Pentest Insights: Choosing a Tool for Traffic Analysis and Interception
Traffic analysis is a very important stage of penetration testing. In packets transmitted over the network, you can find many interesting things, for example, passwords for accessing various resources and other valuable data. To intercept and analyze traffic, sniffers are used, which humanity has invented a great many. Today I will talk about several popular sniffers for Windows.
To intercept traffic, analyzers can use packet forwarding or apply the so-called Promiscuous mode of the network adapter that disables filtering to accept all packets regardless of who they are addressed to. Normally, the Ethernet interface filters packets at the link layer. With this filtering, the network card only accepts broadcast requests and packets whose MAC address matches its address. The Promiscuous mode retains all other packets so that the sniffer can intercept data.
Theoretically, it is possible to collect all packets in the local network segment where the sniffer is installed. Still, in this case, the data volume is going to be excessive for further analysis, and the log files will quickly swell to completely indecent sizes.
As an option, you can configure the application so that it catches traffic of only certain protocols (POP3, HTTP, IMAP, Telnet, FTP) or analyzes only the first 100 bytes of each packet, which usually contains the most meaningful data: the target host address, logins, and passwords. Modern sniffers can also listen to encrypted traffic.
Traffic analyzers have multiple uses as they may help diagnose a network, identify and fix problems, detect malware, or find out what users are doing and what websites they visit. But it is the researching the security of a network perimeter or a pentest that makes a sniffer an indispensable tool for reconnaissance and data collection.
Plenty of sniffers were created for various operating systems. In addition, such software can be installed on a router and examine all traffic passing through it. Today I am going to talk about popular traffic analyzers for the Microsoft Windows platform.
Everyone who at least once faced the task of traffic analysis seems to be aware of this tool. The popularity of Wireshark is quite understandable. First, this product is free, and its features are quite enough to solve the most pressing issues related to intercepting and analyzing data transmitted over the network. The product enjoys well-deserved popularity among virus analysts, reverse engineers, system administrators, and, of course, penetration testers.
This analyzer has a multilingual interface and can work with a large number of network protocols. It makes no sense to list them all here: a complete list can be found on the manufacturer’s website. In Wireshark, you can parse each intercepted packet into parts, view its headers and contents. The application has a convenient routine for navigating through packages, including various algorithms for searching and filtering them, and has a powerful engine for collecting statistics. The saved data can be exported in different formats. In addition, there is an option to automate the Wireshark operation using Lua scripts and connect additional (even developed in-house) modules for traffic parsing and analyzing.
Besides Ethernet, the sniffer can intercept traffic from wireless networks (802.11 standards and Bluetooth protocol). This allows you to analyze IP telephony traffic and restore TCP flows. Tunneled traffic analysis is also possible. Wireshark does an excellent job of decoding protocols, but to understand the results of this decoding, you must, of course, have a good understanding of their structure.
Wireshark is not flawless: it does not process recovered streams as a single memory buffer, making their subsequent processing difficult. When analyzing tunneled traffic, several parsing modules are used at once, and each subsequent one replaces the result of the previous one. This renders unavailable traffic analysis in multi-level tunnels.
To sum it up, apart from being popular, Wireshark is a high-quality product that allows you to track the contents of packets roaming around the network, their transmission speed, and find exposed areas in the network infrastructure. However, unlike business-grade suites, this app has no convenient visualization tools. In addition, Wireshark is not so easy to use, for example, in terms of retrieving logins and passwords from traffic, while this is one of the typical tasks in penetration testing.
This is also a very old and gray-haired tool; the first references date back to 2011. Since then, the IntercepterNG project, unlike many of its competitors, has not just survived. It came up with a range of refinements and new features. The last updated version of the sniffer is dated 2020. There is an .APK version of the program for Android and even a console version of this tool for Unix.
Intercepter-NG uses the NPcap utility, which portable version, according to the developers’ assurances, is embedded into the product. However, it does not work in Windows 10. To launch the sniffer, I had to download NPcap and install it manually.
Intercepter-NG has a nice user interface and allows you to view traffic in several modes. There is a normal view of packets and their contents, enabling packet filtering by pcap or providing the Follow TCP stream function to analyze a session in detail.
There is also a Messengers Mode, in which the tool tries to intercept the traffic of messengers, mostly the old-school products like Yahoo, MSN, and AIM, but Jabber protocol is supported. With Telegram, the trick has failed as the sniffer simply does not see it.
Passwords Mode is available. It shows the logins and passwords retrieved from the traffic which are transmitted via HTTP, FTP, SMTP, IMAP, POP3, LDAP, Telnet, etc.
Resurrection mode allows you to recover files transferred via FTP, HTTP, SMB, POP3, IMAP, and SMTP, and only files from completed TCP sessions are successfully restored.
Intercepter-NG contains a very useful tool. It is a simple DHCP server, NAT service that allows ICMP/ UDP/ TCP packets to be distributed between different Ethernet network segments. There are several network scanners: DHCP, ARP, smart gateway search is implemented.
Another useful tool is the module for launching MiTM attacks. Supported methods include Spoofing (with support for NBNS, DNS, LLMNR protocols), DNS over ICMP redirect, ICMP redirect, SSLStrip, SSL MiTM, and some others.
With the help of the program, you can scan a specified range of ports in search of applications running there, analyze the protocols associated with these ports. You can switch the sniffer to extreme mode, in which it will intercept all TCP packets without checking the ports. This allows you to detect applications on the network running on non-standard ports that are overridden by the administrator. The problem with this mode is that the application mercilessly slows down and periodically freezes tightly.
The current version of Intercepter-NG has a built-in tool for exploiting the Heartbleed vulnerability, which is an OpenSSL error that enables you to unauthorizedly read memory on the server or on the client, including to extract the server’s private key. The package also comprises a brute-force tool and a multi-threaded vulnerability scanner X-Scan.
So, from a simple network analysis application, Intercepter-NG is gradually becoming a kind of harvester that allows you to scan the network for open ports and unpatched vulnerabilities, intercept logins and passwords, and get stuff brute-forced.
The disadvantages of Intercepter-NG include that the program is recognized as malicious by Windows Defender, Kaspersky Antivirus, and some other security vendors. It may get blocked at the stage of downloading it from the manufacturer’s website. To work with the sniffer, you will have to disable antiviruses, but this is a rather modest price to pay for the ability to use such a versatile tool.
The project was originally developed under Windows 2000 / XP, but it is still alive today. The latest version of the sniffer is dated 2018. The utility allows you to intercept traffic passing through the local machine and view the contents of packets; to be honest, it cannot do anything else.
Tcpdump is written in C. This utility was originally developed for Unix but later ported to Windows, which uses WinPcap. It requires administrative privileges to function properly. WinDump is a more popular open-source version of Tcpdump among Windows users.
Burp Suite is another popular tool among pentesters designed for testing the security of web applications. Burp is part of Kali Linux, a version for Windows with 64-bit architecture is available. There is a good reason for labeling this app a Swiss knife of the pentester as it has no rivals in terms of searching for vulnerabilities and auditing the security of web applications.
Burp Suite features enable sending modified requests to remote sites, brute-force, fuzzing, searching for files on the server, and much more.
Actually, as a sniffer, Burp is not at all universal as it only knows how to monitor traffic between the browser and a remote web application using an intercepting proxy. To work with the HTTPS protocol, you need to install an additional certificate. But for certain purposes, this may be enough.
Burp intercepts all packets that the browser sends and receives and, accordingly, allows you to analyze the traffic of various web applications, including online messengers or social networks. If the infrastructure to be investigated by the pentester contains services that work via HTTP or HTTPS, there is probably no better tool for testing them. But using Burp only as a sniffer of HTTP/HTTPS traffic is like transporting tomatoes from a summer cottage with a Rolls Royce: it is designed for completely different tasks.
Sniffers feature a good deal of differences, and each of them is better suited for its specific purposes. There is nothing better than Burp Suite for researching web applications and intercepting local HTTP traffic. Wireshark is perfect for finding problem areas in your local network or getting a list of remote hosts accessed by a program. And for attacks on network infrastructure, you can use Intercepter-NG as it has a whole set of useful tools for penetration testing.
About The Author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.