Sniffing - Febby Dian Anggraini

Sniffing & Keylogger
Deff Arnaldy, M.Si
0818 0296 4763
deff_arnaldy@yahoo.com
Overview
• Sniffing concepts
• Capturing live network data
• Exploring the captured data
• Sniffing countermeasures
• Keyloggers
Sniffing Concepts
• A sniffer is a program that reads and analyzes every protocol passing through the machine on which it is installed
• By default, a computer on a network (workstation) only listens to and responds to packets addressed to it. However, certain programs can put the network card into a mode in which it monitors and captures all passing network traffic, regardless of whom the packets are addressed to.
• This activity is commonly called sniffing
Sniffing
• Targets the Data Link layer of the protocol stack
• Sniffer: gathers traffic off the network
• This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
• Allows an attacker to read data passing a given machine in real time.
• Two types of sniffing:
  • Active
  • Passive
Sniffing: Passive vs. Active
Passive
• Attacker must have an account on the LAN
• Done over a hub
• Usually, once access is gained on one computer, the attacker uses the captured passwords to get into other computers
Active
• Attacker still needs an account
• Several different attacks:
  - Parsing Packets
  - Flooding
  - Spoofed ARP Messages
  - DNS Spoofing
  - HTTPS and SSH spoofing
Passive Sniffing
(Diagram: user1, user2, a Server and the "bad guy" are all attached to a HUB; user1 sends the message "BLAH".)
- Message gets sent to all computers on the hub
Active Sniffing
(Diagram: user1, user2, a Server and the "bad guy" are all attached to a Switch; user1 sends the message "BLAH".)
- Message gets sent only to the requesting computer, which the switch selects by looking at the MAC address
Dsniff
• Offers several ways around a switch
• Available for OpenBSD, Linux, Solaris, and there is a version for Windows
• Very popular and versatile
• In conjunction with sshmitm and webmitm, conducts all the above attacks
Major Problems with Sniffing
• Any mischievous machine can examine any packet on a BROADCAST medium
• Ethernet is BROADCAST
  • at least on the segments over which it travels
• Getting passwords is the first step in exploiting a machine
• email is plaintext and vulnerable
What does one sniff?
• passwords
• email
• financial account information
• confidential information
• low-level protocol info to attack
  • hardware addresses
  • IP addresses
  • routing, etc.
What are the components of a packet sniffer?
1. Hardware: standard network adapters.
2. Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
3. Buffers: used to store the frames captured by the Capture Filter.
4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.
5. Decoder: "Protocol Analysis".
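The capture filter, buffer and decoder components above, wired together as the kind of minimal analyzer a defender uses for intrusion detection: it keeps only TCP frames headed for ports whose protocols send credentials in the clear (telnet and FTP are the ones named on the slides) and reports them. This is an added example, not code from the slides; the frames are constructed inline rather than read from a live adapter, and the port-to-protocol table is an assumption for the demonstration.

```python
import struct
from collections import deque

# TCP ports whose protocols carry credentials in the clear (telnet and FTP are named on the slides)
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}

def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("aabbccddeeff112233445566") + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def decode(frame):
    """Decoder ('protocol analysis'): parse one frame; None for anything that is not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    return {"src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "sport": src_port, "dport": dst_port, "payload": tcp[data_off:]}

def capture_filter(frame):
    """Capture filter: keep only TCP frames headed for a cleartext-credential port."""
    pkt = decode(frame)
    return pkt is not None and pkt["dport"] in CLEARTEXT_PORTS

def run_sniffer(frames, buffer_size=64):
    """Run the pipeline: filter -> bounded buffer -> decoder; return one alert line per kept frame."""
    buf = deque(maxlen=buffer_size)                  # buffer: stores frames that passed the filter
    for frame in frames:
        if capture_filter(frame):
            buf.append(frame)
    alerts = []
    for frame in buf:                                # real-time analyzer: report cleartext logins
        p = decode(frame)
        alerts.append(f"{CLEARTEXT_PORTS[p['dport']]} {p['src']}:{p['sport']} -> "
                      f"{p['dst']}:{p['dport']} payload={p['payload']!r}")
    return alerts

# Constructed sample traffic: a telnet login, the start of a TLS handshake, and an FTP USER command
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 23, b"login: alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, b"\x16\x03\x01"),
    build_frame("10.0.0.7", "10.0.0.9", 40003, 21, b"USER bob\r\n"),
]
```

Only the telnet and FTP frames pass the filter; the TLS frame is decoded but dropped, which is the point of the cryptography countermeasure later in the deck.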
How does a Sniffer Work?
Sniffers also work differently depending on the type of network they are in.
1. Shared Ethernet
2. Switched Ethernet
How can I detect a packet sniffer?
• Ping method
• ARP method
• DNS method
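A host-local check that complements the three network-side methods above, as an added example that is not from the slides: a sniffer needs the network card in the capture-everything (promiscuous) mode described on the concepts slide, and on Linux that state is visible as the IFF_PROMISC bit in /sys/class/net/<iface>/flags and as the PROMISC flag in `ip link show`. The sysfs path, the flag value and the sample `ip link` output are Linux-specific assumptions and constructed data.

```python
import os
import re

IFF_PROMISC = 0x100   # bit in /sys/class/net/<iface>/flags set while the NIC is in promiscuous mode
IP_LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")

def is_promisc(flags_word):
    """True when the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags_word & IFF_PROMISC)

def parse_sysfs_flags(text):
    """The sysfs flags file holds a hex string such as '0x1103'."""
    return int(text.strip(), 16)

def promisc_from_sysfs(sysfs_root="/sys/class/net"):
    """Linux: list interfaces whose sysfs flags report promiscuous mode ([] when sysfs is absent)."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if is_promisc(parse_sysfs_flags(fh.read())):
                    found.append(iface)
        except (OSError, ValueError):
            continue
    return found

def promisc_from_ip_link(output):
    """Parse `ip link show` output and list interfaces whose flag set contains PROMISC."""
    names = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            names.append(m.group("name"))
    return names

# Constructed sample `ip link show` output; eth0 has been placed in promiscuous mode
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
"""
```

A sniffer attached upstream (a hub port, a tap, or a mirror port) leaves no flag on the hosts it listens to, so treat an empty result as one indicator alongside the ping, ARP and DNS methods rather than proof that no sniffer is present.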
Packet Sniffer Mitigation
(Diagram: Host A, Router A, Router B, Host B.)
The following techniques and tools can be used to mitigate sniffers:
• Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
• Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
• Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
• Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.
Top 11 Packet Sniffers
• Wireshark
• Kismet
• Tcpdump
• Cain and Abel
• Ettercap
• Dsniff
• NetStumbler
• Ntop
• Ngrep
• EtherApe
• KisMAC
Working of Cain & Abel
What are sniffers used for?
• Detection of clear-text passwords and usernames from the network.
• Conversion of data to a human-readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Network intrusion detection in order to discover hackers.
Prevention of Sniffing
• Segmentation into trustworthy segments
  • bridges
  • better yet, switched hubs
• A policy of "not allowing sniffing" is not enough
  • easy to add a machine on the net
  • may try using X-terminals instead of workstations
Prevention of Sniffing (more)
• Avoid password transmission
  • one solution is the r-family of commands
    • rlogin, rcp, rsh, etc.
    • put trusted hosts in .rhosts
    • many SAs don't want users to use them
• Use encrypted passwords
  • Kerberos
  • PGP public keys
Keylogger
• If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers
• Keystroke loggers (keyloggers) can be implemented either using hardware or software
• Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device
• In order to install a hardware keylogger, a hacker must have physical access to the system
• Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke.
• Software keyloggers can be deployed on a system by Trojans or viruses