
Sniffer Buster-Computer Sciences Applications-Project Report, Study Guides, Projects, Research of Applications of Computer Sciences

This project report is part of degree completion in computer science at Ambedkar University, Delhi. Its main points are: Sniffer, Buster, Shared, Network, Interface, Filters, Cache, Poisoning, Flooding, Duplicating, Stealing

Typology: Study Guides, Projects, Research

2011/2012

Uploaded on 07/16/2012

sameer
Partial preview of the text

Table of Contents

- Table of Contents
- List of Tables
- List of Figures
- Abstract
- Project Time Line
- 1. Sniffing in shared Networks
  - 1.1 Types of Network Interface Card (NIC) Filters
    - 1.1.1 Unicast
    - 1.1.2 Multicast
    - 1.1.3 All multicast
    - 1.1.4 Broadcast
  - 1.2 Promiscuous mode of Sniffing
  - 1.3 IP based Sniffing
  - 1.4 MAC based Sniffing
- 2. Sniffing in Switched networks
  - 2.1 ARP Cache poisoning MAN in the Middle
  - 2.2 MAC Flooding
  - 2.3 MAC Duplicating / Port Stealing
- References

List of Tables

- Table 1-1 Packet processing difference for IP
- Table 1-2 Packet Processing Difference for MAC

Project Time Line

The project time line is shown in the table below. [The time line table is not included in this preview.]

Chapter 1
1. Sniffing in shared Networks

In a shared Ethernet every entity (host/computer) is connected to a shared medium; usually hubs are used to connect the hosts. A packet sent to one host is available to all the hosts present in the network, but it works as if only the targeted host or set of hosts receives the packet. Communication in a shared Ethernet uses broadcasting, i.e. the data sent over the network is available to all hosts. Every data packet in Ethernet contains an Ethernet header that consists of:

- Source MAC
- Destination MAC
- Ethernet Type (= 0x0806 for an ARP message)

Figure 1-1 below shows an Ethernet header and the structure of an Ethernet packet. The Destination Host field holds the Ethernet destination host address (bytes 0-5, 6 bytes), Source Host holds the Ethernet source host address (bytes 6-11, 6 bytes), Ethernet Type holds the Ethernet packet type, i.e. 0x0806 for ARP (12-14, 6 byte), and the part below is the packet's other data.

Figure 1-1 Ethernet Packet Header

Communication in Ethernet depends on the MAC or physical addresses of the Network Interface Cards (NICs), which consist of 6 bytes of hexadecimal code separated by colons into groups of two or more.
Technically speaking, every network interface card in the world contains a unique physical or MAC address which is built in and allotted during manufacturing by the company that produces it. The NIC also contains a cache that is used to store the physical and IP addresses of the other hosts present in the network.

Every time a new machine/host in the Ethernet communicates with any other host, its MAC and IP addresses are added into the cache of the NIC card. In Ethernet, ARP (Address Resolution Protocol) plays an important role in communication and data transfer between the machines. ARP is mainly defined by RFC 286. ARP is used to map MAC addresses to IP addresses. More about ARP is described in the later part of this report; here an example is given of how IP and MAC addresses are resolved using ARP. For this purpose, let there be a host A with IP address 172.30.10.5 and MAC address ab:cd:ef:gh:ij:kl that wants to communicate with another host in the network that has IP address 172.30.10.7 and an unknown MAC address. The setup is shown in figure 1-2 below.

Figure 1-2 Setup before communication starts

Now host A constructs an ARP request packet that has A's IP and MAC address and B's IP address, but with the MAC address FF:FF:FF:FF:FF:FF, which is the broadcast address, so that everyone in the Ethernet can get the packet. The packet will be available at all ports, but only one host, in this case host B, will receive the packet, as it contains the IP address of B. All other hosts will ignore the message because of the difference in IP addresses. When host B receives the message it […]

[Figure residue: host tables listing IPs and MACs, 172.30.10.7 aa:00:01:00:00:22 and 172.30.10.5 ab:cd:ef:gh:ij:kl]

1.2 Promiscuous mode of Sniffing

The purpose of sniffing is achieved only by putting the network card into promiscuous mode of operation, in both Ethernet environments, shared and switched.
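The frame layout and the host A / host B resolution described above, as an added example that is not code from the report: a builder and parser for Ethernet frames carrying ARP. The field layout assumed here is the standard one (IEEE 802.3 header with a 2-byte EtherType at bytes 12-13, then the 28-byte ARP body of RFC 826), which differs from the field sizes listed in the report. The MAC addresses are constructed sample values, since the report's ab:cd:ef:gh:ij:kl is not valid hexadecimal; the IP addresses are the report's.

```python
"""Ethernet/ARP frame builder and parser.

Added example, not code from the report. Field layout follows the IEEE 802.3 header and
RFC 826 (ARP): dst MAC bytes 0-5, src MAC 6-11, EtherType 12-13 (2 bytes), then a 28-byte
ARP body for IPv4-over-Ethernet. MAC addresses used below are constructed sample values.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return b


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Return a raw 42-byte frame: an ARP request (op=1, sent to the broadcast MAC, as in
    the host A / host B example) or an ARP reply (op=2, sent unicast to the target MAC)."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the operation code
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EtherType 0x0806, the ARP body."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12]), "ethertype": etype}
    if etype == ETHERTYPE_ARP:
        if len(frame) < 42:
            raise ValueError("truncated ARP packet")
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("only IPv4-over-Ethernet ARP is handled here")
        body = frame[22:42]
        out["arp"] = {
            "op": op,
            "sender_mac": bytes_to_mac(body[0:6]),
            "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
            "target_mac": bytes_to_mac(body[10:16]),
            "target_ip": str(ipaddress.IPv4Address(body[16:20])),
        }
    return out


# Constructed MACs for the report's host A (172.30.10.5) and host B (172.30.10.7).
HOST_A = ("02:00:00:00:00:0a", "172.30.10.5")
HOST_B = ("02:00:00:00:00:0b", "172.30.10.7")


def resolve_exchange() -> tuple:
    """Figure 1-2 exchange: A broadcasts a request for B's MAC, B answers unicast."""
    request = build_arp(ARP_REQUEST, HOST_A[0], HOST_A[1], ZERO_MAC, HOST_B[1])
    reply = build_arp(ARP_REPLY, HOST_B[0], HOST_B[1], HOST_A[0], HOST_A[1])
    return parse_frame(request), parse_frame(reply)


if __name__ == "__main__":
    for name, pkt in zip(("request", "reply"), resolve_exchange()):
        print(name, pkt)
```

The parser rejects short frames and non-IPv4 ARP variants instead of reading past the buffer, which is the check a capture tool needs before it trusts anything in the ARP body.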
In a shared Ethernet one way of sniffing is putting the network card into promiscuous mode and sniffing all the traffic present in the network. In promiscuous mode the network interface card does not use the MAC and IP filters to identify the packets; instead all data packets are passed on to the operating system's kernel, where further processing is done. Figure 1-5 below shows promiscuous mode sniffing: H1 (host 1), H2 (host 2) and H3 (host 3) are in normal mode, but H4 (host 4) is in promiscuous mode and gets all the packets.

Figure 1-5 Normal vs Promiscuous mode

Considering the figure, H1, H2 and H3 will get only the traffic that is destined for them, but H4 will get all the traffic sent by any other host, whether H1 sends to H2, H2 sends to H3, H1 sends to H3, or vice versa.

1.3 IP based Sniffing

This is meant as the original type of sniffing. In IP based sniffing the network card is first put into promiscuous mode, then the packets are captured by comparing the source IP addresses of the packets using an IP filter. The IP filter can filter the data for one or more IP addresses at the same time; that is how we can sniff/capture the data coming from one or more machines/hosts. This technique is used for sniffing the data of one or more specific hosts targeted by the user. See table 1-1 for the difference in packet processing.

1.4 MAC based Sniffing

MAC based sniffing is another type of sniffing that is done by putting the network card into promiscuous mode and using a MAC address filter that filters the traffic based on the MAC addresses given to the filter. In this way we can also sniff/capture the data coming from one or more hosts. Not all the data is captured, only the data that is needed, i.e. the data coming from the target host at that time. Table 1-2 shows the packet processing.
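Sections 1.2 to 1.4 describe where each check happens: MAC matching in the NIC in normal mode, nothing in the NIC in promiscuous mode, and the IP or MAC capture filter applied afterwards in software. The following is an added example, not code from the report, that models that split on the figure 1-5 setup with constructed addresses and frames (no real interface is opened). It also goes one step beyond the report, from the defender's side: because a promiscuous NIC skips its MAC check, a host can be probed with an ARP request for its IP carried in a frame addressed to a MAC nobody owns; only a promiscuous host hands that frame to the kernel and answers. The model follows the report's tables, in which the kernel checks only the IP layer; real operating systems apply additional checks, so results differ by stack. All names (Host, nic_accepts, capture, promisc_probe) are this example's own.

```python
"""NIC filter modes and capture filters from sections 1.1-1.4, as an executable model.

Added example, not code from the report. Frames are already-decoded dicts constructed below
(no real interface is opened). Normal mode: the NIC passes only frames addressed to its own
MAC, the broadcast MAC, or a multicast group it joined. Promiscuous mode: every frame goes
up to the kernel; an IP or MAC capture filter then picks the source hosts of interest.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False
    multicast_groups: set = field(default_factory=set)


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first byte) set, and not the broadcast address."""
    return mac != BROADCAST and int(mac.split(":")[0], 16) & 1 == 1


def nic_accepts(host: Host, frame: dict) -> bool:
    """Hardware filter of tables 1-1/1-2: MAC matching in normal mode, none in promiscuous mode."""
    if host.promiscuous:
        return True
    dst = frame["dst"]
    return dst == host.mac or dst == BROADCAST or (is_multicast(dst) and dst in host.multicast_groups)


def capture(host: Host, frames: list, ip_filter: set = None, mac_filter: set = None) -> list:
    """Sniffer view: NIC filter first, then the software IP filter (1.3) or MAC filter (1.4),
    both matching on the source of each frame."""
    seen = []
    for f in frames:
        if not nic_accepts(host, f):
            continue
        if ip_filter is not None and f.get("src_ip") not in ip_filter:
            continue
        if mac_filter is not None and f["src"] not in mac_filter:
            continue
        seen.append(f)
    return seen


def kernel_arp_reply(host: Host, frame: dict):
    """Kernel side: answer an ARP request for our own IP. Simplified model in which the
    kernel checks only the IP layer, as in the report's tables; real stacks add checks."""
    if not nic_accepts(host, frame) or frame["ethertype"] != ETHERTYPE_ARP:
        return None
    arp = frame["arp"]
    if arp["op"] != ARP_REQUEST or arp["target_ip"] != host.ip:
        return None
    return {"dst": arp["sender_mac"], "src": host.mac, "ethertype": ETHERTYPE_ARP,
            "arp": {"op": ARP_REPLY, "sender_mac": host.mac, "sender_ip": host.ip,
                    "target_mac": arp["sender_mac"], "target_ip": arp["sender_ip"]}}


def promisc_probe(host: Host, prober_mac="02:00:00:00:00:99", prober_ip="172.30.10.250") -> bool:
    """Defender's check for a promiscuous host: an ARP request for host.ip inside a frame whose
    destination MAC (ff:ff:ff:ff:ff:fe, constructed) belongs to nobody. A normal-mode NIC drops
    it; a promiscuous one hands it to the kernel, which answers for its IP."""
    probe = {"dst": "ff:ff:ff:ff:ff:fe", "src": prober_mac, "ethertype": ETHERTYPE_ARP,
             "arp": {"op": ARP_REQUEST, "sender_mac": prober_mac, "sender_ip": prober_ip,
                     "target_mac": "00:00:00:00:00:00", "target_ip": host.ip}}
    return kernel_arp_reply(host, probe) is not None


# Figure 1-5 setup with constructed addresses: H1-H3 in normal mode, H4 in promiscuous mode.
H1 = Host("02:00:00:00:00:01", "172.30.10.1")
H2 = Host("02:00:00:00:00:02", "172.30.10.2")
H3 = Host("02:00:00:00:00:03", "172.30.10.3")
H4 = Host("02:00:00:00:00:04", "172.30.10.4", promiscuous=True)


def ip_frame(src: Host, dst: Host) -> dict:
    return {"dst": dst.mac, "src": src.mac, "ethertype": ETHERTYPE_IP, "src_ip": src.ip, "dst_ip": dst.ip}


TRAFFIC = [ip_frame(H1, H2), ip_frame(H2, H3), ip_frame(H1, H3)]  # constructed sample traffic


def figure_1_5_counts() -> dict:
    """How many of the three frames each host sees, plus H4 narrowed by an IP and a MAC filter."""
    return {
        "H2": len(capture(H2, TRAFFIC)),
        "H3": len(capture(H3, TRAFFIC)),
        "H4": len(capture(H4, TRAFFIC)),
        "H4_ip_filter_H1": len(capture(H4, TRAFFIC, ip_filter={H1.ip})),
        "H4_mac_filter_H2": len(capture(H4, TRAFFIC, mac_filter={H2.mac})),
    }


if __name__ == "__main__":
    print(figure_1_5_counts())
    print({h.ip: promisc_probe(h) for h in (H1, H2, H3, H4)})
```

The probe result is only an indicator: a host that answers is passing frames through a NIC that is not checking destination MACs, which is exactly the state the tables describe for promiscuous mode, but a silent host may simply be running a stack with stricter software checks.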
Table 1-1 Packet processing difference for IP (rows are packet processing steps)

IP based filtering    | Normal mode           | Promiscuous mode
----------------------|-----------------------|-----------------------
Others…               | Others…               | Others…
IP filter             | IP matching/checks    | NO IP matching/checks
MAC matching/checks   | MAC matching/checks   | NO MAC matching/checks

Table 1-2 Packet Processing Difference for MAC (rows are packet processing steps)

MAC based filtering   | Normal mode           | Promiscuous mode
----------------------|-----------------------|-----------------------
Others…               | Others…               | Others…
NO IP matching/checks | IP matching/checks    | NO IP matching/checks
MAC matching/checks   | MAC matching/checks   | NO MAC matching/checks

Chapter 2
2. Sniffing in Switched networks

Ethernet is a broadcast protocol by nature, and everyone can receive data coming from any other machine. Sniffing in a shared Ethernet is therefore very easy, as hubs do nothing to limit the broadcast nature of Ethernet and we just have to connect to it. Systems connected through switches, however, do have their communication limited. Traffic is no longer broadcast over the network; instead switches keep track of the addresses of the devices connected to their ports. To do this, switches have a cache, and they know at which specific port the device with a specific MAC address is connected. This is not meant as a security feature but as a performance feature of the switch that limits the extra traffic over the network. Switches limit the ARP traffic using the cache of MAC and IP addresses. When a new device is attached to a switch port and communication begins, the switch refreshes its table and enters the new entry. Sniffing can also be done in a switched Ethernet because ARP is a stateless protocol and does not keep track of its communication. Most of the sniffing techniques are based on this feature of ARP. The techniques of sniffing in a switched network/Ethernet are described below.

2.1 ARP Cache poisoning MAN in the Middle

There are four main types of ARP packets that are used to communicate within Ethernet.
- ARP request: an ARP request packet is used to learn the MAC/physical address of another machine; it is usually sent as a broadcast packet.
- ARP reply: an ARP reply packet gives the MAC address of the destination host to the requesting one.

[…]

Here we consider that victim1 and victim2 are communicating with each other as shown in figure 2-3, and we have to intercept and steal the data passing between them. In the first step we (the attacker) manipulate the ARP cache of victim1 so that it sends traffic to the attacker instead of to victim2.

Figure 2-3 Setup for ARP cache poisoning attack

The attacker constructs a packet that is an ARP reply packet and forces an update in the cache of victim1. The ARP packet contains the IP address of victim2 (192.30.10.3) but the MAC address of the attacker. When victim1 constructs a packet that it has to send to victim2, it looks up the address in its cache, but because of the manipulation made by the ARP reply packet the cache holds the IP address of victim2 with the MAC of the attacker. Victim1 uses that address and sends the data over the network, and the switch delivers it to the attacker because of the MAC address. Now the data is coming directly to the attacker instead of going towards victim2, as shown in figure 2-4.

Figure 2-4 Status after poisoning victim1's cache

Half of the work is done. Now, to hide the attacker so that victim2 does not notice that data is not reaching its destination, the packets are forwarded to victim2. This can be done easily by enabling the IP forwarding functionality available in operating systems. In this way only one-way traffic can be captured by the attacker; to capture the full session the same method is used to poison the ARP cache of victim2 so that its data also passes through the attacker.
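The two poisoning steps above leave a trace that a passive monitor on the segment can see: replies that answer no request, an IP whose MAC suddenly changes, and one MAC claiming the IPs of both victims. The following is an added example, not code from the report, that runs those three checks over decoded ARP records. The scenario is constructed: victim2's IP 192.30.10.3 is the report's, the other addresses and the ArpWatcher class are this example's own.

```python
"""Passive ARP poisoning detector for the two-step attack of section 2.1.

Added example, not code from the report. Input is a list of decoded ARP records in wire order
(constructed below); nothing is sent. Three signals a monitoring host on the segment can see:
  unsolicited_reply  a reply that answers no recent request from its target
  binding_change     an IP already bound to one MAC is now claimed by another
  mac_multiple_ips   one MAC claims more than one IP (figure 2-5: the attacker's MAC
                     stands in for both victims)
"""
from collections import defaultdict, deque

ARP_REQUEST, ARP_REPLY = 1, 2


def arp(op, sender_mac, sender_ip, target_mac, target_ip) -> dict:
    return {"op": op, "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_mac": target_mac, "target_ip": target_ip}


class ArpWatcher:
    def __init__(self, pending_window: int = 64):
        self.bindings = {}                           # ip -> first MAC seen for it
        self.claims = defaultdict(set)               # mac -> IPs it has claimed
        self.pending = deque(maxlen=pending_window)  # (requester_ip, requested_ip)
        self.alerts = []

    def observe(self, rec: dict) -> None:
        if rec["op"] == ARP_REQUEST:
            self.pending.append((rec["sender_ip"], rec["target_ip"]))
        elif rec["op"] == ARP_REPLY:
            # A genuine reply matches a request the target sent for the sender's IP.
            key = (rec["target_ip"], rec["sender_ip"])
            if key in self.pending:
                self.pending.remove(key)
            else:
                self.alerts.append(("unsolicited_reply", rec["sender_ip"], rec["sender_mac"]))
        else:
            return
        # Both requests and replies announce the sender's own IP/MAC pair.
        self._check_claim(rec["sender_ip"], rec["sender_mac"])

    def _check_claim(self, ip: str, mac: str) -> None:
        known = self.bindings.setdefault(ip, mac)   # keep the first binding as the baseline
        if known != mac:
            self.alerts.append(("binding_change", ip, known, mac))
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(("mac_multiple_ips", mac, tuple(sorted(self.claims[mac]))))


# Constructed sample: victim2's IP 192.30.10.3 comes from the report, the rest is made up.
V1_IP, V1_MAC = "192.30.10.2", "02:00:00:00:00:01"
V2_IP, V2_MAC = "192.30.10.3", "02:00:00:00:00:02"
ATK_MAC = "02:00:00:00:00:aa"

SCENARIO = [
    arp(ARP_REQUEST, V1_MAC, V1_IP, "00:00:00:00:00:00", V2_IP),  # victim1 asks who has victim2
    arp(ARP_REPLY, V2_MAC, V2_IP, V1_MAC, V1_IP),                 # genuine answer from victim2
    arp(ARP_REPLY, ATK_MAC, V2_IP, V1_MAC, V1_IP),                # step 1: forged reply poisons victim1
    arp(ARP_REPLY, ATK_MAC, V1_IP, V2_MAC, V2_IP),                # step 2: forged reply poisons victim2
]


def run_scenario(records=SCENARIO) -> list:
    w = ArpWatcher()
    for rec in records:
        w.observe(rec)
    return w.alerts


if __name__ == "__main__":
    for a in run_scenario():
        print(a)
```

The baseline here is simply the first binding seen, so the watcher must start before the attacker does; in practice it is seeded from an inventory or DHCP lease table, and on managed switches the same IP-to-MAC check is enforced inline by dynamic ARP inspection, which drops the forged replies rather than only reporting them.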
After poisoning, victim2's cache also contains the IP address of victim1 with the MAC address of the attacker, as shown in figure 2-5, so victim2 sends its data to the attacker and the attacker forwards the traffic to victim1.

Figure 2-5 Status after poisoning cache of victim1 and victim2

This is how the man in the middle attack completes. In this part the attacker is playing the role of the man in the middle.

2.2 MAC Flooding

Every switch in an Ethernet contains a table of MAC address entries that it uses to map against its physical ports. By mapping MAC addresses to physical ports, the switch sends packets only to the destined host and to no other. This is how packets are routed intelligently by switches, as shown in figure 2-6 below.

[…]

2.3 MAC Duplicating / Port Stealing

[…]

Target: MAC address: tt:00:00:00:00:02

Then the packet will contain:

- Sender's MAC address: tt:00:00:00:00:02
- Receiver's MAC address: aa:00:00:00:00:01

In other words the attacker that is actually sending the packet is, according to the destination address in the receiver's field, also the receiver of the packet, and is sending the packets to itself. But this is just to fool the switch. The attacker floods the switch with such packets, but this flooding is different from the MAC flooding used in the previous section. As the destination of the packet is the attacker itself, the packets are sent back to the attacker and no other host is able to notice the presence of such packets, as shown in figure 2-8. In the figure Host3 is doing the flooding.

Figure 2-8 MAC flooding for Port Stealing attack

Now when data packets destined for the target host come to the switch, a race condition starts, as the target host will send packets too. The switch notices that the same MAC address is available at two of its ports and then constantly changes the binding of the MAC address to the port, but it binds one port to one MAC address at a time.
Now if the attacker is faster than the target, it wins and gets the packets intended for the target. This is not the end: the attacker sends an ARP request packet for the IP address of the target to check whether the port is still in the attacker's use or has been restored, and stops flooding. If a reply comes, it means the port has been restored, so the attacker starts flooding again, and this process continues. This is how ports can be stolen in the network and packets are captured or data is sniffed.
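Both attacks in sections 2.2 and 2.3 show up in the one thing the switch already tracks, its MAC-to-port table: flooding puts an abnormal number of source MACs behind a single port, and port stealing makes one MAC flap between the target's port and the attacker's. The following is an added example, not code from the report, that replays constructed (port, source MAC) sequences through a table monitor and raises an alert for each pattern while staying quiet for a host that simply moves once. Port numbers, MACs, thresholds and the SwitchMonitor class are this example's own.

```python
"""Switch forwarding-table monitor for the MAC flooding (2.2) and port stealing (2.3) patterns.

Added example, not code from the report. Input is a sequence of (ingress_port, source_mac)
pairs in arrival order (constructed below), the same information a switch uses to learn its
MAC-to-port table. Two alerts:
  mac_flood  a port has sourced more distinct MACs than max_per_port (the limit that
             port-security features on managed switches enforce)
  mac_flap   one MAC changed port at least flap_threshold times within the last
             flap_window frames, the target/attacker race of port stealing
"""
from collections import defaultdict, deque


class SwitchMonitor:
    def __init__(self, max_per_port: int = 8, flap_window: int = 50, flap_threshold: int = 3):
        self.max_per_port = max_per_port
        self.flap_window = flap_window
        self.flap_threshold = flap_threshold
        self.table = {}                     # mac -> port currently bound
        self.port_macs = defaultdict(set)   # port -> every mac learned on it
        self.moves = defaultdict(deque)     # mac -> frame indices at which it changed port
        self.alerts = []
        self._flagged = set()               # one alert per (kind, subject)
        self._frames = 0

    def learn(self, port: int, mac: str) -> None:
        self._frames += 1
        prev = self.table.get(mac)
        self.table[mac] = port
        self.port_macs[port].add(mac)
        # Flooding: too many distinct sources behind one port.
        n = len(self.port_macs[port])
        if n > self.max_per_port and ("mac_flood", port) not in self._flagged:
            self._flagged.add(("mac_flood", port))
            self.alerts.append(("mac_flood", port, n))
        # Port stealing: the same MAC keeps turning up on another port.
        if prev is not None and prev != port:
            m = self.moves[mac]
            m.append(self._frames)
            while m and m[0] <= self._frames - self.flap_window:
                m.popleft()
            if len(m) >= self.flap_threshold and ("mac_flap", mac) not in self._flagged:
                self._flagged.add(("mac_flap", mac))
                self.alerts.append(("mac_flap", mac, len(m)))

    def run(self, frames) -> list:
        for port, mac in frames:
            self.learn(port, mac)
        return self.alerts


# Constructed topology: target on port 1, another host on port 2, attacker on port 3.
TARGET_MAC = "02:00:00:00:00:02"
OTHER_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:aa"
BASELINE = [(1, TARGET_MAC), (2, OTHER_MAC), (3, ATTACKER_MAC)]


def flood_scenario() -> list:
    """Section 2.2: port 3 sources 12 distinct made-up MACs after the baseline traffic."""
    frames = BASELINE + [(3, f"02:00:00:00:01:{i:02x}") for i in range(12)]
    return SwitchMonitor(max_per_port=8).run(frames)


def port_stealing_scenario() -> list:
    """Section 2.3: frames carrying the target's MAC arrive from port 3 while the target
    keeps sending from port 1, so the binding flaps 1 -> 3 -> 1 -> 3."""
    frames = BASELINE + [(3, TARGET_MAC), (1, TARGET_MAC), (3, TARGET_MAC), (1, TARGET_MAC)]
    return SwitchMonitor(flap_threshold=3).run(frames)


def laptop_move_scenario() -> list:
    """A host that moves once to another port is a normal event and must not alert."""
    frames = BASELINE + [(2, OTHER_MAC), (4, OTHER_MAC), (4, OTHER_MAC)]
    return SwitchMonitor().run(frames)


if __name__ == "__main__":
    print(flood_scenario())
    print(port_stealing_scenario())
    print(laptop_move_scenario())
```

On real hardware the equivalent controls are a per-port limit on learned MACs with a shutdown or restrict action, and static table entries for the few hosts (gateway, servers) whose port should never change; the monitor above is the detection-side view of those same rules, usable on the table dumps or SNMP data a switch exports.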