Network Eavesdropping

2 Outline
- Concepts
- Methodology
- Detection

3 Eavesdropping
- Sniffer: packet capture tool ("Sniffer" is a trademark)
- Network sniffing is eavesdropping on the network to capture the packets transmitted over it
- It monitors traffic destined to itself as well as to all other hosts on the network
- Can be used for both attacking and protecting purposes

4 Uses of a sniffer
- Traffic analysis
- Performance analysis
- IDS/IPS are built on a sniffer
- Stealing clear-text content
  - Usernames & passwords
  - Conversations

5 How does a sniffer work
- Normal mode
  - Each network interface card (NIC) and network device has a unique MAC address
  - The NIC only receives packets destined to its specific MAC address; all other packets are ignored
- Sniffer mode
  - A machine running a sniffer breaks this rule and accepts all packets
  - Turn on “promiscuous” mode on the NIC
  - Makes the NIC accept all data-link layer frames regardless of the MAC address

6 Anatomy of a sniffer
- Media (the network the frames are captured from)
- Capture driver: software driver to capture and filter packets
- Buffer: temporary space before processing
- Decode: decoding to readable form
- Storage: storage for offline analysis

7 How to sniff in shared networks
- Passive running
  - Just put the NIC into promiscuous mode
- Switched networks:
  - Prevent traditional sniffing because frames are routed to a single port, based on a table of MAC/port associations

8 How to sniff in switched networks
- Prevents traditional sniffing
  - Switches keep an internal list of the MAC addresses of the hosts that are on their ports
  - Traffic is sent to a port only if the destination host is recorded as being present on that port
- Switched networks are not really safe from sniffing
- Sniffing in switched networks needs active operations:
  - ARP spoofing
  - MAC flooding

9 ARP revisit
- Figure: hosts A, B, C, D on one segment; A has MAC 8:0:20:7a:49:68, D has MAC 00:10:4B:13:0A:BC
- ARP request: A wants to resolve the MAC address of D, so A sends a broadcast ARP request ("who has IP ?")
- ARP reply: D sends a unicast ARP reply to A ("me! with 00:10:4B:13:0A:BC")

10 Gratuitous ARP
- A host "announces" its IP address to the local network when its interface is configured, usually at boot time, to prevent the use of duplicate addresses on the same network
- Routers and other network hardware may cache information gained from gratuitous ARP packets
- A gratuitous ARP packet is an ARP request with both the sender's and the target's IP address fields containing the configured IP address
- Figure: hosts A, B, C, D; A broadcasts "Hi everyone, my IP is and my MAC is 8:0:20:7a:49:68"

11 ARP datagrams
- An ARP/RARP message is carried inside a data-link frame: frame hdr | ARP/RARP message
- Message layout, one 32-bit row per line (field widths in bits where given):
  - Hardware type: 16 | Protocol type: 16
  - hlen: 8 | plen: 8 | ARP operation: 16
  - Sender MAC addr (bytes 0-3)
  - Sender MAC addr (bytes 4-5) | sender IP addr (bytes 0-1)
  - Sender IP addr (bytes 2-3) | dest MAC addr (bytes 0-1)
  - Dest MAC addr (bytes 2-5)
  - Dest IP addr (bytes 0-3)

12 ARP request packet
- Requester: MAC 02:60:8c:2e:b5:8b; target: MAC ?? (not yet known)
- Sample ARP request Ethernet packet, field by field:
  - dest MAC (broadcast): FF:FF:FF:FF:FF:FF
  - source MAC: 02:60:8c:2e:b5:8b
  - ARP frame type: 0x0806
  - hardware type (Ethernet): 0x01
  - protocol type (IP): 0x800
  - hlen (MAC = 6): 0x06
  - plen (IP = 4): 0x04
  - operation (request): 0x001
  - source MAC: 02:60:8c:2e:b5:8b
  - source IP:
  - dest MAC (unknown): 00:00:00:00:00:00
  - dest IP:
  - Ethernet checksum

13 ARP reply packet
- Requester: MAC 02:60:8c:2e:b5:8b; responder: MAC 00:00:e8:15:cc:0c
- Sample ARP reply Ethernet packet, field by field:
  - dest MAC (unicast): 02:60:8c:2e:b5:8b
  - source MAC: 00:00:e8:15:cc:0c
  - ARP frame type: 0x0806
  - hardware type (Ethernet): 0x01
  - protocol type (IP): 0x800
  - hlen (MAC = 6): 0x06
  - plen (IP = 4): 0x04
  - operation (reply): 0x002
  - source MAC: 00:00:e8:15:cc:0c
  - source IP:
  - dest MAC: 02:60:8c:2e:b5:8b
  - dest IP:
  - Ethernet checksum
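The datagram layout of slides 11-13 is easiest to check by parsing it. The following is an added example, not code from the presentation: the `build_arp_frame`/`parse_arp_frame` helpers and the `ArpFrame` class are mine; the MAC addresses are the ones printed on slides 12-13, the IP addresses (192.0.2.x, TEST-NET-1) are constructed placeholders because the transcript does not preserve the originals, and `is_gratuitous` applies the definition from slide 10 (sender IP equals target IP).

```python
"""Build and parse Ethernet/ARP frames using the slide 11 layout (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
HW_ETHERNET = 0x0001
PROTO_IPV4 = 0x0800
ARP_REQUEST = 0x0001
ARP_REPLY = 0x0002
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # "dest MAC (unknown)" in a request


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    dst_mac: str        # Ethernet destination (broadcast for a request, unicast for a reply)
    src_mac: str        # Ethernet source
    operation: int      # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str     # all zeros in a request
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # Slide 10: both IP fields carry the announcing host's own address.
        return self.sender_ip == self.target_ip

    def describe(self) -> str:
        if self.operation == ARP_REQUEST:
            return f"who has {self.target_ip}? tell {self.sender_ip} ({self.sender_mac})"
        if self.operation == ARP_REPLY:
            return f"{self.sender_ip} is at {self.sender_mac} -> {self.target_ip}"
        return f"unknown ARP operation {self.operation}"


def build_arp_frame(dst_mac, src_mac, operation, sender_mac, sender_ip,
                    target_mac, target_ip) -> bytes:
    """14-byte Ethernet header followed by the 28-byte ARP message of slide 11."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HW_ETHERNET, PROTO_IPV4, 6, 4, operation,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode an Ethernet frame carrying Ethernet/IPv4 ARP; reject anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpFrame(mac_str(dst), mac_str(src), op, mac_str(smac), ip_str(sip),
                    mac_str(tmac), ip_str(tip))


# Constructed samples: MACs from slides 12-13, IPs are TEST-NET placeholders.
REQUESTER_MAC, REQUESTER_IP = "02:60:8c:2e:b5:8b", "192.0.2.10"
RESPONDER_MAC, RESPONDER_IP = "00:00:e8:15:cc:0c", "192.0.2.20"

SAMPLE_REQUEST = build_arp_frame(BROADCAST_MAC, REQUESTER_MAC, ARP_REQUEST,
                                 REQUESTER_MAC, REQUESTER_IP, ZERO_MAC, RESPONDER_IP)
SAMPLE_REPLY = build_arp_frame(REQUESTER_MAC, RESPONDER_MAC, ARP_REPLY,
                               RESPONDER_MAC, RESPONDER_IP, REQUESTER_MAC, REQUESTER_IP)
SAMPLE_GRATUITOUS = build_arp_frame(BROADCAST_MAC, REQUESTER_MAC, ARP_REQUEST,
                                    REQUESTER_MAC, REQUESTER_IP, ZERO_MAC, REQUESTER_IP)

if __name__ == "__main__":
    for name, raw in [("request", SAMPLE_REQUEST), ("reply", SAMPLE_REPLY),
                      ("gratuitous", SAMPLE_GRATUITOUS)]:
        f = parse_arp_frame(raw)
        print(f"{name:10} {len(raw)} bytes  {f.describe()}  gratuitous={f.is_gratuitous}")
```

Note that nothing in the parsed fields ties the Ethernet source MAC to the ARP sender MAC, or the reply to a request that was actually sent; that absence is exactly what slides 15-16 rely on, and a monitor has to supply those checks itself.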

14 Playing with ARP
- How to see the ARP table?
- How to clear the ARP table?
- How to add an ARP entry?
- How to check the table in IPv6?

15 Facts about ARP
- Stateless protocol
- Not designed with security in mind
  - No means for authentication or validation
- Nothing prevents clients from crafting custom ARP messages
  - Can forge the source IP address
  - Can forge the source MAC address
- Result: malicious nodes can fool network nodes into sending traffic to the wrong MAC address, so the network is exposed to many attacks:
  - ARP spoofing (ARP cache poisoning)
  - MAC flooding

16 ARP cache
- Kept locally to minimize the number of ARP request broadcasts
- Updated with the new IP/MAC association for each reply
- Some OSs will update the cache if a reply is received, regardless of whether they sent out an actual request
- Possible to overwrite the ARP cache on many OSs
- Possible to associate any MAC address with the default gateway’s IP address

17 ARP weakness
- If two machines have the same IP address, they will both respond to the same ARP request (IP conflict)
- Depending on the OS, one of two things could happen:
  - The slowest (last) ARP reply to arrive will be cached until the ARP entry expires
  - The first ARP reply to arrive will be cached, and any further ARP replies will be ignored (until the ARP entry expires)

18 ARP Spoof
- Methods to spoof the contents of an ARP table
- Takes advantage of the ARP cache
- The process of corrupting the cache is “poisoning”, hence also called ARP cache poisoning
- Causes all outgoing traffic from the target host to be transmitted to the hacker’s host
- The hacker can also forge ARP replies
- Dsniff by Dug Song includes a program named “arpspoof” for this purpose

19 ARP Spoofing Scenario
- Hosts: A (IP IA, MAC MA), B (IP IB, MAC MB), C (IP IC, MAC MC, the attacker)
- Normal condition (ARP caches):
  - A: IB -> MB, IC -> MC
  - B: IA -> MA, IC -> MC
  - C: IA -> MA, IB -> MB
- After ARP spoofing:
  - A: IB -> MC, IC -> MC
  - B: IA -> MC (other entries unchanged)
  - C: IA -> MA, IB -> MB

20 ARP Poisoning: Broadcast Request
- Hosts: A (IP IA, MAC MA), B (IP IB, MAC MB), C (IP IC, MAC MC, attacker)
- Caches: A: IB -> MB, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- B broadcasts: "Who has IA? My IP is IB"

21 ARP Poisoning: Response to Broadcast
- Caches: A: IB -> MC, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- A replies: "I have IA and my MAC is MA"

22 ARP Poisoning: Result like Sniffing
- Not quite a sniffer, but fairly close
- Caches: A: IB -> MC, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- Packets destined for IB are first sent to IC
- The attacker forwards the packets on to B

23 ARP Poisoning: Broadcast Request
- Caches: A: IB -> MB, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- A broadcasts: "Who has IB? My IP is IA"

24 ARP Poisoning: Broadcast Request
- Caches: A: IB -> MC, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- The attacker C replies: "I have IB and my MAC is MC"
- B also replies: "I have IB and my MAC is MB"

25 ARP Poisoning: Unsolicited Response
- Caches: A: IB -> MB, IC -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC
- The attacker C sends, without any request: "I have IX and my MAC is MC"

26 ARP Poisoning: Response to Unsolicited
- Caches: A: IB -> MB, IC -> MC, IX -> MC; C: IA -> MA, IB -> MB; B: IA -> MA, IC -> MC, IX -> MC
- "I have IX and my MAC is MC": A and B have cached IX -> MC although neither asked

27 MAC Flooding
- A switch keeps a table (in a buffer) of all MAC addresses that appear on each port
- If a large number of addresses appear on a single port, some switches begin to send all traffic to that port
- Flooding the switch with randomly faked MAC addresses
- The switch becomes overloaded and fails into “failopen mode”
- In failopen mode, it operates exactly like a hub, transmitting all packets to all addresses in the network
- Dsniff includes a program named “macof” that facilitates the flooding of a switch with random MAC addresses

28 MAC Address Cloning
- MAC addresses were intended to be globally unique and unchangeable
- Today, MAC addresses can be easily changed
- An attacker could DoS a target computer, clone the target’s MAC address, and receive all frames intended for the target

29 Sample Tools
- Ettercap ( ): complete sniffing and ARP corruption tool with command-line and GUI
- Arpspoof ( ): basic ARP manipulation tool; part of the dsniff package
- ARPoison ( ): basic ARP spoofing tool
- Many more…

30 Sniffer Prevention and Detection
- Done properly, a sniffer is impossible to detect
- Sniffing is a passive activity; it doesn’t generate unusual traffic
  - normally linked to active intrusion attacks
- Difficult to prevent

31 Possible Protection
- Three main types:
  - End node precautions
  - Prevention
  - Detection

32 Precautions and Implementation
- Use a VPN or some other encrypted channel for all communication
- Verify the authenticity of all SSL and SSH certificates before accepting them

33 Prevention
- Deploy intelligent Ethernet switches supporting the following features:
  - Secured port
    - Specify the MAC address for each port
    - Limit the number of MACs on an interface
  - Smart cache
    - Only time out inactive entries
  - Smart management
    - Never flood
    - Require a host to send traffic first before receiving
  - Dynamic ARP inspection
    - Uses information from DHCP to block unknown bindings
  - DHCP snooping
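To see why the "limit the number of MACs on an interface" feature above counters the MAC flooding of slide 27, here is a toy model of a switch forwarding table. This is an added example and not code from the presentation or from any switch vendor: the `Switch` class, its fixed-size table, the "failopen" degradation to hub behaviour and the per-port MAC limit are a simplification I wrote for illustration; real switches differ in table sizes, ageing and violation actions. The victim MACs are borrowed from slides 12-13 and the flood's source MACs are a constructed sequence rather than macof's random ones.

```python
"""Toy switch forwarding table: MAC flooding (slide 27) vs. port security (slide 33)."""
from collections import OrderedDict

MAC_A = "00:00:e8:15:cc:0c"   # victim hosts; MACs taken from slides 12-13
MAC_B = "02:60:8c:2e:b5:8b"


class Switch:
    def __init__(self, ports, table_capacity=16, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_capacity = table_capacity          # size of the MAC table buffer
        self.max_macs_per_port = max_macs_per_port    # None = no port security
        self.table = OrderedDict()                    # mac -> port
        self.violations = []                          # (port, mac) dropped by port security
        self.fail_open = False                        # slide 27's "failopen" hub behaviour

    def macs_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, port, src_mac):
        """Record the source MAC on the ingress port; return how it was handled."""
        if src_mac in self.table:
            self.table[src_mac] = port                # same station (possibly moved)
            return "known"
        if (self.max_macs_per_port is not None
                and self.macs_on(port) >= self.max_macs_per_port):
            self.violations.append((port, src_mac))  # "limit the number of MACs on an interface"
            return "violation"
        if len(self.table) >= self.table_capacity:
            self.fail_open = True                     # table full: degrade to a hub
            return "overflow"
        self.table[src_mac] = port
        return "learned"

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports a frame is delivered to."""
        status = self.learn(in_port, src_mac)
        if status == "violation":
            return []                                 # port security drops the offending frame
        others = [p for p in self.ports if p != in_port]
        if self.fail_open or dst_mac not in self.table:
            return others                             # unknown unicast or fail-open: flood
        return [self.table[dst_mac]]


def flood_scenario(max_macs_per_port=None, fake_count=100):
    """A (port 1) and B (port 2) exchange frames; a host on port 3 then sends frames
    from many constructed source MACs. Returns whether A's later unicast to B is
    also copied to port 3, i.e. whether the flood made the switch leak traffic."""
    sw = Switch(ports=[1, 2, 3], table_capacity=16, max_macs_per_port=max_macs_per_port)
    sw.forward(1, MAC_A, MAC_B)
    sw.forward(2, MAC_B, MAC_A)
    for i in range(fake_count):
        fake = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed, not random
        sw.forward(3, fake, MAC_A)
    delivered = sw.forward(1, MAC_A, MAC_B)
    return {
        "fail_open": sw.fail_open,
        "leaks_to_port_3": 3 in delivered,
        "violations": len(sw.violations),
        "table_size": len(sw.table),
    }


if __name__ == "__main__":
    print("no port security:", flood_scenario())
    print("1 MAC per port:  ", flood_scenario(max_macs_per_port=1))
```

With no per-port limit the table fills, the switch falls open and A's frame for B is copied to the attacker's port; with a limit of one MAC per port the extra source addresses are counted as violations and dropped, the table stays small and A's frame reaches only port 2. The same counters (violations per port, table occupancy) are what a defender would watch on a real switch.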

34 Sniffer Detection
- Shared network
  - Local detection of promiscuous mode
  - Ping test
  - ARP test
  - Ping latency test
  - Employing a honeypot
- Switched network
  - Track down any nodes found performing ARP cache changes
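The first item, local detection of promiscuous mode, can be done on a Linux host by reading the interface flags word. This is an added example, not from the presentation: the `promiscuous_interfaces` and `promisc_from_ip_link` functions are mine; `IFF_PROMISC = 0x100` is the flag value from the kernel's `net/if.h`, `/sys/class/net/<iface>/flags` is where the kernel exposes the flags word, and the sysfs tree and `ip link` output used for the offline run are constructed samples.

```python
"""Local promiscuous-mode check (slide 34): interface flags from sysfs or `ip link`."""
import os
import re
import tempfile

IFF_UP = 0x1
IFF_PROMISC = 0x100      # net/if.h; set while any capture holds the interface promiscuous


def read_flags(sysfs_root: str, iface: str) -> int:
    """The kernel exposes the flags word as 0x-prefixed hex, e.g. '0x1103'."""
    with open(os.path.join(sysfs_root, iface, "flags")) as fh:
        return int(fh.read().strip(), 16)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            flags = read_flags(sysfs_root, iface)
        except (OSError, ValueError):
            continue                         # entries without a readable flags file
        if flags & IFF_PROMISC:
            found.append(iface)
    return found


def promisc_from_ip_link(text: str) -> list:
    """Parse `ip link` output; PROMISC shows up inside the <...> flag list."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def write_fake_sysfs(root: str, flags_by_iface: dict) -> None:
    """Constructed sysfs tree so the scan can be exercised offline."""
    for iface, flags in flags_by_iface.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(f"0x{flags:x}\n")


def demo_on_constructed_tree() -> list:
    root = tempfile.mkdtemp()
    # lo = LOOPBACK|UP, eth0 = UP|BROADCAST|MULTICAST, eth1 = the same plus PROMISC
    write_fake_sysfs(root, {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103})
    return promiscuous_interfaces(root)


# Constructed `ip link` output; only eth1 carries the PROMISC flag.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

if __name__ == "__main__":
    print("constructed tree:", demo_on_constructed_tree())
    print("constructed ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    if os.path.isdir("/sys/class/net"):
        print("this host:", promiscuous_interfaces())
```

The flag only reflects what the kernel on that host reports, so an attacker with root on the host can hide it; this check complements the network-side ping and ARP tests rather than replacing them.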

35 Sniffer Detection: Ping test
- Construct an ICMP echo request
  - Set the IP address to that of the suspected host
  - Choose a mismatched MAC address
- In some systems, if the NIC is in promiscuous mode, the sniffer will grab this packet as a legitimate packet and respond accordingly
- Most systems will ignore this packet since its MAC address is wrong
- If the suspected host replies to our request, we know that it is in promiscuous mode

36 Sniffer Detection: ARP test
- Send out an ARP request to the suspect host with all valid information except a bogus destination MAC address
- A non-promiscuous-mode machine would never see the packet
- A promiscuous-mode machine would process it and reply
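What the ping test (slide 35) and the ARP test (slide 36) actually put on the wire is a frame whose IP or ARP contents are correct for the suspect but whose Ethernet destination is a MAC nobody owns. The example below, added here and not taken from the presentation or from any detection tool, builds both probe frames with valid IPv4 and ICMP checksums and models the NIC address filter that decides whether the suspect ever sees them. It only constructs the bytes; sending them needs a raw socket and is outside the example. The `nic_accepts` model is a simplification (it ignores multicast group filters and the imperfect software filters some stacks have), and all addresses are constructed except the slide-13 MAC used for the suspect.

```python
"""Build the promiscuous-mode probe frames of slides 35-36 and model a NIC's address filter."""
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by the IPv4 header and by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo_probe(src_mac, src_ip, bogus_dst_mac, target_ip,
                    ident=0x1234, seq=1, payload=b"promisc-probe") -> bytes:
    """Slide 35: valid IP/ICMP for the suspect, Ethernet destination deliberately wrong."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload       # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ip_bytes(src_ip), ip_bytes(target_ip))          # proto 1 = ICMP
    iph = iph[:10] + struct.pack("!H", inet_checksum(iph)) + iph[12:]
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IP)
    return eth + iph + icmp


def arp_probe(src_mac, src_ip, bogus_dst_mac, target_ip) -> bytes:
    """Slide 36: an ordinary ARP request body, but unicast to a MAC nobody owns."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1,
                      mac_bytes(src_mac), ip_bytes(src_ip), bytes(6), ip_bytes(target_ip))
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + arp


def nic_accepts(frame: bytes, nic_mac: str, promiscuous: bool) -> bool:
    """Simplified hardware filter: own unicast or broadcast only, unless promiscuous."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == mac_bytes(nic_mac) or dst == BROADCAST


def ipv4_header_ok(frame: bytes) -> bool:
    return inet_checksum(frame[14:34]) == 0          # a valid header checksums to zero


def icmp_ok(frame: bytes) -> bool:
    total_len = struct.unpack("!H", frame[16:18])[0]
    return inet_checksum(frame[34:14 + total_len]) == 0


def probe_verdict(frame: bytes, suspect_mac: str) -> dict:
    """Only a promiscuous NIC passes the probe up the stack, so only it can answer."""
    return {"normal_nic_sees_it": nic_accepts(frame, suspect_mac, False),
            "promiscuous_nic_sees_it": nic_accepts(frame, suspect_mac, True)}


# Constructed addresses: the tester is 02:00:00:00:00:01 / 192.0.2.1, the suspect
# is the slide-13 host 00:00:e8:15:cc:0c at placeholder 192.0.2.20, and
# 02:00:00:00:00:42 is a unicast MAC that no station on the segment owns.
TESTER_MAC, TESTER_IP = "02:00:00:00:00:01", "192.0.2.1"
SUSPECT_MAC, SUSPECT_IP = "00:00:e8:15:cc:0c", "192.0.2.20"
BOGUS_MAC = "02:00:00:00:00:42"

if __name__ == "__main__":
    ping = icmp_echo_probe(TESTER_MAC, TESTER_IP, BOGUS_MAC, SUSPECT_IP)
    arp = arp_probe(TESTER_MAC, TESTER_IP, BOGUS_MAC, SUSPECT_IP)
    print("ping probe", len(ping), "bytes", probe_verdict(ping, SUSPECT_MAC))
    print("arp probe ", len(arp), "bytes", probe_verdict(arp, SUSPECT_MAC))
```

A reply to either probe is the signal; no reply proves nothing, which is the limitation slide 39 describes, since a sniffer can be written to drop frames whose Ethernet destination is not its own.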

37 Sniffer Detection: Ping Latency test
- Methods:
  - Make two different populations, the normal-mode population and the promiscuous-mode population, or
  - Ping the suspected host and record the RTT
- Create a lot of fake TCP connections
- We expect the sniffer to be processing packets, so the latency will increase
- Ping the suspected host again to see if the round-trip time has increased

38 Sniffer Detection: Honeypot
- Create telnet connections with lots of logins and passwords to a telnet server (which may be a fake server)
- The sniffer takes the bait

39 Sniffer Detection Limitations
- ARP, ICMP, DNS tests
  - Sophisticated attackers are of course aware of this and design their sniffer to filter out or ignore these packets
- Latency test
  - Probabilistic technique
  - Many known and unknown factors (OS, traffic) may affect the results

40 Antisniffer Tools
- Antisniff: http://packetstormsecurity.org/sniffers/antisniff/
- Anti-Antisniff

41 Sniffer Detection: Detect ARP Spoof
- Detect and track down any nodes found performing ARP cache corruption
- Tools
  - arpwatch: watches for ARP cache entry changes and sends a notification if found
  - Ettercap: has a plugin that can detect suspicious ARP activity and other Ettercap users on a network
  - Network Intrusion Detection System (IDS): most are designed with the ability to detect and warn about suspicious ARP activity
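The core of what arpwatch does can be shown in a few dozen lines: keep the IP-to-MAC bindings seen on the segment and raise an alert when one changes. The following monitor is an added example, not arpwatch's code or anything from the presentation. It consumes already-decoded (time, sender IP, sender MAC) tuples, replays the poisoning sequence of slides 20-26 using the slides' own symbolic addresses (IA/MA etc., constructed input), and adds two checks of my own on top of the change alert: a pinned "trusted" table for addresses that must never move (the default-gateway case from slide 16) and a heuristic that flags one MAC claiming more IPs than `max_ips_per_mac` (the attacker MC claiming IB and IX).

```python
"""arpwatch-style ARP binding monitor over the slides 20-26 scenario (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    t: float
    kind: str        # new-station | changed | flip-flop | many-ips | spoofed-trusted
    ip: str
    old_mac: Optional[str]
    new_mac: str


@dataclass
class ArpMonitor:
    trusted: dict = field(default_factory=dict)      # pinned ip -> mac (e.g. the gateway)
    max_ips_per_mac: int = 1                         # heuristic; raise for multi-homed hosts
    bindings: dict = field(default_factory=dict)     # ip -> mac currently believed
    history: dict = field(default_factory=lambda: defaultdict(set))   # ip -> every mac seen
    alerts: list = field(default_factory=list)

    def observe(self, t: float, sender_ip: str, sender_mac: str) -> list:
        """Feed one decoded ARP reply (or gratuitous request); return the alerts it raised."""
        raised = []
        if sender_ip in self.trusted and self.trusted[sender_ip] != sender_mac:
            raised.append(Alert(t, "spoofed-trusted", sender_ip,
                                self.trusted[sender_ip], sender_mac))
            self.alerts.extend(raised)
            return raised            # never let a forged reply overwrite a pinned binding
        old = self.bindings.get(sender_ip)
        if old is None:
            raised.append(Alert(t, "new-station", sender_ip, None, sender_mac))
        elif old != sender_mac:
            # arpwatch's distinction: a return to a MAC seen before is a flip-flop
            kind = "flip-flop" if sender_mac in self.history[sender_ip] else "changed"
            raised.append(Alert(t, kind, sender_ip, old, sender_mac))
        self.bindings[sender_ip] = sender_mac
        self.history[sender_ip].add(sender_mac)
        claimed = [ip for ip, m in self.bindings.items() if m == sender_mac]
        if len(claimed) > self.max_ips_per_mac:
            raised.append(Alert(t, "many-ips", sender_ip, None, sender_mac))
        self.alerts.extend(raised)
        return raised

    def summary(self) -> dict:
        counts = defaultdict(int)
        for a in self.alerts:
            counts[a.kind] += 1
        return dict(counts)


# Constructed replay of slides 20-26 with their symbolic addresses (t in seconds).
SCENARIO = [
    (0, "IA", "MA"), (1, "IB", "MB"), (2, "IC", "MC"),   # normal condition (slide 20)
    (10, "IB", "MC"),   # slide 24: attacker C answers "who has IB" with MC
    (11, "IB", "MB"),   # slide 24: the real B answers as well
    (20, "IX", "MC"),   # slide 25: unsolicited "I have IX" from C
]


def replay(events=SCENARIO, **kwargs) -> ArpMonitor:
    mon = ArpMonitor(**kwargs)
    for t, ip, mac in events:
        mon.observe(t, ip, mac)
    return mon


if __name__ == "__main__":
    mon = replay()
    for a in mon.alerts:
        print(f"t={a.t:>3} {a.kind:16} {a.ip}: {a.old_mac} -> {a.new_mac}")
    print(mon.summary())
```

In a deployment the tuples would come from a capture of ARP traffic on the segment (the parser from the slides 11-13 example yields exactly `sender_ip`/`sender_mac`), and `new-station` alerts are expected noise on a busy LAN; `changed`, `flip-flop` and `spoofed-trusted` are the ones worth paging on.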

42 Future Prevention?
- Secure Address Resolution Protocol (S-ARP)
- S-ARP uses public/private key pairs to authenticate ARP responses

43 Final Recommendation
- The best way to avoid damage by a sniffer is not to pass usernames and passwords over the network in clear text
- Encryption is the best solution
  - Use SSH instead of telnet
  - Use HTTPS instead of HTTP
  - Use SCP and SFTP instead of FTP

44 Some common sniffers
- Tcpdump
- Wireshark
- Ettercap
- Snort
- Dsniff