SPAN Port: SPAN port is the port to which the sniffer is attached and configured to receive a copy of every packe...
Lawful Intercept: Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic s...
Benefits of Lawful Intercept: Allows multiple LEAs to run a lawful intercept on the same target without each othe...
Network Components Used for Lawful Intercept: Mediation Device: • A mediation devi...
ARP Spoofing Attack: ARP resolves IP addresses to MAC (hardware) addre...
How Does ARP Spoofing Work: When a legitimate user initiates a session with another user in the sam...
ARP Poisoning (diagram): "Hey 10.1.1.1, are you there?" ...
Mac Duplicating: MAC duplicating attack is launched by sniffing the network for MAC addresses of clients who are actively a...
Mac Duplicating Attack (diagram): "My MAC address is A:B:C:D:E" ... Switch Rule: Allo...
ARP Spoofing Tools
Tools for ARP Spoofing: Arpspoof (Linux-based tool), Ettercap (Linux and Wi...
Ettercap: A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS ...
ArpSpyX: ArpSpyX passively sniffs network ARP packets and displays the IP and MAC address of the machine that generat...
ArpSpyX: Screenshot
MAC Flooding Tools
MAC Flooding: MAC flooding involves flooding the switch with numerous requests. Switches...
Tools for MAC Flooding: Macof (Linux-based tool), Etherflood...
Linux Tool: Macof: Macof floods the local network with random MAC addresses, causing some switches to fail to open in ...
Macof: Screenshot
Windows Tool: EtherFlood: The effect on some switches is ...
Threats of ARP Poisoning: Internal network attacks are typically operated via ARP Poisoning attacks. Everyone can do...
IRS – ARP Attack Tool: Many servers and network devices like routers and switches provide features like ACLs, IP Fil...
IRS – ARP Attack Tool: Screenshot
ARPWorks Tool: ArpWorks is a u... Other features are: IP ...
Tool: Nemesis: Nemesis provides an interface to craft and inject a variety of arbitrary packet types. It is also used for...
IP-based Sniffing: IP-based sniffing is the original way of packet sniffing. It works by putting the network card into the...
IP-based Sniffing: Screenshot
Linux Sniffing Tools
Linux Sniffing Tools (dsniff package): Sniffer hacking tools (these tools are available on the Linux CD-ROM): ar...
Linux Sniffing Tools (cont'd): sshmitm • SSH monkey-in-the-middle ...
Linux Tool: Arpspoof: Arpspoof redirects packets from a target host intended for another host o...
Linux Tool: Dnsspoof: Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is ...
Linux Tool: Dsniff: Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNM...
Dsniff: Screenshot
Linux Tool: Filesnarf: Filesnarf saves files sniffed from NFS traffic in the current working directory • file...
Linux Tool: Mailsnarf: Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox fo...
Linux Tool: Msgsnarf: Msgsnarf records the selected messages from AOL Instant Messenger, ICQ...
Linux Tool: Sshmitm: Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof, capturing SSH password ...
Linux Tool: Tcpkill: Tcpkill kills specified in-progress TCP connections (useful ...
Linux Tool: Tcpnice: Tcpnice slows down the specified TCP connections on a LAN via active traffic shaping • t...
Linux Tool: Urlsnarf: Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by ...
Linux Tool: Webspy: Webspy sends URLs sniffed from a client to the local Netscape browser to display, up...
Webspy: Screenshot
Linux Tool: Webmitm: Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, captu...
DNS Poisoning Techniques
DNS Poisoning Techniques: The substitution of a false Internet provider address at the domain name service level (e.g...
1. Intranet DNS Spoofing (Local Network): For this technique, you must be connected to t...
2. Internet DNS Spoofing (Remote Network): Internet DNS spoofing sends a Trojan to Rebecca's machine a...
Internet DNS Spoofing: To redirect all DNS request traffic going from the host machine to come to you: 1. Set up a fake ...
3. Proxy Server DNS Poisoning: Send a Trojan to Rebecca's machine and change her proxy server settings in Internet Ex...
4. DNS Cache Poisoning: To perform a cache poisoning attack, the attacker exploits a fl...
Interactive TCP Relay: Interactive TCP Relay operates as a simple TCP tunnel listening on a specific port and forward...
Interactive Replay Attacks (diagram): John sends a message to Dan. The ...
Raw Sniffing Tools
Raw Sniffing Tools: Sniffit, Snort, Aldebaran, Windump/tcpdu...
Features of Raw Sniffing Tools: Data can be intercepted "off the wire" from a live network connection, or read from...
HTTP Sniffer: EffeTech: It parses and ...
HTTP Sniffer: EffeTech (screenshot)
Ace Password Sniffer: Ace Password Sniffer can monitor and capture passwords...
Ace Password Sniffer: Screenshot
Win Sniffer: Win Sniffer allows network administrators to capture passwords of any network user. Win Sniffer monitors in...
Win Sniffer: Screenshot
MSN Sniffer: All intercepted ...
MSN Sniffer: Screenshot
SmartSniff: SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes ...
Session Capture Sniffer: NetWitness: The patented technology recreates "sessions" and displays them ...
Session Capture Sniffer: NWreader: FTP Sessions ...
Packet Crafter: Craft Custom TCP/IP Packets
SMAC: SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It dis...
NetSetMan Tool: NetSetMan allows you to quickly switch between pre-configured network settings. It is ideal for ethi...
Ntop: Ntop is a network traffic probe that shows the network usage. In interactive mode, it displays the network ...
EtherApe: EtherApe is a graphical network monitor for Unix. Featuring link layer, IP, and TCP modes, it displays ...
EtherApe Features: Network traffic is displayed graphically. The more talkative a node is, the bigger is its repr...
Network Probe: Network Probe network monitor and protocol analyzer gives the user an instant picture of the tra...
MaaTec Network Analyzer: MaaTec Network Analyzer is a tool that is used for capturing, sa...
Tool: Snort: There are three main modes in which Snort can be configure...
Tool: Windump: WinDump is the porting to the Windows platform of tcpdump, the most used network sniffer/analyze...
Tool: Etherpeek: Ethernet network traffic and protoco...
NetIntercept: A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, d...
NetIntercept: Screenshot 1
NetIntercept: Screenshot 2
Colasoft EtherLook: Colasoft EtherLook is a TCP/IP network monitoring tool for Windows-based platforms. It monitors...
Colasoft EtherLook: Screenshot 1
Colasoft EtherLook: Screenshot 2
AW Ports Traffic Analyzer: Atelier Web Ports Traffic Analyzer is a network traffic sniffer and l...
AW Ports Traffic Analyzer: Screenshot
Colasoft Capsa Network Analyzer: Colasoft Capsa Network Analyzer is a TCP/IP network sniffer and analyzer that offers r...
Colasoft Capsa Network Analyzer: Screenshot
CommView: CommView is a program for monitoring network activity, capable of capturing and analyzing packets on any...
CommView: Screenshot
Sniffem: Sniffem is a Windows packet sniffer and network analyzer that captures, monitors, and ...
Sniffem: Screenshot
NetResident: NetResident is a network traffic monitor that captures, stores, and analyzes...
NetResident: Screenshot
IP Sniffer: IP Sniffer is a protocol analyzer that uses XP/2K raw socket features. It supports filtering rules, ad...
IP Sniffer: Screenshot
Sniphere: Sniphere is a WinPcap network sniffer that supports most common protocols. It can be used on Ethern...
Sniphere: Screenshot
IE HTTP Analyzer: IE HTTP Analyzer is an add-in for Internet Explorer that allows capturing HTTP/HTTPS traffi...
IE HTTP Analyzer: Screenshot
TH3 Professional Developper CEH sniffers
Published in: Education, Technology
Transcript of "TH3 Professional Developper CEH sniffers"

  1. Ethical Hacking and Countermeasures, Version 6. Module X: Sniffers
  2. Scenario: Jamal is an electrician who fixes electrical and network cables. He was called in for a regular inspection at the premises of XInsurance Inc. Jamal was surprised at his findings during a routine check of the AC ducts in the enterprise: the LAN wires were laid through the ducts. He was tempted to find the information flowing through the LAN wires. What can Jamal do to sabotage the network? What information can he obtain, and how sensitive is the information that he would obtain? Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Module Objective: This module will familiarize you with: • Sniffing • Protocols vulnerable to sniffing • Types of sniffing • ARP and ARP spoofing attack • Tools for ARP spoofing • MAC flooding • Tools for MAC flooding • Sniffing tools • Types of DNS poisoning • Raw sniffing tools • Detecting sniffing • Countermeasures
  4. Module Flow: Sniffing Definition → Protocols Vulnerable to Sniffing → Types of Sniffing → ARP and ARP Spoofing Attack → Tools for ARP Spoofing → MAC Flooding → Tools for MAC Flooding → Sniffer Hacking Tools → Types of DNS Poisoning → Raw Sniffing Tools → Detecting Sniffing → Countermeasures
  5. Definition: Sniffing: Sniffing is a data interception technology. A sniffer is a program or device that captures the vital information from the network traffic specific to a particular network. The objective of sniffing is to steal: • Passwords (from email, the web, SMB, FTP, SQL, or Telnet) • Email text • Files in transfer (email files, FTP files, or SMB)
  6. Protocols Vulnerable to Sniffing: Protocols that are susceptible to sniffers include: • Telnet and Rlogin: keystrokes including user names and passwords • HTTP: data sent in clear text • SMTP: passwords and data sent in clear text • NNTP: passwords and data sent in clear text • POP: passwords and data sent in clear text • FTP: passwords and data sent in clear text • IMAP: passwords and data sent in clear text
  7. Types of Sniffing: There are two types of sniffing: passive sniffing (sniffing through a hub) and active sniffing (sniffing through a switch).
  8. Passive Sniffing: "Passive sniffing" means sniffing through a hub. It is called passive because it is difficult to detect. An attacker simply connects the laptop to the LAN hub and starts sniffing. (Diagram: attacker attached to the hub alongside the other hosts.)
  9. Active Sniffing: A switch looks at the MAC address associated with each frame, sending data only to the connected port. An attacker tries to poison the switch by sending bogus MAC addresses. Sniffing through a switch is difficult and can easily be detected. Techniques for active sniffing: • MAC flooding • ARP spoofing (Diagram: attacker, switch, LAN.)
  10. What is Address Resolution Protocol (ARP): ARP is a network layer protocol used to convert an IP address to a physical address (called a MAC address), such as an Ethernet address. To obtain a physical address, a host broadcasts an ARP request to the TCP/IP network. The host with the IP address in the request replies with its physical hardware address on the network.
  11. Tool: Network View – Scans the Network for Devices
  12. The Dude Sniffer: Developed by MikroTik, the Dude network monitor is a new application which can improve the way you manage your network environment. Functions: • Automatically scans all devices within the specified subnets • Draws and lays out a map of your networks • Monitors services of your devices • Alerts you in case some service has problems. It is written in two parts: • Dude Server, which runs in the background • Dude Client, which may connect to a local or remote Dude server
  13. The Dude Sniffer: Screenshot 1
  14. The Dude Sniffer: Screenshot 2
  15. The Dude Sniffer: Screenshot 3
  16. Look@LAN (Note: This slide is not in your courseware)
  17. Look@LAN (Note: This slide is not in your courseware)
  18. Look@LAN (Note: This slide is not in your courseware)
  19. Wireshark: Wireshark is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. The user can interactively browse captured data, viewing summary and detailed information for each packet captured.
  20. Display Filters in Wireshark: Display filters are used to change the view of packets in captured files. Filtering by protocol: type the protocol in the filter box, e.g. arp, http, tcp, udp, dns. Filtering by IP address: • ip.addr == 10.0.0.4. Filtering by multiple IP addresses: • ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5. Monitoring specific ports: • tcp.port==443 • ip.addr==192.168.1.100 && tcp.port==443 (a specific machine on port 443). Other filters: • ip.dst == 10.0.1.50 && frame.pkt_len > 400 • ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30 • ip.src==205.153.63.30 or ip.dst==205.153.63.30
  21. Following the TCP Stream in Wireshark: Wireshark reassembles all packets in a TCP conversation and displays the ASCII in an easy-to-read format. This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP. Example: follow the stream of an HTTP session and save the output to a file. Command: selecting a TCP packet in the Summary window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the "Follow TCP Stream" window. You can also right-click on a TCP packet in the Summary window and choose "Follow TCP Stream" to display the window.
  22. Following the TCP Stream in Wireshark (cont'd)
  23. Pilot: Pilot is a powerful network analysis tool with an accessible and visually-oriented user interface designed to increase your troubleshooting effectiveness. Benefits: • Integrated with Wireshark • Powerful network analysis engine • Pilot Views: flexible analysis and visualization paradigm • Pilot Charts: innovative visualization components • Drill-down: an innovative analysis paradigm • Unparalleled wireless support with AirPcap • Superior reporting capabilities
  24. Pilot: Screenshot 1
  25. Pilot: Screenshot 2
  26. Pilot: Screenshot 3
  27. Cain and Abel: Cain & Abel is a password recovery tool. It allows easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks. It covers some security aspects/weaknesses present in protocol standards, authentication methods, and caching mechanisms.
  28. Cain and Abel (cont'd): • MSCACHE hashes dumper • MSCACHE hashes dictionary and brute-force crackers • Sniffer filter for SIP-MD5 authentications • SIP-MD5 hashes dictionary and brute-force crackers • Off-line capture file processing compatible with WinPcap, tcpdump, and Wireshark format • Cain's sniffer can extract audio conversations based on SIP/RTP protocols and save them into WAV files
  29. Cain and Abel: Features: • Remote Registry Editor • SIREN codec support in VoIP sniffer • Supports new AES-128bit keyfobs in RSA SecurID Token Calculator • Microsoft SQL Server 2005 Password Extractor via ODBC • Fixed a bug in Internet Explorer 7 AutoComplete password decoder • Default HTTP users and passwords fields update • Automatic recognition of AirPcap TX capability based on channels
  30. Cain and Abel: Screenshot 1
  31. Cain and Abel: Screenshot 2
  32. Cain and Abel: Screenshot 3
  33. Cain and Abel: Screenshot 4
  34. Cain and Abel: Screenshot 5
  35. 35. Tcpdump Tcpdump is a common computer network debugging tool that runs under command li d d line It allows user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  36. 36. Tcpdump Commands Exporting tcpdumps to a file p g p p • # tcpdump port 80 -l > webdump.txt & tail -f webdump.txt • # tcpdump -w rawdump w • # tcpdump -r rawdump > rawdump.txt • # tcpdump -c1000 -w rawdump • # tcpdump -i eth1 -c1000 -w rawdump Captures traffic on a specific port • # tcpdump port 80 You can select several hosts on your LAN and capture the traffic that passes between them • # tcpdump host workstation4 and workstation11 and workstation13 Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  37. 37. Tcpdump Commands (cont’d) Capture all the LAN traffic between workstation4 and the LAN, except for workstation11 LAN • # tcpdump -e host workstation4 and workstation11 and workstation13 Capture all packets except those for certain ports • # tcpdump not port 110 and not port 25 and not port 53 and not port 22 Filter by protocol • # tcpdump udp • # tcpdump ip proto OSPFIGP Capture traffic on a specific host and restrict by protocol • # tcpdump host server02 and ip # tcpdump host server03 and not udp # tcpdump host server03 and ip and igmp and not udp Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
38. Wiretap
Wiretapping is the monitoring of telephone and Internet conversations by a third party. Historically, the monitoring connection was applied to the wires of the telephone line being monitored, and a small amount of the electrical signal carrying the conversation was tapped.
39. RF Transmitter Wiretaps
In the radio frequency (RF) transmitter tap technique, a small RF transmitter is attached to the telephone line or placed within the telephone instrument. In these wiretaps, audio fluctuations from the telephone conversation modulate the transmitter carrier, which transmits the conversation into free air space.
40. Infinity Transmitter
An infinity transmitter is a device used as a wiretap to monitor the communication. It operates independently of the telephone instrument and requires its own telephone line. It can be called from a remote telephone and activated with a tone signal.
41. Slave Parallel Wiretaps
A slave parallel wiretap device works in the same way as an infinity transmitter and combines those features with a parallel wiretap. The slave is connected anywhere along the target telephone line. For these wiretaps, an attacker needs a working telephone line located in the same cable, cross-connect, or closet as the target line. Once the lines are connected to the slave, the eavesdropper can call his leased telephone line and activate the slave. After activation, the slave automatically connects the eavesdropper's telephone line to the target telephone line.
42. Switched Port Analyzer (SPAN)
The Switched Port Analyzer (SPAN) feature, also called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe device or another Remote Monitoring (RMON) probe.
SPAN exists because of a fundamental difference between switches and hubs: a switch forwards a unicast frame only to the port that owns the destination MAC address, so a sniffer on another port sees nothing unless the switch is told to copy the traffic to it.
In a single local SPAN session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both) traffic.
43. SPAN Port
The SPAN port is the port to which the sniffer is attached; it is configured to receive a copy of every packet sent from the source host to the destination host.
• Source (SPAN) port: a port that is monitored with the use of the SPAN feature
• Destination (SPAN) port: a port that monitors source ports, usually where a network analyzer is connected
44. Lawful Intercept
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks.
The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target's IP address or session to determine which of its edge routers handles the target's traffic (data communication). The service provider then intercepts the target's traffic as it passes through the router and sends a copy of the intercepted traffic to the LEA without the target's knowledge.
45. Benefits of Lawful Intercept
• Allows multiple LEAs to run a lawful intercept on the same target without each other's knowledge
• Does not affect subscriber services on the router
• Supports wiretaps in both the input and output direction
• Supports wiretaps of individual subscribers that share a single physical interface
• Neither the network administrator nor the calling parties are aware that packets are being copied or that the call is being tapped
• Hides information about lawful intercepts from all but the most privileged users
• Provides two secure interfaces for performing an intercept: one for setting up the wiretap and one for sending the intercepted traffic to the LEA
46. Network Components Used for Lawful Intercept
Mediation Device:
• A mediation device (supplied by a third-party vendor) handles most of the processing for the lawful intercept
Intercept Access Point:
• An intercept access point (IAP) is a device that provides information for the lawful intercept
Collection Function:
• The collection function is a program that stores and processes traffic intercepted by the service provider
47. ARP Spoofing Attack
ARP resolves IP addresses to the MAC (hardware) address of the interface that should receive the data.
ARP packets can be forged to direct data to the attacker's machine. An attacker can exploit ARP poisoning to intercept the network traffic between two machines on the network.
A related but distinct attack is MAC flooding: by bombarding the switch's MAC address (CAM) table with frames from many forged source addresses, the attacker exhausts the table so that the switch can no longer learn where stations are and floods frames out of every port ("fail-open" mode), after which the traffic can be sniffed. This fills the CAM table, not an ARP cache, and needs no ARP replies at all.
48. How Does ARP Spoofing Work
When a legitimate user initiates a session with another user in the same Layer 2 broadcast domain, an ARP request is broadcast using the recipient's IP address, and the sender waits for the recipient to respond with a MAC address.
A malicious user eavesdrops on this unprotected Layer 2 broadcast domain, can respond to the broadcast ARP request, and replies to the sender claiming the intended recipient's IP address with his own MAC address. Because ARP has no authentication, most hosts also accept unsolicited (gratuitous) replies and overwrite their ARP cache with whatever arrives last, so the attacker does not even need to win the race against the real reply.
49. ARP Poisoning
Step 1: The legitimate user sends an ARP request ("Hey 10.1.1.1, are you there?"), which the switch broadcasts onto the wire
Step 2: Another legitimate user responds to the ARP request ("Yes, I am here. This is 10.1.1.1 and my MAC address is 1:2:3:4:5:6")
Step 3: The malicious user eavesdrops on the ARP request and, after the legitimate user has responded, spoofs the response and sends his own MAC address to the originator of the request ("No, I am 10.1.1.1 and my MAC address is 9:8:7:6:5:4")
Step 4: Traffic for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4, the attacker
50. MAC Duplicating
A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses. By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address.
The attacker will receive traffic destined for the legitimate user (on a learning switch the CAM entry follows whichever port sent that MAC most recently, so delivery flaps between the two stations).
This technique also works against wireless access points with MAC filtering enabled.
51. MAC Duplicating Attack
Legitimate user: "My MAC address is A:B:C:D:E"
Switch rule: allow access to the network only if your MAC address is A:B:C:D:E
Step 1: The malicious user sniffs the network for the MAC addresses of currently associated legitimate users, and then uses one of those MAC addresses to attack other users associated with the same switch port
52. ARP Spoofing Tools
53. Tools for ARP Spoofing
• Arpspoof (Linux-based tool)
• Ettercap (Linux and Windows)
• Cain and Abel (Windows)
• ArpSpyX (Mac OS)
54. Ettercap
A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning-based sniffing, and so on.
55. ArpSpyX
ArpSpyX passively sniffs network ARP packets and displays the IP and MAC address of the machine that generated each packet.
ArpSpyX supports two methods of scanning:
• The first method is a passive mode which only listens for traffic without sending any packets
• The second method is active and will send out ARP who-has requests for every IP address on your subnet
Features of ArpSpyX include:
• Easily gathering MAC addresses of the network machines remotely
• Quickly identifying new clients on your wireless network
• Identifying ARP poisoning attacks by tracking multiple MAC addresses for a single IP address
• Creating a text file containing all IP addresses on your network
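Slides 47 to 49 describe the forged reply and slide 55 the detection heuristic (several MACs claiming one IP). The following Python script, an added example rather than code from the slides or from ArpSpyX/arpspoof, builds the request, the genuine reply and the forged reply from the slide-49 diagram as raw Ethernet/ARP frames, feeds them to a model of a victim's ARP cache, and runs the ArpSpyX-style check over the same frames. The requester's MAC 0a:0b:0c:0d:0e:0f and the IP 10.1.1.2 are made up; nothing is sent on a real interface.

```python
"""ARP reply forging and ARP-poisoning detection on raw Ethernet frames. Added example
(standard library only); frames are built and consumed in memory, never sent, and the
addresses are the ones from the slide plus constructed ones for the requester."""
import socket
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame; op 1 = request (broadcast), op 2 = reply (unicast).
    A forged reply is the same structure with the attacker's MAC as sender_mac and the
    impersonated host's address as sender_ip: ARP offers no way to tell it apart."""
    dst = b"\xff" * 6 if op == 1 else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frm):
    """ARP fields as a dict, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frm) < 42 or struct.unpack_from("!H", frm, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", frm, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpCache:
    """A victim host's ARP cache as the slides describe it: no authentication, last reply wins."""

    def __init__(self):
        self.table = {}

    def feed(self, frm):
        a = parse_arp(frm)
        if a and a["op"] == 2:
            self.table[a["sender_ip"]] = a["sender_mac"]


class ArpWatch:
    """Passive detector in the ArpSpyX style: remember every MAC that has claimed an IP
    and raise an alert once an IP has been claimed by more than one."""

    def __init__(self):
        self.claims = defaultdict(set)

    def feed(self, frm):
        a = parse_arp(frm)
        if a is None or a["sender_ip"] == "0.0.0.0":          # probe packets carry no claim
            return None
        macs = self.claims[a["sender_ip"]]
        macs.add(a["sender_mac"])
        return (a["sender_ip"], sorted(macs)) if len(macs) > 1 else None


def run_scenario():
    """Replay of the slide: 10.1.1.2 asks for 10.1.1.1, the real owner answers, then the
    attacker sends a forged reply. Returns (victim's cache, detector alerts)."""
    victim, watch, alerts = ArpCache(), ArpWatch(), []
    frames = [
        build_arp(1, "0a:0b:0c:0d:0e:0f", "10.1.1.2", "00:00:00:00:00:00", "10.1.1.1"),
        build_arp(2, "01:02:03:04:05:06", "10.1.1.1", "0a:0b:0c:0d:0e:0f", "10.1.1.2"),
        build_arp(2, "09:08:07:06:05:04", "10.1.1.1", "0a:0b:0c:0d:0e:0f", "10.1.1.2"),  # forged
    ]
    for frm in frames:
        victim.feed(frm)
        alert = watch.feed(frm)
        if alert:
            alerts.append(alert)
    return victim.table, alerts
```

The detector only ever sees a conflict, never proof of which MAC is the impostor; in practice that is resolved against a known-good inventory (DHCP leases, switch port tables) or by ignoring the problem altogether through static ARP entries and Dynamic ARP Inspection on the switch.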
56. ArpSpyX: Screenshot
57. MAC Flooding Tools
58. MAC Flooding
MAC flooding involves flooding a switch with a very large number of frames carrying forged (random) source MAC addresses.
Switches have a limited memory (the CAM table) for mapping MAC addresses to the physical ports on the switch. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up.
The switch then acts as a hub, sending frames for destinations it cannot look up to all ports. After this, sniffing can be easily performed.
This only works on switches that "fail open" when the table is full; a switch with port security (a limit on the number of MAC addresses learned per port) shuts the offending port down instead.
59. Tools for MAC Flooding
• Macof (Linux-based tool)
• Etherflood (Linux and Windows)
60. Linux Tool: Macof
Macof floods the local network with random MAC addresses, causing some switches to fail open into repeating mode, which facilitates sniffing.
• macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
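To make the mechanism on slides 58 to 60 concrete, here is an added example (not macof's source, and not from the slides): a Python model of a learning switch with a fixed-size CAM table, a macof-style burst of frames with random source and destination MACs, and the check a defender runs to spot the burst. The switch model and the table size of 64 entries are assumptions chosen to show the behaviour the slides describe; real switches differ in table size and in what they do when it is full.

```python
"""MAC flooding against a simulated learning switch, plus the defender's counter-check.
Added example: the switch model (a CAM table of fixed size that floods frames for unknown
destinations) is an assumption matching the behaviour the slides describe, not macof's
source; no frames leave the process."""
import random
import struct
from collections import Counter

ETH_P_IP = 0x0800
A_MAC = bytes.fromhex("00000000000a")     # two legitimate stations (constructed)
B_MAC = bytes.fromhex("00000000000b")


def random_mac():
    """Locally administered unicast address (bit 1 set, bit 0 clear), as macof generates."""
    first = (random.getrandbits(8) | 0x02) & 0xFE
    return bytes([first]) + bytes(random.getrandbits(8) for _ in range(5))


def frame(src, dst, payload=b""):
    return dst + src + struct.pack("!H", ETH_P_IP) + payload


class Switch:
    """Learning switch: source MAC -> ingress port. Once the CAM table is full, new
    addresses are not learned, and frames to unlearned destinations go out every port."""

    def __init__(self, ports, cam_size):
        self.ports, self.cam_size, self.cam, self.flooded = ports, cam_size, {}, 0

    def receive(self, in_port, frm):
        dst, src = frm[:6], frm[6:12]
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = in_port           # learn, or follow a station that moved port
        out = self.cam.get(dst)
        if out is None or dst == b"\xff" * 6:
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [out]


def macof_burst(n):
    """What `macof -n N` puts on the wire: N frames with random source and destination MACs."""
    return [frame(random_mac(), random_mac()) for _ in range(n)]


def run_scenario(flood, cam_size=64, flood_frames=500):
    """A (port 1) and B (port 2) start talking; the attacker sits on port 3.
    Returns the ports the switch delivers A's frame to once both sides have spoken."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size)
    if flood:
        for frm in macof_burst(flood_frames):
            sw.receive(3, frm)                # CAM table fills with junk first
    sw.receive(1, frame(A_MAC, B_MAC))        # B unknown either way: flooded
    sw.receive(2, frame(B_MAC, A_MAC))        # B learned only if the table has room
    return sw.receive(1, frame(A_MAC, B_MAC))


def flood_detector(frames, threshold=50):
    """Defender-side check (what port security automates): ports that sourced more than
    `threshold` distinct MAC addresses in the observed window."""
    per_port, seen = Counter(), set()
    for port, frm in frames:
        key = (port, frm[6:12])
        if key not in seen:
            seen.add(key)
            per_port[port] += 1
    return sorted(p for p, n in per_port.items() if n > threshold)


if __name__ == "__main__":
    print("normal :", run_scenario(flood=False))   # [2]
    print("flooded:", run_scenario(flood=True))    # [2, 3]
```

Without the flood, A's third frame reaches only port 2; after the flood the table has no room for A or B, so the same frame is also delivered to the attacker's port 3. A single port sourcing hundreds of distinct MACs in seconds is the signal port security keys on, and it is the same figure the detector above reports.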
61. Macof: Screenshot
62. Windows Tool: EtherFlood
EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports, so that the attacker is able to sniff all traffic on the sub-network.
Source: http://ntsecurity.nu/toolbox/etherflood/
63. Threats of ARP Poisoning
Internal network attacks are typically carried out via ARP poisoning. Anyone can download from the Internet the malicious software used to run ARP spoofing attacks.
Using fake ARP messages, an attacker can divert all communication between two machines so that all traffic is exchanged via his PC. From such a man-in-the-middle position, the attacker can, in particular:
• Run Denial of Service (DoS) attacks
• Intercept data
• Collect passwords
• Manipulate data
• Tap VoIP phone calls
64. IRS – ARP Attack Tool
Many servers and network devices like routers and switches provide features like ACLs, IP filters, firewall rules, and so on, to give access to their services only to particular network addresses (usually administrators' workstations).
This tool scans for the IP restrictions set for a particular service on a host. It combines "ARP poisoning" and "half-scan" techniques and tries spoofed TCP connections to the selected port of the target. IRS is not a port scanner but a "valid source IP address" scanner for a given service.
65. IRS – ARP Attack Tool: Screenshot
66. ARPWorks Tool
ArpWorks is a utility for sending customized "ARP announce" packets over the network. All ARP parameters, including the Ethernet source MAC address, can be changed.
Other features are: IP to MAC resolver, subnet MAC discovery, host isolation, packet redirection, and general IP conflict.
67. Tool: Nemesis
Nemesis provides an interface to craft and inject a variety of arbitrary packet types. It is also used for ARP spoofing.
Nemesis supports the following protocols:
• arp
• dns
• ethernet
• icmp
• igmp
• ip
• ospf
• rip
• tcp
• udp
68. IP-based Sniffing
IP-based sniffing is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter; if no filter is set, all packets are captured.
This method only works in non-switched networks.
AntiSniff
• The AntiSniff program determines if a device is listening to the traffic on the local network
• The AntiSniff DNS test is vulnerable to a buffer overflow that would allow an attacker to execute arbitrary code by sending a malformed DNS packet to the system running AntiSniff
69. IP-based Sniffing: Screenshot
70. Linux Sniffing Tools
71. Linux Sniffing Tools (dsniff package)
Sniffer hacking tools (these tools are available on the Linux CD-ROM)
• arpspoof: intercepts packets on a switched LAN
• dnsspoof: forges replies to DNS address and pointer queries
• dsniff: password sniffer
• filesnarf: sniffs files from NFS traffic
• mailsnarf: sniffs mail messages in Berkeley mbox format
• msgsnarf: sniffs chat messages
72. Linux Sniffing Tools (cont'd)
• sshmitm: SSH monkey-in-the-middle
• tcpkill: kills TCP connections on a LAN
• tcpnice: slows down TCP connections on a LAN
• urlsnarf: sniffs HTTP requests in Common Log Format
• webspy: displays sniffed URLs in Netscape in real time
• webmitm: HTTP/HTTPS monkey-in-the-middle
73. Linux Tool: Arpspoof
Arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.
• arpspoof [-i interface] [-t target] host
"host" is the address whose traffic you want to intercept (typically the default gateway). Kernel IP forwarding must be enabled on the attacker's machine beforehand; otherwise the intercepted packets are dropped and the target simply loses connectivity.
74. Linux Tool: Dnsspoof
Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks.
• dnsspoof [-i interface] [-f hostsfile] [expression]
75. Linux Tool: Dsniff
Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, and so on.
Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, logging only unique authentication attempts. Full TCP/IP reassembly is provided by libnids.
• dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
76. Dsniff: Screenshot
77. Linux Tool: Filesnarf
Filesnarf saves files sniffed from NFS traffic in the current working directory.
• filesnarf [-i interface] [[-v] pattern [expression]]
78. Linux Tool: Mailsnarf
Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader.
• mailsnarf [-i interface] [[-v] pattern [expression]]
79. Linux Tool: Msgsnarf
Msgsnarf records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions.
• msgsnarf [-i interface] [[-v] pattern [expression]]
80. Linux Tool: Sshmitm
Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof, capturing SSH password logins and optionally hijacking interactive sessions. Only SSH protocol version 1 is (or ever will be) supported. A client that already knows the server's host key will warn that the key has changed, so the attack depends on the user ignoring that warning.
• sshmitm [-d] [-I] [-p port] host [port]
81. Linux Tool: Tcpkill
Tcpkill kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation).
• tcpkill [-i interface] [-1...9] expression
82. Linux Tool: Tcpnice
Tcpnice slows down the specified TCP connections on a LAN via active traffic shaping.
• tcpnice [-I] [-i interface] [-n increment] expression
83. Linux Tool: Urlsnarf
Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, and so on).
• urlsnarf [-n] [-i interface] [[-v] pattern [expression]]
84. Linux Tool: Webspy
Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automatically). Netscape must be running on your local X display ahead of time.
• webspy [-i interface] host
85. Webspy: Screenshot
86. Linux Tool: Webmitm
Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions. It presents its own self-signed certificate to the client, so the browser shows a certificate warning that the victim has to click through.
• webmitm [-d]
87. DNS Poisoning Techniques
88. DNS Poisoning Techniques
DNS poisoning is the substitution of a false IP address at the domain name service level (i.e., where web addresses are converted into numeric Internet Protocol addresses). It is a technique that tricks a DNS server or client into believing that it has received authentic information when, in reality, it has not.
Types of DNS poisoning:
• Intranet DNS spoofing (local network)
• Internet DNS spoofing (remote network)
• Proxy server DNS poisoning
• DNS cache poisoning
89. 1. Intranet DNS Spoofing (Local Network)
For this technique, you must be connected to the local area network (LAN) and be able to sniff packets. It works well on switched networks when combined with ARP poisoning of the router.
Rebecca (IP 10.0.0.3) types www.xsecurity.com in her web browser; the real website is at 200.0.0.45 and the router is 10.0.0.254. The hacker (IP 10.0.0.5) runs arpspoof/dnsspoof.
1. Rebecca's browser sends the DNS request "What is the IP address of www.xsecurity.com?"
2. The hacker has poisoned the router's ARP cache, so all the router's traffic is forwarded to his machine
3. The hacker has set up a fake www.xsecurity.com website, and dnsspoof answers the request with its address
4. The hacker's fake website sniffs the credentials and redirects the request to the real website
90. 2. Internet DNS Spoofing (Remote Network)
Internet DNS spoofing sends a Trojan to Rebecca's machine and changes her DNS server address to that of the attacker's. It works across networks and is easy to set up and implement.
1. The hacker infects Rebecca's computer, changing her DNS server IP address to 200.0.0.2 (a DNS server the hacker runs in Russia)
2. Rebecca types www.xsecurity.com in her web browser
3. The hacker's DNS server resolves it to the fake website (IP 65.0.0.2)
4. The hacker's fake website sniffs the credentials
5. The fake website redirects the request to the real website (www.xsecurity.com, IP 200.0.0.45)
91. Internet DNS Spoofing
To redirect all DNS request traffic going from the host machine to come to you:
1. Set up a fake website on your computer
2. Install treewalk and modify the file mentioned in readme.txt to your IP address; treewalk will make you the DNS server
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5. When Jessica clicks the trojaned file, it will replace the DNS entry in her TCP/IP properties with that of your machine
6. You will become the DNS server for Jessica and her DNS requests will go through you
7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website
92. 3. Proxy Server DNS Poisoning
Send a Trojan to Rebecca's machine and change her proxy server settings in Internet Explorer to that of the attacker's. It works across networks and is easy to set up and implement.
1. The hacker infects Rebecca's computer, changing her IE proxy address to 200.0.0.2 (a proxy server the hacker runs in Russia)
2. Rebecca types www.xsecurity.com in her web browser
3. The hacker's proxy sends Rebecca's request to the fake website (IP 65.0.0.2)
4. The hacker's fake website sniffs the credentials and redirects the request to the real website (www.xsecurity.com, IP 200.0.0.45)
93. 4. DNS Cache Poisoning
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that makes it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source (at minimum: that the transaction ID, source address and port, and question match an outstanding query, and that the records lie within the zone the responder is authoritative for), it will end up caching the incorrect entries locally and serving them to users that make the same request.
• For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he/she controls
• He/she then creates fake entries for files on the server he/she controls with names matching those on the target server
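The validation failure on slide 93 is easiest to see with two resolvers side by side. The Python script below is an added example (not the slides' material and not any real resolver's code): it builds DNS queries and responses in wire format, then feeds a forged response for www.xsecurity.com, carrying an extra record for mail.xsecurity.com, to a resolver that caches anything that parses and to one that checks the transaction ID, the question and the owner name of each record. The transaction ID 0x5BD2 and the attacker's guess 0x1234 are made-up values; checks on the responder's source address and port, which a real resolver also performs, are left out to keep the model short.

```python
"""DNS cache poisoning: a naive resolver that caches whatever parses, beside one that
validates a response against its outstanding query. Added example with constructed
wire-format messages; standard library only, nothing is sent on the network.
Source address/port checks, which a real resolver also performs, are omitted."""
import random
import socket
import struct


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                  # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n


def build_query(txid, qname):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, answers):
    """answers: [(owner_name, ipv4)]. An owner that differs from qname is the extra record
    an attacker smuggles in alongside the answer the victim asked for."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg


def parse_response(msg):
    """Returns (txid, qname, [(owner, ipv4)]) for the A records in the answer section."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    off += 4                                                  # qtype, qclass
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return txid, qname, answers


class Resolver:
    """strict=False is the flaw on the slide: any response that parses is cached.
    strict=True requires a matching transaction ID and question, and only caches records
    whose owner is the name that was asked about (a bailiwick check in miniature)."""

    def __init__(self, strict):
        self.strict, self.cache, self.pending = strict, {}, {}

    def send_query(self, qname, txid=None):
        txid = random.getrandbits(16) if txid is None else txid
        self.pending[txid] = qname
        return build_query(txid, qname)

    def receive(self, msg):
        txid, qname, answers = parse_response(msg)
        if self.strict:
            if self.pending.get(txid) != qname:
                return False                                  # unsolicited or mismatched
            answers = [(o, ip) for o, ip in answers if o == qname]
        self.pending.pop(txid, None)
        for owner, ip in answers:
            self.cache[owner] = ip
        return bool(answers)


def run_attack(strict, guessed_txid):
    """Victim queries www.xsecurity.com with txid 0x5BD2. The attacker, who cannot see
    the query, sends a forged response under `guessed_txid` pointing the name at his
    server (65.0.0.2) and smuggling in a record for mail.xsecurity.com as well."""
    r = Resolver(strict)
    r.send_query("www.xsecurity.com", txid=0x5BD2)
    forged = build_response(guessed_txid, "www.xsecurity.com",
                            [("www.xsecurity.com", "65.0.0.2"), ("mail.xsecurity.com", "65.0.0.2")])
    r.receive(forged)
    return dict(r.cache)
```

The naive resolver is poisoned for both names by a response whose transaction ID is wrong. The strict one drops that response, and even when the attacker guesses the ID correctly it keeps only the record for the name it asked about. A 16-bit ID is still guessable with enough forged responses, which is why real resolvers also randomise the source port and why DNSSEC exists.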
94. Interactive TCP Relay
Interactive TCP Relay operates as a simple TCP tunnel, listening on a specific port and forwarding all traffic to the remote host and port. The program can intercept and edit the traffic passing through it; the traffic can be edited with the built-in hex editor.
95. Interactive Replay Attacks
John sends a message to Dan. The attacker intercepts the message, changes the content, and sends it to Dan.
96. Raw Sniffing Tools
97. Raw Sniffing Tools
• Sniffit
• Snort
• Aldebaran
• Windump/tcpdump
• Hunt
• Etherpeek
• NGSSniff
• Mac Changer
• Ntop
• Iris
• pf
• NetIntercept
• IPTraf
• WinDNSSpoof
• Etherape
98. Features of Raw Sniffing Tools
• Data can be intercepted "off the wire" from a live network connection, or read from a captured file
• Capture files written by tcpdump can be read
• Command-line switches to the editcap program enable the editing or conversion of captured files
• A display filter enables refinement of the data
99. HTTP Sniffer: EffeTech
• An HTTP protocol packet sniffer and network analyzer
• It captures IP packets containing HTTP protocol traffic
• It parses and decodes the HTTP protocol, and generates a web traffic report for reference
• It enables on-the-fly content viewing while monitoring and analyzing
100. HTTP Sniffer: EffeTech
101. Ace Password Sniffer
Ace Password Sniffer can monitor and capture passwords sent through FTP, POP3, HTTP, SMTP, Telnet, and some web mail logins. It can listen on a LAN and capture the passwords of any network user. Ace Password Sniffer works passively and is hard to detect.
If the network is connected through a switch, the sniffer can be run on the gateway or proxy server, which sees all the network traffic.
102. Ace Password Sniffer: Screenshot
103. Win Sniffer
Win Sniffer allows network administrators to capture the passwords of any network user. Win Sniffer monitors incoming and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, SMTP, Telnet, IMAP, and NNTP usernames and passwords.
Administrators can assess the danger of clear-text passwords in the network and develop ways to improve security using Win Sniffer. It has integrated technology that reconstructs network traffic in a format that is simple to use and understand. It has one of the most intuitive packet filtering systems, allowing you to look only at the desired packets.
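Dsniff (slide 75), Ace Password Sniffer (slide 101) and Win Sniffer (slide 103) all do the same core job: pick the credentials out of clear-text application protocols. The Python script below is an added example of that extraction, written for this page rather than taken from any of those tools; it runs over already-reassembled client-to-server streams that are constructed here (the hosts, users and passwords are invented), covering FTP, POP3, HTTP Basic authentication and HTTP form logins, and shows that an SSH stream yields nothing. The list of form field names it looks for is an assumption.

```python
"""What a password sniffer (dsniff, Ace Password Sniffer, Win Sniffer) extracts from
clear-text protocols. Added example, not any of those tools' code: it works on
already-reassembled client->server byte streams, constructed below; TCP reassembly
(libnids' job in dsniff) is out of scope."""
import base64
import re
from urllib.parse import parse_qs


def creds_ftp_pop3(stream):
    """FTP and POP3 both send USER <name> then PASS <secret> as separate lines."""
    user, found = None, []
    for line in stream.decode("latin-1").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS" and user is not None:
            found.append((user, arg.strip()))
            user = None
    return found


def creds_http_basic(stream):
    """HTTP Basic auth: Authorization: Basic base64(user:password) on every request."""
    found = []
    for m in re.finditer(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", stream):
        try:
            user, _, pw = base64.b64decode(m.group(1), validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            continue
        found.append((user, pw))
    return found


def creds_http_form(stream, fields=("user", "username", "login"), secrets=("pass", "password", "passwd")):
    """POST form logins: the body of an application/x-www-form-urlencoded request.
    The field names are assumptions; dsniff keys on the same sort of common names."""
    found = []
    for m in re.finditer(rb"POST [^\r\n]+\r\n(?:[^\r\n]+\r\n)*\r\n([^\r\n]*)", stream):
        q = parse_qs(m.group(1).decode("latin-1"))
        u = next((q[k][0] for k in fields if k in q), None)
        p = next((q[k][0] for k in secrets if k in q), None)
        if u and p:
            found.append((u, p))
    return found


def sniff_credentials(conn):
    """conn: {'dport': int, 'payload': client->server bytes}. Dispatch on the server port,
    the way dsniff's services table does."""
    port, data = conn["dport"], conn["payload"]
    if port in (21, 110):
        return [("ftp" if port == 21 else "pop3", u, p) for u, p in creds_ftp_pop3(data)]
    if port in (80, 8080):
        return ([("http-basic", u, p) for u, p in creds_http_basic(data)]
                + [("http-form", u, p) for u, p in creds_http_form(data)])
    return []                                     # SSH, HTTPS, ...: encrypted, nothing to harvest


# Constructed streams, not real captures.
SAMPLE_CONNECTIONS = [
    {"dport": 21, "payload": b"USER rebecca\r\nPASS s3cret!\r\nSYST\r\n"},
    {"dport": 110, "payload": b"USER jessica\r\nPASS chess\r\nSTAT\r\n"},
    {"dport": 80, "payload": b"GET /admin HTTP/1.1\r\nHost: www.xsecurity.com\r\n"
                             b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"},
    {"dport": 80, "payload": b"POST /login HTTP/1.1\r\nHost: www.xsecurity.com\r\n"
                             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
                             b"username=rebecca&password=abc"},
    {"dport": 22, "payload": b"SSH-2.0-OpenSSH_5.1\r\n"},
]


def harvest(conns=SAMPLE_CONNECTIONS):
    """Every (protocol, user, password) triple a sniffer on the wire would have collected."""
    return [c for conn in conns for c in sniff_credentials(conn)]


if __name__ == "__main__":
    for proto, user, pw in harvest():
        print(f"{proto:10s} {user} / {pw}")
```

Base64 is an encoding, not encryption, which is why the HTTP Basic line falls out as easily as the FTP one. The only stream that yields nothing is the encrypted one, and that is the actual countermeasure: the sniffers on these slides are defeated by TLS (HTTPS, FTPS, POP3S) and SSH, not by anything done at the switch.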
  104. 104. Win Sniffer: Screenshot Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  105. 105. MSN Sniffer All intercepted MSN Sniffer messages can be Everything will It records MSN captures MSN saved as HTML be recorded conversations chat on a files for later without being automatically network k processing and i d detected d d analyzing Capturing Messages p g g Sniffer Chatting Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  106. 106. MSN Sniffer: Screenshot Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  107. 107. SmartSniff SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through your network adapter It is a valuable tool to check what packets your computer is sending to the outside world Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  108. 108. Session Capture Sniffer: NetWitness The patented technology recreates “sessions” and displays them on the screen The Law enforcement agencies in the U.S. like FBI use this tool US NetWitness audits and monitors all traffic on the network It evaluates activities into a format that like-minded network engineers and non-engineers can quickly understand It records all activities, and transforms the “take” into a dense transactional model describing the network application and content levels of those network, application, activities Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  109. 109. Session Capture Sniffer: NWreader FTP Sessions captured Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  110. 110. Packet Crafter Craft Custom TCP/IP Packets Copyright © by EC-CouncilEC-Council All Rights Reserved. Reproduction is Strictly Prohibited
111. SMAC SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays the network information of available network adapters on one screen. The built-in logging capability allows it to track MAC address modification activities.
112. NetSetMan Tool NetSetMan allows you to quickly switch between pre-configured network settings. It is ideal for ethical hackers who have to connect to different networks all the time and need to update their network settings each time. It allows you to create 6 profiles including IP address settings, Subnet Mask, Default Gateway, and DNS servers.
113. Ntop Ntop is a network traffic probe that shows the network usage. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status.
114. EtherApe EtherApe is a graphical network monitor for Unix. Featuring link layer, IP, and TCP modes, it displays the network activity graphically. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
115. EtherApe Features Network traffic is displayed graphically: the more talkative a node is, the bigger its representation. A user may select what level of the protocol stack to concentrate on, looking at the traffic within a network, end-to-end IP, or even port-to-port TCP. Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file. The data display can be refined using a network filter.
116. Network Probe The Network Probe network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network. All traffic is monitored in real time. All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces.
117. MaaTec Network Analyzer MaaTec Network Analyzer is a tool that is used for capturing, saving, and analyzing the network traffic. Features: • Real-time network traffic statistics • Scheduled network traffic reports • Online view of incoming packets • Multiple data color options
118. Tool: Snort There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze the network traffic for matches against a user-defined rule set.
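The rule-set matching of Snort's network intrusion detection mode, as an added example in Python that is not Snort's own code: a miniature matcher that parses rules written in Snort's rule syntax (action, protocol, addresses, ports, and the msg:/content: options) and runs them over packet records, producing Snort-style alert lines. The supported syntax subset, the addresses and the packet dictionaries are constructed for the example; real Snort also handles CIDR ranges, port ranges and many more options.

```python
# Added example, not Snort's own code: a miniature of Snort's network intrusion
# detection mode, matching packet records against rules in Snort's rule syntax.
import re
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')  # option:"value"; pairs inside ( )


def parse_rule(text: str) -> dict:
    """Parse one rule into its header fields plus the msg:/content: options it carries."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = dict(OPT_RE.findall(rule.pop("opts")))
    rule["msg"] = opts.get("msg", "")
    # content: is the payload substring the rule looks for; None means a header-only rule
    rule["content"] = opts["content"].encode() if "content" in opts else None
    return rule


def field_matches(pattern: str, value) -> bool:
    # 'any' is Snort's wildcard; this miniature otherwise needs an exact match (no CIDR/ranges)
    return pattern == "any" or pattern == str(value)


def rule_matches(rule: dict, pkt: dict) -> bool:
    return (rule["proto"] == pkt["proto"]
            and all(field_matches(rule[f], pkt[f]) for f in ("src", "sport", "dst", "dport"))
            and (rule["content"] is None or rule["content"] in pkt["payload"]))


def run_ids(rules: list, packets: list) -> list:
    """One alert line per (alert rule, packet) match, in Snort's '[**] msg [**]' style."""
    return [f'[**] {r["msg"]} [**] {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
            for p in packets for r in rules if r["action"] == "alert" and rule_matches(r, p)]


# User-defined rule set flagging cleartext HTTP basic auth and telnet, two kinds of traffic a
# sniffer reads in the clear. Rules, addresses and packets below are constructed samples.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"cleartext HTTP basic auth"; content:"Authorization: Basic";)',
    'alert tcp any any -> any 23 (msg:"telnet session";)',
)]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "10.0.0.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51235, "dst": "10.0.0.9", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.9", "dport": 23,
     "payload": b"\xff\xfd\x18"},
]
```

Calling `run_ids(RULES, PACKETS)` yields two alerts: the basic-auth request and the telnet session, while the plain GET on port 80 matches the header of the first rule but not its content: option and is left alone.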
119. Tool: WinDump WinDump is the port to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX.
120. Tool: EtherPeek An Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding, and displaying packet data, it finds protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, and unreachable devices.
121. NetIntercept A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and file names.
122. NetIntercept: Screenshot 1
123. NetIntercept: Screenshot 2
124. Colasoft EtherLook Colasoft EtherLook is a TCP/IP network monitoring tool for Windows-based platforms. It efficiently monitors the real-time traffic flowing around the local network and to/from the Internet. The Traffic Analysis module captures the network traffic in real time and displays the data received and sent by every host in the LAN in different views. Colasoft EtherLook has 3 advanced analysis modules: • Email Analysis Module: Captures email messages and restores their contents, including sender, recipient, subject, protocol, etc. • Web Analysis Module: Allows detailed tracking of web accesses from the network • Login Analysis Module: Analyzes all data logins within the network and records all the related data
125. Colasoft EtherLook: Screenshot 1
126. Colasoft EtherLook: Screenshot 2
127. AW Ports Traffic Analyzer Atelier Web Ports Traffic Analyzer is a network traffic sniffer and logger that allows you to monitor all Internet and network traffic on your PC and view the actual content of the packets. This includes all traffic initiated by software products, web sites, etc. The capability to audit what flows in and out of every piece of software is critical for security-aware users. Atelier Web Ports Traffic Analyzer provides real-time mapping of ports to processes (applications and services) and shows the history since boot time of every TCP, UDP, or RAW port opened through Winsock.
128. AW Ports Traffic Analyzer: Screenshot
129. Colasoft Capsa Network Analyzer Colasoft Capsa Network Analyzer is a TCP/IP network sniffer and analyzer that offers real-time monitoring and data analysis of the network traffic. It also offers Email Analysis, Web Analysis, and Transaction Analysis modules, which allow you to quickly view the email traffic. It also offers custom filtering options, data export, a customizable interface, and more.
130. Colasoft Capsa Network Analyzer: Screenshot
131. CommView CommView is a program for monitoring network activity, capable of capturing and analyzing packets on any Ethernet network. It gathers information about data flowing on a LAN and decodes the analyzed data. With CommView, you can view the list of network connections and vital IP statistics and examine individual packets. It decodes the IP packets down to the lowest layer with full analysis of the main IP protocols: TCP, UDP, and ICMP. It also provides full access to the raw data. It saves the captured packets to log files for future analysis.
132. CommView: Screenshot
133. Sniffem Sniffem is a Windows packet sniffer and network analyzer that captures, monitors, and decodes data traveling through the network, including Dialup or DSL uplinks. It features advanced hardware and software filtering options, TCP/IP traffic monitoring, as well as an IP address book that assigns aliases for frequently encountered IP addresses. Sniffem also comes with a built-in scheduler to enable capturing at user-defined intervals.
134. Sniffem: Screenshot
135. NetResident NetResident is a network traffic monitor that captures, stores, and analyzes all the packet traffic from selected protocols. It reconstructs each event and displays a preview of the web page, email message, or other communication that takes place, including transmitted (unencrypted) passwords. NetResident supports standard HTTP, FTP, and Mail protocols, as well as special protocols via plug-ins (ICQ, MSN, News). NetResident runs as a local service.
136. NetResident: Screenshot
137. IP Sniffer IP Sniffer is a protocol analyzer that uses XP/2K Raw Socket features. It supports filtering rules, adapter selection, packet decoding, advanced protocol description, and more. Detailed information about each packet is provided in a tree-style view, and the right-click menu allows you to resolve or scan the selected source IP address. Additional features include: • Adapter statistics • IP traffic monitoring • Traceroute • Ping • Port scanning • TCP/UDP/ICMP spoofing options • Open TCP/UDP ports attached to process • MAC address changing • DNS/WINS/SNMP/WHOIS/DHCP queries
138. IP Sniffer: Screenshot
139. Sniphere Sniphere is a WinPcap network sniffer that supports most common protocols. It can be used on Ethernet devices and supports PPPoE modems. Sniphere allows you to set filters based on IP, MAC address, ports, protocol, etc., and also decodes packets into an easy-to-understand format. In addition, session logs can be saved in XML format and selected packets copied to the clipboard. Sniphere supports most common protocols, including IP, TCP, UDP, and ICMP.
140. Sniphere: Screenshot
141. IE HTTP Analyzer IE HTTP Analyzer is an add-in for Internet Explorer that allows you to capture HTTP/HTTPS traffic in real time. It displays a wide range of information, including headers, content, cookies, query strings, POST data, and redirection URLs. It also provides cache information and session clearing, as well as HTTP status code information and several filtering options. It is a useful developer tool for performance analysis, debugging, and diagnostics. IE HTTP Analyzer integrates into the lower part of the IE browser window and can be opened/closed from the IE toolbar.
142. IE HTTP Analyzer: Screenshot