Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Sniffers Lecture 10 - NETW4006 NETW4006-Lecture09.

Published byGyles Henderson Modified over 5 years ago

Similar presentations

Presentation on theme: "Packet Sniffers Lecture 10 - NETW4006 NETW4006-Lecture09."— Presentation transcript:

1 Packet Sniffers Lecture 10 - NETW4006 NETW4006-Lecture09

2 Content Definition Sniffer Capabilities How does it work?
When does it work? Preventing Sniffing Detection of Sniffing References NETW4006-Lecture09

3 Definition Packet sniffing: act of capturing data packets flowing across network. The sniffer is a program/device that monitor data travelling over a network. legitimate uses to monitor network performance or troubleshoot problems: network audit, demonstrate insecurity of plaintext network protocols Also used by hackers and crackers to gather information illegally about networks they intend to break into: passwords, IP addresses, credit card numbers, protocols being used on the network and other information (binary data into something intelligible) that will help the attacker infiltrate the network. NETW4006-Lecture09

4 Sniffer Capabilities Watch all network traffic over any Network Interface Card (NIC) connected to the host machine: TCP, IP, UDP, ICMP, ARP, RARP. Also port specific traffic: http, ftp, telnet,… Forging ARP replies: intercept packets from target host(s) on the LAN intended for another host on the LAN: effective way of sniffing traffic on a switch Passive sniffing: determine the local gateway of an unknown network – Data link layer (Hub) Active Sniffing-Flood local network with random MAC addresses: switches will fail open in repeating mode, facilitating sniffing). This is no longer passive sniffing (Switch) Password sniffing: minimally parsing each application protocol, and saving the "interesting" pieces Sniffing HTTP traffic: output all requested URLs and do offline log analysis Capture URLs from a client to local web browser for display URL, updated in real-time: when the target surfs, the local browser surfs Hub transmits line data to each port on the machine and has no line mapping. Switch looks at the MAC address associates with each frame passing through it and sends the data to the required port. RARP – Reverse Address Resolution Protocol NETW4006-Lecture09

5 NETW4006-Lecture09

6 How Does a Sniffer Work ? Packet sniffer must be on the same network as the originating or intended destination machine Remote sniffing: install some Trojan or backdoor program on one of the computers on either the sending or receiving networks they may be able to do the packet sniffing remotely Trojan: malicious program disguised as a normal application (perform a desirable function for the user prior to run or install but steals information or harms the system) Backdoor: secret or undocumented means of getting into a computer system(is a method of bypassing normal authentication) NETW4006-Lecture09

7 How Sniffer Works ? (1) Most common way of networking computers – Ethernet Computer connected to LAN has two addresses – MAC Address(uniqly identifies each node in a network & stored on Network card ), MAC is used by Ethernet protocol while building frames to transfer data to an from a system IP Address – used by applications. Data Link Layer uses an Ethernet header with the MAC address of the destination machine rather than IP address. The Network Layer is responsible for mapping IP network address to the MAC address as required by Data Link protocol. It initially looks for the MAC addresses of the destination machine in a table- called as ARP cache NETW4006-Lecture09

8 If no entry if found for the IP address, an ARP broadcast of a request packet goes out to all machines on the local sub-network. The machine with that particular address responds to the source machine with its MAC address. This MAC address then gets added to the source machine ARP cache. The source machine, in all its communication with the destination machine uses this MAC. NETW4006-Lecture09

9 Preventing Sniffing Prevention: which network services send data in the plain text ? default /old POP, SMTP, FTP, Telnet, News clients, ICQ, MSN and AOL Instant messengers send passwords in clear text When logging into services check if encrypted login is supported. Even if you login securely any you send is still in clear text, anyone on the path that the travels through can technically read it Use Encryption to encrypt the message so that no one on the path to the destination can read: Pretty Goof Privacy ( When shopping on-line make sure the store has a "secure" connection for submitting credit card details: standard SSL 128bit encryption ( and TLS RFC 2246 and previous lecture and lab) Telnet sends password and normal data in plain text: SSH encrypts connection (RFC 4251 to RFC 4254 and previous lecture and lab) If possible use a Switch rather than a HUB on a LAN: efficient protection in practice (more work required to successfully sniff) NETW4006-Lecture09

10 Indication/Detection of Sniffing
Difficult to detect that a packet sniffer is sniffing a connection: passive act (the data is "logged" but unaltered). Would require physically checking all your Ethernet connections by walking around, and observing the output of ifconfig -a !!! A major clue: many DNS lookup are taking place could mean the sniffer is attempting to convert IP addresses to host names A stronger method of detecting packet sniffing: send an ARP request to the device in question to determine if promiscuous mode: in most cases assumption that it is the network card of the computer running the sniffer Defence against sniffing is not really prevention but rather providing security solutions so that even if large amounts of data is sniffed, not much use can be made out of it.  This is the major reason behind one-time passwords and encryption NETW4006-Lecture09

11 Indication/Detection of Sniffing
The DNS Test Detection tool itself is in promiscuous mode. Create numerous fake TCP connections on same network segment, expecting a poorly written sniffer picks up on those connections and resolve the IP addresses of the  nonexistent hosts.   Packet sniffers can perform reverse DNS lookups for the captured packets. When reverse DNS lookup occurs, a detection tool sniffs (promiscuous mode) the lookup request to see if the target is the one requesting resolution of that nonexistent host The Ping Test Construct an ICMP echo request with: of the suspected sniffing machine + mismatched Most systems should disregard this packet because bad Some Linux, NetBSD and NT systems, when the NIC is in promiscuous, the sniffer collects as a legitimate packet  and respond. Clever attackers make that sniffer does not answer such packets NETW4006-Lecture09

12 Indication/Detection of Sniffing
The ICMP Ping Latency Test  Ping the target and note the Round Trip Time (RTT) + create hundreds of fake TCP connections on our network segment at a lightning rate.  Then observe if the target machine's network latency increases The ARP Test  Send an ARP request to target with a bogus destination A machine in promiscuous mode would reply NETW4006-Lecture09

13 Open Source Sniffers tcpdump: “grand-father” of packet sniffers: by default on Linux. We are going to use it during the Lab. (See the manual) Ethereal (now Wireshark excellent GUI based sniffer. Good protocol details. hunt: sniffer including some attack tools. Ettercap: sniffer for switched LANs: ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters to server (emulating commands) or to client (emulating replies) while maintaining an established TCP connection. dsniff: records observed usernames and passwords from various known protocols tcpflow: records TCP stream payloads NETW4006-Lecture09

Download ppt "Packet Sniffers Lecture 10 - NETW4006 NETW4006-Lecture09."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.

Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.
Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
Man in the Middle Attack

Man in the Middle Attack
ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.

ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.
Tactics to Discover “Passive” Monitoring Devices

Tactics to Discover “Passive” Monitoring Devices
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
COEN 252 Computer Forensics Remote Sniffer Detection.

COEN 252 Computer Forensics Remote Sniffer Detection.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.

1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Man in the Middle attacks and ARP poisoning explained

Man in the Middle attacks and ARP poisoning explained
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS

Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS
JMU GenCyber Boot Camp Summer, 2015. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.

JMU GenCyber Boot Camp Summer, Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.

Similar presentations

Ads by Google