Internet Security ECOM 5347, Lab 1: Sniffing


Objectives

Become aware of a class of vulnerabilities known as sniffing. Learn how to use a sniffer tool.

What is a packet sniffer?

Sniffing is eavesdropping on the network. A packet sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. Sniffers are available for several platforms in both commercial and open-source variations. Some of the simplest packages are actually quite easy to implement in C or Perl; they use a command-line interface and dump captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options. Sniffers are also the engines for other programs: Intrusion Detection Systems (IDS) use sniffers to match packets against a rule set designed to flag anything malicious or strange.

Uses of a packet sniffer

Sniffing programs are found in two forms. Commercial packet sniffers are used to help maintain networks and to demonstrate the insecurity of plaintext network protocols, while underground packet sniffers are used by attackers to gain unauthorized access to remote hosts, for example by capturing the passwords used in telnet, rlogin and ftp connections.

Sniffing methods

There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

1. IP-based sniffing
This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn't set, so it captures all the packets. This method only works in non-switched networks.

2. MAC-based sniffing
This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.

3. ARP-based sniffing
This method works a little differently. It doesn't put the network card into promiscuous mode. This isn't necessary, because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP cache of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the way it works.

A sniffer program makes the network interface card (NIC) on the machine S enter a so-called promiscuous mode. An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e., it ignores all frames whose destination MAC address does not match its own. Through the NIC's driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.

The defense against sniffing is not really prevention but providing security solutions so that even if large amounts of data are sniffed, not much use can be made of them. This is the major reason behind one-time passwords and encryption.

Capabilities of Sniffers

A sniffer program allows a user to watch all network traffic over any network interface connected to the host machine. A sniffer program can watch TCP, IP, UDP, ICMP, ARP and RARP. A sniffer also lets you watch port-specific traffic for monitoring http, ftp, telnet, etc.

A sniffer (or a sniffer suite) can also:

- intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time for this capability.
- determine the local gateway of an unknown network via passive sniffing.
- flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). This is no longer passive/silent sniffing.
- become a simple password sniffer by minimally parsing each application protocol and saving the "interesting" pieces.
- output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with log analysis tools.
- send URLs sniffed from a client to a local web browser for display, updated in real time (that is, as the target surfs, the local browser surfs along).

Examples of Sniffers

1. tcpdump
2. wireshark/ethereal
3. hunt
4. ettercap: Ettercap is a network sniffer for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters to the server (emulating commands) or to the client (emulating replies) while maintaining an established TCP connection.
5. dsniff
6. sniffit

Detection of Sniffers

1. The DNS Test
In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up on those connections and resolve the IP addresses of the nonexistent hosts. Some packet sniffers perform reverse DNS lookups for the packets they capture. When a reverse DNS lookup occurs, the sniffer detection tool sniffs the lookup request to see if the target is the one requesting resolution of that nonexistent host.

2. The Ping Test
This method relies on a problem in the target machine's kernel. We can construct an ICMP echo request with the IP address of the machine suspected of hosting a sniffer but with a deliberately mismatched MAC address. We send an ICMP echo packet to the target with the correct destination IP address but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect. But in some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffer will grab this packet off the network as a legitimate packet and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode. Clever attackers are of course aware of this and can update their sniffers to filter out such packets, as the NIC itself would have had it not been in promiscuous mode.

3. The ICMP Ping Latency Test
In this method, we ping the target and note the round-trip time (RTT). From there, we create hundreds of fake TCP connections on our network segment at a lightning rate. We expect the sniffer to be processing those packets at a rate where the target machine's network latency will increase. We then ping the target once again and compare the RTT this time to the first time. After a series of tests and averages, we can conclude whether or not a sniffer is indeed running on the target.

4. The ARP Test
We send out an ARP request to our target with all valid information except a bogus destination hardware address. A machine that is not in promiscuous mode would never see the packet, since it wasn't destined to it, and therefore wouldn't reply. If a machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply. By the machine replying, we know it is in promiscuous mode.

Prevention of Sniffing

Use switches instead of hubs. However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.
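The ARP test described above, as an added example that is not part of the lab handout: it builds the probe frame, models the NIC's destination filter to show why only a promiscuous host ever sees the probe, and classifies the replies. All addresses and the bogus destination MAC are constructed values, and sending the frame on a real segment (a raw socket) is deliberately left out.

```python
import struct

# Constructed values (assumptions, not from the handout): our own addresses, the host
# being tested, and a bogus unicast destination MAC that belongs to no station.
OUR_MAC, OUR_IP = "00:11:f5:88:cd:24", "192.168.1.1"
TARGET_IP = "192.168.1.3"
BOGUS_DST_MAC = "de:ad:be:ef:00:01"
BROADCAST = b"\xff" * 6

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (htype 1, ptype IPv4, 6-byte hw, 4-byte proto)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06" + arp

def build_arp_probe(target_ip):
    """ARP who-has for target_ip: valid in every field except the Ethernet destination."""
    return arp_frame(BOGUS_DST_MAC, OUR_MAC, 1, OUR_MAC, OUR_IP, "00:00:00:00:00:00", target_ip)

def build_arp_reply(sender_mac, sender_ip):
    """Constructed is-at reply, as a host whose kernel processed the probe would send it."""
    return arp_frame(OUR_MAC, sender_mac, 2, sender_mac, sender_ip, OUR_MAC, OUR_IP)

def nic_accepts(frame, nic_mac):
    """Simplified NIC hardware filter: only frames for our own MAC or broadcast reach the
    kernel (multicast group filtering is ignored here). Promiscuous mode bypasses this."""
    dst = frame[0:6]
    return dst == mac_bytes(nic_mac) or dst == BROADCAST

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def promiscuous_hosts(reply_frames, probed_ips):
    """IPs that answered a probe their NIC filter should have dropped."""
    found = set()
    for frame in reply_frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2 and parsed[2] in probed_ips:
            found.add(parsed[2])
    return found
```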

Lab Experiment

Requirements: Set up a network containing at least two machines (in the lab), or use software like VMware or Virtual PC to build your own virtual lab (at home).

Procedures:
1. On PC1 set up Wireshark (or another sniffing tool). From the Capture menu select Interfaces; a list of network interfaces (NICs) will be shown. Select the interface that is connected to the network you want to sniff.
2. Click Start to start sniffing. The sniffing tool will capture any packet on the wire and analyze it, as shown in figures 1 and 2.
3. If we want to sniff a specific machine, we can use the options of the tool to filter the captured packets to that machine's IP.

The analysis result of the sniffing tool depends on the captured packet and the protocol that created it, and is displayed according to the OSI model. For example, if we deal with the ARP protocol then the data is only in the lower layers (Physical, Data link, Network) and there is no other data, because the ARP protocol works at the Network layer, as shown in figure 1. Another example is a DNS packet, where the displayed data is in all layers (Physical, Data link, Network, Transport, and Application), as shown in figure 2.

Let us discuss an example of analyzing a captured packet (the DNS example); the result of the analysis is displayed in the middle panel of Wireshark:
1. The first layer displays the Physical layer data.
2. The second layer shows the MAC addresses of the sender and receiver if available; otherwise it gives the MAC of the gateway for the sniffed machine, as shown in figure 3.
3. The third layer shows the Network layer. The data in this layer is the packet: it contains the source IP address and destination IP address, the Internet Protocol version (IPv4 or IPv6), the checksum and other information related to this layer, as shown in figure 3.
4. The next layer displays the Transport layer (TCP or UDP). It displays the source and destination ports and other related information, as shown in figure 4.
5. The last thing is the upper-layer protocols. The data in these layers depends on the protocol that initiated the packet; in our example the data here is related to DNS (Domain Name Service), as shown in figure 4.
6. We can use a filter to display specific data such as UDP packets only, or ICMP echo requests and echo replies, as shown in figure 5.
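As an added example (not part of the lab handout), the following Python script constructs the DNS query frame of figures 3 and 4 and decodes it layer by layer the way Wireshark's middle pane does: Ethernet addresses, IPv4 addresses and header checksum, UDP ports, and the DNS question name. The IP identification, TTL and DNS transaction id are assumed values, and the IP checksum is recomputed rather than copied from the figure.

```python
import struct

# Constructed frame using the addresses from figures 3 and 4 of the handout; the IP
# identification, TTL and DNS transaction id are assumed values.
SRC_MAC, DST_MAC = "00:19:d1:07:9b:18", "00:11:f5:88:cd:24"
SRC_IP, DST_IP = "192.168.1.3", "192.168.1.1"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; over a valid header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dns_query(name):
    """Standard query: header (id 0x1234, RD set, 1 question), QNAME labels, type A, class IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def build_frame():
    payload = dns_query("www.effetech.com")
    udp = struct.pack("!HHHH", 4348, 53, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ip_bytes(SRC_IP), ip_bytes(DST_IP))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # fill in the header checksum
    return mac_bytes(DST_MAC) + mac_bytes(SRC_MAC) + b"\x08\x00" + ip + udp

def decode_frame(frame):
    """Walk the frame layer by layer, like the middle pane of Wireshark."""
    out = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    out.update(version=ip[0] >> 4, proto=ip[9], checksum_ok=checksum(ip[:ihl]) == 0,
               src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])))
    if out["proto"] != 17:  # only UDP is decoded further here
        return out
    udp = ip[ihl:]
    out["src_port"], out["dst_port"] = struct.unpack("!HH", udp[:4])
    if 53 in (out["src_port"], out["dst_port"]):
        dns, i, labels = udp[8:], 12, []
        while dns[i]:  # QNAME ends with a zero-length label
            labels.append(dns[i + 1:i + 1 + dns[i]].decode()); i += 1 + dns[i]
        out["dns_qname"] = ".".join(labels)
    return out
```

Corrupting any byte of the IP header makes `checksum_ok` false, which is the same verification Wireshark performs when it flags a bad header checksum.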

Figure 1: ARP packet example

Figure 2: DNS packet example

Figure 3: Data link layer frame with Src MAC address 00:19:d1:07:9b:18 and Dst MAC 00:11:f5:88:cd:24, and network layer packet with Src IP address 192.168.1.3, Dst IP 192.168.1.1, version 4 and checksum 0x6e0c.

Figure 4: Transport layer UDP protocol data with Src port 4348 and Dst port 53, and the application layer data of the DNS query for the site www.effetech.com.

Figure 5: Using a specific filter

We can also run the Wireshark sniffer from BackTrack Linux: Start > Backtrack > Privilege Escalation > Sniffers > Wireshark.

Figure 6: Running Wireshark from BackTrack

We can also use other available sniffers such as dsniff.

Exercise

Install Wireshark on your PC and start sniffing for some seconds, then analyze four different packets. For example, if you capture an ARP request packet you must show that this packet works only in the lower three layers and show the source IP and MAC and the destination IP and MAC, plus anything else important that identifies the captured packet.