Hacker Techniques, Tools, and Incident Handling Notes

Ethical Hacking

  • Textbooks:

    • CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, by Matt Walker.

    • Hands-On Ethical Hacking and Network Defense, 3rd Edition, by Michael Simpson and Nicholas Antill.

Sniffing

  • Sniffing is the process of capturing and monitoring data packets passing through a network using a sniffer.

  • Sniffing relies on promiscuous mode: enabling it on a network interface lets the interface capture all traffic it sees, not only frames addressed to it.

  • Attackers can capture various types of traffic, including Syslog, DNS, web, and email traffic.

  • By capturing packets, attackers can reveal sensitive information like usernames, passwords, and data from cleartext protocols such as HTTP, POP, IMAP, SMTP, NNTP, FTP, Telnet, and Rlogin.

Working of Sniffers

  • An attacker connects to the target network to sniff packets.

  • Sniffers turn the Network Interface Card (NIC) into promiscuous mode, capturing all packets.

  • Promiscuous mode: the NIC passes every frame it receives up to the host, regardless of the intended recipient.

  • If connected to a network with a hub, all traffic is transmitted to all ports.

  • Switches forward unicast packets to specific ports based on MAC address tables.

  • Attackers can alter switch configurations to copy traffic passing through one port to the port they are connected to.

Types of Sniffing

  • Passive Sniffing

  • Active Sniffing

Passive Sniffing

  • Involves monitoring packets without sending additional data packets.

  • In a hub-based network, all hosts can see all traffic, making it easy for attackers to capture traffic.

  • Hubs are outdated; modern networks use switches.

Active Sniffing

  • Requires the attacker to send additional packets to the connected device (switch) to start receiving packets.

  • Techniques include MAC flooding, DHCP attacks, DNS poisoning, ARP poisoning, and spoofing.

Sniffing in the OSI Model

  • Sniffers operate at the Data Link layer of the OSI model.

  • Networking layers in the OSI model work independently; upper layers are unaware of sniffing at the Data Link layer.

MAC Attacks: MAC Address Table / CAM Table

  • MAC Address:

    • Media Access Control Address: also known as the physical address of a device.

    • A 48-bit unique identification number assigned to a network device for communication at the data link layer.

    • Composed of a 24-bit Organizationally Unique Identifier (OUI) and a 24-bit Network Interface Controller (NIC) specific number.

  • CAM Table:

    • Each switch has a fixed-size dynamic Content Addressable Memory (CAM) table.

    • The CAM table stores information like MAC addresses on physical ports and their associated VLAN parameters.

How CAM Works

  • Switches learn the MAC addresses of devices by observing incoming frames.

  • The switch records the source MAC address and the associated port in its MAC address table.

  • Switches use this information to make intelligent frame forwarding decisions.

  • Switches age MAC addresses and remove them from the table after a certain duration (the default aging time is 300 seconds).

  • Switches dynamically learn MAC addresses by default.

MAC Flooding

  • A technique where an attacker sends random MAC addresses mapped with random IPs to overflow the CAM table's storage capacity.

  • Flooding the CAM table with fake MAC address and IP pairs until it is full.

  • When the CAM table is full, the switch acts like a hub, broadcasting packets on all ports, which allows the attacker to sniff packets easily.

  • The "macof" utility in Unix/Linux can be used for MAC flooding.

  • Macof sends random source MAC and IP addresses, flooding the switch's CAM tables (131,000 entries per minute) with bogus entries.

Defend Against MAC Attacks

  • Port Security: Binds MAC addresses of known devices to physical ports and defines violation actions.

  • If an attacker connects their device to a secured port, the port will shut down or restrict the attacker.
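As an added example (not from the notes or the textbooks they cite), a small Python simulation of the CAM learning, aging and overflow behaviour described under How CAM Works and MAC Flooding, run with the port-security defence above switched off and on. The switch model, the 4-entry table size, the port numbers and the MAC addresses are constructed for the example.

```python
CAM_CAPACITY = 4      # constructed: a tiny table so the overflow is easy to see
AGING_SECONDS = 300   # default aging time from the notes
FLOOD = "FLOOD_ALL_PORTS"


class Switch:
    """Toy switch (constructed): fixed-size CAM table with aging, optional port security."""

    def __init__(self, max_macs_per_port=None):
        self.cam = {}                       # src MAC -> (port, last_seen)
        self.max_macs = max_macs_per_port   # None = port security disabled
        self.shutdown_ports = set()

    def _age_out(self, now):
        for mac, (_, seen) in list(self.cam.items()):
            if now - seen > AGING_SECONDS:
                del self.cam[mac]

    def _port_security_ok(self, src_mac, in_port):
        if self.max_macs is None:
            return True
        known = {m for m, (p, _) in self.cam.items() if p == in_port}
        if src_mac in known or len(known) < self.max_macs:
            return True
        self.shutdown_ports.add(in_port)    # violation action: shut the port down
        return False

    def receive(self, src_mac, dst_mac, in_port, now):
        """Learn the source MAC if there is room, then choose the egress port."""
        if in_port in self.shutdown_ports:
            return "DROPPED"
        self._age_out(now)
        if not self._port_security_ok(src_mac, in_port):
            return "DROPPED"
        if src_mac in self.cam or len(self.cam) < CAM_CAPACITY:   # a full table learns nothing new
            self.cam[src_mac] = (in_port, now)
        entry = self.cam.get(dst_mac)
        return entry[0] if entry else FLOOD   # unknown destination: flood out every port, like a hub


def simulate(port_security):
    """Port 3 sends bogus source MACs before hosts A (port 1) and B (port 2) first speak.
    Returns where A's frame to B is sent and which ports were shut down."""
    sw = Switch(max_macs_per_port=1 if port_security else None)
    A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    for i in range(6):                      # 6 bogus MACs > CAM_CAPACITY
        sw.receive(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", in_port=3, now=i)
    sw.receive(A, B, in_port=1, now=10)     # A and B can only be learned if there is room
    sw.receive(B, A, in_port=2, now=11)
    return sw.receive(A, B, in_port=1, now=12), sorted(sw.shutdown_ports)
```

Without port security the full table leaves A's frame to B flooded to every port; with a one-MAC limit on port 3 the second bogus address shuts that port and B's frame is forwarded to port 2 only.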

DHCP Attacks: Dynamic Host Configuration Protocol (DHCP) Operation

  • DHCP dynamically allocates IP addresses so they can be automatically assigned and reused.

  • DHCP client sends a DHCP-Discover/Solicit packet via UDP broadcast to find a DHCP server.

  • DHCP server replies with a DHCP-Offer/Advertise packet, offering configuration parameters.

  • DHCP client sends a DHCP-Request packet to the DHCP server to request configuration parameters.

  • DHCP server sends a DHCP-Acknowledgement/Reply packet containing configuration parameters.

  • DHCP relay agent forwards DHCP packets between the server and client.

DHCP Starvation Attack

  • A denial-of-service (DoS) attack where an attacker broadcasts forged DHCP requests to lease all available DHCP addresses.

  • Legitimate users are unable to obtain or renew IP addresses, losing network access.

  • Tools like "Dhcpstarv" or "Yersinia" can be used to perform DHCP starvation attacks.

Rogue DHCP Server Attack

  • Involves deploying a rogue DHCP server in the network along with a starvation attack.

  • When the legitimate DHCP server is under a DoS attack, DHCP clients receive configuration parameters from the rogue server, directing traffic towards it.

Defend Against DHCP Starvation and Rogue Server Attack

  • Enable port security to defend against DHCP starvation attacks.

  • Configure MAC address limits on switch ports so that frames from MAC addresses beyond the configured limit are dropped.

  • Enable DHCP snooping to allow the switch to accept DHCP transactions only from trusted ports.

ARP Poisoning

  • Address Resolution Protocol (ARP) is a stateless protocol for resolving IP addresses to MAC addresses.

  • Network devices broadcast ARP queries to find other machines' MAC addresses.

  • When a machine needs to communicate with another, it checks its ARP table.

  • If the MAC address is not found, an ARP_REQUEST is broadcast.

  • Machines compare the IP address in the ARP_REQUEST to their own IP address.

  • If a machine's own IP address matches, it responds with its IP and MAC address.

  • The requesting machine stores the address pair in its ARP table, and communication takes place.

ARP Spoofing Attack

  • ARP packets can be forged to send data to the attacker's machine.

  • Attackers flood a target computer's ARP cache with forged entries, also known as poisoning.
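An added example (not part of the original notes) of a host-side check for the poisoning described above: the function parses constructed ARP-reply records in an arpwatch-like format and raises an alert when an IP address changes MAC or one MAC starts answering for several IPs. The record format, addresses and function name are assumptions made for the example.

```python
import re

# Constructed sample of what a host-side ARP monitor might record,
# one line per ARP reply seen: "<time> <sender IP> is-at <sender MAC>".
SAMPLE_ARP_REPLIES = """\
10:00:01 10.0.0.1 is-at aa:aa:aa:00:00:fe
10:00:02 10.0.0.10 is-at aa:aa:aa:00:00:01
10:00:30 10.0.0.1 is-at aa:aa:aa:00:00:fe
10:00:31 10.0.0.1 is-at de:ad:be:ef:00:07
10:00:32 10.0.0.10 is-at de:ad:be:ef:00:07
10:00:33 10.0.0.1 is-at de:ad:be:ef:00:07
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$")


def detect_arp_poisoning(text, known=None):
    """Flag replies that change an IP's MAC (a "flip-flop") and MACs that
    claim more than one IP. `known` is an optional static IP -> MAC table."""
    mac_for_ip = dict(known or {})
    ips_for_mac = {}
    alerts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # ignore lines that are not ARP reply records
        ts, ip, mac = m.groups()
        old = mac_for_ip.get(ip)
        if old and old != mac:
            alerts.append(f"{ts} flip-flop: {ip} moved from {old} to {mac}")
        mac_for_ip[ip] = mac
        ips = ips_for_mac.setdefault(mac, set())
        if ips and ip not in ips:   # this MAC already answered for another IP
            alerts.append(f"{ts} {mac} also claims {ip} (already {sorted(ips)})")
        ips.add(ip)
    return alerts
```

On the sample, the gateway (10.0.0.1) and the host 10.0.0.10 both move to the same third MAC, which is the signature of a man-in-the-middle between them.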

ARP Poisoning Tools

  • Cain & Abel: Allows sniffing packets of various protocols on switched LANs by hijacking IP traffic of multiple hosts concurrently.

  • WinArpAttacker: Sends IP conflict packets to target computers as fast as possible and diverts all communications.

Defending ARP Poisoning

  • Dynamic ARP Inspection (DAI) is used with DHCP snooping.

  • IP-to-MAC bindings are tracked from DHCP transactions to protect against ARP poisoning.

  • DHCP snooping is required to build MAC-to-IP bindings for DAI validation.

MAC Spoofing/Duplicating

  • MAC duplicating attack is launched by sniffing a network for MAC addresses of active clients and reusing one of those addresses.

  • An attacker intercepts and uses a legitimate user's MAC address to receive all traffic destined for that user.

  • Allows an attacker to gain network access and take over someone's identity.

MAC Spoofing Tool

  • SMAC: A MAC Address Changer (Spoofer) that allows users to change the MAC address for any network interface card (NIC) on Windows systems.

Defending MAC Spoofing

  • DHCP Snooping and Dynamic ARP inspection are effective techniques to mitigate MAC spoofing attacks.

  • The IP Source Guard feature is configured on client-facing switch ports.

  • Source guard uses dynamic DHCP snooping or static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
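An added Python model (not from the notes or any vendor's implementation) tying together the defences listed under DHCP, ARP poisoning and MAC spoofing above: DHCP snooping accepts server replies only from a trusted port and records the resulting IP/MAC/port binding, which Dynamic ARP Inspection and IP Source Guard then enforce on untrusted ports. The port numbers, MAC and IP addresses and the trusted uplink are constructed for the example.

```python
TRUSTED_PORTS = {24}    # constructed: the uplink towards the legitimate DHCP server


class SnoopingSwitch:
    """Toy switch (constructed): snooping bindings enforced by DAI and IP Source Guard."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}   # client MAC -> port where its DHCP DISCOVER/REQUEST arrived
        self.bindings = {}      # (port, client MAC) -> IP learned from a DHCP ACK
        self.log = []

    def dhcp(self, msg, port, client_mac, ip=None):
        """DHCP snooping: server messages (OFFER/ACK) are accepted from trusted ports only."""
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted:
                self.log.append(f"DROP DHCP {msg} on untrusted port {port}: rogue server")
                return False
            if msg == "ACK" and client_mac in self.client_port:
                self.bindings[(self.client_port[client_mac], client_mac)] = ip
        else:                   # DISCOVER / REQUEST sent by a client
            self.client_port[client_mac] = port
        return True

    def inspect(self, kind, port, mac, ip):
        """DAI (kind='ARP') and IP Source Guard (kind='IP'): IP/MAC must match the port's binding."""
        ok = port in self.trusted or self.bindings.get((port, mac)) == ip
        if not ok:
            self.log.append(f"DROP {kind} {ip}/{mac} on port {port}: no matching binding")
        return ok


def run_scenario():
    """Client on port 1 leases 10.0.0.10; port 7 hosts a rogue server, poisoner and spoofer."""
    sw = SnoopingSwitch(TRUSTED_PORTS)
    victim, gateway, rogue = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:fe", "de:ad:be:ef:00:07"
    sw.dhcp("DISCOVER", 1, victim)
    rogue_offer = sw.dhcp("OFFER", 7, victim, "10.0.0.66")     # rogue server answers: dropped
    sw.dhcp("OFFER", 24, victim, "10.0.0.10")
    sw.dhcp("REQUEST", 1, victim)
    sw.dhcp("ACK", 24, victim, "10.0.0.10")                    # binding (1, victim) -> 10.0.0.10
    return {
        "rogue_offer_accepted": rogue_offer,
        "victim_arp_ok": sw.inspect("ARP", 1, victim, "10.0.0.10"),
        "gateway_arp_from_uplink_ok": sw.inspect("ARP", 24, gateway, "10.0.0.1"),
        "poisoned_arp_ok": sw.inspect("ARP", 7, rogue, "10.0.0.1"),    # claims to be the gateway
        "spoofed_mac_ok": sw.inspect("IP", 7, victim, "10.0.0.10"),    # victim's MAC on the wrong port
        "bindings": sw.bindings,
    }
```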

DNS Poisoning

  • Domain Name System (DNS) translates human-readable domain names into IP addresses.

  • When a DNS server receives a query for a name it cannot answer from its own records or cache, it queries another DNS server.

  • The DNS server with the translation replies to the requesting DNS server, and the client's query is resolved.

  • DNS poisoning tricks a DNS server into believing it has received authentic information when it has not.

  • Allows an attacker to replace IP address entries for a target site on a DNS server with the IP address of a server they control.

  • The attacker can create fake DNS entries with the same names as the target server that point to a server under their control (hosting malicious content).

How to Defend Against DNS Spoofing

  • Resolve all DNS queries to a local DNS server.

  • Block DNS requests from going to external servers.

  • Configure the firewall to restrict external DNS lookup.

  • Implement an Intrusion Detection System (IDS) and deploy it correctly.

  • Secure internal machines.

Sniffing Tool: Wireshark

  • Captures and interactively browses network traffic.

  • Uses WinPcap to capture packets on the network types that WinPcap supports.

  • Captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI networks.

  • Captured files can be programmatically edited via command-line.

  • Display filters select which captured packets are shown, and a filter can be refined interactively to narrow the view.

Network Packet Analyzer

  • OmniPeek displays a Google Map showing the locations of all public IP addresses of captured packets.

  • This feature monitors the network in real time and shows where traffic is coming from.

Additional Sniffing Tools

  • Network Probe: http://www.objectplanet.com

  • WebSiteSniffer: http://www.nirsoft.net

  • ICQ Sniffer: http://www.etherboss.com

  • CommView: http://www.tamos.com

  • NetResident: http://www.tamos.com

  • Kismet: http://www.kismetwireless.net

  • MaaTec Network Analyzer: http://www.maatec.com

  • AIM Sniffer: http://www.effetech.com

  • Alchemy Network Monitor: http://www.mishelpers.com

  • Netstumbler: http://www.netstumbler.com