Sniffing Data on a LAN


COURSE PROJECT

Project title:

Sniffing data on a LAN

Supervisor: MSc L Phc. Group: Nguyn Gia Thng, Bi Th Minh Trm, Phan Bch Thu Thy

A. Theory

1. What is a sniffer?
A sniffer is a program that monitors, captures and analyses network traffic in order to detect faults and congestion on the network.

2. How are sniffers used?
Sniffers are generally used for two opposite purposes.
Legitimate use: monitoring and maintaining the network by analysing faults that occur on it, detecting unauthorised intrusion attempts, monitoring network usage, collecting and reporting network statistics, and filtering packets with suspicious content out of the traffic.
Malicious use: eavesdropping on the network to steal usernames/passwords or other sensitive information.

3. Some basic related concepts
LAN: computers on the same LAN share one transmission medium with the other computers on the network.
Ethernet: the most widely used LAN technology. On Ethernet every station sees every frame transmitted on the segment. At each station the network card is responsible for checking the frames it receives: if the destination address in the frame is its own, the frame is passed up to the higher-layer protocols for processing; otherwise the card discards the frame.
Promiscuous mode: a configuration in which the network card accepts every frame it receives, not only the frames whose destination address is its own. Many operating systems allow only users with superuser privileges (full access to the operating system and its configuration) to enable promiscuous mode.

4. How does a sniffer work?
The sniffer program switches the network card into promiscuous mode and then starts reading the information it receives from frames through the card. However, the exchanges between networked computers are usually binary data, so in order to eavesdrop on and understand this binary data a sniffer must be able to dissect the protocols and decode the binary payloads. There are two forms of sniffing: passive and active.

5. Passive Sniffing

When a sniffer runs inside one collision domain (a collision domain is a network segment connected through a hub), every machine on that segment can see all the traffic on the network. If an attacker runs a sniffer on a system in the LAN, the sniffer puts the network card into promiscuous mode to capture every packet it receives, and the attacker can collect data sent to or from any machine on the network. Most sniffer tools are suited to sniffing data in a hub environment. These tools are called passive sniffers because they simply wait for data to arrive and capture it. The method is very effective for quietly collecting data on a LAN. In passive sniffing the intruder can get onto the network in the following ways:
- Through physical access. For example, an intruder can enter the building or office and use a laptop to collect data by plugging directly into the access network.
- Using a Trojan horse. Many kinds of Trojan are built with the ability to sniff data.

6. Active Sniffing

A countermeasure against passive sniffing is to replace hubs with switches. Unlike a hub-based network, switched Ethernet does not broadcast all traffic to every system on the LAN. A switch regulates the flow of data between its ports by actively tracking the MAC address on each port, which lets it forward data only to the intended destination. A switch therefore limits the data a passive sniffer can collect: a passive sniffer running on a switched LAN sees only the traffic entering and leaving the one machine it is installed on. However, switches are deployed mainly to use bandwidth more efficiently rather than for security, so there are still ways to defeat them and sniff data. A sniffer on a switched LAN actively injects traffic into the LAN in order to sniff, which is why this is called active sniffing. Techniques used in active sniffing include ARP spoofing, MAC flooding and MAC duplicating.

7. Some data-sniffing mechanisms

ARP spoofing
ARP spoofing, also known as ARP poisoning, works by sending forged ARP replies that trick victim machines into sending their data to the attacker's machine. Several ways of sniffing data on a switched network rely on ARP spoofing: man-in-the-middle, MAC flooding and MAC cloning.

The switching function of a switch
Switches are introduced into a LAN for several reasons, the most important being to split one LAN into several regions so as to reduce packet collisions when too many devices share one transmission medium. These regions are called collision domains. The main job of a switch is to carry layer-2 frames back and forth between these collision domains. To deliver a frame to the right destination, the switch needs a map from the MAC addresses of the attached physical devices to the port each one is connected to. This map, stored in the switch, is called the switch route table or the CAM (Content Addressable Memory) table. The CAM table is built when the switch starts up, by examining the source MAC address of the first frames forwarded on each port. Frame forwarding through a switch can be described as follows:
- If the frame's source MAC address is not yet in the CAM table, the switch records it against the port it arrived on.
- If the source MAC address already exists in the table but on a different port, the switch reports a MAC flapping error and discards the frame.
- If the destination address is a multicast or broadcast address, or a unicast address whose mapping does not yet exist in the CAM table, the frame is sent out of every switch port except the one it arrived on.
- If the destination address is a unicast address whose mapping exists in the CAM table, and the port the frame arrived on differs from the port it should be sent to, the switch sends the frame to exactly the port recorded in the CAM table.
- In all remaining cases the frame is discarded.

Figure 1.1: The switching function of a switch

In the example above, host A sends a message to host B. Because the switch does not yet have B's MAC address in its CAM table, it broadcasts the frame out of every other port and at the same time records A's MAC address in the CAM table. After host B receives the message from A, B replies to A. The switch now knows A's address, so it sends the reply as unicast to port 1 and updates the CAM table with B's MAC address.

Man-in-the-middle
A switch only understands MAC addresses and forwards frames to the destination machine based on them. Normally the switch forwards traffic between two hosts purely according to the forwarding table it has built, so on a switched network we cannot see the traffic between two other hosts: an attacker can only capture unicast traffic to and from their own machine, plus broadcast/multicast traffic. However, in order to communicate, machines must learn each other's MAC addresses, which is done with the ARP protocol. Because ARP request packets are broadcast, the switch sends them out of every port; by listening to these packets a sniffer can quickly learn the current IP-to-MAC mappings of every host on the LAN. To reduce the number of ARP requests, every system implementing ARP keeps a memory area holding the most recent IP-to-MAC mappings, called the ARP cache. By modifying the ARP caches of hosts, an attacker can redirect the traffic between those hosts. How can the ARP cache be modified?

The weakness of ARP is that it is a stateless protocol with no authentication: a host that receives any ARP reply updates its ARP cache, even though it never sent an ARP request. Exploiting this, sniffer programs send forged ARP replies to the victim machines in order to modify the victims' ARP caches. Suppose the goal is to sniff the data exchanged between two hosts T1 and T2. The sniffer sends an ARP reply to host T1 announcing that IP-T2 has MAC address MAC-Attacker, and at the same time sends an ARP reply to host T2 announcing that IP-T1 is found at MAC address MAC-Attacker. Once the ARP caches have been modified, the attacker only has to wait for the data between the two hosts to be delivered to their machine by the switch. Because the switch forwards based on the MAC address supplied in the frame header, it has no idea that this MAC address has been altered, so the communication between T1 and T2 is now delivered to the attacker's machine. The sniffer then has to relay each packet on to its real destination; otherwise the hosts can no longer communicate with each other. Consider an example:

Before the attack, hosts T1 and T2 talk only to each other. The ARP cache of each host is as follows:

After the attack, the ARP cache of each host is as follows:

Here 00:00:00:00:00:03 is the MAC address of the attacker's machine.

This can be illustrated with the following model:

If there is no communication, the corresponding IP-MAC entry in the ARP cache is deleted after a timeout. For this reason the sniffer has to re-poison the hosts at regular intervals.

MAC flooding
This is another method of sniffing data on a switched network. Attack method: a switch's CAM table holds only a finite number of mappings, and these mappings do not stay in the table forever. After some period (typically 30 s) in which an address is not used in any exchange, it is removed from the table. When the CAM table is full, all incoming traffic is sent out of every port except the one it was received on. At that point the switch behaves no differently from a hub.
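The forwarding rules listed in section 7 and the finite CAM table just described, as an added model in Python (not code from the report): the `figure_1_1` function walks through the A-to-B exchange of Figure 1.1, and `full_cam_table` shows that once the table is full a new station's traffic is flooded exactly as on a hub. Port numbers and MAC addresses are constructed for illustration.

```python
# Added example, not code from the report: a minimal model of the layer-2
# forwarding rules in section 7 with a finite CAM table. Port numbers and
# MAC addresses used below are constructed for illustration.
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports: int, cam_size: int):
        self.ports = ports
        self.cam_size = cam_size   # finite table: the property MAC flooding abuses
        self.cam = {}              # MAC address -> port
        self.flaps = 0             # MAC flapping errors reported

    def forward(self, in_port: int, src: str, dst: str) -> list:
        """Return the list of ports the frame is sent out on ([] = dropped)."""
        src, dst = src.lower(), dst.lower()
        if src not in self.cam:
            # Rule 1: learn an unknown source MAC, but only while entries are free.
            if len(self.cam) < self.cam_size:
                self.cam[src] = in_port
        elif self.cam[src] != in_port:
            # Rule 2: known source seen on another port -> MAC flapping, drop.
            self.flaps += 1
            return []
        if is_group_address(dst) or dst not in self.cam:
            # Rule 3: broadcast, multicast or unknown unicast -> flood all other ports.
            return [p for p in range(1, self.ports + 1) if p != in_port]
        if self.cam[dst] != in_port:
            # Rule 4: known unicast -> only the port recorded in the CAM table.
            return [self.cam[dst]]
        return []                  # remaining cases are discarded


def figure_1_1() -> tuple:
    """Host A (port 1) sends to host B (port 2), then B replies, as in Figure 1.1."""
    sw = Switch(ports=4, cam_size=8)
    mac_a, mac_b = "00:00:00:00:00:01", "00:00:00:00:00:02"
    first = sw.forward(1, mac_a, mac_b)    # B unknown: flooded to ports 2, 3, 4
    reply = sw.forward(2, mac_b, mac_a)    # A now known: unicast to port 1
    return first, reply, dict(sw.cam)


def full_cam_table() -> list:
    """Once the CAM table is full, unknown stations are flooded like on a hub."""
    sw = Switch(ports=4, cam_size=2)
    for port in (1, 2, 3):                 # the third station is never learned
        sw.forward(port, "00:00:00:00:00:0%d" % port, BROADCAST)
    return sw.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:03")
```

Real switches also age entries out (the 30 s timeout mentioned above), which this model omits.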

By flooding the switch's CAM table with a large number of forged ARP replies, a hacker can overload the switch and then sniff data on the network while the switch operates like a hub.

Figure 1.3: Model of the CAM table flooding attack

In the example above, the attacker's host C continuously sends a stream of frames whose source MAC addresses are forged (host X and host Y). The switch records the addresses of these forged hosts in its CAM table. As a result, when host A sends a message to host B, B's address is not in the table, so the switch floods the frame out of its ports and the message A intended only for B is also delivered to C.

MAC cloning
MAC cloning, also called MAC spoofing, is a technique that changes the MAC address of a network card. Normally the MAC address is unique and stored in the ROM of each interface, but nowadays it can easily be changed. An attacker can launch a DoS attack against a server and then assign that server's IP and MAC address to their own machine, so that the attacker receives all frames sent to the attacked machine.

DoS (Denial of Service)

A hacker can easily bind a legitimate IP address to a non-existent hardware address. For instance, the hacker sends an ARP reply that binds the router's IP address to a MAC address that does not exist. The machines then believe they know where the default gateway is, but in reality they send packets to a destination that does not exist on the local segment. The hacker has cut the network off from the Internet, producing a denial-of-service (DoS) attack.

8. Countermeasures
Use Port Security (also known as Port Binding or MAC Binding) to prevent MAC cloning and MAC spoofing. This feature disallows changes to the switch's MAC address table, although legitimate MAC changes can still be made by the network administrator. Port Security does not, however, stop ARP spoofing.
Another approach is static routes: the administrator lists by hand which IP belongs to which MAC, so forged ARP replies cannot change the ARP cache. In practice this only works for home or small LANs; on a larger network it is infeasible because far too many entries would have to be added to the ARP cache by hand.
Detecting ARP spoofing is also a countermeasure. The xArp tool detects ARP spoofing on Windows; for Linux there are ARPSpoofDetector, ARP-GUARD, SGUIL and ARP Watch. xArp monitors the ARP cache: it periodically queries the ARP cache and reports changes in the IP/MAC mappings, so it can be used to detect ARP poisoning.
Use RARP to detect MAC cloning. RARP asks for the IP address of a given MAC address. Send a RARP request to every MAC address on the network; if several replies come back for the same MAC address, a machine that is cloning can be identified.
Use standard encryption algorithms and protocols for data in transit. This does not prevent sniffing, but it stops the attacker from reading the content of the data. Some such protocols:
1. SSL (Secure Socket Layer): an encryption protocol developed for most web servers and common web browsers. SSL is used to encrypt sensitive information sent over the link, such as customers' credit card numbers, passwords and other important information.
2. OpenSSH: when you use Telnet or FTP, these two standard protocols provide no encryption of data in transit. Particularly dangerous is that passwords are not encrypted: they are sent over the link in clear text. What happens if this sensitive data is sniffed? OpenSSH is a protocol suite created to fix this weakness: ssh (used in place of Telnet) and sftp (used in place of FTP).
Detecting promiscuous mode: send packets to an address that does not exist; if a reply comes back, some machine is in promiscuous mode. Some tools that detect systems in promiscuous mode:
1. antisniff
2. snifftest
3. Promisc
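The ARP-cache monitoring that xArp and ARP Watch perform, as an added example in Python (not the report's code and not taken from those tools): it replays a constructed list of ARP replies modelled on the T1/T2 scenario above and flags the two signs of poisoning the text describes, an IP whose MAC changes against the baseline and one MAC answering for several IPs. The IP addresses and timestamps are constructed; 00:00:00:00:00:03 is the attacker MAC from the report's example.

```python
# Added example, not code from the report or from xArp: an ARP-cache monitor
# that replays ARP replies and reports the two signs of ARP poisoning
# described in section 8. The replies below are constructed sample data.
from collections import defaultdict

# (seconds, sender IP, sender MAC). 00:00:00:00:00:03 is the attacker MAC from
# the T1/T2 example above; the two IPs are placeholders for IP-T1 and IP-T2.
SAMPLE_REPLIES = [
    (0, "192.168.1.3", "00:00:00:00:00:01"),    # T1, legitimate
    (1, "192.168.1.6", "00:00:00:00:00:02"),    # T2, legitimate
    (30, "192.168.1.3", "00:00:00:00:00:03"),   # forged: IP-T1 is at MAC-Attacker
    (30, "192.168.1.6", "00:00:00:00:00:03"),   # forged: IP-T2 is at MAC-Attacker
    (60, "192.168.1.3", "00:00:00:00:00:03"),   # re-poisoning before the timeout
]


class ArpMonitor:
    """Keeps a baseline IP -> MAC table and reports replies that disagree."""

    def __init__(self, baseline=None):
        # Ideally the baseline is the administrator's static IP/MAC list; an IP
        # not in it is trusted on first sight, as ARP Watch-style tools do.
        self.baseline = dict(baseline or {})
        self.ips_by_mac = defaultdict(set)   # MAC -> set of IPs it answered for
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        expected = self.baseline.setdefault(ip, mac)
        if expected != mac:
            # Sign 1: the IP/MAC mapping changed against the baseline.
            self.alerts.append(("changed", ts, ip, expected, mac))
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                # Sign 2: one MAC answering for several IPs, the man-in-the-middle
                # pattern where both T1 and T2 are mapped to MAC-Attacker.
                ips = sorted(self.ips_by_mac[mac])
                self.alerts.append(("duplicate-mac", ts, mac, ips))


def scan(replies, baseline=None):
    """Replay the replies in order and return the list of alerts."""
    mon = ArpMonitor(baseline)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REPLIES):
        print(*alert)
```

Because the baseline is never overwritten, every periodic re-poisoning reply raises a fresh alert, which is what makes the attacker's need to refresh the victims' caches visible.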

B. Demo

1. Network model:

2. Procedure
2.1 Preparation:
- 3 computers connected to the Internet.
- Download the latest version from http://www.oxid.it/cain.html and install the Cain & Abel tool on the Attacker machine.
- 1 computer with an FTP server installed; the remaining computer is the FTP client.
2.2 Execution
2.2.1 Configuring Cain
This is the program's main interface:

Select the Sniffer tab.

Select the Configure tab and choose the network interface to use.

The current interface is 192.168.1.5. After Apply and OK, we proceed to sniff. Select Start Sniffer.

Select Add to list.

Here we select All hosts in my subnet. Alternatively we can specify the IP range to scan. Press OK to scan the subnet. The scan of the subnet currently shows 3 machines (192.168.1.3, 192.168.1.6 and 192.168.1.7) plus the modem's gateway address 192.168.1.1. Switch to the APR tab.

Select Add to list.

Now we must choose machine A, whose passwords we want to capture (left column); here the machine to sniff is 192.168.1.3. For the machines that A connects to (right column) we select all remaining machines on the network. Select Start APR. Cain now performs ARP Poison Routing (APR is explained in the theory section).

2.2.2 Sniffing the password when machine A accesses mail (Yahoo and Gmail demo)
Machine A now signs in to Gmail. The browser warns very clearly that it does not recognise the CA that issued the certificate for this site; ordinary users, however, pay no attention to this unusual warning and of course go on to click Accept this certificate temporarily for this session.

The browser then tries once more with the warning "You have accepted an invalid certificate", but ordinary users still take no notice.

And after a normal login, what happens? The attacker selects the Passwords tab and chooses HTTP.

Simply find the packet from the Gmail login and the password is visible at once. The user here is [email protected] and the password is 123456!@#. Now try logging in to Yahoo Mail; we get a similar warning.

And after the victim's login, the attacker keeps watching the Passwords tab.

User: [email protected] Pass: onlytest
2.2.3 Machine C sniffs the password when machine A accesses machine B
- First, check all connections between the 3 machines with the most common command, ping.
- After checking all connections, machine C starts its Cain & Abel program to prepare to sniff the password when machine A connects to machine B.
Machine A now accesses machine B:

Enter the user and password as usual. Once access has succeeded, switch to the eavesdropping machine. Go to the Passwords tab and select SMB (Server Message Block). Pick the packet whose connection succeeded and choose Send to Cracker.

Go to the Cracker tab. Select the packet just sent over and crack the password with Brute-Force Attack on the NTLM Session Security Hashes.

And wait.

And here is the password of machine TIGER2 for user cop-test: the password is olala.
2.2.4 The attacker sniffs the account and password when the FTP client accesses the FTP server
The attacker now only needs to scan the subnet, select Start Sniffer and sit waiting. When the FTP client accesses the FTP server:

Switch to the attacker's machine.

The user and password used by the FTP client to access the FTP server appear very clearly.