
ATHENA CEH v7 module 08

Document scanned with OCR; the content may be inaccurate.

DOCUMENT INFORMATION

Basic information

Title: ATHENA CEH v7 Module 08
School: Athena College of Higher Education
Field: Higher Education
Type: Lecture Module
Year published: 2023
City: Unknown
Pages: 86
Size: 9.06 MB


Contents


Page 2

Though it's not surprising that YouPorn tops the list of spying sites, less racy sources like Technorati, TheSun.co.uk, and Wired were all fingered for tapping into your browsing habits (Perez Hilton was on there too, but again, not that

Page 3

Module Objectives

- Lawful Intercept
- Wiretapping
- Sniffing Threats
- Types of Sniffing
- Hardware Protocol Analyzers

Page 4

Lawful Intercept

Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on a target as authorized by a judicial or administrative order. The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks.

The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target's IP address or session to determine which of its edge routers handles the target's traffic (data communication).

The service provider then intercepts the target's traffic as it passes through the router and sends a copy of the intercepted traffic to the LEA without the target's knowledge.

Page 5

Benefits of Lawful Intercept

- Allows multiple LEAs to run a lawful intercept on the same target without each other's knowledge
- Hides information about lawful intercepts from all but the most privileged users
- Supports wiretaps in both the input and output direction
- Does not affect the subscriber's services on the router
- Supports wiretaps of the individual subscribers who share a single physical interface
- Neither the administrator nor the calling parties are aware that packets are being copied or that the call is being tapped
- Provides two secure interfaces: one for setting up the wiretap and one for sending the intercepted traffic to the LEA

Certified Ethical Hacker. All Rights Reserved. Reproduction is Strictly Prohibited.
WWW.ATHENA.EDU.VN

Page 6

Network Components Used for Lawful Intercept

- An intercept access point (IAP) is a device that provides information for the lawful intercept
- A mediation device (supplied by a third-party vendor) handles most of the processing for the lawful intercept
- The collection function is a program that stores and processes traffic intercepted by the service provider

Page 7

Wiretapping

- Wiretapping is the process of monitoring telephone and Internet conversations by a third party
- Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet

NETWORK SECURITY & NETWORK ADMINISTRATION TRAINING CENTER
WWW.ATHENA.EDU.VN

Page 8

Sniffing Threats

By placing a packet sniffer on a network in promiscuous mode, an attacker can capture and analyze all of the network traffic.

An attacker can steal sensitive information by sniffing the network, for example:
- Email traffic
- Telnet passwords
- Web traffic
- DNS traffic
- Chat sessions

Usually any laptop can plug into the network and gain access to the network.

Page 9

How a Sniffer Works?

- A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
- A sniffer can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packet

(Diagram: NIC card in promiscuous mode)

Page 10

(Diagram: a hacker and a switch, with the attacks covered in this module: MAC Flooding, DNS Poisoning, ARP Poisoning)

Page 11

Types of Sniffing: Passive Sniffing

- Passive sniffing relies on a hub, which repeats every frame to every port, so the attacker only has to listen
- Hub usage is outdated today

Page 12

Types of Sniffing: Active Sniffing

- When sniffing is performed on a switched network, it is known as active sniffing
- Active sniffing relies on injecting packets (ARP) into the network so that traffic is redirected to, or broadcast to, the attacker
- Active sniffing also involves sending out multiple network probes to identify APs

Page 13

Protocols Vulnerable to Sniffing

(Table; the protocol names in the graphic were not recovered.) Exposures listed: keystrokes including user names and passwords; data sent in clear text; passwords and data sent in clear text (six protocols).
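The table above says why these protocols matter: credentials travel in clear text, so anyone on the path can read them. As an added example (not from the slides), here is the extraction a sniffer performs on the reassembled TCP payloads of such sessions: USER/PASS command pairs as used by FTP and POP3, and HTTP Basic Authorization headers, which are only base64-encoded, not encrypted. The sample payloads, flow labels and hostnames are constructed.

```python
"""Pull clear-text credentials out of captured application payloads.

Added example, not part of the original module. SAMPLES below are constructed
payloads, not real captures; FTP and POP3 share the USER/PASS command shape.
"""
import base64
import re

# Constructed flows: (flow label, bytes the client sent). Ports match the slide's protocols.
SAMPLES = [
    ("10.0.0.5:41000 -> 10.0.0.9:21 (FTP)",
     b"USER alice\r\nPASS hunter2\r\nCWD /upload\r\n"),
    ("10.0.0.5:41002 -> 10.0.0.9:110 (POP3)",
     b"USER bob@example.test\r\nPASS letmein\r\nSTAT\r\n"),
    ("10.0.0.5:41004 -> 10.0.0.9:80 (HTTP)",
     b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
     b"Authorization: Basic Y2Fyb2w6czNjcjN0\r\n\r\n"),
    ("10.0.0.5:41006 -> 10.0.0.9:443 (TLS)",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),       # ClientHello: nothing readable
]

USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)
PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.MULTILINE | re.IGNORECASE)


def extract_credentials(payload: bytes) -> list:
    """Return (scheme, user, secret) tuples found in one client-side payload."""
    found = []
    # USER/PASS: pair the n-th USER with the n-th PASS; a lone USER is not a credential.
    for user, secret in zip(USER_RE.findall(payload), PASS_RE.findall(payload)):
        found.append(("user-pass", user.decode("latin-1"), secret.decode("latin-1")))
    for token in BASIC_RE.findall(payload):
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:              # binascii.Error subclasses ValueError
            continue
        user, sep, secret = decoded.partition(":")
        if sep:                         # RFC 7617: user-id ":" password
            found.append(("http-basic", user, secret))
    return found


def scan(flows) -> list:
    """Run the extractor over every flow; returns (flow_label, credential) pairs."""
    return [(label, cred) for label, payload in flows for cred in extract_credentials(payload)]


if __name__ == "__main__":
    for label, (scheme, user, secret) in scan(SAMPLES):
        print(f"{label}: {scheme} {user!r} / {secret!r}")
```

The TLS flow yields nothing, which is the whole argument for replacing Telnet, FTP, POP3 and plain HTTP with their encrypted counterparts: the sniffer still sees the bytes, but the bytes no longer contain the secret.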

Page 14

Sniffing in the OSI Model

... the same rules as applications and services that reside further up the stack

... layers being aware of the problem

Page 15

Hardware Protocol Analyzers

- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment
- Captured packets are decoded and analyzed according to certain predetermined rules
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network

Page 16

Hardware Protocol Analyzers (examples)

- RADCOM Prism UltraLite Protocol Analyzer
- FLUKE Networks OptiView® Series II Network Analyzer
- FLUKE Networks EtherScope™ Network Assistant

Page 17

SPAN Port

- A SPAN (Switched Port Analyzer) port is a switch port configured to receive a copy of the traffic passing through the switch, so that a monitoring device such as an IDS can see it

(Diagram: SPAN port feeding an IDS port)


Page 19

MAC Flooding

- MAC flooding makes use of this limitation (the fixed size of the switch's CAM table) to bombard a switch with fake MAC addresses until the switch cannot keep up
- The switch then acts as a hub by broadcasting packets to all machines on the network, and attackers can sniff the traffic easily

Page 20

MAC Address / CAM Table

- All Content Addressable Memory (CAM) tables have a fixed size
- The CAM table stores information such as the MAC addresses available on physical ports with their associated VLAN parameters
- A MAC address is a 48-bit hexadecimal number that creates a unique Layer 2 address, e.g. 1258.3582.8DAB
  - First 24 bits = manufacturer code, assigned by IEEE
  - Second 24 bits = specific interface, assigned by the manufacturer

Page 21

How CAM Works

(Diagram: host A sends an ARP request for B; the switch learns "A is on port 1". B answers; the switch learns "B is on port 2". Host C (MAC C) is on port 3.)

Page 22

What Happens When the CAM Table Is Full?

- Once the CAM table on the switch is full, additional ARP request traffic will be flooded out of every port on the switch, which turns the switch into a hub
- This attack will also fill the CAM tables of adjacent switches

Page 23

MAC Flooding Switches with macof

- macof is a Linux tool that is part of the dsniff collection
- macof sends random and bogus MAC entries

Sample macof output (random source and destination MAC addresses; the left edge is cut off):

    ...:c:b5:8c:6d:2a 5a:cc:f6:41:8d:df 0.0.0.0.12354 > 0.0.0.0.78521: S 1236542358:3698521475(0) win 512
    ...:42:ac:85:c5:96 a5:5f:ad:9d:12:aa 0.0.0.0.123 > 0.0.0.0.12369: S 8523695412:8523698742(0) win 512
    ...:4d:4c:5a:5d:ad a4:ad:5f:4d:e9:ad 0.0.0.0.23685 > 0.0.0.0.45686: S 236854125:365145752(0) win 512
    ...:e5:1a:25:2:a 25:35:a8:5d:af:fc 0.0.0.0.23685 > 0.0.0.0.85236: S 8623574125:3698521456(0) win 512
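To see why a full CAM table makes a switch behave like a hub (pages 19, 22 and 23), here is an added example (not from the slides or from dsniff) that models the forwarding rule of a simple learning switch and floods it with macof-style frames carrying random source MACs. The capacity, host MACs and port numbers are arbitrary; `expire_all()` stands in for the switch's MAC aging timer, which is what lets the attacker's entries displace the victims' entries.

```python
"""Model of CAM-table exhaustion: a learning switch under macof-style MAC flooding.

Added example, not part of the original module or of dsniff/macof. Hosts,
ports and table size are made up; real CAM tables hold thousands of entries.
"""
import os
import struct
from collections import OrderedDict

HOST_A = bytes.fromhex("001122334455")      # constructed victim on port 1
HOST_B = bytes.fromhex("66778899aabb")      # constructed victim on port 2
ATTACKER_PORT = 3


class CamTable:
    """Fixed-size MAC -> port table with a learning switch's forwarding decision."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = OrderedDict()        # src MAC -> ingress port
        self.flooded = 0                    # frames copied out of every port

    def learn(self, mac: bytes, port: int) -> bool:
        """Record (mac, port); returns False when the table is full and mac is new."""
        if mac in self.entries:
            self.entries[mac] = port
            return True
        if len(self.entries) >= self.capacity:
            return False                    # no room: the switch simply cannot learn
        self.entries[mac] = port
        return True

    def expire_all(self) -> None:
        """Stand-in for the MAC aging timer removing idle entries."""
        self.entries.clear()

    def forward(self, frame: bytes, in_port: int) -> str:
        """Learn the source, then unicast to the known port or flood."""
        dst, src = frame[:6], frame[6:12]
        self.learn(src, in_port)
        port = self.entries.get(dst)
        if port is not None and port != in_port:
            return f"port {port}"
        self.flooded += 1
        return "flood"                      # unknown destination: copy to all ports


def random_frame() -> bytes:
    """Ethernet header with random unicast dst/src MACs, as macof emits (body omitted)."""
    src = bytearray(os.urandom(6))
    src[0] = (src[0] | 0x02) & 0xFE         # locally administered, unicast
    dst = bytearray(os.urandom(6))
    dst[0] &= 0xFE
    return bytes(dst) + bytes(src) + struct.pack("!H", 0x0800)


def demo_flood(capacity: int = 8, attacker_frames: int = 1000) -> dict:
    """Before: A -> B is switched to port 2 only. After flooding: it is broadcast."""
    cam = CamTable(capacity)
    a_to_b = HOST_B + HOST_A + b"\x08\x00" + b"hello"
    b_to_a = HOST_A + HOST_B + b"\x08\x00" + b"hi"
    cam.forward(a_to_b, 1)                  # B unknown yet: normal learning flood
    cam.forward(b_to_a, 2)                  # A known: delivered to port 1 only
    before = cam.forward(a_to_b, 1)         # both known: "port 2"
    cam.expire_all()                        # aging timer fires; attacker refills faster than A
    for _ in range(attacker_frames):
        cam.forward(random_frame(), ATTACKER_PORT)
    after = cam.forward(a_to_b, 1)          # A cannot be relearned, B unknown: "flood"
    return {
        "before": before,
        "after": after,
        "table_size": len(cam.entries),
        "attacker_owns_table": all(p == ATTACKER_PORT for p in cam.entries.values()),
    }


if __name__ == "__main__":
    print(demo_flood())
```

The attacker on port 3 now receives every A-to-B frame the switch floods, which is the sniffing position the slides describe; the defence on page 25 (port security with a maximum MAC count) works by refusing to learn the random addresses in the first place.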

Page 24

MAC Flooding Tool: Yersinia

Command prompt (Yersinia's Cisco-style CLI):

    yersinia> en
    Password:

Output of the show command help:

    Show running attacks
    Cisco Discovery Protocol (CDP) information
    Dynamic Host Configuration Protocol (DHCP) information
    802.1Q information
    Dynamic Trunking Protocol (DTP) information
    Display the session command history
    Hot Standby Router Protocol (HSRP) information
    Interface status
    Show statistics
    Spanning Tree Protocol (STP) information
    Display information about terminal lines
    System hardware and software status
    Virtual Trunking Protocol (VTP) information

Page 25

How to Defend against MAC Attacks?

Only 1 MAC address (00:0a:4b:dd:dd:dd) allowed on the switch port:

    switchport port-security maximum 1 vlan access
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity


Page 27

How DHCP Works?

- DHCP servers maintain TCP/IP configuration information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server
- It provides address configuration to DHCP-enabled clients in the form of a lease offer

(Diagram: client to server, "Send my DHCP configuration information")


Page 29

IPv4 DHCP Packet Format

- Transaction ID (XID)
- Seconds
- Flags
- Client IP Address (CIADDR)
- Your IP Address (YIADDR)
- Server IP Address (SIADDR)
- Gateway IP Address (GIADDR)
- Server Name (SNAME), 64 bytes
- Filename, 128 bytes
- DHCP Options

Page 30

DHCP Starvation Attack

- The attacker broadcasts DHCP discovery requests for the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope
- This is a Denial of Service (DoS) attack using DHCP leases

(Diagram:)
  Attacker -> DHCP Server: DHCP Discovery (broadcast) x (size of scope)
  DHCP Server -> Attacker: DHCP Offer (unicast) x (size of DHCP scope)

Page 31

Rogue DHCP Server Attack

- The attacker sets up a rogue DHCP server in the network and provides DHCP addresses to clients
- The rogue server can send incorrect TCP/IP settings:
  - Wrong default gateway -> the attacker is the gateway
  - Wrong DNS server -> the attacker is the DNS server
  - Wrong IP address -> denial of service with an incorrect IP

(Diagram: a rogue lease showing "Default Routers: 10.10.11.130" and the address 192.168.168.7)
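The packet layout on page 29 and the two attacks on pages 30 and 31 can be exercised in one place. As an added example (not from the slides or from Gobbler), the code below builds the DHCPDISCOVER that a starvation tool emits once per spoofed client MAC, parses DHCP packets field by field following the RFC 2131 layout (which puts op, htype, hlen, hops and chaddr in front of the fields the slide shows), and checks a DHCPOFFER against the server and gateway the network should be handing out. The rogue offer, the 10.10.10.0/24 scope and the trusted server 10.10.10.1 are constructed; 10.10.11.130 is the wrong default router from the slide.

```python
"""DHCP packets: build DISCOVERs (starvation), parse OFFERs, spot rogue servers.

Added example, not part of the original module or of Gobbler. All addresses
and the rogue offer below are constructed.
"""
import os
import socket
import struct

# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
FIXED_LEN = struct.calcsize(FIXED_FMT)        # 236 bytes, followed by the magic cookie
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID, OPT_END = 3, 6, 51, 53, 54, 61, 255
DISCOVER, OFFER = 1, 2


def encode_options(options: list) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in options) + bytes([OPT_END])


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER with the broadcast flag set, from an arbitrary (spoofable) MAC."""
    fixed = struct.pack(FIXED_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + encode_options([(OPT_MSG_TYPE, bytes([DISCOVER])),
                                           (OPT_CLIENT_ID, b"\x01" + client_mac)])


def starvation_discovers(count: int) -> list:
    """What a starvation tool sends: one DISCOVER per random locally-administered MAC."""
    packets = []
    for xid in range(1, count + 1):
        mac = bytearray(os.urandom(6))
        mac[0] = (mac[0] | 0x02) & 0xFE
        packets.append(build_discover(bytes(mac), xid))
    return packets


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and TLV options; raises on a missing magic cookie."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr, sname, fname = \
        struct.unpack(FIXED_FMT, packet[:FIXED_LEN])
    if packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet (no magic cookie)")
    options, i = {}, FIXED_LEN + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "secs": secs, "flags": flags,
            "ciaddr": socket.inet_ntoa(ci), "yiaddr": socket.inet_ntoa(yi),
            "siaddr": socket.inet_ntoa(si), "giaddr": socket.inet_ntoa(gi),
            "chaddr": chaddr[:hlen].hex(":"),
            "sname": sname.rstrip(b"\0").decode("ascii", "replace"),
            "file": fname.rstrip(b"\0").decode("ascii", "replace"),
            "options": options}


def ip_list(value: bytes) -> list:
    return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]


def check_offer(packet: bytes, trusted_servers: set, expected_router: str) -> list:
    """Rogue-server check on an OFFER: who sent it, and which gateway/DNS it pushes."""
    d = parse_dhcp(packet)
    findings = []
    if d["op"] != BOOTREPLY or d["options"].get(OPT_MSG_TYPE) != bytes([OFFER]):
        return findings
    server = ip_list(d["options"].get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(("server-id", server[0] if server else "missing"))
    for router in ip_list(d["options"].get(OPT_ROUTER, b"")):
        if router != expected_router:
            findings.append(("router", router))
    for dns in ip_list(d["options"].get(OPT_DNS, b"")):
        if dns not in trusted_servers:
            findings.append(("dns", dns))
    return findings


def rogue_offer() -> bytes:
    """Constructed OFFER from an attacker at 10.10.11.130 pointing gateway and DNS at itself."""
    fixed = struct.pack(FIXED_FMT, BOOTREPLY, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton("10.10.10.50"), socket.inet_aton("10.10.11.130"),
                        b"\0" * 4, bytes.fromhex("0a1b2c3d4e5f").ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + encode_options([
        (OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, socket.inet_aton("10.10.11.130")),
        (OPT_ROUTER, socket.inet_aton("10.10.11.130")), (OPT_DNS, socket.inet_aton("10.10.11.130")),
        (OPT_LEASE, struct.pack("!I", 3600))])
```

Run against a live capture, `check_offer` is the core of a rogue-DHCP detector: the server identifier (option 54) is the field that tells you who answered, and a router or DNS option pointing anywhere but the expected gateway is the man-in-the-middle the slide describes.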

Page 32

Gobbler DHCP Starvation Attack Tool

(Diagram: Gobbler leases every address in the DHCP scope: 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5)

Page 33

How to Defend Against DHCP Starvation and Rogue Server Attack?

Enable port security to defend against the DHCP starvation attack:

    switchport port-security
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

Enable DHCP snooping to defend against the DHCP rogue server attack:

    no ip dhcp snooping information option
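Both defenses on pages 25 and 33 are switch configuration, and the usual failure is a port or a statement left out. As an added example (not from the slides or from Cisco), here is a small audit over a constructed IOS running-config: it flags access ports without `switchport port-security` and warns when the global `ip dhcp snooping` and `ip dhcp snooping vlan <list>` statements are missing, because `no ip dhcp snooping information option`, the only snooping line the slide shows, only tunes option 82 handling and does not by itself turn snooping on. The command syntax is standard IOS; the hostname, interface names and VLAN numbers are invented.

```python
"""Audit a Cisco IOS config for the two defenses from the slides:
port security on access ports and DHCP snooping (global, per VLAN, trusted uplink).

Added example, not part of the original module. SAMPLE_CONFIG is constructed.
"""

SAMPLE_CONFIG = """\
hostname access-sw1
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 description uplink to distribution
 switchport mode trunk
!
"""


def split_config(cfg: str):
    """Return (set of global lines, {interface name: [its indented lines]})."""
    globals_, interfaces, current = set(), {}, None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.add(line.strip())
    return globals_, interfaces


def audit(cfg: str) -> list:
    """List (scope, issue) tuples; an empty list means both defenses are in place."""
    globals_, interfaces = split_config(cfg)
    findings = []
    # "no ip dhcp snooping information option" does not enable snooping; "ip dhcp snooping" does.
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", "dhcp-snooping-disabled"))
    if not any(g.startswith("ip dhcp snooping vlan ") for g in globals_):
        findings.append(("global", "dhcp-snooping-no-vlan"))
    for name, lines in interfaces.items():
        if "switchport mode access" in lines and "switchport port-security" not in lines:
            findings.append((name, "no-port-security"))
        if "switchport mode trunk" in lines and "ip dhcp snooping trust" not in lines:
            # The uplink toward the real DHCP server must be trusted, or snooping drops its OFFERs.
            findings.append((name, "untrusted-uplink"))
    return findings


if __name__ == "__main__":
    for scope, issue in audit(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```

The `untrusted-uplink` finding is the caveat practitioners hit first: enabling snooping on a switch whose uplink is not marked `ip dhcp snooping trust` blocks the legitimate server as well as the rogue one.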


Page 35

What is Address Resolution Protocol (ARP)?

- When one machine needs to communicate with another, it broadcasts to the network machines to find out their physical MAC address
- All machines on the network will compare this IP address to their MAC address
- If one of them identifies with this address, the machine will respond to the ARP request, the requester will store the address pair in its ARP table, and communication will take place

(Diagram: "Who has the address 172.15.3.1?" ... "C: it is my MAC address: aa...")

Page 36

ARP Spoofing Attack

- ARP packets can be forged to send data to the attacker's machine
- ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch
- The switch is set in 'forwarding mode' after the ARP table is flooded with spoofed ARP replies, and attackers can sniff all the network packets

Page 37

How Does ARP Spoofing Work?

- When user A initiates a session with user B in the same Layer 2 broadcast domain, an ARP request is broadcast using user B's IP address, and user A waits for user B to respond with a MAC address
- A malicious user eavesdrops on this unprotected Layer 2 broadcast domain and can respond to the broadcast ARP request, replying to user A while spoofing user B's MAC address
- The malicious user eavesdrops on the ARP requests and responses and spoofs as the legitimate user

(Diagram:)
  User B: "Yes, I am here. This is 10.1.1.1 and my MAC address is 1:2:3:4:5:6"
  Malicious user: "No, I am 10.1.1.1"
  Result: information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4

Page 38

Threats of ARP Poisoning

- Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC
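As an added example (not from the slides), the code below encodes the exchange from page 37 as real ARP packets and runs an arpwatch-style detector over them: it remembers the first MAC seen for each IP and raises an alert when a later reply claims the same IP with a different MAC, which is exactly what the spoofed "No, I am 10.1.1.1" reply does. User A's own address 10.1.1.2 and MAC 00:00:00:00:00:0a are assumptions; the slide gives only B's and the attacker's MACs.

```python
"""ARP request/reply encoding and a change-of-binding detector for ARP spoofing.

Added example, not part of the original module. The exchange replays the
slide on page 37; A's addresses are assumed.
"""
import socket
import struct

# RFC 826 over Ethernet/IPv4: htype ptype hlen plen oper sha spa tha tpa (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_A = bytes.fromhex("00000000000a")          # assumed
MAC_B = bytes.fromhex("010203040506")          # slide: 1:2:3:4:5:6
MAC_EVIL = bytes.fromhex("090807060504")       # slide: 9:8:7:6:5:4
IP_A, IP_B = "10.1.1.2", "10.1.1.1"            # 10.1.1.2 assumed, 10.1.1.1 from the slide


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, socket.inet_aton(spa),
                       tha, socket.inet_aton(tpa))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpWatch:
    """Track IP -> MAC bindings learned from replies; alert when a binding changes."""

    def __init__(self):
        self.bindings = {}

    def observe(self, pkt: bytes):
        arp = parse_arp(pkt)
        if arp["oper"] != ARP_REPLY:
            return ("request", arp["tpa"])
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = arp["sha"]
            return ("learned", arp["spa"], arp["sha"])
        if known != arp["sha"]:
            # Keep the first binding as the reference instead of overwriting it.
            return ("alert", arp["spa"], known, arp["sha"])
        return ("confirmed", arp["spa"], arp["sha"])


def replay_slide() -> list:
    """A asks for 10.1.1.1, B answers truthfully, then the attacker answers with its MAC."""
    packets = [
        build_arp(ARP_REQUEST, MAC_A, IP_A, b"\0" * 6, IP_B),
        build_arp(ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A),      # "Yes, I am here..."
        build_arp(ARP_REPLY, MAC_EVIL, IP_B, MAC_A, IP_A),   # "No, I am 10.1.1.1"
    ]
    watch = ArpWatch()
    return [watch.observe(p) for p in packets]


if __name__ == "__main__":
    for event in replay_slide():
        print(event)
```

A legitimate MAC change (a swapped NIC, a failover pair) fires the same alert, so in production the detector needs a way to re-baseline; the point is that ARP itself carries nothing that lets A tell B's reply from the attacker's, which is why the fix is dynamic ARP inspection on the switch rather than anything on the host.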

Page 39

ARP Poisoning Tool: Cain and Abel

(Screenshot: the APR (ARP Poison Routing) tab of Cain & Abel. Left pane: APR-Cert, APR-DNS, APR-SSH-1 (0), APR-RDP (0), APR-FTPS (0), APR-POP3S (0); panes "Configuration / Routed Packets"; tabs Hosts, APR, Routing, Passwords, VoIP; status "Lost packets: 0%". http://www.oxid.it)

Page 40

ARP Poisoning Tool: WinArpAttacker

(Screenshot: WinArpAttacker main window. Toolbar: Save, Stop, Detect, Send, Recount, Options, Help, About. Host list columns: IP, MAC Address, Hostname, Online, Sniffing, Attack, ArpSQ, ArpSP, ArpRQ, ArpRP, Packets, Traffic(K); 23 hosts on 192.168.x.x listed as Online / Normal / SniffLan. Event log (2010-08-25, 18:10:44 to 18:12:13): New_Host for each discovered host, Arp_Scan, Attack_Flood (1000 packets), Attack_IP_Conflict. Messages: "This program is freeware so you can use and redistribute it freely", "Starting host's online status scanning", "Hosts status scanning finished", "Flooding mission can't start", "Flooding mission started successfully", "Flooding mission finished". Status bar: Ready, On: 23, Off: 0, Sniffing: 0.)

Date posted: 03/04/2014, 22:58
