Part 8 - Sniffing the VICTIM's Packets


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:03

Now that we've got a remote desktop connection available and a persistent Netcat listener, another thing we want to think about is sniffing the traffic on this remote host, on the victim host. If you're connected remotely and you've got a reverse connection through a firewall, obviously it's going to be a difficult thing to do. So locally, we can run a sniffer directly through the Meterpreter shell.

So what I do is first I'll verify that I have a system-level account, which I do, and I've just loaded the sniffer extension. If I run the help command, you'll notice that all of my sniffer commands now appear at the bottom of my home screen.

So the first thing I want to do is look at my interfaces. I've got three interfaces. Looks like, from the ones I see here, this is the one that's actually hosting my connection. What I want to do now is start sniffing on that interface. So sniffer start three. It's telling me that it started to capture some packets.

What I can do is, for instance, I could tell that, whoops. I could go back to my connection; a directory command generates some traffic. Still capturing packets.

What I want to do now, though, is dump those packets. So I can run sniffer dump interface three, and I'm going to give it a path. So root desktop, and I'll call this sniff.cap. It looks like it captured 375 packets. That would include a bunch of whatever connections our system has going on, whatever data is going in and out, plus whatever information I just generated.

What I can then do is stop sniffing. We see that the sniff.cap file showed up here. So I might say that my sniffing is done, so I'm going to stop sniffing on interface three.

Now, what I want to do is launch Wireshark so I can actually look at my packet capture and see what I've got. I can open a file on my root desktop, I've got sniff.cap, so I'll go ahead and open that. Let's go to full screen. We can see that I've captured 375 packets, as it said. There's information here; looks like some NetBIOS, some ARP queries, some VMO traffic. It's possible that this system would be connecting to other systems, and I could therefore inspect all that traffic.

If you haven't used Wireshark before, it's a great tool. You can go into any particular packet and analyze all these parameters. You can look at the flags, look at the source port, source address, destination port, destination address, and so on. You can see anything you'd want to know about any given packet that you've decided to analyze.

Having a sniffer is very useful. As long as the Meterpreter shell is active, you can start and stop the sniffer, all the while dumping the traffic back to your local machine for subsequent analysis.

All right, see you in the next section.