Traffic Flow Analysis

Now that the SEKURE_LAB is done, I'm going to capture raw packets using Ethereal. This will give me a good view of the actual traffic, and of which traffic is normal and which is not…

Being able to look at traffic and spot suspicious activity is a must for network security. I am going to experiment with this tonight at the newbie level..

It's time to boot up the LAN.. the win98 box isn't passing POST… I bet the display card is creeping since the case is all bent. We can do without that machine for tonight.

Ethereal just finished installing on AMD12, time for the fun!

I have analyzed the log after performing a single ping from intel350 to amd12. Results!!

TOTAL – 91 packets

Mostly packets coming in from the Cisco routers and WAPs.

1 ARP packet from who has tell

then 1 ARP packet from to revealing its MAC address.

4 ICMP packets coming out of flowing to , then the ICMP packets going back to from

The ping created a good basic example.

Now I'm going to use Metasploit Framework 2.2 to run the Micro$oft LSASS MS04-011 overflow exploit against to see what it looks like inside Ethereal…. Shall be interesting to see an actual exploit do its thing on the wire..

RESULTS!@ The machine auto-rebooted after the LSASS message appeared in a popup.

A brief summary of the Ethereal results: sends a DHCP inform to , then sends a request for workgroup SEKURE.
Then we have a local master announcement from both machines.
Next an ARP from and then a response from 10.10.02.
A lot of ACK and SYN packets back and forth.

The most interesting parts are these:

The machines negotiate a session using SMB… then logs on to with the user anonymous, and then finds its way to \$ and then to lsarpc.
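As an added example (not the author's capture, and not Ethereal's own output), here is a small Python script that reads a classic pcap file using only the standard library and produces the kind of summary the author pulled out by eye for both captures above: per-protocol packet counts, the ARP "who has / is at" dialogue, pairing of each ICMP echo request with its reply (so a ping nobody answered shows up as unanswered), and per-flow packet and SYN counts for TCP, which is how the "lot of ACK and SYN packets" to the SMB port stand out. The sample traffic is constructed inline with placeholder addresses (10.10.0.1 and 10.10.0.2, made-up MACs); it is not the lab's real traffic.

```python
import struct
from collections import Counter

# Constructed sample traffic (not a capture from the author's lab): the ARP
# exchange plus four ICMP echo request/reply pairs that one "ping" produces,
# then a TCP handshake to port 445 (SMB). Every address is a placeholder.
SRC_MAC, DST_MAC = bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02")
SRC_IP, DST_IP = bytes([10, 10, 0, 1]), bytes([10, 10, 0, 2])
BCAST = b"\xff" * 6

def inet_checksum(data: bytes) -> int:  # RFC 1071 one's-complement sum
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp(op, sha, spa, tha, tpa):  # hw type 1, proto 0x0800, hw len 6, proto len 4
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def ipv4(src, dst, proto, payload):
    fields = [0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def icmp_echo(icmp_type, ident, seq, payload=b"abcdefgh"):
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def tcp(sport, dport, flags):  # checksum left 0: the summarizer never verifies it
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def build_pcap(frames):
    """Wrap Ethernet frames in a classic little-endian pcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_FRAMES = [
    ethernet(BCAST, SRC_MAC, 0x0806, arp(1, SRC_MAC, SRC_IP, b"\x00" * 6, DST_IP)),
    ethernet(SRC_MAC, DST_MAC, 0x0806, arp(2, DST_MAC, DST_IP, SRC_MAC, SRC_IP)),
]
for seq in range(4):
    SAMPLE_FRAMES.append(ethernet(DST_MAC, SRC_MAC, 0x0800, ipv4(SRC_IP, DST_IP, 1, icmp_echo(8, 1, seq))))
    SAMPLE_FRAMES.append(ethernet(SRC_MAC, DST_MAC, 0x0800, ipv4(DST_IP, SRC_IP, 1, icmp_echo(0, 1, seq))))
for src, dst, sport, dport, flags in [(SRC_IP, DST_IP, 1040, 445, 0x02),    # SYN
                                       (DST_IP, SRC_IP, 445, 1040, 0x12),    # SYN/ACK
                                       (SRC_IP, DST_IP, 1040, 445, 0x10)]:   # ACK
    smac, dmac = (SRC_MAC, DST_MAC) if src == SRC_IP else (DST_MAC, SRC_MAC)
    SAMPLE_FRAMES.append(ethernet(dmac, smac, 0x0800, ipv4(src, dst, 6, tcp(sport, dport, flags))))
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

def iter_frames(pcap: bytes):
    """Yield each frame from a pcap file, honouring the magic number's byte order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

ip_str = lambda b: ".".join(map(str, b))

def summarize(pcap: bytes) -> dict:
    proto, arps, flows, pending, pairs = Counter(), [], {}, {}, 0
    for frame in iter_frames(pcap):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0806:  # ARP: opcode at 20, sender MAC/IP at 22/28, target IP at 38
            proto["ARP"] += 1
            op = struct.unpack("!H", frame[20:22])[0]
            sha, spa, tpa = frame[22:28].hex(":"), ip_str(frame[28:32]), ip_str(frame[38:42])
            arps.append(f"who has {tpa}? tell {spa}" if op == 1 else f"{spa} is at {sha}")
        elif ethertype == 0x0800:  # IPv4 header starts at byte 14
            ihl, ip_proto = (frame[14] & 0x0F) * 4, frame[23]
            src, dst, l4 = ip_str(frame[26:30]), ip_str(frame[30:34]), frame[14 + ihl:]
            proto[{1: "ICMP", 6: "TCP"}.get(ip_proto, f"IP/{ip_proto}")] += 1
            if ip_proto == 1:
                ident, seq = struct.unpack("!HH", l4[4:8])
                if l4[0] == 8:  # echo request: hold it until the matching reply arrives
                    pending[(src, dst, ident, seq)] = True
                elif l4[0] == 0 and pending.pop((dst, src, ident, seq), None):
                    pairs += 1
            elif ip_proto == 6:  # one entry per (src, dst, dst port); SYNs counted separately
                dport = struct.unpack("!H", l4[2:4])[0]
                flow = flows.setdefault((src, dst, dport), {"packets": 0, "syn": 0})
                flow["packets"] += 1
                flow["syn"] += 1 if l4[13] & 0x02 else 0
        else:
            proto[hex(ethertype)] += 1
    return {"total": sum(proto.values()), "by_protocol": dict(proto), "arp": arps,
            "echo_pairs": pairs, "unanswered_echo": len(pending), "tcp_flows": flows}
```

Calling `summarize(SAMPLE_PCAP)` on the constructed sample gives 2 ARP, 8 ICMP and 3 TCP packets, four matched echo pairs, and two TCP flow entries (the handshake toward port 445 and the SYN/ACK coming back). A file saved from Ethereal in the classic pcap format can be fed in the same way with `summarize(open("capture.pcap", "rb").read())`; a host that is being pinged but never answers shows up as a non-zero `unanswered_echo`, and a burst of SYNs toward one port shows up in that flow's `syn` count.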

Well, now I have 2 good examples of watching traffic pass over the LAN.

I'm gonna go play with Ethereal.. be back later!

Oh yeah, I gotta rename the systems.. I don't like vendor/model… whatever.