CNS 320 Lesson 9 – Sniffing

Lesson 9 – Sniffing

  • In the old days, most LANs used hubs.  When a packet would come into the LAN, the hub would send it to everyone.  If the packet said its destination was your network card’s MAC address, you would take it and process it.  If it *didn’t* have your MAC, you were supposed to politely ignore it.  Yeah…you can guess how this ends.
  • Nowadays, LANs use “switches” instead of hubs.  Switches are smarter and keep track of which MAC address is hooked into which port on the switch.  That way, it only sends the packet to the computer it’s intended for.  This makes sniffing other people’s traffic more difficult…but we’ll see how attackers can get around this.
  • NOTE: later, we’ll talk more in depth about wireless networks.  Since they use radio signals that propagate out in all directions, they inherently have many of the same problems as hubs do.

  • Rlogin and rsh are old remote-access protocols for logging into Linux/Unix servers.  Like telnet, they are plain-text and have mostly been replaced by SSH, which is encrypted.  Rlogin/rsh usually operates on TCP port 513.
  • NNTP = Network News Transfer Protocol, the protocol used for sharing Usenet posts.  TCP 119 is reserved for it.

  • Network taps sit inline between switches, routers, and/or hosts and listen in on the packets being sent.  Troubleshooting tools and intrusion detection systems (IDS) are two types of tools that often employ taps in order to monitor the network.
  • Port mirroring (SPAN, as it’s called in Cisco products) is a feature of the router or switch itself and can more intelligently filter what data to intercept.

  • Intranet Spoofing: Acting as a device on the same internal network
  • Internet Spoofing: Acting as a device on the Internet
  • Proxy Server DNS Poisoning: Modifying the DNS entries on a proxy server so the user is redirected to a different host system
  • DNS Cache Poisoning: Modifying the DNS entries on any system so the user is redirected to a different host

  • Ping method: if you suspect a certain IP address is a sniffer, send it a ping packet with its valid IP address but the wrong MAC address.  A normally configured network card drops a frame that isn’t addressed to its MAC, so if the host responds anyway, it’s the sniffer.
  • ARP method: send out a non-broadcast ARP message.  Next, send a broadcast ping packet with your IP address but a different MAC address.  Only a machine that has your correct MAC address from the sniffed ARP frame will be able to respond to the broadcast ping request.
  • Source-route method: send out a ping, but with a loose source route so that it will be routed through another machine on your network segment.  Most computers won’t route packets like this, but if you get a response, it’s likely the machine is running in promiscuous mode.
  • Decoy method: this method involves sending false information over the wire (such as fake username/password combos) and seeing if anyone acts on it.
  • Reverse DNS method: many sniffer programs will automatically perform reverse DNS lookups of the addresses we sniff. If you start seeing two machines have remarkably similar DNS traffic, one could be sniffing the other.
  • Latency method: flood the network with traffic.  The sniffer will start to creak under the strain.  If you see a machine on the network suddenly having very high latency when responding to requests, it might be the one sniffing.
  • TDR: TDRs (time-domain reflectometers) are tools for testing electrical cables.  They are capable of detecting hardware taps and sniffers.
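To make the ping method concrete, here is a small simulation I’ve added to these notes (it is not part of the original lesson materials). It builds a real Ethernet/IPv4/ICMP echo frame with the destination MAC chosen independently of the destination IP, then models the two places a host can drop it: the NIC’s hardware filter (which in normal mode passes only frames addressed to its own MAC or to a broadcast/multicast address, and in promiscuous mode passes everything) and the IP stack (which checks the header checksums and the destination IP). The addresses, the tester host at 10.0.0.9, and the two-host model are constructed for the example.

```python
"""Simulation of the "ping method" for spotting a promiscuous-mode host.

Constructed for this example: the addresses, the frame builder and the
two-host model. It models the textbook NIC behaviour, not a live probe.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both IPv4 and ICMP headers.
    Verifying a header that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(dst_mac, src_mac, src_ip, dst_ip, ident=0x1234, seq=1) -> bytes:
    """Ethernet + IPv4 + ICMP echo request. dst_mac is set independently of
    dst_ip, which is the whole trick: a wrong MAC with the right IP."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + b"probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + icmp


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """The hardware filter. In normal mode the NIC passes up only frames sent
    to its own unicast MAC or to a group address (I/G bit set: broadcast or
    multicast). In promiscuous mode it passes everything."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == mac_bytes(own_mac) or (dst[0] & 0x01) == 1


def would_reply(frame: bytes, own_mac: str, own_ip: str, promiscuous: bool) -> bool:
    """Would this host's IP stack answer the echo request inside `frame`?
    Only frames the NIC accepted are seen; then the headers must verify and
    the destination IP must be ours."""
    if not nic_accepts(frame, own_mac, promiscuous):
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < total_len or inet_checksum(ip[:ihl]) != 0:
        return False  # truncated or corrupt IP header
    if ip[9] != IPPROTO_ICMP or str(ipaddress.IPv4Address(ip[16:20])) != own_ip:
        return False
    icmp = ip[ihl:total_len]
    return inet_checksum(icmp) == 0 and icmp[0] == ICMP_ECHO_REQUEST


def ping_method(suspect_mac: str, suspect_ip: str, promiscuous: bool) -> str:
    """Send a normal ping (control) and a wrong-MAC ping from a constructed
    tester host, and classify the suspect from the two answers."""
    tester_mac, tester_ip = "00:11:22:33:44:aa", "10.0.0.9"
    control = build_probe(suspect_mac, tester_mac, tester_ip, suspect_ip)
    bogus = build_probe("00:00:00:00:00:01", tester_mac, tester_ip, suspect_ip)
    if not would_reply(control, suspect_mac, suspect_ip, promiscuous):
        return "no answer even to a normal ping: host down or filtered"
    if would_reply(bogus, suspect_mac, suspect_ip, promiscuous):
        return "answered a ping addressed to the wrong MAC: likely promiscuous"
    return "ignored the wrong-MAC frame: NIC filtering normally"


if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}: {ping_method('00:11:22:33:44:55', '10.0.0.5', mode)}")
```

One caveat worth knowing before relying on this in the lab: the simulation models the classic behaviour the bullet describes, but modern kernels add a second filter above the NIC. Linux, for instance, tags a frame whose destination MAC isn’t the host’s as PACKET_OTHERHOST and drops it in ip_rcv() before ICMP ever sees it, so a promiscuous Linux box will usually stay silent and the ping method yields a false negative there. Sending a real probe also needs raw-socket privileges; this code only builds and evaluates frames in memory.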

  • Port security, or MAC filtering, will lock a specific MAC address to a specific port on a switch.  This way, it prevents ARP spoofing.
  • You could also go to the trouble of making a static ARP table and ignoring any spoofers sending out unsolicited ARP replies.
  • The most common method is to use network IDS/IPS products that look for suspicious traffic, like floods of unsolicited ARP replies or large volumes of DNS traffic.
  • The best way to deal with sniffers is to make them pointless.  If you use public-key encryption (like TLS), it won’t matter if you’re being sniffed; the eavesdropper won’t be able to read your packets anyway.
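The IDS-style check from the bullets above, as an added example that is not part of the original lesson: a small monitor that reads tcpdump-formatted ARP lines and raises an alert when an IP’s MAC binding changes (the static-ARP-table idea, used here as a seed of known-good bindings) or when one MAC sends a burst of replies nobody asked for. The sample lines are constructed in the shape of `tcpdump -n arp` output, not a real capture; the window and threshold values are assumptions you would tune per network.

```python
"""ARP-reply monitor for tcpdump-style ARP lines (added example; sample data
is constructed, not captured)."""
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output: a legitimate
# request/reply pair, then a burst of unsolicited replies from
# de:ad:be:ef:00:01 claiming two different IPs, then another legitimate pair.
SAMPLE_LINES = """\
12:00:00.100000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:00.100500 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:01.050000 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
12:00:01.100000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:01.150000 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
12:00:01.200000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:02.000000 ARP, Request who-has 10.0.0.30 tell 10.0.0.20, length 28
12:00:02.000700 ARP, Reply 10.0.0.30 is-at 00:11:22:33:44:30, length 28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, "
    r"(?:Request who-has (?P<req_ip>\S+) tell (?P<req_from>\S+)"
    r"|Reply (?P<rep_ip>\S+) is-at (?P<rep_mac>[0-9a-f:]{17}))"
)


def parse_ts(ts: str) -> float:
    """'12:00:01.050000' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(lines, static_table=None, window=2.0, flood_threshold=3):
    """Return a list of alert tuples.

    static_table: optional {ip: mac} of known-good bindings (the static ARP
    table idea); any reply disagreeing with it is reported as a MAC change.
    window: seconds a request stays 'open' waiting for its reply, and the
    span over which unsolicited replies per MAC are counted.
    flood_threshold: unsolicited replies from one MAC inside `window` that
    trigger one flood alert (assumed values, tune per network).
    """
    bindings = dict(static_table or {})   # ip -> mac currently believed
    pending = {}                          # ip -> deadline for an expected reply
    unsolicited = defaultdict(list)       # mac -> timestamps of unrequested replies
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        if m["req_ip"]:
            pending[m["req_ip"]] = t + window
            continue
        ip, mac = m["rep_ip"], m["rep_mac"]
        # 1. Binding change: the same IP now claimed by a different MAC.
        prev = bindings.setdefault(ip, mac)
        if prev != mac:
            alerts.append(("mac-change", ip, prev, mac))
            bindings[ip] = mac
        # 2. Unsolicited reply: no open request for this IP within the window.
        if ip in pending and pending[ip] >= t:
            del pending[ip]
            continue
        recent = [x for x in unsolicited[mac] if x >= t - window] + [t]
        unsolicited[mac] = recent
        if len(recent) == flood_threshold:   # fire once as the burst crosses the line
            alerts.append(("arp-reply-flood", mac, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES.splitlines()):
        print(alert)
```

Without a seed table the monitor only notices 10.0.0.1 changing hands, because the first reply it ever sees for 10.0.0.20 is already the spoofed one; seeding `static_table={"10.0.0.20": "00:11:22:33:44:20"}` catches that case as well, which is exactly the advantage of the static-table approach above.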

  • In the labs for this lesson, I would have my students work through a tcpdump tutorial (http://danielmiessler.com/study/tcpdump/). Most of them were already very familiar with Wireshark, but few had used tcpdump on the command line.
  • After that, we’d pair up and play with sniffing traffic.  I would start them out with the relatively simple arpspoof utility and then start using the more advanced ettercap.