CEH Lab Manual

Sniffers
Module 08


Sniffing a Network
A packet sniffer is a type of program that monitors any bit of information entering
or leaving a netirork. It is a type of plug-and-play 1)iretap device attached to a
computer that eavesdrops on netirork traffic.
I CON

KEY

/ Valuable
information
Test your
knowledge
—

Web exercise

m

Workbook review

Lab Scenario
Sniffing is a teclniique used to in terce p t d a ta 111 information security, where many
of the tools that are used to secure the network can also be used by attackers to
exploit and compromise the same network. The core objective of sniffing is to stea l
d ata, such as sensitive information, email text, etc.

N etw ork sniffing involves intercepting network traffic between two target network
nodes and capturing network packets exchanged between nodes. A p a c k e t sniffer
is also referred to as a network monitor that is used legitimately by a network
administrator to monitor the network for vulnerabilities by capuinng the network
traffic and should there be any issues, proceeds to troubleshoot the same.

Similarly, smtfing tools can be used by attackers 111 prom iscuous mode to capmre
and analyze all die network traffic. Once attackers have captured the network traffic
they can analyze die packets and view the u se r nam e and passw ord information 111
a given network as diis information is transmitted 111 a cleartext format. A11 attacker
can easily intnide into a network using tins login information and compromise odier
systems on die network.
Hence, it is very cnicial for a network administrator to be familiar with netw ork
traffic an alyzers and he or she should be able to m aintain and m onitor a network
to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning,
spoofing, or DNS poisoning, and know the types of information that can be
detected from the capmred data and use the information to keep the network
running smoodilv.

Lab Objectives
The objective of this lab is to familiarize students with how to sniff a network
and analyze packets for any attacks on the network.
The primary objectives of tins lab are to:
■ Sniff the network
■ Analyze incoming and outgoing packets
■ Troubleshoot the network for performance

C E H L ab M an u al Page 585

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

■ Secure the network from attacks
^^Tools
d e m o n stra te d in
th is lab a re
available in
D:\CEHTools\CEHv8
Module 08
Sniffing

Lab Environment
111 tins lab, you need:

■ A web browser with an Internet connection
■ Administrative privileges to mil tools

Lab Duration
Time: 80 Minutes

Overview of Sniffing Network
Sniffing is performed to co lle ct b asic inform ation from the target and its network.
It helps to tind vulnerabilities and select exploits for attack. It determines network
information, system information, and organizational information.

Lab Tasks
Overview


Pick an organization that you feel is worthy of your attention. Tins could be an
educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you 111 sniffing the network:
■ Sniffing die network using die C o lasoft P a c k e t B uilder
■ Sniffing die network using die O m niP eek N etw ork A nalyzer
■ Spooling MAC address using SMAC
■ Sniffing the network using die W inA rpA ttacker tool
■ Analyzing the network using the C o laso ft N etw ork A nalyzer
■ Sniffing passwords using W ireshark
■ Performing man-in-tlie-middle attack using Cain & Abel

■ Advanced ARP spoofing detecdon using XArp
■ Detecting Systems running

111

promiscuous mode

111

a network using

PromqryUI

■ Sniffing a password from captured packets using Sniff - O - M atic

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target’s secuntv posture and exposure through public and free information.


C E H L ab M an u al Page 586

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

PL E A S E TALK T O YO UR I N S T R U C T O R IF YOU HA VE Q U E S T I O N S
R E L A T E D T O T H I S LAB.

C E H L ab M an u al Page 587

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

Sniffing the Network Using the
OmniPeek Network Analyzer
Own/Peek is a standalone network analysis tool used to solve networkproblem.
I CON KEY
/ Valuable
information

s

Test your

knowledge

w

W eb exercise

m

Workbook review

Lab Scenario
From the previous scenario, now you are aware of the importance of network
smtting. As an expert eth ical h a c k e r and penetration te ste r, you must have sound
knowledge of sniffing network packets, performing ARP poisoning, spooling the
network, and DNS poisoning.

Lab Objectives
The objective of tins lab is to reinforce concepts of network security policy, policy
enforcement, and policy audits.

Lab Environment
t^ T o o ls
d e m o n stra te d in
th is lab a re
available in
D:\CEHTools\CEHv8
Module 08
Sniffing

111


tins lab, you need:
"

O m niPeek N etw ork Analyzer located at D:\CEH-Tools\CEHv8 Module 08
Sniffing\Sniffing Tools\Om niPeek N etw ork Analyzer

■ You can also download the latest version ol O m niPeek N etw ork Analyzer
from the link
http:// www.wildpackets.com/products/omnipeek network analyzer
■ If you decide to download die la te s t version, dien screenshots shown 111
the lab might differ
■ A computer running Windows Server 2012 as host machine
■

W indows 8 running on virtual machine as target machine

■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click O m niPeek682dem o.exe and follow the wizard-driven
installation steps to install O m niPeek682dem o.exe
■

C E H L ab M an u al Page 588

A dm inistrative privileges to run tools

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.



Module 08 - Sniffers

Lab Duration
Tune: 20 Minutes

Overview of OmniPeekNetwork Analyzer
O m niPeek N etw ork Analyzer gives network engineers real-time visibility and expert

analysis of each and every part ol the network from a single interface, winch
includes Ethernet, Gigabit, 10 Gigabit, VoIP, video to remote ottices, and 802.

Lab Tasks
™TASK 1

1. Install O m niPeek N etw ork Analyzer on die host machine W indows Server
2012 .

Installing
O m niPeek
N etw ork Analyzer

2. Launch the S ta rt menu by hovering die mouse cursor on die lower left
corner of die desktop.

F I G U R E 1.1: W in do w s Server 2012 —D esktop view

3. Click die W ildPackets O m niPeek Demo app
die tool.

111


die S tart menu to launch

£=8=s1O m n iP e e k E n te rp rise
p ro v id e s users w ith the
v is ib ility and analysis they
need to keep V o ic e and
V id e o ap plications and
no n-m edia a pplications
ru n n in g o p tim a lly o n d ie
n e tw ork

Administrator ^

S ta rt

Google
Chrome

Menaqer
L

V

*3

&
____

Mo/1110

hretox

<9

«

rtyp«-V
Maruoer

Hypw-V
Virtual
KAvhloo

*‫י‬
WildPock...
OmmPwk

*

°‫'־■־־‬

F I G U R E 1.2: W in dow s Server 2012 — Start menu

C E H L ab M anual Page 589

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers


m

T o d e p loy and

m ain ta in V o ic e and V id e o
o ver I P successfully, yo u
need to be able to analyze
and tro u b le sh o o t m edia
tra ffic sim ultaneously w ith

4. The main window of W ildPackets O m niPeek Demo appears, as shown 111
die following screenshot.
6mi»e4
^ • t- ‫־‬u

*. 2:

*

x

,, r »

the n e tw o rk the m edia
tra ffic is ru n n in g on

^

>


New Capture

:

f i j L_ ± t

f

*

Open Capture File

ffi

v‫*׳‬v* Onr!Enor>»4

Start Montor

*We• ‫ י* • ״‬OmnPwk!

Retcat rlit*

Itxalior

IntM Captur■ T«1np<11*1

luullui■

Stmixry

Swmwj

OtKunanUtlon

•

Retouc••

•w0>WnV1•Oalii) JwliiJ

!MlMKtDuppan
1 Vm tMfwar»•UMK*•MmrrMk*WHPartrf*ivnW* CO

1r»«1n QO

»

^WidPacketj
F I G U R E 1.3: O m n iPe e k m ain screen

5. Launch Windows 8 Virtual Machine.
6. Now, 111 W indows S erver 2012 create an OmniPeek capture window as
follows:
S tarting New
C apture

a.

Click die New C apture icon on die main screen of OmniPeek.


b. Mew die G eneral options
box when it appears.

111

die O m niPeek C apture O ptions dialog

c. Leave die default general settings and click OK.
C ap tu re O p tio n s ‫ ־‬v E th e rn e t (R ea lte k PCIe GBE Fam ily C o n tro lle r - V irtu
General

‫יח ת‬

General

A dapter

802.11
Triggers
Filters

f f l l O m n iP e e k N e tw o rk

Capture title:

Capture 1

□ Continuous capture

Statistics O utput


O Capture to disk

A nalysis O ptions

File path:
C:\Users\Administratorpocuments\Capture 1-

A n a ly z e r o ffe rs real-tim e

File size: | 256

h ig h -level vie w o f the entire
netw ork, expert analyses,

[I] Stop saving after | 1000

□

: *~] megabytes
megabytes

and d rill-d o w n to packets,
d u rin g capture.

I IKeep most recent

10

I INew file every


‫ | = ך‬files (2,560 MB)

1

I ILimit each packet to

128

3~| bytes

O Discard duplicate packets
Buffer size: | 100

*

megabytes

O Show this dialog when creating a new capture

Cancel

Help

F I G U R E 1.4: O m n iPeek capture options - G eneral

C E H L ab M anual Page 590

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.



Module 08 - Sniffers

d. Click A dapter and select E thernet

111

die list for Local m achine. Click

OK.
C ap tu re O p tio n s ‫ ־‬E thernet
General

A d a p te r

| Adapter'

0 0

802.11
[ 0 3 N e tw o rk Coverage:

Triggers

W it h the E th e rn e t, G ig a b it,

Filters

‫ל‬


10G , and wireless
capabilities, y o u can n o w

Statistics O utput

-a 8

> ••0 File
Module: Compass Adapter
Local machine: WIN-MSSELCK4K41
M l Local Area Connection* 10

Analysis O ptions

effe ctive ly m o n ito r and
tro u b le sh o o t services

M . E th e rn e t]
■9 vSwitch (Realtek PCIe GBE Family Controller ‫ ־‬Virtual

ru n n in g o n yo u r entire
netw ork. U s in g the same

I- ■p vEthernet (Realtek PCIe GBE Family Controller ‫ ־‬Virfa.
\ - m vSwitch (Virtual Network Internal Adapter)
■5 vEthernet (Virtual Network Internal Adapter)

so lu tio n fo r
tro u b le sh o o tin g w ire d and

w ireless netw orks reduces


the to ta l cost o f o w nership
and illu m in ates ne tw ork

III

Property

p ro b le m s that w o u ld
otherw ise be d iffic u lt to
detect.

Description

Device

Realtek PCIe GBE Family Controller

Media

Ethernet

Address

DO:

Link Speed

100 Mbits/s

:36

WildPackets API

No

Cancel

Help

F I G U R E 1.5: O m n iPe e k capture options - Adapter

7. Now, click S ta rt C apture to begin capturing packets. The S tart C apture
tab changes to Stop C apture and traffic statistics begin to populate the
N etw ork D ashboard 111 die capture window of OmniPeek.
■h ... V V 1' g - »

£ Q D ash b oa rds display
im p o rta n t data that every
n e tw o rk engineer needs to
k n o w regarding the

t* - <\ r J

u

, . B: ;» e IQ E j

Wid=

F

-

‫׳‬OmniPeek

sutn «■ vapt altpackets
Utib/itton / M.m.t.• Window* ( I Smand Av»>r.1u••)

n e tw o rk w ith o u t spending
lo ts o f tim e analyzing the
captured data.

lop Protocol*

F I G U R E 1.6: O m n iPe e k creating a capture w indow

C E H L ab M anual Page 591

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

8. The captured statistical analysis of die data is displayed
of die navigation bar.

EQQlO n u iiP e e k

011

die C apture tab

P ro fe ssio n a l expands the
capabilities o f O m n iP e e k
B asic, extending its reach

* •u-n ., y . 3. *

to all sm all businesses and
corp orate w orkg ro up s,

— w hw fct FlhrhiW

regardless o f the size o f the
n e tw o rk o r the n u m b e r o f

Netw-orfc inai/rffh.n ‫ ל‬Minute Window (I Second Average)

em ployees. O m n iP e e k
P ro fe ssio n a l pro v id e s

!“

a 03-

I

1

02■*

su p p o rt fo r m u ltip le
n e tw o rk interfaces w h ile
still sup p o rtin g up to 2
O m n i E n g in e s acting as

L A

b o d i a full-featured
n e tw o rk analyzer and
con so le fo r rem ote
n e tw o rk analysis.

20*17* 1522•
■ 206.176.15226

10002 1000$

2.0%
173.1W36.11

173 19436 10
173.1■

0»«rs

0102!10 ‫ י‬d4.364.:202.63.8.8167.6667.222

DNS

TCP ‫יו‬

OHCPVG 1QMP

9 Elhcfnct PatJtrts: 1.973

Duutioa: 001:25

F I G U R E 1.7: O m n iPe e k statistical analysis o f die data

9. To view die captured packets, select P a c k e ts
D ashboard 111 die left pane ot die window.

m

r

‫״ * * • "'י ל‬

a»*»oon

m

H ie O m n iP e e k Peer

5

€

19.9.5.2
19.9.:.2

173.194.36.4
173.194.36.4
'4 . 125.12S.169

19.9.9.2

1‫ י‬3.194.36.22
19.9.0.2
123.1‫■>ל‬32.154

WmmK

17
IS
IS

M a p show s all
c o m m u n ica tin g nodes

Ltfctto

21
22

19.1.3.2

19.9.1.5

24
2*

1‫ נ‬. ‫ נ‬. : . 5
19.9.5.5
1S7.SC.C7.222
15‫ י‬. 5». 67.222

w ith in yo u r ne tw o rk and is
d ra w n as a verticallyo rien ted ellipse, able to
g ro w to the size necessary.
It is easy to read the maps,
the d iic k e r the lin e betw een
nodes, the greater the
traffic; the bigger d ie dot,
the m o re tra ffic throu g h
that node. T h e nu m b e r o f
nodes displayed can also be
lim ite d to d ie busiest
a n d /o r active nodes, o r to
any O m n iP e e k filters that

1ssr

27
2»
<1— 1 ■

19.9.0.2
19.9.0.2

sue

\
10.0.9.2
‫ו‬

123.176.32.154
10.0.0.2

157.56.67.222
157.56.67.222
157.56.67.222
10.0.0.s

!

173.194.36.4

« * » •r*t

SS
95

0.0CC0S1CCD writs
0.03:20X19 s m s

64

64
163
64
2870
64
64
118
936
64
64
70
103

0.939*25029 a n rs
0.039S4SCI‫ )׳‬STTrS
0.771222000
0.811S9JCJ0 3TTT*
4.31I23SOOO
ana
n :s
4.350147CS9 an ss
4.355064CJO 3TTT5
4.SE52S40S9 37TrS
4.$86969029 an?3
4.SS79CMS9
6.097097050 an?
€.100119000 HIT?
0.92264>0:0

S r~

3=c=
SICSrc-

64
70

7.21122*000 O F
7.301449020 O I »

C PCKT-1727
31== 1040,D»t= 443 ....3.,3=1830...

7.55*925029
7.5952990:9
7.asoscccso
0:9‫ י‬. 55290‫ל‬

31e= 1040,D»t= 443 .&
3=1e30...
Src- 1040, D8t- 443 .A P...,3-1830...
u. . ,S- 519. . Slaw Server Respe-r.se Tise 10
Src- 443, u*a‫״‬- 1040
‫ ־־‬SI*...

173.194.36.22
3

15
[ Calls

Htj,

10.0.0.2

173.1M.3C.22
1‫ ־‬3.194.36.22

.
1►

19.9.0.2
173.1*4.36.4

12
13

0 1 3 * 0 *

>

10.9.5.2

[ Oms

4 ‫ יי‬A i d

3

I w c s to r

' ‫ " ־‬,‫■ ״ י‬
WldP.x *• I ‫׳‬OmniPeek

VN.A40W HPIp

> 3‫ ־‬.

mt.Mrd: .{000
N 'lh rh ^]
V ‫ ״‬-‫••!<«•׳**״‬
feO>fao.1r4%
•4 ■ ‫׳‬11 = L ***** i•* a
vote*‫«* ״‬

a C apture section ol die

»5

‫ז‬

t,ISOMS' Too‫״‬

»***

tJ u
sun?**

ii

r — 1

111

64
184
1s1a
151S
si
<4

arirs
5‫ זז ל‬5
«nrs
STTTJ

e .0010460:9 an iz
#.9C19»X:9

3zc- 443,0*t=

•W ....3= 796...

3zc- 1769,0st= 443 .u.......3=1486...
Src- 13&,70‫ י‬V- 443 .*....,5-366S...
5rc- 1063, !>3*‫ ־‬443 •h.......S- 956...
443
14 4 3 'S ^
443,Dst=
443,D3t- 1051
443.03T1051

Src- 1051,DOT‫ ״‬KJfC=172e .
Src- 60.D3T.‫ ־‬1726

.I S ...,3=2007...
.&....,3= 94...
94...
.A?.. . , 3 9 4 ‫־‬...
•fc
S-20D7...
.A ....,3-2997...

3ss- 1770,0*t‫ ־‬443 .Xf...,3=3e68...
■‫ ע‬1‫ ז«י״»יוו‬PMMtt: 4000

Ou'Miea .<rx>

F I G U R E 1.8: O m n iPe e k displaying Packets captured

10. Similarly, you can view Log. Filters. Hierarchy, and P eer Map by selecting
die respective options 111 the D ashboard.
11. You can view die N odes and P rotocols from die S ta tistic s section of die
Dashboard.

m av be in use.

C E H L ab M anual Page 592

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 08 - Sniffers

m

O n -th e -F ly Filters:

Y o u sh o u ld n ’t have to stop
y o u r analysis to change
w h a t y o u ’re lo o k in g at.
O m n iP e e k enables yo u to
create filters and ap ply
d ie m im m ediately. T h e
W ild P a ck e ts “ select
related” feature selects the
packets relevant to a
p articular node, pro to co l,
conversation, o r expert
diagnosis, w ith a sim ple
rig h t c lic k o f d ie m ouse.

F I G U R E 1.9: O m n iPe e k statistical reports o f N odes

12. You can view a complete Sum m ary of your network from tlie S ta tistic s
section of the D ashboard.

£ Q A la rm s and
N o tific a tio n s: U s in g its
advanced alarm s and
no tifica tion s, O m n iP e e k

u n co ve rs hard-to-diagnose
n e tw o rk p ro b le m s and
n o tifie s the o ccurrence o f
issues im m ediately.
O m n iP e e k alarm s query a
sp ecified m o n ito r statistics
fu n ctio n once p er second,
testing fo r user-specified
p ro b le m and re solu tion
con d ition s.
F I G U R E 1.10: O m n iPe e k Summary details

13. To sa v e the result, select File‫ ^־‬S a v e Report.

C E H L ab M anual Page 593

Etliical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

- '0

OmniPtek
F.1« | fdH

u«M0« tooit
i

♦ *J

x ’

T A « L u u i i v w ;j « i J .

►
ii

*

u a 3 ‫־׳‬

j

-

CufTW.
5.15/2012
t2rt2:<6

m

U s in g O m n iP e e k ’s

lo c a l capture capabilities,
centrali 2ed console
d istributes O m n iE n g in e

inte llige n t software probes,

360.320
0.795

‫ מיי‬.‫־‬J a w 5»sA(

O m tiip lia n ce ® ,
T im e lin e ™ ne tw ork
recorders, and E x p e rt
Analysis.

‫זז‬
•‫־‬.* *«•»»-

Ltncrnct P.ikfta 2.000

Dum.011 001.B

F I G U R E 1.11: O n u iiP e e k saving die results

14. Choose the format of the report type from die S ave R eport window and
dien click Save.
Save Report
2e 1R eport type:

pull PDF Report
Q
m

E ng ine e rs can

m o n ito r tlie ir entire
netw ork, rap id ly
tro u b le sh o o t faults, and fix
p ro b le m s to m a xim ize
n e tw o rk up tim e and user
satisfaction.

j v

R ep ort folder:

C : \Users \Adm inistrator d o cu m e n ts R e p o rts \C apture 1
R ep ort description
PDF reports contain Summary Statistics, Node Statistics, Protocol
Statistics, Node/Protocol Detail Statistics, E x p e rt Stream and Application
Statistics, Voice and Video, Wireless Node and Channels Statistics, and
graphs.

Save

Cancel

Help

F I G U R E 1.12: O n u iiP e e k Selecting the Report format
F K jU K fc . 1.12 (Jmml-‫׳‬eek Selecting the Report tom iat

15. The report can be viewed as a PDF.

C E H L ab M anual Page 594

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

OmniPeek Report: 9/15/2012 12:21:22

OmniPeek Report
^

f t Dashboard

Start: 9/15/2012 12:02:46, Duration: 0:01:25

-" tf Statistics
t? Summary

Total Bytes: 1014185. Total Packets: 2000

t? Nodes
I? Protocols
®I? Expert
I? Summary
Flows
I? Application
Lf Voice & Video

“‫ ׳‬Lf Graphs
1f Packet Sues
1/ Network
Utilisation
(bits/s)

m

If Network
Utilization
(percent)

C o m p a ss Interactive

(? Address
Count
Comparisons

D a sh b o a rd o ffers b o th
real-tim e and post-capture
m o n ito rin g o f h ig h -level

I? Application

___ LSi£__

n e tw o rk statistics w ith d rill
d o w n cap ab ility in to
packets fo r the selected
tim e range. U s in g the

C o m p a ss dashboard,
m u ltip le files can be
aggregated and analyzed
sim ultaneously.

Tools
Boolcmarfct
?

Sign

Comment .

Summary Statistics. Reported 9/15/2012 12.21.22

B*

ft“

3 i? OmniPeek Report —
&

Dashboard
- ' t f Statistics
IP Summary
(? Nodes

Start Date
Start Time
Duration

1? Protocols
Expert
1? Summary
(? Flows
I? Applications
I f Vo«e & Video
® f f Graphs
I f Packet Sues
I f Network
Utilization
(bits/s)
1? Network
Utilization
(percent)
I? Address
Comparisons
f f Application

Group. Network
Total Bytes
Total Packets
Total B10.1dc.1st
Total Multicast
Average Utilisation (percent)
Average Utilisation (blts/s)
Current Utilisation (percent)
Current Utilization (bits/s)
Max Utilization (percenl)
Max Utilization (bits/s)

1014185
N‫׳‬A
1061
6933
0 096
95989
0 360
360320
0.795
79*656

63
0096
95989
0 360
360320
0795
794656

0105
0 585
0096
95989
0 360
360320
0.795
794656

0 360

360320
0.796
794656

Group Errors

00000000

Total
CRC
Frame Alignment
Runt
Oversize

0 000
0.000
0.000

F I G U R E 1.13: O m n iPe e k Report in P D F format

Lab Analysis
Analyze and document the results related to the lab exercise.

C E H L ab M anual Page 595

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

T ool/U tility

Information Collected/Objectives Achieved
Network Information:
■
■
"
■
■

Network Utilization
Current Activity
L°g
Top Talkers bv IP Address
Top Protocols

Packets Information:

OmniPeek
Network Analyzer

■
■
■
■

Source
Destination
Size

Protocol

N odes Statistics:
■
■
■
■

Total Bytes for a Node
Packets Sent
Packets Received
Broadcast/Multicast Packets

Summary includes Information such as:
■
■
■
■
■

General
Network
Errors
Counts
Size Distribution

PL E A S E TALK T O YO UR I N S T R U C T O R IF YOU HA VE Q U E S T I O N S
R E L A T E D T O T H I S LAB.

C E H L ab M an u al Page 596

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

Questions
1. Analyze what 802.1111 adapters are supported 111 OmniPeek Network
Analyzer.
2. Determine how you can use the OmniPeek Analyzer to assist with firewall
rules.
3. Evaluate how you create a filter to span multiple ports.
Internet Connection Required
□ Yes

0 No

Platform Supported
0 Classroom

C E H L ab M an u al Page 597

0 !Labs

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

Lab

Spoofing MAC Address Using SMAC
SM AC is apon ‫׳‬eif/11and easy-to-use tool that is a M A C address changer (spoofer).
The tool can activate a new M A C address right after changing it automatically.
I CON KEY

Lab Scenario

/ Valuable
information

111 the previous kb you learned how to use OmmPeek Network Analyzer to capture
network packets and analyze the packets to determine it any vulnerability is present
111 the network. If an attacker is able to capture the network packets using such tools,
he 01‫ ־‬she can gain information such as packet source and destination, total packets
sent and received, errors, etc., which will allow the attacker to analyze the captured
packets and exploit all the computers in a network.

Test your
knowledge

H

Web exercise

ffi! Workbook review

If an administrator does not have a certain level of working skills of a packet sniffer,

it is really hard to defend intrusions. So as an expert ethical h a c k e r and
p en etratio n te ste r, you must spoof MAC addresses, sniff network packets, and
perform ARP poisoning, network spoofing, and DNS poisoning. 111 tins lab you will
examine how to spoof a MAC address to remain unknown to an attacker.

Lab Objectives
The objective of tins lab is to reinforce concepts of network security policy, policy
enforcement, and policy audits.
111 tins lab, you will learn how to spoof a MAC address.

Lab Environment
^^Tools
d e m o n stra te d in
th is lab a re
available in
D:\CEHTools\CEHv 8
Module 08
Sniffing

C E H L ab M an u al Page 598

111

the lab, you need:
■

SMAC located at D:\CEH-T0 0 ls\CEHv8 Module 08 Sniffing\MAC Spoofing
Tools\SMAC

■ You can also download the latest version ot SMAC from the link

smac/default.htm#smac27
■ It you decide to download the la te s t version, then screenshots shown
the lab might differ

111

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

■ A computer running W indows Server 2012 as Host and Windows Server
2008 as
tun Machine
■ Double-click sm ac 2 7 b e ta _ setu p .ex e
installation steps to install SMAC

and follow the wizard-driven

A dm inistrative privileges to run tools

■

■ A web browser with Internet access

Lab Duration
Time: 10 Minutes

Overview of SMAC

f f i s M A C is a p o w e rfu l
yet easy-to-use and in tu itive
W in d o w s M A C address
m o d ify in g u tility ( M A C
address spoofing) w h ic h
a llo w s users to change
M A C addresses fo r a lm ost
any N e tw o r k Interface
C a rd s (N IC s) o n the
W in d o w s 2003systems,
regardless o f w h e th e r die
m anufacturers a llo w d iis
o ption.

Spoofing a MAC protects personal and individual privacy. Many organizations

track wired or wireless network users via their MAC addresses. 111 addition, there are
more and more Wi-Fi w ireless connections available these days and wireless
networks use MAC addresses to com m unicate. Wireless network security and
privacy is all about MAC addresses.
Spooling is carried out to perform security vulnerability testin g , penetration testing
on MAC address-based au th en ticatio n and authorization systems, i.e. wireless
access points. (Disclaimer: Authorization to perform these tests must be obtained
from the system’s owner(s)).

Lab Tasks
1. Launch die S ta rt menu by hovering die mouse cursor on die lower-left
corner of die desktop.

C Q s m a c w o rk s o n d ie

N e tw o r k Interface C a rd
(N IC ), w h ic h is o n the
M ic ro s o ft hardware
c o m p a tib ility lis t (H C L ).

4 Windows Server 2012
Windows Sewer 2012 Rdcttt Cardidatc Datacen!‫׳‬
Evulud’.kn copy Build 84CC

*•r

1&

rc ! 1 T ! n ^ H
F I G U R E 2.1: W in do w s Server 2012 —D esktop view

2. Click die SMAC 2.7 app 111 die S ta rt menu to launch die tool.
Q=sJ W h e n yo u start S M A C
program , yo u m u st start it
as the adm inistrator. Y o u
c o u ld d o this b y rig h t clic k
o n d ie S M A C p ro g ram
ic o n a nd c lic k o n "R u n as
A d m in is tra to r i f n o t logged
in as an adm inistrator.

C E H L ab M anual Page 599

E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 08 - Sniffers

F I G U R E 2.2: W in dow s Server 2012 — Start menu

£

T A S K

1

Spoofing MAC
A ddress

3. Tlie SMAC main screen appears. Choose a network adapter to spoof a
MAC address.
%

SMAC 2.7 Evaluation Mode - KLC Consulting: www.klcconsulting.net

File

View

ID

| Active I Spoofed I Network Adapter

Options

rriiEiii ■1 ‫ןוי‬
0017 Yes

No

Help
IP Address

Hyper-V Virtual Ethernet Adapter #2

Hyper•V Virtual Ethernet Adaptei #3

EMU^HET
169.254.103.138 01

17 Show On^i Active Network Adapters

Rem ove MAC

New Spoofed MAC Address

Spoofed MAC Address
|Not Spoofed

Restart Adapter

IPConfig

Random

MAC List

Refresh

Exit

J

Network Connection________________________________
|vEthernet (Realtek POe GBE Famdy Controller •Virtual Switch)

A |

Hardware ID______________________________________
|vms_mp

Active MAC Address

p o -rrr‫■ ־‬

\

_>>J

Disclaimer: Use this program at your own risk. We ate not responsible fot any damage that may occur to any system
This program is not to be used for any illegal or unethical purpose Do not use this program if you do not agree with

E Q s m a c helps p eople to
p ro te ct th e ir priva cy by

h id in g d ie ir real M A C
A d d resses in the w id ely
available W i- F i W ireless

F I G U R E 2.3: S M A C m ain screen

4. To generate a random MAC address. Random.

N e tw o rk .

Update MAC

Remove MAC

Restart Adapter

IPConfig

Random

MAC List

Refresh

Exit

F I G U R E 2.4: S M A C Random button to generate M A C addresses

5. Clicking die Random button also inputs die New Spoofed MAC A ddress to
simply MAC address spoofing.

C E H L ab M anual Page 600

Etliical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

‫־‬r a !

S M A C 2.7 Evaluation M od e - KLC Consulting: www .klcconsulting.net
File

m

S M A C also helps

N e tw o rk and I T Security
p rofessionals to

View

Options

Help

ID | Active | Spoofed | Netwcnk Adapter
0015 Yes
No

Hyper-V Virtual Ethernet Adapter 82
0017 Yes
No
Hyper-V Virtual Ethernet Adapter #3

10.0.0.2
DO-l
169.254.103.138 00■ '

;■36
-■08

tro ub le sh oo t n etw ork
p roblem s, test Intrusio n
D e te c tio n / P re ve n tio n
Systems (ID S /IP S ,) test
In cid e nt Response plans,
b u ild high-availability
solutions, recover ( M A C
A d d re ss based) software
licenses, and etc.

I* Show Only Active Network Adapteis

Update MAC

New Spoofed MAC Address
IE - | 05

-|F C

^

- | 63

- | 34

|SCHENCK PEGASUS CORP. [0005FC]
Spoofed MAC Address
|Not Spooled

-

I

Restart Adapter

07‫ ־‬l x j

— ‫פ‬

Remove MAC

|

IPConfig

|

Random

MAC List

Refresh

Exit

Network Connection
IvEthemet (Realtek POe GBE Famdy Conliollei •Virtual Switch)

Active MAC Address
|D 0 -» W « ■-36

A I

Hardware ID______________________________________
|vms_mp

Disclaimer: Use this program at your own risk. We are not responsible 101 any damage that may occur to any system
This program is not to be used for any illegal ot unethical purpose Do not use this progiam if you do not agree with

F I G U R E 2.5: S M A C selecting a new spoofed M A C address

6. The Network Connection 01‫־‬Adapter display dieir respective names.
7. Click die forward arrow button
Network A dapter information.
r

111

N etwork Connection to display die

Network Connection____________________________________

IvEthemet (Realtek PCIe GBE Family Controller ■Virtual Switch)

g

F I G U R E 2.6: S M A C N etw ork Connection inform ation

£ Q s m ‫ \׳‬c does n o t
change d ie hardware
b u m e d -in M A C addresses.
S M \ C changes the
software-based !M A C
addresses, and d ie new
M A C addresses yo u change

Clicking die backward arrow button 111 N etw ork A dapter will again display
die N etwork C onnection information. These buttons allow to toggle
between die Network Connection and Network Adapter information.
r Network Adapter
|Hyper-V Virtual Ethernet Adapter 82

are sustained fro m reboots.

g

F I G U R E 2.7: S M A C N etw ork Adapter information

9. Similarly, die Hardware ID and Configuration ID display dieir respective
names.
10. Click die forward arrow button
Configuration ID information.

111

H ardw are

ID to display die

Hardware ID
|vms_mp
F I G U R E 28: S M A C Hardware I D display

11. Clicking die backward arrow button 111 Configuration ID will again display
die H ardw are ID information. These buttons allow to toggle between die
Hardware ID and Configuration ID information.
Configuration ID
|{C7897B 39-E D BD -4M0-B E 95-511FAE 4588A1}

3

F I G U R E 2.9: S M A C Configuration I D display

C E H L ab M anual Page 601

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 08 - Sniffers

12. To bring up die ipconfig information, click IPConfig.
S

T A S K

2

Viewing IPConfig
Inform ation

U pdate MAC

R em ove MAC

R estart A dapter

IPConfig

R andom

MAC List

R efresh

Exit

,

j

F I G U R E 2.10: S M A C to view7the inform ation o f IP C o n fig

13. Tlie IPConfig window pops up, and you can also save die information by
clicking die File menu at the top of die window.
— ‫ם‬
File
W indow s IP Configuration
Host N a m e
Primary Dns S u ffix
Node T y p e
IP Routing Enabled
W INS Proxy Enabled

: WIN-MSSELCK4K41
: Hybrid
:N o
:N o

Ethernet adapter vEthernet (Virtual Network Internal Adapter):

C Q t 11e I P C o n fig
in fo rm a tio n w ill show in
the " V ie w IP C o n fig
W in d o w . Y o u can use the
F ile m en u to save o r p rin t
the I P C o n fig in fo rm a tio n .

Connection-specific DNS Suffix .
D escription
: Hyper-V Virtual Ethernet Adapter 83
Physical Address
:0 0 -08
DHCP Enabled
:Y e s
Autoconfiguration E n a b le d . . . . : Yes
Link-local IPv6 A d d re ss
: fe80::6868:8573:b1b6:678a%19(Preferred)
Autoconfiguration IPv4 Address. .: 169.254.103.138(Preferred)
Subnet M a s k
: 255.255.0.0
Default G a te w a y
DHCPv6 IA ID
: 452990301
DHCPv6 Client D UID : 00-01 -00-01 ■
1
‫־‬A- 16- 36
DNS S e rvers
: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
Close

1

F I G U R E 2.11: S M A C IP C o n fig inform ation

14. You can also import the MAC address list into SMAC by clicking MAC List.

k.

Update MAC

Remove MAC

Restart Adapter

IPConfig

Random

MAC List

Refresh

i

Exit

F I G U R E 2.12: S M A C listing M A C addresses

C E H L ab M anual Page 602

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

15. If there is 110 address in die MAC a d d re ss held, click Load List to select a
]MAC address list tile you have created.
MAC List
<- Load List

C Q 1 t 11e IP C o n fig
in fo rm a tio n w ill sh o w in
the " V ie w IP C o n fig
W in d o w . Y o u can use the
F ile m en u to save o r p rin t
the I P C o n fig in fo rm a tio n .

Select
Close

No List
F I G U R E 2.13 S M A C M A C l is t w indow

16. Select die Sam ple MAC A ddress L ist.txt tile from the Load MAC List
window.
Load M A C List
0 2 W h e n chang ing M A C

■i.f

address, yo u M U S T assign
M A C addresses a cco rding
to I A N A N u m b e r

Organize ■

*

ProgramData ► KLC ► SMAC

v

C

Search SMAC

‫ ־י‬s m

New folder

Assig n m e n ts database. F o r
exam ple, "00-00-00-00-00-

■ Desktop

00" is n o t a v a lid M A C
address, therefore, even

jgf Recent places

4

”

Downloads

A

Name

—

Date modified

Type

i-‫־‬l LicenseAgreement.txt

6/6/200811:11 PM

Text Document

, , Sample_MAC_Address_List.txt

4 /S 0 /2 0 0 6 1:23 PM

Text Document

J|. SkyDrive

th o ug h y o u can update this
address, it m ay be rejected
b y the N I C device d rive r
because it is n o t valid , and
T R U E M A C address w ill
be used instead.

O the rw ise , "00-00-00-00-

Libraries
0

f c l Pictures
B

00-00" m ay be accepted by
the N I C device driver;
how ever, the device w ill
n o t fun ction.

Documents

J* Music
Videos

Computer
U . Local Disk (G )
1_

j Local Disk (DO

<|

>

File name: |Sample_MAC_Address_List.txt

v

Text Format (*.txt)
Open

pr

F I G U R E 2.14: S M A C M A C List w indow

C E H L ab M anual Page 603

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 08 - Sniffers

17. A list of MAC addresses will be added to die MAC List 111 SMAC. Choose a
MAC A ddress and click S elect. This MAC Address will be copied to New
Spoofed MAC A ddress on die main SMAC screen.
m

S M A C is created and

m aintained b y C e rtifie d
In fo rm a tio n Systems
Security P ro fessio nals
(CISSPs), C e rtifie d
In fo rm a tio n System
A u d ito rs (C ISA s),

M ic ro s o ft C e rtifie d Systems
E n g in e e rs (M C S E s), and
pro fe ssio n a l softw are
engineers.

m

MAC List

%
0D=

:99

OD
OD
OD

. -E7

-E9
■E8

S M A C displays the

fo llo w in g in fo rm a tio n
ab ou t a N e tw o rk Interface

C: \Pr ogramD ata\KLC\S MAC\S ample_M AC_Address_List. txt

C a rd (N IC ).
•

D e v ic e I D

•

A c tiv e Status

•

N I C D e s c rip tio n

•

S p o o fe d status

•

I P A d d re ss

•

A c tiv e M A C address

•

S p o o fe d M \ C A d d re ss

•

N I C H ardw are I D

•

N I C C o n fig u ra tio n I D

F I G U R E 2.15: S M A C M A C List w indow

18. To restart Network Adapter, click R esta rt A dapter, which restarts die
selected N etw ork A dapter. Restarting die adapter causes a temporary
disconnection problem for your Network Adapter.
Update MAC
|

Restart Adapter

IPConfig

Random

MAC List

Refresh

Exit

u

F I G U R E 2.16 S M A C Restarting N e tw o rk Adapter

Lab Analysis
Analyze and document die results related to die lab exercise.
T ool/U tility

SMAC

C E H L ab M anual Page 604

Information Collected/Objectives Achieved
■
■
■
■
■
■
■

Host Name
Node Type
MAC Address
IP Address
DHCP Enabled
Subnet Mask
DNS Servers

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Module 08 - Sniffers

P L E A SE TALK TO Y O UR I N S T R U C T O R IF YOU HA VE Q U E S T I O N S
R E L A T E D T O T H I S LAB.

Questions
1. Evaluate and list the legitimate use of SMAC.
2. Determine whether SMAC changes hardware MAC addresses.
3. Analyze how vou can remove the spoofed MAC address using die SMAC.
Internet Connection Required
□ Yes

0 No

Platform Supported
0 Classroom

C E H L ab M an u al Page 605

0 iLabs

E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

Sniffing a Network Using the
WinArpAttacker Tool
WinArpAttacker is aprogram that can scan, attack, detect, andprotect computers

on a local area network (LAN ).
I CON

KEY

.__ Valuable

1

information
Test your
knowledge
Web exercise

ea

Lab Scenario
You have already learned in the previous lab that you can conceal your identity by
spoofing the ]MAC address. A11 attacker too can alter his 01‫ ־‬her MAC address and
attempt to evade network intrusion detection systems, bypass access control lists,
and impersonate as an authenticated user and can continue to communicate widiin
the network when die authenticated user goes offline. Attackers can also push MAC
flooding to compromise die security of network switches.

Workbook review

As an administrator, it is very important for you to detect odd MAC addresses 011
the network; you must have sound knowledge of footprinting, network protocols
and their topology, TCP and UDP services, routing tables, remote access (SSH 01‫־‬
VPN), and authentication mechanisms. You can enable port security 011 the switch

to specify one or more MAC addresses tor each port. Another way to avoid attacker
sniffing 011 your network is by using static *ARP entries. 111 tins lab, you will learn to
run the tool WinArpAttacker to smtt a network and prevent it from attacks.

Lab Objectives
The objectives of tins lab are to:
■

S can . D e te c t. P ro te c t, and A tta c k computers

011

local area networks

(LANs):
■

Scan and show the active hosts
period of 2-3 seconds

■

S a v e and load computer list tiles, and save the LAN regularly for a new
computer list

011

the LAN widiin a very short time

■ Update the computer list 111 p a ssiv e m ode using sniffing technolog}‫־‬

C E H L ab M an u al P ag e 606

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

■

Freely p rovide inform ation regarding die type of operating systems they
employ?

■ Discover the kind ot firew all, w ire le s s a c c e s s point and re m o te
access

■ Discover any published information on the topology of the n etw o rk
■ Discover if the site is seeking help for IT p o sitio n s that could give
information regarding the network services provided by the
organization
■

Identity actual users and discover if they give out too much personal
information, which could be used for social engineering purposes

Lab Environment
To conduct the lab you need to have:
■ W inArpAttacker located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\ARP
Poisoning Tools\W inArpAttacker

■ You can also download the latest version ot W inArpAttacker trom the link
http:/ / www.xfocus.net

^~Tools
d e m o n stra te d in
th is lab a re
available in
D:\CEHTools\CEHv8
Module 08
Sniffing

■ If you decide to download the la te s t version, then screenshots shown in
the lab might differ
■ A computer running Windows Server 2012 as host machine
■ W indows 2008 mnning on virtual maclune as target maclune
■ A computer updated with network devices and drivers
■

Installed version ot W inPcap dnvers

■ Double-click W inA rpA ttacker.exe to launch WinArpAttacker
■

A dm inistrative pnvileges to run tools

Lab Duration
Time: 10 Minutes
W in A R P A tta c k e r
w o rk s o n com puters

ru m iin g W in d o w s /2003.

Overview of Sniffing
Sniffing is performed to co lle ct b asic inform ation of a target and its network. It
helps to find vulnerabilities and to select exploits for attack. It determines network
information, system information, and organizational information.

Lab Tasks
* T A S K

1

Scanning H osts
on th e LAN

C E H L ab M an u al Page 607

1. Launch Windows 8 Yutual Maclune.
2. Launch W inArpAttacker 111 the host maclune.

E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


Module 08 - Sniffers

Untitled

‫ר ^ ד ־ ־ ק‬

WinArpAttackw 3.5 ?0066.4

Fite lean Attack Dctect options View Help

C a u tio n :T h is p ro g ram

D ^ i
Xev

op»n

* «» a a *

s &ve

scan

Ho::^‫ ״‬c

is dangerous, released just
fo r research. A n y p ossible

| Online

Snitf 1... Attack

q
Attack1:‫ ״‬stopsendK*««art

ArpSQ | A

Cpflu‫*׳‬ascut
Packets

(

T>aff!c(KI

]

lo ss caused b y this pro g ram
bears n o relatio n to the
a utho r (unshadow), i f y o u
d o n ’t agree w ith this, y o u
m u st delete it im m ediately.

| AtlHotl

| FftetHovI

| Fff»(tH(Kt2

[ Count |
10.0.01
10.0.0 3
10.004
10.005
10.0.07
10.0.08
10.0.0255

16*254255 255
224.0.0.22

00■•
000000■
00‫•־‬
00
FF-‫״‬
FF-*
01•*

‫*־לש‬
—*WI-‫׳‬.-‫־‬
w a r !‫• ג‬lew*! soya, m tsemo reducMte 11«ty
p>• • : » » 1: CAxSvev try Gjea^r/Mac s MLU.
p* ‫ ־־‬: » » !: ! Cs* : a20L>‫־‬c trse terns :• 10.0.0.V tr« ptogoir ruy 96! 1190r«0cy
16 3 GVV: taao.l

On: 0 Off: 0 Sniffing: :

Klee DO-fc • - y- 16-3.GW: 1ft(X0.1

Q=J W iiiA rp A tta c k e r is a
p ro g ram d ia t can scan,
attack, detect, and protect
com p uters o n a lo c a l area
netw ork.

On: 0 Off; 0 Snrffmj: Q ,

F I G U R E 31: W iiiA rp A ttack e r m ain w ind ow

3. Click die S can option from die toolbar menu and select S can LAN.
4. The scan shows die a ctiv e h o sts
(2-3 seconds).

011

die LAN 111 a very short period ol time

5. The S can opUon has two modes: Normal sc a n and Antisniff scan.
Untitled

JL*«[ ✓| Mofmalitan

r~ ‫ ם‬r 5‫ד־‬

WinArpAttackef 35 ?006 6.4

ck

L»9tect

Hwhmne

I Online I SnrtfL. I Attade

send h«c<‫׳‬art Cpfluit lkel£

a : cut

I AipSQ I AmSP I AmW I ArpWP I

Padafa

I

TufficOq

I

0 3 T h e• ‫י‬o p tio n scan can
scan and sh o w the active
hosts o n the L A N w ith in a

I Evtnt

1 ActHotl

Sff«aHoa2

| Count |
10.0.01
10.0.03
10.0.04
10.0.0 5
10.0.07
10.0.0a
1000 2SS

169•254255.255
224.0.022

v e ry short time. It has tw o
scan m odes, N o r m a l
a n d A n tisn iff. T h e second is
to fin d w h o is sn iffin g on
the I A N .
‫ ן‬. ‫ ־ ־ ן ־‬: ‫ י י ^ מ כ נ נ ־‬1] 1

1 Mat
OO*
oa
oa
00•
D4.♦
00•
FF-►
FF-*

•
-‫־‬
‫־‬
- - ۥ03
IE-2D
‫ • ־‬NOE
• • ••FF
• • ‫ ־‬FF
-

6a_/!fp_£mrv_CM»ae«
MacOO-fc ♦-

16-3,GW:1000.1

,On: 0 Qff:0 SnrffmyQ , J

F I G U R E 3.2: W u iA rp A ttacker Scan options

6. Scanning saves and loads a computer list die and also scans die LAN
regularly for new computer lists.

C E H L ab M anual Page 608

E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.