Ethical Hacking: Sniffing Concepts and Attacks

Introduction to Sniffing Concepts

  • Definition of Sniffing: Sniffing is the process of monitoring and capturing all data packets passing through a given network using specific sniffing tools. It is effectively a form of wiretap applied to computer networks.

  • Network Vulnerability: Many enterprises leave switch ports open, allowing anyone in the same physical location to connect an Ethernet cable to the network.

  • Mechanism of a Sniffer:

    • Promiscuous Mode: A sniffer turns the Network Interface Card (NIC) of a system into promiscuous mode. This allows the NIC to listen to all data transmitted on its network segment, regardless of its destination.

    • Decoding Information: The sniffer continuously monitors the traffic on its segment and decodes the information encapsulated within the captured data packets.

  • Types of Sniffing:

    • Passive Sniffing: This involves sniffing through a hub where traffic is sent to all ports. The attacker only monitors packets sent by others without injecting additional packets. Note that hub usage is largely outdated as modern networks use switches.

    • Active Sniffing: This is used to sniff switch-based networks. It involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table.

  • Active Sniffing Techniques: These include MAC Flooding, DNS Poisoning, ARP Poisoning, DHCP Attacks, Switch Port Stealing, and Spoofing Attacks.

Vulnerable Protocols and Hacking Methodology

  • Protocols Vulnerable to Sniffing: The following protocols are vulnerable because they send data in clear text:

    • HTTP: Data and credentials sent in clear text.

    • Telnet and Rlogin: Captures keystrokes, including usernames and passwords.

    • POP (Post Office Protocol): Passwords and emails sent in clear text.

    • IMAP (Internet Message Access Protocol): Passwords and data sent in clear text.

    • SMTP and NNTP: Passwords and data sent in clear text.

    • FTP (File Transfer Protocol): Passwords and data sent in clear text.

  • Typical Attacker Workflow:

    1. The attacker connects their laptop to an available switch port.

    2. They run discovery tools to learn the network topology.

    3. They identify the victim machine to target.

    4. The attacker poisons the victim machine using ARP spoofing techniques.

    5. Traffic destined for the victim is redirected to the attacker.

    6. The hacker extracts passwords and sensitive data from the redirected traffic.

Layer Interaction and Protocol Analyzers

  • OSI Model Layer: Sniffers operate at the Data Link layer (Layer 2) of the OSI model.

  • Layer Independence: OSI layers operate independently. If a sniffer captures data at the Data Link layer, higher layers (such as the Application or Transport layers) will not be aware of the interception.

  • Hardware Protocol Analyzer: This is a specialized piece of equipment (e.g., the Agilent Advisor J2300E) that captures signals without altering the traffic in a cable segment.

    • It monitors network usage and identifies malicious traffic from hacking software.

    • It captures, decodes, and analyzes packet content according to predetermined rules.

    • It allows an attacker to see individual data bytes of every packet.

  • SPAN Port (Port Mirroring): Switch Port Analyzer (SPAN) ports allow copying of traffic from one port to another for monitoring.

MAC Attacks and CAM Table Operations

  • MAC Address Specifics: A MAC address consists of 48 bits, which is equivalent to 6 bytes (Note: the transcript mentions 4 bytes, but the standard is 6).

  • CAM Table (Content Addressable Memory):

    • Switches have a fixed-size dynamic CAM table.

    • The CAM table stores MAC addresses available on physical ports along with their associated Virtual Local Area Network (VLAN) parameters.

  • CAM Table Saturation: When the CAM table becomes full, additional ARP requests flood every port.

    • The switch resets its learning mode to broadcasting on every port, essentially acting as a hub.

    • This attack can fill the CAM tables of adjacent switches as well.

  • MAC Flooding: This attack involves flooding the CAM table with fake MAC address and IP address pairs until it is full, allowing attackers to sniff broadcasted traffic.

  • Switch Port Stealing:

    • An attacker floods the switch with forged ARP packets where the target MAC is the source and the attacker's MAC is the destination.

    • A race condition occurs between the attacker's packets and the target host's packets.

    • The switch constantly changes the MAC address binding between the ports.

    • If the attacker is fast enough, traffic for the target host is directed to the attacker's port.

    • The attacker then sends an ARP request to the stolen port to find the target's IP; once an ARP reply is received, the target's binding is restored, and the attacker can sniff the traffic.

  • Defense Against MAC Attacks: Implement Port Security on switches to restrict inbound traffic to a specific set of MAC addresses and limit the number of MAC addresses per port.
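The CAM table behaviour described above (saturation, fallback to hub-style flooding, a MAC binding moving between ports) and the port-security defence can be seen end to end in a small simulation. The following is an added example, not code from the original notes or from any switch vendor: a toy switch with a fixed-size table, an optional per-port MAC limit with a shutdown violation mode, and an aging step. Every MAC, port number and table size is constructed for the simulation.

```python
"""Added example (not from the original notes): a toy switch CAM table that
shows why MAC flooding degrades a switch into a hub, why port stealing works on
an unsecured switch, and how a per-port MAC limit (port security) contains both.
All MACs, ports and sizes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VICTIM, GATEWAY = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # constructed hosts


@dataclass
class Switch:
    ports: int
    cam_size: int                              # fixed-size CAM table, as in hardware
    max_macs_per_port: Optional[int] = None    # None = port security disabled
    cam: Dict[str, int] = field(default_factory=dict)        # MAC -> port
    shutdown: Set[int] = field(default_factory=set)
    violations: Dict[int, int] = field(default_factory=dict)

    def _violation(self, port: int) -> bool:
        self.violations[port] = self.violations.get(port, 0) + 1
        self.shutdown.add(port)        # "shutdown" violation mode: err-disable the port
        return False

    def learn(self, src_mac: str, port: int) -> bool:
        """Learn the frame's source MAC on `port`; False means the frame was dropped."""
        if port in self.shutdown:
            return False
        secured = self.max_macs_per_port is not None
        if src_mac in self.cam:
            if self.cam[src_mac] == port:
                return True
            if secured:                # a secured MAC appearing on another port
                return self._violation(port)
            self.cam[src_mac] = port   # unsecured switch: the binding simply moves (port stealing)
            return True
        on_port = sum(1 for p in self.cam.values() if p == port)
        if secured and on_port >= self.max_macs_per_port:
            return self._violation(port)
        if len(self.cam) >= self.cam_size:
            return False               # table full: nothing new can be learned
        self.cam[src_mac] = port
        return True

    def age_out(self, mac: str) -> None:
        """The aging timer expires an entry; an attacker's entries keep getting refreshed."""
        self.cam.pop(mac, None)

    def forward_ports(self, dst_mac: str, in_port: int) -> Set[int]:
        """Known unicast goes to one port; an unknown destination is flooded like a hub."""
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return {p for p in range(1, self.ports + 1) if p != in_port and p not in self.shutdown}


def mac_flood(sw: Switch, attack_port: int, start: int, count: int) -> int:
    """Frames with `count` distinct bogus source MACs on one port; returns how many were learned."""
    return sum(sw.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", attack_port)
               for i in range(start, start + count))


def flood_scenario(port_security: bool) -> dict:
    sw = Switch(ports=4, cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.learn(VICTIM, 1)
    sw.learn(GATEWAY, 2)
    learned = mac_flood(sw, 3, start=0, count=50)       # attacker on port 3 fills the table
    sw.age_out(GATEWAY)                                  # gateway entry ages out
    learned += mac_flood(sw, 3, start=50, count=50)      # attacker keeps the table full
    relearned = sw.learn(GATEWAY, 2)                     # gateway talks again: can it be re-learned?
    victim_to_gw = sw.forward_ports(GATEWAY, in_port=1)
    return {"bogus_learned": learned, "gateway_relearned": relearned,
            "attacker_sees_traffic": 3 in victim_to_gw, "port3_shutdown": 3 in sw.shutdown}


def steal_scenario(port_security: bool) -> bool:
    """A frame sourced from the victim's MAC arrives on port 3; True if the binding moved there."""
    sw = Switch(ports=4, cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.learn(VICTIM, 1)
    sw.learn(VICTIM, 3)
    return sw.cam.get(VICTIM) == 3


if __name__ == "__main__":
    for ps in (False, True):
        print("port security:", ps, flood_scenario(ps), "binding stolen:", steal_scenario(ps))
```

Without port security the gateway's entry cannot be re-learned once the table is full, so the victim's traffic to the gateway is flooded out every port, including the attacker's; with a limit of one MAC per port the second bogus address is a violation, the port is err-disabled, and the gateway is re-learned normally.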

DHCP Attacks and Mechanisms

  • DHCP Operation (DORA/Relay Process):

    1. Client Broadcast: Client sends a DHCPDISCOVER/SOLICIT request.

    2. Relay Agent: Captures the request and unicasts it to the DHCP servers.

    3. Server Offer: DHCP server unicasts DHCPOFFER/ADVERTISE (contains client and server MACs).

    4. Relay Agent Broadcast: DHCPOFFER is broadcasted in the client's subnet.

    5. Client Request: Client broadcasts a DHCPREQUEST/REQUEST.

    6. Server Acknowledgment: DHCP server sends a unicast DHCPACK/REPLY with IP configuration.

  • DHCP Starvation Attack: A Denial-of-Service (DoS) attack where an attacker broadcasts forged DHCP requests to lease all available IP addresses in the DHCP scope. This prevents legitimate users from obtaining an IP.

    • Tools: Dhcpstarv, Yersinia.

  • Rogue DHCP Server Attack: An attacker sets up a fake DHCP server that provides bogus IP addresses, resulting in compromised network access.

  • Defenses:

    • Enable Port Security to limit MAC addresses on edge ports.

    • Enable DHCP Snooping, which ensures the switch only accepts DHCP transactions from trusted ports.

ARP Poisoning and Spoofing

  • Address Resolution Protocol (ARP): Resolves IP addresses to MAC addresses.

    • If a MAC is not found in the local ARP table, an ARP_REQUEST is broadcasted.

    • The corresponding machine sends an ARP_REPLY.

  • ARP Spoofing Attack: Constructs large numbers of forged ARP request/reply packets to overload a switch.

    • Attackers flood the ARP cache of a target with forged entries (Poisoning).

    • This can divert communications between two machines through the attacker's PC.

  • Threats: Packet sniffing, VoIP tapping, Session hijacking, Data interception/manipulation, Stealing passwords, Man-in-the-Middle (MITM) attacks, Connection resetting.

  • Tools: Cain & Abel, WinArpAttacker, Ufasoft Snif.

  • Defenses:

    • Implement Dynamic ARP Inspection (DAI) using the DHCP Snooping binding table.

    • Use detection tools like XArp.
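The DHCP defences above (DHCP Snooping against rogue servers and starvation) and the ARP defence (Dynamic ARP Inspection using the snooping binding table) are two halves of one mechanism, so the following added example models them together. It is not code from the original notes or from any vendor's implementation: a toy switch that accepts DHCP server messages only on trusted ports, rate-limits DISCOVERs per port, checks that the DHCP client hardware address matches the frame source, records bindings from DHCPACKs, and validates ARP on untrusted ports against those bindings. All ports, MACs and addresses are constructed.

```python
"""Added example (not from the original notes): DHCP snooping and Dynamic ARP
Inspection in one toy switch, since DAI validates ARP packets against the
binding table that snooping builds. Every port, MAC and IP is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

GW_MAC, CLIENT_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"


@dataclass
class Packet:
    port: int
    src_mac: str     # Ethernet source of the frame
    kind: str        # DHCPDISCOVER / DHCPOFFER / DHCPACK / ARP_REQUEST / ARP_REPLY
    ip: str = ""     # DHCP: offered or acknowledged address; ARP: sender protocol address
    mac: str = ""    # DHCP: client hardware address (chaddr); ARP: sender hardware address


class SnoopingSwitch:
    SERVER_MSGS = {"DHCPOFFER", "DHCPACK"}

    def __init__(self, trusted_ports, discover_limit: int,
                 static_bindings: Optional[Dict[str, str]] = None):
        self.trusted = set(trusted_ports)            # uplinks towards the real DHCP server
        self.discover_limit = discover_limit         # max DISCOVERs per port per interval
        self.discovers: Dict[int, int] = {}
        self.bindings: Dict[str, str] = dict(static_bindings or {})   # IP -> MAC
        self.log: List[str] = []

    def _drop(self, p: Packet, why: str) -> bool:
        self.log.append(f"drop {p.kind} on port {p.port}: {why}")
        return False

    def dhcp(self, p: Packet) -> bool:
        if p.kind in self.SERVER_MSGS:
            if p.port not in self.trusted:
                return self._drop(p, "DHCP server message on untrusted port (rogue server)")
            if p.kind == "DHCPACK":
                self.bindings[p.ip] = p.mac          # lease confirmed: record the binding
            return True
        if p.kind == "DHCPDISCOVER":
            if p.mac != p.src_mac:
                return self._drop(p, "chaddr does not match frame source MAC")
            self.discovers[p.port] = self.discovers.get(p.port, 0) + 1
            if self.discovers[p.port] > self.discover_limit:
                return self._drop(p, "DISCOVER rate limit exceeded (starvation)")
        return True

    def arp(self, p: Packet) -> bool:
        if p.port in self.trusted:
            return True                               # DAI inspects untrusted ports only
        bound = self.bindings.get(p.ip)
        if bound != p.mac:
            return self._drop(p, f"{p.ip} is bound to {bound}, not {p.mac}")
        return True

    def handle(self, p: Packet) -> bool:
        return self.arp(p) if p.kind.startswith("ARP") else self.dhcp(p)


def run_scenario():
    """Constructed traffic mix: a real lease, a rogue OFFER, good and spoofed ARP, a DISCOVER burst."""
    sw = SnoopingSwitch(trusted_ports=[24], discover_limit=5,
                        static_bindings={"10.0.0.1": GW_MAC})   # gateway has a fixed address
    traffic = [
        Packet(5, CLIENT_MAC, "DHCPDISCOVER", mac=CLIENT_MAC),
        Packet(24, GW_MAC, "DHCPOFFER", ip="10.0.0.50", mac=CLIENT_MAC),
        Packet(24, GW_MAC, "DHCPACK", ip="10.0.0.50", mac=CLIENT_MAC),        # real lease
        Packet(7, ATTACKER_MAC, "DHCPOFFER", ip="10.0.0.99", mac=CLIENT_MAC),  # rogue server on an access port
        Packet(5, CLIENT_MAC, "ARP_REPLY", ip="10.0.0.50", mac=CLIENT_MAC),    # matches the binding
        Packet(7, ATTACKER_MAC, "ARP_REPLY", ip="10.0.0.1", mac=ATTACKER_MAC), # claims the gateway IP
        Packet(7, ATTACKER_MAC, "ARP_REPLY", ip="10.0.0.50", mac=ATTACKER_MAC),  # claims the client IP
    ]
    # burst of DISCOVERs with different source MACs from one port (starvation pattern)
    traffic += [Packet(7, m, "DHCPDISCOVER", mac=m)
                for m in (f"02:00:00:00:00:{i:02x}" for i in range(8))]
    results = [sw.handle(p) for p in traffic]
    return results, sw.log, dict(sw.bindings)


if __name__ == "__main__":
    verdicts, log, bindings = run_scenario()
    print(verdicts, bindings, *log, sep="\n")
```

The rogue OFFER and both spoofed ARP replies are dropped with a logged reason, the DISCOVER burst is cut off at the configured limit, and the binding table ends up holding only the static gateway entry and the lease the trusted server actually acknowledged.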

MAC Spoofing and DNS Poisoning

  • MAC Spoofing/Duplicating: Intercepting and using a legitimate user's MAC address to take over their identity on the network.

    • Tool: SMAC.

    • Defenses: Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard.

  • DNS Poisoning: Tricking a DNS server into believing it has received authentic information, substituting false IP addresses for domain names.

    • Intranet DNS Spoofing: Occurs on the LAN; works well against switches using ARP poisoning on the router.

    • Internet DNS Spoofing: An attacker infects a victim with a Trojan to change their machine's DNS server IP address to the attacker's server.

    • Proxy Server DNS Poisoning: A Trojan changes proxy settings in Internet Explorer to redirect to a fake website.

    • DNS Cache Poisoning: Adding forged records into the DNS resolver cache. If the resolver cannot validate the source, it serves the incorrect entries to users.

  • Defenses Against DNS Spoofing:

    • Resolve all queries to a local DNS server and block requests to external servers.

    • Configure firewalls to restrict external lookups.

    • Use a new random source port for each outgoing query.

    • Restrict DNS recursive services to authorized users.

    • Use DNS Non-Existent Domain (NXDOMAIN) Rate Limiting.

    • Deploy Intrusion Detection Systems (IDS) and secure internal machines.

    • Implement DNSSEC (Domain Name System Security Extensions).

Sniffing Tools and Wireshark Filters

  • Wireshark: A tool to capture and interactively browse network traffic across various mediums (Ethernet, 802.11, PPP/HDLC, ATM, Bluetooth, USB, etc.).

  • Other Sniffing Tools: SteelCentral Packet Analyzer, Capsa Network Analyzer, OmniPeek, Colasoft Packet Builder, Tcpdump/Windump.

  • Wireshark Display Filters Syntax:

    • Protocol: arp, http, tcp, udp, dns, ip

    • Ports: tcp.port == 23

    • IP Address: ip.addr == 192.168.1.100

    • Source/Destination: ip.src == 205.153.63.30 or ip.dst == 205.153.63.30

    • Compound: ip.addr == 192.168.1.100 && tcp.port == 23

    • Logical OR: ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5

    • Advanced: ip.dst == 10.0.1.50 && frame.pkt_len > 400

    • Range: ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30

    • Flags: tcp.flags.reset == 1 (for TCP resets).

    • Requests: http.request (for HTTP GET requests).

    • Content: tcp contains "traffic".
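To make the semantics of the filter syntax above concrete (why ip.addr matches either endpoint, what a bare protocol name tests, how && and or combine), here is an added example that is not part of the original notes and not Wireshark's own code: a small evaluator for the subset of display-filter syntax listed above, run over a constructed five-frame capture. Multi-valued fields such as ip.addr and tcp.port are stored as lists, bare names test for presence of the field or protocol, and a protocol name holds the raw bytes that "contains" searches.

```python
"""Added example (not from the original notes or from Wireshark): a tiny
evaluator for the subset of Wireshark display-filter syntax listed above,
applied to constructed packet records."""
import re
from typing import Any, Dict, List

TOKEN = re.compile(r'\s*(\(|\)|!=|==|>=|<=|>|<|&&|\|\||!|"[^"]*"|[A-Za-z0-9_.]+)')
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def tokenize(text: str) -> List[str]:
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class DisplayFilter:
    """Recursive descent: or-expr > and-expr > unary > comparison or presence test."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0
        self.ast = self._or()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() in ("||", "or"):
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._peek() in ("&&", "and"):
            self._next()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        tok = self._peek()
        if tok in ("!", "not"):
            self._next()
            return ("not", self._unary())
        if tok == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return node
        field = self._next()
        if self._peek() in OPS or self._peek() == "contains":
            op, raw = self._next(), self._next()
            value = raw[1:-1] if raw.startswith('"') else (int(raw) if raw.isdigit() else raw)
            return ("cmp", field, op, value)
        return ("present", field)      # bare name such as "tcp" or "http.request"

    def match(self, pkt: Dict[str, Any]) -> bool:
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt) -> bool:
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":   # the field itself, or any field of that protocol
            return node[1] in pkt or any(k.startswith(node[1] + ".") for k in pkt)
        _, field, op, target = node
        if field not in pkt:
            return False
        values = pkt[field] if isinstance(pkt[field], list) else [pkt[field]]
        if op == "contains":
            return any((target.encode() if isinstance(v, bytes) else target) in v for v in values)
        return any(type(v) is type(target) and OPS[op](v, target) for v in values)


def ip(src: str, dst: str) -> Dict[str, Any]:
    return {"ip.src": src, "ip.dst": dst, "ip.addr": [src, dst]}


# Constructed capture standing in for a real trace (frame numbers are deliberately sparse).
PACKETS = [
    {"frame.number": 1, "frame.pkt_len": 74, **ip("192.168.1.100", "10.0.1.50"),
     "tcp.port": [51000, 23], "tcp.flags.reset": 0, "tcp": b"login: admin"},
    {"frame.number": 2, "frame.pkt_len": 512, **ip("192.168.1.100", "10.0.1.50"),
     "tcp.port": [51001, 80], "tcp.flags.reset": 0, "tcp": b"GET /traffic HTTP/1.1",
     "http.request": True, "http.request.method": "GET"},
    {"frame.number": 20, "frame.pkt_len": 98, **ip("10.0.1.12", "10.0.0.4"), "icmp.type": 8},
    {"frame.number": 21, "frame.pkt_len": 60, **ip("10.0.1.50", "192.168.1.100"),
     "tcp.port": [80, 51001], "tcp.flags.reset": 1, "tcp": b""},
    {"frame.number": 40, "frame.pkt_len": 80, **ip("10.0.0.5", "10.0.0.1"),
     "udp.port": [40000, 53], "dns.qry.name": "example.test"},
]


def matching_frames(filter_text: str, packets=PACKETS) -> List[int]:
    """Frame numbers the filter selects, as the Wireshark packet list would show."""
    f = DisplayFilter(filter_text)
    return [p["frame.number"] for p in packets if f.match(p)]


if __name__ == "__main__":
    for text in ("tcp.port == 23", 'tcp contains "traffic"', "!(tcp || udp)"):
        print(f"{text!r:32} -> frames {matching_frames(text)}")
```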

General Sniffing Countermeasures and Detection

  • Countermeasures:

    • Hardware: Use switches instead of hubs and restrict physical access.

    • MAC/IP Security: Permanently add gateway MAC to ARP cache; retrieve MAC from NIC instead of OS; use static IP addresses and static ARP tables.

    • Protocols: Use IPv6; use encrypted protocols like HTTPS, SFTP, VPN, IPSec, SSL/TLS, and SSH.

    • Wireless: Encrypt traffic with WPA or WPA2.

  • Detection Techniques:

    • Ping Method: Send a ping to a machine with its IP but an incorrect MAC address. A machine in promiscuous mode (sniffer) will respond rather than reject it.

    • ARP Method: A machine in promiscuous mode caches information and replies to pings immediately, whereas other machines send an ARP probe first.

    • DNS Method: Observe machines generating high volumes of reverse DNS lookup traffic, as sniffers often perform these lookups.
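Two of the detection techniques above can be expressed as runnable models. The following is an added example, not code from the original notes: the ping method uses an idealised NIC and IP-stack model in which the NIC's hardware address filter is the only thing that discards a frame addressed to the wrong MAC (real operating systems differ in detail, which is why the method is a heuristic), and the DNS method counts reverse (PTR) lookups per source host over constructed resolver log lines. Every MAC, IP address and log line is made up.

```python
"""Added example (not from the original notes): the ping method and the DNS
method for spotting a host in promiscuous mode, as simple models over
constructed data."""
from collections import Counter
from typing import List

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_MAC, HOST_IP = "aa:bb:cc:00:00:01", "10.0.0.7"       # constructed host under test
BOGUS_MAC = "de:ad:be:ef:00:00"                          # wrong destination MAC used by the probe


def nic_delivers(frame_dst_mac: str, nic_mac: str, promiscuous: bool) -> bool:
    """Hardware address filter of a NIC: unicast to itself or broadcast only,
    unless promiscuous mode disables the filter and every frame is passed up."""
    return promiscuous or frame_dst_mac in (nic_mac, BROADCAST)


def echo_reply_sent(frame_dst_mac: str, dst_ip: str, promiscuous: bool,
                    nic_mac: str = HOST_MAC, host_ip: str = HOST_IP) -> bool:
    """True if the host answers an ICMP echo. The IP layer checks only the destination
    IP, so whether a wrong-MAC probe is answered depends on the NIC filter alone."""
    if not nic_delivers(frame_dst_mac, nic_mac, promiscuous):
        return False
    return dst_ip == host_ip


def ping_method_flags_sniffer(promiscuous: bool) -> bool:
    """The detector pings the host's IP inside a frame addressed to a bogus MAC."""
    return echo_reply_sent(BOGUS_MAC, HOST_IP, promiscuous)


# Constructed resolver log: "<time> <client_ip> <qtype> <name>"
DNS_LOG = """\
10:00:01 10.0.0.5 A   intranet.example.test
10:00:02 10.0.0.7 PTR 50.1.0.10.in-addr.arpa
10:00:02 10.0.0.7 PTR 12.1.0.10.in-addr.arpa
10:00:02 10.0.0.7 PTR 100.1.168.192.in-addr.arpa
10:00:03 10.0.0.5 PTR 1.0.0.10.in-addr.arpa
10:00:03 10.0.0.7 PTR 4.0.0.10.in-addr.arpa
10:00:03 10.0.0.7 PTR 5.0.0.10.in-addr.arpa
10:00:04 10.0.0.7 PTR 1.0.0.10.in-addr.arpa
10:00:05 10.0.0.9 A   mail.example.test
"""


def ptr_counts(log_text: str) -> Counter:
    """Reverse-lookup count per client IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "PTR":
            counts[parts[1]] += 1
    return counts


def reverse_lookup_suspects(log_text: str, threshold: int) -> List[str]:
    """Hosts issuing at least `threshold` PTR queries; a sniffer resolving captured IPs stands out."""
    return sorted(ip for ip, n in ptr_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print("promiscuous host answers wrong-MAC ping:", ping_method_flags_sniffer(True))
    print("normal host answers wrong-MAC ping:", ping_method_flags_sniffer(False))
    print("reverse-lookup suspects:", reverse_lookup_suspects(DNS_LOG, threshold=5))
```

The threshold for the DNS method is a tuning choice: a mail server or a log-analysis box legitimately issues many PTR queries, so the count is a lead to investigate rather than proof on its own.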

  • Detection Tools:

    • PromqryUI: Microsoft tool to detect NICs in promiscuous mode.

    • Nmap: Use the script: nmap --script=sniffer-detect [Target IP Address].

Summary of Key Points

  • Sniffing allows attackers to capture confidential data like emails, passwords, and chat logs.

  • Active sniffing is required for switch-based networks.

  • Layer 2 sniffing is transparent to upper layers of the OSI model.

  • Key defense strategies include using static ARP tables, encryption (SSH, SCP, SSL), and protocol-specific security (DNSSEC, DHCP Snooping).