2. Agenda
O What is Packet sniffing
O Switched vs Hubbed Networks
O Packet sniffing attacks
O Packet sniffing detection.
O Packet sniffing prevention.
O Conclusion.
3. Packet Sniffing
O Packet Sniffing is a technique used to listen to the flow of packets in the network.
O A packet sniffer (network analyzer) is a tool (hardware or software) used to listen to the flow of packets in the network.
4. Packet Sniffer uses
O Network Engineers, System Administrators
and Security professionals
O Analyze network problems.
O Find traffic bottlenecks and troubleshoot
problems.
O Monitor network usage.
O Intruders
O Search for plain-text passwords and user
names.
O Hijacking sensitive information such as credit
card information and financial data.
O Analyzing network traffic.
5. Packet Sniffer components
O Hardware
O Usually a standard network adaptor.
O Capture driver
O This is the main part of a sniffer: it captures the data, filters it and stores it in the buffer.
O Buffer
O Used to store captured, filtered data for later analysis.
O Real-time analysis
O This feature provides some analysis of faults and performance issues as data is captured from the wire.
O Decode
O Responsible for displaying the data with a description for human interpretation.
O Packet editing/transmission
O Used to modify packets and re-transmit them over the network.
9. Packet sniffing in non-switched networks
O Called a shared environment.
O Hosts are connected to a Hub.
O A hub is simply a repeater. It takes the signal coming in on one of its ports, amplifies it, and sends it back out on its other ports.
O Packets are broadcast to all hosts in the network.
11. Cont. Packet sniffing in non-switched networks
O Promiscuous mode or promisc mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it.
12. Packet sniffing in switched networks
O Hosts are connected via a Switch.
O Lookup table (ARP Cache, MAC table) with the MAC address and IP address of all hosts.
O Packets are transmitted only to the designated host.
14. ARP: Address Resolution Protocol
O Computer networking protocol for determining a network host's hardware address (Link Layer) when only its Internet Layer (IP) (Network Layer) address is known.
O Request (“who-has”): specifies the IP address of the host whose MAC address we want to find out.
O Reply (“is-at”): the answer a host should send specifying the MAC address associated to that IP address.
15. Cont. ARP: Address Resolution Protocol
ARP Cache
IP Address       MAC Address          Type
129.119.103.1    00-E0-2B-13-68-00    Dynamic
129.119.103.2    ??-??-??-??-??-??    Dynamic
O Entries are either Static or Dynamic.
O Fixed size.
O Gratuitous ARP.
16. Packet Sniffing Attacks
O ARP Spoofing and ARP Cache poisoning.
O MAC Flooding.
O MAC Duplicating.
O Switch Port Stealing.
17. Packet Sniffing Attacks: ARP Spoofing
O Perform a Man-In-the-Middle Attack
O ARP Cache poisoning
O Send a forged gratuitous ARP reply (A-MAC, V-IP)
O The cache is stateless; it is updated with the forged reply.
O Attacker receives traffic.
O Store for later analysis.
O IP forwarding to the victim.
19. Cont. ARP Spoofing
ARP cache before poisoning
IP Address          MAC Address
Host B IP address   Host B MAC address
Host C IP address   Host C MAC address

ARP cache after poisoning
IP Address          MAC Address
Host B IP address   Host C MAC address
Host C IP address   Host C MAC address
20. Packet Sniffing Attacks: MAC Flooding
O Also called “switch jamming”.
O The MAC table has a fixed size.
O Attacker floods the switch with forged MAC address requests.
O Switch enters a Hub-like mode.
O Forwards traffic to all ports.
O Attacker sniffs the traffic.
21. Packet Sniffing Attacks: MAC Duplicating (Cloning)
O Attacker updates its own MAC address with the victim's MAC address.
O Can be done using “ifconfig” in Linux.
O Switch forwards traffic to both hosts.
O No IP forwarding is used.
22. Packet Sniffing Attacks: Switch Port Stealing
O Flood the switch with forged gratuitous replies with (A-MAC, V-IP).
O All replies contain (A-MAC), so traffic is forwarded to the attacker only.
O Should be carried out very fast.
23. Packet Sniffing Detection
O Packet sniffing is a passive attack.
O Sometimes it generates additional traffic, especially when used with an active attack.
O Detection based on the technique used:
O RARP.
O ARP Cache poisoning.
O Arpwatch
O Decoy method
24. Packet Sniffing Detection: Reverse ARP (RARP)
O Used to detect MAC Duplicating.
O Send a Request for the IP address of a known MAC address.
O Multiple replies mean this machine is sniffing the network.
25. Packet Sniffing Detection: ARP Cache Poisoning
O Perform a counter attack on the sniffing machine.
O Three phases:
O Poison the cache of each host in the network with fake entries.
O Establish a TCP connection.
O Sniff the LAN to capture packets with fake entries.
26. ARP Cache Poisoning: Phase 1
O Send a forged gratuitous reply with a fake IP address and a valid MAC address to bypass the software filter.
O The attacker's host will update its own cache.
O What IP address to select as the fake one, so as to poison only the sniffer host?
28. Cont. ARP Cache Poisoning: Phase 2
O Broadcast a TCP packet with a fake source address to the network.
O Non-sniffing machines will reply with an ARP request.
O Sniffing machines will reply with an ICMP error message, or a TCP connection can be established.
29. Cont. ARP Cache Poisoning: Phase 3
O Use a sniffer to detect machines that responded with an ICMP error or a TCP message.
30. Packet Sniffing Detection: Arpwatch
O Tool that uses libpcap to store a database of (IP-MAC) pairs.
O Records every operation made on the network and sends it via Email.
O The software is not 100% accurate.
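As an added example (not part of the original deck and not Arpwatch's own code), the following Python script implements the core idea of slide 30 over the situation shown in the "after poisoning" table of slide 19: it builds an IP-to-MAC database from observed ARP replies, reports a flip-flop when an IP's MAC changes, and reports when one MAC claims more than one IP. The log layout and all addresses are constructed for the example; they are not real Arpwatch output.

```python
import re
from collections import defaultdict

# Constructed ARP reply log, one "timestamp ip is-at mac" record per line
# (hypothetical layout, not real Arpwatch output). Host B is 192.0.2.11 and
# host C is 192.0.2.12; at 10:00:09 host B's IP starts resolving to host C's
# MAC, which is the situation shown in the "after poisoning" table.
SAMPLE_ARP_LOG = """\
10:00:01 192.0.2.11 is-at 02:00:00:00:00:0b
10:00:02 192.0.2.12 is-at 02:00:00:00:00:0c
10:00:05 192.0.2.11 is-at 02:00:00:00:00:0b
10:00:09 192.0.2.11 is-at 02:00:00:00:00:0c
10:00:10 192.0.2.12 is-at 02:00:00:00:00:0c
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for every well-formed record; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def watch_arp(records):
    """Maintain an IP-to-MAC database from ARP replies; return (alerts, table).

    Two conditions are reported, both visible in the poisoned cache on slide 19:
      - flip-flop: an IP that was bound to one MAC is now announced with another;
      - duplicate: a single MAC is now bound to more than one IP.
    """
    table = {}                      # ip -> mac, the monitor's view of the LAN
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has been seen for
    alerts = []
    for ts, ip, mac in records:
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ts} flip-flop: {ip} changed from {old} to {mac}")
            ips_by_mac[old].discard(ip)
        table[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(
                    f"{ts} duplicate: {mac} now claims {sorted(ips_by_mac[mac])}"
                )
    return alerts, table


if __name__ == "__main__":
    found, db = watch_arp(parse_arp_log(SAMPLE_ARP_LOG))
    for a in found:
        print(a)
```

On the sample log this raises two alerts at 10:00:09, a flip-flop for 192.0.2.11 and a duplicate for host C's MAC. As the editor's note on Arpwatch points out, flip-flops also occur legitimately on DHCP networks when leases move between hosts, so an alert of this kind is a prompt to check the switch port and lease records rather than proof of poisoning on its own.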
31. Packet Sniffing Detection: Decoy Method
O The administrator establishes a connection between a host and a virtual server.
O It uses a plain-text username and password.
O The intrusion detection system is activated once the credentials are used.
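As an added example for the decoy method on slide 31 (not part of the original deck), here is the detection side: a small monitor that scans SSH authentication log lines for any use of the decoy username from a host other than the one the administrator runs the decoy session from. The username, hosts and log lines are constructed for illustration.

```python
import re

# Constructed decoy: a username no real person uses, exercised only by the
# administrator's scripted plain-text session from DECOY_CLIENT to the virtual
# server. Any use of that username from another source means someone captured it.
DECOY_USER = "backup-svc"
DECOY_CLIENT = "10.0.0.50"

# Constructed auth log lines in a syslog/sshd-like layout (hypothetical values).
SAMPLE_AUTH_LOG = """\
Jan 10 10:01:02 vsrv sshd[100]: Accepted password for alice from 10.0.0.20 port 51000
Jan 10 10:03:11 vsrv sshd[101]: Accepted password for backup-svc from 10.0.0.50 port 51010
Jan 10 11:47:59 vsrv sshd[140]: Failed password for backup-svc from 10.0.0.77 port 40022
Jan 10 11:48:03 vsrv sshd[141]: Accepted password for backup-svc from 10.0.0.77 port 40023
"""

AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Accepted|Failed) password for (\S+) from (\S+) port \d+$"
)


def decoy_alerts(log_text, decoy_user=DECOY_USER, decoy_client=DECOY_CLIENT):
    """Return one alert dict per login attempt with the decoy username that did
    not come from the decoy client. Failed and accepted attempts both count:
    the credential should never be tried from anywhere else."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue   # unrelated or malformed line
        ts, result, user, src = m.groups()
        if user == decoy_user and src != decoy_client:
            alerts.append({"time": ts, "source": src, "result": result})
    return alerts


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample lines the administrator's own session from 10.0.0.50 is ignored and both attempts from 10.0.0.77 are reported; the source address of those attempts is the lead the administrator follows up, since the only way to know the decoy password is to have captured it on the wire.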
33. Packet Sniffing Prevention
O Port Security and Static ARP entries.
O Authentication techniques.
O Secured protocols.
O Encryption.
34. Packet Sniffing Prevention: Port Security and Static ARP entries
O Port Security on the Switch
O Once the IP-MAC binding is set, it can't be changed.
O Only the Administrator can change it.
O Static ARP entries
O Not timed out.
O Not replaced by forged ARP replies.
O Constrained by the size of the network.
O Overhead to maintain the cache and keep it up-to-date.
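As an added example that serves both slide 20 (MAC flooding) and slide 34 (port security), and that is written for this page rather than taken from any switch vendor, here is a simplified model of a switch CAM table with a fixed capacity and an optional per-port address limit. The simulation shows the behaviour the editor's note describes: once the table is full a newly arrived host cannot be learned and frames for it are flooded to every port, while a per-port limit keeps the bogus addresses out of the table and records each violation. Port names, addresses and sizes are constructed.

```python
from collections import OrderedDict

PORTS = ("p1", "p2", "p3")   # constructed three-port switch


class CamTable:
    """Simplified switch MAC (CAM) table: source MAC -> port, with fixed capacity.

    max_per_port is an optional port-security limit: a port that tries to learn
    more than that many addresses gets each extra address recorded as a
    violation instead of learned. (A real switch would typically also shut the
    port down; this model only counts the violations.)
    """

    def __init__(self, capacity, max_per_port=None):
        self.capacity = capacity
        self.max_per_port = max_per_port
        self.entries = OrderedDict()   # mac -> port
        self.violations = []           # (port, mac) rejected by port security

    def learn(self, src_mac, port):
        """Learn src_mac on port; return True if the binding is in the table."""
        if src_mac in self.entries:
            self.entries[src_mac] = port   # refresh an existing binding
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.entries.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, src_mac))
                return False
        if len(self.entries) >= self.capacity:
            return False                   # table full: address not learned
        self.entries[src_mac] = port
        return True

    def forward(self, dst_mac, in_port):
        """Return the set of ports a frame for dst_mac is sent out of."""
        out = self.entries.get(dst_mac)
        if out is None:
            return set(PORTS) - {in_port}  # unknown destination: flood
        return {out}


def simulate_flood(max_per_port=None, bogus=300):
    """Constructed scenario: a host on p1 is learned, then p3 emits frames from
    `bogus` made-up source MACs, then a new legitimate host appears on p2.
    Returns (ports a frame for the p2 host is sent to, violation count,
    table size)."""
    cam = CamTable(capacity=256, max_per_port=max_per_port)
    cam.learn("02:00:00:00:00:01", "p1")
    for i in range(bogus):
        cam.learn(f"0a:00:00:00:{i // 256:02x}:{i % 256:02x}", "p3")
    cam.learn("02:00:00:00:00:02", "p2")
    out = cam.forward("02:00:00:00:00:02", "p1")
    return sorted(out), len(cam.violations), len(cam.entries)


if __name__ == "__main__":
    print("no port security:", simulate_flood())
    print("max 1 MAC per port:", simulate_flood(max_per_port=1))
```

Without a limit the table fills with the 255 bogus addresses that fit, the late host on p2 is never learned, and its traffic is flooded out of p2 and p3, where p3 can sniff it. With a limit of one address per port the first bogus address is learned and the remaining 299 are recorded as violations, the p2 host is learned normally, and its traffic reaches p2 only. The violation counter is the signal a monitoring system would alarm on.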
35. Packet Sniffing Prevention: Authentication
O Kerberos
O Credentials are not stored on the server.
O Not transmitted over the network.
O One-time passwords
O Used only once.
O An authentication service only protects credentials, not other types of traffic.
O Prone to password guessing attacks.
36. Packet Sniffing Prevention: Secured Protocols
O Never send data in plain text
O SSH instead of Telnet.
O SFTP instead of FTP.
O VPN for clear-text traffic.
O Virtual private networks (VPN)
O All traffic is encrypted.
O Additional overhead.
O Can be sniffed if exposed to Trojans.
37. Packet Sniffing Prevention: Encryption
O Only the payloads are scrambled, ensuring that packets reach the correct destinations.
O An attacker can see where traffic was headed and where it came from, but not what it carries.
O Additional overhead.
O Use strong encryption techniques.
O Layer 3 encryption technologies such as IPsec.
40. Conclusion
O Switched networks are vulnerable to various security attacks; sniffing is one of them.
O Sniffing is a passive attack that we need to be aware of in order to protect against it.
O Replacing hubs with switches doesn't mean we are immune to sniffing.
O The lack of an optimal solution to protect our networks doesn't mean we can't protect them.
Editor's Notes
Packet sniffing tools can be used in either legal or illegal ways. The legal ones, called commercial sniffers, are used by network administrators to monitor the network and detect security breaches. The illegal ones, called underground sniffers, are used by hackers and network intruders to gain access to unauthorized data and steal sensitive information.
A packet sniffer, as mentioned before, can be either software installed at designated places throughout the network or a piece of hardware (a wire-tap device) plugged into the network to monitor traffic.
Each frame includes the hardware (Media Access Control) address. When a network card receives a frame, it normally drops it unless the frame is addressed to that card. In promiscuous mode, however, the card allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.
Who-has: It is almost always sent as a broadcast frame, so as to hopefully reach the host with the desired IP address when we don't know its MAC address. Is-at: It is almost always sent as a unicast frame directed to the MAC address of the machine that sent the request.
The attack starts by having the attacker flood the network with forged gratuitous ARP packets that each contains unique source MAC addresses. This causes some switches to go into a hub-like mode forwarding all traffic to all ports. What happens is that once the CAM table is full, the traffic without a CAM entry floods on the local VLAN. The already existing traffic with existing entries in the CAM table will not be forwarded out on all of the ports. Now, with the traffic being broadcasted to everyone, there will be no trouble sniffing it.
It's not difficult to imagine that, since all frames on the network are routed based on their MAC address, that the ability to impersonate another host would work to our advantage. That's just what MAC duplicating does. You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff. This is easy to do on a Linux box if you have access to the 'ifconfig' command. This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning it's ARP cache. In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address. Since the data will be forwarded to both ports, no IP forwarding is necessary.
This process should be carried out very fast because any transmission of new packets with the original destination MAC address will update the cache with the correct binding.
and records every operation made on the network, from installing new hosts to changing the IP address of existing hosts. In addition, it can detect if anyone is messing with the network settings and trying to change their IP address to that of the server or the gateway, and it sends all these operations via Email. When the MAC address associated with an IP changes (referred to as a flip-flop), an email is sent to an administrator. Tests showed that running Parasite on a network caused a flood of flip-flops, leaving the MAC of the attacker present in Arpwatch's emails. Ettercap caused several flip-flops, but would be difficult to detect on a DHCP-enabled network where flip-flops occur at regular intervals.
A network administrator can deceive sniffing hosts by performing a decoy method. It is carried out by establishing a connection between a host and a virtual server using a plain-text username and password. Once a sniffer tries to use these credentials, the intrusion detection system is activated and reports the intrusion attempt.
Kerberos: authentication service that performs two-way authentication between any two parties.
Virtual private networks (VPNs) can provide protection against sniffing since all data is transmitted in encrypted form. So despite the overhead of sending encrypted data, it is hard for a sniffer to breach the security of a VPN. This does not mean that VPNs are not prone to sniffing, however: once a host is compromised by a Trojan with a sniffer plugged into it, the sniffer can capture not only encrypted traffic but also the unencrypted traffic before it enters the VPN.