While working to verify some windows setting, i had to capture the network traffic and confirm that the setting is in place. This steps below may help you as much as it did for me. :)
Capturing the network traffic
We can use our favourite packet capture tool to capture the network traffic between the source and destination hosts. Here, i will demonstrate both using the plain vanilla 'tcpdump' and 'tethereal' tool.# tcpdump -vvXX port 445 -w /dir_path/file_name
# tethereal -p -w /dir_path/file_name port 445
You can see that i'm trying to capture as much data as i can although it may be excessive but it may be worthwhile if you find that you need those data later on.
Once you have the above in placed, you can then fire off the traffic that you want to capture. As in above example, i'm trying to capture SMB traffic.
Trigger the traffic
In this demonstration, i will use 'nmap' to trigger the SMB traffic.# nmap --script smb-security-mode.nse 192.168.1.1
You should see the 'tcpdump' output reporting that some traffic are captured.
[root@server ~]# tethereal -p -w /tmp/smb.capture port 445 Capturing on bond0 12
Below is the output for 'tethereal'. Your output should be similar.
[root@server ~]# tcpdump -vvXX port 445 -w /tmp/smb.capture tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes 12 packets captured 0 packets received by filter 0 packets dropped by kernel
Display the network traffic for analysis
Now that the traffic has been captured, time to display them.If you are using 'tcpdump', you may have to use another tool to analyse the network traffic as there is no functionality built in to decode the protocol that you are looking at.
To display using 'tcpdump', try this.
# tcpdump -vvXX -r /tmp/smb.capture
Here, you may want to use a free, online tool at [http://sadjad.me/phd/]. This is literally a packet HEX decoder. you need to copy out those HEX for a particular packet into the webpage and click 'decode'. After that, just click on the result to expand and read the information that is decoded.
If you are using 'tethereal', try this instead.
# tethereal -Vx -r /tmp/smb,capture | more
Yes, i was trying to find out if the SMB protocol was set to encrypted plus signing enabled + signing required. Here's the essential part of the output.
Security Mode: 0x0f .... ...1 = Mode: USER security mode .... ..1. = Password: ENCRYPTED password. Use challenge/response .... .1.. = Signatures: Security signatures ENABLED .... 1... = Sig Req: Security signatures REQUIRED
Thats all folks!
No comments:
Post a Comment