Chapter 4: Sniffing, Evasion and Packet Analysis
This is kind of an odd grouping, especially because “sniffing” doesn’t sound that different from “scanning,” which we did several steps ago. Learn how to split this hair: scanning is looking for hosts and ports, sniffing is capturing and examining traffic. (Yes, that’s wildly oversimplified.)
Using Wireshark, tshark and tcpdump
Wireshark
Wireshark is the de facto (meaning “in real life”) and de jure (meaning “in law”) standard for traffic (packet) sniffing. If you’re dragged into court you’ll want your evidence to be produced by Wireshark, then promptly MD5 or SHA checksummed.
https://www.wireshark.org/
(Note the Get Help menu for tutorial options.)
When you go looking for tutorials on Wireshark, be aware: the Wireshark user interface changes quite a bit across versions, so what you see on your computer may be different. Look for the newest videos, from good sources.
If you are totally new to Wireshark, meet HowToGeek.com and scan this tutorial:
https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
Wireshark Capture Filters are kind of a big deal. You’ll need to know the basic syntax and operators. These guys have a great wiki, so take advantage of it. Start with this page:
https://wiki.wireshark.org/CaptureFilters
https://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
Sample VOIP captures are a great way to learn to use Wireshark. I suggest getting one here:
https://wiki.wireshark.org/SampleCaptures
You can open this file in Wireshark, select a packet of the call and follow (play) it.
https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowStreamSection.html
tshark
https://www.wireshark.org/docs/man-pages/tshark.html
tcpdump
The tcpdump command lets you sniff traffic, by which we mean it lets you watch and capture the packets flowing on your network. It’s like a CLI for Wireshark. 😉
Here’s a chance to get to know Jeremy Druin (@webpwnized), who has put out great infosec videos for years. See his series, Introduction to Packet Analysis – Part 7: Capturing Network Traffic with TCPDump
The basics: https://www.youtube.com/watch?v=AIQVNlI_A20&t=155s
Building a lab to demo tcpdump: https://www.youtube.com/watch?v=Gdmz3jtqjMM
hping3
First there was hping, then hping2, and currently hping3. The versions are substantially different, so be careful which one you’re actually using/typing.
This packet-crafting utility lets you build custom IP packets, with total control over the size, source and destination IPs, flags, fragmentation, contents and everything else about them. Try thinking of it as an alternative to nmap. And like nmap, you will need to know hping3 switches and syntax for the CEH exam.
Short example:
https://www.youtube.com/watch?v=AIQVNlI_A20
Longer example (from Hackersploit):
https://www.youtube.com/watch?v=1lDfCRM6dWk
A place to practice:
Evading IDS, IPS and Firewalls
There are at least three ways to evade detection, especially detection of malware you’re sending over the wire.
The first is packet fragmentation, easy to do in nmap with just the -f flag.
The second is encryption, which could be done a whole lot of different ways.
And the third is timing: Keeping your scans slow and small helps them go undetected. See page 167 in our CEH textbook for Matt Walker’s discussion with a “perimeter security guy”: How could he scan a network of over 10,000 hosts undetected? The response: keep your scans to less than 2 minutes each, and he could scan the whole network in about 2 days. So: slow down, scan smaller target ranges, and keep good records.
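The defender's side of the first and third techniques, as an added example that is not from the textbook or this course: a small Python detector run over constructed, simplified tcpdump-style lines. It flags the tiny (8-byte) IP fragments that a fragmented scan produces, and it catches a slow SYN scan by counting distinct destination ports per source over a long window rather than per minute. The line format, the thresholds and the sample traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified tcpdump-style lines (not a real capture): a slow
# SYN scan at one port every 10 minutes, plus three 8-byte IP fragments of
# the kind a fragmented scan sends, and one ordinary client connection.
SAMPLE_LOG = """\
09:00:00.000000 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
09:10:00.000000 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 1024, length 0
09:20:00.000000 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 1024, length 0
09:30:00.000000 IP 10.0.0.5.40004 > 10.0.0.9.445: Flags [S], seq 4, win 1024, length 0
09:40:00.000000 IP 10.0.0.5.40005 > 10.0.0.9.3389: Flags [S], seq 5, win 1024, length 0
09:41:00.000000 IP 10.0.0.7 > 10.0.0.9: (frag 4660:8@0+)
09:41:00.000100 IP 10.0.0.7 > 10.0.0.9: (frag 4660:8@8+)
09:41:00.000200 IP 10.0.0.7 > 10.0.0.9: (frag 4660:8@16)
09:45:00.000000 IP 10.0.0.8.51000 > 10.0.0.9.80: Flags [S], seq 6, win 65535, length 0
"""

# Assumed line shape: "HH:MM:SS.usec IP src[.sport] > dst[.dport]: rest"
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")
FRAG = re.compile(r"\(frag \d+:(?P<size>\d+)@(?P<off>\d+)\+?\)")

def analyze(log, window=3600, min_ports=5, tiny=16):
    """Return sorted alerts: fragments smaller than `tiny` bytes, and sources
    that SYN to >= `min_ports` distinct ports inside any `window` seconds."""
    syns = defaultdict(list)          # src -> [(seconds, dport)]
    alerts = set()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        f = FRAG.search(m["rest"])
        if f and int(f["size"]) < tiny:
            alerts.add(f"tiny-fragment src={m['src']} size={f['size']}")
        elif "Flags [S]" in m["rest"] and m["dport"]:
            syns[m["src"]].append((t, int(m["dport"])))
    for src, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # window starting at each SYN
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.add(f"slow-scan src={src} ports={len(ports)}")
                break
    return sorted(alerts)
```

With the default one-hour window the scanner at 10.0.0.5 is reported even though it never exceeds one SYN per ten minutes; shrink `window` to 600 seconds and it slips through, which is exactly the point of the timing trick.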
Scanning Firewalls with Firewalk
This takes three systems: your Kali attacker, a firewall, and a target system inside the firewall.
firewalk -S1-1024 -i <interface> -n -pTCP <gateway IP> <target IP>
How it works:
http://packetfactory.openwall.net/projects/firewalk/firewalk-final.pdf
How to Use Firewalk on Kali
https://www.hackingloops.com/firewalk/
Summary and Examples from the nmap site
https://nmap.org/nsedoc/scripts/firewalk.html
Firewall/IDS Evasion and Spoofing from nmap.org
https://nmap.org/book/man-bypass-firewalls-ids.html
Bypassing Firewall Rules from nmap.org
https://nmap.org/book/firewall-subversion.html
Exercise
- Perform a firewalk of the target system I will supply (on-site classes only) using the firewalk tool.
- Perform a similar test with nmap.
- Run an nmap scan using the fragmentation flag.