This document discusses packet sniffing in switched local area networks. It begins by defining packet sniffing and describing the differences between switched and hubbed networks. It then outlines several packet sniffing attacks like ARP spoofing and switch port stealing. The document also proposes methods for detecting packet sniffing like ARP cache poisoning and preventing it through techniques such as port security, authentication, encryption and secured protocols. It concludes by emphasizing that switched networks are still vulnerable to sniffing and that while no solution is perfect, networks can be protected.

1. Packet Sniffing in
Switched Local Area
Networks
By Ishraq Fatafta

2. Agenda
O What is Packet sniffing
O Switched VS Hubed Networks
O Packet sniffing attacks
O Packet sniffing detection.
O Packet sniffing prevention.
O Conclusion.

3. Packet Sniffing
O Packet Sniffing is a technique used to
listen to the packets flow in the network.
O Packet sniffer (network analyzer) is a tool
(hardware or software) used to listen to
the packets flow in the network.

4. Packet Sniffer uses
O Network Engineers, System Administrators
and Security professionals
O Analyze network problems.
O Find traffic bottlenecks and troubleshoot
problems.
O Monitor network usage.
O Intruders
O Search for plain-text passwords and user
names.
O Hijacking sensitive information such as credit
card information and financial data.
O Analyzing network traffic.

5. Packet Sniffer components
O Hardware
O Usually a standard network adaptor.
O Capture drive
O This is the main part of a sniffer that captures the data, filters it
and stores it in the buffer.
O Buffer
O Used to store captured filtered data for later analysis.
O Real-time analysis
O This feature provide a little bit of analysis for faults and
performance issues as data captured from the wire.
O Decode
O Responsible for displaying the data with description for human
interpretation.
O Packet editing/transmission
O Used to modify packets and re-transmit them over the network.

6. Packet Sniffer components:
Hardware

7. Packet Sniffer components:
Software

8. Packet Sniffer components:
Software

9. Packet sniffing in non-
switched networks
O Called shared environment.
O Hosts are connected to a Hub.
O simply a repeater. It takes the signal
coming in on one of its ports, amplifies it,
and sends it back out on its other ports.
O Packets broadcasted to all hosts in the
network.

10. Cont. Packet sniffing in non-
switched networks

11. Cont. Packet sniffing in non-
switched networks
O Promiscuous mode or promisc mode is a
configuration of a network card that
makes the card pass all traffic it receives
to the central processing unit rather than
just frames addressed to it.

12. Packet sniffing in switched
networks
O Hosts are connected via Switch.
O Lockup table (ARP Cache, MAC table)
with the MAC address and IP address of
all hosts.
O Packets transmitted only to the
designated host.

13. Cont. Packet sniffing in
switched networks

14. ARP: Address Resolution
Protocol
O Computer networking protocol for
determining a network host's hardware
address (Link Layer) when only its
Internet Layer (IP)(Network Layer
address) is known.
O Request (“who-has”): specifies the IP
address of the host whose MAC address
we want to find out.
O Reply (“is-at”): the answer a host should
send specifying the MAC address
associated to that IP address.

15. Cont. ARP: Address Resolution
Protocol
ARP Cache
O Entries are either Static or Dynamic.
O Fixed size.
O Gratuitous ARP.
IP Address MAC Address Type
129.119.103.1 00-E0-2B-13-68-
00
Dynamic
129.119.103.2 ??-??-??-??-??-
??
Dynamic

16. Packet Sniffing Attacks
O ARP Spoofing and ARP Cache poisoning.
O MAC Flooding.
O MAC Duplicating.
O Switch Port Stealing.

17. Packet Sniffing Attacks:
ARP Spoofing
O Perform Man-In-the-Middle Attack
O ARP Cache poisoning
O Send forged ARP Gratuitous reply (A-MAC,
V-IP)
O Cache is stateless, update with forged
reply.
O Attacker receives traffic.
O Store for later analysis.
O IP Forwarding to the victim.

18. Cont. ARP Spoofing

19. Cont. ARP Spoofing
IP Address MAC Address
Host B IP address Host B MAC address
Host C IP address Host C MAC address
IP Address MAC Address
Host B IP address Host C MAC address
Host C IP address Host C MAC address
ARP cache after poisoning
ARP cache before poisoning

20. Packet Sniffing Attacks:
MAC Flooding
O Also called “switch jamming”.
O MAC table has fixed size.
O Attacker floods the switch with forged
MAC address requests.
O Switch enters Hub-liked mode.
O Forward traffic to all ports.
O Attacker sniffs the traffic.

21. Packet Sniffing Attacks:
MAC Duplicating (Cloning)
O Attacker updates its own MAC address
with the victim MAC address.
O Can be done using “ifconfig” in Linux.
O Switch forwards traffic to both hosts.
O No IP forwarding is used.

22. Packet Sniffing Attacks:
Switch Port Stealing
O Flood the switch with forged gratuitous
reply with (A-MAC, V-IP).
O All replies contains (A-MAC), traffic is
forwarded to the attacker only.
O Should be carried out very fast.

23. Packet Sniffing Detection
O Packet sniffing is a passive attack.
O Sometimes it generate additional traffic
specially when used with an active attack.
O Detection based on technique used:
O RARP.
O ARP Cache poisoning.
O Arpwatch
O Decoy method

24. Packet Sniffing Detection:
Reverse ARP (RARP)
O Used to detect MAC Duplicating.
O Send a Request for the IP address of a
known MAC address.
O Multiple replies means this machine is
sniffing the network.

25. Packet Sniffing Detection:
ARP Cache Poisoning
O Perform a counter attack on the sniffing
machine.
O Three phases:
O Poison the cache of each host in the
network with fake entries.
O Establish a TCP connection.
O Sniff the LAN to capture packets with fake
entries.

26. ARP Cache Poisoning:
Phase 1
O Send a forged gratuitous reply with fake
IP address and a valid MAC address to
bypass the software filter.
O Attacker’s host will update its own cache.
O What IP address to select as the fake one
to poison only the sniffer host?

27. Cont. ARP Cache Poisoning:
Phase 1: Software filtering
Hardware
Addresses
Windows9x
/ME
Windows2k
/NT
Linux
Norm Promis Norm Promis Norm Promis
FF:FF:FF:FF:FF:F
F
     
FF:FF:FF:FF:FF:F
E
-  -  - 
FF:FF:00:00:00:00 -  -  - 
FF:00:00:00:00:00 -  - - - 
01:00:00:00:00:00 - - - - - 
01:00:5E:00:00:00 - - - - - 
01:00:5E:00:00:01      

28. Cont. ARP Cache Poisoning:
Phase 2
O Broadcast a TCP packet with a fake
source address to the network.
O Non-sniffing machines will reply with ARP
request.
O Sniffing machines will reply with ICMP
error message or TCP connection can be
performed.

29. Cont. ARP Cache Poisoning:
Phase 3
O Use a sniffer to detect machines that
responded with a ICMP error or TCP
message.

30. Packet Sniffing Detection:
Arpwatch
O Tool that uses lipbcap to store a database
with (IP-MAC) pairs.
O Records every operation made on the
network and send it via Email.
O Software are not 100% accurate.

31. Packet Sniffing Detection:
Decoy Method
O Administrator establishes a connection
between a host and virtual server.
O Uses a plain-text UserName and
Password.
O Intrusion detection system activated once
credentials used.

32. Packet Sniffing Prevention
“Prevention is better than
cure”

33. Packet Sniffing Prevention
O Port Security and Static ARP entries.
O Authentication techniques.
O Secured protocols.
O Encryption.

34. Packet Sniffing Prevention:
Port Security and Static ARP entries
O Port Security on Switch
O Once IP-MAC is set, it can’t be changed.
O Only Administrator can change them.
O Static ARP entries
O Not timed out.
O Not replaced by forged ARP replies.
O Constraint to the size of the network.
O Overhead to maintain cache and keep it
up-to-date.

35. Packet Sniffing Prevention:
Authentication
O Kerbros
O Credentials no stored on the server.
O Not transmitted over the network.
O One time passwords
O Used only once.
O Authentication service that only protect
credentials and not other types of traffic.
O Prone to passwords guessing attacks.

36. Packet Sniffing Prevention:
Secured Protocols
O Never send data in plain-text
O SSH for telnet.
O SFTP for FTP.
O VPN for cleat text traffic.
O Virtual private networks (VPN)
O All traffic is encrypted.
O Additional overhead.
O Can be sniffed if exposed to Trojans

37. Packet Sniffing Prevention:
Encryption
O Only the payloads are scrambled,
ensuring that packets reach the correct
destinations.
O Attacker can see where traffic was
headed and where it came from, but not
what it carries.
O Additional overhead.
O Use of strong encryption techniques.
O layer three encryption technologies such
as IPSec

38. Packet Sniffing Prevention:
Before Encryption

39. Packet Sniffing Prevention:
After Encryption

40. Conclusion
O Switched Networks are vulnerable to
various security attacks, Sniffing is one of
them.
O Sniffing is a passive attack that we need
to be aware of in order to protect against
it.
O Replacing Hubs with Switches doesn’t
mean we are prone against sniffing.
O Lack of optimal solution to protect our
networks doesn’t mean we can’t protect
them.