COEN 152 / 252 Computer Forensics
COEN 152 / 252 Computer Forensics Remote Sniffer Detection

Sniffer Detection. On the host: look for capture files (typically big and growing), look for a card in promiscuous mode, look for unauthorized connections or processes. On the net: traffic analysis and traffic injection (probing). Network-based detection is much harder, because a purely passive sniffer only receives and never has to transmit.

Network-based Sniffer Detection. Techniques: promiscuous mode detection, DNS tests, network latency tests, trapping.

Network-based Sniffer Detection: NIC hardware addresses. The NIC can be set up with different receive filters: broadcast (accept frames addressed to the broadcast MAC ff:ff:ff:ff:ff:ff), multicast (accept frames addressed to selected multicast group addresses), all multicasts (accept every multicast frame), and promiscuous (accept every frame on the wire, regardless of destination).

Promiscuous mode detection. Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address. A card in non-promiscuous mode accepts only frames addressed to that MAC, to the broadcast address, or to a multicast group it has joined; everything else is dropped by the hardware before the operating system ever sees it.

MAC Promiscuous Mode Detection. Send an ICMP echo request to the right IP address, but in a frame with a wrong destination MAC address. A NIC in normal mode drops the frame; only a NIC in promiscuous mode picks it up. The echo request is then passed up the stack to the IP layer, which checks only the destination IP address and answers it. An echo reply therefore reveals a promiscuous card. Some operating systems also compare the destination MAC in software, which is why the software filter tests below try several address patterns.

ARP Detection. Send an ARP request for the correct target IP address but with a false destination MAC address. Only a promiscuous NIC will pick up the frame. The kernel matches the target IP in the ARP body, not the Ethernet destination, and sends an ARP reply; whether its software filter lets the frame through at all depends on the operating system.

Software Filtering Based Detection. Different operating systems implement the software filter differently. We can try fake broadcast addresses as the frame destination: FF:FF:FF:FF:FF:FE (B47), the broadcast address with the last bit cleared; FF:FF:00:00:00:00 (B16), only the first 16 bits match the broadcast address; FF:00:00:00:00:00 (B8), only the first 8 bits match; F0:00:00:00:00:00 (B4), only the first 4 bits match.

Software Filtering Based Detection. Different operating systems implement the software filter differently. We can also try fake multicast addresses: 01:00:00:00:00:00 (Gr), only the group bit set; 01:00:5E:00:00:00 (M0), IPv4 multicast address zero, which is usually not used; 01:00:5E:00:00:01 (M1), the all-hosts group, which every host in the test system should receive; 01:00:5E:00:00:02 (M2), the all-routers group, assigned to a different set of nodes and not received by the systems in the test group; 01:00:5E:00:00:03 (M3), not registered to any group.

Software Filtering Based Detection. Table of responses to the various ARP probes. Columns: Windows XP, WinME / 9x, Win2K/NT, Linux 2.4.x, FreeBSD 5.0, each split into normal mode (left) and promiscuous mode (right). Rows: B47, B16, B8, Gr, M0, M1, M2, M3. Legend: O legal response, X illegal response, -- no response. (The individual cell values are not recoverable from this transcript.)

Software Filtering Based Detection. ARP requests sent to fake MAC addresses can reveal promiscuous cards in an OS-dependent manner: the pattern of replies across the probe set both fingerprints the operating system and shows whether the card is in promiscuous mode. Trabelsi, Rahmani, Kaouech, Frikha: Malicious Sniffing Systems Detection Platform, SAINT '04.
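The ARP probe described on the MAC/ARP detection slides and the fake broadcast/multicast destination set from the software-filter slides, as one added example (standard library only; not code from the slides or from Trabelsi et al.). It builds the probe frames, parses ARP replies and fills in one column of the table above with the slides' O / X / -- legend. The "BR" entry (the real broadcast address) is a control probe added here and is not on the slides' list; the MAC and IP values in the usage note are placeholders; the raw-socket sender is Linux-specific (AF_PACKET) and needs root.

```python
"""Promiscuous-mode probes: ARP requests whose Ethernet destination is not the
target's unicast MAC (B47 ... M3) but whose ARP target IP is correct.  A NIC in
normal mode drops such a frame in hardware; a promiscuous NIC passes it up and
the kernel may answer, depending on its software filter.  Added example, not
code from the slides or from Trabelsi et al.  "BR" is a control probe added
here.  send_and_collect() is Linux-specific (AF_PACKET) and needs root.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


# Probe destinations (6-octet form) with the labels used in the slides' table.
PROBE_DST = {
    "BR":  "ff:ff:ff:ff:ff:ff",  # control: real broadcast, every NIC accepts it
    "B47": "ff:ff:ff:ff:ff:fe",  # broadcast with the last bit cleared
    "B16": "ff:ff:00:00:00:00",  # only the first 16 bits match broadcast
    "B8":  "ff:00:00:00:00:00",
    "B4":  "f0:00:00:00:00:00",
    "Gr":  "01:00:00:00:00:00",  # only the group bit set
    "M0":  "01:00:5e:00:00:00",  # IPv4 multicast 224.0.0.0, normally unused
    "M1":  "01:00:5e:00:00:01",  # 224.0.0.1 all-hosts: every IPv4 host listens
    "M2":  "01:00:5e:00:00:02",  # 224.0.0.2 all-routers
    "M3":  "01:00:5e:00:00:03",  # not registered
}
NORMAL_MODE_OK = {"BR", "M1"}    # destinations a NIC in normal mode legitimately receives


def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Ethernet header (14 bytes) + ARP body (28 bytes); op 1 = request, 2 = reply."""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP) + body


def build_probe(label, src_mac, src_ip, target_ip):
    """ARP who-has target_ip, addressed to the fake MAC selected by `label`."""
    return build_arp(PROBE_DST[label], src_mac, 1, src_mac, src_ip,
                     "00:00:00:00:00:00", target_ip)


def parse_arp(frame):
    """(op, sender_mac, sender_ip, target_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa)


def is_reply_from(frame, target_ip):
    p = parse_arp(frame)
    return p is not None and p[0] == 2 and p[2] == target_ip


def classify(target_ip, replies_by_label):
    """One column of the slides' table: 'O' legal reply, 'X' illegal reply, '--' no reply.
    replies_by_label maps a probe label to the frames captured after sending that probe."""
    table = {}
    for label, frames in replies_by_label.items():
        if not any(is_reply_from(f, target_ip) for f in frames):
            table[label] = "--"
        else:
            table[label] = "O" if label in NORMAL_MODE_OK else "X"
    return table


def is_promiscuous(table):
    """A reply to any destination the hardware filter should have dropped."""
    return any(v == "X" for v in table.values())


def send_and_collect(ifname, frame, timeout=1.0):
    """Linux only, needs root: inject `frame`, then collect ARP frames for `timeout` seconds."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((ifname, 0))
    s.settimeout(timeout)
    s.send(frame)
    got = []
    try:
        while True:
            got.append(s.recv(65535))
    except socket.timeout:
        pass
    finally:
        s.close()
    return got
```

Usage on a live segment (placeholder values): `replies = {lbl: send_and_collect("eth0", build_probe(lbl, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.9")) for lbl in PROBE_DST}` followed by `classify("10.0.0.9", replies)`. Send the probes one at a time so each captured reply can be attributed to its probe; a reply to "BR" only confirms the target is up, and a reply to "B47", "B16" or similar is the X entry that the slides' table records.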

DNS Detection Technique. Password sniffers (or sniffers not running in stealth mode) generate network traffic of their own: they perform reverse DNS lookups, either because they think they found a password and want to know which system it belongs to, or because they want to show the user host names instead of addresses. Generate traffic to or from an address nobody else has a reason to resolve and watch the DNS server for PTR queries about it; the host asking is the one running the sniffer.

Load Detection Technique. Sniffers are hard on the machine's resources: a promiscuous host has to process every frame on the segment, so its performance degrades when there is a lot of network load. Hence, generate lots of network load and measure how the suspect's response times change.

Round Trip Time Measuring Technique. Experiments show that round-trip times differ by 10% to 40% between normal mode and promiscuous mode, with the exact figure depending on the operating system. This allows reliable detection. Using ICMP echo messages for the measurement makes it less dependent on the network load.
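The load and round-trip-time measurement of the two slides above, as an added example (not from the slides): ping the suspect while the segment is quiet, ping it again while the segment is flooded, and compare the median round-trip times. Assumptions made here rather than on the slides: the ping output format is the Linux/BSD one ("time=0.412 ms"), the 10% threshold is the low end of the slides' 10-40% range, and a second, known-clean host on the same segment is measured as a control so that slowdown caused by the flood itself (shared medium, switch queues, the prober's own load) cancels out. The sample ping output in the test is constructed.

```python
"""RTT-based promiscuous-mode test.  Added example, not code from the slides.
Assumes Linux/BSD ping output, a 10% threshold and a clean control host."""
import re
import subprocess
from statistics import median

TIME_RE = re.compile(r"time[=<]([0-9.]+) ms")


def parse_ping_output(text):
    """RTTs in ms from ping's per-packet lines; lost packets simply produce no line."""
    return [float(m.group(1)) for m in TIME_RE.finditer(text)]


def measure_rtts(host, count=20):
    """Run the system ping (Linux/BSD flags) and return the sampled RTTs in ms."""
    out = subprocess.run(["ping", "-c", str(count), host],
                         capture_output=True, text=True, check=False).stdout
    return parse_ping_output(out)


def slowdown(baseline, loaded):
    """Relative increase of the median RTT under load: 0.25 means +25%.
    Medians rather than means, so a few stray slow replies do not dominate."""
    return median(loaded) / median(baseline) - 1.0


def promiscuous_suspect(suspect_base, suspect_load, control_base, control_load,
                        threshold=0.10):
    """True if the suspect slows down by at least `threshold` more than the control host."""
    extra = slowdown(suspect_base, suspect_load) - slowdown(control_base, control_load)
    return extra >= threshold


if __name__ == "__main__":
    import sys
    suspect, control = sys.argv[1:3]          # e.g. 10.0.0.9 10.0.0.12 (placeholders)
    base_s, base_c = measure_rtts(suspect), measure_rtts(control)
    input("start the flood on the segment, then press Enter ")
    load_s, load_c = measure_rtts(suspect), measure_rtts(control)
    verdict = "suspect" if promiscuous_suspect(base_s, load_s, base_c, load_c) else "clean"
    print(f"suspect +{slowdown(base_s, load_s):.0%}, control +{slowdown(base_c, load_c):.0%}: {verdict}")
```

Take enough samples (twenty or more) in each phase; the 10-40% effect is real but small compared with the jitter of a single ping, so a decision from two or three packets is noise.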

Bait Technique. Generate telnet traffic to a fake telnet server, carrying lots of logins and passwords in the clear. The sniffer's operator takes the bait: telnet attempts to the non-existent server, or logins with the baited credentials, give the attacker away. It works like a honeypot.
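The two trapping techniques above, the DNS test and the telnet bait, as detection logic over log lines; this is an added example, not from the slides. Everything in it is constructed: the decoy address 10.0.0.77, the bait accounts, both log formats (a simplified BIND-style query log for the DNS side, a one-line-per-attempt text log for the fake telnet server) and the sample lines. The principle is the slides' own: the decoy address and the bait credentials appear only in traffic we generated, so anyone who reverse-resolves the address or logs in with those credentials must have read them off the wire.

```python
"""DNS-lookup and bait-credential trap detection over log lines.  Added
example; decoy IP, bait accounts, log formats and sample lines are constructed."""
import ipaddress
import re

DECOY_IP = "10.0.0.77"                                       # constructed: no real host
BAIT_ACCOUNTS = {"alice": "hunter2", "deploy": "Passw0rd!"}  # constructed bait logins

# Simplified BIND-style query log line (format assumed here):
# "04-Mar-2024 10:15:02.123 client 10.0.0.23#51234: query: 77.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)"
QUERY_RE = re.compile(r"client (\S+?)#\d+.*?query: (\S+) IN PTR")
# Fake telnet server log line (format assumed here):
# "2024-03-04T10:20:00 10.0.0.23 login user=alice pass=hunter2"
LOGIN_RE = re.compile(r"^\S+ (\S+) login user=(\S*) pass=(\S*)$")


def bait_session(user, password):
    """Cleartext telnet-style login we send to the fake server for the sniffer to capture."""
    return f"login: {user}\r\nPassword: {password}\r\n".encode()


def reverse_lookers(query_log, decoy_ip=DECOY_IP):
    """Clients that asked the resolver for the decoy's PTR record."""
    wanted = ipaddress.ip_address(decoy_ip).reverse_pointer   # '77.0.0.10.in-addr.arpa'
    hits = set()
    for line in query_log:
        m = QUERY_RE.search(line)
        if m and m.group(2).rstrip(".").lower() == wanted:
            hits.add(m.group(1))
    return hits


def bait_takers(login_log, accounts=BAIT_ACCOUNTS):
    """(client, user) pairs that presented a bait credential pair to the fake telnet server."""
    hits = []
    for line in login_log:
        m = LOGIN_RE.match(line)
        if m and accounts.get(m.group(2)) == m.group(3):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample logs: 10.0.0.23 resolves the decoy and replays alice's password,
# 10.0.0.41 does an unrelated lookup, 10.0.0.58 replays the deploy password.
SAMPLE_QUERY_LOG = [
    "04-Mar-2024 10:15:02.123 client 10.0.0.23#51234: query: 77.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "04-Mar-2024 10:15:03.004 client 10.0.0.41#40011: query: www.example.com IN A + (10.0.0.1)",
    "04-Mar-2024 10:15:09.870 client 10.0.0.23#51240: query: 9.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
]
SAMPLE_LOGIN_LOG = [
    "2024-03-04T10:20:00 10.0.0.23 login user=alice pass=hunter2",
    "2024-03-04T10:20:07 10.0.0.23 login user=alice pass=hunter3",
    "2024-03-04T10:21:30 10.0.0.58 login user=deploy pass=Passw0rd!",
]

if __name__ == "__main__":
    print("sent bait:", bait_session("alice", BAIT_ACCOUNTS["alice"]))
    print("reverse lookups of decoy:", reverse_lookers(SAMPLE_QUERY_LOG))
    print("bait credentials used:", bait_takers(SAMPLE_LOGIN_LOG))
```

The bait only works if the credentials are unique to the trap: reuse a real account name or password and every hit becomes ambiguous. Likewise, pick a decoy address that nothing legitimate (monitoring, asset inventory, a curious administrator) will ever resolve, or the DNS side produces false positives.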