Download presentation
1
CHAPTER 9 Sniffing
2
DEFINITION A method by which an attacker can compromise the security of a network in a passive fashion using sniffer. A sniffer is a a tool (a program or wire-tap devices) that plugs into computer networks and eavesdrops on the network traffic. Sniffers have been around for a long time in two forms. Commercial sniffers are used to help maintain networks. Underground sniffers are used to break into computers
3
THINGS TO SNIFF The most important thing typically to sniff is Authentication Information The example of authentication information are usernames and passwords. Following is a sampling of typical protocols on network traffic that are sniffed, especially for passwords. 1. Telnet (Port 23) 2. FTP (Port 21) 3. POP (Port 110) 4. IMAP (Port 143) 5. MNTP (Port 119)
4
THINGS TO SNIFF 6. rlogin (Port 513) 7. X11 (Port 6000+)
8. NFS File Handles 9. SMTP (Port 25) 10. HTTP (Port 80) Windows NT Authentication 1. Plaintext 2. LanManager (LM) 3. NT LanManager
5
SNIFFING TECHNIQUES Switch Tricks ARP Spoofing
There are some advanced sniffing techniques can be used: Switch Tricks Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task. ARP Spoofing ARP Spoofing is a technique used by crackers in order to sniff frames on a switched LAN or stop the traffic on the LAN.
6
SNIFFING TECHNIQUES ARP Flooding Routing Games
The intruder is trying to see what hosts you have active on your network. They are nottrying to deny service to you, just trying to find out what potential targets are available on your network. This is often a precursor to an attack. Be sure you have your network secured properly. Routing Games The routing algorithm that act as an adversary that attempts to intercept data in the network.
7
SNIFFING PROTECTION Password Protection Data Protection
The data-encryption solutions also provide for secure authentication. Examples are SMB/CIFS (Windows) and Kerberos v5 (UNIX). Data Protection SSL SSL (Secure Socket Layers) is built into all popular web browsers and web servers. It allows encrypted web surfing, and is almost always used in e-commerce when users enter their credit card information.
8
SNIFFING PROTECTION Secure Shell (Ssh)
Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. Switching Switching refers to protocols in which messages are divided into packets before they are sent.
9
SNIFFING PROTECTION Configure Local Network
VPNs (Virtual Private Networks) VPNs provide encrypted traffic across the Internet. Configure Local Network Replacing your hub with a switch will provide a simple, yet effective defense against casual sniffing.
10
SNIFFING DETECTION “ping” method ARP method
Most "sniffers" run on normal machines with a normal TCP/IP stack. This means that if you send a request to these machines, they will respond. The trick is to send a request to IP address of the machine, but not to its Ethernet adapter. ARP method The ARP method is similar to the ping method, but an ARP packet is used instead.
11
SNIFFING DETECTION DNS method
The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to such an ARP of its IP address, then it must be in promiscuous mode. DNS method Many sniffing programs do automatic reverse-DNS lookups on the IP addresses they see. Therefore, a promiscuous mode can be detected by watching for the DNS traffic that it generates. This method can detect dual-homed machines and can work remotely.
12
SNIFFING DETECTION “source-route” method “latency” method
Another technique involves configuring the source-route information inside the IP header. This can be used to detect sniffers on other, nearby segments. “latency” method This is a more evil method. On one hand, it can significantly degrade network performance. On the other hand, it can 'blind' sniffers by sending too much traffic. This method functions by sending huge quantities of network traffic on the wire.
13
SNIFFER DETECTORS AntiSniff CPM (Check Promiscuous Mode) neped
The most comprehensive sniffer-detection tool. CPM (Check Promiscuous Mode) A tool from Carnegie-Mellon that checks to see if promiscuous mode is enabled on a UNIX machine. neped A tool from The Apostols that detects sniffers running on the local segment.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.