Transcript Lab#4-2

Network Security: Lab#4-2
Packet Sniffers
J. H. Wang
Jun. 2, 2011
Objectives
• To learn to use packet sniffers
– Tcpdump/WinDump
– Wireshark (formerly Ethereal)
– Cain and Abel
Packages Used in this Lab
• Packages
– tcpdump/WinDump
– WireShark
– Cain and Abel
Experiment Scenario
• To test the basic functions of a packet sniffer
– Dump packets
– Check packet details: IP, port, protocol, …
– Packet statistics
• To test the vulnerability of some protocols
– Use FTP to login and transfer files
– Use sftp to login and transfer files
Packet Sniffers
• tcpdump/WinDump
• Wireshark
• Cain and Abel
• ettercap
tcpdump
• Homepage: http://www.tcpdump.org/
• Current version (for Linux):
– tcpdump 4.1.1: a powerful command-line packet analyzer
– libpcap 1.1.1: the C/C++ library for network traffic capture that tcpdump is built on
• For Windows:
– WinDump 3.9.5: http://www.winpcap.org/windump/
• Windows version of tcpdump
– WinPcap 4.1.2: http://www.winpcap.org/
• Windows version of libpcap
– A driver for low-level network access
– A library for low-level network analysis
Example Commands
• To display all network adapters
– WinDump -D
• To listen to all traffic in network adapter #1
– WinDump -i 1
• To listen to all traffic with source or destination port number 80
– WinDump -i 1 port 80
• To read and display the packets saved in a capture file
– WinDump -r <file>
Wireshark
• Homepage: http://www.wireshark.org/
• Latest version: 1.4.6 (formerly Ethereal)
• Also includes WinPcap library 4.1.2
Example Usage for Wireshark
• To display all network interfaces
– Choose [Capture/Interfaces]
• To start capturing packets
– Click [Start]
• To stop capturing packets
– [Capture/Stop]
• To display statistics about packets
– [Statistics/Summary]
– [Statistics/Protocol Hierarchy]
– [Statistics/Endpoints]
– [Statistics/IO Graphs]
– [Statistics/Flow Graph]
– [Statistics/WLAN Traffic]
Cain and Abel
• Homepage: http://www.oxid.it/cain.html
• Version: 4.9.40
• A “password recovery tool” for Microsoft operating systems
– Using dictionary, brute-force, cryptanalysis attacks
• A packet sniffer
• Man-in-the-middle attack using ARP spoofing
• Installation steps
– Cain and Abel
– WinPcap 4.1.2 library for packet capturing
• Packet sniffer
– [Configure]: to select the network adapter
– [Filters and Ports]: to select the ports to be monitored
– Right click on sniffer, then [Scan MAC Address]
– ARP Poison Routing (APR)
ettercap
• Homepage: http://ettercap.sourceforge.net/
• Version: NG-0.7.3
• Platforms: Linux/FreeBSD/Mac OS X/Windows XP/Solaris
• Man-in-the-middle attack using ARP spoofing
• It uses libpcap library
• Installation
Another Usage of Packet Sniffer:
Vulnerability of FTP
• First, open the packet sniffer
• Second, use FTP to login
– Under [Start], type “cmd”
– ftp 140.124.13.2
– Type in username & password
– bye
• Then, check the username and password in packet sniffer
Example for sftp
• First, open the packet sniffer
• Second, use psftp to login and transfer files
– Start “psftp”
– open 140.124.13.2
– Type in username & password
– bye
• Then, check the username and password in packet sniffer
Other Examples
• You can also check the vulnerability for the following protocols
– Telnet vs. ssh
– SMTP vs. SMTPS (with SSL) or SMTPAuth
– POP3
– …
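The FTP and sftp experiments above, plus the POP3 item in this list, come down to one check a defender can automate: does a login cross the wire in cleartext? The script below is an added example, not part of the lab handout; it works on constructed (src_port, dst_port, payload) tuples that stand in for what WinDump would capture, and it reports the exposed username and password length rather than the password itself.

```python
"""Audit captured client->server TCP segments for cleartext logins.

Added example for the lab, not code from the handout.  Real captures
would be read with a pcap library; here the segments are constructed
inline so the audit runs offline.
"""
import re

# Cleartext authentication services from the lab and their server ports.
# FTP (RFC 959) and POP3 (RFC 1939) both authenticate with "USER"/"PASS".
CLEARTEXT_LOGIN_PORTS = {21: "FTP", 110: "POP3"}

_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$")
_PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$")


def find_cleartext_logins(segments):
    """Return one finding per USER/PASS pair seen on a cleartext service port.

    segments: iterable of (src_port, dst_port, payload_bytes) in the
    client->server direction, i.e. what a sniffer on the client LAN sees.
    Traffic to other ports (e.g. SSH/sftp on 22) is ciphertext after the
    banner and is skipped: there is nothing readable to match.
    """
    findings = []
    pending_user = {}  # dst_port -> most recent USER name on that service
    for _src_port, dst_port, payload in segments:
        if dst_port not in CLEARTEXT_LOGIN_PORTS:
            continue
        for line in payload.split(b"\r\n"):
            m = _USER_RE.match(line)
            if m:
                pending_user[dst_port] = m.group(1).decode("ascii", "replace")
                continue
            m = _PASS_RE.match(line)
            if m and dst_port in pending_user:
                findings.append({
                    "protocol": CLEARTEXT_LOGIN_PORTS[dst_port],
                    "port": dst_port,
                    "user": pending_user.pop(dst_port),
                    # Record that a secret was exposed, not the secret itself.
                    "password_len": len(m.group(1)),
                })
    return findings


# Constructed sample: an FTP login to the lab server, then a psftp session
# whose SSH payload is an opaque binary stream after the version banner.
SAMPLE_SEGMENTS = [
    (50011, 21, b"USER student\r\n"),
    (50011, 21, b"PASS s3cret!\r\n"),
    (50011, 21, b"QUIT\r\n"),
    (50012, 22, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    (50012, 22, bytes(range(0, 32))),  # stands in for encrypted SSH packets
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_SEGMENTS):
        print(f"{f['protocol']} login for user {f['user']!r} exposed on port {f['port']}")
```

Running it against the sample reports only the FTP session, which is the expected contrast with sftp from the two experiments above.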
Summary
• Packet sniffer
– tcpdump/WinDump
– Wireshark
– Cain & Abel
– Ettercap
• Vulnerability of protocols
– FTP