Deff Arnaldy, M.Si 0818 0296 4763 deff_arnaldy@yahoo.com Sniffing & Keylogger Deff Arnaldy, M.Si 0818 0296 4763 deff_arnaldy@yahoo.com

Overview Konsep sniffing Capturing Live Network Data Explorasi hasil capturing Countermeasure sniffing Keyloggers Overview

Sniffer adalah program yang membaca dan menganalisa setiap protokol yang melewati mesin di mana program tersebut diinstal Secara default, sebuah komputer dalam jaringan (workstation) hanya mendengarkan dan merespon paket-paket yang dikirimkan kepada mereka. Namun demikian, kartu jaringan (network card) dapat diset oleh beberapa program tertentu, sehingga dapat memonitor dan menangkap semua lalu lintas jaringan yang lewat tanpa peduli kepada siapa paket tersebut dikirimkan. Aktifitasnya biasa disebut dengan Sniffing Konsep Sniffing

Sniffing Targets Data Link layer of protocol stack Sniffer – gathers traffic off network This data can include userIDs passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc. Allows attacker to read data passing a given machine in real time. Two types of sniffing: Active Passive Sniffing

Sniffing Active Passive Attacker still needs an account Several different attacks: - Parsing Packets - Flooding - Spoofed ARP Messages - DNS Spoofing - HTTPS and SSH spoofing Passive Attacker must have account on LAN Done over a hub Usually once access is gained on one computer attacker uses passwords to get in other computers Sniffing

Passive Sniffing user1 HUB Server user2 Bad guy BLAH HUB BLAH BLAH user2 BLAH Bad guy - Message gets sent to all computers on hub

Active Sniffing user1 Switch Server user2 Bad guy BLAH Switch BLAH user2 Bad guy - Message gets sent to only requesting computer by looking at MAC address

Dsniff Offers several ways around a switch Available for OpenBSD, Linux, Solaris, and there is a version for Windows Very popular and versatile In conjunction with sshmitm and webmitm, conducts all the above attacks Dsniff

Major Problems with Sniffing Any mischievious machine can examine any packet on a BROADCAST medium Ethernet is BROADCAST at least on the segments over which it travels Getting passwords is the first step in exploiting a machine email is plaintext and vulnerable Major Problems with Sniffing

What does one sniff? passwords email financial account information confidential information low-level protocol info to attack hardware addresses IP addresses routing, etc

What are the components of a packet sniffer? 1. Hardware : standard network adapters . 2. Capture Filter : This is the most important part . It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer. 3. Buffers : used to store the frames captured by the Capture Filter . What are the components of a packet sniffer?

What are the components of a packet sniffer? 4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to shift the traffic for intrusion detection. 5. Decoder : "Protocol Analysis" . What are the components of a packet sniffer?

Sniffers also work differently depending on the type of network they are in. Shared Ethernet Switched Ethernet How does a Sniffer Work?

How can I detect a packet sniffer? Ping method ARP method DNS method

Packet Sniffer Mitigation Host A Host B Router A Router B The following techniques and tools can be used to mitigate sniffers: Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers. Switched infrastructure—Deploy a switched infrastructure to counter the use of packet sniffers in your environment. Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network. Cryptography—The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

Top 11 Packet Sniffers Wireshark Kismet Tcpdump Cain and Abel Ettercap Dsniff NetStumbler Ntop Ngrep EtherApe KisMAC Top 11 Packet Sniffers

Working of Cain & Abel

What are sniffers used for? Detection of clear-text passwords and usernames from the network. Conversion of data to human readable format so that people can read the traffic. Performance analysis to discover network bottlenecks. Network intrusion detection in order to discover hackers. What are sniffers used for?

Prevention of Sniffing Segmentation into trustworthy segments bridges better yet .. switched hubs Not enough “not to allow sniffing” easy to add a machine on the net may try using X-terminals vs workstations Prevention of Sniffing

Prevention of Sniffing(more) Avoid password transmission one solution is r..family rlogin, rcp, rsh, etc put trusted hosts in .rhosts many SAs don’t want users to use them Using encrypted passwords Kerberos PGP public keys Prevention of Sniffing(more)

If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers Keystroke loggers (keyloggers) can be implemented either using hardware or software Keylogger

Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device In order to install a hardware keylogger, a hacker must have physical access to the system

Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke. Software keyloggers can be deployed on a system by Trojans or viruses

References http://netsecurity.about.com/cs/hackertools/a/aa121403.htm http://e-articles.info/e/a/title/Packet-Sniffing:-Sniffing-Tools-Detection-Prevention-Methods/ http://sectools.org/sniffers.html http://en.wikipedia.org/wiki/Cain_and_Abel_(software) http://www.authorstream.com/Presentation/chinmayzen-79529-packet-sniffers-education-ppt-powerpoint/ http://www.youtube.com/watch?v=O00LENbtiIw