Networks Fall 2009.


1 Networks Fall 2009

2 Review – Last Lecture: Computer Crimes; Operating System Identification; Firewalking

3 Review - Stack Fingerprinting
Once the hosts and ports have been mapped by scanning the target network, the final footprinting step is to determine the operating system. This step is sometimes called stack fingerprinting. The two primary methods used to fingerprint are banner grabbing and active stack fingerprinting. The general process is to send a query or packet to the target system and analyse its response, because different operating systems respond differently.

4 Review - Firewalking Concept
Firewalking is a technique used to gather information about a remote network protected by a firewall. The technique is used for two purposes: determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall), and mapping a network behind a firewall. When a firewall's policy is to drop ICMP ECHO Request/Reply, this technique is very effective.

5 Outline: Computer Crimes; Network Sniffing; Protecting the Network

6 Computer Crimes

7 Crimes 1 Thousands of people have reportedly fallen prey to a phishing attack that uses ecards as bait. The cards appear to come from a secret admirer. When the recipient clicks on the provided link, the computer is directed to a malicious site that attempts to download a keystroke logger; the card is then displayed. The attack exploits a flaw in Microsoft Windows that was patched in May

8 Crimes 2 China's second largest domain name service (DNS) provider, Xinet, was hit with an eight-hour denial of service attack that disabled 180,000 web sites. Many of the web sites are back on line and Xinet hopes to have the rest (primarily smaller sites) back on line by October 7.

9 Crimes 3 Purdue University is notifying approximately 2,500 individuals who were students at the school in 2000 that their personal data may have been compromised. The data include names and SSNs. A security check of an administrative workstation in the University's Chemistry Department found that a file might have been accessed by a cyber intruder. Purdue has established a toll-free number for people who believe they may be affected by the breach. Analysis indicated that the intruder obtained remote access to the computer's hard drive and installed software that would allow files to be downloaded.

10 Network Sniffing

11 Network Sniffing The goal of network sniffing is to eavesdrop on the network in order to capture the packets transmitted over it. It is a passive form of information gathering. As with all the techniques studied so far, network sniffing can be used either for attacking a network or for protecting one.

12 Why Sniff?
Wealth of data: unencrypted packets carry a great deal of plaintext information (e.g. passwords, credit card numbers), among other goodies. Ease of access: when installed on a gateway (Internet or intranet), the sniffer can listen to all packets that pass through the gateway.

13 Components of a Sniffer
The hardware: adapter, wire tap. Driver: captures the packets and stores them in a buffer. Packet filter: filters the packets according to user rules. Packet analyzer: analyses the packets and generates human-readable reports.

14 Process By default, computers listen and respond only to packets addressed to them. Sniffers put the NIC (Network Interface Card) into promiscuous mode. In this mode, the computer monitors and captures all network traffic and packets passing by, regardless of their true destination.

15 How Sniffing Works – MAC Address
A computer connected to a LAN has two addresses: the IP address, and the MAC (Media Access Control) address, which uniquely identifies each node of the network and is stored on the network card. It is the MAC address that Ethernet uses to actually deliver a data packet. Starting with an IP address, the network layer looks up the MAC address in the ARP (Address Resolution Protocol) cache. If it is not in the cache, it broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds with its MAC address, which is then added to the cache.

16 How Sniffing Works – Shared Ethernet
In a shared Ethernet environment all hosts are connected to the same bus. Packets are sent to all the machines, but only the one with the matching address accepts the packet; the others discard it. A machine running a sniffer breaks this rule and accepts all packets. This is a totally passive and difficult-to-detect form of sniffing. [Diagram: a hub connecting hosts A, B, C, D and a sniffer; packets addressed to B reach every port, and the sniffer keeps them.]

17 How Sniffing Works – Switched Ethernet
In this case hosts are connected to a switch instead of a hub. The switch maintains a table mapping each host's MAC address to the physical port of that host, so the switch sends packets only to the designated computer and does not broadcast them. So a promiscuous computer cannot sniff the packet traffic. Problem solved – or is it?

18 ARP Spoofing Goal: D wants to sniff the traffic from A
Send an ARP reply (it is OK even if it has not been asked for) telling A that D is the switch. The result is that all traffic from A will go to D first. [Diagram: a switch connecting hosts A, B, C, D; after the forged reply, A's packets labelled "C Data" go to D before reaching the switch.]

19 ARP Cache Poisoning Goal: anything sent from C to A will first go to D. Send an ARP reply to C with A's IP but D's MAC. C will update its cache with the new IP-MAC relationship, so everything C sends to A will actually go to D. [Diagram: a switch connecting hosts A, B, C, D; the forged reply to C carries Source IP: A, Source MAC: D.]

20 MAC Flooding Switches keep a translation table that maps MAC addresses to the physical ports on the switch. The switch has limited memory for this table. MAC flooding exploits this limitation by bombarding the switch with fake MAC addresses until the switch cannot keep up. The switch then enters a "failopen" mode: it starts to act like a hub and broadcasts its packets to all the machines on the network.
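The three slides above describe what the attacker sends; the defender's view is what those frames look like on the wire. The following Python script is an added example (not from the lecture slides) of a small layer-2 monitor that flags the symptoms of all three techniques: ARP replies that answer no outstanding request, an IP whose claimed MAC changes, and a switch port that suddenly shows many distinct source MACs. The hosts, addresses, the per-port threshold and the replayed frames are all constructed for the demo.

```python
"""Added example (not from the lecture slides): a small layer-2 monitor that
watches ARP traffic and frame sources for the symptoms of ARP spoofing,
ARP cache poisoning and MAC flooding.  Every record it processes here is
constructed for the demo; nothing is read from a network interface."""
from collections import defaultdict
from dataclasses import dataclass

# A normal access port carries a handful of hosts; a port that suddenly
# shows many distinct source MACs is being flooded.  The threshold is an
# assumption for the demo (real port-security limits are set per port).
MAX_MACS_PER_PORT = 5


@dataclass
class ArpEvent:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    port: int        # switch port the frame arrived on


class L2Monitor:
    def __init__(self, max_macs_per_port=MAX_MACS_PER_PORT):
        self.ip_to_mac = {}                 # IP -> MAC learned from solicited replies
        self.pending = set()                # IPs with an outstanding ARP request
        self.port_macs = defaultdict(set)   # port -> source MACs seen on it
        self.flooded_ports = set()          # ports already reported
        self.max_macs = max_macs_per_port
        self.alerts = []

    def observe_frame(self, src_mac, port):
        """Any frame: learn the source MAC per port and check for flooding."""
        self.port_macs[port].add(src_mac)
        seen = len(self.port_macs[port])
        if seen > self.max_macs and port not in self.flooded_ports:
            self.flooded_ports.add(port)
            self.alerts.append(f"MAC flooding: port {port} has shown {seen} source MACs")

    def observe_arp(self, ev):
        """ARP frame: flag unsolicited replies and changed IP/MAC bindings."""
        self.observe_frame(ev.sender_mac, ev.port)
        if ev.op == "request":
            self.pending.add(ev.target_ip)
            return
        if ev.op != "reply":
            return
        # A reply that answers no outstanding request is the poisoning
        # primitive from the slides ("OK even if it has not been asked for").
        solicited = ev.sender_ip in self.pending
        if solicited:
            self.pending.discard(ev.sender_ip)
        else:
            self.alerts.append(
                f"unsolicited ARP reply: {ev.sender_ip} is at {ev.sender_mac} (port {ev.port})")
        known = self.ip_to_mac.get(ev.sender_ip)
        if known is not None and known != ev.sender_mac:
            self.alerts.append(
                f"binding change: {ev.sender_ip} was {known}, now claimed by "
                f"{ev.sender_mac} (port {ev.port})")
        elif known is None and solicited:
            self.ip_to_mac[ev.sender_ip] = ev.sender_mac   # learn only from real answers


def run_demo():
    """Replay the slide scenario with constructed addresses: C resolves A
    normally, D poisons C's cache, then D floods the switch.  Returns alerts."""
    mon = L2Monitor()
    a_ip, a_mac = "10.0.0.1", "00:00:00:00:00:aa"
    c_ip, c_mac = "10.0.0.3", "00:00:00:00:00:cc"
    d_mac = "00:00:00:00:00:dd"
    # 1. Legitimate exchange: C (port 3) asks who has A's IP, A (port 1) answers.
    mon.observe_arp(ArpEvent("request", c_ip, c_mac, a_ip, port=3))
    mon.observe_arp(ArpEvent("reply", a_ip, a_mac, c_ip, port=1))
    # 2. Poisoning: D (port 4) claims A's IP although nobody asked.
    mon.observe_arp(ArpEvent("reply", a_ip, d_mac, c_ip, port=4))
    # 3. Flooding: a burst of distinct fake source MACs from port 4.
    for i in range(20):
        mon.observe_frame(f"02:00:00:00:00:{i:02x}", port=4)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two caveats for real deployments: hosts legitimately send gratuitous (unsolicited) ARP when an interface comes up or a DHCP lease is taken, so the unsolicited-reply rule needs an allow-list or a rate threshold rather than a hard alert; and the flooding check is exactly what switch port security does in hardware (limit learned MACs per port and shut the port on violation), which is the preferable control where the switch supports it.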

21 Protecting the Network

22 The First Step Since gathering information is the first step in any attack on a network, the first line of defense should be to prevent the release of information, or at the very least to detect information scans. This can be done by looking for information leaks yourself and plugging them before the "bad guys" find them. There are also some procedures that will detect information scans.

23 Detecting Sniffers Sniffers are passive, so they are very difficult to detect; however, there are some tricks that can help. Ping method: send a ping request with the IP address of the suspect machine but a MAC address that is not its own. Ideally nobody should see this packet, as each Ethernet adapter will reject it because it does not match its MAC address. If the suspect machine is running a sniffer it will respond, because it does not reject packets with a wrong MAC address. This is an old and no longer very reliable method.

24 ARP Method Goal: get a promiscuous machine to cache a correct IP/MAC pair and then respond with that information. Send a non-broadcast ARP, which will only be read by a machine in promiscuous mode; it will cache the IP/MAC pair in its ARP cache. Next, send a broadcast ping packet with the correct IP but a different MAC address. Only a machine which sniffed the prior ARP will have the correct cache entry, and only it will respond to the broadcast ping.

25 Local Host Detection
Often, after a machine has been compromised, hackers will leave sniffers behind to compromise other machines. If you suspect that your machine has a sniffer running, execute the ifconfig -a command. It will display information about all the interfaces on the system. Test on shemp: if a sniffer were running, it would report the flags RUNNING PROMISC.
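The ifconfig check above is easy to script so that it can run on a schedule or across many hosts. This added example (not part of the lecture, and not shemp's real output) looks for the PROMISC flag in the output of `ifconfig -a` and of `ip -o link`; both sample outputs are constructed, the interface names and addresses in them are assumptions, and the live check at the end assumes a Linux host with one of the two tools available.

```python
"""Added example (not from the lecture): scan interface flags for PROMISC in
the output of `ifconfig -a` and of `ip -o link`.  Both sample outputs below
are constructed (they are not shemp's real output); the live check at the
end assumes a Linux host with one of the two tools on PATH."""
import re
import subprocess

# Constructed `ifconfig -a` output in the classic net-tools layout, where the
# flag words sit on an indented line below the interface name.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1234 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed `ip -o link` output: one interface per line, flags in <...>.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""


def promisc_from_ifconfig(text):
    """Names of interfaces whose ifconfig block contains the PROMISC flag.

    Handles both the classic layout (flags on an indented line) and the newer
    net-tools layout (`eth0: flags=4419<UP,...,PROMISC,...>` on the header)."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_from_ip_link(text):
    """Names of interfaces whose `ip -o link` flag list contains PROMISC."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def check_live_host():
    """Run the real tools on this host (Linux assumed).  Returns the list of
    promiscuous interfaces, or None if neither tool could be run."""
    for argv, parser in ((["ip", "-o", "link"], promisc_from_ip_link),
                         (["ifconfig", "-a"], promisc_from_ifconfig)):
        try:
            out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue
        return parser(out)
    return None


if __name__ == "__main__":
    print("sample ifconfig:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("sample ip link: ", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this host:      ", check_live_host())
```

Treat a clean result with some suspicion: on a compromised host the ifconfig or ip binary itself may have been replaced to hide the flag, so the local check is only trustworthy when run from known-good binaries (or a boot medium), and it is worth confirming from another machine with the ping or ARP probes described on the earlier slides. On current Linux, `ip -d link` also prints a promiscuity counter that reflects the kernel's own count of promiscuous listeners on the interface.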

26 Other Methods
There are some sniffer detectors available, but in general an IDS works well. The best method to defeat sniffing is encryption.

