1
Network Eavesdropping
2
Outline Concepts Methodology Detection
3
Eavesdropping Sniffer : Packet capture Tools (Trademark)
Network sniffing is to eavesdrop the network to capture the packets transmitted over the network It monitors traffic destined to itself as well as to all other hosts on the network Can be used for both attacking and protecting purposes
Uses of a sniffer
- Traffic analysis
- Performance analysis
- IDS/IPS are built on top of a sniffer
- Stealing clear-text content: usernames and passwords, conversations
How does a sniffer work
Normal mode
- Each network interface card (NIC) and network device has a unique MAC address
- The NIC only passes up frames addressed to its own MAC address (plus broadcast and the multicast groups it has joined); all other frames are dropped by the hardware
Sniffer mode
- A machine running a sniffer breaks this rule and accepts all frames
- It turns on "promiscuous" mode on the NIC
- In promiscuous mode the NIC accepts every data-link layer frame regardless of the destination MAC address
Anatomy of a sniffer
Media -> Capture driver -> Buffer -> Decode -> Storage
- Media: the network segment the NIC is attached to
- Capture driver: software driver that captures and filters packets
- Buffer: temporary space for packets before they are processed
- Decode: decoding the raw frames into readable form
- Storage: storage for offline analysis
How to sniff in shared networks
- Passive: just put the NIC into promiscuous mode; on a hub every frame reaches every port
- Switched networks prevent this traditional sniffing because each frame is forwarded to a single port, based on a table of MAC/port associations
How to sniff in switched networks
- Switches prevent traditional sniffing: a switch keeps an internal list of the MAC addresses of the hosts on each of its ports
- Traffic is sent to a port only if the destination host is recorded as being present on that port
- Switched networks are not really safe from sniffing, though
- Sniffing in a switched network needs active operations: ARP spoofing, MAC flooding
ARP revisited
Hosts A, B, C and D share a segment; A (MAC 8:0:20:7a:49:68) wants to resolve the MAC address of D (MAC 00:10:4B:13:0A:BC).
- A sends a broadcast ARP request: "who has D's IP address?"
- Every host on the segment sees the request; only D answers
- D sends a unicast ARP reply to A: "me! I am at 00:10:4B:13:0A:BC"
Gratuitous ARP
- A host "announces" its IP address to the local network when its interface is configured, usually at boot time, to detect duplicate addresses on the same network
- A gratuitous ARP packet is an ARP request with both the sender's and the target's IP address fields set to the configured IP address, broadcast to everyone
- Example: "Hi everyone, my IP is 158.108.1.2 and my MAC is 8:0:20:7a:49:68"
- Routers and other network hardware may cache information gained from gratuitous ARP packets, so a forged announcement can seed a wrong entry
ARP message format
The ARP/RARP message is carried as the payload of a data-link frame: frame header | ARP/RARP message. Field widths in bits:

 0                   15 16                  31
+---------------------+---------------------+
| Hardware type (16)  | Protocol type (16)  |
+----------+----------+---------------------+
| hlen (8) | plen (8) | ARP operation (16)  |
+----------+----------+---------------------+
| Sender MAC address, bytes 0-3             |
+---------------------+---------------------+
| Sender MAC, 4-5     | Sender IP, 0-1      |
+---------------------+---------------------+
| Sender IP, 2-3      | Target MAC, 0-1     |
+---------------------+---------------------+
| Target MAC address, bytes 2-5             |
+-------------------------------------------+
| Target IP address, bytes 0-3              |
+-------------------------------------------+

hlen is the hardware address length (6 for Ethernet) and plen the protocol address length (4 for IPv4), so an Ethernet/IPv4 ARP message is 28 bytes.
ARP request packet
Sample ARP request, an Ethernet frame sent by the host with IP 158.108.33.2 / MAC 02:60:8c:2e:b5:8b to resolve a target whose MAC is still unknown:
  dest MAC (broadcast)           FF:FF:FF:FF:FF:FF
  source MAC                     02:60:8c:2e:b5:8b
  frame type (ARP)               0x0806
  hardware type (Ethernet)       0x01
  protocol type (IP)             0x800
  hlen / plen                    0x06 / 0x04   (MAC = 6 bytes, IP = 4 bytes)
  operation (request)            0x001
  sender MAC                     02:60:8c:2e:b5:8b
  sender IP                      158.108.33.2
  target MAC (unknown)           00:00:00:00:00:00
  target IP                      the address being resolved
  Ethernet checksum (FCS)        appended by the NIC
ARP reply packet
Sample ARP reply, the unicast Ethernet frame the owner of the resolved address (MAC 00:00:e8:15:cc:0c) sends back to 158.108.33.2 / 02:60:8c:2e:b5:8b:
  dest MAC (unicast, the requester)   02:60:8c:2e:b5:8b
  source MAC                          00:00:e8:15:cc:0c
  frame type (ARP)                    0x0806
  hardware type (Ethernet)            0x01
  protocol type (IP)                  0x800
  hlen / plen                         0x06 / 0x04   (MAC = 6 bytes, IP = 4 bytes)
  operation (reply)                   0x002
  sender MAC                          00:00:e8:15:cc:0c
  sender IP                           the resolved address
  target MAC                          02:60:8c:2e:b5:8b
  target IP                           158.108.33.2
  Ethernet checksum (FCS)             appended by the NIC
Playing with ARP
- How do you display the ARP table?
- How do you clear the ARP table?
- How do you add a static ARP entry?
- How do you inspect the equivalent table in IPv6, where Neighbor Discovery replaces ARP?
Facts about ARP
- Stateless protocol
- Not designed with security in mind
- No means for authentication or validation
- Nothing prevents a client from crafting custom ARP messages: it can forge the source IP address and the source MAC address
- Result: malicious nodes can fool other nodes into sending traffic to the wrong MAC address, which exposes the network to attacks such as ARP spoofing (ARP cache poisoning) and, against the switch itself, MAC flooding
ARP cache
- Kept locally to minimize the number of ARP requests broadcast
- The cache is updated with the new IP/MAC association for every reply received
- Some OSs update the cache when a reply is received regardless of whether they ever sent a request
- So it is possible to overwrite the ARP cache on many OSs
- In particular, it is possible to associate an attacker's MAC address with the default gateway's IP address
ARP weakness
- If two machines have the same IP address, both respond to the same ARP request (IP conflict)
- Depending on the OS, one of two things happens:
  - the last ARP reply to arrive is cached until the entry expires, or
  - the first ARP reply to arrive is cached and any further replies are ignored until the entry expires
- Either way the requester has no way to tell which reply is genuine
ARP spoofing
- Methods to spoof the contents of an ARP table
- Takes advantage of the ARP cache; the process of corrupting the cache is "poisoning", hence the attack is also called ARP cache poisoning
- Causes all outgoing traffic from the target host to be transmitted to the attacker's host
- The attacker can also forge ARP replies
- dsniff by Dug Song includes a program named "arpspoof" for this purpose
ARP spoofing scenario
Hosts: A (IP IA, MAC MA), B (IP IB, MAC MB) and the attacker C (IP IC, MAC MC).
Normal condition:
  A's cache: IB -> MB, IC -> MC
  B's cache: IA -> MA, IC -> MC
  C's cache: IA -> MA, IB -> MB
After ARP spoofing:
  A's cache: IB -> MC, IC -> MC   (B's address now points at the attacker)
  B's cache: IA -> MC, IC -> MC   (A's address now points at the attacker)
  C's cache: IA -> MA, IB -> MB   (only the attacker still holds the true mappings, which it needs to relay the traffic)
ARP poisoning walkthrough
Hosts as before: A (IA/MA), B (IB/MB) and the attacker C (IC/MC). All three caches start out correct (A: IB -> MB, IC -> MC; B: IA -> MA, IC -> MC; C: IA -> MA, IB -> MB).

Broadcast request
- B broadcasts "Who has IA? My IP is IB"; every host on the segment, the attacker included, sees it.

Response to broadcast
- A answers with a unicast reply "I have IA and my MAC is MA", and B caches IA -> MA.
- The figure already shows A's cache holding IB -> MC: the attacker has poisoned A's entry for IB (the two ways of doing that follow).

Result: like sniffing
- Not quite a sniffer, but fairly close: a packet from A destined for IB is first sent to MC, that is, to the attacker.
- The attacker forwards the packet on to B, so the conversation keeps working and neither side notices.

Variant 1: forged reply to a broadcast request
- A broadcasts "Who has IB? My IP is IA".
- Two replies come back: B says "I have IB and my MAC is MB" and the attacker says "I have IB and my MAC is MC".
- Which one A keeps depends on its OS (see "ARP weakness"): if the last reply wins, the attacker only has to answer after B, and A's cache ends up with IB -> MC.

Variant 2: unsolicited response
- Without any request having been sent, the attacker sends a reply "I have IX and my MAC is MC".
- Hosts that update their cache on any reply (see "ARP cache") add IX -> MC; both A's and B's tables now contain the entry.
- With IX set to the default gateway's address, all off-segment traffic from those hosts is diverted through the attacker.
MAC flooding
- A switch keeps a table, in a bounded memory (the CAM), of the MAC addresses that appear on each port
- Flooding the switch with frames from randomly faked source MAC addresses fills that table; entries for real hosts are evicted or can no longer be learned
- Many switches then drop into "fail-open" mode: for any destination no longer in the table they behave like a hub and forward the frame out of every port
- The attacker's port therefore receives the traffic of the evicted hosts
- dsniff includes a program named "macof" that floods a switch with random MAC addresses
MAC address cloning
- MAC addresses were intended to be globally unique and unchangeable
- Today a MAC address can be changed easily in software
- An attacker can DoS the target computer, clone the target's MAC address and receive all frames intended for the target
Sample tools
- Ettercap (http://ettercap.sourceforge.net/): complete sniffing and ARP corruption tool with command-line and GUI front ends
- arpspoof: basic ARP manipulation tool, part of the dsniff package
- ARPoison: basic ARP spoofing tool
- Many more...
Sniffer prevention and detection
- Done properly, a sniffer is impossible to detect
- Sniffing is a passive activity: it does not generate the unusual traffic normally linked to active intrusion attacks
- It is therefore also difficult to prevent
Possible protection
Three main types:
- End-node precautions
- Prevention
- Detection
Precautions and implementation
- Use a VPN or some other encrypted channel for all communication
- Verify the authenticity of all SSL certificates and SSH host keys before accepting them
Prevention
Deploy intelligent Ethernet switches that support the following features:
- Secured ports (port security): specify the MAC address allowed on each port, and limit the number of MAC addresses on an interface
- Smart cache: only time out inactive entries
- Smart management: never flood; require a host to send traffic first before it can receive any
- Dynamic ARP inspection: uses the bindings learned by DHCP snooping to block ARP packets with unknown IP/MAC bindings
Sniffer detection
Shared network: local detection of promiscuous mode
- Ping test
- ARP test
- Ping latency test
- Employing a honeypot
Switched network
- Track down any node found changing ARP caches
Sniffer detection: ping test
- Construct an ICMP echo request whose IP destination is the suspected host
- Choose a mismatched destination MAC address, one that is not the suspect's real MAC and not the broadcast address
- Most systems ignore this packet because its MAC address is wrong: the NIC drops it before the IP stack sees it
- On some systems, if the NIC is in promiscuous mode, the frame is passed up as if it were legitimate and the host responds to the ping
- If the suspected host replies to our request, we know it is in promiscuous mode
Sniffer detection: ARP test
- Send an ARP request to the suspect host with all fields valid except a bogus destination MAC address
- A machine in non-promiscuous mode never sees the packet
- A machine in promiscuous mode processes it and replies
Sniffer detection: ping latency test
- Ping the suspected host and record the round-trip time (RTT)
- Generate a lot of traffic, for example many fake TCP connections, on the segment
- A host in promiscuous mode has to process every one of those packets, so its latency is expected to rise
- Ping the suspected host again and see whether the RTT has increased
- Alternatively, compare two populations, hosts in normal mode and hosts in promiscuous mode, and look for the difference in RTT under load
Sniffer detection: honeypot
- Create telnet sessions with lots of logins and passwords to a telnet server (which may itself be a fake server)
- A sniffer on the segment captures these credentials
- The sniffer's operator takes the bait when the captured credentials are later used to log in
Sniffer detection limitations
- ARP, ICMP and DNS tests: sophisticated attackers are of course aware of them and design their sniffer to filter out or ignore these probe packets
- Latency test: a probabilistic technique; many known and unknown factors (OS, traffic, load) may affect the results
Antisniffer tools
- AntiSniff
- Anti-AntiSniff
Sniffer detection: detect ARP spoofing
- Detect and track down any node found corrupting ARP caches
- Tools:
  - arpwatch: watches for ARP cache entry changes (a new station, a changed or flip-flopping MAC for an IP) and reports them by e-mail when found
  - Ettercap: has a plugin that can detect suspicious ARP activity and other Ettercap users on a network
  - Network intrusion detection systems (IDS): most are designed with the ability to detect and warn about suspicious ARP activity
Future prevention?
- Secure Address Resolution Protocol (S-ARP)
- S-ARP uses public/private key pairs to sign and authenticate ARP responses, so a forged reply from an attacker without the owner's private key is rejected
Final recommendation: encryption is the best solution
- The best way to avoid damage by a sniffer is never to pass usernames and passwords over the network in clear text
- Use SSH instead of telnet
- Use HTTPS instead of HTTP
- Use SCP and SFTP instead of FTP
Some common sniffers
- tcpdump
- Wireshark
- Ettercap
- Snort
- dsniff