Sniffing in a Switched Network



Similar documents
Packet Sniffing on Layer 2 Switched Local Area Networks

Packet Sniffer Detection with AntiSniff

1. LAB SNIFFING LAB ID: 10

Packet Sniffing and Spoofing Lab

Own your LAN with Arp Poison Routing

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Information Security Training. Assignment 1 Networking

- Basic Router Security -

Multi-Homing Dual WAN Firewall Router

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Ethical Hacking as a Professional Penetration Testing Technique

Tools for Attacking Layer 2 Network Infrastructure

TCP/IP Security Problems. History that still teaches

LAB THREE STATIC ROUTING

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Linux Network Security

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

Lab VI Capturing and monitoring the network traffic

Lab 2 - Basic Router Configuration

co Characterizing and Tracing Packet Floods Using Cisco R

Wireless Security: Secure and Public Networks Kory Kirk

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

IP Filter/Firewall Setup

PFSENSE Load Balance with Fail Over From Version Beta3

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Chapter 1 Configuring Basic Connectivity

CMPT 471 Networking II

Technical Support Information Belkin internal use only

How Subnets Work in Practice. Fred Marshall Coastal Computers & Networks

Computer Networks I Laboratory Exercise 1

Leased Line PPP Connections Between IOS and HP Routers

Chapter 6 Using Network Monitoring Tools

Configuring the Transparent or Routed Firewall

Firewalls, IDS and IPS

How To Understand and Configure Your Network for IntraVUE

How to deploy console cable to connect WIAS-3200N and PC, to reset setting or check status via console

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

Topics in Network Security

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL

Figure 1. Wireshark Menu Bar

J ai pas de TUN et je m en TAP

The Trivial Cisco IP Phones Compromise

Project 2: Firewall Design (Phase I)

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Chapter 1 Configuring Internet Connectivity

Looking for Trouble: ICMP and IP Statistics to Watch

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Chapter 6 Using Network Monitoring Tools

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Chapter 7 Troubleshooting

How To Check If Your Router Is Working Properly

Network Attacks. Common Network Attacks and Exploits

An Analysis of Security Mechanisms in the OSI Model

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Volume SYSLOG JUNCTION. User s Guide. User s Guide

8 steps to protect your Cisco router

Cain & Abel v 2.5. Password Cracking Via ARP Cache Poisoning Attacks. v.1. Page 1 of 15

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Attack Lab: Attacks on TCP/IP Protocols

EXPLORER. TFT Filter CONFIGURATION

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Defeating Firewalls : Sneaking Into Office Computers From Home

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Bridgewalling - Using Netfilter in Bridge Mode

Lab Objectives & Turn In

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Chapter 9 Monitoring System Performance

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Terminal Server Configuration and Reference Errata

1 PC to WX64 direction connection with crossover cable or hub/switch

ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Techniques

A Research Study on Packet Sniffing Tool TCPDUMP

Prestige 310. Cable/xDSL Modem Sharing Router. User's Guide Supplement

CSCE 465 Computer & Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

A S B

DRO-210i LOAD BALANCING ROUTER. Review Package Contents

The IP Transmission Process. V1.4: Geoff Bennett

Teldat Router. ARP Proxy

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

Chapter 4 Security and Firewall Protection

Guideline for setting up a functional VPN

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Hands-on MESH Network Exercise Workbook

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Packet Sniffing: What it s Used for, its Vulnerabilities, and How to Uncover Sniffers

Network Traffic Analysis and Intrusion Detection using Packet Sniffer

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Broadband Phone Gateway BPG510 Technical Users Guide

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Transcription:

Sniffing in a Switched Network -With A Recipe To Hack A Switch Using Ettercap and Ethereal -Manu Garg manugarg at gmail dot com

Problem Statement- To gain access to main switch of your company using a machine in the same LAN. Tools used- Ettercap, Ethereal Techniques Used- Arp spoofing and Sniffing

How can we achieve our goal? Most of the network administrators use telnet to login to a cisco machine. Telnet is a clear-text protocol so, if you can sniff the packets you can get to know what is other person talking to the machine. Easy then, I will just sniff the packets from the wire and get into my switch. Hey, I don t see any traffic on the wire. What could be the reason? You are in switched network and switches don t do any favor to the hackers. They transmit data only between the talking machines. But this is not fair. They said I am on ethernet. Are they not supposed to use CSMA/CD then? Ethernet has grown up buddy. It s switched ethernet now.

Hey wait! Don t get disappointed too soon. We hackers are not supposed to get defeated by a switch. Right? Right. Our elite masters who designed TCP/IP protocols didn t forget us. They left an otherwise invisible path which can be seen by only their enlightened students. So what is that path? It s the path of arp spoofing. By using this technique you can fool your target machines to send data through your attacking machine and then you can sniff it on your attacking machine.

ARP SPOOFING!! How does it work? Switch forwarding traffic based on MAC address Target 1 IP: 192.168.1.1 Hw: 00:00:00:00:00:01 Switch Target 2 IP: 192.168.1.100 Hw: 00:00:00:00:00:02 AM (Attacking Machine) IP: 192.168.1.121 Hw: 00:00:00:00:00:03 Before Attack..

Before attack, T1 and T2 are talking to each other only. Below is the arp table of the machines. T1(192.168.1.1): T2(192.168.1.100): 192.168.1.100 00:00:00:00:00:02 192.168.1.1 00:00:00:00:00:01 192.168.1.123 00:00:00:00:00:14 192.168.1.123 00:00:00:00:00:14 The switch understands only MAC addresses and forwards the packets to the right machines based on this MAC address. What if we manipulate the arp tables (this is called arp poisoning) on T1 and T2 so that the target MAC address in all the packets being exchanged between them, becomes the MAC address of our attacking machine. You got it right. Then switch will forward the packet to the attacking machine. So after attack arp table should look like something below: T1: T2: 192.168.1.100 00:00:00:00:00:03 192.168.1.1 00:00:00:00:00:03 192.168.1.123 00:00:00:00:00:14 192.168.1.123 00:00:00:00:00:14 Where 00:00:00:00:00:03 is the MAC address of attacking machine.

ARP SPOOFING!! How does it work? Switch forwarding traffic based on MAC address Target 1 IP: 192.168.1.1 Hw: 00:00:00:00:00:01 Switch Target 2 IP: 192.168.1.100 Hw: 00:00:00:00:00:02 AM (Attacking Machine) IP: 192.168.1.121 Hw: 00:00:00:00:00:03 After Attack.. Note: Don t forget to enable ip_forwarding on your attacking machine otherwise you ll break down traffic between 2 machines.

OK. I guess, now you know what ARP spoofing is. Now the bigger question - How do we poison ARP table on T1 and T2? Explanation starts from another question. How do the hosts build this arp table? This table is built using arp protocol. ARP protocol has 2 kinds of packets ARP request and ARP reply. When a machine (say, A) wants to know MAC address of another machine (say, B), it sends an ARP request asking who has IP address B. This is a broadcast, i.e. sent to FF:FF:FF:FF:FF:FF. It is picked up by all the machines in the LAN and only the machine possessing IP address B sends an ARP reply. It is sent to machine A only. Machine A stores this MAC address in it s ARP table. Now you must be getting some clue. Yes, we are going to poison ARP table of T1 and T2 by sending them ARP replies. Most of the machines are generous enough and respect the ARP reply packet even when there was no request for particular IP address. There are some machines, for example SunOS, which make an ARP entry only if there is a request for the one or if that ip is already in the ARP table. We can make them request for particular IP address by sending them an ICMP Echo packet from that IP address.

Ok. So you want me to create these ARP replies myself and manage all this. No dude. We have blessings of our fellow hackers. Alberto Ornaghi (a.k.a. ALoR) and Marco Valleri (a.k.a. NaGA) from Milan have created a nice tool called Ettercap based on equally cool library libnet from Mike. Ettercap is pretty versatile and tool of choice for MITM attacks including ARP spoofing. Ettercap also has sniffing capabilities, but I prefer to use it only for spoofing. For sniffing, I prefer using Ethereal. Main reason for this is the use of pcap format for storing packets by ethereal. Pcap is a pretty old format and there are many tools available to analyze pcap files. So, use ettercap for arp spoofing. Enable ip forwarding in kernel to maintain the connection between victim machines. And start sniffing using tethereal (text interface to ethereal). That s all you need to do.

Recipe Let s try to do everything said till now. Let s look at our problem once again We want to get into the main switch of our company. This will allow us to configure the switch ports the way we want. First task, find out ip address of the switch. In my case it is 192.168.1.100. You can use Nmap s OS detection feature to guess it. Now find out how network admin communicates with the switch. In my case network admin sits offsite. So, he connects to the switch through WAN and the requests come through the gateway. I use another machine in the same subset to observe the traffic for sometime and find out that all incoming traffic to the subnet comes through the router 192.168.1.2 and all outgoing traffic goes through the router 192.168.1.1. So, when network guy from 192.168.101.34 logs into cisco console, packets are routed through the routers 192.168.1.1 and 192.168.1.2.

Rest of the network Routers (R) 192.168.1.1 Hw Addr. 00:00:00:00:00:01 Routers (R) 192.168.1.2 Hw Addr. 00:00:00:00:00:04 Attacked Switch (S) Cisco Catalyst 5000 series 192.168.1.100 Hw. Addr. 00:00:00:00:00:02 Same subnet Attacking Machine (M) RHEL AS 4.0 192.168.1.121 Hw Addr : 00:00:00:00:00:03

As you can guess, I need to put attacking machine in the path between 192.168.1.1-192.168.1.100 to tap outgoing packets and 192.168.1.2 192.168.1.100 to tap incoming packets. So, I need to tell the router 192.168.1.2 that 192.168.1.100 is at 00:00:00:00:00:03 which is the MAC address of attacking machine. At the same time also tell switch i.e. 192.168.1.100 that 192.168.1.1 is at 00:00:00:00:00:03. Before inviting packets to your machine, make sure you have path for them to reach their destination i.e. don t forget to enable ip forwarding. In linux you can enable ip forwarding using following command: echo 1 >/proc/sys/net/ipv4/ip_forward Recipe

Start spoofing. To start arp spoofing using ettercap: ettercap -o -T -P repoison_arp -M arp:remote /192.168.1.100/ /192.168.1.1-2/ -o : only spoofing no sniffing. -T : text mode -P repoison_arp Tells it to load plugin repoison_arp. This plugin re-poisons arp table at some intervals -M arp:remote /192.168.1.100/ /192.168.1.1-2/ Tells it to start MITM attack with 192.168.1.100 in first target group and 192.168.1.1, 192.168.1.2 in second target group. I ll suggest you to run ettercap in screen terminal, so that you can detach from screen and forget about it for some time. I used ettercap NG-0.7.2. You can download it from http://ettercap.sourceforge.com.

Start Sniffing Now you are all set to start sniffing. Use following command to start sniffing and write packets to a file: # tethereal -afilesize:100000 -w /tmp/cisco.pcap -f "host 192.168.1.100 and not arp and not icmp -afilesize:100000 limits the file size to 100MB. -w /tmp/cisco.pcap writes packets to /tmp/cisco.pcap -f host 192.168.1.100 and not arp and not icmp is the filter string. It tells to collect the packets either coming from or going to 192.168.1.100 and not to collect any arp or icmp packets.

Use some social engineering. Find out when network team is going to work on the switch or any other host which you want to break into. Leave your tools running while they do it. Later on you can analyze the capture file by opening it in ethereal and you can just follow the telnet stream to find out the password. That s all it takes. A person is smart. People are dumb, panicky, dangerous animals and you know it. --Ed Solomon

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information