Okay, now that we've got a remote desktop connection available and a persistent neck yet,
another thing we want to think about is sniffing the traffic on this remote host on the victim host.
And if you're connected remotely, you gotta reverse connection through a firewall. Obviously, it's gonna be difficult thing to do. So weaken. Luckily, we can run a sniffer directly through the interpreter shell.
So what I do is first all verifying
that I have a system level account, which I do.
And I've just loaded the sniffer extension.
If I run the help command, you'll notice that all of my sniffer commands now appear
at the bottom of my help screen.
So the first thing I want to do is look at my interfaces.
We got three interfaces.
Looks like from the ones I see here, this is the one that's actually hosting my connection.
So what I want to do now is start sniffing on that
interface so super it's never start three.
It's telling me that it started to capture some packets,
and when I could do is I could, for instance,
I could tell that
I could go back to my uh,
connection. Run. A director of command generates in traffic.
Still capturing packets.
Uh, I want to do now, though, is dunk those packets so I can run sniffer dump,
uh, interface three. And I'm gonna give it a
path. So Route
desktop. I'll call this sniff The cap
Looks like a captured 375 packets that would include a bunch of the you know, whatever connections that system is has going on, whatever day is going in and out, plus whatever information I just generated
and what I can then do is stop sniffing
Since I and we see that that's never gonna cap file, uh, showed up here.
So I might say that my my, uh, sniffing is done. Something to stop sniffing on Interface three.
Now, what I want to do is launch wire shock
so I could actually look at my packet capture and see what I've got.
I could open a file,
uh, my route. Just top. I've got sniffed out caps. I'll go ahead and open that.
It's got a full screen
and we can see that captured
375 packets, as it said,
and his information here looks like some net bios. Some are queries. Cem Veum, Air Traffic.
It's possible that this the system would be connecting to other systems, and I could therefore inspect all that traffic.
If you haven't used winner short before, it's ah, great tool,
and you can go into any particular packet and analyze all of its members. You can look at the flags, look at all the source
and sore sport, source, address, destination, poor destination address and so on.
And you can see anything you want to know about any given packet that you've decided to analyze.
All right, So, having a sniffers, they're useful. And
as long as the interpreter Shell is active, you can start and stop the sniffer
all the while dumping the traffic back to your local machine for subsequent analysis.
All right, see, in the next section.