Saturday, June 18, 2011

Cain & Abel + Wireshark + NetworkMiner

Most beginners are more familiar with Windows than with any other OS. In this tutorial, I’m going to give a step-by-step guide on how to capture packets between a target host and the gateway and extract data from them (e.g. pictures, OS fingerprints, HTTP login credentials, etc.).

Tools Required:
Cain & Abel
Wireshark
NetworkMiner

Step 1:
Do a Man-in-the-Middle attack against the target host. To do this, start Cain, go to the Sniffer tab, click the Start Sniffer icon (next to the Open icon), click Configure and select your active network adapter.

Selecting the network adapter from the Configuration Dialog


Step 2:
Start scanning for all active hosts in your subnet. To do this, click the blue “+” icon. From the dialog box, select “All hosts in my subnet” and click OK.


The results appear like this.


Step 3:
Go to the ARP section of the Sniffer tab. The sections are located at the bottom of the interface. Again, click the “+” icon. Select the IP of your target host from the left pane and select your gateway router IP address from the right pane. Click OK.


As shown in the picture, my target is host 192.168.1.56 and my gateway IP is 192.168.1.1.


Step 4:
Back in the ARP section, click the Start ARP icon (the third icon) to start poisoning the ARP table.


Cain itself can show you the passwords entered by the target host.

Step 5:
Now, while Cain is doing all the poisoning, let’s run Wireshark to capture all traffic between the target host and the router. In the Capture Options, it is important to disable “Capture packets in promiscuous mode”. This makes Wireshark capture only the traffic among the three systems involved (the gateway, the target host, and your PC).


Step 6:
Once you think you have captured enough packets, stop the capture and save it as a .pcap file.

Step 7:
Now start NetworkMiner and open the .pcap file from the previous step. Wait while NetworkMiner prepares the .pcap file. After a few minutes of waiting, you’ll see plain data like pictures, OS fingerprints, HTTP login credentials, etc. from the .pcap file!
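
From the defender's side, the ARP poisoning in Steps 3 and 4 leaves a recognizable trace in a capture like the one saved in Step 6: one IP announced with more than one MAC, and one MAC claiming several IPs. The check below is an added example, not part of the original post; the MAC addresses and sample frames are constructed, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

def find_arp_conflicts(frames):
    """Flag IPs announced with more than one MAC and MACs claiming several IPs."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip == "0.0.0.0":          # ARP probe, carries no IP-to-MAC binding
            continue
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return {
        "ip_multi_mac": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "mac_multi_ip": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
    }

def build_arp(op, smac, sip, tmac, tip):
    """Build an ARP frame as bytes; used only to construct the sample data below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = to_mac(tmac) + to_mac(smac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + to_mac(smac) + to_ip(sip) + to_mac(tmac) + to_ip(tip)

# Constructed MACs; the IPs are the target host and gateway from Step 3.
GW, HOST, MITM = "00:11:22:33:44:01", "00:11:22:33:44:56", "00:11:22:33:44:99"
SAMPLE = [
    build_arp(2, GW, "192.168.1.1", HOST, "192.168.1.56"),    # genuine gateway reply
    build_arp(2, HOST, "192.168.1.56", GW, "192.168.1.1"),    # genuine host reply
    build_arp(2, MITM, "192.168.1.1", HOST, "192.168.1.56"),  # gateway IP, third MAC
    build_arp(2, MITM, "192.168.1.56", GW, "192.168.1.1"),    # host IP, same third MAC
]

if __name__ == "__main__":
    print(find_arp_conflicts(SAMPLE))
```

An IP in `ip_multi_mac` can also come from a legitimate failover or NIC replacement, so treat a hit as a lead to confirm against the switch's MAC table or DHCP leases.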



P.S. - NetworkMiner can do Wireshark’s task, but the latter is much better, so I don’t recommend NetworkMiner as an alternative to Wireshark.

Hope you learned something.