Packet Sniffing
Presented By:
Soumitra Kumar Jana(06/CS/55)
Chandan Paul(06/CS/84)
Sankha De(06/CS/61)
Shantanu Das(06/CS/104)
Topics to be discussed
INTRODUCTION TO PACKET SNIFFING
WHO USES PACKET SNIFFERS AND WHY
TYPES OF SNIFFING
PROTOCOLS VULNERABLE TO SNIFFING
INTERNET BASICS
PACKET SNIFFERS
HOW SNIFFERS WORK?
SOME TECHNIQUES FOR IMPLEMENTING SNIFFING
SOME POPULAR PACKET SNIFFERS
EXPLOITS OF PACKET SNIFFERS
HOW TO DETECT SNIFFING
COUNTERMEASURES
CONCLUSION
The Network Today:
[Figure: network diagram; no text recoverable from the slide.]
Introduction to Packet Sniffing
[Figure: Host A and Host B communicating through Router A and Router B.]
Who Uses Packet Sniffers and Why?
System administrators
-- To monitor the flow of network traffic
-- Troubleshoot communication problems
-- Understand system problems and performance
-- Intrusion detection
-- Debug network protocol implementations
-- Detection of erroneous packet flow through the network
-- Gather and report network usage and statistics
Malicious individuals (intruders)
-- Capture cleartext data
-- Passively collect data on vulnerable protocols: FTP, POP3, IMAP, SMTP, rlogin, HTTP etc.
Types of Sniffing
[Figure: two branches, Passive Sniffing and Active Sniffing.]
Packet Sniffers
A "Packet Sniffer" is a utility that sniffs without modifying the network's
packets in any way. By comparison, a firewall sees all of a computer's
packet traffic as well, but it has the ability to block and drop any packets
that its programming dictates. Packet sniffers merely watch, display, and
log this traffic.
How They Work
Normally, an Ethernet NIC will discard any traffic not specifically addressed to itself or the network broadcast address, so the card must be put in a special state called promiscuous mode to enable it to receive all packets floating by on the wire. Once the network hardware is in promiscuous mode, the sniffer software can capture and analyze any traffic that traverses the local Ethernet segment.
This limits the range of a sniffer somewhat because it will not be able to listen to traffic outside of the local network's collision domain (that is, beyond routers, switches, or other segmenting devices).
Obviously, a sniffer judiciously placed on a backbone, internetwork link, or other network aggregation point will be able to monitor a greater volume of traffic than one placed on an isolated Ethernet segment. This is the basic understanding of the function of a sniffer.
Some Techniques for Implementing Packet Sniffing
ARP Spoofing or ARP Poisoning
The process of falsifying the source Media Access Control (MAC) addresses of packets being sent on an Ethernet network is called ARP spoofing or ARP poisoning. ARP spoofing involves sending forged ARP replies to redirect network traffic to the attacking host. If the attacking host is only listening to traffic and not participating in it, legitimate hosts are usually unaware that the packets they are transmitting are being redirected to an attacker and are not reaching their intended destinations.
Tools used: Cain & Abel, Ettercap etc.
MAC Duplicating
A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port. By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address and thereby receive all the traffic destined for that legitimate user.
MAC Flooding
MAC flooding is an attack that tries to flood the internal memory of Ethernet switches using large numbers of spoofed Media Access Control (MAC) addresses. Switches have limited memory for mapping MAC addresses to the physical ports on the switch. MAC flooding uses this limitation and floods the switch with fake MAC addresses until the switch can't keep up. The switch then acts like a hub by broadcasting packets to all machines in the network. After that, sniffing is easily performed.
Tools used: Etherflood.
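To make the MAC flooding mechanism concrete, here is an added example (not code from the slides or from any tool named above) that models a switch's MAC table as a bounded mapping with oldest-entry eviction. The switch, its port numbers, the two hosts and the per-port learning limit are all constructed for the example. It shows the switch losing its legitimate bindings and falling back to flooding once the table is full, and how the usual countermeasure, a port-security limit on the number of addresses a port may learn, stops that.

```python
# Added example: a model of a switch's MAC table with bounded capacity.
# Not code from the slides or from any tool named above; the switch, ports,
# hosts and the per-port learning limit are constructed for illustration.
from collections import OrderedDict

FLOOD = "flood"  # frame goes out every port except the one it came in on


class Switch:
    """Learning switch with a fixed-size MAC table and optional port security."""

    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity               # entries the MAC table can hold
        self.table = OrderedDict()             # mac -> port, oldest entry first
        self.max_macs_per_port = max_macs_per_port
        self.disabled_ports = set()            # ports shut by a port-security violation

    def learn(self, src_mac, port):
        if src_mac in self.table:
            self.table.move_to_end(src_mac)    # refresh an existing entry
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.disabled_ports.add(port)  # violation: err-disable the port
                return
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)     # table full: evict the oldest entry
        self.table[src_mac] = port

    def forward(self, src_mac, dst_mac, ingress):
        """Return the egress port, FLOOD, or 'dropped' for a disabled port."""
        if ingress in self.disabled_ports:
            return "dropped"
        self.learn(src_mac, ingress)
        if ingress in self.disabled_ports:
            return "dropped"
        return self.table.get(dst_mac, FLOOD)


def simulate(port_security_limit=None, flood_frames=200, capacity=64):
    """Two hosts exchange frames, then port 3 emits frames from many fake MACs.

    Returns (decision for a later A->B frame, disabled ports, table size)."""
    sw = Switch(capacity, max_macs_per_port=port_security_limit)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(host_a, host_b, ingress=1)      # B not yet known: flooded, A learned
    sw.forward(host_b, host_a, ingress=2)      # delivered to port 1, B learned
    for i in range(flood_frames):              # constructed flood of distinct sources
        fake = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", ingress=3)
    decision = sw.forward(host_a, host_b, ingress=1)
    return decision, sorted(sw.disabled_ports), len(sw.table)


if __name__ == "__main__":
    print("no port security:", simulate())                      # ('flood', [], 64)
    print("max 2 MACs per port:", simulate(port_security_limit=2))  # (2, [3], 4)
```

Without the limit, the 200 fake sources evict both real hosts from the 64-entry table, so the next A-to-B frame is flooded to every port, which is exactly the state a sniffer on port 3 is waiting for. With a limit of two learned addresses per port, the third fake source disables port 3 and the real bindings survive.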
IP Based Spoofing
This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets. This method only works in non-switched networks. All modern sniffers use this technique.
DNS Poisoning
DNS spoofing provides DNS servers with false information in order to impersonate DNS servers. The DNS server believes that it has got authentic information when, in reality, it does not.
-- Intranet DNS Poisoning (LAN)
-- Internet DNS Poisoning (Remote Network)
-- Proxy Server DNS Poisoning
-- DNS Cache Poisoning
Some Popular Packet Sniffers
Linux/Unix-based sniffers use libpcap, which must be installed prior to installing any sniffer.
1. tcpdump, a command-line packet sniffer.
2. tcpshow (tcpdump-based analysis).
3. Wireshark (packet sniffer GUI) [formerly Ethereal].
4. ngrep, network grep (command-line tool to apply regular expressions to tcpdump output).
5. dsniff, a password sniffer that handles FTP, Telnet, SMTP, HTTP, POP etc.
Windows-based sniffers use WinPcap, which must be installed prior to installing any sniffer.
1. Wireshark (packet sniffer GUI) [formerly Ethereal]
2. Capsa Network Analyzer (packet sniffer) from Colasoft
3. Cain & Abel from Oxid.it
4. WinDump, a DOS command-line packet sniffer
5. CommViewer
Wireshark
Wireshark (formerly Ethereal) is a UNIX- and Windows-based open source network monitoring tool. Stable release is 1.2.4. Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the networks supported by pcap.
Data can be captured "from the wire" from a live network connection or read from a file that records already-captured packets.
Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
Decodes over 750 protocols.
Compatible with many other sniffers.
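Wireshark, tcpdump and WinDump all read and write the libpcap capture file format referred to above, and the "understanding" of protocol structure described here is a chain of dissectors. The following added example (written for this page; it is not code from Wireshark, tcpdump or libpcap) builds one Ethernet/IPv4/TCP frame in memory, wraps it in a pcap file, then parses the file and dissects the frame the way a sniffer's decoder does, including verifying the IPv4 header checksum. The MAC addresses, ports and HTTP payload are constructed; the two IP addresses are the ones visible in the slide's Wireshark screenshot.

```python
# Added example: read the classic libpcap file format and dissect
# Ethernet/IPv4/TCP, as a sniffer's decoder does. Not code from Wireshark,
# tcpdump or libpcap. The capture is constructed in memory so it runs offline.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # magic of the classic pcap file, native byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read in the opposite byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct one Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Global header (24 bytes) followed by a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp, frame) per record; the magic tells us the byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_frame(frame: bytes) -> dict:
    """Dissect Ethernet -> IPv4 -> TCP and return the fields a packet list shows."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info.update(ip_src=socket.inet_ntoa(s), ip_dst=socket.inet_ntoa(d), ttl=ttl,
                proto=proto, ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    if proto != IPPROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    info.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return info


def summarize(pcap_bytes: bytes) -> list:
    """One line per packet, in the spirit of a sniffer's packet list."""
    lines = []
    for ts, frame in parse_pcap(pcap_bytes):
        p = decode_frame(frame)
        if "sport" not in p:
            lines.append(f"{ts:.6f} {p['eth_src']} -> {p['eth_dst']} type=0x{p['ethertype']:04x}")
            continue
        lines.append(f"{ts:.6f} {p['ip_src']}:{p['sport']} -> {p['ip_dst']}:{p['dport']} "
                     f"TCP flags=0x{p['flags']:03x} len={len(p['payload'])}")
    return lines


# Constructed capture: one HTTP request using the addresses from the screenshot.
SAMPLE_PCAP = build_pcap([build_frame("10.10.39.155", "10.10.3.254", 40123, 80,
                                      b"GET / HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n")])

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP):
        print(line)
```

The same `parse_pcap` will read a file saved by tcpdump or Wireshark in the classic format (pass the file's bytes in), which is a quick way to check that a capture really contains what a GUI claims; the pcapng format Wireshark defaults to nowadays has a different container and is not handled here.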
[Figure: annotated Wireshark screenshot. Callouts: menu bar; display filter specification; listing of all the packets; details of the selected packet header; packet content in hex and ASCII. The selected TCP packet (#43262) is accessing http://en.wikipedia.org with source IP 10.10.39.155; the destination IP for this packet is 10.10.3.254.]
Cain and Abel
Cain and Abel (sometimes called simply "Cain") is a Windows password recovery tool. It can recover many kinds of passwords using network packet sniffing and by cracking various password hashes with dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.
• TCP/UDP Traceroute with DNS Resolver
• Dumping protected storage passwords - reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and MSN Explorer.
• APR (ARP Poison Routing) - enables sniffing on switched networks.
• Sniffer - captures passwords, hashes and authentication information while they are transmitted on the network.
• IP to MAC Address resolver
• Used for remote purposes such as Remote Console, Remote Route Table Manager, Remote TCP/UDP Table Viewer etc.
[Figure: annotated Cain and Abel screenshot. Callouts: Start/Stop Sniffer button; Start/Stop APR; traceroute any web address; sniffer operations; lists network computers with MAC and hostname; lists all computers on the subnet; username, passwords and web address are retrieved; session hijacking; LAN view; WAN; APR poisoning view; status.]
Exploits of Packet Sniffers
One disturbingly powerful aspect of packet sniffers is
their ability to place the hosting machine's network
adapter into "promiscuous mode." Network adapters
running in promiscuous mode receive not only the data
directed to the machine hosting the sniffing software,
but also ALL of the traffic on the physically connected
local network.
By placing a packet sniffer on a network in
promiscuous mode, a malicious intruder can capture
and analyze all of the network traffic. Within a given
network, username and password information is
generally transmitted in clear text which means that
the information would be viewable by analyzing the
packets being transmitted.
How to Detect Sniffing?
There are two basic approaches to detecting sniffers:
1. host based
2. network based
The most direct host-based approach is to determine whether the target system's network card is operating in promiscuous mode. On UNIX, several programs can accomplish this, including Check Promiscuous Mode (cpm).
Sniffers are also visible in the process list and tend to create large log files over time, so simple UNIX scripts using ps and grep can illuminate suspicious sniffer-like activity. But these techniques are not always effective.
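As an added example (not from the slides, and not the cpm program itself), the following Python functions implement the host-based checks just described on a Linux host: the PROMISC flag in `ip -o link show` output and in the interface's sysfs `flags` file (bit 0x100, IFF_PROMISC), the "entered promiscuous mode" line the Linux kernel logs when an interface changes state, and a scan of `ps` output for known sniffer process names. The command outputs embedded below are constructed samples shaped like the real output; `check_live_host` runs the same parsers against the real commands.

```python
# Added example: host-based sniffer checks for a Linux host. Not from the
# slides or from cpm. The command outputs below are constructed samples.
import re
import subprocess

IFF_PROMISC = 0x100   # bit in /sys/class/net/<iface>/flags set for promiscuous mode
KNOWN_SNIFFERS = {"tcpdump", "tshark", "dumpcap", "wireshark", "dsniff", "ettercap", "ngrep"}

IP_LINK_RE = re.compile(r"^\d+:\s+(?P<iface>[^:]+):\s+<(?P<flags>[^>]*)>")
KERNEL_PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_sysfs_flags(text: str) -> bool:
    """cat /sys/class/net/eth0/flags prints a hex value such as 0x1103."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(ip_link_output: str) -> list:
    """Interfaces whose <...> flag list in `ip -o link show` contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("iface"))
    return found


def promisc_events(kernel_log: str) -> list:
    """(iface, 'entered'|'left') pairs the kernel logged (dmesg / journalctl -k)."""
    return [(m.group(1), m.group(2)) for m in KERNEL_PROMISC_RE.finditer(kernel_log)]


def sniffer_processes(ps_output: str) -> list:
    """(pid, user, comm) rows of `ps -eo pid,user,comm` naming a known sniffer."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].strip() in KNOWN_SNIFFERS:
            hits.append((int(parts[0]), parts[1], parts[2].strip()))
    return hits


def check_live_host() -> dict:
    """Run the same checks against the local host (needs iproute2 and procps)."""
    link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "-eo", "pid,user,comm"], capture_output=True, text=True).stdout
    return {"promisc": promisc_interfaces(link), "sniffers": sniffer_processes(ps)}


# Constructed sample output, shaped like the real commands' output.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN\\    link/loopback 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 52:54:00:12:34:56
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 52:54:00:ab:cd:ef
"""
SAMPLE_KERNEL_LOG = "[  812.441019] device eth0 entered promiscuous mode\n"
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     systemd
 4213 root     tcpdump
 4500 alice    bash
"""

if __name__ == "__main__":
    print("promiscuous:", promisc_interfaces(SAMPLE_IP_LINK))
    print("kernel events:", promisc_events(SAMPLE_KERNEL_LOG))
    print("sniffer processes:", sniffer_processes(SAMPLE_PS))
```

These are exactly the checks the slide calls "not always effective": a renamed binary defeats the process-name match, a rootkit can filter what `ps` shows, and a capture driver can be taken out of promiscuous mode between polls, which is why the kernel log entry is worth shipping to a central log server and why the network-side MAC-change check on the next slide should be run alongside.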
Check whether the MAC address of some machine (such as a router) has changed.
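One way to implement both this MAC-change check and detection of the forged ARP replies described under "ARP Spoofing or ARP Poisoning" above, as an added example (not code from the slides, Cain & Abel or Ettercap): an arpwatch-style monitor that keeps a baseline of IP-to-MAC bindings, pins the default gateway, and raises an alert when a known address starts answering from a different MAC or when a reply arrives that no recent request asked for. The ARP records it processes are constructed; the gateway address is the one in the Wireshark screenshot and the router MAC is made up.

```python
# Added example: ARP watchdog that detects a changed router MAC and
# unsolicited ARP replies. Not code from the slides or from any named tool;
# the ARP records it processes here are constructed.
from collections import namedtuple

# One observed ARP packet: op is "request" or "reply"
Arp = namedtuple("Arp", "ts op sender_ip sender_mac target_ip")


class ArpWatch:
    def __init__(self, gateway_ip, baseline, request_window=2.0):
        self.gateway_ip = gateway_ip
        self.bindings = dict(baseline)          # ip -> mac, seeded with known hosts
        self.pinned = set(baseline)             # baseline entries are never overwritten
        self.pending = {}                       # target ip -> time of last request
        self.request_window = request_window    # seconds a reply may follow a request
        self.alerts = []

    def observe(self, pkt):
        if pkt.op == "request":
            self.pending[pkt.target_ip] = pkt.ts
            return
        if pkt.op != "reply":
            return
        asked_at = self.pending.get(pkt.sender_ip)
        if asked_at is None or pkt.ts - asked_at > self.request_window:
            # A reply nobody asked for is how poisoned entries usually arrive
            self.alerts.append(("unsolicited-reply", pkt.sender_ip, pkt.sender_mac))
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            kind = "gateway-mac-changed" if pkt.sender_ip == self.gateway_ip else "mac-changed"
            self.alerts.append((kind, pkt.sender_ip, f"{known} -> {pkt.sender_mac}"))
            if pkt.sender_ip not in self.pinned:
                self.bindings[pkt.sender_ip] = pkt.sender_mac


GATEWAY = "10.10.3.254"
BASELINE = {GATEWAY: "00:11:22:33:44:55"}   # constructed router MAC


def run_sample():
    """Feed a constructed sequence: a normal exchange, then a bogus gateway reply."""
    w = ArpWatch(GATEWAY, BASELINE)
    for pkt in [
        Arp(0.0, "request", "10.10.39.155", "aa:aa:aa:aa:aa:01", GATEWAY),
        Arp(0.1, "reply", GATEWAY, "00:11:22:33:44:55", "10.10.39.155"),
        Arp(5.0, "reply", GATEWAY, "de:ad:be:ef:00:01", "10.10.39.155"),
        Arp(5.1, "request", GATEWAY, "00:11:22:33:44:55", "10.10.39.155"),
        Arp(5.2, "reply", "10.10.39.155", "aa:aa:aa:aa:aa:01", GATEWAY),
    ]:
        w.observe(pkt)
    return w.alerts, w.bindings


if __name__ == "__main__":
    alerts, bindings = run_sample()
    for alert in alerts:
        print(*alert)
    print(bindings)
```

Pinning the gateway in the baseline is the monitoring counterpart of the usual countermeasure, a static ARP entry for the router on each host: the watchdog keeps reporting the real MAC rather than adopting the forged one. A planned router replacement trips the same alert, so the baseline has to be updated as part of that change. On a live network the `Arp` records would come from a capture filtered to ARP frames (for example through the pcap library the slides mention).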
Countermeasures
[Figure: Host A and Host B communicating through Router A and Router B.]