CEH v7 lab manual PDF




















Before starting this lab, log in to the virtual machine(s). On the host machine, launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop. Click Wireshark to launch the application.

The Wireshark main window appears. The Wireshark Capture Interface window appears. The interface should show some packets passing through it, as it is connected to the network. The traffic shows the packets generated by the computer while browsing the Internet. Stop the running live capture by clicking the icon on the toolbar.

Module 08 - Sniffers

Now, go to Edit and click Find Packet.

The Wireshark: Find Packet window appears (Filter: pwd). Click Find. Wireshark doesn't send packets on the network or do other active things, except for name resolutions, but even that can be disabled. Wireshark will now display the sniffed password from the captured packets.

Lab Analysis

Analyze and document the results related to the lab exercise. Evaluate the protocols that are supported by Wireshark. Determine the devices Wireshark uses to capture packets. By merely capturing enough packets, attackers can extract the user name and password if the victim authenticates on a public network, especially into a website without an HTTPS connection. As a preventive measure, an administrator of an organization should always advise employees not to provide sensitive information on public networks without an HTTPS connection.

Man-in-the-middle attacks come in many variations and can be carried out on a switched LAN.

1. Launch your Windows Server virtual machine (Victim Machine).
2. Launch your Windows 8 virtual machine (Attacker Machine).
3. On the host machine (Windows Server), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

It can also be used for substitution attacks that can actively manipulate data. To configure the Ethernet card, click Configure from the menu bar. The Configuration Dialog window appears.

The Configuration Dialog window consists of several tabs. Click the Sniffer tab to select the sniffing adapter. Select Adapter and click Apply and then OK. Only Ethernet adapters are supported. It is in this window that we select our victim(s). Now click the Sniffer tab. Select All hosts in my subnet and check the All Tests check box. After scanning is completed, a list of detected MAC addresses is displayed.

Click the APR tab at the bottom of the main window. To monitor the traffic between two computers, select

APR enables you to hijack IP traffic between the selected host on the left list and all selected hosts on the right list in both directions. If a selected host has routing capabilities, WAN traffic will be intercepted as well. Please note that since your machine does not have the same performance as a router, you could cause DoS if you set APR between your Default Gateway and all other hosts on your LAN.

Many Windows applications use this feature; Internet Explorer, Outlook and Outlook Express, for example, store user names and passwords using this service. Now launch the command prompt in Windows Server and type ftp

Now, on the host machine, observe the tool listing some packet exchanges. Click the Passwords tab, as shown in the following screenshot, to view the sniffed password for ftp. Determine how you can defend against ARP cache poisoning in a network.

Similarly, attackers, too, can sniff the username and password of a user. If that account has administrator permissions, attackers can disable firewalls and load fatal viruses and worms on the computer and spread them onto the network.

When using a wireless connection, as an administrator you must use the strongest security supported by your wireless devices and also advise other employees to use a strong password. The passwords must be changed weekly or monthly. This includes documents, emails, and VoiceIP conversations. ARP attacks go undetected by firewalls; hence, in this lab you will be guided to use the XArp tool, which provides advanced techniques to detect ARP attacks to protect your data.

Different security levels and fine-tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.

Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

MAC addresses are associated with the network adapter that connects devices to networks. ARP tables, or cache, are

By default the security level is set to high.

Set the Security level to aggressive on the XArp screen. Using this level might give false attack alerts, as it operates on a highly aggressive packet inspection philosophy.

The XArp pop-up appears displaying the alerts. Determine how you can defend against ARP cache poisoning in a network. An attacker can send ARP packets to attack a network. This attack uses all resources of both victim and non-victim computers.

Using a specific technique with a protocol analyzer, you should be able to identify the cause of the broadcast storm and a method to resolve the storm. Identify susceptible points in the network and protect them before attackers discover and exploit the vulnerabilities, especially ARP-enabled LAN systems, a protocol with known security loopholes that allow attackers to conduct various ARP attacks.

Attackers may also set network interfaces to promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester you must be aware of the tools to detect network interfaces running in promiscuous mode, as this might indicate a network sniffer.

If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system. PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems.

Double-click promqryui. Only run software from publishers you trust. Please read the following license agreement. Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close.

To install you must accept this agreement. The WinZip Self-Extractor dialog box appears. To unzip to the specified folder, press the Unzip button. Browse to a destination of your choice to save the setup file.

Now, install .NET Framework 1. Click Yes to initiate the .NET Framework installation in the Setup dialog box.

While attempting to install .NET Framework 1. Click Run Program. If solutions are found, Windows will automatically display a website that lists steps you can take.

Select the radio button for I agree and click Install in the License Agreement dialog box. Once the installation is complete, click OK in the Microsoft .NET Framework 1.

Once installation is complete, go to Start and click Promqry to launch the program. The main window of PromqryUI appears. Click Add.

The Diagnosis tab provides the real-time diagnosis events of the global network by groups of protocol layers or security levels. With this tab you can view the performance of the protocols. Double-click the highlighted Diagnosis Event to view the detailed information of this event.

The Protocol tab lists statistics of all protocols used in network transactions hierarchically, allowing you to view and analyze the protocols.

The Physical Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically. On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check if there is a multicast storm or broadcast storm in your network. As delicate work, network analysis always requires us to view the original packets and analyze them.

However, not all network failures can be found in a very short period. Sometimes network analysis requires a long period of monitoring and must be based on the baseline of the normal network.

Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs.

Here we are checking the conversation between

A window opens displaying full packet analysis between

Double-click a node to display the full analysis of packets. A Full Analysis window is opened displaying detailed information of the conversation between two nodes. The lower pane of this tab gives you related packets and reconstructed data flow to help you drill down to analyze the conversations.

On the Matrix tab, you can view the nodes communicating in the network by connecting them with lines graphically. The weight of the line indicates the volume of traffic between nodes arranged in an extensive ellipse. You can easily navigate and shift between global statistics and details of specific network nodes by switching the corresponding nodes in the Node Explorer window.

The Packet tab provides the original information for any packet. Double-click a packet to view the full analysis information of packet decode. Select a packet and we can see its hex digits as well as the meaning of each field.

The figure below shows the structure of an ARP packet. This makes it easy to understand how the packet is encapsulated according to its protocol rule. The Report tab provides 27 statistics reports from the global network to a specific network node.

You can click the respective hyperlinks for information or you can scroll down to view the complete detailed report. Click Stop on the toolbar after completing your task. Analyze how Capsa affects your network traffic while analyzing the network. What types of instant messages does Capsa monitor?

Determine if the packet buffer will affect performance. If yes, then what steps can you take to avoid or reduce its effect on software?

Attackers listen to the conversation occurring between two hosts and issue packets using the same source IP address. These sorts of attacks can cause various types of damage, including the injection of data into an existing TCP connection and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.

Lab Objectives

The objective of this lab is to demonstrate the sniffing technique to capture from multiple interfaces and data collection from any network topology. Networks use broadcast technology to send data. Data transmits through the broadcast network, which can be read by anyone on the other computers present on the network. Usually, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it.

Many computers are programmed to look at every message on the network. If someone misuses the facility, they can view messages that are not intended for them.



