Thread: Sniffing (Windump and pcap)

  1. #1

    Sniffing (Windump and pcap)

    I'm trying to do an internal pen test and here's my dilemma...
    I compromise a (Windows) machine and have cmd line access. I want to start sniffing traffic coming from and to the machine. How do I do that? As far as I know windump is the way to go, but it needs winpcap to run properly. The winpcap install is GUI based. How do I get that on the system to allow me to sniff traffic?

    Or is there another, better way to do this, perhaps with a different sniffer?

    Thanks!

  2. #2
    MrLinus (Just a Virtualized Geek)
    Ethereal might be more user friendly. I have seen inconsistencies with using the CLI windump (flaky?)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    But doesn't Ethereal have a GUI set up and require pcap? Remember I'm on a Windows box with strictly cmd line access.

    If you know of a version of Ethereal that meets these requirements, can you send me the link please?

  4. #4
    MrLinus (Just a Virtualized Geek)
    I believe tethereal is installed with it. tethereal man page

  5. #5
    Senior Member
    Why don't you just do the sniffing from your main computer? Ethereal can sniff a network with a hub; switched or routed networks will need something else.
    Unfortunately for most Windows users very few programs can be installed from the cml.
    In fact winpcap can ONLY be installed from the GUI, and all sniffers for Windows are going to need it or Windows won't know how to display the information of the raw packets or be able to set the device into promiscuous mode.
    What's a "START" button?

  6. #6
    Senior Member
    There are lots of sniffers written for Win/DOS that don't need winpcap.

    http://packetstormsecurity.nl/sniffers/buttsniffer/

    But unfortunately, because of its Back Orifice connection, AV picks it up as a hacktool.

    http://www.zone-h.org/download/file=4279/

    Symantec seems to leave ngsniff alone.

    winpcap also has a version that installs from the command line.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Winpcap will require a reboot, as well, to load the drivers. Tedob1's suggestions are probably the best, if you can get them past the AV protection.

    Since you are doing an internal pen-test, I expect that you want to leave as few traces behind as possible and cause the least system disruption, as part of the test. Anything that can be run from the command window, and on removable media, without installation is preferred.

    WinDump does require winpcap, so it won't work in this case.

  8. #8
    Senior Member
    I did not say NONE can be installed from cml.

    In order to get programs onto this computer you're going to have to ftp everything, unless you have another program already installed on the cml Windows box, which may be picked up by anti-virus/firewall if it sees the connection is being started by a foreign IP address.

    It all sounds like "rat" or some other command line backdoor is being used, and Trench_Rot may just be wanting to monitor the traffic on someone else's connection.

    Either way I don't care. The fact of the matter is ANY program installed on Windows having to do with IP traffic will require a reboot of the system in order to load, OR they will need to be run from cml, in which case spyware/anti-virus may pick up the new process... depending what is running. There's a thousand "IF" situations.

    Best situation is you manage to ftp files to the computer that require no reboot, and won't be sought as virus/spyware. You run the sniffers (I assume you will delete the logs to leave less traces, or upload to a remote server for further viewing).

    DOS cml doesn't have a lot to offer for pen testing though. Honestly you'd be better using something like Knoppix, NST, PHLAK, or even F.I.R.E. These are bootable CDs that will allow you to test an entire network from one computer.

    Last bit of two cents:
    If you are trying to watch what someone else is doing (ex, friend, enemy) just remember the ISP the connections go through logs everything, and if this person calls their ISP up saying their computer is acting strange and new files start showing up (winpcap, tethereal, buttsniffer, etc.) chances are the ISP will check things out.

    Other than that Tedob1 gave some good links, might also want to try sourceforge.net and freshmeat.net and search for sniffers.