Sniffing – Spoofing - Session Hijacking Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Edited by Irwan AK.

Sniffing. Sniffing is the attempt to read and analyse the packets passing over a network using a packet-sniffing program.

Packet Sniffing

What is packet sniffing?
Packet sniffing is listening (with software) to the raw network device for data packets that fit certain criteria. A "Packet Sniffer" is needed to collect those data packets. It must be capable of working with the type of network interface supported by the OS. Packets are all in binary format. A "Protocol Analyzer" helps make sense of it all: it recognizes which bits belong to the header fields of the protocols in which the data is embedded. It can be useful to debug, at bit level, an application that sends and receives messages through a TCP/IP connection.

Available Tools
– Ethereal: runs on all popular platforms, including Unix, Linux and Windows. It is a powerful protocol analyzer. Open source.
– tcpdump, Natas (Windows), nfswatch and Web Packet Sniffer (Unix) are other examples of free sniffers.
– LanWatch, Etherpeek, Sniff'em are examples of commercial sniffers.

Ethereal. Now known as Wireshark. Install Wireshark on GNU/Linux: # apt-get install wireshark ... damn, it is so easy to install Wireshark on GNU/Linux.

Wireshark

Packet Sniffing (2.1) Introduction to Ethereal. Click this button to show the available interfaces. Click "Capture" to start.

Packet Sniffing (2.2) Introduction to Ethereal. While the sniffer is running, this window shows how many packets, belonging to each different protocol, are being captured. Click "Stop" to finish the capture and analyze the results.

Packet Sniffing (2.3) Introduction to Ethereal. [Screenshot labels: list of captured packets; protocol analyzer; packet in binary format. The selected packet is analyzed below; the selected piece of the packet is highlighted below.]

Packet Sniffing (5.1) Example: Analysis of packets exchanged between an LLRP Reader (IP: ) and a Client (IP: ).
TCP connection establishment:
Step 1: Client initiates the connection [SYN flag set] and informs about its initial Sequence Number.
Step 2: Reader accepts, acknowledges the previous message and informs about the initial Sequence Number chosen for the reverse direction [SYN, ACK flags set].
Step 3: Client acknowledges the previous message [ACK flag set].
Once the connection is established, LLRP data transfer can take place.
Client -> Reader: SYN, Seq=X
Reader -> Client: SYN, ACK, Seq=Y, Ack=X+1
Client -> Reader: ACK, Seq=X, Ack=Y+1
Client <-> Reader: LLRP data transfer

Wait ... what is LLRP? The Low Level Reader Protocol (LLRP) Standard is a protocol for an interface between RFID Readers and Clients. The interface protocol is called low-level because it provides control of RFID air protocol operation timing and access to air protocol command parameters. The design of this interface recognizes that in some RFID systems there is a requirement for explicit knowledge of RFID air protocols and the ability to control Readers that implement RFID air protocol communications. It also recognizes that coupling control to the physical layers of an RFID infrastructure may be useful for the purpose of mitigating RFID interference.

RFID. RFID (Radio Frequency Identification) is an identification method that uses devices called RFID tags or transponders to store and retrieve data remotely. An RFID tag or card is an object that can be attached to or embedded in a product, an animal or even a person for the purpose of identification using radio waves. An RFID tag consists of a silicon microchip and an antenna. Passive tags need no power source, while active tags need a power source in order to function.

Question... Still remember TCP/UDP? Still remember connection-oriented and connectionless? TCP? UDP?

Packet Sniffing (5.2) Example: TCP Connection Establishment. Step 1. IP ( ) requests a connection [SYN] to IP ( )

Packet Sniffing (5.3) Example: TCP Connection Establishment. Step 2. IP ( ) accepts the connection [SYN, ACK]

Packet Sniffing (5.4) Example: TCP Connection Establishment. Step 3. IP ( ) acknowledges the last message [ACK] so that connection is established

Packet Sniffing (5.5) Example: LLRP data transfer.
Link Layer Protocol: Ethernet. The protocol's header contains the source and destination MAC addresses.
Network Layer Protocol: IP. The protocol's header contains the source and destination IP addresses.
Transport Layer Protocol: TCP. The protocol's header contains the source and destination ports. Sequence and Acknowledgement numbers are useful to follow the order in which messages were sent. In the TCP protocol, the first sequence number is randomly generated. To make it easier to follow, Ethereal displays relative numbers, that is, as if the first one were zero.
These are the data bits sent by the application.
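To make the relative numbering concrete, here is an added example (not part of the original slides) that takes the TCP header fields a protocol analyzer would show for the handshake above and rewrites the absolute sequence/acknowledgement numbers as offsets from each direction's initial sequence number, the way Ethereal/Wireshark displays them. The capture is constructed: the addresses 192.0.2.10 (Client) and 192.0.2.20 (Reader), the initial sequence numbers 1000000 and 2000000, and the 11-byte payload are assumed values, not taken from the slides.

```python
from dataclasses import dataclass

FLAG_ORDER = ["SYN", "PSH", "FIN", "ACK"]   # display order, as Wireshark prints [PSH, ACK]


@dataclass
class Segment:
    """The TCP header fields the example needs, as read off the protocol analyzer."""
    src: str
    dst: str
    flags: frozenset
    seq: int            # absolute sequence number as sent on the wire
    ack: int            # absolute acknowledgement number (meaningful only with ACK set)
    payload_len: int = 0


# Constructed capture (assumed values): Client opens a connection to the Reader and
# then sends one 11-byte application message. 1000000 and 2000000 stand in for the
# randomly generated initial sequence numbers X and Y of the slide.
CLIENT, READER = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    Segment(CLIENT, READER, frozenset({"SYN"}),        1000000, 0),              # step 1
    Segment(READER, CLIENT, frozenset({"SYN", "ACK"}), 2000000, 1000001),        # step 2
    Segment(CLIENT, READER, frozenset({"ACK"}),        1000001, 2000001),        # step 3
    Segment(CLIENT, READER, frozenset({"PSH", "ACK"}), 1000001, 2000001, 11),    # LLRP data
    Segment(READER, CLIENT, frozenset({"ACK"}),        2000001, 1000012),        # acks 11 bytes
]


def flag_string(flags):
    return "/".join(f for f in FLAG_ORDER if f in flags)


def relative_numbers(segments):
    """Return (flags, rel_seq, rel_ack) per segment, numbered from each direction's ISN."""
    isn = {}    # (src, dst) -> initial sequence number announced in that direction's SYN
    rows = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if "SYN" in s.flags and fwd not in isn:
            isn[fwd] = s.seq
        # seq is relative to our own ISN; ack is relative to the peer's ISN
        rel_seq = s.seq - isn[fwd] if fwd in isn else None
        rel_ack = s.ack - isn[rev] if ("ACK" in s.flags and rev in isn) else None
        rows.append((flag_string(s.flags), rel_seq, rel_ack))
    return rows


def handshake_complete(segments):
    """True if the first three segments form a consistent SYN, SYN/ACK, ACK exchange."""
    if len(segments) < 3:
        return False
    syn, synack, ack = segments[:3]
    return (
        syn.flags == {"SYN"}
        and synack.flags == {"SYN", "ACK"}
        and (synack.src, synack.dst) == (syn.dst, syn.src)
        and synack.ack == syn.seq + 1           # a SYN consumes one sequence number
        and "ACK" in ack.flags and "SYN" not in ack.flags
        and (ack.src, ack.dst) == (syn.src, syn.dst)
        and ack.seq == syn.seq + 1
        and ack.ack == synack.seq + 1
    )


if __name__ == "__main__":
    for flags, seq, ack in relative_numbers(SAMPLE):
        print(f"[{flags}] Seq={seq} Ack={ack}")
    print("handshake complete:", handshake_complete(SAMPLE))
```

The relative view shows the SYN as Seq=0, the SYN/ACK as Seq=0 Ack=1, the client's ACK as Seq=1 Ack=1, and after the 11-byte message the reader's acknowledgement as Ack=12, which is exactly the sequence of numbers you read in the analyzer's packet list.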

Question... Still remember the TCP/IP layers and the OSI layers?

Packet Sniffing (5.6) Example: LLRP data transfer. The Client sends a GET_READER_CAPABILITIES LLRP message to the Reader. According to the LLRP binary encoding, the application data is:
Rsvd = 000
Ver = 001
Message Type (decimal "1")
Message Length [31:16]
Message Length [15:0] (decimal "11")
Message ID [31:16]
Message ID [15:0]
Requested Data
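The field layout on this slide (a 16-bit word holding Rsvd, Ver and Message Type, then a 32-bit Message Length and a 32-bit Message ID, followed by the Requested Data byte) is enough to write a small decoder. The following is an added example, not code from the slides or from any LLRP implementation: it parses and builds a GET_READER_CAPABILITIES message from those fields, using a constructed 11-byte sample in which the message ID of 1 and the Requested Data value of 0 are assumed values.

```python
import struct

LLRP_HEADER_LEN = 10            # 16-bit type word + 32-bit length + 32-bit message ID
GET_READER_CAPABILITIES = 1     # Message Type value shown on the slide

# Constructed sample bytes (assumed values): Rsvd=000, Ver=001, Type=1 -> 0x0401,
# Length=11, Message ID=1, Requested Data=0.
SAMPLE = bytes.fromhex("0401" "0000000b" "00000001" "00")


def parse_llrp_header(data):
    """Split the first 10 bytes into Rsvd(3 bits) | Ver(3 bits) | Type(10 bits), Length, ID."""
    if len(data) < LLRP_HEADER_LEN:
        raise ValueError("truncated LLRP header")
    word, length, msg_id = struct.unpack("!HII", data[:LLRP_HEADER_LEN])
    # Reject lengths that would make a consumer read past the buffer or into the header
    if length < LLRP_HEADER_LEN or length > len(data):
        raise ValueError("bad Message Length %d for %d bytes of data" % (length, len(data)))
    return {
        "rsvd": word >> 13,
        "ver": (word >> 10) & 0x7,
        "type": word & 0x3FF,
        "length": length,
        "msg_id": msg_id,
    }


def parse_get_reader_capabilities(data):
    """Decode the header and the single Requested Data byte that follows it."""
    hdr = parse_llrp_header(data)
    if hdr["type"] != GET_READER_CAPABILITIES:
        raise ValueError("not a GET_READER_CAPABILITIES message (type %d)" % hdr["type"])
    if hdr["length"] != LLRP_HEADER_LEN + 1:
        raise ValueError("unexpected Message Length %d" % hdr["length"])
    hdr["requested_data"] = data[LLRP_HEADER_LEN]
    return hdr


def build_get_reader_capabilities(msg_id, requested_data=0):
    """Encode the same message: Rsvd=0, Ver=1, Type=1, Length=11, then Requested Data."""
    word = (0 << 13) | (1 << 10) | GET_READER_CAPABILITIES
    return struct.pack("!HIIB", word, LLRP_HEADER_LEN + 1, msg_id, requested_data)


if __name__ == "__main__":
    print(parse_get_reader_capabilities(SAMPLE))
    print(build_get_reader_capabilities(1).hex())
```

The length check matters when such a decoder sits behind a sniffer: a captured frame can be truncated, and a header whose Message Length exceeds the bytes actually present should be rejected rather than indexed into.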

Session Hijacking. Session hijacking is taking over a session on a network connection. Types:
– Active session hijacking: the attacker takes over an ongoing session by cutting off an existing communication. The attacker acts as a man-in-the-middle and takes an active part in the communication between client and server. This attack requires the skill to guess the server's sequence (SEQ) number before the client can respond to the server.
– Passive session hijacking: the attacker only watches the packet traffic. Usually called sniffing. It can reveal important information, e.g. the user ID and password of a client logging in to the server, which the attacker can then use to log in at a later time.

Spoofing In spoofing (fooling, deceiving), an attacker impersonates someone else. This allows him/her to exploit the access privileges of the spoofed.

Types of Spoofing
– ARP Spoofing: the attacker substitutes the attacker's MAC address for the client's MAC address.
– IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.
– E-mail spoofing: the attacker sends e-mail but makes it appear to come from someone else.
– Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.
– Non-network (social engineering)

IP Spoofing IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header. Routers use the destination IP address to forward packets, but ignore the source IP address. The source IP address is used only by the destination machine, when it responds back to the source. When an attacker spoofs someone’s IP address, the victim’s reply goes back to that address. Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.

E-mail Spoofing. 3 basic ways to perform it: – Aliasing – Modify the mail client – Telnet to port 25

E-mail Spoofing. One simple form of spoofing is to create a valid account (on Yahoo or Hotmail) and put someone else's name in the alias field. In mail relaying, an attacker uses a mail server to send mail to someone in a different domain. When e-mail is sent by a user, the From: address is not validated.

Web Spoofing. One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g., wwwFirstNationalBank.com. Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g., in an e-mail. Example: American Red Cross.

MitM Attacks. 'Man-in-the-Middle' refers to a machine that is set up so that traffic between two other machines must pass through the MitM machine.
– Difficult to set up, especially over the Internet. Not so difficult in a LAN environment.
– Provides no additional advantages over a 'sniffer'; it is actually just a way to implement a sniffer.
– Defense: encryption. However, MitM can also refer to an intermediate encrypter.
– Strong perimeter security for Internet MitM attacks. You are only as secure as the weakest link: the MitM can attack from either end. So, even if you have strong security but your partner does not, the MitM is possible from the other end.

Countermeasures
IP Spoofing
– Protect against it with good firewall rules: keep your machines from launching a spoofed IP (router filters).
– Limit configuration access on machines.
– Programs like arpwatch that keep track of IP/MAC pairings.
– The best way to protect against source-routing spoofing is to simply disable source routing at your routers.
E-mail Spoofing
– Most servers today do not allow relaying. They only allow e-mails to be sent to/from their range of IP addresses. They ensure that the recipient's domain is the same domain as the mail server. The attacker can run his own server, but then he is easier to trace.
– Defense: do not allow relaying on your SMTP servers.
Web Spoofing
– Use a 'server-side certificate'. Still, users should examine the browser location/status line, examine links in the HTML source code, disable "active" content (Java, JavaScript, ActiveX) in the browser, and ensure that the browser starts on a "secure page" (a local HTML page).
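Two of the IP-spoofing countermeasures listed above, the router filter that stops your own machines from launching spoofed packets and an arpwatch-style monitor of IP/MAC pairings (the defence against the ARP spoofing described in the spoofing types), can be shown in a few lines. The following is an added example, not code from the slides, from arpwatch or from any router vendor: the ARP replies and the 192.0.2.0/24 internal prefix are constructed sample data, and the alert text only imitates the style of an arpwatch "changed ethernet address" report.

```python
import ipaddress

# Constructed ARP replies (ip, mac) as a LAN monitor would see them. The last entry
# is the gateway's IP suddenly answered by a different MAC: the pairing change that
# an ARP-spoofing attempt produces and that arpwatch reports.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1",  "aa:bb:cc:00:00:01"),   # gateway, first seen
    ("192.0.2.10", "aa:bb:cc:00:00:10"),   # client, first seen
    ("192.0.2.1",  "AA:BB:CC:00:00:01"),   # gateway again, same MAC (case differs only)
    ("192.0.2.1",  "de:ad:be:ef:00:02"),   # gateway IP now claimed by another MAC
]


class ArpWatch:
    """Remember the MAC first seen for each IP and flag any later change."""

    def __init__(self):
        self.pairings = {}

    def observe(self, ip, mac):
        """Record one ARP reply; return an alert string if the IP/MAC pairing changed."""
        mac = mac.lower()
        known = self.pairings.get(ip)
        if known is None:
            self.pairings[ip] = mac        # new station: remember it, no alert
            return None
        if known == mac:
            return None                    # consistent with what we already knew
        self.pairings[ip] = mac            # record the new pairing, as arpwatch does
        return f"changed ethernet address {ip} {known} -> {mac}"


def arp_alerts(replies):
    """Run the watcher over a list of (ip, mac) replies and collect the alerts."""
    watch = ArpWatch()
    alerts = []
    for ip, mac in replies:
        alert = watch.observe(ip, mac)
        if alert:
            alerts.append(alert)
    return alerts


class SpoofFilter:
    """Source-address check a border router or firewall applies in both directions."""

    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def _is_internal(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.internal)

    def allow(self, direction, src):
        """direction is 'out' (leaving our LAN) or 'in' (arriving from the Internet)."""
        if direction == "out":
            return self._is_internal(src)        # our hosts may only send from our addresses
        if direction == "in":
            return not self._is_internal(src)    # nothing from outside may claim our addresses
        raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    for alert in arp_alerts(SAMPLE_ARP_REPLIES):
        print(alert)
    f = SpoofFilter(["192.0.2.0/24"])
    print("spoofed source leaving LAN allowed:", f.allow("out", "198.51.100.7"))
    print("our address arriving from outside allowed:", f.allow("in", "192.0.2.5"))
```

The outbound rule is what "keep your machines from launching a spoofed IP" means in practice: a packet leaving the LAN with a source address that is not yours is dropped at the router, so a compromised internal host cannot blind-spoof somebody else. The inbound rule rejects the mirror case, an outside packet claiming one of your own addresses.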