Packet sniffing in switched LANs
- 1. Packet Sniffing in Switched Local Area Networks By Ishraq Fatafta
- 2. Agenda O What is Packet sniffing O Switched VS Hubed Networks O Packet sniffing attacks O Packet sniffing detection. O Packet sniffing prevention. O Conclusion.
- 3. Packet Sniffing O Packet Sniffing is a technique used to listen to the packets flow in the network. O Packet sniffer (network analyzer) is a tool (hardware or software) used to listen to the packets flow in the network.
- 4. Packet Sniffer uses O Network Engineers, System Administrators and Security professionals O Analyze network problems. O Find traffic bottlenecks and troubleshoot problems. O Monitor network usage. O Intruders O Search for plain-text passwords and user names. O Hijacking sensitive information such as credit card information and financial data. O Analyzing network traffic.
- 5. Packet Sniffer components O Hardware O Usually a standard network adaptor. O Capture drive O This is the main part of a sniffer that captures the data, filters it and stores it in the buffer. O Buffer O Used to store captured filtered data for later analysis. O Real-time analysis O This feature provide a little bit of analysis for faults and performance issues as data captured from the wire. O Decode O Responsible for displaying the data with description for human interpretation. O Packet editing/transmission O Used to modify packets and re-transmit them over the network.
- 6. Packet Sniffer components: Hardware
- 7. Packet Sniffer components: Software
- 8. Packet Sniffer components: Software
- 9. Packet sniffing in non- switched networks O Called shared environment. O Hosts are connected to a Hub. O simply a repeater. It takes the signal coming in on one of its ports, amplifies it, and sends it back out on its other ports. O Packets broadcasted to all hosts in the network.
- 10. Cont. Packet sniffing in non- switched networks
- 11. Cont. Packet sniffing in non- switched networks O Promiscuous mode or promisc mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it.
- 12. Packet sniffing in switched networks O Hosts are connected via Switch. O Lockup table (ARP Cache, MAC table) with the MAC address and IP address of all hosts. O Packets transmitted only to the designated host.
- 13. Cont. Packet sniffing in switched networks
- 14. ARP: Address Resolution Protocol O Computer networking protocol for determining a network host's hardware address (Link Layer) when only its Internet Layer (IP)(Network Layer address) is known. O Request (“who-has”): specifies the IP address of the host whose MAC address we want to find out. O Reply (“is-at”): the answer a host should send specifying the MAC address associated to that IP address.
- 15. Cont. ARP: Address Resolution Protocol IP Address MAC Address Type 129.119.103.1 00-E0-2B-13-68- Dynamic 00 129.119.103.2 ??-??-??-??-??- Dynamic ARP Cache ?? O Entries are either Static or Dynamic. O Fixed size. O Gratuitous ARP.
- 16. Packet Sniffing Attacks O ARP Spoofing and ARP Cache poisoning. O MAC Flooding. O MAC Duplicating. O Switch Port Stealing.
- 17. Packet Sniffing Attacks: ARP Spoofing O Perform Man-In-the-Middle Attack O ARP Cache poisoning O Send forged ARP Gratuitous reply (A-MAC, V-IP) O Cache is stateless, update with forged reply. O Attacker receives traffic. O Store for later analysis. O IP Forwarding to the victim.
- 19. Cont. ARP Spoofing IP Address MAC Address Host B IP address Host B MAC address Host C IP address Host C MAC address ARP cache before poisoning IP Address MAC Address Host B IP address Host C MAC address Host C IP address Host C MAC address ARP cache after poisoning
- 20. Packet Sniffing Attacks: MAC Flooding O Also called “switch jamming”. O MAC table has fixed size. O Attacker floods the switch with forged MAC address requests. O Switch enters Hub-liked mode. O Forward traffic to all ports. O Attacker sniffs the traffic.
- 21. Packet Sniffing Attacks: MAC Duplicating (Cloning) O Attacker updates its own MAC address with the victim MAC address. O Can be done using “ifconfig” in Linux. O Switch forwards traffic to both hosts. O No IP forwarding is used.
- 22. Packet Sniffing Attacks: Switch Port Stealing O Flood the switch with forged gratuitous reply with (A-MAC, V-IP). O All replies contains (A-MAC), traffic is forwarded to the attacker only. O Should be carried out very fast.
- 23. Packet Sniffing Detection O Packet sniffing is a passive attack. O Sometimes it generate additional traffic specially when used with an active attack. O Detection based on technique used: O RARP. O ARP Cache poisoning. O Arpwatch O Decoy method
- 24. Packet Sniffing Detection: Reverse ARP (RARP) O Used to detect MAC Duplicating. O Send a Request for the IP address of a known MAC address. O Multiple replies means this machine is sniffing the network.
- 25. Packet Sniffing Detection: ARP Cache Poisoning O Perform a counter attack on the sniffing machine. O Three phases: O Poison the cache of each host in the network with fake entries. O Establish a TCP connection. O Sniff the LAN to capture packets with fake entries.
- 26. ARP Cache Poisoning: Phase 1 O Send a forged gratuitous reply with fake IP address and a valid MAC address to bypass the software filter. O Attacker’s host will update its own cache. O What IP address to select as the fake one to poison only the sniffer host?
- 27. Cont. ARP Cache Poisoning: Phase 1: Software filtering Hardware Windows9x Windows2k Linux Addresses /ME /NT Norm Promis Norm Promis Norm Promis FF:FF:FF:FF:FF:F F FF:FF:FF:FF:FF:F - - - E FF:FF:00:00:00:00 - - - FF:00:00:00:00:00 - - - - 01:00:00:00:00:00 - - - - - 01:00:5E:00:00:00 - - - - - 01:00:5E:00:00:01
- 28. Cont. ARP Cache Poisoning: Phase 2 O Broadcast a TCP packet with a fake source address to the network. O Non-sniffing machines will reply with ARP request. O Sniffing machines will reply with ICMP error message or TCP connection can be performed.
- 29. Cont. ARP Cache Poisoning: Phase 3 O Use a sniffer to detect machines that responded with a ICMP error or TCP message.
- 30. Packet Sniffing Detection: Arpwatch O Tool that uses lipbcap to store a database with (IP-MAC) pairs. O Records every operation made on the network and send it via Email. O Software are not 100% accurate.
- 31. Packet Sniffing Detection: Decoy Method O Administrator establishes a connection between a host and virtual server. O Uses a plain-text UserName and Password. O Intrusion detection system activated once credentials used.
- 32. Packet Sniffing Prevention “Prevention is better than cure”
- 33. Packet Sniffing Prevention O Port Security and Static ARP entries. O Authentication techniques. O Secured protocols. O Encryption.
- 34. Packet Sniffing Prevention: Port Security and Static ARP entries O Port Security on Switch O Once IP-MAC is set, it can’t be changed. O Only Administrator can change them. O Static ARP entries O Not timed out. O Not replaced by forged ARP replies. O Constraint to the size of the network. O Overhead to maintain cache and keep it up-to-date.
- 35. Packet Sniffing Prevention: Authentication O Kerbros O Credentials no stored on the server. O Not transmitted over the network. O One time passwords O Used only once. O Authentication service that only protect credentials and not other types of traffic. O Prone to passwords guessing attacks.
- 36. Packet Sniffing Prevention: Secured Protocols O Never send data in plain-text O SSH for telnet. O SFTP for FTP. O VPN for cleat text traffic. O Virtual private networks (VPN) O All traffic is encrypted. O Additional overhead. O Can be sniffed if exposed to Trojans
- 37. Packet Sniffing Prevention: Encryption O Only the payloads are scrambled, ensuring that packets reach the correct destinations. O Attacker can see where traffic was headed and where it came from, but not what it carries. O Additional overhead. O Use of strong encryption techniques. O layer three encryption technologies such as IPSec
- 38. Packet Sniffing Prevention: Before Encryption
- 39. Packet Sniffing Prevention: After Encryption
- 40. Conclusion O Switched Networks are vulnerable to various security attacks, Sniffing is one of them. O Sniffing is a passive attack that we need to be aware of in order to protect against it. O Replacing Hubs with Switches doesn’t mean we are prone against sniffing. O Lack of optimal solution to protect our networks doesn’t mean we can’t protect them.
Editor's Notes
- #5: Packet sniffing tools can be used either in legal or illegal forms. Legal forms which called commercial sniffers that are used by network administrator to monitor the network and detect security breaches. Illegal forms which called underground sniffers that are used by hackers and network intruders to gain access to unauthorized date and steal sensitive information.
- #6: A packet sniffing as mentioned before can be either a software installed in a designated places throughout the network or can be a piece of hardware (a wired tape device) that is plugged in the network to monitor traffic.
- #12: Each frame includes the hardware (Media Access Control) address. When a network card receives a frame, it normally drops it unless the frame is addressed to that card. In promiscuous mode, however, the card allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.
- #15: Who has:It is almost always sent as a broadcast frame, so asto hopefully reach the host with the desired IPaddress when we don’t know its MAC address.Is-at:. Itis almost always sent as a unicast frame directed tothe MAC address of the machine that sent therequest.
- #21: The attack starts by having the attacker flood the network with forged gratuitous ARP packets that each contains unique source MAC addresses. This causes some switches to go into a hub-like mode forwarding all traffic to all ports. What happens is that once the CAM table is full, the traffic without a CAM entry floods on the local VLAN. The already existing traffic with existing entries in the CAM table will not be forwarded out on all of the ports. Now, with the traffic being broadcasted to everyone, there will be no trouble sniffing it.
- #22: It's not difficult to imagine that, since all frames on the network are routed based on their MAC address, that the ability to impersonate another host would work to our advantage. That's just what MAC duplicating does. You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff. This is easy to do on a Linux box if you have access to the 'ifconfig' command. This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning it's ARP cache. In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address. Since the data will be forwarded to both ports, no IP forwarding is necessary.
- #23: This process should be carried very fast because any transmission of new packets with the original destination MAC address will update the cache with the correct binding.
- #31: and records every operation made on network from installing new hosts to changing IP address of existing hosts. In addition, it can detect if anyone is missing with the network settings and try to change their IP address to the server or the gateway and send all these operations via Email. When the MAC address associated with an IP changes (referred toas a flip-flop), an email is sent to an administrator.Tests showed that running Parasite on a network caused a flood of flip-flops, leaving the MAC ofthe attacker present in Arpwatch’s emails. Ettercap caused several flip flops, but would be difficult todetect on a DHCP-enabled network where flip flops occur at regular intervals.
- #32: A network administrator can deceive sniffing hosts by performing a decoy method. It is carried out by establishing a connection between a host and a virtual server using plain-text username and password. Once a sniffer try to use these credentials, intrusion detection system is activated and reports intruding attempt.
- #36: Kerbros: authentication service that performs two –way authentication between any two parties.
- #37: Virtual private networks (VPNs) can provide prevention against sniffing since all transmitting of data is used in encrypted form. So despite the overhead of sending encrypted data, it makes it hard to a sniffer to preach the security of VPNs, but this does not mean that VPNs are not prone to sniffing because once a host is compromised to Trojan with a sniffer plugged-in to it, a sniffer not only can sniff encrypted traffic but also unencrypted traffic before it gets into the VPN.