fc_08_sniffing Flashcards
Packet Sniffing
Packet sniffing is a process of monitoring and capturing all data packets passing through a given network using a software application or hardware device
It allows an attacker to observe and access the entire network traffic from a given point
Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP password, chat sessions, account information, etc.
Though most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy.
How sniffer works
Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment
Types of Sniffing
Passive sniffing
- Passive sniffing refers to sniffing through a hub, wherein the traffic is sent to all ports
- It involves monitoring packets sent by others without sending any additional data packets in the network traffic
- In a network that use hubs to connect systems, all hosts on the network can see the all traffic and therefore, the attacker can easily capture traffic going through the hub
- Hub usage is an outdated approach. Most modern networks now use switches
Active Sniffing
- Active sniffing is used to sniff a switch-based network
- Active sniffing involves injecting Address Resolution Packets (ARP) into the network to flood the switch’s Content Addressable Memory (CAM) table, which keeps track of host-port connection
List active sniffing techniques
- MAC Flooding
- DHCP Attacks
- DNS Poisoning
- ARP Poisoning
- Swtich Port Stealing
- Spoofing Attack
How attackers Hacks the Network Using Sniffers
Protocols Vulnerable to Sniffing
- Telnet and RLogin: Keystrokes including user names and passwords are sent in clear text
- HTTP: Data is sent in clear text
- POP: Passwords and data are sent in clear text
- IMAP: Passwords and data are sent in clear text
- SMTP and NNTP: Passwords and data are sent in clear text
- FTP: Passwords and data are sent in clear text
In which lay of OSL layers do sniffers operate
data link layer
All layers above data link layer can potentially be compromised by sniffing
Hardware Protocol analyzers
Hardware Protocol Analyzers
- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network
- It captures a data packet, decodes it, and analyzes its content based on certain predetermined rules
- It allows the attacker to see individual data bytes of each packet passing through the cable
Name Hardware Analyzers
N2X N5540A Agilent Protocol Analyzer
Keysight E2960B
Others
RADCOM PrismLite Protocol Analyzer (https://cybarcode.com)
STINGA Protocol Analyzer (http://utelsystems.com)
NETSCOUT’s OneTouch AT Network Assistant (http://enterprise.netscout.com)
NETSCOUT’s OptiView XG Network Analysis Tablet (http://enterprise.netscout.com)
Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)
Agilent (Keysight) Technologies E8364B (https://www.microlease.com)
U4421A Protocol Analyzer (http://www.keysight.com)
U4431A MIPI M-PHY Protocol Analyzer (http://www.keysight.com)
SPAN Ports
WireTapping
Active -> MITM
- Wiretapping is the process of monitoring telephone and Internet conversations by a third party
- Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet
- It allows an attacker to monitor, intercept, access, and record information contained in a data flow in a communication system
- Typically, the attacker uses a small amount of electrical signal generated by the telephone wires to tap the conversation.
Types
- Active Wiretapping: In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.
- Passive Wiretapping: Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.
Methods
- The official tapping of telephone lines
- The unofficial tapping of telephone lines
- Recording the conversation
- Direct line wiretap
- Radio wiretap
Lawful Interception
Lawful interception refers to legally intercepting data communication between two end points for surveillance on the traditional telecommunications, Voice over Internet Protocol (VoIP), data, and multiservice networks
List Sniffing Techniques
MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning,
MAC Attacks
s
MAC Attacks => How CAM works?
Refer to the diagram below for the working of CAM table. It shows three machines: Machine A, Machine B and Machine C, each holding MAC address A, B and C. The machine A holding the MAC address A wants to interact with Machine B.
Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine’s (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply.
MAC Attacks => What Happens When CAM Table Is Full?
Once the CAM table fills up on a switch, additional ARP request traffic flood every port on the switch
This will change the behavior of the switch to reset to its learning mode, broadcasting on every port similar to a hub
This attack will also fill the CAM tables of adjacent switches
Fail open
MAC Attacks => MAC Flooding
MAC flooding involves flooding of CAM table with fake MAC address and IP pairs until it is full
The switch then acts as a hub by broadcasting packets to all machines on the network and therefore, the attackers can sniff the traffic easily
Mac Flooding Switches with macof
- macof is a Unix/Linux tool that is a part of dsniff collection
- macof sends random source MAC and IP addresses
- This tool floods the switch’s CAM tables (131,000 per min) by sending bogus MAC entries
MAC Attacks => Switch Port Stealing
a
MAC Attacks => How to Defend against MAC Attacks
To protect a port, this feature identifies and limits the MAC addresses of the machines that can access the port. If you assign a secure MAC address to a secure port, then the port will forward only the packets with source addresses that are inside the group of defined addresses.
A security violation occurs:
- When a port is configured as a secure port, and the maximum number of secure MAC addresses is reached
- When the MAC address of the machine that is attempting to access the port does not match any of the identified secure MAC addresses
Once the maximum number of secure MAC addresses on the port is set, the secure MAC addresses are included in an address table in any of the following three ways:
- You can configure all secure MAC addresses by using the switch port, port-securing mac-address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices.
- You can configure a number of addresses and allow the rest to be dynamically configured.
DHCP Attacks => How DHCP Works
a
DHCP Attacks => DHCP Request/Reply Messages
a
DHCP Attacks => DHCP Starvation Attack
a
DHCP Attacks => Rogue DHCP Server Attack
MITM
DHCP Attacks => How to Defend Against DHCP Starvation and Rogue Server Attack
- switchport port-security maximum 1 The switch port port-security maximum command configures the maximum number of secure MAC addresses for the port. The switch port port-security maximum 1 command configures the maximum number of secure MAC addresses for the port as 1.
- switchport port-security violation restrict The switch port port-security violation command sets the violation mode and the necessary action in case of detection of a security violation. The switch port port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed.
- switchport port-security aging time 2 The switch port port-security aging time command configures the secure MAC address aging time on the port. The switch port port-security aging time 2 command sets the aging time as 2 minutes.
- switchport port-security aging type inactivity The switch port port-security aging type command configures the secure MAC address aging type on the port. The switch port port-security aging type inactivity command sets the aging type as inactivity aging.
- switchport port-security mac-address sticky Enables sticky learning on the interface by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.
For Rogue attacks protection
- ip dhcp snooping vlan 4,104 Enable or disable DHCP snooping on one or more VLANs.
- no ip dhcp snooping information option To disable the insertion and the removal of the option-82 field, use the no IP dhcp snooping information option in global configuration command. To configure an aggregation, switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no IP dhcp snooping information option allow-untrusted global configuration command.
- ip dhcp snooping Enable DHCP snooping option globally.
ARP Poisoning => What Is Address Resolution Protocol (ARP)?
- Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses
- All network devices (that needs to communicate on the network) broadcasts ARP queries in the network to find out other machines’ MAC addresses
- When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, the ARP_REQUEST is broadcasted over the network
- All machines on the network will compare this IP address to their MAC address
- If one of the machine in the network identifies with this address, it will respond to ARP_REQUEST with its IP and MAC address. The requesting machine will store the address pair in the ARP table and begin with the communication
ARP Poisoning => ARP Spoofing Attack
ARP spoofing is an intermediary to perform attacks such as DoS, MITM, and Session Hijacking.
https://www.youtube.com/watch?v=A7nih6SANYs&t=12s
Gateway
ARP Poisoning => How to Defend Against ARP Poisoning
Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.
If the host systems in a network hold static IP addresses, the DHCP snooping will not be possible, or other switches in the network cannot run dynamic ARP inspection. In such situations, you have to perform static mapping that associates an IP address to a MAC address on a VLAN to prevent an ARP poisoning attack.
Spoofing Attacks => IRDP Spoofing
Attackers can use IRDP spoofing to launch MITM, DoS, and passive sniffing attacks.
Passive Sniffing: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker’s machine.
MITM: Once sniffing starts, the attacker acts as a proxy between the victim and destination. The attacker plays an MITM role and tries to modify the traffic. DoS: IDRP spoofing allows remote attackers to add wrong route entries into victims routing table. The wrong address entry causes DoS.
DoS: IDRP spoofing allows remote attackers to add wrong route entries into victims routing table. The wrong address entry causes DoS.
DNS Poisoning=> DNS Poisoning Techniques
DNS Poisoning => Intranet DNS Spoofing
a
DNS Poisoning => Internet DNS Spoofing
DNS Poisoning => Proxy Server DNS Poisoning
DNS Poisoning => DNS Cache Poisoning
DNS Poisoning => How to Defend Against DNS Spoofing
Sniffing Tools => Follow TCP Stream in Wireshark
Additional Filters
- tcp.flags.reset==1 Displays all TCP resets
- udp contains 33:27:58 Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset
- http.request Displays all HTTP GET requests
- tcp.analysis. retransmission Displays all retransmissions in the trace
- tcp contains traffic Displays all TCP packets that contains the word ‘traffic’
- !(arp or icmp or dns) Masks out arp, icmp, dns, or other protocols and allows you to view traffic of your interest
- tcp.port == 4000 Sets a filter for any TCP packet with 4000 as a source or destination port
- tcp.port eq 25 or icmp Displays only SMTP (port 25) and ICMP traffic
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 Displays only traffic in the LAN (192.168.x.x), between workstations and servers –no Internet
- ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs
Sniffing Detection Techniques
How to Detect Sniffing
a
Sniffer Detection Techniques: Ping Method and DNS Method
Reverse DNS lookup
Sniffer Detection Technique: ARP Method
a
Sniffing Pen Testing: Sniffing Penetration Testing1
Sniffing Pen Testing: Sniffing Penetration Testing2
Sniffing Pen Testing: Sniffing Penetration Testing3
