Summary

This document contains information about sniffing, a process of monitoring and capturing all data packets passing through a given network using tools. It describes passive and active sniffing, and techniques such as MAC flooding, ARP poisoning, and DNS poisoning, along with vulnerable protocols and tools like Wireshark. It also touches upon lawful interception and the PRISM case study.

Full Transcript


# Sniffing - Module 07

## Unmask the Invisible Hacker

### CEH Certified Ethical Hacker

## Network Sniffing and Threats

- Sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools.
- It is a form of wiretap applied to computer networks.

Sensitive information obtained through sniffing:

| | |
|---|---|
| Syslog traffic | DNS traffic |
| Telnet passwords | Email traffic |
| Router configuration | Web traffic |
| FTP passwords | Chat sessions |

- Many enterprises' switch ports are open.
- Anyone in the same physical location can plug into the network using an Ethernet cable.

## How a Sniffer Works

- **Promiscuous mode**: a sniffer switches the NIC of a system into promiscuous mode so that it listens to all the data transmitted on its segment.
- A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in each data packet.

## Types of Sniffing: Passive Sniffing

- Passive sniffing means sniffing through a hub; on a hub the traffic is sent to all ports.
- It involves only monitoring the packets sent by others, without sending any additional data packets into the network traffic.
- In a network that uses hubs to connect systems, all hosts on the network can see all traffic, so an attacker can easily capture traffic going through the hub.
- Hub usage is outdated today; most modern networks use switches.

## Types of Sniffing: Active Sniffing

- Active sniffing is used to sniff a switch-based network.
- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table; the CAM table keeps track of which host is connected to which port.

### Active Sniffing Techniques

1. MAC flooding
2. DNS poisoning
3. ARP poisoning
4. DHCP attacks
5. Switch port stealing
6. Spoofing attack

## How an Attacker Hacks the Network Using Sniffers

1. An attacker connects his laptop to a switch port.
2. He runs discovery tools to learn about the network topology.
3. He identifies the victim's machine to target his attacks.
4. He poisons the victim machine by using ARP spoofing techniques.
5. The traffic destined for the victim machine is redirected to the attacker.
6. The hacker extracts passwords and sensitive data from the redirected traffic.

## Protocols Vulnerable to Sniffing

| Protocol | What is exposed |
|---|---|
| HTTP | Data sent in clear text |
| Telnet and Rlogin | Keystrokes including user names and passwords |
| POP | Passwords and data sent in clear text |
| IMAP | Passwords and data sent in clear text |
| SMTP and NNTP | Passwords and data sent in clear text |
| FTP | Passwords and data sent in clear text |

## Sniffing in the Data Link Layer of the OSI Model

- Sniffers operate at the Data Link layer of the OSI model.
- Networking layers in the OSI model are designed to work independently of each other; if a sniffer captures data at the Data Link layer, the upper OSI layers will not be aware of the sniffing.

| OSI layer | What a sniffer can read | Status |
|---|---|---|
| Application | Application stream | Compromised |
| Presentation | POP3, IMAP, IM, SSL, SSH | Compromised |
| Session | | Compromised |
| Transport | Protocols/ports | Compromised |
| Network | IP addresses | Compromised |
| Data Link | | Initial compromise |
| Physical | Physical links | |

## Hardware Protocol Analyzer

- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment.
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network.
- It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules.
- It allows an attacker to see the individual data bytes of each packet passing through the cable.

## Hardware Protocol Analyzers

- Keysight N2X N5540A
- Keysight E2960B
- RADCOM PrismLite Protocol Analyzer
- RADCOM Prism UltraLite Protocol Analyzer
- FLUKE Networks OptiView® XG Network Analyzer
- FLUKE Networks OneTouch™ AT Network Assistant

## Wiretapping

- Wiretapping is the process of monitoring telephone and Internet conversations by a third party.
- Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet.
- It allows an attacker to monitor, intercept, access, and record the information contained in a data flow in a communication system.

### Types of Wiretapping

- **Active wiretapping**: monitors, records, alters and also injects something into the communication or traffic.
- **Passive wiretapping**: only monitors and records the traffic and gains knowledge of the data it contains.

**Note:** Wiretapping without a warrant or the consent of the concerned person is a criminal offense in most countries.

## Lawful Interception

- Lawful interception refers to legally intercepting data communication between two end points for surveillance on traditional telecommunications, VoIP, data, and multiservice networks.

Elements of the lawful-interception flow shown on the slide:

1. Court order/request for wiretap
2. Access switch/tap
3. Service provider sets an access switch/tap on the exchange router
4. Exchange router
5. Storage system
6. Law enforcement agencies can access intercepted data whenever required
7. Central Management Server (CMS)
8. Internet
9. Service provider
10. User 1, User 2, User 3

## Wiretapping Case Study: PRISM

- PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management," and is a "data tool" designed to collect and process "foreign intelligence" that passes through American servers.
- The NSA wiretaps a huge amount of foreign Internet traffic that is routed through or saved on U.S. servers.

Internet bandwidth figures from the slide map (labels and values as extracted; three values carry no region label):

| Region | Bandwidth |
|---|---|
| U.S. and Canada | 2,946 Gbps |
| Latin America and Caribbean | 4,972 Gbps |
| Europe | 5 Gbps |
| Asia and Pacific | 11 Gbps |
| Africa | 2,721 Gbps |
| | 1,345 Gbps |
| | 343 Gbps |
| | 40 Gbps |

## MAC Flooding

- MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full.
- The switch then acts as a hub by broadcasting packets to all machines on the network, and attackers can sniff the traffic easily.

## How to Defend against MAC Attacks

- Only one MAC address allowed on the switch port.
- Configuring port security on a Cisco switch:

```
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
snmp-server enable traps port-security trap-rate 5
```

- Port security can be used to restrict inbound traffic to only a selected set of MAC addresses and limit MAC flooding attacks.

## What Is Address Resolution Protocol (ARP)?

- Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses.
- All network devices that need to communicate on the network broadcast ARP queries to find out other machines' MAC addresses.
- When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, an ARP_REQUEST is broadcast over the network.
- All machines on the network compare the requested IP address with their own.
- If one of the machines on the network identifies with this address, it responds to the ARP_REQUEST with its IP and MAC address.
- The requesting machine stores the address pair in its ARP table and communication takes place.

## ARP Spoofing Attack

- ARP packets can be forged to send data to the attacker's machine.
- ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch.
- The switch is set in 'forwarding mode' after the ARP table is flooded with spoofed ARP replies, and attackers can sniff all the network packets.
- Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.

## Threats of ARP Poisoning

- Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC.

| | |
|---|---|
| Packet sniffing | Data interception |
| Session hijacking | Connection hijacking |
| VoIP call tapping | Connection resetting |
| Manipulating data | Stealing passwords |
| Man-in-the-middle attack | Denial-of-service (DoS) attack |

## MAC Spoofing/Duplicating

- A MAC duplicating attack is launched by sniffing a network for the MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses.
- By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for that user.
- This attack allows an attacker to gain access to the network and take over the identity of someone already on the network.

## DNS Poisoning Techniques

- DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not.
- It results in the substitution of a false IP address at the DNS level, where web addresses are converted into numeric IP addresses.
- It allows an attacker to replace the IP address entries for a target site on a given DNS server with the IP address of a server he/she controls.
- An attacker can create fake DNS entries for the server (containing malicious content) with the same names as those of the target server.

## Sniffing Tool: Wireshark

- It lets you capture and interactively browse the traffic running on a computer network.
- Wireshark uses WinPcap to capture packets, so it can only capture packets on the networks supported by WinPcap.
- It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay and FDDI networks.
- Captured files can be programmatically edited via the command line.
- A set of filters for customized data display can be refined using a display filter.

## How to Defend Against Sniffing (Cont'd)

- Use HTTPS instead of HTTP to protect user names and passwords.
- Use a switch instead of a hub, as a switch delivers data only to the intended recipient.
- Use SFTP instead of FTP for secure transfer of files.
- Use PGP and S/MIME, VPN, IPsec, SSL/TLS, Secure Shell (SSH) and one-time passwords (OTP).
- Always encrypt wireless traffic with a strong encryption protocol such as WPA and WPA2.
- Retrieve the MAC address directly from the NIC instead of the OS; this prevents MAC address spoofing.
- Use tools to determine if any NICs are running in promiscuous mode.

## How to Detect Sniffing

- You will need to check which machines are running in promiscuous mode.
- Promiscuous mode allows a network device to intercept and read each network packet that arrives, in its entirety.
- Run an IDS and notice if the MAC address of certain machines has changed (example: the router's MAC address).
- An IDS can alert the administrator about suspicious activities.
- Run network tools such as Capsa Network Analyzer to monitor the network for strange packets.
- It enables you to collect, consolidate, centralize and analyze traffic data across different network resources and technologies.
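To make the MAC flooding section and the port-security countermeasure concrete, here is an added Python model of a switch CAM table; it is an illustration written for this page, not code from the CEH module or from any switch vendor. The table capacity (8 entries), the port names and the MAC addresses are constructed for the demo, and `violation restrict` is modelled as "drop the offending frame, keep the port up, record the violation".

```python
from collections import OrderedDict


class Switch:
    """Toy switch with a bounded CAM table. The capacity is constructed small
    so the flooding effect is visible; real tables hold thousands of entries.
    max_macs_per_port=None disables port security; an integer models
    'switchport port-security maximum N' with 'violation restrict'."""

    def __init__(self, ports, cam_capacity=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()   # mac -> port; insertion order doubles as age
        self.violations = []       # (port, mac) frames dropped by port security
        self.flood_count = 0       # frames the switch had to send out every port

    def _learn(self, mac, port):
        """Learn a source MAC on an ingress port; False if port security
        rejects the frame."""
        if mac in self.cam:
            self.cam.move_to_end(mac)       # refresh the entry's age
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                # 'violation restrict': drop the frame, keep the port up, log it
                self.violations.append((port, mac))
                return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)    # table full: evict the oldest entry
        self.cam[mac] = port
        return True

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the egress ports a frame is delivered to."""
        if not self._learn(src_mac, ingress_port):
            return []                        # dropped by port security
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]       # known destination: unicast
        self.flood_count += 1                # unknown destination: hub-like flood
        return [p for p in self.ports if p != ingress_port]


BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "aa:bb:cc:00:00:01"   # constructed: legitimate host on Gi0/1
HOST_B = "aa:bb:cc:00:00:02"   # constructed: legitimate host on Gi0/2


def flood_scenario(port_security):
    """Two legitimate hosts, then 50 bogus source MACs arriving on Gi0/3,
    then a unicast frame from A to B. Returns (egress ports of that unicast,
    number of frames port security rejected)."""
    sw = Switch(ports=["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=8,
                max_macs_per_port=1 if port_security else None)
    sw.forward("Gi0/1", HOST_A, BROADCAST)   # A announces itself (e.g. ARP)
    sw.forward("Gi0/2", HOST_B, BROADCAST)   # B does the same
    for i in range(50):                       # bogus MACs seen on Gi0/3
        bogus = f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"
        sw.forward("Gi0/3", bogus, BROADCAST)
    egress = sw.forward("Gi0/1", HOST_A, HOST_B)
    return egress, len(sw.violations)


if __name__ == "__main__":
    print("no port security:", flood_scenario(False))   # A->B also reaches Gi0/3
    print("maximum 1 per port:", flood_scenario(True))  # A->B reaches Gi0/2 only
```

Without the limit, the entries for A and B are aged out of the full table and the A-to-B unicast is flooded to Gi0/3 as well, which is the hub-like behaviour the slide describes. With `maximum 1`, only the first MAC on Gi0/3 is learned, the other 49 frames are dropped and recorded (the events the `snmp-server enable traps port-security` line would report), and the unicast stays on Gi0/2.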
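The ARP poisoning threats and the detection hint above ("notice if the MAC address of certain machines has changed") can be turned into a small arpwatch-style monitor. The following Python is an added example for this page, not code from the CEH module or from any tool it lists: it decodes raw Ethernet/ARP frames with the standard library and keeps an IP-to-MAC baseline. The frames it consumes are constructed inside the block (the gateway 192.168.1.1, the host and the offending MAC 66:66:66:66:66:66 are made up for the demo), and `build_arp_reply` exists only to fabricate that test input; nothing is sent on a network.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IPV4, ARP_REPLY = 0x0806, 0x0800, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))

def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Remembers the first MAC seen for each IP and alerts when an ARP reply
    contradicts it, when one MAC answers for several IPs, or when the ARP
    sender hardware address differs from the Ethernet source address."""

    def __init__(self, gateways=()):
        self.gateways = set(gateways)
        self.baseline = {}               # ip -> first MAC seen
        self.claims = defaultdict(set)   # mac -> IPs it has answered for
        self.alerts = []                 # (kind, subject, detail)

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["spa"], pkt["sha"]
        if pkt["eth_src"] != mac:
            self.alerts.append(("ETH_ARP_MISMATCH", ip, pkt["eth_src"]))
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(("ONE_MAC_MANY_IPS", mac, sorted(self.claims[mac])))
        known = self.baseline.get(ip)
        if known is None:
            self.baseline[ip] = mac
        elif known != mac:
            kind = "GATEWAY_MAC_CHANGED" if ip in self.gateways else "MAC_CHANGED"
            self.alerts.append((kind, ip, f"{known} -> {mac}"))


def build_arp_reply(sha, spa, tha, tpa):
    """Fabricate an ARP reply frame for the constructed capture below (test data only)."""
    eth = ETH_HDR.pack(mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"   # constructed
HOST_MAC, HOST_IP = "aa:bb:cc:00:00:10", "192.168.1.10"        # constructed
ROGUE_MAC = "66:66:66:66:66:66"                                 # constructed

# Constructed capture: two legitimate replies, one non-ARP frame (skipped),
# then two replies in which a single MAC claims both the gateway's and the host's IP.
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_arp_reply(HOST_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),
    ETH_HDR.pack(mac_bytes(GATEWAY_MAC), mac_bytes(HOST_MAC), ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 39,
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_arp_reply(ROGUE_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_demo():
    """Feed the constructed capture through the watcher; returns the alert kinds."""
    watcher = ArpWatcher(gateways=[GATEWAY_IP])
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return [alert[0] for alert in watcher.alerts]


if __name__ == "__main__":
    print(run_demo())
```

The baseline is deliberately first-seen rather than last-seen: if it were updated on every reply, a forged reply would silently become the new truth and the next legitimate reply would be the one flagged. In production the baseline should be seeded from a known-good inventory (or DHCP leases) and the gateway entry pinned, since the gateway is the address an ARP poisoning attack most often impersonates.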
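For the "check which machines are running in promiscuous mode" step, the following Python is an added example for this page (not code from the module or from Capsa). It evaluates the two places Linux exposes the state: the `PROMISC` flag and the per-device `promiscuity` counter in `ip -d -o link show` output, and the hex flag word in `/sys/class/net/<iface>/flags`. The `ip` output in the block is constructed sample text; `IFF_PROMISC = 0x100` is the kernel's value from `<linux/if.h>`. The counter matters because libpcap-based capture tools enter promiscuous mode through packet-socket membership, which raises the counter without setting the user-visible flag, so a check of the flag alone can miss exactly the sniffers the slide is about.

```python
import os
import re

IFF_PROMISC = 0x100   # bit in the interface flags word, from <linux/if.h>

# One interface per line, as printed by `ip -d -o link show`
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>(?P<rest>.*)$")
_PROMISCUITY_RE = re.compile(r"\bpromiscuity\s+(\d+)")


def promisc_from_ip_link(output):
    """Names of interfaces that are promiscuous by either indicator: the
    PROMISC flag (set by `ip link set ... promisc on`) or a non-zero
    promiscuity counter (raised by packet-socket captures such as libpcap)."""
    found = []
    for line in output.splitlines():
        m = _LINK_RE.match(line)
        if not m:
            continue
        flag_set = "PROMISC" in m.group("flags").split(",")
        counter = _PROMISCUITY_RE.search(m.group("rest"))
        counted = counter is not None and int(counter.group(1)) > 0
        if flag_set or counted:
            found.append(m.group("name"))
    return found


def promisc_from_flags_word(text):
    """text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


def scan_sysfs(root="/sys/class/net"):
    """Live flag check on a Linux host; returns [] where sysfs is unavailable."""
    hits = []
    if not os.path.isdir(root):
        return hits
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                if promisc_from_flags_word(fh.read()):
                    hits.append(name)
        except OSError:
            continue
    return hits


# Constructed sample of `ip -d -o link show`: eth0 has the flag, eth1 only the
# counter (typical for a running libpcap capture), eth2 is clean.
SAMPLE_IP_LINK = "\n".join([
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0",
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535",
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535",
    "4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:77 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535",
])

if __name__ == "__main__":
    print("sample:", promisc_from_ip_link(SAMPLE_IP_LINK))   # ['eth0', 'eth1']
    print("this host:", scan_sysfs())
```

On a real host, pipe `ip -d -o link show` into `promisc_from_ip_link` and correlate hits with the kernel's "entered promiscuous mode" log line, which names the interface and is the cheapest signal to forward to a central log collector. A NIC in promiscuous mode is not proof of sniffing (bridges, virtual switches and some monitoring agents use it legitimately), so treat the result as a lead for the IDS and the MAC-change check above rather than as a verdict.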
