1 Eastern Michigan University Asad Khailany , Eastern Michigan University Dmitri Bagatelia , Eastern Michigan University Wafa Khorsheed , Eastern Michigan University

Post on 18-Dec-2015


2

Do You Want to Become a Hacker?

Now you can get an MS degree specializing in hacking techniques from a university in Paris, France.

Do not miss this golden opportunity! Soon you will see your institution also offers a degree in hacking techniques.

3

ABSTRACT

Computers on a network normally listen only to communications destined for them.

However, when they enter promiscuous mode they can listen to all communications, whether or not those communications are destined for them.

Computers are put into promiscuous mode by installing a software package known as a packet sniffer.

4

Sniffers are the best tools hackers have for attacking computers.

Network administrators use sniffers for network troubleshooting and security analysis. Many sniffing and anti-sniffing packages are available on the Internet for download.

This paper discusses sniffing and anti-sniffing, their advantages and disadvantages, and presents some recommendations to make network systems and their data more secure.

5

INTRODUCTION

For a computer to be able to listen to all communications on the network, it must be in a multi-partner mode. Such a mode is known as promiscuous mode.

Through packet sniffers, computers can be switched into promiscuous mode.

Attackers love packet sniffers.

Sniffers are valuable tools needed by network administrators to do network troubleshooting, to perform network security analysis and to measure the performance of the network system.

6

INTRODUCTION - 2

Sniffers are used by law enforcement agencies to monitor network systems.

Anti-sniffing packages are available to determine whether or not a suspected remote computer is listening in to all communications on the network.

Several methods utilized by anti-sniffing packages to identify suspected computers on the network are discussed in this paper.

7

What are sniffing packages used for?

Sniffing packages are used for network traffic analysis, to:

1. Identify the type of network application used.

2. Identify the hosts using the network.

3. Identify the bottlenecks.

4. Capture data for troubleshooting of network applications.

5. Create network traffic logs.

8

More usages of sniffing packages

Gathering private data such as passwords, credit card information, email messages, etc.

Establishing a connection with senders while using the authentication provided by the receiver.

Modifying and resending data to recipients.

9

SNIFFERS AND NETWORK ARCHITECTURES

Sniffing is possible because most network architectures use a shared medium and protocols that presume only the intended computer receives and reads the message.

10

Case: Ethernet architecture

Computer A sends a message to Computer C. Since all computers share the same line, Computers B and D can listen to the message if they are in promiscuous (multi-partner) mode. In this case the message was not changed, but privacy was compromised, since the data was copied rather than modified.

[Figure: Computer A, Computer B, Computer C and Computer D attached to one shared Ethernet line, with a message travelling along it.]

11

Case: Routed network

A routed protocol means that a sent message might be handled by several hosts.

Any of those hosts can copy the message, or change the message and forward it to other hosts. The final recipient of the message will never know that the message was modified. Thus the security risk taken in a routed protocol is much greater than in the Ethernet architecture.

12

DIFFERENT METHODS FOR DETECTING ACTIVE SNIFFERS

Theoretically it is impossible to detect active sniffers if they only listen without sending anything, i.e. if they are in passive mode. Practically, there are some methods that can be used to identify suspected computers that are trying to listen to messages not intended for them.

Some popular methods to identify suspected computers are:

13

1. PING METHOD.

A computer is uniquely identified on the network by the serial number of its network interface card. This hardware address is called the MAC (Media Access Control) address.

A sniffer always turns off the MAC filter on its host device, so that it can receive all messages, whether or not they are intended for that device.

14

1. PING METHOD.

How to identify suspected computers?

Send a message to the suspected device using a wrong MAC address and the correct IP address. The device should not respond if it has the MAC address filter on, but if it runs in promiscuous mode it will respond to the message. Thus a computer which is listening is identified.

New problems to be solved:

Newer sniffer devices/programs have built-in filters which prevent such responses.

15

2. ARP: Address Resolution Protocol METHOD.

ARP is a TCP/IP protocol that maps an IP address to a physical address.

The ARP method uses ARP packets.

On a network, when a computer sends an ARP request to the broadcast address, all computers that see the request send an ARP answer with their IP-to-MAC address mapping.

How are suspected computers identified?

If such a request is sent to a regular, non-broadcast address, there should not be any reply; if a reply is received, that computer is a suspected sniffer device.
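The following is an added example, constructed for this page and not code from the original slides: a small model of an Ethernet segment that replays the ping method (slides 13-14) and the ARP method (slide 15) against three hosts. The host names, MAC and IP addresses are made up. Host A runs a normal NIC filter, host B is a plain promiscuous sniffer, and host C models the "newer" sniffer of slide 14 that captures everything but re-applies a software MAC filter before answering, which is why neither probe flags it.

```python
"""Simulation of the ping and ARP anti-sniffer probes (slides 13-15).

Constructed example, not code from the original slides. The model follows
the slides: a host in normal mode accepts only frames addressed to its own
MAC (or the broadcast MAC); a host in promiscuous mode accepts every frame;
a "newer" sniffer re-applies a software MAC filter so its IP stack stays quiet.
"""
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "02:00:00:00:00:01"  # constructed: belongs to no host on the segment


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    kind: str        # "icmp_echo" or "arp_request"
    target_ip: str   # IP header destination, or the IP an ARP request asks about


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False
    software_mac_filter: bool = False  # the "built-in filter" of newer sniffers

    def nic_accepts(self, frame: Frame) -> bool:
        """Hardware filter: own MAC or broadcast, or anything when promiscuous."""
        if frame.dst_mac in (self.mac, BROADCAST_MAC):
            return True
        return self.promiscuous

    def answers(self, frame: Frame) -> bool:
        """Would the host's IP stack send a reply to this frame?"""
        if not self.nic_accepts(frame):
            return False
        if self.software_mac_filter and frame.dst_mac not in (self.mac, BROADCAST_MAC):
            return False  # captured for sniffing, but deliberately not answered
        # ICMP echo: reply if the IP header is ours. ARP: reply if it asks for our IP.
        return frame.target_ip == self.ip


def ping_probe(host: Host, prober_mac: str) -> bool:
    """Slide 14: ICMP echo with the correct IP but a wrong destination MAC."""
    return host.answers(Frame(BOGUS_MAC, prober_mac, "icmp_echo", host.ip))


def arp_probe(host: Host, prober_mac: str) -> bool:
    """Slide 15: ARP request sent to a unicast (non-broadcast) MAC."""
    return host.answers(Frame(BOGUS_MAC, prober_mac, "arp_request", host.ip))


def probe_segment(hosts, prober_mac="02:00:00:00:00:aa"):
    """Return {host name: [methods that flagged it]} for every host on the segment."""
    flagged = {}
    for h in hosts:
        hits = []
        if ping_probe(h, prober_mac):
            hits.append("ping")
        if arp_probe(h, prober_mac):
            hits.append("arp")
        flagged[h.name] = hits
    return flagged


SEGMENT = [  # constructed test segment
    Host("A", "02:00:00:00:00:0a", "192.0.2.10"),
    Host("B", "02:00:00:00:00:0b", "192.0.2.11", promiscuous=True),
    Host("C", "02:00:00:00:00:0c", "192.0.2.12", promiscuous=True, software_mac_filter=True),
]

if __name__ == "__main__":
    for name, hits in probe_segment(SEGMENT).items():
        print(name, "flagged by", hits if hits else "no probe")
```

Running it flags only B: A never sees the probe frames, and C sees them but refuses to answer, which is the "new problem" of slide 14 in miniature.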

16

3. DNS METHOD.

The DNS method works on the assumption that many attackers use IP addresses to find DNS names.

Most sniffer programs have a feature to do a reverse DNS lookup using an IP address to get the hostname.

How are suspected computers identified?

An anti-sniffing package places itself in promiscuous mode and sends a message to a fictitious host, such as charge BankC.com. The addresses of all computers that issue a reverse-lookup request referencing the fictitious host are flagged as suspected computers.
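The second half of the DNS method is watching who resolves the decoy address. The following added example (constructed for this page, not part of the original slides) does that over a resolver query log: it builds the reverse-lookup name for each decoy IP and flags every client that asked for its PTR record. The decoy addresses are taken from the documentation range 192.0.2.0/24, the client addresses are made up, and the log lines are constructed in a simple "client <ip>#<port>: query: <name> IN <type>" form rather than the output of any particular DNS server. It goes slightly beyond the slide in accepting several decoy addresses at once.

```python
"""DNS-method detector (slide 16): flag clients that reverse-resolve a decoy IP.

Constructed example, not code from the original slides. Only a host that saw
traffic to the decoy address has a reason to look up its name, so a PTR
query for it from any client is a sign that client is sniffing.
"""
import ipaddress
import re

# Constructed query log, loosely modelled on a resolver's query log; not real data.
QUERY_LOG = [
    "client 10.0.0.8#41022: query: mail.example.net IN A",
    "client 10.0.0.9#52110: query: 1.0.0.10.in-addr.arpa IN PTR",
    "client 10.0.0.5#53412: query: 77.2.0.192.in-addr.arpa IN PTR",
    "client 10.0.0.5#53413: query: www.example.net IN A",
    "client 10.0.0.12#40001: query: 78.2.0.192.in-addr.arpa IN PTR",
]

LOG_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def ptr_name(ip: str) -> str:
    """Reverse-lookup name of an IPv4 address: 192.0.2.77 -> 77.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def flag_reverse_lookups(log_lines, decoy_ips):
    """Return the set of client IPs that asked for the PTR record of any decoy IP."""
    wanted = {ptr_name(ip).lower() for ip in decoy_ips}
    suspects = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["qtype"].upper() != "PTR":
            continue  # not a reverse lookup
        if m["name"].rstrip(".").lower() in wanted:
            suspects.add(m["client"])
    return suspects


if __name__ == "__main__":
    print("suspected sniffers:", sorted(flag_reverse_lookups(QUERY_LOG, ["192.0.2.77"])))
```

As the slides note for every method, this only catches a sniffer that resolves names, and only if it uses a resolver whose log you can see.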

17

4. SOURCE-ROUTE METHOD

The IP header has a loose source routing option. Routers ignore the destination IP address and instead forward the message to the next IP in the source-route option.

How to identify suspected computers? Turn off packet routing on a specific computer, and the packet should be dropped at that computer. A computer that sniffs messages responds to a message that was dropped at that computer.

For instance, you send a message from computer A to computer B, but you route it through computer C first. If you turn off packet routing on computer C, then the packet should be dropped. Thus, if computer B responds to such a message, which was dropped at C, it means computer B sniffed the message.

18

5. DECOY METHOD.

This method sets up a “victim” computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions, and tries to find any hacker who attempts to use that dummy account to log in to the remote server.

How to identify suspected computers?

Set up a “victim” computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions.

Any hacker who gets such login information tries to log in to the remote server.

Any login attempt not originating from the “victim” computer indicates that someone was sniffing on your network and stole that account information.
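The detection side of the decoy method is a log check on the remote server. The following added example (constructed for this page, not part of the original slides) scans the server's authentication log for any use of the dummy account from a source other than the “victim” computer. The account name, host addresses and log lines are all made up; the lines imitate a generic “Accepted/Failed password for <user> from <ip>” login log and are not captured output of any real server.

```python
"""Decoy-account detector (slide 18).

Constructed example, not code from the original slides. The "victim" host is
the only legitimate user of the dummy account; any attempt with that account
from another source means its credentials were picked up off the wire.
"""
import re
from typing import List, Tuple

DECOY_ACCOUNT = "svc-decoy"    # constructed dummy account with no real permissions
VICTIM_HOST_IP = "10.0.0.20"   # constructed: the only host that should ever use it

# Constructed authentication log of the remote server (not real data).
AUTH_LOG = [
    "Jan 12 09:00:01 server login[2101]: Accepted password for svc-decoy from 10.0.0.20 port 50122",
    "Jan 12 09:05:01 server login[2140]: Accepted password for svc-decoy from 10.0.0.20 port 50123",
    "Jan 12 09:07:44 server login[2188]: Failed password for svc-decoy from 10.0.0.33 port 4022",
    "Jan 12 09:07:49 server login[2188]: Accepted password for svc-decoy from 10.0.0.33 port 4022",
    "Jan 12 09:10:01 server login[2201]: Accepted password for alice from 10.0.0.41 port 51000",
]

LOGIN_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def decoy_alerts(log_lines, account=DECOY_ACCOUNT, victim_ip=VICTIM_HOST_IP) -> List[Tuple[str, str]]:
    """Return (source IP, result) for every use of the decoy account not from the victim host.

    Failed attempts count as well: a stale or mistyped password still proves
    that the account name was seen by someone who should not have it.
    """
    alerts = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m or m["user"] != account:
            continue  # not the decoy account
        if m["src"] != victim_ip:
            alerts.append((m["src"], m["result"]))
    return alerts


if __name__ == "__main__":
    for src, result in decoy_alerts(AUTH_LOG):
        print(f"decoy account used from {src}: {result}")
```

Because the dummy account has no permissions, a successful login tells the attacker nothing useful, while the log entry tells the administrator which host to investigate.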

19

6. OTHER METHODS.

There are many more methods that can be used to detect sniffing activities.

None works 100% of the time, because hackers already know them and try to work around those detection methods.

One of the best software packages that uses all the above methods to find sniffing activities is:

AntiSniff package (http://www.securitysoftwaretech.com/antisniff/)

20

Protocols targeted for sniffing by hackers

Protocols that transmit data in plain text make it easy for hackers to get what they want. Some of the protocols targeted for sniffing are:

1. telnet

2. rlogin (user sessions and passwords)

3. HTTP (passwords, web-based email)

4. Simple Network Management Protocol (passwords)

5. Network News Transfer Protocol (passwords)

6. Post Office Protocol (passwords, emails)

7. File Transfer Protocol (passwords)

8. Internet Message Access Protocol (passwords, emails)
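An administrator who captures traffic on their own network (one of the legitimate uses the slides describe) can use that capture to find the plaintext services above before an attacker does. The following added example (constructed for this page, not part of the original slides) classifies a TCP segment by the well-known port of each protocol on the list and, for FTP, POP3, IMAP and HTTP Basic authentication, reports whether the segment carries a login in the clear. It reports only the protocol and account name, never the password, since its purpose is to produce a migration list toward encrypted alternatives such as SSH. The sample segments are constructed, and the port table is an assumption that each service runs on its default port.

```python
"""Cleartext-credential audit for the protocols listed on slide 20.

Constructed example, not code from the original slides. Input is the TCP
destination port and the start of a captured payload from the administrator's
own network; output names the protocol and the account, never the secret.
"""
import base64
import re
from typing import Dict, Optional

PLAINTEXT_PORTS = {  # default ports of the protocols on the slide (assumption)
    21: "FTP", 23: "telnet", 80: "HTTP", 110: "POP3",
    119: "NNTP", 143: "IMAP", 161: "SNMP", 513: "rlogin",
}

USER_PASS_RE = re.compile(r"^(USER|PASS) (.*)$", re.MULTILINE | re.IGNORECASE)
IMAP_LOGIN_RE = re.compile(r"^\S+ LOGIN (\S+) \S+", re.MULTILINE | re.IGNORECASE)
HTTP_BASIC_RE = re.compile(r"^Authorization: Basic (\S+)", re.MULTILINE | re.IGNORECASE)


def audit_payload(dst_port: int, payload: bytes) -> Optional[Dict[str, object]]:
    """Return {"protocol", "username", "password_exposed"} for a plaintext port, else None.

    username is None and password_exposed is False when the protocol is
    plaintext but this segment shows no parsable login (e.g. telnet keystrokes).
    """
    proto = PLAINTEXT_PORTS.get(dst_port)
    if proto is None:
        return None
    text = payload.decode("latin-1")  # byte-preserving decode; no exceptions
    user, exposed = None, False
    if proto in ("FTP", "POP3"):
        for cmd, arg in USER_PASS_RE.findall(text):
            if cmd.upper() == "USER":
                user = arg.strip()
            else:
                exposed = True  # PASS seen in the clear; value deliberately not kept
    elif proto == "IMAP":
        m = IMAP_LOGIN_RE.search(text)
        if m:
            user, exposed = m.group(1), True
    elif proto == "HTTP":
        m = HTTP_BASIC_RE.search(text)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
                user, exposed = decoded.split(":", 1)[0], True
            except (ValueError, UnicodeDecodeError):
                pass  # malformed header: still a plaintext protocol, no credential parsed
    return {"protocol": proto, "username": user, "password_exposed": exposed}


# Constructed sample segments (not captured traffic).
SAMPLES = {
    "ftp": (21, b"USER alice\r\nPASS example-only\r\n"),
    "pop3": (110, b"USER carol\r\nPASS example-only\r\n"),
    "imap": (143, b"a001 LOGIN dave example-only\r\n"),
    "http": (80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic "
                 + base64.b64encode(b"bob:example-only") + b"\r\n\r\n"),
    "telnet": (23, b"\xff\xfd\x18login: "),
    "ssh": (22, b"SSH-2.0-OpenSSH\r\n"),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(name, "->", audit_payload(port, data))
```

Run over a whole capture, the non-None results are the list of services to move to SSH or another encrypted protocol; the SSH sample returns None because nothing readable crosses the wire.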

21

METHODS TO ENFORCE NETWORK SECURITY

Switched network

Use of a switched network eliminates the use of a shared wire.

A switch knows the location of every device on the network, and sends data directly to the intended recipient without transmitting the message all over the network.

The diagram on the next slide compares two networks of computers, one interconnected by a hub and the other interconnected by a switch.

22

Switch And Hub Networks

Hubs send communications to all connected computers. A switch, on the other hand, remembers which computer is connected to which port on the switch, so it forwards a message only to one computer.

[Figure: Computers A, B and C connected to a hub (left) and to a switch (right). Through the hub, the message to Computer C appears on all three links; through the switch, it appears only on the link into the switch and on the link to Computer C.]
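The following added example (constructed for this page, not code from the original slides) replays the figure's scenario in a small model: a hub repeats every frame to every other port, while a switch forwards a frame only to the port where it has learned the destination MAC lives. It goes one step beyond the slide by showing the learning itself: a switch that has not yet seen the destination send anything has to flood the frame exactly like a hub, so a promiscuous host B still sees the very first message from A to C. Host names and MAC addresses are made up.

```python
"""Hub versus learning switch (slides 21-22).

Constructed example, not code from the original slides. The switch learns
"MAC X is behind port N" from the source address of each frame it forwards
and floods frames whose destination it has not learned yet.
"""
from dataclasses import dataclass
from typing import Dict, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """Shared medium: every frame reaches every port except the one it came in on."""

    def __init__(self, ports: Dict[int, str]):
        self.ports = ports  # port number -> MAC of the attached host

    def forward(self, in_port: int, frame: Frame) -> Set[str]:
        return {mac for port, mac in self.ports.items() if port != in_port}


class Switch:
    """Learning switch: forwards to the learned port, floods when the destination is unknown."""

    def __init__(self, ports: Dict[int, str]):
        self.ports = ports
        self.mac_table: Dict[str, int] = {}  # learned MAC -> port

    def forward(self, in_port: int, frame: Frame) -> Set[str]:
        self.mac_table[frame.src_mac] = in_port  # learn where the sender is
        out_port = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST_MAC or out_port is None or out_port == in_port:
            # broadcast or not-yet-learned destination: behave like a hub
            return {mac for port, mac in self.ports.items() if port != in_port}
        return {self.ports[out_port]}


# Constructed topology: three hosts on ports 1, 2 and 3.
HOSTS = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b", "C": "02:00:00:00:00:0c"}
PORTS = {1: HOSTS["A"], 2: HOSTS["B"], 3: HOSTS["C"]}


def who_hears(device, in_port: int, frame: Frame) -> Set[str]:
    """Names of the hosts whose NIC receives the frame from this device."""
    by_mac = {mac: name for name, mac in HOSTS.items()}
    return {by_mac[m] for m in device.forward(in_port, frame)}


def demo() -> Dict[str, Set[str]]:
    """Replay the slide's scenario (A sends to C) through a hub and a fresh switch."""
    a_to_c = Frame(HOSTS["A"], HOSTS["C"], "message to Computer C")
    c_to_a = Frame(HOSTS["C"], HOSTS["A"], "reply to Computer A")
    hub, sw = Hub(PORTS), Switch(PORTS)
    return {
        "hub": who_hears(hub, 1, a_to_c),            # B hears it too
        "switch_first": who_hears(sw, 1, a_to_c),    # C not learned yet: flooded
        "switch_reply": who_hears(sw, 3, c_to_a),    # A already learned: A only
        "switch_second": who_hears(sw, 1, a_to_c),   # C learned now: C only
    }


if __name__ == "__main__":
    for step, receivers in demo().items():
        print(f"{step:14s} -> {sorted(receivers)}")
```

The hub result is the left half of the figure and the last switch result is the right half; the two middle results are why a switch reduces, rather than removes, what a promiscuous host can see.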

23

Data encryption Method:

This is one of the oldest security routines used to enforce security.

Many software algorithms and software packages are available to encrypt data.

You can encrypt your messages before sending them; e.g. PGP (Pretty Good Privacy) is used to encrypt email messages.

You can choose a secure protocol with built-in encryption, e.g. SSH (Secure Shell) instead of telnet or rlogin.

24

Some disadvantages of encrypting over plain text messages

Encryption increases the message size as well as the response time, since the message has to be not only encrypted on one end but also decrypted by the recipient on the other end.

It might not be a reasonable solution for some setups that require very fast response times.

25

Some important usages of sniffing methods:

Sniffing methods can be used for:

Network management. Traffic analysis can identify who is using which network resource, and in what way. For instance, you can identify the users who use most of your bandwidth, and then find out whether they use it for a legitimate purpose or not.

Because most network applications use fixed port numbers, you can filter traffic and identify the software that is being used.

Maximizing network performance.

26

More usages of sniffing methods:

Not all packet capturing is intended to compromise security. For instance, while programming a network application, programmers might want to see the network traffic that the local computer generates, so that troubleshooting of the application can go much faster.

It is also possible to use a sniffer to create a log of all network traffic, which can serve as evidence in case security is compromised on some other system on the network. Those logs can be used to track down the intruders and to support legal action to bring those hackers to justice.

27

CONCLUSION

The security threat that sniffers pose can be minimized using a combination of switched networks and encryption.

Sniffers can sometimes be detected using sniffer-detection software.

Network professionals have used sniffers for a long time to manage networks, identify problems and monitor the usage of network resources.

Hackers utilize sniffing packages to attack networked computers and steal information.

It may be impossible to make sure that no one uses sniffing packages against you, but it is important to make sure that unauthorized people cannot get useful information.

28

REFERENCES

1. Web Server Security & Maintenance by Eric Larson & Bruan

2. http://lin.fsid.cvut.cz/~kra/index.html

3. http://www.eeye.com/

4. http://neworder.box.sk/

5. http://www.securitysoftwaretech.com/

6. http://www.winsniffer.com/

7. http://www.snifferpro.co.uk/

8. http://stein.cshl.org/~lstein/talks/WWW6/sniffer/

9. http://www.atstake.com/

10. http://www.swrtec.de/clinux/