Ceh v8 labs module 08 sniffers

CEH Lab Manual

Sniffers
M o d u le

0 8

S n iffin g a N e tw o r k
A packet s i f ri a type ofprogram that monitors any b of information entering
nfe s
it
or leaving a n
etiro Iti a type ofplug-and-play wiretap d v c attached t a
rk.
s
eie
o
computer that eavesdrops on netirork t a f c
rfi.

I CON KEY

Lab Scenario

/V ab
alu le
inform
ation

Sniffing is a teclnnque used to in te rc e p t d a ta 111 information security, where many
of the tools that are used to secure the network can also be used by attackers to
exploit and compromise the same network. The core objective of sniffing is to ste a l
d a ta , such as sensitive information, email text, etc.

Testyour
kn w d e
o le g
—

Web e e
x rcise

m

W
orkbookreview

N e tw o rk sniffing involves intercepting network traffic between two target network
nodes and capturing network packets exchanged between nodes. A p a c k e t sn iffer
is also referred to as a network monitor that is used legitimately by a network
administrator to monitor the network for vulnerabilities by capuinng the network
traffic and should there be any issues, proceeds to troubleshoot the same.

Similarly, sniffing tools can be used by attackers 111 p ro m iscuo us mode to capmre
and analyze all die network traffic. Once attackers have captured the network traffic
they can analyze die packets and view the u ser n am e and p assw ord information 111
a given network as diis information is transmitted 111 a cleartext format. A 11 attacker
can easily mtmde into a network using tins login information and compromise odier
systems on die network.
Hence, it is very cnicial for a network administrator to be familiar with n e tw o rk
tra ffic an a ly ze rs and he or she should be able to m a in ta in and m o n ito r a network
to detect rogue packet sniffers, MAC attacks, DHCP attacks, A R P poisoning,
spoofing, or DNS poisoning, and know the types of information that can be
detected from the capmred data and use the information to keep the network
running smoodilv.

Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network
and analyze packets for any attacks on the network.
The primary objectives of tins lab are to:
■ Sniff the network
■ Analyze incoming and outgoing packets
■ Troubleshoot the network for performance

C E H Lab Manual Page 585

Ethical Hacking and Countenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 08 - Sn iffers

■ Secure the network from attacks
^^Tools

Lab Environment

d e m o n s tra te d in
th is lab a re

111

tins lab, you need:

a v a ila b le in

■ A web browser with an Internet connection

D:CEHT oo lsC E H v 8

■ Administrative privileges to run tools

M o du le 08
Sniffing

Lab Duration
Time: 80 Minutes

Overview of Sniffing Network
Sniffing is performed to c o lle c t b asic in fo rm atio n from the target and its network.
It helps to find v u ln e ra b ilitie s and select exploits for attack. It determines network
information, system information, and organizational information.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.

O v e rv ie w

Recommended labs to assist you 111 sniffing the network:
■ Sniffing die network using die C o la s o ft

P a c k e t B u ild e r

■ Sniffing die network using die O m n iP e e k

N e tw o r k A n a ly z e r

■ Spooling MAC address using S M A C
■ Sniffing the network using die W in A r p A tta c k e r tool
■ Analyzing the network using the C o la s o ft

N e tw o r k A n a ly z e r

■ Sniffing passwords using W ire s h a rk
■ Performing man-in-the-middle attack using C a in

& A b el

■ Advanced ARP spoofing detection using X A rp
■ Detecting Systems running

111

promiscuous mode

111

a network using

P ro m q ry U I

■ Sniffing a password from captured packets using S n iff -

O - M a tic

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target’s security‫״‬posture and exposure through, public and free information.


Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.




S n iffin g t h e N e tw o r k U s in g t h e
O m n iP e e k N e tw o r k A n a ly z e r
Own/Peek i a standalone network analysis too used t s l e networkproblem.
s
l
o ov

ICON KEY
/Valuable
inform
ation
Testyour
k o le g
nw de

Lab Scenario
From the previous scenario, now you are aware of the importance of network
smtting. As an expert e th ic a l h a c k e r and p e n e tra tio n te s te r, you must have sound
knowledge of sniffing network packets, performing ARP poisoning, spoofing the
network, and DNS poisoning.

w We e e
b x rcise
m

W
orkbookreview

Lab Objectives
Tlie objective of tins lab is to reinforce concepts of network security policy, policy
enforcement, and policy audits.

Lab Environment
t^Tools
th is lab a re

111

tins lab, you need:
"

a v a ila b le in
M o du le 08

O m n iP e ek N e tw o rk A n a ly ze r

located at D:CEH -ToolsC EHv 8

M o du le 08

S niffingSniffing T o o lsO m n iP ee k N e tw o rk A n a ly ze r

■ You can also download the latest version ot O m n iP e e k N e tw o rk A n a ly ze r
from the 1111k
http://www.w11dpackets.com/products/om111peek network analyzer

Sniffing

■ If you decide to download die la te s t
the lab might differ
■ A computer mnmng W in d o w s
■

W in d o w s

version,

S e rv e r 2 0 1 2

then screenshots shown 111

as host machine

8 running on virtual machine as target machine

■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click O m n iP e e k 6 8 2 d e m o .e x e and follow the wizard-driven
installation steps to install O m n iP e e k 6 8 2 d e m o .e x e
■


A d m in is tra tiv e

privileges to run tools


Lab Duration
Tune: 20 Minutes

Overview of OmniPeekNetwork Analyzer
gives network engineers real-time visibility and expert
analysis of each and every part ol the network from a single interface, winch
includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote offices, and 802.
O m n iP e e k N e tw o rk A n a ly ze r

Lab Tasks
™T A S K 1

1 Install O m n iP e e k
.
2012.

N e tw o rk A n a ly ze r

on die host machine W in d ow s

S erve r

In s tallin g
O m n iP e e k
N e tw o rk A n a ly ze r

2. Launch the S ta rt menu by hovering die mouse cursor on die lower left
corner of die desktop.

F IG U R E 1.1: Windows Server 2012 —Desktop view

3. Click die W ild P a c k e ts
die tool.
81

£ = OmniPeek Enterp rise
=s
provides users with die
visibility and analysis they
need to keep Voice and
Video applications and
non-media applications
running optimally on die
network

O m n iP e e k D em o

app 111 die

G o le
og
C ro e
hm

Mn q r
eae

V

menu to launch

Administrator ^

S ta rt

L

S ta rt

*3

&

____

M /10
o 11
h to
re x

<9

«

rtyp
«-V
M ru e
a or

Hp y wV
V a
irtu l
K v lo
Ah o

*‫י‬
W P c ...
ild o k
O mw
mPk
*

°‫'־■־־‬

F IG U R E 1.2: Windows Server 2012 —Start menu




m

To deploy and
maintain Voice and Video
over IP successfully, you
need to be able to analyze
and troubleshoot media
traffic simultaneously with
the network the media
traffic is running on

4. The main window of W ild P a c k e ts
die following screenshot.

O m n iP e e k D em o

appears, as shown 111
6m
i»e4

^ • t- ‫ ־‬u

*. 2
:

*

x

,, r »

^ :

>

N Capture
ew

f i j L _± t

f

*

O Capture File
pen

ffi

ViewOiwiEngines

Start M tor
on

*We•‫ י׳י •״‬OmnPwk!

Retcat rlit*

Itxalior

IntM C tu T 1 p 1 *
ap i■ « n <11

luullui■

Stmixfy
Swmwj

OtKunanUtlon

••M•
m

R»kh«c
»*

3w OiM
t«J u

!MlMKtDuppan
1 Vm tM a • M *• m k*W Partrf*rvnW CO
fw r» U K M rrM H
to

»

1 r.aii QO

^WidPacketj
F IG U R E 1.3: OmniPeek main screen

5.

Launch

Windows 8 Virtual Machine.

6. Now, 111
follows:
S ta rtin g N e w
C a p tu re

W in d o w s S e rv e r

a. Click die N e w

C a p tu re

2 0 12 create an OmniPeek capture window as

icon on die main screen of OmniPeek.

b. Mew die G en eral options
box when it appears.

111

die

O m n iP e ek C a p tu re O ptions

dialog

c. Leave die default general settings and click OK.
C a p tu re O p tio n s ‫ ־‬v E th e rn e t (R e a lte k PCIe GBE F a m ily C o n tr o lle r - V irtu
General

‫יחת‬

G e n e ra l

Adapter

82 1
0.1
Triggers
Filters

Capture title:

Capture 1

□ Continuous capture

Statistics Output

f f l l OmniPeek Network
Analyzer offers real-time
high-level view o f the entire
network, expert analyses,
and drill-down to packets,
during capture.

O Capture to disk

Analysis Options

File path:

□

C:UsersAdministratorpocumentsCapture 1
File size: | 256

: *~] megabytes

[ I] Stop saving after

| 10
00

I I Keep most recent

10

I I New file every

megabytes
‫ | = ך‬files (2,560 MB)

1

I I Limit each packet to

128

3~| bytes

O Discard duplicate packets
Buffer size: | 100

*

megabytes

O Show this dialog when creating a new capture

Cancel

Help

F IG U R E 1.4: OmniPeek capture options -General




d. Click A d a p te r and select E th e rn e t

111

die list for

L ocal m ach ine.

Click

OK.
C a p tu re O p tio n s ‫ ־‬E th e rn e t
General

A d a p te r

| Adapter'

0 0

802.11
Triggers

[0 3 Network Coverage:
W ith the Ethernet, Gigabit,
10G, and wireless
capabilities, you can now
effectively monitor and
troubleshoot services
running on your entire
network. Using the same
solution for
troubleshooting wired and
wireless networks reduces
the total cost o f ownership
and illuminates network
problems that would
otherwise be difficult to
detect.

>••0 File

Filters

‫ל‬

Statistics Output

- 8 Local machine: WIN-MSSELCK4K41
a

Module: Compass Adapter

M lLocal Area Connection* 10

Analysis Options

M . Ethernet]
■9 vSwitch (Realtek PCIe GBE Family Controller ‫ ־‬Virtual
I- ■p vEthernet (Realtek PCIe GBE Family Controller ‫ ־‬Virti

-mvSwitch (Virtual Network Internal Adapter)

■ 5 vEthernet (Virtual Network Internal Adapter)

<
E
Property

III

Description

Device

Realtek PCIe GBE Family Controller

Media

Ethernet

Address

DO:

Link Speed

100 Mbits/s

WildPackets API

No

:36

Cancel

Help

F IG U R E 1.5: OmniPeek capture options -Adapter

7. Now, click S ta rt C a p tu re to begin capturing packets. The S ta rt C a p tu re
tab changes to Sto p C a p tu re and traffic statistics begin to populate the
N e tw o rk Dashboard 111 die capture window of OmniPeek.
WldPack
■h

£ Q Dashboards display
important data that every
network engineer needs to
know regarding the
network without spending
lots o f time analyzing the
captured data.

...

V V 1' g -

» t* -

< r J

u

,

‫׳‬OmniPeek

. B : ;» e IQ E j F

sutn «■ vapt a p c e
ll a k ts

Utib/itton / M .t.• W tow( I Smand A
.m
tiM
v»>r.1u••)

lop Protocol*

F IG U R E 1.6: OmniPeek creating a capture window


All Rights Reserved. Reproduction is Strictly Prohibited.


8. The captured statistical analysis of die data is displayed 011 die C a p tu re tab
of die navigation bar.

E QOmniPeek
Ql
Professional expands the
capabilities o f OmniPeek
Basic, extending its reach
to all small businesses and
corporate workgroups,
regardless o f the size o f die
network or die number o f
employees. OmniPeek
Professional provides
support for multiple
network interfaces while
still supporting up to 2
Om ni Engines acting as
bodi a full-featured
network analyzer and
console for remote
network analysis.

•u-n ., y . 3. *
— w hw fct FlhrhiW
N -o inai/rffh.n ‫ ל‬Minute Window (I Second Average)
etw rfc

!“

I

1

a 03-

0■
2*

2 %
.0
10002 1000$
1 31 43 1
7 9 60
1 3 W6 1
7 .1 3 .1
■10002
■ 7 .1 4 6
1 3 d .3 4
.:2 2 3 .8
0 .6 .8

r« 1 * 1 22
7 5 •
■2 6 H 26
0 .17 52

0»«rs
17 67 2
6 .6 6 .2 2

DS
N

L A

OC 6 1M
H PV
QP

TCP ‫יו‬

9 Etlwnet PatJtrts: 1.973

Ountion: 001:25

F IG U R E 1.7: OmniPeek statistical analysis o f die data

9. To view die captured packets, select P a c k e ts
D ashboard 111 die left pane ol die window.
> 3‫. ־‬

m rd .{0 0
t.M : 0
n
V ‫ ••! •׳**״- ״‬u 1 < N'lhrh^]
«< m
fevh .iftfs
fao
• ■ ‫= 11׳‬L4
vote*‫«* ״‬

*

' ‫■ ״י, " ־‬
WldP.xkct. ‫׳‬OmniPeek

r
»5

1

4 ‫ יי‬A i d

Mr! <**«• .
1►

y
Htj,

***** i•*a
1a.1.g.2
173.194.3(.<

10.0.0.2

5
€

13.3.0.2
19.9.:.2

173.194.36.4
173.194.36.4

13.9.9.2

[

Oms

1
2
1
3

1^3.194.36.22
1~3.194.36.22

1
5

m

H ie OmniPeek Peer
Map shows all
communicating nodes
within your network and is
drawn as a verticallyoriented ellipse, able to
grow to the size necessary.
It is easy to read the maps,
the diicker the line between
nodes, the greater the
traffic; the bigger die dot,
the more traffic through
that node. The number o f
nodes displayed can also be
limited to die busiest
and/or active nodes, or to
any OmniPeek filters that
mav be in use.


1 3.194.36.22
‫י‬
13.9.0.2
123.176.32.154

W K
mm

1
7
IS
IS

Ltfctto

2
1
2
2
2
4
‫מ‬

173.194.36.22

19.1.3.2
19.9.1.6
19.9.1.5
19.9.5.5
1S7.SC.C7.222
157.56.67.222

[ Clls
a

1
Er

2
7
2
»

<1
1 1
—

19.9.0.2
19.9.0.3

‫ו‬

10.0.9.2
123.176.32.154
10.0.0.2

157.56.67.222
157.56.67.222
157.56.67.222
10.0.0.s

!

su
e

Ot*• * •
c • r*t

ss
9
5

'4.125.12S.169

10.9.S.2
Iw csto r

G iJ h O a

A
dapt 4 O V
1 K rti

3
m

a C a p tu re section ol die

t,ISO S' T o V .A 0 ‫״‬rip
M o‫ ״‬N 4 W

» ** *

tJ u
sun?**

ii

r — 1w
<—

111

173.194.36.4

o.oooasiosa writs
0.93:20X19 sm s

6
4
6
4
13
6
6
4
28 0
7
‫״‬
6
4
6
4
18
1
96
3
6
4
6
4
7
0
13
0

0.939*25029 arirs
0.93994SCI9 STTrS
0.771222000
0.811S9JCJ9 3T *
TT
4.31e23SC
S3
an a
n :s
4.350147029 anss
4.3 5 6 C 3 T 5
5 9 4 JO T T
4.SE52S4CS0 37T?S
4.566969090 an?3
4.SS70CMS0
6.097997090 an?
€.100119000 HIT?
C
.922643C:3

6
4
7
0

7.21122*000 O F
7.301449029 O I»

C PC T 7 7
K -1 2
4
3 = 1040,D
1=
»t= 4 3 ....3.,3=1030...

6
4
14
8
ISIS
1 1S
5

7.55*925023 arirs
7.5952930:9 5‫5 זזל‬
7.ISO C «nrs
SCC SO
7.952900:9‫ל‬STTTJ

3 e 1040,D
1=
»t= 1 3
4
3=
1e30...
Src- 1040,031 4 3 .AP...,3-1630...
— 4
,S- 519. . Slaw Server R sp r.se T13* 1
e c0
Src- 443,0a‫4 1 ״־‬
‫00 ־‬
‫ ־־‬SI*...

>
5
<
4

e.9 1 4 0 9 an iz
0962
t.0c10»»600

3ss- 1770,0*t‫. 3 4 ־‬LB... ,30069...
4

!:S S S
55

3zc- 413,0*t=

•
W....3= 796...

3zc- 1769, O
st= 4 3 .u..... 3=
4
1406...
Src- 1 70 03 - 4 3 .*....,5-366S...
7 , V 4
5rc- 1 63 03*‫■ 3 4 ־‬
0 ,
4 h..... S- 956...
43
4
Sr~ 1
443'S^
3 c= 443,D
=
st=
SIC- 443,03t_ 1 5
01
Src- 443.03T15
91
Src- 10 3T—
S1.D
‫ ״‬KJfC 172e .
=
Src- 5 ,0 1 1 2
0 3 .‫6 7 ־‬

.1 3...,3=
2007...
.&....,3= 94...
.*....,S- 94...
.A?... ,3 9 4 ‫...־‬
•
fc
S-20D7...
.h ....,3-2997...

■ llh«rn«! P*a»U: 2 0
J>
.0 0

O 'ea .‫׳‬y j i
U'M

F IG U R E 1.8: OmniPeek displaying Packets captured

10. Similarly, you can view Log. Filters. H ierarch y, and P e e r
die respective options 111 the Dashboard.
11. You can view die
Dashboard.

N o d es

M ap

by selecting

and P ro to co ls from die S ta tis tic s section of die



m

On-the-Fly Filters:
You shouldn’t have to stop
your analysis to change
what you’re looking at.
OmniPeek enables you to
create filters and apply
them immediately. The
WildPackets “ select
related” feature selects the
packets relevant to a
particular node, protocol,
conversation, or expert
diagnosis, with a simple
right click o f the mouse.

F IG U R E 1.9: OmniPeek statistical reports o f Nodes

12. You can view a complete
section of the Dashboard.

S u m m a ry

of your network from the

S ta tis tic s

£ Q Alarms and
Notifications: Using its
advanced alarms and
notifications, OmniPeek
uncovers hard-to-diagnose
network problems and
notifies the occurrence of
issues immediately.
OmniPeek alarms query a
specified monitor statistics
function once per second,
testing for user-specified
problem and resolution
conditions.
F IG U R E 1.10: OmniPeek Summary details

13. To s a v e the result, select F ile ‫ ^־‬S a v e


Report.



-

OmniPtek
F « | fd
.1
H

u«M0« tooit

i

ii

♦ * J

*

'0

x ’

*Hi 'OmnlPrck
T A « L u u ! i i v w .!j O ! J .

►
i
-

ua3‫׳‬
‫־‬
C fT .
u W
5 52 1
.1 / 0 2
t2 :<
rt2 6
< L2S
M

m

Using OmniPeek’s
local capture capabilities,
centrali ed console
distributes OmniEngine
intelligent software probes,
Om nipliance®,
T im elin e™ network
recorders, and Expert
Analysis.

2

360.320
0.795

‫־. מיי‬Jaw

‫זז‬
■‫«.־‬

Ltn ct
crn

20
.0 0

lM1.V0a 001.B

F IG U R E 1.11: OmniPeek saving die results

14. Choose the format of the report type from die
then click Save.

S a v e R e p o rt

window and

Save Report
2e 1R e p o rt ty p e :
fiy!!..PDF:.Report
Q

m

Engineers can
monitor dieir entire
network, rapidly
troubleshoot faults, and fix
problems to maximize
network uptime and user
satisfaction.

j v

R e p o rt fo ld e r:

C : U se rs A d m in is tra to r d o c u m e n ts R e p o r ts C a p tu re 1
R e p o rt d e scrip tio n
PDF re p o rts c o n ta in S um m ary S ta tis tic s , N ode S ta tis tic s , P ro to co l
S ta tis tic s , N o d e /R ro to c o l D etail S ta tis tic s , E x p e rt S tre a m a nd A p p lic a tio n
S ta tis tic s , Voice a n d V ideo, W ire le ss N ode a nd C ha n n els S ta tis tic s , a n d
g ra p h s.

Save

C ancel

Help

F IG U R E 1.12: OmniPeek Selecting the Report format

2
:

MCjUKfc 1.1 (Jmnil-'eek Selecting the Report tonnat

15. The report can be viewed as a PDF.




OmniPeek Report
^

-"tf Statistics
t? Summary
t? Nodes
I? Protocols
®I? Expert
I? Summary
Flows
I? Application
Lf Voice &Video
“‫ ׳‬Lf Graphs
1 Packet Sues
f
1/ Network
Utilisation
(bits/s)
If Network
Utilization
(percent)
(? Address
Count
Comparisons
I? Application

m

Compass Interactive
Dashboard offers both
real-time and post-capture
monitoring o f high-level
network statistics widi drill
down capability into
packets for the selected
time range. Using the
Compass dashboard,
multiple files can be
aggregated and analyzed
simultaneously.

f t Dashboard

OmniPeek Report: 9/15/2012 12:21:22
Start: 9/15/2012 12:02:46, Duration: 0:01:25
Total Bytes: 1014185. Total Packets: 2000

___ Li£ _
S_
Tools
Bookm
ark(
?

&

B*
ft“
3 i? OmniPeek Report —
Dashboard
- 'tf Statistics
IP Summary
(? Nodes
1? Protocols
Expert
1? Summary
(? Flows
I? Applications
If Vo«e &Video
®ff Graphs
If Packet Sues
If Network
Utilization
(bits/s)
1? Network
Utilization
(percent)
I? Address
Comparisons
ff Application

Sign

Comment .

Summary Statistics. Reported 9/15/2012 12.21.22

Start Date
Start Time
Duration
Group. Network
Total Bytes
Total Packets
Total B10.1dc.1st
Total Multicast
Average Utilisation (percent)
Average Utilisation (blts/s)
Current Utilisation (percent)
Current Utilization (bits/s)
Max Utilization (percent)
Max Utilization (bits/s)

1014185
N‫׳‬A
1061
6933
0 096
95989
0 360
360320
0.795
79*656

63
0096
95989
0 360
360320
0795
794656

0105
0 585
0096
95989
0 360
360320
0.795
794656

0 360
360320
0.796
794656

Group Errors

00
0
0
00
00
00
00

Total
CRC
Frame Alignment
Runt
Oversize

0.000
0.000

F IG U R E 1.13: OmniPeek Report in PD F format

Lab Analysis
Analyze and document the results related to the lab exercise.




Tool/Utility

Information Collected/Objectives Achieved
Network Information:
■ Network Utilization
■ Current Activity
" L °g
■ Top Talkers bv IP Address
■ Top Protocols
Packets Information:

OmniPeek
Network Analyzer

■
■
■
■

Source
Destination
Size
Protocol

Nodes Statistics:
■
■
■
■

Total Bytes for a Node
Packets Sent
Packets Received
Broadcast/Multicast Packets

Summary includes Information such as:
■
■
■
■
■

General
Network
Errors
Counts
Size Distribution





Questions
1 Analyze what 8 2 1 1 adapters are supported 111 OmniPeek Network
.
0 .1 1
Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall
rules.
3. Evaluate how you create a filter to span multiple ports.
Internet Connection Required
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



Lab

S p o o fin g M A C A d d re s s U s in g S M A C
S M A C i apon ‫׳‬i /1and easy-to-us toolthat i a M A C address changer ( p o e )
s
ef1
e
s
sofr.
The toolcan a t v t a new M A C address rig aft changing i automatically.
ciae
ht er
t
I CON

KEY

/Valuable
inform
ation
Testyour
k o le g
nw de
H Web e e
x rcise
orkbookreview
ffi! W

Lab Scenario
11the previous kb you learned how to use OmmPeek Network Analyzer to capture
1
network packets and analyze the packets to determine it any vulnerability is present
111 the network. If an attacker is able to capmre the network packets using such tools,
he 01‫ ־‬she can gain information such as packet source and destination, total packets
sent and received, errors, etc., which will allow the attacker to analyze the captured
packets and exploit all the computers in a network.
If an administrator does not have a certain level of working skills of a packet sniffer,
it is really hard to defend intrusions. So as an expert e th ic a l h a c k e r and
p e n e tra tio n te s te r, you must spoof MAC addresses, sniff network packets, and
perform ARP poisoning, network spoofing, and DNS poisoning. 11tins lab you will
1
examine how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives
The objective of tins lab is to reinforce concepts of network security policy, policy
enforcement, and policy audits.
11tins lab, you will learn how to spoof a MAC address.
1

Lab Environment
^^Tools

111

the lab, you need:

th is lab a re
a v a ila b le in

■

SM AC

located at D:CEH-T 00 lsC EH v 8

M o du le 0 8 S niffingM A C Spoofing

ToolsS M A C

■ You can also download the latest version ot SM AC from the link
http://www.klcconsulting.net/smac/default.htm#smac27

M o du le 08
Sniffing


■ It you decide to download the

la te s t version,

then screenshots shown 111



■ A computer running W in d ow s
2008 as
tun Machine

S e rv e r

2 0 12 as Host and Windows Server

■ Double-click s m a c 2 7 b e ta _ s e tu p .e x e
installation steps to install SMAC

and follow the wizard-driven

■



■ A web browser with Internet access

Lab Duration
Time: 10 Minutes

Overview of SMAC
ffisMAC

is a powerful
yet easy-to-use and intuitive
Windows M A C address
modifying utility (M AC
address spoofing) which
allows users to change
M A C addresses for almost
any Network Interface
Cards (N IC s) on die
Windows 2003systems,
regardless o f whether die
manufacturers allow diis
option.

protects person al and individual privacy. Many organizations
track wired or wireless network users via their MAC addresses. 11addition, there are
1
more and more Wi-Fi w ire le s s connections available diese days and wireless
networks use MAC addresses to c o m m u n ic a te . Wireless network security and
privacy is all about MAC addresses.
Spoofing a MAC

Spoofing is carried out to perform security v u ln e ra b ility tes tin g , penetration testing
on MAC address-based a u th e n tic a tio n and au th o riza tio n systems, i.e. wireless
access points. (Disclaimer: Authorization to perform these tests must be obtained
from the system’s owner(s)).

Lab Tasks
1 Launch die S ta rt menu by hovering die mouse cursor on die lower-left
.
corner of die desktop.

[® S M A C works on die
Network Interface Card
(N IC ), which is on the
Microsoft hardware
compatibility list (H C L).

4

Windows Server 2012
Windows Sewer 2012 Rdrat Cardidatc Datacen!‫׳‬
Evulud’kn copy Build 84C
.
C

*•r

1&

rc !1 T !n ^ H
F IG U R E 2.1: Windows Server 2012 —Desktop view

2. Click die SM A C

2 .7

app 111 die S ta rt menu to launch die tool.

Q=sJ W hen you start SM AC
program, you must start it
as the administrator. You
could do this by right click
on die SM AC program
icon and click on "Run as
Administrator if not logged
in as an administrator.




£

T A S K

1

Spoofing MAC
Address

3. The SM AC main screen appears. Choose a network adapter to spoof a
MAC address.
%
File

SMAC 2.7 Evaluation Mode - KLC Consulting: www.klcconsulting.net
View

Options

Help

ID

| Active I Spoofed I NetworkAdapter
Hyper-VVirtual Ethernet Adapter #2
0017 Yes
No
Hyper•VVirtual Ethernet Adaptei #3

rriiEiii ■1‫ן י‬
‫ו‬

IP Address

EMU^HET
169.254.103.138 0
1

17 Show O Active Network Adapters
n^i

Remove MAC

New Spoofed MACAddress

Restart Adapter

IPConfig

Random
Refresh
Spoofed MACAddress
|Not Spoofed

J

Active MACAddress

MAC List
Exit

Network Connection_______________________________
|vEthernet (Realtek POe GBE Fam Controller •
dy
Virtual Switch)
Hardware ID_____________________________________

| 0ra r‫£׳‬
D-*‫־‬

A |

_>
>
J

|vms_mp

Disclaimer: Use this programat your own risk. We ate not responsible fot any damage that m occur to any system
ay
This programis not to be used for any illegal or unethical purpose Do not use this programif you do not agree with

d s M A C helps people to
protect their privacy by
hiding their real M A C
Addresses in the widely
available W i-Fi Wireless
Network.

F IG U R E 2.3: SMAC main screen

4. To generate a random MAC address. Random .
U p d a te M A C

Rem o ve M A C

R e s ta rt A d a p te r

I P C o n f ig

Random

M A C L is t

R e fre s h

E x it

F IG U R E

24SM AC Random button to generate M AC addresses
.:

5. Clicking die Random button also inputs die N e w
simply MAC address spoofing.


S poofed M AC A d d ress

to

Ethical Hacking and Countemieasures Copyright © by EC-Council


‫־‬a!
r

SMAC 2.7 Evaluation Mode - KLC Consulting: www.klcconsulting.net
File View

m

SM AC also helps
Network and IT Security
professionals to
troubleshoot network
problems, test Intrusion
Detection / Prevention
Systems (ID S / IP S ,) test
Incident Response plans,
build high-availability
solutions, recover (M AC
Address based) software
licenses, and etc.

Options

Help

ID | Active | Spoofed | Network Adapter
0015 Yes
No
Hyper■ Virtual Ethernet Adapter 82
V
0017 Yes
No
Hyper-VVirtual Ethernet Adapter #3

I* Show Only Active Network Adapteis

Update MAC

New Spoofed MACAddress
IE -| 05 - |F C

^ I

-| 63 -| 34 -

|SCHENCK PEGASUS CORP. [0005FC]
Spoofed MAC Address
|Not Spooled

10.0.0.2
DOl
169.254.103.138 0 ■ '
0

Restart Adapter

0 ‫ ־‬l xj
7

;■6
3
-■
08

Remove MAC
|

Random

MAC List

Refresh

— ‫פ‬

|

IPConfig
Exit

Network Connection
IvEthernet (Realtek PCIe GBE Fam Conliollei •
dy
Virtual Switch)

Active MACAddress
|D0-»W « ■
-36

AI

Hardware ID_____________________________________
|vm p
s_m

Disclamer Use this programat your own risk. We are not responsible 11any damage that m occur to any system
0
ay
This programis not to be used for any illegal o unethical purpose Do not use this programif you do not agree with
t

F IG U R E 2.5: SM AC selecting a new spoofed MAC address

6. Tlie Network Connection 01‫־‬Adapter display their respective names.
7. Click tlie forward arrow button
N e tw o rk A d a p te r information.

111 N e tw o rk C o n nection

r

g

N e t w o r k C o n n e c t io n _______________________________________________________

I v E t h e r n e t ( R e a l t e k P C I e G B E F a m ily C o n tro lle r ■V ir tu a l S w i t c h )

F IG U R E 2.6: SM AC Network Connection information

C Q Is m a c does not
change die hardware
bumed-in M A C addresses.
SM C changes the
software-based !MAC
addresses, and die new
M A C addresses you change
are sustained from reboots.

to display die

Clicking die backward arrow button 111 N e tw o rk A d a p te r will again display
die N e tw o rk C o n n e ctio n information. These buttons allow to toggle
between die Network Connection and Network Adapter information.

r

N e tw o rk A d a p te r

g

|H y p e r- V V ir t u a l E t h e r n e t A d a p t e r 8 2

F IG U R E 2.7: SM AC Network Adapter information

9. Similarly, die Hardware ID and Configuration ID display dieir respective
names.
10. Click die forward arrow button
C o n fig uratio n ID information.

111

H a rd w a re

ID

to display die

H a r d w a r e ID
|v m s _ m p

F IG U R E 28: SM AC Hardware ID display

11. Clicking die backward arrow button 111 C o n fig uratio n ID will again display
die H a rd w a re ID info rm ation . These buttons allow to toggle between die
Hardware ID and Configuration ID information.
C o n fig u r a tio n ID
| { C 7 8 9 7 B 39 - E D B D - 4 M 0 - B E 9 5 - 5 1 1 F A E 4 5 8 8 A 1 }

F IG U R E 2.9: SMAC Configuration ID display


3



S

12. To bring up die ipconfig information, click IPConfig.
T A S K

2

Update MAC

Remove MAC

Restart Adapter

IPConfig

Random

MAC List

Refresh

Exit

V ie w in g IPConfig
In fo rm atio n

,

j

F IG U R E 2.10: SMAC to view7the information of IPConfig

13. Tlie IPConfig window pops up, and you can also save the information by
clicking die F ile menu at the top of die window.
—

‫ם‬

File
W indow s IP Configuration
Host N a m e
Primary Dns S u ffix
Node T y p e
IP Routing Enabled
W INS Proxy Enabled

: WIN-MSSELCK4K41
: Hybrid
:N o
:N o

Ethernet adapter vEthernet (Virtual Network Internal Adapter):

C Q t 1 eIPC onfig
1
information w ill show in
the "View IPConfig
Window. You can use the
File menu to save or print
the IPConfig information.

Connection-specific DNS Suffix .
D escription
: Hyper-V Virtual Ethernet Adapter 83
Physical Address
:0 0 -08
DHCP Enabled
:Y e s
Autoconfiguration E n a b le d . . . . : Yes
Link-local IPv6 A d d re ss
: fe80::6868:8573:b1b6:678a%19(Preferred)
Autoconfiguration IPv4 Address. .: 169.254.103.138(Preferred)
Subnet M a s k
: 255.255.0.0
Default G a te w a y
DHCPv6 IA ID
: 452990301
DHCPv6 Client D UID : 00-01 -00-01 ■
1
‫־‬A- 16- 36
DNS S e rvers
: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
Close

1

F IG U R E 2.11: SM AC IPConfig information

14. You can also import the MAC address list into SMAC by clicking MAC
Update MAC

IPConfig

Random
k
.

Remove MAC

Restart Adapter

List.

MAC List

Refresh

i

Exit

F IG U R E 2.12: SMAC listing M AC addresses




15. If there is 110 address in die M AC ad d ress held, click Load
]MAC address list tile you have created.

List

to select a

MAC List

<- Load List

CQ1t 1e IPConfig
1
information w ill show in
the "View IPConfig
Window. You can use the
File menu to save or print
the IPConfig information.

S e le c t

Close

No List
F IG U R E 2.13 SMAC M AC lis t window

16. Select die
window.

S am p le M AC A d d ress L is t.tx t

file from the

Load M AC List

Load MAC List
Q 2 W hen changing M AC
address, you M U ST assign
M A C addresses according
to IA N A Number
Assignments database. For
example, "00-00-00-00-0000" is not a valid M A C
address, therefore, even
though you can update this
address, it may be rejected
by the N IC device driver
because it is not valid, and
T R U E M A C address will
be used instead.
Otherwise, "00-00-00-0000-00" may be accepted by
the N IC device driver;
however, the device w ill
not function.

■
i.f
Organize ■
*

”

ProgramData ► KLC ► SMAC

v

C

Search SMAC

‫ ־י‬s m

New folder

■ Desktop
4 Downloads

A

Name

6/6/200811:11 PM

Text Document

, , Sample_MAC_Address_List.txt

Jf SkyDrive

Type

i-‫־‬l LicenseAgreement.txt

—

jgf Recent places

Date modified

4/S0/20061:23 PM

Text Document

Libraries
0 Documents

J* Music
fc l Pictures
B

Videos
Computer

U . Local Disk (G )
1 j Local Disk (DO
_

<|

>

File name: |Sample_MAC_Address_List.txt

v

Text Format (*.txt)
Open

pr

F IG U R E 2.14: SM AC M AC List window




17. A list of MAC addresses will be added to die MAC List 111 SMAC. Choose a
MAC A d d ress and click S e le c t. This MAC Address will be copied to N e w
Spoofed M AC A d d ress oil die main SMAC screen.
m

SM AC is created and
maintained by Certified
Information Systems
Security Professionals
(C ISSPs), Certified
Information System
Auditors (C ISA s),
Microsoft Certified Systems
Engineers (M C SEs), and
professional software
engineers.

%

MAC List

00 =
O
D
O
D
OC■

:99

-9
E
■8
E
.

- E7

m

SM AC displays the
following information
about a Network Interface
Card (N IC ).

C: P r o g r a m D a t a K L C S M A C S a m p le _ M A C _ A d d r e s s _ L i s t . txt

F IG U R E 2.15: SMAC M AC List window

• Device ID

18. To restart Network Adapter, click R e s ta rt A d ap ter, which restarts die
selected N e tw o rk A d ap ter. Restarting die adapter causes a temporary
disconnecdon problem for your Network Adapter.

• Active Status
• N IC Description
• Spoofed status
• IP Address

U p d a te M A C

• Active M A C address
• Spoofed M AC Address

|

R e s ta rt A d a p te r

I P C o n f ig

Random

M A C L is t

R e fre s h

• N IC Hardware ID

E x it

• N IC Configuration ID
u

F IG U R E 2.16 SMAC Restarting Network Adapter

Lab Analysis
Analyze and document die results related to die lab exercise.
Tool/Utility

SMAC


■
■
■
■
■
■
■

Host Name
Node Type
MAC Address
IP Address
DHCP Enabled
Subnet Mask
DNS Servers




Questions
1 Evaluate and list the legitimate use ot SMAC.
.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how you can remove the spoofed MAC address using die SMC.
□ Yes

0 No

Platform Supported
0 Classroom


0 iLabs



S n iffin g a N e tw o r k U s in g th e
W in A r p A tta c k e r T o o l
WinArpAttacker i aprogram thatcan scan, a
s
ttack, d t c , andprotect computers
eet
on a localarea network (LAN).

ICON KEY

Lab Scenario

1. V ab
_ alu le
uifonnation

You have already learned in the previous lab that you can conceal your identity by
spooling the ]MAC address. An attacker too can alter 11 or her MAC address and
1s
attempt to evade network intrusion detection systems, bypass access control lists,
and impersonate as an authenticated user and can continue to communicate widiin
the network when die authenticated user goes offline. Attackers can also push MAC
flooding to compromise die security of network switches.

Testyour
k o le g
nw de
W ee
eb x rcise
orkbookreview
ea W

As an administrator, it is very important for you to detect odd MAC addresses 011
the network; you must have sound knowledge of footprinting, network protocols
and their topology, TCP and UDP services, routing tables, remote access (SSH 01‫־‬
VPN), and authentication mechanisms. You can enable port security 011 the switch
to specify one or more MAC addresses lor each port. Another way to avoid attacker
sniffing 011 your network is by using static *ARP entries. 11tins lab, you will learn to
1
run the tool WinArpAttacker to sniff a network and prevent it from attacks.

Lab Objectives
The objectives of tins lab are to:
■

S c a n . D e te c t. P ro te c t,

and A tt a c k computers 011 local area networks

(LANs):
■ Scan and show the active hosts 011 the L A N widiin a very short time
period of 2-3 seconds
■

S a v e and lo a d computer list files, and save the LAN regularly for a new
computer list

■ Update the computer list 111


p a s s iv e m o d e

using sniffing technolog}‫־‬



■ Freely p ro v id e
employ?
■

in fo rm a tio n

regarding die rype of operating systems they

Discover the kind ot fir e w a ll,

w ir e le s s a c c e s s p o in t

and r e m o te

access

■ Discover any published information on the topology of the n e tw o r k
■ Discover if the site is seeking help for IT p o s itio n s that could give
information regarding the network services provided by the
organization
■ Identity actual users and discover if they give out too much personal
information, which could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:
■

W in A rp A tta c k e r

located at D :CEH -ToolsC EHv 8

M o du le 0 8 SniffingARP

P oisoning T o o ls W in A rp A tta c k e r

■ You can also download the latest version ot W in A rp A tta c k e r trom the link
http://www.xtocus.net

^~Tools
th is lab a re
a v a ila b le in

■ If you decide to download the la te s t
■ A computer running W in d o w s


■

M o du le 08

W in d o w s 2 0 0 8

version,

S e rv e r 2 0 1 2

then screenshots shown in

as host machine

running on virtual machine as target machine

■ A computer updated with network devices and drivers

Sniffing

■ Installed version ot W in P cap drivers
■ Double-click W in A rp A tta c k e r.e x e to launch WinArpAttacker
■



Lab Duration
Time: 1 Minutes
0
W inARPAttacker
works on computers
rumiing Windows /2003.

Overview of Sniffing
Sniffing is performed to c o lle c t b asic info rm ation of a target and its network. It
helps to tind v u ln e ra b ilitie s and to select exploits for attack. It determines network
information, system information, and organizational information.

Lab Tasks
* T A S K

1

S can ning H o sts
on th e LAN


1
.

Launch

Windows 8 Virtual Machine.

2. Launch W in A rp A tta c k e r 111 the host maclinie.



‫ר ^ ד־־ ק‬

U title W A A c e 3 ?0 6 .4
n d in rp tta k i .5 0 6
Fite lean A
ttacfc Dctect options View Help

Caution:This program
is dangerous, released just
for research. Any possible
loss caused by this program
bears no relation to the
author (unshadow), if you
don’t agree with this, you
must delete it immediately.

D ^ i
Xev

op»n

* «» a a *

s &ve

scan

| Online

| ActHoit

Snrfli... Attack

| FftetHovI

q 1:‫ ״‬stopsendh*e*art
A
ttack

ArpSQ | A pSP | ArpRQ 1 ArpRP |
<

| Fff»(tH(Kt2

Cpflu‫*׳‬ascut
Packets

(

]

[ Count |
1 .0 1
0 .0
1 .0 3
0 .0
1
0.004
10.005
10.0.07
10.0.08
1 .0 2 5
0 .0 5
IM 2 4 5 2 5
5 .2 5 5
2 4 .0 2
2 .0 .2

‫*־לש‬
I- ‫־‬
‫-.׳‬

Ta
> ff!c(KI

00■
•
00
00
0■
0
00‫•־‬
00
FF-‫״‬
FF•*
01•*

—*W<sA*»<*e'!200««<—
w a r ! •lew*! soya, m tsem reducM 1 1«ty
‫ג‬
o
te

p>• •:»» 1 Cx vvtry Gar/McsM .
: ASe
je^ a L
U

p* ‫ ! : ! » » : ־־‬C : a2 L‫ ־‬trse terns :•10.0.0 tr* p g ir ruy 9 ! 1 9 r« c
s* 0>
c
.V
to o
6 1 0 0y
1 3G V iaao.1
6 V:

O 0 O 0 Sniffing; :
n:
ff:

Klee D - •- y 16-3.G : 1 0.1
Ofc
W ft(X

Q=J W iiiArpAttacker is a
program diat can scan,
attack, detect, and protect
computers on a local area
network.

3. Click die S ca n option from die toolbar menu and select S ca n
4. The scan shows die a c tiv e
(2-3 seconds).

hosts 011

sc a n

Untitled WinArpAttackef 35 ?006 6.4

ek
_E*c| V | Mofmalitan
‫׳‬

I

EvtnC

Detect

Hwhmne

I Online I SnrtfL. I Attade

1ActHotl

send hc ‫׳‬art CpHcit lke1£
«<

a:

and A n tis n iff scan.
r~ ‫5 ם‬
r ‫ד־‬

cut

I AipSQ I An»5P I AmW I A P I
rpW

Sff«aHpq2

Padafa I

TufficQq

| Count |
1 .0 1
0 .0
10
.0.03
10
.0.04
1 .0.0 5
0
10.0.07
10.0.0a
10.0.0255
19 2542 5 5
6•
5 .2 5

224.0.022
‫1 1 יי ^ מ כ נ נ ־: ־ ־ן ־. ן‬
]

LAN.

die LAN in a very short period ot time

5. The S ca n option has two modes: N o rm al

0 3 The•‫י‬
option scan can
scan and show the active
hosts on the L A N within a
very short time. It has two
scan modes, Normal
andAntisniff. The second is
to find who is sniffing on
the IA N .

O 0 O 0 Snrffmj: Q ,
n:
ff;

F IG U R E 31: WiiiArpAttacker main window

1Mat
(X>*
oa
0a
0•
0
D4.♦
00•
FF►
FF-*

I

•
•
‫־‬
‫־‬
•
•

- €• 3
0
IE-2D
• NE
O
•
••FF
• • •F
F

-

6
a_/!fp m M «
_£ rv_C »ae
M O
acO -fc ♦
-

16-3,GW 1a0J3.1

,O 0 Qff:0 SnrffmyQ , J
n:

F IG U R E 3.2: WinArpAttackei Scan options

6. Scanning saves and loads a computer list tile and also scans die LAN
regularly for new computer lists.




U title W A A rkr 5?0 6 .4
n d in rp m f
0 .6
& I n this tool, attacks
can pull and collect all the
packets on the LA N .

Fit S.‫״‬

.‫־ י‬

p pa

H j open Save
e
PAddmi

□1A1
0a
□1*2
00
0 1Oil0.3
□ 10A04

□ 10:aa5
□ 10ixa7

□1*8
00

2012-09 17 104*05
2012*09•17 104905
2012-09-17 10AOS
2012-09-171049 33
2012-09■17104905
2012 09 17104905

33■

‫ד‬

5c»r!

M
aCk
Slop Seni R . Optow lfc«-p A K
ccouw
tK it
|H
o»ln<
1Online 1SnjW | A
i... tUtfc‫־‬
| AipSQ | A
>pSP | /UpfiQ | frp«P I
10.0.01
Onlin
W SSEICK... Onlin
N-M
*:-06 W O W
lN O Sfl
Onlin
-:‫0־‬
9 W DW
IN O S8
Onlin
‫ 30-» ־‬V N Q 3W Onlin
M -IX N ...
E-20 W R G O P Onlin
OKRU
AOMN
Onlin
•-0E

P«cfc«t» |

Tr«ffic[IQ T

IP
‫1. 1 0ז‬
.0 0
10.001

IM
flf

4-CC

*6
3

I Evtnt
New_Ho*
IW.Hotf
Nm H U
o
Aip Sun
New.Hox
New.Hox

I ActHotf

1000.7

1 .0 .1
0 .0
1000.8
1 .0 .2
0 .0

1000.4
100105

10.0.0.4
10.0.0.5

oof* • 1 *•cc
r
0 • • • •-06
0
0■ - • —0
0■
«

00•■ ‫30-:- ־ ־‬

1 .0 .6
0 0

0 - * - • • -M
0•

10.010.7
10.008
1000.255
169.2Si.2SS.2SS

04•

5-3 G « 100.0I
V:

iz-

E20
•FF

O 7 O ■ Sniffing: 0
n: ff: :

F IG U R E 3.3: WinArpAttacker Loading a Computer lis t window

By performing die attack action, scanning can puU and collect all die packets
on die LAN.
ARP A tta c k

Select a host (10.0.0.5 —Windows Server 2008) from the displayed list and
select A tta c k - Flood.
>
Untitled WinArpAttarlc<*r 3 5 ?006.6.4
so ■
«n»Ktu.^ibw U*H> ©
#
S J tir E3 ‫ג*י׳‬
*
]~Iw
t t
^
I An.au I fcpso I *■pUC I fcpwl
M »j I

C Q t 1 e Flood option
1
sends IP conflict packets to
target computers as fast as
possible. I f you send too
many, the target computers
go down.

Event
2012-09 17 104*05 N«w_M
0*
2012-09• 17 104905 Nv o *
* ‫_״‬M»
2012-09•1710J90S ^ ‫־‬Hoa
2012-09-17105401 14p St*n
2012-09 17104905
2012 09 17104905

N«w Ho*
Me*.Hex

1ActHotf
1000.7

IP

10.0.0.4
10.0.0.5

Mat

10.001
1 .0 .1
0 0

00-•
00

10.004
10A0.5
10006
10.00.7
10.008
1000.255
169.2S42SS.2SS

f Court I

1 0 .1
0 .0
1 .0 .8
0 .0
10 .0
0 .2

00- •
0000-•
04•
00- •
ff•*■

FF-*‫־‬

KMlau of 10.9.0.1, m 1.<•**‫ ־‬nuy tit
«
>

16-3 G : 100.01
W

O 7 O . 0 SniffmyO
n: ff■

F IG U R E 3.4: WinArpAttacker A R P Attack type

9. Scanning acts as another gateway or IP-torwarder without odier user
recognition on die LAN, while spoofing ARP tables.
10. All die data sniffed by spoofing and forwarded by die WinArpAttackerIPforward functions are counted, as shown in die main interface.




r 18■

U itlp W Ap mk * 0 6 .4 5‫ד‬
m d in r A r <r 0.6 ?

CO lThe
BanGatewayoption tells the
gateway wrong M AC
addresses o f target
computers, so the targets
can’t receive packets from
the Internet. This attack is
to forbid die targets access
the Internet.

Pi* Scan Attack Q*t*ct Cptio!

E &
□1000.1
□ 10002
□ 100103
□ 100.0.4
E10A0l
5
□ 10007
□ 100108

5C*n

00- •
D
O
00- «
oc ‫־‬
00- • •
D4-»
00 . •

I<v
n
2012-09*171049(05
7012-09• 17 10490:
2012-09•17I0j»05
2012-09-17105401
2012 09 17104905
2012 09 17104905

• ■** m
m
Attack

A frm
A ____ |H itn m
o ae
• 4-CC
5-36
* *-06
* ‫90-•״‬
♦ •£-03
E-20
^*-OE

stop

©

S*f»J !vecoiw C*3tow lH«Up At».
.

1

|Olin j S iff. A «
ne n
H.k

100.0.1
W SSEICK...
N-M
W
NOOW
S8
W
N0CW
S8
V N-UQN3W
M
...
WR GO P
OKRU
AM
O IN

Online
Online
Online
Online
Online
Online
Online

N
ot...
N
or...
N
or.
N
or...
N
or...
Nor.N
or...

Normal
Normal
Normal

I t . p ip j ArpSP I fl.PBQ I flipRP I

88
355
‫מ‬
5
36
1
41

10!
5
0
0
0
0
0

1ActHotf

Ev*nt
N*w_M0*
Naw.MoU
P j» H o >
1
A«p Scan
Ncw.Hest
N«*.Host

203
5
27
4
2‫ו‬
22
30

0
109
1
1
1
1
1

0
0
0
0
0
0
0

I 1OO I
^.‫»ז‬
O
aoo
000
0.00
000
00
.0

0.00

1Mac
00••

[ Court |

1000.7

10.001
10.001

1000.1
1000.8
1 0 .2
0 .0

1.0.4
00
105
00

■ •‫30-־‬

10.
00
6

10.0.0.4
10.0.0.5

►
4CC
> *-06
•* 0
•9

00--

107
00
103
00
1025
005
rr
19 S .25 S F6.24 S .2S F

1 .0 .1 m pvjrini m *
9 .0 , «
ay

6-E GA: 10X
1,0.1

On: 7 Off: ‫ :׳‬Sniffing 0 y/

5■• GW 10.0.0■I
:

On: 7 Off: : Sniffiny 0

F IG U R E 3.5: WinArpAttacker data sniffed by spoofing
C Q t 1 e option,
1
IPConflict, like A R P Flood,
regularlysendsIP conflict
packets to target
computers, so that users
may not be able to work
because o f regular ip
conflict messages. In
addition, the targets can’t
access the LA N .

11. Click S a v e to save the report.
m

U n title d - W in A rp A tta c k e r 3.5 2006.6.4

File

Scan

Attack

Detect

Options

View

Help

ARP^iZ
□
New

J B
Open

■
Save

scan

-

tm

Attack

-

4m

J
Stop

i
Send

a

S

Rcut Options
eon

«
Live Up

®
About

F IG U R E 3.6: WinArpAttacker toolbar options

12. Select a desired location and click S av e die save die report..

Lab Analysis
Analyze and document die scanned, attacked IP addresses discovered 111 die lab.
Tool/Utility

WinArpAttacker

■
■
■
■
■
■
■

Host Name
Node Type
MAC Address
IP Address
DHCP Enabled
Subnet Mask
DNS Servers





Questions
1 WuiArp
.

□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



A n a ly z in g a N e tw o r k U s in g t h e
C a p s a N e tw o r k A n a ly z e r
Capsa Ne/)j‫׳‬rk Analyser i an easy-to-useEthernet network analyser (.. packet
o
s
ie,
s i f rorprotocol analyser)for network monitoring and tr
nfe
oubleshooting.

I CON KEY

Lab Scenario

/V ab
alu le

Using WinArpAttacker you were able to sniff the network to tind information like
host name, MAC address, IP address, subnet mask, DNS server, etc. An attacker,
too, can use tliis tool to gain all such information and can set up a rogue DHCP
server serving clients with false details. A DNS attack can be performed using an
extension to the DNS protocol.

m ation
form
Test your

** Web e e
x rcise
m

W
orkbook re
‫׳‬

To prevent tins, network administrators must securely configure client systems and
use antivirus protection so that the attacker is unable to recnut 111s or her botnet
army. Securely configure name servers to reduce the attacker's ability to corrupt a
zone tile with die amplification record. As a penetration tester you must have sound
knowledge ot sniffing, network protocols and their topology, TCP and UDP
services, routing tables, remote access (SSH 01‫־‬YPN), and authentication
mechanisms. Tins lab will teach you about using other network analyzers such as
Capsa Network Analyzer to capture and analyze network traffic.

Lab Objectives
The objective ot this lab is to obtain information regarding the target
organization that includes, but is not limited to:
■ Network traffic analysis, communication monitoring
■ Network communication monitoring
■ Network problem diagnosis
■ Network security analysis
■ Network performance detecting
■ Network protocol analysis




Lab Environment

& T o o ls
th is lab a re
a v a ila b le in

To earn’ out die lab, you need:
■

C o laso ftC a p s a N e tw o rk A n a ly ze r

located at D:CEH -ToolsC EHv 8 M o du le

0 8 SniffingSniffing Too lsC ap sa N e tw o rk A n a ly ze r


■ You can also download the latest version of C o laso ftC a p s a
A n a ly ze r from die link http://www.colasoft.com

M o du le 08
Sniffing

■ If you decide to download die la te s t
■ A computer running W in d o w s

version,

S e rv e r 2 0 1 2

N e tw o rk

dien screenshots shown 111

as host machine

■ Windows 8 running on virtual machine as target machine
■ Double-click ca p s a _ fre e _ 7 .4 .1 .2 6 2 6 .e x e and follow die wizard-driven
installation steps to install Colasoft Capsa Free Network Analyzer
■


pnvileges to run tools

■ A web browser with an Internet connection
N ote:
£Q1 ColasoftCapsa
Network Analyzer runs on
Server 2003 /Server
2008/7 with 64-bit Edition.

This lab requires an active Internet connection for license key registration

Lab Duration
Time: 20 Minutes

Overview of Sniffing
Sniffing is performed to c o lle c t b asic in fo rm atio n of die target and its network. It
helps to tind v u ln e ra b ilitie s and select exploits for attack. It determines network
information, system information, password information, and organizational
information.
Sniffing can be A c tiv e or P assive.

Lab Tasks
3 t a s k

1

A n alyze N e tw o rk

Capsa Network
Analyzer is an easy-to-use
Ethernet network analyzer
(i.e., packet sniffer or
protocol analyzer) for
network monitoring and
troubleshooting.

1 Launch the S ta r t menu by hovering the mouse cursor on the lower-left
.
corner of the desktop.

S 3 W in d o w s S e r v e r 2 0 1 2

V
*r

M

■afeLLxjjLtt! I a a

Windows Server 2012 Release Candidate Datacen!*
Evaluation copy. Build 84C
C

,“,"J

F IG U R E 4.1: Windows Server 2012—Desktop view




2. Click C o la s o ft
Analyzer tool.

C a p s a 7 F re e N e tw o r k A n a ly z e r

to launch the Network


3. The C o la s o ft C a p s a 7 F re e - A c tiv a tio n G u id e window will appear.
Type the activation key that you receive 111 your registered email and
click N e x t.
C o la s o ft C apsa 7 Free - A c tiv a tio n G u id e
W elcom e to Colasoft Capsa 7 Free A ctivation Guide.

License Information:
User Name:

Windows User

Company:

SKMC Groups|

Serial Number

03910-20080-80118-96224-37173

Click here to get your serial number...
To activate the product now, select one o f the follow ing and click the
Next button. Please contact capsafree@ colasoft.com fo r any
question.

® Activate Online (Recommended)
O Activate Offline

|

Next >

| |

Cancel"

Help

F IG U R E 4.3: Colasoft Capsa 7 Free Network Analyzer —Activation Guide window




4. Continue to click N e x t on the Activation Guide and click

Fin ish .

Colasoft Capsa 7 Free -Activation Guide
Successfully activated!

Help

Finish

F IG U R E 4.4: Colasoft Capsa 7 Free Network Analyzer—Activation successful

5. Tlie

C o la s o ft C a p s a 7 F re e N e tw o r k A n a ly z e r

Name
- Yued Netmart Adapter(*)
□ Ethernet
□ Unfcno*«
LJ t€lhe<nel (Virtual Network Internal Ada..
□ Jrfcro»n
□ Ethernet

IP

‫..**••י‬

10.0.02
127.0.0.1
169254,103...
127.001
10D.02

1
0
0
0
1

5p‫ ״‬d Packets

*
1.232 Kbps
Obps
0 bps
0 bps
1232 Kbps

1,410.1 Mbps
1.410.1 Mbps
1,41a1 Mbps
1,410.1 Mbps
1010 Mbps

Byte UHizatu.

718 170.1a.
08
0
7 1.073 K
B
05
0
763 17S.6®_

A

0%

No adapter selected
Capture Filter

&

No filter selected, accept all
0% |

packets.

0%
0% y

Network Profile

Set Capture Filter
^

Full Analysis
To provide comprehensive
analysis of all the applications

CQas a network analyzer,
Capsa make it easy to
monitor and analyze
network traffic with its
intuitive and informationrich tab views.

main window appears.

and network problem!

Plugin module loaded:
M
SN
Yahoo M
essenger

o
FulAnatyia

,‫ת‬
S.
1
Traffic Monto* HTTPAnalytic Em Analyst
ail

DNSAnalytk

O

FTPAnalyt*

iMAntlytit

F IG U R E 4.5: Colasoft Capsa Network Analyzer main screen




6. 11the C a p tu re tab of the main window, select the E th e rn e t check box
1
111 A d a p te r and click S ta r t to create a new project.

Name
‫ ־‬Y1ed M wort Adapter^)
i
e:
( 3 Ethernet
LI UnbK**«
□ v€th«<net (Virtual Network In
U1n4l Ada..
D Unknown
D Ethernet

IP

Packe...

10.0.02
127.01011
1 6 9 . 2 5 4 .1 0 3 0
127.010.1
10.0.0.2

Speed Packets

bp,

9 15.800 Kbps
0
0 bps
.‫״‬
0 bps
0
0 bps
9 IS 800 K pi
b

1,4111 Mbps
1,41ai Mbps
1,410.1 Mbps
1.41a1 Mbps
100.0Mbpt

Byte UNcati...

2424 552/471.
0
08
48 12.156 K
B
0B
0
*M2 S88206-

a

r
1

< *
0%
«
O
N
0% H

111
111
iiiiiiiunm
iiiirninniiPii
1 11Irmilll II1 1nm nti
1
1
1^3

Ful Analysis

II llllllll
III! m
‫! 1וווו‬frisiii
1 iiihrn
1

1rm
—
-

|F‫־‬f=«

%

!!!!!

Ee e
th rn t
Capture Filter

^

No filter selected, accept all
packet*.
Set Capture Fitter
Network Profile

&

Full Analysis!
To provide (omprehtntiv*
analysis of all the applications
and network pioblarm
Plugin moduli loaded:
M
SN
Yahoo Messenger

psps■
‫4»נ‬

O

FTP Analysis

IMAnalysis

*L

m
Tiafftc Mcnitoi HTTPAnalysis Em Analysis
ail

D SAnalysis
N

F IG U R E 4.6: Colasoft Capsa Network Analyzer creating a New Project

7.

D a s h b o a rd provides various graphs and charts of the statistics. You can
view the analysis report in a graphical format 111 the D a s h b o a rd section
ot N o d e E x p lo re r.

‫יירק‬
*I
W

a# f
t

y a II r r

AayisP<‫... ------------__׳‬
nl s ak
w itin s 0b« Bffe t • Otpt Otpt
a g
Jt u !
uu uu

Cs5hfec;r3 x [Sum
mary Diagnosis[Protocol]‫־‬Physical Enflporw [
‫־‬PEridpr
Mi -h
t£j Fj■ A‫ ־‬S j5
1w ‫«׳‬

S T Piciocol zjfk i' (1)
3 9 PhysttJtsW ®
9
IP L>i;‫3( ־‬
f er |

N e w C a p sa v 7 .6
R e le a s e d
Try i Free
t
Q l

Total Traffic by Bytes
116:3K
B

£ Q t 1 e network
1
utilization rate is the ratio
o f current network traffic
to the maximum traffic that
a port can handle. It
indicates die bandwidth use
in the network.

i

97 K
66 B
48 3K
8 B

IjvJL...

Top IP Total Traffic by Bytes

48i?«k»

. J M M linpluytre•W*b»1t«
w toi

97MKB

Ill
' lr

£ Hw DtetAP tats
o to e c RMc
jjj Hw DtetNfwrt:lop
o to e c c o o
Hw Mn rW ?aq
e to oto Msaf
Hw Mn !ftSvein■
o to oto f 4
1
[ MreVI«>..)
o ku

S0 IC
O*5 S
2»2«7K8

^#Eth«nct

liveDw
«o
eJ V h Is U N fcB c
J o srw etaw andw

Top Application Protocols by Bytes

W8 K
39 B
M51K
9B
4 89K
42 B

/C a •Full Ara*yi5
»f>j‫׳‬c

Cc-.ft-ancr ]‫־‬IPCcoreoatie 4 * Online Resource

i tB l- ‫״ז‬
Dfa lt
eu

a;0:0:0 ^ 57
n 011
5

03Ic n on h rA trn ir.
a n t tp w lI W
w
by»
J I C o Irail‫.״‬U it.‫..״‬U
3 1 te
c
tiltu «rt
_J [F tJ a a
n Mrt
Cp tr.•
ata
crra T fBu in ec a
tr ro c t< n r hrt
[ Hr*•InKo lt'd t-th *•-]
o nw g n

Pa>
.eJ

F IG U R E 4.7: Colasoft Capsa Network Analyzer Dashboard




The S u m m a ry tab provides full general analysis and statistical
information of the selected node in the N o d e E x p lo re r window.
!‫1 ־‬r‫״‬
‫ם‬
m I

□ 5‫׳““ 1יי ךל‬
‫׳ *״׳״׳‬
Sait

Stop

----- 1
G
eneral .

Capture

Table

fJ«wcrtr Promt

Node Explorer

>

‫*>*!> ד‬
» •»
<

*H A
J

«

i
Analysis R
acket Display ^

.‫רזו‬

Analyse profile

m

ut«anon <%
7,

/ ‫־‬
Qasnccard•1Summary x [‫־‬Q
iagnosis [‫־‬Protocol fPhysical fcndpo.m IP fcnapo.rv. [

m

pp!i'i

!!!I'!!!

i

!‫ ־‬HistoryCho.
tic

C ■esa‫־‬cn [‫־‬IPCorrva
cr!
.

!

Factcr Buncr (16M6j

Online Resource

f«MA«lgteSUtfctta: | ‫־:-צ‬
R ele a se d
T r y f t F ree

U IT Protocol ! ■p'crrr (1)
,
S V5 Phv.ka' Lqstorcr (3)
tfc
IP E■
pk*n(4)
Fault
Duqnm SWMili
it
Worrnation Oijgnosk
Ntfcti Diagnosis
Wuninq r!a<jnot. t
Critical O 9 -.11
w 00
>traffic
Total
Broadcast
Mukiceit
Av«a9«Pa«k*tSa•
Pxkrt Sar Ifcttributaon

E O a liigh network
utilization rate indicates the
network is busy, whereas a
low utilization rate
indicates die network is
idle.

)NetworkH
erAM
StH'

00%
01.
0.0 0
0%

472.954K
B
4J440KS
175.757K0

<*64

00%
01
00%
00
00%
01

45.60ft K
B
1 1 9 KB
300
47.542K
B

WW
128-255
256-SI1
5 21 2
1-03

1252 K
bp*.
0b s
p
1232 Kbpi

uj M
onitor Em
ployee* W
ebsite
1^32 Kbps
0 bps

a bp<

CreateTraffic UtilUotioii Ourt
UJ lEntlSUrt a W
ireless Capture
J C
reateTiaftkUU1aUn Chat
2
[ MoremKnowledgebase—
1

1024-1517
>11
=5 8

Captue - hMArat>-se

41Ethernet

‫ ־‬ractrve

__ ____ : _ : __
_ _

Duration: 00.14:43'tf 2 » 2 ©0 P*iC,
J

F IG U R E 4.8: Colasoft Capsa Network Analyzer Summary

9. The D ia g n o s is tab provides the real-time diagnosis events of the global
network by groups of protocol layers or security levels. With tins tab
you can view the performance of the protocols
10. To view the slow response of TCP, click T C P S lo w R e s p o n s e in
T ra n s p o rt L a y e r, which 111 turn will highlight the slowest response in
D ia g n o s is E ve n ts .
nalysis ‫ ־‬CoJascft Capsa 7 Free '50 Nodes)
»

!

S•ae•
j

?

13S
Adapter F«er

Starr

U
Step

CMH

J
,

•
9

E/Tools

^ ful Analyse
K ' f Prrtrrcll.pererli;
S- Si Phv.ka bpkxer (It
0.
I‫ ׳־‬E
.plc.fr (4)

th is lab a re
a v a ila b le in
D:CEH-

Too;!

/!«m

S l h g ““
“ '‫^ ־‬
‫״‬
J
G
eneral
Analysis P
acket D
isplay
AlarmSetting!
Object
Buncr
.' ■ Output Ovrpur
‫־‬Jr‫־‬v‫־־‬V=
‫*-.׳‬
A
nalysis Profile

■

■

€ ‫ צ ־ - £ ב ־‬l1 m m
in
m
w

Diagnosis Item

‫ע‬
6- ‫' 2 - ד‬
flame
1010:02
74.125.256.165
74.125^35.174
74,125^56.169
20721 235.162
178.255SI.‫י‬
17&255.8«
74125J36.1U
74 1 5 ? ?
2 .‫61.6 י‬

—1_

pp5»

cH!5to7Cho...

W ₪ ₪ ₪ M ™

FacK Buncr n&MBj
ct

Diagnosis Address

Dogrvosk: 10
& U &
C •lamc
MDbqnotx
8 Applet !on layer
O DNSS«rvwSlowResponse
O HTTP Sttvtr SlowResponse
*
a transport Layer
v tCPRctrantm.st.en
S TCP Slow Rcipon.s
/
± TC Duplicated Aclmowlidgtnwr
P
S Network lay««r

w

|
>

■

f
t
.

Statistks: | 1 |
1
Ph>«ca1Address
‫ נ‬Add‫״‬
D ‫־‬
O
- «c36
1
0.0102
74.1252
O M •:CC
Ct^
Oft» » < - C
C
74.1252
1C
C 74.1252
O ♦ • ‫.־• ־‬CC
Ct^
207218.
Ott*-♦ «MKC
17»J55.
178255
oct♦M1252
00♦
C
C
74.1252

‫:*♦ ס‬c
‫• • ג‬c
♦ •*c
‫״‬
• -!
‫•־‬
♦c

R ele a se d
T r y i t F ree

J
|
>

)N «o rd »1
eh rkBn *M >
(o IMM «n$e
r
P1

Uiagnosis Events

Too lsC E H v 8

u 6-W ‫•ע‬
Seventy

V
V
V
4‫׳‬
V
1
‫׳‬
V
y Captue- KJArvalyse

*)Ethernet

Pttformance
Ptrlcrmance
Perform
ance
Performance
Perform
ance
Perform
ance
Performance
' nactive

layer
Tunipoit
Tran!port
Transport
Transport
Transport
Transport
Transport
Transport
Transport
M
l

OiagnoM l««nU | 75 |
{vent Drtcnptton
TC
P
1ndPaO.,t::^rom295m4)
TC S iC K F'«ke!:is] nd Pad.rt!27]f1 20I7D■m
P Ickv
1
cm
)
TC SlowACK(P«cket!<7] tnOPacV«;27^f0nt 20172 ‫)זמו‬
P
n
s)
TC SlowACK1
P
P*cket >:] ■ dPat.rf. 1Wrom22134 m
TC SlowACK1
P
:P»cket!a1 and PaeVrt:!:from23577m
]
s:
e
s;
TC SlowACKtPacket|S2] m Pac*a.;.?rom23577m
P
e
TC SlowACKfPacketlU] m Packet' 3:from23577ns)
P
TC SlowACK(Padrct!219:* 6 ‫? ר‬dcrtllW^rcrn 2*262m5
P
)
TC SlowACK!Packet!>13 and ?‫״‬cketJ303Jfn:m>6023m‫־‬l
P

•

_
Duration: 00.25:34tf •4 8 < 0 fteady
,6 9 £

;
‫״‬
j

Sniffing

Type

‫נ‬

M o du le 08

<
‫׳‬
1
>

_J M
onitor Em
ployee* W te
ebM

U CreateTraIlk. UtM
zotionChart
UK (Ent)Start a Wireievs Capture
J C
reateTratfl; U Jattn O 1
U
'.0 ‫׳‬
.
| More■ Know
‫ו‬
ledgebacr... |

F IG U R E 4.9: Colasoft Capsa Network Analyzer Diagnoses




11. Double-click the highlighted D ia g n o s is
information of this event.
*5 N orkG
etw
roup
Stop

x

Node Explorer

‫ד‬

G
enerai

A n Setting*
*a r1
?lerwcr* Profile

jc ,

^

**

J

J

Anslyiii Packet D lay .
isp
object
Butter
A
naly5!5 Profile

li !».*‫) ״‬
‫!־‬P) ‫״‬
4

‫)י =ן‬
=

l^j / : A / F "
r A X

Packet log . L,
output Output
Datastorage

— -_J' IE ..
it !c r

^

H ryC
isto ha

*‫:..>■ ־‬W
151

y '"3^rL,I~T [Somma1 Diagnosis x (‫־‬piotocol f Physical £ndpoifTf IPsnapj ‫ - [ ־־‬y,<alC.. [ IPCorryq
y-]
‫.י‬
Diagnosis Item

fol Anat>-i«
H I f Pft*o
r
rc4t> 4ctM l)
f> <
S V5 Phv.ka Lq rcr (3)
sto

T

to view the detailed

Event

D
fc*grvosk: 10 ‫ע‬
& A % *. C » -‫ 2 - ד‬M e
am
*Um«
‫־‬
AIDaqnoti*
1
Q0A2
8 A S(jtion 1jy»‫־‬
|>f1
»
74,125.2^.165
74.25‫ן‬a >6.174
O O 5«vv SlowResponse
tIS
Q HTTP 5trvtr$l0wR«p0n«
• 741252J6.69‫י‬
Id Irmpoit Layer
20721ft.235.82‫י‬
V TC Retrsntmiiiion
P
‫ו.נ» 55287 ו‬
V TC Skw RsKWlifi
• P
173255 E
32
± TC Duplicated Acknowlwlqemerrt
P
’4 1 .236.18
25
2
‫6ר.65 י.5 1 4 י‬
?
5
- Nerworlr layer
,
■
■I
l»
<1
Otagnosis Events
W
S
eventy
V
V
is
i>
V
V
V
V
V

S ’
Type
Pt»(0rm
4nce
Perform
ance
Perform
ance
Perform
ance
Perform
ance
Perform
ance
Perform
ance
Perform
ance
Perform
ance

Packet B
!

Online Resource

Diagnosis Address
StaeKtk^ | 1 |
1
0 Addit ••
1
0.0102
74.1252
74.125.2
741252
207218.
178J55.
178255J •
741252
74.125.2
|>

Ptv/SKii Addrcu
D
O
■ •t J6
O ♦‫.>• ■• ־‬cc
Ct^
O » • ».cc
ft•►
O
Ct^
Oft»
• ‫־‬CC
.
Oft^ • ‫:* ־־‬cc
o ‫:• ► • ־‬CC
0ft»-«~«k*CC
Oft•‫!• ־• • ־‬CC

Jp) W UU N orknnrd^tti ‫י‬
ho sing et«
M (to*to D N ori: L
etect etw oop
^ * to M IM e.rif*•
tow onitor M
I M re VW
o • cov-1

UiaqnoM I .‫ ״‬u j .. j
Event Ce«npt>en
•
TCP SlowA K
C 1Pack«!281andPacktt:27^,om2 5m
3 s)
‫־‬
TC SlowACKlPacket:46] and P«ckrt!27]l1 n1201701
P
0
m)
TC SlowACK(P»ek«!47]j«d PacVft:'7^‫׳‬ty^ 20172 m
P
s)
s)
TC SlowACmPacket.W
P
]«od Packet!13:4re*n22131 m
*d
TC SlowAC
P
Kt:Packet]31] » Pack(*'■'from 23577r»«
e
2 5 7 s:
TCP SlowA
CKtP*ck£tl82] m Packet.:.*ram 3 7 m
TCP SlowACK(P«tket|54] nc P ■rt' 5from 23577rm)
ac
]
TC SlowACKiPadcer!’ 19: v * ? a c.rtlir^ m 62& ‫ י‬m
P
s)
TCP SlowA K d 43 and?‫״‬ck*t(30i(‘rcm > 6 3mil
C )P> cet:3 ]
62

layer
Tunsp rt
o
I rampart
Transport
Transport
Transport
Tran o
sp rt
T sp rt
ran o
Transport
Transport

R ele a se d
T r y f t F ree

llo (o•
w '
UJ Monitor EinotuvM Wetaitc

Create Trait*. UtilUotioii Ourt
U |Ent|SUrt a Wireteu Capture
J C
reateTraffk Utlteton Chat
[ More m Knowledgebacr... |

*
^Captut - FtJAiMtyse

41 Ethernet

''racttve

r^Alatmfcx to
o fo

Duration: 00:25:344,689<£0R a ty
e<

-

F IG U R E 4.10: Analysing Diagnosis Event

12. The T C P S lo w A C K - D a ta S tre a m o f D ia g n o s tic In fo rm a tio n window
appears, displaying Absolute Time, Source, Destination, Packet Info,
TCP, IP, and other information.
^3^7^7<0‫0זז?0^!ז‬
* ‫ח7 ג3ס »ז‬
3 ‫ח‬
8
n=‫י <־‬
-»M *‫ ־ י‬i 30•
^ ™ T C P S lo ^ C K ‫׳‬Pacto!20 n n7 Pac^

»C 2 2 0 J«8
k J- 0 7 0
1 2 Ja41 3 0
03
25
102 2 4 2 9
30134
1&2J2041296■

<00.02:1406
2 7 1 2 5 8 :8
0 .2 8 3 .1 2 0
100.02:1406
1 0JX21406
0

207.2I8.2J5.1 2 0
6 :8
1 1 .0 :1 0
00 2 40
207.2I8.2J5.1 2 0
8 :8
207218.235.182:80

I0c232a70«089 207218235.182:80

100.021406
100.0.2:1405
207218.235.182:80
1 .0 .2 4 5
0 .0 :1 0
2 7 1 .2 5 8 :3
0 2 8 3 .1 2 0
2 7 1 .2 5 8 :8
0 .2 8 3 .1 2 0

Cnodc
N*jm»23 e‫״‬g *.«6
T
NwnaB lenyth»#6
.m .M
‫,.־‬r 7 3 :.. .‫2־ ־‬
2=
7

Sum ary
m
S*q«3’ 80995012.Acl‫ ״‬L 0 0 0 0 1 .. S.l
0 0 0 0 0 F■
S lM6644229,Ack: f 3 8 9 5 I3 =
en
2 9 9 0 .F A..5....
S
«q«328099S
013^Ack.L 5 W4 Ja .A .L
14 42 F - C G ,’online -«ou! 1w0‫״‬I,‫.״‬R‫ ״‬o ‫־‬h .
LT
‫״‬k

c r4 6 ‫־‬

Ungth-1.51*

591 crr47‫־‬

Su>
M
66
S
B
73
2

lensw=59l

& HTTP/1 2M0K
.1
i-HTTPtraffic no
i Continuationor533 b
Seq=328C995673.Aa‫־‬r1 6 6 2 .F‫ ־‬A‫. ״‬LM t4 2 3
Seq=
lSi6646223,A :3 B 9 S6 3 =
ek: 2 0 9 7 ,F ■*..*.
S*q=328C
S95673.Ack‫. 2 6 & 4 1 ־‬F
: 5 & 4 2 4 = L.«
Seq: 3 8 9 5 7 .Ack: 1 6M 224 .A
20965
S4 6 T1 .R..

5)‫׳.- ו ׳ 6. 8־ ־‬ai■
6- 2 4 < ‫.:. ־‬
44
4
-?
V

10.0.0.2:1406

1 2 4 5 3 0 207213235.182:30
030303
IC
f23405 5 7 2 7 1 .2 5 1 2 0
3 5 3 0 .2 3 3 8 :9

Protocol
H
TTP
H
TTP

U il
H
TTP
H
TTP
H
TTP
H
TTP

‫ ־ ז.׳•' 3צ‬Len 48.:• =5
8

64

=
lp-:48----- i&
. -v =53
;ngth:58

E ' “ ?actet lafo:

: © T V e‫־‬r:
?acW 3
:.<^?»creT Uzgv.z

i (0 «
/]
« Source Address:
& Protocol:
IP - intarrtBt Protocol

! • C i r r « : « 5 1*.■ ‫:*־״‬v.c«* ‫:>1*1 ז‬
‫ו‬
*1.
‫נ‬
[ >• ?1 ff‫״‬rfflt‫/*»־‬fl 5«rr1 eta C
.
04«|
• •O JrsMjjnrt Pretoeet w ill igno!

iMetgearl (6/<
|
Cnteioe‫ ־‬IP(IP ri))
.

[12/2]

(14/ij o*rc
(20 By'.vsl (14/11 0s0r
11 /1 0111
5 1
118/:‫ נ‬osrc
l :goore1 ‫ן‬V1J 0*02
]
I H Consent: cr.1 |15/0 [.‫:0 ־‬
a
x
(40 By1;/116 •*.‫־‬
(8(3301 [18/2J
(J0/1J OrtC
1
aa/1) o»co

F IG U R E 4.11: T C P Slow A C K —Data Stream o f Diagnostic Information window

13. The P ro to c o l tab lists statistics of all protocols used 111 network
transactions hierarchically, allowing you to view and analyze the
protocols.




^nal^!?Proiec^r7uI^nalyi1^Co!a5cf^!a p « 7 Free [50 Nodes)

las

f

►

NetworkCroup

U

*»

Aeaptfi Imet

A
nalysis Rsrket D
isplay
Objfrt
B
ifftfr
A
nalynt Profile

f A 4<tt1ngi
larm
Mttwort Prone

C
apture

j

kU

4A

Output OJ'piJt
Datastorage

F IG U R E 4.12: Colasoft Capsa Network Analyzer Protocol analysis

14. The P h y s ic a l E n d p o in t tab lists statistics of all MAC addresses that
communicate 111 the network hierarchically.

*‫י‬

‫׳׳י‬
&yt«* »

U Y Pn*e>'cH.f*64tt (I)
.
&
Phy.kal Eiptortf 3)
U
IP E1
f4c»n(4)

•‫׳‬

le«l Srqirrnt
local Holt
JWno!
63
6
• * 110.0.2
8 *8 oo:««^^*:cc
<£74.125. IN
5 7
4.12S 11
.236 82
S 74.125 135.125
% 74.12‫36ו&32.צ‬
6 74.1252361 0
16
31 74.125-2361165
7 .1 £ ‫471.632. ־‬
42 S

br

1.
2
8

?‫!צ‬K 1 7
B .5 8
7 5 7 KB
5 .5 8
725.485K
B
74 9 K
4 .7 6 B
224413 K
B
1 2 7 KB
7 .0 4
1 2 5 KB
3 .6 2
3 .8 9KB
38
2 .6 1KB
21
1 .7 0KB
94
1 27 KB
9 8

M
■
■
|
|
|
|

P«ck«t>
S.W
4
i281
3,281
i* 3
3.242
«‫ל‬
642
554
161

1
0
97
65

trti P S«okJ
»r
‫׳‬
512 bps
0 bpi
0 bps
0 bps
512bps
O .
bp‫׳‬
0 bp:
0 bps
0 bps
‫סל‬bps
0 bps
0b s
p

R ele a se d
T r y it F ree

Is Lia gN o Band ‫יק‬
n etw rk
/Jd ‫ו‬

(More Videos-1

Physical Conversation

CLndpomt 1•>
3 D —
O
6:36
=? 00‫־‬
&3
6
30 0:• - — E 6
.-0
E»
K
=9 Vk ■
*00■: - ‫ ־־‬L-06
3P 00; ‫־‬
‫90& ־־‬
8 0
.-0
*OQ:•■

<- Endpoint 2
3 : B ■ " -03:‫נ‬
3
^ 0 1 : * ‫:) ־‬F
C
033 ‫ :ןי‬M S S ocf
B J j* —
):66
‫0:0־■ —• - :33 ?ט‬
1
‫0:נ־ * —־• :33 לט‬
1
0 - * 33 5‫!ס‬C
F

Ouibon
O rfO O
O O
000*00
O OO
ttO O
O CO
ttO W
COO
fc O O
000000
QOO
OQO

‫ ־״‬f ™
laptut MIA*at)-,o

OtOHitKl

*‫־‬injttivt

74125.128.189PhysicJ Conversation 177
Bytes-‫י‬
3 CE
6
360 E
28C B
230 B m m m
82 B
82 8
82 6
82 6
90 B
90 B
90 6
90 6
90 B
90 B

_J Monitor Employees Website
VKlt«
I cannot capture AIL traffic
why/
*J Create Traffic UtiBzaUon Chari
«J lEnt(Start a Wireless Capture
| More n Knowledge

)

>
1
Dotation:0 0 4 4 ‫^'נ0צו‬MO* gO ftt*0/

IS M

■

■

F IG U R E 4.13: Colasoft Capsa Network Analyzer Physical Endpoint analysis

15. The IP E n d p o in t tab displays statistics of all IP addresses
communicating within the network.
16. On the IP E n d p o in t tab, you can easily find the nodes with the highest
traffic volumes, and check if there is a multicast storm or broadcast
storm 111 your network.




CQ

as a delicate work,
network analysis always
requires us to view the
original packets and analyze
them. However, not all the
network failures can be
found in a very short
period. Sometimes network
analysis requires a long
period o f monitoring and
must be based on the
baseline o f the normal
network.

F IG U R E 4.14: Colasoft Capsa Network Analyzer IP Endpoint view

17. The P h y s ic a l C o n v e rs a tio n tab presents the conversations between
two MAC addresses.
lysis Project 1 • Full

.apsa 7 Fre« [50 Nodes)
,/ITIP-1

ls f
‫»׳‬

Step

3 N o G U
t5 «tw »fc f0 |
—
— H^Na»«Ta&lt
G*rttni
rrwo«* frowr

lr>dpo<nt 1•>
U Y Prrtr fell .£<‫)!<« ״‬
.

C Q t t l tells die router
whedier die packet should
be dropped if it stays in the
network for too long. T T L
is initially designed to
define a time scope beyond
which the packet is
dropped. As T T L value is
deducted by at least 1 by
the router when die packet
passes through, T T L often
indicates the number o f the
routers which the packet
passed through before it
was dropped.

Analytlt Bartrrt Ditplay
Objfrt
Bunft
AniHym fôtilf

i
Output « rpm
>

iu

/ 0* r 60‫«׳‬U f!>un1
maiy fpiayiont [ Piutotol fPhymai fcndppml | IPfc d >n: !?tymallc ■»>«'•■ x|ipc.q ,«! 1 v Online Resource
r> tK

Node Explorer

& O Phy.kal bptortf (3)
II 16( IP! 1p*o«r»(4)

iu

up oa1M0!AMfc09
co 1
s!y>Aa:«<*
CP C01&SftA&<&09
UV COIi».A&« 09
CPCCM5:50:A&«0«
UP C
015:S&
A3:6fc.09
UP C l5:*0:A3:ef C
O
e
CP 0015c50‫& ־‬
.A efe:09
UP C li50‫־‬W
O
J :6£.06
CPC0I5:50!A3««9
Ok6?:£S1‫־‬A
:16-.36
UP (‫:.־־‬e : Ex1*16:36
T
SP C015:5ftA3:6£.«

• - Endpoint i
r 3 ‫* ״‬J3:FF:&?:00:CF
»!} 33:33F :2:00:66‫צ‬
:F
B* ‫1000:00 ג»3(:גג‬
‫5 רש‬a00< ;33!00.- 1
.33
0
33:33:E :B O F
F 2:D :C
®‫2000:000033:33 ל‬
V 33:33.0000:00.02
‫61:00:00 *5:00:10 ;יש‬
®5 01:00:5L00:00:16
‫61:00:000035:33 ״ש‬
®5 33:33:0000500:16
3 :3 :FF:5 O 6
3 3 iO :6
® 3 3 ‫:ל‬FF:B :D :C
3 :3
2 OF
03 00:67:£‫:צ‬A1 ‫3ז‬
6:1 5

0u(jt(Q
n
Byt»
o&oooo
82 8
00:0000
82 8
00:0000
90 B
005 .0
00 0
90 3
00:0000
90 B
(0:0006
214 8
214 8
00:00.06
00:0011
936 3
00:0
0:11
7‫8 4צ‬
00:00:17 1.744K
B
00:00:17 1.744K
B
00:00.00
90 8
00:00.00
90 B
00:0000 3.434K
B

Byte* •> * ‫ ־‬IV*‫ ־‬P
- «ek._
08
82 b
82 B
08
90 B
0B
» s
C8
90 B
0B
214 B
08
214 B
e8
966 B
0B
7S B
4
08
1 44K
.’
B
0B
08
1.744K
B
90 B
08
90 B
08
1.79713 1.684_
20

01

«‫ ־‬PU
»

1
1

1
1
1
3
3
1
7
13
1
9
1
9
1
1
10

-

0
0
0
0
0
0
0
0
0
0
0
0
10

Is Lia gN o Band ‫ק‬
n etw rk
/Jd ‫יו‬

(More Videos-1

> ‫•ן‬
1
IPConversation TC Conversation [‫״‬U P C
P
D onvereatio 1
| 0 :1S:SD:A8:6106 < > 33-J3* F:B*D<K3MF C
0
onve~*on:
D
uration
<-Endpoint 2
Brtes
Byres ‫י‬
<• B

-w 4 3
F'tdpoint 1■
>

*‫ ״״‬o ‫• ״ * ״ • * ״•״״*־‬

N e w C a p sa v7.6
Released
T r y i t F ree

L3 Monitor Employee* Weteite
toJ I cannot capture ALL traffic,
why?
U Create TraHk. UttfUation Chart
«J lEnt IStart d Wirelev* Capture
uJ C
reateTiaflkUtfittt*n Ourt
| More n Know
ledgehn«e...)

"

/^.ap<uc û*A
r>al>-,6 Êthernet

''!njctivt Puntion: 0111M
?

^12.787 (£0 Ready

.. .11 ' "
■‫"י‬
‫״‬
,‫״‬

F IG U R E 4.15: Colasoft Capsa Network Analyzer Physical Conversations

18. The IP
nodes.

C o n v e rs a tio n

tab presents IP conversations between pairs of

19. The lower pane of the IP conversation section offers UDP and TCP
conversation, which you can drill down to analyze.




‫רו‬
m
r
Acaptri I m t
e

P

C tu
ap re

*W

4A

O
utput O <
J*p Jt
D sto
ata rage
‫ ~|־‬p c .‫׳‬
jd

Node Explorer

fM .ta

[To^T<epc<•■ | < > Online Resource

h*A‫״‬a j» .JP o v rs tio : 5
* e C ne a n 7
A 'J i S'
E d o tI * <E do t2
n p in > - n pin
Dr t n
uaio
B t i B‫־‬e - - >s P t Pcs> -Pta F s S r^
>e > s > 9 t ks ftt
e
ir t c
4
1
4 1 12:1
4 226 7
02 2
. 1 E 40
7
0 03 r~
3 10 2 3 7.153.13 00:2 4«1KB 2 5 K 27 _ 2
0.0
V 10 3 ‫20. 42 ל‬
0.0 _[ 2.0 2
00:‫וו‬
00
96B 96B 0B 1
8
8
7
1
7
0 ‫ ־‬E0o:5)3
E 12r r” (
a t9
pe
3 '0 .0 § 24 .0 2
0 .4 5 2.0 .2
0.0:1
00 1
74B 71E 0B 1
S
S
3
1
3
0 12:5
09
24B 24E C3 2
2
2
01D0
00:
C
2
0 132
00
a!0 .0 ‫4 01 ! * ז‬
0 2 a 0.0
0.0
00:0
00 0
56B J4 B 0B 3
4
6
0 1:3.2
00
3 10 2 3 10 .3
0.0
3
4
re
0B 4
0 132
2 10 5 S 295.25 5 00:1 45 *B am
0.0
325 5.20 00 0 01 C
01
a . s g 24 .02
2.0 2
00.2
00 2
4 8 48E 0B 7
4B 4
7
0 131
01
a .o
00:0
00 0
10B 10E 0B
1
1
0 13:3
01
3 !0 0 9 t o .5
02
‫ 42 ^ 5 01*ל‬JX5
• 0.0
00:2 1 8 M 1 8M
01 9 .1S .1S
0B 1
7
1
7
0 13:1
01
2.0 22
00:0
00 0
0
2.0 21
4SB 45B 0B ‫נ‬
0
3
0 1:30
04
3 >a u ^ 24 .0S
a1
02 6 7* B 3 2
7
S1
2
5
1 3 13:4
1 06
!0 .0
02
7 .15 3.19 00:3 1 /?K 1. 1— W - *
4 2. 6 6
2
•iwo.o 9 2S S S .2S 01:1 22 K 22 K
02 2 73 B 73 B 0B 8
8
0 12 S09
S iS .2S S
‫יי‬
• IC C n iM n''llO C no tio ]
P o w tlo P o v lu n
”
1
11 0 3 > 2 JX 2 NC C wv tio : 1
0 4 2 4 0 2 T P o v tM n 0
A 6C
I x o it1>
Jpw •
Pc e
ak t
<En pin2
• do t
I- P to
.to rc c

Vy ‫ »״־‬A
r-a^.e

Pv
h .k

a$N«two* Croup
*»
j
—— H^NaawTa&le
A alysis Rsrket D la
n
isp y
tA Sfitm
larm
gi
O
bjrrt
Bliftrr
M ort Pro
etw
tttr
Analynt Pro
file

■
Prctr ■
r
--

a 5* P :■***» )4
(

100
0

R ele a se d
T r y i t F ree

& ‫־״‬ho.. JangN tw rk
e o
£ ..‫ ״כ‬to
r
etw rk o p
^ . * ‫ ״‬toDtretN o L o
^ H W te ito IMN sa e
O to n r t?e g
I M Vtdeov.. 1
ore
How To‫־‬
•
_J M
onitor Em
ployees W
etis4le

_J ! c n o c p reALtra .
a n t a tu L ltR
wy
h#
_J C a T fficU ^U nO rt
re te ra t« o w
U |E t|S rtd lw tkCp re
n ld W le a tu

1

T *«a1n ttrm A m
h • o to feff ttia...

J C « Tatt U U l0 «
‫׳‬e U r t : tliia X 1 t

| More m Knowlr<iorKncr . |

II.

tCp t
a tm

4 LU jix
# k t

>
‫ ־‬ra tiv Dr tio :0:2:4^1-8& Ra y
c e ua n 1 9 9 412’0ed

F IG U R E 4.16: Colasoft Capsa Network Analyze! IP Conversations

20. Double-click a conversation 111 the IP C o n v e rs a tio n list to view the full
analysis of packets between two IPs. Here we are checking the
conversation between 10.0.0.5 and 239.255.255.250.
‫-----נלז־־ל׳‬^ n a f^ i^ ro je c ^ ^ tji^ n a ly M ^ T o ta s o ^ a p s ^ ^ r^ '^ N o d e ?

^

| AnaVit | »

Mr

Hrtp*

TEH

‫^ ״‬

us,
Step

‫, ״. ״‬jj

A
nnlym flartet D lsy
itp
O
bjrrt
Buftrr
A
nalymh'otilr

G
anarai

1

output cxrpar

ltcn|M u
aU

| UOPC

Node Lxplorer
A ^

U Y Prc4e.rcl(.plctrf (I)
.
S 9 Phyikal bfMxv C>
3
U 3 IPE1pio>«<4)
f*

iu

i

3 ' 00.02
100.03
3 '0100.4
100.02
3 100.02
^ 100 05
a lO .O
O S
3 •00.012
"± 100.05
3 10 3
O .0L
3JCJ5.0J)
S 100.01
3 ‫60.00־‬
a! *00.02
3 10002

C ‫״‬
«• tndpom 2
t
74 125.236.173
S I 224.0.022
^ 224.0.022
‫4.0.001 |׳ל‬
S 1010.03
‫052.552552.932 ] ל‬
g 224.0.022
9 100.0.5
g 224.0.02S2
g 224.0.0251
I2J 255255255.255
^ 2S S S 5
S 2S .2S .2S
^ 224.0.022
^Si 207218.235.182
S 178255.83.1
1 ‫' י יי ־‬
_.

D
uratio
n
0002:22
0000:11
0000:11
OOO
OOO
0000:00
00(0:10
000022
0000:00
000129
00.00:00
0012:12
0012:13
000002
002018
0000:18

.........
onversation |
ICP Conveivatkxi ‫״‬J0P C
‫ ״‬c
Indpom ‫ ־‬t >

<■Endpoint 2

8/ttt
4«1 K
B
986 B
7 4B
S
224 B
546 B
4051KB
448 B
110 B
1.185 K
B
405 B
2.723 K
B
4.061 K
B
128 B
6.748K
B
3.601KB
a ■ ■“
1 ,''“ ‘‫י‬

Bylo •
>
2 K 2X>70_
.751 B
986 b
0B
754 B
0B
224 E
CB
346 B
0B
4051 n
C8
448 B
0B
110 B
0B
CB
1.185K
B
4 ‫>׳‬B
C
‫־‬
0B
2723 K
E
0B
4061KB
0B
128 B
0B
1.614K 5/134_
B
1 1 K Z294_
.3 C E

Online Resource

tu•A<u»}>hO C
P onversation: ‫ ־‬
M
pw»->
•Pta f « t iw ‫״‬
1
4
1
0
1021:1
1
7
0
1029:51 ‫־‬
1029:«
1
3
0
2
0
10302
0
10302.
3
4
C I03M
0
1031:1
0
1031:3
1
17
0
1031:1
1034.0
3
0
0
1029:5
7
0
1029S
1042:1
0
2
14
24
10
10232
2
4
1
4
1
0
1043 2

“1

*'

‫<” ״‬
’
<P
1

10.0.0. <-> 23925S2SS2S0MCP C
onversation: C
Prctccd
P
acket
&
‫י‬

Therrareno i«m5»0 thow mthi*

R ele a se d
T r y i t F ree

jg) .vh Is U n N o Bard id
o 9 g etw rk A tti?
Jb» H wtoD A A s
| o
etect RP cta±
jg ) H wtoD MrA rkLo p
» 3
etect e 'a o
Jgj H wtoM n rIMM ssa e
o
o ito
e o
[More Videos-]
How-To's

Li M ilto E p y e Wto te
a w r mloe * e w
L I c n o c p reALtraflk.
U a n t a tu L
wy
h?
U C a T fficU L UtiCa
re te ra lMta u h rt
L [E t(S rtaW lesCp re
H n ta 1 v a tu
re
J C t»T ftkU tio «t
r« ta . tliu n

0
1

* ‫־‬

| More m Knowlrri^rhn**■ .)

...

"-"L Jt " ___
V __:
F IG U R E 4.17: Colasoft Capsa Network Analyzer IP Conversations

21. A window opens displaying tiill packet analysis between 10.0.0.5 and
239.255.255.250.




Analysis Project I •Ttl' ‫׳‬V ia ;!; -10.0.0
r

^

|-lu

-■2}?-2j5-2'52:0 ‫ ־‬Pa:'-:r.s

‫־‬

1031:3*‫84725:540.31 7־< 3ל‬

239.255.255.250:3702

1&3U4&4X13S 10.005:52748

239.2S .25S
S 250:3702

S 52748;D 37Q
rc=
st= 2;le*=W;Cherte u‫י״‬
S c=S2748;D
1
1l=3702,Len=999,Checb1

. Packet Info:
:
S J l ‫:־‬r:
!‫ #״‬roctc‫ ־‬Lesffsn:
-

j-^Capwred L s tfc
eg
‫@-־‬T‫ « ״‬t - p ‫־‬
T Ii&eraet Type I I
!-WDestiracior. ‫"־‬

E Q a backdoor in a
computer system (or
cryptosystem or algorithm)
is a method o f bypassing
normal authentication,
securing remote access to a
computer, obtaining access
to plaintext, and so on.
W hile attempting to remain
undetected, the backdoor
may take the fonn o f an
installed program or could
be a modification to an
existing program or
hardware device.

t*met IS<l?vS))
:‫ » ״‬version:

112/2]

114/1] 0 5
1C
(20 Byteal (I4/l| Cx0r
‫זז*0 ן1/51ן‬
11 /1 oxrc
5 1
(ignore 1 [18/1( 0 0
12

■ o Dk
- i£«!«= .«d SirvicM Ii«ld:
-.ia‫־‬
: • y :irrcztQt.i‫. ־‬d s«rvlc«« Codepolai:
^
• ■o nmtport Protocol win ignore she ‫׳‬
I "O C oegiina:

(M Congest•. er.> (IS/'.] O l
o
xO
10
19

(101• By.ea 1 (K/2)
(SO t18/2]
)
120/'.J O C
IE
[20/ 1J 0* 8C
(M r1«3c*f-• (39/1] 9*40
ay
(U*V 0 :20/1) ‫א»:ז‬
.‫ו.־.־‬x20
‫נ2/02ן‬rrr

003
x02

00
0....
.0.........
..0.......

1
*
0

4
s

» 00 00 01 11 m c i u 00 00 e* i r r r
1 k «r :0 « so ’ a c k ‫ נד מ‬u 1‫־‬

« ‫6ל 02 22 9? 27 6€ 67 ?€ 36 ל־‬C K 60 6 73 « ‫ פל 46 3ר יל‬i 30
3

F IG U R E 4.18: Fu ll Packet Analysis o f Nodes in IP Conversations

22. The T C P C o n v e rs a tio n tab dynamically presents the real-time status of
TCP conversations between pairs ol nodes.
23. Double-click a node to display the full analysis ol packets.
‫ י ם‬x

Analysis Project 1 - Full AnaTyjis * Colasoft Capsa 7 Fre»* :'ill Nod?')
fcnaVi'i

la* 1
T
*flap*‫ ״‬l« n
capture
Node Explorer

Snt*•

Too*
y

Vep

, / Hrtp ‫ף‬

V w
W

*5 N
«t»»o*k G
ro
1 N eTable
am
Smmi
f, Mirm Setting
!‫*־‬two* frowr

j *
W

*«
]ket Ditplay
P
aeket I 65
<
mm‫״‬
• output
*n#ly urtofiK
Dati-.tamgt

I v
a
I
..
.1 ) ( I
J
------- ------- '‫------־‬1• e r ■* ■?,.
90• C
1

P
X ■n| Phytrcal ConvUiaUon | PC0rtv«1 t1 (v ICP LtKi.■*nation x | JO Corueatation M«t -1[ PacUt [ Lo? [ Report | 4
w1 0

S 1 0 246
0 .0 10
“ ‫242 0.1צ‬
2 0 .010
3 10 243
0.010
± 11X10
00245
g 10 241
0.010

!

! ! !
HiitoqrCha

!

! «
!‫ ««»׳‬iiunrr 1
‫.׳׳‬

f Online Resource
r

• - Endpoint 2
3 207.218235.182:80
!34 7
4.125.2
36.175:80

HdAm
alfUaWCPC ret*atton: | W
om
Bytes Protocd
32 KB H
46
TTP
1889KB H‫־־‬P

3 74.125216.173-^0

2915 K H
B TTP

‫0 5 1. 3 5 1. 7 5ל‬
1 4 226 63

1.595<5 HTTP

74.125236.165JO

*
1

1*36K H
B TTP

R ele a se d
T r y i t F ree

0002:1410
ao.o21411

0.0:11
0 2 43
0.0 1 1
0 242
0.0:12
0 2 43
a0.02l42i

00 246
1.012
0.012
0 242
00 245
1.012
Q
0.0_2:1434

0.0 1 3
0 243
0013
0245
0 .0 13
0 2 46
00 247
1.013
0 0 :13
0 2 49
ao.o21441

0 .0 :14
0 2 4;
0.0:14
0 2 43
0 .0 1 4
0 245

3 74.125236.174443
3 T4.125.236.174443
3 ?4.125236.174443
S '4 2 .2 5 6 4 3
.1 5 3 .1 9 4
3 74.125.236.169443
3 74.125236.169443
a 74.125.236.160443
!31 74.125236.169443
3 178,255.83.1:80
t l i ?07.218235.182445
‘.l 1 8 5 .8 .1 0
7 .2 5 3 :8
3 178.255.83.2:80
3 65.54.82.155:80

3
3
3
3
3

‫346 62.2 4׳‬
.15 3.174
‫8.6 62.2 4׳‬
.15 3.17 0
‫431.3 51־‬
42.26 64(
‫4-6 .351. ל‬
4 2.26 543
1
•.153.134
'4 226 643
7 Pt.n* 1 ‫י44 ו‬
4
*

■ p tfro r> t)- P ttK K
‫; ׳‬a tu *A a .e fc M t

'irw
ctivt Dt t n0128 V 121 g0 Ra y
oaio : 152
78 ? ed

K H'TPS *1629
B
‫ סיב‬H S 5
TTP

P 5 -‫־־‬PS
0 r

1iS4KB H S
TTP
K H22475‫־־‬i‫־‬P5
B
146UKB H'TPS

Jgj W Is U n N o Bard *d »
ho 9 g etw rk a »1
*‫ ב‬toD A A s
«
etect RP tta±
H wtoD Mr*o loap
3
etect e rfc
JfS 4‫ כ‬toh n rIMM
« to rto
essaae
H ‫ ״‬toM n r&saveEm
3
o ito
ab
(More Videos-1

K H T 666 1
B TP
kb r ps 5 . ;
*
6W K HTTP 1
B
K HTTP 1 1
B
8.92
K HTTP 1021
B
h ttps 8 170
3 HTTP 6 0
‫ל‬
H S 8 170
TTP
B H S 370
TTP
4KB H S 1
TTP »
1 ■ rn m‫־‬rp>
‫ ל‬w>

L3 M
onitor Em vee* W
vfc>
ebwte
*J I cannot capture ALL traffic,
why?
U Create Traffic Utftiatlon Chart
U (Ent ISUrt a Wirefe** Capture

J C« UT flkU tio O rt
r a ia tliu n u

| Mere m Knowl«l<jrhn*r . |

..."
______ _

F IG U R E 4.19: Colasoft Capsa Network Analyzer T C P Conversations

24. A F ull A n a ly s is window is opened displaying detailed information of
conversation between two nodes.




- d • * *‫׳‬
*
No
Absolute Time
‫:_־ _ _ ־‬
467
1&2&47466913
47?
11126:53468163
473
10=26=53466676
474
10J6:S34*S72S
475
10^6:53486972
47S
10^6:53 506597
477
10^6:53 506633

- 4■ LSSSource
1aaa2:1410
1aaai1410
1aaa21410
74125-236174:443
1aaa21410
1Q l
J1021410
74125236174:443
100021410

Destination
74.125.236.174443
74,125.236.174443
74.125.236.174443
10.0.02:1410
74.125.236.174443
74.125.236.174443
10.0.0.2:1410
74.125.236.174443

Protocol

Summary
‫2263? ־‬r.4»‫־‬A. k_nc0«)rf0T0.r-. ..1 .,‫־‬
.er|_
Seq=2362281843,A O O O O O
ck=O O O O O .F=..‫״‬S.l
Seq;2362281843,A O O O O O
ck=O O O O O .F=.,‫״‬S..L
Seq-4?C412fi878,Ack=2362281344.F=.A .S...
5eqz 23622fi1844,Aclc=4204123879.F=.1 ...Y
l_
Seqz2362281844,Ack=4204123a79.F=.A. F.
S«rq: 42C41r£87?.Ack=23622£1i;5 F=.i.. F ..
;rq: 23622ei845,Ack: 4;041233S0.F=^ ___

Sre Decode

https

HTTP5
HTTP5
‫ ־ ״‬TP‫־‬
HTTPS
HTTPS
HTTPS
■ P‫־‬
T

70
66
66
58
64
58

B-T Pockct Info:
^ Pasirec h'mb‫־‬r:
^? a = * e t Ler.gra:
Captured Ler.gth:
Tireataap:
=■V*Btherr.ct Trpc II
a ? jcatic atic a A2arc33:
Q 5 c 3 t» u s r t n :
<_p Protocol:
■ TP ‫ ־־‬Internet Protocol
‫׳‬T
t i Version:
0 .leaser Lcr.gtfa:
1
I ft : 1 :rtr*r.: 2a u : :♦ r n c ti riaid:
j- S Olff*r«r.tlat*<l S• rvlc•* Codapoint:
j•‫ •״‬Transport Protocol will ignore the C
C
••••0 Coaacszioc:
i ^ l e s a l -cacv.:
: # 1der'ir1c*110r.:
‫ ־‬S rrag»nt Flag*:
|~0 Reserved:
i— ‫־‬Torrent:
•
-‫°;״‬

U 05 Ei o! a K C ! j ‫“ « « “ ״‬
D

"J

462
70

6
6

2012 /0 9/ 21 10:26:44.4fC749
[0/14]
D O ! ■ 4
♦‫:״‬C
C
ct 3:1r
D0J • ••
6:36 [6/e]
0x0800
(Tnter&et TP| IPv4)) [12/2]
[14/20]
4
[14/1] C
xFO
<21 Byc«9) [24/1] 3xOF
&
0000 0010
!15/1] :xrr
0000 00..
[15/1] O
xFC
(Availability) [*-5/13 0x02
■ Coraraticat [IS/11 CxCi
11:
............. 0
52
< 2 Bytes) [16/
&
0X 9D
& 6
(22998) |18/2|
(Don1‫ י‬rr«3*?n‫ ]1/02[ )־‬O C
010.........
xE
0.............
[20/11 O O
xC
.1...........
‫ י‬f2Q/11 0»4C_____
» “ “ “ ‫״‬

I Z

1‫״‬
1

o‘ ‫״‬

“ “

v]
6 .. S

M 0‫ ־‬o! 04 ‫£ ״‬

. . ........J).

F IG U R E 4.20: Full Packet Analysis o f Nodes in T C P Conversations

25. The U D P C o n v e rs a tio n tab dynamically presents the real-time status of
UDP conversations between two nodes.
26. The lower pane of this tab gives you related packets and reconstructed
data flow to help you drill down to analyze the conversations.

y ful Amk,Ui
- ' PrrtrrclE‫״‬pcm I
E‫־‬
Physical aq rer(3)
sto
S. & lf t q ‫־‬k>
ra(4)

£ Q In networking, an
email worm is a computer
worm that can copy itself
to the shared folder in a
system and keeps sending
infected emails to
stochastic email addresses.
In diis way, it spreads fast
via SM T P mail servers.

,. E a o t2
‫ ״‬p,‫״‬
o 10 1:513 7. 24 05:55
0.00 62
2.022 35
*2 1 l0.02:56740 2 202.53.8.8.5S
0
d
3 11.0 :50' ?5 224.0.0252:5355
00 .7 09
± T O .7 4^
tX .C :543 - j 2 4 0 5 :5 5
2 .0 2 2 3 5
3 1a0.a1a59606 ^ 224.0.0252:5355
3 100X110:59655 7$ 224.00252:5355

Endpoint 1*
>

a 100.010*2035
• 0 1 :5 7 6
0 .0 0 7 6
i 100.02:56632
S 10 7 18
0 .0 :5 0 7
^ !00 10:5 5
.0 6*4

g 22 2S2.S3
4.00
SS
2 4 .0 5 :5 5
2 .0 2 2 3 5
3120 .53 .8<3
2 .8 5
?3224.00.252:5355
^ 24 05:55
2.022 35
/} 24 0 S SS
2.0.22 3S
^ 24 05:55
2.022 35

te
Byte* &,!‫ >־9< - ־‬s
<
o w o 16B 15B 0B
oo 3
3

D ratio
u n

OiMO 217 B
O .O
0ftM«) 1 8 B
5
OO. O 158 B
OD
O
0 :00«0 1 6 B
0
3
OlXO 158 B
ffO
tc
00.0 1S8 B
00 0
o o o 136 B
ooo
OiMO 214 B
O .O
o o « 158 B
o ao

7 B
S
18B
5
15B
5
16B
3
15B
5
18B
5
16B
9
8 B
1
1 B
SS

5
OOO 18B 15B
f OO 5
t
00.0 16B 1bB
00 0 3
3
0110 156 B 1 8 B
0X0
5

Pe;«di Pk1i‫ ־ >־‬Ptts Piotcc

2

2
1
2
2

0B
13B
3
0B

1
0
0
0
0
0
0
1
0

O
B
O
B
O
B

2
2
2

R ele a se d
T r y i t F ree

0 LP
D

2
2
2
2
2
2
2
2
2

2
2
2

18B
3
OB
C5
OB
0B

O
B

2

2
2

2
1
2

DS
M
UDPUDPUDPRTP
UDP•
UP
D

live Denio
*•: m,

DS
N

FTP

1
9

12:1.656 1.0 1iS13
03 9 289 0 .0062

0 UP
D
0 UP
D•
0 UP
D
I>
<1
1■
1 00 0<v24 WVrarkeH: 12
0 1
/
D
f'Ti'UtiCA
P ttx l
ro o
24 0S S S
2 A223S
U0P

2
2

lftJl:2001A*M 10.0.01 !$ I2
0 6 J

22400242 SMS

S 10 1:653
0.00 30
2 10 7 31
0.0:635

y P»flui1 Dau ]
-Jtr > i 4• ^ C '
N
o.

0
0

Abfdut•Tim Sourer
«

U
CP

a ‫׳״‬
‫־‬
‫»-«׳‬
a ‫׳־״‬
‫»•׳״‬

jpt■orkBanditti ‫י‬
N o Lo
etw rk o p

I MoreVklotti‫״‬

‫״‬J Motiltor

Wetollc

L3 1cannot captara ALL trjMk.
w
hy#

C d T fficU ^U nCa
re le ra tH o hrt
|Ent|SUrt 4 V ‫״‬ete»» Capture
V
uj C UT inUL UnO t
‫׳‬ia ra ; tl MO m
| More mK w > bow.. |
no l«i< r

>
‫י‬
_

F IG U R E 4.21: Colasoft Capsa Network Analyzer U D P Conversations

27. On the M a tr ix tab, you can view the nodes communicating 111 the
network by connecting them 111 lines graphically.
28. The weight ot the line indicates the volume ot traffic between nodes
arranged 111 an extensive ellipse.




29. You can easily navigate and shift between global statistics and details of
specific network nodes by switching the corresponding nodes 111 the
N o d e E x p lo re r window.
1inay. s

y=b!o nee we encounter
the network malfunction or
attack, the most important
thing we should pay
attention to is the current
total network traffic,
sent/received traffic,
network connection, etc.,
to get a clear direction to
find the problem. A ll o f
these statistics are included
in the endpoint tabs in
ColasoftCapsa.

Sjstd*

a1 r
^

To
o fe

WHtlp-|

y sg “
:a*

A ter f«cr
eap

Stop

B^

G
cncrai

L_* 5‫ "י׳‬hng5
s *
A
naly!!; Pro
file

fictw Prom
ortr
t

i
A
nalytic Packet D lay
itp
F^ ct log
cfc
L
objcct
Butter
. • output Oirpui v M« 5
~
D Storsgf
ata
Ur«c
« « « :*‫־‬

L‫>־*■- ־‬
1 I f Protocol
4

/^T
liO

‫״‬

JC ‫׳‬nt rPtiys'C^* Convexation f‫!־‬P ConversationfTC Coruaiation [ U Pi
C
P
D

Node Explorer

D| X

VieM

ajiSiSiSS;
:

F3«ct Buttrr 1&M)
' B

I ?■ jo. X 1P*0»cl
V

Online Resource

T o p !00 Physical Conversat*on(Full Analysis)

(1;

&V P
O hy‫.׳‬K4 E < « (3) I
j*‫ *׳‬x r
1 ^ IPf .p4c»rt (4)
1

TcplO Phytic•!
O

IK‫׳‬l)nH
‫) 1 »׳‬
jpl W U H n N ■ kllnr«J*»it*‫׳‬
ho u g rlv w
M H wtoDftf<M n ft:Lo p
a
t fR O o
P • ntoMn r IM‫•0י׳«־*י‬
to
o rto
‫׳‬

lop 100IPv4
C
onversation

55:33 00:0000 1 (7
6)

I Non! VkJcov- |

Iop100#MNo<k
BE:D 3:C C 4
9!C i‫־‬C |1 |

User Hidden nodes( .

0 5f:0< »1
l:0&
M

00:5t00.00 F 1 )
C8

UI M
onitor Em
ployees W
ebsite
uJ I cannot captureALL traffic,

OGm(M8:7a05(14)

why?

UI CreateTraffic Utfeation Chart
O (Ent)Start a WirelessCapture

D A 1 :4F:48
3 2:5£ 7
®

J Cet Ta Ulizt nO rt
r ae r flk t aio ia

Invisible Nodes (0)

>a lin fu ra*);e * E o l
Cp e «A
♦th rx

[ More■ Know
‫ו‬
ledqeb3«e._J

‫ ־‬ra tiv Dr tio :0:2:4 2.65 g
c e ua n 2 3 4 1 6^‫ ־‬O

F IG U R E 4.22: Colasoft Capsa Network Analyzer Matrix view

30. The P a c k e t tab provides the original information tor any packet.
Double-click a packet to view the full analysis information of packet
decode.
%
!c*

Tx %
<#

w

—‫ך‬

N orfc Group
rtw

Jf lB B l # » ‫^ ״‬
ifr
r

E © Ph^ike hptorer (3)
B & I? Eiftora (5)

1T 1
6 C6
160217

101
e28
1C 1
6 CS
102
620

12
62
01

t y ! Protocols may be
implemented by hardware,
software, or a combination
o f the two. A t die lowest
level, a protocol defines the
behavior o f a hardware
connection. A protocol is a
formal description of
message formats and die
rules for exchanging those
messages.

t

J

, J|

j

A
nalytic ftsfket D
itplay

t

Outpm ojrput

jpc-nt fPtiy».u.* Convtf-.ation f 1P C
0nvei.dt1 n~fTC Corwettaiian f U PCoerwt.* < [ ,.U'jo ‫|־‬P«c<cl x ]‫־‬Leg f R«pcrt | * ► Online Resource
0
P
O
->

Node Explorer

“ **A
1 - ‫•־‬
‫׳‬t‫־‬v ■ r
‫;־‬

jfo

**

/‫^ ־‬
‫־‬

I3.-0242695615
13.-G
i4a.599l 55
l3 2Ja5991M
.0 ‫־‬
13:02:49.101243
1 :0 :4 .1 3 2
3 2 9 018

S'

1 X .0 :1 3
< 0 .2 C 6
04:► }:C
C
D :►3 :
O 6
•
‫־‬
?4.125.135.125:5222
7 .1 5 3 .1 5 2 2
4 2 .1 5 2 :5 2

h* Avrfy*sPa1 fcets: | 1 647 |
1
iL
R ele a se d
T r y i t F ree

74.125135-125:5222
D*
O
36‫־‬

D*l- - - 1-C
C
10.002:1036

I3
.-02-.49.103161 1a0.0.2:1036

7•-125.155125:5222

1:0.4.455 10 .2 06
3 2 9 920 0.0 :13

74.125.135.125c5222

llvp Demo

160222

160223

- T

W
hi

inro:

«‫״‬
a ‫׳־״‬

J tv ork
e.

‫י‬

M O Lo
ffA ffc o p

IM ‫׳‬VW0™
0 V «4
i & Ctpturtd Length:
f ItU n w t 1yp< 11

t.4«uv <:02: ) 1 3012/09/21<
) 0/14(
•ftb ja ti C :•• - - 881
C

] 0>‫'׳‬lLU Motillor (1np40v«mWetoJlc
_ J I camwt (.■ p rvALL trtffk.
a tu

0000
001c
oojc

O 068 ‫ י‬A£ 24 C D «‫ ל‬E6 LA L6 96 06 00 46 00 00 >« U S 40 00
fl
C O
O
*a a< 04 0‫ דד ג‬aa aa 0‫ י6 סד ג4 ג של‬a« ae 4‫ ג‬t t os s» j» m a n
7a c* to to n 3 t% 4 0 0
4
3 0 0

wy
h#

« J Credit Traffic UtH^Uon Chart
[Ent|$lart 4W
ireto** C
41*urc
‫״‬J Ot»U T
rafficUtliuaon 01-1

| M n Knowl«iqrt>a«‫ ...־‬I
ore

Kiplut f1iAn1ly.1s

KBtittaml

!active

D
uration: 0 :3 ^ ‫־ 4 0 1 ־‬
2 9 6 $ 6 .2 ? gjO Read,

F IG U R E 4.23: Colasoft Capsa Network Analyzer Packet information

31. The Packet decode consists of two major parts: H e x

V ie w

and D e c o d e

V ie w .




£ Q Protocol decoding is
the basic functionality as
w ell There is a Packet tab,
which collect all captured
packets or traffic. Select a
packet and we can see its
hex digits as well as the
meaning o f each field. The
figure below shows the
structure o f an A R P packet.
This makes it easy to
understand how the packet
is encapsulated according
to its protocol rule.

F IG U R E 4.24: Full Analysis o f Packet Decode

32. The Log tab provides a G lo b a l Log, D N S
H T T P Log. M SN Log and Y a h o o Log.
33. You can view the logs ot T C P

Log, E m a il Log, F TP Log,

c o n v e rs a tio n s , W e b a c c e s s , D N S

tra n s a c tio n s . E m a il c o m m u n ic a tio n s ,

etc.

F IG U R E 4.25: Colasoft Capsa Network Analyzer Global Log view




F IG U R E 4.26: Colasoft Capsa Network Analyzer H T T P Log view

34. If you have MSN or Yahoo Messenger mnning on your system, you can
view the MSN and Yahoo logs.
-FT*■
3psa 7 Free C Node■
50

WuVin

Sjtfcai

w r u ‫־‬m

A apIrt -mn
O

tort

V * K4An * m
u ‘|f PirtNtl (■ lerrr (IJ
p
‫ מי‬Phv.k* Elptortr (3)
U & IPtiptoraf ft)
.

6

*Jrtw Group
o'fc

Step

Node Explorer

~ 4#4
«-

To
o ls

Central

f^UirmSftting'
ffw froWf
or*

**[PtiyiK.

r M u>g
SN

<
9

31 *
0b
109

‫־״‬
^a
cl?
'£

4‫׳‬

‫״‬

-...ilym Partrt D la
isp y
O Jftt
D
BUttff
An
n ly

r.dlion ‫ ן‬IP Convin

‫ ׳‬y * ‫״, ״‬
3&
0at« 1‫>״‬
«
2012/09/2111*5.23
2012/09/21 1*47:4*
2012/09/21 I3:4fl:32
2012/09/2113148:32
2012/09/21 13:4a42
2012/09/21 13:49:15
2012/09/21 13:49.2S
2012/09/21 13:49:27
2012/09/21 13:49:39
2012/09/21 13:5003
2012/09/21 13:50:19
2012/09/21 13:50:36
2012/09/21 1 :50
3 :41

‫♦ •־‬rf a o a
- xtnilc m iiH
’■# 4 a1 an iwtlVIc
« wm U 1

R ele a se d
T r y i t F ree

• CSvecon<
*yen?
‫>♦־‬c4‫׳‬na1L s»aJ amfine Iharka
co»n

«4% aiLcocntwthcw areyou doing?
otm
‫ '־‬glrvfctcfn j*4‫ ־‬jm I ritec.
Z «totn te - In youjcim usfar the partytooigl
ng

•***milc m •do s y s
s o '? a c we e

ictmoiUcomiwddshal ;« you at the patty then♦■
ot^ ‫ ׳‬n iU »n«tec ‫״‬Tofbusy rev■* w rfc
© co
o

W Is uangN o Banditti?
ho
etw rk
bi H wtoD A Attaris
o
etect RP
h,) H wtoD N o Lo p
a
etect etw rk o
^ H wtoM n rIMM g
a
o ito
essa e
H wtoM n ra SaveErn
3
o ito
ab

I Mr V e s .]
oe ido-

%

■
n

2 1 / 9 2 1 :0 :1
0 20 / 1 4 3 4

c4 n < 0 joined‫ ״י‬the chA
<a U m

L3 M
onitor Employees W
ebsite

wy
h?

uJ Credit Trdtfk. UtHUdUonChart
L3 lEntISUrt dW
ireless CdlHure
uJ CreiU TiaftktltllutionOurt
| M IT ■ Knowlfrtfjrha«c.‫|״‬
o ‫ו‬

YHO
AO

/ la < t M fvifr.c ^tUKitHt
p u iA

,‫־‬Dr tio iim :0‫3:צו‬
ua n tivt 3 ‫צ צ‬

.....

A

F IG U R E 4.27: Colasoft Capsa Network Analyzer M SN Log view



Ceh v8 labs module 08 sniffers

Ceh v8 labs module 08 sniffers

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (17)

Semelhante a Ceh v8 labs module 08 sniffers

Semelhante a Ceh v8 labs module 08 sniffers (17)

Último

Último (20)

Ceh v8 labs module 08 sniffers