual Page 612 “Eical Hacking and Countemneasures Coppi © ty EC Councd “AL Righs Reserved Repeoducton Sey Prliited. prose Lab Environment demonstrated in To carry out the lab, you need: this lab are available in * ColasoftCapsa Network Analyzer located at DACEH-ToolsiCEHv8 Module DICEH. 
08 Sniffing’ Sniffing Tools\Capsa Network Analyzer Tools\CEHV8 wy oe You can also download the latest version of ColasoftCapsa Network a Analyzer from the link hitp:/ /www.colisoft.com * Ifyou decide to download the latest version, then screenshots shown in the lab might differ * A computer mnning Windows Server 2012 as host machine Windows 8 munning on virtual machine as target machine Double-click capsa free 7.4.1.2626.exe and follow the wizard-driven installation steps to install Colasoft Capsa Free Network Analyzer © Administrative privileges to mun tools © Aweb browser with an Internet connection, Note: This lab requires an active Internet connection for license key registration Deswesce | Lab Duration Nerwodk Annyer rs oo Serer 2003 Sever 4 2008/7 wit G4 bit Eaton, Time: 20 Minutes Overview of Sniffing Sniffing is performed to collect basic information of the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be Aetive or Passive, Lab Tasks 1. Launch the Start comer of the desktop. by hovering the mouse cursor on the lower-left Deepa Newoit Aulus enyose Eine scsi ne Germaine fecal fx Srvoat aatuag nl Suing ‘CEH Lab Manual Page 613 ical Hacking and Coustenncnsares Copright © by EC Couacl “Al Rights Reserved. Reproductions Sey Prolite. Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool 3. The Colasoft Capsa 7 Free - Activation Guide window will appear. ‘Type the activation key that you receive in your registered email and click Next. Wilcome to Cots Caps 7 Free Acthaton Gul. 
Company: [SMC Gourd (ck hereto et your sel number “Toacthate the prodct now: select one ofthe folowing and ck the Ment btton eae contact copmatreeScolntt.com foray uestion © Actate Onin Recommended) Atte Ofine FIGURE 43 Colnft Cpe Pie Netoth Arlyn — Acton Gi window al Page 6 ical Hacking and Coustenncnsares Copright © by EC Couacl "AI Riphs Reserved Reproduction Suey Prolubied. 4 FIGURE 44 Colt Capes Fie Netotk Arle — tation sccm 5, The Colasoft Capsa 7 Free Network Analyzer main window appears ———=r— ss anerwouk anatyzes, Capen te cen t0 ‘monitor and analre ‘etwork ae wth ts ‘Eerste infor a mS) B) fal FIGURE 45 Colao Capea Neswouh Anat ain cen ‘CEH Lab Manual Page 618 ical Hacking and Coustenncnsares Copright © by EC Couacl “AL Riphs Reserved Reproduction Suid Prolab. 6. In the Capture tab of the main window, select the Ethemet check box in Adaptor and click Start to create a new project. FIGURE 46: ColnoftCapsa Nerwouk Analyzer creating « New Projet 7. Dashboard provides vatious graphs and charts of the statisties. You can view the analysis report in a graphical format in the Dashboard section of Node Explorer. Dire neework win te is the io (ferent net tafe to the mci af that 2 por can hale Fe ia the nerwock FIGURE 47 Colmoft Capea Netwouk Anaiae: Dashbond ‘CEH Lab Manual Page ole ical Hacking and Coustenncnsares Copright © by EC Couacl “AL Riphs Reserved Reproduction Suid Prolab. Ca neh eect dewotk s bos, ess Bevdbauen ae Tools this lab are available in Tools\CEHV8: Module 08 Sniffing 8, The Summary tab provides full general analysis and statistical information of the selected node in the Nede Explorer window. FIGURE 48 Colsoft Capa Nerwok Asarae Samiary 9. The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols 10. 
To view the slow response of TCP, click TEP Slow Response in Transport Layer, which in turn will highlight the slowest response in Diagnosis Events. ‘CEH Lab Manual Page 617 ‘Eical Hacking and Countermeasures Copyigt © ty EC Councd “Al Rights Reserved. Reproductions Sey Prolite. LL. Double-click the highlighted Diagnosis Event to view the detailed information of this event. FIGURE 4.10: Anan Dingnons Best 12. The TEP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information, FIGURE 4.11: TCP Siow ACK — Data Stream of Diagnotic Information window 15. The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols. (CEH Lab Manual Page 68 ‘Eikeal Hacking and Countemneasures Copyght © by BC Councd “Al Rights Reserved. Reproductions Sey Prolite. FIGURE 4.12 Colao Capea Netwouk Anat Potocelanasis 14, The Physical Endpoint tab lis statistics of all MAC addresses that communicate in the network hierarchically. FIGURE 4.13: Colt Capst NewoukAnajes Physical Epo aalss IP Endpoint tab displays statistics of all IP addresses communicating within the network. 16. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check if there is a multicast storm or broadcast storm in your network. ‘CEH Lab Manual Page 619 ‘Eikeal Hacking and Countemneasures Copyght © by BC Councd “Al Rights Reserved. Reproductions Sey Prolite. FIGURE 4.14: Colasoft Capa Neswotk Anyaee IP Endpoint view 17. The Physical Conversation tab presents the conversations between two MAC addresses. ‘owters ohh the packet FIGURE 4.15: Colnoft Caps Nerwouk Analy Psi Counesations os decreed 18. The IP Conversation tab presents IP conversations between pairs of nodes. 19. The lower pane of the IP conversation section offers UDP and TCP conversation, which you can drill down to analyze. 
FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations
20. Double-click a conversation in the IP Conversation list to view the full analysis of packets between the two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.
FIGURE 4.17: Colasoft Capsa Network Analyzer IP Conversations
21. A window opens displaying the full packet analysis between 10.0.0.5 and 239.255.255.250.
FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations
22. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.
23. Double-click a node to display the full analysis of its packets.
FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations
24. A Full Analysis window opens displaying detailed information about the conversation between the two nodes.
FIGURE 4.20: Packet Analysis of Nodes in TCP Conversations
25. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
26. The lower pane of this tab gives you the related packets and the reconstructed data flow to help you drill down and analyze the conversations.
FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations
27. On the Matrix tab, you can view the nodes communicating in the network, connected graphically by lines.
28. The weight of a line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.
29. You can easily navigate and shift between global statistics and the details of specific network nodes by switching to the corresponding nodes in the Node Explorer window.
FIGURE 4.22: Colasoft Capsa Network Analyzer Matrix view
30. The Packet tab provides the original information for any packet. Double-click a packet to view the full packet decode.
FIGURE 4.23: Colasoft Capsa Network Analyzer Packet information
31. The packet decode consists of two major parts: Hex View and Decode View.
FIGURE 4.24: Full Analysis of Packet Decode
32. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log and Yahoo Log.
33. You can view the logs of TCP conversations, web access, DNS transactions, email communications, etc.
FIGURE 4.25: Colasoft Capsa Network Analyzer Global Log view
FIGURE 4.26: Colasoft Capsa Network Analyzer HTTP Log view
34. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.
35. The Report tab provides 27 statistics reports, from the global network down to a specific network node.
FIGURE 4.28: Colasoft Capsa Network Analyzer Full Analysis Report
36. You can click the respective hyperlinks for information, or scroll down to view the complete detailed report.
FIGURE 4.29: Colasoft Capsa Network Analyzer Full Analysis Report

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

Tool/Utility: Capsa Network Analyzer
Information collected:
* Name, Physical Address, IP Address
* Packet Info: Packet Number, Packet Length, Captured Length
* Ethernet Type: Destination Address, Source Address, Protocol
* Endpoints: Physical Endpoint, IP Endpoint
* Conversations: Physical Conversation, IP Conversation, TCP Conversation, UDP Conversation
* Logs: Global Log, DNS Log, Email Log, FTP Log, HTTP Log, MSN Log, Yahoo Log

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Capsa affects your network traffic while it is analyzing the network.
2. What types of instant messages does Capsa monitor?
3. Determine whether the packet buffer will affect performance. If yes, what steps can you take to avoid or reduce its effect on the software?

Sniffing Passwords Using Wireshark
Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and display the packet data in detail.

Lab Scenario
As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and perform attacks on a network. Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. Attackers first learn the IP address and the correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she then sends counterfeit packets. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set. As an administrator, you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.

Lab Objectives
The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and collect data from any network topology.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 08 Sniffing.

Lab Environment
In the lab you will need:
* Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark
* You can also download the latest version of Wireshark from http://www.wireshark.org; if you decide to download the latest version, the screenshots shown in the lab might differ
* A computer running Windows Server 2012 as the Host (Attacker) machine
* A virtual machine (Windows 8 or Windows Server 2008) as the Victim machine
* A web browser with an Internet connection
* Double-click Wireshark-win64-1.8.2.exe and follow the wizard-driven installation steps to install Wireshark
* Administrative privileges to run tools
Wireshark is open source software released under the GNU General Public License (GPL).

Lab Duration
Time: 20 Minutes

Overview of Password Sniffing
Password sniffing uses various techniques to sniff a network and obtain someone's password. Networks use broadcast technology to send data: data transmitted over a broadcast network can be read by any other computer present on the network. Usually, all the computers except the recipient of the message notice that the message is not meant for them and ignore it. Many computers, however, can be programmed to look at every message on the network. If someone misuses this facility, they can view messages intended for others.

Lab Tasks
1. Before starting this lab, log in to the virtual machine(s).
2. On the host machine, launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 5.1: Windows Server 2012 Desktop view
3. Click Wireshark to launch the application.
FIGURE 5.2: Windows Server 2012 Desktop view
A network packet analyzer is a measuring device used to examine what is going on inside a network cable, just as an electrician uses a voltmeter to examine what is going on inside an electric cable (but at a higher level, of course).
4. The Wireshark main window appears.
FIGURE 5.3: Wireshark Main Window
5. From the Wireshark menu bar, select Capture > Interfaces (Ctrl+I).
Wireshark is used by network administrators to troubleshoot network problems and by network security engineers to examine security problems.
FIGURE 5.4: Wireshark Main Window with Capture Options
6. The Wireshark Capture Interfaces window appears.
FIGURE 5.5: Wireshark Capture Interfaces Window
7. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the system.
8. In the previous screenshot, it is the Realtek PCIe GBE Family Controller. The interface should show some packets passing through it, as it is connected to the network.
9. Click Start in that interface's line.
FIGURE 5.6: Wireshark Capture Interfaces Window - Starting Capture
10. Traffic, in the form of packets generated by the computer while browsing the Internet, appears in the capture.
FIGURE 5.7: Wireshark Main Window with Packets Highlighted
11. Now, switch to the virtual machine and log in to the email ID for which you would like to sniff the password.
12. Stop the running live capture by clicking the Stop icon on the toolbar.
FIGURE 5.8: Wireshark Window - Stopping Live Capture
13. … name for the file, and save it in the desired location.
FIGURE 5.9: Wireshark - Saving the Captured Packets
14. Now, go to Edit and click Find Packet.
Wireshark can save captured packets in a large number of formats used by other capture programs.
Wireshark is not an intrusion detection system: it will not warn you when someone does strange things on your network. Wireshark does not manipulate anything on the network; it only measures what passes by. It does not send packets on the network or do other active things (except for name resolution, and even that can be disabled).
FIGURE 5.10: Wireshark - Find Packet Option
15. The Wireshark: Find Packet window appears.
FIGURE 5.11: Wireshark - Find Packet Window
16. In Find By, select String, type pw in the Filter field, select the radio button for Packet details under Search In and select ASCII Unicode & Non-Unicode from the Character set drop-
