Sniffing. Michael Sonntag Institute for Information processing and microprocessor technology (FIM) Johannes Kepler University Linz, Austria


Sniffing
Michael Sonntag
Institute for Information processing and microprocessor technology (FIM)
Johannes Kepler University Linz, Austria
sonntag@fim.uni-linz.ac.at

What is a "Sniffer"?
- Devices or programs which capture or copy data packets
  - Theory: a "receive-only" device
  - Practice: most software sends, e.g. DNS lookups to decode IP addresses
- The "sniffed" packets are then analyzed later on (= packet analysis)
  - I.e. you don't see (only) a bit/byte stream, but a TCP packet or an HTTP stream
- These are also called wiretap programs
  - In "old" times this was used for phones by attaching wires to the telephone lines
- Why would you use them?
  - Professional products: network management, finding problems, ...
    - Will copy everything and can filter according to various expressions
  - Underground products: intrusions, hacking
    - Will automatically filter out passwords
Sniffing, 2012

Threats to network traffic: Interruption
[Figure: "Normal Flow" from information source to information destination vs. "Interruption", where the flow to the destination is cut off]
- Normal flow: the normal process of transmitting data
- Interruption: e.g. failure of a switch/router, denial of service attack, ...
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Fabrication
[Figure: "Normal Flow" from information source to information destination vs. "Fabrication", where a third party injects data towards the destination]
- Normal flow: the normal process of transmitting data
- Fabrication: e.g. packet construction with a different source address than it actually should have
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Interception
[Figure: "Normal Flow" from information source to information destination vs. "Interception", where a third party reads the data on its way]
- Normal flow: the normal process of transmitting data
- Interception: e.g. packet sniffer
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Threats to network traffic: Modification
[Figure: "Normal Flow" from information source to information destination vs. "Modification", where a third party alters the data on its way]
- Normal flow: the normal process of transmitting data
- Modification: e.g. content scanner, proxy
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides

Protocol analysis
- Definitions:
  - "Protocol Analysis is the process of capturing network traffic (with sniffing programs) and looking at it closely in order to figure out what is going on." [Graham_Sniff_2000]
  - A protocol analyzer interprets the sniffed packets and their fields (according to the protocols).
    - Renders interpreting the result of sniffing much easier (or even possible)!

Sniffer example: Wireshark
[Figure: Wireshark screenshot showing the sniffed, copied, and analyzed traffic; a single decoded packet (on different levels); and the full binary view of a single packet]

Areas of use
- Automatic sifting of the traffic for cleartext passwords and usernames
- Copying the communication between certain entities (if in readable format)
  - Normally: persons. But may also be devices or programs
  - E.g. reverse engineering of protocols
- Error analysis to discover/analyze/solve network problems
  - E.g. too frequent topology changes (TCs) with STP (Spanning Tree Protocol)
- Performance analysis for locating bottlenecks
- Network Intrusion Detection to discover hacks/intruders
- Network Traffic Logging to generate logs a hacker cannot modify or delete
  - On a system with a read-only connection to the network; but: crashing (Ping of Death)?

Classification of sniffers
- Breadth of functionality
  - Universal sniffers (all / many protocols)
  - Protocol-specific sniffers (e.g. only IP, only FTP / WWW / ...)
- Depth of functionality
  - How detailed the data/packets are analyzed
  - Integrated specific functions, e.g. password sniffing
- Area of use
  - Standalone
  - Distributed (with central management/reporting/analysis system) or remote
- Detection/evasion measures
  - MAC filter in sniffer software, ...

Broadcast networks
- Intranets / LANs are often broadcast networks
  - Because they employ Ethernet
- Broadcast means that every sender pushes its data into the network and hopes (relies on) that only the intended recipient will read it
  - Ethernet is a shared medium, i.e. from a logical view all clients are connected to a single medium (cable)
  - Ethernet is based on collision detection (CSMA/CD). All segments connected by a hub build a SINGLE collision domain
- "But we use switches"
  - This is good, but doesn't prevent problems
  - You can still attack the switch so it acts like a hub (or other attacks)

Anatomy of an Ethernet frame
[Figure: frame layout with field lengths in bytes: preamble (8) | destination address (6) | source address (6) | type/len (2) | LLC/SNAP + data (46-1500) | FCS (4)]
- Preamble: synchronization of clocks
  - Also includes the "Start Frame Delimiter"
- Destination and source address are hardware addresses (= MAC addresses)
  - Example: 00-60-08-2C-C3-FE
- EtherType or length: indicates which protocol is encapsulated within
  - LLC/SNAP/VLAN tag
  - Note: many NICs strip the VLAN tag so you can't see it. Depends also on the driver!
- Payload data
- FCS (Frame Check Sequence): CRC for error checking

MAC addresses (1)
- MAC = Media Access Control
- 48 bit Ethernet MAC address
  - The first bit marks unicast addresses (0) resp. multicast addresses (1)
  - If the second bit is 0, the next 22 bits identify the producer as OUI (= Organisationally Unique Identifier), who then manages the next 24 bits himself.
- The uniqueness of these MAC addresses is essential for correct working in a LAN!
  - Note: outside of a LAN duplicates may exist, but can again produce problems
  - Many identifiers are created based on the assumption of MAC addresses being worldwide unique, e.g. GUIDs
- List of vendor / OUI codes: http://standards.ieee.org/develop/regauth/oui/
- Special (destination) MAC address: broadcast: FF-FF-FF-FF-FF-FF
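As an added example (not part of the original lecture), the following Python code parses a frame the way the Ethernet frame slide describes it and decodes the address bits from the MAC address slide: the optional 802.1Q VLAN tag, the EtherType-versus-length distinction, the CRC-32 FCS, and the unicast/multicast and OUI bits of a MAC address. The frames and addresses are constructed inline; the preamble is omitted because the NIC removes it before the driver (and therefore a sniffer) sees the frame. Function names are my own.

```python
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the slide's 00-60-08-2C-C3-FE notation."""
    return "-".join(f"{b:02X}" for b in raw)


def classify_mac(raw: bytes) -> dict:
    """Decode the address bits from the MAC address slide.
    Ethernet sends each byte least-significant bit first, so the 'first bit'
    of the address is bit 0 of the first byte (unicast/multicast) and the
    'second bit' is bit 1 (universally/locally administered)."""
    first = raw[0]
    multicast = bool(first & 0x01)
    locally_administered = bool(first & 0x02)
    return {
        "address": mac_str(raw),
        "broadcast": raw == BROADCAST,
        "multicast": multicast,
        "locally_administered": locally_administered,
        # The OUI only identifies a vendor for universally administered addresses
        "oui": None if locally_administered else mac_str(raw[:3]),
    }


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Build a frame as the NIC hands it to the driver: no preamble/SFD,
    optional 802.1Q tag, payload padded to the 46-byte minimum, and the
    CRC-32 FCS appended least-significant byte first."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # TPID + VLAN id
    header += struct.pack("!H", ethertype)
    body = payload.ljust(46, b"\x00")
    fcs = zlib.crc32(header + body) & 0xFFFFFFFF
    return header + body + struct.pack("<I", fcs)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into the fields shown on the slide and verify the FCS."""
    if len(frame) < 14 + 46 + 4:
        raise ValueError("runt frame: shorter than the 64-byte Ethernet minimum")
    body, fcs_raw = frame[:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs_raw)[0] == (zlib.crc32(body) & 0xFFFFFFFF)
    dst, src = body[:6], body[6:12]
    offset = 12
    vlan = None
    type_or_len = struct.unpack("!H", body[offset:offset + 2])[0]
    if type_or_len == 0x8100:  # VLAN tag present (if NIC/driver did not strip it)
        tci = struct.unpack("!H", body[offset + 2:offset + 4])[0]
        vlan = tci & 0x0FFF
        offset += 4
        type_or_len = struct.unpack("!H", body[offset:offset + 2])[0]
    offset += 2
    # Values >= 0x0600 are EtherTypes, smaller values are an 802.3 length (LLC follows)
    is_ethertype = type_or_len >= 0x0600
    return {
        "dst": classify_mac(dst),
        "src": classify_mac(src),
        "vlan": vlan,
        "ethertype": type_or_len if is_ethertype else None,
        "llc_length": None if is_ethertype else type_or_len,
        "payload": body[offset:],
        "fcs_ok": fcs_ok,
    }


if __name__ == "__main__":
    # Constructed sample: the slide's example address as destination, a VLAN-tagged IPv4 frame
    frame = build_frame(bytes.fromhex("0060082CC3FE"), bytes.fromhex("0060082CC4FE"),
                        0x0800, b"constructed payload", vlan=10)
    print(parse_frame(frame))
    print(classify_mac(BROADCAST))
```

The FCS check is what a sniffer normally cannot do: most NICs verify and strip the CRC before the driver sees the frame, so a capture usually contains no FCS at all, just as the slide notes for the VLAN tag.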

MAC addresses (2)
- Identify your own MAC address:
  - Windows >= XP: ipconfig /all or netsh
  - Unix/Linux: ifconfig
- List the IP addresses in the local net which you are currently communicating with (via IP): arp -a
  - Note: "other" addresses might appear too, which "nearby" computers communicate with
- On switches, routers:
  hp# show arp
  hp# show mac
- MAC addresses should be unique, but with most modern hardware spoofing is possible quite easily
  - You cannot rely on them to be correct
  - Changes through software or re-burn of the EEPROM

Filtering in the protocol stack
- Each layer of the protocol stack filters out that part of the traffic not destined for this system
- Aim: get rid of unnecessary traffic as early as possible
- Goal: reduce the amount of work necessary
[Figure: the layers Application / Presentation / Session / UDP/TCP (Transport) / IP (Network) / NIC Driver (Data Link) / NIC (Physical), with a "Discard" arrow leaving each of the four lower layers]

How can a sniffer just "listen in"?
- The Ethernet hardware contains a filter which normally drops any traffic not directed to this device (and not a broadcast): MAC filter
- Promiscuous mode
  - The sniffer switches the hardware (network device) to promiscuous mode
  - This turns off the MAC filter and consequently all of the traffic is delivered to the upper layers and potentially available
    - If not filtered there!
  - If this is a shared medium, this is the complete traffic within a collision domain!
  - Note: the load will be much higher, as every packet must be handled!
- "But shared mediums don't exist any more"
  - Wrong: WLAN is a typical example!

Promiscuous mode
[Figure: NIC (MAC filter) passes "filtered traffic" up and discards the rest; NIC (promiscuous mode) passes "all traffic" up and discards nothing]
- During normal operation the NIC drops (discards) traffic not for this system based on MAC addresses
- In promiscuous mode this filter is switched off
  - All traffic will be passed on (up) and nothing is discarded

Components of a sniffer
- Hardware
- Capture driver
- Buffer
- Realtime analysis
- Decode
- Additional functionality:
  - Packet editing
  - (Re-)Transmission
- Specialty: don't send anything
[Figure: the layers Application / Presentation / Session / Transport / Network / Data Link / Physical, with the capture driver (promiscuous mode) hooked in at the lower layers]

Basic structure of a sniffer
[Figure: NIC (promiscuous mode) -> network driver + capture driver -> capture filter -> capture buffer -> packet decoder -> display filter -> display, with realtime analysis attached to the buffer; a marked border shows where the components are split for distributed sniffing]

Places to sniff (1)
- A hacker has the following options to listen in on the communication between two clients:
- Passive methods
  - The attacker must only "plug in" the sniffer and can immediately access all data
  - If you are one of the clients, this is always possible
    - Useless? No! SW might hide a lot of details which you might be interested in!
- Active methods
  - The attacker must actively do something because of the network architecture
    - E.g. switches; these do not broadcast all traffic
  - Disadvantage: he produces traffic, and this might be noticed!
- Local versus distributed sniffing

Places to sniff (2)
[Figure: two clients connected via intranet, ISP, router and the Internet; marked sniffing points: sniff on the client, sniff in the LAN (hub) and sniff at the ISP (passive), route redirection in the intranet or on the Internet (active)]

Sniffing in WLANs
- WLAN = Wireless LAN
- Danger: circumvention of the firewall
  - Just sniff from "outside" (e.g. the building)
  - Signal distance: approx. 100-300 m
  - But: with special antennas (e.g. parabolic antennas) reception from even longer distances becomes possible
- Countermeasures:
  - MAC filtering: only allow the "known good" MAC addresses to connect
    - Why is this deficient on several levels? Think!
  - Encryption
    - Old: WEP = Wired Equivalent Privacy
    - IPSec: not integrated (manually possible, very good)!
    - Newer standards: 802.11i with WPA-2 (TKIP, AES, 802.1x, ...)

Defending against sniffers
- Encryption (SSL, VPNs, PGP, SSH, ...)
- Do not use broadcast networks, especially not WLANs
- Physical security for wires and equipment (switches)
  - To prevent hardware manipulation
- Making the collision domains smaller
  - Splitting on layer 2
    - Switches for the local network
    - Will only help against "amateur hackers"
    - Several attacks are still possible, e.g. ARP spoofing or flooding the switch so it will behave like a hub
    - VLANs help, but it depends on how the switch finds out the port-to-VLAN assignment
  - Splitting on layer 3
    - Using routers
    - And potentially also firewalls

Detecting sniffers
- Theoretically (solely passive sniffers) impossible, but
- Practically very often possible, because:
  - Sniffers cause traffic
    - Distributed/remote sniffers communicate with each other/the server
      - And these are the ones hackers will use when installing them remotely
    - They use active methods (ARP spoofing, ...)
    - They perform reverse DNS lookups
  - Sniffer detectors employ active methods (decoys, ...)
  - Sniffers still suffer from bugs or peculiarities of their network stack
- The best method to detect sniffers is to use a sniffer!
  - Ping method, ARP method, DNS method, ...
- Note: local sniffers (on the same computer) can typically be detected easily!

Detecting sniffers: example
- Sending special traffic to the network where sniffing is suspected
- Computers sniffing are hopefully acting differently than all other computers
[Figure: LAN segment L-1 with the host running sniffer detection at 192.168.0.1, the host suspected of sniffing at 192.168.0.2, and the victim at 192.168.0.3]

Detection: Ping method
- Assumption: a client with the IP 192.168.0.2 and MAC 00-60-08-2C-C4-FE is under suspicion of employing a sniffer
  - We are on the same Ethernet segment
- We construct a special ping packet (ICMP Echo Request) with the following data:
  - IP: 192.168.0.2
  - A slightly modified MAC: 00-60-08-2C-C4-FD
- Theoretically nobody should answer this ping, as the MAC address in it does not exist
- But a client in promiscuous mode looks at the packet and will (often) answer it
  - Why? Not filtered based on MAC (-> sniffing!), IP address is correct -> answer

Detection: DNS method
- Create a packet with both a non-existing MAC and a non-existing IP address
- Send it out on the network where a sniffer is suspected to be running
- Any "normal" computer will ignore it, as it is not for it (-> wrong MAC)
  - The network should remain completely "silent"
- But a sniffer will inspect the packet and, hopefully, try to resolve the IP address in it to its hostname
  - This DNS request is noted and shows that a sniffer exists (and who it is)
- Disadvantage: will only work if the sniffer "cooperates", i.e. resolves IP addresses/names
  - If it is completely passive, i.e. really only listening, this won't work!

Detection: ARP test
- Prerequisite: in the same Ethernet segment (local network)
- Prepare an ARP request
  - (Almost) all systems react on receiving an ARP request
- Modify the destination for the ARP request
  - In the layer 2 frame
  - Instead of the broadcast address FF-FF-FF-FF-FF-FF use e.g. FF-FF-FF-FF-FF-FE
- If a computer answers, the NIC is probably in promiscuous mode
  - This doesn't necessarily mean that a sniffer is present, but it is very likely!
  - Normal computers would not answer, as they only check for their own MAC address and the "real" broadcast address (all FFs)
- Other option: send FF:00:00:00:00:00
  - Standard Windows NIC drivers (at least older ones) inspect only the first byte to find out whether a packet is a broadcast or not
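The following Python model is added here and is not taken from the lecture or from AntiSniff. It simulates the hardware MAC filter of the promiscuous mode slides and runs the three probes from the ping, DNS and ARP detection slides against it: the ping with a slightly modified MAC, the ARP request to FF-FF-FF-FF-FF-FE, and the FF:00:00:00:00:00 variant that older Windows drivers accept because they inspect only the first byte. It also contains the check for the DNS method, i.e. whether an observed PTR query is for the decoy address. Nothing is sent on a real network; the hosts, addresses and driver behaviour are constructed for the simulation, and the class and function names are my own.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """Accept both 00-60-08-2C-C4-FE and 00:60:08:2c:c4:fe notations."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


class Nic:
    """Hardware MAC filter as on the 'Promiscuous mode' slide.
    first_byte_only models the older Windows driver behaviour mentioned on the
    ARP-test slide: 'broadcast' is decided from the first byte alone."""

    def __init__(self, mac: str, promiscuous: bool = False, first_byte_only: bool = False):
        self.mac = mac_str(mac_bytes(mac))
        self.promiscuous = promiscuous
        self.first_byte_only = first_byte_only

    def accepts(self, dst_mac: str) -> bool:
        dst = mac_str(mac_bytes(dst_mac))
        if self.promiscuous:        # filter switched off: nothing is discarded
            return True
        if dst == self.mac:         # unicast to this NIC
            return True
        if self.first_byte_only:    # buggy check: first byte 0xff counts as broadcast
            return dst.startswith("ff")
        return dst == BROADCAST     # correct check: all 48 bits set


class Host:
    """A host whose IP and ARP layers only see what its NIC passed up.
    Reactions are computed, never transmitted."""

    def __init__(self, name: str, ip: str, nic: Nic):
        self.name, self.ip, self.nic = name, ip, nic

    def reacts_to(self, probe: dict) -> bool:
        if not self.nic.accepts(probe["dst_mac"]):
            return False                            # dropped in hardware, never seen
        if probe["kind"] == "icmp_echo":
            return probe["dst_ip"] == self.ip       # IP layer checks only the IP address
        if probe["kind"] == "arp_request":
            return probe["target_ip"] == self.ip    # ARP answers requests for its own IP
        return False


def ping_probe(target_ip: str, target_mac: str) -> dict:
    """Ping method: correct IP, last MAC byte decremented (C4-FE -> C4-FD)."""
    raw = bytearray(mac_bytes(target_mac))
    raw[-1] = (raw[-1] - 1) & 0xFF
    return {"kind": "icmp_echo", "dst_ip": target_ip, "dst_mac": mac_str(raw)}


def arp_probe(target_ip: str, dst_mac: str = "ff:ff:ff:ff:ff:fe") -> dict:
    """ARP test: a broadcast-looking destination that is not the real broadcast."""
    return {"kind": "arp_request", "target_ip": target_ip, "dst_mac": dst_mac}


def suspects(hosts, probe: dict) -> list:
    """Names of hosts answering a probe that no correctly filtering host should."""
    return [h.name for h in hosts if h.reacts_to(probe)]


def dns_decoy_hit(decoy_ip: str, observed_qname: str) -> bool:
    """DNS method: did someone ask for the PTR record of the decoy address?"""
    expected = ipaddress.ip_address(decoy_ip).reverse_pointer   # e.g. 7.8.9.10.in-addr.arpa
    return observed_qname.rstrip(".").lower() == expected


if __name__ == "__main__":
    # Constructed LAN from the example slide: detector .1, suspect .2, plus a
    # non-sniffing host with the old first-byte-only driver at .3
    lan = [
        Host("detector", "192.168.0.1", Nic("00-60-08-2C-C3-FE")),
        Host("suspect", "192.168.0.2", Nic("00-60-08-2C-C4-FE", promiscuous=True)),
        Host("winhost", "192.168.0.3", Nic("00-60-08-2C-C5-FE", first_byte_only=True)),
    ]
    print("ping method :", suspects(lan, ping_probe("192.168.0.2", "00-60-08-2C-C4-FE")))
    print("arp ff..fe  :", suspects(lan, arp_probe("192.168.0.3")))
    print("arp ff:00.. :", suspects(lan, arp_probe("192.168.0.3", "ff:00:00:00:00:00")))
    print("dns decoy   :", dns_decoy_hit("10.9.8.7", "7.8.9.10.in-addr.arpa."))
```

The model reproduces the caveat from the ARP slide: the host with the first-byte-only driver answers the FF-FF-FF-FF-FF-FE and FF:00:00:00:00:00 requests although it is not sniffing, so a positive ARP test alone identifies a lax filter, not necessarily a sniffer; the ping probe, which carries a MAC that does not start with FF, only triggers the promiscuous host.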

But what to do in these cases?
- There is no protocol bound to the sniffing interface
  - There will be no reaction at all to ARPs, pings, ...!
  - Better method required!
- Dedicated wiretap hardware
- Switch with mirroring functionality
  - "Monitoring port", etc.

Detecting sniffers: AntiSniff
[Figure: AntiSniff screenshot, no sniffer active]
http://packetstormsecurity.org/sniffers/antisniff/

Detecting sniffers: AntiSniff
[Figure: AntiSniff screenshot, a sniffer seems to be running: the ARP test is positive]
http://packetstormsecurity.org/sniffers/antisniff/

"Endangered species (protocols)"
- You cannot tell too often: all these protocols transmit passwords (or important data) unencrypted!
  - Telnet, rlogin
  - HTTP (without TLS/SSL)
  - SNMP (passwords), DNS (unsecured data very important for attackers)
  - SMTP, POP, IMAP
  - NNTP, FTP
- For most of these protocols secure alternatives already exist (TLS for HTTP, PGP with POP/IMAP/SMTP, ...)
  - But you have to use them!
- Also: "External = HTTPS, Internal = HTTP". Is this a good policy?
  - An attacker might have a sniffer on the inside too

Summary
- Sniffing = Interception = Listening is a very dangerous technique
  - You can get a lot of information without having to hack a computer
  - Most of the techniques will not show up in any logs
- Therefore the following aspects are important:
  - Encryption is important against sniffing
    - Perhaps even locally: try to use secure protocols also within your local network!
  - Sniffing alone is very difficult, unless extended by active techniques
    - If someone can tamper with your glass fibre cables, you're out of luck anyway!
  - Investigate your equipment: switches often support various forms of protection
    - Lockdown, static assignments (-> management issues!), DNS snooping, ...
  - Partition your network: routers, VLANs, ...

Thank you for your attention!
Michael Sonntag
Institute for Information processing and microprocessor technology (FIM)
Johannes Kepler University Linz, Austria
sonntag@fim.uni-linz.ac.at