Packet Sniffing in Switched LANs

Upload: ishraq-fataftah

Post on 07-May-2015


TRANSCRIPT

Slide 1
Packet Sniffing in Switched Local Area Networks
By Ishraq Fatafta

Slide 2
Agenda
- What is packet sniffing
- Switched vs. hubbed networks
- Packet sniffing attacks
- Packet sniffing detection
- Packet sniffing prevention
- Conclusion

Slide 3
Packet Sniffing
- Packet sniffing is a technique used to listen to the packets flowing in the network.
- A packet sniffer (network analyzer) is a tool (hardware or software) used to listen to the packets flowing in the network.

Slide 4
Packet Sniffer Uses
- Network engineers, system administrators and security professionals:
  - Analyze network problems.
  - Find traffic bottlenecks and troubleshoot problems.
  - Monitor network usage.
- Intruders:
  - Search for plain-text passwords and usernames.
  - Hijack sensitive information such as credit card information and financial data.
  - Analyze network traffic.

Slide 5
Packet Sniffer Components
- Hardware: usually a standard network adapter.
- Capture driver: the main part of a sniffer; it captures the data, filters it and stores it in the buffer.
- Buffer: used to store the captured, filtered data for later analysis.
- Real-time analysis: provides some analysis of faults and performance issues as data is captured from the wire.
- Decode: responsible for displaying the data with descriptions for human interpretation.
- Packet editing/transmission: used to modify packets and re-transmit them over the network.

Slide 6
Packet Sniffer Components: Hardware (figure)

Slide 7
Packet Sniffer Components: Software (figure)

Slide 8
Packet Sniffer Components: Software (figure)

Slide 9
Packet Sniffing in Non-Switched Networks
- Called a shared environment.
- Hosts are connected to a hub.
- A hub is simply a repeater: it takes the signal coming in on one of its ports, amplifies it, and sends it back out on its other ports.
- Packets are broadcast to all hosts in the network.

Slide 10 (cont.)
Packet Sniffing in Non-Switched Networks (figure)

Slide 11 (cont.)
Packet Sniffing in Non-Switched Networks
- Promiscuous mode (promisc mode) is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit, rather than just the frames addressed to it.

Slide 12
Packet Sniffing in Switched Networks
- Hosts are connected via a switch.
- The switch keeps a lookup table (ARP cache, MAC table) with the MAC address and IP address of all hosts.
- Packets are transmitted only to the designated host.

Slide 13 (cont.)
Packet Sniffing in Switched Networks (figure)

Slide 14
ARP: Address Resolution Protocol
- Computer networking protocol for determining a network host's hardware address (link layer) when only its Internet-layer (IP, network-layer) address is known.
- Request (who-has): specifies the IP address of the host whose MAC address we want to find out.
- Reply (is-at): the answer a host should send, specifying the MAC address associated with that IP address.

Slide 15 (cont.)
ARP: Address Resolution Protocol
ARP cache example:

  IP Address      MAC Address          Type
  129.119.103.1   00-E0-2B-13-68-00    Dynamic
  129.119.103.2   ??-??-??-??-??-??    Dynamic

- Entries are either static or dynamic.
- Fixed size.
- Gratuitous ARP.

Slide 16
Packet Sniffing Attacks
- ARP spoofing and ARP cache poisoning.
- MAC flooding.
- MAC duplicating.
- Switch port stealing.

Slide 17
Packet Sniffing Attacks: ARP Spoofing
- Performs a man-in-the-middle attack.
- ARP cache poisoning.
- Send a forged gratuitous ARP reply (A-MAC, V-IP).
- The cache is stateless, so it is updated with the forged reply.
- The attacker receives the traffic.
- Stores it for later analysis.
- IP forwarding to the victim.

Slide 18 (cont.)
ARP Spoofing (figure)

Slide 19 (cont.)
ARP Spoofing

ARP cache before poisoning:

  IP Address          MAC Address
  Host B IP address   Host B MAC address
  Host C IP address   Host C MAC address

ARP cache after poisoning:

  IP Address          MAC Address
  Host B IP address   Host C MAC address
  Host C IP address   Host C MAC address

Slide 20
Packet Sniffing Attacks: MAC Flooding
- Also called switch jamming.
- The MAC table has a fixed size.
- The attacker floods the switch with forged MAC address requests.
- The switch enters a hub-like mode.
- Forwards traffic to all ports.
- The attacker sniffs the traffic.

Slide 21
Packet Sniffing Attacks: MAC Duplicating (Cloning)
- The attacker updates its own MAC address with the victim's MAC address.
- Can be done using ifconfig in Linux.
- The switch forwards traffic to both hosts.
- No IP forwarding is used.

Slide 22
Packet Sniffing Attacks: Switch Port Stealing
- Flood the switch with forged gratuitous replies with (A-MAC, V-IP).
- All replies contain (A-MAC), so traffic is forwarded to the attacker only.
- Should be carried out very fast.

Slide 23
Packet Sniffing Detection
- Packet sniffing is a passive attack.
- Sometimes it generates additional traffic, especially when used with an active attack.
- Detection is based on the technique used:
  - RARP.
  - ARP cache poisoning.
  - Arpwatch.
  - Decoy method.

Slide 24
Packet Sniffing Detection: Reverse ARP (RARP)
- Used to detect MAC duplicating.
- Send a request for the IP address of a known MAC address.
- Multiple replies mean this machine is sniffing the network.

Slide 25
Packet Sniffing Detection: ARP Cache Poisoning
- Perform a counter-attack on the sniffing machine.
- Three phases:
  - Poison the cache of each host in the network with fake entries.
  - Establish a TCP connection.
  - Sniff the LAN to capture packets with fake entries.

Slide 26
ARP Cache Poisoning: Phase 1
- Send a forged gratuitous reply with a fake IP address and a valid MAC address to bypass the software filter.
- The attacker's host will update its own cache.
- What IP address to select as the fake one to poison only the sniffer host?

Slide 27 (cont.)
ARP Cache Poisoning: Phase 1: Software Filtering
The slide's table lists which hardware addresses each operating system answers in normal (Norm) and promiscuous (Promisc) mode; the per-cell markers did not survive extraction, only the layout did.
- Columns: Windows 9x/ME (Norm, Promisc), Windows 2k/NT (Norm, Promisc), Linux (Norm, Promisc).
- Hardware addresses tested:
  - FF:FF:FF:FF:FF:FF
  - FF:FF:FF:FF:FF:FE
  - FF:FF:00:00:00:00
  - FF:00:00:00:00:00
  - 01:00:00:00:00:00
  - 01:00:5E:00:00:00
  - 01:00:5E:00:00:01

Slide 28 (cont.)
ARP Cache Poisoning: Phase 2
- Broadcast a TCP packet with a fake source address to the network.
- Non-sniffing machines will reply with an ARP request.
- Sniffing machines will reply with an ICMP error message, or a TCP connection can be performed.

Slide 29 (cont.)
ARP Cache Poisoning: Phase 3
- Use a sniffer to detect the machines that responded with an ICMP error or a TCP message.

Slide 30
Packet Sniffing Detection: Arpwatch
- Tool that uses libpcap to store a database of (IP, MAC) pairs.
- Records every operation made on the network and sends it via email.
- The software is not 100% accurate.

Slide 31
Packet Sniffing Detection: Decoy Method
- The administrator establishes a connection between a host and a virtual server.
- Uses a plain-text username and password.
- The intrusion detection system is activated once the credentials are used.

Slide 32
Packet Sniffing Prevention
Prevention is better than cure.

Slide 33
Packet Sniffing Prevention
- Port security and static ARP entries.
- Authentication techniques.
- Secured protocols.
- Encryption.

Slide 34
Packet Sniffing Prevention: Port Security and Static ARP Entries
- Port security on the switch:
  - Once the IP-MAC binding is set, it can't be changed.
  - Only the administrator can change it.
- Static ARP entries:
  - Not timed out.
  - Not replaced by forged ARP replies.
  - Constrained by the size of the network.
  - Overhead to maintain the cache and keep it up to date.

Slide 35
Packet Sniffing Prevention: Authentication
- Kerberos:
  - Credentials are not stored on the server.
  - Not transmitted over the network.
- One-time passwords:
  - Used only once.
- An authentication service only protects credentials, not other types of traffic.
- Prone to password-guessing attacks.

Slide 36
Packet Sniffing Prevention: Secured Protocols
- Never send data in plain text:
  - SSH instead of telnet.
  - SFTP instead of FTP.
  - VPN for clear-text traffic.
- Virtual private networks (VPN):
  - All traffic is encrypted.
  - Additional overhead.
  - Can be sniffed if exposed to Trojans.

Slide 37
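The "before/after poisoning" caches on slide 19 and the arpwatch description on slide 30 both come down to one observation: an ARP reply that rebinds a known IP to a different MAC. The following Python program is an added example, not part of the slides, showing how an arpwatch-style monitor can pull that signature out of raw Ethernet/ARP frames. It assumes the standard Ethernet II and ARP-over-IPv4 frame layout; the MAC and IP addresses, and the frames themselves, are constructed for the demonstration and do not refer to real hosts.

```python
# Added example (not from the slides): an arpwatch-style monitor that parses raw
# Ethernet/ARP frames and flags the cache-poisoning signature of slide 19 (a MAC
# suddenly claiming another host's IP). All addresses below are constructed.
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """Build an Ethernet frame carrying an ARP request/reply (helper for the demo)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst or tha), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "eth_dst": mac_str(dst),
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Learns IP->MAC bindings from ARP replies and reports when they change."""

    def __init__(self):
        self.ip_to_mac = {}                 # last binding seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP a MAC has claimed so far
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["spa"], pkt["sha"]
        # ARP sender MAC that disagrees with the Ethernet source is a forged reply.
        if pkt["eth_src"] != mac:
            self.alerts.append(f"{ip}: ARP sender {mac} != Ethernet source {pkt['eth_src']}")
        # Broadcast reply for the sender's own IP: gratuitous ARP (slide 15).
        if pkt["tpa"] == ip and pkt["eth_dst"] == BROADCAST:
            self.alerts.append(f"gratuitous reply: {ip} is-at {mac}")
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding changed: {ip} was {old}, now {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            self.alerts.append(f"{mac} claims several IPs: {sorted(self.mac_to_ips[mac])}")


# Constructed scenario in the slides' terms: host A, victim B, attacker C.
A_MAC, A_IP = "00:00:5e:00:53:0a", "192.0.2.10"
B_MAC, B_IP = "00:00:5e:00:53:0b", "192.0.2.11"
C_MAC, C_IP = "00:00:5e:00:53:0c", "192.0.2.12"


def run_scenario():
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP))  # legitimate "B is-at"
    mon.observe(build_arp(ARP_REPLY, C_MAC, C_IP, A_MAC, A_IP))  # legitimate "C is-at"
    mon.observe(build_arp(ARP_REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP, BROADCAST))
    # Forged gratuitous reply (A-MAC, V-IP): C's MAC claims B's IP, as on slide 19.
    mon.observe(build_arp(ARP_REPLY, C_MAC, B_IP, C_MAC, B_IP, eth_dst=BROADCAST))
    return mon


if __name__ == "__main__":
    for line in run_scenario().alerts:
        print(line)
```

Running the scenario produces three alerts for the last frame (gratuitous reply, changed binding for B's IP, and C's MAC claiming two IPs) and none for the legitimate replies. On a live network the frames would come from a libpcap capture instead of `build_arp`, and, as slide 30 warns, a binding change is not proof of an attack on its own: DHCP reassignments and NIC replacements change bindings too, which is why arpwatch reports rather than blocks.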
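Slide 20 says a flooded switch "enters a hub-like mode", and slide 34 offers port security as the fix. The Python model below is an added example, not code from the slides, that makes both concrete: a learning switch with a fixed-size MAC table forwards frames to every port once it no longer knows the destination, and a per-port MAC limit stops the forged addresses from evicting the real ones. The switch model, the port numbers and all MAC addresses are constructed for the demonstration; the port-security behaviour modelled is the silent-drop ("protect") style, while real switches may also log the violation or disable the port.

```python
# Added example (not from the slides): a simplified learning switch that shows why
# MAC flooding (slide 20) turns a switch hub-like and how a per-port MAC limit
# (port security, slide 34) prevents it. Everything here is a constructed model.
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch with a fixed-size MAC table and optional per-port MAC limit."""

    def __init__(self, table_size, max_macs_per_port=None):
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.table = OrderedDict()   # MAC -> port, oldest entry first
        self.violations = []         # (port, MAC) pairs refused by port security
        self.flood_count = 0         # frames sent out of every port

    def _learn(self, mac, port):
        """Record MAC on port; return False if port security refuses it."""
        if self.max_macs_per_port is not None:
            on_port = {m for m, p in self.table.items() if p == port}
            if mac not in on_port and len(on_port) >= self.max_macs_per_port:
                self.violations.append((port, mac))
                return False
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.table_size:
            # Table full: evict the oldest entry. A flood exploits exactly this:
            # legitimate hosts are pushed out and become "unknown" destinations.
            self.table.popitem(last=False)
        self.table[mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port, all_ports):
        """Return the list of ports the frame is sent out of."""
        if not self._learn(src_mac, in_port):
            return []  # protect-style port security: drop the offending frame
        out = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            self.flood_count += 1
            return [p for p in all_ports if p != in_port]  # hub-like forwarding
        return [out]


PORTS = [1, 2, 3, 4]
A_MAC, B_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # hosts on ports 1 and 2
ATTACKER_PORT = 3


def simulate(max_macs_per_port=None, table_size=4, flood_frames=6):
    sw = Switch(table_size, max_macs_per_port)
    # Normal traffic: the switch learns A on port 1 and B on port 2.
    sw.forward(A_MAC, B_MAC, 1, PORTS)
    sw.forward(B_MAC, A_MAC, 2, PORTS)
    sw.forward(A_MAC, B_MAC, 1, PORTS)
    # Flood: many different forged source MACs arriving on one port.
    for i in range(flood_frames):
        fake = f"02:00:00:00:00:{i:02x}"  # locally administered, constructed
        sw.forward(fake, "02:00:00:00:ff:ff", ATTACKER_PORT, PORTS)
    # Does A -> B traffic now leave the attacker's port as well?
    out_ports = sw.forward(A_MAC, B_MAC, 1, PORTS)
    return {
        "attacker_sees_a_to_b": ATTACKER_PORT in out_ports,
        "a_to_b_ports": out_ports,
        "violations": len(sw.violations),
        "table": dict(sw.table),
    }


if __name__ == "__main__":
    print("no port security:", simulate())
    print("port security, 1 MAC per port:", simulate(max_macs_per_port=1))
```

Without the limit, six forged addresses are enough to evict both real hosts from a four-entry table, and the next A-to-B frame is flooded to ports 2, 3 and 4, including the attacker's. With `max_macs_per_port=1`, only the first forged address is learned, the other five are recorded as violations, and the A-to-B frame goes to port 2 alone. The count of violations per port is also the signal a defender would watch for: a single access port presenting dozens of new source MACs in seconds is the flood itself.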
Packet Sniffing Prevention: Encryption
- Only the payloads are scrambled, ensuring that packets still reach the correct destinations.
- The attacker can see where traffic was headed and where it came from, but not what it carries.
- Additional overhead.
- Use strong encryption techniques.
- Layer-three encryption technologies such as IPsec.

Slide 38
Packet Sniffing Prevention: Before Encryption (figure)

Slide 39
Packet Sniffing Prevention: After Encryption (figure)

Slide 40
Conclusion
- Switched networks are vulnerable to various security attacks; sniffing is one of them.
- Sniffing is a passive attack that we need to be aware of in order to protect against it.
- Replacing hubs with switches doesn't mean we are safe from sniffing.
- The lack of an optimal solution to protect our networks doesn't mean we can't protect them.