Pentest Insights: Choosing a traffic analysis and interception tool

Traffic analysis is a very important step in penetration testing. In the packets transmitted over the network, you can find many interesting things, for example, passwords to access various resources and other valuable data. To intercept and analyze traffic, sniffers are used, many of which mankind has invented. Today I will talk about several popular sniffers for Windows.

To intercept traffic, analyzers can use packet forwarding or apply what is called Promiscuous mode of the network card which disables filtering to accept all packets, regardless of their destination. Normally, the Ethernet interface filters packets at the binder layer. With this filtering, the network card only accepts broadcast requests and packets whose MAC address matches its address. Promiscuous mode preserves all other packets so that the sniffer can intercept the data.

Theoretically, it is possible to collect all packets in the local network segment where the sniffer is installed. Yet, in this case, the volume of data is going to be excessive for further analysis, and the log files will quickly swell to completely indecent sizes.

Optionally, you can configure the app to only pick up traffic from certain protocols (POP3, HTTP, IMAP, Telnet, FTP) or only scan the first 100 bytes of each packet, which usually contain the most data. most significant: target host address, usernames and passwords. Modern sniffers can also listen to encrypted traffic.

Traffic analyzers have multiple uses as they can help diagnose a network, identify and troubleshoot problems, detect malware, or find out what users are doing and the websites they visit. But it is the search for the security of a network perimeter or a pentest that makes a sniffer an indispensable tool for reconnaissance and data collection.

Many sniffers have been created for various operating systems. Additionally, such software can be installed on a router and examine all traffic passing through it. Today I will talk about popular traffic analyzers for Microsoft Windows platform.

SEE ALSO: Kubernetes Cost Management: Notable Challenges and Tools

Wireshark

Everyone who has faced the traffic analysis task at least once seems to be familiar with this tool. Wireshark’s popularity is completely understandable. Firstly, this product is free, and its functionality is quite sufficient to solve the most pressing problems related to the interception and analysis of data transmitted over the network. The product enjoys well-deserved popularity among virus analysts, reverse engineers, system administrators and, of course, penetration testers.

This analyzer has a multilingual interface and can work with a large number of network protocols. It makes no sense to list them all here: a full list can be found at the manufacturer’s website. In Wireshark, you can parse each intercepted packet into multiple parts, view its headers and content. The application has a convenient routine for navigating through packages, including various algorithms for searching and filtering them, and has a powerful statistics collection engine. Recorded data can be exported in various formats. Additionally, there is an option to automate the Wireshark operation using Lua scripts and connect additional (even in-house developed) modules for traffic scanning and analysis.

In addition to Ethernet, the sniffer can intercept traffic from wireless networks (802.11 standards and Bluetooth protocol). This allows you to analyze IP telephony traffic and render TCP streams. Tunnel traffic analysis is also possible. Wireshark does a great job of decoding protocols, but understanding the results of that decoding, of course, requires a good understanding of their structure.

Wireshark is not flawless: it does not treat retrieved streams as a single memory buffer, which makes further processing difficult. When analyzing tunneled traffic, several analysis modules are used at once, and each subsequent one replaces the result of the previous one. This makes traffic analysis unavailable in multi-level tunnels.

In summary, in addition to being popular, Wireshark is a high quality product that allows you to track the content of packets roaming the network, their transmission speed and find exposed areas in the network infrastructure. However, unlike professional suites, this application does not have any handy viewing tools. Moreover, Wireshark is not so easy to use, for example, in terms of retrieving usernames and passwords from traffic, while this is one of the typical penetration testing tasks.

InterceptNG

It is also a very old and gray-haired tool; the first references date back to 2011. Since then, InterceptNG project, unlike many of its competitors, did not just survive. It came with a range of improvements and new features. The latest updated version of the sniffer is from 2020. There is an .APK version of the program for Android and even a console version of this tool for Unix.

Intercepter-NG uses the NPcap utility, the portable version of which, according to the developers’ assurances, is integrated into the product. However, it does not work on Windows 10. To run the sniffer, I had to download NPcap and install it manually.

Intercept-NG has a nice user interface and allows you to view traffic in multiple modes. There is a normal view of packets and their contents, allowing packet filtering by pcap or providing the Follow TCP Flow function to analyze a session in detail.

There is also a Messengers mode, where the tool attempts to intercept messenger traffic, mostly old school products like Yahoo, MSN, and AIM, but Jabber protocol is supported. With Telegram, the trick failed because the sniffer simply does not see it.

Passwords mode is available. It displays usernames and passwords retrieved from traffic that is transmitted via HTTP, FTP, SMTP, IMAP, POP3, LDAP, Telnet, etc.

Resurrection mode allows you to recover files transferred via FTP, HTTP, SMB, POP3, IMAP, and SMTP, and only files from terminated TCP sessions are successfully restored.

Intercept-NG contains a very useful tool. It is a simple DHCP server, NAT service which allows ICMP/UDP/TCP packets to be distributed between different segments of the Ethernet network. There are several network scanners: DHCP, ARP, smart gateway search is implemented.

Another useful tool is the MiTM attack launcher module. Supported methods include spoofing (with support for NBNS, DNS, LLMNR protocols), DNS over ICMP forwarding, ICMP forwarding, SSLStrip, SSL MiTM, and a few others.

With the help of the program, you can scan a specified range of ports for applications running on it, scan the protocols associated with these ports. You can switch the sniffer to extreme mode, in which it will intercept all TCP packets without checking ports. This allows you to detect applications on the network running on non-standard ports that are overridden by the administrator. The problem with this mode is that the app ruthlessly slows down and freezes periodically.

The current version of Intercepter-NG has a built-in tool to exploit the Heartbleed vulnerability, which is an OpenSSL error that allows you to unauthorized read memory on the server or on the client, including to extract the key private from the server. The package also includes a brute force tool and an X-Scan multithreaded vulnerability scanner.

Thus, starting from a simple network analysis application, Intercepter-NG gradually becomes a kind of harvester that allows you to analyze the network in search of open ports and unpatched vulnerabilities, intercept identifiers and passwords and get rough items.

Cons of Intercepter-NG include that the program is recognized as malicious by Windows Defender, Kaspersky Antivirus, and some other security vendors. It may be blocked at the download stage from the manufacturer’s website. To work with the sniffer, you’ll have to disable antiviruses, but it’s a rather small price to pay to be able to use such a versatile tool.

SmartSniff

SmartSniff is a simple sniffer that works with UDP, TCP and ICMP protocols. It takes WinPcap and Microsoft Network Monitor Driver Version 3 be installed.

The project was originally developed on Windows 2000 / XP, but it is still alive today. The latest version of the sniffer dates from 2018. The utility makes it possible to intercept traffic passing through the local machine and to view the contents of the packets; to be honest, he can’t do anything else.

Tcpdump

Tcpdump is written in C. This utility was originally developed for Unix but was later ported to Windows, which uses WinPcap. It requires administrative privileges to work properly. WinDump is a more popular open source version of Tcpdump among Windows users.

SEE ALSO: “70% of organizations recognize the importance of secure coding training”

Burp Suite

Burp Suite is another popular tool among pentesters designed to test the security of web applications. Burp is part of Kali Linux, a version for Windows with a 64-bit architecture is available. There is a good reason to call this application the Swiss army knife of the pentester as it has no rival when it comes to vulnerability scanning and web application security auditing.

Burp Suite features include sending modified requests to remote sites, brute forcing, fuzzing, searching for files on the server, and more.

In fact, as a sniffer, Burp is not universal at all because it only knows how to monitor traffic between the browser and a remote web application using an intercept proxy. To work with the HTTPS protocol, you need to install an additional certificate. But for some purposes, it may be enough.

Burp intercepts all the packets that the browser sends and receives and, therefore, allows you to analyze the traffic of various web applications, including online messengers or social networks. If the infrastructure to be investigated by the pentester contains services that run over HTTP or HTTPS, there is probably no better tool to test them. But using Burp purely as an HTTP/HTTPS traffic sniffer is like hauling tomatoes from a summer cottage in a Rolls Royce: it’s designed for completely different tasks.

Conclusion

Sniffers have many differences, and each one is best suited for its specific purposes. There’s nothing better than Burp Suite for finding web applications and intercepting local HTTP traffic. Wireshark is great for finding problem areas on your local network or for getting a list of remote hosts a program has access to. And for attacks on network infrastructure, you can use Intercepter-NG as it has a whole set of useful tools for penetration testing.

Charles J. Kaplan