Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tactics to Discover “Passive” Monitoring Devices

Published byMarcos Strowbridge Modified over 9 years ago

Similar presentations

Presentation on theme: "Tactics to Discover “Passive” Monitoring Devices"— Presentation transcript:

1 Tactics to Discover “Passive” Monitoring Devices Mudge@atstake.com

2 The Problem at Hand Local ether segments behave like party-line phone systems A B C D E F G H A-B : CDEFGH can listen in A-H : BCDEFG can listen in Etc. etc. Without encryption there are no secrets

3 How Systems Know What to Listen To … Ether headerpayloadEther headerpayload Read a packet from the network Is the dest ether header my MAC address? Make a copy of the packet and hand it to the OS stack yes no Network Interface Card decision flow Systems are courteous largely for performance. Hardware filtering at the NIC hands up only the packets the system is supposed to receive. Promiscuous mode tells the NIC that all packets should be handed to the OS stack. Not just the ones with the matching MAC destination address.

4 Ether and IP Headers Destination AddressSource Addresstype 6 bytes 2 bytes Ether IP verslenTOSTotal length (bytes) identificationflagsfragment offset TTLprotocolchecksum Source IP Address Destination IP Address 44816 313 8816 32 Application Transport Network Link Telnet, SMTP, etc TCP, UDP IP, ICMP Device Driver, Interface card 4 layers of TCP/IP protocol suite

5 The Disconnect Physical Data Network Transport Session Presentation Application

6 DNS Method Definition The Domain Naming System maps IP addresses to names and vice-versa. DNS allows hierarchical grouping of domain DNS is a necessity for human convenience % telnet foo.bar.baz Trying 10.10.12.132 … Connected to foo.bar.baz. Q: Who is foo.bar.baz? A: foo.bar.baz is 10.10.12.132 (follow up by initiating TCP connection to port 23)

7 DNS Method 1 Sniffing the Sniffer Spoofed packets are sent out on the local network The network is sniffed looking for reverse DNS lookups on spoofed packet Any systems asking about the fictitious systems is in promiscuous mode Src 10.0.0.5 -> Dst 10.0.0.6 10.0.0.5 10.0.0.6 192.168.1.10 Sniffer Bogus System 1Bogus System 2 Who is 10.0.0.5?

8 DNS Method 2 Queries to DNS Server The DNS server is under our control Spoofed packets with addresses handled by the DNS server are sent out on the local network Any requests that the DNS server receives for the spoofed machines are from machines in promiscuous mode Src 10.0.0.5 -> Dst 10.0.0.6 10.0.0.5 10.0.0.6 192.168.1.10 Sniffer Bogus System 1Bogus System 2 Net 192.168.1 Net 10 DNS Server Whois 10.0.0.5? router

9 DNS Method Pros and Cons Can work across multiple networks Names of machines are very telling and as such, many malicious sniffers will do the reverse lookups Does not saturate the local network High reliability – minimal false positives Sniffing systems do not have to perform reverse lookups Sniffing systems can do batch reverse lookups later on – this defeats method 1 but not method 2 ProsCons

10 Ether Tricks Definition Ether tricks work by intentionally mis- mapping layer 2 and layer 3 addresses 08:00:20:10:22:e0 192.168.1.10 66:66:66:66:66:66 192.168.1.10 !=

11 Ether Tricks 1 Linux Classic When in promiscuous mode the NIC does not filter the ether address. The kernel must filter the ether address on its own. ICMP – Echo Request Correct ether address Correct IP address ICMP – Echo Reply Normal behavior for non-promiscuous mode

12 Ether Tricks 1 linux (cont) ICMP – Echo Request In-correct ether address Correct IP address No response as NIC did not pass the packet to the stack Normal behavior for non-promiscuous mode

13 Ether Tricks 1 linux (cont) ICMP – Echo Request In-correct ether address Correct IP address Older linux behavior for promiscuous mode ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP

14 Ether Tricks 2 BSD Style Problems ICMP – Echo Request In-correct ether address Broadcast IP address Older BSD behavior for promiscuous mode ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP (took a different path for broadcast)

15 Ether Tricks 3 Microsoft Shortcut Ether Address What the NIC filters on 6 bytes 4 bytes Word What many MS software drivers check when in promisc ff:ff:ff:ff:00:00|IP|ICMP echo request Equivalent to be ff:ff:ff:ff:ff:ff on many promisc NT systems

16 Ether Tricks Pros and Cons High reliability, low false positives Limited to local ether segment Dependent upon particular OS/Kernel “nuances” Pros Cons

17 Machine Latency defined Hardware filtering Discards packets not addressed to correct MAC address Handled by on-card logic Minimal impact on system performance as few interrupts Kernel not called in to process unless really needed Match criteria == MAC, broadcast, multicast Software filtering All packets must be copied and handed over to OS On-card logic bypassed Severe impact on system performance due to maximum interrupts Kernel must process packets Malicious sniffing often happens in user space – context shift from Kernel to User space is expensive

18 Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14

19 Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 1 2 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 2 ms 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 Latency == 3 ms

20 Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 1 2 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 4 ms 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 Latency == 300 ms 3 3 – ICMP Echo Request Ether Src: 66:66:66:66:66:67 Ether Dst: 66:66:66:66:66:66 IP Source: 192.168.1.30 IP Dest: 192.168.1.33

21 Machine Latency Methods for increasing end-node processing Fake entire three way handshake Fake connections to well known sniffed ports Use “legitimate” ether addresses that still have no physical presence Fake huge numbers of sessions Fake huge numbers of SYN recv’d states The trick is to make the sniffing application process as much as possible in user space

22 Machine Latency Pros and Cons Cross platform Often times crashes sniffing programs Confined to local segment High accuracy in watching deltas for a particular machine over time Pros Limited to local ether segment Assumptions must be made about systems response under load Network and regular machine load assumptions must be made Network congestion Cons

23 Spotting the curious Create fictitious connections to a real machine Use a ‘trap’ account Watch and log on the legitimate machine for anyone attempting to log on with the ‘trap’ account

Download ppt "Tactics to Discover “Passive” Monitoring Devices"

Similar presentations

Interconnecting Networks with TCP/IP

Interconnecting Networks with TCP/IP
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
ISO/OSI Model Layers Application: applications that use the network. This is were mail, browsers, ftp, etc reside Presentation: data formats, character.

ISO/OSI Model Layers Application: applications that use the network. This is were mail, browsers, ftp, etc reside Presentation: data formats, character.
IP Protocol - Introduction Dr. Farid Farahmand. Introduction TDM transport networks are not sufficient for data communications Low utilization TDM networks.

IP Protocol - Introduction Dr. Farid Farahmand. Introduction TDM transport networks are not sufficient for data communications Low utilization TDM networks.
COEN 252 Computer Forensics Remote Sniffer Detection.

COEN 252 Computer Forensics Remote Sniffer Detection.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Networks 1 CS502 Spring 2006 Network Input & Output CS-502 Operating Systems Spring 2006.

Networks 1 CS502 Spring 2006 Network Input & Output CS-502 Operating Systems Spring 2006.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.

Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CS 356 Systems Security Spring 2015 Dr. Indrajit Ray

CS 356 Systems Security Spring Dr. Indrajit Ray
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS

Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition

Similar presentations

Ads by Google