Re: [PEN-TEST] Deploying a Win32 Sniffer

[Ryan Permeh <ryan () EEYE COM>]

the new winpcap drivers are dynaload. and so are the pcausa ndis drivers.
You probably still need to do a reboot on nt 4, but on win2k, you shouldn't
have to.  We make Iris that is released, and captures packets using a
dynaload driver, but is  graphical in nature.  It could, however, generate
trace files that could be grabbed and processed off the target host.
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "The Picard" <thepicard () HOME COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, November 29, 2000 7:34 PM
Subject: Re: Deploying a Win32 Sniffer


> Also, the people from NT Objectives have a dynamically-loading version of
> windump, dubbed 2.03, which doesn't require a reboot. However, it's not
> stable and I've found that it messes up the network communication and/or
> freezing the machine after several uses.
>
> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> Of MadHat
> Sent: None
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: Deploying a Win32 Sniffer
>
>
> At 04:36 PM 11/28/2000 -0500, you wrote:
> > I have heard several people say that once you compromise a minor target
> > you might want to install a packet sniffer to pickup IDs and passwords on
> > the wire.
> >
> > The sniffers I have used (for example, DSniff for Win32) require a packet
> > driver to be installed on the system and it be rebooted. Is there some
way
> > to sniff IDs/Passwords without that type of packet driver?
>
>
> buttsniffer (http://packetstorm.securify.com/sniffers/buttsniffer)  is the
> only one I know of that is out.  And can cause problems like crashing the
> machine.  I have only played with it a little, so YMMV...
>
> Foundstone says they have one called fsniff that will work, but they
> haven't released it as of yet...
>
>
>
> MadHat at unspecific.com