Enterprise Pentesting & Wireless packet capture?


PooCheesey2

Hi. I am a System Admin for a company and we were authorized to do some in-house packet tracing as part of a cyber security exercise. I am looking to get some Hak5 gear and do some packet sniffing on our guest Wi-Fi. The test is looking to see if we can monitor internal packets from outside of the business. Would a Packet Squirrel be best for this or would I need something different? How does this tie into Cloud C2? The idea is to install a device on the Ethernet line that connects our ISP's router to our Cisco Meraki firewall. Would a Packet Squirrel be able to sniff out packets remotely for this task or is a laptop connection to the Packet Squirrel still needed? We want to be able to use a device that could use the existing outbound connection to send packet data to Cloud C2 while outside of the network.


What's the size of the company/network? Traffic volumes? Having a Squirrel keeping up with the pace could be difficult even with quite moderate volumes of traffic (speaking of volumes for a network, not a single device). To me, the Squirrel is not a tool that is supposed to be used in such a scenario. It's more a computer client based device that is used to monitor traffic of specific computers in a network, not a network as a whole. You will also perhaps risk (depending on what speed that is possible for incoming/outgoing traffic) limiting the external speed to 100 MBps if putting the Squirrel in line. I would probably use some other setup for this specific need to be able to get all traffic desired and at the same time not jeopardizing the network performance/speed. C2 has its use cases, but if you control the network, I don't see the need of using C2 in this specific scenario. There are other ways to get the data.


It's a fairly large company, around 1200 employees. The Meraki is set up to slow individual connections down to a maximum of 5 MBps per user. The circuit size currently is only 15 MBps, with our plans to increase its size in the future. Part of the test is to also capture usability of the circuit. We are trying to analyze by how much more the circuit will need to be increased. The current plan is to only increase to 300 MBps. While browsing the information on the Packet Squirrel there is a picture of it being used to infiltrate a WAP (Wireless Access Point), which is why I asked if it could be used for whole network infiltration. If a Packet Squirrel is not the tool for this then what would you recommend we use?


I have a Squirrel and I really like the concept. I would however be very careful implementing it in such a scenario. Some kind of risk assessment on business impact is for sure needed before doing this kind of thing (as always), including testing. Stakeholders should know what you are doing on the technical side and be aware of what the implications might be (pure and simple "change management" in other terms).

To not interrupt or disturb any ongoing vital networking traffic, I would probably use some kind of mirroring of the network traffic instead of sitting directly in line. The Squirrel has the NETMODE called TRANSPARENT, but I'm still not sure if the Squirrel is the correct wrench to use for this type of bolt.

A simple switch with port mirroring functionality and able to handle greater network speeds would perhaps be more suitable, along with a reasonably sized computer that can handle all the traffic flowing through the perimeter interface of the network without any (or with less) packet loss. Then record the traffic or combine it with some open source NIDS solution such as Suricata, Zeek or Snort. Or Security Onion, which includes some of those (and a lot more). It might be a "slight" overkill though, but could be worth checking if you plan to make any changes to your cybersec posture and want to introduce more functionality. Using such tools/solutions probably makes it easier to tune your captures and what you like to process.

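For the circuit-sizing part of the discussion above, an added example (not part of any post in this thread) that reads a classic pcap file recorded from a mirror port and reports per-second throughput against the circuit's rated speed. The function names, the 90% busy threshold and the sample capture are constructed for illustration; capacity is taken in megabits per second, and frames in both directions are counted together.

```python
import math
import struct
from collections import Counter

# Classic pcap magic numbers -> struct byte order (microsecond and nanosecond variants).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
               b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def bytes_per_second(pcap: bytes) -> Counter:
    """Sum on-the-wire bytes per capture second from a classic pcap file."""
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    per_sec, off = Counter(), 24               # skip the 24-byte global header
    while off + 16 <= len(pcap):               # each packet has a 16-byte header
        ts_sec, _frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap, off)
        per_sec[ts_sec] += orig_len            # orig_len survives snaplen truncation
        off += 16 + incl_len                   # step over the stored (cut) bytes
    return per_sec

def utilisation(per_sec: Counter, capacity_mbit: float,
                busy_frac: float = 0.9) -> dict:
    """Peak, 95th percentile and mean rate in Mbit/s, idle seconds included."""
    if not per_sec:
        raise ValueError("capture contains no packets")
    rates = sorted(per_sec[s] * 8 / 1e6
                   for s in range(min(per_sec), max(per_sec) + 1))
    p95 = rates[math.ceil(0.95 * len(rates)) - 1]
    return {
        "seconds": len(rates),
        "peak_mbit": rates[-1],
        "p95_mbit": p95,
        "mean_mbit": sum(rates) / len(rates),
        "peak_pct": 100 * rates[-1] / capacity_mbit,
        "busy_seconds": sum(r >= busy_frac * capacity_mbit for r in rates),
    }

def sample_capture() -> bytes:
    """Constructed capture: 1500-byte frames stored with a 64-byte snaplen."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)]
    for ts, frames in ((1000, 1000), (1002, 500), (1003, 1250)):  # 1001 is idle
        out += [struct.pack("<IIII", ts, 0, 64, 1500) + bytes(64)] * frames
    return b"".join(out)

if __name__ == "__main__":
    print(utilisation(bytes_per_second(sample_capture()), capacity_mbit=15))
```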
