Chapter 2 - 03 - Understand Network-level Attacks - 03_ocred.pdf
EC-Council
Certified Cybersecurity Technician, Information Security Attacks, Exam 212-82

How a Sniffer Works

A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.

[Slide figure: an attacker PC running its NIC card in promiscuous mode, attached to a switch that is linked to the Internet; the attacker forces the switch to behave as a hub.]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address.

The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP request packet is broadcast to all machines on the local subnetwork. The machine with that particular IP address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table, and the source machine then uses this MAC address in all its communications with the destination machine.

There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:

- Shared Ethernet

  In a shared Ethernet environment, a single bus connects all the hosts, which compete for bandwidth. In this environment, all the other machines receive packets meant for one machine.
  Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.

Module 02 Page 185

- Switched Ethernet

  In a switched Ethernet environment, the hosts connect to a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets only to the port of the destination machine. Because the switch sends packets to the destined computer only, rather than broadcasting them to all the computers on the network, the available bandwidth is used better and security improves. Hence, simply putting a machine's NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true. Although a switch is more secure than a hub, sniffing the network is possible using the following methods:

- ARP Spoofing

  ARP is stateless. A machine can send an ARP reply even without being asked for it; furthermore, a machine will accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will then have an incorrect entry for the gateway.
  Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.

- MAC Flooding

  Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have limited memory for this table. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it enters fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding. Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network.

By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to the user's machine and discard the packets sent to other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.
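The shared-versus-switched contrast and the fail-open behaviour under MAC flooding described above can be seen in a small model. The following Python is an added example and not EC-Council's code: it models a hub, a learning switch with a bounded MAC table, and the same switch with a per-port MAC limit (the port-security control that switches offer against table exhaustion). The table size, the oldest-entry eviction policy, the limit of two MACs per port and the flood_then_check driver are assumptions chosen for illustration, not the behaviour of any particular vendor's hardware.

```python
"""Toy model of Ethernet frame delivery: a hub (shared Ethernet), a switch with a
bounded MAC table, and the same switch with a per-port MAC limit (port security).

Added example, not EC-Council's code. The table size, eviction policy and
per-port limit are assumptions chosen to illustrate the text."""
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Shared Ethernet: every frame is repeated on every port except the ingress one."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Learning switch with a bounded MAC table.

    When the table is full, a new source MAC evicts the oldest entry, and a
    destination that is no longer in the table is flooded to all other ports:
    the 'fail-open' behaviour the text describes. With max_macs_per_port set,
    a port that already holds that many MACs refuses to learn more (port security).
    """

    def __init__(self, ports, table_size=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()            # mac -> port, oldest entry first
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.violations = []                  # (port, mac) refused by port security

    def _macs_on_port(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def _learn(self, port, mac):
        if mac in self.table:                 # refresh an existing entry
            self.table.move_to_end(mac)
            self.table[mac] = port
            return True
        if (self.max_macs_per_port is not None
                and self._macs_on_port(port) >= self.max_macs_per_port):
            self.violations.append((port, mac))
            return False
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)    # evict the oldest entry
        self.table[mac] = port
        return True

    def forward(self, in_port, src, dst):
        if not self._learn(in_port, src):
            return []                         # port security drops the frame
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]  # unknown destination: flood


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def flood_then_check(switch, attacker_port, n_frames, seed=1):
    """Push n_frames frames with random source MACs into attacker_port, then ask
    where a unicast frame from host A (port 1) to host B (port 2) is delivered.
    Returns (delivery_ports, table_size_after, violation_count)."""
    rng = random.Random(seed)
    a_mac, b_mac = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    switch.forward(1, a_mac, BROADCAST)       # A and B announce themselves ...
    switch.forward(2, b_mac, BROADCAST)       # ... so the switch learns both
    for _ in range(n_frames):
        switch.forward(attacker_port, random_mac(rng), BROADCAST)
    out = switch.forward(1, a_mac, b_mac)
    return out, len(switch.table), len(switch.violations)


if __name__ == "__main__":
    ports = [1, 2, 3, 4]
    print("hub:", Hub(ports).forward(1, "a", "b"))
    print("switch, no port security:", flood_then_check(Switch(ports), 3, 100))
    print("switch, max 2 MACs per port:",
          flood_then_check(Switch(ports, max_macs_per_port=2), 3, 100))
```

Without the per-port limit, the random MACs from port 3 push A's and B's entries out of the table, and the A-to-B frame is flooded to every other port, including the attacker's; with a limit of two MACs per port, the excess entries are refused and the same frame still goes only to port 2. Real switches implement the limit as port security (with a shutdown or restrict action on violation), and the violation counter here corresponds to the events a defender would alert on.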
[Figure: attacker PC running its NIC card in promiscuous mode, attached to a switch with a link to the Internet.]

Figure 2.9: Working of a sniffer

Man-in-the-Middle Attack

- The man-in-the-middle attack is used to intrude into an existing connection between systems and intercept the messages being exchanged.
- Attackers use different techniques and split the TCP connection into two: a client-to-attacker connection and an attacker-to-server connection.
- After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication.
- Attackers use tools such as Cain & Abel to perform a man-in-the-middle attack.

[Slide figure: victim, attacker and web server, with the original connection split into a client-to-attacker connection and an attacker-to-server connection (MITM).]

A man-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-to-attacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target.

[Figure: victim and web server with the attacker placed between the two halves of the connection.]

Figure 2.10: Prediction of session ID using a man-in-the-middle (MITM) attack
Attackers use tools such as Cain & Abel to perform a man-in-the-middle (MITM) attack. Cain & Abel is a password recovery tool that allows the recovery of passwords by sniffing the network and cracking encrypted passwords. The ARP poisoning feature of the Cain & Abel tool involves sending free spoofed ARPs to the network's host victims. This spoofed ARP can make it easier to attack a middleman.

[Screenshot: the Cain & Abel APR (ARP Poison Routing) tab, alongside the Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless and Query tabs, showing a table with Status, IP address, MAC address and Packets columns.]
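The ARP poisoning described in the Cain & Abel passage, like the ARP spoofing of the gateway earlier in the section, leaves a trace on the wire: replies nobody asked for, and an IP address whose MAC suddenly changes. The following Python is an added example, not code from EC-Council or from the Cain & Abel tool: a small detector that reads constructed ARP log lines and flags unsolicited replies, replies that contradict a trusted gateway mapping, and IP-to-MAC flips, which is the kind of check arpwatch-style monitoring performs. The log format, the sample lines, the MAC and IP values and the TRUSTED mapping are all assumptions made up for this example.

```python
"""Detect the on-wire symptoms of ARP spoofing / ARP poisoning from a log of
ARP traffic: unsolicited replies, replies that contradict a trusted mapping for
a protected host such as the default gateway, and IP-to-MAC flips.

Added example, not EC-Council's or Cain & Abel's code. The log format, sample
lines and TRUSTED mapping are constructed assumptions."""
import re
from collections import defaultdict

# Constructed log format: "<time> <op> <sender_ip> <sender_mac> -> <target_ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<op>request|reply) "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+) (?P<smac>[0-9a-f:]{17}) -> (?P<tip>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: 10.0.0.1 is the gateway; 10.0.0.5 and 10.0.0.7 are hosts.
# From 10:00:09 on, a third MAC claims both the gateway and host 10.0.0.5,
# i.e. it poisons both sides to sit between them.
SAMPLE_LOG = """\
10:00:01 request 10.0.0.5 aa:aa:aa:aa:aa:05 -> 10.0.0.1
10:00:01 reply 10.0.0.1 00:11:22:33:44:01 -> 10.0.0.5
10:00:02 request 10.0.0.7 aa:aa:aa:aa:aa:07 -> 10.0.0.1
10:00:02 reply 10.0.0.1 00:11:22:33:44:01 -> 10.0.0.7
10:00:09 reply 10.0.0.1 de:ad:be:ef:00:99 -> 10.0.0.5
10:00:09 reply 10.0.0.5 de:ad:be:ef:00:99 -> 10.0.0.1
10:00:12 reply 10.0.0.1 de:ad:be:ef:00:99 -> 10.0.0.7
10:00:20 request 10.0.0.1 00:11:22:33:44:01 -> 10.0.0.5
10:00:20 reply 10.0.0.5 aa:aa:aa:aa:aa:05 -> 10.0.0.1
"""

# Assumed trusted mapping for the gateway (in practice: from the inventory).
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def analyze(log_text, trusted=TRUSTED):
    """Return a list of alert strings, in log order."""
    alerts = []
    seen = {}                    # ip -> MAC last observed in a reply
    pending = defaultdict(set)   # target ip -> requester ips still awaiting a reply
    for e in parse(log_text):
        if e["op"] == "request":
            pending[e["tip"]].add(e["sip"])
            continue
        ip, mac, ts = e["sip"], e["smac"], e["ts"]
        # 1. Unsolicited reply: ARP is stateless, so hosts accept these anyway.
        if e["tip"] not in pending[ip]:
            alerts.append(f"{ts} unsolicited ARP reply from {ip} ({mac}) to {e['tip']}")
        else:
            pending[ip].discard(e["tip"])
        # 2. Reply contradicts the trusted mapping of a protected host.
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ts} {ip} claimed by {mac}, expected {trusted[ip]}")
        # 3. Mapping flipped since the last reply seen for this IP.
        elif ip in seen and seen[ip] != mac:
            alerts.append(f"{ts} {ip} changed from {seen[ip]} to {mac}")
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG):
        print(line)
```

Gratuitous ARP at boot or during failover is legitimate on many networks, so the unsolicited-reply check alone is noisy; the trusted-mapping check for the gateway is the one worth paging on. Static ARP entries for the gateway on critical hosts, and dynamic ARP inspection on the switch, remove the condition this detector is looking for.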