Sniffing - Module 07 - PDF

# Sniffing - Module 07 ## Unmask the Invisible Hacker ### Certified Ethical Hacker ## Network Sniffing and Threats - Sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools. - It is a form of wiretap applied to computer networks. **Sensitive Information Obtained Through Sniffing:** - Syslog Traffic - Telnet Passwords - Router Configuration - FTP passwords - DNS Traffic - Email Traffic - Web Traffic - Chat Sessions **Many enterprises' switch ports are open.** Anyone in the same physical location can plug into the network using an Ethernet cable. ## How a Sniffer Works - Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment. - Attacker forces switch to behave as a hub. - A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packet. ## Types of Sniffing: Passive Sniffing 1. Passive sniffing means sniffing through a hub, on a hub the traffic is sent to all ports. 2. It involves only monitoring of the packets sent by others without sending any additional data packets in the network traffic. 3. In a network that use hubs to connect systems, all hosts on the network can see all traffic therefore attacker can easily capture traffic going through the hub. 4. Hub usage is out-dated today. Most modern networks use switches. **Note:** Passive sniffing provides significant stealth advantages over active sniffing. ## Types of Sniffing: Active Sniffing - Active sniffing is used to sniff a switch-based network. - Active sniffing involves injecting address resolution packets (ARP) into the network to flood the switch's Content Addressable Memory (CAM) table, CAM keeps track of which host is connected to which port. **Active Sniffing Techniques:** 1. MAC Flooding 2. DNS Poisoning 3. ARP Poisoning 4. DHCP Attacks 5. Switch Port Stealing 6. Spoofing Attack ## How an Attacker Hacks the Network Using Sniffers 1. An attacker connects his laptop to a switch port. 2. He runs discovery tools to learn about network topology. 3. He identifies victim's machine to target his attacks. 4. He poisons the victim machine by using ARP spoofing techniques. 5. The traffic destined for the victim machine is redirected to the attacker. 6. The hacker extracts passwords and sensitive data from the redirected traffic. ## Protocols Vulnerable to Sniffing | Keystrokes including user names and passwords | Passwords and data sent in clear text | |---|---| | HTTP | IMAP | | Telnet and Rlogin | SMTP and NNTP | | POP | FTP | | | Passwords and data sent in clear text | ## Sniffing in the Data Link Layer of the OSI Model - Sniffers operate at the **Data Link layer** of the OSI model. - Networking layers in the OSI model are designed to work **independently** of each other; if a sniffer sniffs data in the Data Link layer, the upper OSI layer will not be aware of the sniffing. **Compromised:** - **Application Stream:** POP3, IMAP, IM, SSL, SSH - **Protocols/Ports** - **IP Addresses** - **Initial Compromise** - **Physical Links** ## Hardware Protocol Analyzer - A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment. - It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network. - It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules. - It allows attacker to see individual data bytes of each packet passing through the cable. ## Hardware Protocol Analyzers - Keysight N2X N5540A - Keysight E2960B - RADCOM PrismLite Protocol Analyzer - RADCOM Prism UltraLite Protocol Analyzer - FLUKE Networks OptiView® XG Network Analyzer - FLUKE Networks OneTouch™ AT Network Assistant ## Wiretapping 1. Wiretapping is the process of monitoring telephone and Internet conversations by a third party. 2. Attackers **connect a listening device** (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet. 3. It allows an attacker to **monitor, intercept, access, and record information** contained in a data flow in a communication system. ## Types of Wiretapping - **Active Wiretapping:** It monitors, records, alters and also injects something into the communication or traffic. - **Passive Wiretapping:** It only monitors and records the traffic and gain knowledge of the data it contains. **Note:** Wiretapping without a warrant or the consent of the concerned person is a criminal offense in most countries ## Lawful Interception - Lawful interception refers to legally **intercepting data communication** between two end points for surveillance on the traditional telecommunications, VoIP, data, and multiservice networks. 1. **Court order/request for wiretap** 2. **Legal Authority:** System for real-time reconstruction of intercepted data 3. **Access Switch/Tap** 4. **Exchange Router:** Service provider sets an access switch/tap on exchange router 5. **Storage System:** Law enforcement agencies can access intercepted data whenever required 6. **Internet:** Central Management Server (CMS) 7. **Service Provider** ## Wiretapping Case Study: PRISM - PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management," and is a "data tool" designed to collect and process "foreign intelligence" that passes through American servers. - NSA wiretaps a huge amount of foreign internet traffic that is routed through or saved on U.S. servers. **Data Flow:** - U.S. and Canada: 2,946 Gbps - Latin America and Caribbean: 4,972 Gbps - Europe: 5 Gbps - Africa: 11 Gbps - Asia and Pacific: 2,721 Gbps - 1,345 Gbps - 343 Gbps - 40 Gbps ## MAC Flooding - MAC flooding involves flooding of CAM table with fake MAC address and IP pairs until it is full. - Switch then acts as a hub by broadcasting packets to all machines on the network and attackers can sniff the traffic easily. ## How to Defend against MAC Attacks - **Configuring Port Security on Cisco switch:** - switchport port-security - switchport port-security maximum 1 vlan access - switchport port-security violation restrict - switchport port-security aging time 2 - switchport port-security aging type inactivity - snmp-server enable traps port-security trap-rate 5 - **Only 1 MAC Address Allowed on the Switch Port:** Port security can be used to restrict inbound traffic from only a selected set of MAC addresses and limit MAC flooding attack. ## What Is Address Resolution Protocol (ARP)? - Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses. - All network devices (that needs to communicate on the network) broadcasts ARP queries in the network to find out other machines' MAC addresses. - When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, the ARP_REQUEST is broadcasted over the network. - All machines on the network will compare this IP address to their MAC address. - If one of the machine in the network identifies with this address, it will respond to ARP_REQUEST with its IP and MAC address. - The requesting machine will store the address pair in the ARP table and communication will take place. **Data Flow**: - **I want to connect to 192.168.168.3, but I need MAC address:** IP ID: 194.54.67.10; MAC: 00:16:48:64:42:e4 - **ARP_Request:** Hello, I need the MAC address of 192.168.168.3. - **ARP_Reply:** I am **192.168.168.3**, MAC address is **00-14-20-01-23-47**. - **Connection Established**: - IP ID: 192.168.168.1; MAC: 00-14-20-01-23-45 - IP ID: 192.168.168.2; MAC: 00-14-20-01-23-46 - IP ID: 192.168.168.3; MAC: 00-14-20-01-23-47 ## ARP Spoofing Attack - ARP packets can be **forged** to send data to the attacker's machine. - ARP Spoofing involves constructing a large number of **forged ARP request** and reply packets to overload a switch. - Switch is set in '**forwarding mode'** after ARP table is flooded with spoofed ARP replies and attackers can sniff all the network packets. - Attackers flood a target computer's ARP cache with forged entries, which is also known as **poisoning**. ## Threats of ARP Poisoning - Using fake **ARP messages**, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC. **Threats:** - Packet Sniffing - Session Hijacking - VoIP Call Tapping - Manipulating Data - Man-in-the-Middle Attack - Data Interception - Connection Hijacking - Connection Resetting - Stealing Passwords - Denial-of-Service (DoS) Attack ## MAC Spoofing/Duplicating - MAC duplicating attack is launched by **sniffing a network for MAC addresses** of clients who are actively associated with a switch port and re-using one of those addresses. - By listening to the traffic on the network, a **malicious user can intercept and use a legitimate user's MAC address** to receive all the traffic destined for the user. - This attack allows an attacker to **gain access to the network** and take over someone's identity already on the network. **Data Flow:** - **My MAC address is aa:bb:cc:dd:ee:ff:** Legitimate User - **Switch Rule:** Allow access to the network only if your MAC address is aa:bb:cc:dd:ee:ff. - **No! My MAC Address is aa:bb:cc:dd:ee:ff:** Switch - **Attacker sniffs the network for MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port:** Attacker - **Internet** ## DNS Poisoning Techniques - DNS poisoning is a technique that **tricks a DNS server into believing** that it has received authentic information when, in reality, it has not. - It results in **substitution of a false IP address** at the DNS level where web addresses are converted into numeric IP addresses. - It **allows attacker to replace IP address entries** for a target site on a given DNS server with IP address of the server he/she controls. - Attacker can **create fake DNS entries** for the server (containing malicious content) with same names as that of the target server. **Data Flow:** - **Victims** - **DNS Server** - **Internet DNS Spoofing (Remote network)** - **Intranet DNS Spoofing (Local network)** - **Proxy Server DNS Poisoning** - **DNS Cache Poisoning** - **Attacker:** DNS Attack Scripts ## Sniffing Tool: Wireshark 1. It lets you **capture and interactively browse the traffic** running on a computer network. 2. Wireshark uses **Winpcap to capture packets**, so it can only capture the packets on the networks supported by Winpcap. 3. **It captures live network traffic** from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI networks. 4. **Captured files can be programmatically edited via command-line**. 5. **A set of filters** for customized data display can be refined using a display filter. **Data Flow**:` - **Attacker** - **Wireshark Tool** - **Network** - **Victim** ## How to Defend Against Sniffing (Cont'd) 1. **Use HTTPS instead of HTTP** to protect user names and passwords. 2. **Use switch instead of hub** as switch delivers data only to the intended recipient. 3. **Use SFTP, instead of FTP** for secure transfer of files. 4. **Use PGP and S/MIPE, VPN, IPSec, SSL/TLS, Secure Shell (SSH) and One-time passwords (OTP)**. 4. **Always encrypt the wireless traffic** with a strong encryption protocol such as WPA and WPA2. 5. **Retrieve MAC directly from NIC** instead of OS; this prevents MAC address spoofing. 6. **Use tools to determine** if any NICs are running in the promiscuous mode. ## How to Detect Sniffing - You will need to check **which machines are running in the promiscuous mode**. - Promiscuous mode allows a network device to **intercept and read each network packet that arrives in its entirety**. - **Run IDS and notice** if the MAC address of certain machines has changed (Example: router's MAC address). - **IDS can alert** the administrator about suspicious activities. - **Run network tools** such as Capsa Network Analyzer to monitor the network for strange packets. - It enables you to **collect, consolidate, centralize and analyze traffic data** across different network resources and technologies.

Sniffing - Module 07 - PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue