Presentation is loading. Please wait.

Presentation is loading. Please wait.

JMU GenCyber Boot Camp Summer, 2015. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.

Published byAntonia Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "JMU GenCyber Boot Camp Summer, 2015. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain."— Presentation transcript:

1 JMU GenCyber Boot Camp Summer, 2015

2 Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain valuable information: –Usernames and passwords Encrypted Unencrypted –E-mail, web requests (and replies), data files –Etc. A sniffer is a piece of software that captures network traffic

3 Analogy - Wiretapping The FBI conducts wiretaps –Go to a judge and get a court order authorizing the wiretap Who? What? When? Why? –With the help of the phone company, can listen to/record a suspect’s phone conversations to obtain evidence

4 Analogy – Wiretapping (cont) Sniffer allows an administrator (or attacker) to record/listen in on conversations between computers –May need authorization to monitor network traffic –Electronic Communications Privacy Act –https://www.cdt.org/issue/wiretap-ecpa –May not need authorization to monitor network traffic –“Trap and Trace”/”Pen register” –Consent –May not care - attackers

5 Sniffing - Environment Some networks use shared media so passive sniffing is very easy –Network interface cards can be placed in “promiscuous” mode so that they do not ignore traffic to other hosts Wireless network traffic can also be captured (but may be encrypted) Sniffing is more difficult (but not impossible) in switched environments

6 Protocol Analysis Captured network packets contain binary data which is difficult to interpret Most sniffers include a protocol analysis component which organizes and displays the (human-readable) contents of the traffic –Example: Wireshark

7 Example – An Nmap Port Scan Target host: 192.168.78.141 –Start Wireshark Source host: 192.168.78.142 –Perform a TCP-connect scan nmap –sT View results

8 Example – A Web Connection Target host: 192.168.78.141 –Start Wireshark Source host: 192.168.78.142 –Open a text-based web browser Get default web page on the target host View results

9 Example – An FTP Connection Target host: 192.168.78.141 –Start Wireshark Source host: 192.168.78.142 –Use the ftp client ftp View results

10 Example – An SFTP Connection Target host 192.168.78.142 Source host 192.168.78.141 –Use the sftp client sftp guest@ View results

11 Man-in-the-Middle In a switched environment a host only receives: –Traffic destine for itself –Broadcast traffic Cannot see traffic between other hosts Man-in-the-middle = insert yourself as an (undetected) intermediary between communicating hosts

12 Man-in-the-middle (cont) Normal: Man-in-the-middle: AliceBobIAliceBobI

13 Man-in-the-middle (cont) How to achieve man-in-the-middle in a switched environment? Exploit address resolution protocols

14 Address Resolution All network communications must be carried out over physical networks –Each machine has a unique physical address Programs (and humans) use IP addresses to specify the machine to which a message is sent The address resolution problem – need to map IP address to physical address

15 The Address Resolution Problem Hosts A and B are on the same physical network B wants to communicate with A but only knows A’s IP address EDCBA

16 The Address Resolution Protocol (ARP) Host A wants to resolve the IP address I B Host A broadcasts a special (ARP) packet that asks the host with IP address I B to respond with its physical address All hosts receive the request Host B recognizes its IP address Host B sends a reply containing its physical address

17 ARP Phase 1: Phase 2: AXB Y AXB Y

18 ARP Caches Each host maintains a cache of recently- used mappings –Information in the cache expires after a set time has elapsed When sending an ARP request a host includes its IP-to-physical address binding All machines on a physical network “snoop” ARP packets for mappings

19 Demo – ARP Cache Host.141 has not communicated with.143 –.141’s ARP cache probably doesn’t contain an entry for.143 Host.141 makes a web request to.143 –ARP for.143’s physical address Added to.141’s cache –Web request sent and reply received

20 ARP Cache Poisoning Broadcast ARP replies associating your physical address with a given IP address –Other hosts receive this message and put the mapping into their ARP cache –When a machine wants to communicate with the given IP address it sends the frame to your physical address –You read the frame and then forward it on to the real destination host

21 Cain and Abel A man-in-the-middle LAN attack tool –Sniffer –Protocol analyzer URL: http://www.oxid.it/cain.html Can be used to poison hosts ARP caches

22 Demo – ARP Cache Poisoning Hosts.142 and.143 may or may not have communicated –ARP caches may or may not contain entries for each other Start Cain (on.141) and poison both.142 and.143’s ARP caches: –.142’s HW address associated with.141’s IP –.143’s HW address associated with.141’s IP

23 ARP Cache Poisoning - Result.142 and.143 will communicate with each other –May not realize that their communications are flowing through a third-party All communications will flow through.141 –.141 can read/store traffic –.141 forwards between the two hosts

24 Example – An FTP Connection Switched Environment –Source host:.143 –Destination host:.142 –Attacker:.141 Using: –Cain and Abel

25 ARP Poisoning Can: Read traffic Modify traffic

26 Example – DNS Spoofing Switched Environment –Source host:.143 –Destination host: Google –Attacker:.141 Using: –Cain and Abel

27 Example – SSH Downgrade Switched Environment –Source host: my laptop –Destination host:.147 –Attacker:.141 Using: –Cain and Abel

28 ARP Poisoning What attackers look for: –Sensitive, unencrypted communications Web requests/replies, e-mail, FTP –Weakly-encrypted communications Old versions of SSH, RDC

29 ARP Poisoning - Countermeasures Static ARP tables/smart switch ARPwatch IDS

30 Summary Network traffic may contain valuable information: –Usernames and passwords Encrypted Unencrypted –E-mail, web requests (and replies), data files –Etc. ARP poisoning can allow an attacker to capture and modify network traffic as a man-in-the-middle: –Cain and Abel

Download ppt "JMU GenCyber Boot Camp Summer, 2015. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
ARP Spoofing.

ARP Spoofing.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.

1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CSCI 4550/8556 Computer Networks Comer, Chapter 19: Binding Protocol Addresses (ARP)

CSCI 4550/8556 Computer Networks Comer, Chapter 19: Binding Protocol Addresses (ARP)
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)

1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)
Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.

Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.
Man in the Middle attacks and ARP poisoning explained

Man in the Middle attacks and ARP poisoning explained
1 Chapter Overview Understanding Windows Name Resolution Using WINS.

1 Chapter Overview Understanding Windows Name Resolution Using WINS.

Similar presentations

Ads by Google