Penetration Testing mailing list archives
Re: Passive PenTesting
From: Robin <robin () rbsec net>
Date: Fri, 03 Dec 2010 23:56:37 +0000
Mak,

If the requests for the websites went through the machine that was capturing, they should appear in the hosts list in Network Miner. If you're only getting part of them, you might need to open the pcap file in Wireshark, and look by hand. Filtering traffic to/from tcp 80 should give you most of the sites.

Telling if there's a firewall is very difficult from a cap file. You can look for evidence of connections being dropped, but that's about it.

As for software - again, you're going to have to look for connections that could lead to software. If they've got an outbound connection to tcp 6667, they're probably running an IRC client. Not much you can do other than that, unless you can grab banners.

A cap file is very limited for what you're trying to do; the information you want can only really be gained through active testing. At the end of the day, you can only get as much information as your cap contains, and it's unlikely to contain what you're looking for.

~Robin
Robin,

thanks for the information. I have another question; maybe you will be able to answer that. How can I pull out information like which sites the user visited, if a firewall is installed on that machine, what software is installed etc. I would appreciate it if you can guide me on that.

Best,
MAK

On Fri, Dec 3, 2010 at 3:41 PM, Robin <robin () rbsec net> wrote:

Mak,

Network Miner is a Windows tool that can pull a lot of information from pcap files. It gives you a list of hosts, known information about them (open ports, OS, etc), and also extracts files and text from the capture.

http://networkminer.sourceforge.net/

~Robin

Hi All,

I was wondering if there is any free tool available to do penetration testing/banner grabbing from the packet capture file.

Thanks
MAK

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
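The three passive checks described in the reply above (sites via tcp 80, outbound ports that hint at client software, connection attempts that were never answered), as an added example that is not part of the original thread. It assumes a classic (non-pcapng) Ethernet/IPv4 capture; the function name summarize_pcap and the PORT_HINTS table are illustrative.

```python
import re
import struct
from socket import inet_ntoa

# Port-to-software hints (illustrative); 6667 -> IRC is the case named above.
PORT_HINTS = {80: "HTTP client (browser)", 6667: "IRC client"}

def summarize_pcap(data: bytes) -> dict:
    """Passively summarize a classic Ethernet/IPv4 pcap given as bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic microsecond pcap file")
    hosts, hints, pending = set(), {}, set()
    off = 24                  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only Ethernet II frames carrying IPv4 + TCP.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if flags & 0x12 == 0x02:      # SYN without ACK: connection attempt
            pending.add((src, sport, dst, dport))
            if dport in PORT_HINTS:
                hints[(src, dst, dport)] = PORT_HINTS[dport]
        elif flags & 0x12 == 0x12:    # SYN+ACK: the attempt was answered
            pending.discard((dst, dport, src, sport))
        if dport == 80:               # sites visited: HTTP Host header
            m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.I)
            if m:
                hosts.add(m.group(1).decode("latin-1").strip())
    return {"http_hosts": hosts, "software_hints": hints,
            "unanswered_syns": pending}
```

Call it as summarize_pcap(open(path, "rb").read()). An entry in unanswered_syns is only evidence of a dropped or unanswered connection, which is as far as a capture file can go on the firewall question.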