CEH Lab Manual
Module 08 - Sniffing

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Icon key: Valuable information / Test your knowledge / Web exercise / Workbook review
Tools demonstrated in this lab are available in Z:\CEH-Tools\CEHv10 Module 08 Sniffing

Sniffing a Network
A packet sniffer is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic. It sniffs every bit of information entering or leaving a network.

Lab Scenario
Sniffing is the process of monitoring and capturing data packets passing through a given network using software or hardware devices. There are two types of sniffing: passive and active. Passive sniffing refers to sniffing on a hub-based network; active sniffing refers to sniffing on a switch-based network. Although passive sniffing was predominant in earlier days, proper network security architecture (switch-based networks) has since been implemented to mitigate this kind of attack. However, there are a few loopholes in switch-based network implementations that can open doors for an attacker to sniff network traffic. Attackers hack the network using sniffers, mainly targeting the protocols vulnerable to sniffing. Some of the protocols vulnerable to sniffing include HTTP, FTP, SMTP, POP, and so on. The sniffed traffic comprises FTP and Telnet passwords, chat sessions, email and web traffic, DNS traffic, and so on. Once attackers obtain such sensitive information, they might attempt to impersonate the target. Thus, it is essential to assess the security of the network's infrastructure, find the loopholes in it, and patch them up to ensure a secure network environment. So, as an ethical hacker and penetration tester, your duties include implementing network auditing tools such as Wireshark, Cain & Abel, etc., in an attempt to find loopholes in the network.

Lab Objectives
The objective of this lab is to make students learn to sniff a network and analyze packets for any attacks on the network.
The primary objectives of this lab are to:
- Sniff the network
- Analyze incoming and outgoing packets
- Troubleshoot the network for performance
- Secure the network from attacks

Lab Environment
In this lab, you will need:
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 75 Minutes

Overview of Sniffing a Network
Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network, system, and organizational information.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or a nonprofit charity.
Recommended labs to assist you in sniffing the network:
- Performing Man-in-the-Middle Attack using Cain & Abel
- Spoofing MAC Address using SMAC
- Sniffing Passwords using Wireshark
- Analyzing a Network using the Capsa Network Analyzer
- Sniffing the Network using the OmniPeek Network Analyzer
- Detecting ARP Poisoning in a Switch Based Network
- Detecting ARP Attacks with XArp Tool

Lab Analysis
Analyze and document the results of this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Performing Man-in-the-Middle Attack using Cain & Abel
Cain & Abel is a password recovery tool that allows recovery of passwords by sniffing the network, and cracking encrypted passwords.

Lab Scenario
You learned in the previous lab how to obtain user names and passwords using Wireshark. By merely capturing enough packets, attackers can extract the username and password if victims authenticate themselves in public networks, especially on unsecured websites.
Once a password is hacked, an attacker can simply log into the victim's email account or use that password to log in to their PayPal and drain the victim's bank account. They can even change the password for the email. Attackers can use Wireshark to decrypt the frames with the victim's password they already have. As a preventive measure, an organization's administrator should advise employees not to provide sensitive information in public networks without HTTPS connections. VPN and SSH tunneling must be used to secure the network connection. As an expert Ethical Hacker and Penetration Tester, you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), authentication mechanisms and encryption techniques. Another method through which you can gain usernames and passwords is by using Cain & Abel to perform man-in-the-middle (MITM) attacks.

Lab Objectives
The objective of this lab is to accomplish the following regarding the target organization, including, but not limited to:
- Sniff network traffic and perform ARP poisoning
- Launch a man-in-the-middle attack
- Sniff the network for passwords

Lab Environment
To carry out the lab, you need:
- Cain & Abel, located at Z:\CEH-Tools\CEHv10 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel
- You can download the latest version of Cain & Abel from
http://www.oxid.it
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2016
- Windows 10 running on a virtual machine as the Attacker machine
- Windows Server 2012 running on a virtual machine as the Victim machine
- A web browser with Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of a Man-in-the-Middle Attack
An MITM is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. MITM attacks come in many variations and can be carried out on a switched LAN.

Lab Tasks
TASK 1: Man-in-the-Middle Attack
1. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel and double-click ca_setup.exe.
2. If the Open File - Security Warning pop-up appears, click Run.
3. Follow the wizard-driven installation steps to install Cain & Abel.
4. The WinPcap Installation pop-up appears; click Don't install if you have already installed it during the lab setup.
[Figure: WinPcap Installation prompt]
5. Launch the Windows Server 2012 and the Windows 10 virtual machines.
6. Switch back to the Windows Server 2016 machine, and launch Cain & Abel from the Apps screen.
7. The main window of Cain & Abel appears, as shown in the screenshot.
8. To configure the Ethernet card, click Configure from the menu bar.
[Figure 1.5: Cain & Abel Configuration option]
9. The Configuration Dialog window appears.
10. The window consists of several tabs.
Click the Sniffer tab to select the network interface.
11. Select the Adapter associated with the IP address of the machine, and click OK.
[Figure: Cain & Abel Configuration Dialog, Sniffer tab]
12. Click Start/Stop Sniffer on the toolbar to begin sniffing.
Note: If the Cain Warning pop-up opens, click OK.
[Cain Warning: "TCP Large/Giant Send Offloading is enabled on the current network interface. Cain's SSL MITM features could be affected, please check the Windows advanced settings of your network interface configuration. Alternatively you can globally disable task offloading features with the following command: netsh int ip set global taskoffload=disabled. Remember to deactivate and activate the network interface after the above command."]
13. Now click the Sniffer tab.
14. Click the plus (+) icon, or right-click in the window, and select Scan MAC Addresses to scan the network for hosts.
15. The MAC Address Scanner window appears. Check All hosts in my subnet and All Tests, then click OK.
16. Cain & Abel starts scanning for MAC addresses and lists all those found.
17. After scanning is completed, a list of detected MAC addresses is displayed as shown in the screenshots.
18. Click the APR tab at the lower end of the window.
19. Click anywhere on the topmost section in the right pane to activate the plus (+) icon.
20. Click the plus (+) icon; the New ARP Poison Routing window opens, from which we can add IPs to listen to traffic.
21. To monitor the traffic between two computers, select 10.10.10.10 (Windows 10) and 10.10.10.12 (Windows Server 2012). Click OK.
22. Select the added IP address in the Configuration / Routed Packets list, and click Start/Stop APR.
Note: If the Couldn't bind HTTPS acceptor socket pop-up appears, click OK.
23. Now, launch the command prompt in Windows Server 2012, type ftp 10.10.10.10 (the IP address of Windows 10) and press Enter.
24. When prompted for a username, type "Martin" and press Enter; when prompted for a password, type "apple" and press Enter.
Note: Irrespective of a successful login (or even of login failure), Cain & Abel captures the password entered during login.
25. On the Windows Server 2016 machine, observe the tool listing some packets.
26. Click the Passwords tab, as shown in the screenshot, to view the sniffed password for ftp 10.10.10.10.
[Figure 1.9: Cain & Abel Passwords tab]
27. This way, an attacker can obtain passwords in cleartext if the channel through which information is passing doesn't provide encryption.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and "exposure" through public and free information.
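The ARP poison routing that Cain & Abel performs in this lab has a visible signature on the wire, which the later "Detecting ARP Poisoning in a Switch Based Network" lab looks for: one MAC address starts answering for IP addresses that were previously bound to other MACs. The following Python script is an added example and is not part of this lab manual nor of Cain & Abel. It replays ARP replies (constructed sample lines in the "ip is at mac" style of Wireshark's Info column, using the lab's 10.10.10.10 and 10.10.10.12 hosts and a made-up attacker MAC) against an IP-to-MAC table and reports the two signs a defender would alert on; the table can be seeded from a trusted source such as DHCP leases or static ARP entries.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample (not a real capture). The two lab hosts first answer for
# themselves; later a third, hypothetical attacker MAC (00:0c:29:cc:cc:cc)
# answers for both of them, which is what APR looks like on the wire.
SAMPLE_ARP_LOG = """\
0.000 10.10.10.1 is at 00:0c:29:01:01:01
0.120 10.10.10.10 is at 00:0c:29:aa:aa:aa
0.480 10.10.10.12 is at 00:0c:29:bb:bb:bb
5.000 10.10.10.10 is at 00:0c:29:cc:cc:cc
5.100 10.10.10.12 is at 00:0c:29:cc:cc:cc
5.200 10.10.10.10 is at 00:0c:29:cc:cc:cc
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+) is at (?P<mac>[0-9a-fA-F:]{17})$"
)

ArpReply = namedtuple("ArpReply", "ts ip mac")
Alert = namedtuple("Alert", "ts kind subject detail")


def parse_arp_log(text):
    """Parse 'time ip is at mac' lines into ArpReply records; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append(ArpReply(float(m["ts"]), m["ip"], m["mac"].lower()))
    return replies


def detect_arp_poisoning(replies, trusted=None):
    """Replay ARP replies against an IP->MAC table and flag poisoning signs.

    Two signs are reported:
      mac-change: an IP that was bound to one MAC is now claimed by another
      multi-ip:   one MAC now claims more than one IP (both victims at once)
    `trusted` seeds the table (e.g. from DHCP leases or static ARP entries).
    Returns (alerts, final_table).
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.ip)
        if prev == r.mac:
            continue  # consistent with what we already know
        ip_to_mac[r.ip] = r.mac
        mac_to_ips[r.mac].add(r.ip)
        if prev is None:
            continue  # first time this IP is seen: learn it, no alert
        mac_to_ips[prev].discard(r.ip)
        alerts.append(Alert(r.ts, "mac-change", r.ip, f"{prev} -> {r.mac}"))
        if len(mac_to_ips[r.mac]) > 1:
            alerts.append(Alert(r.ts, "multi-ip", r.mac, ",".join(sorted(mac_to_ips[r.mac]))))
    return alerts, ip_to_mac


if __name__ == "__main__":
    found, table = detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG))
    for a in found:
        print(f"t={a.ts:.3f} {a.kind:10s} {a.subject} ({a.detail})")
```

A legitimate DHCP reassignment, a replaced NIC or a router failover produces the same mac-change alert, so the seed table should come from an authoritative source and every alert should be confirmed against the switch's MAC table. On managed switches the corresponding preventive controls are DHCP snooping with dynamic ARP inspection, which drop ARP replies that contradict the lease database; the XArp tool listed among this module's labs performs host-side checks of the same kind.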
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Spoofing MAC Address using SMAC
SMAC is a powerful and easy-to-use MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

Lab Scenario
A MAC duplicating or spoofing attack involves sniffing a network for the MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then the attacker spoofs his or her own MAC address with the MAC address of the legitimate client. Once the spoofing is successful, the attacker can receive all traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of a network user. If an administrator does not have working packet-sniffing skills, it is hard to defend against intrusions. So, as an Expert Ethical Hacker and Penetration Tester, you must be able to spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab, you will learn how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement and policy audits. In this lab, you will learn how to spoof a MAC address.

Lab Environment
In the lab, you will need:
- SMAC, located at Z:\CEH-Tools\CEHv10 Module 08 Sniffing\MAC Spoofing Tools\SMAC
- You can download the latest version of SMAC from the link http://www.klcconsulting.net/smac/default.htm
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2016 as a virtual machine
- Administrative privileges to run tools
- A web browser with Internet access

Lab Duration
Time: 5 Minutes

Overview of SMAC
Spoofing a MAC address protects personal and individual privacy. Many organizations track wired or wireless network users via their MAC addresses. In addition, there are more and more Wi-Fi wireless connections, and wireless networks use MAC addresses to communicate these days. Thus, wireless network security and privacy has to do with MAC addresses. Spoofing is carried out to perform security vulnerability testing and penetration testing on MAC address-based authentication and authorization systems (i.e., wireless access points). Disclaimer: Authorization to perform these tests must be obtained from the system's owner(s).

Lab Tasks
TASK 1: Install SMAC
1. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\MAC Spoofing Tools\SMAC, and double-click smac20_setup.exe.
2. If the Open File - Security Warning pop-up appears, click Run.
3. Follow the wizard-driven installation steps to install SMAC.
[Figure: SMAC setup wizard]
4. On completing the installation, launch SMAC from the Apps list.
TASK 2: Configure SMAC
5. The SMAC main screen appears, along with the License Agreement. Click I Accept to continue.
[Figure: SMAC License Agreement]
6. The Registration window appears; click Proceed to continue with the unregistered version of SMAC.
[Figure 2.4: SMAC Registration ("This is an unregistered version")]
7. The SMAC main window appears. Choose the network adapter of the machine whose MAC address is to be spoofed.
[Figure: SMAC main window]
8.
To generate a random MAC address, click Random.
[Figure 2.7: SMAC main window with a randomly generated MAC address]
10. The Network Connection or Adapter displays its respective name.
11. Click the forward arrow button on Network Connection to display the Network Adapter.
12. Clicking the backward arrow button on Network Adapter will again display the Network Connection. These buttons allow toggling between the Network Connection and Network Adapter.
[Figure: SMAC Network Adapter display]
13. Similarly, the Hardware ID and Configuration ID display their respective information.
14. Click the forward arrow button on Hardware ID to display Configuration ID.
15. Clicking the backward arrow button on Configuration ID will again display the Hardware ID information. These buttons toggle between Hardware ID and Configuration ID.
[Figure: SMAC Configuration ID display]
16. To bring up the ipconfig information, click IPConfig.
[Figure: SMAC IPConfig button]
17. The IPConfig window pops up, displaying the IP configuration details of the selected Network Adapter.
18. Click Close after analyzing the information.
[Figure: View IPConfig window (host name, DNS suffix, node type, adapter description, MAC address, DHCP and IP settings)]
19. You can also import a MAC address list into SMAC by clicking MAC List.
[Figure: SMAC MAC List button]
20. If there is no address in the MAC address field, click Load List to select a MAC address list file you have created.
21. A list of MAC addresses will be added to the MAC List in SMAC. Choose the MAC Address, and click Select to copy the MAC Address to the "New Spoofed MAC Address" field in the main SMAC screen.
[Figure: SMAC MAC List window]

Sniffing Passwords using Wireshark
... to demonstrate sniffing to capture traffic from multiple interfaces and collect data from any network topology.
In this lab, you will learn how to:
- Capture passwords of a local interface
- Capture traffic from a remote interface

Lab Environment
In this lab, you will need:
- Wireshark, located at Z:\CEH-Tools\CEHv10 Module 08 Sniffing\Sniffing Tools\Wireshark
- You can download the latest version of Wireshark from the link https://www.wireshark.org/download.html
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2016 (Attacker machine)
- A virtual machine running Windows 10 (Victim machine)
- A web browser with Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of Password Sniffing
An attacker needs to manipulate the functionality of the switch to see all traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often any laptop can plug into a network and gain access to it, since many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can capture and analyze all of the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus sniffing programs can see everyone's traffic.

Lab Tasks
TASK 1: Install Wireshark
1. Before starting this lab, ensure that WinPcap is installed. Also, log into the virtual machine(s).
2. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\Sniffing Tools\Wireshark and double-click Wireshark-win64-2.4.2.exe.
3. If the Open File - Security Warning pop-up appears, click Run.
4. Follow the wizard-driven installation steps to install Wireshark.
[Figure: Welcome to Wireshark 2.4.2 64-bit Setup]
5.
On completing the installation, launch Wireshark from the Apps list.
TASK 2: Configure Wireshark and Capture Traffic
6. The Wireshark main window appears, as shown in the screenshot.
7. From the Wireshark main window, select All interfaces shown and double-click the Ethernet interface as shown in the screenshot.
Note: The Ethernet interface name may vary in your lab environment.
[Figure: Wireshark capture interface selection]
8. Wireshark starts capturing the packets generated while any traffic is received or sent from your machine.
9. Now switch to the Windows 10 virtual machine.
10. Launch a web browser (here, Chrome) and go to www.moviescope.com.
11. The MovieScope home page appears; type the username in the username field and the password in the password field, and click Login as shown in the screenshot.
12. Stop the running live capture by clicking the stop button on the toolbar.
[Figure 3.7: Wireshark - stopping the live capture]
14. Select a destination to save the file, specify a file name, and select a file format. Click Save. Here, the pcapng format has been chosen.
[Figure 3.8: Wireshark Save As dialog]
TASK 3: Sniff Passwords
15. Filter HTTP traffic by issuing the http.request.method == "POST" syntax in the Filter field and click Apply.
16. Applying this syntax helps you narrow down the search for HTTP POST traffic.
[Figure 3.9: Wireshark display filter]
17. Wireshark filters only HTTP packets, as shown in the screenshot.
[Figure 3.10: Wireshark filtered packets]
18. Now, go to Edit and click Find Packet...
[Figure 3.11: Wireshark Find Packet option]
19. The Wireshark Find Packet section appears as shown in the screenshot.
20. Choose Packet details from the drop-down list, select Narrow (UTF-8 / ASCII) from the Character width drop-down list, select String, type pwd in the Filter field and click Find.
[Figure: Wireshark Find Packet bar]
22. Wireshark will now display the sniffed password from the captured packets.
[Figure: Wireshark packet details showing the submitted form data]
TASK 4: Capture Remote Network Traffic
23. Before beginning this task, log onto the Windows 10 virtual machine (assume this is the target machine) and sign into the Jason user account using qwerty as the password.
Note: Ensure that the Jason account has admin privileges.
24. Switch to the Windows Server 2016 machine, and navigate to the Desktop. Hover over the lower left of the screen and click the Search icon.
25. Search for Remote Desktop Connection (in the Search box) and click Remote Desktop Connection.
26. The Remote Desktop Connection dialog box appears; click Show Options.
[Figure: Remote Desktop Connection dialog]
27. The dialog box expands. Fill in the Computer and User name fields with the target machine's IP address and username.
28. Click Connect.
Note: The IP address and username may differ depending on your lab environment. Here, for instance, the username and password are Jason and qwerty. This is one of the user accounts in the machine with admin privileges.
[Figure: Remote Desktop Connection with options expanded]
29. The Windows Security pop-up appears.
Enter the password (qwerty), and click OK.
[Figure: Windows Security - Enter your credentials]
30. The Remote Desktop Connection pop-up appears; click Yes.
[Dialog: "The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed." The listed certificate error is that the certificate is not from a trusted certifying authority; the dialog asks "Do you want to connect despite these certificate errors?" and offers "Don't ask me again for connections to this computer".]
31. Now the target computer is remotely logged into from the Windows Server 2016 machine, as shown in the screenshot.
32. Hover over the lower left of the screen and click the Control Panel app as shown in the screenshot.
33. The Control Panel window appears; select Administrative Tools.
[Figure 3.25: Administrative Tools]
34. In the Administrative Tools control panel, double-click Services.
35. In the Services control panel, choose Remote Packet Capture Protocol v.0 (experimental), right-click the service and click Start.
[Figure 3.27: Starting the Remote Packet Capture Protocol service]
36. Close all the windows that were opened in the Windows 10 machine and close the Remote Desktop Connection.
37. Launch the Wireshark application from the Apps screen of the Windows Server 2016 machine.
38. The Wireshark main window appears as shown in the screenshot.
39. From the Wireshark menu bar, select Capture > Options...
[Figure 3.28: Wireshark Capture Options]
40. The Wireshark - Capture Interfaces window appears; click Manage Interfaces.
[Figure 3.29: Wireshark - Capture Interfaces]
41. The Manage Interfaces window appears. Click the Remote Interfaces tab, and click the Add button.
[Figure: Wireshark Manage Interfaces, Remote Interfaces tab]
42. The Wireshark: Remote Interface window appears.
43. In the Host text field, enter the IP address of the target machine and in the Port text field, enter the port number 2002.
44. Under Authentication, select Password authentication, and enter the target machine's user credentials.
45. Click OK.
Note: The IP address and user credentials may differ in your lab environment.
[Figure: Wireshark Remote Interface dialog]
46. A new remote interface is added on the Remote Interfaces tab.
47. Select the host, click Apply, and click Close.
[Figure: Remote interface listed in Manage Interfaces]
48. The newly added remote interface appears in the Wireshark - Capture Interfaces window.
49. Check the interface under which the IP address of the target machine is displayed, uncheck the other interfaces, and click Start as shown in the screenshot.
50. Sign into the user account Jason in the Windows 10 virtual machine. Here, you are signing in as a victim.
Note: The Remote Desktop connection gets disconnected as soon as you sign into the victim machine.
51. Browse the Internet from the target machine and create an account.
52. Switch back to the Windows Server 2016 machine. Wireshark starts capturing as soon as the user (here, you) begins to browse the Internet, as shown in the screenshot.
53. Stop the running live capture after a while by clicking the stop button in the menu bar.
[Figure 3.35: Stopping the remote capture]
54. In this way, you can capture traffic on a remote interface using Wireshark.
55. In real time, when attackers gain the credentials of a victim machine, they attempt to capture its remote interface and monitor the traffic the user browses, to reveal confidential user information.

Lab Analysis
Analyze and document the results related to this lab exercise.
Provide your opinion of your target's security posture and "exposure" through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Analyzing a Network using Capsa Network Analyzer
Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

Lab Scenario
Capsa is a portable network analyzer application for both LANs and WLANs which provides real-time packet capturing capability, 24x7 network monitoring, advanced protocol analysis, in-depth packet decoding and automatic expert diagnosis. It goes one step ahead of sniffing by intuitively analyzing network packets and generating meaningful information. Network administrators can use Capsa's comprehensive high-level window view for monitoring the entire network, and it gives network engineers quick insight into network administration that allows rapid pinpointing and resolving of application problems.

Lab Objectives
The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:
- Network traffic analysis
- Network communication monitoring
- Network problem diagnosis
- Network security analysis
- Network performance detecting
- Network protocol analysis
Lab Environment
To complete this lab, you will need:
- Colasoft Capsa Network Analyzer, located at Z:\CEH-Tools\CEHv10 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer
- You can download the latest version of Colasoft Capsa Network Analyzer from the link http://www.colasoft.com
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2016
- Administrative privileges to run tools
- A web browser with an Internet connection
Note: This lab requires a live Internet connection for license key registration.

Lab Duration
Time: 5 Minutes

Overview of Sniffing
Sniffing is performed to collect basic information about the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, password information, and organizational information. Sniffing can be active or passive.

Lab Tasks
TASK 1: Install Capsa Network Analyzer
1. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer and double-click capsa_ent_demo_10.0.0.10038_x64.exe.
2. If the Open File - Security Warning pop-up appears, click Run.
3. Follow the wizard-driven installation steps to install Capsa Network Analyzer.
[Figure: Welcome to the Colasoft Capsa 10 Enterprise Demo Setup Wizard]
Note: If a Windows Security dialog box opens during installation, click Install.
4. On completing the installation, launch Colasoft Capsa 10 Enterprise Demo from the Apps list.
5. The Colasoft Capsa 10 Enterprise Demo dialog box appears; click OK.
[Dialog: thanks you for trying Colasoft Capsa and lists the limitations of the demo version]
6. The Colasoft Capsa 10 Enterprise Demo main window appears, as shown in the following screenshot.
[Figure: Colasoft Capsa 10 Enterprise Demo main window]
TASK 2: Begin Packet Analysis
7. In the Capture tab, check the Ethernet adapter and click Start to create a new analysis project.
[Figure 4.5: Colasoft Capsa Network Analyzer - starting a new project]
Note: 10.10.10.16 is the IP address of the Windows Server 2016 machine, which may differ in your lab environment.
TASK 3: Analyze the Dashboard Information
8. The Dashboard provides graphs and charts of the statistics.
[Figure 4.6: Colasoft Capsa Network Analyzer - Dashboard]
TASK 4: Analyze the Summary Information
9. The Summary tab provides full general analysis and statistical information about the network.
[Figure 4.7: Colasoft Capsa Network Analyzer - Summary]
TASK 5: Analyze the Diagnosis Information
10. The Diagnosis tab provides the real-time events of the global network, by every type of protocol layer or security level.
11. To view the TCP slow response, click TCP Slow Response in the Transport Layer, which in turn will highlight the slow response events in Diagnosis Events.
[Figure 4.8: Colasoft Capsa Network Analyzer - Diagnosis]
12. Double-click the highlighted Diagnosis Event to view its details.
[Figure 4.9: Diagnosis event]
13. The Packet - Details - Analysis Project window displays Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information related to the event.
14. Close the Packet - Details - Analysis Project window after analyzing the results.
15. The Protocol tab lists statistics of all protocols used in the network transactions hierarchically. The MAC Endpoint and IP Endpoint for the selected protocol are displayed as well.
16. The MAC Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.

TASK 4: Analyze the Endpoint Information

17. The IP Endpoint tab displays statistics of all IP addresses communicating in the network.
18. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check whether there is a multicast storm or broadcast storm in the network.
19. The MAC Conversation tab presents the conversations between two MAC addresses.

TASK 5: Examine the IP Conversations

20. The IP Conversation tab presents IP conversations between pairs of nodes.
21. The lower pane of the IP Conversation section offers the UDP and TCP conversations, which you can drill down into to analyze.
22. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs. Here, we are checking the conversation between 10.10.10.16 and 200.122.209.78.
23. A window displays the full packet analysis between 10.10.10.16 and 200.122.209.78.
24. The TCP Conversation tab dynamically presents the real-time status of TCP conversations between pairs of nodes.
25. Double-click a node to display the full analysis of packets.
26. Transaction List displays the TCP transactions between the selected pair of nodes.
27. The Transaction Summary tab displays the summary of the transactions.

TASK 6: Examine the UDP Conversations

28. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
29. The lower pane of this tab gives you the related packets and the reconstructed data flow to help you drill down to analyze the conversations.
30. In the Matrix tab, you can view the nodes communicating in the network, graphically connected by lines.
31. The weight of each line indicates the volume of traffic between the nodes, which are arranged in an extensive ellipse.
32. You can easily navigate and shift between global statistics and the details of a specific network node by selecting the corresponding node in the Node Explorer window.

TASK 7: Analyze the Packet Details

33. The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of the packet decode.
34. The packet decode consists of two major views: Hex View and Decoding View.
35. The Log tab provides a Global Log, DNS Log, Email Log, FTP Log, HTTP Log, ICQ Log, MSN Log, and Yahoo Log.
36. So, you can view the logs of TCP conversations, web access, DNS transactions, email communications, and others.
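The Protocol, Endpoint, Conversation, Matrix and Diagnosis tabs walked through above are all aggregations over the captured packets. The following Python script, added here as an example and not part of Colasoft's product or of this manual, recomputes the same figures from a small hand-constructed packet list: packets per protocol, bytes per IP endpoint with the top talkers, bytes per IP conversation, the share of broadcast frames that the IP Endpoint step uses to spot a broadcast storm, and the TCP slow-response check from the Diagnosis tab. The packet records, the MAC addresses, the 30% broadcast threshold and the one-second slow-response threshold are assumptions; the IP addresses are the ones shown in the lab.

```python
"""Recompute Capsa-style endpoint, conversation, broadcast-storm and
TCP slow-response statistics from a list of captured packets.

Added example for this lab; not Colasoft code.  The packet records are
constructed by hand (assumption) to stand in for a live capture.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "TCP", "UDP", ...
    length: int     # bytes on the wire


SRV, WEB, KALI = "10.10.10.16", "200.122.209.78", "10.10.10.11"   # lab addresses
SRV_MAC, WEB_MAC, KALI_MAC = "00:0c:29:aa:01:16", "00:50:56:ee:00:01", "00:0c:29:aa:01:11"  # assumed

# Constructed sample capture (assumption): one web session that stalls
# for 2.77 s, plus a burst of UDP broadcasts from the Kali host.
SAMPLE = [
    Packet(0.000, SRV_MAC, WEB_MAC, SRV, WEB, "TCP", 74),
    Packet(0.120, WEB_MAC, SRV_MAC, WEB, SRV, "TCP", 74),
    Packet(0.130, SRV_MAC, WEB_MAC, SRV, WEB, "TCP", 512),
    Packet(2.900, WEB_MAC, SRV_MAC, WEB, SRV, "TCP", 1460),
    Packet(3.000, KALI_MAC, BROADCAST_MAC, KALI, "10.10.10.255", "UDP", 92),
    Packet(3.001, KALI_MAC, BROADCAST_MAC, KALI, "10.10.10.255", "UDP", 92),
    Packet(3.002, KALI_MAC, BROADCAST_MAC, KALI, "10.10.10.255", "UDP", 92),
    Packet(3.003, KALI_MAC, BROADCAST_MAC, KALI, "10.10.10.255", "UDP", 92),
    Packet(3.010, SRV_MAC, WEB_MAC, SRV, WEB, "TCP", 60),
    Packet(3.050, WEB_MAC, SRV_MAC, WEB, SRV, "TCP", 60),
]


def protocol_stats(packets):
    """Protocol tab: packets per protocol."""
    return Counter(p.proto for p in packets)


def endpoint_stats(packets):
    """IP Endpoint tab: bytes sent, bytes received and packets per IP."""
    stats = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "packets": 0})
    for p in packets:
        stats[p.src_ip]["bytes_out"] += p.length
        stats[p.src_ip]["packets"] += 1
        stats[p.dst_ip]["bytes_in"] += p.length
        stats[p.dst_ip]["packets"] += 1
    return dict(stats)


def top_talkers(packets, n=3):
    """Nodes with the highest total traffic (ties broken by address)."""
    ranked = sorted(endpoint_stats(packets).items(),
                    key=lambda kv: (-(kv[1]["bytes_in"] + kv[1]["bytes_out"]), kv[0]))
    return [(ip, s["bytes_in"] + s["bytes_out"]) for ip, s in ranked[:n]]


def conversation_stats(packets):
    """IP Conversation tab: traffic per unordered pair of IP addresses."""
    conv = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for p in packets:
        key = frozenset((p.src_ip, p.dst_ip))
        conv[key]["bytes"] += p.length
        conv[key]["packets"] += 1
    return dict(conv)


def broadcast_share(packets):
    """Fraction of frames sent to the Ethernet broadcast address."""
    if not packets:
        return 0.0
    return sum(p.dst_mac.lower() == BROADCAST_MAC for p in packets) / len(packets)


def is_broadcast_storm(packets, max_share=0.30):
    """Broadcast-storm check from the IP Endpoint step (threshold assumed)."""
    return broadcast_share(packets) > max_share


def slow_responses(packets, threshold=1.0):
    """Diagnosis tab, 'TCP Slow Response': for each TCP conversation, time
    from a packet sent by the initiator until the peer's next packet; gaps
    above threshold seconds are reported as (initiator, responder, delay)."""
    first_sender, pending, slow = {}, {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "TCP":
            continue
        key = frozenset((p.src_ip, p.dst_ip))
        initiator = first_sender.setdefault(key, p.src_ip)
        if p.src_ip == initiator:
            pending[key] = p.ts           # latest unanswered client packet
        elif key in pending:
            delay = p.ts - pending.pop(key)
            if delay > threshold:
                slow.append((initiator, p.src_ip, round(delay, 3)))
    return slow


if __name__ == "__main__":
    print(protocol_stats(SAMPLE))
    print(top_talkers(SAMPLE))
    print(conversation_stats(SAMPLE))
    print(f"broadcast share {broadcast_share(SAMPLE):.0%}, storm: {is_broadcast_storm(SAMPLE)}")
    print(slow_responses(SAMPLE))
```

Run as a script it prints the protocol counts, the two busiest endpoints, the per-pair byte counts, a 40% broadcast share (flagged as a storm at the assumed 30% threshold) and the single 2.77 s slow response between 10.10.10.16 and 200.122.209.78. On a real capture the same functions can be fed from any packet source that yields the seven fields; the point is that every Capsa tab used in this lab is a cheap group-by over the frames, so nothing stops an attacker from computing the same picture from a passive sniff.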
37. If you have MSN or Yahoo Messenger running on your system, you can view the MSN and Yahoo logs.

TASK 8: View the Global Report

38. The Report tab provides 28 statistics reports, from the global network down to a specific network node.
39. You can click the respective hyperlinks for information, or you can scroll down to view the complete detailed report.
40. Click Stop after completing your task.
41. In real time, an attacker may perform this analysis in an attempt to obtain sensitive information, as well as to find any network loopholes.

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Sniffing the Network using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.
Lab Scenario

From the previous scenario, you are now aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce the concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you will need:

- A web browser with an Internet connection
- A business email ID to download the tool
- A computer running Windows Server 2016 as a virtual machine
- Windows 10 running on a virtual machine as the target machine
- Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of OmniPeek

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, VoIP and video, remote offices, and 802.11a/b/g/n wireless.

Lab Tasks

TASK 1: Install OmniPeek

1. Launch a web browser, type https://www.savvius.com/ in the address bar, press Enter, and open the free 30-day OmniPeek trial software page.
2. Fill in the details in all the required fields, check the captcha, and click START.
3. Now, log in to the business email account related to the email ID specified on the registration page, and click the click here link in the email.
4. The OmniPeek download page appears, containing the serial number and download link. Copy the serial number, and click Download the Trial.
5. On completion of the download, navigate to the download location of the tool, and double-click it.
6. If the Open File - Security Warning pop-up appears, click Run.
7. The OmniPeek install wizard appears; click Next.
8. The Product Activation step appears; select Automatic: requires an Internet connection, and click Next.
9. The Customer Information step appears; type a User name, Company name, and email ID (the one provided at the time of registration), and enter the Serial Number that you noted in step 4.
10. Click Next.
   Note: Specify the serial key that you obtained during registration.
11. The System Information section appears; check Share my system information, and click Next.
12. The License Agreement step appears; accept the terms of the license agreement, and click Next.

TASK: Save the Capture Results

30. Minimize the OmniPeek main window, navigate to the location where you saved the report, and double-click it to open the file. The saved report can be viewed as in the screenshot below.
   Note: If the How do you want to open this file? window appears, choose the application and click OK.
31. Scroll down the page to view the complete report.
32. In real time, an attacker may perform this analysis in an attempt to obtain sensitive information, as well as to find any network loopholes.

Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Detecting ARP Poisoning in a Switch Based Network

ARP spoofing is a technique by which attackers send forged Address Resolution Protocol messages onto a local area network.
Lab Scenario

ARP cache poisoning is a method of attacking a LAN by updating the target computer's ARP cache with forged ARP request and reply packets, in an effort to change the Layer 2 Ethernet MAC address (i.e., that of the network card) associated with an IP address to one that the attacker controls. Attackers use ARP poisoning to sniff the target network. Attackers can thus steal sensitive information, prevent network and web access, and perform DoS and MITM attacks.

You, as an ethical hacker and pen tester, must assess your organization or a target of evaluation for ARP poisoning vulnerabilities.

Lab Objectives

The objective of this lab is to help students understand how to:

- Perform ARP poisoning on a switch-based network
- Detect ARP poisoning using Wireshark

Lab Environment

To perform this lab, you will need:

- A computer running a Windows Server 2016 machine
- Kali Linux running as a virtual machine
- Windows 10 running as a virtual machine

Lab Duration

Time: 15 Minutes

Overview of ARP Poisoning

ARP resolves IP addresses to the MAC (hardware) addresses of the interfaces used to send data. When a machine sends an ARP request, it normally assumes that the ARP reply comes from the right machine. ARP provides no means to verify the authenticity of the responding device. Indeed, systems that have not made an ARP request at all also accept an unsolicited ARP reply coming from another device, and most stacks simply overwrite the existing cache entry for that IP address. That unauthenticated overwrite is what the ARP Poison Routing below relies on.

Lab Tasks

Note: Launch the Windows 10 and Kali Linux virtual machines before beginning this lab.

TASK 1: Install Cain & Abel and Wireshark

1. Switch to the Windows 10 machine, navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\ARP Poisoning Tools\Cain & Abel, double-click ca_setup.exe, and follow the wizard-driven installation steps to install Cain & Abel.
   Note: If a User Account Control pop-up appears, click Yes. If a Windows Security dialog box appears asking you to enter network credentials, type the following credentials and click OK:
   User name: Administrator
   Password: Password
2. During installation, the WinPcap Installation pop-up appears; click Install.
3. Follow the wizard-driven installation steps to install WinPcap 4.1.3.
4. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\Sniffing Tools\Wireshark, double-click Wireshark-win64-2.4.2.exe, and follow the wizard-driven installation steps to install the application.
   Note: If the User Account Control pop-up appears, click Yes.

TASK 2: Perform ARP Poisoning

5. Now, double-click Cain to launch it.
   Note: If a User Account Control pop-up appears, click Yes.
6. The Cain window appears; click Configure in the menu bar.
7. The Configuration Dialog window appears; click the Sniffer tab.
8. Select the adapter, and click Apply, then OK.
9. Now, click Start/Stop Sniffer in the toolbar.
10. If the Cain pop-up appears, click OK. The warning reads: TCP Large/Giant Send Offloading is enabled on the current network interface. Cain's SSL MITM attacks could be affected; please check the Windows advanced settings of your network interface configuration.
   Alternatively, you can globally disable task offloading features with the following command: netsh int ip set global taskoffload=disabled. Remember to deactivate and reactivate the network interface after the change.
11. Click the Sniffer tab.
12. Click + in the toolbar.
13. The MAC Address Scanner window appears; select the Range radio button.
14. Specify the IP address range you want to scan (here, 10.10.10.1 - 10.10.10.30, which might differ in your lab environment).
15. Check All Tests, and click OK.
16. The application begins to perform ARP tests on the IP address range and displays the results in the Sniffer window.
17. On completing the ARP tests, all the MAC addresses and their associated IP addresses that responded to the ARP requests are displayed, as shown in the screenshot.
18. Now, click the APR tab.
19. Click anywhere on the topmost section (in the right pane) to activate the + icon.
20. Once the + icon is activated, click it.
21. The New ARP Poison Routing window appears. Now, you need to select the machines between which you want to intercept traffic.
22. Select the first target (here, 10.10.10.16, the Windows Server 2016 machine) from the list of IP addresses displayed in the left pane.
23. Upon selecting the first target, a list of IP addresses excluding the first target appears in the right pane.
24. You need to select the second target IP address (here, 10.10.10.11, the Kali Linux machine) from the right pane. By doing so, you are setting Cain to perform ARP poisoning between the first and second targets.
25. Once complete, the selected targets appear in the top section.
26. Now, click the Start/Stop APR button to initiate the ARP Poison Routing attack.
27. The status of the attack changes to Poisoning, as shown in the screenshot.
28. Cain & Abel is now intercepting the traffic traversing between these two machines.
29. To generate traffic between the machines, you need to ping one target machine from the other.

TASK 3: Generate Traffic

30. Switch to the Kali Linux machine, and launch a command-line terminal.
31. Type hping3 [IP address of Windows Server 2016] -c 100000 and press Enter to send 100000 packets to Windows Server 2016.
   Note: In this lab the IP address of Windows Server 2016 is 10.10.10.16, which might differ in your lab environment.
   Note: Without a mode switch, hping3 sends TCP packets with no flags set to port 0 rather than ICMP echo requests; that is enough to generate traffic for Cain to relay, but add -1 (hping3 -1 10.10.10.16 -c 100000) if you want ICMP pings like the ping command.

TASK 4: Detect ARP Poisoning / IP Address Spoofing

32. Now, immediately switch to the Windows 10 machine, go to the Apps screen, and click Wireshark to launch it.
33. The Wireshark main window appears; click Edit in the menu bar, and select Preferences.
34. The Wireshark - Preferences window appears; expand the Protocols node.
35. Select the ARP/RARP node.
36. Ensure that Detect ARP request storms and Detect duplicate IP address configuration are checked.
37. Click OK.
38. Now, select the interface associated with your network, then click Start.
39. Wireshark begins to capture traffic between the two machines.
40. Switch to Cain & Abel to observe the packets flowing between the two machines.
41. Now, switch to Wireshark, and click Stop to stop the packet capture.
42. Click Analyze in the menu bar, and select Expert Information.
43. The Expert Information window appears; click the Warnings node. It reports that duplicate IP addresses have been configured, detected through the ARP protocol, as shown in the screenshot.
44. Keep the Expert Information window above the Wireshark window, so you can view the packet number and the Packet Details section.
45. Expand a Sequence node, and select a packet (here, 108).
46. On selecting the packet number, Wireshark highlights the packet, and its associated information is displayed under Packet Details.
47. Observe the warnings highlighted in yellow, as shown in the screenshot.
48. The yellow warnings indicate that the same IP address has been seen bound to two different MAC addresses.
49. One MAC address is that of the attacker machine (the Windows 10 machine running Cain & Abel) and the other is that of the target machine.
50. Thus, ARP spoofing has been successfully detected using Wireshark.

Lab Analysis

Analyze and document the results related to this lab exercise.
Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Platform Supported: iLabs

Detecting ARP Attacks with XArp Tool

XArp is a security application that uses advanced techniques to detect ARP-based attacks.

Lab Scenario

Certain ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which has advanced techniques for detecting such attacks and protecting your data.

Lab Objectives

The objective of this lab is to detect ARP attacks.

Lab Environment

To complete this lab, you will need:

- XArp, located at Z:\CEH-Tools\CEHv10 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp
- You can download the latest version of XArp from its website
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A computer running Windows Server 2016
- Administrative privileges to run tools

Lab Duration

Time: 5 Minutes

Overview of XArp

XArp helps users detect ARP attacks and keep their data private. Administrators can use XArp to monitor whole subnets for such attacks. Different security levels and fine-tuning possibilities allow typical and power users alike to use XArp to detect ARP attacks.

Lab Tasks

TASK 1: Install XArp

1. Navigate to Z:\CEH-Tools\CEHv10 Module 08 Sniffing\ARP Spoofing Detection Tools\XArp, and double-click xarp-2.2.2-win.exe.
2. The Open File - Security Warning pop-up appears; click Run.
3. Follow the wizard-driven installation steps to install XArp 2.2.2.
4. On completing the installation, launch XArp from the Apps list.
5. The main window of XArp appears, displaying a list of IPs, MAC addresses, and other information for the machines in the network.
6. On the Windows Server 2016 machine, XArp displays no ARP attacks.
   Note: If you observe this result, log on to a virtual machine. You can run Cain & Abel to initiate ARP poisoning against the Windows Server 2016 machine.
7. By default, the Security level is set to basic; set it to aggressive.
8. Log on to the Windows 10 virtual machine.
9. Perform ARP poisoning using Cain & Abel, as in the previous lab, with the Windows Server 2016 machine as one of the targets.
10. The XArp pop-up appears, displaying the alerts.
11. The status changes to ARP attacks detected!.

Lab Analysis

Analyze and document the results related to this lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: No
Platform Supported: Classroom, iLabs
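Both detection labs (the Wireshark Expert Information warnings in the previous lab and the XArp alerts in this one) rest on the same observation: every ARP packet asserts that its sender IP lives at its sender MAC, and a poisoned segment shows one IP claimed by two MACs. The Python script below is an added example, not code from Cain & Abel, Wireshark or XArp. It builds the pair of unsolicited replies that each ARP Poison Routing cycle sends, then feeds them, together with a legitimate request/reply exchange, to a small monitor that implements the two passive checks enabled under Wireshark's ARP/RARP preferences (duplicate IP address configuration and ARP request storms). The lab's IP addresses are used; the MAC addresses, timestamps and the storm threshold (which mirrors Wireshark's default of 30 requests within 100 ms) are assumptions.

```python
"""Spoofed-ARP construction and the two passive ARP checks used above.

Added example for the Cain & Abel, Wireshark and XArp labs; it is not
code from any of those tools.  IPs are the lab's; MACs, timestamps and
the storm threshold are assumptions.
"""
import socket
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP frame for IPv4-over-Ethernet (RFC 826 layout).
    Requests go to the broadcast MAC; replies are unicast to target_mac."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


def poison_frames(attacker_mac, victim_a, victim_b):
    """The pair of unsolicited replies one ARP Poison Routing cycle sends:
    A is told that B's IP lives at the attacker's MAC, and B is told the
    same about A.  Neither victim asked, but the cache entries get updated."""
    (ip_a, mac_a), (ip_b, mac_b) = victim_a, victim_b
    return [
        build_arp(ARP_REPLY, attacker_mac, ip_b, mac_a, ip_a),
        build_arp(ARP_REPLY, attacker_mac, ip_a, mac_b, ip_b),
    ]


class ArpMonitor:
    """Passive checks matching Wireshark's ARP/RARP preferences 'Detect
    duplicate IP address configuration' and 'Detect ARP request storms'."""

    def __init__(self, storm_requests=30, storm_window=0.100):
        self.ip_to_macs = defaultdict(set)   # sender_ip -> every MAC seen claiming it
        self.request_times = []              # timestamps of recent ARP requests
        self.storm_requests = storm_requests
        self.storm_window = storm_window
        self.alerts = []

    def feed(self, ts, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        # Any ARP packet, request or reply, asserts "sender_ip is at sender_mac".
        macs = self.ip_to_macs[arp["sender_ip"]]
        if macs and arp["sender_mac"] not in macs:
            self.alerts.append(("duplicate-ip", arp["sender_ip"],
                                sorted(macs | {arp["sender_mac"]})))
        macs.add(arp["sender_mac"])
        if arp["op"] == ARP_REQUEST:
            self.request_times = [t for t in self.request_times
                                  if ts - t <= self.storm_window] + [ts]
            if len(self.request_times) >= self.storm_requests:
                self.alerts.append(("request-storm", len(self.request_times)))
                self.request_times.clear()


def simulate_lab():
    """Replays the lab: one normal resolution, then three APR cycles."""
    server = ("10.10.10.16", "00:0c:29:aa:01:16")   # Windows Server 2016 (MAC assumed)
    kali = ("10.10.10.11", "00:0c:29:aa:01:11")     # Kali Linux (MAC assumed)
    attacker_mac = "00:0c:29:aa:01:10"               # Windows 10 box running Cain (assumed)
    mon = ArpMonitor()
    mon.feed(0.00, build_arp(ARP_REQUEST, server[1], server[0], "00:00:00:00:00:00", kali[0]))
    mon.feed(0.01, build_arp(ARP_REPLY, kali[1], kali[0], server[1], server[0]))
    for cycle in range(3):
        for frame in poison_frames(attacker_mac, server, kali):
            mon.feed(1.0 + cycle, frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in simulate_lab():
        print(alert)
```

The replay yields exactly two duplicate-IP alerts, one per victim, the first time the attacker's MAC claims each address; later cycles repeat a binding already on record and stay silent, which is why the Wireshark warnings cluster at the moment APR starts. Two caveats a practitioner should keep in mind: Cain's own MAC Address Scanner (steps 12 to 16) emits a burst of ARP requests that can trip the request-storm check on its own, so that warning alone does not prove poisoning; and a legitimately replaced network card also produces one duplicate-IP alert, so the conclusive sign is the pattern seen here, where a single MAC ends up claiming several hosts' addresses.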
