Fall 2010: Computer Crimes, Operating System Identification, Firewalking (presentation transcript)

Slide 3
- Computer Crimes
- Operating System Identification
- Firewalking

Slide 4
- Once the hosts and ports have been mapped by scanning the target network, the final footprinting step is to determine the operating system
- This step is sometimes called stack fingerprinting
- The two primary methods used to fingerprint are banner grabbing and active stack fingerprinting
- The general process is to send a query or packet to the target system and analyze its response, because different operating systems respond differently

Slide 5
- Firewalking is a technique used to gather information about a remote network protected by a firewall
- The technique is used for two purposes:
  - Determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall)
  - Mapping a network behind a firewall
- The technique is very effective when a firewall's policy is to drop ICMP ECHO Request/Reply

Slide 6
- Computer Crimes
- Network Sniffing
- Protecting the Network

Slide 7: Computer Crimes

Slide 8
- Thousands of people have reportedly fallen prey to a phishing attack that uses e-cards as bait
- The cards appear to come from a secret admirer. When the recipient clicks on the provided link, the computer is directed to a malicious site that attempts to download a keystroke logger; the card is then displayed
- The attack exploits a flaw in Microsoft Windows that was patched in May

Slide 9
- China's second largest domain name service (DNS) provider, Xinet, was hit with an eight-hour denial of service attack that disabled 180,000 web sites
- Many of the web sites are back on line, and Xinet hopes to have the rest (primarily smaller sites) back on line by October 7

Slide 10
- Purdue University is notifying approximately 2,500 individuals who were students at the school in 2000 that their personal data may have been compromised
- The data include names and SSNs
- A security check of an administrative workstation in the University's Chemistry Department found that a file might have been accessed by a cyber intruder
- Purdue has established a toll-free number for people who believe they may be affected by the breach
- Analysis indicated that the intruder obtained remote access to the computer's hard drive and installed software that would allow files to be downloaded

Slide 11: Network Sniffing

Slide 12
- The goal of network sniffing is to eavesdrop on the network in order to capture the packets transmitted over it
- It is a passive form of information gathering
- As with all the techniques studied so far, network sniffing can be used either for attacking a network or for protecting it

Slide 13
- Wealth of data: unencrypted packets carry a great deal of plaintext information (e.g. passwords, credit card numbers), among other goodies
- Ease of access: when installed on a gateway (Internet or intranet), the sniffer can listen to all packets passing through the gateway

Slide 14: components of a sniffer
- The hardware: adapter, wire tap
- Driver: captures the packets and stores them in a buffer
- Packet filter: filters the packets according to user rules
- Packet analyzer: analyses the packets and generates human-readable reports

Slide 15
- By default, computers listen and respond only to packets addressed to them
- Sniffers put the NIC (Network Interface Card) into promiscuous mode
- In this mode, the computer monitors and captures all network traffic and packets passing by, regardless of their true destination

Slide 16
- A computer connected to a LAN has two addresses:
  - The IP address
  - The MAC (Media Access Control) address, which uniquely identifies each node of the network and is stored on the network card
- It is the MAC address that Ethernet uses to actually deliver a data packet
- Starting with an IP address, the Network layer looks up the MAC address in the ARP (Address Resolution Protocol) cache
- If it is not in the cache, it broadcasts a request packet (ARP request) to all machines on the network
- The machine with that IP address responds with its MAC address
- The MAC address is then added to the cache

Slide 17
- In a shared Ethernet environment all hosts are connected to the same bus
- Packets are sent to all the machines, but only the one with the matching address accepts the packet; the others discard it
- A machine running a sniffer breaks this rule and accepts all packets
- This is a totally passive and difficult to detect form of sniffing
[Figure: hub connecting hosts A, B, C and D; a packet for B reaches every host, the others discard it, and the sniffer keeps it]

Slide 18
- In this case hosts are connected to a switch instead of a hub
- The switch maintains a table mapping each host's MAC address to the physical port of that host
- So the switch sends packets only to the designated computer and does not broadcast them
- So a promiscuous computer cannot sniff the packet traffic
- So, problem solved – or is it?

Slide 19
- Goal: D wants to sniff the traffic from A
- Send an ARP reply (it is OK even if it has not been asked for) telling A that D is the switch
- Result: all traffic from A will go to D first
[Figure: switch with hosts A, B, C and D; D tells A "the switch MAC is D's", and A's data for C is relayed through D]

Slide 20
- Goal: anything sent from C to A will first go to D
- Send an ARP reply to C with A's IP but D's MAC
- C will update its cache with the new IP-MAC relationship, so everything C sends to A will actually go to D
[Figure: switch with hosts A, B, C and D; the ARP reply sent to C carries source IP A and source MAC D]

Slide 21
- Switches keep a translation table that maps MAC addresses to the physical ports on the switch
- The switch has a limited memory for this table
- MAC flooding makes use of this limitation by bombarding the switch with fake MAC addresses until the switch cannot keep up
- The switch then enters a “failopen” mode
- It starts to act like a hub and broadcasts its packets to all the machines on the network

Slide 22: Protecting the Network

Slide 23
- Since gathering information is the first step in any attack on a network, the first line of defense should be to prevent the release of information, or at the very least to detect information scans
- This can be done by looking for information leaks yourself and plugging them before the “bad guys” find them
- There are also some procedures which will detect information scans

Slide 24
- Sniffers are passive, so they are very difficult to detect; however, there are some tricks that can help
- Ping method: send a ping request with the IP address of the suspect machine but not its MAC address
- Ideally nobody should see this packet, as each Ethernet adapter will reject it because it does not match its MAC address
- If the suspect machine is running a sniffer it will respond, because it does not reject packets with a wrong MAC address
- This is an old and no longer very reliable method

Slide 25
- Goal: get a promiscuous machine to cache a correct IP/MAC pair and then respond with that information
- Send a non-broadcast ARP reply, which will only be read by a machine in promiscuous mode
- It will cache the IP/MAC pair in its ARP cache
- Next, send a broadcast ping packet with the correct IP but a different MAC address
- Only a machine which sniffed the prior ARP reply will have the correct cache entry, and only it will respond to the broadcast ping
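The two detection tricks on slides 24 and 25 (the ping method and the ARP method), modelled as an added example that is not code from the slides. The hosts, MAC addresses and the 192.0.2.0/24 test network are constructed, and `Host.receive` is a deliberately simplified model of a NIC's destination-MAC filter and an ARP cache.

```python
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BROADCAST_IP = "192.0.2.255"        # constructed test network 192.0.2.0/24
BOGUS_MAC = "00:00:5e:00:53:ff"     # a MAC that no host on the segment owns

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    kind: str   # "arp_reply", "icmp_echo" or "icmp_reply"

@dataclass
class Host:
    ip: str
    mac: str
    promiscuous: bool = False
    arp_cache: dict = field(default_factory=dict)

    def receive(self, frame):
        # A normal NIC drops frames not addressed to its own MAC or to broadcast;
        # a NIC in promiscuous mode passes every frame up the stack.
        if not (self.promiscuous or frame.dst_mac in (self.mac, BROADCAST_MAC)):
            return None
        if frame.kind == "arp_reply":       # unsolicited ARP replies are cached too
            self.arp_cache[frame.src_ip] = frame.src_mac
            return None
        if frame.kind == "icmp_echo" and frame.dst_ip in (self.ip, BROADCAST_IP):
            # Reply to the cached MAC for the sender's IP, else to the MAC it came from.
            dst = self.arp_cache.get(frame.src_ip, frame.src_mac)
            return Frame(dst, self.mac, self.ip, frame.src_ip, "icmp_reply")
        return None

def ping_method(det_ip, det_mac, suspect):
    """Ping the suspect's IP with a wrong destination MAC; only a sniffer answers."""
    reply = suspect.receive(Frame(BOGUS_MAC, det_mac, det_ip, suspect.ip, "icmp_echo"))
    return reply is not None and reply.dst_mac == det_mac

def arp_method(det_ip, det_mac, hosts):
    """Unicast ARP reply to a bogus MAC, then a broadcast ping from a different MAC."""
    for h in hosts:                     # only promiscuous hosts cache det_ip -> det_mac
        h.receive(Frame(BOGUS_MAC, det_mac, det_ip, BROADCAST_IP, "arp_reply"))
    ping = Frame(BROADCAST_MAC, "00:00:5e:00:53:01", det_ip, BROADCAST_IP, "icmp_echo")
    # Every host answers the broadcast ping, but only a host that cached the ARP
    # reply addresses its answer to the detector's real MAC.
    replies = {h.ip: h.receive(ping) for h in hosts}
    return [ip for ip, r in replies.items() if r is not None and r.dst_mac == det_mac]
```

A host that answers `ping_method`, or whose IP appears in the list from `arp_method`, is behaving like a promiscuous NIC; on a real segment the same checks are only indicative, as slide 24 notes.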

Slide 26
- Often, after a machine has been compromised, hackers will leave sniffers behind to compromise other machines
- If you suspect that your machine has a sniffer running, execute the ifconfig -a command
- It will display information about all the interfaces on the system
- Test on shemp: if a sniffer were running, ifconfig would report the flags RUNNING PROMISC
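An added example (not from the slides) of the ifconfig check above: it scans `ifconfig -a` output, or `ip link` output as a fallback, for interfaces whose flags include PROMISC. The two sample outputs are constructed, not captured from shemp or any other host, and `check_local_host` simply runs whichever of the two commands the local system has.

```python
import re
import subprocess

# Constructed sample output (not captured from any real host) in the two flag styles
# seen in practice: the classic ifconfig flag line and the `ip link` angle-bracket list.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:10
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

# An interface block starts at column 0 with an optional "N:" index, then the name.
IFACE_START = re.compile(r"^(?:\d+:\s*)?([A-Za-z0-9@._-]+):?\s")


def promiscuous_interfaces(text):
    """Return the names of interfaces whose flags include PROMISC."""
    found, current = [], None
    for line in text.splitlines():
        m = IFACE_START.match(line)
        if m:
            current = m.group(1)        # indented continuation lines keep `current`
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def check_local_host():
    """Run ifconfig -a (or ip link as a fallback); None if neither command exists."""
    for cmd in (["ifconfig", "-a"], ["ip", "link"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        return promiscuous_interfaces(out)
    return None


if __name__ == "__main__":
    print("sample ifconfig:", promiscuous_interfaces(SAMPLE_IFCONFIG))
    print("this host:", check_local_host())
```

An empty list from `check_local_host` only says no interface is currently flagged; a sniffer that has already been stopped, or one using a capture driver that hides the flag, will not show up this way.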

Slide 27
- There are some sniffer detectors available, but in general an IDS works well
- The best method to defeat sniffing is:
