Chapter 9: Sniffers

Question 1

Sniffers (not a hacking tool)

Answer 1

used to capture & scan traffic moving across a NW (captures packets)

Question 2

For effective Sniffing, switch interface to: Promiscuous mode

Answer 2

doesn’t discriminate between traffic, captures ALL traffic

Question 3

Active vs Passive Sniffing

Answer 3

ACTIVE - traffic is monitored & possibly altered

PASSIVE - traffic is only monitored

Question 4

HW protocol Analyzers

Answer 4

Besides sniffers, there are HW protocol analyzers which plug directly into the NW at the HW level & can monitor traffic w/ out manipulating traffic

Not easily accessible by ethical hackers & are extremely pricey

Question 5

Lawful Inception (LI)

Answer 5

aka Wiretapping; legally sanctioned access to communications NW data such as telephone calls or e-mail msgs

Question 6

How successful sniffing is depends on

Answer 6

the inherent insecurity of certain NW protcols;

TCP/IP, Telnet/rlogin Keystrokes, HTTP, SMTP (transfer of email), NNTP (nW news transfer Protocol - all communication including PWs & data sent in the clear), POP (post office protocol; retrieving mail from server), FTP, IMAP (internet msg access protocol - like SMTP)

Question 7

In terms of LI, sniffing process is looked at as having 3 components

Answer 7

1) IAP (Intercept Access Point) - where info is fathered for the LI
2) Mediation device supplied by 3rd party that handles information processing
3) Collection function that stores &processes info intercepted by the 3rd party

Question 8

Wireshark filter breakdown

Answer 8

Example ip.addr == 192.168.1.2

First is the protocol, next is the field, then operator, then the value

ne means NOT EQUAL

eq means EQUAL

Question 9

Wireshark CLI (command-line interface) tools (don’t need to memorize)

Answer 9

1) tshark //cmd line version of Wireshark (like TCPdump)
2) dumpcap //capture traffic
3) capinfos //reads capture & returns stats
4) editcap //edits or translates the format of captured files
5) mergecap //combines multiple capture files into one
6) text2cap //creates a capture file from an ASCII hexdump of packets

Question 10

TCPdump

Answer 10

//cmd based sniffer; native to linux, but its equivalent for windows is WINdump

tcpdump //allows you to start capturing packets from lowest NIC

tcpdump -w tel_capture.log //saves the capture into tel_capture.log

Question 11

Switched Network Sniffing

Answer 11

A wired switch doesn’t allow you to sniff the whole NW; each switchport is a collosion domain, so traffic within the switch doesn’t travel between ports (traffic is separate to each switchport)

Question 12

MAC Flooding

Answer 12

Most common method for enabling sniffing on a switch is to turn it into a device that does allow switching. We want to convert it to a hub-like environment

A switch keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table;

If a switch is flooded with MAC addresses, it may overwhelm the switches ability to write its own CAM table; in turn it makes the switch fall into a giant hub

Tool: Macof

Question 13

CAM table

Answer 13

Content Accessible Memory table with a fixed size that stores information such as MAC address of each client, port they are attached to, & any VLAN info;

A CAM table is used by the switch to help get traffic to its destination, but when it’s full…..in older switches, it would cause the switch to fail “open” & act as a hub, the flood would spill over affecting adjacent switches

Must maintain flood to keep switch acting as a hub; if flooding stop, the time outs that are set on the switch will start clearing out the CAM table entries, allowing switch to go to normal operations

(in newer switches, the success rate of mac flooding is much lower)

Question 14

Overflowing a CAM table using Ubuntu

Answer 14

Standard repositories store the tools needed for a successful attack; obtained with APTITUDE

1) su to root
2) aptitude install dsniff //install DSNIFF (include Macof)
3) enter cmd: macof //will start flooding CAM table
4) Ctrl +Z to stop

Question 15

ARP Poisoning

Answer 15

Address Resolution Protocol poisoning //attempts to contaminate NW w/ improper gateway mappings

What ARP does is it maps IP addresses to specific MAC addresses thereby allowing switches to know most efficient path for data being sent

CON: ARP doesn’t have prerequisites for its sending or receiving process; ARP broadcasts free to roam NW at will;

PRO: Attacker takes advantage of this open traffic concept by feeding incorrect ARP mappings to the gateway itself or to the hosts of the NW

Tools: Ettercap, Cain & Abel, Arpspoof

Question 16

IP DHCP snooping feature

Answer 16

Some switches have IP DHCP Snooping feature that verifies MAC-to-IP mappings & stores valid mappings in a DB

Question 17

Sniff a public NW

Answer 17

so much ARP traffic will appear, you will see new machines hopping on and off

Question 18

MAC spoofing

Answer 18

when an attacker changes their MAC address to the MAC address of an existing authenticated machine already on the NW

Not a technique used for NW-side sniffing, but gives unauthorized access onto NW w/ out much effort

Question 19

Port security

Answer 19

low level security that allows a specific # of MAC addresses to attach to a switchport; If this is enabled, it allows MAC spoofing easier

Question 20

Port Mirror or SPAN port

Answer 20

This technique is through physical means; here you can need physical access to the switch & use port mirroring or Switched Port Analyzer (SPAN)

This technique sends a copy of every NW packet encountered on one switchport or a whole VLAN to another port where it may be monitored

Used to monitor traffic for diagnostic purposes or implementing devices such as NIDS (NW intrusion detection systems)

Question 21

5 Defenses against attacks for Switches & WAP

Answer 21

1) Use a hardware-switched NW for the most sensitive portions of your NW in an effort to isolate traffic to a single segment or collision domain
2) Implement IP DHCP Snooping on switches to prevent ARP-poisoning & spoofing attacks
3) Implement policies preventing promiscuous mode on NW adapters
4) Be careful when deploying wireless access points, knowing that all traffic on the wireless NW is subject to sniffing
5) Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPSec

Question 22

6 ways to harden your NW against sniffing

Answer 22

1) Static ARP entires (preconfiguring a device w/ the MAC address)
2) Port Security - used by switches that have the ability to be programmed to allow only specific MAC addresses to send & receive data from each port; can specify max # of MAC addresses switchport can learn
3) IPv6 instead of IPv4 (IPv6 has more security options)
4) Replacing protocols such as FTP & Telnet w/ SSH (or if SSH is not avail, use IPsec
5) VPNs can provide an effective defense against sniffing due to their encryption
6) SSL with IPsec

Question 23

What is SSH?

Answer 23

Soft Shell used to Tunnel data (encrypt), securely get access to remote computer, widely used by NW admins to control servers and web remotely

Question 24

What is SSL?

Answer 24

Secure Sockets Layer that encrypts data to keep prying eyes from altering traffic or seeing it

Question 25

Each switchport represents a

Answer 25

collision domain therefore limiting sniffing to only the clients residing on that port

Question 26

Wireless access points function as a

Answer 26

HUB in which they do not segregate traffic as a traditional wired switch does

Question 27

MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

Answer 27

A reverse ARP request maps to two hosts

Question 28

What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts

Answer 28

ARP poisoning; the attacker maps all traffic to the attacker’s interface before traveling to proper destination

Question 29

Cain and Abel is known for

Answer 29

ARP poisoning, password cracking, and sniffing

Question 30

Which cmd launches a CLI (command line interface) version of Wireshark?

Answer 30

tshark

Question 31

Using TCPdump, what is the command used to save the capture for later review & what is the command to read the capture

Answer 31

tcpdump -w capture.log //save

tcpdump -r capture.log //read

Question 32

What is the generic syntax of a Wireshark filter?

Answer 32

Protocol.Field.Operator.Value

IP.ADDR == 192.168.1.54
(TCP.PORT == 23)

Question 33

Tiffany is analyzing a capture from a client’s NW, she is interested in NetBIOS traffic, what port does Tiffany filter for?

Answer 33

(TCP.PORT eq 139)

Port 139

Question 34

What device will limit the traffic to one port and what device will not?

Answer 34

A switch will, A hub will not