
Nov 27, 2014

Sangwook Lee

COM850 Computer Hacking and Security

0x440 Network Sniffing

Table of Contents

• Network Sniffing

• Sniffing Tools

• ARP Spoofing

0X440 NETWORK SNIFFING

What is Network Sniffing?

The act of capturing packets that aren't necessarily meant for public viewing is called SNIFFING


Two Sniffing Flows According to Network

• Non-switched network environment
  1. Setting the promiscuous mode
  2. Packet capturing

• Switched network environment
  1. ARP spoofing
  2. Packet capturing


Non-switched vs. Switched Network

• The flow of traffic in a non-switched network
  Step 1: Node A transmits a frame to Node C
  Step 2: The hub will broadcast this frame to every active port
  Step 3: Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame
  Step 4: Node C will receive the frame and will examine the address in the frame. After determining that it is the intended host, it will process the frame further

It should be noted that steps 3 and 4 can be reversed in order


Non-switched vs. Switched Network

• The flow of traffic in a switched network
  Step 1: Node A transmits a frame to Node C
  Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection
  Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further


Sniffing Non-switched Network

• For a host to be used as a sniffing agent,
  – the NIC must be set to promiscuous mode

After promiscuous mode is set, the NIC no longer drops network frames which are addressed to other hosts


Sniffing Non-switched Network

• Setting the promiscuous mode

$ sudo ifconfig eth0 promisc
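The flag that `ifconfig eth0 promisc` turns on is IFF_PROMISC, and the same flag can be read back. The following is an added example, not part of the lecture, that reports whether a named interface currently has IFF_PROMISC set, so an administrator can spot a host that has been turned into a sniffing agent. It uses the SIOCGIFFLAGS ioctl, which needs no privilege; the interface name is taken from the command line and defaults to eth0 (an assumption, since the lecture uses eth0).

```c
/* Added example (not from the lecture): read IFF_PROMISC for one interface.
 * SIOCGIFFLAGS is the same flag word that "ifconfig eth0 promisc" sets. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <unistd.h>

/* Returns 1 if the interface is in promiscuous mode, 0 if it is not,
 * -1 on error (for example, no such interface). */
int is_promiscuous(const char *ifname)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* any socket works for this ioctl */
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr);
    close(fd);
    if (rc < 0) return -1;
    return (ifr.ifr_flags & IFF_PROMISC) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* eth0 as in the lecture */
    int r = is_promiscuous(ifname);
    if (r < 0) { perror(ifname); return 1; }
    printf("%s: promiscuous mode %s\n", ifname, r ? "ON" : "off");
    return 0;
}
```

Caveat: this reads the administratively set flag. On Linux a capture library that enables promiscuous mode through a packet-socket membership is counted in the interface's promiscuity counter (`ip -d link show` prints `promiscuity N`) and need not be reflected in this ioctl, so check both when auditing a host.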


Packet Capturing Tools

• Sniffers
  – tcpdump
  – dsniff

• Raw socket sniffer
  – raw_tcpsniff
  – pcap_sniff (with libpcap)
  – decode_sniff (with libpcap)


Sniffer: tcpdump

$ sudo tcpdump -X 'ip host <victim IP>'


Sniffer: dsniff

$ sudo dsniff -n


Raw Socket

• A raw socket is a network socket that allows direct sending and receiving of Internet protocol packets without any protocol-specific transport layer formatting

• A raw socket is specified by using SOCK_RAW as the type

• There are multiple protocol options
  – IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP


Raw Socket Sniffer: raw_tcpsniff

raw_tcpsniff.c


Raw Socket Sniffer: raw_tcpsniff

$ gcc -o raw_tcpsniff raw_tcpsniff.c

$ sudo ./raw_tcpsniff


Raw Socket Sniffer with Libpcap: pcap_sniff

pcap_sniff.c


Raw Socket Sniffer with Libpcap: pcap_sniff

$ gcc -o pcap_sniff pcap_sniff.c -lpcap

$ sudo ./pcap_sniff


Raw Socket Sniffer with Libpcap: decode_sniff

decode_sniff.c


Raw Socket Sniffer with Libpcap: decode_sniff

$ gcc -o decode_sniff decode_sniff.c -lpcap

$ sudo ./decode_sniff
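The source of decode_sniff.c appears in the slides only as a screenshot, so the decoding step it performs is shown here as an added example that is not the lecture's code. Once libpcap hands a callback the raw bytes of a frame, the sniffer walks the Ethernet, IPv4 and TCP headers by byte offset, bounds-checking each before reading it, and then points at the payload. No libpcap call is made, so the example runs offline on a constructed frame that uses the lecture's own addresses (1.1.1.10 to 1.1.1.30); the frame, the ports and the "GET / HTTP/1.0" payload are constructed, not captured.

```c
/* Added example, not the lecture's decode_sniff.c: decode the Ethernet, IPv4
 * and TCP headers of a captured frame by byte offsets, the step a libpcap
 * callback performs on the bytes pcap_loop() hands it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct decoded {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;
    uint8_t  ip_ttl, ip_proto;
    char     src_ip[16], dst_ip[16];
    uint16_t src_port, dst_port;
    uint32_t seq;
    uint8_t  tcp_flags;
    const uint8_t *payload;
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success; -1 if the frame is not IPv4/TCP or any header runs
 * past the captured length (every offset is bounds-checked before use). */
int decode_frame(const uint8_t *frame, size_t len, struct decoded *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                          /* Ethernet header */
    memcpy(out->dst_mac, frame, 6);
    memcpy(out->src_mac, frame + 6, 6);
    out->ethertype = rd16(frame + 12);
    if (out->ethertype != 0x0800) return -1;          /* IPv4 only */

    const uint8_t *ip = frame + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* header length incl. options */
    size_t tot = rd16(ip + 2);                        /* IP total length */
    if (ihl < 20 || tot < ihl || 14 + tot > len) return -1;
    out->ip_ttl = ip[8];
    out->ip_proto = ip[9];
    snprintf(out->src_ip, sizeof out->src_ip, "%u.%u.%u.%u",
             (unsigned)ip[12], (unsigned)ip[13], (unsigned)ip[14], (unsigned)ip[15]);
    snprintf(out->dst_ip, sizeof out->dst_ip, "%u.%u.%u.%u",
             (unsigned)ip[16], (unsigned)ip[17], (unsigned)ip[18], (unsigned)ip[19]);
    if (out->ip_proto != 6) return -1;                /* TCP only */

    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = tot - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;         /* data offset incl. options */
    if (doff < 20 || doff > tcp_len) return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);
    out->tcp_flags = tcp[13];
    out->payload = tcp + doff;
    out->payload_len = tcp_len - doff;
    return 0;
}

/* Constructed frame (not a real capture) using the lecture's addresses:
 * 00:00:00:AA:AA:AA/1.1.1.10:40000 -> 00:00:00:CC:CC:CC/1.1.1.30:80,
 * PSH|ACK carrying "GET / HTTP/1.0\r\n". Checksums are left zero; this
 * decoder does not verify them. */
static const uint8_t sample_frame[] = {
    0x00,0x00,0x00,0xCC,0xCC,0xCC, 0x00,0x00,0x00,0xAA,0xAA,0xAA, 0x08,0x00,
    0x45,0x00, 0x00,0x38, 0x00,0x01, 0x40,0x00, 0x40, 0x06, 0x00,0x00,
    0x01,0x01,0x01,0x0A, 0x01,0x01,0x01,0x1E,
    0x9C,0x40, 0x00,0x50, 0x12,0x34,0x56,0x78, 0x00,0x00,0x00,0x00,
    0x50, 0x18, 0xFF,0xFF, 0x00,0x00, 0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'
};

int decode_sample(struct decoded *out)
{
    return decode_frame(sample_frame, sizeof sample_frame, out);
}

int main(void)
{
    struct decoded d;
    if (decode_sample(&d) != 0) { puts("not an IPv4/TCP frame"); return 1; }
    printf("%s:%u -> %s:%u  ttl=%u flags=0x%02x seq=%u payload=%zu bytes\n",
           d.src_ip, (unsigned)d.src_port, d.dst_ip, (unsigned)d.dst_port,
           (unsigned)d.ip_ttl, (unsigned)d.tcp_flags, (unsigned)d.seq, d.payload_len);
    fwrite(d.payload, 1, d.payload_len, stdout);
    return 0;
}
```

The length checks are the part worth copying: a sniffer that trusts the IHL, total-length or data-offset fields of a frame it did not produce is itself reading attacker-controlled offsets, so every header is bounded by the captured length before it is touched.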


Sniffing Switched Networks

• ARP spoofing

One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include its MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.


Sniffing Switched Network

• ARP spoofing using NEMESIS
  – Attacker (System B)
    • IP: 1.1.1.20
    • MAC: 00:00:00:BB:BB:BB
  – Victim1 (System A)
    • IP: 1.1.1.10
    • MAC: 00:00:00:AA:AA:AA
  – Victim2 (System C)
    • IP: 1.1.1.30
    • MAC: 00:00:00:CC:CC:CC


Sniffing Switched Network

• ARP spoofing using NEMESIS

Attacker (System B) → Victim2 (System C):

$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.10 -D 1.1.1.30 -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC

Attacker (System B) → Victim1 (System A):

$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.30 -D 1.1.1.10 -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA


Sniffing Switched Network

• ARP spoofing using NEMESIS

ARP Cache of Victim1 (System A)

ARP Cache of Victim2 (System C)
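The change the two forged replies make to the victims' ARP caches is also what makes the attack detectable. The following is an added example, not part of the lecture, of a minimal ARP-reply monitor in the spirit of arpwatch: it records the IP-to-MAC binding announced by every ARP reply it sees and alerts when a later reply claims an IP that is already bound to a different MAC. It also flags a reply whose ARP sender MAC differs from the Ethernet source MAC. The frames it processes are constructed inline from the lecture's addresses (1.1.1.10/AA, 1.1.1.20/BB, 1.1.1.30/CC); nothing is captured or sent, and the function and type names are this example's own.

```c
/* Added example, not part of the lecture: an ARP-reply monitor that alerts
 * when an IP's announced MAC changes (the flip an ARP spoof produces). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BINDINGS 64

struct binding { uint32_t ip; uint8_t mac[6]; };
struct arp_monitor { struct binding table[MAX_BINDINGS]; size_t n; int alerts; };

/* Ethernet/IPv4 ARP reply header: htype 1, ptype 0x0800, hlen 6, plen 4, opcode 2 */
static const uint8_t arp_reply_hdr[8] = {0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Feed one Ethernet frame. Returns 1 if it raised an alert, 0 otherwise.
 * Non-ARP frames and ARP requests are ignored: only replies rewrite caches. */
int arp_monitor_observe(struct arp_monitor *m, const uint8_t *frame, size_t len)
{
    if (len < 14 + 28 || frame[12] != 0x08 || frame[13] != 0x06) return 0;
    const uint8_t *arp = frame + 14;
    if (memcmp(arp, arp_reply_hdr, 8) != 0) return 0;
    const uint8_t *sha = arp + 8;                                /* sender MAC */
    uint32_t spa = ip4(arp[14], arp[15], arp[16], arp[17]);      /* sender IP */

    int alert = 0;
    /* Check 1: the ARP sender MAC should match the Ethernet source MAC. */
    if (memcmp(sha, frame + 6, 6) != 0) alert = 1;
    /* Check 2: a known IP must not change MAC. The first-seen binding is
     * kept, so every repeated forged reply keeps alerting. */
    size_t i = 0;
    while (i < m->n && m->table[i].ip != spa) i++;
    if (i == m->n) {
        if (m->n < MAX_BINDINGS) {
            m->table[i].ip = spa; memcpy(m->table[i].mac, sha, 6); m->n++;
        }
    } else if (memcmp(m->table[i].mac, sha, 6) != 0) {
        alert = 1;
    }
    if (alert) {
        m->alerts++;
        printf("ALERT: ARP reply says %u.%u.%u.%u is at %02x:%02x:%02x:%02x:%02x:%02x\n",
               spa >> 24, (spa >> 16) & 0xff, (spa >> 8) & 0xff, spa & 0xff,
               (unsigned)sha[0], (unsigned)sha[1], (unsigned)sha[2],
               (unsigned)sha[3], (unsigned)sha[4], (unsigned)sha[5]);
    }
    return alert;
}

/* Build a 42-byte Ethernet frame carrying the ARP reply "spa is at sha",
 * addressed to tha/tpa, with the Ethernet source set to sha. */
static size_t build_arp_reply(uint8_t *buf, const uint8_t *sha, uint32_t spa,
                              const uint8_t *tha, uint32_t tpa)
{
    memcpy(buf, tha, 6); memcpy(buf + 6, sha, 6); buf[12] = 0x08; buf[13] = 0x06;
    memcpy(buf + 14, arp_reply_hdr, 8);
    memcpy(buf + 22, sha, 6);
    for (int k = 0; k < 4; k++) buf[28 + k] = (uint8_t)(spa >> (24 - 8 * k));
    memcpy(buf + 32, tha, 6);
    for (int k = 0; k < 4; k++) buf[38 + k] = (uint8_t)(tpa >> (24 - 8 * k));
    return 42;
}

static int feed(struct arp_monitor *m, const uint8_t *sha, uint32_t spa,
                const uint8_t *tha, uint32_t tpa)
{
    uint8_t f[42];
    size_t n = build_arp_reply(f, sha, spa, tha, tpa);
    return arp_monitor_observe(m, f, n);
}

/* Replays the lecture's scenario on constructed frames: two genuine replies,
 * then the two forged replies the nemesis commands produce. Returns the
 * number of alerts raised. */
int run_sample(struct arp_monitor *m)
{
    static const uint8_t mac_a[6] = {0,0,0,0xAA,0xAA,0xAA};   /* Victim1, 1.1.1.10 */
    static const uint8_t mac_b[6] = {0,0,0,0xBB,0xBB,0xBB};   /* Attacker, 1.1.1.20 */
    static const uint8_t mac_c[6] = {0,0,0,0xCC,0xCC,0xCC};   /* Victim2, 1.1.1.30 */
    uint32_t ip_a = ip4(1,1,1,10), ip_c = ip4(1,1,1,30);
    memset(m, 0, sizeof *m);
    feed(m, mac_c, ip_c, mac_a, ip_a);   /* genuine: 1.1.1.30 is at CC */
    feed(m, mac_a, ip_a, mac_c, ip_c);   /* genuine: 1.1.1.10 is at AA */
    feed(m, mac_b, ip_c, mac_a, ip_a);   /* forged: 1.1.1.30 "is at" BB -> alert */
    feed(m, mac_b, ip_a, mac_c, ip_c);   /* forged: 1.1.1.10 "is at" BB -> alert */
    return m->alerts;
}

int main(void)
{
    struct arp_monitor m;
    printf("%d alert(s)\n", run_sample(&m));
    return 0;
}
```

In a real deployment the bindings would be seeded from a known-good inventory or DHCP leases rather than from the first reply seen, since a monitor started after the forged replies would otherwise learn the attacker's MAC as the legitimate one.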

the end
