Chapter 6 Gathering Data from Networks: Sniffers
Sniffing Defined
• Using a program or device to monitor data traveling through a network
• Good use: network management and monitoring
• Bad use: stealing passwords, email, and files

TCP/IP Model
• 4-layer model
  • Application
  • Transport
  • Internet
  • Network Access

TCP Header Components
• Source Port
• Destination Port
• Sequence Number
• Ack Number
• Data Offset
• Reserved
• Control Bits
  • URG, ACK, PSH, RST, SYN, FIN
• Window
• Checksum
• Urgent Pointer
• Options
How Sniffers Work
• Promiscuous mode: the interface accepts every frame on the segment, not only those addressed to its own MAC
  • Capture packets headed for the target's MAC
• Most commonly sniffed (unencrypted) protocols
  • HTTP, POP3, IMAP, SNMP, FTP, Telnet, NNTP
• Passive versus active
  • Passive sniffing needs one of:
    • Hub (called "shared Ethernet")
    • Wireless AP
    • Port mirroring on a switch (called "switched Ethernet")
  • Example: use a Trojan to install Back Orifice on the target machine. The attacker gets an email from the "Butt Trumpet" plug-in after installation. Now a packet sniffer can be installed.

How Sniffers Work
• Passive versus active
  • Active sniffing needs one of:
    • ARP spoofing: spoof the gateway's MAC address
    • MAC flooding / traffic-flooding attack: flood the switch with fake MAC addresses to exhaust its limited CAM table memory; this causes "fail-open mode," in which the switch forwards frames to all ports like a hub
    • MAC duplicating
Detection & Countermeasures
• Hard to detect, since passive sniffing leaves no trace on the network
• Look for machines in promiscuous mode
• Run 'arpwatch' to report changed IP-to-MAC pairings
• Use 'HP OpenView' or 'IBM Tivoli' to spot strange packets
• Best: encryption
  • AES
  • RC4 (now considered broken; listed here for historical context only)
  • RC5

Overcoming Switch Limitations
• ARP poisoning
  • Uses ARP spoofing to redirect packets
  • Result: DoS and MITM
• Countermeasures
  • Static ARP entries in the cache
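The detection slides above (arpwatch-style MAC change alerts, and recognizing a MAC flood) can be reduced to two small monitors. The code below is an added illustration, not part of the original slides or of arpwatch; the ARP records and flood frames are constructed sample data, and the `static_entries` argument mirrors the "static ARP entries" countermeasure.

```python
from collections import defaultdict, deque

# Constructed sample ARP replies (timestamp_s, sender_ip, sender_mac), written to
# resemble what an arpwatch-style monitor logs; not captured from a real network.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway first seen
    (5, "192.168.1.10", "00:11:22:33:44:10"),
    (30, "192.168.1.1", "00:11:22:33:44:01"),   # gateway unchanged
    (60, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
]

def detect_arp_changes(replies, static_entries=None):
    """Return (ts, ip, old_mac, new_mac) for every reply whose IP->MAC binding
    differs from the learned one. static_entries (IP -> MAC) are trusted bindings
    that a reply can never overwrite, like static entries in the ARP cache."""
    table = dict(static_entries or {})
    pinned = set(table)
    alerts = []
    for ts, ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac                  # first sighting: learn it
        elif known != mac:
            alerts.append((ts, ip, known, mac))
            if ip not in pinned:
                table[ip] = mac              # follow the change to catch later flips
    return alerts

def detect_mac_flood(frames, window_s=10, max_distinct=100):
    """Return the timestamps at which more than max_distinct distinct source MACs
    were seen within the last window_s seconds (a macof-style CAM table flood)."""
    recent = deque()              # (ts, mac) pairs still inside the window
    counts = defaultdict(int)     # how many frames in the window per MAC
    alerts = []
    for ts, _ip, mac in frames:
        recent.append((ts, mac))
        counts[mac] += 1
        while recent and recent[0][0] < ts - window_s:   # expire old frames
            old_ts, old_mac = recent.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        if len(counts) > max_distinct:
            alerts.append(ts)
    return alerts

# Constructed flood: 300 frames in 3 seconds, each from a different fake MAC.
FLOOD_FRAMES = [(i / 100, "10.0.0.1", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
                for i in range(300)]
```

In practice the two functions would be fed from a capture library rather than static lists; the thresholds are illustrative and must be tuned to the segment being watched.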
Sniffing Tools
• Wireshark (formerly Ethereal)
  • Open-source protocol analyzer; captures traffic in real time
• Snort: also a packet logger
  • IDS: detects threats such as buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other port scanners, well-known backdoors and system vulnerabilities, and DDoS clients, and alerts the user about them. New signatures can be written to detect newly discovered vulnerabilities.
• SnortSnarf: converts data collected by Snort into Web pages for easier reading
• Samhain
  • Open-source, multi-platform application used for checking the integrity of centralized files and detecting host-based intrusions (HIDS)

MAC Flooding & DNS Spoofing
• Overcoming switched networks
  • ARP spoofing: sniff data frames on a LAN or stop the traffic altogether
  • Overwhelm a switch (macof)
• DNS spoofing / poisoning
  • Feed the DNS server incorrect information
  • Intranet spoofing
  • Internet spoofing
  • Proxy server DNS poisoning
  • DNS cache poisoning
  • Kaminsky DNS vulnerability (summer 2008)
    • http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Tools
• Wireshark
• Dsniff: collection of tools
  • filesnarf, mailsnarf, urlsnarf, msgsnarf (instant messages), webspy, arpspoof, dnsspoof, macof
• dnsspoof
  • Forges replies to DNS queries
  • Alerts on spoofed packets
• Cain & Abel
  • MITM attacks; sniffing; ARP poisoning
• EtherPeek
• Ettercap

Tools
• SMAC
• Hunt
• TCPDump: command-line tool
• Network Probe
• Snort