Sniffing Techniques in Ethical Hacking
Slide 1: ICT2212 Ethical Hacking: Sniffing. A/Prof Guo Huaqun (Linda). SIT Internal.

Slide 2: Acknowledgement
This set of slides is based on a version from Dr. Raymond Chan (some slides developed by Dr Peter Loh).

Slide 3: Introduction to Scanning and Enumeration
(Diagram of the attack phases: Reconnaissance, Scanning and Enumeration, Gain Access, Keep Access, Cover Tracks.)
- Sniffing augments existing scanning and enumeration results.
- It is an essential part of scanning and enumeration for remote targets on wireless channels.

Slide 4: Introduction to Sniffing
- A method to compromise the security of a network or application; may use a sniffer.
- A sniffer is a tool that can plug into a network node and eavesdrop on the data traffic.
- Sniffers typically place network nodes into promiscuous mode.
- A node in promiscuous mode can listen to all communications whether addressed to it or not (hub networks).
- Sniffing categories: passive or active.

Slide 5: Passive Sniffing
(Diagram: input is broadcast to every node on the hub.)
- Passive sniffing involves use of a sniffer (e.g. Cain and Abel, Wireshark) to monitor network packets.
- Passive sniffing relies on the promiscuous mode feature of a network interface controller (NIC).
- Passive sniffing is difficult to detect but does not work well in switched networks.

Slide 6: Active Sniffing
(Diagram: the switch looks at the MAC address; a host answers "No, I am!" to claim another host's address.)
- Active sniffing is required to bypass the segmentation that switches provide.
- Packets are injected into the network switch that cause traffic for other nodes to be sent to the attacker's system (e.g. ArpSpoof).
- Active wireless sniffing involves sending out multiple network probes to identify Access Points (APs).

Slide 7: Arp Spoofing Demo (Kali Linux) - 1
- arpspoof -t … (tell the victim that you are the gateway)
- arpspoof -t … (tell the gateway that the victim is you)
- Enable IP forwarding so that the traffic flows through you.

Slide 8: Arp Spoofing Demo (Kali Linux) - 2
- urlsnarf -i eth0 (captures website addresses visited by the target's machine)
- driftnet -i eth0 (captures image traffic from the target machine's browser)

Slide 9: Arp Spoofing Demo (Kali Linux) - 3
Video: MiTM Attack | ARP Spoofing | ARP Poisoning in Kali Linux, https://www.youtube.com/watch?v=LrlOS2SbjNk

Slide 10: What is sniffing used for?
For a defender:
- Identify the type of network application(s) or service(s) used
- Identify the hosts using the network
- Identify the bottlenecks in the network
- Capture data to perform troubleshooting
- Create traffic logs to analyze the security of the network
For an attacker:
- Gather passwords, credit card information, email messages, etc. (privacy attack)
- Modify or delay data and resend it to recipients (integrity attack; replay attack)
- Establish an unintended connection with senders while using the authentication provided by the receiver (spoofing, MITM attacks)
What can be mitigated by encryption, hashing and time stamps?
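The next slides answer this with encryption, hashing and time stamps. As an added illustration (not part of the lecture slides), the receiver-side check below shows why a keyed hash covering a time stamp defeats the integrity and replay attacks listed above; the shared key, the 30-second window and the timestamp|payload|tag layout are assumptions.

```python
"""Added example (not from the slides): integrity + freshness check for a
message that crosses a network an attacker can sniff and resend.

Assumptions: a shared key agreed beforehand (e.g. via Diffie-Hellman), a 30 s
freshness window, and the wire layout  timestamp|payload|hex(HMAC-SHA256).
"""
import hashlib
import hmac

KEY = b"shared-secret-from-key-exchange"   # assumed pre-shared key (constructed)
FRESHNESS_WINDOW = 30                       # seconds a message stays acceptable


def protect(payload: bytes, key: bytes, now: int) -> bytes:
    """Sender: put the time stamp inside the authenticated data, then append the tag.
    A keyed hash is used rather than a plain hash: a sniffer who alters the payload
    can recompute an unkeyed hash, but cannot recompute an HMAC without the key."""
    body = str(now).encode() + b"|" + payload
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify(wire: bytes, key: bytes, now: int, seen: set) -> str:
    """Receiver: returns 'ok', 'tampered', 'stale' or 'replayed'.
    `seen` holds tags already accepted inside the freshness window."""
    body, _, tag = wire.rpartition(b"|")          # tag is hex, so it never contains '|'
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return "tampered"                          # changed in transit, or forged without the key
    sent_at = int(body.split(b"|", 1)[0])
    if abs(now - sent_at) > FRESHNESS_WINDOW:      # also rejects clocks far in the future
        return "stale"                             # old capture resent long after the fact
    if tag in seen:
        return "replayed"                          # identical valid message resent in the window
    seen.add(tag)
    return "ok"


if __name__ == "__main__":
    accepted = set()
    msg = protect(b"transfer 100 to alice", KEY, now=1000)               # constructed sample
    print(verify(msg, KEY, 1001, accepted))                               # ok
    print(verify(msg, KEY, 1005, accepted))                               # replayed
    print(verify(msg.replace(b"alice", b"mallory"), KEY, 1005, accepted))  # tampered
    print(verify(msg, KEY, 2000, set()))                                  # stale
```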
Slide 11: Encryption to Protect Privacy
- Key management issues: Certification Authority or Diffie-Hellman key exchange.

Slide 12: Hashing to Protect Integrity
- Protect against birthday attacks.

Slide 13: Spoofing and MITM attacks (diagram only)

Slide 14: Time Stamp against Replay Attacks
- Put a time stamp in the message so the receiver can check that it is "fresh".

Slide 15: Protocols vulnerable to Sniffing
Typical protocols vulnerable to sniffing (these protocols have no data encryption):
- Telnet (port 23)
- File Transfer Protocol: FTP (port 21)
- Post Office Protocol v3: POP3 (port 110)
- Internet Message Access Protocol: IMAP (port 143)
- Network News Transfer Protocol: NNTP (port 119)
- Simple Mail Transfer Protocol: SMTP (port 25)
- Hypertext Transfer Protocol: HTTP (port 80)
How do we perform sniffing?

Slide 16: PACKET SNIFFERS (section title)

Slide 17: Packet Sniffers
(Diagram: selective sniffing for switched networks.)
- A packet sniffer is a hardware device or software utility that uses a network adapter card to capture network packets.
- Packet sniffers exploit information transferred in the clear; you have seen protocols susceptible to these sniffers, e.g. Telnet, FTP, HTTP.

Slide 18: Limitations of Packet Sniffing
- Packet sniffers only catch what they can see:
  - Users attached to a hub: can see everything
  - Users attached to a switch: only see their own traffic
  - Wireless: the access point is like a hub
- Sniffers are difficult to deploy in edge computing scenarios.
- The Network Interface Card (NIC) needs to be able to see all traffic, not just traffic to/from itself (hub), and must support promiscuous mode.
- Administrator privilege is needed (e.g. to install the WinPcap driver).
- Private information, e.g. authentication data, must be in the clear. (SSL Packet Capture can decrypt secure comms between mobile apps and their backend services.)
- The capturing system must be application aware to provide forensic-level information and details.

Slide 19: What Is in a Packet?
- Source and destination MAC addresses
- Email contents
- Web addresses
- Authentication information
- Financial and personal information
Analysis of this information requires a packet analyzer (dSniff, Ettercap, Wireshark, Kismet).

Slide 20: dSniff
https://www.kali.org/tools/dsniff/
https://www.monkey.org/~dugsong/dsniff/
- A collection of tools for network auditing and penetration testing.
- Written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information.

Slide 21: Ettercap
https://www.ettercap-project.org/
Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Slide 22: Password Capture: WIRESHARK (section title)

Slide 23: Wireshark
Wireshark can:
1. Capture the incoming and outgoing traffic of the network interface
2. Capture all communications within a network
It allows the user to put network interface controllers into promiscuous mode and see all traffic visible on that interface, not just the traffic addressed to one of the interface's configured addresses plus broadcast/multicast traffic.

Slide 24: Password Capture via Web Login
1. Click Start, Wireshark.
2. In Wireshark, on the left side, click "Interface List".
3. In the "Wireshark: Capture Interfaces" box, check all the interfaces. Click the Start button.
4. Open a web browser and go to http://retail9.com/ssp-login.php
5. On the top right of the screen, click "Sign In".
6. Enter a Username of [email protected] (using your own name, not the literal string "YOURNAME") and a Password of topsecretpassword.
   - You see an error message saying the login failed.
   - That doesn't matter; the point of this project is to see how the password was sent.
7. In the Wireshark window, click Capture, Stop.
8. In the Filter bar, type this filter: http.request.method == POST. Locate the HTTP packet, then Follow TCP Stream.

Slide 25: Password Capture: SMARTSNIFF (section title)

Slide 26: SmartSniff
- Similar to Wireshark: a network monitoring utility.
- Can view the TCP/IP conversations in ASCII mode or as a hex dump.

Slide 27: Password Capture via Form Login
Start SmartSniff. Select Options -> Capture Options -> select the WinPcap capture driver and the Wi-Fi network adapter -> click to start capturing, then browse to any non-HTTPS URL.

Slide 28: Network Forensics: Pics and Malware
NetworkMiner, https://www.netresec.com/?page=NetworkMiner
- An open-source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic by parsing an uploaded PCAP file.
- Can also be used to capture live network traffic by sniffing a network interface.

Slide 29: ARP spoofing or poisoning (section title)

Slide 30: Address Resolution Protocol (ARP)
- Primarily used to translate IP addresses to Ethernet MAC addresses.
- The device driver for the Ethernet NIC needs to do this to transfer a packet.
- The MAC (Media Access Control) address is a physical machine address.
- Each host maintains a table (ARP cache) of IP-to-MAC addresses.
- Message types: ARP/RARP request, ARP/RARP reply.
- No authentication in ARP: ARP is a stateless protocol; requests and replies can be forged.
(Diagram, purpose of ARP: 32-bit Internet address (internet layer) <-> 48-bit Ethernet address (link layer); ARP maps one way, RARP the other.)

Slide 31: How does ARP work?
(Diagram: My Computer 129.119.10.42 and a LaserJet printer 129.119.103.2.)
- My Computer first checks its ARP cache (lookup table) for the IP address.
- Not found, so it broadcasts an ARP request: "Who has 129.119.103.2?"
ARP table of the source host:
  IP Address      MAC Address
  129.119.103.1   00-E0-2B-13-68-00
  129.119.103.2   ??-??-??-??-??-??

Slide 32: How does ARP work?
- The printer sends an ARP reply: "I have 129.119.103.2. My MAC is 21-B2-E8-77-3C-54."
- The MAC is returned and the source host's ARP table is updated:
  IP Address      MAC Address
  129.119.103.1   00-E0-2B-13-68-00
  129.119.103.2   21-B2-E8-77-3C-54
What do you notice?

Slide 33: ARP Spoofing (ARP Poisoning)
(Diagram: hosts connected through a network switch.)
- A forged ARP reply is sent to the source of the ARP request.
- The source computer's ARP cache is updated with a forged entry.

Slide 34: ARP Spoofing (ARP Poisoning) - 1/2
By spoofing the network switch, all hosts on the subnet will route through the attacker's machine:
- You have to poison the ARP cache of every host on the subnet.
- IP conflict possibility: you should not spoof the IP of another client (two clients cannot have the same IP).
- Two clients can have the same MAC address but different IP addresses.
- Machines get IP addresses dynamically with DHCP, so their IP address may change from time to time, and thus this triggers no special warning.
To perform ARP poisoning, either
1) arp -s … pub, or
2) arpspoof -t … ; arpspoof -t … ; echo 1 > /proc/sys/net/ipv4/ip_forward; followed by urlsnarf and driftnet, or
3) sudo arpspoof -i eth0 -t … ; sudo arpspoof -i eth0 -t … ;

Slide 35: ARP Spoofing (ARP Poisoning) - 2/2
- ARP cache entries are not long-lived because NICs may be switched.
- IP conflict? (Diagram: ARP reply for IP 172.15.1.1 with MAC C.)

Slide 36: ARP Poisoning via Broadcast Request
(Diagram: Host A 10.10.0.1, MAC 00-E0-2B-13-68-00; Host B 10.10.0.2; Host C (attacker) 10.10.0.11, MAC 10-A7-C4-55-E3-06.)
- Host C broadcasts a request: "Who has 10.10.0.1? My IP is 10.10.0.2".
- Host A's ARP table now holds 10.10.0.2 -> 10-A7-C4-55-E3-06.
- No conflict arises if Host B does not also broadcast a request.

Slide 37: ARP Poisoning via Request Response
(Diagram: Host A 10.10.0.1; Host B 10.10.0.2; Host C (attacker) also claiming 10.10.0.2.)
- Host A broadcasts "Who has 10.10.0.2? My IP is 10.10.0.1".
- Host B replies "I have 10.10.0.2. My MAC is 00-E0-2B-13-68-00".
- Host C also replies "I have 10.10.0.2. My MAC is ??-??-??-??-??-??".
- Host A's table: 10.10.0.2 -> ??-??-??-??-??-??
- The same IP address with 2 MAC addresses -> an IP conflict if Host A does an explicit check.

Slide 38: ARP Poisoning via Unsolicited Response
(Diagram: Host A 10.10.0.1; Host B 10.10.0.2, MAC 00-E0-2B-13-68-00; Host C (attacker) 10.10.0.11, MAC 10-A7-C4-55-E3-06.)
- Host C sends an unsolicited reply: "I have 10.10.0.29. My MAC is 10-A7-C4-55-E3-06".
- Host A's ARP table: 10.10.0.2 -> 00-E0-2B-13-68-00; 10.10.0.29 -> 10-A7-C4-55-E3-06.

Slide 39: ARP Spoofing - Switched Network (Before Attack)
The switch forwards traffic based on MAC address.
- Target 1: IP 192.168.1.1, Hw 00:00:00:00:00:01. ARP cache: 192.168.1.2 -> 00:00:00:00:00:02; 192.168.1.123 -> 00:00:00:00:00:14
- Target 2: IP 192.168.1.2, Hw 00:00:00:00:00:02. ARP cache: 192.168.1.1 -> 00:00:00:00:00:01; 192.168.1.123 -> 00:00:00:00:00:14
- AM (Attacking Machine): IP 192.168.1.121, Hw 00:00:00:00:00:03

Slide 40: ARP Spoofing - Switched Network (After Attack)
- Target 1 ARP cache: 192.168.1.2 -> 00:00:00:00:00:03; 192.168.1.123 -> 00:00:00:00:00:14
- Target 2 ARP cache: 192.168.1.1 -> 00:00:00:00:00:03; 192.168.1.123 -> 00:00:00:00:00:14
- ARP replies from the attacking machine poison the ARP caches of Targets 1 and 2 even though there were no corresponding requests.

Slide 41: Rest of the network
(Diagram: routers R at 192.168.1.1, Hw Addr 00:00:00:00:00:01, and 192.168.1.2, Hw Addr 00:00:00:00:00:02; attacked switch S, Cisco Catalyst 5000 series, 192.168.1.100, Hw Addr 00:00:00:00:00:04, on the same subnet; attacking machine M, RHEL AS 4.0, 192.168.1.121, Hw Addr 00:00:00:00:00:03.)
- Need to tell the router 192.168.1.2 that 192.168.1.100 is at 00:00:00:00:00:03, which is the MAC address of the attacking machine.
- Also tell switch S at 192.168.1.100 that 192.168.1.1 is at 00:00:00:00:00:03.
- MAC addresses are layer 2; modern routers implement ARP-spoof protection with network layer analyses.
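As an added example (not from the lecture), the detector below applies the two tells shown on the ARP poisoning slides to a constructed ARP packet stream: a reply that answers no request, and an IP address whose MAC changes; the ArpPacket record layout and the sample traffic are constructed, mirroring the switched-network scenario above.

```python
"""Added example (not from the slides): spotting ARP cache poisoning in a packet
stream using the two signals the lecture describes: a reply that answers no
request (unsolicited response) and an IP address whose MAC suddenly changes.

The ArpPacket record and SAMPLE are constructed; SAMPLE replays the
switched-network scenario (targets .1 and .2, attacking machine MAC :03).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    opcode: int       # 1 = request, 2 = reply
    sender_ip: str    # in a reply: "I have <sender_ip>, my MAC is <sender_mac>"
    sender_mac: str
    target_ip: str    # in a reply: the host that asked (whose cache gets updated)


def detect_arp_poisoning(packets):
    """Return (reason, ip, old_mac, new_mac) alerts; old_mac is None if unknown."""
    pending = set()   # (asker_ip, asked_for_ip) requests not yet answered
    table = {}        # IP -> MAC as a passive observer learns it from replies
    alerts = []
    for p in packets:
        if p.opcode == 1:                        # request: remember who asked for what
            pending.add((p.sender_ip, p.target_ip))
            continue
        if p.opcode != 2:
            continue
        known = table.get(p.sender_ip)
        if (p.target_ip, p.sender_ip) in pending:
            pending.discard((p.target_ip, p.sender_ip))
        else:                                    # nobody asked: gratuitous ARP or poisoning
            alerts.append(("unsolicited reply", p.sender_ip, known, p.sender_mac))
        if known is not None and known != p.sender_mac:
            alerts.append(("ip remapped", p.sender_ip, known, p.sender_mac))
        table[p.sender_ip] = p.sender_mac        # a victim's cache would be overwritten here
    return alerts


SAMPLE = [  # constructed traffic: before/after attack on the two targets
    ArpPacket(1, "192.168.1.1", "00:00:00:00:00:01", "192.168.1.2"),   # T1 asks for T2
    ArpPacket(2, "192.168.1.2", "00:00:00:00:00:02", "192.168.1.1"),   # T2's genuine answer
    ArpPacket(2, "192.168.1.2", "00:00:00:00:00:03", "192.168.1.1"),   # AM poisons T1
    ArpPacket(2, "192.168.1.1", "00:00:00:00:00:03", "192.168.1.2"),   # AM poisons T2
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE):
        print(alert)
```

Gratuitous ARP announcements also appear as unsolicited replies, so the "ip remapped" alert is the stronger signal; the same logic flags the request-response case where two hosts answer for one IP.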
Slide 42: Conclusion
- Sniffing: eavesdropping on network communications
  - Hardware or software sniffer
  - Passive (hub networks): promiscuous mode
  - Active (switched networks)
- Sniffing packets can reveal personal and authentication information (e.g. passwords), image data and even malware
  - Tools: Wireshark, SmartSniff, SniffPass, NetworkMiner
- ARP Spoofing (Poisoning): inject fake ARP packets to divert traffic to the attacker (active sniffing)
Next Week Lecture: System Hacking