Playing with a Network

Thread replies: 79
Thread images: 8

File: 300px-Wireshark_screenshot.png (53KB, 300x169px)
I just downloaded Wireshark and started monitoring my network at my job. What are some fun or interesting things you know how to do on wireshark or any similar network monitoring program? Or any concise resources on learning what the different types of protocols are and how to pull more info from them.
>>
>>56162170
Sniff all traffic and look for passwords
>>
>>56162218
So what sort of packet would you be looking for passwords in?
>>
>>56162443
http?
but every serious site is using https nowadays, so you are out of luck
there is sslstrip but modern browser will prevent this
just don't be a prick and leave people alone
>>
>>56162170

Cain and Abel for windows, you can arp poison the lan and start a man in the middle attack whilst using wireshark with the .pcap extension.

good way to single out a station/user on the LAN

assuming the router is vulnerable to this type of attack.

there used to be an addon for firefox, which is very outdated now, called firesheep, it was used to hijack sessions, everything from facebook to bank websites. worked very well with wireshark and Cain & Abel -

p.s. I had permission to PEN test and nothing illegal was done.
>>
>>56162636

on a side note, if you can create a BVI interface on the router that can open up a whole lot of possibilities with wireshark, Keep in mind, it's simply a PACKET CAPTURE tool.
>>
>>56162170

Well it seems like you are trying to do niggerish stuff, but "data carving" is pretty cool.

You can filter for GET requests, follow the TCP streams, and see what users are downloading.

There is a tool called foremost that works great for this.


Alternately you can use a combination of ettercap and driftnet to instantly view what a target machine is GET ing.


Also, are you connected to a hub or a router? If it's a router, you will definitely need to use ettercap to poison ARP table to redirect other users traffic for inspection.

Alternately you can use a combination of ettercap and driftnet to instantly view what a target machine is GET ing.
>>
>>56162636
Lmao Cain and Abel are like 15 year old programs they won't do shit unless you're on XP service pack 0 with an even older router
>>
>>56163061

Alternately you can use a combination of ettercap and driftnet to instantly view what a target machine is GET ing.
>>
>>56163162

Yeah. I know.

I had my thoughts out of order, and didn't cut that part out.
>>
>>56163089
Cain and Abel still work perfectly fine even with 1000 clients at once.
>>
>>56163818

It's a virus ridden skid pos and you should feel bad for using it.
>>
File: ello-hdpi-58c0d37a.jpg (261KB, 750x676px)
>>56162170
>>
>>56162170
The most basic exercises are:
>Sniff the password of an FTP connection
>Get the URLs a user visits
>Spy on an IRC conversation
>>
>>56162170
>started monitoring my network at my job.

If you're not an IT employee/admin at your company, IT/admins might have a problem with that if they find out. They'll probably not like random employees monitoring traffic. On a fully switched network you should only receive subnet broadcasts in addition to frames that are explicitly directed to your host, but that still can give you a lot of info that IT might consider being none of your business.
>>
>>56164547
isn't irc encrypted?
not an irc user, so sorry for the stupid question
>>
>>56162443
protocol: http
info: POST/GET
this is usually how you find out what the person you're monitoring has typed/entered
>>
>>56162170
>>56162218
>i dont know the difference between a hub and a switch
>i dont know what a SPAN port is

>>56162636
>I dont know what ARP inspection
>>
>>56164602
Traditionally, no. You can optionally use it over TLS these days though.
>>
>>56164547
>>56164602
>>56164679
What is the point of irc? I tried using one to help me get unbanned from 420chan but it was a pain in the ass!
>>
>>56164707

Think high sea shipping lanes for hackers
>>
>>56164707
>What is the point of irc?

chatting with other sperges, bots, hackers.

It was what we used before the days of IM and fagbook.
>>
>>56164444
check'd
>>
>>56162170
Are you just running Wireshark on your local desktop at work? If so, you're not going to see shit because you'll only be sniffing your own traffic.

>>56162636
Cain doesn't work on any enterprise-grade router made in the last 10 years, bro
>>
>>56165179
How do I sniff traffic on the whole network then? I work at a verizon store and my manager told me to check our network because some shady customers connect to it.
>>
>>56162170
>started monitoring my network at my job
"How to get fired"
>>
>>56165835

Plug into the hub, or redirect traffic through your machine.

You already had the answer to this question. How dense are you?
>>
>>56164745
>>56164793
Wow fuck that lol
>>
>>56165835
If you have a single Layer 2 switch for all the traffic, then you can set up one of the ports as a mirror port and plug your laptop into that. If it's much more complicated than that then you'll need to provide us a network diagram.
>>
>>56165875

You punk bitch kids have it too cozy these days. Be grateful.
>>
>>56165874
Any "hub" purchased in the last 5-10 years is actually a layer 2 switch and not a true hub. And any decent switch/router will have automatic ARP flood protection to prevent skiddie shit like Cain from working.
>>
>>56165920

Cool. So what would happen if you changed your MAC to the same as another client on the layer 2 switched network? Would you be able to pick up the same frame as the other client simultaneously?
>>
>>56164618
what do you mean, the anon admitted that arp poison only works against vulnerable networks

>>56162170
i use wireshark daily and still can't think of something "fun" just sitting there and looking at traffic. wireshark gets fun when you want to know something and you need packet analysis and you follow the connections to get your answer

I recommend getting a cheap switch that supports mirroring, put it between your network and your router or between your router and modem for the best capping. Netgear, mikrotik, or even just a custom pc with 2 network cards (some more involved setup using a pc but still simple if you just find a tutorial or just know how to bridge interfaces)

some fun things to do is look at the dns queries and see where people are fapping. can also run the stats and who's fapping to hd and who's fapping to 380p

check out the book practical packet analysis 2nd edition, there's a pdf of it out in the wild and it's easy to follow and even has example caps on the website so you can practice using the interface and entering filters etc

that book is also a great starter on learning networking in general from the bottom up.
>>
>>56165971
It depends on the router/switch. On old shit, yes, you would receive two frames out 2 ports. On modern-day stuff it's going to either A) Update the MAC table with your information and only forward frames down your port or B) Not update the MAC table and continue sending the frames down the original port

Enterprise-class devices are usually smart enough to detect when shenanigans are afoot and will completely disable one or both of the conflicting ports until a network administrator intervenes, which is obviously bad if you're trying to hide your network spoofing.
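
Added example, not part of the post above or of the thread: a toy Python model of the MAC-table behaviour that post describes, showing how a switch that sees one source MAC on two ports either relearns it, keeps the original entry, or shuts the second port, and records an alert an admin could act on. The class, the policy names and the MAC/port values are constructed for illustration, and which port gets disabled is an assumption.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "02:00:00:00:00:0a"   # constructed sample MACs
HOST_B = "02:00:00:00:00:0b"

class Switch:
    def __init__(self, ports, on_move="update"):
        self.ports = set(ports)
        self.on_move = on_move      # "update", "keep" or "errdisable"
        self.table = {}             # source MAC -> port it was learned on
        self.disabled = set()       # ports shut down after a conflict
        self.alerts = []            # (mac, original_port, new_port)

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it is sent out of."""
        if in_port in self.disabled:
            return set()
        known = self.table.get(src)
        if known is None:
            self.table[src] = in_port
        elif known != in_port:      # same MAC now seen on a second port
            self.alerts.append((src, known, in_port))
            if self.on_move == "update":
                self.table[src] = in_port
            elif self.on_move == "errdisable":
                self.disabled.add(in_port)   # assumption: shut the newer port
                return set()
            # "keep": table stays as it was, frame is still forwarded
        live = self.ports - self.disabled
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return live - {in_port}          # flood broadcast / unknown unicast
        return ({out} & live) - {in_port}    # known unicast: one port only

def demo(policy):
    """Port 3 claims HOST_A's MAC; report where B's frames to A go afterwards."""
    sw = Switch(ports=[1, 2, 3], on_move=policy)
    sw.receive(1, HOST_A, BROADCAST)   # A learned on port 1
    sw.receive(2, HOST_B, HOST_A)      # B learned on port 2
    sw.receive(3, HOST_A, BROADCAST)   # duplicate MAC appears on port 3
    return sw.receive(2, HOST_B, HOST_A), sw.alerts, sw.disabled

if __name__ == "__main__":
    for policy in ("update", "keep", "errdisable"):
        print(policy, demo(policy))
```

In all three policies the conflict shows up in `alerts`, which is the same signal a real switch logs as a MAC move and the thing to watch for on a network you administer.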
>>
>>56166112

interdasting. thanks for the info.
>>
>>56165887
assuming the switch can do it this is the correct approach

another thing would be to drill it into their head that the customer accessible network should never be a concern outside of wan rate limiting because that network should be separated from the corporate network

are your switches and network drops vlaned out?
>>
File: netbios.png (196KB, 2723x1419px)
Asked in the stupid questions thread, but I'll ask here in the wireshark thread as well. What's with this netbios traffic from my laptop? An anon said the IPs were all asia/middle east.
>>
File: these.png (355KB, 1794x811px)
>>56166289

if you want to turn it off check out your adapter settings and disable the microsoft services. wont remove all the guff but lots of it
>>
>>56166289
The fact that you have NetBIOS traffic trying to reach publicly-routable IPs from your laptop is pretty concerning.

148.0.106.186, for example, appears to be somebody's home network in the Dominican Republic. That's probably not good.
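
Added example, not part of the post above: a small Python check for the condition that post calls concerning, NetBIOS traffic whose destination is a publicly routable address. The flow lines are a constructed sample in an assumed "src dst proto dport" layout (only 148.0.106.186 comes from the thread), and the function name is hypothetical.

```python
import ipaddress
from collections import Counter

# NetBIOS name service, datagram service and session service
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Constructed sample, one flow per line: src dst proto dport
SAMPLE = """\
192.168.1.23 192.168.1.255 udp 137
192.168.1.23 148.0.106.186 udp 137
192.168.1.23 148.0.106.186 udp 137
192.168.1.23 8.8.8.8 udp 53
192.168.1.23 10.0.0.5 tcp 139
not a flow line
"""

def netbios_leaving_lan(text):
    """Count NetBIOS flows per (src, dst) whose destination is publicly routable."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue                      # skip lines that are not flows
        if (proto.lower(), port) in NETBIOS_PORTS and dst_ip.is_global:
            hits[(src, dst)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst), n in netbios_leaving_lan(SAMPLE).items():
        print(f"{src} -> {dst}: {n} NetBIOS flow(s) to a public address")
```

Broadcasts on the local subnet and NetBIOS to private ranges are ignored, so anything this reports is traffic a gateway firewall should have dropped.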
>>
File: ppepe.jpg (40KB, 600x582px)
>>56162636
>p.s. I had permission to PEN test and nothing illegal was done.
this kind of fear is sad, why would he have to explain this? this isn't freedom.

>He can't be arrested for this,
>he shouldn't be in "the list" cause some post on 4chan.
>worst thing is that he is in "the list" even with his "PEN test" alibi that nobody buys
>>
>>56165179
The more machines on the VLAN, the more you can learn from the broadcasts tho.
>>
File: 1466300862246.jpg (107KB, 1424x842px)
>>56166396
what does a paranoid person have to do with freedom? he's not going to get blackbagged for saying he scanned a network

well, maybe in russia or china
>>
>>56166289

This

>>56166344

95% of the time it's "hello, my name is such and such in NetBIOS" queries.

>>56166366

or has a public IP.
>>
>>56166417
yeah, like

>oh god, an apple user is here

>oh lol, they have dropbox localsync enabled
>>
how do kids boot people off Xbox/PSN

pretty easy to run a packet sniffer to pick up ip's, but what do they do once they have the IP's?
>>
>>56165889
I think what they have now is fairly bland. The 90s/early to mid 00s were far more exciting. They missed the golden age of personal computing, and don't even have a clue. Sad.
>>
>>56165889
how to find a good irc channel and don't be gtfo instantly?
>>
>>56166428
NetBIOS is not supposed to be routed over the public Internet, it should be blocked at the network gateway by a firewall.

>>56166417
You can't really do anything with broadcasts, though

>>56166477
DDoS and/or lag switch
>>
>>56166504

I know but it's good for us old fucks to have something to lord over them.

>>56166514

lurk. be respectful. use a proxy.
>>
>>56166477
p2p is very rare in gaming even voice chat should route via the host server i thought

some games you can trick the host into revealing IPs but back in the day we'd just get people to join our vent and then we have it
>>
>>56166559
I help my brother DoS faggots with my server but he only has a 360. Works for all of his FPS games.
>>
>>56166590
how do you associate the IP to the specific fag you're griefing
>>
>>56166618
Host has the most packets.
Just love tap everyone else and figure out who it is.
I wrote some shitty program in python that does it automatically but most people actually still use cain, believe it or not.
>>
>>56166632
pretty baller

im not surprised a service based on a microsoft's masterful designs is so exploitable

they really do believe security is an extra feature that should be sold as an upgrade later
>>
>>56166515

should, but clearly isn't in this case.
>>
How to pinpoint the process which sends out a series of SNMP get-request UDP datagrams periodically?
>>
File: autism.jpg (16KB, 640x480px)
>>56166552
should I at least say hello when entering a channel or that sounds annoying because I don't know anyone yet?
>>
>>56166692
>>56166632
Is there any way to capture packets from a network you don't actually have the password to? For example, people in an apartment or school residence.
>>
>>56167368
Sure, you can capture packets all day long. You just can't read them.
Spoof their network and have them put the password in for you. Or, if it's something shitty like WEP, crack it. Not rocket science.
>>
>>56167091
Ok, nevermind, it was apparently the print spooler service trying to poll a network printer on a network the machine was on in the past.

(Still, any tips how to generally best go about finding the source of suspicious traffic?)
>>
>>56164418
>muh skids11111111
>virus ridden
Prove it
>>
>>56167403
It's WPA2 and I've tried cracking it in the past to no avail.

How do you spoof a network? I've only ever heard of spoofing MAC or IP addresses. Thanks, by the way.
>>
>>56167531
>create network with same name
>spoof de-authentication packets from original network and spam at target
>can't use original
>they try to connect to yours
>????
>profit
I've been too lazy to see if you can just capture the password so I do a one-time "confirm your internet password" thing.
Works most of the time.
>>
>>56167554
Much appreciated.
>>
>>56167236
saying hello is the first sign that you are a skid, sperg or just a clueless fag. just DONT
>>
>>56166514
Have something interesting to contribute, and know how to hardchat. Don't be a pussy when being hardchatted, kicked, banned, or /topic'd when first joining a new server; your ass is being tested on if it fits in. Finally, use a bouncer.
>>
>>56167827
what is a bouncer
>>
>>56167733
>>56167827
sound like good advice, thanks anons
>>
>>56167844
Pretty much an IRC proxy, with added features such as keeping your session opened.

I recommend ZNC, but it has been years since I used IRC so maybe something else better has come around since. Here is a good resource to get you started on hosting a ZNC bouncer: http://wiki.znc.in/ZNC

The only difficulty with bouncers is that not many web-hosts will allow you to run one.
>>
>>56167933
To add to this don't run a bouncer on your local machine, host it somewhere preferably not tied to your IRL. There is zero point running a bouncer locally. The site doesn't make that clear.
>>
>>56168044
You can host a bouncer on IRCcloud for $5/month.
>>
>>56162636
>windows
no
>>
>>56167933
>>56168044
>>56168101
Bouncers are for gui babies, just use tmux or screen.
>>
>>56169985
god you're such a neet loser i see you post in every thread

just fucking end your life faggot
>>
>>56170656
just filter him or shut the fuck up
>>
>>56162170
youre not going to learn much staring at pcaps and not knowing how anything works.
read some basic networking books then come back to it and things will click

>>56164618
you could always flood the switch with mac addresses turning it into a hub basically. ive found that very few switches have any kind of port-security.
>>
>>56170914
>you could always flood the switch with mac addresses turning it into a hub basically. ive found that very few switches have any kind of port-security.
And doing this at work is a very good idea, you think?
>>
File: 2465431551321.jpg (58KB, 440x440px)
>>56162636
>Using Cain & Abel
>At work
>>
>>56165875
>Wow fuck that lol
Fucking summer.