1/29/2014

newsoft's tech blog: Pentester trick #8: command-line sniffing made easy


The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. Microsoft Network Monitor. It relies on the packet capture features built into Windows, and therefore leaves a minimal footprint on the target system. It can run without being installed, and it works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.

How to use it?
  1. Download and install Microsoft Network Monitor on a standalone computer.
  2. Upload nmconfig.exe and nmcap.exe to the target computer.
  3. Enable the Microsoft Network Monitor Driver: nmconfig /install
  4. Test: nmcap /displaynetworks
  5. Sniff all TCP traffic on every local interface: nmcap /network * /capture tcp /File tcp.cap
  6. Disable the Microsoft Network Monitor Driver: nmconfig /uninstall
(Caveat: the capture file format is not WinPcap-compatible. However, Wireshark (and others) know how to read it.)
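The flip side of the procedure above is that a host owner can look for exactly the artifacts it leaves behind. The following PowerShell inventory check is an added example, not from the original post or from Microsoft: it assumes the kernel driver registered by `nmconfig /install` is the service named `nm3` and that the normal install directory is `%ProgramFiles%\Microsoft Network Monitor 3`; verify both on a reference machine before relying on the script.

```powershell
# Added example: inventory a Windows host for the Network Monitor capture driver
# and its portable command-line tools (nmcap.exe / nmconfig.exe).
# ASSUMPTION: the driver service installed by "nmconfig /install" is named "nm3".
$DriverName = 'nm3'
# ASSUMPTION: default install directory of the full Network Monitor 3 package.
$ExpectedDir = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3'

function Test-NetMonFootprint {
    $findings = @()

    # 1. Is the capture driver registered as a kernel driver service? It stays
    #    registered until "nmconfig /uninstall" is run, so this is the most durable trace.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    if ($drv) {
        $findings += [pscustomobject]@{
            Indicator = 'Driver'
            Detail    = "$($drv.Name) state=$($drv.State) path=$($drv.PathName)"
        }
    }

    # 2. Are the portable tools running right now? They need no installer, so a
    #    process listing is the only live signal.
    Get-Process -Name nmcap, nmconfig -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "$($_.ProcessName) pid=$($_.Id) path=$($_.Path)"
        }
    }

    # 3. Have the binaries been dropped outside the normal install directory?
    #    (A full-drive walk is slow; scope -Path to user/temp directories on large hosts.)
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include nmcap.exe, nmconfig.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -notlike "$ExpectedDir*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $_.FullName }
        }

    return $findings
}

# Usage: run elevated; an empty result means none of the three indicators was found.
Test-NetMonFootprint | Format-Table -AutoSize
```

A stale capture file left next to the tools (step 5 writes `tcp.cap` by default) is a fourth indicator worth adding to the file search once you know the extensions used in your environment.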
