310 likes | 563 Views
Network Sniffing. Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain valuable information: Usernames and passwords Encrypted Unencrypted E-mail, web requests (and replies), data files Etc.
E N D
Network Sniffing • Sometimes it is possible observe/record traffic traveling on a network • Network traffic may contain valuable information: • Usernames and passwords • Encrypted • Unencrypted • E-mail, web requests (and replies), data files • Etc. • A sniffer is a piece of software that captures network traffic
Analogy - Wiretapping • The FBI conducts wiretaps • Go to a judge and get a court order authorizing the wiretap • Who? • What? • When? • Why? • With the help of the phone company, can listen to/record a suspect’s phone conversations to obtain evidence
Analogy – Wiretapping (cont) • Sniffer allows an administrator (or attacker) to record/listen in on conversations between computers • May need authorization to monitor network traffic • Electronic Communications Privacy Act • https://www.cdt.org/issue/wiretap-ecpa • May not need authorization to monitor network traffic • “Trap and Trace”/”Pen register” • Consent • May not care - attackers
Sniffing - Environment • Some networks use shared media so passive sniffing is very easy • Network interface cards can be placed in “promiscuous” mode so that they do not ignore traffic to other hosts • Wireless network traffic can also be captured (but may be encrypted) • Sniffing is more difficult (but not impossible) in switched environments
Protocol Analysis • Captured network packets contain binary data which is difficult to interpret • Most sniffers include a protocol analysis component which organizes and displays the (human-readable) contents of the traffic • Example: Wireshark
Example – An Nmap Port Scan • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Perform a TCP-connect scan • nmap –sT <target host> • View results
Example – A Web Connection • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Open a text-based web browser • Get default web page on the target host • View results
Example – An FTP Connection • Target host: 10.0.0.207 • Start Wireshark • Source host: 10.0.0.204 • Use the ftp client • ftp <target host> • View results
Example – An SFTP Connection • Target host 10.0.0.204 • Source host 10.0.0.207 • Use the sftp client • sftp guest@<target host> • View results
Man-in-the-Middle • In a switched environment a host only receives: • Traffic destine for itself • Broadcast traffic • Cannot see traffic between other hosts • Man-in-the-middle = insert yourself as an (undetected) intermediary between communicating hosts
I Alice Bob I Alice Bob Man-in-the-middle (cont) • Normal: • Man-in-the-middle:
Man-in-the-middle (cont) • How to achieve man-in-the-middle in a switched environment? • Exploit address resolution protocols
Address Resolution • All network communications must be carried out over physical networks • Each machine has a unique physical address • Programs (and humans) use IP addresses to specify the machine to which a message is sent • The address resolution problem – need to map IP address to physical address
The Address Resolution Problem Hosts A and B are on the same physical network B wants to communicate with A but only knows A’s IP address A B C D E
The Address Resolution Protocol (ARP) Host A wants to resolve the IP address IB Host A broadcasts a special (ARP) packet that asks the host with IP address IB to respond with its physical address All hosts receive the request Host B recognizes its IP address Host B sends a reply containing its physical address
A X B Y A X B Y ARP • Phase 1: • Phase 2:
ARP Caches • Each host maintains a cache of recently-used mappings • Information in the cache expires after a set time has elapsed • When sending an ARP request a host includes its IP-to-physical address binding • All machines on a physical network “snoop” ARP packets for mappings
Demo – ARP Cache • Host 10.0.0.207 has not communicated with 10.0.0.205 • 207’s ARP cache probably doesn’t contain an entry for 205 • Host 207 makes a web request to 205 • ARP for 205’s physical address • Added to 207’s cache • Web request sent and reply received
ARP Cache Poisoning • Broadcast ARP replies associating your physical address with a given IP address • Other hosts receive this message and put the mapping into their ARP cache • When a machine wants to communicate with the given IP address it sends the frame to your physical address • You read the frame and then forward it on to the real destination host
Cain and Abel • A man-in-the-middle LAN attack tool • Sniffer • Protocol analyzer • URL: http://www.oxid.it/cain.html • Can be used to poison hosts ARP caches
Demo – ARP Cache Poisoning • Hosts 10.0.0.204 and 10.00.205 may or may not have communicated • ARP caches may or may not contain entries for each other • Start Cain (on .207) and poison both 204 and 205’s ARP caches: • 207’s HW address associated with .204’s IP • 207’s HW address associated with .205’s IP
ARP Cache Poisoning - Result • 204 and 205 will communicate with each other • May not realize that their communications are flowing through a third-party • All communications will flow through 207 • 207 can read/store traffic • 207 forwards between the two hosts
Example – An FTP Connection • Switched Environment • Source host: .204 • Destination host: .205 • Attacker: .207 • Using: • Cain and Abel
ARP Poisoning • Can: • Read traffic • Modify traffic
Example – DNS Spoofing • Switched Environment • Source host: .203 • Destination host: Google • Attacker: .207 • Using: • Cain and Abel
Example – SSH Downgrade • Switched Environment • Source host: my laptop • Destination host: 10.0.0205 • Attacker: .207 • Using: • Cain and Abel
ARP Poisoning • What attackers look for: • Sensitive, unencrypted communications • Web requests/replies, e-mail, FTP • Weakly-encrypted communications • Old versions of SSH, RDC
ARP Poisoning - Countermeasures • Static ARP tables/smart switch • ARPwatch • IDS
Summary • Network traffic may contain valuable information: • Usernames and passwords • Encrypted • Unencrypted • E-mail, web requests (and replies), data files • Etc. • ARP poisoning can allow an attacker to capture and modify network traffic as a man-in-the-middle: • Cain and Abel