fc_08_sniffing Flashcards
Packet Sniffing
Packet sniffing is a process of monitoring and capturing all data packets passing through a given network using a software application or hardware device
It allows an attacker to observe and access the entire network traffic from a given point
Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP password, chat sessions, account information, etc.
Though most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy.
How sniffer works
A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
Types of Sniffing
Passive sniffing
- Passive sniffing refers to sniffing through a hub, wherein the traffic is sent to all ports
- It involves monitoring packets sent by others without sending any additional data packets in the network traffic
- In a network that uses hubs to connect systems, all hosts on the network can see all the traffic and therefore the attacker can easily capture traffic going through the hub
- Hub usage is an outdated approach. Most modern networks now use switches
Active Sniffing
- Active sniffing is used to sniff a switch-based network
- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch’s Content Addressable Memory (CAM) table, which keeps track of host-port connections
List active sniffing techniques
- MAC Flooding
- DHCP Attacks
- DNS Poisoning
- ARP Poisoning
- Switch Port Stealing
- Spoofing Attack
How Attackers Hack the Network Using Sniffers
Protocols Vulnerable to Sniffing
- Telnet and RLogin: Keystrokes including user names and passwords are sent in clear text
- HTTP: Data is sent in clear text
- POP: Passwords and data are sent in clear text
- IMAP: Passwords and data are sent in clear text
- SMTP and NNTP: Passwords and data are sent in clear text
- FTP: Passwords and data are sent in clear text
In which layer of the OSI model do sniffers operate?
Data link layer
All layers above data link layer can potentially be compromised by sniffing
Hardware Protocol analyzers
Hardware Protocol Analyzers
- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network
- It captures a data packet, decodes it, and analyzes its content based on certain predetermined rules
- It allows the attacker to see individual data bytes of each packet passing through the cable
Name Hardware Analyzers
N2X N5540A Agilent Protocol Analyzer
Keysight E2960B
Others
RADCOM PrismLite Protocol Analyzer (https://cybarcode.com)
STINGA Protocol Analyzer (http://utelsystems.com)
NETSCOUT’s OneTouch AT Network Assistant (http://enterprise.netscout.com)
NETSCOUT’s OptiView XG Network Analysis Tablet (http://enterprise.netscout.com)
Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)
Agilent (Keysight) Technologies E8364B (https://www.microlease.com)
U4421A Protocol Analyzer (http://www.keysight.com)
U4431A MIPI M-PHY Protocol Analyzer (http://www.keysight.com)
SPAN Ports
WireTapping
Active -> MITM
- Wiretapping is the process of monitoring telephone and Internet conversations by a third party
- Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet
- It allows an attacker to monitor, intercept, access, and record information contained in a data flow in a communication system
- Typically, the attacker uses a small amount of electrical signal generated by the telephone wires to tap the conversation.
Types
- Active Wiretapping: In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.
- Passive Wiretapping: Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.
Methods
- The official tapping of telephone lines
- The unofficial tapping of telephone lines
- Recording the conversation
- Direct line wiretap
- Radio wiretap
Lawful Interception
Lawful interception refers to legally intercepting data communication between two end points for surveillance on the traditional telecommunications, Voice over Internet Protocol (VoIP), data, and multiservice networks
List Sniffing Techniques
MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning
MAC Attacks
MAC Attacks => How CAM works?
Refer to the diagram below for the working of the CAM table. It shows three machines: Machine A, Machine B and Machine C, holding MAC addresses A, B and C respectively. Machine A, holding MAC address A, wants to interact with Machine B.
Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine’s (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply.
MAC Attacks => What Happens When CAM Table Is Full?
Once the CAM table fills up on a switch, additional ARP request traffic floods every port on the switch
This will change the behavior of the switch to reset to its learning mode, broadcasting on every port similar to a hub
This attack will also fill the CAM tables of adjacent switches
Fail open
MAC Attacks => MAC Flooding
MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full
The switch then acts as a hub by broadcasting packets to all machines on the network and therefore, the attackers can sniff the traffic easily
MAC Flooding Switches with macof
- macof is a Unix/Linux tool that is a part of dsniff collection
- macof sends random source MAC and IP addresses
- This tool floods the switch’s CAM tables (131,000 per min) by sending bogus MAC entries
MAC Attacks => Switch Port Stealing
MAC Attacks => How to Defend against MAC Attacks
To protect a port, this feature identifies and limits the MAC addresses of the machines that can access the port. If you assign a secure MAC address to a secure port, then the port will forward only the packets with source addresses that are inside the group of defined addresses.
A security violation occurs:
- When a port is configured as a secure port, and the maximum number of secure MAC addresses is reached
- When the MAC address of the machine that is attempting to access the port does not match any of the identified secure MAC addresses
Once the maximum number of secure MAC addresses on the port is set, the secure MAC addresses are included in an address table in any of the following three ways:
- You can configure all secure MAC addresses by using the switchport port-security mac-address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices.
- You can configure a number of addresses and allow the rest to be dynamically configured.
DHCP Attacks => How DHCP Works
DHCP Attacks => DHCP Request/Reply Messages
DHCP Attacks => DHCP Starvation Attack
DHCP Attacks => Rogue DHCP Server Attack
MITM
DHCP Attacks => How to Defend Against DHCP Starvation and Rogue Server Attack
- switchport port-security maximum 1: The switchport port-security maximum command configures the maximum number of secure MAC addresses for the port. The switchport port-security maximum 1 command sets that maximum to 1.
- switchport port-security violation restrict: The switchport port-security violation command sets the violation mode and the action taken when a security violation is detected. The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed.
- switchport port-security aging time 2: The switchport port-security aging time command configures the secure MAC address aging time on the port. The switchport port-security aging time 2 command sets the aging time to 2 minutes.
- switchport port-security aging type inactivity: The switchport port-security aging type command configures the secure MAC address aging type on the port. The switchport port-security aging type inactivity command sets the aging type to inactivity aging.
- switchport port-security mac-address sticky: Enables sticky learning on the interface by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all dynamically learned secure MAC addresses to the running configuration and converts them to sticky secure MAC addresses.
For protection against rogue DHCP server attacks
- ip dhcp snooping vlan 4,104: Enables or disables DHCP snooping on one or more VLANs.
- no ip dhcp snooping information option: To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.
- ip dhcp snooping: Enables DHCP snooping globally.
ARP Poisoning => What Is Address Resolution Protocol (ARP)?
- Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses
- All network devices that need to communicate on the network broadcast ARP queries in the network to find out other machines’ MAC addresses
- When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, the ARP_REQUEST is broadcast over the network
- All machines on the network compare this IP address with their own
- If one of the machines in the network identifies with this address, it responds to the ARP_REQUEST with its IP and MAC address. The requesting machine stores the address pair in its ARP table and begins the communication
ARP Poisoning => ARP Spoofing Attack
ARP spoofing is used as an intermediary step to perform attacks such as DoS, MITM, and session hijacking.
https://www.youtube.com/watch?v=A7nih6SANYs&t=12s
Gateway
ARP Poisoning => ARP Poisoning Tools
Ufasoft Snif
Others
- BetterCAP (https://www.bettercap.org)
- Ettercap (https://github.com)
- ArpSpoofTool (https://sourceforge.net)
- MITMf (https://github.com)
- Cain & Abel (http://www.oxid.it)
- Arpoison (https://sourceforge.net)
- hping3 (http://www.hping.org)
ARP Poisoning => How to Defend Against ARP Poisoning
Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.
If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network may not be able to run Dynamic ARP Inspection. In such situations, you have to configure a static mapping that associates an IP address with a MAC address on a VLAN to prevent an ARP poisoning attack.
ARP Poisoning => Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
Configuring DHCP Snooping in global configuration mode
Switch(config)# ip dhcp snooping
Configuring DHCP Snooping for a VLAN
- Switch(config)# ip dhcp snooping vlan 10
- Switch(config)# ^Z
To view the DHCP snooping status
Switch# show ip dhcp snooping
If the switch is functioning only at layer 2, apply the ip dhcp snooping trust command to the layer 2 interfaces in order to designate uplink interfaces as trusted interfaces. This informs the switch that DHCP responses can arrive on those interfaces.
To see the DHCP snooping table, you have to execute the following command
Switch(config)# show ip dhcp snooping binding
Command to configure ARP Inspection for a VLAN
Switch(config)# ip arp inspection vlan 10
For several VLANs
Switch(config)# ip arp inspection vlan 10, 11, 12, 13
or
Switch(config)# ip arp inspection vlan 10-13
To view the ARP Inspection status
- Switch(config)# show ip arp inspection
- %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10 ([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Oct30 2017])
ARP Spoofing => ARP Spoofing Detection Tools
XArp
Others
Capsa Network Analyzer (http://www.colasoft.com)
ArpON (http://arpon.sourceforge.net)
ARP AntiSpoofer (https://sourceforge.net)
ARPStraw (https://github.com)
shARP (https://github.com)
Spoofing Attacks =>
MAC duplicating refers to spoofing a MAC address with the MAC address of a legitimate user on the network.
A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network.
In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port.
Then the attacker spoofs a MAC address with the MAC address of the legitimate client.
If the spoofing is successful, the attacker receives all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network.
Spoofing Attacks => MAC Spoofing/Duplicating
- Press Win + R to open Run, type regedt32 to start the registry editor
- Note: Do not type Regedit to start the registry editor
- Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}” and double click on it to expand the tree
- Four-digit subkeys representing network adapters will be found (starting with 0000, 0001, 0002, etc.)
- Search for the proper “DriverDesc” key to find the desired interface
- Edit, or add, the string key “NetworkAddress” (data type “REG_SZ”) to contain the new MAC address
- Disable and then re-enable the network interface that was changed or reboot the system
Spoofing Attacks => MAC Spoofing Technique: Windows
Technitium MAC Address Changer
Others
- MAC Address Changer http://www.novirusthanks.org
- Change MAC Address https://lizardsystems.com
- GhostMAC http://ghostmac.fevermedia.ro
- Spoof-Me-Now https://sourceforge.net
- SMAC http://www.klcconsulting.net
Spoofing Attacks => MAC Spoofing Tools
Technitium MAC Address Changer
Technitium MAC Address Changer (TMAC) allows you to change (spoof) Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly
Spoofing Attacks => IRDP Spoofing
Attackers can use IRDP spoofing to launch MITM, DoS, and passive sniffing attacks.
Passive Sniffing: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker’s machine.
MITM: Once sniffing starts, the attacker acts as a proxy between the victim and the destination. The attacker plays an MITM role and tries to modify the traffic.
DoS: IRDP spoofing allows remote attackers to add wrong route entries to victims’ routing tables. The wrong address entry causes DoS.
Spoofing Attacks => How to Defend Against MAC Spoofing
To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks.
Once you enable the port security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows for specific action to be taken if a port security violation occurs.
- DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information to correspond with untrusted interfaces of a switch. It acts as a firewall between untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces.
- Dynamic ARP Inspection: The system checks the IP to MAC address binding for each ARP packet in a network. While performing a Dynamic ARP inspection, the system will automatically drop invalid IP to MAC address bindings.
- IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
- Encryption: Encrypt the communication between the access point and computer to prevent MAC spoofing.
- Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
- Implementation of IEEE 802.1X suites: It is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network
- AAA (Authentication, Authorization and Accounting): Use an AAA (Authentication, Authorization and Accounting) server mechanism to filter MAC addresses.
DNS Poisoning => DNS Poisoning Techniques
DNS Poisoning => Intranet DNS Spoofing
DNS Poisoning => Internet DNS Spoofing
DNS Poisoning => Proxy Server DNS Poisoning
DNS Poisoning => DNS Cache Poisoning
DNS Poisoning => How to Defend Against DNS Spoofing
Sniffing Tools => Wireshark
- It lets you capture and interactively browse the traffic running on a computer network
- Wireshark uses WinPcap to capture packets on its supported networks
- It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI networks
- A set of filters for customized data display can be refined using a display filter
Follow TCP Stream
Wireshark displays data from a TCP connection with a feature known as “Follow TCP Stream.” The tool sees the TCP data in the same way as the application layer does. Use this feature to find passwords in a Telnet session or to make sense of a data stream. To see the TCP stream, select a TCP packet of a stream/connection in the packet list and then select the Follow TCP Stream menu item from the Wireshark Tools menu. Wireshark displays all the data from the TCP stream by setting an appropriate display filter.
Sniffing Tools => Follow TCP Stream in Wireshark
Additional Filters
- tcp.flags.reset==1: Displays all TCP resets
- udp contains 33:27:58: Sets a filter for the hex values 0x33 0x27 0x58 at any offset
- http.request: Displays all HTTP GET requests
- tcp.analysis.retransmission: Displays all retransmissions in the trace
- tcp contains traffic: Displays all TCP packets that contain the word ‘traffic’
- !(arp or icmp or dns): Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of interest
- tcp.port == 4000: Sets a filter for any TCP packet with 4000 as a source or destination port
- tcp.port eq 25 or icmp: Displays only SMTP (port 25) and ICMP traffic
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16: Displays only traffic in the LAN (192.168.x.x), between workstations and servers (no Internet)
- ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip: Filters by a protocol (e.g. SIP) and filters out unwanted IPs
Sniffing Tools => Display Filters in Wireshark
Sniffing Tools => Additional Wireshark Filters
Sniffing Tools => SteelCentral Packet Analyzer and Capsa Network Analyzer
SteelCentral Packet Analyzer
SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis
Capsa Network Analyzer
Capsa Network Analyzer captures all data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphic way
Sniffing Tools => OmniPeek and Observer Analyzer
OmniPeek
OmniPeek sniffer displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets
Observer Analyzer
Observer provides a comprehensive drill-down into network traffic and provides back-in-time analysis, reporting, trending, alarms, application tools, and route monitoring capabilities
Sniffing Tools: Additional tools
Sniffing Tools: OmniPeek and Observer Analyzer
Sniffing Tools: Packet Sniffing Tools for Mobile
Wi.cap. Network Sniffer Pro
FaceNiff
Packet Capture
Countermeasures:
How to Defend Against Sniffing
- Restrict the physical access to the network media to ensure that a packet sniffer cannot be installed.
- Use end-to-end encryption to protect confidential information.
- Permanently add the MAC address of the gateway to the ARP cache.
- Use static IP addresses and ARP tables to prevent attackers from adding the spoofed ARP entries for machines in the network.
- Turn off network identification broadcasts and if possible restrict the network to authorized users in order to protect the network from being discovered with sniffing tools.
- Use IPv6 instead of IPv4 protocol.
- Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP, SSL for email connection, etc. to protect wireless network users against sniffing attacks.
- Use HTTPS instead of HTTP to protect usernames and passwords.
- Use switch instead of the hub as switch delivers data only to the intended recipient.
- Use Secure File Transfer Protocol (SFTP), instead of FTP for secure transfer of files.
- Use PGP and S/MIME, VPN, IPSec, SSL/TLS, Secure Shell (SSH), and One-time passwords (OTP).
- Always encrypt the wireless traffic with a strong encryption protocol such as WPA and WPA2.
- Retrieve MAC directly from NIC instead of OS; this prevents MAC address spoofing.
- Use tools to determine if any NICs are running in the promiscuous mode.
- Use a concept of ACL or Access Control List to allow access to only a fixed range of trusted IP addresses in a network.
- Change default passwords to complex passwords.
- Avoid broadcasting the SSID (Service Set Identifier).
- Implement MAC filtering mechanism on your router.
Sniffing Detection Techniques
How to Detect Sniffing
Sniffer Detection Techniques: Ping Method and DNS Method
Reverse DNS lookup
Sniffer Detection Technique: ARP Method
Sniffing Detection Techniques: Promiscuous Detection Tools
PromqryUI: PromqryUI is a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode
Nmap:
Nmap’s NSE script allows you to check if a target on a local Ethernet has its network card in promiscuous mode
Command to detect a NIC in promiscuous mode:
nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]
Sniffing Pen Testing: Sniffing Penetration Testing 1
CAM Table
The CAM (Content Addressable Memory) table is a dynamic table of fixed size. It stores information such as MAC addresses available on physical ports along with VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards data to the machine through the port with which the MAC address is bound.
MAC Attacks => How to Defend against MAC Attacks Commands
- switchport port-security
Enables port security on the interface.
- switchport port-security maximum 1 vlan access
Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1.
- switchport port-security violation restrict
Sets the violation mode {restrict | shutdown}, the action to be taken when a security violation is detected.
- switchport port-security aging time 2
Sets the aging time for the secure port.
- switchport port-security aging type inactivity
The type keyword sets the aging type as absolute or inactivity.
- snmp-server enable traps port-security trap-rate 5
Controls the rate at which SNMP traps are generated.
Threats of ARP Poisoning
Sniffing Pen Testing: Sniffing Penetration Testing 2
Sniffing Pen Testing: Sniffing Penetration Testing 3