Eastern Michigan University

1
Eastern Michigan University

• Asad Khailany , Eastern Michigan University
• Dmitri Bagatelia , Eastern Michigan University
• Wafa Khorsheed , Eastern Michigan University

2
Do You Want to become a Hacker?

• Now you can get an MS degree specializing on
  hacking techniques from a university in Paris
  France.
• Do not miss this golden opportunity!
• Soon you will see your institution also offers a
  degree in hacking techniques

3
ABSTRACT

•   Computers on the network normally only listen
  to communications destined to them.
• However, when they enter promiscuous mode they
  can listen to all communications whether destined
  or not destined to them.
•   Computers are put into the promiscuous mode by
  installing software package known as packet
  Sniffers.

4
ABTRACT

•    Sniffers are the best tools for hackers to
  attack computers.
• Network administrators use Sniffers for network
  troubleshooting and security analysis. Many
  sniffing and anti sniff packages available on the
  Internet for download.
•  This paper discusses sniffing and anti
  sniffing, their advantages and disadvantages, and
  presents some recommendations to make network
  systems and their data more secure.

5
INTRODUCTION

• A computer to be able to listen to all
  communications on the network must be in a
  multi-partners mode. Such mode is known as the
  promiscuous mode
•    Through packed Sniffers computers can
  transfer to the promiscuous mode.
•      Attackers love packet Sniffere.
•    Sniffers are valuable tools needed by network
  administrators to do network trouble shooting, to
  perform network security analysis and to measure
  the performance of network system.

6
INTRODUCTION - 2

•   Sniffers are used by law enforcement agencies
  to monitor network systems.
•   Anti sniff packages are available to determine
  whether or not a suspected remote computer is
  listening in to all communications on the
  network.
•    Several methods utilized by anti sniff
  package to identify suspected computers on the
  network are discussed in this paper.

7
What sniffing packages used for?

• Sniffing packages used for
•         Network traffic analysis to
• 1.    Identify the type of network application
  used.
• 2.    Identify the hosts using the network.
• 3.    Identify the bottlenecks.
• 4.  Capture data sniffing packages used for
• troubleshooting of network applications.
• 5.    Create network traffic logs.

8
More usages of sniffing packages

•   Gathering private data such as passwords,
  credit cards information, email messages, .. etc.
•    Establishing connection with senders while
  using authentication provided by receiver.
•     Modifying and resending data to recipients.

9
SNIFFERS AND NETWORK ARCHITECTURES

• Sniffing is possible because most network
  architectures use shared medium and protocols
  that presume only intended computer receives and
  reads the message.

10
Case Ethernet architecture

• Computer A sends a message to Computer C.
  Since all computers share the same line Computers
  B and D can listen to messages if they are in
  promiscuous (multi partner) mode. In this case
  the message was not change but the privacy was
  compromised since data was only copied and not
  modified.

11
Case Routed network

• Routed protocol, means that sent message might
  be handled by several hosts.
• Any of the hosts can copies the message or
  changes the message and forwarded to others
  hosts. The final recipient of the message will
  never know that the message was modified. Thus
  the security risk taking in routed protocol is
  much greater than Ethernet architecture.

12
DIFFERENT METHODS FOR DTECTING ACTIVE SNIFFERS

• Theoretically it is impossible to detect active
  Sniffers if they only listen without sending
  anything i.e. if they are in passive mode.
  Practically there are some methods can be used to
  identify suspected computers that are trying to
  listen to messages not intended for them.
• Some Popular Methods To Identify Suspected
  Computers Are

13
1. PING METHOD.

•         A computer is uniquely identified on the
  network by its serial number of its network
  computer card. This hardware address is called
  MAC (Media Access Control address).
•         Sniffer always turns off MAC filter on
  its host device, thus it can receive all messages
  that are intended or not intended for that
  device.

14
1. PING METHOD.

• How to identify suspected computers ?
•         Send a message to the suspected device
  using a wrong MAC address and a corrected IP
  address, the device should not respond if it has
  MAC address filter on, but if it runs in a
  promiscuous mode it will respond to the message.
  Thus a computer, which is listening, is
  identified.
• New problems to be solved
•         The newer sniffer devices/programs have
  built-in filters, which prevent such kind of
  responses.

15
2. ARP Address Resolution Protocol METHOD.

• ARP is a TCP/IP protocol maps an IP address into
  physical address.
• The ARP method uses arp packets.
• On a network when a computer sends arp request to
  a broadcast address, all those computers see that
  request send an arp answer with their IP to MAC
  address mapping.
• How suspected computers identified?
• If such request is sent to a regular
  non-broadcast address, there should not be any
  reply, if a reply is received that computer will
  be a suspected sniffer device.

16
3. DNS METHOD.

• The DNS method works on the
  assumption that many attackers use IP addresses
  to find DSN names.
• Most sniffer programs have a feature
  to do a reverse DNS lookup using an IP to get the
  hostname.
• How suspected computers identified?
• An anti sniff package places itself
  in a promiscuous mode and sends a message to
  fictitious hosts such as charge BankC.com. The
  address of all computers that use reverse lookup
  request referencing the fictitious hosts are
  flagged as being suspected computers.

17
4. SOURCE-ROUTE METHOD

• IP header has an option of loose source routing.
• Routers ignore destination IP address and instead
  will forward message to the next IP in
  source-route option.
• How to identify suspected computers ?
• Turn off packet routing on a specific computer
  and the packet should be dropped at that
  computer. A computer that sniffs messages
  responds to such message that the packed was
  dropped on the computer, which the package was
  dropped.
• For instance, you send a message from computer A
  to computer B, but you route it through computer
  C first. If you turn off packet routing on
  computer C, then packet should be dropped. Thus,
  if computer B responds to such message, that was
  dropped at C, it means computer B sniffed the
  message.

18
5. DECOY METHOD.

• This method sets up a victim computer that will
  repeatedly run script to login to a remote server
  using a dummy account with no real permissions,
  and try to find any hacker who tries to use that
  dummy account to login to the remote server.
• How to identify suspected computers?
•         Setup a victim computer that will
  repeatedly run script to login to a remote server
  using a dummy account with no real permissions.
•         Any hacker who gets such login
  information tries login to remote server.
•         Any login attempt not originated from
  the victim computer indicates that someone was
  sniffing on your network and stole that account
  number information.

19
6. OTHER METHODs.

• There are many more methods that can be used to
  detect sniffing activities
• None works 100 of the time, because hackers
  already know them and try to work around those
  detection methods.
• One of the among the best software packages
  that use all the above methods to find sniffing
  activities is
• AntiSniff package (http//www.securitysoftwaretec
  h.com/antisniff/)

20
Protocols targeted for sniffing by hackers

• Protocols that transmit data in plain text
  format make it easy for hackers to get what they
  want. Some of protocols targeted for sniffing
  are
• 1.     telnet
• 2.     rlogin (user sessions and passwords)
• 3.     HTTP(passwords, web-based emails)
• 4.     Simple Network Management Protocol
  (passwords)
• 5.     Network News Transfer Protocol
  (passwords)
• 6.     Post Office Protocol (passwords, emails)
• 7.     File Transfer Protocol (passwords)
• 8.     Internet Message Access Protocol
  (passwords, emails).

21
METHODS TO ENFORCE NETWORK SECURITY

• switched network
• Use of switched network eliminates use of
  shared wire.
• Switch knows the location of every device on
  the network, and sends data directly to the
  intended recipient without transmitting the
  message all over the network.
• The diagram in the next slide compares two
  network of computers one interconnected by a hub
  and the other interconnected by a switch.

22
Switch And Hub Networks
Hub
Switch

•  
• Hubs send communications to all
• connected computers.
• Switch, on the other hand,
  remembers what
• computer is connected to what port
  on the
• switch, thus it forwards message
  only to one
• computer.

23
Data encryption Method

•    This one of the oldest security routines used
  to enforce security.
•    Many software algorithms and software
  packages are available to encrypt data.
•    You can encrypt you messages before sending
  them, e.g. PGP (Pretty Good Privacy) is being
  used to encrypt email messages.
• You can choose a secure protocol with
  built-in encryption schemes, e.g. SSH (Secure
  Shell) instead of telnet of rlogin.

24
Some disadvantages of encrypting over plain text
messages

•    Encrypting increases the message size as
  well as response time, since message has to be
  not only encrypted on one end, but also decrypted
  by the recipient on the other end.
•   It might not be a reasonable solution for
  some setups that require very high response time.
  

25
Some important usages of sniffing methods

• Sniffing methods can be used for
•   Network management.
•  Traffic analysis can identify who is using what
  network resource in what way. For instance, you
  can identify users who use most of your
  bandwidth, then you can find out whether they use
  it for a legitimate purpose or not.
•   Because most network applications use fixed
• port numbers you can filter traffic and
  identify software that are being used..
•   Maximizing network performances.

26
More usages of sniffing methods

• Not all packets capturing is intended to
  compromise security. For instance, during
  programming of a network application programmers
  might want to see the network traffic that local
  computer generates, so that troubleshooting of
  the application can go much faster.
•    It is also possible to use sniffer to create
  log of all network traffic, so that serve as
  evidence in case security is compromised on some
  other system on the network. Those logs can be
  used to track down the intruders and to support
  legal action to bring those hackers to justice.

27
CONCLUSION

•  The security threat that sniffers pose can be
  minimized using combination of switched networks
  and encryption.
• Sniffers can be sometimes detected using
  sniffing detection software.
•   Network professionals to manage networks for
  identifying problems and monitoring usage of
  network resources have used sniffers for a long
  time.
• Hackers utilize Sniffing packages to attack
  networked computers to steal information.
•   It may be impossible to make sure that no one
  uses sniffing packages against you, but it is
  important to make sure that unauthorized people
  could not get useful information.

28
REFERENCES.

• 1. Web Server Security, Maintenance by Eric
  Larson Bruan
• 2.http//lin.fsid.cvut.cz/kra/index.html
• 3. http//www.eeye.com/
• 4. http//neworder.box.sk/
• 5. http//www.securitysoftwaretech.com/
• 6. http//www.winsniffer.com/
• 7. http//www.snifferpro.co.uk/
• 8. http//stein.cshl.org/lstein/talks/WWW6/sni
  ffer/
• 9. http//www.atstake.com/
• 10. http//www.swrtec.de/clinux/
• 11. http//stein.cshl.org/lstein/talks/WWW6/snif
  fer/