ARP cache Poisoning For the Detection of Sniffers in an Ethernet Network Raoudha KHCHERIF Assistant Professor National School of Computer Science University.


1 ARP cache Poisoning For the Detection of Sniffers in an Ethernet Network
Raoudha KHCHERIF, Assistant Professor, National School of Computer Science, University of Mannouba, TUNISIA
raoudha.khcherif@engr.smu.edu

2 Network and computer: are you secure? YES / NO / I don't know

3 Network Intrusions
– Intrusions can be achieved in a matter of seconds using automated intruder tools
– Gain access to computing resources (to launch attacks) as well as to private data
– Compromise a series of remote systems, making it difficult to trace their activities
– Network intrusions originating outside of your jurisdiction may be difficult (or impossible) to prosecute

4 Number of Intruders able to execute attacks http://www.cert.org/present/cert-overview-trends/module-2.pdf

5 External? Internal? 95% of computer crimes are committed by internal employees

6 Security Issues in Networking
Normal flow: Host A → Host B
Interruption: attack on availability

7 Interception (Host A → Host B, read by a third party): attack on confidentiality

8 Modification (Host A → Host B, altered in transit): attack on integrity

9 Fabrication (a third party sends to Host B as if from Host A): attack on authenticity

10 Active Attacks: the intruder sits between Host A and Host B and alters the flow

11 Passive Attacks: the intruder only observes the flow between Host A and Host B

12 Outline
– Basics
– ARP Poisoning Attack
– Sniffers
– Promiscuous Node detection
– ARP Cache Poisoning for Promiscuous Node Detection
– Conclusion

13 What is ARP?
– Protocol which maps an IP address to a MAC address
– Operates in the Network and Datalink layers
– ARP is designed to work for protocols other than IP
Purpose of ARP: 32-bit Internet address ↔ 48-bit Ethernet address (ARP maps IP → MAC, RARP maps MAC → IP)

14 Basics and working of ARP
My Computer (129.119.10.42) wants to reach the HP LaserJet printer (129.119.103.2).
First it checks its ARP cache for the IP address; if there is no entry, it broadcasts an ARP Request: "Who has 129.119.103.2?"

15 The printer answers with an ARP Reply: "I have 129.119.103.2, my MAC is [??-??-??-??-??-??]". The MAC address is returned to My Computer.

16 Basics and working of ARP (cont.)
ARP table of the source host:

IP Address      Physical Address    Type
129.119.103.1   00-E0-2B-13-68-00   dynamic
129.119.103.2   ??-??-??-??-??-??   dynamic

17 ARP Spoofing / ARP Poisoning
ARP Spoofing is a kind of spoofing in which a forged ARP reply is sent in answer to the original ARP request, updating the target computer's cache with a forged entry.

18 Vulnerable & Non-Vulnerable OS
OS vulnerable to ARP Spoofing:
1. Windows 95/98/2000
2. Windows NT
3. Linux
4. Netgear
5. AIX 4.3
OS not vulnerable to ARP Spoofing: SUN SOLARIS

19 ARP Poisoning: introducing a spurious IP-to-Ethernet address mapping in another host's ARP cache. Many techniques are used…

20 ARP Poisoning -- Broadcast request
Host A 10.10.0.1, Host B 10.10.0.2, Host C (Hacker) 10.10.0.11
Host A's cache before: 10.10.0.2 → 00-E0-2B-13-68-00
Host C broadcasts an ARP request: "Who has 10.10.0.1? My IP is 10.10.0.2"
Host A's cache after: 10.10.0.2 → ??-??-??-??-??-?? (Host C's MAC)

21 ARP Poisoning -- Response to a request
Host A 10.10.0.1, Host B 10.10.0.2, Host C (Hacker) 10.10.0.2
Host A asks: "Who has 10.10.0.2? My IP is 10.10.0.1"
Host B replies: "I have 10.10.0.2, my MAC is [00-E0-2B-13-68-00]"
Host C also replies: "I have 10.10.0.2, my MAC is [??-??-??-??-??-??]"
Host A's cache after: 10.10.0.2 → ??-??-??-??-??-??

22 ARP Poisoning -- Unsolicited responses
Host A 10.10.0.1, Host B 10.10.0.2, Host C (Hacker) 10.10.0.11
Host A's cache before: 10.10.0.2 → 00-E0-2B-13-68-00
Host C sends an unsolicited reply: "I have 10.10.0.29, my MAC is [??-??-??-??-??-??]"
Host A's cache after: 10.10.0.29 → ??-??-??-??-??-??, 10.10.0.2 → 00-E0-2B-13-68-00

23 Passive Protocol Analysis: Sniffing A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It monitors traffic destined to itself as well as to all other hosts on the network.

24 Ingredients for successful sniffing
1. Shared media: usually an Ethernet card
2. Promiscuous mode operation
NIC normal: the hardware filter passes only packets addressed to this machine and drops those addressed to others. NIC promiscuous: all packets pass.

25 NIC's hardware addresses
The NIC can set up different filters, called hardware filters, in order to receive different kinds of packets:
– Broadcast: FF:FF:FF:FF:FF:FF
– Promiscuous
– Others
Packets are filtered differently when the NIC is set to promiscuous mode than when it is in normal mode.

26 Anatomy of a sniffer
– Media: usually an Ethernet card, but could also be a wireless card or anything else.
– Capture driver: software driver to capture and filter network traffic.
– Buffer: packets must be temporarily buffered prior to storage or processing.
– Decode: packets must be decoded to human-readable form.
– Logging/Editing: permanent storage of packets for offline analysis.

27 Uses of a sniffer
– Traffic analysis
– Fault analysis of networks
– Intrusion detection systems are built on sniffers
– Performance analysis to identify bottlenecks
– Stealing clear-text content: passwords, credit card numbers, "secret" email conversations
– Gaining unauthorized access to remote hosts
Are sniffers bad? YES & NO

28 Example: FTP packets captured with Ethereal (http://www.ethereal.com/download.html)

30 Example: Email packets. Great! He is sending some interesting information to his boss

32 Prevention vs Detection? Sniffing is a passive activity; done properly, a sniffer is impossible to detect! It is also difficult to prevent.

33 Why is it so difficult to detect sniffers?
– The attack is essentially passive: sniffers don't generate unusual traffic
– They are normally linked to active intrusion attacks
– Only a standard machine is required
– The threat is always seen as external, but 80% to 95% of attacks are internal!
Winpcap, Libpcap: http://winpcap.polito.it/ http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html

34 Prevention? Switched network: Host A, Host B and the sniffer are each connected to a Cisco Systems switch, so the sniffer no longer sees the traffic between A and B.

35 Switch sniffing -- ARP spoofing
Host C (hacker) sends to Host A: "ARP Reply: IP of B has MAC C" and to Host B: "ARP Reply: IP of A has MAC C".
A packet destined for IP B now goes to Host C through the switch, and Host C forwards it to B.

36 Traffic from the switch to the target machines: Host A and Host B are reached through the switch; the hacker uses ARP poisoning to receive their traffic.

37 Traffic from the target machine to the switch: the hacker sends Host A and Host B "ARP Reply: IP of the switch has MAC FF:FF:FF:FF:FF:FF", so their traffic toward the switch is broadcast.

38 Switch sniffing -- MAC Spoofing
The switch keeps a translation table that maps MAC addresses to its physical ports, and has limited memory for this work. Bombarding the switch with fake MAC addresses until it can't keep up makes it enter what is known as "fail-open mode", in which it starts acting as a hub by broadcasting packets to all the machines on the network.

39 Detection? There are some practical solutions:
– Local detection of promiscuous mode
– The RTT detection technique
– The DNS detection technique
– The ARP detection technique
– Employing a honeypot

40 RTT detection technique
The RTT (Round Trip Time) is the time taken by a packet to reach its destination plus the time the response takes to reach the source. The samples of collected RTT measurements represent two different populations, the normal mode population and the promiscuous mode population. The measurements are statistically different enough to represent two different populations.

41 DNS detection technique
Good guy (IP 192.168.0.62) sends a TCP packet to a non-existent address 10.10.10.10 and listens for DNS lookups.
Sniffer: decoding the fake traffic, it issues a DNS lookup: "Hey! Who is 10.10.10.10?"
BINGO! You must be in promiscuous mode!

42 ARP detection technique
Good guy: IP 192.168.0.62, Eth. mode: Normal, Eth. MAC: 00:b8:66:15:9a:11
Sniffer: IP 192.168.0.63, Eth. mode: Promiscuous, Eth. MAC: 00:88:c9:22:14:8c
Good guy sends an ARP Request with Dest MAC FF:00:00:00:00:00, Src IP 192.168.0.62, Dst IP 192.168.0.63.
NIC in promiscuous mode: picks it up and gives it to the OS.
IP stack: "Hmm…, ARP Request to me, send reply back."
Sniffer sends an ARP Reply with Dest MAC 00:b8:66:15:9a:11, Src IP 192.168.0.63, Dst IP 192.168.0.62.
BINGO! You must be in promiscuous mode!

43 Limits
– ARP detection technique: fails if a host does not generate any ARP reply
– RTT detection technique: probabilistic technique; many known and unknown factors (OS, traffic) may affect the results
– DNS detection technique: sniffers can easily be changed to not perform the reverse lookup

44 Detection using ARP cache Poisoning

45 Idea
Host A (10.10.10.1) runs "telnet 10.10.10.2" toward Host B (10.10.10.2). Host A's ARP cache holds 10.10.10.2 → 00:00:00:00:00:01.
Host A checks its ARP cache; if there is no entry, it sends an ARP request. If port 23 is open, a TCP packet follows; if not, an ICMP packet.

46 ARP cache poisoning attack based detection technique: 3 different phases
– Phase 1: Corrupt the ARP cache of each sniffing host in the LAN with fake entries
– Phase 2: Establish a TCP connection
– Phase 3: Sniff the LAN in order to capture any packet containing the fake entry

47 How can I poison only the sniffing hosts?
Send an ARP Reply whose hardware destination is set to an address that does not exist.
– NIC in normal mode: the packet is refused by the hardware filter of the NIC.
– NIC in promiscuous mode: the NIC does not perform any filter operation, so the packet is able to pass to the system kernel. The system kernel assumes that this ARP reply packet arrived because it contains the same IP address as that machine, so it should respond to the packet.
Software filter: the packet is actually filtered again by the system kernel. The software filter depends on the operating system kernel. It is useless to send ARP packets with MAC addresses that do not exist, since the software filter will block such packets. We need to send ARP packets with MAC addresses that may pass the software filter.

48 Software filtering (✓ = the host replies, - = no reply; Norm = normal mode, Promis = promiscuous mode)

Hardware Address     Windows 9x/ME    Windows 2k/NT    Linux
                     Norm   Promis    Norm   Promis    Norm   Promis
FF:FF:FF:FF:FF:FF    ✓      ✓         ✓      ✓         ✓      ✓
FF:FF:FF:FF:FF:FE    -      ✓         -      ✓         -      ✓
FF:FF:00:00:00:00    -      ✓         -      ✓         -      ✓
FF:00:00:00:00:00    -      ✓         -      -         -      ✓
01:00:00:00:00:00    -      -         -      -         -      ✓
01:00:5E:00:00:00    -      -         -      -         -      ✓
01:00:5E:00:00:01    ✓      ✓         ✓      ✓         ✓      ✓

49 First Phase: ARP Poisoning
We configure an ARP Reply packet such that it has the fake broadcast address as the destination address:

Ethernet address of destination              FF:FF:FF:FF:FF:FE
Ethernet address of sender                   Fake address
Protocol type (ARP = 0806)                   08 06
Hardware address space (Ethernet = 01)       00 01
Protocol address space (IPv4 = 0800)         08 00
Byte length of hardware address              06
Byte length of protocol address              04
Opcode (ARP request = 01, ARP reply = 02)    00 02
Hardware address of sender of this packet    Fake address
Protocol address of sender of this packet    Fake address
Hardware address of target of this packet
Protocol address of target

50 ARP Poisoning: the ARP Reply with the fake sender address is dropped by a NIC in normal mode; a NIC in promiscuous mode accepts it and its ARP cache is poisoned.

51 2nd Phase: Establishing a TCP connection
We now configure a TCP packet (with the SYN bit set) whose source address is the fake one, and send this packet to the broadcast address.

52 Establishing a TCP connection: the TCP packet with the fake sender address reaches both the promiscuous NIC and the normal NIC.

53 3rd Phase: Detection of the sniffing hosts
Machines whose ARP cache is poisoned reply with an ICMP error message or with TCP (the connection can be made). Machines whose NIC is in normal mode reply with an ARP request. We use a sniffer to capture and analyze the packets on the net; the machines that send ICMP or TCP with the fake IP and MAC addresses as destination addresses are the machines running a sniffer.

54 Detection of the sniffing hosts: the normal NIC sends an ARP Request; the promiscuous NIC sends ICMP or TCP. BINGO! You must be in promiscuous mode!
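The three phases of slides 46 to 54, as an added example that is not part of the presentation: building the phase 1 ARP Reply with the fake broadcast destination from slide 49, and the phase 3 classification of captured frames. The fake sender MAC and IP, the sample hosts and the captured frames are constructed here; the code uses raw bytes rather than a live interface so it runs offline.

```python
import struct

# Constructed probe values: only the fake broadcast FF:FF:FF:FF:FF:FE
# comes from slide 49; the fake sender MAC and IP are assumptions.
FAKE_DST_MAC = "ff:ff:ff:ff:ff:fe"
FAKE_MAC = "00:11:22:33:44:55"  # fake sender hardware address (constructed)
FAKE_IP = "10.10.10.250"        # fake sender protocol address (constructed)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def arp_packet(opcode, sha, spa, tha, tpa):
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4
    head = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return head + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def build_probe(target_mac, target_ip):
    """Phase 1: ARP reply whose Ethernet destination is the fake broadcast.
    A NIC in normal mode drops it in hardware; a promiscuous NIC passes it up
    and the kernel caches FAKE_IP -> FAKE_MAC."""
    eth = mac_bytes(FAKE_DST_MAC) + mac_bytes(FAKE_MAC) + b"\x08\x06"
    return eth + arp_packet(2, FAKE_MAC, FAKE_IP, target_mac, target_ip)

def classify(frame):
    """Phase 3: ICMP or TCP sent to FAKE_MAC/FAKE_IP can only come from a host
    holding the poisoned entry (promiscuous); an ARP request for FAKE_IP means
    the host never accepted the probe (normal mode)."""
    src, ethertype = mac_str(frame[6:12]), struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and frame[:6] == mac_bytes(FAKE_MAC):
        proto, dst_ip = frame[23], frame[30:34]  # IP header starts at byte 14
        if dst_ip == ip_bytes(FAKE_IP) and proto in (1, 6):  # ICMP or TCP
            return src, "promiscuous"
    if ethertype == 0x0806:
        opcode, target_ip = struct.unpack("!H", frame[20:22])[0], frame[38:42]
        if opcode == 1 and target_ip == ip_bytes(FAKE_IP):
            return src, "normal"
    return src, "unknown"

# Constructed capture: host B answered the fake entry with ICMP; host A sent an ARP request.
ICMP_FROM_B = (mac_bytes(FAKE_MAC) + mac_bytes("00:e0:2b:13:68:00") + b"\x08\x00"
               + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                             ip_bytes("10.10.10.2"), ip_bytes(FAKE_IP)) + b"\x08\x00" + b"\0" * 6)
ARP_FROM_A = (b"\xff" * 6 + mac_bytes("00:00:00:00:00:01") + b"\x08\x06"
              + arp_packet(1, "00:00:00:00:00:01", "10.10.10.1", "00:00:00:00:00:00", FAKE_IP))
```

On a real LAN the frames fed to classify() would come from the sniffer of phase 3, and only hosts classified "promiscuous" need follow-up.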

55 Evaluation
We tested this method with a simple sniffer and an advanced one. According to our experiments, compared to other anti-sniffers (PromiScan, PMD, L0pht AntiSniff), only this method can detect both advanced and simple sniffers in the LAN.
http://www.securityfriday.com http://webteca.port5.com http://www.l0pht.com/antisniff

56 How to avoid sniffers?
– Switched network
– Never send clear-text messages on the net:
  – SSH for telnet
  – SFTP for FTP
  – VPN for clear-text traffic

57
Kiddie: A friend of mine told me that it is possible to sniff on a LAN... so I bought a switch ;)
NaGoR: mmhhh....
Kiddie: Now my LAN is SECURE! You can't sniff my packets... ah ah ah
NaGoR: Are you sure? Look at ettercap doing its work...
Kiddie: Oh my god... it sniffs all my traffic!! I will use only ciphered connections on my LAN, so ettercap can't sniff them! ah ah ah
NaGoR: mmhhh....
Kiddie: Now I'm using SSH. My LAN is SECURE!
NaGoR: Are you sure? Look at ettercap doing its work...
Kiddie: shit!! grrrr...

58 Tools
– ettercap (http://ettercap.sf.net)
– dsniff (http://www.monkey.org/~dugsong/dsniff)

59 "A false sense of security is worse than insecurity" (Steve Gibson)

60 Thank You raoudha.khcherif@engr.smu.edu
