Wireshark, Npcap
gather (capture);
decode (epan: protocol tree, dissectors, dissector plugins, display filters);
display;
analysis (is this normal traffic? TCP flags, malware signatures, traffic in clear text, router advertisements)
Active attacks: buffer overflow, DoS, malware; security services affected (confidentiality, integrity, availability, authentication)
Passive attacks: sniffing (passwords, router advertisements), eavesdropping, reconnaissance (ping scan, port scan), tapping (port mirroring, SPAN (Switch Port Analyzer), ARP spoofing)
ARP spoofing:
enable IP forwarding on the attacker's machine (so the intercepted traffic is still relayed and the victim keeps connectivity):
# echo 1 > /proc/sys/net/ipv4/ip_forward
spoof the victim so it believes the attacker's MAC address belongs to the gateway:
# arpspoof -t victim gateway
spoof the gateway so it believes the attacker's MAC address belongs to the victim:
# arpspoof -t gateway victim
macof attack (floods the switch's CAM table; the switch enters fail-open mode and starts acting like a hub, sending traffic out to all ports)
yersinia (STP (Spanning Tree Protocol), CDP (Cisco Discovery Protocol), DTP, DHCP, HSRP, ISL, VTP, 802.1Q, 802.1X)
change MAC: NIC properties, registry
IPv4 vs IPv6 header (IPv6 has no fragmentation fields in the base header, no Internet Header Length field, no header checksum; UDP checksum is mandatory in IPv6)
DHCP (server UDP 67, client UDP 68) starvation attack - DoS
R1(config)# service dhcp
R1(config)# ip dhcp excluded-address 192.168.5.1
R1(config)# ip dhcp pool jasper_pool
R1(dhcp-config)# network 192.168.5.0 255.255.255.0
R1(dhcp-config)# dns-server 192.168.5.1
R1(config)#
yersinia sends many DHCP DISCOVER packets (each with a different spoofed MAC) to exhaust the IP pool
Rogue DHCP server - yersinia
ARP sample captures: https://cloudshark.io/
ettercap: # echo 1 > /proc/sys/net/ipv4/ip_forward
$ nano /etc/ettercap/etter.conf
[privs]
ec_uid = 0
uncomment the iptables redirect lines
https://asecuritysite.com/
protection tools: Snort, arpalert, arpwatch, ArpON, XArp
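Added example (not from the course notes or any of the tools above): an arpwatch-style check for the ARP spoofing described earlier, fed with constructed ARP reply frames rather than live capture. It parses the Ethernet and ARP headers, records the first MAC seen for each sender IP, and alerts when a later reply claims the same IP from a different MAC (the gateway IP suddenly answering from a new address is the classic sign). The addresses and MACs are made up.

```python
import struct
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    # Builds a constructed ARP reply frame (sample input only, not captured traffic)
    return ETH_HDR.pack(target_mac, sender_mac, ETH_P_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)

def parse_arp(frame):
    # Returns (op, sender MAC, sender IP) or None if the frame is not a full ARP frame
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETH_P_ARP or len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, _, _, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa)

def detect_arp_spoof(frames):
    # arpwatch-style check: remember the first MAC seen for each IP in ARP
    # replies and alert when a later reply claims the same IP from another MAC
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _op, sha, spa = parsed
        known = table.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"{spa} was {known}, now claimed by {sha}")
    return table, alerts

# Constructed sample: the real gateway answers, then a second host claims the gateway IP
GW_IP, VICTIM_IP = bytes([192, 168, 5, 1]), bytes([192, 168, 5, 10])
GW_MAC, VICTIM_MAC, OTHER_MAC = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee", b"\xde\xad\xbe\xef\x00\x01"
SAMPLE_FRAMES = [
    arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
    arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),
    arp_reply(OTHER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),   # gateway IP from a different MAC
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_FRAMES)[1]:
        print("ALERT:", alert)
```

On a real network the same logic would be run over ARP frames read from a pcap or a raw socket; legitimate NIC replacements also trigger it, so alerts need a human check.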
DNS (UDP 53 for queries, TCP 53 for zone transfers)
cache poisoning; view the local resolver cache with ipconfig /displaydns
capturing images from traffic (urlsnarf, webspy, driftnet, Wireshark)
HTTP status codes (1xx informational, 2xx success, 3xx redirection, 4xx client error, e.g. 404 Not Found, 5xx server error)
web-sniffer.net
tshark -i "Ethernet 2" -a duration:10 -w tshark.pcap
tPacketCapture (www.taosoftware.co.jp)
Debug Proxy, hacking APKs, OmniPeek, tcpdump, ettercap, dsniff, CloudShark
AntiSniff, arpwatch, Snort, Who's On My WiFi