
Sniffer Attack Techniques


DOCUMENT INFORMATION

Pages: 52
Size: 5.78 MB

Contents


Page 1

Sniffer

Page 3

Wiretapping

 Wiretapping is the process of monitoring telephone and Internet conversations by a third party.
 … software, or both of them) to get the information on the circuit between two hosts or two phones.

Page 4

Sniffer Threats

 An attacker can steal sensitive information by sniffing the network:
   Email traffic
   Web traffic
   Chat sessions
   FTP passwords
   Router configuration
   DNS traffic
   Syslog traffic
   Telnet traffic
 By configuring a network adapter in promiscuous mode, an attacker can capture and analyze traffic on the network.
 Many enterprise network switch ports are left open, so an attacker can sniff easily.
 A packet sniffer can only capture packet information within a given network.
 A laptop can plug into the network and gain access.

Page 5

How a Sniffer Works

 The sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
 The sniffer can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packets.

Page 6

[Diagram: hacker attacks the switching infrastructure]

Page 7

Type of Sniffing: Passive Sniffing

 Passive sniffing means sniffing through a hub. On a hub the traffic is sent to all ports.
 Passive sniffing involves sending no packets, only monitoring the packets sent by others.
 Active sniffing involves sending out multiple network probes to identify access points (APs). Hub usage is outdated today.

Page 8

Type of Sniffing: Active Sniffing

 … known as active sniffing
 … network that cause traffic

Active sniffing:
 ARP spoofing
 MAC duplicating
 DHCP starvation
 MAC flooding

Page 9

Protocols Vulnerable to Sniffing

 Telnet and Rlogin
 Data sent in clear text
 Password and data sent in clear text

Page 10

Tie to Data Link Layer in OSI Model

 … model. They do not adhere to the same rules as applications and services that reside further up the stack.
 … compromised without the other layers being aware of the problem.

Page 11

Hardware Protocol Analyzers

 A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment.
 It captures data packets and analyzes their content according to certain predetermined rules.
 It can be used to monitor network usage and identify malicious …

Page 12

SPAN Port

Page 14

MAC Address Flooding

 MAC flooding involves flooding the switch with numerous requests.
 Switches have limited memory for mapping the various MAC addresses to the physical ports on the switch.
 MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up.
 The switch then acts as a hub by broadcasting packets to all machines on the network, and the attacker can sniff the traffic easily.

[Diagram: attacker sends numerous MAC addresses to the switch and receives the traffic of users]

Page 15

MAC Address / CAM Table

 … has a fixed size
 … available on physical ports with their associated VLAN parameters

Page 16

How CAM Works

Page 17

How CAM Works

Page 18

What Happens When the CAM Table Is Full?

 … additional ARP request traffic will flood every port on the switch.
 This will basically turn a switch into a hub.
 … adjacent switches

Page 19

MAC Flooding: macof

 … collection
 … address
 … (131,000 per min) by sending bogus MAC entries

Page 20

MAC Flooding: Yersinia

Page 21

Defend Against MAC Attacks
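The slides on pages 14 to 18 state two facts about the CAM table (it has a fixed size, and once it is full the switch floods frames for unknown destinations like a hub) but the defence slide carries only its title. The following is an added example, not from the slide deck, that models a tiny learning switch with a fixed-size CAM table and a port-security style learning limit (one common defence against MAC flooding). Without the limit, an attacker port that floods bogus source MACs fills the table and a later frame between two legitimate hosts is flooded to every port, including the attacker's; with the limit, the flooding port is error-disabled after a few MACs and the legitimate frame is delivered only to its destination. `CAM_SIZE`, `MAX_MACS_PER_PORT`, the port numbers and all MAC addresses are constructed for the demo.

```python
"""CAM-table model and a port-security check against MAC flooding (added example)."""
from collections import OrderedDict, defaultdict

NUM_PORTS = 4
CAM_SIZE = 8            # deliberately tiny fixed CAM size for the demo (assumption)
MAX_MACS_PER_PORT = 2   # port-security style learning limit per port (assumption)


class Switch:
    """Minimal learning switch with a fixed-size CAM table."""

    def __init__(self, port_security=False):
        self.cam = OrderedDict()            # source MAC -> port
        self.port_security = port_security
        self.macs_on_port = defaultdict(set)
        self.err_disabled = set()           # ports shut down by port security
        self.flooded_frames = 0             # frames sent out every port (hub behaviour)

    def _learn(self, src_mac, port):
        """Learn a source MAC; returns False when port security shuts the port."""
        if self.port_security:
            self.macs_on_port[port].add(src_mac)
            if len(self.macs_on_port[port]) > MAX_MACS_PER_PORT:
                self.err_disabled.add(port)
                return False
        # A full table cannot learn new MACs: only existing entries are refreshed.
        if src_mac in self.cam or len(self.cam) < CAM_SIZE:
            self.cam[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for a frame (empty set = dropped)."""
        if in_port in self.err_disabled or not self._learn(src_mac, in_port):
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        self.flooded_frames += 1            # unknown destination: flood like a hub
        return {p for p in range(1, NUM_PORTS + 1) if p != in_port}


def bogus_mac(i):
    """Constructed attacker MAC (02:... is a locally administered prefix)."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)


def run_scenario(port_security):
    """Port 3 floods 20 bogus MACs, then host A (port 1) sends a frame to host B (port 2).

    Returns (egress ports of A's frame, attacker port disabled?, CAM entries).
    """
    sw = Switch(port_security=port_security)
    for i in range(20):                     # 20 bogus MACs, more than CAM_SIZE
        sw.forward(bogus_mac(i), "ff:ff:ff:ff:ff:ff", in_port=3)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.forward(host_b, host_a, in_port=2)   # B speaks first so the switch could learn it
    egress = sw.forward(host_a, host_b, in_port=1)
    return egress, 3 in sw.err_disabled, len(sw.cam)


if __name__ == "__main__":
    print("no port security:", run_scenario(False))   # A's frame reaches ports 2, 3 and 4
    print("port security:   ", run_scenario(True))    # A's frame reaches port 2 only
```

With `port_security=False` the attacker's 20 frames occupy all eight CAM slots, host B can no longer be learned, and host A's frame is flooded to ports 2, 3 and 4, so the attacker on port 3 receives it. With `port_security=True` the third bogus MAC on port 3 trips the limit, the port is error-disabled, and A's frame goes to port 2 only. Real switches also age out entries and may send an SNMP trap or syslog message on a violation; both are omitted here.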

Page 23

How Does DHCP Operate?

 … information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server
 … clients in the form of a lease offer

Page 24

How Does DHCP Operate?

Page 25

DHCP Starvation Attack

 … DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope

[Diagram: attacker ("My MAC addresses are random") exhausts the DHCP server's scope]

Page 26

Rogue DHCP Server Attack

 … and provides DHCP addresses to users

[Diagram: legitimate DHCP server and rogue server]
1. DHCP Discovery (broadcast)
2. DHCP Offer (unicast) from the rogue server
3. DHCP Request (broadcast)
4. DHCP Ack (unicast) from the rogue DHCP server

Page 27

How to Defend Against DHCP Starvation and Rogue DHCP Attacks

Page 29

What Is Address Resolution Protocol (ARP)?

 … physical address that is recognized in a local network
 … another, it looks up the ARP table; if the MAC address is not found in the table, the ARP request is broadcast over the network
 … address to MAC address
 If one of them identifies with this address, the machine will respond to the ARP, which will store the …

Page 30

ARP Spoofing Attack

 ARP packets can be forged to send data to the attacker's machine.
 ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload the switch.
 Attackers flood a target computer's cache with forged entries, which is also …
 The switch is set in "forwarding mode" after the ARP table is flooded with spoofed ARP replies, and the attacker can sniff all the network packets.

Page 31

ARP Spoofing attack

Page 32

Threat of ARP Poisoning

 Using ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC.

Page 33

ARP Poisoning Tools

 Cain & Abel
 Ettercap
 WinArpAttacker
 Dsniff

Page 34

How to Defend Against ARP Poisoning?

 Use the DHCP snooping binding table and Dynamic ARP Inspection
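The defence named on this slide, and the DHCP starvation and rogue DHCP server attacks on pages 25 to 27, all hinge on one data structure: the DHCP snooping binding table that a switch builds by watching DHCP exchanges. The following is an added example, not from the slide deck, that models both mechanisms over constructed packets: DHCP server messages (OFFER/ACK) are accepted only from a trusted uplink port, so a rogue server on an access port is dropped; DISCOVERs per untrusted port are rate-limited, which blunts starvation; ACKs seen on the trusted port populate the binding table; and Dynamic ARP Inspection then drops any ARP packet on an untrusted port whose sender MAC/IP pair is not bound to that port, which covers both ARP poisoning and MAC duplication. `TRUSTED_PORTS`, `DISCOVER_LIMIT`, the port numbers, MAC addresses and IP addresses are all constructed for the demo.

```python
"""DHCP snooping binding table and Dynamic ARP Inspection over constructed packets (added example)."""
from collections import defaultdict

TRUSTED_PORTS = {1}     # uplink toward the legitimate DHCP server (assumption)
DISCOVER_LIMIT = 5      # DISCOVERs allowed per untrusted port per window (assumption)


class SnoopingSwitch:
    def __init__(self):
        self.bindings = {}                  # (client_mac, ip) -> access port
        self.pending_port = {}              # client_mac -> port its DISCOVER/REQUEST arrived on
        self.discovers = defaultdict(int)   # untrusted port -> DISCOVER count in this window
        self.events = []                    # (event, port) records for a syslog/SIEM feed

    def on_dhcp(self, pkt):
        """Return 'forward' or 'drop' for a DHCP message seen on pkt['port']."""
        port, kind = pkt["port"], pkt["type"]
        if kind in ("OFFER", "ACK") and port not in TRUSTED_PORTS:
            self.events.append(("ROGUE_DHCP", port))        # server role on an access port
            return "drop"
        if kind in ("DISCOVER", "REQUEST") and port not in TRUSTED_PORTS:
            if kind == "DISCOVER":
                self.discovers[port] += 1
                if self.discovers[port] > DISCOVER_LIMIT:
                    self.events.append(("DHCP_STARVATION", port))
                    return "drop"
            self.pending_port[pkt["client_mac"]] = port
        if kind == "ACK":                                   # trusted ACK completes a binding
            client_port = self.pending_port.get(pkt["client_mac"])
            if client_port is not None:
                self.bindings[(pkt["client_mac"], pkt["yiaddr"])] = client_port
        return "forward"

    def on_arp(self, pkt):
        """DAI: ARP from an untrusted port must match a binding on that same port."""
        if pkt["port"] in TRUSTED_PORTS:
            return "forward"
        if self.bindings.get((pkt["sender_mac"], pkt["sender_ip"])) == pkt["port"]:
            return "forward"
        self.events.append(("ARP_SPOOF", pkt["port"]))
        return "drop"


def run_demo():
    """Constructed traffic: a legitimate lease, a rogue server, a DISCOVER burst, bad ARP."""
    sw = SnoopingSwitch()
    client = "aa:bb:cc:00:00:10"
    sw.on_dhcp({"port": 2, "type": "DISCOVER", "client_mac": client})
    sw.on_dhcp({"port": 1, "type": "OFFER", "client_mac": client, "yiaddr": "10.0.0.20"})
    sw.on_dhcp({"port": 2, "type": "REQUEST", "client_mac": client})
    sw.on_dhcp({"port": 1, "type": "ACK", "client_mac": client, "yiaddr": "10.0.0.20"})
    out = {"binding": sw.bindings.get((client, "10.0.0.20"))}
    # A second DHCP server answering from access port 4.
    out["rogue_offer"] = sw.on_dhcp({"port": 4, "type": "OFFER", "client_mac": client,
                                     "yiaddr": "10.0.0.99"})
    # Eight DISCOVERs with eight different client MACs arriving on port 3.
    verdicts = [sw.on_dhcp({"port": 3, "type": "DISCOVER",
                            "client_mac": "02:00:00:00:00:%02x" % i}) for i in range(8)]
    out["starvation_dropped"] = verdicts.count("drop")
    # ARP: the client's own announcement; port 3 claiming the client's IP;
    # port 3 duplicating the client's MAC and IP (the binding belongs to port 2).
    out["legit_arp"] = sw.on_arp({"port": 2, "sender_mac": client, "sender_ip": "10.0.0.20"})
    out["spoofed_ip"] = sw.on_arp({"port": 3, "sender_mac": "02:00:00:00:00:ff",
                                   "sender_ip": "10.0.0.20"})
    out["duplicated_mac"] = sw.on_arp({"port": 3, "sender_mac": client, "sender_ip": "10.0.0.20"})
    out["events"] = sorted(set(e[0] for e in sw.events))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The binding is keyed on the MAC/IP pair and checked against the ingress port, so a host that copies a legitimate MAC and IP from a different port is still rejected. Production switches add lease expiry to the table and usually rate-limit ARP per port as well; `events` is the hook where a real deployment would emit syslog for the SOC.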

Page 36

MAC Spoofing / Duplicating

 … network for the MAC addresses of clients who are actively associated with a switch port and re-uses one of those addresses
 By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for …

Page 37

Spoofing Attack Threats

 MAC spoofing
   … can gain access to the network
   … already on the network
 IP spoofing

Page 38

MAC Spoofing Tools

 SMAC (Windows)
 Macchanger (Linux)

Page 39

How to Defend Against MAC Spoofing?

Page 41

DNS Poisoning

 … server into believing that it has received authentic information when, in reality, it has not.
 It results in the substitution of a false Internet provider address at the domain name service level, where web addresses are converted into numeric Internet provider addresses.
 Intranet DNS spoofing (local network)

Page 42

Intranet DNS Spoofing

 … area network and be able to sniff packets
 … the router
 The attacker poisons the router and redirects DNS requests to his machine.

[Diagram: DNS request for the real www.abc.com web site; real web site www.abc.com, IP: 203.134.1.1]

Page 43

Internet DNS Spoofing

 … machine with a trojan and changes her DNS IP address to the attacker's PC

[Diagram: attacker infects the victim's machine; DNS request goes to 193.168.1.1; DNS response: "www.abc.com is located at 194.168.1.1"; fake web site, IP 194.168.1.1; real web site www.abc.com, IP: 203.134.1.1; victim browses to 194.168.1.1]

Page 44

Proxy Server DNS Poisoning

 … changes her proxy settings in IE to the attacker's …

[Diagram: attacker changes her proxy setting to 194.168.1.1; all victim web requests go through the hacker's machine; attacker sends the victim's request …]

Page 45

DNS Cache Poisoning

 DNS cache poisoning involves changing or adding records in the resolver cache of the DNS server, so that a DNS query for a domain returns the IP address of a fake web site set up by the attacker.
 If the server cannot validate that DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request.

[Diagram: internal DNS authority server for abc.com; … with IP of fake web site; DNS cache at the user is loaded with the IP of the fake web site; redirect to fake web site]

Page 46

How to Defend Against DNS Spoofing

1. Resolve all DNS queries to the local DNS server
2. Block DNS requests from going to external servers
3. Implement DNSSEC
4. Configure the DNS resolver to use a new random source port from its available range for each outgoing query
5. Configure the firewall to restrict external DNS lookups
6. Restrict the DNS recursion service, either fully or partially, to authorized users
7. Use DNS Non-Existent Domain (NXDOMAIN) rate limiting
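Page 45 says a cache is poisoned when the server "cannot validate that DNS responses have come from an authoritative source", and item 4 on page 46 prescribes a random source port per query. The following is an added example, not from the slide deck, of the checks a cautious stub resolver applies before caching a reply: the reply must match an outstanding query by transaction ID and by the randomised source port the query left from, it must come from the server the query was sent to, it must repeat the same question, and only records inside the zone being queried (the bailiwick) are cached; anything else is discarded. The web-site names and IPs (www.abc.com, 203.134.1.1, 194.168.1.1) are the slides' examples; `SERVER_IP`, the hypothetical zone `abc.com` and all message fields are constructed for the demo. DNSSEC (item 3) is what closes the remaining gap when an attacker guesses both ID and port; it is not modelled here.

```python
"""Response validation in a stub DNS resolver against cache poisoning (added example)."""
import secrets

SERVER_IP = "198.51.100.53"   # constructed address of the internal DNS server for abc.com


def in_bailiwick(name, zone):
    """True when name equals zone or is a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.outstanding = {}   # (txid, src_port) -> query details
        self.cache = {}         # (name, type) -> rdata

    def send_query(self, name, rtype, server_ip, zone):
        """Register a query under a random 16-bit ID and a random ephemeral source port."""
        key = (secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512))
        self.outstanding[key] = {"name": name, "rtype": rtype,
                                 "server_ip": server_ip, "zone": zone}
        return key

    def receive(self, resp):
        """Validate a reply and cache only what passes; returns a verdict string."""
        key = (resp["txid"], resp["dst_port"])
        q = self.outstanding.get(key)
        if q is None:
            return "drop: no outstanding query with this ID and port"
        if resp["src_ip"] != q["server_ip"] or resp["src_port"] != 53:
            return "drop: reply not from the queried server"
        if (resp["qname"], resp["qtype"]) != (q["name"], q["rtype"]):
            return "drop: question section differs from the query"
        cached = 0
        for rr in resp["records"]:
            if not in_bailiwick(rr["name"], q["zone"]):
                continue                        # out of bailiwick: never cached
            self.cache[(rr["name"], rr["type"])] = rr["rdata"]
            cached += 1
        del self.outstanding[key]               # one reply per query; later copies are dropped
        return f"accept: cached {cached} record(s)"


def run_demo():
    """Constructed exchange: one query, one mis-addressed reply, one genuine reply, one replay."""
    r = Resolver()
    txid, port = r.send_query("www.abc.com", "A", SERVER_IP, zone="abc.com")
    base = {"src_ip": SERVER_IP, "src_port": 53, "qname": "www.abc.com", "qtype": "A"}
    out = {}
    # Reply with the right ID that assumes the resolver still listens on port 53.
    out["fixed_port"] = r.receive({**base, "txid": txid, "dst_port": 53, "records": [
        {"name": "www.abc.com", "type": "A", "rdata": "194.168.1.1"}]})
    # Genuine reply that also carries one record outside abc.com.
    genuine = {**base, "txid": txid, "dst_port": port, "records": [
        {"name": "www.abc.com", "type": "A", "rdata": "203.134.1.1"},
        {"name": "www.other.example", "type": "A", "rdata": "194.168.1.1"}]}
    out["genuine"] = r.receive(genuine)
    out["replay"] = r.receive(genuine)
    out["cache"] = dict(r.cache)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Only the in-zone www.abc.com record reaches the cache; the www.other.example record is silently dropped because it is outside the zone that was asked about, and the second copy of the genuine reply is rejected because the outstanding query was already consumed. Item 1 and item 2 on the slide (keep queries on the local resolver, block direct external DNS) are network-level policies that sit in front of this per-reply logic.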

Page 48

Countermeasures

Page 49

Sniffing Prevention Techniques

Page 50

How to Detect Sniffing?

Page 51

Detecting Sniffers

Page 52

Detecting Sniffers

Posted: 17/10/2015, 13:18
