Contents of the article:
- Theory
- Wireshark
- CommView
- Intercepter-NG
- SmartSniff
- tcpdump
- Burp Suite
- Conclusion
Traffic analysis is the most important stage of penetration testing (or even hacking). Many interesting things can be found in packets transmitted over the network, such as passwords for accessing various resources and other valuable data. Sniffers are used to intercept and analyze traffic, and humanity has come up with a great many of them. Today we will talk about the most popular sniffers for Windows.
THEORY
To intercept traffic, analyzers can use packet redirection or the so-called Promiscuous mode - an "indiscriminate" mode of operation of the network adapter, in which filtering is disabled and the adapter accepts all packets regardless of who they are addressed to. In a normal situation, the Ethernet interface filters packets at the data link level. With such filtering, the network card accepts only broadcast frames and packets whose destination MAC address in the header matches its own. In Promiscuous mode, all other packets are not discarded, which allows the sniffer to intercept data. Theoretically, it is possible to collect all packets in the local network segment where the sniffer is installed, but in this case there will be too much data for subsequent analysis, and the log files will quickly swell to completely indecent sizes. Or you can configure the application so that it catches traffic only for certain protocols (HTTP, POP3, IMAP, FTP, Telnet) or analyzes only the first 100 bytes of each packet, which usually contain the most interesting part: the address of the target host, logins and passwords. Modern sniffers can also listen to encrypted traffic.
Traffic analyzers are often used for "peaceful" purposes - to diagnose a network, identify and fix problems, detect malware, or find out what users are doing and what sites they visit. But it is when studying the security of a network perimeter or performing penetration testing that a sniffer is an indispensable tool for reconnaissance and data collection. There are sniffers for various operating systems, and such software can be installed on a router and used to analyze all traffic passing through it. Today we will talk about the most common popular traffic analyzers for the Microsoft Windows platform.
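The two data-reduction tactics described above (keep only chosen protocols, keep only the first N bytes of each packet) are easy to see in code. The following is an added example, not code from the article or from any of the tools it reviews: a minimal libpcap reader for Ethernet/IPv4/TCP/UDP that applies a port-based protocol filter and a snaplen-style cut-off. The capture, addresses and payloads are constructed inline so the block runs offline.

```python
"""Added example (not from the article): a minimal libpcap reader that keeps
only packets of chosen application protocols (by TCP/UDP port) and only the
first N bytes of each payload, the way a sniffer's snaplen setting does.
The capture below is constructed; addresses and payloads are made up."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src dst sport dport payload")

# Server ports of the cleartext protocols the article names.
PROTOCOL_PORTS = {"FTP": 21, "Telnet": 23, "HTTP": 80, "POP3": 110, "IMAP": 143}
PORT_NAMES = {port: name for name, port in PROTOCOL_PORTS.items()}


def build_frame(src, dst, proto, sport, dport, payload):
    """Ethernet II + IPv4 + TCP/UDP frame with constructed addresses.
    Checksums are left at zero: this reader never validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    if proto == 6:                                         # TCP, 20-byte header, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:                                                  # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(ts, frame):
    """Decode Ethernet/IPv4/{TCP,UDP}; anything else is dropped (returns None)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        payload = l4[(l4[12] >> 4) * 4:]                   # skip TCP header (data offset)
    elif proto == 17:
        payload = l4[8:]                                   # fixed 8-byte UDP header
    else:
        return None
    return Packet(ts, proto, src, dst, sport, dport, payload)


def read_pcap(data):
    """Yield decoded packets from a little-endian microsecond pcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond-resolution pcap is handled")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        pkt = parse_frame(ts, data[off + 16:off + 16 + caplen])
        off += 16 + caplen
        if pkt is not None:
            yield pkt


def select_packets(data, ports=frozenset(PROTOCOL_PORTS.values()), snaplen=100):
    """The article's two filters: keep only chosen protocols, and only the
    first `snaplen` payload bytes of each (enough for a request line and a
    Host header, far less than a whole download)."""
    kept = []
    for pkt in read_pcap(data):
        if pkt.sport in ports or pkt.dport in ports:
            kept.append(pkt._replace(payload=pkt.payload[:snaplen]))
    return kept


def summarize(data, **kw):
    """One tuple per kept packet: (protocol, src, dst, kept payload length)."""
    return [(PORT_NAMES.get(p.dport, PORT_NAMES.get(p.sport, "?")),
             p.src, p.dst, len(p.payload)) for p in select_packets(data, **kw)]


# Constructed capture: one HTTP request, one DNS query, one TLS record,
# one FTP command stream padded well beyond the 100-byte cut-off.
SAMPLE_PCAP = build_pcap([
    (1, build_frame("10.0.0.5", "10.0.0.1", 6, 51000, 80,
                    b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n")),
    (2, build_frame("10.0.0.5", "10.0.0.2", 17, 40000, 53, b"\x12\x34" + b"\x00" * 30)),
    (3, build_frame("10.0.0.5", "10.0.0.3", 6, 51001, 443, b"\x16\x03\x01" + b"\x00" * 500)),
    (4, build_frame("10.0.0.6", "10.0.0.4", 6, 51002, 21, b"USER anon\r\n" + b"A" * 300)),
])

if __name__ == "__main__":
    for row in summarize(SAMPLE_PCAP):
        print(row)
```

With the defaults, only the HTTP and FTP packets survive and the FTP payload is cut to 100 bytes; the DNS and TLS packets are dropped by the port filter. Passing `ports={53, 443}` keeps those two instead, which is the same trade-off the article describes: the narrower the filter, the smaller the capture and the less you can reconstruct later.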
WIRESHARK
- Manufacturer: Wireshark Foundation
- Website: https://www.wireshark.org
- License: free
Probably everyone who has ever encountered the task of traffic analysis knows about this program. Wireshark's popularity is quite justified: firstly, this product is free, and secondly, its capabilities are quite sufficient to solve the most pressing issues related to interception and analysis of data transmitted over the network. The product is deservedly popular with virus analysts, reverse engineers, system administrators and, of course, pentesters.
This analyzer has a Russian-language interface, can work with a large number of network protocols (there is no point in listing them all here: the full list can be found on the manufacturer's website). In Wireshark, you can disassemble each intercepted packet into parts, view its headers and contents. The application has a very convenient mechanism for navigating through packets, including various algorithms for searching and filtering them, and a powerful mechanism for collecting statistics. Saved data can be exported to different formats, and it is possible to automate Wireshark using Lua scripts and connect additional (even self-developed) modules for parsing and analyzing traffic.
In addition to Ethernet, the sniffer can intercept wireless network traffic (the 802.11 standards and the Bluetooth protocol). The tool allows you to analyze IP telephony traffic and reassemble TCP streams; analysis of tunneled traffic is supported as well. Wireshark copes well with the task of decoding protocols, but to understand the results of this decoding, you must, of course, have a good understanding of their structure.
Wireshark's disadvantages include the fact that the recovered streams are not considered by the program as a single memory buffer, which makes their subsequent processing difficult. When analyzing tunneled traffic, several parsing modules are used at once, and each subsequent one in the program window replaces the result of the previous one - as a result, traffic analysis in multi-level tunnels becomes impossible.
In general, Wireshark is not just a popular, but a very good product that allows you to track the contents of packets roaming the network, their transmission speed, and find “problem areas” in the network infrastructure. But unlike commercial applications, there are no convenient visualization tools. In addition, with Wireshark, it is not so easy, for example, to catch logins and passwords from traffic, and this is one of the typical tasks in penetration testing.
COMMVIEW
- Manufacturer: TamoSoft
- Website: https://www.tamos.ru/products/commview/
- License: paid, purchase license or subscription
Among the currently existing sniffers, CommView is one of the oldest and most distinguished veterans; Hacker wrote about this product back in 2001. The project is still alive, actively developing and updating: the latest version is dated 2020. Despite the fact that the product is paid, the manufacturer offers to download a trial version, which allows you to see how the application works in practice - the trial version of the sniffer intercepts traffic for five minutes, after which it asks for money.
The program has a Russian-language interface, which can be a determining factor when choosing a sniffer for users who do not speak English. The main advantage of CommView is the ability to flexibly configure packet filtering rules: you can select individual protocols that the application will track, sort packets by a number of features, such as size or header. The range of supported protocols is also quite large: the sniffer can work with the most common application protocols, as well as reconstruct a TCP session and UDP stream. At the same time, CommView allows you to analyze traffic down to the lowest-level protocol packets - TCP, UDP, ICMP, and view "raw" data. The program displays the headers of intercepted packets, collects detailed IP traffic statistics. Saved data can be exported to 12 different formats, from .txt and .csv to files of other analyzers such as Wireshark.
In addition to network card traffic, CommView can monitor VPN connections, as well as traffic passing through modems - analog, mobile, ADSL, ISDN and others, for which a special driver is installed in the system. It is possible to intercept VoIP traffic and SIP telephony sessions. The application includes a packet generator, with which you can send a packet of a specified length to a specified Ethernet interface, with arbitrary headers and content. There is also a fairly convenient log file viewer, allowing you to open log files in a separate sniffer window and search their contents.
The tool is, without a doubt, extremely convenient and useful, if not for the "biting" license prices. For a professional pentester, buying such a tool will certainly be justified, but for the sake of "looking at the network" once, you can look for alternative, cheaper or free solutions.
INTERCEPTER-NG
- Manufacturer: unknown
- Website: https://sniff.su
- License: free
This is also a very old and gray-haired tool - Hacker first wrote about it back in 2012. Since then, the project developed by our compatriots not only has not disappeared from the Internet, like many of its competitors, but has even been actively developed and improved - the latest current version of the sniffer dates back to 2020. There is a version of the program for Android in the form of an .APK file and even a console version of this tool for Unix.
In its work, Intercepter-NG uses the NPcap utility, a portable version of which, according to the developers, it carries with it. However, practice has shown that either they forgot to put it there, or it does not work in Windows 10 - to launch the sniffer, I had to download NPcap from the site https://nmap.org/npcap/ and install it manually.
Intercepter-NG has a pretty nice user interface and allows you to view traffic in several modes. There is a regular view of packets and their contents, in which you can filter packets using pcap rules or use the Follow TCP stream function for detailed analysis of any session. There is a Messengers Mode, in which the tool tries to intercept instant messenger traffic - primarily the fossilized ICQ, MSN, Yahoo and AIM, but there is support for the Jabber protocol. The trick did not work with Telegram: the sniffer simply did not see it.
There is a Passwords Mode, which displays logins and passwords caught from traffic transmitted via FTP, HTTP, SMTP, POP3, IMAP, LDAP, Telnet and other protocols. Resurrection mode allows you to recover files transmitted via HTTP, FTP, SMB, IMAP, POP3 and SMTP - while only files from completed TCP sessions are successfully recovered.
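The Passwords Mode described above exists because FTP, HTTP Basic, POP3 and IMAP send credentials in the clear, so anyone with a sniffer on the path sees them. The defender's version of the same logic is an audit that walks reassembled client-to-server streams, flags every cleartext authentication it finds, and records the server and account so the service can be moved to TLS. The following is an added example, not code from the article or from Intercepter-NG; it redacts the secret itself, since the finding is the exposure, not the password. The streams, hosts and accounts are constructed sample data.

```python
"""Added example (not from the article or Intercepter-NG): an audit over
reassembled client->server streams that flags authentication sent in
cleartext on FTP, HTTP Basic, POP3 and IMAP. Findings name the server and
account but redact the secret. All streams below are constructed samples."""
import base64
import binascii
import re

# IMAP: "<tag> LOGIN <user> <password>", either argument may be a quoted string.
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', re.I | re.M)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I | re.M)


def _finding(protocol, client, server, username):
    return {"protocol": protocol, "client": client, "server": server,
            "username": username, "secret": "<redacted>"}


def audit_user_pass(protocol, client, server, text):
    """FTP and POP3 share the USER/PASS dialogue; flag once both have been sent."""
    user, seen_pass = None, False
    for line in text.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg.strip()
        elif cmd.upper() == "PASS":
            seen_pass = True                       # the value itself is never kept
    return [_finding(protocol, client, server, user)] if user and seen_pass else []


def audit_http(client, server, text):
    out = []
    for token in HTTP_BASIC.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue                               # malformed header, not a credential
        username, sep, _ = decoded.partition(":")  # "user:password"; keep only user
        if sep:
            out.append(_finding("HTTP Basic", client, server, username))
    return out


def audit_imap(client, server, text):
    return [_finding("IMAP", client, server, m.group(1).strip('"'))
            for m in IMAP_LOGIN.finditer(text)]


# Dispatch on the server port of the reassembled stream.
AUDITORS = {
    21: lambda c, s, t: audit_user_pass("FTP", c, s, t),
    110: lambda c, s, t: audit_user_pass("POP3", c, s, t),
    80: audit_http,
    143: audit_imap,
}


def audit_streams(streams):
    """streams: iterable of (client, server, server_port, client->server bytes)."""
    findings = []
    for client, server, port, data in streams:
        auditor = AUDITORS.get(port)
        if auditor is None:
            continue                               # unknown or encrypted: opaque to us
        findings.extend(auditor(client, server, data.decode("latin-1")))
    return findings


# Constructed sample streams; no real hosts or accounts.
SAMPLE_STREAMS = [
    ("10.0.0.5", "10.0.0.10", 21, b"USER alice\r\nPASS hunter2\r\nLIST\r\n"),
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    ("10.0.0.6", "10.0.0.30", 110, b"USER carol\r\nPASS letmein\r\nSTAT\r\n"),
    ("10.0.0.6", "10.0.0.40", 143, b'a001 LOGIN dave "pa ss"\r\na002 SELECT INBOX\r\n'),
    ("10.0.0.7", "10.0.0.10", 21, b"USER anonymous\r\nSYST\r\n"),   # no PASS: no finding
    ("10.0.0.7", "10.0.0.50", 443, b"\x16\x03\x01\x00\x10" + b"\x00" * 16),  # TLS
]

if __name__ == "__main__":
    for f in audit_streams(SAMPLE_STREAMS):
        print(f"{f['protocol']:10} {f['client']} -> {f['server']} user={f['username']}")
```

The TLS stream on port 443 produces nothing, which is the point of the article's remark that completed sessions and cleartext protocols are what such tools can actually read. Running this over streams reassembled from a real capture gives an inventory of services that still accept cleartext logins, without the audit itself becoming a store of passwords.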
Intercepter-NG has an additional and very useful toolkit. This is a simple DHCP server, a NAT service that allows you to relay ICMP/UDP/TCP packets between different Ethernet network segments. There are several network scanners: ARP, DHCP, and a "smart" gateway search is implemented. Another tool is a module for organizing MiTM attacks. The supported methods are Spoofing (with support for the DNS/NBNS/LLMNR protocols), ICMP Redirect, DNS over ICMP Redirect, SSL MiTM, SSLStrip and some others.
The program can scan a specified range of ports in search of applications running on them, and analyze protocols associated with these ports. You can switch the sniffer to extreme mode, in which it will intercept all TCP packets without checking ports, which will allow you to detect applications running on non-standard and administrator-defined ports on the network. However, in this mode the application slows down mercilessly and periodically freezes completely.
The current version of Intercepter-NG has a built-in tool for exploiting the Heartbleed vulnerability - a bug in the OpenSSL cryptographic library that allows memory on the server or client to be read without authorization, including for extracting the server's private key. The package also includes a brute force tool and a multi-threaded vulnerability scanner, X-Scan. In other words, from a simple network analysis application, Intercepter-NG is gradually turning into a kind of combine, allowing you to scan the network for open ports and unpatched vulnerabilities on the fly, intercept logins with passwords and brute force something.
The downside of Intercepter-NG is that the program is recognized as malicious by Kaspersky Anti-Virus and Windows Defender, which is why it is killed at the stage of downloading from the manufacturer's website. So to work with the sniffer, you will have to disable antiviruses, but this is a rather modest price to pay for the opportunity to use such a multifunctional tool.
SMARTSNIFF
- Manufacturer: Nirsoft
- Website: https://www.nirsoft.net/utils/smsniff.html
- License: free
A simple sniffer that works with the TCP, UDP and ICMP protocols. Requires installation of the WinPcap driver and Microsoft Network Monitor Driver version 3.
The project was initially developed for Windows 2000/XP (which is actually noticeable from its interface), but it is still alive today - the latest version of the sniffer is dated 2018. The utility allows you to intercept traffic passing through the local machine and view the contents of packets - it can't do anything else, actually.
TCPDUMP
- Manufacturer: Tcpdump Group
- Website: http://tcpdump.org/
- License: Free (modified BSD license)
A C-based console utility, originally developed for Unix but later ported to Windows, which uses WinPcap. It requires administrative privileges to function properly. Among Windows users, the open-source version of tcpdump, called WinDump, is more popular and can be downloaded for free from https://www.winpcap.org/windump/.
BURP SUITE
- Manufacturer: Portswigger
- Website: https://portswigger.net/burp
- License: Free (Community Edition)
Another popular tool among pentesters, designed for testing the security of web applications. Burp is part of Kali Linux, and there is a 64-bit version for Windows. This framework is not without reason called the "Swiss army knife of a pentester" - in terms of searching for vulnerabilities and auditing the security of web applications, it has no equal. Burp Suite includes the ability to send modified requests to remote hosts, brute force, fuzzing, search for files on the server, and much more.
Actually, Burp is not a universal sniffer at all - it can only track traffic between the browser and a remote web application using an intercepting proxy, which requires an additional certificate to be installed in the system for the HTTPS protocol to work. But for certain purposes, this may be enough.
Burp intercepts all packets sent and received by the browser and, accordingly, allows you to analyze the traffic of various web applications, including online messengers or social networks. If the infrastructure being examined by a pentester has services running via HTTP or HTTPS, there is probably no better tool for testing them. But using Burp only as an HTTP/HTTPS traffic sniffer is like hauling potatoes from your summer cottage in a Lamborghini: it is designed for completely different tasks.