1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan University



2 Do You Want to Become a Hacker?  Now you can get an MS degree specializing in hacking techniques from a university in Paris, France.  Do not miss this golden opportunity!  Soon you will see your institution also offering a degree in hacking techniques.

3 ABSTRACT  Computers on a network normally listen only to communications destined for them.  However, when they enter promiscuous mode they can listen to all communications, whether or not they are destined for them.  Computers are put into promiscuous mode by installing a software package known as a packet sniffer.

4 ABSTRACT (continued)  Sniffers are among the best tools for hackers to attack computers.  Network administrators use sniffers for network troubleshooting and security analysis. Many sniffing and anti-sniff packages are available on the Internet for download.  This paper discusses sniffing and anti-sniffing, their advantages and disadvantages, and presents some recommendations to make network systems and their data more secure.

5 INTRODUCTION For a computer to be able to listen to all communications on the network, it must be in a multi-partner mode. Such a mode is known as promiscuous mode.  Packet sniffers switch computers into promiscuous mode.  Attackers love packet sniffers.  Sniffers are valuable tools needed by network administrators to do network troubleshooting, to perform network security analysis and to measure the performance of the network system.

6 INTRODUCTION - 2  Sniffers are used by law enforcement agencies to monitor network systems.  Anti-sniff packages are available to determine whether or not a suspected remote computer is listening in to all communications on the network.  Several methods used by anti-sniff packages to identify suspected computers on the network are discussed in this paper.

7 What are sniffing packages used for?  Sniffing packages are used for network traffic analysis to: 1. Identify the type of network application used. 2. Identify the hosts using the network. 3. Identify the bottlenecks. 4. Capture data for troubleshooting of network applications. 5. Create network traffic logs.

8 More usages of sniffing packages  Gathering private data such as passwords, credit card information, messages, etc.  Establishing a connection with senders while using the authentication provided by the receiver.  Modifying and resending data to recipients.

9 SNIFFERS AND NETWORK ARCHITECTURES  Sniffing is possible because most network architectures use a shared medium and protocols that presume only the intended computer receives and reads the message.

10 Case: Ethernet architecture Computer A sends a message to Computer C. Since all computers share the same line, Computers B and D can listen to the message if they are in promiscuous (multi-partner) mode. In this case the message was not changed, but privacy was compromised: the data was copied, even though it was not modified.

11 Case: Routed network In a routed protocol the sent message may be handled by several hosts. Any of those hosts can copy the message, or change it and forward it to the other hosts. The final recipient of the message will never know that the message was modified. Thus the security risk taken in a routed protocol is much greater than in the Ethernet architecture.

12 DIFFERENT METHODS FOR DETECTING ACTIVE SNIFFERS  Theoretically it is impossible to detect active sniffers if they only listen without sending anything, i.e. if they are in passive mode. In practice there are some methods that can be used to identify suspected computers that are trying to listen to messages not intended for them.  Some popular methods to identify suspected computers are:

13 1. PING METHOD.  A computer is uniquely identified on the network by the serial number of its network interface card. This hardware address is called the MAC (Media Access Control) address.  A sniffer always turns off the MAC filter on its host device, so that it can receive all messages, whether or not they are intended for that device.

14 1. PING METHOD. How to identify suspected computers?  Send a message to the suspected device using a wrong MAC address and the correct IP address. The device should not respond if it has its MAC address filter on, but if it runs in promiscuous mode it will respond to the message. Thus a computer which is listening is identified. New problems to be solved:  The newer sniffer devices/programs have built-in filters which prevent such responses.

15 2. ARP: Address Resolution Protocol METHOD. ARP is a TCP/IP protocol that maps an IP address to a physical address. The ARP method uses ARP packets. On a network, when a computer sends an ARP request to the broadcast address, all the computers that see that request send an ARP answer with their IP-to-MAC address mapping. How are suspected computers identified? If such a request is sent to a regular non-broadcast address, there should not be any reply; if a reply is received, that computer is a suspected sniffer device.
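The ping method (slides 13 and 14) and the ARP method (slide 15) rely on the same property: the NIC's MAC filter is off, but the IP/ARP stack above it still answers anything carrying the host's IP. The simulation below is an added example, not code from the slides or from AntiSniff; the hosts, MAC and IP addresses are constructed, and it also models the slide-14 caveat of a sniffer that re-applies the MAC filter in software and so produces a false negative.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Host:
    """A LAN host modelled as a NIC hardware filter plus an IP/ARP stack above it."""
    name: str
    mac: str
    ip: str
    promiscuous: bool = False      # sniffer installed: NIC MAC filter switched off
    software_filter: bool = False  # newer sniffer re-applies the MAC check in software

    def nic_accepts(self, dst_mac: str) -> bool:
        # A normal NIC only passes up frames sent to its own MAC or to broadcast.
        if dst_mac in (self.mac, BROADCAST):
            return True
        # In promiscuous mode every frame is passed up, unless the sniffer itself
        # filters again (the "new problem" noted on slide 14).
        return self.promiscuous and not self.software_filter

    def replies_to(self, dst_mac: str, dst_ip: str) -> bool:
        """True if the host answers a probe (ICMP echo request or ARP request)."""
        if not self.nic_accepts(dst_mac):
            return False
        # The stack above the NIC checks only the IP address, never the MAC,
        # so a frame that slipped past a disabled MAC filter still gets answered.
        return dst_ip == self.ip

BOGUS_MAC = "00:de:ad:be:ef:00"    # constructed; assigned to no host on the LAN

def probe_lan(hosts):
    """Ping/ARP method: address each host by its correct IP but a bogus MAC and
    report the hosts that reply anyway. A clean NIC drops such a frame silently."""
    return [h.name for h in hosts if h.replies_to(BOGUS_MAC, h.ip)]

# Constructed sample LAN: B runs an old-style sniffer, C a sniffer with its own filter.
LAN = [
    Host("A", "00:11:22:33:44:01", "192.0.2.1"),
    Host("B", "00:11:22:33:44:02", "192.0.2.2", promiscuous=True),
    Host("C", "00:11:22:33:44:03", "192.0.2.3", promiscuous=True, software_filter=True),
    Host("D", "00:11:22:33:44:04", "192.0.2.4"),
]

if __name__ == "__main__":
    print(probe_lan(LAN))  # ['B']: C also sniffs but evades this check (false negative)
```

The check therefore only ever confirms a sniffer; an empty result does not prove the LAN is clean.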

16 3. DNS METHOD. The DNS method works on the assumption that many attackers use IP addresses to find DNS names. Most sniffer programs have a feature to do a reverse DNS lookup using an IP address to get the hostname. How are suspected computers identified? An anti-sniff package places itself in promiscuous mode and sends a message to a fictitious host such as charge BankC.com. The addresses of all computers that issue a reverse lookup request referencing the fictitious host are flagged as suspected computers.

17 4. SOURCE-ROUTE METHOD The IP header has a loose source routing option. Routers ignore the destination IP address and instead forward the message to the next IP in the source-route option. How to identify suspected computers? Turn off packet routing on a specific computer, so that the packet should be dropped at that computer. A computer that sniffs messages still responds to a message that was dropped on that computer. For instance, you send a message from computer A to computer B, but you route it through computer C first. If you turn off packet routing on computer C, then the packet should be dropped. Thus, if computer B responds to such a message, which was dropped at C, it means computer B sniffed the message.

18 5. DECOY METHOD. This method sets up a “victim” computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions, and watches for any hacker who tries to use that dummy account to log in to the remote server. How to identify suspected computers?  Set up a “victim” computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions.  Any hacker who captures such login information will try to log in to the remote server.  Any login attempt not originating from the “victim” computer indicates that someone was sniffing on your network and stole that account information.
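Both the DNS method (slide 16) and the decoy method (slide 18) come down to the same detection rule: plant a canary that only a sniffer could have learned, then watch the server logs for anyone who uses it. The script below is an added example, not code from the slides; the canary address, decoy account, victim address and the two log formats (a BIND-like query log and an sshd-like auth log) are all constructed for it.

```python
import re
from ipaddress import ip_address

# Constructed values for this example; none of them come from the slides.
CANARY_IP = "198.51.100.250"   # fictitious host the anti-sniff probe sends traffic to
DECOY_USER = "decoyuser"       # dummy account with no real permissions
VICTIM_IP = "192.0.2.50"       # the "victim" machine that legitimately replays the login

# Constructed log formats: a BIND-like query log and an sshd-like auth log.
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")
AUTH_RE = re.compile(r"(?:Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")

def canary_ptr_name() -> str:
    """Reverse-lookup name a sniffer resolves for the canary, e.g. 250.100.51.198.in-addr.arpa."""
    return ip_address(CANARY_IP).reverse_pointer

def dns_suspects(lines):
    """DNS method: only a host that read the canary traffic would ever reverse-resolve it."""
    target = canary_ptr_name()
    hits = set()
    for line in lines:
        m = DNS_RE.search(line)
        if m and m["qtype"] == "PTR" and m["qname"].rstrip(".") == target:
            hits.add(m["src"])
    return sorted(hits)

def decoy_suspects(lines):
    """Decoy method: the decoy credentials are used only from the victim host; any other
    source, successful login or not, learned them by sniffing. Sorted for stable output."""
    hits = set()
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["user"] == DECOY_USER and m["src"] != VICTIM_IP:
            hits.add(m["src"])
    return sorted(hits)

DNS_LOG = [
    "client 192.0.2.8#4100: query: www.example.com IN A",
    "client 192.0.2.7#5353 (250.100.51.198.in-addr.arpa): query: 250.100.51.198.in-addr.arpa IN PTR",
    "client 192.0.2.9#4101: query: 250.100.51.198.in-addr.arpa. IN PTR",
    "client 192.0.2.8#4102: query: 250.100.51.198.in-addr.arpa IN A",   # wrong type: ignored
]
AUTH_LOG = [
    "Accepted password for decoyuser from 192.0.2.50 port 40000 ssh2",  # the victim itself
    "Accepted password for decoyuser from 192.0.2.7 port 51234 ssh2",
    "Failed password for alice from 192.0.2.9 port 51235 ssh2",
    "Failed password for decoyuser from 192.0.2.11 port 51236 ssh2",   # knew the name: suspect
]

if __name__ == "__main__":
    print(dns_suspects(DNS_LOG), decoy_suspects(AUTH_LOG))
```

A failed login with the decoy user name is flagged as well, since the name itself is information nobody but the victim script should have.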

19 6. OTHER METHODS. There are many more methods that can be used to detect sniffing activities. None works 100% of the time, because hackers already know them and try to work around those detection methods. Among the best software packages that use all the above methods to find sniffing activities is the AntiSniff package (

20 Protocols targeted for sniffing by hackers Protocols that transmit data in plain text format make it easy for hackers to get what they want. Some of the protocols targeted for sniffing are: 1. telnet 2. rlogin (user sessions and passwords) 3. HTTP (passwords, web-based e-mails) 4. Simple Network Management Protocol (passwords) 5. Network News Transfer Protocol (passwords) 6. Post Office Protocol (passwords, e-mails) 7. File Transfer Protocol (passwords) 8. Internet Message Access Protocol (passwords, e-mails).

21 METHODS TO ENFORCE NETWORK SECURITY Switched network  Use of a switched network eliminates the use of a shared wire.  The switch knows the location of every device on the network, and sends data directly to the intended recipient without transmitting the message all over the network. The diagram in the next slide compares two networks of computers, one interconnected by a hub and the other interconnected by a switch.

22 Switch And Hub Networks Hubs send communications to all connected computers. A switch, on the other hand, remembers which computer is connected to which port on the switch, and thus forwards a message only to one computer. Diagram: Hub network / Switch network.
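To make the hub-versus-switch comparison concrete, here is an added simulation (not code from the slides) of the forwarding decision each device makes. The switch learns the port behind each MAC from the source address of frames it sees, so it only stops delivering copies to other ports once it has learned the destination; before that, and for broadcast, it floods like a hub. The hosts, MAC addresses and frames are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeats every frame out of every port except the one it arrived on, so any
    host in promiscuous mode on any port sees all traffic."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(self.ports - {in_port})

class Switch:
    """Learns which MAC sits behind which port from source addresses and delivers a
    unicast frame to that port only. Broadcast, and any destination it has not yet
    learned, is still flooded to every other port, exactly like a hub."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}                      # forwarding table: MAC -> port

    def forward(self, in_port, src_mac, dst_mac):
        self.cam[src_mac] = in_port        # learn the sender's location
        if dst_mac != BROADCAST and dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return sorted(self.ports - {in_port})   # unknown unicast or broadcast: flood

def deliveries(device, frames):
    """For each (in_port, src_mac, dst_mac) frame, the ports that receive a copy."""
    return [device.forward(*frame) for frame in frames]

# Constructed LAN: four hosts A..D, one per port 1..4.
A, B, C, D = ("00:11:22:33:44:0%d" % i for i in range(1, 5))
PORTS = [1, 2, 3, 4]
FRAMES = [
    (1, A, C),          # A -> C before the switch has learned C: flooded like a hub
    (3, C, A),          # C -> A: A was learned on port 1 from the previous frame
    (1, A, C),          # A -> C again: now delivered to port 3 only
    (1, A, BROADCAST),  # broadcast always reaches every other port
]

if __name__ == "__main__":
    print("hub:   ", deliveries(Hub(PORTS), FRAMES))
    print("switch:", deliveries(Switch(PORTS), FRAMES))
```

The third frame is the one the slide describes: only port 3 receives it, so hosts B and D no longer see A's traffic to C. The first and last frames show the remaining exposure on a switched network.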

23 Data encryption method:  This is one of the oldest security routines used to enforce security.  Many software algorithms and software packages are available to encrypt data.  You can encrypt your messages before sending them, e.g. PGP (Pretty Good Privacy) is used to encrypt messages. You can choose a secure protocol with built-in encryption schemes, e.g. SSH (Secure Shell) instead of telnet or rlogin.

24 Some disadvantages of encrypting over plain text messages  Encrypting increases the message size as well as the response time, since the message has to be not only encrypted on one end but also decrypted by the recipient on the other end.  It might not be a reasonable solution for some setups that require very fast response times.

25 Some important usages of sniffing methods: Sniffing methods can be used for:  Network management.  Traffic analysis, which can identify who is using what network resource in what way. For instance, you can identify the users who use most of your bandwidth, then find out whether they use it for a legitimate purpose or not.  Because most network applications use fixed port numbers, you can filter traffic and identify the software that is being used.  Maximizing network performance.

26 More usages of sniffing methods:  Not all packet capturing is intended to compromise security. For instance, while programming a network application, programmers might want to see the network traffic that the local computer generates, so that troubleshooting of the application goes much faster.  It is also possible to use a sniffer to create a log of all network traffic, which can serve as evidence in case security is compromised on some other system on the network. Those logs can be used to track down the intruders and to support legal action to bring those hackers to justice.

27 CONCLUSION  The security threat that sniffers pose can be minimized using a combination of switched networks and encryption.  Sniffers can sometimes be detected using sniffer detection software.  Network professionals have used sniffers for a long time to manage networks, identify problems and monitor the usage of network resources.  Hackers utilize sniffing packages to attack networked computers and steal information.  It may be impossible to make sure that no one uses sniffing packages against you, but it is important to make sure that unauthorized people cannot get useful information.
