
Network Eavesdropping






Presentation Transcript


  1. Network Eavesdropping

  2. Outline • Concepts • Methodology • Detection

  3. Eavesdropping
  • Sniffer: packet capture tool (the name itself is a trademark)
  • Network sniffing is eavesdropping on the network to capture the packets transmitted over it
  • It monitors traffic destined to itself as well as to all other hosts on the network
  • Can be used for both attacking and protecting purposes

  4. Uses of a sniffer
  • Traffic analysis
  • Performance analysis
  • IDS/IPS are built on sniffers
  • Stealing clear-text content
    • Usernames & passwords
    • Conversations

  5. How does a sniffer work
  • Normal mode
    • Each network interface card (NIC) and network device has a unique MAC address
    • The NIC only receives packets destined to its specific MAC address; all other packets are ignored
  • Sniffer mode
    • A machine running a sniffer breaks this rule and accepts all packets
    • Turn on “promiscuous” mode on the NIC
    • Makes the NIC accept all data-link layer frames regardless of the MAC address

  6. Anatomy of a sniffer (data flows from the media upward)
  • Media: the network the frames are taken from
  • Capture driver: software driver to capture and filter packets
  • Buffer: temporary space before processing
  • Decode: decoding to readable form
  • Storage: storage for offline analysis

  7. How to sniff in shared networks
  • Passive running: just put the NIC into promiscuous mode
  • Switched networks prevent traditional sniffing because frames are forwarded to a single port, based on a table of MAC/port associations

  8. How to sniff in switched networks
  • Switches prevent traditional sniffing
    • A switch keeps an internal list of the MAC addresses of the hosts that are on its ports
    • Traffic is sent to a port only if the destination host is recorded as being present on that port
  • Switched networks are not really safe from sniffing
  • Sniffing in switched networks requires active operations:
    • ARP spoofing
    • MAC flooding

  9. ARP revisited (hosts A, B, C, D on one segment; A is 158.108.1.2 / 8:0:20:7a:49:68, D is 158.108.1.5 / 00:10:4B:13:0A:BC)
  • A wants to resolve the MAC address of D
  • A sends a broadcast ARP request: “who has IP 158.108.1.5?”
  • D sends a unicast ARP reply to A: “me! with 00:10:4B:13:0A:BC”

  10. Gratuitous ARP
  • A host “announces” its IP address to the local network when its interface is configured, usually at boot time, to prevent the use of duplicate addresses on the same network
  • Routers and other network hardware may cache information gained from gratuitous ARP packets
  • A gratuitous ARP packet is an ARP request with both the sender's and the target's IP address fields containing the configured IP address
  • Example (A is 158.108.1.2 / 8:0:20:7a:49:68, broadcasting to B, C, D): “Hi everyone, my IP is 158.108.1.2 and my MAC is 8:0:20:7a:49:68”

  11. ARP datagram layout (carried in a data-link frame as: frame header | ARP/RARP message)
      bits 0-15                      | bits 16-31
      Hardware type (16)             | Protocol type (16)
      hlen (8)       | plen (8)      | ARP operation (16)
      Sender MAC addr (bytes 0-3)
      Sender MAC addr (bytes 4-5)    | Sender IP addr (bytes 0-1)
      Sender IP addr (bytes 2-3)     | Dest MAC addr (bytes 0-1)
      Dest MAC addr (bytes 2-5)
      Dest IP addr (bytes 0-3)

  12. Sample ARP request Ethernet packet (IP 158.108.33.2 / MAC 02:60:8c:2e:b5:8b asks for IP 158.108.33.5 / MAC ??)
      FF:FF:FF:FF:FF:FF    dest MAC (broadcast)
      02:60:8c:2e:b5:8b    source MAC
      0x0806               frame type (ARP)
      0x01                 hardware type (Ethernet)
      0x800                protocol type (IP)
      0x06 / 0x04          hlen (MAC = 6) / plen (IP = 4)
      0x001                operation (request)
      02:60:8c:2e:b5:8b    source MAC
      158.108.33.2         source IP
      00:00:00:00:00:00    dest MAC (unknown)
      158.108.33.5         dest IP
      checksum             Ethernet checksum

  13. Sample ARP reply Ethernet packet (IP 158.108.33.5 / MAC 00:00:e8:15:cc:0c answers IP 158.108.33.2 / MAC 02:60:8c:2e:b5:8b)
      02:60:8c:2e:b5:8b    dest MAC (unicast)
      00:00:e8:15:cc:0c    source MAC
      0x0806               frame type (ARP)
      0x01                 hardware type (Ethernet)
      0x800                protocol type (IP)
      0x06 / 0x04          hlen (MAC = 6) / plen (IP = 4)
      0x002                operation (reply)
      00:00:e8:15:cc:0c    source MAC
      158.108.33.5         source IP
      02:60:8c:2e:b5:8b    dest MAC
      158.108.33.2         dest IP
      checksum             Ethernet checksum
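The layout on slide 11 and the two sample packets on slides 12 and 13, as an added example that is not part of the original presentation: a small Python encoder/decoder for Ethernet+ARP frames built with the standard library only. The sample addresses are the ones on the slides; the helper and function names are this example's own, and the Ethernet checksum is left to the NIC rather than computed here.

```python
import struct
import ipaddress

# Added example (not from the slides): build and parse ARP messages using the
# 28-byte layout of slide 11, checked against the sample values on slides 12/13.

ETH_P_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """htype(16) ptype(16) hlen(8) plen(8) op(16), then sender MAC/IP, target MAC/IP."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    return (header
            + mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def build_frame(dst_mac, src_mac, arp_payload) -> bytes:
    """Ethernet header (dst, src, type 0x0806) in front of the ARP message.
    The trailing Ethernet checksum (FCS) is added by the NIC, not here."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP) + arp_payload


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying ARP; reject anything else."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def sample_request() -> bytes:
    # Slide 12: 158.108.33.2 asks, by broadcast, who has 158.108.33.5
    arp = build_arp(OP_REQUEST, "02:60:8c:2e:b5:8b", "158.108.33.2",
                    "00:00:00:00:00:00", "158.108.33.5")
    return build_frame(BROADCAST_MAC, "02:60:8c:2e:b5:8b", arp)


def sample_reply() -> bytes:
    # Slide 13: 158.108.33.5 answers with its MAC, unicast back to the asker
    arp = build_arp(OP_REPLY, "00:00:e8:15:cc:0c", "158.108.33.5",
                    "02:60:8c:2e:b5:8b", "158.108.33.2")
    return build_frame("02:60:8c:2e:b5:8b", "00:00:e8:15:cc:0c", arp)


def is_gratuitous(parsed: dict) -> bool:
    """Slide 10: a gratuitous ARP carries the same IP in sender and target."""
    return parsed["sender_ip"] == parsed["target_ip"]


if __name__ == "__main__":
    for name, frame in (("request", sample_request()), ("reply", sample_reply())):
        print(name, len(frame), "bytes:", parse_frame(frame))
```

The decoder is strict on purpose: a monitor that parses ARP should refuse frames with unexpected hardware/protocol lengths instead of reading past the buffer.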

  14. Playing with ARP
  • How to see the ARP table?
  • How to clear the ARP table?
  • How to add an ARP entry?
  • How to check the table in IPv6?

  15. Facts about ARP
  • Stateless protocol
  • Not designed with security in mind
    • No means for authentication or validation
    • Nothing prevents clients from crafting custom ARP messages
    • Can forge the source IP address
    • Can forge the source MAC address
  • Result: malicious nodes can fool network nodes into sending traffic to the wrong MAC address, which exposes the network to attacks such as:
    • ARP spoofing (ARP cache poisoning)
    • MAC flooding

  16. ARP cache
  • Kept locally to minimize the number of broadcast ARP requests
  • Updated with the new IP/MAC association for each reply
  • Some OSs will update the cache if a reply is received, regardless of whether they sent out an actual request
  • Possible to overwrite the ARP cache on many OSs
  • Possible to associate a MAC address with the default gateway’s IP address

  17. ARP weakness
  • If two machines have the same IP address, they will both respond to the same ARP request (IP conflict)
  • Depending on the OS, one of two things could happen:
    • The slowest (last) ARP reply to arrive will be cached until the ARP entry expires
    • The first ARP reply to arrive will be cached, and any further ARP replies will be ignored (until the ARP entry expires)

  18. ARP Spoof
  • Methods to spoof the contents of an ARP table
  • Takes advantage of the ARP cache
  • The process of corrupting the cache is “poisoning”, hence also called ARP cache poisoning
  • Causes all outgoing traffic from the target host to be transmitted to the hacker’s host
  • The hacker can also forge ARP replies
  • Dsniff by Dug Song includes a program named “arpspoof” for this purpose

  19. ARP Spoofing Scenario (diagram: hosts A with IP IA / MAC MA and B with IP IB / MAC MB, plus an attacker with IP IC / MAC MC; two panels, “Normal Condition” and “After ARP Spoofing”)

  20. ARP Poisoning: Broadcast Request (diagram) • B broadcasts: “Who has IA? My IP is IB” • attacker (IC, MC) also receives the broadcast

  21. ARP Poisoning: Response to Broadcast (diagram) • A answers: “I have IA and my MAC is MA”

  22. ARP Poisoning: Result like sniffing • Not quite a sniffer but fairly close • A packet destined for IB is first sent to IC • The attacker forwards the packet to B

  23. ARP Poisoning: Broadcast Request (diagram) • A broadcasts: “Who has IB? My IP is IA”

  24. ARP Poisoning: Broadcast Request (diagram) • B answers: “I have IB and my MAC is MB” • the attacker also answers: “I have IB and my MAC is MC”

  25. ARP Poisoning: Unsolicited Response (diagram) • attacker sends to A and B without any request: “I have IX and my MAC is MC”

  26. ARP Poisoning: Response to Unsolicited (diagram) • attacker again: “I have IX and my MAC is MC”

  27. MAC Flooding
  • A switch keeps a table (in a buffer) of all MAC addresses that appear on each port
  • If a large number of addresses appear on a single port, some switches begin to send all traffic to that port
  • Flooding the switch with randomly faked MAC addresses
  • The switch becomes overloaded and fails into “failopen mode”
  • In failopen mode it operates exactly like a hub, transmitting all packets to all addresses in the network
  • Dsniff includes a program named “macof” that facilitates the flooding of a switch with random MAC addresses

  28. MAC Address Cloning
  • MAC addresses were intended to be globally unique and unchangeable
  • Today, MAC addresses can be easily changed
  • An attacker could DoS a target computer, clone the target’s MAC address, and receive all frames intended for the target

  29. Sample Tools
  • Ettercap (http://ettercap.sourceforge.net/): complete sniffing and ARP corruption tool with command-line and GUI
  • Arpspoof (http://monkey.org/~dugsong/dsniff/faq.html): basic ARP manipulation tool; part of the dsniff package
  • ARPoison (http://www.arpoison.net/): basic ARP spoofing tool
  • Many more…

  30. Sniffer Prevention and Detection
  • Done properly, a sniffer is impossible to detect
  • Sniffing is a passive activity and does not generate unusual traffic
    • Normally linked to active intrusion attacks
  • Difficult to prevent

  31. Possible Protection
  • Three main types
    • End node precautions
    • Prevention
    • Detection

  32. Precautions and Implementation
  • Use a VPN or some other encrypted channel for all communication
  • Verify the authenticity of all SSL and SSH certificates before accepting them

  33. Prevention
  • Deploy intelligent Ethernet switches supporting the following features
  • Secured port
    • Specify the MAC address for each port
    • Limit the number of MACs on an interface
  • Smart cache
    • Only time out inactive entries
  • Smart management
    • Never flood
    • Require a host to send traffic first before receiving
  • Dynamic ARP inspection
    • Uses information from DHCP to block unknown bindings
    • DHCP snooping
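The per-port MAC limit and inactive-entry timeout from slide 33, and the random-MAC flood from slide 27 that they are meant to stop, as an added example that is not part of the original presentation and not code from any switch vendor: a software model of port security run over constructed frame records (timestamp, ingress port, source MAC). Class and function names and the threshold of 8 MACs per port are this example's own choices.

```python
from collections import defaultdict

# Added example (not vendor switch code): a model of the "limit amount of MAC
# on an interface" feature with ageing of inactive entries only, applied to
# constructed frame records so the MAC flooding pattern stands out.


class PortSecurityMonitor:
    def __init__(self, max_macs_per_port=8, inactive_timeout=30.0):
        self.max_macs = max_macs_per_port
        self.timeout = inactive_timeout
        self.table = defaultdict(dict)   # port -> {src_mac: last_seen}
        self.violations = []             # (t, port, distinct MACs on that port)

    def observe(self, t, port, src_mac):
        """Return True if the frame is within policy, False if it trips the limit."""
        macs = self.table[port]
        # "Smart cache" (slide 33): time out only entries that went quiet,
        # never the whole table, so a burst of new MACs cannot evict real hosts.
        for mac, last_seen in list(macs.items()):
            if t - last_seen > self.timeout:
                del macs[mac]
        macs[src_mac] = t
        if len(macs) > self.max_macs:
            self.violations.append((t, port, len(macs)))
            return False   # a real switch would drop the frame or err-disable the port
        return True


def run_sample():
    """Constructed traffic: port 1 carries three real hosts for a minute;
    port 2 sees 40 distinct locally-administered MACs within one second."""
    mon = PortSecurityMonitor(max_macs_per_port=8)
    legit = ["08:00:20:7a:49:68", "00:10:4b:13:0a:bc", "00:00:e8:15:cc:0c"]
    for i in range(60):
        mon.observe(float(i), 1, legit[i % 3])
    for i in range(40):
        mon.observe(100.0 + i / 40.0, 2, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return mon


if __name__ == "__main__":
    m = run_sample()
    print("port 1 MACs:", len(m.table[1]), "port 2 MACs:", len(m.table[2]))
    print("first violation:", m.violations[0], "total:", len(m.violations))
```

The output of the detector is the same signal a monitoring system would alert on: one port whose distinct-source-MAC count jumps far above anything a single end host produces.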

  34. Sniffer Detection
  • Shared network
    • Local detection of promiscuous mode
    • Ping test
    • ARP test
    • Ping latency test
    • Employing a honeypot
  • Switched network
    • Track down any nodes found changing ARP cache entries

  35. Sniffer Detection: Ping test
  • Construct an ICMP echo request
    • Set the IP address to that of the suspected host
    • Choose a mismatched MAC address
  • In some systems, if the NIC is in promiscuous mode, the sniffer will grab this packet as a legitimate packet and respond accordingly
  • Most systems will ignore this packet since its MAC address is wrong
  • If the suspected host replies to our request, we know that it is in promiscuous mode

  36. Sniffer Detection: ARP test
  • Send out an ARP request to the suspect host with all valid information except a bogus destination MAC address
  • A non-promiscuous machine would never see the packet
  • A promiscuous machine would process it and reply

  37. Sniffer Detection: Ping Latency test
  • Methods
    • Build two different populations, a normal-mode population and a promiscuous-mode population, or
    • Ping the suspected host and record the RTT
  • Create a lot of fake TCP connections
  • We expect the sniffer to be processing packets, so its latency will increase
  • Ping the suspected host again to see if the round trip time has increased

  38. Sniffer Detection: Honeypot
  • Create telnet connections with lots of logins + passwords to a telnet server (may be a fake server)
  • The sniffer takes the bait

  39. Sniffer Detection Limitations
  • ARP, ICMP, DNS tests
    • Sophisticated attackers are of course aware of these and design their sniffer to filter out or ignore these packets
  • Latency test
    • Probabilistic technique
    • Many known and unknown factors (OS, traffic) may affect the results

  40. Antisniffer Tools
  • Antisniff: http://packetstormsecurity.org/sniffers/antisniff/
  • Anti-Antisniff: http://www.securityfocus.com/tools/336

  41. Sniffer Detection: Detect ARP Spoof
  • Detect and track down any nodes found performing ARP cache corruption
  • Tools
    • arpwatch: watches for ARP cache entry changes and sends e-mail if found
    • Ettercap: has a plugin that can detect suspicious ARP and other Ettercap users on a network
    • Network Intrusion Detection System (IDS): most are designed with the ability to detect and warn about suspicious ARP activity
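What an arpwatch-style monitor actually looks for, as an added example that is not part of the original presentation and not code from arpwatch, Ettercap or any IDS: it replays a constructed sequence of ARP requests and replies and flags the three signals a defender wants from slides 16, 18 and 25: an IP whose MAC binding changed, a reply nobody asked for, and one MAC claiming several IPs. The addresses follow the 158.108.x.x examples on the slides; the gateway and attacker MACs, the event format and the class name are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not arpwatch/Ettercap code: an ARP binding monitor over a
# constructed capture. Each event is one ARP message already decoded.

OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpEvent:
    t: float          # seconds since capture start
    op: int           # OP_REQUEST or OP_REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                  # ip -> last MAC seen claiming it
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.pending = set()                # IPs someone has asked for, not yet answered
        self.alerts = []

    def _record(self, ev, alerts):
        """Update the IP->MAC table; alert on a changed binding or a MAC claiming >1 IP."""
        prev = self.bindings.get(ev.sender_ip)
        if prev is not None and prev != ev.sender_mac:
            alerts.append(f"t={ev.t}: {ev.sender_ip} changed from {prev} to {ev.sender_mac}")
        self.bindings[ev.sender_ip] = ev.sender_mac
        ips = self.ips_by_mac[ev.sender_mac]
        if ev.sender_ip not in ips:
            ips.add(ev.sender_ip)
            if len(ips) > 1:
                alerts.append(f"t={ev.t}: {ev.sender_mac} now claims {sorted(ips)}")

    def observe(self, ev):
        alerts = []
        if ev.op == OP_REQUEST:
            # The asker's sender fields are a binding too. A gratuitous ARP
            # (sender_ip == target_ip, slide 10) is an announcement, not a query.
            self._record(ev, alerts)
            if ev.sender_ip != ev.target_ip:
                self.pending.add(ev.target_ip)
        elif ev.op == OP_REPLY:
            if ev.sender_ip in self.pending:
                self.pending.discard(ev.sender_ip)
            else:
                # Slide 25: unsolicited responses are the poisoning primitive
                alerts.append(f"t={ev.t}: unsolicited reply for {ev.sender_ip} from {ev.sender_mac}")
            self._record(ev, alerts)
        self.alerts.extend(alerts)
        return alerts


def run_sample():
    """Constructed capture: two hosts resolve the gateway normally, then a
    third MAC starts answering for the gateway and for host B."""
    gw, a, b, x = ("00:00:0c:07:ac:01", "08:00:20:7a:49:68",
                   "00:10:4b:13:0a:bc", "02:11:22:33:44:55")
    events = [
        ArpEvent(0.0, OP_REQUEST, a, "158.108.1.2", "158.108.1.1"),
        ArpEvent(0.1, OP_REPLY, gw, "158.108.1.1", "158.108.1.2"),
        ArpEvent(5.0, OP_REQUEST, b, "158.108.1.5", "158.108.1.1"),
        ArpEvent(5.1, OP_REPLY, gw, "158.108.1.1", "158.108.1.5"),
        ArpEvent(9.0, OP_REPLY, x, "158.108.1.1", "158.108.1.2"),   # nobody asked
        ArpEvent(9.5, OP_REPLY, x, "158.108.1.5", "158.108.1.2"),   # same MAC, another IP
    ]
    mon = ArpMonitor()
    for ev in events:
        mon.observe(ev)
    return mon


if __name__ == "__main__":
    for line in run_sample().alerts:
        print(line)
```

The "changed" alert alone also fires on legitimate events such as a replaced NIC or a DHCP lease moving, which is why arpwatch mails a human rather than blocking; the unsolicited-reply and shared-MAC signals together are what make the constructed sequence above look like poisoning rather than churn.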

  42. Future Prevention?
  • Secure Address Resolution Protocol (S-ARP)
  • S-ARP uses public/private key pairs to authenticate ARP responses

  43. Final Recommendation
  • The best way to avoid damage by a sniffer is not to pass usernames and passwords over the network in the form of clear text
  • Encryption is the best solution
    • Use SSH instead of telnet
    • Use HTTPS instead of HTTP
    • Use SCP and SFTP instead of FTP

  44. Some common sniffers
  • Tcpdump: http://www.tcpdump.org
  • Wireshark: http://www.wireshark.org/
  • Ettercap: http://ettercap.sourceforge.net/
  • Snort: http://www.snort.org
  • Dsniff: http://monkey.org/~dugsong/dsniff/
