Transcript Lab#4-2

Network Security: Lab#4-2
Packet Sniffers
J. H. Wang
Dec. 2, 2013
Objectives
• To learn to use packet sniffers
– Tcpdump/WinDump
– Wireshark (formerly Ethereal)
– Cain and Abel
Packages Used in this Lab
• Packages
– tcpdump/WinDump
– Wireshark
– Cain and Abel
Experiment Scenario
• To test the basic functions of a packet
sniffer
– Dump packets
– Check packet details: IP, port, protocol, …
– Packet statistics
• To test the vulnerability of some protocols
– Use FTP to login and transfer files
– Use sftp to login and transfer files
Packet Sniffers
• tcpdump/WinDump
• Wireshark
• Cain and Abel
• ettercap
tcpdump
• Homepage: http://www.tcpdump.org/
• Current versions (for Linux):
– tcpdump 4.5.1: a command-line packet analyzer
– libpcap 1.5.1: the C library for network traffic capture that tcpdump (and Wireshark) is built on
• For Windows:
– WinDump 3.9.5:
http://www.winpcap.org/windump/
• Windows version of tcpdump
– WinPcap 4.1.3: http://www.winpcap.org/
• Windows version of libpcap
– A driver for low-level network access
– A library for low-level network analysis
Example Commands
• To display all network adapters
– WinDump -D
• To listen to all traffic in network adapter
#1
– WinDump -i 1
• To listen to all traffic with source or
destination port number 80
– WinDump -i 1 port 80
• To write all captured packets to a file (for later analysis, e.g. in Wireshark)
– WinDump -i 1 -w <file>
• To read packets back from a saved capture file instead of a live adapter
– WinDump -r <file>
Wireshark
• Homepage: http://www.wireshark.org/
• Latest version: 1.10.3 (formerly Ethereal)
• The Windows installer also bundles the current WinPcap library, which it needs for capturing
Example Usage for Wireshark
• To display all network interfaces
– Choose [Capture/Interfaces]
• To start capturing packets
– Click [Start]
• To stop capturing packets
– [Capture/Stop]
• To display statistics about packets
– [Statistics/Summary]
– [Statistics/Protocol Hierarchy]
– [Statistics/Endpoints]
– [Statistics/IO Graphs]
– [Statistics/Flow Graph]
– [Statistics/WLAN Traffic]
Cain and Abel
• Homepage: http://www.oxid.it/cain.html
• Version: 4.9.47
• A “password recovery tool” for Microsoft
operating systems
– Using dictionary, brute-force, cryptanalysis attacks
• A packet sniffer
• Man-in-the-middle attack using ARP spoofing
• Installation steps
– Cain and Abel
– WinPcap 4.1.2 library for packet capturing
• Packet sniffer
– [Configure]: to select the network adapter
– [Filters and Ports]: to select the ports to be monitored
– Right click on the sniffer, then [Scan MAC Address] to list the hosts on the LAN
– ARP Poison Routing (APR): Cain's ARP-spoofing man-in-the-middle, which lets it sniff traffic on a switched LAN
ettercap
• Homepage:
http://ettercap.sourceforge.net/
• Version: 0.8.0-Lacassagne
• Platforms: Linux/FreeBSD/Mac OS X/Windows XP/Solaris
• Man-in-the-middle attack using ARP
spoofing
• It uses libpcap library
• Installation
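The ARP Poison Routing in Cain and Abel and the ARP spoofing in ettercap both work by sending forged ARP replies, so the attack leaves a recognisable trace in a capture. The following is an added example, not code from the lab or from either tool: it builds a few ARP frames inline (the MAC and IP addresses are assumed lab values, not captured data) and flags the two symptoms a poisoned LAN shows in a sniffer, an IP whose MAC suddenly changes and one MAC answering for several IPs.

```python
"""Detect ARP poisoning (Cain's APR / ettercap's ARP spoofing) in raw Ethernet frames.
Added example, not part of the lab: all frames below are constructed inline."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP message for IPv4 over Ethernet (28-byte body)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    body += mac_bytes(target_mac) + bytes(map(int, target_ip.split(".")))
    return eth + body

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def detect_arp_poisoning(frames):
    """Flag the two symptoms APR leaves in a capture: an IP whose MAC changes,
    and one MAC answering for several IPs (the attacker posing as gateway and victim)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue  # requests only ask; the poison is carried in replies
        _, sender_mac, sender_ip = parsed
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(f"MAC change: {sender_ip} was {previous}, now {sender_mac}")
        ip_to_mac[sender_ip] = sender_mac
        if mac_to_ips[sender_mac] and sender_ip not in mac_to_ips[sender_mac]:
            alerts.append(f"{sender_mac} now claims {sender_ip} as well as "
                          + ", ".join(sorted(mac_to_ips[sender_mac])))
        mac_to_ips[sender_mac].add(sender_ip)
    return alerts

# Constructed lab traffic (assumed values): gateway .1, victim .10, attacker MAC ...:ee.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:0a", "00:11:22:33:44:ee"
LEGIT_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp(ARP_REPLY, VICTIM_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),
]
POISONED_FRAMES = LEGIT_FRAMES + [
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),   # "I am the gateway"
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),  # "I am the victim"
]

if __name__ == "__main__":
    for line in detect_arp_poisoning(POISONED_FRAMES):
        print(line)
```

On a real capture the same logic runs over the ARP frames that tcpdump shows with the filter `arp`; the first "MAC change" alert appears the moment APR is started, which is also why static ARP entries or switch-side Dynamic ARP Inspection stop the attack.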
Another Usage of Packet Sniffer:
Vulnerability of FTP
• First, open the packet sniffer
• Second, use FTP to login
– Under [Start], type "cmd"
– ftp 140.124.13.2
– Type in username & password
– bye
• Then, check the username and password in the packet sniffer: FTP sends the USER and PASS commands in cleartext on the control connection (port 21), so they appear verbatim in the capture
Example for sftp
• First, open the packet sniffer
• Second, use psftp to login and transfer files
– Start "psftp"
– open 140.124.13.2
– Type in username & password
– bye
• Then, check whether the username and password can be found in the packet sniffer: sftp runs over SSH (port 22), so only the version banners are readable and the login itself is encrypted
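To make the FTP and sftp comparison above concrete without a live network, here is an added example (not code from the lab, tcpdump or Wireshark) that constructs the two sessions as Ethernet/IP/TCP frames, writes them as a libpcap file of the kind WinDump -w produces and Wireshark opens, and reads the file back the way a sniffer would. The client address 140.124.13.100, the port numbers, the credentials and the SSH banners are all assumed values; the server address is the lab's.

```python
"""What the sniffer sees in the FTP and sftp experiments. Added example, not from the
lab: both sessions are constructed inline and round-tripped through a pcap file."""
import io
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
SERVER = "140.124.13.2"        # the lab's FTP/sftp server
CLIENT = "140.124.13.100"      # assumed address of the lab PC

def ipv4(addr):
    return bytes(map(int, addr.split(".")))

def tcp_segment(src, sport, dst, dport, payload, seq=1, ack=1):
    """Ethernet/IPv4/TCP frame around PAYLOAD; checksums stay zero because the
    reader below never verifies them (neither does tcpdump by default)."""
    eth = bytes.fromhex("0011223344aa") + bytes.fromhex("0011223344bb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     64, 6, 0, ipv4(src), ipv4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(frames):
    """Serialise frames as a little-endian libpcap file (24-byte global header + records)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1385971200 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()

def read_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP segment in the file."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        data_offset = (frame[t + 12] >> 4) * 4
        yield src, sport, dst, dport, frame[t + data_offset:14 + ip_len]

def client_streams(pcap_bytes, dport):
    """Reassemble client->server bytes per connection for one destination port."""
    streams = {}
    for src, sport, dst, port, payload in read_pcap(pcap_bytes):
        if port == dport:
            streams[(src, sport, dst)] = streams.get((src, sport, dst), b"") + payload
    return streams

def readable_lines(pcap_bytes, dport):
    """Printable-ASCII lines in the client streams: what Wireshark's Follow TCP Stream shows."""
    lines = []
    for stream in client_streams(pcap_bytes, dport).values():
        for line in stream.split(b"\r\n"):
            if line and all(32 <= b < 127 for b in line):
                lines.append(line.decode("ascii"))
    return lines

def extract_ftp_logins(pcap_bytes):
    """(client, server, user, password) for every USER/PASS pair on port 21."""
    logins = []
    for (src, _, dst), stream in client_streams(pcap_bytes, 21).items():
        user = password = None
        for line in stream.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                user = line[5:].decode("ascii", "replace")
            elif line[:5].upper() == b"PASS ":
                password = line[5:].decode("ascii", "replace")
        if user is not None:
            logins.append((src, dst, user, password))
    return logins

# Constructed FTP control-channel exchange for the "ftp 140.124.13.2 ... bye" steps.
FTP_PCAP = write_pcap([
    tcp_segment(SERVER, 21, CLIENT, 40001, b"220 FTP server ready\r\n"),
    tcp_segment(CLIENT, 40001, SERVER, 21, b"USER alice\r\n"),
    tcp_segment(SERVER, 21, CLIENT, 40001, b"331 Password required for alice\r\n"),
    tcp_segment(CLIENT, 40001, SERVER, 21, b"PASS s3cret!\r\n"),
    tcp_segment(SERVER, 21, CLIENT, 40001, b"230 Login successful\r\n"),
    tcp_segment(CLIENT, 40001, SERVER, 21, b"QUIT\r\n"),
])
# Constructed psftp session: only the SSH banners are readable; after the key exchange
# every byte is ciphertext (the deterministic junk bytes below stand in for it).
SFTP_PCAP = write_pcap([
    tcp_segment(CLIENT, 40002, SERVER, 22, b"SSH-2.0-PuTTY_Release_0.63\r\n"),
    tcp_segment(SERVER, 22, CLIENT, 40002, b"SSH-2.0-OpenSSH_6.2\r\n"),
    tcp_segment(CLIENT, 40002, SERVER, 22, bytes((i * 37 + 11) % 256 for i in range(64))),
])

if __name__ == "__main__":
    print("FTP  client stream:", readable_lines(FTP_PCAP, 21), extract_ftp_logins(FTP_PCAP))
    print("sftp client stream:", readable_lines(SFTP_PCAP, 22), extract_ftp_logins(SFTP_PCAP))
```

Writing FTP_PCAP to a file and opening it in Wireshark gives the same result as the lab: the USER and PASS lines are in the packet bytes, and the equivalent WinDump filter is `WinDump -r <file> -A port 21`. For the sftp capture the only readable lines are the two SSH version banners.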
Other Examples
• You can also check the vulnerability of the following protocols in the same way
– Telnet vs. ssh
– SMTP vs. SMTPS (with SSL), or SMTP AUTH (note that AUTH PLAIN/LOGIN without TLS only base64-encodes the password, which a sniffer decodes trivially)
– POP3
– …
Summary
• Packet sniffers
– tcpdump/WinDump
– Wireshark
– Cain & Abel
– Ettercap
• Vulnerability of protocols
– FTP