• Document: 1. LAB SNIFFING LAB ID: 10
  • Uploaded: 2019-06-13 10:17:24



HERA LAB ID: 10
SNIFFING

  • Sniffing in a switched network – ARP Poisoning
  • Analyzing network traffic
  • Extracting files from a network trace
  • Stealing credentials
  • Mapping/exploring network resources

1. LAB

You are a Penetration Tester and you have been asked to determine whether a very sensitive network segment is secure. The client, Sportsfoo.com, is a small research company specialized in Sports, so all data from a specific segment should be available only to authorized users and should not be exposed to anybody else.

The scope provided by the client is any host/device on the 172.16.5.0/24 network.

The following image represents the LAB environment:

[Figure: LAB environment. Network 172.16.5.0, hosts 172.16.5.x, PENTESTER]

eLearnSecurity s.r.l. © 2012 | H E R A

2. GOALS

  • Map the network
  • Sniff the traffic
  • Review the network traffic
  • List your findings
  • See what you can do with the credentials discovered
  • Bonus: Provide a list of countermeasures to your client

3. WHAT YOU WILL LEARN

  • How to map a network
  • How to sniff in a switched network – ARP Poisoning attack
  • Review FTP and HTTP packets
  • Obtain files transferred via SMB
  • How to use the sensitive information obtained from the network trace in order to expand your access to the network

To guide you during the lab you will find different Tasks. Tasks are meant for educational purposes and to show you the usage of different tools and different methods to achieve the same goal. They are not meant to be used as a methodology.

Armed with the skills acquired through the tasks, you can achieve the Lab goal. If this is the first time you do this lab, we advise you to follow these Tasks. Once you have completed all the Tasks, you can proceed to the end of this paper and check the solutions.

4. RECOMMENDED TOOLS

  • netdiscover
  • nmap
  • arpspoof
  • driftnet
  • Wireshark
  • Metasploit / PSEXEC
  • SMBmount

5. IMPORTANT NOTE

Further information: Lab machines (like the web server and internal organization machines) are not connected to the internet. In order to connect to the target organization website you have to insert the following line in your hosts file:

10.10.10.10 intranet.sportsfoo.com

hosts path:
  Windows: C:\Windows\System32\drivers\etc\hosts
  Linux: /etc/hosts

1. TASKS

Task 1: Host Discovery – Using ARP requests

Using only ARP packets, please list all online hosts of the network 172.16.5.0/24.

MAC Address | Host IP address

Please list another way (another tool and its parameters) you could use to get the same information (still using only ARP packets):
____________________________________________________________
____________________________________________________________

Task 2: Host Discovery – Using DNS

Task 2.1: Determine the DNS Server

Perform a port scan on all of the hosts above in order to identify which one is running the DNS Service. Be very specific: make sure you check only the DNS port. Also, using the same command line, determine if the DNS Server is running Linux, BSD, or Windows.

DNS Server IP Address

Task 2.2: Determine the domain name

Using any DNS Lookup tool, please determine for what domain name this DNS Server is authoritative.

Domain Name

Task 2.3: List additional hosts using DNS zone transfer

Once you know the domain name and the DNS Server address, please check if you are able to identify new hosts using a DNS zone transfer.

New Hosts

Can you tell why the hosts above were not found using ARP requests?
____________________________________________________________
____________________________________________________________
____________________________________________________________

Task 3: Identify the default gateway for the 172.16.5.0/24 network

According to all tasks above, you have been able to identify two different networks. Now we need to identify the
