now that the SEKURE_LAB is done, I'm going to capture raw packets using ethereal. this will give me a great visualization of the actual traffic and what traffic is normal and which is not…
being able to look at traffic and spot suspicious activity is a must for network security. i am going to experiment on this tonight at the newbie level..
its time to boot up the lan.. win98 box isn't passing POST… i bet the display card is creepin since the case is all bent. we can do without the machine for tonight.
ethereal just finished installing on AMD12, time for the fun!
i have analyzed the log after just performing a ping from intel350 to amd12 : results!!
TOTAL – 91 packets
mostly packets coming in from the cisco routers and waps.
1 ARP packet from 10.10.0.2: who has 10.10.0.15? tell 10.10.0.2
then 1 ARP packet from 10.10.0.15 to 10.10.0.2 revealing its MAC address.
4 ICMP packets coming out of 10.10.0.2 flowing to 10.10.0.15
4 ICMP packets going back to 10.10.0.2 from 10.10.0.15
the ping created a good basic example.
Now I'm going to use Metasploit Framework-.2.2 to use the Micro$oft LSASS MS04-011 Overflow exploit against 10.10.0.2 to see what it looks like inside of ethereal…. shall be interesting to see an actual exploit do its thing on the wire..
10.10.0.2 Machine auto rebooted after LSASS message appeared in a popup.
a brief summary of the ethereal results:
10.10.0.2 sends dhcp inform to 255.255.255.255
10.10.0.2 sends request for workgroup SEKURE
then we have a local master announcement from both machines
next an arp from 10.10.0.15 and then a response from 10.10.0.2
a lot of ACK and SYN packets back and forth
the most interesting parts are this:
the machines negotiate a session using SMB … then 10.10.0.15 logs onto 10.10.0.2 with user anonymous and then finds its way to \\10.10.0.2\IPC$ and then lsarpc
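Here is an added example (mine, not the author's, and not something ethereal ships) that turns the two captures above into the kind of check a defender would actually script: count packets per protocol to get a "normal" baseline like the ping run, and flag the ordered SMB sequence that shows up in the exploit run (anonymous logon, then a tree connect to IPC$, then opening the lsarpc pipe). The pipe-separated summary lines are constructed to mirror what the post describes, not real capture data, and the "Info" text only approximates what the ethereal/Wireshark packet list prints.

```python
"""Triage of ethereal/Wireshark-style packet-list summaries.

Added example, not code from the original post. The two captures below are
constructed to mirror what the post describes (ARP + ICMP for the ping; DHCP,
browser, ARP, TCP handshake, then SMB anonymous logon -> IPC$ -> lsarpc for
the LSASS exploit run); they are not real packet data. The 'no|src|dst|proto|info'
layout is this script's own, and the Info strings approximate ethereal's.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    no: int
    src: str
    dst: str
    proto: str
    info: str


# Constructed: baseline capture of a single ping, intel350 -> amd12.
PING_CAPTURE = r"""
1|10.10.0.2|Broadcast|ARP|Who has 10.10.0.15?  Tell 10.10.0.2
2|10.10.0.15|10.10.0.2|ARP|10.10.0.15 is at 00:00:5e:00:53:02
3|10.10.0.2|10.10.0.15|ICMP|Echo (ping) request
4|10.10.0.15|10.10.0.2|ICMP|Echo (ping) reply
5|10.10.0.2|10.10.0.15|ICMP|Echo (ping) request
6|10.10.0.15|10.10.0.2|ICMP|Echo (ping) reply
7|10.10.0.2|10.10.0.15|ICMP|Echo (ping) request
8|10.10.0.15|10.10.0.2|ICMP|Echo (ping) reply
9|10.10.0.2|10.10.0.15|ICMP|Echo (ping) request
10|10.10.0.15|10.10.0.2|ICMP|Echo (ping) reply
"""

# Constructed: the exploit run as the post summarises it, 10.10.0.15 -> 10.10.0.2.
EXPLOIT_CAPTURE = r"""
1|10.10.0.2|255.255.255.255|DHCP|DHCP Inform
2|10.10.0.2|10.10.0.255|BROWSER|Get Backup List Request, SEKURE
3|10.10.0.15|10.10.0.255|BROWSER|Local Master Announcement
4|10.10.0.2|10.10.0.255|BROWSER|Local Master Announcement
5|10.10.0.15|Broadcast|ARP|Who has 10.10.0.2?  Tell 10.10.0.15
6|10.10.0.2|10.10.0.15|ARP|10.10.0.2 is at 00:00:5e:00:53:01
7|10.10.0.15|10.10.0.2|TCP|1042 > 445 [SYN]
8|10.10.0.2|10.10.0.15|TCP|445 > 1042 [SYN, ACK]
9|10.10.0.15|10.10.0.2|TCP|1042 > 445 [ACK]
10|10.10.0.15|10.10.0.2|SMB|Negotiate Protocol Request
11|10.10.0.2|10.10.0.15|SMB|Negotiate Protocol Response
12|10.10.0.15|10.10.0.2|SMB|Session Setup AndX Request, User: anonymous
13|10.10.0.2|10.10.0.15|SMB|Session Setup AndX Response
14|10.10.0.15|10.10.0.2|SMB|Tree Connect AndX Request, Path: \\10.10.0.2\IPC$
15|10.10.0.2|10.10.0.15|SMB|Tree Connect AndX Response
16|10.10.0.15|10.10.0.2|SMB|NT Create AndX Request, Path: \lsarpc
17|10.10.0.2|10.10.0.15|SMB|NT Create AndX Response
"""


def parse_summary(text: str) -> List[Packet]:
    """Parse 'no|src|dst|proto|info' lines; blank lines are skipped."""
    packets = []
    for line in text.strip().splitlines():
        no, src, dst, proto, info = line.split("|", 4)
        packets.append(Packet(int(no), src, dst, proto, info))
    return packets


def protocol_counts(packets: List[Packet]) -> Dict[str, int]:
    """Per-protocol packet counts: the 'what does normal look like' baseline."""
    return dict(Counter(p.proto for p in packets))


def find_null_session_lsarpc(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Flag a client that logs on over SMB as 'anonymous', connects to IPC$ and
    then opens the lsarpc pipe, in that order, against one server. Returns
    (client, server, packet number of the lsarpc open) per hit. One stage
    counter is kept per client/server pair, so a bare anonymous logon or a
    bare IPC$ connect on its own does not trigger."""
    stage: Dict[Tuple[str, str], int] = {}
    hits = []
    for p in packets:
        if p.proto != "SMB":
            continue
        key = (p.src, p.dst)
        s = stage.get(key, 0)
        info = p.info.lower()
        if s == 0 and "session setup" in info and "user: anonymous" in info:
            stage[key] = 1
        elif s == 1 and "tree connect" in info and info.endswith("\\ipc$"):
            stage[key] = 2
        elif s == 2 and "create" in info and "lsarpc" in info:
            stage[key] = 3
            hits.append((p.src, p.dst, p.no))
    return hits


if __name__ == "__main__":
    for name, raw in (("ping", PING_CAPTURE), ("lsass exploit", EXPLOIT_CAPTURE)):
        pkts = parse_summary(raw)
        print(name, len(pkts), "packets", protocol_counts(pkts))
        for client, server, no in find_null_session_lsarpc(pkts):
            print(f"  ALERT: {client} -> {server} anonymous IPC$ + lsarpc at packet {no}")
```

The ping run comes out as nothing but ARP and ICMP with no alerts, while the exploit run trips the detector at the lsarpc open. Keying the state on the client/server pair is what keeps the check honest on a busy lan: an anonymous logon from one host and an IPC$ connect from another never add up to a hit.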
Well now I have 2 good examples of watching traffic pass over the lan.
I'm gonna go play with ethereal .. be back later!
Oh yeah, i gotta rename the systems.. i don't like vendor/model … whatever