©2011-BR

CEH - S N I F F I N G

Configuration:

Your machine is HACKER, running Windows XP Professional.

The IP address of your machine is 192.168.100.66/24.
Your target machine is :

1. WIN2000, running Windows 2000

The IP address of WIN2000 is 192.168.100.2/24.

2. WIN2003, running Windows 2003

The IP address of WIN2000 is 192.168.100.1/24.

Objectives:

1. Poison your LAN using ARP Poisoning

2. Sniff the the victim traffic
3. Capture FTP password

Tools:

Cain & Abel

Preparation:

Ensure that all virtual machines are connected.

Logon to HACKER virtual machine and try to test connectivity between these
three machines by using standard ping command.

1
 ©2011-BR

Detailed Steps:

1. In WIN2000, open command prompt , then type this :

C:\>arp –d

then

C:\>arp –a

You will see the result similar to this :

Just ignore the value of VM-NAT interface. As you can see that there’s no ARP entry
for subnet 192.168.100.x/255

2. Do that in WIN2003 machine as well

2
 ©2011-BR

3. From WIN2000 check the MAC of Virtual LAN interface.

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : WIN2000

Ethernet adapter Virtual LAN:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : VMware Accelerated
AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-62-C0-70

DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Then ping the ip address of WIN2003 machine :

C:\>ping 192.168.100.1

Then check the arp table list on both machines, and note it.

C:\> arp –a

4. Do the same things at WIN2003 machine.

3
 ©2011-BR

5. From your HACKER machine, check the physical address too and write it down.

6. In HACKER machine, run Cain & Abel : go to Start - Program - Cain - Cain
Then click on ‘Configure’, to configure the interface that we want to use, which has the ip
address of 192.168.100.66.

4
 ©2011-BR

7. Activate the sniffer button (the green/second button from the left on the top panel), then
go to sniffer tab (on the top tab panel ), then press the big blue PLUS (+) sign , then start
scanning your network (just clik OK)

You will the the scanning result :

5
 ©2011-BR

8. After that, still on the sniffer tab :

- click on the APR tab on the bottom panel

- on APR menu tree, click ‘APR’

- on the right top column, just clik on any column

- click the big blue PLUS sign (+)

- you will go to the “New ARP Poison Routing” window,

- then on the left panel, click the ip address of WIN2003 server (192.168.100.1)

- on the right panel, click the ip address of WIN2000 server (192.168.100.2).

- Then click OK.

6
 ©2011-BR

9. Start poisoning, by clicking on the yellow APR button (like a radioactive/nuclear

button) on the top panel.

7
 ©2011-BR

10. Go to your WIN2000 machine, then from the command prompt, try to FTP to
WIN2003 machines, using username : administrator, password : password.

C:\> ftp 192.168.100.1

11. In Cain Abel, click on the bottom Passwords tab , then clik on ‘FTP’ tree

8
 ©2011-BR

12. Try to set WIN2003 virtual network card to connect to the internet. (use NAT &
DHCP mode), poison the arp between VMWARE gateway and WIN2003 machine.
then open friendster, and try to login  . See the result !!