Chapter 9: Sniffers Flashcards
Promiscuous mode
network card setting to capture all traffic (including not yours)
Active vs Passive Sniffing
ACTIVE - traffic is monitored & possibly altered
PASSIVE - traffic is only monitored
HW protocol Analyzers
plug directly into the NW at the HW level & can monitor traffic w/ out manipulating traffic
Not easily accessible by ethical hackers & are extremely pricey
Lawful Inception (LI)
aka Wiretapping; legally sanctioned access to communications NW data such as telephone calls or e-mail msgs
In terms of LI, sniffing process is looked at as having 3 components
1) IAP (Intercept Access Point) - where info is fathered for the LI
2) Mediation device supplied by 3rd party that handles information processing
3) Collection function that stores &processes info intercepted by the 3rd party
MAC Flooding
Most common method for enabling sniffing on a switch is to turn it into a device that does allow switching. We want to convert it to a hub-like environment
A switch keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table;
If a switch is flooded with MAC addresses, it may overwhelm the switches ability to write its own CAM table; in turn it makes the switch fall into a giant hub
Tool: Macof
CAM table
Content Accessible Memory table with a fixed size that stores information such as MAC address of each client, port they are attached to, & any VLAN info;
A CAM table is used by the switch to help get traffic to its destination, but when it’s full…..in older switches, it would cause the switch to fail “open” & act as a hub, the flood would spill over affecting adjacent switches
Must maintain flood to keep switch acting as a hub; if flooding stop, the time outs that are set on the switch will start clearing out the CAM table entries, allowing switch to go to normal operations
(in newer switches, the success rate of mac flooding is much lower)
ARP Poisoning
Address Resolution Protocol poisoning //attempts to contaminate NW w/ improper gateway mappings
What ARP does is it maps IP addresses to specific MAC addresses thereby allowing switches to know most efficient path for data being sent
CON: ARP doesn’t have prerequisites for its sending or receiving process; ARP broadcasts free to roam NW at will;
PRO: Attacker takes advantage of this open traffic concept by feeding incorrect ARP mappings to the gateway itself or to the hosts of the NW
Tools: Ettercap, Cain & Abel, Arpspoof
IP DHCP snooping feature
Counters ARP poisoning
Some switches have IP DHCP Snooping feature that verifies MAC-to-IP mappings & stores valid mappings in a DB
MAC spoofing
when an attacker changes their MAC address to the MAC address of an existing authenticated machine already on the NW
Not a technique used for NW-side sniffing, but gives unauthorized access onto NW w/ out much effort
Port security
Counters MAC Flooding, MAC Spoofing
low level security that allows a specific # of MAC addresses to attach to a switchport; If this is enabled, it allows MAC spoofing easier
Port Mirror or SPAN port
This technique is through physical means; here you can need physical access to the switch & use port mirroring or Switched Port Analyzer (SPAN)
This technique sends a copy of every NW packet encountered on one switchport or a whole VLAN to another port where it may be monitored
Used to monitor traffic for diagnostic purposes or implementing devices such as NIDS (NW intrusion detection systems)
SSH
Soft Shell used to Tunnel data (encrypt), securely get access to remote computer, widely used by NW admins to control servers and web remotely
SSL
Secure Sockets Layer that encrypts data to keep prying eyes from altering traffic or seeing it
Cain and Abel
ARP poisoning, password cracking, and sniffing
