Part 8 - Sniffing the VICTIM's Packets

Video Transcription
00:04
Okay, now that we've got a remote desktop connection available and a persistent netcat
00:10
listener,
00:12
another thing we want to think about is sniffing the traffic on this remote host on the victim host.
00:18
And if you're connected remotely, you've got a reverse connection through a firewall. Obviously, it's gonna be a difficult thing to do. Luckily, we can run a sniffer directly through the Meterpreter shell.
00:30
So what I do is, first of all, verify
00:33
that I have a system level account, which I do.
00:39
And I've just loaded the sniffer extension.
00:42
If I run the help command, you'll notice that all of my sniffer commands now appear
00:49
at the bottom of my help screen.
00:52
So the first thing I want to do is look at my interfaces.
00:57
We got three interfaces.
00:59
Looks like from the ones I see here, this is the one that's actually hosting my connection.
01:10
So what I want to do now is start sniffing on that
01:15
interface, so sniffer_start 3.
01:19
It's telling me that it started to capture some packets,
01:22
and what I could do is, for instance,
01:27
I could tell that
01:30
whoops,
01:38
I could go back to my uh,
01:41
connection. Run a directory command, generate some traffic.
01:47
Still capturing packets.
01:49
What I want to do now, though, is dump those packets, so I can run sniffer_dump,
01:55
interface 3, and I'm gonna give it a
01:57
path. So root,
02:00
Desktop. I'll call this sniff.cap.
02:07
Looks like it captured 375 packets. That would include a bunch of, you know, whatever connections that system has going on, whatever data is going in and out, plus whatever information I just generated,
02:23
and what I can then do is stop sniffing
02:27
and we see that the sniff.cap file showed up here.
02:32
So I'd say that my sniffing is done, so I'm going to stop sniffing on interface 3.
02:42
Now, what I want to do is launch Wireshark
02:46
so I could actually look at my packet capture and see what I've got.
02:53
I could open a file,
02:55
my root/Desktop. I've got sniff.cap. I'll go ahead and open that.
03:00
It's got a full screen
03:05
and we can see that it captured
03:08
375 packets, as it said,
03:13
and this information here looks like some NetBIOS, some ARP queries, some VMware traffic.
03:21
It's possible that this system would be connecting to other systems, and I could therefore inspect all that traffic.
03:29
If you haven't used Wireshark before, it's a great tool,
03:34
and you can go into any particular packet and analyze all of its members. You can look at the flags, look at the source
03:40
port, source address, destination port, destination address and so on.
03:46
And you can see anything you want to know about any given packet that you've decided to analyze.
03:53
All right. So, having a sniffer there is useful, and
03:57
as long as the Meterpreter shell is active, you can start and stop the sniffer
04:01
all the while dumping the traffic back to your local machine for subsequent analysis.
04:08
All right, see you in the next section.