Networks Fall 2009.


Review – Last Lecture
Computer Crimes
Operating System Identification
Firewalking

Review - Stack Fingerprinting
Once the hosts and ports have been mapped by scanning the target network, the final footprinting step is to determine the operating system. This step is sometimes called stack fingerprinting.
The two primary methods used to fingerprint are banner grabbing and active stack fingerprinting.
The general process is to send a query or packet to the target system and analyze its response, because different operating systems respond differently.

Review - Firewalking Concept
Firewalking is a technique used to gather information about a remote network protected by a firewall. The technique is used for two purposes:
Determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall).
Mapping a network behind a firewall.
When a firewall's policy is to drop ICMP ECHO Request/Reply, this technique is very effective.

OUTLINE
Computer Crimes
Network Sniffing
Protecting the Network

Computer Crimes

Crimes 1
Thousands of people have reportedly fallen prey to a phishing attack that uses e-cards as bait. The cards appear to come from a secret admirer. When the recipient clicks on the provided link, the computer is directed to a malicious site that attempts to download a keystroke logger; the card is then displayed. The attack exploits a flaw in Microsoft Windows that was patched in May.

Crimes 2
China's second largest domain name service (DNS) provider, Xinet, was hit with an eight-hour denial of service attack that disabled 180,000 web sites. Many of the web sites are back on line, and Xinet hopes to have the rest (primarily smaller sites) back on line by October 7.

Crimes 3
Purdue University is notifying approximately 2,500 individuals who were students at the school in 2000 that their personal data may have been compromised. The data include names and SSNs. A security check of an administrative workstation in the University's Chemistry Department found that a file might have been accessed by a cyber intruder. Purdue has established a toll-free number for people who believe they may be affected by the breach. Analysis indicated that the intruder obtained remote access to the computer's hard drive and installed software that would allow files to be downloaded.

Network Sniffing

Network Sniffing
The goal of network sniffing is to eavesdrop on the network in order to capture the packets transmitted over it. It is a passive form of information gathering.
As with all the techniques studied so far, network sniffing can be used either for attacking a network or for protecting one.

Why Sniff?
Wealth of data: unencrypted packets carry a great deal of plaintext information (e.g. passwords, credit card numbers), among other valuable data.
Ease of access: when installed on a gateway (internet or intranet), the sniffer can listen to all packets that pass through the gateway.

Components of a Sniffer
The hardware: network adapter, wire tap.
Driver: captures the packets and stores them in a buffer.
Packet filter: filters the packets according to user-defined rules.
Packet analyzer: analyzes the packets and generates human-readable reports.

Process
By default, computers listen and respond only to packets addressed to them.
Sniffers put the NIC (Network Interface Card) into promiscuous mode. In this mode, the computer monitors and captures all network traffic passing by, regardless of its true destination.

How Sniffing Works – MAC Address
A computer connected to a LAN has two addresses:
The IP address.
The MAC (Media Access Control) address, which uniquely identifies each node of the network and is stored on the network card.
It is the MAC address that Ethernet uses to actually deliver a data packet.
Starting with an IP address, the Network layer looks up the MAC address in the ARP (Address Resolution Protocol) cache. If it is not in the cache, the host broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds with its MAC address, and the MAC address is then added to the cache.

How Sniffing Works – Shared Ethernet
In a shared Ethernet environment all hosts are connected to the same bus. Packets are sent to all the machines, but only the one with the matching address accepts the packet; the others discard it.
A machine running a sniffer breaks this rule and accepts all packets. This is a totally passive and difficult-to-detect form of sniffing.
[Diagram: hosts A, B, C, D and a sniffer attached to a hub; a frame addressed to B is repeated to every port, the other hosts discard it (X) and the sniffer keeps it.]

How Sniffing Works – Switched Ethernet
In this case hosts are connected to a switch instead of a hub. The switch maintains a table mapping each host's MAC address to the physical port of that host, so it forwards packets only to the designated computer and does not broadcast them.
So a promiscuous computer cannot sniff the packet traffic. Problem solved – or is it?

ARP Spoofing
Goal: D wants to sniff the traffic from A.
D sends an ARP reply (it is accepted even if nobody asked for it) telling A that D is the switch.
Result: all traffic from A goes to D first.
[Diagram: A, B, C and D on a switch; after the spoofed ARP reply, the data A sends to C is delivered to D first.]

ARP Cache Poisoning
Goal: anything sent from C to A will first go to D.
D sends an ARP reply to C with A's IP but D's MAC. C updates its cache with the new IP-MAC relationship, so everything C sends to A actually goes to D.
[Diagram: D sends C an ARP reply with Source IP: A, Source MAC: D; C's ARP cache now maps A's IP to D's MAC.]
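As an added example (not from the lecture), a defender-side check for the two ARP techniques above: it walks a constructed log of ARP messages using the lecture's hosts A (10.0.0.1), C (10.0.0.3) and D, and flags a reply that nobody requested as well as a reply that changes the MAC already known for an IP. All IPs and MACs are constructed values.

```python
from collections import namedtuple

# One parsed ARP message; op is "request" or "reply".
ArpMsg = namedtuple("ArpMsg", "op sender_ip sender_mac target_ip target_mac")

# Constructed ARP exchange (not a real capture). A = 10.0.0.1 (MAC ...a1),
# C = 10.0.0.3 (MAC ...c3), D has MAC ...d4 and never owns 10.0.0.1.
SAMPLE = [
    ArpMsg("request", "10.0.0.3", "00:11:22:33:44:c3", "10.0.0.1", "00:00:00:00:00:00"),
    ArpMsg("reply",   "10.0.0.1", "00:11:22:33:44:a1", "10.0.0.3", "00:11:22:33:44:c3"),
    # D tells C "10.0.0.1 is-at D" although C asked nothing: cache poisoning.
    ArpMsg("reply",   "10.0.0.1", "00:11:22:33:44:d4", "10.0.0.3", "00:11:22:33:44:c3"),
]


def detect_arp_poisoning(msgs):
    """Return alert strings for ARP replies that were never requested or that
    change the MAC previously learned for the sender IP."""
    cache = {}       # ip -> mac, learned from the first reply seen for that ip
    pending = set()  # (requester_ip, requested_ip) for outstanding requests
    alerts = []
    for m in msgs:
        if m.op == "request":
            pending.add((m.sender_ip, m.target_ip))
            continue
        # A legitimate reply answers a request the target sent for the sender's IP.
        key = (m.target_ip, m.sender_ip)
        if key in pending:
            pending.discard(key)
        else:
            alerts.append(
                f"unsolicited ARP reply: {m.sender_ip} is-at {m.sender_mac} "
                f"sent to {m.target_ip}")
        known = cache.setdefault(m.sender_ip, m.sender_mac)
        if known != m.sender_mac:
            alerts.append(
                f"IP/MAC change for {m.sender_ip}: {known} -> {m.sender_mac} "
                f"(possible cache poisoning)")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE):
        print(alert)
```

A production monitor should seed the IP-to-MAC table from a known-good inventory rather than from the first reply it happens to see, since that first reply could itself be the spoofed one.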

MAC Flooding
Switches keep a translation table that maps MAC addresses to the physical ports on the switch. The switch has limited memory for this table.
MAC flooding exploits this limitation by bombarding the switch with fake MAC addresses until the switch cannot keep up. The switch then enters a "fail-open" mode: it starts to act like a hub and broadcasts its packets to all the machines on the network.
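An added example (not the lecture's code) of spotting the flooding symptom from the defender's side: given a constructed per-port frame log, it counts the distinct source MACs seen on each switch port within a one-second window and raises one alert for the port on which the count explodes, since a normal access port sees only one or a few MACs. The ports, MACs, window and threshold are constructed values.

```python
from collections import Counter, defaultdict, deque


def make_sample():
    """Constructed frame log: (timestamp_seconds, switch_port, source_mac).
    Ports 1 and 2 carry one host each; port 4 sources 300 different MACs."""
    frames = [
        (0.0, 1, "00:11:22:33:44:a1"),
        (0.5, 2, "00:11:22:33:44:b2"),
        (1.0, 1, "00:11:22:33:44:a1"),
    ]
    for i in range(300):  # constructed flood: a new MAC every 2 ms on port 4
        frames.append((0.6 + i * 0.002, 4, f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"))
    return sorted(frames)


def detect_mac_flooding(frames, window=1.0, threshold=100):
    """Return [(port, distinct_macs)] for each port whose number of distinct
    source MACs within `window` seconds reaches `threshold` (one alert per port)."""
    recent = defaultdict(deque)    # port -> (ts, mac) frames still inside the window
    counts = defaultdict(Counter)  # port -> mac -> frames inside the window
    flagged = set()
    alerts = []
    for ts, port, mac in frames:
        q, c = recent[port], counts[port]
        q.append((ts, mac))
        c[mac] += 1
        # Expire frames that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        if len(c) >= threshold and port not in flagged:
            flagged.add(port)
            alerts.append((port, len(c)))
    return alerts


if __name__ == "__main__":
    for port, n in detect_mac_flooding(make_sample()):
        print(f"port {port}: {n} distinct source MACs in one second, possible MAC flooding")
```

The same count can usually be read from the switch itself (its MAC table size per port), and port security limits that cap learned MACs per port stop the table from being exhausted in the first place.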

Protecting the Network

The First Step
Since gathering information is the first step in any attack on a network, the first line of defense should be to prevent the release of information, or at the very least to detect information scans.
This can be done by looking for information leaks yourself and plugging them before the "bad guys" find them. There are also procedures that will detect information scans.

Detecting Sniffers
Sniffers are passive, so they are very difficult to detect; however, there are some tricks that can help.
Ping method: send a ping request with the IP address of the suspect machine but not its MAC address. Ideally nobody should see this packet, as each Ethernet adapter will reject it because it does not match its MAC address. If the suspect machine is running a sniffer, it will respond, because it does not reject packets with the wrong MAC address.
This is an old and no longer very reliable method.

ARP Method
Goal: get a promiscuous machine to cache a correct IP/MAC pair and then respond using that information.
Send a non-broadcast ARP, which will only be read by a machine in promiscuous mode; it will cache the IP/MAC pair in its ARP cache.
Next, send a broadcast ping packet with the correct IP but a different MAC address. Only a machine that sniffed the prior ARP will have the correct cache entry, and only it will respond to the broadcast ping.

Local Host Detection
Often, after a machine has been compromised, hackers will leave sniffers behind to compromise other machines.
If you suspect that your machine has a sniffer running, execute the ifconfig -a command. It will display information about all the interfaces on the system.
Test on shemp: if a sniffer were running, it would report: RUNNING PROMISC
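An added example, not the lecture's own, that automates the ifconfig -a check: it parses a constructed sample of ifconfig output in both net-tools formats (the newer flags=<...> form and the older one-word-flag form the slide refers to) and returns the interfaces that are in promiscuous mode, also decoding the numeric flag word against Linux's IFF_PROMISC bit (0x100). The interface names and addresses are constructed.

```python
import re

IFF_PROMISC = 0x100  # Linux <linux/if.h> flag bit for promiscuous mode

# Constructed `ifconfig -a` output (not a real capture). eth0 uses the newer
# format and is promiscuous; eth1 uses the older format and is not.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.11  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

NEW_STYLE = re.compile(r"^(\S+): flags=(\d+)<([^>]*)>")
OLD_STYLE_NAME = re.compile(r"^(\S+)\s+Link encap:")


def promiscuous_interfaces(text):
    """Return the names of interfaces whose ifconfig block shows PROMISC."""
    found = []
    current = None  # interface name while inside an old-style block
    for line in text.splitlines():
        m = NEW_STYLE.match(line)
        if m:
            name, numeric, names = m.group(1), int(m.group(2)), m.group(3).split(",")
            # Check both the textual list and the numeric word: they should agree.
            if "PROMISC" in names or numeric & IFF_PROMISC:
                found.append(name)
            current = None
            continue
        m = OLD_STYLE_NAME.match(line)
        if m:
            current = m.group(1)
            continue
        # Old-style flag line: indented words such as "UP BROADCAST RUNNING PROMISC".
        if current and line.startswith(" ") and "PROMISC" in line.split():
            found.append(current)
    return found


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces(SAMPLE_IFCONFIG))
```

Because a trojaned ifconfig binary can hide the flag, cross-check the same bit in /sys/class/net/<iface>/flags, which the kernel exports directly.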

Other Methods
There are some sniffer detectors available, but in general an IDS works well.
The best method to defeat sniffing is: Encryption