Network Eavesdropping

Presentation transcript:

Network Eavesdropping

Outline
- Concepts
- Methodology
- Detection

Eavesdropping
- Sniffer: a packet capture tool (originally a trademark)
- Network sniffing is eavesdropping on the network to capture the packets transmitted over it
- It monitors traffic destined to the sniffing host as well as to all other hosts on the network
- Can be used for both attacking and protecting purposes

Uses of a sniffer
- Traffic analysis
- Performance analysis
- IDS/IPS are built on a sniffer
- Stealing clear-text content: usernames and passwords, conversations

How does a sniffer work
Normal mode
- Each network interface card (NIC) and network device has a unique MAC address
- The NIC only receives packets destined to its specific MAC address, and all other packets are ignored
Sniffer mode
- A machine running a sniffer breaks this rule and accepts all packets
- Turn on "promiscuous" mode on the NIC
- This makes the NIC accept all data-link layer frames regardless of the MAC address

Anatomy of a sniffer (Media -> Capture driver -> Decode buffer -> Decode -> Storage)
- Media: the network medium the frames are taken from
- Capture driver: software driver to capture and filter packets
- Decode buffer: temporary space before processing
- Decode: decoding to readable form
- Storage: storage for offline analysis

How to sniff in shared networks
- Passive: just put the NIC into promiscuous mode
- Switched networks prevent this traditional sniffing, because frames are forwarded to a single port based on a table of MAC/port associations

How to sniff in switched networks
- Switches prevent traditional sniffing: a switch keeps an internal list of the MAC addresses of the hosts on its ports, and traffic is sent to a port only if the destination host is recorded as being present on that port
- Switched networks are not really safe from sniffing
- Sniffing in switched networks needs active operations: ARP spoofing, MAC flooding

ARP revisited
- A (IP 158.108.1.2, MAC 8:0:20:7a:49:68) wants to resolve the MAC address of D (IP 158.108.1.5, MAC 00:10:4B:13:0A:BC)
- A sends a broadcast ARP request, seen by B, C and D: "who has IP 158.108.1.5?"
- D sends a unicast ARP reply to A: "me! with 00:10:4B:13:0A:BC"

Gratuitous ARP
- A host "announces" its IP address to the local network when its interface is configured, usually at boot time, to prevent the use of duplicate addresses on the same network
- A gratuitous ARP packet is an ARP request with both the sender's and the target's IP address fields containing the configured IP address
- Routers and other network hardware may cache information gained from gratuitous ARP packets
- Example: A (IP 158.108.1.2, MAC 8:0:20:7a:49:68) broadcasts to B, C and D: "Hi everyone, my IP is 158.108.1.2 and my MAC is 8:0:20:7a:49:68"

ARP datagrams
An ARP/RARP message is carried inside a data-link frame (frame header, then the ARP/RARP message). Message layout, bits 0-15 | 16-31:
  Hardware type (16)                  | Protocol type (16)
  hlen (8) | plen (8)                 | ARP operation (16)
  Sender MAC addr (bytes 0-3)
  Sender MAC addr (bytes 4-5)         | Sender IP addr (bytes 0-1)
  Sender IP addr (bytes 2-3)          | Dest MAC addr (bytes 0-1)
  Dest MAC addr (bytes 2-5)
  Dest IP addr (bytes 0-3)

ARP request packet
Sample ARP request Ethernet packet: IP 158.108.33.2 (MAC 02:60:8c:2e:b5:8b) asks for the MAC of IP 158.108.33.5 (MAC unknown). Fields in frame order:
  FF:FF:FF:FF:FF:FF    dest MAC (broadcast)
  02:60:8c:2e:b5:8b    source MAC
  0x0806               frame type: ARP
  0x01                 hardware type: Ethernet
  0x800                protocol type: IP
  0x06                 MAC length = 6
  0x04                 IP length = 4
  0x001                operation: request
  02:60:8c:2e:b5:8b    source MAC
  158.108.33.2         source IP
  00:00:00:00:00:00    dest MAC (unknown)
  158.108.33.5         dest IP
  checksum             Ethernet checksum

ARP reply packet
Sample ARP reply Ethernet packet: IP 158.108.33.5 (MAC 00:00:e8:15:cc:0c) answers IP 158.108.33.2 (MAC 02:60:8c:2e:b5:8b). Fields in frame order:
  02:60:8c:2e:b5:8b    dest MAC (unicast)
  00:00:e8:15:cc:0c    source MAC
  0x0806               frame type: ARP
  0x01                 hardware type: Ethernet
  0x800                protocol type: IP
  0x06                 MAC length = 6
  0x04                 IP length = 4
  0x002                operation: reply
  00:00:e8:15:cc:0c    source MAC
  158.108.33.5         source IP
  02:60:8c:2e:b5:8b    dest MAC
  158.108.33.2         dest IP
  checksum             Ethernet checksum
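The request and reply layouts of the last three slides, decoded in Python as an added example (not part of the original slides): the sample frames are the slides' own values re-encoded as bytes; the gratuitous frame for 158.108.1.2 is constructed from the earlier slide, and the helper names are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Field order follows the slide: 14-byte Ethernet header, then htype(2)
# ptype(2) hlen(1) plen(1) op(2) sender MAC(6) sender IP(4) dest MAC(6) dest IP(4)
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
OPS = {1: "request", 2: "reply"}

# Constructed from the slides' sample request/reply (hex, frame order, no FCS)
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff 02608c2eb58b 0806 0001 0800 06 04 0001 "
    "02608c2eb58b 9e6c2102 000000000000 9e6c2105")
SAMPLE_REPLY = bytes.fromhex(
    "02608c2eb58b 0000e815cc0c 0806 0001 0800 06 04 0002 "
    "0000e815cc0c 9e6c2105 02608c2eb58b 9e6c2102")
# Constructed gratuitous ARP for 158.108.1.2 / 8:0:20:7a:49:68 (slide example)
SAMPLE_GRATUITOUS = bytes.fromhex(
    "ffffffffffff 0800207a4968 0806 0001 0800 06 04 0001 "
    "0800207a4968 9e6c0102 000000000000 9e6c0102")

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "op": OPS.get(op, f"op{op}"),
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}

def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: a request whose sender and target IP are the same."""
    return arp["op"] == "request" and arp["sender_ip"] == arp["target_ip"]

def answers(request: dict, reply: dict) -> bool:
    """True when the reply is the unicast answer to this request: it names the
    asked-for IP as sender and is addressed back to the requester's IP/MAC."""
    return (reply["op"] == "reply"
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_ip"] == request["sender_ip"]
            and reply["target_mac"] == request["sender_mac"]
            and reply["eth_dst"] == request["eth_src"])
```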

Playing with ARP
- How to see the ARP table?
- How to clear the ARP table?
- How to add an ARP entry?
- How to check the table in IPv6?

Facts about ARP
- Stateless protocol
- Not designed with security in mind: no means for authentication or validation
- Nothing prevents clients from crafting custom ARP messages: the source IP address and the source MAC address can both be forged
- Result: malicious nodes can fool network nodes into sending traffic to the wrong MAC address, which exposes the network to attacks such as ARP spoofing (ARP cache poisoning) and MAC flooding

ARP cache
- Kept locally to minimize the number of ARP request broadcasts
- The cache is updated with the new IP/MAC association for each reply
- Some OSs will update the cache if a reply is received, regardless of whether they sent out an actual request
- Possible to overwrite the ARP cache on many OSs
- Possible to associate a MAC address with the default gateway's IP address

ARP weakness
- If two machines have the same IP address, they will both respond to the same ARP request (IP conflict)
- Depending on the OS, one of two things could happen:
  - The slowest (last) ARP reply to arrive will be cached until the ARP entry expires
  - The first ARP reply to arrive will be cached, and any further ARP replies will be ignored (until the ARP entry expires)

ARP Spoofing
- Methods to spoof the contents of an ARP table
- Takes advantage of the ARP cache; the process of corrupting the cache is "poisoning", hence it is also called ARP cache poisoning
- Causes all outgoing traffic from the target host to be transmitted to the hacker's host
- The hacker can also forge ARP replies
- Dsniff by Dug Song includes a program named "arpspoof" for this purpose

ARP Spoofing Scenario (hosts A: IP IA, MAC MA; B: IP IB, MAC MB; attacker: IP IC, MAC MC)
- Normal condition: A's cache maps IB to MB and IC to MC; B's cache maps IA to MA and IC to MC; the attacker's cache maps IA to MA and IB to MB
- After ARP spoofing: A's cache maps IB to MC and B's cache maps IA to MC, so both now send each other's traffic to the attacker

ARP Poisoning: Broadcast Request
- Caches before the attack: A (IP IA, MAC MA) holds IB->MB and IC->MC; B (IP IB, MAC MB) holds IA->MA and IC->MC; the attacker (IP IC, MAC MC) holds IA->MA and IB->MB
- A broadcast ARP request "Who has IA? My IP is IB" appears on the segment

ARP Poisoning: Response to Broadcast
- A answers "I have IA and my MAC is MA"
- A's cache now maps IB to MC (learned from the sender fields of the request); B's cache (IA->MA, IC->MC) and the attacker's cache (IA->MA, IB->MB) are unchanged

ARP Poisoning: Result like Sniffing
- Not quite a sniffer, but fairly close
- A's cache maps IB to MC, so a packet destined for IB is first sent to IC
- The attacker forwards the packet on to B
- B's cache (IA->MA, IC->MC) and the attacker's cache (IA->MA, IB->MB) are unchanged

ARP Poisoning: Broadcast Request
- A's cache holds IB->MB and IC->MC; B's holds IA->MA and IC->MC; the attacker's holds IA->MA and IB->MB
- A broadcasts "Who has IB? My IP is IA"

ARP Poisoning: Responses to the Broadcast Request
- Two replies arrive at A: "I have IB and my MAC is MB" (from B) and "I have IB and my MAC is MC" (from the attacker)
- A's cache ends up mapping IB to MC; B's and the attacker's caches are unchanged

ARP Poisoning: Unsolicited Response
- Caches: A holds IB->MB and IC->MC; B holds IA->MA and IC->MC; the attacker holds IA->MA and IB->MB
- The attacker sends the reply "I have IX and my MAC is MC" without any request having been made

ARP Poisoning: Response to Unsolicited
- After the unsolicited reply "I have IX and my MAC is MC", both A's cache (IB->MB, IC->MC) and B's cache (IA->MA, IC->MC) gain an entry for IX

MAC Flooding
- A switch keeps a table (in a buffer) of all MAC addresses that appear on each port
- If a large number of addresses appear on a single port, some switches begin to send all traffic to that port
- Flooding the switch with randomly faked MAC addresses overloads it and it fails into "fail-open mode"
- In fail-open mode, it operates exactly like a hub, transmitting all packets to all addresses in the network
- Dsniff includes a program named "macof" that facilitates flooding a switch with random MAC addresses

MAC Address Cloning
- MAC addresses were intended to be globally unique and unchangeable
- Today, MAC addresses can be easily changed
- An attacker could DoS a target computer, clone the target's MAC address, and receive all frames intended for the target

Sample Tools
- Ettercap (http://ettercap.sourceforge.net/): complete sniffing and ARP corruption tool with command-line and GUI
- Arpspoof (http://monkey.org/~dugsong/dsniff/faq.html): basic ARP manipulation tool; part of the dsniff package
- ARPoison (http://www.arpoison.net/): basic ARP spoofing tool
- Many more…

Sniffer Prevention and Detection
- Done properly, a sniffer is impossible to detect
- Sniffing is a passive activity; it doesn't generate the unusual traffic normally linked to active intrusion attacks
- Difficult to prevent

Possible Protection: three main types
- End-node precautions
- Prevention
- Detection

Precautions and Implementation
- Use a VPN or some other encrypted channel for all communication
- Verify the authenticity of all SSL and SSH certificates before accepting them

Prevention
Deploy intelligent Ethernet switches that support the following features:
- Secured port: specify the MAC address for each port; limit the number of MACs on an interface
- Smart cache: only time out inactive entries
- Smart management: never flood; require a host to send traffic first before receiving
- Dynamic ARP inspection: uses information from DHCP snooping to block unknown bindings

Sniffer Detection
Shared network: local detection of promiscuous mode
- Ping test
- ARP test
- Ping latency test
- Employing a honeypot
Switched network
- Track down any nodes found performing ARP cache changes

Sniffer Detection: Ping test
- Construct an ICMP echo request: set the IP address to that of the suspected host, but choose a mismatched MAC address
- Most systems will ignore this packet, since its MAC address is wrong
- In some systems, if the NIC is in promiscuous mode, the sniffer will grab this packet as a legitimate packet and respond accordingly
- If the suspected host replies to our request, we know that it is in promiscuous mode

Sniffer Detection: ARP test
- Send out an ARP request to the suspect host with all valid information except a bogus destination MAC address
- A machine in non-promiscuous mode would never see the packet
- A machine in promiscuous mode would process it and reply
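The ping test and the ARP test of the two slides above, as an added example that is not part of the original slides: it builds both probe frames in Python and checks whether a captured frame is an answer to the ping probe. The bogus MAC 00:11:22:33:44:55, the identifier 0x4242 and the function names are constructed; sending the frames takes a raw link-layer socket on the segment being audited, and, as the limitations slide notes, a sniffer that filters such packets will not answer.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

# Deliberately wrong destination MAC (constructed value): a NIC in normal mode
# drops frames for it, so only a promiscuous host can see and answer the probe.
BOGUS_MAC = "00:11:22:33:44:55"

def ping_probe(src_mac, src_ip, suspect_ip, ident=0x4242):
    """Ping test: ICMP echo request for the suspect's IP inside an Ethernet
    frame addressed to BOGUS_MAC rather than the suspect's real MAC."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, 1, 0, ip_bytes(src_ip), ip_bytes(suspect_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return mac_bytes(BOGUS_MAC) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + icmp

def arp_probe(src_mac, src_ip, suspect_ip):
    """ARP test: a well-formed ARP request for the suspect's IP, but sent to
    BOGUS_MAC instead of broadcast, so only a promiscuous NIC delivers it."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac_bytes(src_mac),
                      ip_bytes(src_ip), b"\x00" * 6, ip_bytes(suspect_ip))
    return mac_bytes(BOGUS_MAC) + mac_bytes(src_mac) + b"\x08\x06" + arp

def is_probe_answer(reply: bytes, suspect_ip: str, ident=0x4242) -> bool:
    """Does a captured frame answer our ping probe? An ICMP echo reply (type 0)
    from the suspect carrying our identifier means its stack processed the
    frame despite the wrong MAC, i.e. the NIC is in promiscuous mode."""
    if len(reply) < 14 + 20 + 8 or reply[12:14] != b"\x08\x00":
        return False
    ihl = (reply[14] & 0x0F) * 4          # IPv4 header length in bytes
    src_ip = bytes(reply[26:30])          # IPv4 source address field
    icmp = reply[14 + ihl:]
    return (reply[23] == 1 and src_ip == ip_bytes(suspect_ip)
            and icmp[0] == 0 and struct.unpack("!H", icmp[4:6])[0] == ident)
```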

Sniffer Detection: Ping Latency test
- Method: make two different populations, the normal-mode population and the promiscuous-mode population; or ping the suspected host and record the RTT
- Create a lot of fake TCP connections
- We expect the sniffer to be processing the packets, so its latency will increase
- Ping the suspected host again to see if the round-trip time has increased

Sniffer Detection: Honeypot
- Create telnet traffic with lots of logins and passwords: connections to a telnet server (may be a fake server)
- The sniffer takes the bait

Sniffer Detection Limitations
- ARP, ICMP, DNS tests: sophisticated attackers are of course aware of these and design their sniffers to filter out or ignore these packets
- Latency test: a probabilistic technique; many known and unknown factors (OS, traffic) may affect the results

Antisniffer Tools
- Antisniff: http://packetstormsecurity.org/sniffers/antisniff/
- Anti-Antisniff: http://www.securityfocus.com/tools/336

Sniffer Detection: Detect ARP Spoof
- Detect and track down any nodes found performing ARP cache corruption
- Tools:
  - arpwatch: watches for ARP cache entry changes and sends e-mail if found
  - Ettercap: has a plugin that can detect suspicious ARP and other Ettercap users on a network
  - Network Intrusion Detection System (IDS): most are designed with the ability to detect and warn about suspicious ARP activity
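An arpwatch-style monitor as an added example (not arpwatch's code nor part of the original slides): it tracks the IP/MAC pairing first seen in ARP traffic and flags the three poisoning patterns the scenario slides showed, replayed here with the slides' own IA/MA, IB/MB, IC/MC labels; the class and alert names are assumptions.

```python
from collections import defaultdict

class ArpWatch:
    """arpwatch-style monitor (an added illustration, not arpwatch's code):
    remembers the IP->MAC pairing first seen on the segment and flags ARP
    traffic that contradicts it or that nobody asked for."""

    def __init__(self):
        self.bindings = {}                   # ip -> mac first learned
        self.ips_per_mac = defaultdict(set)  # mac -> every ip it has claimed
        self.pending = set()                 # (asker_ip, asked_ip) still open
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP message; returns the alerts it raised (possibly none)."""
        new = []
        if op == "request":
            self.pending.add((sender_ip, target_ip))
        elif (target_ip, sender_ip) in self.pending:
            self.pending.discard((target_ip, sender_ip))
        else:  # a reply no open request explains (slide: "unsolicited response")
            new.append(("unsolicited_reply", sender_ip, sender_mac))
        # Requests and replies both advertise a sender IP/MAC pair, and many
        # stacks cache either one, so the binding check applies to both.
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            new.append(("binding_changed", sender_ip, known, sender_mac))
        claimed = self.ips_per_mac[sender_mac]
        if claimed and sender_ip not in claimed:
            new.append(("mac_claims_many_ips", sender_mac, sender_ip))
        claimed.add(sender_ip)
        self.alerts.extend(new)
        return new

def replay_slide_scenario():
    """Constructed replay of the slides' exchange between A (IA/MA),
    B (IB/MB) and the attacker C (IC/MC); returns the alerts raised."""
    w = ArpWatch()
    w.observe("request", "IA", "MA", "IB")  # A: who has IB?
    w.observe("reply",   "IB", "MB", "IA")  # B answers; IB->MB learned
    w.observe("request", "IB", "MB", "IA")  # B: who has IA?
    w.observe("reply",   "IA", "MA", "IB")
    w.observe("request", "IC", "MC", "IA")  # C resolves A legitimately
    w.observe("reply",   "IA", "MA", "IC")
    w.observe("request", "IA", "MA", "IB")  # A asks for IB again ...
    w.observe("reply",   "IB", "MB", "IA")  # ... B answers ...
    w.observe("reply",   "IB", "MC", "IA")  # ... and C races a forged reply
    w.observe("reply",   "IX", "MC", "IB")  # C's unsolicited claim of IX
    return w.alerts
```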

Future Prevention?
- Secure Address Resolution Protocol (S-ARP)
- S-ARP uses public/private key pairs to authenticate ARP responses

Final Recommendation
- The best way to avoid damage by a sniffer is not to pass usernames and passwords over the network in clear text
- Encryption is the best solution:
  - Use SSH instead of telnet
  - Use HTTPS instead of HTTP
  - Use SCP and SFTP instead of FTP

Some common sniffers
- Tcpdump: http://www.tcpdump.org
- Wireshark: http://www.wireshark.org/
- Ettercap: http://ettercap.sourceforge.net/
- Snort: http://www.snort.org
- Dsniff: http://monkey.org/~dugsong/dsniff/