Ethical Hacking v10 Module 7 - Sniffing


Page 1: Ethical Hacking v10 Module 7 -Sniffing

Ethical Hacking v10 Module 7 - Sniffing

Sniffing

Goals
• Understand Sniffing
• Understand MAC Attacks
• Understand DHCP Attacks
• Understand Computer Worms
• Understand ARP Poisoning
• Understand MAC Spoofing Attacks
• Understand DNS Poisoning
• Learn Sniffing Tools
• Learn Sniffing Countermeasures
• Understand Sniffing Detection Techniques
• Understand Sniffing Penetration Testing

Module 7.0 Sniffing
• 7.1 Sniffing Concepts
• 7.2 DHCP Attacks
• 7.3 MAC Attacks
• 7.4 ARP Poisoning
• 7.5 DNS Poisoning
• 7.7 Sniffing Tools
• 7.8 Countermeasures
• 7.9 Sniffing Detection Techniques
• 7.10 Sniffing Pen Testing

7.1 Sniffing Concepts

Network Sniffing and Threats
• Sniffing monitors/captures data packets moving through a network
• Form of wiretapping
• Switch ports for many organizations are open
• People in the same location as the network can plug in using an Ethernet cable
• Information gathered via sniffing:
  • Syslog Traffic
  • DNS Traffic
  • Telnet Passwords
  • Email Traffic
  • Router Configuration
  • Web Traffic
  • FTP Passwords
  • Chat Sessions

Sniffing
• Sniffing is monitoring and intercepting data flowing through a network
• Identify hosts, services, device types, protocols, subnets, IP addresses, etc.
• May use cleartext protocols to extract credentials, capture files and images, read messages, and steal data
• Some sniffers can re-create complete TCP sessions

Sniffing (cont’d)
• Even encrypted data can still provide information:
  • Source and destination addresses and ports
  • SSID and initialization vectors for wireless networks
  • VPN handshake information
• Two conditions must be met:
  • Sniffer interface must be in promiscuous mode
  • Sniffer must be on the same network segment as the traffic to be accessed

How Sniffing Works
• Turns the system NIC to promiscuous mode
• Listens to transmitted data on that segment
• Able to decode information in each data packet to constantly monitor network traffic via the NIC

Types of Network Sniffing
• Passive Sniffing
  • Sniffing via a hub to access all traffic going through the hub
  • Only monitoring packets, not sending
  • Modern networks use switches, instead of hubs
• Active Sniffing
  • Sniffs switch-based network
  • Done by injecting ARP into network to flood switch’s CAM table
  • Types include:
    • MAC Flooding
    • DNS Poisoning
    • ARP Poisoning
    • DHCP Attacks
    • Switch Port Stealing
    • Spoofing Attack

Protocol Sniffing
• Vulnerable protocols include:
  • HTTP
  • IMAP
  • Telnet/Rlogin
  • SMTP/NNTP
  • POP
  • FTP
• Vulnerabilities include:
  • Clear-text data and passwords
  • Keystrokes that provide user names/passwords

Sniffing at the OSI Layer
• Sniffers work at the OSI Data Link layer
• OSI network layers operate independently
• When data is sniffed at the Data Link layer, the upper layers will not know

Hardware Protocol Analyzer
• Equipment that captures signals to monitor network usage, but does not alter traffic in the cable segment
• Identifies malicious network traffic generated by network hacking software
• Grabs data packets and decodes and analyzes the content based on predetermined rules
• Attacker is able to view individual bytes of data in each packet passing through the cable

Hardware Protocol Analyzers
• Wireshark
• Keysight N2X N5540A
• Keysight E2960B
• RADCOM PrismLite Protocol Analyzer
• RADCOM Prism UltraLite Protocol Analyzer
• FLUKE Networks OptiView XG Network Analyzer
• FLUKE Networks OneTouch AT Network Assistant

Wireshark Example

Wiretapping
• Process of third-party monitoring of phone/Internet conversations
• Attacker connects a listening device to a circuit between two hosts/phones
• Attacker can monitor, access, intercept, and record information
• Types of Wiretapping:
  • Active Wiretapping – Monitors/reads and injects something into communication/traffic
  • Passive Wiretapping – Only monitors/reads

Eavesdropping
• Eavesdropping is secretly listening to private conversations or communications
  • Capture speech or telephone conversations
  • Plant a sniffer on a network
  • Secretly place a camera or microphone in a room
  • Capture VoIP packets off the network and replay them
  • Use a phone to record someone entering a password or PIN from across a room
  • Use a WiFi Pineapple or other man-in-the-middle device to capture wireless traffic
  • Use an IMSI-catcher man-in-the-middle device to intercept cell phone calls

Lawful Interception
• Legal interception of data communication between end-points
• For surveillance on traditional phone, VoIP, data, and multi-service networks

7.2 DHCP Attacks

How DHCP Works
• DHCP servers maintain TCP/IP configuration information in a database
• Ensures DHCP-enabled clients have address configuration in the form of a lease offer
• Works as follows:
  1. Client broadcasts DHCPDISCOVER/SOLICIT request for DHCP configuration information
  2. Relay agent captures client request and unicasts it to DHCP server
  3. DHCP server unicasts DHCPOFFER/ADVERTISE containing client/server MAC address
  4. Relay agent broadcasts DHCPOFFER/ADVERTISE in client subnet
  5. Client broadcasts DHCPREQUEST/REQUEST to ask DHCP server for DHCP configuration information
  6. DHCP server unicasts DHCPACK/REPLY message containing IP configuration information to client

DHCP Attacks
• Starvation Attack
• Rogue DHCP Server Attack

Defend Against DHCP Attacks
• Defend against starvation attack by enabling port security
• Defend against rogue server attack by enabling DHCP snooping so the switch only accepts DHCP transactions from trusted ports
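The two switch-side defences above can be shown in one small model. The following Python is an added example, not code from the course material: it builds minimal DHCP messages (RFC 2131 fixed header plus the option-53 message type), then applies a DHCP-snooping policy (server messages such as OFFER/ACK/NAK are forwarded only from trusted ports) and a port-security style limit on the number of client hardware addresses seen per port. Port names, MAC addresses and the transaction ID are constructed values.

```python
"""DHCP snooping and per-port client-MAC limit, modelled on a switch.
Added illustration; all packets are constructed in memory, nothing is sent."""
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 marker that starts the option field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server should originate these


def build_dhcp(msg_type, chaddr, xid=0x3903F326):
    """Construct a minimal DHCP message: fixed header, magic cookie, option 53, End."""
    op = 1 if msg_type in (1, 3) else 2     # BOOTREQUEST from clients, BOOTREPLY from servers
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 0xFF])


def parse_dhcp(pkt):
    """Return op, xid, client hardware address and the option-53 message type."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen = struct.unpack("!BBB", pkt[:3])
    xid = struct.unpack("!I", pkt[4:8])[0]
    chaddr = pkt[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0xFF:                     # End option
            break
        if code == 0:                        # Pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], "TYPE%d" % value[0])
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr, "type": msg_type}


class SnoopingSwitch:
    """Trusted ports may carry server replies; every port is limited to a
    small number of distinct client hardware addresses."""

    def __init__(self, trusted_ports, max_macs_per_port=2):
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs_per_port
        self.client_macs = defaultdict(set)  # port -> chaddr values seen on it

    def inspect(self, port, pkt):
        """Return 'forward' or a 'drop: ...' reason for one DHCP packet on `port`."""
        info = parse_dhcp(pkt)
        if info["type"] in SERVER_MSGS:
            if port not in self.trusted:
                return "drop: server message on untrusted port (rogue DHCP server)"
            return "forward"
        self.client_macs[port].add(info["chaddr"])
        if len(self.client_macs[port]) > self.max_macs:
            return "drop: MAC limit exceeded on port (possible DHCP starvation)"
        return "forward"


def demo():
    """Constructed traffic: a client on Gi0/5, the real server on Gi0/1, a
    second server on Gi0/7, then DISCOVERs with changing MACs on Gi0/5."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, max_macs_per_port=2)
    client = bytes.fromhex("020000000001")
    results = [
        sw.inspect("Gi0/5", build_dhcp(1, client)),   # DISCOVER from the client
        sw.inspect("Gi0/1", build_dhcp(2, client)),   # OFFER from the trusted port
        sw.inspect("Gi0/7", build_dhcp(2, client)),   # OFFER from an untrusted port
    ]
    for n in range(3):                                # burst of new client MACs
        results.append(sw.inspect("Gi0/5", build_dhcp(1, bytes([2, 0, 0, 0, 0, 0x10 + n]))))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On real switches the equivalent is the DHCP snooping trust setting on the uplink to the legitimate server and a port-security maximum on access ports; the model keeps the same decision order, which is why the rogue OFFER is dropped before any MAC counting happens.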

7.3 MAC Attacks

MAC Address/CAM Table
• Every switch has its own fixed-size dynamic CAM table
• CAM table stores information available on physical ports with associated VLAN parameters

When CAM Table Is Full
• Attack in which all extra ARP request traffic will flood all switch ports
• Switch behavior will change; learning mode will be reset to broadcast on all ports, hub-like
• Attack will cause CAM tables of adjacent switches to be filled

MAC Flooding
• CAM table flooded with false MAC address/IP pairs until full
• Causes switch to act like a hub and broadcast packets to all network machines
• Allows attackers to easily sniff traffic

Switch Port Stealing
• Uses MAC flooding to sniff packets
• Switch flooded with forged gratuitous ARP packets using target MAC address as the source and attacker’s MAC address as the destination
• Attacker’s and target host packets will compete, causing switch to change attacker’s MAC address binding between two ports
• With quick attack, packets going to target host will be redirected to attacker’s switch port
• Attacker can steal target host switch port and send ARP request to stolen port to gain target host’s IP address
• ARP reply indicates target host’s switch port binding is restored – attacker can now sniff packets sent to target host

Defend Against MAC Attacks
• Properly configure port security on switch
• Port security is able to restrict inbound traffic from selected MAC address
• Limits MAC flooding attack
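The slides above describe a fixed-size CAM table, the hub-like flooding that follows once it is full, and port security as the control. The Python below is an added model, not course code, that makes the cause and effect visible: a switch with a 64-entry table learns two legitimate hosts, then one port presents 200 different source addresses; afterwards a reply to a newly seen host either gets flooded (no port security, table full) or is delivered to its port (port security limits that port to one address and err-disables it on the second). Port names and MAC addresses are constructed.

```python
"""CAM table and port-security model. Added illustration; frames are tuples
of constructed addresses, no traffic is generated."""
from collections import OrderedDict


class Switch:
    """Fixed-size CAM table with optional port security
    (maximum MACs per port, violation action: shut the port down)."""

    def __init__(self, cam_size, max_macs_per_port=None):
        self.cam_size = cam_size
        self.cam = OrderedDict()           # source MAC -> ingress port
        self.max_macs = max_macs_per_port  # None means port security is off
        self.errdisabled = set()
        self.violations = []

    def _learn(self, src, port):
        if self.max_macs is not None:
            on_port = {m for m, p in self.cam.items() if p == port}
            if src not in on_port and len(on_port) >= self.max_macs:
                self.violations.append((port, src))
                self.errdisabled.add(port)         # "shutdown" violation mode
                return
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = port
        # otherwise the table is full and the address is simply not learned

    def forward(self, src, dst, in_port):
        """Return the egress decision for one frame: a port name, 'FLOOD' or 'DROP'."""
        if in_port in self.errdisabled:
            return "DROP"
        self._learn(src, in_port)
        if in_port in self.errdisabled:            # this very frame caused the violation
            return "DROP"
        return self.cam.get(dst, "FLOOD")          # unknown destination -> all ports


def flooding_demo(port_security):
    """Run the scenario with or without port security and report the outcome."""
    sw = Switch(cam_size=64, max_macs_per_port=1 if port_security else None)
    host1, host2, host3 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    bcast = "ff:ff:ff:ff:ff:ff"
    sw.forward(host1, bcast, "Gi0/1")              # legitimate hosts are learned first
    sw.forward(host2, bcast, "Gi0/2")
    for n in range(200):                           # one port presents 200 source MACs
        sw.forward("02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF), bcast, "Gi0/9")
    sw.forward(host3, host1, "Gi0/3")              # a new host talks to host1
    reply = sw.forward(host1, host3, "Gi0/1")      # where does host1's reply go?
    return {"cam_entries": len(sw.cam), "reply_egress": reply,
            "errdisabled": sorted(sw.errdisabled), "violations": len(sw.violations)}


if __name__ == "__main__":
    print("without port security:", flooding_demo(False))
    print("with port security:   ", flooding_demo(True))
```

Without port security the reply leaves as FLOOD, which is the hub-like behaviour the slide describes: every port, including Gi0/9, receives a frame meant for one host. With port security the flooding port is err-disabled after its second address, the table never fills, and the reply is switched only to Gi0/3.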

7.4 ARP Poisoning

What is Address Resolution Protocol (ARP)
• A stateless protocol used to resolve IP addresses to MAC addresses
• Network devices broadcast ARP queries across the network to locate MAC addresses
• Machines look up the ARP table when they need to communicate with another machine – an ARP_REQUEST is broadcast across the network when the MAC address is not found
• Machines on the network will compare the IP address to their MAC address
• A machine that identifies with the request will respond using its IP and MAC addresses
• Requesting machine will ensure the address pair is stored in its ARP table and the two machines will communicate

ARP Spoofing Attack
• ARP packets are faked to send data to the attacker’s machine
• Many ARP request/reply packets must be constructed to overload the switch
• Once the ARP table is flooded with spoofed replies, the switch shifts to forwarding mode, allowing the attacker to sniff network packets
• Attacker floods (poisons) the target computer’s ARP cache with fake entries

ARP Poisoning
• ARP Poisoning is the deliberate mapping of an incorrect MAC address to an IP address
• Redirects traffic for malicious purposes
• Most common spoofing mechanism on Ethernet and Wi-Fi networks
• Facilitates man-in-the-middle attacks
• Packets have both IP and MAC addresses
• Name resolution and ARP needed to look up destination
• MAC-to-IP mappings stored in ARP cache, which changes often

Types of ARP Poisoning
• Attackers use forged ARP messages to divert communications between two machines
• Traffic ends up being exchanged through the attacker’s machine
  • Spoof client and server MAC addresses
  • Spoof default gateway MAC address
• Types of ARP poisoning include:
  • Packet Sniffing
  • Data Interception
  • Session Hijacking
  • Connection Hijacking
  • VoIP Call Trapping
  • Connection Resetting
  • Manipulating Data
  • Stealing Passwords
  • Man-in-the-Middle Attack
  • DoS Attack

ARP Poisoning Example

Ways to Poison ARP Cache
• Send fake ARP replies with your MAC address associated with the target IP address
• Send fake ARP replies with your MAC address associated with the default gateway
• Send fake ARP replies with the target MAC address associated with your switch port
• For man-in-the-middle, poison ARP cache of both victims
• Must be on the same network segment

ARP Poisoning Tools
• Ettercap
• Cain & Abel
• WinArpAttacker
• Ufasoft Snif

Man-in-the-Middle (MITM) Attacks
• The attacker inserts himself/herself into a client/server communication session
• Man-in-the-Middle acts as relay between client and server
• Enables attacker to capture information or manipulate data
• Typically depends on:
  • ARP poisoning
  • DNS/name lookup poisoning
  • ICMP redirect

Man-in-the-Middle (MITM) Attacks (cont’d)
• Examples:
  • SSL downgrade or stripping
  • Netcat relay
  • Rogue access points on wireless networks
  • Cellular network tower simulators
• Requires spoofing
• Unsuccessful when packets are digitally signed or if HTTP Strict Transport Security is required

ARP Spoofing Detection
• Use tools like XArp to identify ARP attacks
• Hard code ARP-IP mappings
• Implement IDS
• Use host-to-host VPNs
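The ARP slides above describe the protocol fields and the detection controls (hard-coded ARP-IP mappings, an IDS that notices changed bindings). The Python below is an added example, not course code or any named tool's logic: it parses Ethernet/IPv4 ARP frames (RFC 826 layout), then runs a small watcher that pins known bindings and raises an alert when a reply contradicts a pinned mapping, when a learned binding changes, or when the Ethernet source differs from the ARP sender address. All addresses are constructed and the frames exist only in memory.

```python
"""ARP frame parser plus a binding watcher of the kind an IDS/arpwatch-style
tool keeps. Added illustration with constructed frames; nothing is sent."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Construct an Ethernet II frame carrying an IPv4 ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)      # htype, ptype, hlen, plen, oper
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "eth_src": mac_text(frame[6:12]),
            "sha": mac_text(frame[22:28]), "spa": ip_text(frame[28:32]),
            "tha": mac_text(frame[32:38]), "tpa": ip_text(frame[38:42])}


class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and alert on inconsistencies."""

    def __init__(self, static=None):
        self.static = dict(static or {})   # pinned bindings (the "hard-coded" mappings)
        self.seen = {}                     # bindings learned from observed replies
        self.alerts = []

    def observe(self, frame):
        """Return an alert string for a suspicious reply, else None."""
        p = parse_arp(frame)
        if p is None or p["oper"] != ARP_REPLY:
            return None
        addr, claimed = p["spa"], p["sha"]
        alert = None
        if p["eth_src"] != claimed:
            alert = "%s: Ethernet source %s differs from ARP sender %s" % (addr, p["eth_src"], claimed)
        elif addr in self.static and self.static[addr] != claimed:
            alert = "%s: reply claims %s but pinned mapping is %s" % (addr, claimed, self.static[addr])
        elif self.seen.get(addr, claimed) != claimed:
            alert = "%s: binding changed from %s to %s" % (addr, self.seen[addr], claimed)
        self.seen[addr] = claimed
        if alert:
            self.alerts.append(alert)
        return alert


def demo():
    """Constructed frames: a genuine gateway reply, a reply claiming the gateway
    IP with another MAC, a host whose binding later changes, and a request."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:10"
    watch = ArpWatch(static={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip, eth_dst=victim_mac),
        build_arp(ARP_REPLY, "00:11:22:33:44:99", gw_ip, victim_mac, victim_ip, eth_dst=victim_mac),
        build_arp(ARP_REPLY, "00:11:22:33:44:20", "192.168.1.20", victim_mac, victim_ip),
        build_arp(ARP_REPLY, "00:11:22:33:44:99", "192.168.1.20", victim_mac, victim_ip),
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The pinned-mapping check is what makes the gateway case decisive: a host that hard-codes the gateway binding does not need history to reject the second reply, while the "binding changed" rule catches the same pattern for hosts that are only learned from traffic.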

7.5 DNS Poisoning

Domain Name System (DNS) Poisoning Techniques
• Makes DNS server think it has received authentic information
• Substitutes a fake IP address at the DNS level
• Permits attackers to replace IP address entries with the attacker’s IP address
• Attacker is able to generate false DNS server entries that have the same name as the target server
• Types of DNS poisoning include:
  • Intranet DNS Spoofing
  • Internet DNS Spoofing
  • Proxy Server DNS Poisoning
  • DNS Cache Poisoning

Domain Name System (DNS) Cache Poisoning
• DNS Cache Poisoning is an attack method where DNS data is entered into a DNS server's lookup (resolver) cache and bogus records are then given to clients and other DNS servers
• Most DNS servers query other servers to resolve host names
• One false record can propagate to many DNS servers and clients
• Digital signatures and DNSSEC can help, and should be implemented

Name Resolution Exploits
• NetBIOS used for name resolution on Windows computers before DNS
• Query WINS server and Lmhosts file, then send broadcast message
• Link-Local Multicast Name Resolution (LLMNR) replaced NetBIOS
  • Uses multicasting instead of broadcasting
  • Supports IPv4 and IPv6

Name Resolution Exploits (cont’d)
• Windows name resolution process:
  • Check if the destination is self
  • Check if the name is currently in the DNS resolver cache
  • Check if the name is in the %systemroot%\system32\drivers\etc\hosts file
  • Query the DNS server
  • Send an LLMNR multicast to 224.0.0.252 (IPv6 FF02::1:3), UDP port 5355
  • Send a NetBIOS name query broadcast to 255.255.255.255, UDP port 137

Defend Against DNS Spoofing
• All DNS queries to be resolved to local DNS server
• Ensure correct deployment/implementation of IDS
• Restriction of DNS recursion service
• Ensure DNS requests are blocked from external servers
• Implementation of DNSSEC
• Ensure use of DNS Non-Existent Domain Rate Limiting
• Configuration of firewall to ensure restriction of external DNS lookup
• Configuration of DNS resolver to utilize random source port for outgoing queries
• Ensure internal machines are secure
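The cache-poisoning slides and the "random source port" defence above describe what a resolver must check before it caches an answer. The Python below is an added model, not course code: a resolver keeps a table of outstanding queries keyed by (source port, transaction ID) and caches a reply only when the port, transaction ID, answering server and question section all match. The helper `guess_space` shows why port randomisation matters: a blind, off-path forger must cover the whole (port, txid) space, not just 65536 transaction IDs. Server and answer addresses are RFC 5737 documentation addresses; the fixed port value is constructed.

```python
"""Reply validation in a caching resolver. Added illustration with constructed
messages represented as dicts; no DNS traffic is sent."""
import secrets

EPHEMERAL_PORTS = range(1024, 65536)      # candidate source ports when randomising
FIXED_PORT = 53000                        # constructed value for the non-random case


class Resolver:
    """Outstanding-query table of a caching resolver with reply validation."""

    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}   # (source port, txid) -> (server ip, qname, qtype)
        self.cache = {}     # (qname, qtype) -> answer
        self.rejections = []

    def send_query(self, server_ip, qname, qtype="A"):
        """Record a query; return the fields a reply has to match."""
        txid = secrets.randbelow(1 << 16)
        port = secrets.choice(EPHEMERAL_PORTS) if self.randomize_ports else FIXED_PORT
        self.pending[(port, txid)] = (server_ip, qname.lower(), qtype)
        return {"to": server_ip, "src_port": port, "txid": txid,
                "qname": qname, "qtype": qtype}

    def receive(self, reply):
        """Cache the answer only if the reply matches an outstanding query in every field."""
        key = (reply["dst_port"], reply["txid"])
        expected = self.pending.get(key)
        reason = None
        if expected is None:
            reason = "no outstanding query for this port/txid"
        elif reply["from"] != expected[0]:
            reason = "reply from a server we did not query"
        elif (reply["qname"].lower(), reply["qtype"]) != expected[1:]:
            reason = "question section does not match"
        if reason:
            self.rejections.append(reason)
            return False
        del self.pending[key]                 # first valid reply wins; late ones are rejected
        self.cache[expected[1:]] = reply["answer"]
        return True


def guess_space(randomize_ports):
    """Size of the (source port, txid) space a blind, off-path forger must cover."""
    return (len(EPHEMERAL_PORTS) if randomize_ports else 1) * (1 << 16)


def demo():
    """Constructed exchange: four mismatched replies, then the genuine one."""
    resolver = Resolver(randomize_ports=True)
    q = resolver.send_query("198.51.100.53", "www.example.com")
    genuine = {"from": "198.51.100.53", "dst_port": q["src_port"], "txid": q["txid"],
               "qname": "www.example.com", "qtype": "A", "answer": "203.0.113.10"}
    wrong_txid = dict(genuine, txid=(q["txid"] + 1) & 0xFFFF, answer="203.0.113.66")
    wrong_port = dict(genuine, dst_port=q["src_port"] ^ 1, answer="203.0.113.66")
    wrong_name = dict(genuine, qname="mail.example.com", answer="203.0.113.66")
    wrong_server = dict(genuine, answer="203.0.113.66")
    wrong_server["from"] = "203.0.113.1"
    outcomes = [resolver.receive(m)
                for m in (wrong_txid, wrong_port, wrong_name, wrong_server, genuine)]
    return outcomes, resolver.cache.get(("www.example.com", "A"))


if __name__ == "__main__":
    print(demo())
    print("guess space, fixed port:  ", guess_space(False))
    print("guess space, random port: ", guess_space(True))
```

The model deliberately omits bailiwick checking and DNSSEC validation, which the slides list separately; it isolates the one control under discussion, the unpredictability of the query's port and transaction ID.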

7.6 Sniffing Tools

Sniffing Tools
• Wireshark
• SteelCentral Packet Analyzer
• Tcpdump/Windump
• OmniPeek Network Analyzer
• Observer
• Sniff-O-Matic
• Colasoft Packet Builder
• RSA NetWitness Investigator
• ACE Password Sniffer
• Ipgrab
• Big-Mother
• EtherDetect Packet Sniffer
• dsniff
• EffeTech HTTP Sniffer
• ntopng
• Ettercap
• SmartSniff
• EtherApe

Sniffing Tools (cont’d)
• Network Probe
• WebSiteSniffer
• ICQ Sniffer
• MaaTec Network Analyzer
• Alchemy Network Monitor
• CommView
• NetResident
• Kismet
• AIM Sniffer
• Netstumbler

Packet Sniffing Tools for Mobile
• Wi.cap. Network Sniffer Pro
• FaceNiff

7.7 Sniffing Countermeasures and Pen Testing

Defend Against Sniffing
• Ensure use of HTTPS, rather than HTTP
• Ensure use of switch, rather than hub
• Ensure use of SFTP, rather than FTP
• Ensure use of OTP, PGP, VPN, S/MIME, SSL/TLS, SSH, and IPSec
• Ensure strong encryption protocol for wireless traffic – WPA/WPA2
• Determine if NICs are running in promiscuous mode

Detect Sniffing
• Determine which machines are running in promiscuous mode
• Run IDS to see if the MAC address of any machine has changed
• Run network tools to monitor the network for strange packets
• Sniffer detection techniques include:
  • Ping Method
  • ARP Method
  • DNS Method

Promiscuous Detection Tools
• PromqryUI
• Nmap
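The detection slides above start from one question: which interfaces are in promiscuous mode. On a Linux host that can be answered locally from the flag word the kernel exposes for each interface. The Python below is an added example, not course code or the logic of the tools listed: it reads /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100, from <linux/if.h>). The sysfs path and the IFF_* values are real; the interface names and flag values used in the demo are constructed.

```python
"""Local promiscuous-mode check for Linux interfaces via sysfs.
Added illustration; returns an empty result on systems without /sys/class/net."""
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100            # IFF_PROMISC in <linux/if.h>


def is_promiscuous(flags):
    """True if the interface flag word has IFF_PROMISC set."""
    return bool(flags & IFF_PROMISC)


def find_promiscuous(flags_by_iface):
    """Return the sorted names of interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items() if is_promiscuous(flags))


def read_sysfs_flags(root="/sys/class/net"):
    """Read each interface's hex flag word from sysfs (e.g. '0x1003')."""
    result = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        path = os.path.join(root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue            # virtual entries without a readable flags file
    return result


def report(flags_by_iface):
    """Human-readable summary, one line per interface."""
    lines = []
    for name in sorted(flags_by_iface):
        flags = flags_by_iface[name]
        state = "UP" if flags & IFF_UP else "DOWN"
        mark = " PROMISC" if is_promiscuous(flags) else ""
        lines.append("%-8s 0x%x %s%s" % (name, flags, state, mark))
    return lines


if __name__ == "__main__":
    live = read_sysfs_flags()
    for line in report(live):
        print(line)
    print("promiscuous interfaces:", find_promiscuous(live) or "none")
```

This is the host-side check; the Ping, ARP and DNS methods on the previous slide are the remote equivalents, which infer promiscuous mode from how a host responds to frames it should have ignored. Run the script periodically or from a configuration-management job so that an interface entering promiscuous mode is noticed rather than discovered after the fact.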

Sniffing Pen Testing
• Determine whether data transmission is secure from sniffing and interception attacks
• Helps admins to:
  • Audit network traffic to check for malicious content
  • Ensure implementation of security mechanism
  • Find rogue sniffing apps
  • Find rogue DHCP/DNS servers
  • Determine presence of unauthorized networking devices

Sniffing Pen Testing (cont’d)
• Execute MAC flooding attack
• Execute DHCP Starvation Attack
• Execute Rogue Server Attack
• Execute ARP Poisoning
• Execute MAC Spoofing
• Execute DNS Spoofing
• Execute Cache Poisoning
• Execute Proxy Server DNS Poisoning
• Document findings

Sniffing Review
• Use sniffing and eavesdropping to obtain information needed for the exploit
• Use ARP poisoning when conducting man-in-the-middle attacks
• Use hijacking to take over client sessions
• Choose your exploits based on the target service or protocol
• Use DNS cache poisoning and other name resolution exploits to redirect targets when ARP poisoning isn't practical
• Be careful when using DoS or stress testing attacks, as they are likely to make the server or service unavailable

Lab 7: Sniffing