
Notes you must read:

1. We disclaim responsibility for the use of any topic on this blog for forbidden (haram) purposes or against Muslims.
2. If you did not find the topic you searched for in the search engine, use the blog's internal search.
3. Some file-hosting sites require a proxy to download for free without a paid account, such as uploading.com.
4. We apologise that no alternatives are available for some missing links.
5. Please scan files carefully before running them, especially hacker tools, videos, etc.
6. Not all programs are complete, and not all programs need registration!!??
7. Dear visitor, we are honoured by your visit; know that you are not the first visitor and will not be the last, God willing. Enjoy browsing the blog without problems, God willing...
8. Don't forget to use (Older posts) to see the rest of the topics in each category.

Blog creation

The blog was created on:

07\01\2009

Black ice

Happy anniversary to you all: four years have passed since the blog was created, praise be to God.

ĬŖŞĤ@ĮĐ Blog of Tricks and Tutorials, Irsheed Al-Jaraideh ĬŖŞĤ@ĮĐ

Using WireShark

Besides Nessus (which we saw in previous tutorials), another important ally for any network administrator concerned about security is Wireshark, the good old Ethereal, which changed its name in June 2006. It is a powerful sniffer that captures network traffic, giving you a strong tool for diagnosing problems and understanding how each protocol works.

Like Nessus, it can be used both to protect your system and to steal data from the neighbours: a double-edged sword. Because of this it is sometimes seen as a "hacker tool", when in reality the purpose of the program is to give you control over what enters and leaves your machine, and the ability to quickly detect any kind of trojan, spyware or unauthorised access.

Although it is usually not installed by default, most distributions provide the "wireshark" package (or "ethereal", depending on how up to date the distribution is). In Debian-derived distributions you can use apt-get, as usual.

Besides the Linux versions, there are also versions for Windows 2000, XP and Vista. You can download them from http://www.wireshark.org/.

On Linux it is also possible to install from the source code package, available on the download page (the option preferred by those who want the latest version of the program). The package is installed with the familiar "./configure", "make" and "make install". Since it depends on a relatively large number of compilers and libraries, many of them unusual, you will almost always need to install some additional components by hand.

A simple way to install all the components needed for compilation (a hint useful not only for Wireshark, but for installing programs from source in general) is to use "auto-apt", available through apt-get. To use it, install the package via apt-get and run "auto-apt update":

Code:
# apt-get install auto-apt
# auto-apt update


From there, you run the build commands through it, as in:
Code:
$ tar -zxvf wireshark-0.99.1pre1.tar.gz
$ cd wireshark-0.99.1pre1
$ auto-apt run ./configure
$ auto-apt run make
$ su
# make install


During the build, auto-apt uses apt-get to install the necessary components, as in this screenshot:

Image

Once installed, open the program with the "wireshark" command (or "ethereal", depending on the version installed). Wireshark is one of those programs with so many features that you can only really learn it by using it. To begin, nothing beats capturing a few packets. Click "Capture > Start":

Image

Here are the capture options. The first important option is "Capture packets in promiscuous mode", where you decide whether to capture only the packets addressed to your own machine, or also try to capture packets from other machines on the network. This is possible because dumb hubs simply repeat the transmission, sending every packet to every station.

The recipient's MAC address is included at the start of each frame sent over the network. Normally the network card listens only for the packets addressed to it and ignores the rest, but in promiscuous mode it receives all packets, regardless of the MAC address they are intended for. Switches and hub-switches are smarter, forwarding traffic only to the correct recipient, but most of the cheaper models are vulnerable to ARP poisoning and MAC flooding attacks, as we shall see below.

Then there is the option "Update list of packets in real time". With it enabled, packets appear on screen as they are captured. Otherwise, you need to capture a batch of packets and then view the whole lot at once.

Below are options to stop the capture after a certain time or after a certain amount of data. The catch is that Wireshark captures everything transmitted on the network, which (on a local network) can quickly consume all the available RAM, unless you stop the capture and save the dump of captured packets to a file.

Clicking OK opens the capture screen, where you can follow the number of packets captured:

Image

On the main screen we have the list of packets, with information such as the sender and recipient of each packet, the protocol used (TCP, FTP, HTTP, AIM, NetBIOS, etc.) and a column with more details, including the TCP port the packet was sent to.

Packets going from a machine on the local network to a domain or IP address on the Internet include page requests, file uploads, sent e-mails, ICQ and MSN messages and, in many cases, access passwords as well. The packets coming from the Internet to the local machines are the answers to those requests, including web pages, e-mails read, downloaded files and so on. With a sniffer you can capture any kind of information that travels unencrypted over the network.

Image

Clicking one of the packets and then on "Follow TCP Stream", Ethereal shows a window with the whole conversation in text mode.

Image

Most of what you will see is binary data, including the images of web pages and files. Even HTML pages are often compressed (to save bandwidth), again in an unreadable format. But if you dig through it, you will find many interesting things, such as instant messages (MSN and ICQ) and e-mail, which by default are sent in plain text. Using "Follow TCP Stream" it is possible to trace the entire conversation:

Image
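To make two of the ideas above concrete, the promiscuous-mode distinction (which frames the card hands over in normal mode versus promiscuous mode) and what "Follow TCP Stream" actually does (reassembling both directions of one connection in sequence-number order), here is an added example that is not part of the original tutorial or of Wireshark itself. It builds a small libpcap file in memory from constructed frames (the MAC and IP addresses, ports and HTTP payloads are all made up), parses it back with only the standard library, and applies both rules to the parsed frames.

```python
import socket
import struct
from dataclasses import dataclass

# --- constructed sample traffic (assumed values, not a real capture) ---------
OUR_MAC = bytes.fromhex("0a0000000001")    # the sniffing host (assumed)
PEER_MAC = bytes.fromhex("0a0000000002")   # a web server on the LAN (assumed)
OTHER_MAC = bytes.fromhex("0a0000000003")  # an unrelated neighbour (assumed)


def tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums are left at zero because the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return dst_mac + src_mac + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap raw frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    # a neighbour's request: only a card in promiscuous mode passes this to the sniffer
    tcp_frame(PEER_MAC, OTHER_MAC, "192.168.0.30", "192.168.0.2", 40000, 80, 1,
              b"GET /secret HTTP/1.0\r\n\r\n"),
    # our own request, deliberately stored out of order (second segment first)
    tcp_frame(PEER_MAC, OUR_MAC, "192.168.0.10", "192.168.0.2", 51000, 80, 1027,
              b"Host: intranet\r\n\r\n"),
    tcp_frame(PEER_MAC, OUR_MAC, "192.168.0.10", "192.168.0.2", 51000, 80, 1001,
              b"GET /index.html HTTP/1.0\r\n"),
    # the server's answer to us
    tcp_frame(OUR_MAC, PEER_MAC, "192.168.0.2", "192.168.0.10", 80, 51000, 7000,
              b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>"),
])


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    payload: bytes


def parse_pcap(data):
    """Walk a classic pcap file and decode Ethernet/IPv4/TCP; anything else is skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        raw = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(raw) < 14 or raw[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ihl = (raw[14] & 0x0F) * 4
        ip_total = struct.unpack_from("!H", raw, 14 + 2)[0]
        if raw[14 + 9] != 6:
            continue                                    # not TCP
        tcp_off = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", raw, tcp_off)
        data_off = (raw[tcp_off + 12] >> 4) * 4
        payload = raw[tcp_off + data_off: 14 + ip_total]
        frames.append(Frame(raw[0:6], raw[6:12],
                            socket.inet_ntoa(raw[26:30]), socket.inet_ntoa(raw[30:34]),
                            sport, dport, seq, payload))
    return frames


def visible_without_promiscuous(frame, our_mac):
    """In normal mode the card only passes frames addressed to it, broadcast or multicast;
    frames the host sends itself are always visible to a local capture."""
    if frame.src_mac == our_mac or frame.dst_mac == our_mac:
        return True
    return bool(frame.dst_mac[0] & 0x01)               # group bit: multicast and broadcast


def follow_tcp_stream(frames, a_ip, a_port, b_ip, b_port):
    """Reassemble both directions of one connection in sequence order, as "Follow TCP Stream" does.
    Retransmissions and 32-bit sequence wrap-around are not handled in this short version."""
    def join(direction):
        segs = [f for f in frames if (f.src_ip, f.sport, f.dst_ip, f.dport) == direction]
        return b"".join(f.payload for f in sorted(segs, key=lambda f: f.seq))
    return join((a_ip, a_port, b_ip, b_port)), join((b_ip, b_port, a_ip, a_port))


if __name__ == "__main__":
    frames = parse_pcap(SAMPLE_PCAP)
    normal = sum(visible_without_promiscuous(f, OUR_MAC) for f in frames)
    print(f"{len(frames)} frames on the wire, {normal} visible without promiscuous mode")
    request, response = follow_tcp_stream(frames, "192.168.0.10", 51000, "192.168.0.2", 80)
    print(request.decode(), response.decode(), sep="--- server ---\n")
```

Run it as a script and the neighbour's "GET /secret" is the one frame a card in normal mode never delivers, while the two out-of-order segments of our own request come back joined in the right order, followed by the server's reply. The same parser will read a real capture saved by Wireshark in the classic pcap format, which is the quickest way to confirm on your own LAN whether the switch really isolates you from other stations' traffic.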

Author: Carlos E. Morimoto
25/04/2008
