1 / 29

Network Sniffing

Network Sniffing. Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain valuable information: Usernames and passwords Encrypted Unencrypted E-mail, web requests (and replies), data files Etc.

ahava
Download Presentation

Network Sniffing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Sniffing • Sometimes it is possible observe/record traffic traveling on a network • Network traffic may contain valuable information: • Usernames and passwords • Encrypted • Unencrypted • E-mail, web requests (and replies), data files • Etc. • A sniffer is a piece of software that captures network traffic

  2. Analogy - Wiretapping • The FBI conducts wiretaps • Go to a judge and get a court order authorizing the wiretap • Who? • What? • When? • Why? • With the help of the phone company, can listen to/record a suspect’s phone conversations to obtain evidence

  3. Analogy – Wiretapping (cont) • Sniffer allows an administrator (or attacker) to record/listen in on conversations between computers • May need authorization to monitor network traffic • Electronic Communications Privacy Act • https://www.cdt.org/issue/wiretap-ecpa • May not need authorization to monitor network traffic • “Trap and Trace”/”Pen register” • Consent • May not care - attackers

  4. Sniffing - Environment • Some networks use shared media so passive sniffing is very easy • Network interface cards can be placed in “promiscuous” mode so that they do not ignore traffic to other hosts • Wireless network traffic can also be captured (but may be encrypted) • Sniffing is more difficult (but not impossible) in switched environments

  5. Protocol Analysis • Captured network packets contain binary data which is difficult to interpret • Most sniffers include a protocol analysis component which organizes and displays the (human-readable) contents of the traffic • Example: Wireshark

  6. Example – An Nmap Port Scan • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Perform a TCP-connect scan • nmap –sT <target host> • View results

  7. Example – A Web Connection • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Open a text-based web browser • Get default web page on the target host • View results

  8. Example – An FTP Connection • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Use the ftp client • ftp <target host> • View results

  9. Example – An SFTP Connection • Target host 10.0.0.204 • Source host 10.0.0.207 • Use the sftp client • sftp guest@<target host> • View results

  10. Man-in-the-Middle • In a switched environment a host only receives: • Traffic destine for itself • Broadcast traffic • Cannot see traffic between other hosts • Man-in-the-middle = insert yourself as an (undetected) intermediary between communicating hosts

  11. I Alice Bob I Alice Bob Man-in-the-middle (cont) • Normal: • Man-in-the-middle:

  12. Man-in-the-middle (cont) • How to achieve man-in-the-middle in a switched environment? • Exploit address resolution protocols

  13. Address Resolution • All network communications must be carried out over physical networks • Each machine has a unique physical address • Programs (and humans) use IP addresses to specify the machine to which a message is sent • The address resolution problem – need to map IP address to physical address

  14. The Address Resolution Problem Hosts A and B are on the same physical network B wants to communicate with A but only knows A’s IP address A B C D E

  15. The Address Resolution Protocol (ARP) Host A wants to resolve the IP address IB Host A broadcasts a special (ARP) packet that asks the host with IP address IB to respond with its physical address All hosts receive the request Host B recognizes its IP address Host B sends a reply containing its physical address

  16. A X B Y A X B Y ARP • Phase 1: • Phase 2:

  17. ARP Caches • Each host maintains a cache of recently-used mappings • Information in the cache expires after a set time has elapsed • When sending an ARP request a host includes its IP-to-physical address binding • All machines on a physical network “snoop” ARP packets for mappings

  18. Demo – ARP Cache • Host 10.0.0.207 has not communicated with 10.0.0.205 • 207’s ARP cache probably doesn’t contain an entry for 205 • Host 207 makes a web request to 205 • ARP for 205’s physical address • Added to 207’s cache • Web request sent and reply received

  19. ARP Cache Poisoning • Broadcast ARP replies associating your physical address with a given IP address • Other hosts receive this message and put the mapping into their ARP cache • When a machine wants to communicate with the given IP address it sends the frame to your physical address • You read the frame and then forward it on to the real destination host

  20. Cain and Abel • A man-in-the-middle LAN attack tool • Sniffer • Protocol analyzer • URL: http://www.oxid.it/cain.html • Can be used to poison hosts ARP caches

  21. Demo – ARP Cache Poisoning • Hosts 10.0.0.204 and 10.00.205 may or may not have communicated • ARP caches may or may not contain entries for each other • Start Cain (on .207) and poison both 204 and 205’s ARP caches: • 207’s HW address associated with .204’s IP • 207’s HW address associated with .205’s IP

  22. ARP Cache Poisoning - Result • 204 and 205 will communicate with each other • May not realize that their communications are flowing through a third-party • All communications will flow through 207 • 207 can read/store traffic • 207 forwards between the two hosts

  23. Example – An FTP Connection • Switched Environment • Source host: .204 • Destination host: .205 • Attacker: .207 • Using: • Cain and Abel

  24. ARP Poisoning • Can: • Read traffic • Modify traffic

  25. Example – DNS Spoofing • Switched Environment • Source host: .203 • Destination host: Google • Attacker: .207 • Using: • Cain and Abel

  26. Example – SSH Downgrade • Switched Environment • Source host: my laptop • Destination host: 10.0.0205 • Attacker: .207 • Using: • Cain and Abel

  27. ARP Poisoning • What attackers look for: • Sensitive, unencrypted communications • Web requests/replies, e-mail, FTP • Weakly-encrypted communications • Old versions of SSH, RDC

  28. ARP Poisoning - Countermeasures • Static ARP tables/smart switch • ARPwatch • IDS

  29. Summary • Network traffic may contain valuable information: • Usernames and passwords • Encrypted • Unencrypted • E-mail, web requests (and replies), data files • Etc. • ARP poisoning can allow an attacker to capture and modify network traffic as a man-in-the-middle: • Cain and Abel

More Related