All posts by joet3ch_admin

Traffic Flow Analysis

now that the SEKURE_LAB is done, I'm going to capture raw packets using ethereal. this will give me a great visualization of the actual traffic and what traffic is normal and which is not…

being able to look at traffic and spot suspicious activity is a must for network security. I am going to experiment on this tonight at the newbie level..

it's time to boot up the lan.. the win98 box isn't passing POST… I bet the display card is creepin' since the case is all bent. we can do without the machine for tonight.

ethereal just finished installing on AMD12, time for the fun!

I have analyzed the log after just performing a ping from intel350 to amd12: results!!

TOTAL – 91 packets

mostly packets coming in from the cisco routers and waps.

1 ARP packet from 10.10.0.2: who has 10.10.0.15? tell 10.10.0.2

then 1 ARP packet from 10.10.0.15 to 10.10.0.2 revealing its MAC address.

4 ICMP packets coming out of 10.10.0.2 flowing to 10.10.0.15
4 ICMP packets going back to 10.10.0.2 from 10.10.0.15

the ping created a good basic example.

Now I'm going to use Metasploit Framework 2.2 to run the Micro$oft LSASS MS04-011 Overflow exploit against 10.10.0.2 to see what it looks like inside of ethereal… shall be interesting to see an actual exploit do its thing on the wire..

RESULTS!

the 10.10.0.2 machine auto-rebooted after the LSASS message appeared in a popup.

a brief summary of the ethereal results:

10.10.0.2 sends dhcp inform to 255.255.255.255

10.10.0.2 sends a request for workgroup SEKURE
then we have a local master announcement from both machines
next an arp from 10.10.0.15 and then a response from 10.10.0.2
a lot of ACK and SYN packets back and forth

the most interesting parts are this:

the machines negotiate a session using SMB … then 10.10.0.15 logs onto 10.10.0.2 with user anonymous and then finds its way to \\10.10.0.2\IPC$ and then lsarpc
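The same sequence from the defender's side, as an added example that is not from the post: it tallies packets per protocol, like the ping breakdown above, and flags any host pair that walks through anonymous logon, IPC$ tree connect and lsarpc pipe open in that order. The "src dst proto info" summary format and the sample lines are constructed and simplified, not real Ethereal output.

```python
import re
from collections import Counter

# Constructed samples in a simplified "src dst proto info" form, modelled on
# the Ethereal summary pane described in the post (not real capture output).
PING_CAPTURE = r"""
10.10.0.2 10.10.0.15 ARP Who has 10.10.0.15? Tell 10.10.0.2
10.10.0.15 10.10.0.2 ARP 10.10.0.15 is at 00:0c:29:11:22:33
10.10.0.2 10.10.0.15 ICMP Echo (ping) request
10.10.0.15 10.10.0.2 ICMP Echo (ping) reply
"""
LSASS_CAPTURE = r"""
10.10.0.2 255.255.255.255 DHCP DHCP Inform
10.10.0.15 10.10.0.2 SMB Negotiate Protocol Request
10.10.0.15 10.10.0.2 SMB Session Setup AndX Request, User: anonymous
10.10.0.2 10.10.0.15 SMB Session Setup AndX Response
10.10.0.15 10.10.0.2 SMB Tree Connect AndX Request, Path: \\10.10.0.2\IPC$
10.10.0.2 10.10.0.15 SMB Tree Connect AndX Response
10.10.0.15 10.10.0.2 SMB NT Create AndX Request, Path: \lsarpc
10.10.0.15 10.10.0.2 DCERPC Bind: call_id: 1
"""

def parse(capture):
    """Yield (src, dst, proto, info) from each summary line."""
    for line in capture.strip().splitlines():
        src, dst, proto, info = line.split(maxsplit=3)
        yield src, dst, proto, info

def protocol_counts(capture):
    """Baseline view: packets per protocol, like the post's ping breakdown."""
    return Counter(proto for _, _, proto, _ in parse(capture))

# The three SMB steps the post saw right before the LSASS popup and reboot.
STAGES = [
    ("anonymous logon", re.compile(r"Session Setup.*User: anonymous", re.I)),
    ("IPC$ tree connect", re.compile(r"Tree Connect.*\\IPC\$", re.I)),
    ("lsarpc pipe open", re.compile(r"NT Create.*\\lsarpc", re.I)),
]

def find_null_session_lsarpc(capture):
    """Return (src, dst) pairs that walked through all STAGES in order."""
    progress, hits = {}, []  # progress: (src, dst) -> next stage expected
    for src, dst, proto, info in parse(capture):
        key = (src, dst)
        stage = progress.get(key, 0)
        if stage < len(STAGES) and STAGES[stage][1].search(info):
            progress[key] = stage + 1
            if progress[key] == len(STAGES):
                hits.append(key)
    return hits
```

The ping sample produces only ARP and ICMP counts and no hit; the LSASS sample reports the single pair 10.10.0.15 -> 10.10.0.2.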

Well now I have 2 good examples of watching traffic pass over the lan.

I'm gonna go play with ethereal .. be back later!

Oh yeah, I gotta rename the systems.. I don't like vendor/model … whatever

Security Toolkit

-+-.Security Toolkit.-+-

  • .software. –

    [.m$.]
    -AdAware
    -AVG
    -BHODeamon
    -HiJackThis
    -MS AntiSpyware
    -Spybot
    -StartupList
    -HexEdit
    -WildPackets IPSubnetCalc
    -Metropipe Portable Linux
    -ActivePorts
    -Cain
    -d3tr
    -ethereal
    -HTTPSnoop
    -IDServe
    -MS Baseline Analyzer
    -NetCat
    -NetStumbler
    -Nmap
    -PortDetective
    -ProbeTS
    -PowerScan
    -Snort
    -TrendMicro AV Scanner
    -VNC
    -WinArpSpoofer
    -WinPcap
    -mIRC
    -Putty/PSCP
    -Servu-FTP
    -SSH
    -SolarWinds TFTP Server
    -WS_FTP
    -Xchat
    -Retina
    -VMWare Workstation

    [.nix.]
  • .Live Distros. –
    -Ubuntu
    -HOACD
    -SuperPE
    -NST
    -STD
    -Auditor
    -PHLAK
    -SuSe Linux
    -FreeBSD
  • .hardware-n-accessories. –

BACKPACK
-Memory Reader USB
-Digital Camera
-Swiss Army Knife
-Gerber Tool
-PCMCIA 10/100 NIC
-PCMCIA 802.11b NIC
-Mini First Aid Kit
-Headphones/mic
-USB Mouse
-Pens/sharpie
-Serial > RJ45 Adapter
-RJ11 Phone Line
-CAT5 Cable
-Crossover Cat5 Cable
-Fiber Cable
-Cisco 1000BaseSX Module
-Cisco GBIC Module
-USB > mini cable
-USB Extension Cable
-Laptop Lock
-TabletPC w/charger
-Folders for Hardcopies
-Blank: CD-Rs/CD-RWs/DVD-RWs/DVD-Rs
-Floppy Disk
-Memory Stick
-Compact Flash
-Secure Digital
-USB Flash Memory Stick
-USB Hard Drive

SECOND TOOL BAG
-HUB
-serial and console cables
-CAT5 Cables
-PCI 10/100 NIC
-TechAID Troubleshooter PCI Adapter
-Screwdrivers
-Cutters
-Wrenches
-Pliers
-Wire Cutters
-Tape Measure
-AntiStatic Wrist Bands
-Zip Ties
-Toner Cloth
-Spare WiFi Antenna
-Crimpers
-Punchdowns
-etc.etc. This bag gets everything the little bags can’t fit 🙂

HTTP Sniffing

just fooled around with HTTPSnoop. this app is neato! it allows you to capture all http traffic, which reveals logons/passwords, etc.

can't wait to battle the next hijacked browser I come across with this tool. gives you good visibility into behind-the-scenes web surfing.

until next time ….