PACKET SNIFFING - THE EASY WAY INTO SYSTEMS - PART 1
by Demetris Papapetrou and Michael Nicolaou
Source: qsecure.com.cy/white_papers/Packet_Sniffing_Part1.pdf (23 pages)


Page 1

Title slide: PACKET SNIFFING - THE EASY WAY INTO SYSTEMS - PART 1, by Demetris Papapetrou and Michael Nicolaou

Page 2

Introduction

What is a sniffer?

• A piece of software that can look at network traffic, decode it, and give meaningful data back

What is it used for?

• by network administrators to troubleshoot problems

• by forensic investigators to analyze malware communications

• other legitimate uses

Non-legitimate uses?

• to capture clear-text and/or hashed passwords

Page 3

Introduction

Sniffing prerequisites?

• Network Analyzer / Packet Sniffing Software

• NIC in Promiscuous Mode (to sniff third-party traffic, i.e. frames not addressed to our own MAC)

• Physical access to the network (Wired / WiFi)

Types of Sniffing

• Passive Sniffing

• Active Sniffing

Page 4

Introduction

Passive Sniffing

• Performed through a hub (broadcasts all traffic)

• Performed on wireless networks (traffic is on the air)

• No packet injection needed to redirect traffic to us

Active Sniffing

• Performed on switched networks (we mainly see our traffic)

• Need to inject packets to redirect traffic to us

Page 5

Hub Network

Page 6

Switched Network

Page 7

Active Sniffing

Active Sniffing Techniques

• SPAN Port on switch

• MAC Flooding

• Rogue DHCP Server

• ARP Poisoning

• DNS Spoofing

• DNS Cache Poisoning

• Proxy Server Poisoning

• etc

Page 8

Protocols Vulnerable to Sniffing

Clear-text Protocols

• Telnet / r-services

• FTP

• HTTP

• SMTP

• POP3

• IMAP

• SNMP

• SIP

Other Protocols & Applications

• SMB

• MSSQL

• MySQL

• Oracle

• Sybase

• VNC

• IKE

• SIP/RTP

Page 9

ARP Poisoning

Page 10

OSI 7 Layers and the ARP Protocol

• Application: HTTP, FTP, SMTP

• Presentation: MIME, MPEG

• Session: RPC, NETBIOS

• Transport: TCP, UDP

• Network: IP

• Data Link: Ethernet

• Physical

• ARP: maps Network-layer (IP) addresses to Data Link-layer (MAC) addresses, sitting between those two layers

Page 11

Address Resolution Protocol (ARP)

What is it?

• Protocol for mapping IP to MAC addresses

• Restricted to the LAN

• Uses broadcasts (Ethernet)

• Uses requests and replies

• Uses announcements (Gratuitous ARP)

• Machines cache IP to MAC mappings (ARP table)

Page 12

Normal Traffic - ARP Communication (Alice and Bob)

• Bob → broadcast (ARP request): Who has Alice's MAC? Tell Bob.

• Alice → Bob (ARP reply): Alice's MAC is xx:xx:xx:xx

Page 13

Normal Traffic - IP Communication (Alice and Bob)

• Packet to Alice: destination IP: Alice's, destination MAC: Alice's

• Packet to Bob: destination IP: Bob's, destination MAC: Bob's

Page 14

Normal Traffic - Packet Capture (screenshot in the original slides)

Page 15

ARP Poisoning - Spoofed packets (Alice, Bob and the attacker Chuck)

• Chuck → Bob (ARP): Alice's IP is at Chuck's MAC

• Chuck → Alice (ARP): Bob's IP is at Chuck's MAC

Page 16

ARP Poisoning - Redirected Request

• Alice → Chuck: destination IP: Bob's, destination MAC: Chuck's (Alice's poisoned ARP entry sends the request to Chuck)

• Chuck → Bob: destination IP: Bob's, destination MAC: Bob's (Chuck forwards the request on to Bob)

Page 17

ARP Poisoning - Redirected Reply

• Bob → Chuck: destination IP: Alice's, destination MAC: Chuck's (Bob's poisoned ARP entry sends the reply to Chuck)

• Chuck → Alice: destination IP: Alice's, destination MAC: Alice's (Chuck forwards the reply on to Alice)

Page 18

Logical Network Diagram - Demo

• Internet

• Router: 10.10.10.1

• Attacker: 10.10.10.4

• Victim: 10.10.10.2

Page 19

DEMO

Page 20

ARP Poisoning Countermeasures

"DHCP Snooping" and "Dynamic ARP Inspection" (Cisco switches)

Static ARP entries (built-in commands, ARPFreeze)

3rd party prevention tools (AntiARP, ArpStar, ArpON)

3rd party detection tools (Arpwatch, Winarpwatch)

IDS/IPS detection rules
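As an added example that is not part of the original slides, the following Python script shows the kind of check the detection tools above (Arpwatch, IDS rules) perform: it parses raw Ethernet/ARP reply frames and flags an IP whose claimed MAC changes. The frames are constructed in memory to replay the Alice/Bob/Chuck exchange from the ARP poisoning slides using the demo addresses (router 10.10.10.1, victim 10.10.10.2, attacker 10.10.10.4); the MAC addresses and helper names are placeholders chosen here.

```python
import struct

ETH_ARP = b"\x08\x06"          # EtherType for ARP
ARP_REPLY = 2                  # ARP opcode 2 = reply
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II + ARP reply frame (test data, not a capture)."""
    eth = _mac(target_mac) + _mac(sender_mac) + ETH_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def detect_conflicts(frames):
    """Arpwatch-style check: remember the first MAC seen for each sender IP and
    flag any later reply that claims a different MAC for the same IP."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))    # (ip, expected_mac, claimed_mac)
        seen.setdefault(ip, mac)
    return alerts

# Constructed scenario using the deck's demo addresses; MACs are placeholders.
ALICE = ("02:00:00:00:00:02", "10.10.10.2")   # victim
BOB   = ("02:00:00:00:00:01", "10.10.10.1")   # router
CHUCK = ("02:00:00:00:00:04", "10.10.10.4")   # attacker

def demo_frames():
    return [
        build_arp_reply(*ALICE, *BOB),              # normal: Alice answers Bob
        build_arp_reply(*BOB, *ALICE),              # normal: Bob answers Alice
        build_arp_reply(CHUCK[0], ALICE[1], *BOB),  # spoof: "Alice's IP is at Chuck's MAC"
        build_arp_reply(CHUCK[0], BOB[1], *ALICE),  # spoof: "Bob's IP is at Chuck's MAC"
    ]
```

Running `detect_conflicts(demo_frames())` returns two alerts, one per poisoned victim; on a real capture the same logic would read frames from a pcap instead of `demo_frames()`.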

Page 21

In Part 2 of this series

DNS Spoofing

NBNS Spoofing

Proxy Server Poisoning

Credential Harvesting

Rogue Software Updates

Traffic Manipulation and Client-Side Attacks

Page 22

Download Presentation

Presentation slides available at

www.qsecure.com.cy/whitepapers/Packet_Sniffing_Part1.pdf

Page 23

Do You Have Any Questions?

We would be happy to help.