LAN Structure - FTP Gunadarma


Sniffing
Introduction
• Sniffing is passively eavesdropping on the network.
• A way for hackers to gain information on the network, e.g.
– Username
– Password
• Can also be used as an investigating technique.
LAN Structure
• Computers and network devices such as printers are interconnected by a shared transmission medium.
• Cabling system
– Twisted-pair cable
– Coaxial cable
– Optical fiber
[Figure 6.10: panels (a) and (b); labels: Ethernet, Processor, RAM, ROM]
• LAN standards define physical layer protocols
– Specify the physical properties of the cabling or wireless system, e.g.
• Connectors
• Maximum cable lengths
• Digital transmission system
• Modulation
• Line code
• Transmission speed
• Computer and network devices are connected to the cabling system through
– Network interface card (NIC) or
– LAN adapter card
• NIC card
– Coordinates the transfer of information between the computer and the network.
– Transfers information in parallel format to and from the RAM of the computer.
– Transfers information in serial format to and from the network.
– Functions
• Parallel-to-serial conversion
• Data buffering
– Components
• Port that meets the connector and transmission specifications.
• ROM containing firmware that allows the NIC to implement the MAC protocol.
– The NIC is assigned a unique physical address burned into the ROM
• First three bytes specify the card vendor
• Remaining bytes specify a unique number for that vendor
– Contains hardware that allows it to recognize
• Its physical address
• The broadcast address
• Multicast addresses that direct frames to groups of stations
– Can be set to run in “promiscuous” mode, where it listens to all transmissions.
• Used by system administrators to troubleshoot the network.
• Used by hackers to intercept unencrypted passwords and other information.
LAN Topology
                    10Base5       10Base2       10BaseT       10BaseF
Medium              Thick coax    Thin coax     Twisted pair  Optical fiber
Max segment length  500 m         200 m         100 m         2 km
Topology            Bus           Bus           Star          Point-to-point link
• The original standard specified 10Base5
– Made use of thick (10mm) coaxial cable operating at a data rate of 10Mbps.
– Max. segment length of 500 meters.
– Uses Manchester coding.
– Requires a transceiver to attach the NIC card to the coaxial cable.
• 10Base2
– Uses thin (5mm) coaxial cable.
– Operates at 10Mbps with a maximum segment length of 200 meters.
– Uses T-shaped BNC junctions.
– 10Base5 and 10Base2 segments can be combined through the use of a repeater that forwards the signals from one segment to the other.
[Figure 6.55: panels (a) and (b); label: transceivers]
• 10BaseT
– Uses two unshielded twisted pairs of copper wires operating at 10Mbps.
– The advantage of twisted pair is its low cost and its prevalence in existing office wiring (for telephone).
– Connected to a hub.
– Star topology.
– Uses the CSMA-CD protocol.
– The star topology of 10BaseT provides three approaches to operating the LAN.
• First approach
– The hub monitors all transmissions from the stations.
– When there is only one transmission, the hub repeats the transmission on the other lines.
– If there is a collision, the hub sends a jamming signal to all the stations.
– This action causes the stations to implement the backoff algorithm.
– The stations are said to be in the same collision domain.
• Second approach
– Operating the hub as an Ethernet switch.
– Each input port buffers incoming transmissions.
– The incoming frames are examined and transferred to the appropriate outgoing ports.
– Each incoming line is in its own collision domain, so collisions will not occur if only a single station is attached to a line.
– It is possible to have several stations share an input line using another hub.
• Third approach
– Stations transmit in full-duplex mode.
– Each port in the switch has only a single station attached to it.
– Introducing a dedicated transmission line for each direction enables transmissions to take place in both directions simultaneously without collisions.
– The stations can continue to operate the CSMA-CD algorithm, but they will never encounter collisions.
[Figure 6.56: (a) single collision domain; (b) high-speed backplane or interconnection fabric]
• Fast Ethernet
– The IEEE 802.3u standard was approved in 1995 to provide Ethernet LANs operating at 100Mbps (fast Ethernet).
– To maintain compatibility with the old standard, the frame format, interfaces, and procedures have been kept the same.
– When the transmission speed is increased from 10Mbps to 100Mbps, the packet transmission time is reduced by a factor of 10.

                    100BaseT4                            100BaseT                            100BaseF
Medium              Twisted pair, Cat 3 UTP, four pairs  Twisted pair, Cat 5 UTP, two pairs  Optical fiber, multimode, two strands
Max segment length  100 m                                100 m                               2 km
Topology            Star                                 Star                                Star
How do sniffers work?
• A packet sniffer is a program that eavesdrops on the network traffic.
• It captures data as it passes across the network.
• Normal condition
– Data is placed in frames for the local area network.
– Each frame is addressed to a particular MAC (media access control) address.
– Each network interface card (NIC) and network device has a unique MAC address.
– Usually the MAC address is not allowed to be changed.
– The NIC only receives packets destined to its specific MAC address; all other packets are ignored.
• Promiscuous mode
– When the NIC is in promiscuous mode, it will pass the data from every frame to the protocol stack regardless of the MAC address.
[Figure: layout of an HTTP request on the wire]
Ethernet header (source and destination physical addresses; network protocol type) | IP header (source and destination IP addresses; transport protocol type) | TCP header (source and destination port numbers) | HTTP request | Frame check sequence
Writing a Simple Sniffer
• Call sequence of the sniffer: socket() → bind() → set promiscuous mode → recvfrom()

Socket calls for connection-oriented communication (just to refresh your memory)
• Server: socket() → bind() → listen() → accept() (blocks until the server receives a connect request from the client) → read() → write() → close()
• Client: socket() → connect() (connect negotiation) → write() (data) → read() (data) → close()

Socket calls for connectionless communication (just to refresh your memory)
• Server: socket() → bind() → recvfrom() (blocks until the server receives data from the client) → sendto() → close()
• Client: socket() → bind() → sendto() (data) → recvfrom() (data) → close()
int socket(int family, int type, int protocol)
• Creates an endpoint for communication.
• family identifies the address or protocol family.
• We are only concerned with AF_INET.
• type identifies the semantics of communication
– SOCK_STREAM
• Sequence of bytes; does not preserve message boundaries.
– SOCK_DGRAM
• Blocks of bytes called datagrams.
– SOCK_RAW
• Access to the internal network interface (superuser).
– SOCK_PACKET
• To get Ethernet packets (Linux).
• protocol identifies the protocol (0 = default)
– SOCK_STREAM, AF_INET (TCP)
– SOCK_DGRAM, AF_INET (UDP)
– ETH_P_ALL
• Get all Ethernet packets.
int bind(int sd, struct sockaddr *name, int namelen)
• Assigns an address to the socket.
• sd is the socket descriptor returned by the socket call.
• name is a pointer to an address structure.
• namelen is the size of the address structure.
• Note: for a TCP or UDP connection, usually the sockaddr_in structure is used to assign the values; sockaddr is just for casting purposes.

    struct sockaddr {
        sa_family_t sa_family;   /* address family */
        char        sa_data[14]; /* up to 14 bytes of direct address */
    };

• sa_family = AF_INET
• sa_data = name of the interface
• In our sniffer, sockaddr is used to assign the value.
• ioctl operation
– Has traditionally been the system interface for operations that do not fit the other socket calls.
– Used in network programming for
• Obtaining interface information.
• Setting the interface configuration.
• Accessing the routing table.
• Accessing the ARP cache.
– Here we will use this function to set the network interface to promiscuous mode.
int ioctl(int fd, int request, ... /* void *arg */);
• fd: sockfd
• request: type of the request
– SIOCGIFFLAGS
• Returns the interface flags in the ifr_flags member
– SIOCSIFFLAGS
• Sets the interface flags from the ifr_flags member
• arg: address of an ifreq record
recvfrom(sockfd, buf, sizeof(buf), …)
– Gets the next available packet.
• Here is the code for a simple sniffer (from Chapter 9 of “Hack Proofing Your Network”).
– The sniffer can then examine the data and pick off interesting information.
• Header information.
• Usernames and passwords.
– Common application protocols that hackers are interested in:
• telnet (port 23)
• ftp (port 21)
• POP (port 110)
• IMAP (port 143)
• NNTP (port 119)
• rexec (port 512)
• rlogin (port 513)
• X11 (port 6000+)
– Magic cookie
• NFS file handles
• Windows NT authentication
• SMTP (port 25)
• HTTP (port 80)
– It can also watch TCP, IP, UDP, ICMP, ARP, and RARP.
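The frame layout shown earlier (Ethernet header, IP header, TCP header, payload) and the list of cleartext protocols just above are what any monitoring tool, a password sniffer or an IDS alike, walks through for every frame. The following C code is an added example, not the book's sniffer: it decodes one constructed frame held in a byte array (no capture and no promiscuous socket involved), bounds-checks each layer so a truncated capture cannot over-read, and reports whether the destination port belongs to one of the cleartext protocols listed above. The names `struct flow`, `parse_frame` and `cleartext_proto_name` are mine.

```c
#include <stdint.h>
#include <string.h>
/* Decoded addressing of one captured frame (hypothetical struct, not from the book). */
struct flow {
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint8_t  ip_proto;              /* 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;    /* 0 when not TCP/UDP */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
/* Walks Ethernet -> IPv4 -> TCP/UDP headers in the order the figure shows. Returns 0 on
 * success, -1 if the frame is truncated or not IPv4; each layer is bounds-checked first. */
int parse_frame(const uint8_t *f, size_t len, struct flow *out)
{
    if (len < 14 || be16(f + 12) != 0x0800) return -1;  /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* IHL counts 32-bit words */
    if (ihl < 20 || rem < ihl) return -1;
    out->ip_proto = ip[9];
    out->src_ip = be32(ip + 12);
    out->dst_ip = be32(ip + 16);
    out->src_port = out->dst_port = 0;
    if (out->ip_proto == 6 || out->ip_proto == 17) {    /* TCP and UDP both start with ports */
        if (rem - ihl < 4) return -1;
        out->src_port = be16(ip + ihl);
        out->dst_port = be16(ip + ihl + 2);
    }
    return 0;
}

/* Names the cleartext protocols the slides list as sniffer targets; NULL otherwise. */
const char *cleartext_proto_name(uint16_t port)
{
    switch (port) {
    case 21: return "ftp";    case 23: return "telnet";  case 25: return "smtp";
    case 80: return "http";   case 110: return "pop3";   case 119: return "nntp";
    case 143: return "imap";  case 512: return "rexec";  case 513: return "rlogin";
    default: return (port >= 6000 && port < 6064) ? "x11" : NULL;  /* X11 display range */
    }
}

/* Constructed sample frame: TCP SYN from 192.168.1.10:40000 to 192.168.1.20:23. */
const uint8_t sample_frame[] = {
    0xaa,0xaa,0xaa,0xaa,0xaa,0xaa, 0xbb,0xbb,0xbb,0xbb,0xbb,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 192,168,1,10, 192,168,1,20,  /* IPv4 */
    0x9c,0x40, 0x00,0x17, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0    /* TCP */
};
```

On a real capture the same `parse_frame` call runs on each buffer returned by recvfrom(); a non-NULL name from `cleartext_proto_name` is the condition under which a password sniffer would start saving payload, and equally the condition a defender would alert on.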
What can a sniffer do?
• Determine the local gateway of an unknown network via passive sniffing.
• Become a simple password sniffer
– Parsing each application protocol and saving interesting information.
• Output all requested URLs sniffed from HTTP traffic and analyze them offline.
• Send URLs sniffed from a client to your local Netscape browser for display.
– Intercept packets from a target host by forging ARP replies.
– Flood the local network with random MAC addresses
• Causes some switches to fail open in repeating mode.
Detection of Quiet Sniffers
• Properties
– Collects data only
– Does not respond to any of the information
– Does not generate its own traffic
• Requires physical checking
– Ethernet connections
– Check the configuration of the network card, e.g. ifconfig -a
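The ifconfig -a check above reads the PROMISC flag that the SIOCGIFFLAGS ioctl described earlier returns in ifr_flags. As an added example (not from the slides or the book), this Linux C program performs the same read-only check programmatically so it can be scripted across hosts; it never issues SIOCSIFFLAGS. The default interface name "eth0" and the function names are my assumptions.

```c
#define _DEFAULT_SOURCE
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pure decode of an interface flag word: 1 if IFF_PROMISC is set, else 0. */
int flags_are_promisc(short flags)
{
    return (flags & IFF_PROMISC) ? 1 : 0;
}

/* Reads one interface's flags with SIOCGIFFLAGS, the same ioctl the slides use
 * (together with SIOCSIFFLAGS) to switch promiscuous mode on; here it is read-only.
 * Returns 1 if the interface is promiscuous, 0 if not, -1 on error (unknown
 * interface, or no permission to open a socket). */
int iface_is_promisc(const char *ifname)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);      /* any socket serves as the ioctl handle */
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);  /* ifr_name is IFNAMSIZ bytes, NUL-padded */
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr);
    close(fd);
    return rc < 0 ? -1 : flags_are_promisc(ifr.ifr_flags);
}

int main(int argc, char **argv)
{
    /* "eth0" is an assumed default; pass the real interface name as argv[1]. */
    const char *ifname = argc > 1 ? argv[1] : "eth0";
    int r = iface_is_promisc(ifname);
    if (r < 0) { perror(ifname); return 1; }
    printf("%s: %s\n", ifname, r ? "PROMISC set (possible sniffer)" : "not promiscuous");
    return 0;
}
```

Like ifconfig, this only sees a flag the local kernel reports, so a host whose kernel or ifconfig binary has been tampered with can hide the flag; the network-side tests in the next slide exist for that case.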
Detection of Malicious Sniffers
• DNS Test
– Create numerous fake TCP connections.
– Expect a poorly written sniffer to
• pick up on those connections, and
• resolve the IP addresses of the nonexistent hosts.
– When a reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the nonexistent host.
• Ping Test
– Construct an ICMP echo request
• Set the IP address to that of the suspected host.
• Deliberately choose a mismatched MAC address.
– Most systems will ignore this packet since its hardware address is wrong.
– On some systems, if the NIC is in promiscuous mode, the sniffer will grab this packet as a legitimate packet and respond accordingly.
– If the suspected host replies to our request, we know that it is in promiscuous mode.
– Clever attackers are of course aware of this and update their sniffers to filter out these packets.
• ICMP Ping Latency Test
– Ping the suspected host and take the round trip time.
– Create a lot of fake TCP connections.
– We expect the sniffer to be processing those packets, so the latency will increase.
– Ping the suspected host again to see if the round trip time has increased.
• ARP Test
– Send out an ARP request to the suspect host with all valid information except a bogus destination MAC address.
– A machine that is not in promiscuous mode would never see the packet.
– If a machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply.
Sniffer Countermeasures
• The best countermeasure for a sniffer is not to allow the hacker to have access to your systems.
• Use switches instead of hubs.
– With a hub, all traffic is shown to each system on the LAN.
– In a switched environment, frames are shown only to the interface where the MAC address actually resides.
[Figure: a frame addressed to aa:aa:aa:aa:aa:aa on a LAN with stations T1 (MAC aa:aa:aa:aa:aa:aa), T2 or the hacker (MAC bb:bb:bb:bb:bb:bb) and T3 (MAC cc:cc:cc:cc:cc:cc)]
(a) Hub, all NICs in normal mode: T1 accepts the frame; T2 and T3 ignore it.
(b) Hub, hacker’s NIC in promiscuous mode: T1 accepts the frame; the hacker’s host also accepts it; T3 ignores it.
(c) Switch: only T1 receives the frame; the hacker and T3 receive no frame.
– However, some new sniffers have the capability to sniff on switched networks.
• The best way to avoid damage by sniffers is not to pass usernames and passwords over the network in clear text.
– Encryption is the key idea.
– Use SSH instead of telnet.
– Use HTTPS instead of HTTP.
– Use SCP and SFTP for file transfer.
Advanced Sniffing Techniques
• Is a switch really safe?
– Switches keep an internal list of the MAC addresses of the hosts that are on their ports.
– Traffic is sent to a port only if the destination host is recorded as being present on that port.
– Attackers have created new methods to get around these technology advancements.
• ARP Spoofing
– It is possible to overwrite the ARP cache on many operating systems.
– It is possible to associate the hacker’s MAC address with the default gateway’s IP address.
– This causes all outgoing traffic from the target host to be transmitted to the hacker’s host.
– The hacker can also forge ARP replies.
• The Dsniff sniffer by Dug Song includes a program named “arpredirect” for exactly this purpose.
• ARP Flooding
– A switch must keep a table of all MAC addresses that appear on each port.
– If a large number of addresses appear on a single port, some switches begin to send all traffic to that port.
– The Dsniff sniffer includes a program named “macof” that facilitates the flooding of a switch with random MAC addresses.
• Routing Games
– Change the routing table of the host you wish to monitor
• All traffic on a network will pass through your host
– Send a fake route advertisement message via the Routing Information Protocol (RIP).
– Declare yourself as the default gateway.
– Enable IP forwarding, with the default gateway set to the real network gateway.
– All outbound traffic from the host will pass through your host and on to the real network gateway.
– Return traffic cannot be received.
Some common sniffers
• Tcpdump
– http://www.tcpdump.org
• Hunt
– http://www.cri.cz/kra/index.html
• Linux-Sniff
– http://packetstorm.securify.com
• Sniffit
– http://rpmfind.net/linux/RPM/freshmeat/sniffit/index.html
• Ethereal
– http://ethereal.zing.org
• Snort
– http://www.snort.org
• Karpski
– http://mojo.calyx.net/~btx/karpski.html
• Gnusniff
– http://www.ozemail.com.au/~peterhawkins/gnusniff.html
• Dsniff
– http://www.monkey.org/~dugsong
Reference
• Kevin L. Poulsen, “Hack Proofing Your Network: Internet Tradecraft”, Chapter 9, pp. 260-284.