For anyone interested in network security and pen testing stuff, Wireshark is the tool to get, as it reveals pretty much everything about a network, the hosts and active services present, traffic volumes, payloads and sometimes login details as well. I was hoping to demonstrate some of that here, using a (publicly available) .pcap file I acquired from somewhere.
My personal method is to start by constructing a picture of the network, which is time consuming but sets the scene for whatever analysis. There are three IP addresses worth looking at:
* 192.168.0.100 – Appears to be a virtual machine running on VMware, and providing a large number of services, including IMAP, MySQL, POP3, HTTPS, domain services, Kerberos, Sun RPC and SMUX.
* 192.168.0.150 – Another VM making a load of requests through outgoing port 34988, so it had to be a proxy server.
* 18.104.22.168 – Multicast router.
View original post 479 more words