CEH v8 labs module 08 Sniffers




Module 08


A packet sniffer is a type of program that monitors any bit of information entering or leaving a network. It is a type of plug-and-play wiretap device attached to a computer that eavesdrops on network traffic.

Lab Scenario

of the tools that are used to secure the network can also be used by attackers to

data, such as sensitive information, email text, etc.

Network sniffing involves intercepting network traffic between two target network

is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capturing the network traffic and, should there be any issues, proceeds to troubleshoot the same.

and analyze all the network traffic. Once attackers have captured the network traffic

can easily intrude into a network using this login information and compromise other systems on the network.

traffic analyzers, and he or she should be able to maintain and monitor a network

spoofing, or DNS poisoning, and know the types of information that can be detected from the captured data and use the information to keep the network running smoothly.

Lab Objectives

The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network.

The primary objectives of this lab are to:


■ Secure the network from attacks

Lab Environment

In this lab, you need:

■ A web browser with an Internet connection

■ Administrative privileges to run tools

Lab Duration

Time: 80 Minutes

Overview of Sniffing Network

information, system information, and organizational information.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB


Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

From the previous scenario, now you are aware of the importance of network

knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

■ OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\OmniPeek Network Analyzer

from the link

http://www.wildpackets.com/products/omnipeek_network_analyzer

the lab might differ

■ Windows 8 running on virtual machine as target machine

■ Administrative privileges to run tools


Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.

Lab Tasks

corner of the desktop.

FIGURE 1.1: Windows Server 2012 — Desktop view

provides users with the visibility and analysis they need to keep Voice and

4 The main window of WildPackets OmniPeek Demo appears, as shown in the following screenshot.

FIGURE 1.3: OmniPeek main screen

5 Launch Windows 8 Virtual Machine.

follows:

box when it appears.

To deploy and maintain Voice and Video over IP successfully, you need to be able to analyze and troubleshoot media traffic simultaneously with the network the media

FIGURE 1.4: OmniPeek capture options - General (tabs: General, Adapter, 802.11, Triggers, Filters, Statistics, Output, Analysis Options; settings shown: capture file size 256 megabytes, stop saving after 1000 files (2,560 MB), keep most recent 10, new file every 1, limit each packet to 128 bytes, discard duplicate packets, buffer size 100 megabytes)

OmniPeek Network Analyzer offers real-time high-level view of the entire network, expert analyses, and drill-down to packets, during capture.

Ethical Hacking and Countermeasures Copyright © by EC-Council

CEH Lab Manual Page 590


6 Click Adapter and select Ethernet in the list for Local machine. Click

FIGURE 1.5: OmniPeek capture options - Adapter (adapters listed: vSwitch (Virtual Network Internal Adapter), vEthernet (Virtual Network Internal Adapter); properties: Device Realtek PCIe GBE Family Controller, Media Ethernet, Link Speed 100 Mbits/s, WildPackets API No)

troubleshooting wired and wireless networks reduces the total cost of ownership and illuminates network problems that would otherwise be difficult to detect.

Network Dashboard in the capture window of OmniPeek.


8 The captured statistical analysis of the data is displayed on the Capture tab of the navigation bar.

FIGURE 1.7: OmniPeek statistical analysis of the data

Dashboard in the left pane of the window.

FIGURE 1.8: OmniPeek displaying Packets captured

Dashboard.

OmniPeek Professional expands the capabilities of OmniPeek Basic, extending its reach to all small businesses and corporate workgroups, regardless of the size of the

oriented ellipse, able to grow to the size necessary

It is easy to read the maps: the thicker the line between nodes, the greater the traffic; the bigger the dot, the more traffic through that node. The number of nodes displayed can also be limited to the busiest


FIGURE 1.9: OmniPeek statistical reports of Nodes

diagnosis, with a simple right click of the mouse.

specified monitor statistics function once per second, testing for user-specified problem and resolution conditions.

FIGURE 1.10: OmniPeek Summary details


FIGURE 1.11: OmniPeek saving the results

FIGURE 1.12: OmniPeek Selecting the Report format

15 The report can be viewed as a PDF.

monitor their entire network, rapidly troubleshoot faults, and fix


OmniPeek Report: 9/15/2012 12:21:22
Start: 9/15/2012 12:02:46, Duration: 0:01:25
Total Bytes: 1014185, Total Packets: 2000

Summary Statistics (Reported 9/15/2012 12:21:22)

Group: Network
  Total Bytes                      1014185
  Total Packets                    N/A
  Total Broadcast                  1061
  Total Multicast                  6933
  Average Utilization (percent)    0.096
  Average Utilization (bits/s)     95989
  Current Utilization (percent)    0.360
  Current Utilization (bits/s)     360320
  Max Utilization (percent)        0.795
  Max Utilization (bits/s)         794656

Group: Errors
  Total, CRC, Frame Alignment, Runt, Oversize
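The utilization rows in the report are the capture's per-second bit rate measured against the adapter's link speed (100 Mbits/s in Figure 1.5): 360320 bits/s on a 100 Mbit/s link is 0.360 percent, 794656 bits/s is 0.795 percent, and 95989 bits/s is 0.096 percent. The Python script below is an added example, not OmniPeek code and not part of the lab manual; it computes the same summary fields (totals, broadcast and multicast counts, average, current and max utilization in bits/s and percent) from a list of packet records. The `Packet` record type, its field names and the sample packets are constructed for this example.

```python
"""Added example: OmniPeek-style summary statistics from packet records.
Not OmniPeek code and not part of the lab manual; the Packet record and the
sample capture below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

LINK_SPEED_BPS = 100_000_000  # 100 Mbit/s, the adapter link speed shown in Figure 1.5


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds
    length: int    # frame length on the wire, bytes
    dst_mac: str   # destination MAC, colon-separated


def is_broadcast(mac: str) -> bool:
    return mac.lower() == "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # Group bit = least significant bit of the first octet.  Broadcast sets it
    # too, but the report counts broadcast separately, so exclude it here.
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01) and not is_broadcast(mac)


def utilization_summary(packets, link_bps=LINK_SPEED_BPS):
    """Totals plus average / current / max utilization in bits/s and percent.

    'Current' is the last whole second of the capture, 'max' the busiest one,
    and 'average' is total bits over the whole seconds the capture spans.
    """
    if not packets:
        raise ValueError("empty capture")
    t0 = min(p.ts for p in packets)
    bits_per_second = defaultdict(int)
    for p in packets:
        bits_per_second[int(p.ts - t0)] += p.length * 8
    last_second = max(bits_per_second)
    duration_s = last_second + 1
    total_bits = sum(bits_per_second.values())

    def pct(bps):
        return round(bps / link_bps * 100, 3)

    avg_bps = total_bits / duration_s
    cur_bps = bits_per_second[last_second]
    max_bps = max(bits_per_second.values())
    return {
        "total_bytes": total_bits // 8,
        "total_packets": len(packets),
        "total_broadcast": sum(is_broadcast(p.dst_mac) for p in packets),
        "total_multicast": sum(is_multicast(p.dst_mac) for p in packets),
        "duration_s": duration_s,
        "average_bps": avg_bps, "average_pct": pct(avg_bps),
        "current_bps": cur_bps, "current_pct": pct(cur_bps),
        "max_bps": max_bps, "max_pct": pct(max_bps),
    }


# Constructed capture: three seconds of traffic, one ARP broadcast, one IPv4 multicast.
SAMPLE_PACKETS = [
    Packet(0.10, 600, "00:1a:2b:3c:4d:5e"),
    Packet(0.50, 400, "ff:ff:ff:ff:ff:ff"),   # broadcast (ARP request)
    Packet(1.20, 1500, "00:1a:2b:3c:4d:5e"),
    Packet(1.40, 1500, "00:1a:2b:3c:4d:5e"),
    Packet(1.60, 1500, "01:00:5e:00:00:16"),  # IPv4 multicast (IGMP)
    Packet(1.90, 500, "00:1a:2b:3c:4d:5e"),
    Packet(2.30, 1500, "00:1a:2b:3c:4d:5e"),
    Packet(2.70, 1500, "00:1a:2b:3c:4d:5e"),
]

if __name__ == "__main__":
    for key, value in utilization_summary(SAMPLE_PACKETS).items():
        print(f"{key:16} {value}")
```

Bucketing by whole seconds is what makes "current" and "max" comparable to the report's per-second figures; a capture shorter than one second collapses into a single bucket, and the percent values stay meaningful only if `link_bps` matches the adapter actually captured on.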

OmniPeek Report (contents: Dashboard; Statistics: Summary, Nodes, Protocols; Expert: Summary, Flows, Application; Voice & Video; Graphs: Packet Sizes, Network Utilization (bits/s), Network Utilization (percent), Address Comparisons, Application)

Compass Interactive Dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill down capability into packets for the selected time range. Using the


Tool/Utility    Information Collected/Objectives Achieved

Platform Supported: ☑ iLabs ☑ Classroom

Spoofing MAC Address Using SMAC

SMAC is a powerful and easy-to-use tool that is a MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

Lab Scenario

In the previous lab you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present

sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network.

If an administrator does not have a certain level of working skills of a packet sniffer,

penetration tester, you must spoof MAC addresses, sniff network packets, and perform ARP poisoning, network spoofing, and DNS poisoning. In this lab you will examine how to spoof a MAC address to remain unknown to an attacker.

■ SMAC located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\MAC Spoofing Tools\SMAC

http://www.klcconsulting.net/smac/default.htm#smac27

the lab might differ


■ A computer running Windows Server 2012 as Host and Windows Server

installation steps to install SMAC

■ Administrative privileges to run tools

privacy is all about MAC addresses.

access points (Disclaimer: Authorization to perform these tests must be obtained from the system’s owner(s)).

Lab Tasks

corner of the desktop.

FIGURE 2.1: Windows Server 2012 — Desktop view

as the administrator. You could do this by right-clicking on the SMAC program icon and clicking on "Run as Administrator" if not logged in as an administrator.


FIGURE 2.2: Windows Server 2012 — Start menu

FIGURE 2.3: SMAC main screen (columns: ID, Active, Spoofed, Network Adapter; buttons: Update MAC, Remove MAC, Restart Adapter, IPConfig, Random, MAC List, Refresh, Exit)

FIGURE 2.4: SMAC Random button to generate MAC addresses

simply MAC address spoofing.


FIGURE 2.5: SMAC selecting a new spoofed MAC address (SMAC 2.7 Evaluation Mode - KLC Consulting: www.klcconsulting.net; New Spoofed MAC Address 1E-05-FC-63-34-07; Network Connection: vEthernet (Realtek PCIe GBE Family Controller - Virtual Switch); Hardware ID: vms_mp)

Network Adapter information.

FIGURE 2.6: SMAC Network Connection information

the Network Connection information. These buttons allow you to toggle between the Network Connection and Network Adapter information.

FIGURE 2.7: SMAC Network Adapter information

9 Similarly, the Hardware ID and Configuration ID display their respective names.

Configuration ID information.

FIGURE 2.8: SMAC Hardware ID display

the Hardware ID information. These buttons allow you to toggle between the Hardware ID and Configuration ID information.

troubleshoot network problems, test Intrusion Detection/Prevention Systems (IDS/IPS), test Incident Response plans, build high-availability

12 To bring up the ipconfig information, click IPConfig.

TASK 2

Viewing IPConfig Information

The IPConfig information will show in the "View IPConfig" Window. You can use the File menu to save or print the IPConfig information.

FIGURE 2.10: SMAC to view the information of IPConfig


15 If there is no address in the MAC address field, click Load List to select a MAC address list file you have created.

address; therefore, even though you can update this address, it may be rejected by the NIC device driver because it is not valid, and the TRUE MAC address will be used instead. Otherwise, "00-00-00-00-00-00" may be accepted by the NIC device driver; however, the device will not function.

FIGURE 2.14: SMAC MAC List window


17 A list of MAC addresses will be added to the MAC List in SMAC. Choose a MAC Address and click Select. This MAC Address will be copied to New Spoofed MAC Address on the main SMAC screen.

FIGURE 2.15: SMAC MAC List window (C:\ProgramData\KLC\SMAC\Sample_MAC_Address_List.txt)

disconnection problem for your Network Adapter.

FIGURE 2.16: SMAC Restarting Network Adapter

Lab Analysis

Analyze and document the results related to the lab exercise.


Questions

1 Evaluate and list the legitimate uses of SMAC.

2 Determine whether SMAC changes hardware MAC addresses.

3 Analyze how you can remove the spoofed MAC address using SMAC.

Internet Connection Required

Platform Supported


Sniffing a Network Using the WinArpAttacker Tool

WinArpAttacker is a program that can scan, attack, detect, and protect computers on a local area network (LAN).

Lab Scenario

You have already learned in the previous lab that you can conceal your identity by

attempt to evade network intrusion detection systems, bypass access control lists, and impersonate an authenticated user and can continue to communicate within the network when the authenticated user goes offline. Attackers can also use MAC flooding to compromise the security of network switches.

the network; you must have sound knowledge of footprinting, network protocols

to specify one or more MAC addresses for each port. Another way to avoid attacker

run the tool WinArpAttacker to sniff a network and prevent it from attacks.

Lab Objectives

The objectives of this lab are to:

■ Scan, Detect, Protect, and Attack computers on local area networks (LANs):

period of 2-3 seconds

■ Save and load computer list files, and scan the LAN regularly for a new computer list


■ Freely provide information regarding the type of operating systems they employ?

access

information regarding the network services provided by the organization

information, which could be used for social engineering purposes

Lab Environment

To conduct the lab, you need to have:

■ WinArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP Poisoning Tools\WinArpAttacker

http://www.xfocus.net

the lab might differ

■ Windows 2008 running on virtual machine as target machine

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Sniffing

information, system information, and organizational information.

Lab Tasks

1 Launch Windows 8 Virtual Machine.

FIGURE 3.1: WinArpAttacker main window (columns: IP, Mac, Hostname, Online, Sniff, Attack, ArpSQ, ArpSP, ArpRQ, ArpRP, Packets, Traffic(K); menus: File, Scan, Attack, Detect, Options, View, Help)

(2-3 seconds).

FIGURE 3.2: WinArpAttacker Scan options

6 Scanning saves and loads a computer list file and also scans the LAN regularly for new computer lists.

Caution: This program is dangerous, released just for research. Any possible loss caused by this program bears no relation to the

attack, detect, and protect computers on a local area network.

The scan option can scan and show the active hosts on the LAN within a very short time. It has two

FIGURE 3.3: WinArpAttacker Loading a Computer list window

By performing the attack action, scanning can pull and collect all the packets

In this tool, attacks can pull and collect all the packets on the LAN

The Flood option sends IP conflict packets to target computers as fast as possible. If you send too many, the target computers go down.

FIGURE 3.4: WinArpAttacker ARP Attack type

9 Scanning acts as another gateway or IP-forwarder without other user recognition on the LAN, while spoofing ARP tables.

10 All the data sniffed by spoofing and forwarded by the WinArpAttacker IP-
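Steps 9 and 10 above (a host answering ARP for the gateway and forwarding the traffic it intercepts) and the SMAC lab before it (a randomly generated spoofed address such as the 1E-05-FC-63-34-07 in Figure 2.5) describe what ARP poisoning and MAC spoofing look like on the wire, which is also what a monitor on the same LAN can watch for. The Python script below is an added example, not WinArpAttacker, SMAC or lab-manual code; it applies the checks a network monitor would run over a stream of ARP replies: a trusted binding contradicted, an IP whose sender MAC changes, one MAC claiming several IPs, and a MAC with the U/L (locally administered) bit set, which vendor-burned addresses have clear and randomly generated ones usually set. The `ArpReply` record, the trusted-binding table and the sample replies are constructed for this example.

```python
"""Added example: ARP-poisoning and MAC-spoofing indicators over ARP replies.
Not WinArpAttacker, SMAC or lab-manual code.  The ArpReply record, the
trusted-binding table and the sample replies are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since capture start
    sender_ip: str
    sender_mac: str   # "aa:bb:cc:dd:ee:ff" or "AA-BB-CC-DD-EE-FF"


def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """U/L bit: second-least-significant bit of the first octet.  Vendor-burned
    addresses have it clear; randomly generated spoofed ones usually set it."""
    return bool(int(norm_mac(mac).split(":")[0], 16) & 0x02)


def analyze_arp(replies, trusted=None):
    """Return (kind, detail) alerts in detection order.

    trusted: optional {ip: mac} of static bindings (e.g. the default gateway).
    """
    trusted = {ip: norm_mac(m) for ip, m in (trusted or {}).items()}
    macs_for_ip = defaultdict(list)   # ip  -> distinct MACs in the order seen
    ips_for_mac = defaultdict(set)    # mac -> IPs it has claimed
    alerts, flagged_ul = [], set()
    for r in sorted(replies, key=lambda x: x.ts):
        mac = norm_mac(r.sender_mac)
        if r.sender_ip in trusted and trusted[r.sender_ip] != mac:
            alerts.append(("trusted-mismatch",
                           f"{r.sender_ip} announced by {mac}, expected {trusted[r.sender_ip]}"))
        seen = macs_for_ip[r.sender_ip]
        if seen and seen[-1] != mac:
            alerts.append(("ip-mac-change", f"{r.sender_ip}: {seen[-1]} -> {mac} at t={r.ts}"))
        if mac not in seen:
            seen.append(mac)
        ips_for_mac[mac].add(r.sender_ip)
        if is_locally_administered(mac) and mac not in flagged_ul:
            flagged_ul.add(mac)
            alerts.append(("locally-administered", f"{mac} claims {r.sender_ip}"))
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-many-ips", f"{mac} claims {sorted(ips)}"))
    return alerts


TRUSTED = {"10.0.0.1": "00:11:22:33:44:cc"}   # constructed gateway binding
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:cc"),  # gateway, genuine
    ArpReply(0.5, "10.0.0.2", "00:aa:bb:cc:dd:36"),
    ArpReply(1.0, "10.0.0.7", "d4:ab:cd:ef:e2:2d"),
    ArpReply(2.0, "10.0.0.1", "d4:ab:cd:ef:e2:2d"),  # .7 now answers for the gateway
    ArpReply(2.5, "10.0.0.2", "d4:ab:cd:ef:e2:2d"),  # ... and for .2 as well
    ArpReply(3.0, "10.0.0.9", "1E-05-FC-63-34-07"),  # random MAC as SMAC proposes (U/L bit set)
]

if __name__ == "__main__":
    for kind, detail in analyze_arp(SAMPLE_REPLIES, TRUSTED):
        print(f"[{kind}] {detail}")
```

The first two checks are the ones that catch the gateway impersonation described in step 9 as soon as the first poisoned reply appears; the locally-administered check on its own is only a weak signal, since virtual switches and some virtual adapters legitimately use such addresses, so it belongs in a report rather than in an automatic block.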

FIGURE 3.5: WinArpAttacker data sniffed by spoofing

FIGURE 3.6: WinArpAttacker toolbar options (menus: File, Scan, Attack, Detect, Options, View, Help; toolbar: Stop, Send, Recount, Options, Live Up, About)

Lab Analysis

computers, so the targets can't receive packets from the Internet. This attack is

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs

Analyzing a Network Using the Capsa Network Analyzer

Capsa Network Analyzer is an easy-to-use Ethernet network analyzer (i.e., packet sniffer or protocol analyzer) for network monitoring and troubleshooting.

Lab Scenario

Using WinArpAttacker you were able to sniff the network to find information like host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker, too, can use this tool to gain all such information and can set up a rogue DHCP server serving clients with false details. A DNS attack can be performed using an extension to the DNS protocol.

To prevent this, network administrators must securely configure client systems and

army Securely configure name servers to reduce the attacker's ability to corrupt a zone file with the amplification record. As a penetration tester you must have sound knowledge of sniffing, network protocols and their topology, TCP and UDP

mechanisms. This lab will teach you about using other network analyzers such as Capsa Network Analyzer to capture and analyze network traffic.

Lab Objectives

The objective of this lab is to obtain information regarding the target organization that includes, but is not limited to:


Lab Environment

To carry out the lab, you need:

■ Colasoft Capsa Network Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer

Analyzer from the link http://www.colasoft.com

the lab might differ

installation steps to install Colasoft Capsa Free Network Analyzer

■ Administrative privileges to run tools

Note: This lab requires an active Internet connection for license key registration.

Lab Duration

Time: 20 Minutes

Overview of Sniffing

information, system information, password information, and organizational information.

Lab Tasks

corner of the desktop.

2 Click Colasoft Capsa 7 Free Network Analyzer to launch the Network Analyzer tool.

FIGURE 4.2: Windows Server 2012 — Start menu

FIGURE 4.3: Colasoft Capsa 7 Free Network Analyzer — Activation Guide window (License Information: User Name, Company, Serial Number; options: Activate Online (Recommended), Activate Offline)

4 Continue to click Next on the Activation Guide and click Finish.

FIGURE 4.4: Colasoft Capsa 7 Free Network Analyzer — Activation successful

As a network analyzer, Capsa makes it easy to monitor and analyze network traffic with its intuitive and information-rich tab views.

FIGURE 4.5: Colasoft Capsa Network Analyzer main screen (analysis profiles: Full Analysis, Traffic Monitor, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis; capture filter: no filter selected, accept all packets)


6 In the Capture tab of the main window, select the Ethernet check box in Adapter and click Start to create a new project.

FIGURE 4.6: Colasoft Capsa Network Analyzer creating a New Project

7 Dashboard provides various graphs and charts of the statistics. You can

utilization rate is the ratio of current network traffic to the maximum traffic that


The Summary tab provides full general analysis and statistical

FIGURE 4.8: Colasoft Capsa Network Analyzer Summary

network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols

Diagnosis Events.

FIGURE 4.9: Colasoft Capsa Network Analyzer Diagnoses (Diagnosis Items: TCP Retransmission, TCP Slow Response, TCP Duplicated Acknowledgement; Diagnosis Events: Performance / Transport / TCP Slow ACK)

A high network utilization rate indicates the network is busy, whereas a low utilization rate indicates the network is


11 Double-click the highlighted Diagnosis Event to view the detailed information of this event.

FIGURE 4.10: Analyzing Diagnosis Event

12 The TCP Slow ACK - Data Stream of Diagnostic Information window appears, displaying Absolute Time, Source, Destination, Packet Info, TCP, IP, and other information.
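The TCP Slow ACK diagnosis pairs an ACK with the data segment it acknowledges and reports the delay between the two, which is why the data stream window lists both packets with their absolute times. The Python script below is an added example, not Capsa code and not part of the lab manual; it reproduces that check over constructed TCP segment records: an ACK that arrives more than a threshold after the newest data segment it covers is reported as (ACK packet number, data packet number, delay in ms). The `Segment` record, the sample exchange, the 200 ms default threshold and measuring from the newest covered segment are this example's assumptions, not Capsa's documented behaviour.

```python
"""Added example: a 'TCP Slow ACK' check over TCP segment records.
Not Capsa code and not part of the lab manual.  The Segment record and the
sample exchange are constructed; the 200 ms threshold and measuring from the
newest acknowledged data segment are this example's assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    no: int         # packet number in the capture
    ts_ms: float    # capture time in milliseconds
    src: str        # "ip:port"
    dst: str
    seq: int        # sequence number of the first payload byte
    ack: int        # acknowledgement number (meaningful when "A" in flags)
    payload: int    # payload bytes
    flags: str      # subset of "SAPFR"


def slow_acks(segments, threshold_ms=200.0):
    """Return (ack_packet_no, data_packet_no, delay_ms) for every ACK that
    arrives more than threshold_ms after the newest data segment it covers."""
    pending = {}   # (src, dst) -> list of (end_seq, packet_no, ts_ms) not yet acked
    events = []
    for s in sorted(segments, key=lambda x: x.ts_ms):
        flow, reverse = (s.src, s.dst), (s.dst, s.src)
        # An ACK in this direction covers data sent in the reverse direction
        # whose end sequence number is at or below the ACK number.
        if "A" in s.flags and reverse in pending:
            covered = [e for e in pending[reverse] if e[0] <= s.ack]
            pending[reverse] = [e for e in pending[reverse] if e[0] > s.ack]
            if covered:
                _, data_no, data_ts = max(covered, key=lambda e: e[2])
                delay = s.ts_ms - data_ts
                if delay > threshold_ms:
                    events.append((s.no, data_no, round(delay, 1)))
        if s.payload > 0:
            pending.setdefault(flow, []).append((s.seq + s.payload, s.no, s.ts_ms))
    return events


CLIENT, SERVER = "10.0.0.2:1406", "203.0.113.10:80"   # constructed endpoints
SAMPLE_SEGMENTS = [
    Segment(1, 0.0, CLIENT, SERVER, 1, 1, 100, "PA"),       # HTTP request
    Segment(2, 20.0, SERVER, CLIENT, 1, 101, 0, "A"),       # prompt ACK (20 ms)
    Segment(3, 50.0, SERVER, CLIENT, 1, 101, 1460, "A"),    # response, part 1
    Segment(4, 60.0, SERVER, CLIENT, 1461, 101, 500, "PA"), # response, part 2
    Segment(5, 295.0, CLIENT, SERVER, 101, 1961, 0, "A"),   # ACK 235 ms after part 2
]

if __name__ == "__main__":
    for ack_no, data_no, delay in slow_acks(SAMPLE_SEGMENTS):
        print(f"TCP Slow ACK (Packet[{ack_no}] and Packet[{data_no}] from {delay} ms)")
```

Pending data is keyed per direction so that a client ACK is matched only against server data and vice versa; segments are sorted by time so out-of-order capture files still pair correctly, and an ACK that covers nothing new (a pure window update or keep-alive) produces no event.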


FIGURE 4.11: TCP Slow ACK - Data Stream of Diagnostic Information window

transactions hierarchically, allowing you to view and analyze the protocols.

Ethical Hacking and Countermeasures Copyright © by EC-Council

CEH Lab Manual Page 618

FIGURE 4.12: Colasoft Capsa Network Analyzer Protocol analysis


FIGURE 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

communicating within the network.

traffic volumes, and check if there is a multicast storm or broadcast


FIGURE 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

two MAC addresses.


FIGURE 4.15: Colasoft Capsa Network Analyzer Physical Conversations

nodes.

19 The lower pane of the IP conversation section offers UDP and TCP conversations, which you can drill down to analyze.

As a delicate piece of work, network analysis always requires us to view the original packets and analyze them. However, not all network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.

TTL tells the router whether the packet should be dropped if it stays in the network for too long. TTL was originally designed to define a time scope beyond which the packet is dropped. Because each router the packet passes through decrements the TTL value by at least 1, TTL often indicates the number of routers the packet has passed through before it was dropped.
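The TTL note above describes inferring router hops from the value left in the packet, and the packet decode panes in this lab show the IPv4 fields that value sits among. As an added example (not part of the lab manual or of Colasoft's software), the following Python decodes those IPv4 header fields (DSCP, identification, fragment flags, TTL, header checksum) from a constructed header and estimates hops from the TTL; the table of initial TTL values is an assumption about common OS defaults, and the sample header is made up for illustration.

```python
import struct

# Initial TTLs used by common OS network stacks. Assumption of this example:
# the sending host started from one of these defaults.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed 20-byte IPv4 header (not from the lab capture):
# 207.218.235.182 -> 10.0.0.2, id 0x59D6, DF set, TTL 52, protocol 6 (TCP).
SAMPLE_HEADER = bytes.fromhex("4500003459d64000" "3406275b" "cfdaebb6" "0a000002")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields a protocol analyzer's decode pane shows."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl_bytes,
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        # A correct header sums (checksum field included) to 0xFFFF.
        "checksum_ok": ones_complement_sum(raw[:ihl_bytes]) == 0xFFFF,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def estimate_hops(ttl: int) -> int:
    """Routers traversed, assuming the smallest common initial TTL >= observed TTL."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl
```

A TTL of 52 in the sample header therefore suggests a 64-based sender about 12 hops away; a corrupted header byte makes `checksum_ok` false, which is how an analyzer flags a damaged frame.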


FIGURE 4.16: Colasoft Capsa Network Analyzer IP Conversations

analysis of packets between two IPs. Here we are checking the conversation between 10.0.0.5 and 239.255.255.250.


21 A window opens displaying full packet analysis between 10.0.0.5 and 239.255.255.250.


FIGURE 4.18: Full Packet Analysis of Nodes in IP Conversations

TCP conversations between pairs of nodes.

23 Double-click a node to display the full analysis of packets.


FIGURE 4.19: Colasoft Capsa Network Analyzer TCP Conversations

conversation between two nodes.

securing remote access to a computer, obtaining access to plaintext, and so on. While attempting to remain undetected, the backdoor may take the form of an installed program or could


FIGURE 4.20: Full Packet Analysis of Nodes in TCP Conversations

UDP conversations between two nodes.

26 The lower pane of this tab gives you related packets and reconstructed data flow to help you drill down to analyze the conversations.


An email worm is a computer worm that can copy itself to the shared folder in a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

FIGURE 4.21: Colasoft Capsa Network Analyzer UDP Conversations

28 The weight of the line indicates the volume of traffic between nodes.
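Steps 19 through 28 above walk through the IP, TCP and UDP conversation views, whose rows pair two endpoints with per-direction packet and byte counts and a duration. As an added example that is not part of the lab manual or of Colasoft's product, the following Python builds the same kind of bidirectional conversation table from a list of packet records; the records and their lengths are constructed for illustration, reusing address pairs seen in the screenshots.

```python
from dataclasses import dataclass

# Constructed packet records (not from the lab capture):
# (time_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
SAMPLE_PACKETS = [
    (0.000, "10.0.0.2", 1406, "207.218.235.182", 80, "TCP", 66),
    (0.031, "207.218.235.182", 80, "10.0.0.2", 1406, "TCP", 66),
    (0.032, "10.0.0.2", 1406, "207.218.235.182", 80, "TCP", 512),
    (0.210, "207.218.235.182", 80, "10.0.0.2", 1406, "TCP", 1514),
    (0.215, "207.218.235.182", 80, "10.0.0.2", 1406, "TCP", 591),
    (1.000, "10.0.0.5", 52748, "239.255.255.250", 3702, "UDP", 999),
    (1.500, "10.0.0.5", 52748, "239.255.255.250", 3702, "UDP", 999),
]


@dataclass
class Conversation:
    proto: str
    endpoint1: str          # "ip:port" of the side that sent the first packet
    endpoint2: str
    first: float            # timestamp of the first packet seen
    last: float             # timestamp of the last packet seen
    packets_1to2: int = 0
    packets_2to1: int = 0
    bytes_1to2: int = 0
    bytes_2to1: int = 0


def build_conversations(packets):
    """Group packets into bidirectional conversations keyed by protocol and endpoint pair."""
    convs = {}
    for t, sip, sport, dip, dport, proto, length in sorted(packets, key=lambda p: p[0]):
        a, b = f"{sip}:{sport}", f"{dip}:{dport}"
        key = (proto, frozenset((a, b)))   # same key for both directions
        conv = convs.get(key)
        if conv is None:
            conv = convs[key] = Conversation(proto, a, b, t, t)
        conv.last = max(conv.last, t)
        if a == conv.endpoint1:
            conv.packets_1to2 += 1
            conv.bytes_1to2 += length
        else:
            conv.packets_2to1 += 1
            conv.bytes_2to1 += length
    # Heaviest pair first, the ordering a traffic matrix's line weight reflects.
    return sorted(convs.values(), key=lambda c: c.bytes_1to2 + c.bytes_2to1, reverse=True)
```

The UDP row comes out one-directional (multicast discovery to 239.255.255.250 has no reply path), which is exactly the shape to look for when deciding whether a "conversation" is a real exchange or just broadcast/multicast noise.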

Date posted: 14/04/2017, 08:50
