LAN Vulnerabilities.


Local Area Network
- How to connect computers?
- Topologies: Point to Point? Sharing a medium?
- Topologies: Ring, Bus, Star

Ethernet
- Most popular LAN technology
- Original Ethernet is Bus topology
- CSMA/CD for Media Access Protocol
- Devices: Repeater, Bridge, Hub, Switch
- Coaxial Cable -> Twisted Pair (Category 5…)
- 10M -> 100M -> 1G

Hubs
- Layer-1
- A device that connects several computers on Ethernet
- Has a number of RJ-45 ports
- Hubs do no processing on network traffic; they simply repeat the incoming signal to all available ports.

Switches
- Layer-2
- Connects several computers in a network by a number of RJ-45 ports
  - Same as Hubs
- Every port works as a Bridge
- A switch has a table of (MAC, port) pairs
- Store and Forward, Cut through
- Each device can act independently from other devices

Network Security

Example: local networking

Ethernet Frame
[Figure: Ethernet frame; picture from Wikipedia]

Physical (MAC) Address
- Why do we need an address?
- Each Network Card is assigned a physical address
  - Usually assigned by the hardware manufacturer
- A Network Card will only accept the frames that are destined for it

Network Sniffing
Network sniffing means eavesdropping on the network to capture the packets transmitted over it.

Components of a Sniffer
- The hardware: adapter with promiscuous mode capability
- Driver: captures the packets and stores them in the buffer.
- Packet filter: filters the packets according to user rules.
- Packet analyzer: analyzes the packets and generates human-readable reports.
- Examples: tcpdump, Wireshark

How to sniff?
- Frames are transmitted on Ethernet
- Broadcast frames
  - Examples?
  - All computers read the frame
- Non-broadcast frames
  - Only the target computer reads the frame
  - Can the frame be read by other computers?
  - Hub? Switch?

Detecting Sniffing
- In a LAN with many computers, we want to detect which one of them is sniffing
- We know all IP addresses of those computers
- What happens if we send an ARP request with an IP address and a non-broadcast MAC address?
  - E.g. fake broadcast FF:FF:FF:FF:FF:FE

Layer-2 Switch
- Switches learn the binding of port and MAC address
  - By examining the MAC addresses of frames arriving from each port
- The association may change when
  - A different computer is plugged into a port

Port Stealing
- The attacker floods the switch with forged gratuitous ARP reply packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker.
- Since the destination MAC address of each flooding packet is the attacker's MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network.
- A race condition: the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port.
- If the attacker is fast enough, packets intended for the target host will be sent to the attacker's switch port and not the target host.
- When a packet arrives, the attacker performs an ARP request asking for the target host's IP address. Next, the attacker stops the flooding and waits for the ARP reply.
- When the attacker receives the reply, it means that the target host's switch port has been restored to its original binding.
- The attacker now sniffs the packet, forwards it to the target host and restarts the attack…

Port Stealing
[Figure: Layer 2 switch with ports 1, 2, 3 connecting A, Attacker and B; forged gratuitous ARP]

The attack starts by having the attacker flood the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. The flooding process described here is different from the flooding process used in CAM table flooding. Since the destination MAC address of each flooding packet is the attacker's MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network.

Now, a race condition exists because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker's switch port and not the target host. The attacker has now stolen the target host's switch port.

When a packet arrives at the attacker, the attacker performs an ARP request asking for the target host's IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target host's switch port has been restored to its original binding. Now, the attacker can sniff the packet, then forward it to the target host and restart the flooding process, waiting for new packets.
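The race described above leaves a visible trace: one source MAC address is rebound between two switch ports many times in a short interval. The following is an added example, not part of the original slides, that models the (MAC, port) table and flags such flapping; the threshold, window, MAC addresses and port numbers are constructed assumptions.

```python
from collections import defaultdict, deque

class MacFlapDetector:
    """Model a switch's MAC -> port table and flag MACs that keep moving."""

    def __init__(self, max_moves=3, window=1.0):
        self.max_moves = max_moves        # assumed threshold: rebinds tolerated per window
        self.window = window              # assumed window length in seconds
        self.table = {}                   # MAC -> port currently bound
        self.moves = defaultdict(deque)   # MAC -> timestamps of recent rebinds

    def observe(self, ts, src_mac, port):
        """Learn from one frame's source MAC; return True if it is flapping."""
        mac = src_mac.lower()
        old = self.table.get(mac)
        self.table[mac] = port            # a MAC is bound to a single port
        if old is None or old == port:
            return False
        recent = self.moves[mac]
        recent.append(ts)
        while ts - recent[0] > self.window:
            recent.popleft()              # forget rebinds older than the window
        return len(recent) > self.max_moves


def flapping_macs(frames, **kwargs):
    """Return the set of source MACs that exceeded the rebind threshold."""
    det = MacFlapDetector(**kwargs)
    return {mac for ts, mac, port in frames if det.observe(ts, mac, port)}


# Constructed sample (timestamp, source MAC, ingress port); not captured traffic.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    (0.00, HOST_B, 2),   # B's own traffic on its real port
    (0.10, HOST_A, 1),
    (0.20, HOST_B, 3),   # same source MAC now seen on another port
    (0.25, HOST_B, 2),
    (0.30, HOST_B, 3),
    (0.35, HOST_B, 2),   # fourth rebind within one second
    (5.00, HOST_A, 4),   # A replugged once: a legitimate change
]

if __name__ == "__main__":
    print(flapping_macs(SAMPLE_FRAMES))
```

A single move, such as a computer plugged into a different port, stays below the threshold; only repeated rebinding inside the window is reported.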

ARP Spoofing
- Also called ARP poisoning
- Goal is to poison the victim's ARP cache to map an IP address to a wrong MAC address
  - arp -a
- Attacker can become man-in-the-middle
- Method: send fake ARP messages

ARP – Address Resolution Protocol
- Mapping from IP addresses to MAC addresses
- Request: arp req | target IP: 140.252.13.5 | target eth: ?
- Reply: arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26
[Figure, shown for both request and reply: hosts .1 to .5 on network 140.252.13, with MAC addresses 08:00:20:03:F6:42 and 00:00:C0:C2:9B:26]

Example ARP Request (from Wikipedia)

Bit offset   Fields (bit positions within each 32-bit row)
0            bits 0-15: Hardware type = 1; bits 16-31: Protocol type = 0x0800
32           bits 0-7: Hardware length = 6; bits 8-15: Protocol length = 4; bits 16-31: Operation = 1 (request)
64           bits 0-31: SHA (first 32 bits) = 0x000958D8
96           bits 0-15: SHA (last 16 bits) = 0x1122; bits 16-31: SPA (first 16 bits) = 0x0A0A
128          bits 0-15: SPA (last 16 bits) = 0x0A7B; bits 16-31: THA (first 16 bits) = 0xFFFF
160          bits 0-31: THA (last 32 bits) = 0xFFFFFFFF
192          bits 0-31: TPA = 0x0A0A0A8C

Example ARP Reply (from Wikipedia)

Bit offset   Fields (bit positions within each 32-bit row)
0            bits 0-15: Hardware type = 1; bits 16-31: Protocol type = 0x0800
32           bits 0-7: Hardware length = 6; bits 8-15: Protocol length = 4; bits 16-31: Operation = 2 (reply)
64           bits 0-31: SHA (first 32 bits) = 0x000958D8
96           bits 0-15: SHA (last 16 bits) = 0x33AA; bits 16-31: SPA (first 16 bits) = 0x0A0A
128          bits 0-15: SPA (last 16 bits) = 0x0A8C; bits 16-31: THA (first 16 bits) = 0x0009
160          bits 0-31: THA (last 32 bits) = 0x58D81122
192          bits 0-31: TPA = 0x0A0A0A7B
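The request and reply layouts above can be decoded byte for byte, and the decoded sender fields are what a poisoned cache gets wrong. The following is an added example, not part of the original slides: it parses the two example packets and reports any later ARP message that claims a different MAC address for an IP address already seen. The third packet and its MAC address are constructed for illustration.

```python
import struct

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into its fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sha": _mac(sha), "spa": _ip(spa),
            "tha": _mac(tha), "tpa": _ip(tpa)}

def find_conflicts(payloads):
    """Return (ip, known_mac, claimed_mac) for each message whose sender
    binding contradicts the first binding seen for that IP address."""
    seen, conflicts = {}, []
    for p in payloads:
        a = parse_arp(p)
        known = seen.setdefault(a["spa"], a["sha"])
        if known != a["sha"]:
            conflicts.append((a["spa"], known, a["sha"]))
    return conflicts

# The two example packets from the tables above.
REQUEST = bytes.fromhex(
    "0001 0800 06 04 0001 000958D81122 0A0A0A7B FFFFFFFFFFFF 0A0A0A8C")
REPLY = bytes.fromhex(
    "0001 0800 06 04 0002 000958D833AA 0A0A0A8C 000958D81122 0A0A0A7B")
# Constructed: a reply claiming the same sender IP with a different MAC.
CONFLICTING = bytes.fromhex(
    "0001 0800 06 04 0002 020000000099 0A0A0A8C 000958D81122 0A0A0A7B")

if __name__ == "__main__":
    for pkt in (REQUEST, REPLY):
        print(parse_arp(pkt))
    print(find_conflicts([REQUEST, REPLY, CONFLICTING]))
```

A changed binding is not always hostile: a replaced network card or a reassigned address produces the same record, so each result is something to verify rather than proof of spoofing.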

ARP Spoofing