Here comes the next episode of our Hacking Summer Camp! Do you still remember How to Steal Kerberos Tickets? Now we have prepared another bunch of hacking tips.

Have you ever wondered what is causing THAT traffic on your network interface card? Network administrators tend to perform network traffic monitoring by capturing the network data and analyzing the packets being sent from one server to another.

In this episode, we will discuss how to capture and analyze network traffic using the Wireshark, etl2pcapng, netsh, and logman tools.

First of all, to start the monitoring we need the appropriate tools; this episode will rely on Wireshark, which can be downloaded here.

We will use the technique of passive sniffing; it allows us to scan the network traffic without interfering with the network.

Let's begin! Go to your toolkit and open Wireshark with administrative privileges.
From the list, select the network interface that you want to use for monitoring:

Once you double-click on the interface you chose, the capture will start immediately.

Wait for around 1 minute; feel free to visit a website to generate some traffic.

To stop the capture, click on the red square in the top left corner next to the shark fin.

Wireshark is giving us a lot of information here.

First, we have the "Packet List" pane, which is the colorful part of the window you see above. It displays a summary of each captured packet. By selecting a packet in this pane, we see more detailed information displayed in the other two panes. In this case, we selected packet number one.

Next up is the "Packet Details" pane, which shows the more detailed information about the currently selected packet. The fields which are enclosed in square brackets "[ ]" are not present in the captured data; this is additional protocol information generated by Wireshark itself.

And the final pane is the "Packet Bytes" pane, which shows the data of the selected packet in hexdump format.

To filter packets by a specific protocol, just type the protocol name into the filter bar above the Packet List pane.

To get more details about the connections made, open cmd.exe and type netstat -anb | more.

Find the destination port / destination IP address in the result, review the traffic, and try to find the processes that are responsible for certain communication types.

Windows comes out of the box with a command-line utility called "netsh". A capture can be collected using these commands in cmd:

netsh trace start capture=yes report=disabled

Make sure you generate some traffic during collection.

The resulting .etl file could be opened by tools like Microsoft Message Analyzer, but not by Wireshark. Microsoft Message Analyzer is a tool that is now retired; luckily for us, etl2pcapng exists. As you can probably guess from its name, it converts the etl format to pcapng, which can be opened by Wireshark. You can get prebuilt binaries of etl2pcapng here:

To use this tool, simply navigate to where it was downloaded, and if you moved the file generated by the previous command to the same location, you can simply convert it as seen above.

Once that is done, the last thing to do is to open the pcapng file in Wireshark. This can be achieved by choosing File -> Open from the Wireshark toolbar.

One thing to notice is that packets now carry the PID of the process that was current when the packet was logged, visible in the packet comments. Keep in mind that the PID shown might not be the actual PID of the process which sent or received the packet, the reason being that the packet capture provider often runs in a DPC (which often runs in an arbitrary process context).

An interesting situation happens when the process responsible for the communication is named System. What should we do then to find out who is responsible for this type of communication? ETW! Let's use Event Tracing for Windows (ETW) to trace the HTTPS communication.

Now we will perform the Winsock tracing to get more information about the communication. Open cmd.exe with administrative privileges. The following command starts the Winsock Catalog Change trace; type it in cmd.exe:

cd c:\HackingSeries (or some other folder rather than c:\windows\system32…)
logman start -ets HackingSeriesSession -o hss.etl -p Microsoft-Windows-Winsock-AFD

Now we should wait for the intended communication to happen; in our case, we can wait for around 60 seconds. The log will be created in the folder that you were in when starting logman.
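As an added example that is not part of the original post, here is the "find the process behind that destination address" step from the Wireshark section scripted in PowerShell. It uses the NetTCPIP cmdlet Get-NetTCPConnection, whose OwningProcess field carries the same PID that netstat -anb prints, and resolves it to a process name with Get-Process. The function names are my own and the 203.0.113.10 address in the usage line is a constructed placeholder for whatever destination IP you picked out of the Packet List.

```powershell
# Added example, not code from the original post: map a remote endpoint seen in the
# Wireshark Packet List to the local process that owns the socket. Get-NetTCPConnection
# exposes the owning PID (the same data "netstat -anb" prints). Run it in an elevated
# PowerShell window so every process can be resolved by name.

function Resolve-ProcessForPid {
    param([int] $ProcessId)
    # Get-Process fails for a process that exited between the socket query and now.
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($null -eq $proc) { return '<exited>' }
    # PID 4 is the System process: the socket is owned by a kernel-mode component,
    # which is exactly the case the logman/ETW trace later in the post is meant to untangle.
    return $proc.ProcessName
}

function Get-EndpointOwner {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,  # destination IP from Wireshark
        [int] $RemotePort = 0                            # destination port, 0 = any port
    )
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
    if ($RemotePort -ne 0) {
        $conns = $conns | Where-Object { $_.RemotePort -eq $RemotePort }
    }
    foreach ($c in $conns) {
        [pscustomobject]@{
            Local   = '{0}:{1}' -f $c.LocalAddress, $c.LocalPort
            Remote  = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State   = $c.State
            PID     = $c.OwningProcess
            Process = Resolve-ProcessForPid -ProcessId $c.OwningProcess
        }
    }
}

function Get-ConnectionOwnerTable {
    # Snapshot of every established TCP connection with its owner, to compare against
    # the destination addresses you picked out of the capture.
    Get-NetTCPConnection -State Established | ForEach-Object {
        [pscustomobject]@{
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $_.OwningProcess
            Process = Resolve-ProcessForPid -ProcessId $_.OwningProcess
        }
    } | Sort-Object Remote
}

# Usage: 203.0.113.10 is a constructed documentation address; replace it with the
# destination IP you found in Wireshark.
Get-EndpointOwner -RemoteAddress '203.0.113.10' -RemotePort 443 | Format-Table -AutoSize
Get-ConnectionOwnerTable | Format-Table -AutoSize
```

Take the snapshot while the capture is still running: the owning PID is only known for sockets that are open at the moment of the query, so a short-lived connection that already closed shows up in Wireshark but not in this table.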
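The netsh capture, the etl2pcapng conversion and the logman Winsock-AFD trace from the post chained together as one PowerShell script, added here as an example rather than taken from the post. It assumes an elevated shell, that the working folder is C:\HackingSeries (the folder the post uses) and that etl2pcapng.exe was downloaded into it; the capture.etl file name, the function names and the 60-second windows are my own choices. Reading the resulting .etl with Get-WinEvent is also an addition: the post opens the log by hand.

```powershell
# Added example, not code from the original post: capture with netsh, convert with
# etl2pcapng, then run the logman AFD session and list which PIDs show up in it.
# Assumptions: elevated PowerShell, C:\HackingSeries exists, etl2pcapng.exe is in it.

$WorkDir   = 'C:\HackingSeries'
$Converter = Join-Path $WorkDir 'etl2pcapng.exe'

function Invoke-NetshCapture {
    param([string] $OutFile = (Join-Path $WorkDir 'capture.etl'), [int] $Seconds = 60)
    # tracefile= pins the .etl to our folder instead of the default %LOCALAPPDATA%\Temp\NetTraces
    & netsh.exe trace start capture=yes report=disabled "tracefile=$OutFile" | Out-Null
    Start-Sleep -Seconds $Seconds          # generate some traffic during this window
    & netsh.exe trace stop | Out-Null      # stopping the trace finalises the .etl file
    return $OutFile
}

function Convert-EtlToPcapng {
    param([Parameter(Mandatory)] [string] $EtlFile)
    $pcapng = [System.IO.Path]::ChangeExtension($EtlFile, '.pcapng')
    & $Converter $EtlFile $pcapng | Out-Null   # etl2pcapng <in.etl> <out.pcapng>
    return $pcapng                             # open this in Wireshark via File -> Open
}

function Invoke-AfdTrace {
    param([string] $OutFile = (Join-Path $WorkDir 'hss.etl'),
          [string] $Session = 'HackingSeriesSession',
          [int]    $Seconds = 60)
    # The same session the post starts by hand; -ets creates and starts it in one step.
    & logman.exe start -ets $Session -o $OutFile -p Microsoft-Windows-Winsock-AFD | Out-Null
    Start-Sleep -Seconds $Seconds          # wait for the communication of interest
    & logman.exe stop -ets $Session | Out-Null
    return $OutFile
}

function Get-AfdTraceProcesses {
    param([Parameter(Mandatory)] [string] $EtlFile)
    # Get-WinEvent reads .etl files directly (-Oldest is mandatory for .etl input).
    # ProcessId is the process in whose context AFD logged the event, which for socket
    # calls is normally the application making them, unlike the DPC-context PID in the
    # netsh capture comments.
    Get-WinEvent -Path $EtlFile -Oldest -ErrorAction SilentlyContinue |
        Group-Object -Property ProcessId |
        ForEach-Object {
            $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $name = if ($null -ne $p) { $p.ProcessName } else { '<exited>' }
            [pscustomobject]@{ PID = [int]$_.Name; Events = $_.Count; Process = $name }
        } | Sort-Object -Property Events -Descending
}

# Usage: run the whole pipeline from the working folder, then inspect both outputs.
Set-Location $WorkDir
$pcapng = Convert-EtlToPcapng -EtlFile (Invoke-NetshCapture)
Write-Host "Wireshark-readable capture: $pcapng"
Get-AfdTraceProcesses -EtlFile (Invoke-AfdTrace) | Format-Table -AutoSize
```

Event payloads in the AFD trace need the provider's manifest to be decoded, so on a machine without it Get-WinEvent still returns the PID, event id and timestamp per event but may leave the message text empty; the PID column is what answers the "who is talking?" question, and resolving it immediately after the trace matters because a process that has already exited can no longer be named.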