Packet Sniffing in Switched Local Area Networks
By Ishraq Fatafta

Agenda
- What is packet sniffing
- Switched vs. hubbed networks
- Packet sniffing attacks
- Packet sniffing detection
- Packet sniffing prevention
- Conclusion
Packet Sniffing
- Packet sniffing is the technique of listening to the packets flowing over a network.
- A packet sniffer (network analyzer) is the tool, hardware or software, used to capture those packets.

Packet Sniffer Uses
- Network engineers, system administrators and security professionals:
  - Analyze network problems.
  - Find traffic bottlenecks and troubleshoot them.
  - Monitor network usage.
- Intruders:
  - Search for plain-text user names and passwords.
  - Harvest sensitive information such as credit card numbers and financial data.
  - Map the network by analyzing its traffic.

Packet Sniffer Components
- Hardware: usually a standard network adapter.
- Capture driver: the core of the sniffer; it captures frames from the adapter, applies the capture filter and stores what passes into the buffer.
- Buffer: stores the captured, filtered data for later analysis.
- Real-time analysis: a limited amount of fault and performance analysis performed as data is captured from the wire.
- Decode: displays the captured data with protocol descriptions for human interpretation.
- Packet editing/transmission: modifies captured packets and re-transmits them onto the network.
Packet Sniffing in Non-Switched Networks
- Called a shared environment.
- Hosts are connected to a hub, which is simply a repeater: it takes the signal coming in on one port, amplifies it and sends it out on all its other ports.
- Every frame therefore reaches every host on the segment, whoever it is addressed to.
- Promiscuous mode (promisc mode) is a network card configuration that makes the card pass all frames it receives up to the operating system rather than only frames addressed to its own MAC address (plus broadcasts). A sniffer on a hubbed network needs nothing more than this.

Packet Sniffing in Switched Networks
- Hosts are connected via a switch.
- The switch keeps a lookup table (the MAC address table, also called the CAM table) that maps each learned MAC address to the port it was seen on; the hosts themselves keep ARP caches mapping IP addresses to MAC addresses.
- A frame is sent only to the port of its destination host, so promiscuous mode alone is no longer enough: the attacker has to interfere with one of these tables. (Broadcasts, and frames to a destination the switch has not learned yet, are still flooded to all ports.)
ARP: Address Resolution Protocol
- Networking protocol for determining a host's hardware (link-layer) address when only its IP (network-layer) address is known.
- Request ("who-has"): broadcast to the segment; specifies the IP address of the host whose MAC address we want to find out.
- Reply ("is-at"): the answer the owner of that IP address sends, stating its MAC address.

Cont. ARP: Address Resolution Protocol

ARP cache:

  IP Address      MAC Address         Type
  220.127.116.11  00-E0-2B-13-68-00   Dynamic
  18.104.22.168   ??-??-??-??-??-??   Dynamic

- Entries are either static or dynamic (learned from replies and timed out after a while).
- Fixed size.
- Gratuitous ARP: a host announces its own IP-to-MAC mapping without being asked, and the other hosts update their caches from it.
Packet Sniffing Attacks
- ARP spoofing and ARP cache poisoning.
- MAC flooding.
- MAC duplicating.
- Switch port stealing.

Packet Sniffing Attacks: ARP Spoofing
- Used to perform a man-in-the-middle attack.
- ARP cache poisoning:
  - Send a forged gratuitous ARP reply carrying (A-MAC, V-IP): the attacker's MAC address claiming the victim's IP address.
  - The cache is stateless: it accepts a reply it never asked for and overwrites the entry with the forged one.
- Traffic meant for the victim now arrives at the attacker.
- The attacker stores it for later analysis.
- IP forwarding passes it on to the real victim so that nobody notices the detour.

Cont. ARP Spoofing

ARP cache before poisoning:

  IP Address         MAC Address
  Host B IP address  Host B MAC address
  Host C IP address  Host C MAC address

ARP cache after poisoning (host C is the attacker):

  IP Address         MAC Address
  Host B IP address  Host C MAC address
  Host C IP address  Host C MAC address
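The two slides above in working form: an ARP frame encoder/decoder and a host ARP cache that, like the one described, accepts any reply. This is an added example written for these notes, not code from the original deck. The three hosts (A whose cache is poisoned, victim B, attacker C) and their addresses are constructed; the cache model is deliberately the naive one the slides describe.

```python
"""ARP on the wire, and a stateless ARP cache being poisoned.

Added example, not from the original slides. Addresses are constructed
(RFC 5737 documentation range, locally administered MACs). The cache is
deliberately naive: it accepts any reply, solicited or not.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes, unpadded).

    A request is broadcast; a reply goes to target_mac. A *gratuitous* reply
    is a reply with sender_ip == target_ip sent to the broadcast address.
    """
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]

    def mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def ip(b):
        return ".".join(str(x) for x in b)

    return {"op": op,
            "sender_mac": mac(body[0:6]), "sender_ip": ip(body[6:10]),
            "target_mac": mac(body[10:16]), "target_ip": ip(body[16:20])}


class StatelessArpCache:
    """Host ARP cache as the slides describe it: any reply overwrites the entry."""

    def __init__(self):
        self.table = {}

    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REPLY:
            # No check that a request was ever sent for this IP: that is the weakness.
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt

    def lookup(self, ip):
        return self.table.get(ip)


# Constructed hosts: A's cache is poisoned, B is the victim, C is the attacker.
HOST_A_IP, HOST_A_MAC = "192.0.2.10", "02:00:00:00:00:0a"
HOST_B_IP, HOST_B_MAC = "192.0.2.11", "02:00:00:00:00:0b"
HOST_C_IP, HOST_C_MAC = "192.0.2.12", "02:00:00:00:00:0c"


def poisoning_demo():
    """A's cached MAC for B before and after C's forged (C-MAC, B-IP) reply."""
    cache_a = StatelessArpCache()
    # Legitimate reply from B answering A's earlier who-has request.
    cache_a.process(build_arp(ARP_REPLY, HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP))
    before = cache_a.lookup(HOST_B_IP)
    # Forged gratuitous reply: C's MAC claims B's IP, sent to the broadcast address.
    forged = build_arp(ARP_REPLY, HOST_C_MAC, HOST_B_IP, BROADCAST, HOST_B_IP)
    cache_a.process(forged)
    after = cache_a.lookup(HOST_B_IP)
    return before, after


if __name__ == "__main__":
    print(poisoning_demo())  # ('02:00:00:00:00:0b', '02:00:00:00:00:0c')
```

Real frames are padded to 60 bytes on the wire and a real operating system applies a few more rules than this cache does (most only update an entry that already exists, for instance), but the point stands: nothing in the protocol lets host A tell B's reply from C's.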
Packet Sniffing Attacks: MAC Flooding
- Also called "switch jamming".
- The switch's MAC address table has a fixed size.
- The attacker floods the switch with frames carrying forged (random) source MAC addresses, one new address per frame, until the table is full.
- The switch can no longer learn the addresses of legitimate hosts, so frames for them have an unknown destination and are flooded out of every port: the switch fails open and behaves like a hub.
- The attacker sniffs the flooded traffic.

Packet Sniffing Attacks: MAC Duplicating (Cloning)
- The attacker changes its own NIC's MAC address to the victim's MAC address.
- Can be done with "ifconfig" on Linux (ifconfig eth0 hw ether <victim MAC>) or with "ip link set dev eth0 address <victim MAC>".
- The switch now sees the same MAC address on two ports and its table entry flaps between them, so frames for the victim are delivered to whichever port transmitted last; the attacker receives a share of the victim's traffic.
- No IP forwarding is used.

Packet Sniffing Attacks: Switch Port Stealing
- The attacker floods the switch with forged frames whose Ethernet source address is the victim's MAC (V-MAC) and whose destination is the attacker's own MAC (A-MAC), so the frames never leave the switch. (The payload can be an ARP packet; what matters to the switch is the source MAC.)
- The switch relearns V-MAC on the attacker's port, and frames for the victim are forwarded to the attacker only.
- It must be carried out very fast and continuously: as soon as the victim transmits, the switch relearns the correct port. To deliver the captured traffic the attacker has to pause, let the victim's entry be relearned, and then steal the port again.
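A small learning switch that shows why the two table attacks above (MAC flooding and switch port stealing) work. This is an added example written for these notes, not code from the original deck; the three-port topology, the MAC addresses and the 64-entry table size are constructed (real switches hold thousands of entries, which is why tools send hundreds of thousands of forged frames).

```python
"""A learning switch with a fixed-size MAC (CAM) table, used to show why
MAC flooding and switch port stealing work. Added example, not from the
original slides; ports, MACs and the table capacity are constructed.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()  # MAC -> port

    def learn(self, src_mac, port):
        """Associate the frame's source MAC with its ingress port."""
        if src_mac in self.table:
            self.table[src_mac] = port      # an existing entry moves with its source
        elif len(self.table) < self.capacity:
            self.table[src_mac] = port
        # Table full: the address is simply not learned until entries age out.

    def expire_all(self):
        """Idle timeout: real switches age entries out after a few minutes."""
        self.table.clear()

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports the frame is delivered to."""
        self.learn(src_mac, in_port)
        if dst_mac != BROADCAST and dst_mac in self.table:
            return {self.table[dst_mac]}
        # Unknown destination (or broadcast): flood out every port but the ingress.
        return {p for p in self.ports if p != in_port}


# Constructed topology: victim on port 1, gateway on port 2, attacker on port 3.
VICTIM_MAC = "02:00:00:00:00:0b"
GATEWAY_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:aa"


def mac_flood(switch, attacker_port, count):
    """'Switch jamming': frames with unique forged source MACs fill the table."""
    for i in range(count):
        tail = f"{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00"
        switch.forward("02:01:" + tail, "02:02:" + tail, attacker_port)


def flooding_demo():
    """Egress ports for a gateway->victim frame before and after the flood."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=64)
    sw.forward(VICTIM_MAC, GATEWAY_MAC, 1)
    sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)
    before = sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)  # {1}: attacker on port 3 sees nothing
    sw.expire_all()                                   # entries age out...
    mac_flood(sw, 3, 1000)                            # ...and the attacker refills the table
    after = sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)   # victim unknown: flooded to 1 and 3
    return before, after


def port_stealing_demo():
    """Egress ports for a gateway->victim frame while the port is stolen, then after the victim talks."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=64)
    sw.forward(VICTIM_MAC, GATEWAY_MAC, 1)
    sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)
    sw.forward(ATTACKER_MAC, GATEWAY_MAC, 3)
    # Forged frame: source = victim's MAC, destination = attacker's own MAC, so the
    # frame goes nowhere useful but the table now maps the victim's MAC to port 3.
    sw.forward(VICTIM_MAC, ATTACKER_MAC, 3)
    stolen = sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)     # {3}
    # The moment the victim transmits, the switch relearns port 1: this is the
    # race the slide means by "must be carried out very fast".
    sw.forward(VICTIM_MAC, GATEWAY_MAC, 1)
    recovered = sw.forward(GATEWAY_MAC, VICTIM_MAC, 2)  # {1}
    return stolen, recovered


if __name__ == "__main__":
    print("flooding:", flooding_demo())        # ({1}, {1, 3})
    print("port stealing:", port_stealing_demo())  # ({3}, {1})
```

The same model also explains MAC duplicating: two ports sending the same source MAC make `learn` keep moving the entry, so the frame lands on whichever port spoke last.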
Packet Sniffing Detection
- Packet sniffing itself is a passive attack and leaves no trace on the wire.
- It sometimes generates additional traffic, especially when combined with an active attack such as ARP spoofing or MAC flooding, and that traffic can be detected.
- Detection depends on the technique used:
  - RARP.
  - ARP cache poisoning (turned against the sniffer).
  - Arpwatch.
  - Decoy method.

Packet Sniffing Detection: Reverse ARP (RARP)
- Used to detect MAC duplicating.
- Send a RARP request asking for the IP address that belongs to a known MAC address.
- Receiving multiple replies (with different IP addresses) means that MAC address is in use on more than one machine, i.e. one of them has cloned it to sniff the network.
Packet Sniffing Detection: ARP Cache Poisoning
- Perform a counter-attack: poison the cache of the sniffing machine.
- Three phases:
  - Poison the cache of each host on the network with a fake entry.
  - Attempt a TCP connection to the fake address.
  - Sniff the LAN to see who answers using the fake entry.

ARP Cache Poisoning: Phase 1
- Send a forged gratuitous ARP reply binding a fake (unused) IP address to a valid MAC address; the valid MAC is what lets the packet pass the receiver's software filter.
- A host in promiscuous mode passes the packet up and updates its cache with the fake entry.
- The open question is which IP address to choose as the fake one so that only the sniffing host ends up with it in its cache.

Cont. ARP Cache Poisoning: Phase 2
- Send (as a broadcast frame) a TCP packet addressed to the fake IP address.
- Non-sniffing machines have no entry for that address and will first send an ARP request for it.
- Sniffing machines already hold the poisoned entry and answer directly: either the TCP connection can be completed or they return an ICMP error message.

Cont. ARP Cache Poisoning: Phase 3
- Use a sniffer to spot the machines that responded with a TCP segment or an ICMP error instead of an ARP request: those are the ones that accepted the fake entry.
Packet Sniffing Detection: Arpwatch
- Tool that uses libpcap to capture ARP traffic and keep a database of the (IP, MAC) pairs it has seen.
- Records every new station and every change of a pair on the network and reports it by e-mail (and syslog).
- Such software is not 100% accurate: legitimate events such as a DHCP reassignment or a replaced network card produce the same reports, and a change is only noticed after the forged packet has already been sent.

Packet Sniffing Detection: Decoy Method
- The administrator sets up a connection between a host and a decoy (virtual) server.
- It carries a plain-text user name and password that are used nowhere else.
- An intrusion detection rule fires as soon as those credentials are used: whoever used them can only have obtained them by sniffing.
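The arpwatch idea reduced to its core, as an added example for these notes (this is not arpwatch's own code): keep the (IP, MAC) pairs seen in ARP traffic, report new stations and changes, and flag the "flip flop" pattern that an ARP spoofing attack produces when the real host and the attacker keep overwriting each other. The observation list is constructed; the report names follow arpwatch's vocabulary.

```python
"""Arpwatch-style monitor over (timestamp, sender IP, sender MAC) tuples
taken from ARP packets. Added example, not arpwatch's code; the
observations below are constructed.
"""
from collections import defaultdict


def monitor(observations):
    """Return (reports, current) where reports are
    (timestamp, kind, ip, new_mac, old_mac) and current maps ip -> mac."""
    current = {}    # ip -> MAC currently recorded
    previous = {}   # ip -> MAC recorded before the last change
    reports = []
    for ts, ip, mac in observations:
        known = current.get(ip)
        if known is None:
            current[ip] = mac
            reports.append((ts, "new station", ip, mac, None))
        elif known != mac:
            # Bouncing back to the MAC seen before is the classic poisoning
            # signature: the real host's replies and the attacker's forged ones
            # alternate in everyone's cache, and in ours.
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            reports.append((ts, kind, ip, mac, known))
            previous[ip] = known
            current[ip] = mac
    return reports, current


def macs_claiming_multiple_ips(current):
    """One MAC answering for several IPs (e.g. the gateway and a victim) is a
    second sign of ARP spoofing; returns {mac: sorted ips} for offenders only."""
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


# Constructed ARP observations: gateway .1, hosts .11/.12, attacker 02:..:aa.
OBSERVATIONS = [
    (1000, "192.0.2.1", "02:00:00:00:00:01"),
    (1001, "192.0.2.11", "02:00:00:00:00:0b"),
    (1002, "192.0.2.12", "02:00:00:00:00:0c"),
    (1060, "192.0.2.1", "02:00:00:00:00:aa"),   # forged reply: gateway IP, attacker MAC
    (1061, "192.0.2.1", "02:00:00:00:00:01"),   # the real gateway answers a request
    (1062, "192.0.2.1", "02:00:00:00:00:aa"),   # attacker re-poisons
    (1063, "192.0.2.11", "02:00:00:00:00:aa"),  # attacker also claims the victim's IP
]


def run(observations=OBSERVATIONS):
    """Kinds of report raised, plus MACs that now answer for more than one IP."""
    reports, current = monitor(observations)
    return [r[1] for r in reports], macs_claiming_multiple_ips(current)


if __name__ == "__main__":
    kinds, suspects = run()
    for k in kinds:
        print(k)
    print(suspects)  # {'02:00:00:00:00:aa': ['192.0.2.1', '192.0.2.11']}
```

The "not 100% accurate" caveat shows up directly in this code: a DHCP lease moving to another machine raises exactly the same "changed ethernet address" report as the forged reply at t=1060, so the reports need a human (or an inventory) to adjudicate.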
Packet Sniffing Prevention
"Prevention is better than cure"
- Port security and static ARP entries.
- Authentication techniques.
- Secured protocols.
- Encryption.

Packet Sniffing Prevention: Port Security and Static ARP Entries
- Port security on the switch:
  - Each port is bound to one (or a small number of) allowed MAC addresses; once set, the binding is not changed by what the port receives.
  - Only the administrator can change it. A port that sees another source MAC is shut down or has its frames dropped, which defeats MAC flooding, MAC duplicating and port stealing from that port.
- Static ARP entries:
  - Are not timed out.
  - Are not replaced by forged ARP replies, so ARP spoofing fails against them.
  - Constrained by the size of the network.
  - Overhead to maintain the entries on every host and keep them up to date.
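Port security as it is configured on a Cisco IOS access port, added here as an example of the control described above (it is not part of the original slides; the interface name and the MAC address are assumed). Without the port-security lines the port learns any number of source MACs, which is the weak default the attacks rely on.

```cisco
! Hardened access port: at most one MAC address, learned once and kept
! ("sticky"), and the port is shut down if any other source MAC appears.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Alternatively pin the address statically instead of learning it:
!  switchport port-security mac-address 0200.0000.000b
!
! Verify the binding and the violation counter:
!  show port-security interface GigabitEthernet0/1
!  show port-security address
```

For the static ARP side on a host, the matching commands are `arp -s <ip> <mac>` (Linux and Windows) or `ip neigh add <ip> lladdr <mac> dev eth0 nud permanent` on Linux; a permanent entry is neither aged out nor overwritten by a reply.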
Packet Sniffing Prevention: Authentication
- Kerberos:
  - Credentials are not stored on the application servers.
  - The password is never transmitted over the network; the client proves knowledge of it with tickets and keys derived from it.
- One-time passwords:
  - Each password is used only once, so a captured one is worthless.
- Limitations: an authentication service protects only the credentials, not the other traffic, and password-based schemes remain prone to password-guessing attacks.

Packet Sniffing Prevention: Secured Protocols
- Never send data in plain text:
  - SSH instead of telnet.
  - SFTP instead of FTP.
  - A VPN for protocols that only exist in clear-text form.
- Virtual private networks (VPN):
  - All traffic through the tunnel is encrypted.
  - Additional overhead.
  - Traffic can still be captured on an endpoint compromised by a Trojan, before it is encrypted.

Packet Sniffing Prevention: Encryption
- Only the payloads are scrambled; the headers stay readable so that packets still reach the correct destinations.
- An attacker can see where traffic is headed and where it came from, but not what it carries.
- Additional overhead.
- Use strong encryption techniques, e.g. layer-three encryption such as IPsec.

Conclusion
- Switched networks are vulnerable to various security attacks; sniffing is one of them.
- Sniffing is a passive attack that we need to be aware of in order to protect against it.
- Replacing hubs with switches does not make us immune to sniffing.
- The lack of an optimal solution does not mean we cannot protect our networks.