Welcome to a lesson on using Nmap and Wireshark together.
Like Nmap, Wireshark is an amazing free network analysis tool. It's a full-featured protocol analyzer with capabilities that extend far beyond the scope of this course. With that said, though, this lesson is intended to encourage you to install and/or use Wireshark during your Nmap scanning, so you'll be able to see how Nmap sends out its probes, manipulates packet headers and generally crafts TCP/IP packets.
Here are the learning objectives for this lesson.
First, we'll talk about what Wireshark is and a little about its history and use.
Next, we'll talk about why we, as IT professionals, should use it.
Then we'll discuss why you should consider playing around with Wireshark alongside Nmap. And finally, we'll do a lab on just that.
For most of you learning about Nmap, Wireshark is probably a tool with which you are very familiar. In the bad old days of network analysis, packet sniffers were really expensive and hard to come by.
Wireshark, which was originally called Ethereal, changed all that.
Officially, Wireshark is a network protocol analyzer that lets you capture and interactively browse traffic running on a computer network. It's free and open source.
The biggest thing I want to mention here is that Wireshark is really amazing, but the way that TCP/IP works on a switched network can limit its effectiveness.
Specifically, just because you place a protocol analyzer like Wireshark on a network and tell it to listen to network traffic doesn't mean that all traffic will be seen in it.
In order for Wireshark to capture all traffic on a network, it must be set to listen promiscuously, and it must be running on a hub, which repeats all traffic, or on a SPAN or mirrored port on a switch.
If you're a network administrator, these are definitely things you could make happen if you choose, but you probably won't want to on a production network just for the sake of learning Nmap.
Just because this limitation exists, though, doesn't mean that Wireshark is useless. Much to the contrary: our Wireshark captures in this lesson will be set up from the receiving end. We'll install Wireshark on the target host, then run some scans, then filter and evaluate the results.
So why use Wireshark? There are a million uses for Wireshark, even on a switched Ethernet network,
and this is true for both network administrators and information security professionals.
In most cases, Wireshark is used for troubleshooting communication between a specific sender and recipient.
I've personally used it a lot to troubleshoot VPN and remote connectivity issues, VoIP and SIP issues, and everyday switching and DHCP issues.
For infosec professionals, Wireshark can be an effective tool for investigation.
For example, if you have reason to believe that a host on your network has been compromised and want to gather evidence about the breach, you might set up a Wireshark capture to determine the source and nature of that breach.
This can help you figure out how to mitigate the threat, and it can provide you solid network forensic evidence in case you need to bring in law enforcement and build a case.
Using Wireshark on an Nmap scanning station or on a target host can be very informative and educational; it gives you the opportunity to see how Nmap crafts and sends its probes and how they're received.
Since the purpose of this course is to dig deeper into Nmap, I think that introducing you to Wireshark's use with Nmap is very fitting.
We've covered basics about TCP/IP, along with some of the details about TCP and UDP headers, in previous lessons.
Using Wireshark with Nmap will allow you to see what the TCP and UDP packets look like as they're crafted and placed on the wire.
Doing this is not only educational, but it also helps you gain a healthy respect for Nmap's efficiency and speed.
Okay, so in the lab, we're gonna run through a couple of scans and look at the raw packets using Wireshark. We haven't really covered scan techniques, though, so don't get caught up too much in the Nmap commands. I'll explain them as I run them, but just know that we'll go into them in much more detail later. The main point here is just to encourage you to consider running Wireshark on your scanning station or on selected targets, so that you can see what Nmap is doing when you run scans.
In this lab, we're going to run three Nmap scans. First, we'll run a default Nmap scan, which is a TCP SYN scan of 1000 ports.
Second, we'll run a UDP scan of a couple of specific ports, and finally we'll run an Nmap Xmas scan, which sets the TCP FIN, PSH and URG flags.
I'll point out the difference between capture filters and display filters, and I'll give you some basic syntax for filtering in Wireshark.
The last bullet point here is a link to a really, really good cheat sheet for filtering in Wireshark. Let's do it.
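The three probe types just described (bare SYN, UDP, and Xmas with FIN+PSH+URG) and the Wireshark display-filter syntax for picking each one out of a capture, as an added example that is not part of the original lesson: a small Python decoder that reads the flags byte of constructed TCP/UDP headers on the target side, labels each probe, and emits the matching display filter. The sample headers are constructed here, not captured traffic; the target address 192.168.1.10 is the lab's target host.

```python
import struct
from collections import Counter

# TCP flag bits as they sit in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Wireshark display-filter syntax for each probe type covered in the lab
DISPLAY_FILTERS = {
    "syn": "tcp.flags.syn == 1 && tcp.flags.ack == 0",
    "xmas": "tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1",
    "udp": "udp",
}

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (sample data, not a real capture)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def build_udp_header(sport, dport):
    """Constructed 8-byte UDP header with an empty payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify_probe(proto, header):
    """Label one probe as the target host hears it: 'syn' (bare SYN, the
    default scan), 'xmas' (FIN+PSH+URG, -sX), 'udp' (-sU), else 'other'
    (for example a SYN/ACK or RST/ACK reply coming back from the target)."""
    if proto == "udp":
        return "udp"
    flags = header[13]
    if flags == SYN:
        return "syn"
    if flags == FIN | PSH | URG:
        return "xmas"
    return "other"

def display_filter(kind, target):
    """Display filter narrowed to probes aimed at the target host's IP."""
    return f"({DISPLAY_FILTERS[kind]}) && ip.dst == {target}"

def summarize(packets):
    """Count probe kinds in a list of (proto, header) tuples."""
    return Counter(classify_probe(p, h) for p, h in packets)

# Constructed packets standing in for what the target host would hear
SAMPLE = [
    ("tcp", build_tcp_header(40001, 80, SYN)),
    ("tcp", build_tcp_header(40001, 443, SYN)),
    ("tcp", build_tcp_header(80, 40001, SYN | ACK)),  # open-port reply
    ("udp", build_udp_header(40002, 53)),
    ("tcp", build_tcp_header(40003, 22, FIN | PSH | URG)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(display_filter("xmas", "192.168.1.10"))
```

Paste the string that display_filter returns into the display filter bar (not the capture filter bar) to narrow an existing capture without discarding the other packets.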
All right, so welcome to the lab on running Wireshark and Nmap together.
So let's just jump right in. Just to set the stage,
I'm sitting here on a Windows 10 Nmap scanning station,
and the machine that I'm running Wireshark on, which is the target host, is a Windows 2012 Server,
and I am remote desktopped into it.
You can see that here at the bottom. I'll go ahead and pop that up.
So here's that machine.
So the Nmap scanning station's IP address is
and the IP address of the target host is
All right, I'll clear the screen.
Really, I wanted to diagram this out, but since it's only two machines, I figure you can follow just fine.
Let's go ahead and open up Nmap, and I'll fire up Wireshark.
This machine is not extremely powerful, so it might take a little bit of time.
If you install Wireshark on your machine, you might see more than just one adapter here. I just have one. It's called Physical because this machine runs some virtual machines also.
The first thing I want to point out is that you see right here it says "Capture using this filter". For everything that I show you from now on, you type your filtering commands here in the capture filter, and the commands up here go in your display filter.
Anything that you type here applies once you run your Wireshark capture. If you enter it in your capture filter, basically Wireshark will only listen for those filtered packets.
I'll show you in a second what the display filters look like. The display filters, on the other hand, will capture everything, but when you type in your display filter, you see, out of that list of everything, just the stuff that you want to see. So in this lab, we're gonna focus on display filters and not capture filters. That's the main point that I wanted to make.
So the first thing that you want to do is select your network adapter, then click on Options.
And then the main thing that you want to make sure is checked is this Promiscuous checkbox.
Up here, in my case, it's already selected, so I'm just gonna leave it as it is.
So the next thing you want to do is up here: you see the little shark fin. We're gonna go ahead and click on that,
and you see that it's already started capturing packets.
So I'm going to go back to my scanning station.
All I'm going to do in this first scan is a standard default Nmap scan of that target host, which is at 192.168.1.10. So we'll run Nmap against it at 192.168.1.10.
The scan is very quick. There you go.
Now, stop the capture.
If we scroll up on this top window, you see all the traffic that's going on, or all the traffic that has been heard by the target host.
It's all really good information, but it might be receiving some broadcasts; it might have some other unicast traffic or some multicast traffic. So
one of the most powerful things about Wireshark is the ability to filter the display.
The traffic that is displayed here