Sniffing (Windump and pcap)
Results 1 to 8 of 8

Thread: Sniffing (Windump and pcap)

  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    42

    Sniffing (Windump and pcap)

    I'm trying to do an internal pen test and here's my dilemma...
    I compromise a (Windows) machine and have cmd line access. I want to start sniffing traffic coming from and to the machine. How do I do that. As far as i know windump is the way to go, but it needs winpcap to run properly. The winpcap install is gui based. How do I get that on the system to allow me to sniff traffic.

    Or is there another, better way to do this, perhaps with a different sniffer?

    Thanks!

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Ethereal might be more user friendly. I have seen inconsitencies with using the CLI windump (flaky?)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    42
    but doesn't ethereal have a gui set up and require pcap? Remember I'm on a windows box with strictly cmd line access.

    If you know of a version of ethereal that meets these requirement can you send me the link please.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I believe tethereal is installed with it. tethereal man page
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    Why don't you just do the sniffing from your main computer? Ethereal can sniff a network with a hub. switched or routed networks will need something else.
    Unfortunately for most windows users very few programs can be installed from the cml.
    In fact winpcap can ONLY be installed from the GUI and all sniffers for windows are going to need it or windows won't know how to display the information of the raw packets or be able to set the device into permiscuous mode.
    Whats a \"START\" button?

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    there are lots of sniffers written for win/dos that dont need winpcap.

    http://packetstormsecurity.nl/sniffers/buttsniffer/

    but unfortunatly because of its backorafice connection AV picks it up as a hacktool.

    http://www.zone-h.org/download/file=4279/

    symantec seems to leave ngsniff alone

    winpcap also has a version that installs from the command line
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    Winpcap will require a reboot, as well, to load the drivers. Tedob1's suggestions are probably the best, if you can get them past the AV protection.

    Since you are doing an internal pen-test, I expect that you want to leave as few traces behind as possible and cause the least system disruption, as part of the test. Anything that can be run from the command window, and on removable media, without installation is preferred.

    WinDump does require winpcap, so it won't work in this case.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    I did not say NONE can be installed from cml.

    In order to get programs onto this computer your going to have to ftp everything, unless you have another program already installed on the cml windows box, which may be picked up by anti-virus/firewall if it sees the connection is being started by a foriegn ip address.

    It all sounds like "rat" or some other command line backdoor is being used and Trench_Rot may just be wanting to monitor the traffic on someone elses connection.

    Either way I don't care. The fact of the matter is ANY program installed on windows having to do with ip traffic will require a reboot of the system in order to load OR they will need to be ran from cml, in which case spyware/anti-virus may pick up the new process...depending what is running. theres a thousand "IF" situations.

    Best situation is you manage to ftp files to the computer that require no reboot, and won't be saught as virus/spyware. You run the sniffers (I assume you will delete the logs to leave less traces, or upload to a remote server for further viewing)

    Dos cml doesnt have a lot to offer for pen testing though. Honestly you'd be better using something like knoppix, nst, phlak, or even F.I.R.E. These are bootable cd's that will allow you to test an entire network from one computer.

    Last bit of two cents:
    If you are trying to watch what someone else is doing (ex, friend, enemy) just remember the ISP the connections go through log everything, and if this person calls their isp up saying there computer is acting strange and new files start showing up (winpcap, tethereal, buttsniffer..etc) chances are the isp will check things out.

    Other than that Tedob1 gave some good links, might also want to try sourceforge.net and freshmeat.net and search for sniffers.
    Whats a \"START\" button?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •