
Sniffing – Spoofing - Session Hijacking Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Edited by Irwan AK.


1 Sniffing – Spoofing - Session Hijacking Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Edited by Irwan AK

2 Sniffing Sniffing is the attempt to read and analyze the packets passing over a network, using a packet-sniffing program.

3 Packet Sniffing
What is packet sniffing?
Packet sniffing is listening (with software) to the raw network device for data packets that fit certain criteria. A “Packet Sniffer” is needed to collect those data packets. It must be capable of working with the type of network interface supported by the OS. Packets are all in binary format. A “Protocol Analyzer” helps make sense of it all: it recognizes which bits belong to the header fields of the protocols in which the data is embedded. It can be useful to debug, at bit level, an application that sends and receives messages through a TCP/IP connection.
Available Tools
– Ethereal: runs on all popular platforms, including Unix, Linux and Windows. It is a powerful protocol analyzer. Open source.
– tcpdump, Natas (Windows), nfswatch and Web Packet Sniffer (Unix) are other examples of free sniffers.
– LanWatch, Etherpeek, Sniff’em are examples of commercial sniffers.

4 Ethereal Now known as Wireshark: http://www.wireshark.org/ Install Wireshark on GNU/Linux: #apt-get install wireshark ... damn, it is that easy to install Wireshark on GNU/Linux.

5 Wireshark

6 Packet Sniffing (2.1) Introduction to Ethereal. Click this button to show the available interfaces. Click “Capture” to start.

7 Packet Sniffing (2.2) Introduction to Ethereal. While the sniffer is running, this window shows how many packets, belonging to each different protocol, are being captured. Click “Stop” to finish the capture and analyze the results.

8 Packet Sniffing (2.3) Introduction to Ethereal. The main window has three panes: the list of captured packets, the protocol analyzer, and the packet in binary format. The selected packet is analyzed below; the selected piece of the packet is highlighted below.

9 Packet Sniffing (5.1) Example: Analysis of packets exchanged between an LLRP Reader (IP: 206.169.229.171) and a Client (IP: 18.58.0.254).
TCP connection establishment:
Step 1: Client initiates the connection [SYN flag set] and informs about its initial Sequence Number.
Step 2: Reader accepts, acknowledges the previous message and informs about the initial Sequence Number chosen for the reverse direction [SYN, ACK flags set].
Step 3: Client acknowledges the previous message [ACK flag set].
Once the connection is established, LLRP data transfer can take place.
Client → Reader: SYN, Seq=X
Reader → Client: SYN, ACK, Seq=Y, Ack=X+1
Client → Reader: ACK, Seq=X, Ack=Y+1
Client ↔ Reader: LLRP data transfer

10 Wait … what is LLRP? The Low Level Reader Protocol (LLRP) Standard is a protocol for an interface between RFID Readers and Clients. The interface protocol is called low-level because it provides control of RFID air protocol operation timing and access to air protocol command parameters. The design of this interface recognizes that in some RFID systems there is a requirement for explicit knowledge of RFID air protocols and the ability to control Readers that implement RFID air protocol communications. It also recognizes that coupling control to the physical layers of an RFID infrastructure may be useful for the purpose of mitigating RFID interference. http://www.epcglobalinc.org/standards/llrp

11 RFID RFID (English: Radio Frequency Identification) is an identification method that uses devices called RFID tags or transponders to store and retrieve data remotely. An RFID tag or card is an object that can be attached to or embedded in a product, an animal or even a human, for the purpose of identification using radio waves. An RFID tag consists of a silicon microchip and an antenna. Passive tags need no power source, whereas active tags require a power source to operate. http://id.wikipedia.org/wiki/RFID

12 Question.. Do you still remember TCP/UDP? Do you still remember connection-oriented and connectionless communication? TCP? UDP?

13 Packet Sniffing (5.2) Example: TCP Connection Establishment. Step 1. IP (18.58.0.254) requests a connection [SYN] to IP (206.169.229.171)

14 Packet Sniffing (5.3) Example: TCP Connection Establishment. Step 2. IP (206.169.229.171) accepts the connection [SYN, ACK]

15 Packet Sniffing (5.4) Example: TCP Connection Establishment. Step 3. IP (18.58.0.254) acknowledges the last message [ACK], so the connection is established

16 Packet Sniffing (5.5) Example: LLRP data transfer.
Link Layer Protocol: Ethernet. The protocol’s header contains source and destination MAC addresses.
Network Layer Protocol: IP. The protocol’s header contains source and destination IP addresses.
Transport Layer Protocol: TCP. The protocol’s header contains source and destination ports. Sequence and Acknowledgement numbers are useful to follow the order in which messages were sent. In TCP, the first sequence number is randomly generated. To make it easier to follow, Ethereal displays relative numbers, that is, as if the first one were zero.
Application data: these are the data bits sent by the application.

17 Question... Do you still remember the TCP/IP layers and the OSI layers?

18 Packet Sniffing (5.6) Example: LLRP data transfer. The Client sends the GET_READER_CAPABILITIES LLRP message to the Reader.
Application Data (bit positions 0–31 shown as a ruler in the slide): 04 01 00 00 00 0b 00 00 00 01 00
According to LLRP binary encoding:
Rsvd = 000
Ver = 001
Message Type = 00 0000 0001 = “1”
Message Length [31:16] = 0000 0000 0000 0000
Message Length [15:0] = 0000 0000 0000 1011 = “11”
Message ID [31:16] = 0000 0000 0000 0000
Message ID [15:0] = 0000 0000 0000 0001
Requested Data = 0000 0000
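The field breakdown above can be reproduced in code. This is an added example, not part of the slides or of any LLRP library: it splits the fixed LLRP header (Rsvd/Ver/Type, Length, Message ID) and the one Requested Data byte of GET_READER_CAPABILITIES, and treats a declared length that disagrees with the bytes on the wire as malformed, which is what a protocol analyzer should flag rather than trust. The sample bytes are constructed from the slide’s field values.

```python
import struct

# Constructed sample: the 11-byte GET_READER_CAPABILITIES message from the slide,
# written as hex (0401 = Rsvd/Ver/Type, then Message Length, Message ID, Requested Data)
SAMPLE_GET_READER_CAPABILITIES = bytes.fromhex("0401" "0000000b" "00000001" "00")

LLRP_HEADER_LEN = 10  # 16-bit Rsvd/Ver/Type + 32-bit Length + 32-bit Message ID


def parse_llrp_header(data: bytes) -> dict:
    """Split the fixed LLRP message header into its fields.

    Layout of the first 16 bits (network byte order):
      [15:13] Rsvd (must be 0)   [12:10] Version   [9:0] Message Type
    followed by a 32-bit Message Length, which counts the whole message
    (header included), and a 32-bit Message ID.
    """
    if len(data) < LLRP_HEADER_LEN:
        raise ValueError("truncated LLRP header")
    first, length, msg_id = struct.unpack("!HII", data[:LLRP_HEADER_LEN])
    header = {
        "rsvd": first >> 13,
        "version": (first >> 10) & 0x7,
        "type": first & 0x3FF,
        "length": length,
        "id": msg_id,
    }
    # Analyzer-side sanity checks: reserved bits must be zero, and the declared
    # length must match what was actually captured; otherwise the message is
    # malformed or truncated and its fields should not be trusted.
    if header["rsvd"] != 0:
        raise ValueError("reserved bits set")
    if length != len(data):
        raise ValueError(f"declared length {length} != {len(data)} bytes captured")
    return header


def parse_get_reader_capabilities(data: bytes) -> dict:
    """Decode GET_READER_CAPABILITIES (type 1): header plus one Requested Data byte."""
    msg = parse_llrp_header(data)
    if msg["type"] != 1:
        raise ValueError(f"expected message type 1, got {msg['type']}")
    if msg["length"] != LLRP_HEADER_LEN + 1:
        raise ValueError("GET_READER_CAPABILITIES carries exactly one payload byte")
    msg["requested_data"] = data[LLRP_HEADER_LEN]  # 0 asks for all capabilities
    return msg


if __name__ == "__main__":
    for name, value in parse_get_reader_capabilities(SAMPLE_GET_READER_CAPABILITIES).items():
        print(f"{name:>15}: {value}")
```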

19 Session Hijacking Session hijacking is taking over a session on a network connection. Types:
– Active session hijacking: the attacker takes over an existing session by breaking an ongoing communication. The attacker acts as a man-in-the-middle and takes an active part in the communication between client and server. This attack requires the skill to guess the server’s sequence (SEQ) number before the client can respond to the server.
– Passive session hijacking: the attacker only watches the packet traffic. Usually called sniffing. It can yield important information, e.g. the user id and password of a client that is logging in to the server, which the attacker can then use to log in at a later time.

20 Spoofing In spoofing (fooling, deceiving), an attacker impersonates someone else. This allows him/her to exploit the access privileges of the spoofed party.

21 Types of Spoofing
– ARP spoofing: the attacker replaces the client’s MAC address with the attacker’s own MAC address.
– IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.
– Email spoofing: the attacker sends email but makes it appear to come from someone else.
– Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.
– Non-network (social engineering).

22 IP Spoofing IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header. Routers use the destination IP address to forward packets, but ignore the source IP address. The source IP address is used only by the destination machine, when it responds back to the source. When an attacker spoofs someone’s IP address, the victim’s reply goes back to that address. Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.

23 Email Spoofing Three basic ways to perform it:
– Aliasing
– Modifying the mail client
– Telnet to port 25

24 Email Spoofing One simple form of email spoofing is to create a valid email account (on Yahoo or Hotmail) and put someone else’s name in the alias field. In mail relaying, an attacker uses a mail server to send mail to someone in a different domain. When email is sent by a user, the From: address is not validated.

25 Web Spoofing One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g., www.paypai.com or wwwFirstNationalBank.com. Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g., in an email. Example: American Red Cross.

26 MitM Attacks ‘Man-in-the-Middle’ refers to a machine that is set up so that traffic between two other machines must pass through the MitM machine. Difficult to set up, especially over the Internet; not so difficult in a LAN environment. Provides no additional advantages over a ‘sniffer’; it is actually just a way to implement a sniffer.
Defense: Encryption. However, MitM can refer to an intermediate encrypter. Strong perimeter security for Internet MitM attacks. Only as secure as the weakest link: the MitM can attack from either end. So, even if you have strong security but your partner does not, the MitM is possible from the other end.

27 Countermeasures
IP Spoofing
– Protect against it with good firewall rules: keep your machines from launching a spoofed IP; use router filters.
– Limit configuration access on machines.
– Programs like arpwatch keep track of IP/MAC pairings.
– The best way to protect against source-routing spoofing is to simply disable source routing at your routers.
Email Spoofing
– Most email servers today do not allow email relaying. They only allow emails to be sent to/from their range of IP addresses, and they ensure that the recipient’s domain is the same domain as the mail server.
– The attacker can run his own email server, but then he is easier to trace.
– Defense: do not allow email relaying on your SMTP servers.
Web Spoofing
– Use a ‘server-side certificate’. Still, users should examine the browser location/status line and examine links in the HTML source code.
– Disable “active” content (Java, JavaScript, ActiveX) in the browser.
– Ensure that your browser starts on a “secure page” (a local HTML page).
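The “programs like arpwatch that keep track of IP/MAC pairings” countermeasure, as an added example that is not from the slides or from arpwatch itself: it walks a list of constructed (time, IP, MAC) observations, as a LAN monitor would record them from ARP replies, and raises an alert whenever an IP starts answering with a different MAC, distinguishing a never-seen MAC from a return to an earlier one (arpwatch’s “flip flop”). The observation data is constructed for the example.

```python
from collections import defaultdict

# Constructed observations (time, ip, mac) as an arpwatch-style monitor would record
# them from ARP replies seen on the LAN. Not real capture data.
OBSERVATIONS = [
    ("10:00:01", "192.168.1.1",  "00:11:22:33:44:55"),   # gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("10:00:05", "192.168.1.1",  "00:11:22:33:44:55"),   # gateway again, unchanged
    ("10:00:09", "192.168.1.1",  "AA:BB:CC:DD:EE:99"),   # gateway now answers with a new MAC
    ("10:00:12", "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("10:00:15", "192.168.1.1",  "00:11:22:33:44:55"),   # flips back to the original MAC
]


def watch_pairings(observations):
    """Track IP -> MAC pairings and return one alert per change.

    kind == "changed":   the IP answered with a MAC never seen for it before
    kind == "flip flop": the IP went back to a MAC it had used earlier
    Benign DHCP churn produces occasional "changed" alerts; repeated "flip flop"
    on a fixed address such as the gateway is the pattern worth investigating.
    """
    current = {}                 # ip -> MAC currently believed for it
    seen = defaultdict(set)      # ip -> every MAC ever observed for it
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()        # normalise case so "AA:BB" and "aa:bb" compare equal
        if ip in current and current[ip] != mac:
            kind = "flip flop" if mac in seen[ip] else "changed"
            alerts.append({"time": ts, "ip": ip, "old": current[ip], "new": mac, "kind": kind})
        current[ip] = mac
        seen[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for a in watch_pairings(OBSERVATIONS):
        print(f"{a['time']} {a['kind']:>9}: {a['ip']} {a['old']} -> {a['new']}")
```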

