7/31/2019 Scanning and Analysis Tools- Packets Sniffers
1/22
School of Computer Sciences
Universiti Sains Malaysia
Penang
CST 233
Information Security & Assurance
Assignment 2
TITLE : Scanning and Analysis tools- Packets Sniffers
STUDENT NAME : SOH SIN SIANG
MATRIC NUMBER : 107630
LECTURER : Dr. Aman Jantan
TABLE OF CONTENTS
1. INTRODUCTION ........ 3
2. PACKET SNIFFERS ........ 5
3. HOW DOES A PACKET SNIFFER WORK? ........ 6
4. SNIFFING METHODS AND CASE STUDIES ........ 7
   PACKET SNIFFING IN A NON-SWITCHED ENVIRONMENT ........ 8
   PACKET SNIFFING IN A SWITCHED ENVIRONMENT ........ 11
5. HOW TO AVOID/MITIGATE THE THREAT FROM PACKET SNIFFING ........ 19
6. CONCLUSION ........ 21
7. REFERENCES ........ 21
Introduction
What are scanning and analysis tools
Scanning and analysis tools are computer programs used to find vulnerabilities
in systems and security holes in individual system components, for example the
vulnerabilities of specific hosts, routers, or even firewalls.
Many scanning and analysis tools are developed by the hacker community and are
sometimes called hackerware. Most of them are open source and free of charge. Some
of these tools are extremely complex, while others are rather simple. Hackers use
scanning and analysis tools to find the vulnerabilities of a network, while the same
tools can also be used by network defenders to find potential vulnerabilities and
fix them. This paper will focus on one kind of scanning and analysis tool: the
packet sniffer.
Categories of scanning and analysis tools
There are several categories of scanning and analysis tools:
1. Port scanners
Port scanners are tools used by both attackers and defenders to identify the
computers that are active on a network, as well as the ports and services active
on those computers.
2. Network mappers
Network mappers are tools that identify all systems connected to a network.
3. OS detection tools
Tools that detect a target host's operating system. Knowing a host's OS is critical
if one is to exploit the host's vulnerabilities, for example the known bugs of that
OS.
4. Firewall analysis tools
Tools that help in understanding and discovering firewall rules, and assist the
administrator in analyzing the rules to determine exactly what they allow and
what they reject.
5. Vulnerability scanners
Software tools that assess security vulnerabilities in networks and hosts and
produce a set of scan results.
6. Packet sniffers
A network tool that collects copies of packets from the network and analyzes
them. More details on this category will be explored in this paper.
7. Wireless sniffers
Software, or possibly hardware, that is capable of capturing and decoding packets
as they pass over the airwaves.
Packet sniffers
What is a packet sniffer?
A packet sniffer is a tool that plugs into a computer network and monitors all
network traffic. It monitors traffic destined for itself as well as for all other
hosts on the network. Packet sniffers can be run on both non-switched and switched
networks. Packet sniffing in a non-switched environment is a well understood
technology, while in a switched environment it is more of a challenge to eavesdrop
on network traffic. More details on the difference between sniffing in a
non-switched and a switched environment will be discussed in the following sections.
Uses of a packet sniffer
Sniffing programs are usually found in two forms. Commercial packet sniffers are
used to help observe and maintain networks, while underground packet sniffers
are used by attackers to gain unauthorized access to remote hosts. Below are some
common uses of sniffing programs:
- Searching for clear text usernames and passwords on the network.
- Conversion of network traffic into human readable form.
- Network analysis to find bottlenecks or problems.
- Network intrusion detection to monitor for attackers.
- Filtering suspicious content from network traffic.
How does a packet sniffer work?
A packet sniffer works by looking at every packet sent on the network, including
packets not intended for itself. This is accomplished in a variety of ways. These
sniffing methods will be described below. Sniffers also work differently depending on
the type of network they are in.
In a shared Ethernet environment, all hosts are connected to the same bus and
compete with one another for bandwidth. In such an environment, packets meant for
one machine are received by all the other machines. Thus, any machine in such an
environment placed in promiscuous mode will be able to capture packets meant for
other machines and can therefore listen to all the traffic on the network.
In a switched Ethernet, hosts are connected to a switch instead of a hub. The
switch maintains a table to keep track of each computer's MAC address and
delivers packets destined for a particular machine to the port on which that
machine is connected. The switch is an intelligent device that sends packets
to the destined computer only and does not broadcast to all the machines on
the network, as in the previous case. This switched Ethernet environment was
intended for better network performance, but as an added benefit, simply placing a
machine in promiscuous mode will not let it see other hosts' traffic here. As a
result, most network administrators assume that sniffers don't work in a switched
environment.
Sniffing methods and case studies
There are three types of sniffing methods. Some methods work in non-switched
networks while others work in switched networks. The sniffing methods are: IP-based
sniffing, MAC-based sniffing, and ARP-based sniffing.
IP-based sniffing
This is the usual way of packet sniffing. It works by putting the network card into
promiscuous mode and sniffing all packets matching the IP address filter. Normally,
no IP address filter is set, so it captures all the packets. This method only works
in non-switched networks.
MAC-based sniffing
This method works by putting the network card into promiscuous mode and sniffing
all packets matching the MAC address filter.
ARP-based sniffing
This method works a little differently. It doesn't put the network card into
promiscuous mode. This isn't necessary because the ARP packets will be sent to us.
This happens because the ARP protocol is stateless. Because of this, sniffing can be
done on a switched network. More details on ARP-based sniffing will be discussed in
the following section.
Packet sniffing in a non-switched environment
In a non-switched environment, the latest generation of packet sniffing tools is
highly effective at reaping passwords and other sensitive information from the
network.
A large number of commonly used protocols either transmit data in plaintext (which
can easily be sniffed), or do not use strong enough encryption to prevent a
sniffing and cracking attack. Examples of plaintext protocols include SMTP, POP3,
SNMP, FTP, telnet and HTTP. Perhaps the best known encrypted protocol that is
vulnerable to sniffing and cracking attacks is Microsoft's LM (LAN Manager) protocol,
used for authenticating Windows clients.
Tools to sniff in a non-switched environment (case studies)
Dsniff
For plaintext protocols, a very useful tool for eavesdropping on usernames,
passwords, and other sensitive information is dsniff from Dug Song. The dsniff tool
is available for various flavors of Unix, and also for Windows.
In addition to sniffing the plaintext protocols mentioned above, dsniff is exceptionally
good at filtering the sniffed traffic to display only interesting information such as
usernames and passwords.
A sample run of dsniff is shown in figure 1, showing the Windows port of dsniff
harvesting passwords on a small network.
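The two points made above, that a sniffer only sees other hosts' traffic when the card is in promiscuous mode, and that a whole family of protocols carries credentials in plaintext, can be demonstrated with a small frame decoder. The block below is an added example written for this page; it is not code from the assignment, from dsniff or from any other tool named here. Every frame, MAC address and IP address in it is constructed, and the port-to-protocol mapping is an assumed table of the well-known ports for the protocols the text lists. It decodes Ethernet/IPv4/TCP/UDP headers, models the NIC's normal-mode acceptance rule against promiscuous mode, and, from the defender's side, reports which sessions still use a plaintext protocol so they can be moved to an encrypted one.

```python
"""Added example (not from the assignment or any named tool): a minimal
sniffer-style frame decoder plus a plaintext-protocol audit.
All frames, MAC and IP addresses below are constructed for the example."""
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Well-known ports of the plaintext protocols named in the text (assumed mapping).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 161: "snmp"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP/UDP headers; the payload is returned as-is."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # ARP, IPv6 etc. are not decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    info["proto"] = ip[9]
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if info["proto"] == 6 and len(l4) >= 20:          # TCP
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[(l4[12] >> 4) * 4:]      # skip header via data-offset field
    elif info["proto"] == 17 and len(l4) >= 8:        # UDP
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[8:]
    return info


def nic_accepts(info: dict, own_mac: str, promiscuous: bool) -> bool:
    """Normal mode: only frames to our own MAC or broadcast reach the host stack.
    Promiscuous mode: every frame that reaches the card is passed up."""
    return promiscuous or info["dst_mac"] in (own_mac, BROADCAST_MAC)


def cleartext_protocol(info: dict):
    """Name the plaintext protocol a TCP/UDP packet belongs to, or None."""
    for key in ("dst_port", "src_port"):
        if info.get(key) in CLEARTEXT_PORTS:
            return CLEARTEXT_PORTS[info[key]]
    return None


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Assemble a constructed Ethernet/IPv4/TCP-or-UDP frame (checksums left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, offset=5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0) + payload
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def audit(frames, own_mac: str, promiscuous: bool):
    """Decode what the card would hand us and list sessions on plaintext protocols."""
    findings = []
    for raw in frames:
        info = parse_frame(raw)
        if not nic_accepts(info, own_mac, promiscuous):
            continue                     # other hosts' unicast traffic is invisible in normal mode
        name = cleartext_protocol(info)
        if name:
            findings.append((name, info["src_ip"], info["dst_ip"]))
    return findings


# Constructed traffic for hosts A, B and C on one segment (addresses are made up).
MAC_A, MAC_B, MAC_C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.2", 6, 40001, 23, b"admin\r\n"),      # telnet A->B
    build_frame(MAC_A, MAC_B, "10.0.0.2", "10.0.0.1", 6, 23, 40001, b"Password: "),     # telnet B->A
    build_frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.2", 6, 40002, 443, b"\x16\x03\x01"),  # TLS A->B
    build_frame(MAC_C, MAC_A, "10.0.0.1", "10.0.0.3", 17, 50000, 161, b"\x30\x00"),     # SNMP A->C
]

if __name__ == "__main__":
    print("C, normal mode:     ", audit(SAMPLE_FRAMES, MAC_C, promiscuous=False))
    print("C, promiscuous mode:", audit(SAMPLE_FRAMES, MAC_C, promiscuous=True))
```

Run as host C in normal mode, the audit only ever sees the SNMP packet addressed to C; in promiscuous mode on a shared segment it also decodes the telnet exchange between A and B, which is exactly the exposure the text describes. The same output, read by an administrator, is an inventory of plaintext protocols still in use.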
ScoopLM
Another example of a password sniffing and cracking tool is ScoopLM, which is
freeware and downloadable from the internet. ScoopLM will sniff Windows 2000/XP
LM/NTLM encrypted passwords. Its companion, BeatLM, enables cracking of the
encrypted passwords that ScoopLM has harvested, by brute-force or dictionary
attacks. Together, they are a significant threat to the security of Microsoft
networking in a non-switched environment.
Figure 2: ScoopLM sniffing username and password
Figure 2 shows a sample run of ScoopLM, sniffing Windows usernames and
encrypted passwords. The sniffed usernames and passwords can then be saved to a
temporary file and loaded into BeatLM to be cracked.
The two examples given show how simple it is to discover sensitive information
by eavesdropping on a non-switched network. This fact has helped to drive
businesses to replace the hubs in their networks with switches. There are many other
good reasons for doing this, for example increasing network performance. Replacing
hubs with switches in the belief that it will totally cure the problem of sniffing is,
however, wrong and misguided. The following section will demonstrate why.
Packet sniffing in a switched environment
Switches
On the surface, it would seem that replacing hubs with switches will mitigate the
packet sniffing threat to a large extent. The fact that a switch will only send network
traffic to the machine it is destined for implies that if machine A is communicating
with machine B, machine C will not be able to eavesdrop on their conversation. In
figure 3, let us assume that machine A initiates a telnet connection to machine B.
In this situation, machine C cannot easily see the network traffic for the telnet
session passing between machines A and B. The switch ensures that this traffic does
not travel over any unnecessary ports; it only flows over the ports that machines A
and B are connected to. However, a number of techniques exist that will subvert the
statement above, enabling C to snoop on the network traffic between A and B.
How to sniff in a switched environment
Sniffing traffic in a switched environment is achieved by setting up a
man-in-the-middle attack. The attacker uses a variety of techniques to force network
traffic to and from the victim to go through the attacker's machine. When this
occurs, the attacker can inspect (or even modify) the victim's network traffic.
There are a number of techniques that permit sniffing in a switched environment.
Common techniques include ARP spoofing, MAC flooding, MAC duplicating, ICMP
redirection, DHCP spoofing and port stealing.
The following section will discuss ARP spoofing in detail, as ARP spoofing is the
classic man-in-the-middle attack.
ARP spoofing
Taking the previous example of machines A, B, and C, assume C wants to
eavesdrop on network traffic between A and B. For a man-in-the-middle attack, C
pretends to A that it is B. Then, when A sends traffic destined for B, it is intercepted
by C. C passes this information on to B, pretending that it came from A. Similarly, C
performs a comparable role for traffic from B that is destined for A. The goal of the
man-in-the-middle attack is shown in figure 4.
In more detail, to complete the man-in-the-middle attack using ARP spoofing, two
steps, detailed below, need to be performed.
First, we need to understand how A and B normally communicate. A requires B's
MAC address. To get this, A will check its ARP cache to see if it already has B's
MAC address.
If this is the case, it will use the MAC address pulled from the ARP cache. If this is
not the case, A will broadcast an ARP request. B will respond with its MAC (and IP)
address. B's IP address and corresponding MAC address will be stored in A's ARP
cache for future use. A can now send packets of data to B. For B to communicate
with A, a similar process takes place.
Let us now assume that A and B have established each other's MAC addresses, and
are communicating through a switch. How can C eavesdrop on the conversation?
This is where ARP spoofing comes into play.
1. The first step is for C to pretend to A that it is in fact B. If this can be
achieved, network traffic destined for B will be routed to C. Likewise, C
must pretend to B that it is in fact A. How can this be achieved? The
answer is that C poisons the ARP caches on A and B. C sends a spoofed
ARP packet to A, instructing A to send packets destined for B to C. The
spoofed ARP packet C sends forces A to update its own ARP cache. In A's
updated ARP cache, B's IP address maps to C's MAC address. This means
future communication from A that is destined for B will go via C.
The following tables show what happens to A's ARP cache:

IP address       | MAC address
-----------------|-----------------
[B's IP Address] | [B's MAC Address]
[C's IP Address] | [C's MAC Address]

Table 1: Machine A's ARP cache, before C sends the spoofed ARP packet

IP address       | MAC address
-----------------|-----------------
[B's IP Address] | [C's MAC Address]
[C's IP Address] | [C's MAC Address]

Table 2: Machine A's ARP cache, after C sends the spoofed ARP packet
C also does something similar to B. It sends a spoofed ARP packet to B, instructing B
to update its ARP cache so that A's IP address maps to C's MAC address.
Once this has been done, packets that A attempts to send to B are routed to C, and
packets that B attempts to send to A are routed to C as well.
2. There is one more important step. Machine C also has to ensure that the
traffic it receives is sent on to its true destination. So, for example, when A
sends traffic destined for B, it is intercepted by C, but then sent on from C to
B. This can easily be achieved by IP forwarding, a facility supported by
many operating systems. Alternatively, an application can take
responsibility for forwarding the traffic to its true destination.
Once the above steps have been performed, C will be intercepting network traffic
between A and B.
Tools to sniff in a switched environment (case studies)
The number of tools that enable sniffing in a switched environment is on the
increase. Ettercap will be covered in this section.
Ettercap
Ettercap describes itself as a powerful and flexible tool for man-in-the-middle
attacks. It runs on many leading platforms including Windows, Linux, and
Mac OS X. It is open source and can easily be downloaded from the internet.
Before running ettercap, the ARP caches on machines A and B were checked with the
arp -a command. As expected, the ARP cache on A was storing the true IP and MAC
addresses of B and C:
Similarly, the ARP cache on B was storing the true IP and MAC addresses of A and C.
Next, ettercap was run on machine C and set to sniff traffic between A and B. At
this stage, ettercap performs ARP spoofing to set up the man-in-the-middle attack.
Re-examining the ARP caches on A and B is illuminating: note how machine C's MAC
address replaces the true MAC addresses of machines A and B:
Now traffic between A and B was being intercepted by C. Similar to dsniff, ettercap
has built-in knowledge of a large number of network protocols. It can highlight
interesting areas of sniffed traffic, such as usernames and passwords. The following
diagram shows ettercap eavesdropping on the start of a telnet session between A and B:
During a sniffing session, ettercap may detect a large number of usernames and
passwords. The data may be saved to a simple ASCII file for examination later on.
How to avoid/mitigate the threat from packet sniffing
Detecting packet sniffers
One way to mitigate the threat of packet sniffing tools is to try to detect whether
they are being used on the network.
Detecting in a non-switched environment
Detecting tools designed to run in a non-switched environment is difficult. This is
because the tools are usually passive. They work by putting the network
interface card into promiscuous mode, allowing any network traffic that reaches
the card to be examined. Akin to a radio receiver, sniffers do not necessarily
cause extra, suspicious traffic to be transmitted on the network, so how can they
be discovered?
A number of techniques can be used to try to detect machines whose network
cards are running in promiscuous mode and are therefore likely to be sniffing
traffic. Many of the techniques rely on detecting specific weaknesses in TCP/IP
stacks. L0pht's AntiSniff employs knowledge of the idiosyncrasies of TCP/IP stacks
to detect machines running in promiscuous mode.
Detecting in a switched environment
As indicated previously, sniffing in a switched environment implies a
man-in-the-middle attack. Eavesdropping in this case is active, in that network
traffic will be delivered to the attacking machine and then forwarded on to the true
recipient. Detecting this is somewhat easier than detecting the passive tools.
It is possible to detect techniques such as ARP spoofing: software such as LBNL's
arpwatch can detect suspicious ARP network traffic and inform a network
administrator.
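The ARP cache tables in the ARP spoofing section (Table 1 to Table 2) and the arpwatch-style detection just described are two sides of the same packet, so one added example covers both. The block below is written for this page and is not code from the assignment, from arpwatch or from ettercap. It decodes ARP packets from constructed byte strings, replays them through a last-writer-wins cache that behaves the way the text says a victim's cache behaves, and through a monitor that keeps the first IP-to-MAC mapping it observed as its baseline and alerts when a later ARP packet claims a different MAC for a known IP, or when one MAC starts answering for several IPs. All addresses are made up, and the baseline-on-first-sight rule is an assumption of the example (a real deployment would learn the baseline during a trusted period).

```python
"""Added example (not from the assignment, arpwatch or ettercap): an ARP cache
model (the victim's view) and an arpwatch-style monitor (the defender's view).
All packets and addresses below are constructed for the example."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_str(raw: bytes) -> str:
    return ".".join(map(str, raw))


def ip_bytes(text: str) -> bytes:
    return bytes(map(int, text.split(".")))


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying ARP; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # hardware type, protocol type, hw len, proto len, opcode, sender hw/ip, target hw/ip
    _htype, _ptype, _hlen, _plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpCache:
    """The victim's view: ARP is stateless and unauthenticated, so the most recent
    reply for an IP wins. This is the weakness ARP spoofing relies on."""
    def __init__(self):
        self.table = {}                     # IP -> MAC, as shown in Table 1 / Table 2

    def learn(self, pkt: dict):
        if pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]


class ArpMonitor:
    """The defender's view, modelled on what arpwatch reports: remember the first
    mapping seen for each IP (assumed trustworthy) and alert on later disagreement."""
    def __init__(self):
        self.baseline = {}                  # IP -> first MAC observed
        self.claims = {}                    # MAC -> set of IPs it has claimed
        self.flagged = set()
        self.alerts = []

    def observe(self, pkt: dict):
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in self.baseline and self.baseline[ip] != mac:
            self.alerts.append(f"changed ethernet address: {ip} was {self.baseline[ip]}, now {mac}")
        else:
            self.baseline.setdefault(ip, mac)
        # One MAC answering for several IPs is what Table 2 looks like from the wire.
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1 and mac not in self.flagged:
            self.flagged.add(mac)
            self.alerts.append(f"{mac} now answers for several IPs: {sorted(self.claims[mac])}")


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a constructed ARP reply frame (Ethernet II + 28-byte ARP body)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body


def run_scenario(frames):
    """Feed captured-style frames to both the cache and the monitor."""
    cache, monitor = ArpCache(), ArpMonitor()
    for raw in frames:
        pkt = parse_arp(raw)
        if pkt is not None:
            cache.learn(pkt)
            monitor.observe(pkt)
    return cache.table, monitor.alerts


# Constructed capture as seen by machine A (addresses are made up).
IP_A, IP_B, IP_C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
MAC_A, MAC_B, MAC_C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
SAMPLE_FRAMES = [
    build_arp_reply(MAC_B, IP_B, MAC_A, IP_A),   # genuine reply from B   (Table 1 state)
    build_arp_reply(MAC_C, IP_C, MAC_A, IP_A),   # genuine reply from C
    build_arp_reply(MAC_C, IP_B, MAC_A, IP_A),   # C claims B's IP        (Table 2 state)
]

if __name__ == "__main__":
    table, alerts = run_scenario(SAMPLE_FRAMES)
    print("A's ARP cache:", table)
    print("monitor alerts:", *alerts, sep="\n  ")
```

After the third frame the cache is exactly Table 2 (both B's and C's IP map to C's MAC) while the monitor has raised two alerts, one for the changed mapping of B's IP and one because C's MAC now answers for two IPs. A monitor of this kind needs a vantage point on the segment it watches (a mirror port, or the monitored host itself), since spoofed replies are unicast to the victim and a switch will not deliver them elsewhere.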
Locking down the network environment
Solutions such as Microsoft's Software Restriction Policies and AppSense can help to
ensure that only approved software is run; packet sniffing tools and other hacking
tools could thereby be prevented from executing.
Encryption
The most viable solution to protect against packet sniffing is encryption.
Instead of halting the use of cleartext protocols, one possibility is to encrypt all
network traffic by using IPSec. By encrypting with IPSec, it is possible to
continue to use plaintext protocols: all data is encapsulated by IPSec and is
encrypted for its transfer across the network. Thus legacy applications that rely
on older, plaintext protocols are unaffected.
IPSec is completely transparent to applications and to users. It is an open standard,
supported by many vendors, including Microsoft and Cisco. Furthermore, many Unix
implementations support IPSec. The easy configurability of IPSec within Windows
further increases its accessibility.
Implementation of a layer three encryption technology such as IPSec solves the
sniffing problem completely. The scalability, widespread availability and seamless
operation of IPSec highlight it as a pragmatic solution to the problem of network
eavesdropping.
Conclusion
Scanning and analysis tools can be used on both the bright and the dark side. Security
professionals use them to find the vulnerabilities of their own systems and to
harden those systems against them, while hackers use them to find the
vulnerabilities of a target system and try to exploit them.
The packet sniffer is a tool that both hackers and security professionals often use.
Packet sniffers can be used in both switched and non-switched network environments.
A packet sniffer can capture things like clear text passwords and usernames or other
sensitive information and material. Since sniffing is possible in both environments,
it is good practice for users to encrypt their data communications.
References
[1] http://www.linuxjournal.com/article/5869
[2] http://en.wikipedia.org/wiki/Packet_analyzer
[3] http://www.surasoft.com/articles/packetsniffing-2.php
[4] http://www.windowsecurity.com/whitepapers/Sniffing_network_wiretap_sniffer_FAQ_.html
Figure 1: http://students.mimuw.edu.pl/SO/Projekt06-07/temat5-g8/raczkowski/dsniff.png
Figure 2: http://www.opennet.ru/base/sec/arp_snif2.jpg
Figure 5: http://images.ientrymail.com/securitypronews/ettercap_2.gif
Figure 9: http://www.securemac.com/images/ettercap/ettercaphosts.gif