Traffic Flow Analysis

Now that the SEKURE_LAB is done, I'm going to capture raw packets using Ethereal. This will give me a good visualization of the actual traffic: what traffic is normal and what is not.

Being able to look at traffic and spot suspicious activity is a must for network security. I'm going to experiment with this tonight at the newbie level.

It's time to boot up the LAN. The Win98 box isn't passing POST; I bet the display card is creepin' since the case is all bent. We can do without that machine for tonight.

Ethereal just finished installing on AMD12, time for the fun!

I analyzed the log after performing just a single ping from intel350 to amd12. Results!!

TOTAL: 91 packets

Mostly packets coming in from the Cisco routers and WAPs.

1 ARP packet from 10.10.0.2: "Who has 10.10.0.15? Tell 10.10.0.2"

Then 1 ARP packet from 10.10.0.15 to 10.10.0.2 revealing its MAC address.

4 ICMP packets (echo requests) going out from 10.10.0.2 to 10.10.0.15, and 4 ICMP packets (echo replies) going back to 10.10.0.2 from 10.10.0.15.

The ping created a good basic example.

Now I'm going to use Metasploit Framework-.2.2 to run the Micro$oft LSASS MS04-011 overflow exploit against 10.10.0.2 to see what it looks like inside of Ethereal. Shall be interesting to see an actual exploit do its thing on the wire.

RESULTS!

The 10.10.0.2 machine auto-rebooted after the LSASS message appeared in a popup.

A brief summary of the Ethereal results:

10.10.0.2 sends a DHCP Inform to 255.255.255.255

10.10.0.2 sends a request for workgroup SEKURE
Then we have a Local Master Announcement from both machines
Next an ARP from 10.10.0.15 and then a response from 10.10.0.2
A lot of ACK and SYN packets back and forth

The most interesting part is this:

The machines negotiate a session using SMB. Then 10.10.0.15 logs onto 10.10.0.2 with user "anonymous", finds its way to \\10.10.0.2\IPC$, and then opens lsarpc.
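The SMB sequence above (anonymous session setup, tree connect to IPC$, then the lsarpc pipe) is the part of that capture a defender can actually match on. Here is an added example, not from the original post or from any tool mentioned in it, that walks Ethereal-style packet summary lines and flags a source/destination pair only when all three stages appear in order. The summary lines are constructed to mirror the sequence described, not copied from the real log, and lsarpc is also used legitimately by domain members, so treat a hit as a triage lead rather than proof of an exploit.

```python
import re
from collections import defaultdict

# Constructed Ethereal-style summary lines (No. Source Destination Protocol Info),
# modelled on the sequence described in the post; not the real capture.
SAMPLE_SUMMARY = """\
1 10.10.0.15 10.10.0.2 SMB Negotiate Protocol Request
2 10.10.0.2 10.10.0.15 SMB Negotiate Protocol Response
3 10.10.0.15 10.10.0.2 SMB Session Setup AndX Request, User: anonymous
4 10.10.0.2 10.10.0.15 SMB Session Setup AndX Response
5 10.10.0.15 10.10.0.2 SMB Tree Connect AndX Request, Path: \\\\10.10.0.2\\IPC$
6 10.10.0.2 10.10.0.15 SMB Tree Connect AndX Response
7 10.10.0.15 10.10.0.2 SMB NT Create AndX Request, Path: \\lsarpc
8 10.10.0.2 10.10.0.15 SMB NT Create AndX Response
9 10.10.0.3 10.10.0.2 SMB Session Setup AndX Request, User: alice
10 10.10.0.3 10.10.0.2 SMB Tree Connect AndX Request, Path: \\\\10.10.0.2\\IPC$
11 10.10.0.3 10.10.0.2 SMB NT Create AndX Request, Path: \\srvsvc
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_summary(text):
    """Turn summary lines into (no, src, dst, proto, info) tuples; skip anything unparsable."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            no, src, dst, proto, info = m.groups()
            rows.append((int(no), src, dst, proto, info))
    return rows

# Ordered stages of the pattern from the post: null (anonymous) session,
# IPC$ tree connect, then the lsarpc named pipe being opened. Each check
# is a predicate over the lower-cased Info column.
STAGES = (
    ("null_session", lambda i: "session setup" in i and "user: anonymous" in i),
    ("ipc_share", lambda i: "tree connect" in i and "ipc$" in i),
    ("lsarpc_pipe", lambda i: "create" in i and "lsarpc" in i),
)

def find_null_session_lsarpc(rows):
    """Return one finding per (src, dst) pair that completes all stages in order."""
    progress = defaultdict(list)  # (src, dst) -> packet numbers of stages hit so far
    findings = []
    for no, src, dst, proto, info in rows:
        if proto != "SMB":
            continue
        hits = progress[(src, dst)]
        if len(hits) < len(STAGES) and STAGES[len(hits)][1](info.lower()):
            hits.append(no)
            if len(hits) == len(STAGES):
                findings.append({"src": src, "dst": dst, "packets": list(hits)})
    return findings

if __name__ == "__main__":
    for f in find_null_session_lsarpc(parse_summary(SAMPLE_SUMMARY)):
        print(f"{f['src']} -> {f['dst']}: anonymous session, IPC$, lsarpc in packets {f['packets']}")
```

The authenticated user in packets 9 to 11 opens IPC$ and a different pipe, so it is not flagged; only the anonymous 10.10.0.15 to 10.10.0.2 sequence is reported.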

Well, now I have 2 good examples of watching traffic pass over the LAN.

I'm gonna go play with Ethereal. Be back later!

Oh yeah, I gotta rename the systems. I don't like vendor/model names... whatever.