
Seminar Topic

Packet Sniffing

Presented By:
Soumitra Kumar Jana(06/CS/55)
Chandan Paul(06/CS/84)
Sankha De(06/CS/61)
Shantanu Das(06/CS/104)

CSE 7th SEM,HIT


Under the Guidance of:
Ms. Jayeeta Majumdar
Lecturer, CSE ,HIT

Topics to be discussed
 INTRODUCTION TO PACKET SNIFFING
 WHO USES PACKET SNIFFERS AND WHY
 TYPES OF SNIFFING
 PROTOCOLS VULNERABLE TO SNIFFING
 INTERNET BASICS
 PACKET SNIFFERS
 HOW SNIFFERS WORK?
 SOME TECHNIQUES FOR IMPLEMENTING SNIFFING
 SOME POPULAR PACKET SNIFFERS
 EXPLOITS OF PACKET SNIFFERS
 HOW TO DETECT SNIFFING
 COUNTERMEASURES
 CONCLUSION
The Network Today:
[Figure: Host A and Host B communicating through Router A and Router B]

Introduction to Packet Sniffing

Sniffing is a data interception technology. The term sniffing is commonly used to describe protocol analysis, the process of viewing and analyzing the contents of packets on a network.
Tools used for this purpose are properly called protocol analyzers, but the term sniffer is also widely used for such tools.
Protocol analyzers or sniffers are network troubleshooting tools that provide a detailed view of network traffic.
(Continued...)
A network analyzer is just software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined to the network-analyzer host. The network analyzer performs the following functions:
 Captures all network traffic.
 Interprets or decodes what is found into a human-readable format.
 Displays it all in chronological order.
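The second of these functions, decoding captured bytes into something a person can read, is what a protocol analyzer spends most of its effort on. The following is an added example and not code from the seminar: it decodes an Ethernet/IPv4/TCP frame that is constructed in memory (the IP addresses are the ones shown later in the Wireshark screenshot, the MAC addresses and ports are made up), verifies the IPv4 header checksum, and prints a one-line summary in the style of a packet list. It runs offline, so no capture library or privileges are needed.

```python
"""Decode Ethernet/IPv4/TCP frames the way a sniffer's analysis step does.

Added example (not the seminar's own code): a capture library such as
libpcap hands a sniffer raw frames; this shows the "interpret or decode
into a human-readable format" step on a frame constructed in memory.
"""
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag bits, in the order of the low six bits of the data-offset/flags word
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the 16-bit words of an IPv4 header.
    Run over a header whose checksum field is already filled in, it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Parse one Ethernet frame into nested dicts; stops early for non-IPv4/non-TCP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt: Dict[str, Any] = {"eth": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    pkt["ip"] = {
        "src": ipv4_str(s), "dst": ipv4_str(d), "ttl": ttl, "proto": proto,
        "total_len": total_len, "df": bool(flags_frag & 0x4000),
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto != IPPROTO_TCP or len(ip) < ihl + 20:
        return pkt
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x003F
    pkt["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": tcp[data_off:],
    }
    return pkt


def summary_line(pkt: Dict[str, Any]) -> str:
    """One line per packet, like the packet list of a protocol analyzer."""
    if "tcp" not in pkt:
        return f"{pkt['eth']['src']} -> {pkt['eth']['dst']} type 0x{pkt['eth']['type']:04x}"
    ip, tcp = pkt["ip"], pkt["tcp"]
    return (f"{ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} "
            f"[{','.join(tcp['flags'])}] {len(tcp['payload'])} bytes payload")


def build_sample_frame() -> bytes:
    """Constructed sample: an HTTP GET from 10.10.39.155 to 10.10.3.254 (addresses
    from the seminar's screenshot); MAC addresses and ports are made up.
    The IPv4 checksum is filled in so the decoder can verify it."""
    payload = b"GET / HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                               IPPROTO_TCP, 0, bytes([10, 10, 39, 155]), bytes([10, 10, 3, 254])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # checksum field is bytes 10-11
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                      ETHERTYPE_IPV4)
    return eth + bytes(ip) + tcp + payload


if __name__ == "__main__":
    decoded = decode_frame(build_sample_frame())
    print(summary_line(decoded))
    print(decoded["tcp"]["payload"].decode("ascii", "replace"))
```

The same decoder would be fed by a capture loop from a pcap library; the point here is that the analysis step is ordinary parsing of well-documented header layouts, which is why the output of any analyzer is only as trustworthy as its handling of malformed headers (the length and version checks above are the minimum).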

Who Uses Packet Sniffers and Why?
System administrators
-- To monitor the flow of network traffic
-- Troubleshoot communication problems
-- Understand system problems and performance
-- Intrusion detection
-- Debug network protocol implementations
-- Detection of erroneous packet flow through the network
-- Gather and report network usage and statistics.
(Continued...)
Malicious individuals (intruders)
-- Capture cleartext data
-- Passively collect data on vulnerable protocols
 FTP, POP3, IMAP, SMTP, rlogin, HTTP etc.
 Capture VoIP data.
-- Mapping the target network
-- Traffic pattern discovery
-- Actively break into the network (backdoor techniques)
Types of Sniffing
Sniffing is divided into two types: passive sniffing and active sniffing.

Passive sniffing means sniffing through a hub. It is called passive because it is difficult to detect. An attacker simply connects to the hub from his/her machine.

Active sniffing means sniffing through a switch. It is easy to detect. The attacker tries to poison the switch by sending bogus MAC addresses.
Protocols Vulnerable to Sniffing
Protocols that are susceptible to sniffers include:
Telnet: Keystrokes including usernames and passwords.
HTTP: Data sent in clear text.
SMTP: Password and data sent in clear text.
POP: Password and data sent in clear text.
FTP: Password and data sent in clear text.
IMAP
VoIP
SNMP etc.
INTERNET Today
The Internet is based on the TCP/IP architecture. The model defines four (or five) layers:
Physical Layer (1)
Data Link Layer (2): Ethernet, 802.11
Network Layer (3): IPv4 (IPv6)
Transport Layer (4): TCP, UDP
Application Layer (5): SMTP, HTTP, FTP
Packet Sniffers
A "Packet Sniffer" is a utility that sniffs without modifying the network's
packets in any way. By comparison, a firewall sees all of a computer's
packet traffic as well, but it has the ability to block and drop any packets
that its programming dictates. Packet sniffers merely watch, display, and
log this traffic.

How They Work


An Ethernet sniffer is software that works in concert with the network
interface card (NIC) to blindly suck up all traffic within “earshot” of the
listening system, rather than just the traffic addressed to the sniffing
host.

How They Work (Continues...)
 Normally, an Ethernet NIC will discard any traffic not specifically addressed to itself or the network broadcast address, so the card must be put in a special state called promiscuous mode to enable it to receive all packets floating by on the wire. Once the network hardware is in promiscuous mode, the sniffer software can capture and analyze any traffic that traverses the local Ethernet segment.
 This limits the range of a sniffer somewhat because it will not be able to listen to traffic outside of the local network’s collision domain (that is, beyond routers, switches, or other segmenting devices).
 Obviously, a sniffer judiciously placed on a backbone, internetwork link, or other network aggregation point will be able to monitor a greater volume of traffic than one placed on an isolated Ethernet segment. This is the basic understanding of the function of a sniffer.
Some Techniques for Implementing Packet Sniffing
ARP Spoofing or ARP Poisoning
The process of falsifying the source Media Access Control (MAC) addresses of packets being sent on an Ethernet network is called ARP spoofing or ARP poisoning. ARP spoofing involves sending forged ARP replies to redirect network traffic to the attacking host. If the attacking host is only listening to traffic and not participating in it, legitimate hosts are usually unaware that the packets they are transmitting are being redirected to an attacker and are not reaching their intended destinations.
Tools used: Cain & Abel, Ettercap etc.
(Continues...)
MAC duplicating
A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port. By listening to the traffic on the network, a malicious user can intercept and use a legitimate user’s MAC address, and thereby receives all the traffic destined for that legitimate user.
MAC Flooding
 MAC flooding is an attack that tries to flood the internal memory of Ethernet switches using large numbers of spoofed Media Access Control (MAC) addresses. Switches have limited memory for mapping MAC addresses to the physical ports on the switch. MAC flooding uses this limitation and floods the switch with fake MAC addresses until the switch can’t keep up. The switch then acts like a hub by broadcasting packets to all machines in the network. After that, sniffing is easily performed.
 Tools used: Etherflood.
(Continues...)
IP Based Spoofing
 This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets. This method only works in non-switched networks. All modern sniffers use this technique.
DNS Poisoning
DNS spoofing provides DNS servers with false information to impersonate DNS servers. The DNS server believes that it has got authentic information when, in reality, it does not.
Intranet DNS Poisoning (LAN)
Internet DNS Poisoning (Remote Network)
Proxy Server DNS Poisoning
DNS Cache Poisoning
Some Popular Packet Sniffers
 Linux/Unix-based sniffers use libpcap, which must be installed prior to installing any sniffer.
tcpdump, a command-line based packet sniffer.
tcpshow (tcpdump-based analysis).
Wireshark (packet sniffer GUI) [formerly Ethereal].
ngrep — network grep (command-line tool to apply regular expressions to tcpdump output).
dsniff — a password sniffer that handles FTP, Telnet, SMTP, HTTP, POP etc.
 Windows-based sniffers use WinPcap, which must be installed prior to installing any sniffer.
1. Wireshark (packet sniffer GUI) [formerly Ethereal]
2. Capsa Network Analyzer (packet sniffer) from Colasoft
3. Cain & Abel from Oxid.it
4. WinDump, a DOS command-line packet sniffer
5. CommView
Wireshark
Wireshark (formerly Ethereal) is a UNIX- and Windows-based open source network monitoring tool. The stable release is 1.2.4. Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the networks supported by pcap.
Data can be captured "from the wire" from a live network connection or read from a file that records already-captured packets.
Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
Decodes over 750 protocols.
Compatible with many other sniffers.
[Figure: annotated Wireshark screenshot. Labelled regions: menu bar; display filter specification; listing of all the packets; details of the selected packet header; packet content in hex and ASCII code. The selected packet (#43262) is a TCP packet; the details pane shows the selected packet and the raw data pane shows the content of packet #43262. Slide footer: CS420: High Speed Multimedia and Multiservice Networks.]
[Figure: Wireshark screenshot with a display filter showing HTTP packets only. The selected packet is accessing http://en.wikipedia.org with source IP 10.10.39.155; the destination IP for this packet is 10.10.3.254.]
Cain and Abel
Cain and Abel (sometimes called simply "Cain") is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes by methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.
 TCP/UDP Traceroute with DNS Resolver
 Dumping protected storage passwords - reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.
 APR (ARP Poison Routing) - enables sniffing on switched networks.
 Sniffer - captures passwords, hashes and authentication information while they are transmitted on the network.
 IP to MAC Address resolver
 Used for remote purposes such as Remote Console, Remote Route Table Manager, Remote TCP/UDP Table Viewer etc.
[Figure: annotated Cain & Abel screenshots. Labelled controls: Start/Stop Sniffer button; Start/Stop APR; traceroute any web address; sniffer operations. The Sniffer tab lists network computers with MAC address and hostname (all computers on the subnet) and shows the usernames, passwords and web addresses retrieved. The APR (ARP Poison Routing) tab has Session Hijacking, LAN View and WAN View panes and an APR Poisoning Status pane.]
Exploits of Packet Sniffers
One disturbingly powerful aspect of packet sniffers is
their ability to place the hosting machine's network
adapter into "promiscuous mode." Network adapters
running in promiscuous mode receive not only the data
directed to the machine hosting the sniffing software,
but also ALL of the traffic on the physically connected
local network.
By placing a packet sniffer on a network in
promiscuous mode, a malicious intruder can capture
and analyze all of the network traffic. Within a given
network, username and password information is
generally transmitted in clear text which means that
the information would be viewable by analyzing the
packets being transmitted.
How to Detect Sniffing?
There are two basic approaches to detecting sniffers:
1. host based
2. network based
 The most direct host-based approach is to determine whether the target system’s network card is operating in promiscuous mode. On UNIX, several programs can accomplish this, including Check Promiscuous Mode (cpm).
 Sniffers are also visible in the process list and tend to create large log files over time, so simple UNIX scripts using ps and grep can illuminate suspicious sniffer-like activity. But these techniques are not always effective.
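The promiscuous-mode test that cpm makes can be reproduced from the interface flags Linux exposes. The following is an added example, not the seminar's code and not cpm itself: it reads the IFF_PROMISC bit (0x100) from /sys/class/net/<interface>/flags on a live Linux host, and it also parses the text output of `ip link show`, which reports the same state as a PROMISC entry in the angle-bracket flag list. The `ip link` output below is constructed for the example; the interface names and MAC addresses in it are made up.

```python
"""Host-based check: is a network interface in promiscuous mode?

Added example (not the seminar's code and not cpm). Two sources are read:
the sysfs flags file /sys/class/net/<iface>/flags and the text output of
`ip link show`. SAMPLE_IP_LINK is constructed for the example.
"""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # IFF_PROMISC bit of the Linux interface flags word

# Constructed `ip link show` output: eth0 is promiscuous, eth1 and lo are not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 66:77:88:99:aa:cc brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <FLAGS,...>" (also "eth0@if5" for veth-style names)
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>", re.M)


def is_promiscuous(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def parse_sysfs_flags(text: str) -> int:
    """/sys/class/net/<iface>/flags holds a hex string such as '0x1103'."""
    return int(text.strip(), 16)


def promiscuous_from_ip_link(output: str) -> List[str]:
    """Interfaces whose <...> flag list in `ip link show` output contains PROMISC."""
    found = []
    for m in _LINK_RE.finditer(output):
        iface, flags = m.group(1), m.group(2).split(",")
        if "PROMISC" in flags:
            found.append(iface)
    return found


def check_local_interfaces(sysfs_root: str = "/sys/class/net") -> Dict[str, bool]:
    """Read live flags from sysfs (Linux only); returns {} where sysfs is absent."""
    result: Dict[str, bool] = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                result[iface] = is_promiscuous(parse_sysfs_flags(fh.read()))
        except (OSError, ValueError):
            continue  # entries without a readable flags file are skipped
    return result


if __name__ == "__main__":
    print("PROMISC in sample ip link output:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    for name, promisc in check_local_interfaces().items():
        print(f"{name}: {'PROMISCUOUS' if promisc else 'normal'}")
```

Run on a host, this answers the question only for that host, and only as far as the kernel reports honestly; an attacker with administrative control of the machine can alter what these sources show, which is the limitation the slide refers to. Note also that legitimate software (bridges, some virtualization and monitoring agents) sets the flag too, so a hit is a lead to investigate rather than proof of a sniffer.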
(Continued...)
 Check whether the MAC address of some machine (such as a router) has changed.
 Network-based sniffer detection has been hypothesized for a long time. One of the first proofs of concept, AntiSniff, was created by L0pht.
 Run network tools like HP OpenView or IBM Tivoli to monitor the network for strange packets.
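The first of these checks (has the router's MAC address changed?) is simple to automate, and the same data answers a second question that ARP poisoning raises: is one MAC address now answering for several IP addresses? The following is an added example, not the seminar's code: it compares two snapshots of the neighbour table in the text format of `ip neigh show` and reports both conditions. Both snapshots are constructed for the example, with 10.10.3.254 (the destination address from the screenshot) standing in for the router and all MAC addresses made up.

```python
"""Network-side check: has a router's MAC address changed, and is any MAC
address claimed by more than one IP address?

Added example (not the seminar's code). Compares two snapshots in the
text format of `ip neigh show`; both snapshots are constructed.
"""
import re
from typing import Dict, List, Optional

# "10.10.3.254 dev eth0 lladdr 00:50:56:01:02:03 REACHABLE"
_NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})")

# Constructed baseline, recorded while the network was known to be good.
BASELINE_NEIGH = """\
10.10.3.254 dev eth0 lladdr 00:50:56:01:02:03 REACHABLE
10.10.39.155 dev eth0 lladdr 66:77:88:99:aa:bb STALE
10.10.39.160 dev eth0 lladdr 00:0c:29:ab:cd:ef REACHABLE
"""

# Constructed later snapshot: the router's entry now carries the MAC of host
# 10.10.39.155, and one entry has no link-layer address at all.
LATER_NEIGH = """\
10.10.3.254 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
10.10.39.155 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
10.10.39.160 dev eth0 lladdr 00:0c:29:ab:cd:ef STALE
10.10.39.170 dev eth0  FAILED
"""


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC; entries without a link-layer address are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def mac_changes(baseline: Dict[str, str], current: Dict[str, str],
                watch: Optional[List[str]] = None) -> List[str]:
    """Alerts for IPs (all baseline IPs, or only those in `watch`) whose MAC changed."""
    alerts = []
    for ip in (watch if watch is not None else baseline):
        old, new = baseline.get(ip), current.get(ip)
        if old and new and old != new:
            alerts.append(f"MAC for {ip} changed from {old} to {new}")
    return alerts


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that appear for more than one IP; a router's MAC normally appears once."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(baseline_text: str, current_text: str, routers: List[str]) -> List[str]:
    """Both checks combined; returns an empty list when nothing has changed."""
    base, cur = parse_neigh(baseline_text), parse_neigh(current_text)
    alerts = mac_changes(base, cur, routers)
    for mac, ips in shared_macs(cur).items():
        alerts.append(f"MAC {mac} claimed by several IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for line in audit(BASELINE_NEIGH, LATER_NEIGH, ["10.10.3.254"]):
        print("ALERT:", line)
```

In practice the baseline is recorded once from a trusted position and the audit is run periodically or from a monitoring host; a router whose hardware was genuinely replaced will also trigger the first alert, so the baseline needs updating after planned changes.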
Countermeasures
[Figure: Host A and Host B communicating through Router A and Router B]

The following techniques and tools can be used to mitigate sniffers:
Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
Switched infrastructure—Migrating to switched network topologies. Shared Ethernet is extremely vulnerable to sniffing.
Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
Cryptography—The best way to defeat sniffing is to encrypt network traffic using Internet Protocol Security (IPSec) or some other mechanism. This won’t stop attackers from sniffing your network, but it will make it harder for them to gain anything useful from their efforts.
Conclusion
It's a cruel irony in information security that many of the
features that make using computers easier or more efficient and
the tools used to protect and secure the network can also be
used to exploit and compromise the same computers and
networks. This is the case with packet sniffing.
Detecting rogue packet sniffers on your network is not an easy
task. By its very nature the packet sniffer is passive. It simply
captures the packets that are traveling to the network interface
it is monitoring. That means there is generally no signature or
erroneous traffic to look for that would identify a machine
running a packet sniffer. There are ways to identify network
interfaces on your network that are running in promiscuous
mode though and this might be used as a means for locating
rogue packet sniffers.

THANK YOU