hacking module 07
TRANSCRIPT
NMCSP2008 Batch-I
Module VII
Sniffers
Scenario
Dave works as an Engineer in the IT support department of a multinational banking company. Sam, a graduate in Computer Engineering, has recently been recruited by the bank as a Trainee to work under Dave. Sam knew about packet sniffers and had seen their malicious use. Sam wanted to sniff the network to show the vulnerabilities to Dave.
1. What information does Sam need to install a sniffing program?
2. How can Sam find out if there are any sniffing detectors in the network?
3. Can Sam sniff from a remote network?
4. Can he install a sniffer in Dave's machine?
5. Can he gain credit card information by sniffing?
6. Is Sam's action ethical?
Module Objectives
Definition
Objectives of sniffing
Passive Sniffing
Active Sniffing
Different types of Sniffing tools
Countermeasures
Summary
Module Flow
Definition of Sniffing
Sniffing Tools
ARP Poisoning
Passive Sniffing
Active Sniffing
Countermeasures
Definition: Sniffing
Sniffing: a program or device that captures vital information from the traffic on a particular network.
Sniffing is basically a "data interception" technology.
The objective of sniffing is to grab:
• Passwords (e-mail, web, SMB, ftp, SQL, telnet)
• E-mail text
• Files in transfer (e-mail, ftp, SMB)
Passive Sniffing
On a hub, data sent across the LAN is repeated to every system on the LAN, so an attacker's host sees all of it.
[Diagram: attacker and the other LAN hosts connected to a hub]
Active Sniffing
A switch looks at the MAC address of each frame and forwards it only to the port of the intended destination.
Attacker: tries to poison the switch by sending bogus MAC addresses.
[Diagram: attacker and the other LAN hosts connected to a switch]
EtherFlood
http://ntsecurity.nu/toolbox/etherflood/
EtherFlood floods a switched network with Ethernet
frames with random hardware addresses.
The effect on some switches is that they start
sending all traffic out on all ports so that the attacker
is able to sniff all traffic on the network.
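As an added example (not part of the original module and not code from the EtherFlood tool), the following Python script shows how the effect described above can be detected from the defender's side: it counts how many previously unseen source MAC addresses appear per second and raises an alert when that count is far above what a normal segment produces. The traffic is constructed inline, and the window and threshold values are assumptions to be tuned per segment.

```python
"""MAC-flood detector over a constructed stream of Ethernet frame headers.

Added example, not from the original module or from the EtherFlood tool.
EtherFlood/Macof-style floods show up as a burst of frames whose source MAC
addresses have never been seen before; a normal segment learns only a few
new addresses per second. The input here is a list of (timestamp, src_mac)
pairs; a real deployment would feed it from a capture library such as scapy
or from the switch's own address-table logs.
"""
import random
from collections import defaultdict

# Thresholds are assumptions for this example; tune them per segment.
WINDOW_SECONDS = 1.0          # bucket width for counting first-seen addresses
NEW_MACS_PER_WINDOW = 50      # more new addresses than this in one window is a flood


def random_mac(rng):
    """Locally administered, unicast MAC built from the given RNG (constructed data)."""
    octets = [0x02] + [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{o:02x}" for o in octets)


def build_sample_traffic(seed=7):
    """Constructed frames: 30 s of normal chatter from 10 hosts, then a 1 s burst
    of 500 frames whose source addresses are all random (the flood)."""
    rng = random.Random(seed)
    hosts = [random_mac(rng) for _ in range(10)]
    frames = [(i * 0.1, rng.choice(hosts)) for i in range(300)]          # t = 0.0 .. 29.9
    frames += [(30.0 + i * 0.002, random_mac(rng)) for i in range(500)]  # t = 30.000 .. 30.998
    return frames


def detect_mac_flood(frames, window=WINDOW_SECONDS, threshold=NEW_MACS_PER_WINDOW):
    """Return [(window_start, new_mac_count), ...] for every window in which the
    number of never-before-seen source MACs exceeds the threshold."""
    seen = set()
    new_per_window = defaultdict(int)
    for ts, src in frames:
        if src not in seen:              # only the first appearance of an address counts
            seen.add(src)
            new_per_window[int(ts // window)] += 1
    return [(bucket * window, count)
            for bucket, count in sorted(new_per_window.items())
            if count > threshold]


if __name__ == "__main__":
    for start, count in detect_mac_flood(build_sample_traffic()):
        print(f"possible MAC flood: {count} new source addresses in the window starting at t={start:.1f}s")
```

The window and threshold pair is the whole tuning problem: a DHCP renumbering or a rack of new machines being plugged in also raises the new-address rate for a moment, so in practice the alert is confirmed by checking whether the switch's address (CAM) table has actually filled before treating it as a flood.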
ARP Poisoning
ARP resolves IP addresses to the MAC (hardware) address of the interface that data should be sent to.
ARP packets can be forged to send data to the attacker's machine(s).
An attacker can exploit ARP poisoning to intercept network traffic between two machines in the network.
Flooding a switch's address table with spoofed ARP replies allows an attacker to overload the switch and then sniff the network while the switch is in "hub" mode.
ARP Poisoning
Router 192.168.1.25
Attacker
Victim 192.168.1.21
Step 1: Attacker says that his IP is 192.168.1.21 and his MAC address is (say) ATTACKERS_MAC.
Step 2: Victim's Internet traffic is forwarded to the attacker's system, as its MAC address is associated with the Router.
Step 3: Attacker forwards the traffic to the Router.
Countermeasures
Small Network
• Use of static IP addresses and static ARP tables, which prevent hackers from adding spoofed ARP entries for machines in the network
Large Networks
• Network switch "Port Security" features should be enabled
• Use of Arpwatch to monitor Ethernet activity: http://www.redhat.com/swr/i386/arpwatch-2.1a11-1.i386.html
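As an added example (not the module's code, and not Arpwatch itself), the following Python script implements the kind of monitoring Arpwatch performs and that a static ARP table makes possible: it keeps an IP-to-MAC table learned from ARP replies, reports new stations and changed addresses, checks every reply against a pinned entry for the gateway (the static-ARP countermeasure, which also appears again in the closing countermeasures), and flags one hardware address answering for several IPs. The replies are constructed inline using the router and victim addresses from the diagram above; all MAC addresses are placeholders.

```python
"""Arpwatch-style ARP monitor run over a constructed reply stream.

Added example, not from the original module or from the Arpwatch project.
It keeps the IP-to-MAC table Arpwatch keeps and raises the same kinds of
events ('new station', 'changed ethernet address'), plus a pinned table that
models the static-ARP countermeasure: a reply contradicting a pinned entry
is reported as a probable gateway spoof. All addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # hardware address carried in the reply


@dataclass
class ArpMonitor:
    pinned: dict                                   # ip -> mac that must never change
    table: dict = field(default_factory=dict)      # learned ip -> mac
    by_mac: defaultdict = field(default_factory=lambda: defaultdict(set))  # mac -> {ips}
    alerts: list = field(default_factory=list)     # (kind, ts, message)

    def observe(self, r: ArpReply):
        ip, mac = r.sender_ip, r.sender_mac.lower()
        # A static entry contradicted on the wire: the classic gateway-spoof pattern.
        if ip in self.pinned and mac != self.pinned[ip]:
            self.alerts.append(("pinned-mismatch", r.ts,
                                f"{ip} pinned to {self.pinned[ip]} but {mac} answered"))
        known = self.table.get(ip)
        if known is None:
            self.alerts.append(("new-station", r.ts, f"{ip} is at {mac}"))
        elif known != mac:
            self.alerts.append(("changed-address", r.ts, f"{ip} moved {known} -> {mac}"))
        self.table[ip] = mac
        # One hardware address answering for several IPs is how a poisoner sits
        # between victim and router at the same time.
        self.by_mac[mac].add(ip)
        if len(self.by_mac[mac]) > 1:
            self.alerts.append(("multi-ip", r.ts, f"{mac} claims {sorted(self.by_mac[mac])}"))
        return self


# Constructed sample using the IPs from the ARP poisoning diagram; MACs are placeholders.
GATEWAY_MAC = "00:11:22:aa:bb:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.168.1.25", GATEWAY_MAC),          # router announces itself
    ArpReply(1.0,  "192.168.1.21", "00:11:22:aa:bb:21"),  # victim, legitimate
    ArpReply(2.0,  "192.168.1.30", "00:11:22:aa:bb:30"),  # another host
    ArpReply(60.0, "192.168.1.25", ATTACKER_MAC),         # attacker's MAC claims the router's IP
    ArpReply(60.1, "192.168.1.21", ATTACKER_MAC),         # attacker's MAC claims the victim's IP
]


def run_sample():
    """Feed the constructed replies through a monitor that pins the gateway."""
    mon = ArpMonitor(pinned={"192.168.1.25": GATEWAY_MAC})
    for r in SAMPLE_REPLIES:
        mon.observe(r)
    return mon


if __name__ == "__main__":
    for kind, ts, msg in run_sample().alerts:
        print(f"{ts:6.1f}  {kind:16} {msg}")
```

The pinned dictionary is the software side of the static ARP entry the slide recommends; on a host the same binding is set with `arp -s <ip> <mac>`, and a real monitor would read replies from a capture library instead of the constructed list.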
Tools For Sniffing
Ethereal
Dsniff
Sniffit
Aldebaran
Hunt
NGSSniff
Ntop
pf
IPTraf
Etherape
Netfilter
Network Probe
Maa Tec Network Analyzer
Tools For Sniffing
Snort
Macof, MailSnarf, URLSnarf, WebSpy
Windump
Etherpeek
Ettercap
SMAC
Mac Changer
Iris
NetIntercept
WinDNSSpoof
Ethereal
Ethereal is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. The user can interactively browse the captured data, viewing summary and detailed information for each captured packet.
Features
Data can be intercepted “off the wire” from a
live network connection, or read from a
captured file.
Can read captured files from tcpdump.
Command line switches to the editcap program
enable the editing or conversion of the
captured files.
Display filter enables the refinement of the data.
Dsniff
Dsniff is a collection of tools for network auditing and penetration testing. ARPSPOOF, DNSSPOOF, and MACOF facilitate the interception of network traffic that is normally unavailable to an attacker. SSHMITM and WEBMITM implement active man-in-the-middle attacks against redirected SSH and https sessions by taking advantage of the weak bindings in ad-hoc PKI.
Sniffit
Sniffit is a packet sniffer for TCP/UDP/ICMP
packets.
It provides detailed technical information about
the packets and packet contents in different
formats.
By default it can handle Ethernet and PPP
devices, but can be easily forced into using
other devices.
Aldebaran
Aldebaran is an advanced Linux sniffer/network analyzer.
It supports sending data to another host, dump
file encryption, real-time mode, packet content
scanning, network statistics in html, capture
rules, colored output, and much more.
Hunt
Hunt is used to watch TCP connections, intrude
into them, or reset them.
It is meant to be used on an Ethernet segment, and
has active mechanisms to sniff switched
connections.
Features:
• It can be used for watching, spoofing, detecting, hijacking, and resetting connections
• MAC discovery daemon for collecting MAC addresses, sniff daemon for logging TCP traffic with the ability to search for a particular string
NGSSniff
NGSSniff is a network packet capture and
analysis program.
Packet capture is done via Windows sockets raw IP or via Microsoft Network Monitor drivers.
It can carry out packet sorting and does not
require installed drivers to run.
It carries out real time packet viewing.
Ntop
Ntop is a network traffic probe that shows network usage. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status.
pf
pf is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation.
It is also capable of normalizing, and
conditioning, TCP/IP traffic, providing
bandwidth control, and packet prioritization.
IPTraf
IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the currently monitored IP traffic.
IPTraf can be used to monitor the load on an IP network, the types of network services that are most in use, the proceedings of TCP connections, and others.
Etherape
EtherApe is a graphical network monitor for UNIX. Featuring link layer, IP and TCP modes, it displays network activity graphically. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
Features
Network traffic is displayed graphically. The more "talkative" a node is, the bigger its representation.
User may select the level of the protocol stack to concentrate on.
User may either look at traffic within the network, end to end IP, or even port to port TCP.
Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file.
Data display can be refined using a network filter.
Netfilter
Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.
Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register the callback functions called every time a network packet traverses one of those hooks.
Features
• Stateful packet filtering (connection tracking)
• Many network address translation schemes
• Flexible and extensible infrastructure
• Large numbers of additional features, as patches
Screenshot: Netfilter
Network Probe
This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network. All traffic is monitored in real time. All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces.
Maa Tec Network Analyzer
MaaTec Network Analyzer is a tool that is used for capturing, saving and analyzing network traffic.
Features:
• Real time network traffic statistics.
• Scheduled network traffic reports.
• Online view of incoming packets.
• Multiple data color options.
Tool: Snort
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console. Packet logger mode logs the packets to disk. Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Macof, MailSnarf, URLSnarf, WebSpy
Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing. Mailsnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network. Urlsnarf is a tool for monitoring web traffic. Webspy allows the user to see all the web pages visited by the victim.
Tool: Windump
WinDump is the port to the Windows platform of tcpdump, the most widely used network sniffer/analyzer for UNIX.
Tool: Etherpeek
EtherPeek is an Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding and displaying packet data, it discovers protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, unreachable devices, etc.
SMAC
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters in one screen. The built-in logging capability allows the tracking of MAC address modification activities.
MAC Changer
MAC Changer is a Linux utility for setting a specific MAC address to a network interface.
It enables the user to set the MAC address randomly, set a MAC from another vendor, or set another MAC from the same vendor.
The user can also set a MAC of the same kind (e.g.: wireless card).
It offers a choice of vendor MAC list (more than 6200 items) to choose from.
Ettercap
Ettercap is a tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning based sniffing, etc.
Iris
Iris allows the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is surfing the web during work hours.
NetIntercept
NetIntercept is a sniffing tool that studies external break-in attempts, watches for misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, searches traffic by criteria such as e-mail headers, web sites, and file names, etc.
WinDNSSpoof
This tool is a simple DNS ID Spoofer for
Windows 9x/2K.
In order to use it you must be able to
sniff the traffic of the computer being
attacked.
Usage: wds -h
Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
TCPDump, Network Monitor
TCPDump
• A widely used network diagnosis and analysis tool for UNIX-based OSs.
• Used to trace network problems, detect ping attacks, and monitor network activities.
• Monitors and decodes application layer data.
Network Monitor
• Network-monitoring software that is part of Windows NT Server.
• Latest versions capture all data traffic.
• Maintains the history of each network connection.
• Provides high-speed filtering capabilities.
• Captures network traffic and converts it to a readable format.
Gobbler, ETHLOAD
Gobbler
• MS-DOS based sniffer
• Used to gain knowledge about network traffic
• Used remotely over a network
• Runs from a single workstation, analyzing only the local packets
ETHLOAD
• Freeware packet sniffer written in C
• Executes on MS-DOS and Novell platforms
• Cannot be used to sniff rlogin and Telnet sessions
Esniff, Sunsniff, Linux Sniffer, Sniffer Pro
Esniff
• Written in C by a hacker called "rokstar"
• Used to sniff packets on OSs developed by Sun Microsystems
• Coded to capture the initial bytes, which include the username and password
Sunsniff
• Written in C, specifically for the Sun Microsystems OS
Linux_sniffer
• A Linux-specific sniffer written in C for experimenting with network traffic.
Sniffer Pro
• Trademark of Network Associates Inc.
• Easy-to-use interface for capturing and viewing network traffic.
Scenario
Sam found out that he was working in a shared Ethernet network segment, so a sniffer could be launched from any machine in the LAN. Sam ran a sniffer and at the end of the day he studied the captured data. Sam could not believe it!!!
1. He was actually able to read e-mails
2. Read passwords off the wire in cleartext
3. Read files
4. Read financial transactions and credit card numbers
Sam decided to share the information with Dave the next day. How do you think Dave will react to this? Was Sam guilty of espionage?
Countermeasures
Restrict physical access to network media so that a packet sniffer cannot be installed.
The best way to be secured against sniffing is to use
encryption. It will not prevent a sniffer from functioning,
but it will ensure that what a sniffer reads is
incomprehensible.
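Encryption is the countermeasure, and the same capture data a sniffer would see lets a defender measure where it is still missing. The following Python script is an added example (not from the module): it classifies TCP payloads by service port and a protocol signature for the cleartext login protocols named in this module (FTP, telnet, SMTP, HTTP Basic, POP3, IMAP), keeps only the server address and protocol name, and discards the payload, so the report lists hosts that still accept cleartext authentication without ever recording a credential. The packets are constructed inline; the port numbers are the standard well-known ports.

```python
"""Cleartext-authentication audit over a constructed packet sample.

Added example, not from the original module. The report records only which
server accepted which cleartext login protocol, never the credential itself.
"""
import re
from collections import Counter

# (protocol label, well-known service port, signature of an authentication step).
# Signatures follow each protocol's command grammar; they are used only to
# classify, and the matched text is thrown away.
SIGNATURES = [
    ("ftp",        21,  re.compile(rb"^(USER|PASS) ", re.M)),
    ("telnet",     23,  re.compile(rb"(?i)login:|password:")),
    ("smtp-auth",  25,  re.compile(rb"^AUTH (LOGIN|PLAIN)", re.M)),
    ("http-basic", 80,  re.compile(rb"^Authorization: Basic ", re.M)),
    ("pop3",       110, re.compile(rb"^(USER|PASS) ", re.M)),
    ("imap",       143, re.compile(rb"^\S+ LOGIN ", re.M)),
]


def classify(service_port, payload):
    """Return the protocol label if the payload looks like a cleartext login step, else None."""
    for label, port, pattern in SIGNATURES:
        if service_port == port and pattern.search(payload):
            return label
    return None


def audit(packets):
    """packets: iterable of (client_ip, server_ip, service_port, payload_bytes).
    Returns a Counter keyed by (server_ip, protocol) with the number of login
    steps observed. The payload bytes never leave this function."""
    findings = Counter()
    for _client, server, port, payload in packets:
        label = classify(port, payload)
        if label:
            findings[(server, label)] += 1
    return findings


def report(findings):
    """Human-readable lines, one per server/protocol pair."""
    return [f"{server}: {proto} accepted {n} cleartext login step(s); move it to an encrypted equivalent"
            for (server, proto), n in sorted(findings.items())]


# Constructed sample: one FTP login, one telnet prompt, one HTTP Basic request,
# plus SSH and TLS traffic that must not be flagged. Addresses and values are made up.
SAMPLE_PACKETS = [
    ("10.0.0.50", "10.0.0.5", 21,  b"USER example\r\n"),
    ("10.0.0.50", "10.0.0.5", 21,  b"PASS example-only\r\n"),
    ("10.0.0.51", "10.0.0.6", 23,  b"\r\nlogin: "),
    ("10.0.0.52", "10.0.0.7", 80,  b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic ZXhhbXBsZTpleGFtcGxl\r\n\r\n"),
    ("10.0.0.52", "10.0.0.8", 22,  b"SSH-2.0-example\r\n"),
    ("10.0.0.53", "10.0.0.7", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

if __name__ == "__main__":
    for line in report(audit(SAMPLE_PACKETS)):
        print(line)
```

Run against a real capture, the output is a migration list rather than a loot list: the same server can appear under both a cleartext and an encrypted protocol (HTTP on 80 and TLS on 443 above), which is exactly the case where the cleartext service should be switched off.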
ARP spoofing is used to sniff a switched network, so the attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to each host's ARP cache as a static entry.
Countermeasures (contd.)
Switch the network over to SSH. There are various tools to detect a sniffer in a network. They are as follows:
• ARP Watch
• Promiscan
• Antisniff
• Prodetect
Summary
Sniffing allows the capture of vital information from network traffic. It can be done over a hub or switch (Passive or Active).
Capturing passwords, e-mail, files, etc. can be done by means of sniffing.
ARP poisoning can be used to force the network's switch into hub mode and subsequently carry out packet sniffing.
Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, NGSSniff, etc. are some of the most popular sniffing tools.
The best ways to be secured against sniffing are to use encryption, apply the latest patches, and apply other lockdown techniques to the systems.