Full Transcript


ETHICAL HACKING AND PENETRATION TESTING GUIDE by Dr TT
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Chapter 6: Network Sniffing

What Is Network Sniffing?
Network sniffing, aka eavesdropping, is a type of attack where an attacker captures the packets across a wire or across the air (wireless connection). The main goal is to capture unencrypted credentials across the network. The common target protocols include:
- FTP
- HTTP
- SMTP
The best way to protect against sniffing attacks is to use protocols that support encrypted communication.

Different Types of Sniffing
Sniffing can be primarily divided into two main categories:
- Active Sniffing: active sniffing is where we directly interact with our target machine by sending packets and requests. ARP spoofing and MAC flooding are common examples. Active sniffing is what we will focus on more.
- Passive Sniffing: in passive sniffing, the attacker does not interact with the target. They just sit on the network and capture the packets sent and received on the network. This happens in the case of hub-based networks or wireless networks.

Hubs versus Switches
In order to fully understand how sniffing works, we need to understand the difference between hub-based and switch-based networks.
[Figure: hub-based network topology and switch-based network topology]
Let’s assume that this topology runs on a hub-based network and that “Host A” would like to communicate with “Host B.” It will forward the traffic to the hub. A hub is designed in such a way that it broadcasts all the traffic, meaning that it will forward the traffic to all the hosts on the network. Since the IP header contains the destination address of “Host B,” any other device receiving the frames will drop it.
Promiscuous versus Nonpromiscuous Mode
Before we try to sniff traffic on a network, we need to understand the difference between promiscuous mode and nonpromiscuous mode, which are associated with our network cards. By default, our network card is in nonpromiscuous mode, in which we will be able to capture only the traffic that is destined for our computer. However, we can change our network card to promiscuous mode, which will allow us to forcefully capture the traffic that is not destined for our computer. So rule number 1 for sniffing is that all the network cards should be in promiscuous mode.
- The idea behind a MITM attack is that the attacker places himself in the middle of the communication between a client and a server. Therefore, any communication that is being performed between a client and a server will be captured by the attacker.
- Once an attacker successfully becomes the man in the middle, he can perform many attacks on the target network, such as capturing all the traffic, denial of service attacks, DNS spoofing, and session hijacking.

ARP (Address Resolution Protocol) Basics
- It runs upon the link layer (Layer 2) of the OSI model. Its purpose is to resolve an IP address to a MAC address. Any piece of hardware that connects to the Internet has a unique MAC address associated with it.
This is a switch-based network: “Host A” with IP 192.168.1.2 would like to communicate with “Host B” with IP 192.168.1.3. In order to communicate on a local area network, Host A would need to have the MAC address of Host B. Host A will look inside its ARP cache and see if the entry for Host B’s IP address is present inside the ARP table.
If it’s not present, Host A will send an ARP broadcast packet to every device on the network asking “Who has Host B’s IP address?” Once Host B receives the ARP request, it will send an ARP reply telling Host A “I am Host B and here is my MAC address.”

ARP Attacks
- MAC Flooding: the idea behind a MAC flooding attack is to send a huge amount of ARP replies to a switch, thereby overloading the CAM table of the switch. Once the switch overloads, it goes into hub mode, meaning that it will forward the traffic to every single computer on the network. All the attacker needs to do now is run a sniffer to capture all the traffic. Macof is part of the dsniff suite of tools.

ARP Attacks Cont.
- ARP Poisoning: ARP poisoning is a very popular attack and can be used to get in the middle of a communication. This could be achieved by sending fake “ARP replies”. As discussed earlier, the ARP protocol would always trust that the reply is coming from the right device. Due to this flaw in its design, it can in no way verify that the ARP reply was sent from the correct device.

Using ARP Spoof to Perform MITM Attacks
Before we perform a man in the middle attack, we need to enable IP forwarding so that the traffic can be forwarded to the destination. In order to enable it, we will use the following command:
- echo 1 >/proc/sys/net/ipv4/ip_forward
Thereafter, we can confirm that IP forwarding is enabled by using the cat command to display the contents of the ip_forward file. “1” means that IP forwarding is enabled; “0” means it’s disabled.
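The design flaw the slides describe (ARP accepting any reply without verification) is also what a defender watches for on the wire. The following Python script is an added example, not part of these slides, that flags the two symptoms of ARP poisoning on a constructed stream of parsed ARP packets: a reply that nobody requested, and an IP address suddenly claimed by a second MAC. The packet dictionaries, the addresses and the function name are assumptions for illustration.

```python
# Added example (not from the slides): a minimal ARP poisoning detector built on
# the two symptoms the deck describes.  (1) ARP replies that no host requested,
# which is precisely the message ARP accepts without verification, and (2) an IP
# address that a second MAC suddenly claims, typically the gateway.
# Packets are plain dicts standing in for parsed ARP headers (an assumption for
# illustration); a real monitor would fill them from a capture tool.
from collections import defaultdict


def detect_arp_poisoning(packets):
    """Return alert strings for an ordered stream of ARP packets.

    Each packet is a dict: op ('request' or 'reply'), sender_ip, sender_mac,
    target_ip.  The first MAC seen for an IP is treated as the baseline.
    """
    baseline = {}                   # ip -> first MAC observed claiming it
    outstanding = defaultdict(int)  # ip that was asked about -> open requests
    alerts = []
    for pkt in packets:
        ip, mac = pkt["sender_ip"], pkt["sender_mac"].lower()
        if pkt["op"] == "request":
            outstanding[pkt["target_ip"]] += 1
            continue
        # Reply: pair it with an open request for this IP, or call it unsolicited.
        if outstanding[ip] > 0:
            outstanding[ip] -= 1
        else:
            alerts.append(f"unsolicited ARP reply: {ip} is-at {mac}")
        # Reply: compare the claimed MAC with the baseline recorded for this IP.
        if ip in baseline and baseline[ip] != mac:
            alerts.append(
                f"ARP conflict: {ip} was {baseline[ip]}, now claimed by {mac}")
        baseline.setdefault(ip, mac)
    return alerts


# Constructed sample: a normal gateway lookup followed by a forged reply that
# claims the gateway IP 192.168.1.1 with a different MAC (all values made up).
SAMPLE_PACKETS = [
    {"op": "request", "sender_ip": "192.168.1.2",
     "sender_mac": "aa:aa:aa:aa:aa:02", "target_ip": "192.168.1.1"},
    {"op": "reply", "sender_ip": "192.168.1.1",
     "sender_mac": "aa:aa:aa:aa:aa:01", "target_ip": "192.168.1.2"},
    {"op": "reply", "sender_ip": "192.168.1.1",
     "sender_mac": "bb:bb:bb:bb:bb:99", "target_ip": "192.168.1.2"},
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_PACKETS):
        print(alert)
```

On the sample stream the first two packets are a legitimate request/reply pair and produce no alert; the third packet triggers both checks.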
Sniffing the Traffic with Dsniff
- After we have successfully poisoned the ARP cache, we will learn about a couple of sniffers that capture the traffic. We run the dsniff command to execute “dsniff”.

DNS Spoofing
In a DNS spoofing attack, an attacker spoofs the IP address behind a domain name. So even if the victim sees facebook.com in the browser, the real IP behind it is different. This attack is mostly used to perform phishing attacks. The steps required to perform a DNS spoofing attack are as follows:
1. Launching an ARP spoofing attack
2. Manipulating the DNS records
3. Using Ettercap to launch a DNS spoofing attack

DHCP Spoofing
DHCP stands for “Dynamic Host Configuration Protocol”. Its purpose is to automatically assign IP addresses to any host that requests an IP. So when a new host connects to a network, the DHCP server would assign an IP address and the gateway. DHCP requests are made in the form of broadcasts. The idea behind this attack is to send a reply to the victim before the real DHCP server does. Using DHCP, we can manipulate the following things:
1. The IP address of the victim
2. Default gateway
3. DNS address

Ending of Chapter 5
THE END
