Scanning and Analysis Tools- Packets Sniffers


7/31/2019 Scanning and Analysis Tools- Packets Sniffers

School of Computer Sciences
Universiti Sains Malaysia
Penang

CST 233
Information Security & Assurance
Assignment 2

TITLE : Scanning and Analysis Tools- Packet Sniffers
STUDENT NAME : SOH SIN SIANG
MATRIC NUMBER : 107630
LECTURER : Dr. Aman Jantan


TABLE OF CONTENT

1. INTRODUCTION ............................................ 3
2. PACKET SNIFFERS ......................................... 5
3. HOW DOES A PACKET SNIFFER WORK? ......................... 6
4. SNIFFING METHODS AND CASE STUDIES ....................... 7
   PACKET SNIFFING IN A NON-SWITCHED ENVIRONMENT ........... 8
   PACKET SNIFFING IN A SWITCHED ENVIRONMENT ............... 11
5. HOW TO AVOID/MITIGATE THE THREAT FROM PACKET SNIFFING ... 19
6. CONCLUSION .............................................. 21
7. REFERENCES .............................................. 21


    Introduction

What are scanning and analysis tools?

Scanning and analysis tools are computer programs used to find vulnerabilities in systems and security holes in individual system components, for example the vulnerabilities of specific hosts, routers, or even firewalls.

Many scanning and analysis tools are developed by the hacker community, so-called hackerware. Most of them are open source and free of charge. Some of these tools are extremely complex while others are rather simple. Hackers use scanning and analysis tools to find the vulnerabilities of a network, while the same tools can be used by network defenders to find potential vulnerabilities and secure them. This paper focuses on one category of scanning and analysis tool: the packet sniffer.

    Categories of scanning and analysis tools

There are several categories of scanning and analysis tools:

1. Port scanners
Port scanners are tools used by both attackers and defenders to identify the computers that are active on a network, as well as the ports and services active on those computers.

2. Network mappers
Network mappers are tools that identify all systems connected to a network.


3. OS detection tools
Tools that detect a target host's operating system. Knowing a host's OS is critical if one is to exploit the host's vulnerabilities, for example the known bugs of that OS.

4. Firewall analysis tools
Tools that help in understanding and discovering firewall rules, and that assist the administrator in analyzing the rules to determine exactly what they allow and what they reject.

5. Vulnerability scanners
Software tools that assess security vulnerabilities in networks and hosts and produce a set of scan results.

6. Packet sniffers
A network tool that collects copies of packets from the network and analyzes them. This category is explored in more detail in this paper.

7. Wireless sniffers
Software, or sometimes hardware, capable of capturing and decoding packets as they pass over the airwaves.


Packet sniffers

What is a packet sniffer?

A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It monitors traffic destined to itself as well as to all other hosts on the network. Packet sniffers can be run on both non-switched and switched networks. Packet sniffing in a non-switched environment is a well understood technology, while in a switched environment it is more of a challenge to eavesdrop on network traffic. The differences between sniffing in a non-switched and a switched environment are discussed in the following sections.

Uses of a packet sniffer

Sniffing programs are usually found in two forms. Commercial packet sniffers are used to help observe and maintain networks, while underground packet sniffers are used by attackers to gain unauthorized access to remote hosts. Below are some common uses of sniffing programs:

• Searching for clear text usernames and passwords on the network.
• Conversion of network traffic into human readable form.
• Network analysis to find bottlenecks or problems.
• Network intrusion detection to monitor for attackers.
• Filtering suspicious content from network traffic.


    How does a packet sniffer work?

A packet sniffer works by looking at every packet sent on the network, including packets not intended for itself. This is accomplished in a variety of ways; these sniffing methods are described below. Sniffers also work differently depending on the type of network they are in.

• In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment, packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network.

• In a switched Ethernet environment, hosts are connected to a switch instead of a hub. The switch maintains a table to keep track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result, most network administrators assume that sniffers don't work in a switched environment.


    Sniffing methods and case studies of it

There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

IP-based sniffing

This is the usual way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn't set, so it can capture all the packets. This method only works in non-switched networks.

MAC-based sniffing

This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.

ARP-based sniffing

This method works a little differently. It doesn't put the network card into promiscuous mode. This isn't necessary because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. More details on ARP-based sniffing are given in the following section.


Packet sniffing in a non-switched environment

In a non-switched environment, the latest generation of packet sniffing tools is highly effective at reaping passwords and other sensitive information from the network.

A large number of commonly used protocols either transmit data in plaintext (which can easily be sniffed), or they do not use strong enough encryption to prevent a sniffing and cracking attack. Examples of plaintext protocols include SMTP, POP3, SNMP, FTP, Telnet and HTTP. Perhaps the best known encrypted protocol that is vulnerable to sniffing and cracking attacks is Microsoft's LM (LAN Manager) protocol, used for authenticating Windows clients.

Tools to sniff in a non-switched environment (case studies)

Dsniff

For plaintext protocols, a very useful tool to eavesdrop on usernames, passwords, and other sensitive information is dsniff from Dug Song. The dsniff tool is available for various flavors of Unix, and also for Windows.

In addition to sniffing the plaintext protocols mentioned above, dsniff is exceptionally good at filtering the sniffed traffic to display only interesting information such as usernames and passwords.

A sample run of dsniff is shown in Figure 1, showing the Windows port of dsniff harvesting passwords on a small network.


ScoopLM

Another example of a password sniffing and cracking tool is ScoopLM, which is freeware and downloadable from the internet. ScoopLM will sniff Windows 2000/XP LM/NTLM encrypted passwords. Its brother, BeatLM, enables cracking of the encrypted passwords that ScoopLM has harvested, by brute-force or dictionary attacks. Together, they are a significant threat to the security of Microsoft networking in a non-switched environment.

Figure 2: ScoopLM sniffing usernames and passwords


Figure 2 shows a sample run of ScoopLM, sniffing Windows usernames and encrypted passwords. The sniffed usernames and passwords can then be saved to a temporary file and loaded into BeatLM to be cracked.

The two examples given show how simple it is to discover sensitive information by eavesdropping on a non-switched network. This fact has helped drive businesses to replace the hubs in their networks with switches. There are many other good reasons for doing this, for example increasing network performance. However, replacing hubs with switches in the belief that it will totally cure the problem of sniffing is wrong and misguided. The following section demonstrates why.


Packet sniffing in a switched environment

Switches

On the surface, it would seem that replacing hubs with switches will mitigate the packet sniffing threat to a large extent. The fact that a switch will only send network traffic to the machine it is destined for implies that if machine A is communicating with machine B, machine C will not be able to eavesdrop on their conversation. In Figure 3, let us assume that machine A initiates a telnet connection to machine B.

In the situation above, machine C cannot easily see the network traffic for the telnet session passing between machines A and B. The switch ensures that this traffic does not travel over any unnecessary ports; it only flows over the ports that machines A and B are connected to. However, a number of techniques exist that subvert the statement above, enabling C to snoop on the network traffic between A and B.


    How to sniff in a switched environment

Sniffing traffic in a switched environment is achieved by setting up a man-in-the-middle attack. The attacker uses a variety of techniques to force network traffic to and from the victim to go via the attacker's machine. When this occurs, the attacker can inspect (or even modify) the victim's network traffic.

There are a number of techniques that permit sniffing in a switched environment. Common techniques include ARP spoofing, MAC flooding, MAC duplicating, ICMP redirection, DHCP spoofing and port stealing.

The following section discusses ARP spoofing in detail, as ARP spoofing is a classic man-in-the-middle attack.

ARP spoofing

Taking the previous example of machines A, B, and C, assume C wants to eavesdrop on the network traffic between A and B. For a man-in-the-middle attack, C pretends to A that it is B. Then, when A sends traffic destined for B, it is intercepted by C. C passes this information on to B, pretending that it came from A. Similarly, C performs a comparable role for traffic from B which is destined for A. The goal of the man-in-the-middle attack is shown in Figure 4.


In more detail, using ARP spoofing to complete the man-in-the-middle attack requires two steps, detailed below.

First, we need to understand how A and B normally communicate. A requires B's MAC address. To get this, A checks its ARP cache to see if it already has B's MAC address.

If this is the case, it uses the MAC address pulled from the ARP cache. If this is not the case, A broadcasts an ARP request. B responds with its MAC (and IP) address. B's IP address and corresponding MAC address are stored in A's ARP cache for future use. A can now send packets of data to B. For B to communicate with A, a similar process takes place.


Let us now assume that A and B have established each other's MAC addresses, and are communicating through a switch. How can C eavesdrop on the conversation? This is where ARP spoofing comes into play.

1. The first step is for C to pretend to A that it is in fact B. If this can be achieved, network traffic destined for B will be routed to C. Likewise, C must pretend to B that it is in fact A. How can this be achieved? The answer is that C poisons the ARP caches on A and B. C sends a spoofed ARP packet to A, instructing A to send packets destined for B to C. The spoofed ARP packet C sends forces A to update its own ARP cache. In A's updated ARP cache, B's IP address maps to C's MAC address. This means future communication from A which is destined for B will go via C.

The following tables show what happens to A's ARP cache:

IP addresses         MAC addresses
[B's IP Address]     [B's MAC Address]
[C's IP Address]     [B's MAC Address]

Table 1: Machine A's ARP cache before C sends the spoofed ARP packet

IP addresses         MAC addresses
[B's IP Address]     [C's MAC Address]
[C's IP Address]     [C's MAC Address]

Table 2: Machine A's ARP cache after C sends the spoofed ARP packet


C also does something similar to B. It sends a spoofed ARP packet to B, instructing B to update its ARP cache so that A's IP address maps to C's MAC address.

Once this has been done, packets that A attempts to send to B are routed to C, and packets that B attempts to send to A are routed to C as well.

2. There is one more important step. Machine C also has to ensure that traffic it receives is sent on to its true destination. So, for example, when A sends traffic destined for B, it is intercepted by C, but then sent on from C to B. This can easily be achieved by IP forwarding, a facility supported by many operating systems. Alternatively, an application can take responsibility for forwarding the traffic to its true destination.

Once the above steps have been performed, C will be intercepting the network traffic between A and B.
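The "check the ARP cache before and after" comparison that Tables 1 and 2 show by hand can be automated on the hosts themselves. The following Python script is an added example, not part of the original assignment and not code from any tool it names: it parses the output of arp -a (both the Windows row format and the Linux/BSD "host (ip) at mac" format, which goes beyond the single Windows run the assignment describes), diffs a "before" and an "after" snapshot, and flags the two symptoms of the poisoning described above: an IP whose MAC was rewritten, and one unicast MAC now claimed by several IPs. The addresses in the embedded snapshots are constructed for the example.

```python
import re
from collections import defaultdict

# Windows "arp -a" rows:   192.168.1.20          bb-bb-bb-bb-bb-14     dynamic
WINDOWS_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")
# Linux/BSD "arp -a" rows: hostb (192.168.1.20) at bb:bb:bb:bb:bb:14 [ether] on eth0
UNIX_ROW = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so both OS formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC from the text of one 'arp -a' run (Windows or Unix format)."""
    table = {}
    for line in text.splitlines():
        m = WINDOWS_ROW.match(line) or UNIX_ROW.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs (I/G bit set in the first octet) legitimately
    back many IPs (e.g. the 224.0.0.x entries Windows lists), so they are
    excluded from the shared-MAC check."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def audit_arp_snapshots(before: dict, after: dict) -> dict:
    """Compare two ARP cache snapshots taken on the same host.

    Returns:
      changed:     {ip: (old_mac, new_mac)} for entries whose MAC was rewritten
      shared_macs: {mac: [ips]} for unicast MACs claimed by more than one IP
    """
    changed = {ip: (before[ip], after[ip])
               for ip in before if ip in after and before[ip] != after[ip]}
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"changed": changed, "shared_macs": shared}


# Constructed snapshots of machine A's cache, in the spirit of Tables 1 and 2:
# B = 192.168.1.20, C = 192.168.1.30 (all addresses invented for this example).
BEFORE_SNAPSHOT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.20          bb-bb-bb-bb-bb-14     dynamic
  192.168.1.30          cc-cc-cc-cc-cc-1e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

AFTER_SNAPSHOT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.20          cc-cc-cc-cc-cc-1e     dynamic
  192.168.1.30          cc-cc-cc-cc-cc-1e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def run_demo() -> dict:
    """Audit the constructed before/after snapshots and return the findings."""
    return audit_arp_snapshots(parse_arp_table(BEFORE_SNAPSHOT),
                               parse_arp_table(AFTER_SNAPSHOT))


if __name__ == "__main__":
    report = run_demo()
    for ip, (old, new) in report["changed"].items():
        print(f"ALERT {ip}: MAC changed {old} -> {new}")
    for mac, ips in report["shared_macs"].items():
        print(f"ALERT {mac} is claimed by {', '.join(ips)}")
```

In practice the snapshots would come from running arp -a periodically (or from a scheduled job that mails the diff); a changed entry for the default gateway, or one MAC answering for several hosts, is the cache-side signature of the redirection described in steps 1 and 2.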


Tools to sniff in a switched environment (case studies)

The number of tools that enable sniffing in a switched environment is on the increase. Ettercap is covered in this section.

Ettercap

Ettercap describes itself as a powerful and flexible tool for man-in-the-middle attacks. It runs on many leading platforms including Windows, Linux, and Mac OS X. It can easily be downloaded from the internet as open source.

Before running ettercap, the ARP caches on machines A and B were checked via the arp /a command. As expected, the ARP cache on A was storing the true IP and MAC addresses of B and C:


Similarly, the ARP cache on B was storing the true IP and MAC addresses of A and C.

Next, ettercap was run on machine C and set to sniff traffic between A and B. At this stage, ettercap performs ARP spoofing to set up the man-in-the-middle attack. Re-examining the ARP caches on A and B is illuminating: note how machine C's MAC address replaces the true MAC addresses for machines A and B.

Now traffic between A and B was being intercepted by C. Similar to dsniff, ettercap has in-built knowledge of a large number of network protocols. It can highlight interesting areas of sniffed traffic, such as usernames and passwords. The following diagram shows ettercap eavesdropping on the start of a telnet session between A and B.

During a sniffing session, ettercap may detect a large number of usernames and passwords. The data may be saved to a simple ASCII file for examination later on.


How to avoid/mitigate the threat from packet sniffing

Detecting packet sniffers

One way to mitigate the threat of packet sniffing tools is to try to detect whether they are being used on the network.

Detecting in a non-switched environment

Detecting tools designed to run in a non-switched environment is difficult. This is because the tools are usually passive. They work by putting the network interface card into promiscuous mode, allowing any network traffic that reaches the card to be examined. Akin to a radio receiver, sniffers do not necessarily cause extra, suspicious traffic to be transmitted on the network, so how can they be discovered?

A number of techniques can be used to try to detect machines whose network cards are running in promiscuous mode and are likely to be sniffing traffic. Many of the techniques used rely on detecting specific weaknesses in TCP/IP stacks. L0pht's AntiSniff employs knowledge of the idiosyncrasies of TCP/IP stacks to detect machines running in promiscuous mode.
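AntiSniff's remote technique is not reproduced here, but a defender who can log in to a host can check locally whether one of its interfaces has been put into promiscuous mode. The following Python is an added example, not from the assignment and not AntiSniff's code: on Linux it reads the IFF_PROMISC bit from /sys/class/net/<interface>/flags, and it replays the kernel's promiscuous-mode log messages (both the older "device eth0 entered promiscuous mode" wording and the newer "eth0: entered promiscuous mode" wording) to work out which interfaces are promiscuous right now. The log excerpt embedded below is constructed for the example. This only sees the local host's own cards, and legitimate tools (an administrator's own capture, some bridges and virtual switches) also set the flag, so a hit is a lead to investigate rather than proof of a sniffer.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # Linux interface flag bit, as exposed in /sys/class/net/<dev>/flags


def promiscuous_from_flags(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<dev>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net: Path = Path("/sys/class/net")) -> list:
    """Names of local interfaces currently in promiscuous mode (Linux sysfs only;
    returns [] where sysfs is not available, e.g. on Windows)."""
    found = []
    if not sysfs_net.is_dir():
        return found
    for dev in sorted(sysfs_net.iterdir()):
        try:
            if promiscuous_from_flags((dev / "flags").read_text()):
                found.append(dev.name)
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return found


# The kernel logs every transition. Older kernels write
#   "device eth0 entered promiscuous mode" / "device eth0 left promiscuous mode",
# newer ones write "eth0: entered promiscuous mode"; match both.
PROMISC_LOG = re.compile(r"(?:device (\S+) |(\S+): )(entered|left) promiscuous mode")


def promiscuous_state_from_log(lines) -> dict:
    """Replay kernel log lines in order and return {interface: is_promiscuous_now}."""
    state = {}
    for line in lines:
        m = PROMISC_LOG.search(line)
        if m:
            iface = m.group(1) or m.group(2)
            state[iface] = m.group(3) == "entered"
    return state


# Constructed syslog excerpt for the example (not real output from any host).
SAMPLE_LOG = [
    "Jul 31 10:02:11 hosta kernel: [ 1234.567890] device eth0 entered promiscuous mode",
    "Jul 31 10:02:12 hosta kernel: [ 1235.001122] e1000e 0000:00:19.0 eth0: link is up",
    "Jul 31 10:05:40 hosta kernel: [ 1443.220000] device eth0 left promiscuous mode",
    "Jul 31 10:06:03 hosta kernel: [ 1466.300000] e1000e 0000:00:19.1 eth1: entered promiscuous mode",
]


def run_demo() -> set:
    """Interfaces still promiscuous at the end of the constructed log."""
    state = promiscuous_state_from_log(SAMPLE_LOG)
    return {iface for iface, on in state.items() if on}


if __name__ == "__main__":
    print("promiscuous now (sysfs):", promiscuous_interfaces())
    print("promiscuous now (log replay):", sorted(run_demo()))
```

The log replay is the more useful half for incident work: the sysfs flag only tells you the state at the moment you look, whereas the kernel messages show when the card entered promiscuous mode and whether it ever left, which can be lined up against login records and process start times.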

Detecting in a switched environment

As indicated previously, sniffing in a switched environment implies a man-in-the-middle attack. Eavesdropping in this case is active, in that network traffic is delivered to the attacking machine and then forwarded on to the true recipient. Detecting this is somewhat easier than detecting the passive tools.

It is possible to detect techniques such as ARP spoofing: software such as LBNL's arpwatch can detect suspicious ARP network traffic and inform a network administrator.
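As an added example of what arpwatch-style monitoring does on the wire (this is not arpwatch's own code and not part of the assignment), the Python below decodes raw Ethernet/ARP frames, records the IP-to-MAC binding announced in each frame's sender fields, and raises an alert whenever a known binding changes, which is exactly the cache rewrite that steps 1 and 2 of the ARP spoofing section produce. The four frames are constructed in memory for the example (A = 192.168.1.10, B = 192.168.1.20, C = 192.168.1.30, with invented MAC addresses): A's broadcast request, B's genuine reply, then the two replies from C that claim B's and A's addresses. On a real network the frames would come from a capture library or a raw socket rather than from this list.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns a dict of the header fields, or None for anything else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": oper,
        "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


class ArpWatch:
    """Keeps the IP -> MAC bindings seen in ARP sender fields (requests and
    replies alike, as arpwatch does) and alerts when an IP's MAC changes."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(
                f"changed ethernet address: {ip} was {old}, now {mac}")
        self.bindings[ip] = mac
        return arp


# Constructed 42-byte frames as hex. All addresses are invented for this example.
A_MAC, A_IP = "aaaaaaaaaa0a", "c0a8010a"   # machine A, 192.168.1.10
B_MAC, B_IP = "bbbbbbbbbb14", "c0a80114"   # machine B, 192.168.1.20
C_MAC = "cccccccccc1e"                      # machine C's card (192.168.1.30)
ARP_HDR = "0806" + "0001" + "0800" + "06" + "04"  # EtherType, htype, ptype, hlen, plen

CONSTRUCTED_FRAMES = [
    # A broadcasts "who has B?"
    bytes.fromhex("ffffffffffff" + A_MAC + ARP_HDR + "0001" + A_MAC + A_IP + "000000000000" + B_IP),
    # B answers A with its real MAC
    bytes.fromhex(A_MAC + B_MAC + ARP_HDR + "0002" + B_MAC + B_IP + A_MAC + A_IP),
    # C tells A that B's IP now lives at C's MAC (step 1 of the attack)
    bytes.fromhex(A_MAC + C_MAC + ARP_HDR + "0002" + C_MAC + B_IP + A_MAC + A_IP),
    # C tells B that A's IP now lives at C's MAC
    bytes.fromhex(B_MAC + C_MAC + ARP_HDR + "0002" + C_MAC + A_IP + B_MAC + B_IP),
]


def run_demo() -> ArpWatch:
    """Feed the constructed frames through the monitor and return it."""
    watch = ArpWatch()
    for frame in CONSTRUCTED_FRAMES:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("ALERT", alert)
```

A monitor like this has to be fed from a port that actually sees the ARP traffic (a mirror/SPAN port, or the segment's broadcast domain), and a binding change is not always an attack: a replaced network card or a DHCP lease moving to another machine produces the same alert, which is why arpwatch reports the old and new addresses and leaves the judgement to the administrator.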

Locking down the network environment

Solutions such as Microsoft's Software Restriction Policies and AppSense can help to ensure that only approved software is run; packet sniffing tools and other hacking tools could then be prevented from executing.

Encryption

The most viable solution to protect against packet sniffing is encryption.

Instead of halting the use of cleartext protocols, one possibility is to encrypt all network traffic by using IPSec. By encrypting with IPSec, it is possible to continue to use plaintext protocols: all data is encapsulated by IPSec, and is encrypted for its transfer across the network. Thus legacy applications that rely on older, plaintext protocols are unaffected.

IPSec is completely transparent to applications and to users. It is an open standard, supported by many vendors, including Microsoft and Cisco. Furthermore, many Unix implementations support IPSec. The easy configurability of IPSec within Windows further increases its accessibility.


Implementation of a layer three encryption technology such as IPSec solves the sniffing problem completely. The scalability, widespread availability and seamless operation of IPSec highlight it as a pragmatic solution to the problem of network eavesdropping.

Conclusion

Scanning and analysis tools can be used on both the bright and the dark side. Security professionals use them to find the vulnerabilities of their systems and to harden those systems against them, while hackers use them to find the vulnerabilities of a target system and try to exploit them.

The packet sniffer is a tool that both hackers and security professionals often use. Packet sniffers can be used in both switched and non-switched network environments, and can capture things like clear text passwords and usernames or other sensitive information. Since sniffing is possible in both environments, it is good practice for users to encrypt their data communications.

    References


Figure 1: http://students.mimuw.edu.pl/SO/Projekt06-07/temat5-g8/raczkowski/dsniff.png
Figure 2: http://www.opennet.ru/base/sec/arp_snif2.jpg
Figure 5: http://images.ientrymail.com/securitypronews/ettercap_2.gif
Figure 9: http://www.securemac.com/images/ettercap/ettercaphosts.gif
