CEH Lab Manual Sniffers Module 08 Sniffing a Network A packet sniffer is a type of program that monitors any bit of information entering or leaving a netirork It is a type of plug-and-play 1)iretap device attached to a computer that eavesdrops on netirork traffic I CON KEY / Valuable information Test your knowledge — Web exercise m Workbook review Lab Scenario Sniffing is a teclniique used to in terce p t d a ta 111 information security, where many of the tools that are used to secure the network can also be used by attackers to exploit and compromise the same network The core objective of sniffing is to stea l d ata, such as sensitive information, email text, etc N etw ork sniffing involves intercepting network traffic between two target network nodes and capturing network packets exchanged between nodes A p a c k e t sniffer is also referred to as a network monitor that is used legitimately by a network administrator to monitor the network for vulnerabilities by capuinng the network traffic and should there be any issues, proceeds to troubleshoot the same Similarly, smtfing tools can be used by attackers 111 prom iscuous mode to capmre and analyze all die network traffic Once attackers have captured the network traffic they can analyze die packets and view the u se r nam e and passw ord information 111 a given network as diis information is transmitted 111 a cleartext format A11 attacker can easily intnide into a network using tins login information and compromise odier systems on die network Hence, it is very cnicial for a network administrator to be familiar with netw ork traffic an alyzers and he or she should be able to m aintain and m onitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, or DNS poisoning, and know the types of information that can be detected from the capmred data and use the information to keep the network running smoodilv Lab Objectives The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network The primary objectives of tins lab are to: ■ Sniff the network ■ Analyze incoming and outgoing packets ■ Troubleshoot the network for performance C E H L ab M an u al Page 585 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 08 - Sniffers ■ Secure the network from attacks ^^Tools d e m o n stra te d in th is lab a re available in D:\CEHTools\CEHv8 Module 08 Sniffing Lab Environment 111 tins lab, you need: ■ A web browser with an Internet connection ■ Administrative privileges to mil tools Lab Duration Time: 80 Minutes Overview of Sniffing Network Sniffing is performed to co lle ct b asic inform ation from the target and its network It helps to tind vulnerabilities and select exploits for attack It determines network information, system information, and organizational information Lab Tasks Overview Pick an organization that you feel is worthy of your attention Tins could be an educational institution, a commercial company, or perhaps a nonprofit charity Recommended labs to assist you 111 sniffing the network: ■ Sniffing die network using die C o lasoft P a c k e t B uilder ■ Sniffing die network using die O m niP eek N etw ork A nalyzer ■ Spooling MAC address using SMAC ■ Sniffing the network using die W inA rpA ttacker tool ■ Analyzing the network using the C o laso ft N etw ork A nalyzer ■ Sniffing passwords using W ireshark ■ Performing man-in-tlie-middle attack using Cain & Abel ■ Advanced ARP spoofing detecdon using XArp ■ Detecting Systems running 111 promiscuous mode 111 a network using PromqryUI ■ Sniffing a password from captured packets using Sniff - O - M atic Lab Analysis Analyze and document the results related to the lab exercise Give your opinion on your target’s secuntv posture and exposure through public and free information C E H L ab M an u al Page 586 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 08 - Sniffers PL E A S E TALK T O YO UR I N S T R U C T O R IF YOU HA VE Q U E S T I O N S R E L A T E D T O T H I S LAB C E H L ab M an u al Page 587 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 08 - Sniffers Sniffing the Network Using the OmniPeek Network Analyzer Own/Peek is a standalone network analysis tool used to solve networkproblem I CON KEY / Valuable information s Test your knowledge w W eb exercise m Workbook review Lab Scenario From the previous scenario, now you are aware of the importance of network smtting As an expert eth ical h a c k e r and penetration te ste r, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spooling the network, and DNS poisoning Lab Objectives The objective of tins lab is to reinforce concepts of network security policy, policy enforcement, and policy audits Lab Environment t^ T o o ls d e m o n stra te d in th is lab a re available in D:\CEHTools\CEHv8 Module 08 Sniffing 111 tins lab, you need: " O m niPeek N etw ork Analyzer located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Om niPeek N etw ork Analyzer ■ You can also download the latest version ol O m niPeek N etw ork Analyzer from the link http:// www.wildpackets.com/products/omnipeek network analyzer ■ If you decide to download die la te s t version, dien screenshots shown 111 the lab might differ ■ A computer running Windows Server 2012 as host machine ■ W indows running on virtual machine as target machine ■ A web browser and Microsoft NET Framework 2.0 or later ■ Double-click O m niPeek682dem o.exe and follow the wizard-driven installation steps to install O m niPeek682dem o.exe ■ C E H L ab M an u al Page 588 A dm inistrative privileges to run tools E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 08 - Sniffers Lab Duration Tune: 20 Minutes Overview of OmniPeekNetwork Analyzer O m niPeek N etw ork Analyzer gives network engineers real-time visibility and expert analysis of each and every part ol the network from a single interface, winch includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote ottices, and 802 Lab Tasks ™TASK 1 Install O m niPeek N etw ork Analyzer on die host machine W indows Server 2012 Installing O m niPeek N etw ork Analyzer Launch the S ta rt menu by hovering die mouse cursor on die lower left corner of die desktop F I G U R E 1.1: W in w s Server 2012 —D esktop view Click die W ildPackets O m niPeek Demo app die tool 111 die S tart menu to launch £=8=s1O m n iP e e k E n te rp rise p ro v id e s users w ith the v is ib ility and analysis they need to keep V o ic e and V id e o ap plications and no n-m edia a pplications ru n n in g o p tim a lly o n d ie n e tw ork Administrator ^ S ta rt Google Chrome Menaqer L V *3 & Mo/1110 hretox ••0 File Module: Compass Adapter Local machine: WIN-MSSELCK4K41 M l Local Area Connection* 10 Analysis O ptions effe ctive ly m o n ito r and tro u b le sh o o t services M E th e rn e t] ■9 vSwitch (Realtek PCIe GBE Family Controller ‫ ־‬Virtual ru n n in g o n yo u r entire netw ork U s in g the same I- ■p vEthernet (Realtek PCIe GBE Family Controller ‫ ־‬Virfa \ - m vSwitch (Virtual Network Internal Adapter) ■5 vEthernet (Virtual Network Internal Adapter) so lu tio n fo r tro u b le sh o o tin g w ire d and w ireless netw orks reduces CXOOOO 0X 0010 0X 0020 0x003a gpbcro Matic 1.07 Trio! Vers on I‫־‬ ‫ ם‬T x Help H>p01V VkucJ Efcioroot Adaptor tt2 Sauce 74125.236.182 10CC.7 123.176.32.125 123176 32 155 10GO 123.176.32.135 1000.7 202.53.3.8 10QG.7 1QQC.7 IOQO.7 10Q0.7 17117k ‫_ רו מי‬ 45 0 00 cz 50 19 56 3D 2S 0000 3C 07 D1 61 » Destination 1Q0.0.7 123176.32.155 1Q0.0.7 100.0.7 12317632.155 100.0.7 202.53.88 100.0.7 123108.40.33 123108.40.33 123 175.32.13 12317S.32.13 1nnn7 ‫יי‬ 15 ‫ ד‬4 00 00 0 50 021 C l 98 52 00 00 2E €3 F €D v j o u | Protocd Size 97 TCP 743 TCP 54 TCP 1514 TCP 54 TCP 74 TCP 71 UDP B7 UDP 56 TCP B6 TCP 52 TCP 54 TCP _C2 1CP 3D 56 35 0D 06 171 20 OA Cl 02 €4 0D Q »a| e j 3J _ | T«*>! 09/24/1214:25:55 09/24/121425.55 09/24/12 14.25.55 09/24/121*25 55 09/24/121*25-55 09/24/121*25:55 09/24/12 14:25:55 09/24/12 14.25.55 09/24/12 14.25.55 09/24/12 14:25:56 0S125-57*24/121‫׳‬ 09/24/121*25:57 ‫ ו ל‬4-‫ל‬5-»‫ה‬7 F€ •7B 20 57 B 5‫ ג‬3 ‫ד‬ 6F CD 61 €9 0A Pat sic 443 2753 eo eo 2753 £0 5377C 53 2776 2777 2775 2775 Port a 104! 00 275: 275: 80 [••• \-m 141- H ■H I - •* 0- ^ Version ‫־‬ Heacter lenrjth 20) ‫ ־‬b*es> Type Of Servce = OcOO Total Length 60 ‫־‬ tientfication = (&1574 flags = 0x00 A BEEU i _^ T*im& To l K/& —^ 53 1—d Protocol = (TCP) 537 ; ‫ ״‬l@ fleacter Checkeum = (ktC1F6 80 |‫ ״‬P Source IP = 123.176.32.155 80 L ) P Deet IP = 10.0.07 80 TCP Header 80 © Source Pat - 80 (HTTP) ?77! v < ! a Sea Number - fc561AG257 93 E r = { | O ACK Number - QcB85A3785 _ P V W Z O Offset - (20byte*) €Z P X R d o n a in P flog# - Cbcl * i n , coaa j O YWrdowa Size - 22737 ■ ® Checksum » to&352 •••• ® Uigorrt Ponler • CbiOOM Dete o Data length ■ 20 l< = ‫ם‬ >11 FIGURE 9.12: Sniff-O-Matic —Marked packets Lab Analysis Analyze and document die results related to die lab exercise T o o l/U tility In fo rm atio n C o lle c te d /O b je c tiv e s A chieved H e a d e r L ength: T im e T o Live: 61 Protocol: H e a d e r C hecksum : 0xC lF6 Sniff-O -M atic Source IP: 123.176.32.155 D est IP: 10.0.0.7 Source P ort: 80 (HTTP) D e stin atio n P ort: 2753 U sern am e an d p assw o rd PL EA S E TALK T O Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB Questions Determine how you can defend against ARP cache poisoning 111 a network C E H L ab M anual Page 672 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 08 - Sniffers In te rn e t C o n n ectio n R equired Y es □ No P latform S upported C lassroom C E H L ab M an u al Page 673 iLabs E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited ... in th is lab a re available in D:CEHToolsCEHv8 Module 08 Sniffing 111 tins lab, you need: " O m niPeek N etw ork Analyzer located at D: CEH- ToolsCEHv8 Module 08 SniffingSniffing ToolsOm niPeek... th is lab a re available in D:CEHToolsCEHv Module 08 Sniffing C E H L ab M an u al Page 598 111 the lab, you need: ■ SMAC located at D: CEH- T0 lsCEHv8 Module 08 SniffingMAC Spoofing ToolsSMAC... Reproduction is Strictly Prohibited Module 08 - Sniffers ■ Secure the network from attacks ^^Tools d e m o n stra te d in th is lab a re available in D:CEHToolsCEHv8 Module 08 Sniffing Lab Environment