Page 1 of 1
Remote Packet Sniffing Over Internet Protocol
#1
Posted 11 January 2010 - 01:03 AM
Hi there!
I'm currently working on a school final computers summative assignment, and I need to find a way to sniff packets remotely over the internet. I know there are well-known methods out there to do this, but you have to set something up on the remote computer. I have worked for a long time on this, using the tool Wireshark, and the windows service rpcapd.exe (Remote Packet Capture Protocol v.0 (experimental)), and the project will have to be presented next week, but I'm still having a lot of trouble! The problem I've come to is establishing a connection to the remote computer. I was wondering if anybody had any ideas I could use to do this.
Thanks!
The Phoenix
#2
Posted 17 January 2010 - 04:56 PM
The Phoenix, on 11 January 2010 - 01:03 AM, said:
Hi there!
I'm currently working on a school final computers summative assignment, and I need to find a way to sniff packets remotely over the internet. I know there are well-known methods out there to do this, but you have to set something up on the remote computer. I have worked for a long time on this, using the tool Wireshark, and the windows service rpcapd.exe (Remote Packet Capture Protocol v.0 (experimental)), and the project will have to be presented next week, but I'm still having a lot of trouble! The problem I've come to is establishing a connection to the remote computer. I was wondering if anybody had any ideas I could use to do this.
Thanks!
The Phoenix
Which is it you are trying to do, sniff packets or connect remotely?
To connect remotely will require adjusting firewall settings on the remote host to allow incoming connections. Instructions for doing this will vary depending on the operating system/s used in the lab. If you are trying to connect from the internet then you will also need to configure some type of port forwarding on the router that the remote host is connected to.
As far as sniffing remote packets is concerned I've never heard of being able to do that. You could however (at least I would assume, I'm not speaking from personal knowledge here) set up a remote server to act as sort of a MiTM and capture/re-forward packets to a local attack platform. That would be pretty much the same as sniffing packets.
Understand though that the term "sniffing" applies to the act of placing one's NIC into what I believe is called promiscuous mode, which basically tells it to accept ANY packets traveling across the network, regardless of their destination. That being said, I believe the technology is primarily used on a LAN.
Could be wrong though, we'll see what others say.
#4
Posted 18 January 2010 - 07:56 AM
Well, I used to ask this question and people would give me the same response that this was not possible to sniff a remote node/router, short of launching an exploit on said router. However that is not totally true. If you navigate here: http://www.criticals...et/misc/videos/ you will find a long list of videos to download. Go to the one entitled "Sniffing Remote Router Traffic via GRE Tunnels". This was put together before Backtrack, but all the tools they use are on Backtrack or can be downloaded to any Linux distro.
#5
Posted 18 January 2010 - 09:37 AM
Israel, the point is that you can't simply sniff remote traffic because the general problem is that this remote traffic will usually not reach your NIC, so no sniffing. You have to somehow make that traffic get to you, or go to where the traffic is. So it's either a routing question, a question of how to mirror the traffic and stream that mirror to your NIC, or a question of how to get access to a remote machine that can access the traffic and sniff on that machine.
In the video you linked to, they solved that question by tunneling all the traffic to another router under their control, but then the traffic can't really be considered remote anymore.
Quote
short of launching an exploit on said router
That's exactly what they show in the video. They exploit the poorly configured SNMP setup to update the victim's router's config. So the response you got is still valid, it's not possible unless you exploit some kind of vulnerability that helps you solve one of the problems I mentioned above.
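The three options in post #5 all end the same way: a pcap stream has to reach the analyst's machine. The third option (get onto a host that already sees the traffic, capture there, stream the capture back) is what rpcapd does, and with standard tools it is simply `ssh capture-host tcpdump -U -w - 'not port 22' | wireshark -k -i -`. The Python below is an added example from the editor, not code from the thread or from any of the tools named in it; it is the receiving end of such a stream: an incremental pcap reader that copes with records arriving split across socket reads, a minimal Ethernet/IPv4 decoder that also unwraps the GRE mirror traffic post #4 describes (IP protocol 47, IPv4 inside), and the check that practitioners forget the first time, dropping the frames of your own capture session so the stream does not capture itself. The hosts, ports, MAC addresses and frames are constructed test data; nothing is sent on the wire.

```python
import struct

# Added example (not from the thread). Constructed frames below use
# documentation/private addresses; checksums are left zero and not verified.
PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16


class PcapStream:
    """Incremental pcap reader: feed() byte chunks of any size as they arrive
    from a socket or pipe; only complete records are returned."""

    def __init__(self):
        self.buf, self.order, self.linktype = b"", None, None

    def feed(self, chunk):
        self.buf += chunk
        records = []
        if self.order is None:
            if len(self.buf) < GLOBAL_HDR_LEN:
                return records
            magic = struct.unpack("<I", self.buf[:4])[0]
            if magic == PCAP_MAGIC:
                self.order = "<"
            elif magic == 0xD4C3B2A1:            # same magic, big-endian writer
                self.order = ">"
            else:
                raise ValueError("not a pcap stream (bad magic)")
            self.linktype = struct.unpack(self.order + "I", self.buf[20:24])[0]
            self.buf = self.buf[GLOBAL_HDR_LEN:]
        while len(self.buf) >= RECORD_HDR_LEN:
            ts_sec, ts_usec, incl_len, _orig = struct.unpack(
                self.order + "IIII", self.buf[:RECORD_HDR_LEN])
            end = RECORD_HDR_LEN + incl_len
            if len(self.buf) < end:
                break                            # partial record: wait for more
            records.append((ts_sec + ts_usec / 1e6, self.buf[RECORD_HDR_LEN:end]))
            self.buf = self.buf[end:]
        return records


def decode(frame):
    """Ethernet/IPv4 frame -> list of (src, dst, proto, sport, dport), outermost
    first. A GRE tunnel (proto 47) carrying IPv4 adds the inner packet as a
    second layer, which is how a router mirror arrives at the analyst."""
    layers = []
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return layers
    pkt = frame[14:]
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        payload = pkt[ihl:]
        sport = dport = None
        if proto in (6, 17) and len(payload) >= 4:   # TCP / UDP ports
            sport, dport = struct.unpack("!HH", payload[:4])
        layers.append((src, dst, proto, sport, dport))
        if proto != 47 or len(payload) < 4:
            break
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype != 0x0800:                          # only IPv4-in-GRE is unwrapped
            break
        # optional GRE fields: checksum/reserved (C), key (K), sequence (S)
        hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        pkt = payload[hdr:]
    return layers


def drop_own_session(records, transport_port):
    """Drop frames whose OUTER transport is our own capture session: otherwise
    the stream carrying the capture is captured too and feeds on itself.
    Tunnelled (inner) traffic on the same port is kept."""
    return [(ts, f) for ts, f in records
            if not (decode(f) and transport_port in decode(f)[0][3:5])]


# ---- constructed sample input -------------------------------------------------
def _ip(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def _tcp(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + data

def _eth(ip):
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

SAMPLE_FRAMES = [
    # 1: our own ssh session between capture host 10.0.0.5 and analyst 198.51.100.7
    _eth(_ip("10.0.0.5", "198.51.100.7", 6, _tcp(22, 51000, b"\x00" * 32))),
    # 2: the LAN traffic we actually came for
    _eth(_ip("10.0.0.9", "10.0.0.80", 6, _tcp(43210, 80, b"GET / HTTP/1.0\r\n"))),
    # 3: a router mirroring a flow to us through GRE (flags 0, protocol type IPv4)
    _eth(_ip("192.0.2.1", "10.0.0.5", 47,
             b"\x00\x00\x08\x00" + _ip("172.16.0.2", "172.16.0.3", 6, _tcp(22, 40000)))),
]

def sample_pcap():
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(SAMPLE_FRAMES):
        out += struct.pack("<IIII", 1263168000 + i, 0, len(f), len(f)) + f
    return out

def read_stream(blob, chunk_size):
    """Push the blob through PcapStream in chunk_size pieces, as a socket would."""
    stream, records = PcapStream(), []
    for i in range(0, len(blob), chunk_size):
        records.extend(stream.feed(blob[i:i + chunk_size]))
    return records

def demo(chunk_size=7):
    return [decode(f) for _, f in drop_own_session(read_stream(sample_pcap(), chunk_size), 22)]

if __name__ == "__main__":
    for layers in demo():
        print(" | ".join(f"{s}:{sp} > {d}:{dp} proto {p}" for s, d, p, sp, dp in layers))
```

Running it prints two lines: the HTTP flow, and the GRE-mirrored flow shown as its outer 192.0.2.1 > 10.0.0.5 proto 47 layer followed by the inner 172.16.0.2:22 > 172.16.0.3:40000 flow; the capture host's own ssh frames never appear. The same reader works on the output of `tcpdump -U -w -` (the `-U` matters: without it tcpdump buffers the pcap and the live view stalls), and the port passed to `drop_own_session` is whatever your transport uses, 22 for ssh or 2002 for rpcapd's default listener.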
#6
Posted 18 January 2010 - 05:06 PM
Quote
So it's either a routing question, a question of how to mirror the traffic and stream that mirror to your NIC, or a question of how to get access to a remote machine that can access the traffic and sniff on that machine.
Nicely put, but nobody else said that.
Quote
That's exactly what they show in the video.
Ok, correct me if I'm wrong but using programs like 161 and copy-router-config are not the same as launching an exploit. Brute Force is not an exploit. Neither is changing the configuration of your router. Nothing in that video suggested to me they were using a buffer overflow, heap overflow, or real exploit.
This post has been edited by Israel: 18 January 2010 - 05:07 PM
#7
Posted 18 January 2010 - 05:20 PM
Israel, on 18 January 2010 - 05:06 PM, said:
Nicely put, but nobody else said that.
Tbh, I couldn't care less if anybody else said it or not. If you think about it, this is what it comes down to :) Simply starting your sniffer of choice won't cut it, you need to get to the traffic or get the traffic to you.
Israel, on 18 January 2010 - 05:06 PM, said:
Ok, correct me if I'm wrong but using programs like 161 and copy-router-config ar not the same as launching an exploit. Brute Force is not an exploit. Neither is changing the configuration of your router. Nothing in that video suggested to me they were using a buffer overflow, heap overflow, or real exploit.
What is a real exploit? If you limit the term to buffer overflows, fine, then they didn't use an exploit. In my book, using configuration mistakes to achieve something the original owner did not want/intend is exploiting a vulnerability. And changing the config of YOUR router certainly is not an exploit, but using the misconfiguration to configure THEIR router (as they do in the video) is most likely not what the presumed owner had in mind.