CEH v12 - Module08 OCR

The document covers the concepts and techniques related to packet sniffing in ethical hacking, including passive and active sniffing methods. It explains how attackers can capture sensitive information by monitoring network traffic and discusses various sniffing tools and countermeasures. Additionally, it highlights the importance of understanding the OSI model and the implications of lawful interception in data communication.


Certified Ethical Hacker
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Sniffing

LEARNING OBJECTIVES

▪ LO#01: Summarize Sniffing Concepts
▪ LO#02: Demonstrate Different Sniffing Techniques
▪ LO#03: Use Sniffing Tools
▪ LO#04: Explain Sniffing Countermeasures

Module 08 Page 1207 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. It allows an attacker to observe and access the entire network traffic from a given point. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions, and account information.

(diagram labels: attacker PC running its NIC card in promiscuous mode; the attacker forces a switch to behave as a hub)

The MAC address uniquely identifies each node of a network.


Figure 8.1: Packet sniffing scenario (diagram: the sniffer receives a copy of the data passing through the switch)

▪ Shared Ethernet: every host on the segment receives every frame; each host compares the frame’s destination MAC address with its own and discards the unmatched frame, so a NIC in promiscuous mode sees all of the traffic.

▪ Switched Ethernet: the switch forwards a frame only to the port where the destination MAC address was learned, but its CAM table is of fixed size; attackers exploit this limitation to bombard switches with fake MAC addresses until the switches can no longer learn new addresses and start flooding frames to every port, like a hub.

Figure 8.2: Working of a sniffer (diagram: the attacker PC runs its NIC in promiscuous mode and forces the switch to behave as a hub)
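As an added example (not part of the CEH material), the following Python script models the NIC receive filter described above: on a shared segment every NIC sees every frame, but in normal mode the hardware keeps only frames addressed to its own MAC, the broadcast address or a multicast group, while promiscuous mode passes everything up. The frames, MAC addresses and the Telnet-style payload are constructed for the demonstration; real capture would use a raw socket or libpcap on a live interface.

```python
import struct

# Ethernet II header: destination MAC, source MAC, EtherType (network byte order)
ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when a VLAN id is given."""
    if vlan is None:
        return ETH_HDR.pack(dst, src, ethertype) + payload
    tag = struct.pack("!HH", vlan & 0x0FFF, ethertype)
    return ETH_HDR.pack(dst, src, ETHERTYPE_VLAN) + tag + payload


def parse_frame(frame):
    """Decode the Ethernet II header, stripping one optional 802.1Q tag."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("runt frame")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    offset, vlan = ETH_HDR.size, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan, offset = tci & 0x0FFF, offset + 4
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "vlan": vlan, "payload": frame[offset:]}


def nic_accepts(frame, own_mac, promiscuous):
    """The receive filter a NIC applies to every frame on its segment.

    Normal mode keeps frames for its own MAC, the broadcast address or a multicast
    group (I/G bit of the first octet set; real hardware narrows multicast further to
    subscribed groups, simplified here). Promiscuous mode passes everything up.
    """
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def sniff(frames, own_mac, promiscuous):
    """Return the decoded frames a host with this NIC setting gets to see."""
    return [parse_frame(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]


# Constructed sample traffic on a hub segment shared by hosts A and B and the attacker C
MAC_A = bytes.fromhex("001b486442e4")
MAC_B = bytes.fromhex("00142001a347")
MAC_C = bytes.fromhex("112233445566")   # the attacker's NIC

SAMPLE_FRAMES = [
    # A -> B: a Telnet-style login in the clear (payload is illustrative, not a real IP packet)
    build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, b"login: admin\r\nPassword: s3cret\r\n"),
    # A -> broadcast: an ARP request, delivered to every NIC whatever its mode
    build_frame(BROADCAST, MAC_A, ETHERTYPE_ARP, b"who-has 10.1.1.2"),
    # B -> A, tagged VLAN 10: another unicast frame the attacker should not see
    build_frame(MAC_A, MAC_B, ETHERTYPE_IPV4, b"220 welcome\r\n", vlan=10),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = sniff(SAMPLE_FRAMES, MAC_C, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} frame(s)",
              [(f["src"], f["dst"], f["vlan"]) for f in seen])
```

Run it and the attacker's NIC in normal mode keeps only the broadcast ARP request; in promiscuous mode it also gets the two unicast frames, including the cleartext password, which is exactly why a switch (which never delivers A's unicast frames to C's port in the first place) is the baseline defence against passive sniffing.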


Passive sniffing refers to sniffing through a hub, wherein the traffic is sent to all ports. It involves monitoring packets sent by others without sending any additional data packets into the network traffic. In a network that uses hubs to connect systems, all hosts on the segment receive every packet; therefore, the attacker can easily capture traffic going through the hub. Hub usage is an outdated approach; most modern networks now use switches.

Active sniffing is used to sniff a switch-based network. It involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch’s Content Addressable Memory (CAM) table, which keeps track of host-port connections. Active sniffing techniques include MAC flooding, DHCP attacks, DNS poisoning, and switch port stealing.

Note: Passive sniffing provides significant stealth advantages over active sniffing, since it injects nothing that could be detected.

Figure 8.3: Passive sniffing


How an Attacker Hacks the Network Using Sniffers
1. An attacker connects his/her desktop/laptop to a switch port.
2. He/she runs discovery tools to learn about the network topology.
3. He/she identifies the victim’s machine to target.
4. He/she poisons the victim’s machine by using ARP spoofing techniques (MITM).
5. The traffic destined for the victim’s machine is redirected to the attacker.
6. The hacker extracts passwords and sensitive data from the redirected traffic.

Figure 8.6: Identifying the victim’s machine
Figure 8.7: Attacker sending fake ARP messages
Figure 8.8: Redirecting the traffic to the attacker
Figure 8.9: Attacker extracting sensitive information


Protocols Vulnerable to Sniffing
▪ Telnet: keystrokes, including usernames and passwords, are sent in clear text
▪ HTTP: data and credentials are sent in clear text
▪ SMTP: passwords and data are sent in clear text
▪ NNTP: passwords and data are sent in clear text
▪ POP: passwords and data are sent in clear text
▪ FTP: passwords and data are sent in clear text
▪ IMAP: passwords and data are sent in clear text
▪ SNMP (v1 and v2c): community strings, which act as passwords, are sent in clear text

Any of these protocols allows attackers to obtain data and user credentials in cleartext; the countermeasure is to replace them with their encrypted equivalents (SSH instead of Telnet, HTTPS instead of HTTP, TLS-protected SMTP/POP3/IMAP, SFTP or FTPS, and SNMPv3).
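The following Python scanner is an added example, not code from the CEH module. It runs over constructed client-to-server streams for the protocols listed above and pulls out the credentials that travel in the clear: FTP and POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN and HTTP Basic (the last two are only base64-encoded, which is not encryption). The port numbers, sample streams and credentials are assumptions made for the demo; Telnet is left out because its keystrokes have to be reassembled character by character first.

```python
import base64
import re


def _user_pass(stream):
    """FTP and POP3 both authenticate with USER <name> / PASS <secret> lines."""
    user = re.search(r"^USER (\S+)", stream, re.M)
    pw = re.search(r"^PASS (\S+)", stream, re.M)
    return (user.group(1), pw.group(1)) if user and pw else None


def _imap_login(stream):
    """IMAP: <tag> LOGIN <user> <password>, either token optionally quoted."""
    m = re.search(r'^\S+ LOGIN "?([^"\s]+)"? "?([^"\s]+)"?', stream, re.M | re.I)
    return (m.group(1), m.group(2)) if m else None


def _smtp_auth_plain(stream):
    """SMTP AUTH PLAIN carries base64([authzid] NUL authcid NUL password), RFC 4616."""
    m = re.search(r"^AUTH PLAIN ([A-Za-z0-9+/=]+)", stream, re.M)
    if not m:
        return None
    parts = base64.b64decode(m.group(1)).split(b"\0")
    return (parts[1].decode(), parts[2].decode()) if len(parts) == 3 else None


def _http_basic(stream):
    """HTTP Basic authentication is base64(user:password), reversible by anyone."""
    m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", stream, re.M)
    if not m:
        return None
    user, sep, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
    return (user, pw) if sep else None


# Server port -> (protocol label, extractor). Telnet/rlogin are omitted: their keystrokes
# arrive one character per segment and need TCP stream reassembly before any matching.
EXTRACTORS = {
    21: ("ftp", _user_pass),
    25: ("smtp", _smtp_auth_plain),
    80: ("http", _http_basic),
    110: ("pop3", _user_pass),
    143: ("imap", _imap_login),
}


def extract_credentials(streams):
    """streams: iterable of (server_port, reassembled client-to-server text).
    Returns a list of (protocol, username, password) in the order found."""
    found = []
    for port, text in streams:
        proto, extractor = EXTRACTORS.get(port, (None, None))
        if extractor is None:
            continue
        cred = extractor(text)
        if cred:
            found.append((proto, cred[0], cred[1]))
    return found


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample streams (not real captures), one per protocol from the list above
SAMPLE_STREAMS = [
    (21, "USER anonymous\r\nPASS guest@example.org\r\nLIST\r\n"),
    (110, "USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
    (80, "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
         + b64("alice:Winter2024!") + "\r\n\r\n"),
    (25, "EHLO laptop\r\nAUTH PLAIN " + b64("\0carol\0p@ss") + "\r\n"),
    (143, 'a001 LOGIN dave "letmein"\r\n'),
    (443, "\x16\x03\x01 ... TLS handshake, nothing readable here ..."),
]

if __name__ == "__main__":
    for proto, user, pw in extract_credentials(SAMPLE_STREAMS):
        print(f"{proto:5s} user={user!r} password={pw!r}")
```

The TLS stream on port 443 yields nothing, which is the point of the countermeasure: the same scanner pointed at HTTPS, IMAPS or SFTP traffic has no cleartext to match.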


Sniffing in the Data Link Layer of the OSI Model
▪ Sniffers operate at the data link layer of the OSI model
▪ Networking layers in the OSI model are designed to work independently of each other; if a sniffer sniffs data in the data link layer, the upper OSI layers will not be aware of the sniffing

Figure 8.10: Sniffing in the data link layer of the OSI model (diagram: the Application and Session layers carry the application stream and protocols/ports such as POP3, IMAP, SSL and SSH; the Transport layer carries the ports; the Network layer carries the IP addresses; the Data Link layer is the point of initial compromise; the Physical layer carries the physical links)


Hardware Protocol Analyzers
Hardware protocol analyzers are devices that capture and analyze the traffic passing through the network. Examples:
▪ Xgig 1000 32/128 GFC and 25/50/100 GE Analyzer (https://www.viavisolutions.com)
▪ TPI4000 Series (https://www.tek.com)
▪ PTW60 (https://www.globalspec.com)
▪ P5551A PCIe 5.0 Protocol Exerciser (https://www.keysight.com)
▪ Voyager M4x Protocol Analyzer (https://teledynelecroy.com)
▪ N2X N5540A Agilent Protocol Analyzer (https://www.valuetronics.com)

Figure 8.11: Xgig 1000 32/128 G FC and 25/50/100 GE Analyzer
TPI4000 Series (figure)

SPAN Port
A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch. When connected to the SPAN port, an attacker can compromise the entire network.

Figure 8.13: Working of SPAN (diagram: a protocol analyzer on the SPAN port and an IDS on the IDS port each receive a copy of the traffic between the switch’s access ports and the Internet)


Wiretapping
Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet. It allows an attacker to monitor, intercept, access, and record information contained in a data flow in a communication system.

Types of wiretapping:
▪ Active wiretapping: monitors, records, alters, and also injects data into the communication or traffic
▪ Passive wiretapping: only monitors and records the traffic and collects knowledge regarding the data it contains

Note: Wiretapping without a warrant or the consent of the concerned person is a criminal offense in most countries.


Lawful Interception
Lawful interception refers to legally intercepting data communication between two end points for surveillance on the traditional telecommunications, Voice over Internet Protocol (VoIP), data, and multiservice networks.

Figure 8.14: Telco/ISP lawful solution (diagram: the legal authority sends a court order/request for wiretap to the service provider; the service provider sets an access switch/tap on the exchange/access router; the intercepted data flows to a system for real-time reconstruction of intercepted data and to a Central Management Server (CMS), from which law enforcement agencies can access intercepted data whenever required)


MAC Address and CAM Table
▪ Each switch has a fixed-size dynamic Content Addressable Memory (CAM) table
▪ The CAM table stores information such as MAC addresses available on physical ports with their associated virtual LAN (VLAN) parameters

A MAC address is 6 bytes long: the first 3 bytes identify the vendor (OUI) and the last 3 bytes identify the interface. In the first byte, one bit marks the address as globally unique (0) or locally administered (1) and another marks it as unicast (0) or multicast (1). The data link layer of the OSI reference model uses MAC addresses for information transfer.

Figure 8.15: MAC address (3 bytes + 3 bytes; 0: globally unique, 1: locally administered; 0: unicast, 1: multicast)

Table 8.1: CAM table (columns: MAC address, type, port; one row per machine the switch has learned in the network)


Figure 8.16: Working of CAM table step 1 (diagram: host A on port 1 sends traffic to B; the switch learns "A is on port 1"; B is not yet in the CAM table, so the frame is flooded to the other ports; B answers "I am MAC B" and the switch learns "B is on port 2")
Figure 8.17: Working of CAM table step 2 (CAM table after learning: MAC A on port 1, MAC B on port 2, MAC C on port 3)
Figure 8.18: Working of CAM table step 3 (diagram: traffic from A to B is now forwarded only to port 2, the port to which B’s machine is connected)


Flooding a CAM Table
▪ Once the CAM table fills up on a switch, the switch can no longer learn new addresses; frames for any destination MAC that is not in the table (including the ARP request traffic that follows) are flooded out every port, so the switch behaves like a hub
▪ This attack will also fill the CAM tables of adjacent switches, because the flooded frames with bogus source addresses are forwarded on to them

Figure 8.19: Flooding a CAM table (diagram: traffic A → B is flooded to every port; MAC C can see the traffic from A to B)


MAC Flooding Switches with macof
▪ MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full
▪ The switch then acts as a hub by broadcasting packets to all machines on the network; therefore, the attackers can sniff the traffic easily
▪ macof is a Unix/Linux tool that is part of the dsniff collection
▪ macof sends random source MAC and IP addresses
▪ This tool floods the switch’s CAM tables (131,000 entries per minute) by sending bogus MAC entries


Figure 8.20: MAC flooding

Figure 8.21: MAC flooding using macof (Parrot terminal, `macof -i eth0 -n 10`: ten frames, each with a random source and destination MAC, 0.0.0.0 addresses, random TCP ports, a random sequence number and win 512, e.g. `30:51:94:77:a2:36 ee:3f:b:1c:c4:b2 0.0.0.0.58720 > 0.0.0.0.1823: S 864715485:864715485(0) win 512`)
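As an added example that is not part of the module, the Python model below reproduces what Figures 8.16 to 8.19 and the macof run show, together with the switch port stealing and port security behaviour discussed in this section: a switch with a fixed-size CAM table learns source addresses and floods unknown destinations, and once an attacker has filled the table with bogus entries the A to B traffic is flooded to the attacker's port. The same model with a one-MAC-per-port limit (the `switchport port-security maximum 1` / `violation restrict` setting from the countermeasures) refuses the bogus addresses and treats a secured MAC showing up on another port as a violation, which is what defeats port stealing. The port numbers, MAC addresses and the CAM size of 8 are assumptions chosen for the demo.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """A layer-2 switch with a fixed-size CAM table and optional port security.

    max_macs_per_port=None models a plain switch; an integer models
    'switchport port-security maximum N' with 'violation restrict'.
    """

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()      # MAC -> port
        self.violations = []          # (port, MAC) pairs refused by port security

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, mac, port):
        """Source-address learning; returns 'ok', 'full' or 'violation'."""
        if self.cam.get(mac) == port:
            return "ok"
        if self.max_macs_per_port is not None:
            # Port security: a MAC already secured on another port, or one more MAC
            # than allowed on this port, is a violation and is not learned.
            if mac in self.cam or self.macs_on(port) >= self.max_macs_per_port:
                self.violations.append((port, mac))
                return "violation"
        if mac in self.cam:
            self.cam[mac] = port      # rebinding: the host moved (or its port was stolen)
            return "ok"
        if len(self.cam) >= self.cam_size:
            return "full"             # table exhausted: nothing new can be learned
        self.cam[mac] = port
        return "ok"

    def forward(self, src, dst, in_port):
        """Returns the egress ports for one frame arriving on in_port."""
        if self.learn(src, in_port) == "violation":
            return []                 # 'violation restrict' drops the offending frame
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # broadcast / unknown unicast: flood
        return [] if out == in_port else [out]


# Constructed topology: A on port 1, B on port 2, the attacker on port 3
HOST_A, HOST_B, ATTACKER = "00:1b:48:64:42:e4", "00:14:20:01:a3:47", "11:22:33:44:55:66"
PORT_A, PORT_B, PORT_ATTACKER = 1, 2, 3


def bogus_macs(n):
    """Locally administered unicast addresses, standing in for macof's random source MACs."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(n)]


def mac_flooding(port_security):
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.forward(HOST_A, BROADCAST, PORT_A)           # the switch learns A on port 1
    for mac in bogus_macs(16):                      # attacker floods bogus source MACs from port 3
        sw.forward(mac, BROADCAST, PORT_ATTACKER)
    sw.forward(HOST_B, HOST_A, PORT_B)              # B talks to A: can B still be learned?
    return sw.forward(HOST_A, HOST_B, PORT_A), sw   # where does A -> B traffic go now?


def port_stealing(port_security):
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.forward(HOST_A, HOST_B, PORT_A)
    sw.forward(HOST_B, HOST_A, PORT_B)              # A bound to port 1, B to port 2
    sw.forward(HOST_B, ATTACKER, PORT_ATTACKER)     # forged frame with B's MAC as source, from port 3
    return sw.forward(HOST_A, HOST_B, PORT_A), sw


if __name__ == "__main__":
    for name, fn in (("MAC flooding", mac_flooding), ("port stealing", port_stealing)):
        for secured in (False, True):
            out, sw = fn(secured)
            print(f"{name:13s} port-security={secured!s:5s} A->B goes to ports {out}, "
                  f"CAM entries={len(sw.cam)}, violations={len(sw.violations)}")
```

Without port security the flood leaves no room to learn B, so A's frames to B are flooded to ports 2 and 3 and the attacker reads them; the forged frame in the port stealing case rebinds B to port 3 and A's traffic goes straight to the attacker. With the one-address limit the bogus MACs and the forged frame are dropped and counted as violations, and A's traffic reaches port 2 only.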


Switch Port Stealing
▪ The switch port stealing sniffing technique uses MAC flooding to sniff the packets
▪ The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination
▪ A race condition between the attacker’s flooded packets and the target host’s packets occurs; thus, the switch must constantly change its MAC address binding between two different ports
▪ In such a case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port
▪ The attacker now manages to steal the target host’s switch port and sends ARP requests to the stolen switch port to discover the target host’s IP address
▪ When the attacker gets an ARP reply, this indicates that the target host’s switch port binding has been restored, and the attacker can now sniff the packets sent toward the targeted host

Figure 8.22: Switch port stealing (diagram: layer 2 switch; dotted line = logical connection, solid line = real connection)

Table 8.2: Details of three hosts in a network

MAC Table

Table 8.3: MAC table


Table 8.4: ARP cache table (entry: aa-bb-cc-dd-ee-ff)

Table 8.6: ARP cache updated with a spoofed entry


Host   | MAC Address        | IP Address | Port
Host A | aa-bb-cc-dd-ee-ff  | 10.0.0.1   | Port A
Host B | bb-cc-dd-ee-       | 10.0.0.2   | Port B
Host C |                    | 10.0.0.2   | Port C   (spoofed entry: Host C claims Host B’s IP address)

Table 8.7: MAC Table updated with a spoofed entry


Defend Against MAC Attacks: Port Security
Port security can be used to restrict inbound traffic to a selected set of MAC addresses and to limit MAC flooding attacks; the port stops learning and drops frames from further source addresses once the configured maximum number of MAC addresses is reached.

Configuring Port Security on a Cisco Switch:
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
snmp-server enable traps port-security trap-rate 5

With these settings only 1 MAC address is allowed on the switch port; a frame from any further source MAC is dropped and counted (violation restrict) instead of shutting the port down, secured addresses that stay inactive for 2 minutes are aged out so a legitimately moved host is not locked out, and SNMP traps report violations at up to 5 per second.

(diagram labels: the attacker sends 132,000 bogus MACs such as 00:0c:1c:cc:cc:cc and 00:0a:4b:dd:dd:dd; only 1 MAC address is allowed on the switch port)


Figure 8.23: Flooding CAM tables (diagram: the attacker sends 132,000 bogus MACs, e.g. 00:0c:1c:cc:cc:cc and 00:0a:4b:dd:dd:dd)

Figure 8.24: Blocking MAC flooding (diagram: only 1 MAC address allowed on the switch port)


DHCP Starvation Attack
▪ This is a denial-of-service (DoS) attack on the DHCP servers where the attacker broadcasts forged DHCP requests and tries to lease all the DHCP addresses available in the DHCP scope
▪ Therefore, the legitimate user is unable to obtain or renew an IP address requested via DHCP, and fails to get access to the network

(diagram: the attacker sends many different DHCP requests with many source MACs to the DHCP server, exhausting the DHCP scope 10.10.10.1 to 10.10.10.254; user A can no longer obtain a lease)

DHCP Starvation Attack Tools: Yersinia, dhcpStarvation.py (https://github.com), dhcpstarv (https://github.com), Gobbler (https://sourceforge.net)


Working of DHCP:
1. Client → broadcast: DHCPDISCOVER (IPv4) / SOLICIT (IPv6), "Send my DHCP configuration information"; a DHCP relay agent forwards it to a DHCP server on another subnet
2. Server → client: DHCPOFFER (IPv4) / ADVERTISE (IPv6)
3. Client → broadcast: DHCPREQUEST (IPv4) / REQUEST (IPv6)
4. Server → client (unicast): DHCPACK (IPv4) / Reply (IPv6), "Here is your configuration": IP address 10.0.0.20, subnet mask 255.255.255.0, default router 10.0.0.1, DNS servers 192.168.168.2 and 192.168.168.3, lease time 2 days

Figure 8.25: Working of DHCP

Table 8.8: DHCP request/reply messages (partial)
▪ DHCPACK (IPv4) / Reply (IPv6): server to client with configuration parameters, including the committed network address
▪ DHCPRELEASE (IPv4) / Release (IPv6): client to server, relinquishing the network address and cancelling the remaining lease
▪ N/A (IPv4) / Reconfigure (IPv6): server to client, indicating that the server has new or updated configuration information
▪ N/A (IPv4) / Relay-forward (IPv6): a relay agent sends a relay-forward message to relay messages to servers
▪ N/A (IPv4) / Relay-reply (IPv6): a server sends a relay-reply message to a relay agent containing a message for the client

IPv4 DHCP Packet Format

A series of DHCP messages is used in communication between DHCP servers and DHCP clients.


Figure 8.26: IPv4 DHCP packet format
OP Code (1 byte) | Hardware Type (1 byte) | Hardware Length (1 byte) | HOPS (1 byte)
Transaction ID (XID) (4 bytes)
Seconds (2 bytes) | Flags (2 bytes)
Client IP Address (CIADDR) (4 bytes)
Your IP Address (YIADDR) (4 bytes)
Server IP Address (SIADDR) (4 bytes)
Gateway IP Address (GIADDR) (4 bytes)
Client Hardware Address (CHADDR) (16 bytes)
Server Name (SNAME) (64 bytes)
Filename (128 bytes)
DHCP Options (variable length, preceded by the magic cookie 99.130.83.99)

Table 8.9: Fields of IPv4 DHCP message
▪ OP Code: message type, 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client)
▪ Hardware Type / Hardware Length: hardware address type and length (1 and 6 for Ethernet)
▪ HOPS: set to zero by the client, incremented by each relay agent that forwarded the message
▪ XID: transaction ID, a random number chosen by the client, used to match requests with the replies from a server
▪ Seconds: seconds elapsed since the client began the address acquisition or renewal process
▪ Flags: the leftmost bit is the broadcast flag, asking the server to broadcast its reply
▪ CIADDR: client IP address; used when the client has an IP address and can respond to ARP requests
▪ YIADDR: "your" (client) IP address, assigned by the server
▪ SIADDR: IP address of the next server to use in the bootstrap process, returned by the server
▪ GIADDR: relay agent IP address, used when booting via a relay agent
▪ CHADDR / SNAME / Filename: client hardware address, optional server host name, and boot file name
▪ Options: optional parameters, including the DHCP message type (option 53)
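The following Python code is an added example, not part of the CEH text. It packs and parses IPv4 DHCP messages with exactly the layout of Figure 8.26 and Table 8.9 (236-byte fixed header, magic cookie, TLV options) and then uses the parser for the two checks a DHCP-snooping switch applies against the starvation attack described earlier: counting the distinct client hardware addresses that source DISCOVERs on each port, and flagging messages whose CHADDR does not match the frame's source MAC. The transaction IDs, MACs, port numbers and the threshold are constructed for the demo.

```python
import struct

# RFC 2131 fixed part of the message (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]; then magic cookie + options
DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET, FLAG_BROADCAST = 1, 0x8000
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_END = 0, 1, 3, 6, 51, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, msg_type, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", options=()):
    """Serialise one DHCP message; options is a sequence of (code, value_bytes)."""
    fixed = DHCP_FIXED.pack(op, HTYPE_ETHERNET, len(chaddr), 0, xid, 0, FLAG_BROADCAST,
                            ip_bytes(ciaddr), ip_bytes(yiaddr), bytes(4), bytes(4),
                            chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(pkt):
    """Decode the fixed header and the TLV options; raises ValueError on malformed input."""
    if len(pkt) < DHCP_FIXED.size + 4 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr, _sname, _file) = DHCP_FIXED.unpack_from(pkt)
    if hlen > 16:
        raise ValueError("bad hardware address length")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        options[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if options.get(OPT_MSG_TYPE, b"") == b"":
        raise ValueError("missing DHCP message type")
    return {"op": op, "hops": hops, "xid": xid, "secs": secs,
            "broadcast": bool(flags & FLAG_BROADCAST),
            "ciaddr": ip_str(ci), "yiaddr": ip_str(yi), "siaddr": ip_str(si), "giaddr": ip_str(gi),
            "chaddr": chaddr[:hlen], "msg_type": MSG_TYPES.get(options[OPT_MSG_TYPE][0], "UNKNOWN"),
            "options": options}


def starvation_suspects(observed, threshold):
    """observed: (ingress_port, frame_src_mac, dhcp_bytes) triples as a snooping switch sees them.

    Returns the ports sourcing DISCOVERs from more than `threshold` distinct client hardware
    addresses, plus every message whose chaddr differs from the frame's source MAC (the
    condition 'ip dhcp snooping verify mac-address' drops on).
    """
    per_port, mac_mismatch = {}, []
    for port, src_mac, pkt in observed:
        msg = parse_dhcp(pkt)
        if msg["chaddr"] != src_mac:
            mac_mismatch.append((port, src_mac, msg["chaddr"]))
        if msg["msg_type"] == "DISCOVER":
            per_port.setdefault(port, set()).add(msg["chaddr"])
    return {p for p, macs in per_port.items() if len(macs) > threshold}, mac_mismatch


def sample_observations():
    """Constructed traffic: one legitimate client on port 1, an attacker cycling MACs on port 3."""
    legit = bytes.fromhex("000c29aabbcc")
    obs = [(1, legit, build_dhcp(BOOTREQUEST, 1, 0x3903F326, legit))]
    for i in range(5):
        fake = bytes.fromhex(f"02000000{i:04x}")
        obs.append((3, fake, build_dhcp(BOOTREQUEST, 1, 0x1000 + i, fake)))
    # the attacker also spoofs the legitimate client's chaddr inside a frame from another MAC
    obs.append((3, bytes.fromhex("020000000099"), build_dhcp(BOOTREQUEST, 1, 0x2000, legit)))
    return obs


if __name__ == "__main__":
    suspects, mismatches = starvation_suspects(sample_observations(), threshold=3)
    print("starvation suspects on ports:", suspects)
    print("chaddr/source-MAC mismatches:", mismatches)
```

Port 3 is flagged because six different client hardware addresses asked for leases through it, which is the signature of Yersinia, dhcpstarv or Gobbler cycling MACs; a real DHCP-snooping switch combines this with a per-port rate limit (`ip dhcp snooping limit rate`) rather than counting addresses, but the observation it relies on is the same.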

Figure 8.27: DHCP starvation attack (diagram: the attacker sends many different DHCP requests with many source MACs; the DHCP scope 10.10.10.2 to 10.10.10.254 is exhausted)


▪ Yersinia

Figure 8.28: Screenshot of Yersinia (DHCP mode: a continuous stream of DISCOVER messages sent on eth0 with spoofed source MACs, e.g. 02:48:33:06:02:51; Total Packets: 1175142, DHCP Packets: 1175142, MAC Spoofing enabled)


Rogue DHCP Server Attack
By running a rogue DHCP server, an attacker can send incorrect TCP/IP settings to users, resulting in compromised network access. The rogue server answers the client before, or instead of, the genuine DHCP server (for example after knocking the user out from the genuine server with a starvation attack) and the attacker then listens in on all the traffic passing from the user:
▪ Wrong default gateway → the attacker is the gateway
▪ Wrong DNS server → the attacker is the DNS server
▪ Wrong IP address → DoS with a spoofed IP

Exchange shown in the figure:
1. User → broadcast: DHCPDISCOVER (IPv4) / SOLICIT (IPv6), received by both the genuine DHCP server and the rogue server
2. Rogue server → user (unicast): DHCPOFFER (IPv4) / ADVERTISE (IPv6)
3. User → broadcast: DHCPREQUEST (IPv4) / REQUEST (IPv6)
The genuine configuration the user should have received: IP address 10.0.0.20, subnet mask 255.255.255.0, default router 10.0.0.1, DNS servers 192.168.168.2 and 192.168.168.3, lease time 2 days.

Figure 8.29: Rogue DHCP server attack

DHCP Attack Tools

Some additional DHCP attack tools are listed below:


Defend Against DHCP Starvation and Rogue Server Attacks
▪ Enable port security to defend against DHCP starvation attacks
▪ Enable DHCP snooping, which allows the switch to accept a DHCP server transaction only from a trusted port

IOS Switch Commands (interface configuration):
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security mac-address sticky

IOS Global Commands:
ip dhcp snooping              ! turns on DHCP snooping
ip dhcp snooping vlan 4,104   ! configures the VLANs to snoop
ip dhcp snooping trust        ! configures an interface as trusted; entered under the interface that leads to the legitimate DHCP server
Note: All ports in the VLAN are untrusted by default, so DHCPOFFER/DHCPACK messages arriving from a rogue server on an untrusted port are dropped.

MAC Limiting Configuration on Juniper Switches:
set interface ge-0/0/1 mac-limit 3 action drop
set interface ge-0/0/2 mac-limit 3 action drop
show
interface ge-0/0/1.0 {
    mac-limit 3 action drop;
}
interface ge-0/0/2.0 {
    mac-limit 3 action drop;
}
show ethernet-switching table

Configuring DHCP Filtering on a Switch:
Enable DHCP filtering for the switch:
config
<IP address> dhcp filter
exit
Enable DHCP filtering for an interface:
config
interface 0/11
<IP address> dhcp filter trust
exit
exit
Show the DHCP filtering configuration:
show <IP address> dhcp filtering
Module 08 Page1250 Ethical Hackingand CountermeasuresCopyright© by E€-€ouncil


All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Sniffing

removed.

2 minutes.

All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Sniffing

Figure 8.31: Defending against a rogue server attack (diagram: DHCP snooping enabled)


ARP Spoofing Attack
▪ ARP is a stateless protocol used for resolving IP addresses to machine (MAC) addresses
▪ Attackers send many forged ARP request and reply packets to overload the switch; after its CAM table is flooded the switch is set in "forwarding mode", and attackers can then sniff all the network packets
▪ Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning; the poisoned host then sends its data to the attacker’s machine

To communicate on a LAN, the host machine should know the MAC address of the destination machine. The OS also maintains a cache of recently resolved IP-to-MAC mappings (the ARP cache) and consults it for this address before sending a new ARP request.

(diagram labels: user C wants to connect to 10.1.1.1 but needs a MAC address and sends an ARP request onto the network; the actual legitimate user responds "I am 10.1.1.1 and my MAC address is A1-B1-C1-D1-E1-F1"; the malicious user eavesdrops on the ARP request and replies as the legitimate user; poisoned ARP cache: 10.1.1.1 → 11-22-33-44-55-66, 10.1.1.2 → 55-88-66-55-33-44; information for IP address 10.1.1.1 is now being sent to MAC address 11-22-33-44-55-66)


Figure 8.32: Working of ARP protocol (diagram: the host at IP 10.10.10.2, MAC 00-14-20-01-23-46, broadcasts ARP_REQUEST "Hello, I need the MAC address of 10.10.10.3"; the host at 10.10.10.3 answers with ARP_REPLY "I am 10.10.10.3. MAC address is 00-14-20-01-23-47"; the other hosts shown are MAC 00-14-20-01-23-45 and IP 194.54.67.10; connection established)

Host Name   IP             MAC
A           194.54.67.10   00:1b:48:64:42:e4
B           192.54.67.15   00-14-20-01-23-47


MAC address is 00-14-20-01-23-47.”

Figure 8.33: ARP cache (screenshot of a Windows Command Prompt running "C:\Users\Admin>arp -a", listing the interface's cached entries with their Physical Address)


Figure 8.34: Working of an ARP spoofing attack (diagram: a user who wants to connect to 10.1.1.1 but needs a MAC address sends an ARP request, which the switch broadcasts; the actual legitimate user answers "Yes, I am here. This is 10.1.1.1 and my MAC address is A1-B1-C1-D1-E1-F1"; the malicious user eavesdrops on the responses, spoofs as the legitimate user and sends his malicious reply "I am 10.1.1.1 and my MAC address is 11-22-33-44-55-66"; the poisoned ARP cache now lists 10.1.1.0 -> 21-56-88-99-55-66 and 10.1.1.1 -> 11-22-33-44-55-66, so information for IP address 10.1.1.1 is now being sent to MAC address 11-22-33-44-55-66)


- Using fake ARP messages, an attacker can divert all communications between two machines, resulting in all traffic being exchanged via the attacker's PC


communications between two machines so that all traffic redirects via the attacker’s PC.

between the victim and server.

switch in a network.


- Ettercap (https://www.ettercap-project.org)
- dsniff (https://www.monkey.org, https://linux.die.net)
- Habu (https://github.com): a hacking toolkit that provides various commands to perform ARP poisoning, sniffing, DHCP starvation, etc.
- Further tools listed on the slide at https://sourceforge.net and https://github.com (names not legible)

Figure 8.35: Screenshots of arpspoof (callouts: the obtained MAC address of the attacker's system replaces the entry in the target's ARP cache; the command is run in reverse so that the attacker can send replies both ways)

=" Habu

attacks:

oO Username check on social networks


Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table

[Diagram: the switch, with DHCP snooping and Dynamic ARP Inspection enabled, consults the table built by "sh ip dhcp snooping binding" (entry: 1a:12:3b:2f:df:1c  10.10.10.8  125864  MAC A). An ARP packet from 10.10.10.1 (MAC A) saying it is 10.10.10.2, and one from 10.10.10.2 (MAC B) saying it is 10.10.10.1, are checked against the table; if there is no ARP entry in the binding table, the packet is discarded]

result on any device in that VLAN.


[Figure (caption not legible): the same Dynamic ARP Inspection diagram, with the binding table shown as
MacAddress          IpAddress    Lease    Interface
1a:12:3b:2f:df:1c   10.10.10.8   125864   FastEthernet3/18
and the hosts 10.10.10.1 (MAC A), 10.10.10.2 (MAC B) and 10.10.10.5 (MAC C); ARP packets whose sender has no entry in the binding table are discarded]


Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

DHCP snooping trust/rate is configured on the following Interfaces:

Interface   Rate limit (pps)

Binding table shown on the slide:

MacAddress          IpAddress    Lease    Type            VLAN   Interface
1a:12:3b:2f:df:1c   10.10.10.8   125864   dhcp-snooping   4      FastEthernet0/3
Total number of bindings: 1

DAI log entry (truncated on the slide): .../192.168.10.1/05:37:31 UTC Mon Jul 08 2019]




Switch(config)# show ip dhcp snooping binding
MAC Address         IP Address   Lease (sec)  Type            VLAN  Interface
1a:12:3b:2f:df:1c   10.10.10.8   125864       dhcp-snooping   4     FastEthernet0/3
Total number of bindings: 1

Or

Switch(config)# show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging  Probe Logging
10    Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
10    0          0        0           0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
10    0             0            0              0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
10    0                  0                       0


Assume that an attacker with the source IP address 192.168.10.1 connects to VLAN 10 on

([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Tue APR 12 2022])

Switch(config)# show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging  Probe Logging
10    Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
10    30         0        0           0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
10    30            0            0              0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data

Capsa Portable Network Analyzer

It helps security professionals in quickly detecting ARP poisoning and ARP flooding attacks and in locating the attack source.

[Screenshot: Colasoft Capsa capture "demo_arp_attack" (reproduced in full as Figure 8.38)]

Other ARP spoofing detection tools listed on the slide:

- https://www.wireshark.org
- ARP AntiSpoofer (https://sourceforge.net)
- ARPStraw (https://github.com)
- shARP (https://github.com)


Figure 8.38: Screenshot of Capsa Portable Network Analyzer (capture "demo_arp_attack", Colasoft Capsa, stopped; the packet list shows a run of ARP requests "Who is 21.36.238.1? Tell 21.36.23...", "Who is 21.36.238.2? Tell ...", and so on up to 21.36.238.11, with timestamps around 09:08:59.234 and all sent from 00:13:8F:6B:7D:99 to the broadcast address FF:FF:FF:FF:FF:FF; the decoded packet (number 000812, packet length 64, capture length 60, Ethernet Type II) begins FF FF FF FF FF FF 00 13 8F 6B 7D 99 08 06 00 01 08 00; project status: 3,991 packets captured, 0 error packets)
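The two checks Capsa makes above (ARP poisoning and ARP flooding, with the attack source located by MAC), as an added Python example that is neither Colasoft's code nor part of the CEH material: it decodes the Ethernet/ARP frame whose hex dump appears in the screenshot and runs both checks over constructed traffic. The target IP in the frame, the gateway and victim MACs, and the thresholds are assumptions.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Reconstructed from the Ethernet/ARP hex dump visible in the Capsa screenshot:
# broadcast destination, source 00:13:8f:6b:7d:99, EtherType 0x0806, ARP request
# from sender IP 21.36.238.176. The dump is cut off on the page, so the target IP
# in the last four bytes (21.36.238.1) is a constructed placeholder.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "00138f6b7d99" "0806"     # dst MAC, src MAC, EtherType
    "0001" "0800" "06" "04" "0001"            # htype, ptype, hlen, plen, oper=request
    "00138f6b7d99" "1524eeb0"                 # sender MAC, sender IP
    "000000000000" "1524ee01")                # target MAC (unknown), target IP

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "oper": oper, "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}

def build_arp_frame(oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Inverse of parse_arp_frame; used here only to construct sample traffic."""
    return (mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def detect_arp_anomalies(capture, flood_threshold=20, window_s=1.0):
    """The two checks a Capsa-style analyser makes over (timestamp, frame) pairs:
    one IP claimed by more than one MAC (poisoning) and a burst of requests from
    one MAC (flooding). Alerts are keyed by the offending MAC, which is what
    locating the attack source comes down to on a switched LAN."""
    claims = defaultdict(set)       # sender IP -> MACs that have claimed it
    requests = defaultdict(list)    # frame source MAC -> request timestamps
    alerts, flooders = defaultdict(list), set()
    for ts, frame in capture:
        try:
            arp = parse_arp_frame(frame)
        except ValueError:
            continue                # not ARP: nothing to check
        src, spa = arp["eth_src"], arp["spa"]
        if arp["sha"] != src:
            alerts[src].append(f"sender MAC {arp['sha']} differs from frame source")
        claims[spa].add(arp["sha"])
        if len(claims[spa]) > 1:
            alerts[arp["sha"]].append(f"poisoning: {spa} claimed by {sorted(claims[spa])}")
        if arp["oper"] == ARP_REQUEST:
            requests[src].append(ts)
            recent = [t for t in requests[src] if ts - t <= window_s]
            if len(recent) >= flood_threshold and src not in flooders:
                flooders.add(src)
                alerts[src].append(f"flooding: {len(recent)} requests within {window_s}s")
    return dict(alerts)

def sample_capture():
    """Constructed traffic: a legitimate reply from the gateway, the attacker's
    request burst (as in the screenshot), then a forged reply in which the
    attacker claims the gateway's IP. All MACs except the attacker's are made up."""
    attacker, gateway = "00:13:8f:6b:7d:99", "00:04:e6:40:00:01"
    victim, nobody = "00:11:09:46:00:02", "00:00:00:00:00:00"
    capture = [(0.0, SAMPLE_FRAME),
               (0.1, build_arp_frame(ARP_REPLY, gateway, "21.36.238.1", victim, "21.36.238.17", victim))]
    for i in range(40):
        capture.append((0.5 + i * 0.01, build_arp_frame(
            ARP_REQUEST, attacker, "21.36.238.176", nobody, f"21.36.238.{i + 1}")))
    capture.append((1.2, build_arp_frame(ARP_REPLY, attacker, "21.36.238.1", victim, "21.36.238.17", victim)))
    return capture
```

Running `detect_arp_anomalies(sample_capture())` yields alerts for the attacker's MAC only: first the flooding burst, then the poisoning of 21.36.238.1.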


- A MAC duplicating attack is launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses
- By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for the user
- This attack allows an attacker to gain access to the network and take over someone's identity on the network

[Diagram: MAC duplicating attack (reproduced as Figure 8.39)]

Note: This technique can be used to bypass Wireless Access Points' MAC filtering


Figure 8.39: MAC spoofing/duplicating attack (diagram: the switch rule is "Allow access to the network only if your MAC address is aa:bb:cc:dd:ee:ff"; the legitimate user says "My MAC address is aa:bb:cc:dd:ee:ff"; the attacker answers "No! My MAC address is aa:bb:cc:dd:ee:ff"; the attacker sniffs the network for MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port; the switch connects to the Internet)


Method 1: If the network interface card supports a clone MAC address, then follow these steps:

- Click on Start and search for Control Panel and then open it
- In the Control Panel window, navigate to Network and Internet > Network and Sharing Center and click on Ethernet
- In the Ethernet Status window, click on the Properties button
- In the Ethernet Properties window, under the Networking tab, click on the Configure button and then click on the Advanced tab
- Under the "Property" section, browse for Network Address and click on it
- On the right side, under "Value," type in the new MAC address you would like to assign and click OK
- Note: Enter the MAC address number without a ":" between the number pairs
- Type "ipconfig/all" or "net config rdr" in the command prompt to verify the changes
- If the changes are visible, then reboot the system; otherwise try method 2 (change the MAC address in the registry)

[Screenshot: Microsoft Hyper-V Network Adapter Properties, Advanced tab, with Network Address selected (reproduced as Figure 8.40)]


Method 2: Change the MAC address in the registry

- Press Win+R to open Run, type regedit to start the registry editor
- Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" and double click on it to expand the tree
- 4-digit sub keys representing network adapters will be displayed (starting with 0000, 0001, 0002, etc.)
- Search for the proper "DriverDesc" key to find the desired interface
- Right-click on the appropriate sub key and add a new string value "NetworkAddress" (datatype "REG_SZ") to contain the new MAC address
- Right click on the "NetworkAddress" string value on the right side and select Modify...
- In the "Edit String" dialogue box, "Value data" field enter the new MAC address and click "OK"
- Disable and then re-enable the network interface that was changed or reboot the system

[Screenshot: Registry Editor showing an adapter sub key under ...\Class\{4d36e972-e325-11ce-bfc1-08002be10318} with values such as DriverDesc = Microsoft Hyper-V Network Adapter and NetworkAddress, and the Edit String dialog open for NetworkAddress]


Advanced tab.

Note: Enter the MAC address number without ":" in between.

Figure 8.40: Ethernet Properties dialog box (screenshot of the adapter's Advanced tab: "The following properties are available for this network adapter. Click the property you want to change on the left, and then select its value on the right."; the Property list includes Forwarding Optimization, Hyper-V Network Adapter Name, IPSec Offload, IPv4 Checksum Offload, Jumbo Packet, Large Send Offload Version 2 (IPv4/IPv6), Max Number of RSS Processors, Maximum Number of RSS Queues, Network Address, Network Direct (RDMA) and Packet Direct)


[Screenshot: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001; the right pane lists the adapter's values (DriverDesc = Microsoft Hyper-V Network Adapter, DriverDate = 6-21-2006, NetworkAddress, ReceiveBufferSize = 8192, SendBufferSize = 1024, VlanID = 0, among others) and the Edit String dialog is open with Value name "NetworkAddress"]

Technitium MAC Address Changer (TMAC)

Technitium MAC Address Changer (TMAC) allows you to change (spoof) the Media Access Control (MAC) address of your Network Interface Card (NIC) instantly

https://technitium.com

[Screenshot: Technitium MAC Address Changer v6 by Shreyas Zare (reproduced on the following page)]

Other MAC spoofing tools listed on the slide:

- SMAC
- https://www.novirusthanks.org (name not legible)
- https://lizardsystems.com (name not legible)
- Easy Mac Changer (https://github.com)
- Spoof-Me-Now (https://sourceforge.net)


[Screenshot: Technitium MAC Address Changer v6 (menus File, Action, Options, Help). Network Connections: Ethernet [Kernel Debugger], MAC 00-00-00-00-00-00, Down, Non Operational; Ethernet, MAC 00-15-5D-01-80-00, Up, Operational. Connection: Ethernet; Device: Microsoft Hyper-V Network Adapter; TCP/IPv4: Enabled; TCP/IPv6: Enabled. The Change MAC Address panel offers a Random MAC Address button and the options "Automatically restart network connection to apply changes", "Make new MAC address persistent" and "Use '02' as first octet of MAC address (Why?)"; traffic counters show Sent 6.32 MB (8719829 bytes)]


- ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network
- The attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses
- This attack allows the attacker to sniff the traffic and collect valuable information from the packets
- Attackers can use IRDP spoofing to launch man-in-the-middle, denial-of-service, and passive sniffing attacks

advertisement.

Figure 8.43: IRDP spoofing (diagram: attacker, router and host; the host's routing table is shown before and after the spoofed router advertisement)


- VLAN hopping is a technique used to target network resources present on a virtual LAN
- It can be performed by using two primary methods: Switch Spoofing and Double Tagging
- Attackers perform VLAN hopping attacks to steal sensitive information such as passwords, modify, corrupt or delete data, install malicious codes or programs, and spread viruses, Trojans, and worms throughout the network

Switch Spoofing

- Attackers connect a rogue switch onto the network by tricking a legitimate switch and thereby creating a trunk link between them

Double Tagging

- Attackers add and modify tags in the Ethernet frame, thereby allowing the flow of traffic through any VLAN in the network

Figure 8.44: Illustration of switch spoofing (diagram labels: Legitimate Switch 1, Switch 2, Trunk, VLAN 10, VLAN 20, VLAN 1)

Figure 8.45: Illustration of double tagging (diagram; only the caption survives)


- Attackers connect a rogue switch into the network to change the operations of the STP protocol and sniff all the network traffic
- Attackers configure the rogue switch such that its priority is less than that of any other switch in the network, which makes it the root bridge, thus allowing the attackers to sniff all the traffic flowing in the network

Figure 8.46: Illustration of an STP attack (diagram: the legitimate root bridge and Switch 2 both have priority = 32769, while the rogue switch has priority = 0; the traffic flow between the server and Switch 2 now passes through the rogue switch, and the attacker sniffs all the network traffic)


Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard

[Diagram: the switch, with DHCP snooping and Dynamic ARP Inspection enabled, consults the table built by "sh ip dhcp snooping binding" (entry: 2a:33:4c:2f:4a:1e  10.10.10.9  185235  MAC A). The attacker at 10.10.10.5 (MAC B) sends traffic with the source IP 10.10.10.2 that belongs to the host with MAC C; the switch receives traffic with source IP 10.10.10.2 from MAC B, which does not match a binding, so the packet is discarded]

attacks:


untrusted interfaces.

[Figure (caption not legible): the same IP Source Guard diagram, with the binding table entry 2a:33:4c:2f:4a:1e  10.10.10.9  185235  FastEthernet3/18, the host 10.10.10.1 (MAC A), the attacker 10.10.10.5 (MAC B) sending traffic with source IP 10.10.10.2 / MAC C, and the switch receiving traffic with source IP 10.10.10.2 from MAC B]
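The enforcement the Dynamic ARP Inspection and IP Source Guard diagrams above describe, as an added Python example that is neither Cisco's code nor part of the CEH material: it parses a binding table in the layout of the page's show ip dhcp snooping binding output and applies both checks to sample packets. The second binding entry, the VLAN numbers, the trusted uplink name, and the rule that IP Source Guard matches per port while DAI matches per VLAN (modelled on Cisco IOS behaviour) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the page's "show ip dhcp snooping binding"
# output; the second entry and the VLAN numbers are made up for this example.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
1a:12:3b:2f:df:1c   10.10.10.8       125864      dhcp-snooping  10    FastEthernet0/3
2a:33:4c:2f:4a:1e   10.10.10.9       185235      dhcp-snooping  10    FastEthernet3/18
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$", re.I)

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

def parse_binding_table(text):
    """Return {(vlan, ip): Binding}; header, rule and summary lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            table[(int(m["vlan"]), m["ip"])] = Binding(
                m["mac"].lower(), m["ip"], int(m["vlan"]), m["iface"])
    return table

def dai_check(table, trusted, vlan, ingress, sender_mac, sender_ip):
    """Dynamic ARP Inspection on an incoming ARP packet: trusted ports pass
    unchecked; on untrusted ports the sender IP/MAC pair must match a binding
    learned on that VLAN, otherwise the packet is discarded."""
    if ingress in trusted:
        return "forward"
    binding = table.get((vlan, sender_ip))
    if binding is None:
        return f"drop: no binding for {sender_ip} in VLAN {vlan}"
    if binding.mac != sender_mac.lower():
        return f"drop: {sender_ip} is bound to {binding.mac}, not {sender_mac}"
    return "forward"

def ipsg_check(table, trusted, vlan, ingress, src_mac, src_ip):
    """IP Source Guard on an incoming IP packet: on untrusted ports the source
    IP and MAC must match a binding for that VLAN and that port (a binding
    learned on another port does not count), otherwise the packet is discarded."""
    if ingress in trusted:
        return "forward"
    binding = table.get((vlan, src_ip))
    if binding is None or binding.interface != ingress or binding.mac != src_mac.lower():
        return f"drop: {src_ip}/{src_mac} has no binding on {ingress}"
    return "forward"

def run_scenario():
    """Replays the diagrams: the host on FastEthernet3/18 sends IP traffic with
    another host's source IP (IP Source Guard) and forges ARP for it (DAI)."""
    table = parse_binding_table(BINDING_OUTPUT)
    trusted = {"GigabitEthernet0/1"}      # assumed uplink towards the DHCP server
    return {
        "arp_legit":     dai_check(table, trusted, 10, "FastEthernet0/3", "1a:12:3b:2f:df:1c", "10.10.10.8"),
        "arp_forged":    dai_check(table, trusted, 10, "FastEthernet3/18", "2a:33:4c:2f:4a:1e", "10.10.10.8"),
        "arp_unknown":   dai_check(table, trusted, 10, "FastEthernet3/18", "2a:33:4c:2f:4a:1e", "10.10.10.5"),
        "arp_uplink":    dai_check(table, trusted, 10, "GigabitEthernet0/1", "00:00:5e:00:01:01", "10.10.10.1"),
        "ip_legit":      ipsg_check(table, trusted, 10, "FastEthernet3/18", "2a:33:4c:2f:4a:1e", "10.10.10.9"),
        "ip_spoofed":    ipsg_check(table, trusted, 10, "FastEthernet3/18", "2a:33:4c:2f:4a:1e", "10.10.10.8"),
        "ip_wrong_port": ipsg_check(table, trusted, 10, "FastEthernet0/3", "2a:33:4c:2f:4a:1e", "10.10.10.9"),
    }
```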


Defend against Switch Spoofing

- Explicitly configure the ports as access ports and ensure that all access ports are configured not to negotiate trunks:
  Switch(config-if)# switchport nonegotiate
- Ensure that all trunk ports are configured not to negotiate trunks:
  Switch(config-if)# switchport mode trunk
  Switch(config-if)# switchport nonegotiate

Defend against Double Tagging

- Ensure that each access port is assigned a VLAN other than the default VLAN (VLAN 1):
  Switch(config-if)# switchport access vlan 2
- Ensure that the native VLANs on all trunk ports are changed (here to VLAN 999):
  Switch(config-if)# switchport trunk native vlan 999
- Ensure that the native VLANs on all trunk ports are explicitly tagged


BPDU Guard

- To enable the BPDU guard on all PortFast edge ports:
  configure terminal
  interface gigabitethernet slot/port
  spanning-tree portfast bpduguard

Loop Guard

- To enable the loop guard on an interface:
  configure terminal
  interface gigabitethernet slot/port
  spanning-tree guard loop

Root Guard

- To enable the root guard feature on an interface:
  configure terminal
  interface gigabitethernet slot/port
  spanning-tree guard root

UDLD (Unidirectional Link Detection)

- To enable UDLD on an interface:
  configure terminal
  interface gigabitethernet slot/port
  udld { enable | disable | aggressive }


unidirectional links and further disable the affected interfaces in the network. These


- DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when it has not received any
- It results in the substitution of a false IP address at the DNS level where the web addresses are converted into numeric IP addresses
- It allows the attacker to replace IP address entries for a target site on a given DNS server with the IP address of the server he/she controls
- The attacker can create fake DNS entries for the server (containing malicious content) with names similar to that of the target server

DNS poisoning techniques:

- Intranet DNS Spoofing (Local network)
- Internet DNS Spoofing (Remote network)
- Proxy Server DNS Poisoning
- DNS Cache Poisoning

where web addresses are converted into numeric IP addresses.


- In this technique, the attacker's system must be connected to the local area network (LAN) and be able to sniff packets
- It works well against switches with ARP Poison Routing


server.

[Figure: John (IP 10.0.0.3) asks the router (IP 10.0.0.254) "What is the IP address of www.xsecurity.com?"; the real website www.xsecurity.com is at 200.0.0.45. The attacker (IP 10.0.0.5), running arpspoof/dnsspoof, poisons the router and redirects DNS requests to his machine, answering "www.xsecurity.com is located at 10.0.0.5". The fake website sniffs the credential and redirects the request to the real website.]

Figure 8.48: Intranet DNS spoofing


▪ In Internet DNS spoofing, the attacker infects John's machine with a Trojan and changes his DNS IP address to that of the attacker's


[Figure: the attacker infects John's computer (IP 10.0.0.5) by changing his DNS IP address to 200.0.0.2, where the attacker runs a DNS server. John's browser asks "What is the IP address of www.xsecurity.com?" and the DNS request goes to 200.0.0.2; John's browser then connects to the fake website at 65.0.0.2 instead of the real website www.xsecurity.com at 200.0.0.45. The attacker sniffs the credential and redirects the request to the real website.]

Figure 8.49: Internet DNS Spoofing


▪ The attacker sends a Trojan to John's machine that changes his proxy server settings in Internet Explorer to that of the attacker's and redirects to the fake website


website.

[Figure: the attacker infects John's computer (IP 10.0.0.5) by changing his IE proxy address to 200.0.0.2, where the attacker runs a proxy server. All of John's web requests ("What is the IP address of www.xsecurity.com?") go through the attacker's machine, which sends John's request to the fake website (IP 65.0.0.2); the attacker's fake website sniffs the credential and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).]

Figure 8.50: Proxy server DNS poisoning


▪ DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site
▪ If the DNS resolver cannot validate that the DNS responses have been received from an authoritative source, it will cache the incorrect entries locally and serve them to users who make a similar request


server.


[Figure: a user asks the internal DNS server "What is the IP address of www.xsecurity.com?"; the internal DNS sends a query for DNS info to the authoritative DNS server for xsecurity.com, but the attacker's rogue DNS sends a DNS response with the IP of a fake website, and the DNS cache at the user is updated with the IP of the fake website. The attacker's fake website sniffs the credential and redirects the request to the real website.]

Figure 8.51: DNS cache poisoning

SAD DNS Attack


DNS poisoning tools:
▪ DerpNSpoof (https://github.com)
▪ Ettercap (https://www.ettercap-project.org)
▪ Further tools hosted at https://github.com

malicious content with the same name.

certain IP address or a group of hosts in the network.

the tool to redirect the victim to some other website.

[Figure: DerpNSpoof console output, with lines such as "[1] Spoofing DNS responses..." and "sent to [192.168.1.174]: Redirecting [exampledomain1.com] to [1.2.3.4]".]

Figure 8.52: Screenshot of DerpNSpoof tool


▪ Implement a Domain Name System Security Extension (DNSSEC)
▪ Use a Secure Socket Layer (SSL) for securing the traffic
▪ Resolve all DNS queries to a local DNS server
▪ Block DNS requests to external servers
▪ Configure a firewall to restrict external DNS lookup
▪ Implement an intrusion detection system (IDS) and deploy it correctly
▪ Configure the DNS resolver to use a new random source port for each outgoing query
▪ Restrict the DNS recursion service, full or partial, to authorized users
▪ Use DNS Non-Existent Domain (NXDOMAIN) rate limiting
▪ Secure internal machines
▪ Use a static ARP and IP tables
▪ Use Secure Shell (SSH) encryption
▪ Do not allow outgoing traffic to use UDP port 53 as a default source port
▪ Audit the DNS server regularly to remove vulnerabilities

how

Secure internal machines.

Use static ARP and IP tables.


▪ Randomize source and destination IP addresses.

▪ Randomize query IDs.

attacks.

▪ Ensure that the "Hosts" file resolution is disabled on both the clients and servers.
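Added example (not EC-Council's or any tool's code): a resolver-side check that applies the transaction-ID and source-port matching the countermeasures above rely on, and that flags a second, conflicting answer as the signature of a forged reply racing the real server, the pattern behind the intranet spoofing and cache poisoning figures. It assumes a sensor that sees both the resolver's outgoing queries and the incoming replies; the DNS messages are constructed inline using the addresses from the figures.

```python
"""Resolver-side detection of the DNS spoofing and cache-poisoning patterns
described above (added example, not CEH courseware). A sensor in front of a stub
resolver records the (source port, transaction ID) pair of each query; a reply is
accepted only if that pair matches an outstanding query, and a second reply with a
different answer for an already answered query marks a forgery racing the real server."""
import struct


def encode_name(name):
    """'www.example.com' -> DNS label sequence terminated by a zero byte."""
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    return b"".join(labels) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), off if end is None else end


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, name, ip, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR, RD, RA, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)         # name pointer -> question
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def parse_message(data):
    """Return (txid, is_response, question name, list of A-record IPs)."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", data[:8])
    qname, off = decode_name(data, 12)
    off += 4                                          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return txid, bool(flags & 0x8000), qname, ips


class SpoofDetector:
    def __init__(self):
        self.pending = {}    # (port, txid) -> qname of a query still awaiting a reply
        self.answered = {}   # (port, txid) -> (qname, ips) of the reply that was accepted
        self.alerts = []

    def on_query(self, src_port, data):
        txid, is_response, qname, _ = parse_message(data)
        if not is_response:
            self.pending[(src_port, txid)] = qname

    def on_response(self, dst_port, data):
        """Classify a reply as 'accepted', 'duplicate', 'conflict' or 'rejected'."""
        txid, _, qname, ips = parse_message(data)
        key = (dst_port, txid)
        if key in self.pending and self.pending[key] == qname:
            self.answered[key] = (qname, sorted(ips))
            del self.pending[key]
            return "accepted"
        if key in self.answered:
            if self.answered[key][1] != sorted(ips):   # forged reply racing the real one
                self.alerts.append("conflicting answers for %s: %s vs %s"
                                   % (qname, self.answered[key][1], ips))
                return "conflict"
            return "duplicate"
        # Port, ID or question did not match: the guess a randomized resolver forces.
        self.alerts.append("unsolicited reply to port %d, txid %#06x" % (dst_port, txid))
        return "rejected"


def demo():
    """Constructed exchange using the addresses from the figures above."""
    det = SpoofDetector()
    det.on_query(40000, build_query(0x1234, "www.xsecurity.com"))
    verdicts = [
        det.on_response(40000, build_response(0x1234, "www.xsecurity.com", "200.0.0.45")),
        det.on_response(40000, build_response(0x1234, "www.xsecurity.com", "10.0.0.5")),
        det.on_response(40000, build_response(0x1235, "www.xsecurity.com", "10.0.0.5")),
    ]
    return verdicts, det.alerts
```

A naive resolver keeps whichever answer arrives first, so the "conflict" verdict is the signal worth alerting on; the "rejected" case is what randomized ports and IDs force a remote attacker into.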


▪ It lets you capture and interactively browse the traffic running on a computer network
▪ Wireshark uses Winpcap to capture packets on its own supported networks
▪ It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks
▪ Customized data displays can be used

https://www.wireshark.org

[Figure: Wireshark main window capturing from "Ethernet 2": the packet list shows TCP keep-alives between 10.10.1.11 and 10.10.1.19, mDNS standard query responses and ICMPv6 Multicast Listener Report messages, with the packet details pane (Frame, Ethernet II, IPv6, ICMPv6) expanded for the selected frame.]

Figure 8.53: Capturing packets using Wireshark


a data stream.


[Figure: Wireshark with the display filter tcp.stream eq 25 applied: the packet list shows HTTP responses from 10.10.1.19 to 10.10.1.13 and a POST answered with HTTP/1.1 302 Found; the details pane decodes the request headers (Host: www.moviescope.com, Content-Type: application/x-www-form-urlencoded, Content-Length: 324) and the form items.]

Figure 8.54: Wireshark capturing TCP Stream

[Figure: Follow TCP Stream window for stream 25 (16 client pkts, 24 server pkts, 31 turns): a cleartext HTTP POST to www.moviescope.com carrying the form items txtusername = "sam", txtpwd = "Test" and btnlogin = "Login"; the server replies HTTP/1.1 302 Found with Location: /index.aspx, a Set-Cookie header and Server: Microsoft-IIS.]

Figure 8.55: Password revealed in a TCP Stream


Display filters in Wireshark:
▪ Monitoring specific ports: tcp.port==23 and ip.addr==192.168.1.100 && tcp.port==23
▪ Filtering by IP address: ip.dst == 10.0.1.50 && frame.pkt_len > 400 and ip.src==205.153.63.30 or ip.dst==205.153.63.30
▪ Other filters: frame.number < 30


Additional Wireshark Filters

▪ !(arp or icmp or dns): masks out arp, icmp, dns, or other protocols and allows you to view traffic of your interest
▪ tcp.flags.reset==1: displays all TCP resets
▪ udp contains 33:27:58: sets a filter for the HEX values of 0x33 0x27 0x58 at any offset
▪ tcp.port == 4000: sets a filter for any TCP packet with 4000 as a source or destination port
▪ http.request: displays all HTTP GET requests
▪ tcp.port eq 25 or icmp: displays only SMTP (port 25) and ICMP traffic
▪ tcp.analysis.retransmission: displays all retransmissions in the trace
▪ ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16: displays only traffic in the LAN (192.168.x.x), between workstations and servers, with no Internet traffic
▪ tcp contains traffic: displays the TCP packets that contain the string "traffic"
▪ ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx: filter by a protocol (e.g. SIP) and filter out unwanted IPs
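Added example (not Wireshark's or EC-Council's code): a small evaluator that applies the filter syntax from the two slides above to constructed packet records, so that the semantics the slides rely on (ip.addr and tcp.port matching either direction, CIDR literals, contains on raw bytes, negation and operator precedence) can be checked offline without a capture file.

```python
"""Mini evaluator for the Wireshark display-filter syntax listed above, run over
constructed packet records (added example, not Wireshark code). It covers the
subset the slides use: ==/eq, !=, <, >, contains, and/&&, or/||, not/!,
parentheses, bare protocol names, CIDR literals and colon-separated hex bytes."""
import ipaddress
import re

TOKEN = re.compile(r'\(|\)|==|!=|&&|\|\||<|>|!|"[^"]*"|[^\s()!=<>&|"]+')
CMP_OPS = {"==": "==", "eq": "==", "!=": "!=", "<": "<", ">": ">", "contains": "contains"}
# Shorthand fields that match either direction, as in Wireshark.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}


def field_values(pkt, name):
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]


def literal_bytes(lit):
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}", lit):   # 33:27:58 -> raw bytes
        return bytes.fromhex(lit.replace(":", ""))
    return lit.strip('"').encode()                                 # traffic / "traffic"


def compare(value, op, lit):
    if "/" in lit:                                   # CIDR literal such as 192.168.0.0/16
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(lit, strict=False)
        return hit if op == "==" else not hit
    lit = int(lit, 0) if isinstance(value, int) else lit.strip('"')
    return {"==": value == lit, "!=": value != lit, "<": value < lit, ">": value > lit}[op]


def eval_atom(pkt, field, op, lit):
    if op is None:            # bare name: protocol present (arp, icmp) or field present (http.request)
        return field in pkt["protocols"] or field in pkt
    if op == "contains":      # byte search in that protocol's payload
        data = pkt.get("payload", b"") if field in pkt["protocols"] else pkt.get(field, b"")
        return literal_bytes(lit) in data
    return any(compare(v, op, lit) for v in field_values(pkt, field))


def parse_or(toks):
    left = parse_and(toks)
    while toks and toks[0] in ("or", "||"):
        toks.pop(0)
        left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and(toks))
    return left


def parse_and(toks):
    left = parse_not(toks)
    while toks and toks[0] in ("and", "&&"):
        toks.pop(0)
        left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not(toks))
    return left


def parse_not(toks):
    tok = toks.pop(0)
    if tok in ("not", "!"):
        inner = parse_not(toks)
        return lambda p: not inner(p)
    if tok == "(":
        inner = parse_or(toks)
        if toks.pop(0) != ")":
            raise ValueError("missing )")
        return inner
    op = CMP_OPS.get(toks[0]) if toks else None
    if op is None:
        return lambda p: eval_atom(p, tok, None, None)
    toks.pop(0)
    lit = toks.pop(0)
    return lambda p: eval_atom(p, tok, op, lit)


def apply_filter(text, packets):
    """Parse a display filter (precedence: or < and < not) and return the matching frame numbers."""
    toks = TOKEN.findall(text)
    match = parse_or(toks)
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return [p["frame.number"] for p in packets if match(p)]


# Constructed packet records standing in for decoded frames (not capture data).
PACKETS = [
    {"frame.number": 1, "frame.pkt_len": 450, "protocols": {"ip", "tcp"}, "ip.src": "192.168.1.100",
     "ip.dst": "10.0.1.50", "tcp.srcport": 51000, "tcp.dstport": 23, "payload": b"login: admin"},
    {"frame.number": 2, "frame.pkt_len": 120, "protocols": {"ip", "tcp", "http"}, "http.request": 1,
     "ip.src": "192.168.0.10", "ip.dst": "205.153.63.30", "tcp.srcport": 61002, "tcp.dstport": 80,
     "payload": b"GET /traffic HTTP/1.1\r\n"},
    {"frame.number": 3, "frame.pkt_len": 42, "protocols": {"arp"}},
    {"frame.number": 4, "frame.pkt_len": 90, "protocols": {"ip", "udp"}, "ip.src": "192.168.0.5",
     "ip.dst": "192.168.0.9", "udp.srcport": 514, "udp.dstport": 514, "payload": b"\x33\x27\x58<34>cron"},
    {"frame.number": 5, "frame.pkt_len": 54, "protocols": {"ip", "tcp"}, "ip.src": "10.0.0.1",
     "ip.dst": "192.168.0.2", "tcp.srcport": 4000, "tcp.dstport": 4000, "tcp.flags.reset": 1},
]
```

Real Wireshark evaluates these filters against fully dissected frames; the record dictionaries here stand in for the dissector output only.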


Internet


▪ Riverbed Packet Analyzer Plus: performs real-time network packet analysis and reporting of large trace files
▪ Capsa Portable Network Analyzer: Capsa, a portable network performance analysis and diagnostics tool, provides packet capture and analysis capabilities with an easy-to-use interface

[Slide screenshots of Riverbed Packet Analyzer Plus and Colasoft Capsa 13 Enterprise Trial.]

https://www.riverbed.com
https://www.colasoft.com


Additional packet sniffing tools:
▪ OmniPeek (https://www.liveaction.com): the OmniPeek sniffer displays a Google map in the capture window showing the locations of all the public IP addresses of captured packets
▪ RITA (Real Intelligence Threat Analytics) (https://www.activecountermeasures.com)
▪ Observer Analyzer
▪ PRTG Network Monitor (https://www.paessler.com)
▪ SolarWinds (https://www.solarwinds.com)
▪ Xplico (https://www.xplico.org)

[Slide screenshot of the OmniPeek capture window.]


Wireshark.

[Figure: Riverbed Packet Analyzer Plus main window: trace files and the "Local System" device on the left; views such as Bandwidth Over Time, Network Usage Analysis, Protocol Distribution, Traffic Analysis, Bandwidth Usage, Multi-Segment Analysis, Performance and Errors, and Talkers and Conversations; a Total Throughput chart for the current selection (21:43:29 to 21:43:40, 11 s) of Network Usage by Port Name.]

Figure 8.56: Screenshot of Riverbed Packet Analyzer Plus


monitor networks in a critical business environment.

[Figure: Colasoft Capsa 13 Enterprise Trial, "Analysis Project 1": explorer panes (MAC Explorer, IP Explorer, VoIP Explorer, Process Explorer, Application Explorer), a Total Traffic by Bytes chart, tabs for Packets, Domain, TCP, Port, IP, Process, Application, SIP and H.323, and the Live Demo / How-To's help panel (How to Monitor Network Traffic, How to Detect ARP Attacks, How to Detect Network Loop, ...).]

Figure 8.57: Screenshot of Capsa Portable Network Analyzer


[Figure: OmniPeek "Capture 1" window (1,665 packets received, filter "Accept all packets"): the packet list shows ICMPv6 MLDv2 listener reports, mDNS (Bonjour) queries, IGMP and an ARP request, with the decode pane (Ethernet Type 2, destination 33:33:00:00:00:FB, protocol type 0x86DD IPv6) and the hex dump for the selected frame; navigation panes for Dashboards, Applications, Voice & Video, Compass, Flows, Web, Peer Map, Graphs and Statistics.]


Android mobile devices.

[Figure: Sniffer Wicap capture list with Interface, Source and Link columns, relative timestamps (0.000954, 0.294144), a Stop button and Stats / Tools / Diag tabs.]

Figure 8.59: Screenshot of Sniffer Wicap

connection to a mobile. This app works on rooted Android devices. The Wi-Fi connection


[Figure: Screenshot of the Packet Capture Android app listing captured connections per application on 01-20 at 22:47: Gmail to 173.194.117.128:443 TCP (nrt04s09-in-10.1e100.net, SSL); Umano to 31.13.82.1:443 TCP (edge-star-shv-01-nrt1.facebook.com, SSL); Packet Capture to 74.125.204.156:80 TCP; Google Account Manager, Google Backup Transport, Google Contacts Sync, Google Play services and Google Services Framework to 173.194.117.154:80 TCP (nrt04s09-in-f76.1e100.net).]

machines in the network

Turn off network identification broadcasts, and if possible, restrict the network to authorized users to protect the network from being discovered with sniffing tools

Use encrypted sessions, such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP, and SSL for email connections, to protect wireless network users against sniffing attacks

▪ Use HTTPS instead of HTTP to protect usernames and passwords

▪ Always encrypt wireless traffic with a strong encryption protocol such as WPA2 and WPA3

▪ Use a switch instead of a hub, as a switch delivers data to the intended recipient only

▪ Retrieve the MAC directly from the NIC instead of the OS; this prevents MAC address spoofing

▪ Use Secure File Transfer Protocol (SFTP) instead of FTP for the secure transfer of files

▪ Use tools to determine if any NICs are running in the promiscuous mode

▪ Use PGP and S/MIME, VPN, IPsec, SSL/TLS, Secure Shell (SSH), and One-time passwords (OTPs)

▪ Use access-control lists (ACLs) to allow access only to a fixed range of trusted IP addresses in a network

installed.


ARP entries for machines in the network.

IPv6.

WPA3.

addresses in a network.


Check the Devices Running in Promiscuous Mode

▪ You need to check which machines are running in the promiscuous mode

▪ Promiscuous mode allows a network interface to intercept and read each network packet that arrives in its entirety

Run IDS

▪ Run IDS and see if the MAC address of any of the machines has changed (Example: router's MAC address)

▪ IDS can alert the administrator about suspicious activities

Run Network Tools

▪ Run network tools such as Capsa Portable Network Analyzer to monitor the network for detecting strange packets

▪ Enables you to collect, consolidate, centralize, and analyze traffic data across different network resources and technologies
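The first two items of the checklist above, the local promiscuous-mode check and the IDS-style "has a MAC changed" alert, as an added example that is not part of the CEH module. It decodes the interface flag word that Linux exposes in /sys/class/net/<iface>/flags (IFF_PROMISC is set there for as long as any capture tool holds the NIC in promiscuous mode) and diffs a snapshot of the neighbour (ARP) table against a baseline. The flag values, the `ip neigh` lines and the hosts 10.0.0.1 and 10.0.0.7 are constructed for the example. The caveat is that the sysfs check only sees the host it runs on; a sniffer on another machine has to be found with the remote probes described in the slides that follow.

```python
"""Host-side sniffing checks, added example (not from the CEH module):
(1) find local NICs in promiscuous mode from the Linux sysfs flag word, and
(2) alert on IP->MAC bindings that changed between two neighbour-table
snapshots, the signal an IDS uses to catch a spoofed router MAC.
All sample data below is constructed for the example."""
import glob
import re

IFF_UP = 0x1          # interface administratively up      (<linux/if.h>)
IFF_PROMISC = 0x100   # NIC is passing every frame it sees to the kernel


def promiscuous_interfaces(flag_table):
    """flag_table: {iface: contents of /sys/class/net/<iface>/flags}, e.g.
    {"eth0": "0x1003\n"}. Returns the interfaces that are up and promiscuous."""
    hits = []
    for name, raw in flag_table.items():
        flags = int(raw.strip(), 16)
        if flags & IFF_UP and flags & IFF_PROMISC:
            hits.append(name)
    return sorted(hits)


def sysfs_flag_table():
    """Read the live flag words on a Linux host; returns {} elsewhere."""
    table = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as fh:
            table[path.split("/")[-2]] = fh.read()
    return table


# One line of `ip -4 neigh show`: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\s+(\S+)")


def parse_neigh(text):
    """Map IP -> lower-case MAC. Entries without lladdr (FAILED / INCOMPLETE)
    carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_changes(baseline, current):
    """Return [(ip, old_mac, new_mac)] for every IP whose MAC differs from the
    baseline. New or vanished IPs are not reported: the event worth alerting
    on is an existing binding, typically the gateway's, flipping to another MAC."""
    return [(ip, old, current[ip])
            for ip, old in sorted(baseline.items())
            if ip in current and current[ip] != old]


# Constructed samples: eth1 has IFF_PROMISC set; gateway 10.0.0.1 changes MAC.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}
BASELINE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:14:20:01:23:45 REACHABLE
10.0.0.7 dev eth0 lladdr 00:14:20:01:23:46 STALE
"""
CURRENT_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:1b:48:64:42:e4 REACHABLE
10.0.0.7 dev eth0 lladdr 00:14:20:01:23:46 STALE
10.0.0.9 dev eth0  FAILED
"""

if __name__ == "__main__":
    print("promiscuous (sample):", promiscuous_interfaces(SAMPLE_FLAGS))
    print("promiscuous (live):  ", promiscuous_interfaces(sysfs_flag_table()))
    for ip, old, new in arp_changes(parse_neigh(BASELINE_NEIGH),
                                    parse_neigh(CURRENT_NEIGH)):
        print(f"ALERT: {ip} changed from {old} to {new}")
```

On a real host the baseline would be taken once and stored, and the live table fed in from `ip -4 neigh show`; a single flip of the gateway's MAC is exactly what an ARP-poisoning attack produces, while a host whose flag word suddenly gains IFF_PROMISC is one that just started capturing.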


Ping Method

▪ Sends a ping request to the suspect machine with its IP address and an incorrect MAC address. The Ethernet adapter rejects it, as the MAC address does not match, whereas the suspect machine running the sniffer responds to it, as it does not reject packets with a different MAC address

[Figure: Admin (10.0.0.4, 36-2E-3G-45-S6-K2) sends a ping message addressed to the suspect machine (10.0.0.1, 11-22-33-44-55-66) with an incorrect MAC address; a machine in promiscuous mode responds, a machine in non-promiscuous mode does not.]

DNS Method

▪ Most of the sniffers perform reverse DNS lookups to identify the machine from the IP address

▪ A machine generating reverse DNS lookup traffic is very likely to be running a sniffer

[Figure: Admin (IP ID 194.54.67.10, MAC 00:1b:48:64:42:e4), suspect machines 192.168.168.1, 192.168.168.2 and 192.168.168.3 (MAC 00-14-20-01-23-45, -46 and -47) and a DNS server; the reverse DNS lookup traffic from a suspect machine to the DNS server reveals the sniffer.]

ARP Method

▪ Only the machine in the promiscuous mode (machine C) receives the non-broadcast ARP request and caches the address information it carries

▪ A machine in the promiscuous mode responds to the ping message as it has the correct information about the host, whereas the other machines will send an ARP probe to identify the source of the ping request

[Figure: Admin (IP ID 194.54.67.10, MAC 00:1b:48:64:42:e4) sends a non-broadcast ARP to 192.168.168.1, 192.168.168.2 and 192.168.168.3; 192.168.168.1 (MAC 00-14-20-01-23-45) and 192.168.168.3 (MAC 00-14-20-01-23-47) respond with an ARP request, while 192.168.168.2 (MAC 00-14-20-01-23-46) answers the ping directly.]


network.

[Figure: Admin (36-2E-3G-45-S6-K2) sends a ping message to the suspect machine (11-22-33-44-55-66); response received.]

Figure 8.62: Promiscuous mode

[Figure: Admin (36-2E-3G-45-S6-K2) sends the same ping message to the suspect machine (11-22-33-44-55-66); no response.]

Figure 8.63: Non-promiscuous mode

▪ DNS Method


[Figure: Admin (IP ID 194.54.67.10, MAC 00:1b:48:64:42:e4) on a LAN with 192.168.168.1 (MAC 00-14-20-01-23-45), 192.168.168.2 (MAC 00-14-20-01-23-46), 192.168.168.3 (MAC 00-14-20-01-23-47) and a DNS server; reverse DNS lookup traffic to the DNS server identifies the machine running the sniffer.]

Figure 8.64: Sniffing detection using the DNS method

▪ ARP Method

running.

[Figure: Admin (IP ID 194.54.67.10, MAC 00:1b:48:64:42:e4) sends a non-broadcast ARP to 192.168.168.1, 192.168.168.2 and 192.168.168.3 and then pings them; 192.168.168.1 (MAC 00-14-20-01-23-45) and 192.168.168.3 (MAC 00-14-20-01-23-47) answer with an ARP request, whereas 192.168.168.2 (MAC 00-14-20-01-23-46) answers with a ping reply.]

Figure 8.65: Detecting sniffing via the ARP method
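The ping and ARP probes above, at the frame level, as an added example that is not part of the CEH module. It builds the on-wire frames (an ARP request and an ICMP echo request) addressed to a bogus destination MAC and models the two filters such a frame meets on the suspect host: the NIC's hardware address filter, which promiscuous mode bypasses, and the kernel's own check of the destination address. Nothing is transmitted; the addresses, the probe MAC ff:ff:ff:ff:ff:fe and the `check_bytes` strictness parameter are constructed for the example. Whether a given operating system actually answers depends on that second check, so a reply is good evidence of a sniffer, while silence is not proof of its absence.

```python
"""Frame-level model of the bogus-MAC ping and ARP probes (added example,
not from the CEH module). Builds the probe frames and models why a host
whose NIC is in promiscuous mode may answer them while a normal host cannot.
Addresses and the `check_bytes` knob are constructed assumptions."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")   # classic probe destination


def mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BROADCAST):
    """ARP who-has target_ip carried in a frame whose destination is dst_mac
    instead of ff:ff:ff:ff:ff:ff (the figure's 'non-broadcast ARP'). A NIC
    that is not promiscuous never hands it to the kernel."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, ip4(src_ip), b"\x00" * 6, ip4(target_ip))
    return ethernet(dst_mac, src_mac, 0x0806, arp)


def ping_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BROADCAST, ident=0x1234):
    """ICMP echo request for target_ip in a frame addressed to dst_mac."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ip4(src_ip), ip4(target_ip))
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    return ethernet(dst_mac, src_mac, 0x0800, iph + icmp)


def ip_header_ok(frame):
    """True when an Ethernet/IPv4 frame carries a valid IPv4 header checksum."""
    return frame[12:14] == b"\x08\x00" and checksum(frame[14:34]) == 0


def hardware_filter(frame, own_mac, promiscuous):
    """Model of the NIC: in normal mode only frames to its own unicast address
    or to broadcast reach the kernel (subscribed multicast omitted for brevity);
    in promiscuous mode everything does."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST


def software_filter(frame, own_mac, check_bytes=6):
    """Model of the kernel's check: how many leading bytes of the destination
    it compares with the broadcast address. 6 is a strict stack, 0 is a stack
    that trusts the NIC and checks nothing. Real stacks differ, which is why
    the probe is evidence rather than proof."""
    dst = frame[:6]
    return dst == own_mac or dst[:check_bytes] == BROADCAST[:check_bytes]


def would_reply(frame, own_mac, promiscuous, check_bytes=6):
    """Does the modelled host answer the probe?"""
    return (hardware_filter(frame, own_mac, promiscuous)
            and software_filter(frame, own_mac, check_bytes))


def classify(frame, own_mac, check_bytes=6):
    """Verdict as in the figures: a reply to the bogus-MAC probe can only come
    from a host whose NIC is not filtering, i.e. one in promiscuous mode."""
    normal = would_reply(frame, own_mac, False, check_bytes)
    promisc = would_reply(frame, own_mac, True, check_bytes)
    if normal:
        return "inconclusive (probe reaches non-promiscuous hosts too)"
    return "promiscuous host would reply" if promisc else "no reply either way"


if __name__ == "__main__":
    admin, suspect = mac("00:1b:48:64:42:e4"), mac("00-14-20-01-23-46")
    probe = arp_probe(admin, "192.168.168.10", "192.168.168.2")
    for strictness in (0, 1, 6):
        print(f"check_bytes={strictness}: {classify(probe, suspect, strictness)}")
    print("ping probe header valid:",
          ip_header_ok(ping_probe(admin, "192.168.168.10", "192.168.168.2")))
```

To run the probe for real you would hand `probe` to a raw socket (AF_PACKET on Linux, root required) and watch for an ARP reply or echo reply carrying the suspect's MAC; that step is deliberately left out here. The two filter functions are what make the technique work or fail: a strict stack (`check_bytes=6`) stays silent even in promiscuous mode, so a quiet host has to be retested with the DNS method or a local check rather than cleared.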


Promiscuous Detection Tools

▪ Nmap: Nmap's NSE script allows you to check if a system on a local Ethernet has its network card in the promiscuous mode

      nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

  https://nmap.org

▪ NetScanTools Pro: includes a Promiscuous Mode Scanner tool to scan your subnet for network interfaces listening for all ethernet packets in the promiscuous mode

  https://www.netscantools.com

[Figure: side-by-side screenshots of Zenmap running nmap --script=sniffer-detect 10.10.1.19 against www.moviescope.com, and of the NetScanTools Pro Demo (build 5-19-2020, based on version 11.91) Promiscuous Mode Scanner listing 10.10.1.13, 10.10.1.14, 10.10.1.19 (www.moviescope.com) and 10.10.1.22 (SERVER2022) with the analysis "Maybe".]


Zenmap

Command: nmap --script=sniffer-detect 10.10.1.19

    Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 06:01 Pacific Daylight Time
    Nmap scan report for www.moviescope.com (10.10.1.19)
    Host is up (0.0023s latency).
    Not shown: 985 closed tcp ports (reset)
    PORT     STATE SERVICE
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    636/tcp  open  ldapssl
    990/tcp  open  ftps
    993/tcp  open  imaps
    995/tcp  open  pop3s
    1801/tcp open  msmq
    2103/tcp open  zephyr-clt
    2105/tcp open  eklogin
    2107/tcp open  msmq-mgmt
    3389/tcp open  ms-wbt-server
    5061/tcp open  sip-tls
    5357/tcp open  wsdapi
    8080/tcp open  http-proxy
    MAC Address: 02:15:5D:28:76:03 (Unknown)

Figure 8.66: Screenshot showing Nmap output


▪ NetScanTools Pro

[Figure: NetScanTools Pro Demo (build 5-19-2020, based on version 11.91), Manual Tools > Promiscuous Mode Scanner ("Use this tool to find network adapters listening in promiscuous mode"). Network interface: Ethernet (10.10.1.11) - Microsoft Hyper-V Network Adapter; a start/end IP range on the 10.10.1.0 subnet; test-address options for 31-bit, 16-bit and 8-bit broadcast, group-bit and multicast addresses. Results table with columns IP Address, MAC Address, I/F Manufacturer, Hostname, the per-test columns B31, B16, B8, GRP, M0, M1, M3, and Analysis: 10.10.1.13, 10.10.1.14, 10.10.1.19 (www.moviescope.com) and 10.10.1.22 (MAC 00-15-5D-01-80-02, Microsoft Corporation, SERVER2022), each with the analysis "Maybe". Status line: Scanning and Analysis Complete.]

Figure 8.67: Screenshot of NetScanTools Pro — Promiscuous Mode Scanner


❑ In this module, we have discussed the following:

  > Sniffing concepts along with protocols vulnerable to sniffing and various hardware protocol analyzers

  > Various sniffing techniques such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning, etc. along with their countermeasures

  > Various sniffing tools

  > Various countermeasures that are to be employed in order to prevent sniffing attacks

  > The module concluded with a detailed discussion on various sniffing detection techniques

❑ In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform social engineering to steal critical information related to the target organization
