Traffic Flow Analysis

Now that the SEKURE_LAB is done, I'm going to capture raw packets using Ethereal. This will give me a great visualization of the actual traffic and what traffic is normal and which is not…

Being able to look at traffic and spot suspicious activity is a must for network security. I am going to experiment on this tonight at the newbie level..

It's time to boot up the LAN.. the Win98 box isn't passing POST… I bet the display card is creeping since the case is all bent. We can do without the machine for tonight.

Ethereal just finished installing on AMD12, time for the fun!

I have analyzed the log after just performing a ping from intel350 to amd12: results!!

TOTAL – 91 packets

Mostly packets coming in from the Cisco routers and WAPs.

1 ARP packet from who has tell

then 1 ARP packet from to revealing its MAC address.

4 ICMP packets coming out of flowing to ICMP packets going back to from

The ping created a good basic example.

Now I'm going to use Metasploit Framework-.2.2 to use the Micro$oft LSASS MS04-011 Overflow exploit against to see what it looks like inside of Ethereal…. Shall be interesting to see an actual exploit do its thing on the wire..

RESULTS! The machine auto-rebooted after the LSASS message appeared in a popup.

A brief summary of the Ethereal results: sends DHCP Inform to sends request for workgroup SEKURE
Then we have a Local Master Announcement from both machines
Next an ARP from and then a response from 10.10.02
A lot of ACK and SYN packets back and forth

The most interesting part is this:

The machines negotiate a session using SMB… then logs onto with user anonymous, and then finds its way to \$ and then lsarpc.
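As an added example (not code from the original post), here is a small Python summarizer over Ethereal-style packet summary rows (No., Source, Destination, Protocol, Info) that codifies the two observations above: the ARP + ICMP exchange a plain ping produces, and the ordered SMB sequence (anonymous session setup, IPC$ tree connect, lsarpc bind) that showed up on the wire before the LSASS crash. The packet rows, hostnames and 10.10.0.x addresses are constructed placeholders, not the lab's capture, and the `Packet`, `summarize`, `ping_exchanges` and `smb_lsarpc_sequence` names are my own.

```python
"""Added example, not from the original post: a summarizer over Ethereal-style
packet summary rows. It codifies the two things observed above: the ARP + ICMP
exchange a plain ping produces, and the SMB sequence (anonymous session setup
-> IPC$ tree connect -> lsarpc bind) seen before the LSASS crash. The packet
rows and 10.10.0.x addresses below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str
    info: str


def summarize(packets):
    """Per-protocol packet tally, the first thing to eyeball in a capture."""
    return Counter(p.proto for p in packets)


def ping_exchanges(packets):
    """Pair each ICMP echo request with its reply (the 'normal ping' baseline).
    Returns (requester, target, got_reply) tuples; unanswered pings come last."""
    pending = {}
    paired = []
    for p in packets:
        if p.proto != "ICMP":
            continue
        if "Echo (ping) request" in p.info:
            pending[(p.src, p.dst)] = p.no
        elif "Echo (ping) reply" in p.info and (p.dst, p.src) in pending:
            del pending[(p.dst, p.src)]
            paired.append((p.dst, p.src, True))
    return paired + [(src, dst, False) for (src, dst) in pending]


# The ordered sequence seen on the wire: protocol, Info-column marker, detail
# (detail is matched case-insensitively against the Info column).
SMB_STEPS = (
    ("SMB", "Session Setup AndX Request", "anonymous"),
    ("SMB", "Tree Connect AndX Request", "ipc$"),
    ("DCERPC", "Bind", "lsarpc"),
)


def smb_lsarpc_sequence(packets):
    """Return (src, dst) pairs in which src walked through every SMB_STEPS entry,
    in order, against dst. That ordered pattern, not the overflow bytes, is what
    a sensor can cheaply alert on; the host itself is protected by patching."""
    progress = {}
    flagged = []
    for p in packets:
        key = (p.src, p.dst)
        step = progress.get(key, 0)
        if step == len(SMB_STEPS):
            continue
        proto, marker, detail = SMB_STEPS[step]
        if p.proto == proto and marker in p.info and detail in p.info.lower():
            progress[key] = step + 1
            if step + 1 == len(SMB_STEPS):
                flagged.append(key)
    return flagged


# Constructed capture, shaped like the summary pane described in the post.
CAPTURE = [
    Packet(1, "10.10.0.1", "Broadcast", "ARP", "Who has 10.10.0.2?  Tell 10.10.0.1"),
    Packet(2, "10.10.0.2", "10.10.0.1", "ARP", "10.10.0.2 is at 00:00:00:00:00:02"),
    Packet(3, "10.10.0.1", "10.10.0.2", "ICMP", "Echo (ping) request"),
    Packet(4, "10.10.0.2", "10.10.0.1", "ICMP", "Echo (ping) reply"),
    Packet(5, "10.10.0.1", "10.10.0.2", "ICMP", "Echo (ping) request"),
    Packet(6, "10.10.0.2", "10.10.0.1", "ICMP", "Echo (ping) reply"),
    Packet(7, "10.10.0.1", "10.10.0.2", "TCP", "1040 > 445 [SYN]"),
    Packet(8, "10.10.0.2", "10.10.0.1", "TCP", "445 > 1040 [SYN, ACK]"),
    Packet(9, "10.10.0.1", "10.10.0.2", "TCP", "1040 > 445 [ACK]"),
    Packet(10, "10.10.0.1", "10.10.0.2", "SMB", "Negotiate Protocol Request"),
    Packet(11, "10.10.0.2", "10.10.0.1", "SMB", "Negotiate Protocol Response"),
    Packet(12, "10.10.0.1", "10.10.0.2", "SMB", "Session Setup AndX Request, User: anonymous"),
    Packet(13, "10.10.0.2", "10.10.0.1", "SMB", "Session Setup AndX Response"),
    Packet(14, "10.10.0.1", "10.10.0.2", "SMB", "Tree Connect AndX Request, Path: \\\\10.10.0.2\\IPC$"),
    Packet(15, "10.10.0.2", "10.10.0.1", "SMB", "Tree Connect AndX Response"),
    Packet(16, "10.10.0.1", "10.10.0.2", "DCERPC", "Bind: call_id: 1 UUID: lsarpc"),
]


if __name__ == "__main__":
    print("protocols:", dict(summarize(CAPTURE)))
    print("pings:", ping_exchanges(CAPTURE))
    print("anonymous SMB -> IPC$ -> lsarpc from:", smb_lsarpc_sequence(CAPTURE))
```

The ping helper gives the "normal" baseline (two ARP frames, then matched echo request/reply pairs); the SMB helper is the kind of ordered-pattern rule you would turn into a sensor signature, since an anonymous session that goes straight to IPC$ and lsarpc is rarely legitimate workstation traffic.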

Well, now I have 2 good examples of watching traffic pass over the LAN.

I'm gonna go play with Ethereal.. be back later!

Oh yeah, I gotta rename the systems.. I don't like vendor/model… whatever

Security Toolkit

-+-.Security Toolkit.-+-

  • .software. –

    -MS AntiSpyware
    -WildPackets IPSubnetCalc
    -Metropipe Portable Linux
    -MS Baseline Analyzer
    -TrendMicro AV Scanner
    -SolarWinds TFTP Server
    -VMWare Workstation

  • .Live Distros. –

    -SuSe Linux

  • .hardware-n-accessories. –

    -Memory Reader USB
    -Digital Camera
    -Swiss Army Knife
    -Gerber Tool
    -PCMCIA 10/100 NIC
    -PCMCIA 802.11b NIC
    -Mini First Aid Kit
    -USB Mouse
    -Serial > RJ45 Adapter
    -RJ11 Phone Line
    -CAT5 Cable
    -Crossover Cat5 Cable
    -Fiber Cable
    -Cisco 1000BaseSX Module
    -Cisco GBIC Module
    -USB > mini cable
    -USB Extension Cable
    -Laptop Lock
    -TabletPC w/charger
    -Folders for Hardcopies
    -Blank: CD-Rs/CD-RWs/DVD-RWs/DVD-Rs
    -Floppy Disk
    -Memory Stick
    -Compact Flash
    -Secure Digital
    -USB Flash Memory Stick
    -USB Hard Drive

    -serial and console cables
    -CAT5 Cables
    -PCI 10/100 NIC
    -TechAID Troubleshooter PCI Adapter
    -Wire Cutters
    -Tape Measure
    -AntiStatic Wrist Bands
    -Zip Ties
    -Toner Cloth
    -Spare WiFi Antenna
    -etc.etc. This bag gets everything the little bags can’t fit 🙂

HTTP Sniffing

Just fooled around with HTTPSnoop. This app is neato! It allows you to capture all HTTP traffic, which reveals logons/passwords, etc.

Can't wait to battle the next hijacked browser I come across with this tool. It gives you good visibility into behind-the-scenes web surfing.

until next time ….