Seminar Topic Packet Sniffing
Presented By: Soumitra Kumar Jana(06/CS/55) Chandan Paul(06/CS/84) Sankha De(06/CS/61) Shantanu Das(06/CS/104) CSE 7th SEM,HIT Under the Guidance of: Ms. Jayeeta Majumdar Lecturer, CSE ,HIT
Topics to be discussed types of sniffing INTRODUCTION TO PACKET SNIFFING WHO USES PACKET SNIFFERS AND WHY types of sniffing protocols vulnerable to sniffing Internet Basics packet sniffers how sniffers work? SOME TECHNIQUES FOR IMPLEMENTING SNIFFING SOME POPULAR PACKET SNIFFERS exploits of packet sniffers how to detect sniffing countermeasures conclusion
The Network Today:
Introduction to Packet Sniffing Host A Host B Router A Router B Sniffing is a data interception technology.The term sniffing commonly is used to describe protocol analysis, the process of viewing and analyzing the contents of packets on a network. Tools used for this purpose are properly called protocol analyzers, but the term sniffer also is widely used for such tools. Protocol analyzers or sniffers are network troubleshooting tools that provide a detailed view of network traffic.
(Continued...) A network analyzer is just software running on a computer with a networkcard. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined to the network-analyzer host. The network analyzer performs the following functions: Captures all network traffic. Interprets or decodes what is found into a human-readable format. Displays it all in chronological order.
Who Uses Packet Sniffers and Why? System administrators -- To monitor the flow of network traffic --Troubleshoot communication problems --Understand system problems and performance --Intrusion detection --Debug network protocol implementations --Detection of erroneous packet flow through the network --Gather and report network usage and statistics.
(Continued...) Malicious individuals (intruders) --Capture cleartext data --Passively collect data on vulnerable protocols FTP, POP3, IMAP, SMATP, rlogin, HTTP etc Capture VoIP Data. --Mapping the target network --Traffic pattern discovery --Actively break into the network (backdoor techniques)
Types of Sniffing Sniffing Passive Sniffing Active Sniffing Passive sniffing means sniffing through a hub.It is passive because it is difficult to detect.An attacker simply connects to the hub from his/her machine. Active sniffing means sniffing through a switch.It is easy to detect.Attacker tries to poison the switch by sending bogus MAC address.
Protocols Vulnerable to Sniffing Protocols that are suspectible to sniffers include- Telnet :Keystrokes including usernames and passwords. HTTP:Data sent in the clear text. SMTP:Password and data sent in the clear text. POP: Password and data sent in the clear text. FTP: Password and data sent in the clear text. IMAP VoIP SNMP etc. 10
INTERNET Today Physical Layer Data Link Layer: Ethernet, 802.11(2) Internet is based on TCP/IP architecture. The model defines four (or five) layers. Physical Layer Data Link Layer: Ethernet, 802.11(2) Network Layer: IPv4 (IPv6)(3) Transport Layer: TCP, UDP(4) Application Layer: SMTP, HTTP, FTP(5)
Packet Sniffers How They Work A "Packet Sniffer" is a utility that sniffs without modifying the network's packets in any way. By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its programming dictates. Packet sniffers merely watch, display, and log this traffic. How They Work An Ethernet sniffer is software that works in concert with the network interface card (NIC) to blindly suck up all traffic within “earshot” of the listening system, rather than just the traffic addressed to the sniffing host.
How They Work(Continues...) Normally, an Ethernet NIC will discard any traffic not specifically addressed to itself or the network broadcast address, so the card must be put in a special state called promiscuous mode to enable it to receive all packets floating by on the wire.Once the network hardware is in promiscuous mode, the sniffer software can capture and analyze any traffic that traverses the local Ethernet segment. This limits the range of a sniffer somewhat because it will not be able to listen to traffic outside of the local network’s collision domain (that is, beyond routers, switches, or other segmenting devices). Obviously, a sniffer judiciously placed on a backbone, internetwork link, or other network aggregation point will be able to monitor a greater volume of traffic than one placed on an isolated Ethernet segment.This is the basic understanding of the function of a sniffer.
Some Techniques for Implementing Packet Sniffing ARP Spoofing or ARP Poisioning The process of falsifying the source Media Access Control (MAC) addresses of packets being sent on an Ethernet network is called ARP spoofing or ARP poisoning. ARP spoofing involves sending forged ARP replies to redirect network traffic to the attacking host. If the attacking host is only listening to traffic and not participating in it, legitimate hosts are usually unaware that the packets they are transmitting are being redirected to an attacker and are not reaching their intended destinations. Tools used –Cain & Abel,Ettercap etc.
(Continues...) MAC duplicating MAC duplicating attack is launched by sniffing network for MAC addresses of clients who are actively associates with a switch-port.By listening to the traffic on the network a malicious user can intercept and use a legitimate user’s MAC address and he got all the traffic destined for that legitimate user. MAC Flooding MAC flooding is an attack that tries to flood the internal memory of Ethernet switches using large numbers of spoofed Media Access Control (MAC) addresses. Switches has limited memory for mapping the MAC addresses to the physical ports on switch.MAC flooding uses this limitation and floods the switch with fake MAC addresses until the switch can’t keep up.Switch then acts like a hub by broadcasting packets to all machines in the network.After that sniffing is easily performed. Tools used-Etherflood.
(Continues...) IP Based Spoofing DNS Poisoning This is the original way of packet sniffing.It works by putting the network card into promiscuous mode and sniffs all packets.This method only works in non-switched networks.All the modern sniffers uses this technique. DNS Poisoning DNS spoofing provides DNS servers with false information to impersonate DNS servers.The DNS server beleives that it has got authentic information when, in reality,it does not. Intranet DNS Poisoning(LAN) Internet DNS Poisoning(Remote Network) Proxy Server DNS Poisoning DNS Cache Poisoning
Some Popular Packet sniffers Linux/Unix-based sniffers use libpcap, which must be installed prior to installing any sniffer. tcpdump, a command-line based packet sniffer. tcpshow (tcpdump-based analysis). Wireshark (Packet sniffer GUI) [Formerly Ethereal] ngreg — network grep (Command line tool to apply regular expressions to tcpdump output). Dsniff-is a password sniffer handles FTP,Telnet,SMTP,HTTP,POP etc. Windows-based sniffers use WinPcap, which must be installed prior to installing any sniffer. 1.Wireshark(Packet sniffer GUI) [Formerly Ethereal] 2.Capsa Network Analyzer (Packet Sniffer) from Colasoft 3.Cain & Abel from Oxid.it 4. WinDump, a DOS command-line packet sniffer 5.CommViewer
Wireshark Wireshark (formerly Ethereal) is a UNIX- and Windows-based open source network monitoring tool. Stable release is 1.2.4.Wireshark is a software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap. Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets. Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback. Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark. Decodes over 750 protocols . Compatible with many other sniffers .
Listing of All the Packets MENU BAR DISPLAY FILTER SPECIFICAT ION Listing of All the Packets Details of Selected Packet Header Packet Content in Hex & ASCII Code
Raw data (content of packet # 43262) Selected TCP Packet #43262 Details of the selected packet (#43262) Raw data (content of packet # 43262) CS420: High Speed Multimedia and Multiservice Networks
Filtering HTTP Packets Only Accessing http://en.wikipedia.org with source ip 10.10.39.155.The destination ip for this packet is 10.10.3.254
Cain and Abel Cain and Abel (sometimes called simply "Cain") is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel. TCP/UDP Traceroute with DNS Resolver Dumping protected storage passwords -Reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer. APR(ARP Poison Routing)- Enables sniffing on switched networks. Sniffer -Captures passwords, hashes and authentication information while they are transmitted on the network. IP to MAC Address resolver Used for remote purposes such as Remote Console,Remote Route Table Manager,Remote TCP/UDP Table Viewer etc.
Start/Stop Sniffer Button Start/Stop APR Traceroute any web address Sniffer Operations Lists network computers with MAC,Hostname
Lists all computers on the subnet Username,passwords and web address is retrieved Lists all computers in the subnet APR(ARP Poison Routing)
ARP Poison Routing Session Hijacking Session Hijacking
LAN View LAN View WAN View APR Poisoning Status
Exploits of Packet Sniffers One disturbingly powerful aspect of packet sniffers is their ability to place the hosting machine's network adapter into "promiscuous mode." Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the sniffing software, but also ALL of the traffic on the physically connected local network. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.
How to Detect Sniffing? There are two basic approaches to detecting sniffers: 1. host based 2. network based The most direct host-based approach is to determine whether the target system’s network card is operating in promiscuous mode. On UNIX, several programs can accomplish this, including Check Promiscuous Mode (cpm) Sniffers are also visible in the Process List and tend to create large log files over time, so simple UNIX scripts using ps, grep can illuminate suspicious sniffer-like activity. But these techniques are not always effective.
(Continued...) Check whether the MAC address of some machine(such as a Router) has changed. Network-based sniffer detection has been hypothesized for a long time. One of the first proof of concepts, Anti-Sniff, was created by L0pht. Run network tools like HP OpenView or IBM Tivoli to monitor network for strange packets.
Countermeasures Host A Host B Router A Router B The following techniques and tools can be used to mitigate sniffers: Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers. Switched infrastructure—Migrating to Switched Network Topologies . Shared Ethernet is extremely vulnerable to sniffing. Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network. Cryptography—The best way to defeat sniffing is to encrypt network traffic using Internet Protocol Security (IPSec) or some other mechanism. This won’t stop attackers from sniffing your network, but it will make it harder for them to gain anything useful from their efforts.
Conclusion Its a cruel irony in information security that many of the features that make using computers easier or more efficient and the tools used to protect and secure the network can also be used to exploit and compromise the same computers and networks. This is the case with packet sniffing. Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode though and this might be used as a means for locating rogue packet sniffers.
References http://en.wikipedia.org http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html http://www.tcpdump.org/pcap.htm http://mixter.void.ru/rawip.html http://www.coders.eu.org/manualy/win/wskfaq/examples/rawping.html http://www.wireshark.org http://www.oxid.it
THANK YOU