Sniffing
Sniffing is another technique to use internally. A sniffer or packet capture utility is able to capture any traffic traveling along the network segment to which it is connected. We normally set up sniffers throughout the organization to capture network traffic, hoping to identify valuable information such as user IDs and passwords. We use sniffing to passively capture data being sent across the internal network. Laptops are usually the ideal platform since they are portable and easy to conceal. The system does not even need an IP address, since it passively captures the traffic. The sniffing machine copies the data without modifying its contents and is difficult to detect even with sophisticated intrusion detection software. There are programs, such as AntiSniff, that have some success in detecting sniffers.
Switched Ethernet environments reduce the risk of packet capture. Since a sniffer can capture traffic only on the network segment it is attached to, a sniffer in a switched environment can see only traffic destined for it. However, in a shared or mixed environment, sniffers can be very useful for capturing valuable traffic. In addition, dsniff, written by Dug Song, is able to sniff across switches. The techniques dsniff uses to sniff on switched segments can cause denial-of-service conditions and therefore should be used cautiously during penetration testing.
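The way dsniff gets a switched segment's traffic to a sniffer is ARP cache poisoning, so the defender's counterpart is to watch ARP replies for IP-to-MAC bindings that change or for one MAC that starts claiming several IPs, which is what arpwatch does. The following detector is an added example, not code from the original article or from dsniff; it runs over constructed ARP reply records and assumes that 10.0.1.1 is the segment's gateway.

```python
from collections import defaultdict

# Constructed sample: (time, sender IP, sender MAC) taken from ARP replies seen on one
# segment. 10.0.1.1 is the gateway at ...:01; from 10:00:09 the host at ...:21 starts
# answering for the gateway and for 10.0.1.20, and the real gateway keeps answering too.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "10.0.1.1", "aa:aa:aa:aa:aa:01"),
    ("10:00:02", "10.0.1.20", "aa:aa:aa:aa:aa:20"),
    ("10:00:03", "10.0.1.21", "aa:aa:aa:aa:aa:21"),
    ("10:00:09", "10.0.1.1", "aa:aa:aa:aa:aa:21"),   # ...:21 now claims the gateway
    ("10:00:10", "10.0.1.20", "aa:aa:aa:aa:aa:21"),  # ...:21 also claims 10.0.1.20
    ("10:00:11", "10.0.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers: binding flaps
]

GATEWAYS = {"10.0.1.1"}  # assumed: the segment's default gateway(s)


def detect_arp_poisoning(replies, gateways=GATEWAYS, max_ips_per_mac=1):
    """Return alert strings for (a) an IP whose MAC changes and (b) one MAC that
    claims more IPs than max_ips_per_mac. Either is CRITICAL when a gateway is
    involved, because that is what redirects a whole segment through the sniffer.
    Legitimate causes exist (DHCP reassignment, multi-homed hosts), so treat
    alerts as leads to confirm at the switch, not as proof on their own."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "CRITICAL" if ip in gateways else "WARNING"
            alerts.append(f"{ts} {sev} ip={ip} mac changed {prev} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:  # alert once per newly claimed IP, not per reply
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                sev = "CRITICAL" if gateways & mac_to_ips[mac] else "WARNING"
                claimed = sorted(mac_to_ips[mac])
                alerts.append(f"{ts} {sev} mac={mac} claims multiple ips {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On managed switches, dynamic ARP inspection or port security blocks the poisoning at the port rather than only detecting it after the fact.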
Any network traffic that is transmitted in clear text is susceptible to sniffing. Telnet, FTP, and other clear-text sessions provide valuable information. The sniffer can capture a complete Telnet or FTP session, including the user name and password. In addition, sniffed e-mail and HTTP traffic may yield actual passwords or clues that enable passwords to be guessed. Sniffed e-mail may also yield confidential material, legal matters, or other information that should normally be encrypted.
If the thought that this information can be captured from your network concerns you, L0phtCrack's SMB Capture sniffer will surely concern you. The NT password sniffer, SMB Capture, within L0phtCrack can sniff NT passwords directly from the network. If the passwords are weak (for example, a dictionary word, short, or one number at the end), L0phtCrack will be able to crack the passwords within minutes. If the passwords are strong (a mixture of uppercase and lowercase letters and special characters), it could take months for them to be cracked. The fact that most NT networks use LANMAN passwords makes matters even worse. LANMAN passwords are required to be sent when non-NT clients (Windows 9x) need to authenticate to NT servers. The LANMAN passwords are not case sensitive and are therefore easier to crack. At the start of the internal testing scenario, start SMB Capture to begin capturing and cracking the NT passwords.
Normally we set up a sniffer in the test room where we are located during the testing. In addition, we try to find another network segment with critical data or high-volume network traffic on which to place a sniffer. Often, network segments that are connected to the data center, system administrators' work areas, legal departments, human relations departments, or senior management make excellent targets for sniffers. The key is to find a location in which to place the sniffer where it will not be noticed. If network closets can be accessed, you could plug the sniffer directly into a switch or hub port and attempt to conceal the sniffer somehow. Since most network closets are locked, we usually end up hiding the sniffer in an empty office, cubicle, or conference room. On occasion, we have hidden sniffers under podiums in conference rooms. Often there are so many wires coming out of the podium that no one notices one extra.
Once the sniffer is set up in the remote location, you need to find a way to retrieve the data from it. You can either go back and pick up the sniffer later and read the data, use a script to FTP it at regular intervals, or use a remote control program to go back and retrieve the data and configure the system as needed. The use of remote control programs on these hidden sniffers is quite effective. These programs allow you to periodically check the data you're receiving from the sniffer and make changes to the configuration as you learn more about the network. For instance, if you see login sessions that use the string “passwd,” you can filter the sniffed traffic using ngrep or another filtering command to capture this traffic in a file. The more filters you can place on the sniffer, the easier it will be to analyze the data. However, be careful not to make your filters too restrictive, or you may miss critical data.
Internal testing is much like a series of linked vulnerabilities. Once you gain administrator access on one system, additional systems start to fall. Fortunately for the tester and unfortunately for the organization, administrator passwords on many systems tend to be the same within the organization. Additionally, there is usually at least one account from each compromised system that will work on another system. So as you begin to crack systems, build a list of information that may be useful in attacking other systems: account names, passwords, files that may offer password hints, vulnerable services, and so on. In addition, look for trust relationships between systems. Often a system we previously scanned from a laptop that showed no ports open will suddenly have many ports open when scanned from a compromised system. This is because the system may have trust relationships or may use filtering to allow only certain hosts to connect to these services. Therefore, be sure to load your hacker kit onto the compromised host and begin the discovery phase on the remaining systems.
Source :http://e-articles.info/e/a/title/What-is-Sniffing/
gosling: yo, who is this?