Packet Sniffing & ARP Poisoning
DESCRIPTION
This slideshow shows the threat ARP poisoning poses by allowing packet sniffing attacks, using Wireshark on a college network, and provides possible mitigation actions for the vulnerability.
TRANSCRIPT

Packet sniffing is a term used to describe the capturing of packets that are transmitted over a network.

Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

The SICSR network is susceptible to ARP spoofing, a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a LAN.
Generally, the aim is to associate the attacker's MAC address with the IP of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
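
How the poisoned mapping described above shows up on a host, as an added example that is not part of the original slides: it compares two neighbour-table snapshots and reports a changed gateway mapping and a MAC that answers for several IPs. The snapshots are constructed sample data in `ip neigh show` format, and the function names are hypothetical.

```python
import re

# Constructed `ip neigh show` snapshots (documentation-range IPs and MACs).
BEFORE = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 STALE
192.0.2.77 dev eth0  FAILED
"""
AFTER = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 STALE
192.0.2.77 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Map IP -> MAC, skipping entries with no resolved MAC (FAILED/INCOMPLETE)."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_poisoning(baseline, current, gateway):
    """Return (kind, detail) findings: changed mappings, then shared MACs."""
    findings = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old and old != mac:
            kind = "gateway" if ip == gateway else "host"
            findings.append((kind, f"{ip} changed from {old} to {mac}"))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("duplicate", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings

if __name__ == "__main__":
    for finding in find_poisoning(parse_neigh(BEFORE), parse_neigh(AFTER), "192.0.2.1"):
        print(finding)
```

A MAC that answers for several IPs is not always hostile (a router with several addresses, proxy ARP), so duplicates are leads to check against the baseline rather than verdicts.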

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.

The captured packets can be filtered according to protocol, IP, method and various other parameters.

Wireshark was the tool used to analyze the network and identify that ARP poisoning is possible on the network.
The sniffer would not give any result if the poisoning failed.

Audit Plan
Auditor Name: Viren Rao
Date of Auditing: 24/8/2014
Columns: Scope | Plan | Audit selection area | Selection criteria for auditors | Training plan for auditors | Audit goal | Audit status | Reporting | Audit archival location
Entries:
To evaluate whether ARP poisoning is possible
Check for new needs for improvement, Start Date: 24/8/2014, Closure Date: 7/9/2014.
Last audit results: ARP poisoning is still possible, hence enabling packet sniffing
Selection of auditors: risk analyst, project manager and system admin
The system admins will need to be trained to take appropriate actions
Is packet sniffing possible?
Level of risk is HIGH
SICSR network

FMEA is a disciplined procedure that allows failures to be anticipated and their occurrence prevented in implementation/development.
FMEA process in packet sniffing:
Select the design for FMEA team.
Identify critical areas.
Analyse network.
Identify associated failure modes and effects.
Are the analysis tools giving any output?
Just avoid that risk.
Assign severity, occurrence and detection rating to each cause.
Severity: High
Occurrence: 1/10
Calculate Risk Priority Number (RPN) for each cause.
RPN: 8/10
Determine recommended action to reduce all RPNs.
Take appropriate actions.
Recalculate all RPNs with actual results.

Risk Mitigation Plan
Title: Packet sniffing
Analyst: Viren Rao
Date: 10/8/2014
Columns: Risk ID | Date identified | Risk | Source | Category | Severity | Probability index | Impact in $ | Exposure to risk identified | Response | Mitigation plan | Contingency plan | Threshold trigger for contingency plan | Ownership | Risk status | Progress
Entry: 1 | 10-08-2014 | Packet sniffing | SICSR | Technical Risk | High | least likely | No $ harm less | Accepted | Risk Avoidance | Configure and purchase appropriate firewalls | SICSR | Yet to be mitigated | Packet sniffing is still possible

Security is something that most organizations try to work on. However, it is observed that most organizations seldom look into an untouched area, Layer 2 of the OSI model, which can open the network to a variety of attacks and compromises.

Currently this vulnerability has not been exploited. If this vulnerability is exploited, it could be a major security breach, as all packets moving around a single subnet on the network can be intercepted.

To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis for each proposed control to determine which controls are required and appropriate for their circumstances.
Benefits could be:
Tangible: Quantitative
Intangible: Qualitative

Cost factor | New in Rs. | Enhancements in Rs.
Hardware | 90,000 | 30,000
Software | -- | --
Policies and procedures | 50,000 | 20,000
Efforts | 100000 | 50000
Training | 50000 | 10000
Maintenance | 50000

Man-in-the-middle (MITM) attacks, which are done using ARP poisoning, can be prevented in numerous ways.
However, not all methods are suitable in all scenarios.

To prevent ARP spoofing you need to add a static ARP entry on the LAN.
This method becomes troublesome if your router changes frequently, so if you use this prevention method you need to delete the old entry and add the new one whenever it changes.

Configuration of existing switches to use private VLANs, where one port can only speak with the gateway.
Even devices on the same subnet must go through the gateway to talk to each other.

According to a white paper, Cisco Catalyst 6500 Series Switches have a mechanism to prevent such attacks. They provide a feature called Dynamic ARP Inspection (DAI), which helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
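
A simplified model of the inspection step described above, as an added example that is not Cisco's code or part of the original slides: each ARP frame is parsed and its sender IP/MAC pair is checked against a trusted binding table before anything is forwarded. The binding table, sample frames and function names are assumptions made for the illustration.

```python
import ipaddress
import struct

# Constructed sample data: documentation-range IPs and MACs.
GW, H10, H66 = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:66"
# Assumed trusted IP -> MAC bindings (on a real switch, e.g. learned by DHCP snooping).
BINDINGS = {"192.0.2.1": GW, "192.0.2.10": H10, "192.0.2.66": H66}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build an Ethernet + ARP frame as bytes, used only as test input here."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    eth = mac("ff:ff:ff:ff:ff:ff" if op == 1 else tha) + mac(eth_src or sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def inspect(frame, bindings=BINDINGS):
    """Return (verdict, reason) for one frame before it may update any ARP cache."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ("drop", "not a complete ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return ("drop", "malformed ARP header")
    eth_src, sha = mac_str(frame[6:12]), mac_str(frame[22:28])
    spa = str(ipaddress.IPv4Address(frame[28:32]))
    if eth_src != sha:
        return ("drop", "Ethernet source differs from ARP sender MAC")
    if spa not in bindings:
        return ("drop", f"no binding for {spa}")
    if bindings[spa] != sha:
        return ("drop", f"{spa} is bound to {bindings[spa]}, not {sha}")
    return ("forward", "sender IP/MAC matches binding")

SAMPLES = {  # constructed frames
    "gateway reply": build_arp(2, GW, "192.0.2.1", H10, "192.0.2.10"),
    "forged gateway reply": build_arp(2, H66, "192.0.2.1", H10, "192.0.2.10"),
    "mismatched Ethernet source": build_arp(2, GW, "192.0.2.1", H10, "192.0.2.10", eth_src=H66),
    "truncated request": build_arp(1, H10, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")[:30],
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {inspect(frame)}")
```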

The first method is strictly not suitable for the SICSR network, as it is a temporary solution for small networks.
Considering the fact that we have web servers running on our network, the second method will significantly hamper the performance of the network, and therefore is not suitable for the network infrastructure.
The third method is the best solution for this vulnerability and should be implemented on a priority basis.

• Purpose: To assess the risk involved in packet sniffing.
• Scope of this risk assessment: Components are SICSR network.

Briefly describe the approach used to conduct the risk assessment, such as:
Risk Assessment Team Members
Check whether ARP poisoning is possible

Server, Network, Interface.
The mission is to avoid sniffing.

Packets on the network can be intercepted.

List the observations:
Identification of existing mitigating security controls: Implementing use of tools to detect poisoning.
Likelihood and evaluation: low likelihood
Impact analysis and evaluation: High impact
Risk rating based on the risk-level matrix: Medium

Packet sniffing is a technical risk and the risk level is high. We can use features in new switches or configure existing switches to mitigate the risk.