LAN Sniffer 1.0
(Trojan.Win32.AphexSniffer.10)

by Aphex

Released in May 2002


LAN Sniffer 1.0 by Aphex of EES

This remote admin packet sniffer is implemented using WinPcap. WinPcap is an architecture for
packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet
filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent
library (wpcap.dll, based on libpcap version 0.6.2). The packet filter is a device driver that
adds to Windows 95, 98, ME, NT, 2000 and XP the ability to capture raw data from a network
card, with the possibility to filter and store in a buffer the captured packets. 

The main benefit of this software is that you can capture all TCP/IP traffic on the entire local
segment. A computer sharing a hub with other computers will be able to capture not only its own
TCP/IP traffic but also the traffic of the other computers sharing the same segment.

A segment can be thought of as anything not separated by a switch or router.

WinPcap is about 300KB compressed. This is what makes the server size so large.
It is a small drawback when compared to the amount of functionality provided.

The server only uses outgoing connections to establish a link with the client.
This enables it to bypass complications arising from the server being on a private LAN.

Also, the server has the capability to gain trusted permissions with most software firewalls.
It will run completely undetected. The main file will not even show up in the process list.

To begin run "Generator.exe"

Supported network types:

Windows 95/98/ME: Cable/DSL (NIC, not USB), Ethernet, PPP WAN, FDDI, ARCNET, ATM and Token Ring.
Windows NT/2K/XP: Cable/DSL (NIC, not USB), Ethernet, FDDI, ARCNET, ATM and Token Ring.

This product includes software developed by the Politecnico di Torino, and its contributors.


Each server that connects to the client is allocated its own console window. This console window
can be undocked from the main client and made to float as a sizeable tool window by clicking on the
top left corner of the console window and dragging it from the form. You can return the console
window to the main client by typing 'dock' at the console. You can also clear any console by
typing 'clear'.

CONSOLE COMMANDS: You can display a summary of this list in any console window by typing 'help'.

  Sniffer Startup Commands:

    To begin sniffing you should select your filtering options first. Then retrieve a list of
    available adapters. Once you choose an adapter you can issue the start command.

      sniffer adapters list - list available adapters
      sniffer start <adapter #> - starts the sniffer on the specified adapter
      sniffer stop - stops the sniffer


  Sniffer Display Commands:

    By default both of these are turned off. If you want to view packets you must turn one
    or both of these on.

      sniffer hex on - turns hexadecimal packet view on
      sniffer hex off - turns hexadecimal packet view off

      sniffer asc on - turns ASCII packet view on
      sniffer asc off - turns ASCII packet view off


  Sniffer Filter Commands:

    The sniffer will only capture TCP/IP traffic according to these settings. IPs, ports and
    strings apply to both incoming and outgoing traffic. The sniffer ignores all traffic on
    the same port it is using, to prevent it sniffing its own traffic and creating a loop.

    Be certain that the port you use for the client connection is one you will not want to monitor,
    since traffic on that port is never captured.

      sniffer all on - turns all-traffic sniffing on
      sniffer all off - turns all-traffic sniffing off

      sniffer ips add <ip> - adds an IP to the sniffer's capture list
      sniffer ips del <#> - deletes IP entry # from the sniffer's capture list
      sniffer ips clear - clears all IPs in the sniffer's capture list
      sniffer ips list - lists all IPs in the sniffer's capture list

      sniffer ports add <port> - adds a port to the sniffer's capture list
      sniffer ports del <#> - deletes port entry # from the sniffer's capture list
      sniffer ports clear - clears all ports in the sniffer's capture list
      sniffer ports list - lists all ports in the sniffer's capture list

      sniffer strings add <string> - adds a string to the sniffer's capture list
      sniffer strings del <#> - deletes string entry # from the sniffer's capture list
      sniffer strings clear - clears all strings in the sniffer's capture list
      sniffer strings list - lists all strings in the sniffer's capture list


  Sniffer Logging Commands:

    Each console window can create its own log file.

      sniffer log on - begins logging for the current console window
      sniffer log off - stops logging for the current console window
      sniffer log file <filepath> - specifies the log file to use for the current console window



Aphex


Server:
size: 844.288 bytes

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
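
Because the readme states that the server hides from the process list but persists through the
Run key named above, the autostart key rather than the process list is where a defender looks for
it. The following PowerShell script is an added example written for this page; it is not part of
the original readme or of the tool. It audits the Run key the readme names, resolves each entry to
its executable, and reports the file's size in bytes (the readme states the server is 844.288
bytes, i.e. 844,288 bytes) and its Authenticode signature status, so an unexpected unsigned binary
stands out. The function names Resolve-RunCommandPath and Get-RunKeyAudit are assumptions made for
this example, and the unquoted-path parsing is a deliberate simplification.

```powershell
# Added example, not part of the original readme: audit the autostart key the
# readme names (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

function Resolve-RunCommandPath {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Tools\app.exe /silent
    param([Parameter(Mandatory)][string]$Command)

    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted value: assume the executable ends at the first whitespace.
    # (Simplification: unquoted paths containing spaces are not handled.)
    return ($cmd -split '\s+', 2)[0]
}

function Get-RunKeyAudit {
    # Enumerate every value under the Run key and describe the file it starts.
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

    if (-not (Test-Path -Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath

    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $exe     = Resolve-RunCommandPath -Command $command
        $exists  = Test-Path -LiteralPath $exe -PathType Leaf

        $size = $null
        $sig  = 'file missing'
        if ($exists) {
            $size = (Get-Item -LiteralPath $exe).Length
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }

        [pscustomobject]@{
            Name      = $name
            Command   = $command
            Exe       = $exe
            Exists    = $exists
            SizeBytes = $size
            Signature = $sig
        }
    }
}

# Unsigned or missing binaries sort to the top; compare SizeBytes against the
# 844,288-byte server size the readme states, and review any unfamiliar Exe path.
Get-RunKeyAudit | Sort-Object Signature | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that every value under HKLM is readable. The per-user
HKCU Run key is not covered by the readme and is not audited here, but the same function can be
pointed at it by passing a different -KeyPath.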

MegaSecurity