
Module 08 sniffers

Document scanned with OCR; the content may be inaccurate.

DOCUMENT INFORMATION

Basic information

Title: Module 8 Sniffers
School: Học viện Công Nghệ Thông Tin Bách Khoa
Major: Information Security
Type: lecture notes
Year published: 2010
City: Unknown
Format:
Pages: 111
Size: 27.37 MB


Contents

Page 1

Certified Ethical Hacker
Engineered by ... Presented by Professionals

Page 2

... or “history hijacking”) about visitors.

Though it’s not surprising that YouPorn tops the list of spying sites, less racy sources like Technorati, TheSun.co.uk, and Wired were all fingered for tapping into your browsing habits (Perez Hilton was on there too—but again, not that surprising.) The information is often used to target advertising campaigns—a very lucrative field that companies like Interclick are capitalizing on. Their official statement is that the guilty script is meant only as a form of quality control.

http://goodmenproject.com

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Module topics:

  Lawful Intercept
  Wiretapping
  Sniffing Threats
  Types of Sniffing
  Hardware Protocol Analyzers
  MAC Attacks
  DHCP Attacks
  ARP Poisoning Attacks
  Spoofing Attack
  DNS Poisoning
  Sniffing Tools
  Countermeasures

Page 4

Lawful Intercept

Lawful intercept is a process to perform electronic surveillance on a target as authorized by a judicial or administrative order, on the traditional telecommunications and Internet services in voice, data, and multiservice (data communication).

The LEA delivers a request to the service provider, who is responsible for intercepting data communication to and from the individual.

The service provider then intercepts the target's traffic (using the ... session to determine which of its edge routers ...) and delivers a copy of the intercepted traffic to the LEA without the ...

Page 5

Benefits of Lawful Intercept

Allows multiple LEAs to run a lawful intercept on the same target without each other's knowledge.

Hides information about lawful intercepts from all but the most privileged users.

Supports wiretaps in both the input and output ...

Page 6

An intercept access point (IAP) is a device that provides information for the lawful intercept.

A mediation device (supplied by a third-party vendor) handles most of the processing for the lawful intercept.

The collection function is a program that stores and processes the traffic intercepted by the service provider.

Page 7

Wiretapping

Wiretapping is the process of monitoring the ... and ... conversations by a third party.

Attackers ... (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet.

Types of Wiretapping

Active Wiretapping: it monitors and records the traffic and also ...

Passive Wiretapping: it only monitors and records ...

Page 8

By placing a packet sniffer on a network in promiscuous mode, an attacker can capture and analyze all of the network ...

(Diagram; surviving labels: Syslog Traffic, Chat Sessions)

A packet sniffer can only capture packet information within a given subnet.

Usually any laptop can plug into the network and gain network ...

Page 9

How a Sniffer Works

... data transmitted on its segment.

A sniffer can constantly read all information entering the computer through the NIC by ... encapsulated in the data packet.

(Diagram; surviving labels: NIC card in promiscuous ...)

Page 10

Page 12

Types of Sniffing

When sniffing is performed on a switched network, it is known as active sniffing.

Active sniffing relies on injecting packets (ARP) into the network that causes traffic ...

Page 13

Protocols Vulnerable to Sniffing

(Table; the protocol names did not survive the scan. Surviving cells: "user names and passwords", "Passwords and data sent in clear text", "Data sent in clear text".)

Page 14

Tie to ... in OSI Model

Sniffers operate at the Data Link layer of the OSI model. They do not adhere to the same rules as applications and services that reside further up the stack.

If one layer is hacked, communications are compromised without the other layers being aware of the problem.

Page 15

Hardware Protocol Analyzers

A hardware protocol analyzer is equipment that captures signals without altering the traffic in a cable ... and analyzes its content according to certain ...

... generated by hacking software installed in the network.

Page 16

FLUKE Networks EtherScope™

Page 17

SPAN Port

A SPAN port is a port which is configured to receive a copy of every packet that passes through a switch.

When connected to the SPAN port, ...

(Diagram: a protocol analyzer and an IDS attached to a switch; labels: Protocol Analyzer, IDS, SPAN Port, IDS port, eight Hosts)

Page 19

MAC Flooding

MAC flooding involves flooding the switch with numerous requests ...

MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up.

The switch then acts as a hub by broadcasting packets to all machines on the network, and attackers can sniff the traffic easily.

Page 20

CAM Table

All Content Addressable Memory (CAM) tables have a ... such as MAC addresses available on physical ports with their associated VLAN parameters.

A 48-bit hexadecimal number creates a unique Layer Two address, for example 1258.3582.8DAB:

  First 24 bits  = Manufacturer code, assigned by IEEE
  Second 24 bits = Specific interface, assigned by the manufacturer

(Diagram labels: 0000.0aXX.XXXX, Broadcast Address)

Page 22

Once the CAM table on the switch is full, additional ARP request traffic will ...

This attack will also fill the CAM tables of adjacent switches.

Page 23

MAC Flooding Switches with macof

macof is a Linux tool that is a part of the dsniff collection.

macof sends random source MAC and IP addresses.

This tool floods the switch’s CAM tables (131,000 per min) by sending bogus MAC entries.

(Screenshot of macof output: one line per forged frame, each with random source and destination MACs, 0.0.0.0 IP addresses, random ports and a TCP SYN with "win 512"; the individual lines are not legible in the scan.)

Page 24

MAC Flooding Tool: Yersinia

(Screenshot of the Yersinia command-line help; recovered entries:)

  (command lost)  Show running attacks
  (command lost)  Cisco Discovery Protocol (CDP) information
  (command lost)  Dynamic Host Configuration Protocol (DHCP) information
  dot1q           802.1Q information
  dtp             Dynamic Trunking Protocol (DTP) information
  history         Display the session command history
  hsrp            Hot Standby Router Protocol (HSRP) information
  interfaces      Interface status
  stats           Show statistics
  stp             (description lost)
  users           Display information about terminal lines
  version         System hardware and software status
  vtp             Virtual Trunking Protocol (VTP) information

Page 25

How to Defend against MAC Attacks

(Diagram: a switch port that accepts only one MAC address, labelled 00:0c:1c:cc:cc:cc, "Only 1 MAC Address")

Port security configuration:

  switchport port-security
  switchport port-security maximum 1 vlan access
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity
  snmp-server enable traps port-security trap-rate 5
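The effect of those port-security lines is easier to see on a small model than on a real switch. The following Python simulation is an added example, not code from the course or from EC-Council: it models a learning switch with a fixed-size CAM table (a constructed capacity of 64 entries) and a per-port address limit that behaves like "switchport port-security maximum 1" with "violation restrict", then compares what happens to a victim's traffic when a third port emits frames with forged source MACs (simulated in memory only). The port names, MAC addresses and frame counts are constructed.

```python
import random
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Toy CAM table size (constructed; real switches hold thousands of entries).
CAM_CAPACITY = 64


@dataclass
class Port:
    name: str
    secure_max: Optional[int] = None      # None: port-security off on this port
    violations: int = 0                   # frames dropped by "violation restrict"
    learned: Set[str] = field(default_factory=set)


class Switch:
    """Minimal learning switch: a fixed-size CAM table plus per-port port-security."""

    def __init__(self, ports: List[Port], capacity: int = CAM_CAPACITY):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.cam: "OrderedDict[str, str]" = OrderedDict()   # MAC -> port, oldest first
        self.capacity = capacity

    def learn(self, src_mac: str, in_port: str) -> bool:
        """Record src_mac on in_port. Returns False when port-security rejects it."""
        port = self.ports[in_port]
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)           # refresh an existing entry
            return True
        if port.secure_max is not None and len(port.learned) >= port.secure_max:
            # "violation restrict": drop the frame and count it; the port stays up.
            port.violations += 1
            return False
        if len(self.cam) >= self.capacity:
            # Table full: the oldest entry is evicted. This is how a flood of
            # bogus addresses pushes the legitimate hosts' entries out.
            old_mac, old_port = self.cam.popitem(last=False)
            self.ports[old_port].learned.discard(old_mac)
        self.cam[src_mac] = in_port
        port.learned.add(src_mac)
        return True

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> List[str]:
        """Return the egress ports for one frame ([] means the frame was dropped)."""
        if not self.learn(src_mac, in_port):
            return []
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]              # known unicast: exactly one port
        # Unknown destination: flood out of every other port (hub-like behaviour).
        return [name for name in self.ports if name != in_port]


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(secure_max: Optional[int], bogus_frames: int = 500) -> Tuple[List[str], int, int]:
    """Victim on Fa0/1 talks to a server on Fa0/2; Fa0/3 then emits frames with
    forged source MACs. Returns (egress ports of a final server->victim frame,
    violations counted on Fa0/3, CAM table size)."""
    sw = Switch([Port("Fa0/1"), Port("Fa0/2"), Port("Fa0/3", secure_max=secure_max)])
    victim, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    sw.forward(victim, server, "Fa0/1")
    sw.forward(server, victim, "Fa0/2")
    rng = random.Random(1)                          # deterministic forged addresses
    for _ in range(bogus_frames):
        sw.forward(random_mac(rng), random_mac(rng), "Fa0/3")
    egress = sw.forward(server, victim, "Fa0/2")
    return egress, sw.ports["Fa0/3"].violations, len(sw.cam)


if __name__ == "__main__":
    print("no port-security  :", run_scenario(None))   # victim traffic floods to Fa0/3
    print("maximum 1/restrict:", run_scenario(1))      # stays unicast to Fa0/1
```

Without the limit, the forged addresses evict the victim's and the server's entries, and the final server-to-victim frame is flooded to every port, including the one the forged frames came from; with "maximum 1" and "restrict", only the first address on Fa0/3 is learned, the remaining 499 frames are counted as violations (the events that "snmp-server enable traps port-security" would report) and the victim's traffic remains unicast.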

Page 26

DNS Poisoning Techniques

(Module flow diagram; readable items: Sniffing Tools, Countermeasures)

Page 27

DHCP servers maintain ... information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server.

It provides address configuration to DHCP-enabled clients in the form of a ...

(Diagram label: Lease Time: 12 days)

Page 28

(DHCP message exchange diagram; surviving labels: DHCPNAK, DHCPRELEASE)

Page 29

(DHCP packet format diagram; surviving fields: Server Name (SNAME), 64 bytes; Filename, 128 bytes; DHCP Options)

Page 30

(DHCP starvation diagram: "DHCP Discovery (Broadcast) x (Size of Scope)" sent to the DHCP Server; "DHCP Offer (Unicast) x (Size of DHCP Scope)" returned)

Page 31

(Rogue DHCP server diagram)

  Wrong IP Address -> Denial-of-Service with incorrect IP
  Wrong DNS server -> Attacker is DNS server

Page 33

How to Defend Against ... and ...

DHCP Snooping

(Diagram: DHCP snooping enabled on the switch; the port towards the DHCP Server is Trusted, the client ports are Untrusted)

DHCP snooping configuration:

  ip dhcp snooping vlan 4,104
  no ip dhcp snooping information option
  ip dhcp snooping

Port security configuration:

  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity

Page 34

(Module flow slide: Sniffing Concepts, MAC Attacks, DHCP Attacks, ARP Poisoning Attacks, Spoofing Attack, DNS Poisoning, Sniffing Tools, Countermeasures)

Page 35

The ARP protocol broadcasts ... to the network machines to find out their physical MAC address.

When a machine needs to communicate with another, it ... the ARP table ... the MAC address ... found in the table ... identifies with this address, the machine ...

Page 36

ARP packets can be ... to send data to the ...

... flooded with spoofed ARP ... computer's ARP cache with ...

Page 37

(ARP spoofing diagram; recovered captions:)

  When a ... initiates a session with ... in the same Layer 2 broadcast domain, an ARP request is ... onto the wire; ... responds to the ARP request.
  "Sends ARP request"
  "This is 10.1.1.1 and my MAC address is ..."
  "Yes, I am here"
  Malicious user eavesdrops on ... responses and spoofs as the legitimate user.
  "No, I am 10.1.1.1"
  ... broadcast domain and can ... broadcast ARP ... and reply to ... spoofing the MAC address.
  Information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4.

Page 38

... of ARP Poisoning

Using fake ARP messages, an attacker can ... between two machines so that all traffic is exchanged via his/her PC.

Page 41

Tool: Ufasoft Snif

Ufasoft Snif is an automated ARP poisoning tool that sniffs passwords and email messages on the network.

Works on Wi-Fi networks as well.

(Screenshot of the Ufasoft Snif window: tabs Plugins, ARP spoofing, Packets, Statistics; an "Enable ARP-spoofing" checkbox; Scan and Refresh buttons; and a packet list of ARP "Request who-has ... tell 192.168.1.x" and "Reply ..." lines; the addresses are not legible in the scan.)

Page 42

Use DHCP Snooping Binding Table and Dynamic ARP Inspection

(Diagram: DHCP Snooping Enabled; Dynamic ARP Inspection Enabled)

Check the ... and ... fields to see if the ARP from the interface is in the binding; if not (no ARP entry in the binding table), discard the packet.
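As an added example (not code from the course or from EC-Council), the following Python model shows that check in working form: it parses a constructed binding table laid out like "show ip dhcp snooping binding", then inspects constructed ARP packets arriving on untrusted ports, permitting only those whose sender MAC, sender IP, VLAN and ingress interface match a binding (DAI validates the sender fields; the field names are not fully legible on the slide), and producing a log line modelled on the %SW_DAI-4-DHCP_SNOOPING_DENY message for the rest. The interface names, MACs, IPs and the trusted-uplink set are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the layout of "show ip dhcp snooping binding" (not from a real switch).
BINDING_TABLE_TEXT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
1a:12:3b:2f:df:1c   10.10.10.8       125864      dhcp-snooping  4     FastEthernet3/3
00:11:22:33:44:55   10.10.10.9       86400       dhcp-snooping  4     FastEthernet3/4
"""

# Assumed uplink towards the DHCP server; ARP arriving on trusted ports is not inspected.
TRUSTED_INTERFACES: Set[str] = {"FastEthernet3/1"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI needs from an ARP packet plus the port it arrived on."""
    sender_mac: str
    sender_ip: str
    vlan: int
    in_interface: str
    opcode: str = "Req"     # "Req" or "Res", as shown in the switch log message


def parse_bindings(text: str) -> Dict[Tuple[str, int], Binding]:
    """Index the binding table by (MAC, VLAN): one DHCP lease per MAC per VLAN."""
    bindings: Dict[Tuple[str, int], Binding] = {}
    for line in text.splitlines()[2:]:          # skip the header and separator rows
        parts = line.split()
        if len(parts) < 6:
            continue
        mac, ip, _lease, _type, vlan, iface = parts[:6]
        bindings[(mac.lower(), int(vlan))] = Binding(mac.lower(), ip, int(vlan), iface)
    return bindings


def inspect_arp(pkt: ArpPacket, bindings: Dict[Tuple[str, int], Binding],
                trusted: Set[str] = TRUSTED_INTERFACES) -> Tuple[str, Optional[str]]:
    """Return ('permit', None) or ('deny', log line) for one ARP packet."""
    if pkt.in_interface in trusted:
        return "permit", None
    binding = bindings.get((pkt.sender_mac.lower(), pkt.vlan))
    matches = (binding is not None
               and binding.ip == pkt.sender_ip
               and binding.interface == pkt.in_interface)
    if matches:
        return "permit", None
    # Log line modelled on the switch's %SW_DAI-4-DHCP_SNOOPING_DENY message.
    log = (f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({pkt.opcode}) on "
           f"{pkt.in_interface}, vlan {pkt.vlan}.([{pkt.sender_mac}/{pkt.sender_ip}])")
    return "deny", log


# Constructed traffic: a legitimate host, a host claiming its neighbour's IP,
# a MAC with no lease at all, and a packet from the trusted uplink.
SAMPLE_PACKETS = [
    ArpPacket("1a:12:3b:2f:df:1c", "10.10.10.8", 4, "FastEthernet3/3"),
    ArpPacket("00:11:22:33:44:55", "10.10.10.8", 4, "FastEthernet3/4", "Res"),
    ArpPacket("de:ad:be:ef:00:01", "10.10.10.1", 4, "FastEthernet3/5"),
    ArpPacket("cc:cc:cc:00:00:01", "10.10.10.1", 4, "FastEthernet3/1"),
]


def run_inspection(packets: List[ArpPacket] = SAMPLE_PACKETS,
                   text: str = BINDING_TABLE_TEXT) -> List[str]:
    """One verdict per packet; denied packets also produce a syslog-style line."""
    bindings = parse_bindings(text)
    verdicts = []
    for pkt in packets:
        verdict, log = inspect_arp(pkt, bindings)
        if log:
            print(log)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print(run_inspection())   # ['permit', 'deny', 'deny', 'permit']
```

The second packet is the ARP poisoning case from the preceding slides: a valid lease holder answering for an IP address that the binding table assigns to a different MAC, which is exactly what the binding lookup rejects.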

Page 43

(Screenshot of switch output; partly illegible in the scan:)

  DHCP snooping is configured on following VLANs: ...
  DHCP snooping is operational on following VLANs: ...
  DHCP snooping is configured on the following L3 ...

  %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan ...([<sender MAC, illegible>/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Mar ...])

  MacAddress          IpAddress     Lease    Type            VLAN  Interface
  1a:12:3b:2f:df:1c   10.10.10.8    125864   dhcp-snooping   4     FastEthernet3/3
  Total number of bindings: 1

Page 44

Page 45

MAC Duplicating Attack

A MAC duplicating attack is launched by ... of clients who are actively associated with a switch port and re-using one of those addresses.

By listening to the traffic on the network, a malicious user can ... to receive all the traffic destined for the user.

(Diagram captions: "My MAC address is A:B:C:D:E"; "... the network only if your MAC address is A:B:C:D:E"; "No! My MAC address is A:B:C:D:E")

... of the currently associated users and then uses that MAC address to attack other users associated to the same switch port.

Posted: 14/12/2021, 18:46