Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
interface | Specify interface to perform PCAP on. | String | ens33 |
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
echo "Install tcpdump and/or tshark for the test to run."; exit 1;
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
interface | Specify interface to perform PCAP on. | String | en0A |
sudo tcpdump -c 5 -nnni #{interface}
if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
echo "Install tcpdump and/or tshark for the test to run."; exit 1;
Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed.
Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
interface | Specify interface to perform PCAP on. | String | Ethernet |
wireshark_url | wireshark installer download URL | url | https://1.eu.dl.wireshark.org/win64/Wireshark-win64-3.4.5.exe |
tshark_path | path to tshark.exe | path | c:\program files\wireshark\tshark.exe |
npcap_url | npcap installed download URL | url | https://nmap.org/npcap/dist/npcap-1.31.exe |
npcap_path | path to npcap.sys | path | C:\Program Files\Npcap\npcap.sys |
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
if (test-path "#{tshark_path}") {exit 0} else {exit 1}
Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
Start-Process $env:temp\wireshark_installer.exe /S
if (test-path "#{npcap_path}") {exit 0} else {exit 1}
Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
Start-Process $env:temp\npcap_installer.exe
Uses the built-in Windows packet capture After execution you should find a file named trace.etl and trace.cab in the temp directory
Supported Platforms: Windows
netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
netsh trace stop
TIMEOUT /T 50
del %temp%\trace.etl
del %temp%\trace.cab