Design a client side Code Generator for Generating an OTP to Preventing
Password Phishing and Sniffing.
1 Mohammad Jawad Kadhim, 2 Mr. Ajendra Isaacs
1 M.Sc. Scholar, Dept. of CS&IT, SHIATS – DU, Allahabad, India, Email: mu4su@yahoo.com
2 Assistant Professor, Dept. of CS&IT, SHIATS – DU, Allahabad, India, Email: davidisaacs2001@gmail.com
ABSTRACT
Hackers constantly penetrate networks to steal passwords and personal and financial data in many ways, such as phishing, sniffing, social engineering and other methods.
In this paper we discuss the possibility of creating a Code Generator on the client side that generates a one-time password, in order to reduce the chances of password theft.
At first the web site creates a password made of two parts. The first part is sent directly to the user inside a small piece of software that the user downloads and installs on his PC, while the second part is received by SMS message or email only once; no further SMS messages need to be sent after that.
Merging the two parts on the client side generates the new password, and at the same time the same password is generated on the web site.
This password is used only once: when you need to enter your page again you ask the software on your side to generate a new password, and this is exactly what happens when you log out of your account on the server side.
Index Terms
Phishing, Sniffing, Prevent Password Stealing, One Time
Password, OTP, Code Generator, Client Side Code Generator.
I. INTRODUCTION
Phishing and sniffing are the methods most commonly used to steal passwords and other authentication information.
In phishing, attackers send spoofed e-mail messages that seem to come from a legitimate source. Trojans, malware and other malicious software are also used for phishing attacks. Since the SMTP protocol does not validate or authenticate the sender of an email, anyone can claim to be a valid sender such as a bank, a credit card company or another agency. Cyber criminals make sure that the message appears as trustworthy as possible, including formats similar to the legitimate message. By using such social engineering techniques they are able to lure the victims into responding to those messages [1].
Sniffing, on the other hand, is the attacker inserting itself between two communicating hosts to obtain their messages and steal passwords and personal information.
In Ethernet, when the two sides of a communication send messages they need not only the network logical (IP) address but also the network physical (MAC) address, so the problem arises of how to obtain the MAC address from the IP address; the ARP protocol is used to solve this problem [1]. The ARP table keeps the mapping between IP and MAC addresses and is updated continuously. Network attackers use several spoofing methods that exploit this weakness of the ARP protocol, and this seriously threatens network security.
In this paper we prevent both attacks using a new mechanism for implementing the one-time password (OTP).
The research has been done with PHP5 and MySQL on the server side and VB.Net on the client side.
The structure of the paper is:
1- Section 2 provides a brief overview of the different types of phishing and sniffing attacks.
2- Section 3 describes different phishing and sniffing techniques.
3- Section 4 presents an example that shows the mechanism of prevention using the code generators.
4- Section 5 presents future work and concludes the article.
II. PHISHING & SNIFFING ATTACKS
II.I TYPES OF PHISHING ATTACKS
Phishing attacks are not limited to spoofed emails; they also use search engines, man-in-the-middle attacks, malware, Trojans, instant messaging, social networking sites, etc. Below are some major categories of phishing.
II.I.I Clone Phishing
This is a type of attack where a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create a cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender [6]. It may claim to be a re-send of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email [7].
II.I.II Spear Phishing
This is a technique where a specific victim is targeted. Information about the victim is known prior to the attack, and the email is sent from a source known to the victim. Because of the trust placed in received email, this kind of attack has a high probability of success. An example would be
II.II TYPES OF SNIFFING ATTACKS
II.II.I External network sniffing
Assume that host A and host B are in the same network and will communicate with each other, while host C is outside the network, as illustrated in Fig. 1.
Figure.1 External network sniffing.
If the attacker C wants to sniff the communication between host A and host B, its traffic must pass the router. Considering the survival time of a message from the inside network to the outside network, the attacker modifies the TTL of its IP packets to make sure it has enough time to deliver response packets to the destination host. Host C sends an ARP response packet to host A. The format of the packet is shown in Table 1:

Source MAC Address   Source IP Address   Destination MAC Address   Destination IP Address
0C-1C-2C-3C-4C-CC    10.1.1.200          0A-1A-2A-3A-4A-AA         10.1.1.100

Table 1 ARP response packet sent to host A.
When host A receives the ARP response packet it updates its ARP cache; once spoofed, host A sends messages intended for host B to the MAC address of the attacking host C. ARP is a LAN (Local Area Network) protocol, and since the attacking host is on the external network host A cannot send the message to it directly; at this point host C updates the routing table of host A through ICMP (Internet Control Message Protocol), so that the message which should go to host B is first sent to the router and then forwarded to the attacker. The attacker thus achieves the sniffing by this process, and the same is done for host B [14].
II.II.II Internal network sniffing
Assume that host A will communicate with host B and the attacker C wants to sniff the content of the communication, as illustrated in Fig. 2.
Figure.2 Internal network sniffing
Knowing the IP address, the attacker C can get the MAC address of a host by collecting ARP request/response messages or by using the PING command of the ICMP protocol. The attacking host sets its NIC (Network Interface Card) into promiscuous mode with the retransmitting function enabled. Host C then carries out ARP spoofing and sends a response packet to host A. The format of the packet is shown in Table 2:

Source MAC Address   Source IP Address   Destination MAC Address   Destination IP Address
0C-1C-2C-3C-4C-CC    10.1.1.200          0A-1A-2A-3A-4A-AA         10.1.1.100

Table 2 ARP response packet sent to host A.
Because of the weakness of the ARP protocol, host A receives the response packet constructed by host C and updates its ARP cache; to avoid the spoofing failing, host C must send out ARP response packets ceaselessly to keep the spoofed entry alive. By the same principle host C sends an ARP response packet to host B. The format of the packet is shown in Table 3:

Source MAC Address   Source IP Address   Destination MAC Address   Destination IP Address
0C-1C-2C-3C-4C-CC    10.1.1.200          0B-1B-2B-3B-4B-BB         10.1.1.100

Table 3 ARP response packet sent to host B.
The communication between host A and host B is thus intercepted by the attacker, who can receive and retransmit the messages of both sides without being detected [14].
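The spoofing pattern of Tables 1 to 3 leaves traces in the ARP replies themselves, which is what a monitoring host on the LAN can look for. The following Python script is an added example, not part of this paper or of reference [14]: it runs three checks over a constructed capture whose addresses follow the paper's example (A = 10.1.1.100, B = 10.1.1.200, C the attacker). The table of known IP-to-MAC bindings, the record format and the flood threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply in the shape of Tables 1-3: who claims which IP, sent to whom."""
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def norm(mac: str) -> str:
    """Canonical MAC spelling so 0c:1c:... and 0C-1C-... compare equal."""
    return mac.upper().replace(":", "-")


def detect_arp_spoofing(replies, known_bindings, flood_threshold=3):
    """Three checks a monitoring host can run on observed ARP replies:
    1. conflicts: a reply claims an IP with a MAC different from the known binding;
    2. multi_ip: one MAC claims several IPs (host C posing as both A and B);
    3. floods: the same claim repeated >= flood_threshold times, the ceaseless
       re-sending needed to keep a poisoned ARP cache entry alive."""
    known = {ip: norm(m) for ip, m in known_bindings.items()}
    conflicts, ips_by_mac, claims = [], defaultdict(set), Counter()
    for r in replies:
        mac = norm(r.sender_mac)
        if r.sender_ip in known and known[r.sender_ip] != mac:
            conflicts.append((r.sender_ip, known[r.sender_ip], mac))
        ips_by_mac[mac].add(r.sender_ip)
        claims[(mac, r.sender_ip, norm(r.target_mac))] += 1
    multi_ip = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    floods = {claim: n for claim, n in claims.items() if n >= flood_threshold}
    return {"conflicts": sorted(set(conflicts)), "multi_ip": multi_ip, "floods": floods}


# Constructed capture (assumption for this example): addresses as in the paper's
# example, A = 10.1.1.100, B = 10.1.1.200, C = the attacking host.
A_MAC, B_MAC, C_MAC = "0A-1A-2A-3A-4A-AA", "0B-1B-2B-3B-4B-BB", "0C-1C-2C-3C-4C-CC"
KNOWN = {"10.1.1.100": A_MAC, "10.1.1.200": B_MAC}   # bindings learned at a quiet moment
CAPTURE = (
    [ArpReply(B_MAC, "10.1.1.200", A_MAC, "10.1.1.100")]          # genuine reply B -> A
    + [ArpReply(C_MAC, "10.1.1.200", A_MAC, "10.1.1.100")] * 3    # Tables 1/2: C poses as B to A
    + [ArpReply(C_MAC, "10.1.1.100", B_MAC, "10.1.1.200")] * 3    # Table 3 pattern: C poses as A to B
)

if __name__ == "__main__":
    for name, hits in detect_arp_spoofing(CAPTURE, KNOWN).items():
        print(name, hits)
```

On the constructed capture the script reports two binding conflicts (both of C's claims), one MAC claiming two IPs, and two repeated claims, while the single genuine reply from B raises nothing. In practice the known-binding table is the weak point: it must be learned from a trusted source (DHCP leases, switch port tables, a static inventory) rather than from the same ARP traffic being judged.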
III. PHISHING & SNIFFING TECHNIQUES
III.I PHISHING TECHNIQUES
Many techniques have been developed to conduct phishing attacks. A malicious person with only novice computer skills can use tools freely available on the internet to conduct a devastating phishing attack. Web spoofing is a method in which a forged website looks similar to the legitimate one so that users enter their confidential information into it. Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it was actually sent from another. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords) [8].
III.I.I Web Spoofing
Web spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and to observe all information entered into forms by the victim. Web spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong [9]. The attack is initiated when the victim visits a malicious web page or receives a malicious email message [9].
Once this information is collected, the attacker can use it to buy things with the victims' credit cards, access their bank accounts, and establish false identities. Website spoofing is a growing phenomenon, and puts consumers at considerable risk of identity theft and credit card fraud [10].
III.I.II E-mail spoofing
Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP does not provide any authentication, it is easy to impersonate and forge emails [11]. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can also be used legitimately: classic examples of senders who might prefer to disguise the source of the e-mail include a sender reporting mistreatment by a spouse to a welfare agency or a "whistle-blower" who fears retaliation [12].
III.II. SNIFFING TECHNIQUES
Three types of sniffing techniques are used:
III.II.I. IP Based Sniffing
IP based sniffing is the most commonly used method of packet sniffing. This method requires setting the network card into promiscuous mode; once the network card is in promiscuous mode the host is able to sniff all packets. A key point of IP based sniffing is that it uses an IP based filter, so only the packets matching the IP address filter are captured. Normally the IP address filter is not set, so it captures all packets. This method only works in a non-switched network [15].
III.II.II. MAC based Sniffing
This is another method of packet sniffing, similar to IP based sniffing. The same concept is used, except that in place of the IP based filter a MAC address filter is used, and all packets matching the MAC addresses are sniffed. Here too the network card must be set into promiscuous mode [15].
III.II.III. ARP based Sniffing
This method works a little differently. It does not put the network card into promiscuous mode; this is not necessary because the ARP packets are sent to the attacking host directly. It is an effective method for sniffing in a switched environment. Here sniffing is possible because of the stateless nature of the Address Resolution Protocol [15].
The focus of this paper is to use the above mentioned information to prevent the attacks using APPT.
IV. Preventing password phishing & sniffing
There are many techniques used to prevent password stealing; one of them is the one-time password (OTP), which itself has different implementation mechanisms.
In this paper we use a small piece of software installed on the client side to generate the OTP, rather than using SMS or email messages to transfer the OTP to the user every time.
The process goes exactly as in the next figure.
Figure.3 accessing modes.
IV.I Getting an account (user name & password).
At first, the user needs to register himself in the web site by giving the following information:
Figure.4 The Registering Interface of the website.
After pressing SUBMIT QUERY several actions occur:
a- Account creation and password generation.
The system generates a password of two parts.
- The first part is generated from the entered data and saved in the database. It is then combined with the executable file which the user needs to download and install on his PC.
- The second part is generated from a random number and also saved in the database; but before the second part is generated, the same random number is sent to the user by SMS and EMAIL, once only.
Figure.5 Password Generating Stages.
b- Software downloading.
After an account has been created, the system asks you to download the Code Generator (CG).
This CG is responsible for generating:
- OTP.
- Confirmation Code.
- PIN code.
IV.II Code Generation.
When the software is installed, a small encrypted file is placed inside the PC. This small file contains the first part of the password, generated from the personal information of the user.
On starting the installed software, it asks us to enter a code.
Figure.6 The code inserting interface in the client side code generator.
The first time only we use the code sent by SMS and Email; the next times we use the numeric side of the generated password.
At that point the generation algorithm generates the:
- Password.
- Confirmation Code.
- PIN Code.
Figure.7 The code board interface in the client side code generator illustrating the three codes needed.
As you can see, the software generates three encrypted codes by the same algorithm as the main web site, but in a different environment. The next time we need to generate a new password we only need to enter the numerical side of the password rather than the code we received by SMS and Email; in our example the code is (3996).
After inserting this code the result will be:
Figure.8 The next generation of codes after inserting a new number.
IV.III Accessing the web site.
In most web sites, login is done with the user name and the password. In our web site, after that, the Confirmation code is generated and the user is asked to compare it with the confirmation code on his side; if it matches then the PIN code is required, otherwise there is no way to access the web site.
Figure.9 The authentication page of the web site after inserting the user name and password and generating the confirmation code and asking for the PIN code.
Figure.10 The code generator display showing the same confirmation code as in figure 9.
IV.IV Preventing Password Phishing & Sniffing.
In phishing and sniffing attacks the main goal is to obtain personal information such as user names and passwords and use them, but in our case we have the following scenarios:
- If they steal the user name and password they do not have the confirmation code and the PIN code.
- If they download the Code Generator, they will not have the same information file.
- If they steal our Code Generator or control our PC remotely they do not have the numerical part of the password needed to generate the new password, besides the confirmation code and PIN code.
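The paper does not give the generation algorithm, the code lengths or the chaining rule, so the following Python model is an added example and not the authors' VB.Net or PHP code. It assumes that part 1 is an HMAC-SHA256 over the registration data keyed with a server-side secret, that part 2 is a SHA-256 of the current number, that the password, confirmation code and PIN are slices of one HMAC-SHA512 digest over the merged parts, and that both sides move to the numeric side of the last password when the user logs out. The profile, the server secret and the account object are constructed; the code 3996 is the example value from Section IV.II.

```python
import hashlib
import hmac
import json

# Layout of the generated codes (assumed; the paper gives no lengths)
ALPHA_LEN, DIGITS = 8, 4
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"   # no easily confused letters


def first_part(profile: dict, server_secret: bytes) -> bytes:
    """Part 1: derived from the registration data, saved in the DB and embedded in
    the Code Generator's local file (assumed: HMAC-SHA256 over canonical JSON)."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(server_secret, canonical, hashlib.sha256).digest()


def generate_codes(part1: bytes, code: str) -> dict:
    """Same algorithm on both sides. Part 2 comes from the current code (the number
    sent once by SMS/e-mail, later the numeric side of the previous password);
    merging both parts yields the password, the confirmation code and the PIN."""
    part2 = hashlib.sha256(code.encode()).digest()
    digest = hmac.new(part1, part2, hashlib.sha512).digest()
    alpha = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:ALPHA_LEN])
    numeric = f"{int.from_bytes(digest[8:12], 'big') % 10**DIGITS:0{DIGITS}d}"
    confirmation = digest[12:16].hex().upper()
    pin = f"{int.from_bytes(digest[16:20], 'big') % 10**DIGITS:0{DIGITS}d}"
    return {"password": alpha + numeric, "numeric": numeric,
            "confirmation": confirmation, "pin": pin}


class CodeGenerator:
    """Client side: holds part 1 from its local file and the last code entered."""
    def __init__(self, part1: bytes, initial_code: str):
        self.part1, self.code = part1, initial_code

    def current(self) -> dict:
        return generate_codes(self.part1, self.code)

    def advance(self) -> dict:
        """Next time the user types only the numeric side of the last password."""
        self.code = self.current()["numeric"]
        return self.current()


class WebSite:
    """Server side for one account: same part 1 from the DB, same chaining rule."""
    def __init__(self, part1: bytes, initial_code: str):
        self.part1, self.code = part1, initial_code
        self.awaiting_pin = self.logged_in = False

    def login_step1(self, password: str):
        """Check the password; on success return the confirmation code the user
        must compare with the one shown by the Code Generator, else None."""
        expected = generate_codes(self.part1, self.code)
        self.awaiting_pin = hmac.compare_digest(password.encode(), expected["password"].encode())
        return expected["confirmation"] if self.awaiting_pin else None

    def login_step2(self, pin: str) -> bool:
        """The PIN is only accepted after the password step succeeded."""
        expected = generate_codes(self.part1, self.code)
        self.logged_in = self.awaiting_pin and hmac.compare_digest(pin.encode(), expected["pin"].encode())
        self.awaiting_pin = False
        return self.logged_in

    def logout(self) -> None:
        """The password is used up: advance to the next code, as the client will."""
        self.logged_in = False
        self.code = generate_codes(self.part1, self.code)["numeric"]


def walkthrough() -> dict:
    """Run the scenarios of Section IV.IV on constructed data and report outcomes."""
    profile = {"username": "alice", "email": "alice@example.invalid"}   # constructed
    secret = b"server-secret-for-this-example"                          # constructed
    part1 = first_part(profile, secret)
    client, site = CodeGenerator(part1, "3996"), WebSite(part1, "3996")  # 3996 = number from the SMS/e-mail

    codes = client.current()
    in_sync = site.login_step1(codes["password"]) == codes["confirmation"]   # both sides agree
    first_login = site.login_step2(codes["pin"])
    site.logout()
    replay_rejected = site.login_step1(codes["password"]) is None            # OTP used only once
    next_codes = client.advance()                                            # user enters the numeric side
    second_login = (site.login_step1(next_codes["password"]) == next_codes["confirmation"]
                    and site.login_step2(next_codes["pin"]))
    site.logout()

    # Attacker downloaded the Code Generator but has no copy of the user's part-1 file
    attacker_part1 = first_part({"username": "mallory", "email": "m@example.invalid"}, secret)
    attacker_codes = generate_codes(attacker_part1, client.code)
    attacker_rejected = site.login_step1(attacker_codes["password"]) is None
    return {"in_sync": in_sync, "first_login": first_login, "replay_rejected": replay_rejected,
            "second_login": second_login, "attacker_rejected": attacker_rejected}
```

walkthrough() returns True for every scenario: the two sides stay in step, a captured password is refused once the session it belonged to has been logged out, and a generator built from someone else's registration data produces codes the site does not expect. The model also makes the scheme's dependency visible: everything rests on part 1 and the current number staying on the client, so the local file should be encrypted under a key the user supplies rather than one stored beside it, and the server should rate-limit the password and PIN steps, since both codes are short.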
V. Conclusion.
Phishing and sniffing are two of the most powerful mechanisms for stealing information and hijacking accounts. Many solutions have been proposed to prevent these kinds of attacks, but the attacks continue to this day.
This paper presents a different OTP generating mechanism to prevent phishing and sniffing, in contrast to the previous methods: the same algorithm is used to generate the same OTP on both sides, and beside the OTP we propose additional security through an encrypted confirmation code and PIN code.
Future work will focus on creating a Code Generator for the mobile phone for portable use, synchronising its generations with the PC Code Generator, to support using this idea rather than the previous methods.
VI. REFERENCES
[1] Ahmed Alamgir Khan. Preventing Phishing Attacks using One Time Password and User Machine Identification. International Journal of Computer Applications, Volume 68, No. 3, April 2013.
[2] Why Phish Should Not Be Treated as Spam, by Norman M. Sadeh, Ph.D. http://www.drdobbs.com/security/why-phish-should-notbe-treated-as-spam/240001777, published May 18, 2012.
[3] Computerworld QuickStudy: Phishing, by Russell Kay. http://www.computerworld.com/s/article/89096/Phishing Accessed: 27 March 2013.
[4] Koprowski, Gene J., "Beware of 'Spoofing' Scams," UPI Technology News, January 2004.
[5] RSA's January 2013 Online Fraud Report, http://brianpennington.co.uk/2013/01/30/rsas-januaryonline-fraud-report-2013-including-an-excellentsummary-of-phishing-in-2012/
[6] CSI ONSITE - Phishing techniques, Clone Phishing. http://www.csionsite.com/2012/phishing/ Published: March 12, 2012.
[7] Clone Phishing - Phishing, from Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Phishing Accessed: 20 February 2013 at 14:42.
[8] CERT, Carnegie Mellon University, Spoofed Email. http://www.cert.org/tech_tips/email_spoofing.html Accessed: March 10, 2012.
[9] Princeton University, Department of Computer Science. http://sip.cs.princeton.edu/WebSpoofing Accessed: 09 March 2013.
[10] Toni McConnel, Security Sentinel: Website Spoofing 101. http://www.iapplianceweb.com/story/oeg20031028s0033.htm Accessed: 09 March 2013.
[11] Email spoofing, from Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Email_spoofing Accessed: March 11, 2012.
[12] Margaret Rouse, Security: Email spoofing. http://searchsecurity.techtarget.com/definition/emailspoofing Accessed: March 12, 2012.
[13] Anti Phishing Working Group. Origins of the word "phishing". http://www.antiphishing/org/word_phish.html. Accessed: March 10, 2012.
[14] Yang Liu, Kaikun Dong, Lan Dong, Bin Li. Research of the ARP Spoofing Principle and Defensive Algorithm. WSEAS Transactions on Communications, ISSN: 1109-2742, Issue 5, Volume 7, May 2008.
[15] Rupam, Atul Verma, Ankita Singh. An Approach to Detect Packets Using Packet Sniffing. International Journal of Computer Science & Engineering Survey (IJCSES), Vol. 4, No. 3, June 2013.