Muhammad Farooq-i-Azam CHASE-2006 Lahore

Similar documents
Sirindhorn International Institute of Technology Thammasat University

Experiment 2: Wireshark as a Network Protocol Analyzer

Packet Header Formats

Internetworking models

University of Toronto Faculty of Applied Science and Engineering. Final Exam, December ECE 461: Internetworking Examiner: J.

Packet Sniffing and Spoofing

Module : ServerIron ADX Packet Capture

ICS 451: Today's plan

TCP /IP Fundamentals Mr. Cantu

CIT 380: Securing Computer Systems. Network Security Concepts

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

AN INTRODUCTION TO ARP SPOOFING

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

HPE Knowledge Article

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

Lecture 2: Basic routing, ARP, and basic IP

Switched environments security... A fairy tale.

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

K2289: Using advanced tcpdump filters

CNT5505 Programming Assignment No. 4: Internet Packet Analyzer (This is an individual assignment. It must be implemented in C++ or C)

CSC 405 Introduction to Computer Security. Network Security

The ACK and NACK of Programming

ELEC5616 COMPUTER & NETWORK SECURITY

Fall 2003 Wincati Issue

ECE 650 Systems Programming & Engineering. Spring 2018

/tmp/dump/dump02_arp_dns-weather_syn_fin complete-session - Ethereal Page 1

Detecting Sniffers on Your Network

Lab Using Wireshark to Examine Ethernet Frames

in-the-middle attack

Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

Lab Using Wireshark to Examine Ethernet Frames

The Transport Layer. Part 1

CS 458 Internet Engineering Spring First Exam

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

Prof. Bill Buchanan Room: C.63

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

History Page. Barracuda NextGen Firewall F

SSC-D02 HOMEWORK 2. Jean-Yves Le Boudec. November 6, 2002

CSE 127: Computer Security Network Security. Kirill Levchenko

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

A Study on Intrusion Detection Techniques in a TCP/IP Environment

The Transport Layer. Internet solutions. Nixu Oy PL 21. (Mäkelänkatu 91) Helsinki, Finland. tel fax.

Network Security. Introduction to networks. Radboud University, The Netherlands. Autumn 2015

Material for the Networking lab in EITF25 & EITF45

Man In The Middle Project completed by: John Ouimet and Kyle Newman

ICS 351: Networking Protocols

! ' ,-. +) +))+, /+*, 2 01/)*,, 01/)*, + 01/+*, ) 054 +) +++++))+, ) 05,-. /,*+), 01/-*+) + 01/.*+)

Lab Assignment for Chapter 1

CSCI-GA Operating Systems. Networking. Hubertus Franke

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

ECE 358 Project 3 Encapsulation and Network Utilities

EE 610 Part 2: Encapsulation and network utilities

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Switching & ARP Week 3

Network Model. Why a Layered Model? All People Seem To Need Data Processing

Layered Networking and Port Scanning

ECE4110 Internetwork Programming. Introduction and Overview

Introduction to Network. Topics

Computer Networks/DV2 Lab

The Capture and Reduction Technology of Image Data based on HTTP Protocol 1

Wireshark- Looking into the Packet. Henry A. McKelvey, MIS. Blacks in Technology

19: Networking. Networking Hardware. Mark Handley

TCP = Transmission Control Protocol Connection-oriented protocol Provides a reliable unicast end-to-end byte stream over an unreliable internetwork.

Networking Technologies and Applications

Computer Networks (Introduction to TCP/IP Protocols)

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

DDoS Testing with XM-2G. Step by Step Guide

Applied Networks & Security

Question Score 1 / 19 2 / 19 3 / 16 4 / 29 5 / 17 Total / 100

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Sirindhorn International Institute of Technology Thammasat University

I'IHITIIBIFI UI'IIVERSITY

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

COMP2330 Data Communications and Networking

Redesde Computadores(RCOMP)

Wireshark Lab: DHCP SOLUTION

UNIT V. Computer Networks [10MCA32] 1

Wire Shark Lab1. Intro

Interconnecting Networks with TCP/IP

Address Resolution Protocol (ARP), RFC 826

CS 457 Lecture 11 More IP Networking. Fall 2011

Transport Layer. <protocol, local-addr,local-port,foreign-addr,foreign-port> ϒ Client uses ephemeral ports /10 Joseph Cordina 2005

network security s642 computer security adam everspaugh

How to use IP Tables

Introduction to Internet. Ass. Prof. J.Y. Tigli University of Nice Sophia Antipolis

Course Contents. The TCP/IP protocol Stack

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Computer Networks. Transmission Control Protocol. Jianping Pan Spring /3/17 CSC361 1

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Sirindhorn International Institute of Technology Thammasat University

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

CE3005: Computer Networks Laboratory 3 SNIFFING AND ANALYSING NETWORK PACKETS

Transcription:

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Overview Theory Existing Sniffers in action Switched Environment ARP Protocol and Exploitation Develop it yourself 2

Network Traffic Computers and network devices communicate with each other by sending or receiving information over tiny bundles of electronic signals called packets. Flow of different packets to and from different computers over the network is said to constitute network traffic. 3

Packet Types and Structures Data Packets Visible Not all contents of the packet are seen by the end user. e. g. HTTP packets MAC IP TCP HTTP Data 4

Packet Types and Structures Control Packets Invisible e. g. ARP packets MAC ARP 5

Ethernet Our Domain of Experiment Non-Switched Hub Single broadcast domain Seldom used now a days Switched Hub Multiple broadcast domains 6

Promiscuous Mode Normal Operation of NIC Receive packets of own address only Operation Under Promiscuous Mode Receive all packets regardless of destination address Non-switched Ethernet LAN Capture traffic of neighbors Switched Ethernet LAN Still gets own traffic Further techniques in addition to mere promiscuous mode 7

Packet Sniffer A piece of software that captures all the traffic flowing in and out of a computer. Non-Promiscuous Mode Sniffing Own packets for both switched and non-switched LANs. Promiscuous Mode Sniffing Non-switched LAN Entire neighbor traffic Switched LAN Own traffic only Additional technique for capturing neighbor traffic ARP exploits 8

Some Theory Network Layers Ethernet and ARP Protocols 9

Physical and Logical Node to node communication uses physical addresses i.e. MAC addresses. Applications use logical addresses i.e. IP addresses. Each host on an Ethernet LAN has IP address MAC address 10

Why Logical Needs to Get Physical Host A Host B Application on AApplication on Host B They talk to each other using services provided by protocols on lower layers 11

Layer Talks to Layer A B HTTP Client HTTP Server TCP Port 1026 TCP Port 80 IP 172.16.11.11 IP 172.16.22.22 00:00:1c:aa:aa:aa 00:00:1c:bb:bb:bb 12

Frame Transmission MAC header of the frame should have destination s physical address Sending machine should know the receiving machine s physical address Destination MAC Source MAC Proto Type 13

Finding Destination Knowing the Destination Physical Address Host maintains a list of IP MAC mappings Uses ARP for hosts not in the list Updates the list of mappings 14

Typical IP MAC Mappings arp -a Interface: 172.16.30.30 on Interface 0x9000003 Internet Address Physical Address Type 172.25.30.1 00-50-8b-66-86-33 dynamic 172.25.30.2 00-07-e7-47-b3-cb dynamic 172.25.30.3 00-50-fc-71-38-94 dynamic 172.25.30.4 00-07-e9-5b-3f-e6 dynamic 172.25.30.5 00-30-6e-c9-af-13 dynamic 15

ARP Overview 16 Host A wants to send a frame to host B Host A broadcasts an ARP query to find out physical address for the given IP of B Every host on LAN receives query Host B with the given IP sends back its physical address in a unicast reply. Host A now sends the frame to B using the destination address

ARP Frame Format 48.bit: Ethernet address of destination 48.bit: Ethernet address of sender 16.bit: Protocol type Ethernet packet data: 16.bit: Hardware address space (e.g., Ethernet) 16.bit: Protocol address space. 8.bit: byte length of each hardware address 8.bit: byte length of each protocol address 16.bit: opcode [REQUEST REPLY] nbytes: Hardware address of sender mbytes: Protocol address of sender nbytes: Hardware address of target of this packet (if known). mbytes: Protocol address of target. 17

Example Packet ARP Request Destination: ff:ff:ff:ff:ff:ff Source: 00:11:11:25:4a:d2 Type: 0x0806 (ARP) Hardware type: 0x0001 (Ethernet) Protocol type: 0x0800 (IP) Hardware size: 6 Protocol size: 4 Opcode: 0x0001 (Request) Sender MAC address: 00:11:11:25:4a:d2 Sender IP address: 172.16.30.27 Target MAC address: 00:00:00:00:00:00 Target IP address: 172.16.36.21 18

Example Packet ARP Reply Destination: 00:11:11:25:4a:d2 Source: 00:03:ba:68:7b:b2 Type: 0x0806 (ARP) Hardware type: 0x0001 (Ethernet) Protocol type: 0x0800 (IP) Hardware size: 6 Protocol size: 4 Opcode: 0x0002 (Reply) Sender MAC address: 00:03:ba:68:7b:b2 Sender IP address: 172.16.36.21 Target MAC address: 00:11:11:25:4a:d2 Target IP address: 172.16.30.27 19

ARP Exploitation Fabricated/Spoofed ARP packets ARP request packets False source IP MAC binding Poison target ARP cache Unicast source-spoofed packets to a single host Interrupt communication between spoofed and target hosts Intercept communication between spoofed and target hosts Broadcast source-spoofed packets Isolate target host from everyone else Intercept communication between target and the rest 20

ARP Exploitation - Example Three hosts on a LAN Principal host A IP 172.16.11.11 MAC 00:00:c1:aa:aa:aa Principal host B IP 172.16.22.22 MAC 00:00:c1:bb:bb:bb Man in the middle host C IP 172.16.33.33 MAC 00:00:c1:cc:cc:cc 21

ARP Exploitation - Example Normal IP MAC Bindings Host A 172.16.22.22 00:00:c1:bb:bb:bb Host B 172.16.11.11 00:00:c1:aa:aa:aa 22

ARP Exploitation - Example Interception By Host C One-way interception All communication from A to B OR All communication from B to A Two-way interception All communication between A and B 23

ARP Exploitation - Example One-way interception Make A believe that B has MAC of C Change IP MAC mappings in host A to be 172.16.22.22 00:00:1c:cc:cc:cc C forwards packets with destination IP of B to B Else communication from A do not reach B i.e. partial DoS A A B C 24

ARP Exploitation Example Two-way interception Make A believe that B has MAC of C Change IP MAC mappings in host A to be 172.16.22.22 00:00:1c:cc:cc:cc C forwards packets received from A to B Make B believe that A has MAC of C Change IP MAC mappings in host B to be 172.16.11.11 00:00:1c:cc:cc:cc C forwards packets received from B to A If no packet forwarding, then interruption i.e. DoS 25

ARP Exploitation - Example A A B C 26

How to Impersonate Spoofed ARP request packets Desired IP MAC binding in the sender field Example: C impersonating B Send an ARP request packet to A with following data Sender MAC Address: 00:00:1c:cc:cc:cc Sender IP Address: 172.16.22.22 IP MAC binding in A is now: 172.16.22.22 00:00:1c:cc:cc:cc 27

ARP Exploitation - Example ARP Source-Spoofed Request Packet Destination: 00:00:c1:aa:aa:aa Source: 00:00:c1:cc:cc:cc Type: 0x0806 (ARP) Hardware type: 0x0001 (Ethernet) Protocol type: 0x0800 (IP) Hardware size: 6 Protocol size: 4 Opcode: 0x0001 (Request) Sender MAC address: 00:00:c1:cc:cc:cc Sender IP address: 172.16.22.22 Target MAC address: 00:00:00:00:00:00 Target IP address: 172.16.66.66 28

DoS Or Intercept DoS Just Capture and do not forward Intercept Capture and forward # echo 1 > /proc/sys/net/ipv4/ip_forward 29

Packet Sniffer Tools ipgrab Command line Distributed with Debian Linux For Unix based systems tcpdump Command line Distributed with various platforms Classical ethereal Both command line and gui Both windows and Unix based systems 30

Existing Tools Switched Network dsniff ettercap arpspoof 31

Example Trace An Exchange of Packets 172.16.22.22 -> Broadcast ARP Who has 172.16.11.11? Tell 172.16.22.22 172.16.11.11 -> 172.16.22.22 ARP 172.16.11.11 is at 00:00:1c:aa:aa:aa 172.16.22.22 -> 172.16.11.11 TCP 1291 > 8080 [SYN] 172.16.11.11 -> 172.16.22.22 TCP 8080 > 1291 [SYN, ACK] 172.16.22.22 -> 172.16.11.11 TCP 1291 > 8080 [ACK] 172.16.22.22 -> 172.16.11.11 HTTP GET http://www.msn.com/ HTTP/1.0 32

Example Trace Single Packet Ethernet II, Src: 00:00:1c:bb:bb:bb, Dst: 00:00:1c:aa:aa:aa Destination: 00:00:1c:aa:aa:aa Source: 00:00:1c:bb:bb:bb Type: IP (0x0800) Internet Protocol, Src Addr: 172.16.22.22 (172.16.22.22), Dst Addr: 172.16.11.11 (172.16.11.11) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00).....0. = ECN-Capable Transport (ECT): 0......0 = ECN-CE: 0 Total Length: 413 Identification: 0x22bd (8893) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set.1.. = Don't fragment: Set..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0x505f (correct) Source: 172.16.22.22 (172.16.22.22) Destination: 172.16.11.11 (172.16.11.11) 33

Example Trace Single Packet (continued) Transmission Control Protocol, Src Port: 1291 (1291), Dst Port: 8080 (8080), Seq: 1, Ack: 1, Len: 373 Source port: 1291 (1291) Destination port: 8080 (8080) Sequence number: 1 (relative sequence number) Next sequence number: 374 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: Flags: Window size: 17520 Checksum: 0x40a4 (correct) 20 bytes 0x0018 (PSH, ACK) 0...... = Congestion Window Reduced (CWR): Not set.0..... = ECN-Echo: Not set..0.... = Urgent: Not set...1... = Acknowledgment: Set... 1... = Push: Set....0.. = Reset: Not set.....0. = Syn: Not set......0 = Fin: Not set 34

Example Trace Single Packet (continued) Hypertext Transfer Protocol GET http://www.msn.com/ HTTP/1.0\r\n Request Method: GET Request URI: http://www.msn.com/ Request Version: HTTP/1.0 Accept: */*\r\n Accept-Language: en-us\r\n User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR 1.1.4322)\r\n Host: www.msn.com\r\n Proxy-Connection: Keep-Alive\r\n \r\n 35

Packet Sniffer Development Kernel dependent packet capture OS dependent code No portability new application for each OS E.g. Berkeley Packet Filter (BPF) Data Link Provider Interface (DLPI) SOCK_PACKET Kernel-independent packet capture Libpcap Unix based systems Winpcap Microsoft Windows Portable BSD Solaris Linux 36

Source Code ARP Packet Crafting Packet Sniffer 37

Thank You Questions? 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback