Eastern Michigan University


1
Eastern Michigan University
Asad Khailany, Eastern Michigan University
Dmitri Bagatelia, Eastern Michigan University
Wafa Khorsheed, Eastern Michigan University
Do You Want to Become a Hacker?
- Now you can get an MS degree specializing in hacking techniques from a university in Paris, France.
- Do not miss this golden opportunity!
- Soon you will see your institution also offer a degree in hacking techniques.
2
ABSTRACT
- Computers on the network normally only listen to communications destined for them.
- However, when they enter promiscuous mode they can listen to all communications, whether destined for them or not.
- Computers are put into promiscuous mode by installing a software package known as a packet sniffer.
3
ABSTRACT - 2
- Sniffers are the best tools for hackers to attack computers.
- Network administrators use sniffers for network troubleshooting and security analysis. Many sniffing and anti-sniff packages are available on the Internet for download.
- This paper discusses sniffing and anti-sniffing, their advantages and disadvantages, and presents some recommendations to make network systems and their data more secure.
4
INTRODUCTION
For a computer to be able to listen to all communications on the network, it must be in a multi-partner mode. Such a mode is known as promiscuous mode.
- Through packet sniffers, computers can be switched into promiscuous mode.
- Attackers love packet sniffers.
- Sniffers are valuable tools needed by network administrators to do network troubleshooting, to perform network security analysis, and to measure the performance of the network system.
5
INTRODUCTION - 2
- Sniffers are used by law enforcement agencies to monitor network systems.
- Anti-sniff packages are available to determine whether or not a suspected remote computer is listening in to all communications on the network.
- Several methods utilized by anti-sniff packages to identify suspected computers on the network are discussed in this paper.
6
What are sniffing packages used for?
- Sniffing packages are used for network traffic analysis to:
1. Identify the type of network application used.
2. Identify the hosts using the network.
3. Identify the bottlenecks.
4. Capture data: sniffing packages are used for troubleshooting of network applications.
5. Create network traffic logs.
7
More usages of sniffing packages
- Gathering private data such as passwords, credit card information, email messages, etc.
- Establishing a connection with senders while using authentication provided by the receiver.
- Modifying and resending data to recipients.
8
SNIFFERS AND NETWORK ARCHITECTURES
- Sniffing is possible because most network architectures use a shared medium and protocols that presume only the intended computer receives and reads the message.
9
Case: Ethernet architecture
[Figure: Computers A, B, C and D on one shared Ethernet line; Computer A sends a message to Computer C]
Computer A sends a message to Computer C. Since all computers share the same line, Computers B and D can listen to the message if they are in promiscuous (multi-partner) mode. In this case the message was not changed, but privacy was compromised, since the data was only copied and not modified.
10
Case: Routed network
A routed protocol means that a sent message might be handled by several hosts. Any of the hosts can copy the message, or change the message and forward it to other hosts. The final recipient of the message will never know that the message was modified. Thus the security risk taken in a routed protocol is much greater than in the Ethernet architecture.
11
DIFFERENT METHODS FOR DETECTING ACTIVE SNIFFERS
- Theoretically it is impossible to detect active sniffers if they only listen without sending anything, i.e. if they are in passive mode. Practically, there are some methods that can be used to identify suspected computers that are trying to listen to messages not intended for them.
- Some popular methods to identify suspected computers are:
12
1. PING METHOD.
- A computer is uniquely identified on the network by the serial number of its network interface card. This hardware address is called the MAC (Media Access Control) address.
- A sniffer always turns off the MAC filter on its host device, so it can receive all messages, whether intended for that device or not.
13
1. PING METHOD.
How to identify suspected computers?
- Send a message to the suspected device using a wrong MAC address and the correct IP address. The device should not respond if it has its MAC address filter on, but if it runs in promiscuous mode it will respond to the message. Thus a computer that is listening is identified.
New problems to be solved:
- The newer sniffer devices/programs have built-in filters, which prevent such responses.
14
2. ARP: Address Resolution Protocol METHOD.
ARP is a TCP/IP protocol that maps an IP address to a physical address. The ARP method uses ARP packets. On a network, when a computer sends an ARP request to the broadcast address, all the computers that see that request send an ARP answer with their IP-to-MAC address mapping.
How are suspected computers identified?
If such a request is sent to a regular, non-broadcast address, there should not be any reply; if a reply is received, that computer will be a suspected sniffer device.
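The ping method and the ARP method above rest on the same mechanism: a probe addressed to the correct IP but a wrong destination MAC is discarded by a normal NIC's hardware filter and only reaches the IP/ARP stack of a host whose NIC is promiscuous. The following Python model is an added example, not code from the slides or from any anti-sniff package; the MACs and IP addresses are constructed, and the `software_filter` flag models the newer sniffers with built-in filters that the ping slide says defeat the check.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "00:00:00:00:00:01"      # constructed: belongs to no host on the segment
PROBER_MAC = "00:aa:bb:cc:dd:ee"     # constructed MAC of the anti-sniff station

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str   # IP the ICMP echo (or the ARP request's target) is addressed to

class Host:
    """Constructed host model: the NIC's MAC filter sits in front of the IP/ARP stack."""
    def __init__(self, mac, ip, promiscuous=False, software_filter=False):
        self.mac, self.ip = mac, ip
        self.promiscuous = promiscuous          # sniffer installed: hardware MAC filter off
        self.software_filter = software_filter  # newer sniffer: re-checks dst MAC in software

    def nic_accepts(self, f):
        # A normal NIC passes up only frames for its own MAC or the broadcast address
        return self.promiscuous or f.dst_mac in (self.mac, BROADCAST)

    def stack_replies(self, f):
        # The stack answers only if the IP is its own; a filtering sniffer also
        # drops frames whose MAC does not match, which hides the promiscuous NIC
        if f.dst_ip != self.ip:
            return False
        if self.software_filter and f.dst_mac not in (self.mac, BROADCAST):
            return False
        return True

    def replies_to(self, f):
        return self.nic_accepts(f) and self.stack_replies(f)

def probe(hosts):
    """Ping/ARP method: unicast a probe to each host's correct IP but the bogus MAC;
    only a host whose NIC is promiscuous (and not software-filtered) answers."""
    return sorted(h.ip for h in hosts if h.replies_to(Frame(BOGUS_MAC, PROBER_MAC, h.ip)))

def demo():
    hosts = [Host("00:11:22:33:44:01", "10.0.0.11"),                            # normal host
             Host("00:11:22:33:44:02", "10.0.0.12", promiscuous=True),          # older sniffer
             Host("00:11:22:33:44:03", "10.0.0.13", promiscuous=True, software_filter=True)]
    return probe(hosts)   # returns ['10.0.0.12']: the filtering sniffer evades the check
```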
15
3. DNS METHOD.
The DNS method works on the assumption that many attackers use IP addresses to find DNS names. Most sniffer programs have a feature to do a reverse DNS lookup using an IP to get the hostname.
How are suspected computers identified?
An anti-sniff package places itself in promiscuous mode and sends a message to fictitious hosts such as charge BankC.com. The addresses of all computers that issue reverse lookup requests referencing the fictitious hosts are flagged as suspected computers.
16
4. SOURCE-ROUTE METHOD
The IP header has a loose source routing option. Routers ignore the destination IP address and instead forward the message to the next IP in the source-route option.
How to identify suspected computers?
Turn off packet routing on a specific computer, and the packet should be dropped at that computer. A computer that sniffs messages responds to such a message even though the packet was dropped on the computer where routing was turned off.
For instance, you send a message from computer A to computer B, but you route it through computer C first. If you turn off packet routing on computer C, then the packet should be dropped. Thus, if computer B responds to such a message, which was dropped at C, it means computer B sniffed the message.
17
5. DECOY METHOD.
This method sets up a "victim" computer that will repeatedly run a script to log in to a remote server using a dummy account with no real permissions, and tries to find any hacker who uses that dummy account to log in to the remote server.
How to identify suspected computers?
- Set up a "victim" computer that will repeatedly run a script to log in to a remote server using a dummy account with no real permissions.
- Any hacker who gets such login information tries to log in to the remote server.
- Any login attempt not originating from the "victim" computer indicates that someone was sniffing on your network and stole that account information.
6. OTHER METHODS.
There are many more methods that can be used to detect sniffing activities. None works 100% of the time, because hackers already know them and try to work around those detection methods.
One of the best software packages that uses all the above methods to find sniffing activities is the AntiSniff package (http://www.securitysoftwaretech.com/antisniff/).
19
Protocols targeted for sniffing by hackers
Protocols that transmit data in plain text format make it easy for hackers to get what they want. Some of the protocols targeted for sniffing are:
1. telnet
2. rlogin (user sessions and passwords)
3. HTTP (passwords, web-based emails)
4. Simple Network Management Protocol (passwords)
5. Network News Transfer Protocol (passwords)
6. Post Office Protocol (passwords, emails)
7. File Transfer Protocol (passwords)
8. Internet Message Access Protocol (passwords, emails).
20
METHODS TO ENFORCE NETWORK SECURITY
Switched network
- Use of a switched network eliminates the use of a shared wire.
- The switch knows the location of every device on the network, and sends data directly to the intended recipient without transmitting the message all over the network.
The diagram in the next slide compares two networks of computers, one interconnected by a hub and the other interconnected by a switch.
21
Switch And Hub Networks
[Figure: two diagrams, "Hub" and "Switch", each connecting Computers A, B and C; the label "Message to Computer C" shows where a message from Computer A appears in each network]
Hubs send communications to all connected computers. A switch, on the other hand, remembers which computer is connected to which port on the switch, thus it forwards a message only to one computer.
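To make the hub-versus-switch comparison concrete, this added Python model (not code from the slides) simulates a hub and a learning switch with constructed MACs A to D, one per port, and checks whether a promiscuous host on port 4 sees a frame from A to C. It also shows the caveat that matters to a defender: until the switch has learned C's port, the frame is still flooded to every port, so a switch narrows but does not remove the exposure.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Constructed model: a hub repeats every frame out of every other port."""
    def __init__(self, ports):
        self.ports = ports                     # port number -> MAC of the attached host

    def forward(self, in_port, src, dst):
        return sorted(p for p in self.ports if p != in_port)

class Switch:
    """Constructed model of a learning switch: it records which port each source MAC
    arrived on and sends a frame only to the learned port of its destination."""
    def __init__(self, ports):
        self.ports = ports
        self.table = {}                        # MAC -> port, filled in as frames arrive

    def forward(self, in_port, src, dst):
        self.table[src] = in_port              # learn where the sender is attached
        if dst != BROADCAST and dst in self.table:
            return [self.table[dst]]           # unicast: only the recipient's port
        return sorted(p for p in self.ports if p != in_port)   # unknown: flood like a hub

def visible_to(device, in_port, src, dst, sniffer_port):
    """True if a frame from src to dst is copied to the port of a promiscuous host."""
    return sniffer_port in device.forward(in_port, src, dst)

def demo():
    ports = {1: "A", 2: "B", 3: "C", 4: "D"}   # constructed: one host per port, MACs A..D
    hub, switch = Hub(ports), Switch(ports)
    hub_sees = visible_to(hub, 1, "A", "C", 4)       # hub: D sees A->C every time
    first = visible_to(switch, 1, "A", "C", 4)       # switch: C unknown yet, so flooded
    switch.forward(3, "C", "A")                      # C answers; switch learns port 3
    later = visible_to(switch, 1, "A", "C", 4)       # now A->C goes to port 3 only
    return hub_sees, first, later   # returns (True, True, False)
```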
22
Data encryption Method:
- This is one of the oldest security routines used to enforce security.
- Many software algorithms and software packages are available to encrypt data.
- You can encrypt your messages before sending them, e.g. PGP (Pretty Good Privacy) is used to encrypt email messages.
- You can choose a secure protocol with built-in encryption schemes, e.g. SSH (Secure Shell) instead of telnet or rlogin.
23
Some disadvantages of encrypting over plain text messages
- Encrypting increases the message size as well as the response time, since the message has to be not only encrypted on one end, but also decrypted by the recipient on the other end.
- It might not be a reasonable solution for some setups that require very fast response times.
24
Some important usages of sniffing methods:
Sniffing methods can be used for:
- Network management.
- Traffic analysis, which can identify who is using what network resource in what way. For instance, you can identify the users who use most of your bandwidth, then find out whether they use it for a legitimate purpose or not.
- Because most network applications use fixed port numbers, you can filter traffic and identify the software being used.
- Maximizing network performance.
25
More usages of sniffing methods:
- Not all packet capturing is intended to compromise security. For instance, while programming a network application, programmers might want to see the network traffic that the local computer generates, so that troubleshooting of the application can go much faster.
- It is also possible to use a sniffer to create a log of all network traffic, to serve as evidence in case security is compromised on some other system on the network. Those logs can be used to track down the intruders and to support legal action to bring those hackers to justice.
26
CONCLUSION
- The security threat that sniffers pose can be minimized using a combination of switched networks and encryption.
- Sniffers can sometimes be detected using sniffing detection software.
- Network professionals have used sniffers for a long time to manage networks, identify problems and monitor the usage of network resources.
- Hackers utilize sniffing packages to attack networked computers and steal information.
- It may be impossible to make sure that no one uses sniffing packages against you, but it is important to make sure that unauthorized
27
REFERENCES.
1. Web Server Security & Maintenance, by Eric Larson & Bruan
2. http://lin.fsid.cvut.cz/~kra/index.html
3. http://www.eeye.com/
4. http://neworder.box.sk/
5. http://www.securitysoftwaretech.com/
6. http://www.winsniffer.com/
7. http://www.snifferpro.co.uk/
8. http://stein.cshl.org/~lstein/talks/WWW6/sniffer/
9. http://www.atstake.com/
28
10. http://www.swrtec.de/clinux/