Gathering Data from Networks:
Sniffers

Using a program or device to monitor data
traveling through a network

Good use: Network management & monitoring

Bad use: Steal passwords, email, files

4 layer model




Application
Transport
Internet
Network Access







Source Port
Destination Port
Sequence Number
Ack Number
Data Offset
Reserved
Control Bits



Urgent Pointer
Options
URG, ACK, PSH, RST, SYN, FIN
Window
Checksum

Promiscuous Mode


Most commonly sniffed (unencrypted)


Capture packets headed for target’s MAC
HTTP, POP3, IMAP, SNMP, FTP, Telnet, NNTP
Passive versus Active

Passive needs
 Hub (called: shared Ethernet)
 Wireless AP
 Port mirroring on switch (called: switched Ethernet)
 Example: use Trojan to install Back Orifice on target
machine. Attacker gets email from “Butt Trumpet” plug-in
after installation. Now packet sniffer can be installed.

Passive versus Active

Active needs
 ARP spoofing: spoof the gateway’s MAC address
 MAC flooding/Traffic-flooding attack: flood switch with
fake MAC addresses to overcome the limited memory;
causes “failopen mode”
 MAC duplicating





Hard to detect since no trace is left
Look for machines in promiscuous mode
Run ‘arpwatch’ for changed MAC addresses
Use ‘HP OpenView’ or ‘IBM Tivoli’ for strange
packets
Best: encryption



AES
RC4
RC5

ARP poisoning



Uses ARP spoofing to redirect packets
Result: DoS and MITM
Countermeasures

Static ARP entries in cache

Wireshark: aka Ethereal


open source protocol analyzer; capture traffic in real time
Snort: also packet logger
IDS: detects threats, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes and NetBIOS queries,
NMAP and other port scanners, well-known backdoors
and system vulnerabilities, and DDoS clients, and alerts
the user about them. It develops a new signature to find
vulnerabilities.
 Snortsnarf: converts data collected from Snort into Web
pages for easier reading


Sandhain

open source multi-platform application that is used for
checking the integrity of centralized files & detecting
host-based intrusion (HIDS)

Overcoming switched networks

ARP spoofing
 sniff data frames on a LAN or stop the traffic altogether


Overwhelm a switch (macof)
DNS Spoofing / Poisoning
 Feed the DNS server with incorrect information
 Intranet Spoofing
 Internet Spoofing
 Proxy Server DNS Poisoning
 DNS Cache Poisoning
 Kaminsky DNS Vulnerability – Summer 2008
 http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html


Wireshark
Dsniff: collection of tools


Dnspoof




Forges replies to DNS queries
Alerts of spoofed packets
Cain & Abel


Filesnarf, mailsnarf, urlsnarf, msgsnarf (Instant
Messages) webspy, arpspoof, dnsspoof, macof
MITM attacks; sniffing; ARP poisoning
EtherPeek
Ethercap





SMAC
Hunt
TCPDump: command-line tool
Network Probe
Snort