Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CNIT 124:
Advanced Ethical
Hacking
Ch 7: Capturing Traffic
Updated 10-5-17
Topics
• Switches, Hubs and Wireless networks
• Wireshark
– Promiscuous mode and Monitor mode
– Filters
– Following a Stre...
Switches, Hubs and Wireless
Networks
Hubs
• Operate at OSI layer 1
• Repeat every bit out all ports
– Except the receiving port
• Don't read addresses or any o...
Ethernet
• NIC reads Destination MAC address
• First 6 bytes of frame
Ethernet Promiscuous Mode
• If Destination MAC != NIC's hardware
address
– Packet is discarded
• Unless NIC is in "Promisc...
Wireless LANs
• No Encryption is just like Hubs
• WEP uses same key for every packet
• WPA generates a different key for e...
Encrypted WPA2 Traffic
Decrypted Traffic
Wireshark
Promiscuous Mode in Wireshark
• Edit, Preferences
• Click "Capture" on left side
• "Capture packets in promiscuous mode on...
Monitor Mode in Wireshark
• Edit, Preferences
• Click "Capture" on left side
• On the right side, on the "Interfaces" line...
Display Filters
• frame contains attack
• Expression... button
Following a Stream
Extracting Files
• File, Export Objects, HTTP
ARP Cache Poisoning
ARP Cache Poisoning
• Client tricked into sending packets to the
wrong MAC Address
• Attacker must be on target's LAN
DNS Cache Poisoning
DNS Cache Poisoning (Client)
• Attacker sends false DNS replies
• Target is tricked into storing the wrong IP
address for ...
DNS Cache Poisoning (Server)
• Attacker can poison remote, shared DNS
servers
– Like Comcast DNS servers
• Affects many us...
SSLstrip
sslstrip Proxy Changes HTTPS to
HTTP
Target

Using

Facebook
Attacker: 

sslstrip
Proxy

in the 

Middle
To
Internet
HTTP
...
Sslstrip Vulnerability
• If you go directly to an HTTPS URL, you
are not vulnerable
• But many sites use a 302 redirect fr...
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
Upcoming SlideShare
Loading in …5
×

CNIT 124: Ch 7: Capturing Traffic

310 views

Published on

Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 124: Ch 7: Capturing Traffic

  1. 1. CNIT 124: Advanced Ethical Hacking Ch 7: Capturing Traffic Updated 10-5-17
  2. 2. Topics • Switches, Hubs and Wireless networks • Wireshark – Promiscuous mode and Monitor mode – Filters – Following a Stream • ARP Cache Poisoning • DNS Cache Poisoning • SSLstrip
  3. 3. Switches, Hubs and Wireless Networks
  4. 4. Hubs • Operate at OSI layer 1 • Repeat every bit out all ports – Except the receiving port • Don't read addresses or any other content • Ethernet NICs were designed for hubs
  5. 5. Ethernet • NIC reads Destination MAC address • First 6 bytes of frame
  6. 6. Ethernet Promiscuous Mode • If Destination MAC != NIC's hardware address – Packet is discarded • Unless NIC is in "Promiscuous mode" – Every packet passed on to higher levels, regardless of MAC address • Also applies to outgoing traffic
  7. 7. Wireless LANs • No Encryption is just like Hubs • WEP uses same key for every packet • WPA generates a different key for each device – WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic.
  8. 8. Encrypted WPA2 Traffic
  9. 9. Decrypted Traffic
  10. 10. Wireshark
  11. 11. Promiscuous Mode in Wireshark • Edit, Preferences • Click "Capture" on left side • "Capture packets in promiscuous mode on all network cards" on right side
  12. 12. Monitor Mode in Wireshark • Edit, Preferences • Click "Capture" on left side • On the right side, on the "Interfaces" line, click Edit • Wireless adapter may show a "Monitor mode" option • Not all cards or drivers allow this
  13. 13. Display Filters • frame contains attack • Expression... button
  14. 14. Following a Stream
  15. 15. Extracting Files • File, Export Objects, HTTP
  16. 16. ARP Cache Poisoning
  17. 17. ARP Cache Poisoning • Client tricked into sending packets to the wrong MAC Address • Attacker must be on target's LAN
  18. 18. DNS Cache Poisoning
  19. 19. DNS Cache Poisoning (Client) • Attacker sends false DNS replies • Target is tricked into storing the wrong IP address for a domain name • Attacker is usually on the same LAN – May not always be required • DNSSEC might stop this someday – But not today
  20. 20. DNS Cache Poisoning (Server) • Attacker can poison remote, shared DNS servers – Like Comcast DNS servers • Affects many users • Dan Kaminsky figured this out • Patched in 2008 • DNSSEC will patch it more thoroughly
  21. 21. SSLstrip
  22. 22. sslstrip Proxy Changes HTTPS to HTTP Target
 Using
 Facebook Attacker: 
 sslstrip Proxy
 in the 
 Middle To Internet HTTP HTTPS
  23. 23. Sslstrip Vulnerability • If you go directly to an HTTPS URL, you are not vulnerable • But many sites use a 302 redirect from HTTP to HTTPS, rendering them vulnerable

×