Chap09 Sniffing

CHAPTER 9
Sniffing
DEFINITION

Sniffing is a method by which an attacker compromises the security of a network in a passive fashion, using a sniffer.
A sniffer is a tool (a program or a wire-tap device) that plugs into a computer network and eavesdrops on the network traffic. On a shared medium a host does this by putting its network adapter into promiscuous mode, so that it accepts every frame on the wire instead of only the frames addressed to it.
Sniffers have been around for a long time in two forms. Commercial sniffers are used to help maintain and troubleshoot networks. Underground sniffers are used to break into computers.
THINGS TO SNIFF

The most important thing to sniff is authentication information, for example usernames and passwords.
Following is a sampling of protocols whose network traffic is typically sniffed, especially for passwords, because they carry credentials or access tokens in cleartext:
1. Telnet (Port 23)
2. FTP (Port 21)
3. POP (Port 110)
4. IMAP (Port 143)
5. NNTP (Port 119)
6. rlogin (Port 513)
7. X11 (Port 6000+)
8. NFS File Handles
9. SMTP (Port 25)
10. HTTP (Port 80)
Windows NT Authentication
1. Plaintext
2. LanManager (LM) challenge-response
3. NT LanManager (NTLM) challenge-response
LM and NTLM do not send the password itself, but a sniffed challenge/response pair can be cracked offline, and LM in particular is weak.
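As an added example (not part of the original slides): a small Python credential extractor run over constructed client-to-server payloads for several of the protocols listed above. The sample segments, usernames and passwords are made up. It shows why these protocols are sniffed: the credential is either literally in the clear (FTP, POP3, IMAP) or merely base64-encoded (SMTP AUTH PLAIN, HTTP Basic), which is an encoding, not encryption. Telnet and rlogin are left out because they send keystrokes one at a time and need TCP stream reassembly before the same extraction can be applied.

```python
import base64
import re

# Constructed sample payloads (not real captures): one client-to-server TCP
# segment per protocol, each carrying its login exchange.
SAMPLE_SEGMENTS = [
    (21,  b"USER alice\r\nPASS s3cret\r\n"),                                    # FTP
    (110, b"USER bob\r\nPASS hunter2\r\n"),                                     # POP3
    (143, b'a001 LOGIN carol "pa ss"\r\n'),                                     # IMAP
    (25,  b"AUTH PLAIN " + base64.b64encode(b"\x00dave\x00mailpw") + b"\r\n"),  # SMTP
    (80,  b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
          b"Authorization: Basic " + base64.b64encode(b"erin:webpw") + b"\r\n\r\n"),
]


def _user_pass_lines(text):
    """FTP and POP3 both use 'USER <name>' followed by 'PASS <password>'."""
    user = password = None
    for line in text.splitlines():
        verb, _, rest = line.partition(" ")
        if verb.upper() == "USER":
            user = rest.strip()
        elif verb.upper() == "PASS":
            password = rest.strip()
    return (user, password) if user and password else None


def extract_credentials(dst_port, payload):
    """Return (protocol, username, password) when the segment carries a login
    in the clear (or merely base64-encoded), else None."""
    text = payload.decode("latin-1")
    if dst_port in (21, 110):
        creds = _user_pass_lines(text)
        if creds:
            return ("FTP" if dst_port == 21 else "POP3",) + creds
    elif dst_port == 143:
        # IMAP: <tag> LOGIN <user> <password>; the password may be a quoted string
        m = re.search(r'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))', text, re.M | re.I)
        if m:
            return ("IMAP", m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
    elif dst_port == 25:
        # SMTP AUTH PLAIN: base64(authzid NUL authcid NUL password), per RFC 4616
        m = re.search(r"^AUTH PLAIN (\S+)", text, re.M | re.I)
        if m:
            parts = base64.b64decode(m.group(1)).split(b"\x00")
            if len(parts) == 3:
                return ("SMTP", parts[1].decode(), parts[2].decode())
    elif dst_port == 80:
        # HTTP Basic: base64("user:password"); an encoding, not encryption
        m = re.search(r"^Authorization: Basic (\S+)", text, re.M | re.I)
        if m:
            user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
            return ("HTTP", user, password)
    return None


def harvest(segments):
    """What a password sniffer collects from a list of (dst_port, payload)."""
    found = []
    for port, payload in segments:
        creds = extract_credentials(port, payload)
        if creds:
            found.append(creds)
    return found


if __name__ == "__main__":
    for proto, user, password in harvest(SAMPLE_SEGMENTS):
        print(f"{proto:5} user={user!r} password={password!r}")
```

Each branch matches the exact on-the-wire syntax of its protocol, which is all a sniffer needs once the segments are in hand; the defence is therefore not to hide the syntax but to stop sending the secret at all (see SNIFFING PROTECTION below).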
SNIFFING TECHNIQUES

There are some advanced sniffing techniques that can be used:
Switch Tricks
A switch forwards each frame only to the port behind which the destination MAC address lives, so a host in promiscuous mode on a switched LAN normally sees nothing but its own traffic. Attackers therefore use tricks to make the switch, or the other hosts, deliver traffic to them anyway. They may use the access gained for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform the task. The techniques below are the common ones.
ARP Spoofing
ARP spoofing is a technique used by crackers to sniff frames on a switched LAN, or to stop the traffic on the LAN. The attacker sends forged ARP replies so that victims associate the attacker's MAC address with another host's IP address (typically the default gateway); the switch then delivers the victims' frames to the attacker's port, where they can be read and forwarded on to the real destination. Answering with a non-existent MAC address instead turns the same trick into a denial of service.
ARP Flooding
Here the intruder is trying to see which hosts are active on your network, by sending ARP requests for every address on the subnet. They are not trying to deny service to you, just trying to find out what potential targets are available on your network. This is often a precursor to an attack. Be sure you have your network secured properly.
Routing Games
The attacker manipulates routing so that traffic is sent through a host they control, where it can be intercepted, for example by sending forged ICMP redirects or bogus routing-protocol updates to the victims.
SNIFFING PROTECTION

Password Protection
Authentication protocols that never put the password itself on the wire defeat password sniffing; data-encryption solutions generally also provide for secure authentication.
Examples are the challenge-response authentication of SMB/CIFS (Windows) and the ticket-based Kerberos v5 (UNIX).
Data Protection
SSL
SSL (Secure Sockets Layer, today superseded by its successor TLS) is built into all popular web browsers and web servers. It allows encrypted web surfing, and is almost always used in e-commerce when users enter their credit card information. A sniffer on the path then sees only ciphertext.
Secure Shell (Ssh)
Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels, and so replaces Telnet, rlogin and FTP from the list above.
Switching
A switch forwards each frame only to the port of its destination MAC address, instead of repeating it on every port as a hub does, so a host in promiscuous mode no longer sees other stations' traffic. This stops casual sniffing, but not the ARP spoofing and other switch tricks described above.
VPNs (Virtual Private Networks)
VPNs carry traffic across the Internet inside an encrypted tunnel, so it can still be captured in transit but not read.
Configure Local Network
Replacing your hub with a switch will provide a simple, yet effective defense against casual sniffing.
SNIFFING DETECTION

"ping" method
Most sniffers run on normal machines with a normal TCP/IP stack. This means that if you send a request to these machines, they will respond. The trick is to send a request to the IP address of the machine, but not to its Ethernet adapter: the frame carries a bogus destination MAC address. A network adapter in normal mode discards such a frame in hardware, but one in promiscuous mode passes it up, and the TCP/IP stack, which only checks the IP address, answers the ping. An answer therefore reveals a promiscuous interface.
ARP method
The ARP method is similar to the ping method, but an ARP packet is used instead.
The simplest ARP method transmits an ARP request for the suspect's IP address inside a frame sent to a non-broadcast (bogus) Ethernet address. If a machine responds to such an ARP for its IP address, then it must be in promiscuous mode.
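As an added example (not part of the original slides), the following Python block serves two passages: the ARP Spoofing technique above, and the ARP method of sniffer detection just described (the ping method works on the same principle, with an ICMP echo instead of an ARP request). It builds and parses raw Ethernet/ARP frames with the standard library, shows the forged reply an attacker sends, a watcher that flags the resulting IP-to-MAC conflict, and the misaddressed probe frame that only a promiscuous host will answer. All MAC and IP addresses are constructed, and the bogus probe destination is an assumption: which bogus address slips past a non-promiscuous adapter varies by driver (some check only the first octet), so a real tool tries several.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumed probe destination: one bit off broadcast. An adapter in normal mode
# drops it (not our MAC, not broadcast); a promiscuous adapter hands it to the
# stack, which only looks at the ARP target IP and answers anyway.
PROBE_DST = "ff:ff:ff:ff:ff:fe"


def _mac(s):   return bytes.fromhex(s.replace(":", ""))
def _mac_s(b): return ":".join(f"{x:02x}" for x in b)
def _ip(s):    return bytes(int(o) for o in s.split("."))
def _ip_s(b):  return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II frame (dst, src, type) carrying an RFC 826 ARP packet."""
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet / IPv4 / lengths / opcode
           + _mac(sender_mac) + _ip(sender_ip)
           + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into a dict, or return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": _mac_s(frame[0:6]), "eth_src": _mac_s(frame[6:12]), "op": op,
            "sender_mac": _mac_s(frame[22:28]), "sender_ip": _ip_s(frame[28:32]),
            "target_mac": _mac_s(frame[32:38]), "target_ip": _ip_s(frame[38:42])}


# --- ARP spoofing: the forged reply, and a watcher that notices it ---

def spoofed_reply(attacker_mac, victim_mac, victim_ip, gateway_ip):
    """Unsolicited reply telling the victim that the gateway IP lives at the
    attacker's MAC. The victim's ARP cache is overwritten and its outbound
    traffic is switched to the attacker's port from then on."""
    return build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip,
                     eth_dst=victim_mac)


class ArpWatch:
    """Remembers the first IP->MAC binding seen and flags replies that change it."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return None
        known = self.table.setdefault(a["sender_ip"], a["sender_mac"])
        if known != a["sender_mac"]:
            return f"ARP spoof? {a['sender_ip']} was {known}, now claimed by {a['sender_mac']}"
        return None


# --- ARP method of sniffer detection: the misaddressed probe ---

def promisc_probe(our_mac, our_ip, suspect_ip):
    """ARP request for suspect_ip whose Ethernet destination is neither
    broadcast nor the suspect's own MAC."""
    return build_arp(ARP_REQUEST, our_mac, our_ip, "00:00:00:00:00:00", suspect_ip,
                     eth_dst=PROBE_DST)


def answered_probe(probe, frame):
    """True if `frame` is the suspect's reply to our probe; only a host whose
    adapter passed the misaddressed frame up (promiscuous mode) can send it."""
    p, r = parse_arp(probe), parse_arp(frame)
    if p is None or r is None:
        return False
    return (r["op"] == ARP_REPLY and r["sender_ip"] == p["target_ip"]
            and r["target_ip"] == p["sender_ip"])


if __name__ == "__main__":
    w = ArpWatch()
    w.observe(build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.0.2.1",
                        "aa:bb:cc:dd:ee:01", "192.0.2.10", "aa:bb:cc:dd:ee:01"))
    print(w.observe(spoofed_reply("de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01",
                                  "192.0.2.10", "192.0.2.1")))
    print(parse_arp(promisc_probe("aa:bb:cc:dd:ee:02", "192.0.2.20", "192.0.2.30")))
```

Putting the probe on the wire needs a raw socket (AF_PACKET on Linux, or libpcap) and root, which is deliberately left out so the block runs offline; the frame bytes are exactly what such a socket would send. The watcher only catches spoofing that changes a binding it has already seen, so it should be started before the attacker, or seeded from a known-good ARP table.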
DNS method
Many sniffing programs do automatic reverse DNS lookups on the IP addresses they see. Therefore, a host in promiscuous mode can be detected by watching for the DNS traffic that it generates: send traffic to a decoy IP address that no legitimate host has any reason to resolve, and see who issues a PTR (reverse) query for it. This method can detect dual-homed machines and can work remotely.
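As an added example (not part of the original slides): the DNS-method detector in Python. It decodes the question section of DNS queries seen on the wire and flags any host that issues a PTR query for a decoy address. The decoy address, the query packets and the querying host's address are all constructed; the decoy is taken from the RFC 5737 documentation range so that nothing real ever resolves it.

```python
import struct

QTYPE_PTR = 12


def _encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query (used here only to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (qname, qtype) of the first question in a DNS query, or None.
    Compression pointers are rejected; queries do not use them in the question."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(packet):
        return None
    qtype, = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels), qtype


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address, e.g. 192.0.2.77 -> 77.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class DnsSnifferDetector:
    """Fed every DNS query seen on the segment (source IP, UDP payload), reports
    hosts that reverse-resolve a decoy address only a sniffer would have seen."""
    def __init__(self, decoy_ips):
        self.decoys = {ptr_name(ip): ip for ip in decoy_ips}

    def observe(self, src_ip, packet):
        q = parse_question(packet)
        if q is None or q[1] != QTYPE_PTR:
            return None
        decoy = self.decoys.get(q[0].lower())
        if decoy:
            return f"{src_ip} reverse-resolved decoy {decoy}: likely running a sniffer"
        return None


if __name__ == "__main__":
    # Constructed traffic: after we ping the unused decoy 192.0.2.77, host
    # 192.0.2.5 looks it up, while 192.0.2.6 only resolves an ordinary name.
    det = DnsSnifferDetector(["192.0.2.77"])
    seen = [("192.0.2.5", build_query("77.2.0.192.in-addr.arpa", QTYPE_PTR)),
            ("192.0.2.6", build_query("www.example.com", 1))]
    for src, pkt in seen:
        print(det.observe(src, pkt))
```

In practice the decoy traffic is generated first (for example a TCP connection attempt to the decoy address), and the detector is fed DNS queries captured on the segment or taken from the resolver's query log; the latter is what makes the method work remotely and against dual-homed hosts.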
"source-route" method
Another technique involves configuring the source-route information inside the IP header, so that the packet should only reach the suspect through a hop that will not forward it; a suspect that answers anyway read the packet off the wire. This can be used to detect sniffers on other, nearby segments.
"latency" method
This is a more aggressive method. On one hand, it can significantly degrade network performance. On the other hand, it can 'blind' sniffers by sending too much traffic.
This method functions by sending huge quantities of network traffic on the wire while timing the suspect's responses to ordinary pings: a host in promiscuous mode has to process every frame, so its response time rises noticeably under the load, while a host in normal mode is barely affected.
SNIFFER DETECTORS

AntiSniff
The most comprehensive sniffer-detection tool (from L0pht); it automates the ping, ARP, DNS, source-route and latency methods above.
CPM (Check Promiscuous Mode)
A tool from Carnegie Mellon that checks to see if promiscuous mode is enabled on a UNIX machine.
neped
A tool from The Apostols that detects sniffers running on the local segment.