4.4 Getting Information from the LAN - Security

If you're trying to keep your LAN secure, it sometimes helps to think like a cracker. This article shows you how to scout out a LAN, and how malicious hackers get around security. It is excerpted from chapter four of Security Power Tools, written by Bryan Burns et al. (O'Reilly, 2007; ISBN: 0596009631).

By: O'Reilly Media
November 13, 2008

Here are some useful techniques for getting information out of the LAN you're sniffing.

Logging Packet Data

If you want to log the packets you see to a file using the tools already covered, the process is fairly standardized. If you are running p0f to fingerprint operating systems on the network, you can log its results with the -o option.

If you would rather dump all packets to a file, the way you would with tcpdump (see Chapter 18), give p0f the -w (write packets) option:

  [lou@duodenum] p0f -w session.pcap

The same holds true for dsniff; you can save the sessions it sniffs to a file using the -w option (and read them back later with -r):

  [lou@duodenum] dsniff -w sniffedsession.pcap

ettercap also allows dumping packet data to a file. Again, the -w option is used to write captured traffic, here while ARP-poisoning the segment with -M arp:remote so that traffic between other hosts passes through the sniffer:

  [lou@duodenum] ettercap -T -i eth0 -w captured.pcap -M arp:remote //

Filtering Incoming Packets

ettercap, p0f, and dsniff all support BPF-style filters in the same format as tcpdump.

For example, this commands dsniff to listen for cleartext passwords in Telnet traffic going to

  [lou@duodenum] dsniff host and port 23

This commands p0f to fingerprint FTP traffic coming from or going to

  [lou@duodenum] p0f dst port 21 and (src host or dst host

Setting BPF filters in ettercap requires the -f (filter) option, which takes the whole expression as a single argument, so quote it. This example commands ettercap to run in promiscuous mode on the default interface, listening for HTTP traffic with a packet size greater than 256 bytes:

  [lou@duodenum] ettercap -T -f "port 80 and greater 256"

To filter ettercap's packet data output (referred to in the manpage as visualization) according to a regular expression, use the -e option:

  [lou@duodenum] ettercap -T -e "foo|bar"

If you know what data you are looking for, the regular expressions can end up looking pretty complex:

  [lou@duodenum] ettercap -T -e "[yY]ou shall be ([aq][bu][ci](et)?\.)|foobar"

You can combine BPF filters with packet logging to filter sessions with particular characteristics:

  [lou@duodenum] p0f -w logging.pcap dst port 21 and src host

Fingerprinting LAN Hosts

If you are investigating a network and find that there are 60 or so Windows XP machines and one Solaris box, you may want to know why that one Sun box is there, right? It would also be interesting if you could identify which machines are running which operating system. To do that, let's use a technique called OS fingerprinting.

Various programs can provide good OS identification. For example, the widely used and famous Nmap program (available from http://www.insecure.org) uses a technique of active fingerprinting. Nmap sends packets to a host with particular TCP/IP options and headers set, and then sees how the machine responds.

Use the -O option to tell nmap that you want to fingerprint a host (for more on Nmap, see Chapter 2):

  [lou@duodenum] nmap -O
  Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-07-26 18:23 PDT
  Interesting ports on
  Not shown: 1677 closed ports
  22/tcp   open  ssh
  6000/tcp open  X11
  MAC Address: 00:16:CB:96:89:73 (Apple Computer)
  Device type: general purpose
  Running: Apple Mac OS X 10.3.X
  OS details: Apple Mac OS X 10.3.5 or 10.3.7
  Nmap finished: 1 IP address (1 host up) scanned in 35.251 seconds

Another method utilizes a technique called passive fingerprinting. Passive fingerprinting works by quietly examining packets for telltale patterns, not by sending data directly to a target host.

One of the granddaddies of passive fingerprinting is p0f, the Passive Operating System Fingerprinter. The O in operating system is replaced with a 0 (zero) character.

At its heart, p0f is trivial to use:

  [lou@duodenum] p0f
  p0f - passive os fingerprinting utility, version 2.0.5
  (C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
  p0f: listening (SYN) on 'eth1', 231 sigs (13 generic), rule: 'all'.
   - FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (1) (up: 4511 hrs)
    -> (distance 0, link: ethernet/modem)

p0f listens on an interface (optionally specified by the -i option) for incoming SYN packets and then attempts to match each packet's characteristics (initial TTL, window size, the Don't Fragment bit, and the order and values of the TCP options) to a database of known signatures. It is quite good at detecting the general flavor of the operating system.
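To make the passive technique concrete, here is an added example (not p0f's code and not from the book) that parses a raw IPv4/TCP SYN, extracts the same fields p0f keys on, builds a p0f 2.x-style signature string (window:initial TTL:DF:IP length:option layout) and looks it up in a tiny signature table. The three table entries are approximations constructed for this example, not copied from p0f.fp, and the sample SYNs are built inline by a hypothetical build_syn() helper so the script runs offline.

```python
import struct

# Hypothetical stand-in for p0f.fp (constructed approximations, not real entries).
# Key format mirrors p0f 2.x: window:initial_ttl:df:ip_total_len:option_layout
SIGNATURES = {
    "S4:64:1:60:M*,S,T,N,W7": "Linux 2.6 (approximate)",
    "65535:128:1:48:M*,N,N,S": "Windows XP (approximate)",
    "65535:64:1:64:M*,N,W0,N,N,T,S,E": "FreeBSD 5.x / Mac OS X 10.3 (approximate)",
}


def parse_ipv4_tcp(raw):
    """Pull the fields a passive fingerprinter cares about out of IPv4+TCP headers."""
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "ttl": ttl,
        "df": (frag >> 14) & 1,                      # Don't Fragment bit
        "total_len": total_len,
        "window": window,
        "flags": off_flags & 0x1FF,
        "options": tcp[20:(off_flags >> 12) * 4],    # data offset bounds the option bytes
    }


def option_layout(opts):
    """Encode TCP option order p0f-style: M*=MSS, N=NOP, W=wscale, S=SACK OK, T=timestamp, E=EOL."""
    layout, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list; only padding follows
            layout.append("E")
            break
        if kind == 1:                      # NOP carries no length byte
            layout.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        data = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", data)[0]
            layout.append("M*")
        elif kind == 3:
            layout.append("W%d" % data[0])
        elif kind == 4:
            layout.append("S")
        elif kind == 8:
            layout.append("T0" if struct.unpack("!I", data[:4])[0] == 0 else "T")
        else:
            layout.append("?%d" % kind)
        i += length
    return layout, mss


def initial_ttl(ttl):
    """Round the observed TTL up to a common initial value; the difference is the hop distance."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def fingerprint(raw):
    """Return (signature, OS guess, hop distance) for one raw SYN packet."""
    p = parse_ipv4_tcp(raw)
    if p["flags"] & 0x12 != 0x02:           # SYN set, ACK clear: pure SYNs only
        raise ValueError("not a SYN")
    layout, mss = option_layout(p["options"])
    win = p["window"]
    # p0f writes the window as a multiple of MSS when it divides evenly (S4 = 4*MSS)
    win_str = "S%d" % (win // mss) if mss and win % mss == 0 else str(win)
    ittl = initial_ttl(p["ttl"])
    sig = "%s:%d:%d:%d:%s" % (win_str, ittl, p["df"], p["total_len"], ",".join(layout))
    return sig, SIGNATURES.get(sig, "UNKNOWN"), ittl - p["ttl"]


def build_syn(ttl, df, window, options):
    """Hypothetical helper: construct a raw IPv4+TCP SYN for testing (checksums left zero)."""
    opts = options + b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (doff << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


MSS, NOP, SACK, EOL = b"\x02\x04\x05\xb4", b"\x01", b"\x04\x02", b"\x00"   # MSS 1460
TS = b"\x08\x0a" + b"\x00\x01\x86\xa0" + b"\x00" * 4                      # nonzero tsval

# Constructed sample SYNs, as if seen 6, 1 and 0 hops from their senders
SAMPLE_LINUX = build_syn(58, 1, 4 * 1460, MSS + SACK + TS + NOP + b"\x03\x03\x07")
SAMPLE_WINXP = build_syn(127, 1, 65535, MSS + NOP + NOP + SACK)
SAMPLE_MACOSX = build_syn(64, 1, 65535, MSS + NOP + b"\x03\x03\x00" + NOP + NOP + TS + SACK + EOL)

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX), ("winxp", SAMPLE_WINXP), ("macosx", SAMPLE_MACOSX)):
        print(name, fingerprint(pkt))
```

Note that nothing is sent: the host being identified only ever sees its own SYN leave, which is the whole point of the passive approach. Feeding this the client-to-server SYNs from a pcap (after stripping the link-layer header) reproduces what p0f does with its much larger database; unmatched signatures come back as UNKNOWN rather than being forced to the nearest guess.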

One thing you might like to do is save network traffic with tcpdump and analyze the packets at your leisure using specialized tools. To have p0f read from a libpcap capture file, specify the -s option:

  [lou@duodenum] p0f -s 200603031121-capture.pcap

A nice and relatively quiet way to get an idea of what is on the LAN is to arpspoof the gateway, use tcpdump to save a few hours of traffic, and then run p0f to identify the hosts.

ettercap can also fingerprint hosts. With the -P option, you can enable an ettercap plug-in by name:

  [lou@duodenum] ettercap -Tq -P finger /
  ettercap NG-0.7.3  copyright 2001-2004 ALoR & NaGA

   FINGERPRINT      : FFFF:05B4:40:00:0:1:1:1:A:3C
   OPERATING SYSTEM : Mac OS X (Panther) ver. 10.3.3 (7F44)

This fingerprinting is slightly out of date. I ran this against a Macintosh running Mac OS X 10.4.7 (Tiger), and as you can see, ettercap misidentified it as 10.3.3 (Panther).

ettercap 0.7.3 ships with 27 useful plug-ins and one plug-in called dummy for developers to get their feet wet. The arp_cop plug-in is quite useful for detecting unscrupulous users running ettercap on your LAN.

Figure 4-4 shows what the plug-in list looks like in the GTK+ interface.

Figure 4-4.  ettercap sure has a lot of plug-ins

Sniffing Plain-Text Passwords

If you are a security researcher or an administrator, you want to get an idea of how often plain-text passwords are used on your network. If it is easy for you to sniff a password, it is just as easy for the bad guy to sniff the same information.

ettercap makes it trivial to sit on a LAN segment and simply sniff traffic for plain-text passwords. Run the command:

  [lou@duodenum] ettercap -Tq -i eth0 -M arp:remote -l /tmp/passwords

and ettercap sniffs on interface eth0 and logs all sniffed passwords. The -l option tells ettercap to log session information to an .eci file (in this case, the info is saved to /tmp/passwords.eci). If you want to log all the packet data as well, use the -L flag instead, which also saves the packet data to an .ecp file of the same name; for the preceding example, this is /tmp/passwords.ecp. These logfiles can be read back through etterlog. If you want ettercap to write packets to a libpcap file à la tcpdump, use the -w option.

If ettercap makes it trivial to capture cleartext passwords, the dsniff program makes it stupidly simple:

  [lou@duodenum] dsniff
  dsniff: listening on eth1
  07/24/06 16:21:51 tcp -> (ftp)
  USER louzah
  PASS foolish

dsniff supports well over 30 protocols, including all of the well-known plain-text protocols (POP, IMAP, Telnet, FTP, HTTP) as well as several databases (Oracle SQL*Net, Microsoft SQL) and most of the common chat protocols (AOL Instant Messenger, ICQ).

Running dsniff on your network can suddenly create a lot of work for you or your network administrator as you discover how many applications send sensitive data in the clear. ;-)
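The core of what dsniff does once it has followed a TCP session is protocol-aware pattern matching on the client's side of the conversation. The following added example (not dsniff's code and not from the book) runs that logic over a handful of constructed, already-reassembled client-to-server payloads: it pulls USER/PASS pairs out of FTP and POP3, decodes HTTP Basic authorization headers, ignores a TLS stream it cannot read, and then tallies cleartext logins per protocol, which is the inventory the paragraph above suggests an administrator should build. The addresses, usernames and passwords in SAMPLE_STREAMS are made up for the example (louzah/foolish echoes the dsniff output shown earlier).

```python
import base64
import binascii
import re

# Constructed sample: (src, dst, dst port, reassembled client->server bytes).
# A real sniffer would obtain these by following each TCP session from a capture.
SAMPLE_STREAMS = [
    ("10.0.0.5", "10.0.0.9", 21, b"USER louzah\r\nPASS foolish\r\nSYST\r\n"),
    ("10.0.0.5", "10.0.0.10", 110, b"USER alice\r\nPASS s3cret pass\r\nSTAT\r\n"),
    ("10.0.0.7", "10.0.0.11", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("10.0.0.7", "10.0.0.12", 443, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88"),  # TLS: opaque
    ("10.0.0.8", "10.0.0.11", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # no credentials
]


def extract_user_pass(payload):
    """USER/PASS pair from a line-oriented command stream (FTP, POP3)."""
    user = re.search(rb"^USER\s+(\S+)", payload, re.I | re.M)
    password = re.search(rb"^PASS\s+(.+?)\r?$", payload, re.I | re.M)  # passwords may contain spaces
    if user and password:
        return user.group(1).decode(errors="replace"), password.group(1).decode(errors="replace")
    return None


def extract_http_basic(payload):
    """Username and password from an HTTP Basic Authorization header (base64 of user:pass)."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.I | re.M)
    if not m:
        return None
    try:
        creds = base64.b64decode(m.group(1), validate=True).decode(errors="replace")
    except (binascii.Error, ValueError):
        return None                       # malformed header: not a credential we can report
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None


# Destination port -> (protocol label, extractor). Ports with no entry are skipped.
EXTRACTORS = {
    21: ("ftp", extract_user_pass),
    110: ("pop3", extract_user_pass),
    80: ("http", extract_http_basic),
}


def sniff_credentials(streams):
    """Run the matching extractor over each stream; return one record per cleartext login found."""
    found = []
    for src, dst, dport, payload in streams:
        if dport not in EXTRACTORS:
            continue
        proto, extractor = EXTRACTORS[dport]
        creds = extractor(payload)
        if creds:
            found.append({"proto": proto, "src": src, "dst": dst,
                          "user": creds[0], "password": creds[1]})
    return found


def summarize(found):
    """Cleartext logins per protocol: the number an admin wants before deciding what to fix first."""
    counts = {}
    for record in found:
        counts[record["proto"]] = counts.get(record["proto"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = sniff_credentials(SAMPLE_STREAMS)
    for h in hits:
        print("%-5s %s -> %s  %s / %s" % (h["proto"], h["src"], h["dst"], h["user"], h["password"]))
    print(summarize(hits))
```

Dispatching on the destination port is what keeps this simple and is also its main blind spot: services on non-standard ports are missed, and an extractor that looked at the payload shape instead of the port would catch them. The summary, rather than the individual passwords, is what belongs in a report; the passwords themselves should be handled as the sensitive data they are.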

Shadow Browsing

After arpspoof-ing the gateway, there's nothing quite like sneaking a look at what people are browsing. The dsniff suite includes a utility called webspy that surfs along with another host on the LAN by extracting the URLs it visits and opening them in your browser:

  [lou@duodenum] webspy

If you are running a Gecko-based browser such as Firefox or Mozilla, webspy opens each URL as the target host visits it, wherever it goes. Unfortunately, webspy cannot tell you whether the person is actually browsing to a particular site, or whether they are running wget inside a scripted loop, generating a large number of requests for, say, a JPEG of the Goatse Guy. (Not that you should ever do this if you suspect your browsing habits are being tracked.)

