Sniffing. Michael Sonntag Institute for Information processing and microprocessor technology (FIM) Johannes Kepler University Linz, Austria


Sniffing
Michael Sonntag
Institute for Information processing and microprocessor technology (FIM)
Johannes Kepler University Linz, Austria
michael.sonntag@jku.at

What is a "Sniffer"?
- Devices or programs which capture or copy data packets
  - Theory: a "receive-only" device
  - Practice: most software also sends, e.g. DNS lookups to decode IP addresses
- The "sniffed" packets are then analyzed later on (= packet analysis)
  - I.e. you don't see (only) a bit/byte stream, but a TCP packet or an HTTP stream
- These are also called wiretap programs
  - In "old" times this was used for phones by attaching wires to the telephone lines
- Why would you use them?
  - Professional products: network management, finding problems, ...
    - Will copy everything and can filter according to various expressions
  - Underground products: intrusions, hacking
    - Will automatically filter out passwords

Threats to network traffic: Interruption
[Diagram: "Normal Flow" from Information Source to Information Destination (the normal process of transmitting data); "Interruption" cuts the flow before it reaches the destination]
- E.g. failure of a switch/router, Denial of Service attack, ...
- Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Fabrication
[Diagram: "Normal Flow" from Information Source to Information Destination; "Fabrication" injects data towards the destination that never came from the source]
- E.g. packet construction: different source address than it actually should have
- Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Interception
[Diagram: "Normal Flow" from Information Source to Information Destination; "Interception" copies the flow to a third party while it still reaches the destination]
- E.g. packet sniffer
- Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Modification
[Diagram: "Normal Flow" from Information Source to Information Destination; "Modification" passes the flow through a third party that alters it before delivery]
- E.g. content scanner, proxy
- Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Protocol analysis
- Definitions:
  - Protocol analysis is the process of capturing network traffic (with sniffing programs) and looking at it closely in order to figure out what is going on.
  - A protocol analyzer interprets the sniffed packets and decodes their fields (according to the protocols).
- Renders interpreting the result of sniffing much easier (or even possible)!

Sniffer example: Wireshark
[Screenshot: the sniffed, copied and analyzed traffic; a single packet decoded on the different layers; the full binary view of that single packet]

Areas of use
- Automatically sifting through the traffic for cleartext passwords and usernames
- Copying the communication between certain entities (if in readable format)
  - Normally persons, but may also be devices or programs, e.g. reverse engineering of protocols
- Error analysis to discover/analyze/solve network problems
  - E.g. too frequent topology changes (TCs) with STP (Spanning Tree Protocol)
- Performance analysis for locating bottlenecks
- Network Intrusion Detection to discover hacks/intruders
- Network Traffic Logging to generate logs a hacker cannot modify or delete
  - On a system with a read-only connection to the network; but: crashing (Ping of Death)?

Classification of sniffers
- Breadth of functionality
  - Universal sniffers (all / many protocols)
  - Protocol-specific sniffers (e.g. only IP, only FTP / WWW / ...)
- Depth of functionality
  - How detailed the data/packets are analyzed
  - Integrated specific functions, e.g. password sniffing
- Area of use
  - Standalone
  - Distributed (with central management/reporting/analysis system)
  - Remote
- Detection/evasion measures
  - MAC filter in sniffer software, ...

Broadcast networks
- Intranets / LANs are often broadcast networks, because they employ Ethernet
- Broadcast means that every sender pushes its data into the network and hopes (relies on) that only the intended recipient will read it
- Ethernet is a shared medium, i.e. from a logical view all clients are connected to a single medium (cable)
  - Ethernet is based on collision detection (CSMA/CD)
  - All segments connected by a hub build a SINGLE collision domain
- "But we use switches"
  - This is good, but doesn't prevent problems
  - You can still attack the switch so it acts like a hub (or other attacks)
  - Result: broadcast network again!

Anatomy of an Ethernet frame
Field layout (length in bytes):
  preamble (8) | destination address (6) | source address (6) | type/len (2) | [LLC | SNAP] data (46-1500) | FCS (4)
- Preamble: synchronization of clocks; also includes the "Start Frame Delimiter"
- Destination and source address are hardware addresses (= MAC addresses)
  - Example: 00-60-08-2C-C3-FE
- EtherType or length: indicates which protocol is encapsulated within (LLC / SNAP / VLAN tag)
  - Note: many NICs strip the VLAN tag, so you can't see it; this depends also on the driver!
- Payload data
- FCS (Frame Check Sequence): CRC for error checking

MAC addresses (1)
- MAC = Media Access Control
- 48-bit Ethernet MAC address
  - The first bit marks unicast addresses (0) resp. multicast addresses (1)
  - If the second bit is 0, the next 22 bits identify the producer as OUI (= Organisationally Unique Identifier), who then manages the remaining 24 bits himself
- The uniqueness of these MAC addresses is essential for correct working in a LAN!
  - Note: outside of a LAN duplicates may exist, but can again produce problems
  - Many identifiers are created based on the assumption of MAC addresses being worldwide unique, e.g. GUIDs
- List of vendor / OUI codes: http://standards.ieee.org/develop/regauth/oui/
- Special (destination) MAC address: Broadcast: FF-FF-FF-FF-FF-FF
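The frame layout from slide 12 and the address bits from slide 13, as an added Python example that is not part of the original slides: a parser for the Ethernet header (with an optional 802.1Q tag, and the distinction between an 802.3 length field and an Ethernet II EtherType), plus a decoder for the I/G bit, the U/L bit and the OUI. The sample frames are constructed here: the source MAC 00-60-08-2C-C3-FE is the slide's example address, all other addresses are made up. It works on raw frame bytes so it runs offline; a real capture library would supply the frames instead.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag protocol identifier
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """'00-60-08-2C-C3-FE' or '00:60:08:2c:c3:fe' -> 6 raw bytes."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    return octets


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac: str) -> dict:
    """Decode the flag bits of a 48-bit MAC address.

    Bit 0 of the first octet (I/G): 0 = unicast, 1 = multicast/group.
    Bit 1 of the first octet (U/L): 0 = globally unique, the next 22 bits are
    the vendor's OUI; 1 = locally administered (e.g. set by software), so the
    OUI carries no vendor information and is reported as None.
    """
    raw = mac_bytes(mac)
    first = raw[0]
    return {
        "multicast": bool(first & 0x01),
        "broadcast": raw == b"\xff" * 6,
        "locally_administered": bool(first & 0x02),
        "oui": None if first & 0x02 else mac_str(raw[:3]),
    }


def parse_ethernet(frame: bytes) -> dict:
    """Parse a frame as the driver hands it up: preamble/SFD and FCS have
    already been stripped by the NIC. Handles one optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if type_or_len == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_or_len = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF              # 12-bit VLAN ID; PCP/DEI bits ignored here
        offset = 18
    # Values <= 1500 are an IEEE 802.3 length (payload starts with LLC);
    # values >= 0x0600 are an Ethernet II EtherType; 1501..1535 are invalid.
    if type_or_len <= 1500:
        kind, ethertype, length = "802.3/LLC", None, type_or_len
    elif type_or_len >= 0x0600:
        kind, ethertype, length = "Ethernet II", type_or_len, None
    else:
        raise ValueError(f"invalid type/length field {type_or_len:#06x}")
    return {
        "dst": mac_str(dst), "src": mac_str(src), "kind": kind,
        "ethertype": ethertype, "length": length, "vlan": vlan,
        "payload": frame[offset:],
    }


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes, vlan=None) -> bytes:
    """Assemble a frame (without preamble/FCS); used here only to construct samples."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", type_or_len) + payload


# Constructed sample frames (not captured traffic): an ARP broadcast from the
# slide's example MAC, and a VLAN-tagged IPv4 multicast frame from a
# locally administered (software-set) source address.
SAMPLE_ARP = build_frame(BROADCAST, "00-60-08-2C-C3-FE", ETHERTYPE_ARP, b"\x00" * 28)
SAMPLE_VLAN = build_frame("01:00:5e:00:00:01", "02:11:22:33:44:55",
                          ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=10)

if __name__ == "__main__":
    for f in (SAMPLE_ARP, SAMPLE_VLAN):
        p = parse_ethernet(f)
        print(p["kind"], p["src"], "->", p["dst"], "vlan", p["vlan"],
              "ethertype", p["ethertype"], classify_mac(p["src"]))
```

The U/L bit is the practical detail here: a source address with that bit set was almost certainly changed in software, which is exactly the "you cannot rely on them to be correct" point of the next slide, and an OUI lookup on such an address tells you nothing about the hardware.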

MAC addresses (2)
- Identify your own MAC address:
  - Windows >= XP: ipconfig /all or netsh
  - Unix/Linux: ifconfig
- List the IP addresses in the local net which you are currently communicating with (via IP): arp -a
  - Note: "other" addresses might appear too, which "nearby" computers communicate with
  - On switches/routers: hp# show arp, hp# show mac
- MAC addresses should be unique, but with most modern hardware spoofing is possible quite easily
  - You cannot rely on them to be correct
  - Changes through software or re-burn of the EEPROM

Filtering in the protocol stack
- Each layer of the protocol stack filters out that part of the traffic not destined for this system
  - Aim: get rid of unnecessary traffic as early as possible
  - Goal: reduce the amount of work necessary
[Diagram: the stack Application, Presentation, Session, UDP/TCP (Transport), IP (Network), NIC Driver (Data Link), NIC (Physical), with a "Discard" branch at each of the four lower layers]
Sniffing, 2012

How can a sniffer just "listen in"?
- The Ethernet hardware contains a filter which normally drops any traffic not directed to this device (and not a broadcast): the MAC filter
- Promiscuous mode
  - The sniffer switches the hardware (network device) to promiscuous mode
  - This turns off the MAC filter, and consequently all of the traffic is delivered to the upper layers and potentially available (if not filtered there!)
  - If this is a shared medium, this is the complete traffic within a collision domain!
  - Note: the load will be much higher, as every packet must be handled!
- "But shared mediums don't exist any more"
  - Wrong: WLAN is a typical example!

Promiscuous mode
[Diagram: NIC (MAC filter) passes only the filtered traffic and discards the rest; NIC (promiscuous mode) passes all traffic and discards nothing]
- During normal operation the NIC drops (discards) traffic not for this system based on MAC addresses
- In promiscuous mode this filter is switched off
  - All traffic will be passed on (up) and nothing is discarded

Components of a sniffer
- Hardware
- Capture driver
- Buffer
- Realtime analysis
- Decode
- Additional functionality:
  - Packet editing
  - (Re-)Transmission
  - Specialty: don't send anything
- Capture driver: promiscuous mode
[Diagram: the components mapped against the layers Application, Presentation, Session, Transport, Network, Data Link, Physical]

Basic structure of a sniffer
[Diagram, bottom to top: NIC (promiscuous mode) -> network driver + capture driver -> capture filter -> capture buffer -> packet decoder -> display filter -> display, with realtime analysis attached to the capture path; a border marks where distributed sniffing splits the capture side from the analysis/display side]

Places to sniff (1)
- A hacker has the following options to listen in on the communication between two clients:
- Passive methods
  - The attacker must only "plug in" the sniffer and can immediately access all data
  - If you are one of the clients, this is always possible
    - Useless? No! SW might hide a lot of details which you might be interested in!
- Active methods
  - The attacker must actively do something because of the network architecture
    - E.g. switches; these do not broadcast all traffic
  - Disadvantage: he produces traffic, and this might be noticed!
- Local versus distributed sniffing

Places to sniff (2)
[Diagram: the path Client - Intranet - ISP router - Internet - ISP router - Intranet - Client, with sniffing positions marked L-1 to L-3. Passive: sniff on the client, sniff in the LAN (hub), sniff at the ISP. Active: route redirection]

Sniffing in WLANs
- WLAN = Wireless LAN
- Danger: circumvention of the firewall
  - Just sniff from "outside" (e.g. the building)
  - Signal distance: approx. 100-300 m
  - But: with special antennas (e.g. parabolic antennas) reception from even longer distances becomes possible
- Countermeasures:
  - MAC filtering: allow only the "known good" MAC addresses to connect
    - Why is this deficient on several levels? Think!
  - Encryption
    - Old: WEP = Wired Equivalent Privacy
    - IPSec: not integrated (manually possible; very good, but complex)!
    - Newer standards: 802.11i with WPA-2 (TKIP, AES, 802.1x, ...)

Defending against sniffers
- Encryption (SSL, VPNs, PGP, SSH, ...)
- Do not use broadcast networks, especially not WLANs
- Physical security for wires and equipment (switches), to prevent hardware manipulation
- Making the collision domains smaller
  - Splitting on layer 2: switches for the local network
    - Will only help against "amateur hackers"
    - Several attacks are still possible, e.g. ARP spoofing or flooding the switch so it will behave like a hub
    - VLANs help, but it depends on how the switch finds out the port-to-VLAN assignment
  - Splitting on layer 3: using routers, and potentially also firewalls

Detecting sniffers
- Theoretically (solely passive sniffers) impossible, but practically very often possible, because:
  - Sniffers cause traffic
    - Distributed / remote sniffers communicate with each other / the server
      - And these are the ones a hacker will use when installing them remotely
    - They use active methods (ARP spoofing, ...)
    - They perform reverse DNS lookups
  - Sniffer detectors employ active methods (decoys, ...)
  - Sniffers still suffer from bugs or peculiarities of their network stack
- The best method to detect sniffers is to use a sniffer!
  - Ping method, ARP method, DNS method, ...
- Note: local sniffers (on the same computer) can typically be detected easily!

Detecting sniffers: example
- Sending special traffic to the network where sniffing is suspected
- Computers that are sniffing are hopefully acting differently than all other computers
[Diagram: one LAN segment (L-1) with 192.168.0.1 (host running sniffer detection), 192.168.0.2 (suspected of sniffing) and 192.168.0.3 (victim)]

Detection: Ping method
- Assumption: a client with the IP 192.168.0.2 and MAC 00-60-08-2C-C4-FE is under suspicion of employing a sniffer
  - We are on the same Ethernet segment
- We construct a special ping packet (ICMP Echo Request) with the following data:
  - IP: 192.168.0.2
  - A slightly modified MAC: 00-60-08-2C-C4-FD
- Theoretically nobody should answer this ping, as the MAC address in it does not exist
- But a client in promiscuous mode looks at the packet and will (often) answer it
  - Why? Not filtered based on MAC (-> sniffing!), IP address is correct -> answer

Detection: DNS method
- Create a packet with both a non-existing MAC and a non-existing IP address
- Send it out on the network where a sniffer is suspected to be running
- Any "normal" computer will ignore it, as it is not for it (wrong MAC)
  - The network should remain completely "silent"
- But a sniffer will inspect the packet and, hopefully, try to resolve the IP address in it to its hostname
  - This DNS request is noted and shows that a sniffer exists (and who it is)
- Disadvantage: will only work if the sniffer "cooperates", i.e. resolves IP addresses/names
  - If it is completely passive, i.e. really only listening, this won't work!
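The DNS method turned into detection logic, as an added Python example that is not from the original slides: after the decoy frame has been sent, the resolver's query log is searched for PTR lookups of the decoy address's in-addr.arpa name, and every client that asked for it is reported. The log lines below are constructed in a BIND 9 query-log style (an assumption; adjust LOG_RE to whatever your resolver writes), the decoy 192.168.0.200 is made up and must be an address no real host uses, and 192.168.0.2 is the suspect from the slides.

```python
import re
from collections import defaultdict

# Assumed BIND 9 style query-log line (constructed format for this example):
#   <date> <time> client @0x... <ip>#<port> (<qname>): query: <qname> IN <qtype> + (<server>)
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9.]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\S+)")


def reverse_name(ipv4: str) -> str:
    """PTR owner name for an IPv4 address: 192.168.0.200 -> 200.0.168.192.in-addr.arpa"""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for every parsable query-log line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def find_decoy_lookups(lines, decoy_ips):
    """Map decoy reverse names back to the clients that asked for them.
    Returns {client_ip: [decoy_ip, ...]}; an empty dict means nobody tried to
    resolve a decoy, i.e. no sniffer, or a completely passive one."""
    decoys = {reverse_name(ip): ip for ip in decoy_ips}
    hits = defaultdict(list)
    for client, qname, qtype in parse_query_log(lines):
        if qtype == "PTR" and qname in decoys and decoys[qname] not in hits[client]:
            hits[client].append(decoys[qname])
    return dict(hits)


# Constructed sample log: ordinary lookups by .5 and .6, and the suspect .2
# resolving the decoy address it could only have seen by sniffing the probe.
SAMPLE_LOG = """\
18-Mar-2012 10:00:01.100 client @0x7f1c2a004560 192.168.0.5#51234 (www.example.com): query: www.example.com IN A + (192.168.0.1)
18-Mar-2012 10:00:02.250 client @0x7f1c2a004560 192.168.0.6#40011 (1.0.168.192.in-addr.arpa): query: 1.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
18-Mar-2012 10:00:05.731 client @0x7f1c2a004560 192.168.0.2#33107 (200.0.168.192.in-addr.arpa): query: 200.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
18-Mar-2012 10:00:05.733 client @0x7f1c2a004560 192.168.0.2#33108 (200.0.168.192.in-addr.arpa): query: 200.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
18-Mar-2012 10:00:07.002 client @0x7f1c2a004560 192.168.0.5#51240 (www.example.com): query: www.example.com IN AAAA + (192.168.0.1)
""".splitlines()

if __name__ == "__main__":
    print(find_decoy_lookups(SAMPLE_LOG, ["192.168.0.200"]))
```

The legitimate PTR lookup of 192.168.0.1 by .6 is not flagged because only decoy names count; that is the whole value of the method: a name nobody has a reason to resolve. Watching the resolver's log rather than the wire also catches a sniffer whose resolver traffic leaves through a different interface than the one it listens on.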

Detection: ARP test
- Prerequisite: in the same Ethernet segment (local network)
- Prepare an ARP request
  - (Almost) all systems react on receiving an ARP request
- Modify the destination of the ARP request in the layer 2 frame
  - Instead of the broadcast address FF-FF-FF-FF-FF-FF use e.g. FF-FF-FF-FF-FF-FE
- If a computer answers, the NIC is probably in promiscuous mode
  - This doesn't necessarily mean that a sniffer is present, but it is very likely!
  - Normal computers would not answer, as they only check for their own MAC address and the "real" broadcast address (all FFs)
- Other option: send FF:00:00:00:00:00
  - Standard Windows NIC drivers (at least older ones) inspect only the first byte to find out whether a packet is a broadcast or not
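Why the ARP test (and, in the same way, the ping method) works, as an added Python example that is not from the original slides: a small model of a host's MAC filter from slides 16/17, an ARP layer that only checks the target IP, and the test procedure of slide 28 run against that model. The NicModel class is an assumption made for this example, not a description of any particular driver; "first_byte" mimics the old Windows driver behaviour the slide describes. The addresses are the ones from slides 25/26 (192.168.0.1 detector, 192.168.0.2 suspect with MAC 00-60-08-2C-C4-FE, 192.168.0.3 victim), the remaining MACs and the .4 host are made up. The ping method differs only in the upper-layer check (IP address and ICMP echo instead of the ARP target address), so it is not repeated here.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
# Probe destinations from slide 28: a near-broadcast address, and the
# first-byte-only variant aimed at drivers that check just the first octet.
PROBE_DSTS = ["ff:ff:ff:ff:ff:fe", "ff:00:00:00:00:00"]


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp_request(dst_mac, src_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP 'who has target_ip?' request.
    Only the layer-2 destination differs between a normal request and a probe."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,          # Ethernet, IPv4, opcode 1 = request
                      mac_bytes(src_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


class NicModel:
    """Assumed toy model of a host's MAC filtering (not any real driver).

    Not promiscuous: the hardware filter passes only frames for the own MAC or
    the real broadcast address (multicast groups are left out of the model).
    Promiscuous: the hardware filter is off; sw_filter="none" passes everything,
    sw_filter="first_byte" mimics the old Windows driver behaviour from slide 28
    that treats any frame whose first destination octet is 0xff as broadcast.
    """

    def __init__(self, own_mac, promiscuous=False, sw_filter="none"):
        self.own_mac = mac_bytes(own_mac)
        self.promiscuous = promiscuous
        self.sw_filter = sw_filter

    def accepts(self, frame):
        dst = frame[:6]
        if dst == self.own_mac:
            return True
        if not self.promiscuous:
            return dst == b"\xff" * 6
        if self.sw_filter == "first_byte":
            return dst[0] == 0xFF
        return True


def arp_layer_replies(frame, own_ip):
    """The ARP layer no longer sees the layer-2 destination; it answers any
    request whose target protocol address is its own IP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return False
    arp = frame[14:42]
    opcode = struct.unpack("!H", arp[6:8])[0]
    return opcode == 1 and arp[24:28] == ip_bytes(own_ip)


def replies_to(nic, own_ip, frame):
    return nic.accepts(frame) and arp_layer_replies(frame, own_ip)


def arp_test(hosts, detector_mac="00:60:08:2c:c3:fe", detector_ip="192.168.0.1"):
    """Run the ARP test against modelled hosts {ip: NicModel}.
    A normal broadcast request goes first as a control (is the host up at
    all?), then the probes; any reply to a probe marks the host as suspicious."""
    report = {}
    for ip, nic in hosts.items():
        alive = replies_to(nic, ip, build_arp_request(BROADCAST, detector_mac, detector_ip, ip))
        hits = [d for d in PROBE_DSTS
                if replies_to(nic, ip, build_arp_request(d, detector_mac, detector_ip, ip))]
        report[ip] = {"alive": alive, "suspicious": bool(hits), "replied_to": hits}
    return report


# Constructed LAN: .2 is the suspect from the slides, .3 the victim with a
# normal NIC, .4 a made-up promiscuous host with the first-byte-only filter.
SAMPLE_HOSTS = {
    "192.168.0.2": NicModel("00:60:08:2c:c4:fe", promiscuous=True),
    "192.168.0.3": NicModel("00:60:08:2c:c5:01"),
    "192.168.0.4": NicModel("00:60:08:2c:c6:02", promiscuous=True, sw_filter="first_byte"),
}

if __name__ == "__main__":
    for ip, result in arp_test(SAMPLE_HOSTS).items():
        print(ip, result)
```

The control request matters in practice: a host that answers neither the broadcast nor the probes is simply down or quiet, not clean, which is exactly the case of slide 29 (an interface with no protocol bound to it).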

But what to do in cases like these?
- There is no protocol bound to the sniffing interface
  - There will be no reaction at all to ARPs, pings, ...!
- Better method required!
  - Dedicated wiretap hardware
  - Switch with mirroring functionality ("monitoring port", etc.)

Physical wiretaps
[Product images]
- http://www.netoptics.com/sites/default/files/pubtpcu3zdu-1%20install.pdf
- http://www.netoptics.com/products/network-taps/gig-zero-delay-tap
- http://www.netoptics.com/sites/default/files/pdf/datasheet/slim-tap-datasheet.pdf

Detecting sniffers: AntiSniff
[Screenshot: no sniffer active]
- http://packetstormsecurity.org/sniffers/antisniff/

Detecting sniffers: AntiSniff
[Screenshot: sniffer seems to be running! The ARP test is positive]
- http://packetstormsecurity.org/sniffers/antisniff/

"Endangered species (protocols)"
- You cannot say it too often: all these protocols transmit passwords (or important data) unencrypted!
  - Telnet, rlogin
  - HTTP (without TLS/SSL)
  - SNMP (passwords), DNS (unsecured data, very important for attackers)
  - SMTP, POP, IMAP
  - NNTP, FTP
- For most of these protocols secure alternatives already exist (TLS for HTTP, PGP with POP/IMAP/SMTP, ...)
  - But you have to use them!
- Also: "External = HTTPS, Internal = HTTP". Is this a good policy?
  - An attacker might have a sniffer on the inside too

Summary
- Sniffing = Interception = Listening is a very dangerous technique
  - You can get a lot of information without having to hack a computer
  - Most of the techniques will not show up in any logs
- Therefore the following aspects are important:
  - Encryption is important against sniffing
    - Perhaps even locally: try to use secure protocols also within your local network!
  - Sniffing alone is very difficult, unless extended by active techniques
    - If someone can tamper with your glass fibre cables, you're out of luck anyway!
  - Investigate your equipment: switches often support various forms of protection
    - Lockdown, static assignments (-> management issues!), DNS snooping, ...
  - Partition your network: routers, VLANs, ...

Thank you for your attention!
Michael Sonntag
Institute for Information processing and microprocessor technology (FIM)
Johannes Kepler University Linz, Austria
michael.sonntag@jku.at