Packet sniffing


  • Packet sniffing

    Hi,

    I want to do some packet sniffing for some infected hosts. I have my packet sniffer set up, promiscuous mode etc. Where is the best place for me to plug in to get the best packet captures?

    At the moment the DSL modem goes to > a Cisco PIX ASA 5505 firewall, and that goes to a > drop to a patch panel, then from the patch panel to > 3 switches.

    I will be using a laptop with packet sniffing programs.

    Should I just use my network drop, seeing that it's in promiscuous mode, or should I plug in on a switch (non-Cisco switches) or plug into the PIX monitor port? If there is a monitor port on either the switches or the PIX, which would it be, and what is the best place to plug in to achieve the best captures of LAN traffic going out/in etc.?

    Thanks in advance

  • #2
    Re: Packet sniffing

    IMO, I would simply go into the switches and mirror the ports that the infected machines are plugged into. I'd mirror them to the port that the monitoring laptop is plugged into. There really doesn't seem to be a need to monitor at the gateway (5505) or modem. The packets coming from the infected machines will tell where they're headed and coming from. However, are you sure that you know exactly which machines are infected? If there are possibly more machines on the network that are infected that you don't know about maybe you should monitor at the gateway to look for any suspicious traffic (especially traffic that matches the patterns that the known infected machines are exhibiting).

    If you really want to get fancy you could install Snort to monitor the network's traffic.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: Packet sniffing

      Hey,

      I don't know which machines are infected. Also the switches are not smart; I don't believe they have monitoring ports (cheap company). I got through with packet sniffing though. I used Wireshark and placed a hub between my gateway and the switched network, then placed my sniffer on the hub to see all traffic. Strange thing: I am only seeing 1 IP that is sending SMTP traffic not to my external mailhost. Strange, I thought I'd pick up more. I sniffed for about an hour, live and promiscuous; I'd expect spam bots to constantly send.



      • #4
        Re: Packet sniffing

        What type of switches are they? That hub trick will work fine though (a poor man's network TAP). Spam bots might not constantly send. I was reading recently that spammers are doing a better job at throttling their zombies' usage of the network so as to avoid detection. Many botnets are only operating at a small fraction of their potential so that the owners can gain control of more computers for longer. Do you block all SMTP ingress and egress at the firewall and only allow email traffic to your legit email server? Maybe some kind of network traffic monitor would be good so you can view reports on what's going on.

        This reminds me of a time when I sat down at a person's PC that was behaving slow and erratic. I did a netstat -ab and saw some connections going back to IPs in Turkey.

        Me: Do you do any business with people in Turkey?
        User: Uhhh... no.
        Me: Super. "format c: /FS:NTFS /V:nosoupforyou /X"



        • #5
          Re: Packet sniffing

          They are NEWlink 6003324 (looks cheap and old) switches. I used Network Probe 3.0 and it did detect another machine sending a fair amount of constant data. This was before I used the packet sniffer, and I had already unplugged that assumed-infected machine. I'm thinking of re-plugging that machine tomorrow for 10-20 minutes or so to see if it's actually sending TCP SMTP traffic; then I'd feel a little more logically sure. No, there are no ingress/egress filters on the PIX. I want to have it set with at least an access list to deny all SMTP except to the legit mailhost destination, but the stupid guy above thinks my idea isn't good. His way is to find the infected hosts by AVs. But really, even with that approach, A, B, I still gotta find the infected hosts, so I'll leave the sniffer with filters on for the majority of the day tomorrow. I hope to get more logical evidence, keep you posted.
          Last edited by willing; 10th June 2009, 03:30.
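The "sniffer with filters" the poster plans to leave running comes down to one question: which inside hosts are opening SMTP connections to anything other than the sanctioned mail host? The script below is an added example for this thread, not code posted by any participant. It reads a libpcap file (a Wireshark save, or an ASA capture exported as pcap), counts TCP/25 connection attempts (SYN without ACK, so a chatty bot is not over-counted per flow) by source and destination, and drops the sanctioned destination. The mail host address 203.0.113.10 and the sample packets are constructed assumptions; the reader is pure Python so it runs offline with no scapy or pyshark.

```python
"""Find internal hosts opening SMTP (TCP/25) connections to anything other than
the sanctioned mail host. Pure-Python libpcap reader (Ethernet/IPv4/TCP only),
so it runs offline on a Wireshark save or an ASA capture exported as pcap.
Added example for this thread, not code posted by any participant."""
import struct
from collections import defaultdict

# Assumption: the organisation's legitimate external mail host (RFC 5737 doc address).
LEGIT_MAILHOST = "203.0.113.10"
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_pcap(data):
    """Yield (src_ip, dst_ip, dst_port, tcp_flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:        # little-endian file (Wireshark default on x86)
        e = "<"
    elif magic == 0xD4C3B2A1:      # big-endian file
        e = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != 1:              # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                     # not TCP
            continue
        tcp = ip[ihl:]
        if len(tcp) < 14:
            continue
        _sport, dport = struct.unpack_from("!HH", tcp, 0)
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, dport, tcp[13]


def find_rogue_smtp(pcap_bytes, mailhost=LEGIT_MAILHOST):
    """Count SMTP connection attempts (SYN without ACK) per source to any
    destination other than mailhost. Returns {src: {dst: syn_count}}."""
    rogue = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in parse_pcap(pcap_bytes):
        if dport != 25 or dst == mailhost:
            continue
        if flags & TCP_SYN and not flags & TCP_ACK:
            rogue[src][dst] += 1
    return {s: dict(d) for s, d in rogue.items()}


def build_pcap(packets):
    """Build a constructed little-endian libpcap file from (src, dst, dport, flags)
    tuples. Checksums are left zero; this is synthetic test data, not a real capture."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (src, dst, dport, flags) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + tcp
        out.append(struct.pack("<IIII", 1244600000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample traffic: one well-behaved host, one host spraying SMTP at
# outside addresses (198.51.100.0/24 is documentation space, not a real spammer).
SAMPLE_PACKETS = [
    ("10.80.28.5", LEGIT_MAILHOST, 25, TCP_SYN),               # normal mail submission
    (LEGIT_MAILHOST, "10.80.28.5", 40000, TCP_SYN | TCP_ACK),  # its SYN/ACK back
    ("10.80.28.7", "198.51.100.23", 25, TCP_SYN),              # direct-to-MX: suspicious
    ("10.80.28.7", "198.51.100.23", 25, 0x18),                 # PSH/ACK, same flow, not a new attempt
    ("10.80.28.7", "198.51.100.99", 25, TCP_SYN),              # another rogue destination
    ("10.80.28.9", "198.51.100.23", 443, TCP_SYN),             # HTTPS, ignored
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, dsts in sorted(find_rogue_smtp(data).items()):
        print(src, "->", ", ".join(f"{d} ({n} SYN)" for d, n in sorted(dsts.items())))
```

Run it as `python3 rogue_smtp.py capture.pcap`; with no argument it reports on the constructed sample. The same test expressed as a Wireshark display filter on the live hub capture is `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 25 && ip.dst != 203.0.113.10`, and as a tcpdump capture filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25 and not dst host 203.0.113.10`. Note the caveat from the replies above: a throttled bot may open only a handful of connections per hour, so run this over a whole day's capture rather than a short window, and treat even a single inside host with direct-to-MX SYNs as worth a look.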



          • #6
            Re: Packet sniffing

            Originally posted by willing:
            I want to have it set with at least an access list to deny all SMTP except to the legit mailhost destination, but the stupid guy above thinks my idea isn't good.
            Doesn't think it's a good thing? Show him some materials that show that this is an industry standard best practice and see what he says. That's not the only search that will harvest some good materials, but it's a start. In fact, at one place I worked our ISP asked us to do that because they noticed that we had a lot of outbound SMTP traffic that looked suspicious.
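The egress rule being argued about in the two posts above, written out as an added example (not configuration from anyone in this thread) for an ASA 5505 running 7.x or later. It assumes the inside interface is named "inside" and that the only sanctioned SMTP destination is an external mail host at 203.0.113.10; change both to match the real network.

```cisco
access-list inside_out remark Added example, not from this thread. Assumes inside interface "inside" and mail host 203.0.113.10
access-list inside_out remark Only the sanctioned mail host may be reached on TCP/25
access-list inside_out extended permit tcp any host 203.0.113.10 eq smtp
access-list inside_out remark Everything else on TCP/25 is dropped and logged, which also points at infected hosts
access-list inside_out extended deny tcp any any eq smtp log
access-list inside_out remark Applying an ACL to the inside interface replaces the implicit higher-to-lower permit, so restore it
access-list inside_out extended permit ip any any
access-group inside_out in interface inside
```

Two things to check after applying it. `show access-list inside_out` shows a hit count per line, so the deny line's counter is a running tally of blocked direct-to-MX attempts; and each blocked SYN produces a %ASA-4-106023 deny message naming the inside source address, which answers the "which machines are infected?" question from the firewall's own logs without a sniffer. If the mail server is an internal host rather than an external one, permit that host's outbound TCP/25 and block everyone else's instead of permitting "any" to it.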



            • #7
              Re: Packet sniffing

              Originally posted by willing:
              At the moment the DSL modem goes to > a Cisco PIX ASA 5505 firewall, and that goes to a > drop to a patch panel, then from the patch panel to > 3 switches.
              Did you know you can set up a packet capture in your ASA?

              access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
              access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
              capture captured access-list captured interface outside packet-length 1522
              capture captured access-list captured interface inside packet-length 1522
              show capture captured


              View the output in Wireshark or some other sniffer.

              https://192.168.1.1/admin/capture/captured/pcap - this will save the file as a pcap to open in Wireshark.
