Sniffing & Keylogger. Deff Arnaldy, M.Si

Transcription

1 Sniffing & Keylogger Deff Arnaldy, M.Si

2 Konsep sniffing Capturing Live Network Data Explorasi hasil capturing Countermeasure sniffing Keyloggers Overview 2

3 Sniffer adalah program yang membaca dan menganalisa setiap protokol yang melewati mesin di mana program tersebut diinstal Secara default, sebuah komputer dalam jaringan (workstation) hanya mendengarkan dan merespon paket-paket yang dikirimkan kepada mereka. Namun demikian, kartu jaringan (network card) dapat diset oleh beberapa program tertentu, sehingga dapat memonitor dan menangkap semua lalu lintas jaringan yang lewat tanpa peduli kepada siapa paket tersebut dikirimkan. Aktifitasnya biasa disebut dengan Sniffing Konsep Sniffing 3

4 Targets Data Link layer of protocol stack Sniffer gathers traffic off network This data can include userids passwords transmitted by telnet, DNS queries and responses, sensitive s, FTP passwords, etc. Allows attacker to read data passing a given machine in real time. Two types of sniffing: Active Passive Sniffing 4

5 Passive Attacker must have account on LAN Done over a hub Usually once access is gained on one computer attacker uses passwords to get in other computers Sniffing Active Attacker still needs an account Several different attacks: - Parsing Packets - Flooding - Spoofed ARP Messages - DNS Spoofing - HTTPS and SSH spoofing 5

6 Passive Sniffing user1 BLAH HUB user2 Server - Message gets sent to all computers on hub Bad guy 6

7 Active Sniffing user1 BLAH Switch user2 Server - Message gets sent to only requesting computer by looking at MAC address Bad guy 7

8 Offers several ways around a switch Available for OpenBSD, Linux, Solaris, and there is a version for Windows Very popular and versatile In conjunction with sshmitm and webmitm, conducts all the above attacks Dsniff 8

9 Any mischievious machine can examine any packet on a BROADCAST medium Ethernet is BROADCAST at least on the segments over which it travels Getting passwords is the first step in exploiting a machine is plaintext and vulnerable Major Problems with Sniffing 9

10 What does one sniff? passwords financial account information confidential information low-level protocol info to attack hardware addresses IP addresses routing, etc 10

11 1. Hardware : standard network adapters. 2. Capture Filter : This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer. 3. Buffers : used to store the frames captured by the Capture Filter. What are the components of a packet sniffer? 11

12 4. Real time analyzer: a module in the packet sniffer program used for traffic analysis and to shift the traffic for intrusion detection. 5. Decoder : "Protocol Analysis". What are the components of a packet sniffer? 12

13 Sniffers also work differently depending on the type of network they are in. 1. Shared Ethernet 2. Switched Ethernet How does a Sniffer Work? 13

14 How can I detect a packet sniffer? Ping method ARP method DNS method 14

15 Packet Sniffer Mitigation Host A Router A Router B Host B The following techniques and tools can be used to mitigate sniffers: Authentication Using strong authentication, such as one time passwords, is a first option for defense against packet sniffers. Switched infrastructure Deploy a switched infrastructure to counter the use of packet sniffers in your environment. Antisniffer tools Use these tools to employ software and hardware designed to detect the use of sniffers on a network. Cryptography The most effective method for countering packet 15 sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

16 Wireshark Kismet Tcpdump Cain and Abel Ettercap Dsniff NetStumbler Ntop Ngrep EtherApe KisMAC Top 11 Packet Sniffers 16

17 Working of Cain & Abel 17

18 Detection of clear text passwords and usernames from the network. Conversion of data to human readable format so that people can read the traffic. Performance analysis to discover network bottlenecks. Network intrusion detection in order to discover hackers. What are sniffers used for? 18

19 Segmentation into trustworthy segments bridges better yet.. switched hubs Not enough not to allow sniffing easy to add a machine on the net may try using X-terminals vs workstations Prevention of Sniffing 19

20 Avoid password transmission one solution is r..family rlogin, rcp, rsh, etc put trusted hosts in.rhosts many SAs don t want users to use them Using encrypted passwords Kerberos PGP public keys Prevention of Sniffing (more) 20

21 If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers Keystroke loggers (keyloggers) can be implemented either using hardware or software Keylogger 21

22 Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device In order to install a hardware keylogger, a hacker must have physical access to the system 22

23 Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke. Software keyloggers can be deployed on a system by Trojans or viruses 23

24 References articles.info/e/a/title/packet Sniffing: Sniffing Tools Detection Prevention Methods/ packet sniffers education ppt powerpoint/ 24