1
00:00:00,470 --> 00:00:08,390
Meterpreter has the capability of packet sniffing the remote host without ever touching the hard

2
00:00:08,390 --> 00:00:08,750
disk.

3
00:00:09,610 --> 00:00:16,150
I'll tell you why it's especially useful: because you may want to monitor what type of information is

4
00:00:16,150 --> 00:00:25,150
being sent. This sniffer extension can store up to 200000 packets in a ring buffer and exports them

5
00:00:25,150 --> 00:00:26,890
in standard PCAP format.

6
00:00:27,910 --> 00:00:31,750
So you can later process them using Wireshark or whatever you want.

7
00:00:32,640 --> 00:00:40,030
As an alternative to using this sniffer extension, there's a script that's called packetrecorder.

8
00:00:40,950 --> 00:00:45,140
The script allows for more granularity when capturing packets.

9
00:00:46,080 --> 00:00:48,990
So not only can you sniff a particular interface,

10
00:00:49,990 --> 00:00:52,970
but any specified interface on the target.

11
00:00:53,590 --> 00:00:54,640
Why don't we have a look at that?

12
00:00:57,000 --> 00:01:00,780
So here I have a system-level session on Metasploitable 3.

13
00:01:01,810 --> 00:01:05,110
OK, so sniffer is an extension for Meterpreter.

14
00:01:06,170 --> 00:01:11,450
And to be able to use it, I will load sniffer onto the session.

15
00:01:12,810 --> 00:01:16,770
And you can view sniffer commands by help sniffer.

16
00:01:18,880 --> 00:01:22,340
Right, so there are six sniffer commands available here.

17
00:01:22,990 --> 00:01:25,720
I think the names are pretty clear and self-explanatory.

18
00:01:26,860 --> 00:01:32,740
I don't think there's any need to explain each command, but I will quickly show you how to use them.

19
00:01:34,040 --> 00:01:38,570
So you must know the interfaces on the target to sniff, right?

20
00:01:39,540 --> 00:01:44,340
So sniffer_interfaces will list the interfaces on the target.
21
00:01:45,430 --> 00:01:52,060
And you might just get an error like this, and this is because of my session: it's a system-level

22
00:01:52,060 --> 00:01:58,690
session, so I can't gather packets. In this situation, all you have to do is downgrade your session.

23
00:01:59,660 --> 00:02:03,620
So how do you do that? Type ps.

24
00:02:04,990 --> 00:02:15,970
Explorer. Now it's easy to get the process ID of explorer.exe, and it's 5192. So now,

25
00:02:16,870 --> 00:02:19,390
migrate 5192.

26
00:02:21,960 --> 00:02:24,150
All right, migration was successful.

27
00:02:25,710 --> 00:02:28,590
So now just list interfaces again:

28
00:02:29,680 --> 00:02:30,880
sniffer_interfaces.

29
00:02:32,320 --> 00:02:37,300
And here are the available interfaces detected on the target.

30
00:02:38,170 --> 00:02:41,380
Now, the first column defines ID numbers for them.

31
00:02:42,480 --> 00:02:46,770
So we can then type sniffer_start -h.

32
00:02:47,850 --> 00:02:49,980
I think this message is enough to give us help.

33
00:02:51,170 --> 00:03:01,070
And now you can start sniffing: sniffer_start, then 2 for the interface ID, and 30000 for

34
00:03:01,070 --> 00:03:04,610
the packet buffer, and the sniffer has started.

35
00:03:05,730 --> 00:03:09,060
So now you need to create some traffic on Metasploitable 3.

36
00:03:10,300 --> 00:03:15,460
So what I'll do is I'll open it and just visit some pages on Metasploitable 2.

37
00:03:17,200 --> 00:03:18,190
And I think that's enough.

38
00:03:19,650 --> 00:03:27,750
So to dump the captured traffic, we first have to stop sniffing, so sniffer_stop

39
00:03:28,840 --> 00:03:30,040
with the interface ID.

40
00:03:31,150 --> 00:03:32,620
And it looks like it stopped.
41
00:03:34,110 --> 00:03:42,810
So now we have two options right now: you can either dump the traffic or you can release the packets.

42
00:03:43,710 --> 00:03:52,560
So to dump, just use sniffer_dump and the interface ID and then the path where you want to save the file.

43
00:03:57,480 --> 00:04:01,950
Saved. Now open a new tab and go to that path.

44
00:04:05,000 --> 00:04:08,930
So now we're going to use Wireshark to view the PCAP file.

45
00:04:11,610 --> 00:04:14,580
I'm looking for login.php.

46
00:04:17,280 --> 00:04:23,160
Well, there it is. Then right-click on the packet and, well, we'll follow the TCP stream.

47
00:04:24,720 --> 00:04:29,040
And here's what I searched for: the username and password I entered.

48
00:04:29,940 --> 00:04:30,720
So what does that mean?

49
00:04:31,650 --> 00:04:36,900
It means that you captured the target's network traffic without even touching the system.

50
00:04:40,230 --> 00:04:45,960
So for those of you out there who want another option, there is a Meterpreter script.

51
00:04:46,870 --> 00:04:48,460
That's called packetrecorder.

52
00:04:49,440 --> 00:04:56,370
So let's run packetrecorder without any options, and that'll bring us our help menu.

53
00:04:57,360 --> 00:04:58,710
And the parameters are explained.

54
00:04:59,250 --> 00:05:00,850
Yeah, pretty good, I think.

55
00:05:01,740 --> 00:05:02,220
Now.

56
00:05:03,220 --> 00:05:06,010
This process has the exact same logic as before.

57
00:05:06,820 --> 00:05:09,010
So first, list the interfaces.

58
00:05:10,230 --> 00:05:13,470
Run packetrecorder -li.

59
00:05:15,760 --> 00:05:24,580
Same interfaces. To start recording, run packetrecorder -i 2 for the interface,

60
00:05:26,070 --> 00:05:30,120
and -l, the directory to save the PCAP file.

61
00:05:33,080 --> 00:05:35,060
And the sniffing has begun.

62
00:05:38,280 --> 00:05:41,940
So now I'm going to go over to Metasploitable 3 to create some extra traffic.
63
00:05:46,430 --> 00:05:48,020
And that's plenty for now.

64
00:05:50,810 --> 00:05:54,080
So I'll go to another tab, go to the directory.

65
00:05:57,600 --> 00:05:59,880
So many folders.

66
00:06:01,690 --> 00:06:04,090
OK, so you can open that file with Wireshark.

67
00:06:06,100 --> 00:06:12,550
All right, now you can examine the packets. For example, I'm going to choose this one and follow

68
00:06:12,550 --> 00:06:13,300
the stream.

69
00:06:14,830 --> 00:06:19,360
And here is the content of the pages that I visited.