Seminar Topic
Packet Sniffing
1
Presented By:Soumitra Kumar Jana(06/CS/55)Chandan Paul(06/CS/84)Sankha De(06/CS/61)Shantanu Das(06/CS/104)
CSE 7th SEM,HITUnder the Guidance of:
Ms. Jayeeta MajumdarLecturer, CSE ,HIT
2
Topics to be discussed INTRODUCTION TO PACKET SNIFFING WHO USES PACKET SNIFFERS AND WHY TYPES OF SNIFFING PROTOCOLS VULNERABLE TO SNIFFING INTERNET BASICS PACKET SNIFFERS HOW SNIFFERS WORK? SOME TECHNIQUES FOR IMPLEMENTING SNIFFING SOME POPULAR PACKET SNIFFERS EXPLOITS OF PACKET SNIFFERS HOW TO DETECT SNIFFING COUNTERMEASURES CONCLUSION 3
The Network Today:
4
Introduction to Packet Sniffing
Sniffing is a data interception technology.The term sniffing commonly is used to describe protocol analysis, the process of viewing and analyzing the contents of packets on a network.
Tools used for this purpose are properly called protocol analyzers, but the term sniffer also is widely used for such tools.
Protocol analyzers or sniffers are network troubleshooting tools that provide a detailed view of network traffic.
5
Host A Host BRouter A Router B
(Continued...)A network analyzer is just software
running on a computer with a networkcard. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined to the network-analyzer host. The network analyzer performs the following functions:
Captures all network traffic.Interprets or decodes what is found into a
human-readable format.Displays it all in chronological order.
6
Who Uses Packet Sniffers and Why?System administrators
-- To monitor the flow of network traffic
--Troubleshoot communication problems
--Understand system problems and performance
--Intrusion detection
--Debug network protocol implementations
--Detection of erroneous packet flow through the network
--Gather and report network usage and statistics.
(Continued...)Malicious individuals (intruders)
--Capture cleartext data --Passively collect data on vulnerable protocols
FTP, POP3, IMAP, SMATP, rlogin, HTTP etcCapture VoIP Data.
--Mapping the target network --Traffic pattern discovery --Actively break into the network (backdoor
techniques)
Types of Sniffing
Passive sniffing means sniffing through a hub.It is passive because it is difficult to detect.An attacker simply connects to the hub from his/her machine.
Active sniffing means sniffing through a switch.It is easy to detect.Attacker tries to poison the switch by sending bogus MAC address. 9
Sniffing
Passive Sniffing
ActiveSniffin
g
Protocols Vulnerable to Sniffing
Protocols that are suspectible to sniffers include-Telnet :Keystrokes including usernames and
passwords.HTTP:Data sent in the clear text.SMTP:Password and data sent in the clear text.POP: Password and data sent in the clear text.FTP: Password and data sent in the clear text.IMAP VoIPSNMP etc.
10
INTERNET Today Internet is based on TCP/IP architecture. The model defines
four (or five) layers. Physical LayerData Link Layer: Ethernet, 802.11(2)Network Layer: IPv4 (IPv6)(3)Transport Layer: TCP, UDP(4)Application Layer: SMTP, HTTP, FTP(5)
11
Packet SniffersA "Packet Sniffer" is a utility that sniffs without modifying the network's packets in any way. By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its programming dictates. Packet sniffers merely watch, display, and log this traffic.
How They Work An Ethernet sniffer is software that works in concert with
the network interface card (NIC) to blindly suck up all traffic within “earshot” of the listening system, rather than just the traffic addressed to the sniffing host.
12
How They Work(Continues...) Normally, an Ethernet NIC will discard any
traffic not specifically addressed to itself or the network broadcast address, so the card must be put in a special state called promiscuous mode to enable it to receive all packets floating by on the wire.Once the network hardware is in promiscuous mode, the sniffer software can capture and analyze any traffic that traverses the local Ethernet segment.
This limits the range of a sniffer somewhat because it will not be able to listen to traffic outside of the local network’s collision domain (that is, beyond routers, switches, or other segmenting devices).
Obviously, a sniffer judiciously placed on a backbone, internetwork link, or other network aggregation point will be able to monitor a greater volume of traffic than one placed on an isolated Ethernet segment.This is the basic understanding of the function of a sniffer.
13
Some Techniques for Implementing Packet Sniffing
ARP Spoofing or ARP PoisioningThe process of falsifying the source Media Access
Control (MAC) addresses of packets being sent on an Ethernet network is called ARP spoofing or ARP poisoning. ARP spoofing involves sending forged ARP replies to redirect network traffic to the attacking host. If the attacking host is only listening to traffic and not participating in it, legitimate hosts are usually unaware that the packets they are transmitting are being redirected to an attacker and are not reaching their intended destinations.
Tools used –Cain & Abel,Ettercap etc.14
(Continues...) MAC duplicating MAC duplicating attack is launched by sniffing network for
MAC addresses of clients who are actively associates with a switch-port.By listening to the traffic on the network a malicious user can intercept and use a legitimate user’s MAC address and he got all the traffic destined for that legitimate user.
MAC Flooding MAC flooding is an attack that tries to flood the internal
memory of Ethernet switches using large numbers of spoofed Media Access Control (MAC) addresses. Switches has limited memory for mapping the MAC addresses to the physical ports on switch.MAC flooding uses this limitation and floods the switch with fake MAC addresses until the switch can’t keep up.Switch then acts like a hub by broadcasting packets to all machines in the network.After that sniffing is easily performed.
Tools used-Etherflood.15
(Continues...)
IP Based SpoofingThis is the original way of packet sniffing.It works by
putting the network card into promiscuous mode and sniffs all packets.This method only works in non-switched networks.All the modern sniffers uses this technique.
DNS Poisoning DNS spoofing provides DNS servers with false
information to impersonate DNS servers.The DNS server beleives that it has got authentic information when, in reality,it does not.
Intranet DNS Poisoning(LAN)Internet DNS Poisoning(Remote Network)Proxy Server DNS PoisoningDNS Cache Poisoning 16
Some Popular Packet sniffers Linux/Unix-based sniffers use libpcap, which must be
installed prior to installing any sniffer.tcpdump, a command-line based packet sniffer.tcpshow (tcpdump-based analysis).Wireshark (Packet sniffer GUI) [Formerly Ethereal]ngreg — network grep (Command line tool to apply regular
expressions to tcpdump output).Dsniff-is a password sniffer handles
FTP,Telnet,SMTP,HTTP,POP etc. Windows-based sniffers use WinPcap, which must be
installed prior to installing any sniffer.1.Wireshark(Packet sniffer GUI) [Formerly Ethereal]2.Capsa Network Analyzer (Packet Sniffer) from Colasoft3.Cain & Abel from Oxid.it4. WinDump, a DOS command-line packet sniffer5.CommViewer 17
Wireshark Wireshark (formerly Ethereal) is a UNIX- and Windows-based
open source network monitoring tool. Stable release is 1.2.4.Wireshark is a software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap.
Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.
Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
Decodes over 750 protocols .Compatible with many other sniffers .
18
MENU BAR
DISPLAY FILTER SPECIFICATION
19
Listing of All the Packets
Details of Selected Packet Header
Packet Content in Hex & ASCII Code
CS420: High Speed Multimedia and Multiservice Networks 20
Selected TCP Packet#43262
Details of the selected packet (#43262)
Raw data (content of packet # 43262)
21
Filtering HTTP Packets Only
Accessing http://en.wikipedia.org with source ip 10.10.39.155.The destination ip for this packet is 10.10.3.254
Cain and Abel Cain and Abel (sometimes called simply "Cain") is a
Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel.
TCP/UDP Traceroute with DNS ResolverDumping protected storage passwords -Reveals locally stored
passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.
APR(ARP Poison Routing)- Enables sniffing on switched networks.Sniffer -Captures passwords, hashes and authentication information
while they are transmitted on the network. IP to MAC Address resolver • Used for remote purposes such as Remote Console,Remote Route
Table Manager,Remote TCP/UDP Table Viewer etc.22
Start/Stop APR
Start/Stop SnifferButton
23
Sniffer Operations
Traceroute any web address
Lists network computers with MAC,Hostname
Lists all computers in the subnet
Lists all computers on the subnet
APR(ARP Poison Routing)
Username,passwords and web address is retrieved
ARP Poison Routing
SessionHijacking
Session Hijackin
g
26
LAN ViewLAN View
WAN View
APR Poisoning Status
Exploits of Packet SniffersOne disturbingly powerful aspect of packet sniffers
is their ability to place the hosting machine's network adapter into "promiscuous mode." Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the sniffing software, but also ALL of the traffic on the physically connected local network.
By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.
27
How to Detect Sniffing?There are two basic approaches to detecting sniffers:
1. host based
2. network based The most direct host-based approach is to determine
whether the target system’s network card is operating in promiscuous mode. On UNIX, several programs can accomplish this, including Check Promiscuous Mode (cpm)
Sniffers are also visible in the Process List and tend to create large log files over time, so simple UNIX scripts using ps, grep can illuminate suspicious sniffer-like activity. But these techniques are not always effective.28
(Continued...)Check whether the MAC address of some
machine(such as a Router) has changed.
Network-based sniffer detection has been hypothesized for a long time. One of the first proof of concepts, Anti-Sniff, was created by L0pht.
Run network tools like HP OpenView or IBM Tivoli to monitor network for strange packets.
29
Countermeasures
The following techniques and tools can be used to mitigate
sniffers: Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
Switched infrastructure—Migrating to Switched Network Topologies . Shared Ethernet is extremely vulnerable to sniffing.
Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
Cryptography—The best way to defeat sniffing is to encrypt network traffic using Internet Protocol Security (IPSec) or some other mechanism. This won’t stop attackers from sniffing your network, but it will make it harder for them to gain anything useful from their efforts.
30
Host A Host BRouter A Router B
ConclusionIts a cruel irony in information security that many of
the features that make using computers easier or more efficient and the tools used to protect and secure the network can also be used to exploit and compromise the same computers and networks. This is the case with packet sniffing.
Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode though and this might be used as a means for locating rogue packet sniffers.
31
ReferencesReferences• http://en.wikipedia.org
• http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html
• http://www.tcpdump.org/pcap.htm
• http://mixter.void.ru/rawip.html
• http://www.coders.eu.org/manualy/win/wskfaq/examples/rawping.html
• http://www.wireshark.org
• http://www.oxid.it
THANK YOU
33