Date posted: 01-Jun-2018 | Category: Documents | Uploaded by: fouad-boutat
8/9/2019 CEH v5 Module 07 Sniffers.pdf
http://slidepdf.com/reader/full/ceh-v5-module-07-snifferspdf 1/106
Module VII: Sniffers
Ethical Hacking Version 5
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following topics:
• Sniffing
• Protocols vulnerable to sniffing
• Types of sniffing
• ARP and ARP spoofing attack
• Tools for ARP spoofing
• MAC flooding
• Tools for MAC flooding
• Sniffing tools
• Types of DNS poisoning
• Raw sniffing tools
• Detecting sniffing
• Countermeasures
Module Flow
• Sniffing Definition
• Types of Sniffing
• Protocols Vulnerable to Sniffing
• ARP and ARP Spoofing Attack
• Tools for ARP Spoofing
• MAC Flooding
• Tools for MAC Flooding
• Sniffer Hacking Tools
• Types of DNS Poisoning
• Raw Sniffing Tools
• Detection of Sniffing
• Countermeasures
Definition: Sniffing
A sniffer is a program or device that captures the traffic on a network segment and extracts the information of interest from it
Sniffing is a data interception technology
The objective of sniffing is to steal:
• Passwords (from email, the web, SMB, ftp, SQL, or telnet)
• Email text
• Files in transfer (email attachments, ftp files, or SMB)
Protocols Vulnerable to Sniffing
Protocols that are susceptible to sniffers include:
• Telnet and Rlogin: Keystrokes including user names and passwords
• HTTP: Data sent in clear text
• SMTP: Passwords and data sent in clear text
• NNTP: Passwords and data sent in clear text
• POP: Passwords and data sent in clear text
• FTP: Passwords and data sent in clear text
• IMAP: Passwords and data sent in clear text
Tool: Network View – Scans the Network for Devices
The Dude Sniffer
Developed by MikroTik, the Dude network monitor is an application that can improve the way you manage your network environment
Functions:
• Automatically scans all devices within specified subnets
• Draws and lays out a map of your networks
• Monitors services of your devices
• Alerts you in case some service has problems
It is written in two parts:
• Dude Server, which runs in the background
• Dude Client, which may connect to a local or remote Dude server
Download this tool from
http://www.eccouncil.org/cehtools/dude.zip
Screenshots
Ethereal
Ethereal (since renamed Wireshark) is a network protocol analyzer for UNIX and Windows
It allows the user to examine data from a live network or from a capture file on disk
The user can interactively browse the captured data, viewing summary and detailed information for each packet captured
Display Filters in Ethereal
Display filters are used to change the view of packets in captured files
Display Filtering by Protocol
• Example: type the protocol name in the filter box
• arp, http, tcp, udp, dns
Filtering by IP Address
• ip.addr == 10.0.0.4
Filtering by multiple IP Addresses
• ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5
Monitoring Specific Ports
• tcp.port == 443
• Traffic of the 192.168.1.100 machine on port 443: ip.addr == 192.168.1.100 && tcp.port == 443 (a single = is not a comparison operator in display filters; use == or eq)
Other Filters
• ip.dst == 10.0.1.50 && frame.len > 400 (frame.pkt_len is the older name of this field; current Wireshark releases use frame.len)
• ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
• ip.src == 205.153.63.30 or ip.dst == 205.153.63.30
Note that ip.addr == X matches a packet if X is either its source or its destination, so ip.addr != X is not the opposite of ip.addr == X (it matches any packet where at least one of the two addresses differs from X); to exclude a host, write !(ip.addr == X)
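To see exactly what a filter such as ip.addr == 192.168.1.100 && tcp.port == 443 selects, the following added example (not from the EC-Council slides) writes a small pcap file from constructed Ethernet/IPv4/TCP frames, reads it back, and applies the same selection logic in Python. The MAC addresses, IP addresses and ports are constructed sample values.

```python
"""Added example (not from the CEH slides): write a small pcap from constructed
Ethernet/IPv4/TCP frames, read it back, and apply the same selection as the
Ethereal/Wireshark display filter  ip.addr == 192.168.1.100 && tcp.port == 443.
MACs, addresses and ports are constructed sample values."""
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK). The TCP checksum is left zero, which is
    fine for a test capture: Wireshark only reports it as unverified/bad."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0,
                             64, IPPROTO_TCP, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_csum[:10] + struct.pack("!H", checksum(ip_no_csum)) + ip_no_csum[12:]
    return eth + ip + tcp


def write_pcap(path, frames):
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                            LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (src_ip, dst_ip, sport, dport) for every IPv4/TCP frame."""
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        f.read(20)                                   # rest of the global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            incl_len = struct.unpack("<IIII", hdr)[2]
            frame = f.read(incl_len)
            if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
                continue
            ihl = (frame[14] & 0x0F) * 4
            ip = frame[14:14 + ihl]
            if ip[9] != IPPROTO_TCP:
                continue
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
            yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport


def host_and_port_filter(pkts, host, port):
    """ip.addr == host && tcp.port == port: ip.addr matches either address and
    tcp.port either port, which is why the server's replies are selected too."""
    return [p for p in pkts if host in (p[0], p[1]) and port in (p[2], p[3])]


def demo():
    frames = [
        build_tcp_frame("192.168.1.100", "10.0.0.4", 51000, 443),   # match
        build_tcp_frame("10.0.0.4", "192.168.1.100", 443, 51000),   # match (reply)
        build_tcp_frame("192.168.1.100", "10.0.0.4", 51001, 80),    # wrong port
        build_tcp_frame("10.0.0.5", "10.0.0.4", 51002, 443),        # wrong host
    ]
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tf:
        path = tf.name
    write_pcap(path, frames)
    pkts = list(read_pcap(path))
    return pkts, host_and_port_filter(pkts, "192.168.1.100", 443)


if __name__ == "__main__":
    pkts, hits = demo()
    print(f"{len(pkts)} packets read, {len(hits)} match:", hits)
```

The file this writes opens in Wireshark, and tshark -r file.pcap -Y 'ip.addr == 192.168.1.100 && tcp.port == 443' selects the same two packets (the request and the reply), which is the point of the ip.addr/tcp.port "either side" semantics.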
Following the TCP Stream in Ethereal
Ethereal reassembles all of the packets in a TCP conversation and displays the ASCII in an easy-to-read format
This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP
Example: Follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML content offline
Command: Selecting a TCP packet in the Summary Window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the Follow TCP Stream window. You can also right-click on a TCP packet in the Summary Window and choose Follow TCP Stream to display the window
tcpdump
tcpdump is a common command-line network debugging tool. It allows the user to capture and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Capturing requires root (or CAP_NET_RAW on Linux), and tcpdump puts the interface into promiscuous mode unless -p is given
Active Sniffing
Sniffing through a switch
• Difficult to sniff: the switch looks at the MAC address of each frame and sends it only to the port where that address was learned
• Can easily be detected: the attacker has to inject traffic to get anything
Techniques for active sniffing:
• MAC flooding
• ARP spoofing
The attacker tries to poison the switch (or the hosts' ARP caches) by sending bogus MAC addresses
What is Address Resolution Protocol?
Address Resolution Protocol (ARP, RFC 826) sits between the link and network layers and is used to convert an IPv4 address to a physical address (called a MAC address), such as an Ethernet address
To obtain a physical address, the host broadcasts an ARP request on the local network segment
The host with the IP address in the request replies with its physical hardware address on the network
ARP has no authentication: any host can answer any request, and most stacks also accept unsolicited replies, which is what makes the spoofing attacks that follow possible
ARP Spoofing Attack
ARP resolves IP addresses to the MAC (hardware) address of the interface to send data
ARP packets can be forged to send data to the attacker's machine
An attacker can exploit ARP poisoning to intercept network traffic between two machines on the network
MAC flooding is a related but different attack: by flooding the switch's MAC address (CAM) table with frames from bogus source addresses, the attacker exhausts the table, and some switches then fall back to sending frames out of every port ("fail-open" or hub mode), after which the attacker can packet-sniff the network
ARP Poisoning
Step 1: Legitimate user sends an ARP request, which the switch broadcasts onto the wire ("Hey 10.1.1.1, are you there?")
Step 2: Another legitimate user responds to the ARP request ("Yes, I am here. This is 10.1.1.1 and my MAC address is 1:2:3:4:5:6")
Step 3: The malicious user eavesdrops on the ARP request and responds after the legitimate user, spoofing the legitimate response and sending his malicious MAC address to the originator of the request ("No, I am 10.1.1.1 and my MAC address is 9:8:7:6:5:4")
Step 4: Information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4
Because the victim's ARP cache simply keeps the most recent answer, the attacker does not even need to wait for a request: periodically sending unsolicited replies keeps the cache poisoned
(Diagram: legitimate user, attacker and the Internet attached to the switch)
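The sequence above as raw frames, added here as an example (not from the EC-Council slides): it builds the request and both replies per RFC 826 and runs an arpwatch-style detector over them, which flags the moment 10.1.1.1 is claimed by a second MAC. The full-length MAC addresses (01:02:03:04:05:06 for the real host, 09:08:07:06:05:04 for the attacker, aa:bb:cc:dd:ee:01 for the requester) and the requester's IP 10.1.1.2 are constructed values.

```python
"""Added example (not from the CEH slides): the ARP poisoning exchange as raw
Ethernet frames, plus an arpwatch-style detector that reports an IP address
being claimed by a second MAC. MACs/IPs are constructed sample values."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Ethernet frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac or target_mac),
                      mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # HTYPE: Ethernet
                      0x0800,       # PTYPE: IPv4
                      6, 4,         # HLEN, PLEN
                      op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(smac), socket.inet_ntoa(sip), mac_str(tmac), socket.inet_ntoa(tip)


class ArpWatcher:
    """Learns IP -> MAC bindings from ARP replies and reports conflicts.
    arpwatch does the same thing from a live capture."""

    def __init__(self):
        self.bindings = {}      # ip -> first MAC seen claiming it
        self.alerts = []        # (ip, previous_mac, new_mac)

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp[0] != ARP_REPLY:
            return
        _, smac, sip, _, _ = arp
        known = self.bindings.get(sip)
        if known is None:
            self.bindings[sip] = smac
        elif known != smac:
            # Same IP, different MAC: a NIC swap, or ARP poisoning in progress.
            self.alerts.append((sip, known, smac))


def demo():
    requester_mac, requester_ip = "aa:bb:cc:dd:ee:01", "10.1.1.2"
    real_mac, real_ip = "01:02:03:04:05:06", "10.1.1.1"
    attacker_mac = "09:08:07:06:05:04"
    frames = [
        # Step 1: "Hey 10.1.1.1, are you there?" (broadcast)
        build_arp(ARP_REQUEST, requester_mac, requester_ip,
                  "00:00:00:00:00:00", real_ip, dst_mac=BROADCAST),
        # Step 2: legitimate reply
        build_arp(ARP_REPLY, real_mac, real_ip, requester_mac, requester_ip),
        # Step 3: attacker's spoofed reply for the same IP
        build_arp(ARP_REPLY, attacker_mac, real_ip, requester_mac, requester_ip),
    ]
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher


if __name__ == "__main__":
    for ip, old, new in demo().alerts:
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

Step 4 is what the detector cannot see: the requester's cache now holds 09:08:07:06:05:04 for 10.1.1.1, so the alert is the only signal a monitoring host gets, and it has to be generated on a port that actually receives the replies (a SPAN/mirror port, or the victim itself).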
MAC Duplicating
A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses
By listening to traffic on the network, a malicious user can intercept and use a legitimate user's MAC address
The switch then learns that address on the attacker's port as well, so traffic destined for the legitimate user is delivered to the attacker (in practice the switch's table entry flaps between the two ports whenever either host transmits, so the attacker sees part or all of that traffic)
This technique also works against wireless access points with MAC filtering enabled, since the filter only checks the easily cloned source address
MAC Duplicating Attack
Step 1: Malicious user sniffs the network for MAC addresses of currently associated legitimate users and then uses that MAC address to attack other users associated to the same switch port
Legitimate user: "My MAC address is A:B:C:D:E"
Attacker: "No! My MAC address is A:B:C:D:E"
Switch rule: Allow access to the network only if your MAC address is A:B:C:D:E
(Diagram: legitimate user, attacker and the Internet attached to the switch)
Ettercap
A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning-based sniffing, and so on
MAC Flooding
MAC flooding involves flooding the switch with frames carrying a large number of different source MAC addresses
Switches have a limited memory (the CAM table) for mapping MAC addresses to the physical ports on the switch
MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the table is full and the switch can no longer keep track of where the legitimate hosts are
The switch then acts as a hub, sending frames for destinations it no longer knows out of all ports
After this, sniffing can be easily performed from any port
Countermeasure: port security, a per-port limit on the number of learned MAC addresses with the port shut down on violation, stops the table from being filled in the first place
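What happens inside the switch, as an added example (not from the EC-Council slides): a simulated CAM table with a small fixed capacity, an attacker port that sends frames from random source MACs the way macof does, and the port-security countermeasure. The port numbers, the 64-entry capacity, the two 00:00:5e:00:53:xx addresses and the per-port limit of two MACs are constructed for the simulation.

```python
"""Added example (not from the CEH slides): a simulated switch CAM table that
shows why MAC flooding turns a switch into a hub, and the port-security
countermeasure that stops it. Ports, capacity and addresses are constructed."""
import os
from collections import OrderedDict


def random_mac() -> str:
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE           # locally administered, unicast
    return ":".join(f"{x:02x}" for x in b)


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()          # MAC -> ingress port, oldest first
        self.max_macs_per_port = max_macs_per_port   # None = no port security
        self.shutdown = set()             # err-disabled ports
        self.flooded = 0                  # frames sent out of every port

    def _learn(self, src_mac, in_port):
        """Record src_mac on in_port; returns False if port security trips."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
            self.cam[src_mac] = in_port
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.shutdown.add(in_port)    # violation: shut the port down
                return False
        if len(self.cam) >= self.cam_capacity:
            # Table full. A real switch either evicts or stops learning until
            # entries age out; either way legitimate hosts become "unknown".
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for one frame."""
        if in_port in self.shutdown or not self._learn(src_mac, in_port):
            return set()
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            self.flooded += 1            # unknown destination: flood (hub mode)
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        return {out}


def mac_flood(switch, attacker_port, count):
    """What macof/etherflood do: frames with random source and destination MACs."""
    for _ in range(count):
        switch.forward(random_mac(), random_mac(), attacker_port)


def demo(port_security=False, cam_capacity=64, flood_frames=200):
    VICTIM, SERVER, ATTACKER = 1, 2, 3
    victim_mac, server_mac = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    sw = Switch([VICTIM, SERVER, ATTACKER], cam_capacity,
                max_macs_per_port=2 if port_security else None)
    sw.forward(victim_mac, server_mac, VICTIM)     # server unknown yet: flooded
    sw.forward(server_mac, victim_mac, SERVER)     # both ends now learned
    before = sw.forward(victim_mac, server_mac, VICTIM)
    mac_flood(sw, ATTACKER, flood_frames)
    after = sw.forward(victim_mac, server_mac, VICTIM)
    return before, after, sw


if __name__ == "__main__":
    for ps in (False, True):
        before, after, sw = demo(port_security=ps)
        print(f"port security {'on ' if ps else 'off'}: victim->server goes to "
              f"{sorted(before)} before flooding, {sorted(after)} after; "
              f"CAM entries={len(sw.cam)}, shutdown ports={sorted(sw.shutdown)}")
```

Without port security the victim's frame to the server ends up on the attacker's port after the flood; with a limit of two MACs per port, the third bogus source address on port 3 shuts that port down and the CAM table keeps its four legitimate entries.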
Tools for MAC Flooding
• Macof (Linux-based tool)
• Etherflood (Linux and Windows)
Linux Tool: Macof
Macof (part of the dsniff package) floods the local network with random MAC addresses, causing some switches to fail open into repeating (hub) mode, which facilitates sniffing
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
Windows Tool: EtherFlood
EtherFlood floods a switched network with Ethernet frames with random hardware addresses
The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the sub-network
http://ntsecurity.nu/toolbox/etherflood/
Threats of ARP Poisoning
Internal network attacks are typically carried out via ARP poisoning
Malicious software for running ARP spoofing attacks can be downloaded from the Internet by anyone
Using fake ARP messages, an attacker can divert all communication between two machines so that all traffic is exchanged via his PC
From this man-in-the-middle position, the attacker can, in particular:
• Run Denial of Service (DoS) attacks
• Intercept data
• Collect passwords
• Manipulate data
• Tap VoIP phone calls
DHCP Starvation Attack
A DHCP starvation attack works by broadcasting DHCPDISCOVER requests with spoofed client hardware addresses (the chaddr field)
This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time
The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. By placing a rogue DHCP server on the network, a network attacker can provide clients with addresses and other network information
Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply his or her own system as the default gateway and DNS server, resulting in a "man-in-the-middle" attack
Download Gobbler tool at http://www.eccouncil.org/cehtools/gobbler.zip
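The starvation attack and the DHCP-snooping countermeasure as an added example (not from the EC-Council slides, and not gobbler's code): it builds minimal RFC 2131 DHCPDISCOVER messages with random chaddr values, runs them against a simulated server with a 14-address pool, and then repeats the run against a server whose access switch checks that chaddr equals the frame's source MAC and rate-limits DISCOVERs per port. The pool 192.0.2.0/28, the port numbers, the limit of five DISCOVERs per port and all MAC addresses are constructed.

```python
"""Added example (not from the CEH slides, and not gobbler's code): DHCP
starvation against a simulated server, with and without DHCP-snooping style
checks. Pool, ports and MAC addresses are constructed for the simulation."""
import ipaddress
import os
import struct

BOOTREQUEST = 1
DHCP_MAGIC = 0x63825363
DHCPDISCOVER = 1


def random_mac() -> bytes:
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE            # locally administered, unicast
    return bytes(b)


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Minimal RFC 2131 DHCPDISCOVER: BOOTP fixed fields + option 53 + end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128sI",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
                        DHCP_MAGIC)
    return fixed + bytes([53, 1, DHCPDISCOVER, 255])


def parse_discover(msg: bytes):
    """Return (xid, chaddr); only the fields the server below needs."""
    _, _, hlen, _, xid = struct.unpack("!BBBBI", msg[:8])
    return xid, msg[28:28 + hlen]


class DhcpServer:
    def __init__(self, pool_cidr, snooping=False, rate_limit=None):
        self.free = [str(ip) for ip in ipaddress.ip_network(pool_cidr).hosts()]
        self.leases = {}                   # chaddr -> ip
        self.snooping = snooping           # DHCP snooping on the access switch
        self.rate_limit = rate_limit       # max DISCOVERs accepted per port
        self.per_port = {}
        self.dropped = 0

    def handle(self, frame_src_mac: bytes, msg: bytes, in_port: int):
        """Return the offered IP, or None if the DISCOVER is dropped/unserved."""
        _, chaddr = parse_discover(msg)
        if self.snooping:
            # MAC verification: chaddr must equal the Ethernet source address.
            if chaddr != frame_src_mac:
                self.dropped += 1
                return None
            self.per_port[in_port] = self.per_port.get(in_port, 0) + 1
            if self.rate_limit is not None and self.per_port[in_port] > self.rate_limit:
                self.dropped += 1
                return None
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None                    # pool exhausted: starvation achieved
        self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


def starve(server, port, n, match_l2=False):
    """n DISCOVERs with random chaddr. match_l2=True also changes the NIC's own
    MAC each time (as SMAC/macchanger allow), which defeats the chaddr check
    alone and is why the per-port rate limit is needed as well."""
    nic = bytes.fromhex("020000000001")
    offers = 0
    for i in range(n):
        chaddr = random_mac()
        src = chaddr if match_l2 else nic
        if server.handle(src, build_discover(chaddr, i), port) is not None:
            offers += 1
    return offers


def demo(snooping=False):
    """Per attacker variant: (attacker offers, honest client's IP, drops)."""
    results = {}
    for match_l2 in (False, True):
        srv = DhcpServer("192.0.2.0/28", snooping=snooping, rate_limit=5)
        offers = starve(srv, port=7, n=20, match_l2=match_l2)
        client = bytes.fromhex("005e00530042")     # honest client, chaddr == src
        client_ip = srv.handle(client, build_discover(client, 0xABCD), in_port=2)
        results[match_l2] = (offers, client_ip, srv.dropped)
    return results


if __name__ == "__main__":
    for snoop in (False, True):
        print("snooping", snoop, demo(snoop))
```

Without snooping both attacker variants drain the 14-address pool and the honest client gets nothing; with snooping the chaddr check drops every frame of the first variant, and the rate limit caps the MAC-changing variant at five leases, leaving addresses for the honest client.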
IRS – ARP Attack Tool
Many servers and network devices like routers and switches provide features like ACLs, IP filters, firewall rules, and so on, to give access to their services only to particular network addresses (usually administrators' workstations)
This tool scans for IP restrictions set for a particular service on a host
It combines "ARP poisoning" and "half-scan" techniques and tries spoofed TCP connections to the selected port of the target
IRS is not a port scanner but a "valid source IP address" scanner for a given service
ARPWorks Tool
ArpWorks is a utility for sending customized "ARP announce" packets over the network
All ARP parameters, including the Ethernet source MAC address, can be changed as you like
Other features are: IP-to-MAC resolver, subnet MAC discovery, host isolation, packet redirection, and general IP conflict
Tool: Nemesis
Nemesis provides an interface to craft and inject a variety of arbitrary packet types. It is also used for ARP spoofing
Nemesis supports the following protocols: arp, dns, ethernet, icmp, igmp, ip, ospf, rip, tcp, udp
Sniffer Hacking Tools (dsniff package)
Sniffer hacking tools (these tools are available on the Linux CD-ROM):
• arpspoof: Intercepts packets on a switched LAN
• dnsspoof: Forges replies to DNS address and pointer queries
• dsniff: Password sniffer
• filesnarf: Sniffs files from NFS traffic
• mailsnarf: Sniffs mail messages in Berkeley mbox format
• msgsnarf: Sniffs chat messages
Sniffer Hacking Tools (cont'd)
• sshmitm: SSH monkey-in-the-middle
• tcpkill: Kills TCP connections on a LAN
• tcpnice: Slows down TCP connections on a LAN
• urlsnarf: Sniffs HTTP requests in Common Log Format
• webspy: Displays sniffed URLs in Netscape in real time
• webmitm: HTTP/HTTPS monkey-in-the-middle
Linux Tool: Arpspoof
Arpspoof redirects packets from a target host intended for another host on the LAN by forging ARP replies
Arpspoof is an effective way of sniffing traffic on a switch. To keep the victim's traffic flowing (and the attack unnoticed), enable IP forwarding on the attacking host first, for example with sysctl -w net.ipv4.ip_forward=1 on Linux
arpspoof [-i interface] [-t target] host
Linux Tool: Dnsspoof
Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks
dnsspoof [-i interface] [-f hostsfile] [expression]
Linux Tool: Dsniff
Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, and so on
Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. Full TCP/IP reassembly is provided by libnids
dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
Linux Tool: Mailsnarf
Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader
mailsnarf [-i interface] [[-v] pattern [expression]]
Linux Tool: Sshmitm
Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof, capturing SSH password logins, and optionally hijacking interactive sessions
Only SSH protocol version 1 is (or ever will be) supported; as the tool's own documentation notes, this program is far too dangerous already. The attack also depends on the client accepting the attacker's host key
sshmitm [-d] [-I] [-p port] host [port]
Linux Tool: Tcpkill
Tcpkill kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation)
tcpkill [-i interface] [-1...9] expression
Linux Tool: Tcpnice
Tcpnice slows down specified TCP connections on a LAN via active traffic shaping
tcpnice [-I] [-i interface] [-n increment] expression
Linux Tool: Urlsnarf
Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, and so on)
urlsnarf [-n] [-i interface] [[-v] pattern [expression]]
Linux Tool: Webspy
Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automatically). Netscape must be running on your local X display ahead of time
webspy [-i interface] host
Linux Tool: Webmitm
Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions
It works by presenting its own certificate to the client, so the HTTPS part of the attack only succeeds if the user clicks through the resulting certificate warning
webmitm [-d]
2. Internet DNS Spoofing (Remote Network)
Send a Trojan to Rebecca's machine and change her DNS IP address to that of the attacker's
Works across networks. Easy to set up and implement
1. Hacker infects Rebecca's computer, changing her DNS server IP address to 200.0.0.2 (a DNS server the hacker runs in Russia)
2. Rebecca types www.xsecurity.com in her web browser; the DNS request "What is the IP address of www.xsecurity.com?" goes to 200.0.0.2
3. DNS response: "www.xsecurity.com is located at 65.0.0.2" (the hacker's fake website)
4. Rebecca's browser connects to 65.0.0.2
5. The hacker's fake website sniffs the credential and redirects the request to the real website www.xsecurity.com (IP: 200.0.0.45)
Internet DNS Spoofing
To redirect all the DNS request traffic going from the host machine to you:
1. Set up a fake website on your computer
2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5. When Jessica runs the trojaned file, it will replace the DNS entry in her TCP/IP properties with that of your machine
6. You will become the DNS server for Jessica and her DNS requests will go through you
7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website
3. Proxy Server DNS Poisoning
Send a Trojan to Rebecca's machine and change her proxy server settings in Internet Explorer to that of the attacker's
Works across networks. Easy to set up and implement
1. Hacker infects Rebecca's computer, changing her IE proxy address to 200.0.0.2 (a proxy server the hacker runs in Russia)
2. Rebecca types www.xsecurity.com in her web browser; all of Rebecca's web requests go through the hacker's machine
3. Hacker sends Rebecca's request to the fake website (IP: 65.0.0.2)
4. The hacker's fake website sniffs the credential and redirects the request to the real website www.xsecurity.com (IP: 200.0.0.45)
4. DNS Cache Poisoning
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information
If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request. Validating a response means at least checking that its transaction ID and the destination port match an outstanding query, that its question section matches that query, and that the records it carries belong to the zone the queried server is authoritative for (the "bailiwick"); because the attacker can spoof the source IP of the real server, the unpredictability of the transaction ID and source port is what actually protects the cache
• For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls
• He then creates fake entries for files on the server he controls with names matching those on the target server
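A toy resolver that makes the validation concrete, added here as an example (not from the EC-Council slides): it builds and parses DNS wire-format messages, then compares a resolver that caches the first plausible answer with one that checks the transaction ID, source address and destination port against the outstanding query and keeps only records that answer the question. The upstream server 203.0.113.53, the forged reply, and the reuse of the slides' www.xsecurity.com / 65.0.0.2 / 200.0.0.45 are constructed sample values; the attacker is assumed to spoof the upstream's source IP, so only the transaction-ID and port entropy stand in the way.

```python
"""Added example (not from the CEH slides): wire-format DNS messages fed to a
toy caching resolver, comparing a resolver that accepts any answer with one
that validates it against the outstanding query. Names and addresses are
constructed sample values."""
import random
import socket
import struct


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(txid: int, qname: str) -> bytes:
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN


def build_response(txid: int, qname: str, answers) -> bytes:
    """answers: list of (name, ipv4) A records. Flags 0x8400 = QR + AA."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += socket.inet_aton(ip)
    return msg


def parse_response(msg: bytes):
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, flags, qname, answers


class Resolver:
    def __init__(self, strict: bool):
        self.strict = strict
        self.cache = {}                 # name -> ip
        self.pending = {}               # txid -> (qname, upstream_ip, our_port)

    def send_query(self, qname, upstream_ip):
        txid = random.randrange(1, 65536)
        sport = random.randrange(1024, 65536)      # source-port randomization
        self.pending[txid] = (qname, upstream_ip, sport)
        return build_query(txid, qname), sport

    def receive(self, msg, from_ip, to_port):
        """Returns True if the response was accepted into the cache."""
        txid, _, qname, answers = parse_response(msg)
        if qname in self.cache:
            return False                # first answer wins until the TTL expires
        if self.strict:
            if self.pending.get(txid) != (qname, from_ip, to_port):
                return False            # wrong TXID, peer or port: discard
            answers = [(n, ip) for n, ip in answers if n == qname]
        self.pending = {t: p for t, p in self.pending.items() if p[0] != qname}
        for name, ip in answers:
            self.cache[name] = ip
        return True


def demo(strict: bool):
    r = Resolver(strict)
    upstream = "203.0.113.53"
    query, sport = r.send_query("www.xsecurity.com", upstream)
    real_txid = struct.unpack("!H", query[:2])[0]
    # Attacker spoofs the upstream's IP and guesses the TXID (wrongly, here).
    guess = (real_txid + 1) & 0xFFFF
    forged = build_response(guess, "www.xsecurity.com",
                            [("www.xsecurity.com", "65.0.0.2")])
    took_forged = r.receive(forged, upstream, sport)
    genuine = build_response(real_txid, "www.xsecurity.com",
                             [("www.xsecurity.com", "200.0.0.45")])
    took_genuine = r.receive(genuine, upstream, sport)
    return took_forged, took_genuine, r.cache.get("www.xsecurity.com")


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "naive ", demo(strict))
```

The naive resolver caches 65.0.0.2 from the forged packet and then ignores the genuine answer because the name is already cached; the strict one discards the forgery on the transaction-ID mismatch and caches 200.0.0.45. With only 16 bits of transaction ID an attacker can still win by flooding guesses, which is why randomizing the source port (and, ultimately, DNSSEC) matters.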
Interactive TCP Relay
It operates as a simple TCP tunnel listening on a specific port and forwarding all traffic to the remote host and port
The program can intercept and edit the traffic passing through it
The traffic can be edited with the built-in HEX editor
HTTP Sniffer: EffeTech
An HTTP protocol packet sniffer and network analyzer
Captures IP packets containing HTTP protocol
Enables on-the-fly content viewing while monitoring and analyzing
Parses and decodes HTTP protocol, and generates a web traffic report for reference
Ace Password Sniffer
Can monitor and capture passwords through FTP, POP3,
HTTP, SMTP, Telnet, and some web mail passwords
Can listen on LAN and capture passwords of any network user
Ace Password Sniffer works passively and is hard to detect
If a network is connected through a switch, the sniffer can be
run on the gateway or proxy server, which can get all network
traffic
Screenshot
MSN Sniffer
Captures MSN chat on a network
It records MSN conversations automatically
All intercepted messages can be saved as HTML files forlater processing and analyzing
Everything will be recorded without being detected
SmartSniff
SmartSniff is a TCP/IP packet capture program that allows you to inspect network traffic that passes through your network adapter
It is a valuable tool to check what packets your computer is sending to the outside world
Session Capture Sniffer: NetWitness
NetWitness is described as the most powerful sniffer on the market
The patented technology recreates "sessions" and displays them on the screen
Law enforcement agencies in the U.S. like the FBI use this tool
NetWitness audits and monitors all traffic on the network
It interprets the activities into a format that network engineers and non-engineers alike can quickly understand
It records all activities, and transforms the "take" into a dense transactional model describing the network, application, and content levels of those activities
Session Capture Sniffer: NWreader
FTP sessions captured (screenshot)
Cain and Abel
MSCACHE Hashes Dumper
MSCACHE Hashes Dictionary and Brute-Force Crackers
Sniffer filter for SIP-MD5 authentications
SIP-MD5 Hashes Dictionary and Brute-Force Crackers
Off-line capture file processing compatible with winpcap, tcpdump,
and ethereal format
Cain’s sniffer can extract audio conversations based on SIP/RTP
protocols and save them into WAV files
Packet Crafter: Craft Custom TCP/IP Packets
SMAC
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters on one screen. The built-in logging capability allows it to track MAC address modification activities
NetSetMan Tool
NetSetMan allows you to quickly switch between pre-configured network settings
It is ideal for ethical hackers that have to connect to different networks all the time and need to update their network settings each time
NetSetMan allows you to create 6 profiles including IP address settings, Subnet Mask, Default Gateway, and DNS servers
Raw Sniffing Tools
Sniffit
Aldebaran
Hunt
NGSSniff
Ntop
pf
IPTraf
Etherape
Snort
Windump/tcpdump
Etherpeek
Mac Changer
Iris
NetIntercept
WinDNSSpoof
Features of Raw Sniffing Tools
Data can be intercepted "off the wire" from a live network connection, or read from a captured file
Can read captured files from tcpdump
Command line switches to the editcap program enable the editing or conversion of the captured files
Display filter enables the refinement of the data
Sniffit
Sniffit is a packet sniffer for TCP/UDP/ICMP packets
It provides detailed technical information about the packets and packet contents in different formats
By default it can handle Ethernet and PPP devices, but can be easily forced into using other devices
Aldebaran
Aldebaran is an advanced Linux sniffer/network analyzer
It supports sending data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in HTML, capture rules, colored output, and more
Hunt
Hunt is used to watch TCP connections, intrude on them, or reset them
It is meant to be used on Ethernet, and has active mechanisms to sniff switched connections
Features:
• It can be used for watching, spoofing, detecting, hijacking, and resetting connections
• MAC discovery daemon for collecting MAC addresses, sniff daemon for logging TCP traffic with the ability to search for a particular string
Pf
Pf is OpenBSD's system for filtering TCP/IP traffic and performing Network Address Translation
It is also capable of normalizing and conditioning TCP/IP traffic, and providing bandwidth control and packet prioritization
IPTraf
IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the current IP traffic over it
IPTraf can be used to monitor the load on an IP network, the most used types of network services, the proceedings of TCP connections, and more
EtherApe
EtherApe is a graphical network monitor for Unix
Featuring link layer, IP, and TCP modes, it displays network activity graphically
It can filter traffic to be shown, and can read traffic from a file as well as live from the network
Netfilter
Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT), and other packet mangling
Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register callback functions called every time a network packet traverses one of those hooks
Features:
• Stateful packet filtering (connection tracking)
• All kinds of network address translation
• Flexible and extensible infrastructure
Network Probe
This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network
All traffic is monitored in real time
All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces
MaaTec Network Analyzer
MaaTec Network Analyzer is a tool that is used for capturing, saving, and analyzing network traffic
Features:
• Real-time network traffic statistics
• Scheduled network traffic reports
• Online view of incoming packets
• Multiple data color options
Tool: Snort
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system
Sniffer mode reads the packets off of the network and displays them for you in a continuous stream on the console
Packet logger mode logs the packets to the disk
Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set
Tool: Windump
WinDump is the port to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX
Tool: Etherpeek
Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding, and displaying packet data, it finds protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, and unreachable devices
Mac Changer
MAC changer is a Linux utility for setting a specific MAC address for a network interface
It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor
The user can also set a MAC of the same kind (such as a wireless card)
It offers a choice of vendor MAC list of more than 6200 items
Iris
It allows for the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is watching it during work hours
NetIntercept
A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and file names
WinDNSSpoof
This tool is a simple DNS ID Spoofer for Windows 9x/2K
To use it, you must be able to sniff traffic of the computer being attacked
Usage: wds -h
Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
How to Detect Sniffing?
You will need to check which machines are running in promiscuous mode
Run ARPWATCH and notice if the MAC address of certain machines has changed (Example: router's MAC address)
Run network tools like HP OpenView and IBM Tivoli network health check tools to monitor the network for strange packets
AntiSniff Tool
AntiSniff tool can detect machines on the network that are running in promiscuous mode
ArpWatch Tool
ArpWatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings
It also reports certain changes via email
Place triggers when your router's MAC address changes on your network
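Added example (not ArpWatch's own code, and not part of the original module): an ArpWatch-style tracker that keeps the Ethernet/IP pairing database described above and raises an alert when a pairing changes, with a trigger on the router's address as the "How to Detect Sniffing" slide suggests. The ARP replies it consumes are a constructed sample; the real tool reads them off the wire.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ArpTracker:
    """Keeps an IP -> MAC database of ARP replies and reports changes, as ArpWatch does."""
    watched: set = field(default_factory=set)    # IPs to trigger on, e.g. the router
    db: dict = field(default_factory=dict)       # ip -> MAC currently answering for it
    history: dict = field(default_factory=dict)  # ip -> every MAC ever seen for it

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an alert line, or None if nothing changed."""
        mac = mac.lower()
        seen = self.history.setdefault(ip, set())
        was_seen = mac in seen
        seen.add(mac)
        current = self.db.get(ip)
        self.db[ip] = mac
        if current is None:
            return f"new station {ip} {mac}"
        if current == mac:
            return None
        # The same IP now answers from a different MAC: the change ArpWatch reports,
        # and what an ARP-spoofed gateway looks like on the wire. A MAC that was seen
        # before and comes back is ArpWatch's "flip flop" (real host and spoofer alternating).
        kind = "flip flop" if was_seen else "changed ethernet address"
        alert = f"{kind} {ip} {current} -> {mac}"
        return f"TRIGGER gateway {alert}" if ip in self.watched else alert


def scan(tracker: ArpTracker, replies) -> list:
    """Feed (ip, mac) pairs from ARP replies and collect the alerts raised."""
    alerts = []
    for ip, mac in replies:
        alert = tracker.observe(ip, mac)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: the router 192.168.1.1 legitimately answers from ...:01; a host
# at ...:99 later claims the router's IP, then the real router answers again.
SAMPLE_REPLIES = [
    ("192.168.1.1", "AA:BB:CC:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # spoofed reply for the router
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real router answers again
]


def demo() -> list:
    """Run the sample through a tracker that triggers on the router's IP."""
    return scan(ArpTracker(watched={"192.168.1.1"}), SAMPLE_REPLIES)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a deployment the alerts would be mailed, as the slide describes; the sample produces two "new station" lines and two TRIGGER lines for the router.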
Countermeasures
Restriction of physical access to network media ensures that a packet sniffer cannot be installed
The best way to be secured against sniffing is to use encryption. It would not prevent a sniffer from functioning, but will ensure that what a sniffer reads is of no use to it
ARP spoofing is used to sniff a switched network, so an attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache
Countermeasures (cont’d)
There are various tools to detect a sniffer in a network:
• ARP Watch
• Promiscan
• Antisniff
• Prodetect
Countermeasures (cont’d)
Small Network
• Use of static IP addresses and static ARP tables, which prevent hackers from adding spoofed ARP entries for machines in the network
Large Networks
• Network switch Port Security features should be enabled
• Use of ArpWatch to monitor Ethernet activity
Summary
Sniffing allows an attacker to capture vital information from network traffic. It can be done over a hub or a switch (passive or active)
Passwords, emails, and files can be grabbed by means of sniffing
ARP poisoning can be used to change the switch mode of the network to hub mode and subsequently carry out packet sniffing
Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, and NGSSniff are some of the most popular sniffing tools
The best way to be secured against sniffing is to use encryption, and apply the latest patches or other lockdown techniques to the system