Seminar Topic - PowerPoint PPT Presentation

Slides: 34
Provided by: 123semina
Transcript and Presenter's Notes

1
Seminar Topic
  • Packet Sniffing

2
  • Presented By
  • Soumitra Kumar Jana(06/CS/55)
  • Chandan Paul(06/CS/84)
  • Sankha De(06/CS/61)
  • Shantanu Das(06/CS/104)
  • CSE 7th SEM,HIT
  • Under the Guidance of
  • Ms. Jayeeta Majumdar
  • Lecturer, CSE ,HIT

3
Topics to be discussed
  • Introduction to packet sniffing
  • Who uses packet sniffers and why
  • Types of sniffing
  • Protocols vulnerable to sniffing
  • Internet basics
  • Packet sniffers
  • How sniffers work
  • Some techniques for implementing sniffing
  • Some popular packet sniffers
  • Exploits of packet sniffers
  • How to detect sniffing
  • Countermeasures
  • Conclusion

4
The Network Today
5
Introduction to Packet Sniffing
  [Diagram labels: Host A, Host B, Router A, Router B]
  • Sniffing is a data interception technology. The
    term sniffing is commonly used to describe
    protocol analysis, the process of viewing and
    analyzing the contents of packets on a network.
  • Tools used for this purpose are properly called
    protocol analyzers, but the term sniffer is also
    widely used for such tools.
  • Protocol analyzers or sniffers are network
    troubleshooting tools that provide a detailed
    view of network traffic.

6
(Continued...)
  • A network analyzer is just software running on a
    computer with a network card. It works by placing
    the network card in promiscuous mode, which
    enables the card to see all the traffic on the
    network, even traffic not destined to the
    network-analyzer host. The network analyzer
    performs the following functions:
  • Captures all network traffic.
  • Interprets or decodes what is found into a
    human-readable format.
  • Displays it all in chronological order.

7
Who Uses Packet Sniffers and Why?
  • System administrators
  • -- To monitor the flow of network
    traffic
  • --Troubleshoot communication problems
  • --Understand system problems and
    performance
  • --Intrusion detection
  • --Debug network protocol
    implementations
  • --Detection of erroneous packet flow
    through the network
  • --Gather and report network usage and
    statistics.

8
(Continued...)
  • Malicious individuals (intruders)
  • --Capture cleartext data
  • --Passively collect data on vulnerable protocols:
    FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
  • --Capture VoIP data
  • --Mapping the target network
  • --Traffic pattern discovery
  • --Actively break into the network (backdoor
    techniques)

9
Types of Sniffing
Sniffing
Passive Sniffing
Active Sniffing

  • Passive sniffing means sniffing through a hub. It
    is passive because it is difficult to detect. An
    attacker simply connects to the hub from his/her
    machine.
  • Active sniffing means sniffing through a
    switch. It is easy to detect. The attacker tries to
    poison the switch by sending bogus MAC addresses.

10
Protocols Vulnerable to Sniffing
  • Protocols that are susceptible to sniffers
    include:
  • Telnet: keystrokes, including usernames and
    passwords.
  • HTTP: data sent in clear text.
  • SMTP: passwords and data sent in clear text.
  • POP: passwords and data sent in clear text.
  • FTP: passwords and data sent in clear text.
  • IMAP
  • VoIP
  • SNMP, etc.

11
INTERNET Today
  • The Internet is based on the TCP/IP architecture.
    The model defines four (or five) layers:
  • Physical Layer
  • Data Link Layer (2): Ethernet, 802.11
  • Network Layer (3): IPv4 (IPv6)
  • Transport Layer (4): TCP, UDP
  • Application Layer (5): SMTP, HTTP, FTP

12
Packet Sniffers
  • A "Packet Sniffer" is a utility that sniffs
    without modifying the network's packets in any
    way. By comparison, a firewall sees all of a
    computer's packet traffic as well, but it has the
    ability to block and drop any packets that its
    programming dictates. Packet sniffers merely
    watch, display, and log this traffic.
  • How They Work
  • An Ethernet sniffer is software that works
    in concert with the network interface card (NIC)
    to blindly suck up all traffic within earshot
    of the listening system, rather than just the
    traffic addressed to the sniffing host.

13
How They Work(Continues...)
  • Normally, an Ethernet NIC will discard any
    traffic not specifically addressed to itself or
    the network broadcast address, so the card must
    be put in a special state called promiscuous mode
    to enable it to receive all packets floating by
    on the wire. Once the network hardware is in
    promiscuous mode, the sniffer software can
    capture and analyze any traffic that traverses
    the local Ethernet segment.
  • This limits the range of a sniffer somewhat
    because it will not be able to listen to traffic
    outside of the local network's collision domain
    (that is, beyond routers, switches, or other
    segmenting devices).
  • Obviously, a sniffer judiciously placed on a
    backbone, internetwork link, or other network
    aggregation point will be able to monitor a
    greater volume of traffic than one placed on an
    isolated Ethernet segment. This is the basic
    understanding of the function of a sniffer.

14
Some Techniques for Implementing Packet Sniffing
  • ARP Spoofing or ARP Poisoning
  • The process of falsifying the source Media Access
    Control (MAC) addresses of packets being sent on
    an Ethernet network is called ARP spoofing or ARP
    poisoning. ARP spoofing involves sending forged
    ARP replies to redirect network traffic to the
    attacking host. If the attacking host is only
    listening to traffic and not participating in it,
    legitimate hosts are usually unaware that the
    packets they are transmitting are being
    redirected to an attacker and are not reaching
    their intended destinations.
  • Tools used: Cain & Abel, Ettercap, etc.

15
(Continues...)
  • MAC Duplicating
  • A MAC duplicating attack is launched by
    sniffing the network for the MAC addresses of clients
    that are actively associated with a switch port. By
    listening to the traffic on the network, a
    malicious user can intercept and use a legitimate
    user's MAC address and then receive all the traffic
    destined for that legitimate user.

  • MAC Flooding
  • MAC flooding is an attack that tries to flood
    the internal memory of Ethernet switches using
    large numbers of spoofed Media Access Control
    (MAC) addresses. Switches have limited memory for
    mapping MAC addresses to the physical ports
    on the switch. MAC flooding uses this limitation and
    floods the switch with fake MAC addresses until
    the switch can't keep up. The switch then acts like a
    hub by broadcasting packets to all machines in
    the network. After that, sniffing is easily
    performed.
  • Tools used: Etherflood.

16
(Continues...)
  • IP Based Spoofing
  • This is the original way of packet sniffing. It
    works by putting the network card into
    promiscuous mode and sniffing all packets. This
    method only works in non-switched networks. All
    modern sniffers use this technique.
  • DNS Poisoning
  • DNS spoofing provides DNS servers with false
    information in order to impersonate DNS servers. The DNS
    server believes that it has got authentic
    information when, in reality, it does not.
  • Intranet DNS Poisoning (LAN)
  • Internet DNS Poisoning (Remote Network)
  • Proxy Server DNS Poisoning
  • DNS Cache Poisoning

17
Some Popular Packet sniffers
  • Linux/Unix-based sniffers use libpcap, which
    must be installed prior to installing any
    sniffer.
  • tcpdump, a command-line based packet sniffer.
  • tcpshow (tcpdump-based analysis).
  • Wireshark (packet sniffer GUI), formerly
    Ethereal.
  • ngrep, network grep (command-line tool to apply
    regular expressions to tcpdump output).
  • Dsniff is a password sniffer that handles
    FTP, Telnet, SMTP, HTTP, POP, etc.
  • Windows-based sniffers use WinPcap, which must
    be installed prior to installing any sniffer.
  • 1. Wireshark (packet sniffer GUI), formerly
    Ethereal
  • 2. Capsa Network Analyzer (packet sniffer) from
    Colasoft
  • 3. Cain & Abel from Oxid.it
  • 4. WinDump, a DOS command-line packet sniffer
  • 5. CommView

18
Wireshark
  • Wireshark (formerly Ethereal) is a UNIX- and
    Windows-based open source network monitoring
    tool. The stable release is 1.2.4. Wireshark is
    software that "understands" the structure of
    different networking protocols. Thus, it is able
    to display the encapsulation and the fields, along
    with their meanings, of packets
    specified by different networking protocols.
    Wireshark uses pcap to capture packets, so it can
    only capture packets on the networks
    supported by pcap.
  • Data can be captured "from the wire" from a live
    network connection or read from a file that
    records already-captured packets.
  • Live data can be read from a number of types of
    network, including Ethernet, IEEE 802.11, PPP,
    and loopback.
  • Captured network data can be browsed via a GUI,
    or via the terminal (command line) version of the
    utility, tshark.
  • Decodes over 750 protocols.
  • Compatible with many other sniffers.

19
  [Screenshot: Wireshark main window, showing the menu bar, the display filter specification, the listing of all packets, the details of the selected packet header, and the packet content in hex/ASCII]
20
  [Screenshot: selected TCP packet 43262, with the details of the selected packet and its raw data]
21
Filtering HTTP Packets Only
  [Screenshot: display filter showing only HTTP packets. The selected packet accesses http://en.wikipedia.org with source IP 10.10.39.155; the destination IP for this packet is 10.10.3.254]
22
Cain and Abel
  • Cain and Abel (sometimes called simply
    "Cain") is a Windows password recovery tool. It
    can recover many kinds of passwords using methods
    such as network packet sniffing, cracking various
    password hashes by using methods such as
    dictionary attacks, brute force and cryptanalysis
    attacks. Cryptanalysis attacks are done via
    rainbow tables which can be generated with the
    winrtgen.exe program provided with Cain and Abel.
  • TCP/UDP Traceroute with DNS Resolver
  • Dumping protected storage passwords: reveals
    locally stored passwords of Outlook, Outlook
    Express, Outlook Express Identities, Outlook
    2002, Internet Explorer and MSN Explorer.
  • APR (ARP Poison Routing): enables sniffing on
    switched networks.
  • Sniffer: captures passwords, hashes and
    authentication information while they are
    transmitted on the network.
  • IP to MAC Address resolver
  • Used for remote purposes such as Remote
    Console, Remote Route Table Manager, Remote TCP/UDP
    Table Viewer, etc.

23
  [Screenshot: Cain & Abel toolbar with the Start/Stop APR and Start/Stop Sniffer buttons, the traceroute of a web address, sniffer operations, and a list of network computers with MAC address and hostname]
24
  [Screenshot: sniffer tab listing all computers on the subnet; usernames, passwords and web addresses retrieved from captured traffic]

  [Screenshot: APR (ARP Poison Routing) tab]
25
  [Screenshot: ARP Poison Routing and Session Hijacking views]
26
  [Screenshot: LAN view, WAN view and APR poisoning status]
27
Exploits of Packet Sniffers
  • One disturbingly powerful aspect of packet
    sniffers is their ability to place the hosting
    machine's network adapter into "promiscuous
    mode." Network adapters running in promiscuous
    mode receive not only the data directed to the
    machine hosting the sniffing software, but
    also ALL of the traffic on the physically
    connected local network.
  • By placing a packet sniffer on a network in
    promiscuous mode, a malicious intruder can
    capture and analyze all of the network traffic.
    Within a given network, username and password
    information is generally transmitted in clear
    text which means that the information would be
    viewable by analyzing the packets being
    transmitted.

28
How to Detect Sniffing?
  • There are two basic approaches to detecting
    sniffers:
  • 1. host based
  • 2. network based
  • The most direct host-based approach is to
    determine whether the target system's network
    card is operating in promiscuous mode. On UNIX,
    several programs can accomplish this, including
    Check Promiscuous Mode (cpm).
  • Sniffers are also visible in the process list
    and tend to create large log files over time, so
    simple UNIX scripts using ps and grep can illuminate
    suspicious sniffer-like activity. But these
    techniques are not always effective.
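The host-based check described above, as an added example that is not from the presentation: on Linux it reads each interface's kernel flags from sysfs and tests the IFF_PROMISC bit (the same flag tools such as cpm query through an ioctl). The constructed sysfs-like tree and its interface names and flag values are made up so the check can be exercised without root or a real sniffer.

```python
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # net/if.h flag bit the kernel sets while the card accepts all frames

def is_promiscuous(flags_text: str) -> bool:
    """Interpret the hex contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return the names of interfaces whose kernel flags include IFF_PROMISC."""
    found = []
    for entry in sorted(Path(sysfs_net).iterdir()):
        flags = entry / "flags"
        if flags.is_file() and is_promiscuous(flags.read_text()):
            found.append(entry.name)
    return found

def constructed_sysfs():
    """Build a made-up sysfs-like tree in a temp dir so the check runs offline:
    lo (0x9), eth0 up and normal (0x1003), eth1 up with IFF_PROMISC set (0x1103)."""
    root = Path(tempfile.mkdtemp())
    for name, flags in {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}.items():
        (root / name).mkdir()
        (root / name / "flags").write_text(flags + "\n")
    return root

if __name__ == "__main__":
    print("promiscuous on this host:", promiscuous_interfaces())
    print("promiscuous in constructed tree:", promiscuous_interfaces(constructed_sysfs()))
```

A capture tool that has not enabled promiscuous mode (it may only be capturing the host's own traffic) will not show up here, which is why the slide calls these techniques not always effective.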

29
(Continued...)
  • Check whether the MAC address of some
    machine (such as a router) has changed.
  • Network-based sniffer detection has been
    hypothesized for a long time. One of the first
    proofs of concept, Anti-Sniff, was created by
    L0pht.
  • Run network tools like HP OpenView or IBM Tivoli
    to monitor the network for strange packets.
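An added example, not part of the presentation, of the first check on this slide (has the router's MAC address changed?): it decodes ARP frames from raw bytes, pins the gateway to its known MAC and reports any conflicting claim, and also flags any other IP whose MAC differs from the one last learned. The frames and the MAC addresses are constructed; the IPs are the ones shown in the earlier Wireshark screenshot.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806  # EtherType for ARP

def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame; return (opcode, sender_mac, sender_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # IPv4 over Ethernet only
        return None
    # Requests and replies both carry the sender's MAC/IP binding, so learn from either.
    return oper, frame[22:28].hex(":"), str(IPv4Address(frame[28:32]))

def arp_watch(frames, pinned):
    """Learn IP->MAC bindings from ARP frames; return alerts for bindings that change.

    pinned maps IPs (e.g. the router) to the MAC they must always answer with."""
    seen = {}      # ip -> MAC most recently learned from traffic
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip in pinned and mac != pinned[ip]:
            alerts.append(f"{ip} claimed by {mac}, pinned to {pinned[ip]}")
        elif ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} moved from {seen[ip]} to {mac}")
        seen[ip] = mac
    return alerts

# Constructed sample frames (hex). The MACs are made-up locally administered
# addresses; the IPs are the ones visible in the presentation's Wireshark capture.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # who-has 10.10.3.254? tell 10.10.39.155 (host 02:..:55 asks for the router)
    "ffffffffffff020000000055" "0806" "0001080006040001" "020000000055" "0a0a279b" "000000000000" "0a0a03fe",
    # 10.10.3.254 is-at 02:00:00:00:00:01 (the genuine router reply)
    "020000000055020000000001" "0806" "0001080006040002" "020000000001" "0a0a03fe" "020000000055" "0a0a279b",
    # 10.10.3.254 is-at 02:00:00:00:00:aa (conflicting reply: the poisoning attempt)
    "0200000000550200000000aa" "0806" "0001080006040002" "0200000000aa" "0a0a03fe" "020000000055" "0a0a279b",
    # an IPv4 frame (EtherType 0x0800); not ARP, so parse_arp ignores it
    "020000000055020000000001" "0800" + "00" * 28,
)]

if __name__ == "__main__":
    for alert in arp_watch(SAMPLE_FRAMES, {"10.10.3.254": "02:00:00:00:00:01"}):
        print("ALERT:", alert)
```

On a live network the same function can be fed frames read from a pcap capture of ARP traffic; the pinned table is what lets a poisoning attempt against the gateway be reported even when it is the first binding seen.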

30
Countermeasures
  [Diagram labels: Host A, Host B, Router A, Router B]
  • The following techniques and tools can be
    used to mitigate sniffers:
  • Authentication: Using strong authentication, such
    as one-time passwords, is a first option for
    defense against packet sniffers.
  • Switched infrastructure: Migrating to switched
    network topologies. Shared Ethernet is extremely
    vulnerable to sniffing.
  • Antisniffer tools: Use these tools to employ
    software and hardware designed to detect the use
    of sniffers on a network.
  • Cryptography: The best way to defeat sniffing
    is to encrypt network traffic using Internet
    Protocol Security (IPSec) or some other
    mechanism. This won't stop attackers from
    sniffing your network, but it will make it harder
    for them to gain anything useful from their
    efforts.

31
Conclusion
  • It's a cruel irony in information security that
    many of the features that make using computers
    easier or more efficient, and the tools used to
    protect and secure the network, can also be used
    to exploit and compromise the same computers and
    networks. This is the case with packet sniffing.
  • Detecting rogue packet sniffers on your network
    is not an easy task. By its very nature the
    packet sniffer is passive. It simply captures the
    packets that are traveling to the network
    interface it is monitoring. That means there is
    generally no signature or erroneous traffic to
    look for that would identify a machine running a
    packet sniffer. There are ways to identify
    network interfaces on your network that are
    running in promiscuous mode though and this might
    be used as a means for locating rogue packet
    sniffers.

32
References
  • http://en.wikipedia.org
  • http://www.cet.nau.edu/mc8/Socket/Tutorials/section1.html
  • http://www.tcpdump.org/pcap.htm
  • http://mixter.void.ru/rawip.html
  • http://www.coders.eu.org/manualy/win/wskfaq/examples/rawping.html
  • http://www.wireshark.org
  • http://www.oxid.it

33
  • THANK YOU