Sniffing - PowerPoint PPT Presentation

Provided by: cseCu

1
Sniffing
2
Introduction
  • Sniffing is passively eavesdropping on network
    traffic.
  • A way for hackers to gain information carried on
    the network, e.g.
  • Usernames
  • Passwords
  • Can also be used as an investigative technique.

3
LAN Structure
  • Computers and network devices such as printers
    are interconnected by a shared transmission
    medium.
  • Cabling system
  • Twisted-pair cable
  • Coaxial cable
  • Optical fiber

4
Figure 6.10: Network interface card, panels (a) and
(b), showing the Ethernet processor and the ROM that
holds the physical address.
5
  • Computers and network devices are connected to the
    cabling system through a network interface card
    (NIC).
  • Each NIC is assigned a unique 48-bit physical
    (MAC) address burned into its ROM.
  • The first three bytes identify the card vendor
    (the OUI); the remaining three bytes are a number
    unique within that vendor.

6
  • The NIC contains hardware that allows it to
    recognize
  • its own physical address,
  • the broadcast address, and
  • multicast addresses that direct frames to groups
    of stations.
  • It can be set to run in promiscuous mode, where it
    accepts every transmission on the medium.
  • Used by system administrators to troubleshoot the
    network.
  • Used by hackers to intercept unencrypted
    passwords and other information.

7
LAN Topology
8
(figure only, no transcript)
9
Figure 6.55: Bus topology, panels (a) and (b);
stations attach to the shared cable through
transceivers.
10
  • 10BaseT (an example of star topology)
  • Uses two unshielded twisted pairs of copper wire
    operating at 10 Mbps.
  • The advantage of twisted pair is its low cost and
    its prevalence in existing office wiring (for
    telephone).
  • Each station is connected to a hub.
  • Star topology.
  • Uses the CSMA/CD protocol.
  • The star topology of 10BaseT allows three
    approaches to operating the LAN.

11
  • First approach
  • The hub monitors all transmissions from the
    stations.
  • When there is only one transmission, the hub
    repeats the transmission on the other lines.
  • If there is a collision, the hub sends a jamming
    signal to all the stations.
  • This action causes the stations to implement the
    backoff algorithm.
  • The stations are said to be in the same collision
    domain.

12
  • Second approach
  • Operate the hub as an Ethernet switch.
  • Each input port buffers incoming transmissions.
  • The incoming frames are examined and transferred
    to the appropriate outgoing ports.
  • Each incoming line is in its own collision
    domain, so collisions will not occur if only a
    single station is attached to a line.
  • It is possible to have several stations share an
    input line using another hub.

13
  • Third approach
  • Stations transmit in full-duplex mode.
  • Each port in the switch has only a single station
    attached to it.
  • Introducing a dedicated transmission line for
    each direction enables transmissions to take
    place in both directions simultaneously without
    collisions.
  • The stations can continue to operate the CSMA-CD
    algorithm, but they will never encounter
    collisions.

14
Figure 6.56: Star topology. (a) Hub: all stations in
a single collision domain. (b) Switch: ports joined
by a high-speed backplane or interconnection fabric.
15
How do sniffers work?
  • A packet sniffer is a program that eavesdrops on
    the network traffic.
  • It captures data as it passes across the network.
  • Normal Condition
  • Data is placed in frames for the local area
    network.
  • Each frame is addressed to a particular MAC
    (media access control) address.

16
  • Each network interface card (NIC) and network
    device has a unique MAC address.
  • The burned-in address cannot be changed, but most
    operating systems allow the address in use to be
    overridden in software.
  • Normally the NIC passes up only frames addressed
    to its own MAC address (plus broadcast and
    subscribed multicast frames); all other frames
    are ignored.
  • Promiscuous mode
  • When the NIC is in promiscuous mode, it passes the
    data from every frame to the protocol stack
    regardless of the destination MAC address.

17
Layering of a captured frame (outermost first):
  • Ethernet header: source and destination physical
    (MAC) addresses, network protocol type; the frame
    ends with the Frame Check Sequence.
  • IP header: source and destination IP addresses,
    transport protocol type.
  • TCP header: source and destination port numbers.
18
Writing a Simple Sniffer
  • socket()
  • bind()
  • Promiscuous mode (ioctl)
  • recvfrom()
19
Socket calls for connection-oriented
communication (Just to refresh your memory)
20
Server                        Client
socket()                      socket()
bind()                        bind()
recvfrom()                    sendto()
  blocks until data   <-----    data
  arrives from client
sendto()              ----->  recvfrom()
  data                          receives data from server
close()                       close()

Socket calls for connectionless communication (just
to refresh your memory)
21
  • int socket(int family, int type, int protocol)
  • Creates an endpoint for communication.
  • family identifies the address or protocol family.
  • We are only concerned with AF_INET (and, for raw
    Ethernet capture on current Linux, AF_PACKET).
  • type identifies the semantics of communication.
  • SOCK_STREAM
  • A sequence of bytes; does not preserve message
    boundaries.
  • SOCK_DGRAM
  • Blocks of bytes called datagrams.

22
  • SOCK_RAW
  • Direct access to the network layer (requires
    superuser).
  • SOCK_PACKET
  • Receives whole Ethernet frames (Linux; now
    obsolete, replaced by AF_PACKET with SOCK_RAW).
  • protocol identifies the protocol (0 = default).
  • SOCK_STREAM, AF_INET (TCP)
  • SOCK_DGRAM, AF_INET (UDP)
  • htons(ETH_P_ALL) on a packet socket
  • Receives every Ethernet frame regardless of its
    protocol type.

23
  • int bind(int sd, const struct sockaddr *name,
    socklen_t namelen)
  • Assigns an address to the socket.
  • sd is the socket descriptor returned by the
    socket call.
  • name is a pointer to an address structure.
  • namelen is the size of the address structure.
  • Note: for a TCP or UDP connection, a sockaddr_in
    structure is usually used to assign the values;
    sockaddr is just for casting.

24
  • struct sockaddr {
        sa_family_t sa_family;   /* address family */
        char        sa_data[14]; /* up to 14 bytes of
                                    direct address */
    };
  • sa_family = AF_INET
  • sa_data = name of the interface (e.g. "eth0")
  • In our sniffer, sockaddr is used to assign the
    value. (With a modern AF_PACKET socket, struct
    sockaddr_ll carrying the interface index is used
    instead.)

25
  • ioctl operation
  • Has traditionally been the system interface for
    device-specific control requests.
  • Used in network programming for
  • obtaining interface information,
  • setting the interface configuration,
  • accessing the routing table, and
  • accessing the ARP cache.
  • Here we use it to set the network interface to
    promiscuous mode.

26
  • int ioctl(int fd, unsigned long request,
    ... /* void *arg */)
  • fd: the socket descriptor (sockfd)
  • request: type of the request
  • SIOCGIFFLAGS
  • Returns the interface flags in the ifr_flags
    member.
  • SIOCSIFFLAGS
  • Sets the interface flags from the ifr_flags
    member (OR in IFF_PROMISC first).
  • arg: address of a struct ifreq record.

27
  • recvfrom(sockfd, buf, sizeof(buf), 0, NULL, NULL)
  • Gets the next available packet.
  • Here is the code for a simple sniffer
  • (from Chapter 9 of Hack Proofing Your Network)

28
  • The sniffer can then examine the data and pick
    off interesting information.
  • Header information.
  • Usernames and passwords.
  • Application protocols of interest to hackers
    (credentials cross the wire in clear text):
  • telnet (port 23)
  • ftp (port 21)
  • POP (port 110)
  • IMAP (port 143)
  • NNTP (port 119)
  • rexec (port 512)

29
  • rlogin (port 513)
  • X11 (port 6000)
  • Magic cookie (the X11 authentication cookie)
  • NFS file handles
  • Windows NT authentication
  • SMTP (port 25)
  • HTTP (port 80)
  • It can also watch TCP, IP, UDP, ICMP, ARP and RARP.

30
What can a sniffer do?
  • Determine the local gateway of an unknown network
    via passive sniffing.
  • Act as a simple password sniffer.
  • Parse each application protocol and save the
    interesting information.
  • Output all requested URLs sniffed from HTTP
    traffic and analyze them offline.
  • Send URLs sniffed from a client to your local
    Netscape browser for display.

31
  • Intercept packets from a target host by forging
    ARP replies.
  • Flood the local network with random MAC addresses,
    causing some switches to fail open into repeating
    (hub-like) mode.

32
Detection of Quiet Sniffers
  • Properties
  • Collects data only.
  • Does not respond to any of the information it
    sees.
  • Does not generate its own traffic.
  • Requires physical checking of
  • the Ethernet connections, and
  • the configuration of the network card, e.g.
    ifconfig -a (look for the PROMISC flag; on
    current Linux, ip link show).

33
Detection of Malicious sniffer
  • DNS Test
  • Create numerous fake TCP connections to
    nonexistent hosts.
  • Expect a poorly written sniffer to pick up on
    those connections and resolve the IP addresses of
    the nonexistent hosts.
  • When a reverse DNS lookup occurs, the sniffer
    detection tool sniffs the lookup request to see
    if the target is the nonexistent host.

34
  • Ping Test
  • Construct an ICMP echo request.
  • Set the destination IP address to that of the
    suspected host.
  • Deliberately choose a mismatched destination MAC
    address.
  • Most systems will ignore this packet since its
    hardware address is wrong.
  • On some systems, if the NIC is in promiscuous
    mode, the packet is passed up as if it were
    legitimate and the host responds accordingly.
  • If the suspected host replies to our request, we
    know that it is in promiscuous mode.
  • Clever attackers are of course aware of this and
    update their sniffers to filter out such packets.

35
  • ICMP Ping Latency Test
  • Ping the suspected host and take the round trip
    time.
  • Create a lot of fake TCP connections.
  • We expect the sniffer to be processing those
    packets and the latency will increase.
  • Ping the suspected host again to see if the round
    trip time is increased.

36
  • ARP Test
  • Send an ARP request for the suspect host's IP
    address with all valid information except a
    bogus destination MAC address.
  • A machine that is not in promiscuous mode would
    never see the packet: its NIC filters the frame
    out in hardware.
  • If the machine is in promiscuous mode, the ARP
    request is passed up, the kernel processes it
    and replies.

37
Sniffer Countermeasures
  • The best countermeasure against a sniffer is not
    to let the hacker gain access to your systems in
    the first place.
  • Use switches instead of hubs.
  • With a hub, all traffic is delivered to every
    system on the LAN.
  • In a switched environment, frames are delivered
    only to the port where the destination MAC
    address actually resides.

38
Hub
  • T1, MAC address aaaaaaaaaaaa: accepts the frame
  • T2, MAC address bbbbbbbbbbbb: ignores the frame
  • T3, MAC address cccccccccccc: no frame received
39
Hub
  • T1, MAC address aaaaaaaaaaaa: accepts the frame
  • Hacker, MAC address bbbbbbbbbbbb: when the NIC is
    run in promiscuous mode, the frame is accepted
  • T3, MAC address cccccccccccc: no frame received
40
Switch
  • T1, MAC address aaaaaaaaaaaa: accepts the frame
  • Hacker, MAC address bbbbbbbbbbbb: no frame is
    received
  • T3, MAC address cccccccccccc: no frame is received
41
  • However, some newer sniffers have the capability
    to sniff on switched networks.
  • The best way to avoid damage by sniffers is not
    to pass usernames and passwords over the network
    in clear text.
  • Encryption is the key idea.
  • Use SSH instead of telnet.
  • Use HTTPS instead of HTTP.
  • Use SCP or SFTP for file transfer.

42
Advanced Sniffing Techniques
  • Is a switch really safe?
  • Switches keep an internal table of the MAC
    addresses of the hosts seen on each port.
  • Traffic is forwarded to a port only if the
    destination host is recorded as being present on
    that port.
  • Attackers have created new methods to get around
    these technology advancements.

43
  • ARP Spoofing
  • It is possible to overwrite entries in the ARP
    cache on many operating systems.
  • The attacker associates their own MAC address
    with the default gateway's IP address in the
    target's ARP cache.
  • This causes all outgoing traffic from the target
    host to be transmitted to the hacker's host.
  • The hacker plants the entry by forging ARP
    replies.
  • The dsniff sniffer by Dug Song includes a program
    named arpredirect (renamed arpspoof in later
    releases) for exactly this purpose.

44
  • ARP Flooding (MAC flooding)
  • A switch must keep a table of all MAC addresses
    that appear on each port.
  • If a very large number of addresses appear on a
    single port, the table fills up and some switches
    fall back to sending all traffic out every port,
    like a hub.
  • The dsniff sniffer includes a program named macof
    that facilitates flooding a switch with random
    MAC addresses.

45
  • Routing Games
  • Change the routing table of the host you wish to
    monitor so that its traffic passes through your
    host.
  • Send a fake route advertisement message via the
    Routing Information Protocol (RIP), declaring
    yourself as the default gateway.
  • Enable IP forwarding on your host, with its own
    default gateway set to the real network gateway.
  • All outbound traffic from the target host will
    pass through your host and on to the real
    network gateway.
  • Return traffic cannot be captured this way: the
    real gateway delivers replies straight to the
    target.

46
Some common sniffers
  • Tcpdump
  • http://www.tcpdump.org
  • Hunt
  • http://www.cri.cz/kra/index.html
  • Linux-Sniff
  • http://packetstorm.securify.com
  • Sniffit
  • http://rpmfind.net/linux/RPM/freshmeat/sniffit/index.html

47
  • Ethereal
  • http://ethereal.zing.org
  • Snort
  • http://www.snort.org
  • Karpski
  • http://mojo.calyx.net/btx/karpski.html
  • Gnusniff
  • http://www.ozemail.com.au/peterhawkins/gnusniff.html
  • Dsniff
  • http://www.monkey.org/dugsong

48
Reference
  • Kevin L. Poulsen, Hack Proofing Your Network:
    Internet Tradecraft, Chapter 9, pp. 260-284.