Seminar Topic

1
Seminar Topic

• Packet Sniffing

2

• Presented By
• Soumitra Kumar Jana(06/CS/55)
• Chandan Paul(06/CS/84)
• Sankha De(06/CS/61)
• Shantanu Das(06/CS/104)
• CSE 7th SEM,HIT
• Under the Guidance of
• Ms. Jayeeta Majumdar
• Lecturer, CSE ,HIT

3
Topics to be discussed

• INTRODUCTION TO PACKET SNIFFING
• WHO USES PACKET SNIFFERS AND WHY
• types of sniffing
• protocols vulnerable to sniffing
• Internet Basics
• packet sniffers
• how sniffers work?
• SOME TECHNIQUES FOR IMPLEMENTING SNIFFING
• SOME POPULAR PACKET SNIFFERS
• exploits of packet sniffers
• how to detect sniffing
• countermeasures
• conclusion
•  

4
The Network Today
5
Introduction to Packet Sniffing
Host A
Host B
Router A
Router B

• Sniffing is a data interception technology.The
  term sniffing commonly is used to describe
  protocol analysis, the process of viewing and
  analyzing the contents of packets on a network.
• Tools used for this purpose are properly called
  protocol analyzers, but the term sniffer also is
  widely used for such tools.
• Protocol analyzers or sniffers are network
  troubleshooting tools that provide a detailed
  view of network traffic.

6
(Continued...)

• A network analyzer is just software running on a
  computer with a networkcard. It works by placing
  the network card in promiscuous mode, which
  enables the card to see all the traffic on the
  network, even traffic not destined to the
  network-analyzer host. The network analyzer
  performs the following functions
• Captures all network traffic.
• Interprets or decodes what is found into a
  human-readable format.
• Displays it all in chronological order.

7
Who Uses Packet Sniffers and Why?

• System administrators
• -- To monitor the flow of network
  traffic
• --Troubleshoot communication problems
• --Understand system problems and
  performance
• --Intrusion detection
• --Debug network protocol
  implementations
• --Detection of erroneous packet flow
  through the network
• --Gather and report network usage and
  statistics.

8
(Continued...)

• Malicious individuals (intruders)
• --Capture cleartext data
• --Passively collect data on vulnerable protocols
• FTP, POP3, IMAP, SMATP, rlogin, HTTP etc
• Capture VoIP Data.
• --Mapping the target network
• --Traffic pattern discovery
• --Actively break into the network (backdoor
  techniques)

9
Types of Sniffing
Sniffing
Passive Sniffing
Active Sniffing

• 
  Passive sniffing means sniffing through a hub.It
  is passive because it is difficult to detect.An
  attacker simply connects to the hub from his/her
  machine.

• Active sniffing means sniffing through a
  switch.It is easy to detect.Attacker tries to
  poison the switch by sending bogus MAC address.

10
Protocols Vulnerable to Sniffing

• Protocols that are suspectible to sniffers
  include-
• Telnet Keystrokes including usernames and
  passwords.
• HTTPData sent in the clear text.
• SMTPPassword and data sent in the clear text.
• POP Password and data sent in the clear text.
• FTP Password and data sent in the clear text.
• IMAP
• VoIP
• SNMP etc.
• 
  
  10

11
INTERNET Today

• Internet is based on TCP/IP architecture. The
  model defines four (or five) layers.
• Physical Layer
• Data Link Layer Ethernet, 802.11(2)
• Network Layer IPv4 (IPv6)(3)
• Transport Layer TCP, UDP(4)
• Application Layer SMTP, HTTP, FTP(5)

12
Packet Sniffers

• A "Packet Sniffer" is a utility that sniffs
  without modifying the network's packets in any
  way. By comparison, a firewall sees all of a
  computer's packet traffic as well, but it has the
  ability to block and drop any packets that its
  programming dictates. Packet sniffers merely
  watch, display, and log this traffic.
• How They Work
• An Ethernet sniffer is software that works
  in concert with the network interface card (NIC)
  to blindly suck up all traffic within earshot
  of the listening system, rather than just the
  traffic addressed to the sniffing host.

13
How They Work(Continues...)

• ? Normally, an Ethernet NIC will discard any
  traffic not specifically addressed to itself or
  the network broadcast address, so the card must
  be put in a special state called promiscuous mode
  to enable it to receive all packets floating by
  on the wire.Once the network hardware is in
  promiscuous mode, the sniffer software can
  capture and analyze any traffic that traverses
  the local Ethernet segment.
• ? This limits the range of a sniffer somewhat
  because it will not be able to listen to traffic
  outside of the local networks collision domain
  (that is, beyond routers, switches, or other
  segmenting devices).
• ? Obviously, a sniffer judiciously placed on a
  backbone, internetwork link, or other network
  aggregation point will be able to monitor a
  greater volume of traffic than one placed on an
  isolated Ethernet segment.This is the basic
  understanding of the function of a sniffer.

14
Some Techniques for Implementing Packet Sniffing

• ARP Spoofing or ARP
  Poisioning
• The process of falsifying the source Media Access
  Control (MAC) addresses of packets being sent on
  an Ethernet network is called ARP spoofing or ARP
  poisoning. ARP spoofing involves sending forged
  ARP replies to redirect network traffic to the
  attacking host. If the attacking host is only
  listening to traffic and not participating in it,
  legitimate hosts are usually unaware that the
  packets they are transmitting are being
  redirected to an attacker and are not reaching
  their intended destinations.
• Tools used Cain Abel,Ettercap etc.

15
(Continues...)

• MAC
  duplicating
• MAC duplicating attack is launched by
  sniffing network for MAC addresses of clients who
  are actively associates with a switch-port.By
  listening to the traffic on the network a
  malicious user can intercept and use a legitimate
  users MAC address and he got all the traffic
  destined for that legitimate user.
• 
  MAC Flooding
• MAC flooding is an attack that tries to flood
  the internal memory of Ethernet switches using
  large numbers of spoofed Media Access Control
  (MAC) addresses. Switches has limited memory for
  mapping the MAC addresses to the physical ports
  on switch.MAC flooding uses this limitation and
  floods the switch with fake MAC addresses until
  the switch cant keep up.Switch then acts like a
  hub by broadcasting packets to all machines in
  the network.After that sniffing is easily
  performed.
• Tools used-Etherflood.

16
(Continues...)

• IP Based
  Spoofing
• This is the original way of packet sniffing.It
  works by putting the network card into
  promiscuous mode and sniffs all packets.This
  method only works in non-switched networks.All
  the modern sniffers uses this technique.
• DNS
  Poisoning
• DNS spoofing provides DNS servers with false
  information to impersonate DNS servers.The DNS
  server beleives that it has got authentic
  information when, in reality,it does not.
• Intranet DNS Poisoning(LAN)
• Internet DNS Poisoning(Remote Network)
• Proxy Server DNS Poisoning
• DNS Cache Poisoning

17
Some Popular Packet sniffers

• Linux/Unix-based sniffers use libpcap, which
  must be installed prior to installing any
  sniffer.
• tcpdump, a command-line based packet sniffer.
• tcpshow (tcpdump-based analysis).
• Wireshark (Packet sniffer GUI) Formerly
  Ethereal
• ngreg network grep (Command line tool to apply
  regular expressions to tcpdump output).
• Dsniff-is a password sniffer handles
  FTP,Telnet,SMTP,HTTP,POP etc.
• Windows-based sniffers use WinPcap, which must
  be installed prior to installing any sniffer.
• 1.Wireshark(Packet sniffer GUI) Formerly
  Ethereal
• 2.Capsa Network Analyzer (Packet Sniffer) from
  Colasoft
• 3.Cain Abel from Oxid.it
• 4. WinDump, a DOS command-line packet sniffer
• 5.CommViewer

18
Wireshark

• Wireshark (formerly Ethereal) is a UNIX- and
  Windows-based open source network monitoring
  tool. Stable release is 1.2.4.Wireshark is a
  software that "understands" the structure of
  different networking protocols. Thus, it is able
  to display the encapsulation and the fields along
  with their meanings of different packets
  specified by different networking protocols.
  Wireshark uses pcap to capture packets, so it can
  only capture the packets on the networks
  supported by pcap.
• Data can be captured "from the wire" from a live
  network connection or read from a file that
  records the already-captured packets.
• Live data can be read from a number of types of
  network, including Ethernet, IEEE 802.11, PPP,
  and loopback.
• Captured network data can be browsed via a GUI,
  or via the terminal (command line) version of the
  utility, tshark.
• Decodes over 750 protocols .
• Compatible with many other sniffers .

19
MENU BAR

• DISPLAY FILTER SPECIFICATION

Listing of All the Packets
Details of Selected Packet Header
Packet Content in Hex ASCII Code
20
Selected TCP Packet 43262
Details of the selected packet (43262)
Raw data (content of packet 43262)
21
Filtering HTTP Packets Only
Accessing http//en.wikipedia.org with source ip
10.10.39.155.The destination ip for this packet
is 10.10.3.254
22
Cain and Abel

• Cain and Abel (sometimes called simply
  "Cain") is a Windows password recovery tool. It
  can recover many kinds of passwords using methods
  such as network packet sniffing, cracking various
  password hashes by using methods such as
  dictionary attacks, brute force and cryptanalysis
  attacks. Cryptanalysis attacks are done via
  rainbow tables which can be generated with the
  winrtgen.exe program provided with Cain and Abel.
  
• TCP/UDP Traceroute with DNS Resolver
• Dumping protected storage passwords -Reveals
  locally stored passwords of Outlook, Outlook
  Express, Outlook Express Identities, Outlook
  2002, Internet Explorer and MSN Explorer.
• APR(ARP Poison Routing)- Enables sniffing on
  switched networks.
• Sniffer -Captures passwords, hashes and
  authentication information while they are
  transmitted on the network.
• IP to MAC Address resolver
• Used for remote purposes such as Remote
  Console,Remote Route Table Manager,Remote TCP/UDP
  Table Viewer etc.

23
Start/Stop APR

• Start/Stop Sniffer
• Button

Traceroute any web address
Sniffer Operations
Lists network computers with MAC,Hostname
24
Lists all computers on the subnet
Username,passwords and web address is retrieved

• Lists all computers in the subnet

APR(ARP Poison Routing)
25
ARP Poison Routing

• Session
• Hijacking

Session Hijacking
26
LAN View
LAN View
WAN View
APR Poisoning Status
27
Exploits of Packet Sniffers

• One disturbingly powerful aspect of packet
  sniffers is their ability to place the hosting
  machine's network adapter into "promiscuous
  mode." Network adapters running in promiscuous
  mode receive not only the data directed to the
  machine hosting the sniffing software, but
  also ALL of the traffic on the physically
  connected local network.
• By placing a packet sniffer on a network in
  promiscuous mode, a malicious intruder can
  capture and analyze all of the network traffic.
  Within a given network, username and password
  information is generally transmitted in clear
  text which means that the information would be
  viewable by analyzing the packets being
  transmitted.

28
How to Detect Sniffing?

• There are two basic approaches to detecting
  sniffers
• 1. host based
• 2. network based
• The most direct host-based approach is to
  determine whether the target systems network
  card is operating in promiscuous mode. On UNIX,
  several programs can accomplish this, including
  Check Promiscuous Mode (cpm)
• Sniffers are also visible in the Process List
  and tend to create large log files over time, so
  simple UNIX scripts using ps, grep can illuminate
  suspicious sniffer-like activity. But these
  techniques are not always effective.

29
(Continued...)

• Check whether the MAC address of some
  machine(such as a Router) has changed.
• Network-based sniffer detection has been
  hypothesized for a long time. One of the first
  proof of concepts, Anti-Sniff, was created by
  L0pht.
• Run network tools like HP OpenView or IBM Tivoli
  to monitor network for strange packets.

30
Countermeasures
Host A
Host B
Router A
Router B

• The following techniques and tools can be
  used to mitigate sniffers
  AuthenticationUsing strong authentication, such
  as one-time passwords, is a first option for
  defense against packet sniffers.
• Switched infrastructureMigrating to Switched
  Network Topologies . Shared Ethernet is extremely
  vulnerable to sniffing.
• Antisniffer toolsUse these tools to employ
  software and hardware designed to detect the use
  of sniffers on a network.
• CryptographyThe best way to defeat sniffing
  is to encrypt network traffic using Internet
  Protocol Security (IPSec) or some other
  mechanism. This wont stop attackers from
  sniffing your network, but it will make it harder
  for them to gain anything useful from their
  efforts.

31
Conclusion

• Its a cruel irony in information security that
  many of the features that make using computers
  easier or more efficient and the tools used to
  protect and secure the network can also be used
  to exploit and compromise the same computers and
  networks. This is the case with packet sniffing.
• Detecting rogue packet sniffers on your network
  is not an easy task. By its very nature the
  packet sniffer is passive. It simply captures the
  packets that are traveling to the network
  interface it is monitoring. That means there is
  generally no signature or erroneous traffic to
  look for that would identify a machine running a
  packet sniffer. There are ways to identify
  network interfaces on your network that are
  running in promiscuous mode though and this might
  be used as a means for locating rogue packet
  sniffers.

32
References

• http//en.wikipedia.org
• http//www.cet.nau.edu/mc8/Socket/Tutorials/secti
  on1.html
• http//www.tcpdump.org/pcap.htm
• http//mixter.void.ru/rawip.html
• http//www.coders.eu.org/manualy/win/wskfaq/exampl
  es/rawping.html
• http//www.wireshark.org
• http//www.oxid.it

33

• THANK YOU