Chapter 4 - Sniffing & Evasion Flashcards
Promiscuous Mode
Has to be set manually (the capture library does it when a sniffer starts). The NIC then passes up every frame on the wire regardless of destination MAC. Capture libraries: WinPcap/Npcap (Windows) and libpcap (Linux/Unix).
CSMA/CD
Carrier Sense Multiple Access with Collision Detection: the Ethernet media-access rule for shared (hub/coax) segments; a station listens before transmitting and backs off when it detects a collision. Not used on full-duplex switched links.
What protocols are susceptible to sniffing
Clear-text protocols: SMTP, FTP, TFTP, IMAP, POP3, NNTP, Telnet, and HTTP carry credentials and content unencrypted. Headers leak too: TCP shows sequence numbers, TCP and UDP show ports, IP shows source and destination addresses.
Collision Domains
Traffic sent from your NIC (regardless of mode) can only be seen within the same collision domain. A hub is one collision domain; a switch has one per port.
arp -d *
Clears the ARP cache (Windows syntax; on Linux use ip neigh flush all)
arp -a
Displays current ARP cache
ARP
Address Resolution Protocol: resolves IPv4 addresses to MAC addresses. Packets are ARP_REQUEST (broadcast "who has X?") and ARP_REPLY (unicast "X is at MAC"). arp -a displays the cache.
Gratuitous ARP
Unsolicited ARP packet (sender IP equals target IP) that a host sends to announce or update its own IP-to-MAC mapping; receivers may update their cache even though they never asked, which is what ARP poisoning abuses.
IPV6 Loopback address is what?
::1 (IPv6 addresses are 128 bits, so loopback is 127 zero bits followed by a 1)
IPv6 Address Types
Unicast - addressed to and intended for one host interface. Multicast - addressed to a group of interfaces; all of them receive it. Anycast - the same address is assigned to many interfaces; a packet is delivered to the nearest one by routing distance.
IPv6 Scopes
(Scope applies to unicast and multicast addresses.) Link-local: valid only on the local link/subnet (fe80::/10). Site-local: hosts within the same organization (fec0::/10); deprecated by RFC 3879 in favour of unique local addresses (fc00::/7). Global: routable on the Internet (2000::/3).
Lawful interception
Legally intercepting communications between two parties
Active vs Passive Wiretapping
Active - Interjecting something into communication. Passive - Only monitors and records the data.
Active vs Passive Sniffing
Passive - watching traffic without injecting anything; on a hub you see the whole collision domain, on a switch only frames to your own port plus broadcasts/multicasts. Active - injecting traffic (MAC flooding, ARP poisoning, port stealing) to make a switch send you frames that are not destined for your machine.
Span Port
SPAN (Switched Port Analyzer): switch configuration that copies frames from other ports (or VLANs) to a monitor port. Not all switches support it, and an oversubscribed SPAN port silently drops frames.
Network Tap
Dedicated hardware device (or passive optical splitter) inserted inline on a link that copies all traffic on that link to a monitor port. Unlike a SPAN port it does not depend on the switch, has no address, and does not drop frames under load.
Port Mirroring
Another name for a SPAN port
CAM Table
Content Addressable Memory table: the table on a switch that stores which MAC address was learned on which port. Frames to a MAC that is not in the table (and broadcasts) are flooded out every port. MAC flooding is the attack that fills the table with bogus source MACs so legitimate entries cannot be (re)learned and the switch floods traffic like a hub, letting the attacker sniff it.
Etherflood
Tool used to cause MAC flooding
Macof
Tool used to cause MAC flooding
Switch port stealing
Related to CAM flooding but targeted: the attacker sends frames (Ettercap uses ARP packets) whose source MAC is the victim's, so the switch moves the victim's CAM entry to the attacker's port. The real victim's next frame moves it back, so attacker and victim race and the attacker must keep re-sending the forged frames.
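The two switch attacks on these cards are easiest to see against a model of the CAM table itself. The following is an added example, not from the original flashcards: a toy learning switch with a tiny table (CAM_CAPACITY, the MAC addresses and port numbers are constructed). demo_mac_flood shows that once an attacker has filled the table, unicast between two legitimate hosts is flooded out the attacker's port; demo_port_stealing shows the victim's entry moving to the attacker's port and flipping back the moment the victim transmits.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
CAM_CAPACITY = 8                     # constructed; real tables hold thousands of entries

VICTIM_A = "00:11:22:aa:aa:aa"       # constructed addresses
VICTIM_B = "00:11:22:bb:bb:bb"
ATTACKER = "02:00:00:00:00:01"


class Switch:
    """Minimal learning switch: one CAM table mapping MAC -> port."""

    def __init__(self, ports, capacity=CAM_CAPACITY):
        self.ports = set(ports)
        self.capacity = capacity
        self.cam = OrderedDict()         # MAC -> port, oldest entry first

    def age_out(self):
        """Simulate the aging timer expiring: every entry is forgotten."""
        self.cam.clear()

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame. Returns the set of ports it is sent out of."""
        # Learning: the most recent frame for a MAC wins (the hook for port
        # stealing); a full table learns nothing new (the hook for flooding).
        if src_mac in self.cam:
            self.cam[src_mac] = in_port
            self.cam.move_to_end(src_mac)
        elif len(self.cam) < self.capacity:
            self.cam[src_mac] = in_port
        # Forwarding: unknown or broadcast destinations go out every other port.
        out = self.cam.get(dst_mac)
        if out is None or dst_mac == BROADCAST:
            return self.ports - {in_port}
        return {out} if out != in_port else set()


def mac_flood(switch, attacker_port, count):
    """macof-style flood: `count` frames, each with a fresh bogus source MAC."""
    for i in range(count):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        switch.receive(attacker_port, bogus, BROADCAST)


def demo_mac_flood():
    """Returns (egress ports for A->B before the attack, after the attack)."""
    sw = Switch(ports={1, 2, 3})
    sw.receive(1, VICTIM_A, BROADCAST)             # switch learns A on port 1
    sw.receive(2, VICTIM_B, VICTIM_A)              # and B on port 2
    before = sw.receive(1, VICTIM_A, VICTIM_B)     # unicast reaches port 2 only
    sw.age_out()                                   # entries expire (about 5 minutes on many switches)
    mac_flood(sw, attacker_port=3, count=1000)     # attacker refills the table first
    sw.receive(2, VICTIM_B, VICTIM_A)              # B cannot be relearned: table is full
    after = sw.receive(1, VICTIM_A, VICTIM_B)      # B unknown -> flooded, attacker on 3 sees it
    return before, after


def demo_port_stealing():
    """Returns (ports A->B reaches while stolen, ports after B talks again)."""
    sw = Switch(ports={1, 2, 3})
    sw.receive(1, VICTIM_A, BROADCAST)
    sw.receive(2, VICTIM_B, VICTIM_A)
    sw.receive(3, ATTACKER, BROADCAST)             # attacker's own MAC learned on port 3
    # Forged source MAC = B; destination = attacker's own MAC so the switch
    # delivers the frame nowhere instead of flooding it (the Ettercap trick).
    sw.receive(3, VICTIM_B, ATTACKER)
    stolen = sw.receive(1, VICTIM_A, VICTIM_B)     # A's traffic now exits port 3
    sw.receive(2, VICTIM_B, VICTIM_A)              # the race: real B transmits
    restored = sw.receive(1, VICTIM_A, VICTIM_B)   # entry flips back to port 2
    return stolen, restored


if __name__ == "__main__":
    print("MAC flood  (before, after):", demo_mac_flood())
    print("Port steal (stolen, restored):", demo_port_stealing())
```

Port security (limiting learned MACs per port) defeats the first demo; in the second, the attacker has to keep re-sending forged frames faster than the victim transmits, which is why port stealing is noisy on the wire.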
ARP Poisoning
Also called ARP spoofing; usually delivered with gratuitous or unsolicited ARP replies. Rewrites the ARP cache of victims so frames meant for another host (typically the default gateway) are sent to the attacker's MAC instead, enabling a man-in-the-middle position.
What are some countermeasures to ARP poisoning ?
Dynamic ARP Inspection (DAI) on the switch, which validates ARP replies against the DHCP snooping binding table. Host tools such as XArp watch for IP-to-MAC changes. The default gateway's MAC can be added as a static (permanent) entry in the machine's cache.
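The gratuitous ARP, ARP poisoning and countermeasure cards above fit together in one small piece of code. This is an added example, not from the original flashcards: it builds raw Ethernet/ARP frames with struct, parses them back, and runs an XArp-style watcher that alerts when a known IP suddenly claims a different MAC. The gateway/attacker addresses are constructed, and "pinned" entries model a static ARP entry for the gateway.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip,
              dst_mac="ff:ff:ff:ff:ff:ff"):
    """Ethernet II header + ARP (RFC 826) body, 42 bytes, as sent on the wire."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype Ethernet, ptype IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not IPv4-over-Ethernet ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    sender_ip, target_ip = ip_str(body[6:10]), ip_str(body[16:20])
    return {"op": op, "sender_mac": mac_str(body[0:6]), "sender_ip": sender_ip,
            "target_mac": mac_str(body[10:16]), "target_ip": target_ip,
            "gratuitous": sender_ip == target_ip}     # sender announcing itself


class ArpWatch:
    """Flag IP->MAC changes the way XArp (or a static gateway entry) would catch them."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})      # ip -> mac, seeded with pinned entries
        self.pinned = set(pinned or {})

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:                    # first sighting: learn it, like a normal cache
            self.table[ip] = mac
            return None
        if known == mac:
            return None
        kind = "pinned" if ip in self.pinned else "learned"
        if ip not in self.pinned:            # an unpinned cache would accept the new mapping
            self.table[ip] = mac
        return (f"ARP change for {ip}: {known} -> {mac} "
                f"({kind}, op={arp['op']}, gratuitous={arp['gratuitous']})")


def demo():
    """One legitimate reply from the gateway, then a poisoning reply claiming its IP."""
    gw_ip, gw_mac = "192.168.1.1", "00:50:56:00:00:01"       # constructed
    client_mac, attacker_mac = "00:0c:29:00:00:02", "de:ad:be:ef:00:01"
    watch = ArpWatch(pinned={gw_ip: gw_mac})
    legit = build_arp(ARP_REPLY, gw_mac, gw_ip, client_mac, "192.168.1.20", dst_mac=client_mac)
    # Gratuitous reply: "192.168.1.1 is at attacker's MAC", broadcast to everyone.
    poison = build_arp(ARP_REPLY, attacker_mac, gw_ip, "00:00:00:00:00:00", gw_ip)
    return [watch.observe(legit), watch.observe(poison)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The pinned table is the host-side equivalent of the static gateway entry on the card: the watcher keeps reporting the attacker's frames but never adopts them.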
ARP Poisoning Tools
Cain and Abel, WinArpAttacker, Ufasoft
DHCPv4 Packets
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK
DHCPv6 Packets
Solicit, Advertise, Request (confirm/Renew), Reply
DHCP Steps
1. Client broadcasts DHCPDISCOVER. 2. Server responds with DHCPOFFER. 3. Client requests the offered address with DHCPREQUEST. 4. Server confirms the address and configuration (gateway, DNS, lease time) with DHCPACK.
DHCP Starvation
Attacker floods DHCPDISCOVER/DHCPREQUEST messages with spoofed client MACs to exhaust the server's address pool, so legitimate clients get nothing; often a prelude to standing up a rogue DHCP server.
DHCP Starvation Tools
Yersinia, DHCPstarv
Rogue DHCP Server
Attacker-controlled DHCP server that answers clients (faster than the real one, or after starving it) with malicious settings, typically the attacker's IP as default gateway or DNS server, enabling man-in-the-middle.
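The DHCPv4 cards describe the exchange and two attacks on it; the detection side is what a network defender would actually write. The following is an added example, not from the original flashcards: it builds minimal DHCPv4 payloads (RFC 2131 fixed fields plus options), parses them, and runs a monitor that flags a starvation flood (many distinct client MACs sending DISCOVER) and a rogue server (an OFFER whose server-identifier option is not on the allowlist). Addresses, MACs and the threshold are constructed.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", extra=()):
    """DHCPv4 payload: 236-byte fixed header, magic cookie, options, end marker."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=Ethernet, hlen=6, broadcast flag
    hdr += bytes(4)                                              # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))              # yiaddr ("your" address)
    hdr += bytes(8)                                              # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")) + bytes(10)    # chaddr padded to 16 bytes
    hdr += bytes(192)                                            # sname + file
    opts = bytes([53, 1, msg_type])                              # option 53: message type
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return hdr + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Decode the fields the monitor needs plus a code -> bytes dict of options."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    chaddr = ":".join("%02x" % b for b in pkt[28:28 + hlen])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
            "type": MSG_TYPES.get(msg_type, "UNKNOWN"), "options": options}


class DhcpMonitor:
    """Alert on starvation floods and on OFFER/ACK from servers not on the allowlist."""

    def __init__(self, trusted_servers, starvation_threshold=50):
        self.trusted = set(trusted_servers)
        self.threshold = starvation_threshold
        self.discover_macs = set()

    def observe(self, pkt):
        d = parse_dhcp(pkt)
        alerts = []
        if d["type"] == "DHCPDISCOVER":
            self.discover_macs.add(d["chaddr"])
            if len(self.discover_macs) == self.threshold:   # fire once, when the threshold is crossed
                alerts.append(f"possible DHCP starvation: {self.threshold} distinct client MACs sent DISCOVER")
        elif d["type"] in ("DHCPOFFER", "DHCPACK"):
            sid = d["options"].get(54)                       # option 54: server identifier
            server = ".".join(str(b) for b in sid) if sid else None
            if server not in self.trusted:
                alerts.append(f"rogue DHCP server {server} offered {d['yiaddr']} to {d['chaddr']}")
        return alerts


def demo():
    """Yersinia-style starvation (one DISCOVER per spoofed MAC), then a legitimate and a rogue OFFER."""
    mon = DhcpMonitor(trusted_servers={"192.168.1.1"}, starvation_threshold=50)
    alerts = []
    for i in range(60):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        alerts += mon.observe(build_dhcp(BOOTREQUEST, 0x1000 + i, mac, 1))
    client = "00:0c:29:00:00:02"
    legit = build_dhcp(BOOTREPLY, 0x2000, client, 2, yiaddr="192.168.1.50",
                       extra=[(54, bytes([192, 168, 1, 1]))])
    rogue = build_dhcp(BOOTREPLY, 0x2000, client, 2, yiaddr="192.168.1.51",
                       extra=[(54, bytes([192, 168, 1, 66])), (3, bytes([192, 168, 1, 66]))])
    alerts += mon.observe(legit)
    alerts += mon.observe(rogue)
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

On a real switch, DHCP snooping does the second check in hardware: OFFER/ACK arriving on an untrusted port is dropped, and the bindings it records are what Dynamic ARP Inspection later uses.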
MAC Spoof vs IRDP Spoof vs DNS Poisoning
MAC spoofing - changing your MAC address to impersonate another host (to pass MAC filtering or receive frames meant for it). IRDP spoofing - sending forged ICMP Router Discovery Protocol advertisements so hosts adopt a malicious default gateway. DNS poisoning - injecting forged DNS responses or cache entries so a name resolves to the attacker's IP.
Ethereal
What Wireshark used to be called (renamed in 2006). A packet sniffer and protocol analyzer.
What does the following Wireshark filter accomplish: !(arp or icmp or dns)
Display filter that hides the "noise" from ARP, ICMP, and DNS traffic so everything else is easier to read
Wireshark filter: http.request
Displays all HTTP requests (GET, POST, HEAD, ...). To see only GETs use http.request.method == "GET"
ip.addr==172.17.15.12 && tcp.port==23 This filter does what on Wireshark?
Displays Telnet traffic (TCP port 23, either direction) to or from that IP address
tcp.flags==0x16 This filter does what on Wireshark?
Matches only packets whose TCP flags value is exactly 0x16, which is SYN+RST+ACK (an invalid combination that only appears in crafted packets). To show every packet with ACK set, use tcp.flags.ack == 1; for a SYN/ACK exactly, tcp.flags == 0x012.
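The display filters on these cards are all predicates over dissected header fields, and the tcp.flags card is the one where getting the semantics wrong matters. The following is an added example, not from the original flashcards: it constructs a small Ethernet/IPv4/TCP/UDP capture in memory (addresses, ports and payloads are made up), dissects each frame into Wireshark-style field names, and implements each card's filter as a Python function so the difference between tcp.flags == 0x16 (exact byte match) and tcp.flags.ack == 1 (bit test) is visible.

```python
import struct

# Wireshark's tcp.flags field is the 12-bit flags word; only the classic 8 bits matter here.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def flag_names(value):
    """0x12 -> ['SYN', 'ACK']; 0x16 -> ['SYN', 'RST', 'ACK'] (an invalid combination)."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_ip_frame(src_ip, dst_ip, proto, l4):
    """Ethernet II (zeroed MACs) + IPv4 header + transport data; checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return bytes(12) + b"\x08\x00" + ip + l4


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return build_ip_frame(src_ip, dst_ip, 6, tcp + payload)


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return build_ip_frame(src_ip, dst_ip, 17, udp + payload)


ARP_FRAME = bytes(12) + b"\x08\x06" + bytes(28)      # constructed stand-in ARP frame


def dissect(frame):
    """Return a flat dict of field names modelled on Wireshark's."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth.type": ethertype}
    if ethertype == 0x0806:
        pkt["arp"] = True
        return pkt
    if ethertype != 0x0800:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    pkt.update({"ip.src": ip_str(ip[12:16]), "ip.dst": ip_str(ip[16:20]), "ip.proto": proto})
    l4 = ip[ihl:]
    if proto == 1:
        pkt["icmp"] = True
    elif proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport,
                    "tcp.flags": l4[13], "tcp.payload": l4[data_off:]})
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "dns": 53 in (sport, dport)})
    return pkt


# Each function is the Python equivalent of one display filter on the cards.
def f_no_noise(p):                      # !(arp or icmp or dns)
    return not (p.get("arp") or p.get("icmp") or p.get("dns"))

def f_telnet_with(p, host):             # ip.addr==host && tcp.port==23
    return host in (p.get("ip.src"), p.get("ip.dst")) and 23 in (p.get("tcp.srcport"), p.get("tcp.dstport"))

def f_flags_exact(p, value):            # tcp.flags==value (whole byte must match)
    return p.get("tcp.flags") == value

def f_ack_set(p):                       # tcp.flags.ack==1 (ACK bit, whatever else is set)
    return bool(p.get("tcp.flags", 0) & 0x10)

def f_http_request(p):                  # http.request: any request method, not only GET
    body = p.get("tcp.payload", b"")
    return any(body.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"))


def demo(host="172.17.15.12"):
    """Run every filter over a constructed six-frame capture; returns match counts."""
    frames = [
        build_tcp_frame("10.0.0.5", host, 51000, 23, 0x02),                            # Telnet SYN
        build_tcp_frame(host, "10.0.0.5", 23, 51000, 0x12),                            # Telnet SYN/ACK
        build_tcp_frame("10.0.0.5", host, 51000, 23, 0x18, b"\xff\xfd\x18"),           # Telnet option negotiation
        build_tcp_frame("10.0.0.5", "10.0.0.80", 51001, 80, 0x18, b"POST /login HTTP/1.1\r\n"),
        build_udp_frame("10.0.0.5", "10.0.0.53", 51002, 53, b"\x12\x34" + bytes(10)),  # DNS query
        ARP_FRAME,
    ]
    pkts = [dissect(f) for f in frames]
    return {
        "!(arp or icmp or dns)": sum(f_no_noise(p) for p in pkts),                      # 4
        "ip.addr==host && tcp.port==23": sum(f_telnet_with(p, host) for p in pkts),     # 3
        "tcp.flags==0x16": sum(f_flags_exact(p, 0x16) for p in pkts),                   # 0
        "tcp.flags==0x012": sum(f_flags_exact(p, 0x12) for p in pkts),                  # 1
        "tcp.flags.ack==1": sum(f_ack_set(p) for p in pkts),                            # 3
        "http.request": sum(f_http_request(p) for p in pkts),                           # 1
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:35} {count}")
```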
tcpdump -i eth1
Captures on interface eth1 (without -i, tcpdump picks the first non-loopback interface). Promiscuous mode is enabled unless -p is given.
tcpdump -w
-w <file> writes the raw captured packets to a pcap file, readable later with tcpdump -r <file> or in Wireshark
tcpdump syntax
tcpdump -i eth1 captures on eth1; -w <file> saves raw packets to a pcap file; -r <file> reads one back; a BPF expression at the end of the command line (for example tcp port 23) limits what is captured.
Windows version of tcpdump is what?
WinDump
tcptrace
Analyzes files produced by packet capture programs such as Wireshark, tcpdump, and Etherpeek
Ettercap
Sniffer and MITM suite: ARP poisoning, port stealing, and protocol dissectors that pull credentials out of clear-text sessions
Capsa Network Analyzer
Commercial network sniffer and analyzer
Snort
Open source IDS, can be used as a sniffer, traffic logger, and a protocol analyzer. Three modes: Sniffer, Packet Logger, NIDS
Sniffing tools
Snort, Sniff-O-Matic, EtherPeek, WinDump, WinSniffer
What does the following snort rule do: alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)
This rule tells Snort: "If you see a TCP packet from any address that is not in my home network, from any source port, going to an address inside my home network on port 31337, raise an alert with the message BACKDOOR ATTEMPT-Backorifice." The ! negates the source address, $HOME_NET is a variable from snort.conf, and -> means the rule only matches that direction (<> would match both).
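To make the header semantics concrete (the ! negation, the $HOME_NET variable, the -> direction, and the proto field), here is an added example, not from the original flashcards and not Snort's own code: a small evaluator for the header and msg option of a rule, run against a handful of constructed packets. HOME_NET and all addresses are constructed. It generalizes slightly beyond the card by supporting Snort port ranges (lo:hi) and the bidirectional <> operator.

```python
import ipaddress
import re

VARIABLES = {"HOME_NET": "192.168.1.0/24"}     # constructed; stands in for snort.conf's $HOME_NET

RULE = 'alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)'


def _resolve(token, variables):
    """Strip a leading '!' and expand a $VARIABLE. Returns (negated, value)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = variables[token[1:]]
    return negated, token


def match_addr(token, ip, variables):
    negated, value = _resolve(token, variables)
    hit = value == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    return hit != negated                       # XOR applies the negation


def match_port(token, port, variables):
    negated, value = _resolve(token, variables)
    if value == "any":
        hit = True
    elif ":" in value:                          # Snort range syntax: 1024:, :1023, 6000:6010
        lo, hi = value.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(value)
    return hit != negated


class Rule:
    """The seven header fields plus the msg option of a Snort rule."""

    def __init__(self, text, variables=VARIABLES):
        header, _, body = text.partition("(")
        (self.action, self.proto, self.src, self.sport,
         self.direction, self.dst, self.dport) = header.split()
        m = re.search(r'msg\s*:\s*"([^"]*)"', body)
        self.msg = m.group(1) if m else ""
        self.variables = variables

    def _one_way(self, src, sport, dst, dport):
        v = self.variables
        return (match_addr(self.src, src, v) and match_port(self.sport, sport, v)
                and match_addr(self.dst, dst, v) and match_port(self.dport, dport, v))

    def matches(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport taken from the IP and TCP/UDP headers."""
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self._one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
            return True
        # '<>' is bidirectional; '->' only matches the direction as written.
        return self.direction == "<>" and self._one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def demo():
    """Evaluate the card's rule over five constructed packets; returns one bool per packet."""
    rule = Rule(RULE)
    packets = [
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "192.168.1.10", "dport": 31337},   # outside -> home:31337: alert
        {"proto": "tcp", "src": "192.168.1.20", "sport": 40001, "dst": "192.168.1.10", "dport": 31337},  # source is inside HOME_NET: no
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40002, "dst": "192.168.1.10", "dport": 31338},   # wrong port: no
        {"proto": "udp", "src": "203.0.113.9", "sport": 40003, "dst": "192.168.1.10", "dport": 31337},   # wrong protocol: no
        {"proto": "tcp", "src": "192.168.1.10", "sport": 31337, "dst": "203.0.113.9", "dport": 40000},   # reply direction: no with ->
    ]
    return [rule.matches(p) for p in packets]


if __name__ == "__main__":
    print(Rule(RULE).msg, demo())
```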
Dynamic NAT vs Static NAT vs Port Address Translation (PAT)
Static NAT: one-to-one, a fixed private address always maps to the same public address. Dynamic NAT: many-to-many, private addresses are mapped to whichever public address in a pool is free. PAT (NAT overload): many-to-one, many private addresses share one public address, distinguished by translated source ports.
Signature-based vs Anomaly-based IDS
Signature-based - compares traffic against a list of known attack patterns; precise but blind to attacks with no signature yet. Anomaly-based - alerts on deviation from a learned baseline of "normal" behaviour; can catch novel attacks but generates more false positives.
Screened Subnet
Also called a DMZ: a segment between two firewalls (or on a separate firewall interface) that hosts all public-facing servers and services, so a compromise there does not give direct access to the internal network.
Bastion Hosts
Hardened hosts on the screened subnet, exposed to untrusted networks and running the minimum of services, positioned so that internal resources stay protected even if the bastion is compromised.
Private Zone
Hosts internal hosts that only respond to requests from within that zone
Multi-homed Firewall
Firewall that has two or more interfaces
Stateful Inspection
Firewalls that track the state of each connection (handshake, sequence numbers, related flows) and only allow packets that belong to an established or expected session
Packet-Filtering
Firewalls that only look at packet headers (addresses, ports, protocol, flags) and judge each packet on its own, with no memory of the connection
Circuit-level Gateway
Firewall that works at Layer 5 (session layer): it validates the TCP handshake and session setup but does not inspect application content
Application-level gateway
Firewall that works like a proxy at Layer 7, understanding specific protocols (HTTP, FTP, SMTP) and allowing only those services in or out
Tools for IDS evasion
Nessus, ADMmutate (polymorphic shellcode encoder that produces payloads not recognizable by signature files), NIDSbench, Inundator (flooding tool that buries real alerts in false positives)
An ICMP Type 3 Code 13 shows what?
"Communication administratively prohibited": a filtering device (firewall or router ACL) blocked the traffic. The ICMP message comes from that device, not from the target host.
ICMP Type 3 Code 3 shows that
"Port unreachable": the target host itself received the probe and has nothing listening on that port (the usual way a closed UDP port is detected)
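The two ICMP cards above are only useful if you can tell which probe an unreachable message answers and who sent it, because an ICMP error quotes the original datagram (IP header plus the first 8 bytes of its payload). The following is an added example, not from the original flashcards: it constructs a UDP probe and two replies to it, one port-unreachable (code 3) from the target and one administratively-prohibited (code 13) from a firewall in the path, then parses the quoted headers to recover the probed port and classify the result the way a UDP scanner does. All addresses are constructed.

```python
import struct


def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst)) + payload


def build_udp_probe(src, dst, sport, dport):
    return build_ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))


def build_unreachable(sender, probe, code):
    """ICMP type 3 from `sender`, quoting the probe's IP header + first 8 bytes (RFC 792)."""
    probe_src = ip_str(probe[12:16])
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + probe[:28]
    return build_ipv4(sender, probe_src, 1, icmp)


UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 9: "network administratively prohibited",
                     10: "host administratively prohibited",
                     13: "communication administratively prohibited"}


def interpret(pkt):
    """If pkt is an ICMP destination-unreachable, report which probe it answers and what that implies."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                              # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        return None
    sender = ip_str(pkt[12:16])                  # who generated the error: target or a device in the path
    orig = icmp[8:]                              # quoted original datagram
    orig_ihl = (orig[0] & 0x0F) * 4
    orig_dst = ip_str(orig[16:20])
    orig_sport, orig_dport = struct.unpack("!HH", orig[orig_ihl:orig_ihl + 4])
    if code == 3:
        state = "closed"                         # the host itself says nothing listens there
    elif code in (1, 2, 9, 10, 13):
        state = "filtered"                       # the interpretation nmap uses for UDP scans
    else:
        state = "unreachable"
    return {"sender": sender, "from_target": sender == orig_dst, "code": code,
            "reason": UNREACHABLE_CODES.get(code, "other"),
            "probe_dst": orig_dst, "probe_sport": orig_sport, "probe_dport": orig_dport,
            "state": state}


def demo():
    """One UDP probe to port 161; the target answers code 3, a firewall answers code 13."""
    probe = build_udp_probe("10.0.0.5", "10.0.0.7", 40000, 161)
    from_host = build_unreachable("10.0.0.7", probe, 3)
    from_firewall = build_unreachable("10.0.0.1", probe, 13)
    return interpret(from_host), interpret(from_firewall)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The from_target flag is the practical check: a code 13 whose sender differs from the probed host confirms a filtering device between you and the target, and a code 3 from the target itself means the packet got through.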
Firewalking
Technique (and the firewalk tool) for mapping which ports a firewall lets through without touching the hosts behind it: send probes with a TTL one hop past the firewall; a port whose probe gets an ICMP time-exceeded reply from the next hop is allowed, a port with no reply is filtered.
High Interaction vs Low Interaction Honeypot
High interaction: runs real operating systems, services and applications, so an attacker can fully compromise it; captures the most detail but is risky to operate. Low interaction: emulates a limited set of services, cannot be fully compromised, and is cheaper and safer to run.
Honeypot Tools
Specter, Honeyd, KFSensor
Tools for firewall evasion
CovertTCP, ICMP Shell, 007 Shell