0x440 Network Sniffing.

Presentation transcript:

0x440 Network Sniffing

Network Sniffing Sniffing Tools ARP Spoofing

What is Network Sniffing? The act of capturing packets that aren't necessarily meant for public viewing is called SNIFFING.

Two Sniffing Flows According to Network: Non-switched network environment: setting the promiscuous mode, then packet capturing. Switched network environment: ARP spoofing.

Non-switched vs. Switched Network The flow of traffic in a non-switched network Step 1 Node A transmits a frame to Node C Step 2 The hub will broadcast this frame to every active port Step 3 Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame Step 4 Node C will receive the frame and will examine the address in the frame. After determining that it is the intended host, it will process the frame further

Non-switched vs. Switched Network The flow of traffic in a non-switched network (cont.) It should be noted that steps 3 and 4 can occur in either order

Non-switched vs. Switched Network The flow of traffic in a switched network Step 1 Node A transmits a frame to Node C Step 2 The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection Step 3 Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further

Sniffing Non-switched Network For a host to be used as a sniffing agent, its NIC must be set to promiscuous mode. After promiscuous mode is set, the NIC no longer drops network frames that are addressed to other hosts

Sniffing Non-switched Network Setting the promiscuous mode $ sudo ifconfig eth0 promisc

Packet Capturing Tools: Sniffers: tcpdump, dsniff. Raw socket sniffers: raw_tcpsniff, pcap_sniff (with libpcap), decode_sniff (with libpcap)

Sniffer: tcpdump $ sudo tcpdump -X 'ip host <victim IP>'

Sniffer: dsniff $ sudo dsniff -n

Raw Socket A raw socket is a network socket that allows direct sending and receiving of Internet protocol packets without any protocol-specific transport layer formatting. A raw socket is specified by using SOCK_RAW as the type. There are multiple protocol options: IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP

Raw Socket Sniffer: raw_tcpsniff raw_tcpsniff.c

Raw Socket Sniffer: raw_tcpsniff $ gcc -o raw_tcpsniff raw_tcpsniff.c $ sudo ./raw_tcpsniff

Raw Socket Sniffer with Libpcap: pcap_sniff pcap_sniff.c

Raw Socket Sniffer with Libpcap: pcap_sniff $ gcc -o pcap_sniff pcap_sniff.c -lpcap $ sudo ./pcap_sniff

Raw Socket Sniffer with Libpcap: decode_sniff decode_sniff.c

Raw Socket Sniffer with Libpcap: decode_sniff $ gcc -o decode_sniff decode_sniff.c -lpcap $ sudo ./decode_sniff
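The decode_sniff.c listing itself is not reproduced in the transcript, so here is an added example (not the slides' or the book's code) of the header decoding such a sniffer performs once libpcap hands it a frame: it parses the Ethernet, IPv4 and TCP headers out of a constructed sample frame with bounds checks at every step, so it runs without a live capture or root. The sample addresses reuse the 1.1.1.x hosts from the later slides; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Decoded fields of one Ethernet/IPv4/TCP frame (ports and IPs in host order). */
struct decoded {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;
    uint8_t  ip_ihl, ip_proto;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags;
    size_t   payload_off;          /* where the TCP payload starts in the frame */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Returns 0 on success, -1 if the frame is not IPv4/TCP or is truncated.
 * Every offset is checked against len before it is read. */
int decode_frame(const uint8_t *f, size_t len, struct decoded *d) {
    if (len < 14 + 20 + 20) return -1;            /* eth + minimal ip + minimal tcp */
    memcpy(d->dst_mac, f, 6); memcpy(d->src_mac, f + 6, 6);
    d->ethertype = rd16(f + 12);
    if (d->ethertype != 0x0800) return -1;        /* not IPv4 */
    const uint8_t *ip = f + 14;
    if ((ip[0] >> 4) != 4) return -1;
    d->ip_ihl = (uint8_t)((ip[0] & 0x0f) * 4);    /* IP header length in bytes */
    if (d->ip_ihl < 20 || 14 + d->ip_ihl + 20 > len) return -1;
    d->ip_proto = ip[9];
    d->src_ip = rd32(ip + 12); d->dst_ip = rd32(ip + 16);
    if (d->ip_proto != 6) return -1;              /* not TCP */
    const uint8_t *tcp = ip + d->ip_ihl;
    d->src_port = rd16(tcp); d->dst_port = rd16(tcp + 2);
    size_t doff = (size_t)(tcp[12] >> 4) * 4;     /* TCP header length in bytes */
    if (doff < 20 || 14 + d->ip_ihl + doff > len) return -1;
    d->tcp_flags = tcp[13];
    d->payload_off = 14 + d->ip_ihl + doff;
    return 0;
}

/* Constructed sample: Victim1 1.1.1.10 -> Victim2 1.1.1.30, TCP SYN from port 50000 to 80. */
const uint8_t sample_frame[] = {
    0x00,0x00,0x00,0xCC,0xCC,0xCC, 0x00,0x00,0x00,0xAA,0xAA,0xAA, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,             /* IPv4 ... */
    1,1,1,10, 1,1,1,30,                                                        /* src, dst */
    0xC3,0x50,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0 };     /* TCP SYN */
const size_t sample_len = sizeof sample_frame;
```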

Sniffing Switched Networks ARP spoofing One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include the MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.

Sniffing Switched Network ARP spoofing using NEMESIS (cont.) Attacker: IP 1.1.1.20, MAC 00:00:00:BB:BB:BB. Victim1: IP 1.1.1.10, MAC 00:00:00:AA:AA:AA. Victim2: IP 1.1.1.30, MAC 00:00:00:CC:CC:CC

Sniffing Switched Network ARP spoofing using NEMESIS (cont.) Attacker (System B) → Victim1 (System A) $ sudo nemesis arp -v -r -d eth0 -S 1.1.1.30 -D 1.1.1.10 -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA Attacker (System B) → Victim2 (System C) $ sudo nemesis arp -v -r -d eth0 -S 1.1.1.10 -D 1.1.1.30 -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC

Sniffing Switched Network ARP spoofing using NEMESIS ARP Cache of Victim1 (System A) ARP Cache of Victim2 (System C)
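Added example (not from the slides): a minimal detector for the ARP cache poisoning described above, run over constructed ARP reply frames. It learns IP-to-MAC bindings from replies and flags a later reply whose sender MAC differs, which is what the unsolicited reply from System B produces at Victim1; build_arp_reply only assembles in-memory sample input for the check, and all names and the MAX_BINDINGS limit are this example's own.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BINDINGS 16
struct binding { uint32_t ip; uint8_t mac[6]; };                /* ip kept in wire order */
struct arp_table { struct binding b[MAX_BINDINGS]; int n; };
/* Returns 1 if the frame is an ARP reply whose sender MAC conflicts with the MAC already
 * learned for that IP, 0 if it is consistent (or first seen and now learned), -1 if it is
 * not a well-formed ARP reply. A defender would feed live captured frames to this. */
int check_arp_reply(struct arp_table *t, const uint8_t *f, size_t len) {
    if (len < 42 || f[12] != 0x08 || f[13] != 0x06) return -1;  /* not ARP over Ethernet */
    const uint8_t *arp = f + 14;
    if (arp[6] != 0x00 || arp[7] != 0x02) return -1;            /* opcode 2 = reply */
    const uint8_t *sha = arp + 8;                                /* sender hardware address */
    uint32_t spa; memcpy(&spa, arp + 14, 4);                     /* sender protocol address */
    for (int i = 0; i < t->n; i++)
        if (t->b[i].ip == spa) return memcmp(t->b[i].mac, sha, 6) != 0;
    if (t->n < MAX_BINDINGS) {                                   /* first sighting: learn it */
        t->b[t->n].ip = spa; memcpy(t->b[t->n].mac, sha, 6); t->n++;
    }
    return 0;
}

/* Writes a constructed ARP reply ("sender_ip is at sender_mac", sent to target) into f. */
size_t build_arp_reply(uint8_t *f, const uint8_t sender_mac[6], const uint8_t sender_ip[4],
                       const uint8_t target_mac[6], const uint8_t target_ip[4]) {
    memcpy(f, target_mac, 6); memcpy(f + 6, sender_mac, 6);
    memcpy(f + 12, "\x08\x06", 2);                               /* ethertype ARP */
    memcpy(f + 14, "\x00\x01\x08\x00\x06\x04\x00\x02", 8);       /* Ethernet, IPv4, 6, 4, reply */
    memcpy(f + 22, sender_mac, 6); memcpy(f + 28, sender_ip, 4);
    memcpy(f + 32, target_mac, 6); memcpy(f + 38, target_ip, 4);
    return 42;
}

/* Replays the slides' scenario as Victim1 would see it: a genuine reply from Victim2
 * (1.1.1.30 at CC:CC:CC), then the unsolicited reply from System B claiming that IP. */
int run_scenario(void) {
    static const uint8_t a_mac[6] = {0,0,0,0xAA,0xAA,0xAA}, a_ip[4] = {1,1,1,10};
    static const uint8_t b_mac[6] = {0,0,0,0xBB,0xBB,0xBB};
    static const uint8_t c_mac[6] = {0,0,0,0xCC,0xCC,0xCC}, c_ip[4] = {1,1,1,30};
    struct arp_table t = { .n = 0 };
    uint8_t f[64];
    int alerts = 0;
    size_t n = build_arp_reply(f, c_mac, c_ip, a_mac, a_ip);      /* legitimate reply */
    alerts += check_arp_reply(&t, f, n) == 1;
    n = build_arp_reply(f, b_mac, c_ip, a_mac, a_ip);             /* spoofed: B claims C's IP */
    alerts += check_arp_reply(&t, f, n) == 1;
    return alerts;                                                /* 1: only the spoof fires */
}
```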

the end