
Sniffer Buster Progress Report-Computer Sciences Applications-Project Report, Study Guides, Projects, Research of Applications of Computer Sciences

This project report is part of degree completion in computer science at Ambedkar University, Delhi. Its main points are: Sniffer, Buster, Promiscuous, Node, Detection, Hardware, Filters, Multicast, Host, Remote, Packet

Typology: Study Guides, Projects, Research

2011/2012

Uploaded on 07/16/2012

sameer

Table of Contents

Table of Contents ... I
List of Tables ... II
List of Figures ... III
Abstract ... IV
Project Time Line ... V
1. Anti Sniffing ... 1
2. Basics of Promiscuous Node Detection ... 2
2.1 NIC Filters ... 2
2.1.1 Hardware Filters ... 2
2.1.1.1 Unicast ... 2
2.1.1.2 Multicast ... 2
2.1.1.3 All Multicast ... 3
2.1.1.4 Broadcast ... 3
2.1.1.5 Promiscuous ... 3
2.1.2 Software Filters ... 3
2.1.2.1 Linux ... 3
2.1.2.2 Microsoft Windows ... 5
3. Detection Techniques ... 9
3.1 Host based Promiscuous mode detection ... 9
3.2 Remote sniffer and promiscuous mode detection ... 10
3.2.1 ARP based Detection Technique ... 10
3.2.1.1 Packet description ... 11
3.2.2 MAC based Detection Techniques ... 12
3.2.3 DNS based Detection Technique ... 13
3.2.4 Network and Machine Latency Techniques ... 13
3.2.4.1 RTT based Detection Technique ... 13
3.2.4.2 Ping drop technique ... 15
3.2.5 Decoy method based on FTP, Telnet and POP3 ... 16
3.2.6 Conclusions ... 16
4. References ... 17

List of Tables

Table 2-1 Normal mode vs. Promiscuous mode packet filtering of Linux ... 4
Table 2-2 Normal vs. Promiscuous mode software based packet filtering of Windows and Linux ... 8
Table 3-1 ARP packet structure ... 11

Project Time Line

The project time line is shown in the table below.

[Gantt chart of the project time line, running from May to June of the following year; not reproduced in this preview]

Chapter 1

1. Anti Sniffing

Sniffers are now common tools used to steal data from a network, so there is a need to stop this kind of activity, which harms individuals as well as organizations.
Anti-sniffing is the activity of detecting or preventing sniffing in a network. Sniffing is done using software tools called sniffers. Sniffers are freely available and use different kinds of techniques, e.g. IP based sniffing, MAC based sniffing, etc. Sniffers and sniffing techniques were described in detail in the midterm progress report submitted previously. Detecting sniffers or sniffing activity is not an easy task, as they do not generate any traffic of their own that could be used to identify them; instead they capture all the traffic of the network. There are, however, techniques that can be used to detect sniffing activity. To detect a sniffer we have to detect the promiscuous mode of the NIC, because for sniffing to happen the network card must first be in promiscuous mode; this is the fundamental rule of sniffing. Promiscuous and Normal mode are the two basic modes of NIC packet filtering. The upcoming chapter describes the various NIC filters used to filter traffic. NIC filters include hardware and software filters, which work together to deliver the intended data.

[Pages 2 and 3 (hardware filters and the start of section 2.1.2.1 Linux) are not included in this preview.]

- OTHERHOST packets: packets whose destination address is an address other than that of the computer's NIC.

Looking into the ARP module of Linux, it can be seen that it first rejects all OTHERHOST packets and then processes the Broadcast, Multicast and TO_US packets respectively. The table below shows the responses of the hardware and software filters to the different kinds of packets.

Table 2-1 Normal mode vs. Promiscuous mode packet filtering of Linux

Packet type                | Normal mode                     | Promiscuous mode                | ARP module responds
TO_US                      | hardware pass, software pass    | hardware pass, software pass    | yes, in both modes
OTHERHOST                  | hardware rejects                | hardware pass, software rejects | no, in either mode
Broadcast                  | hardware pass, software pass    | hardware pass, software pass    | yes, in both modes
Multicast (not in table)   | hardware rejects                | hardware pass, software pass    | only in promiscuous mode

TO_US packets pass through the software and the hardware filter irrespective of whether the NIC is in Normal or Promiscuous mode, so the ARP module responds regardless of mode. OTHERHOST packets are rejected by the hardware filter in Normal mode; in Promiscuous mode they pass the hardware filter but are rejected by the software filter, so in either mode they are rejected. Broadcast packets pass through both filters irrespective of the mode. Multicast packets whose address is not present in the multicast table are rejected in Normal mode, but in Promiscuous mode they pass through the hardware as well as the software filter even though the address is not in the list. The software filter lets them through because it does not block multicast packets when the group bit is on, regardless of the address being false. Because of this, such packets can be used to detect promiscuous mode.

2.1.2.2 Microsoft Windows

As Microsoft Windows is closed source, different experiments, discussed in references [2] and [4], were performed to check the response of its software filter. The hardware addresses used to probe the response of the software filter are listed below with their descriptions.

- Broadcast address FF:FF:FF:FF:FF:FF (Br): This is the broadcast address, so every node in the network should receive it and respond to it. ARP request packets use the broadcast address.
- Fake broadcast address FF:FF:FF:FF:FF:FE (B47): This is a fake broadcast address with the last bit cleared. It is used to check whether the software filter examines all bits of the address, and whether the host will respond or not.
- Fake broadcast 16 bits FF:FF:00:00:00:00 (B16): This is also a fake broadcast address in which only the first 16 bits are the same as the broadcast address; the others are set to zero. It checks whether the software filter examines all bits of the address, and whether the host will respond or not.
This address may be classified as a broadcast address and replied to when the filter function only checks the first word of the broadcast address.
- Fake broadcast 8 bits FF:00:00:00:00:00 (B8): This is also a fake broadcast address, with only the first 8 bits the same as the broadcast address. It may also be classified as a broadcast address and replied to if the filter function only checks the first byte of the broadcast address.
- Fake broadcast 4 bits F0:00:00:00:00:00 (B4): This is a fake broadcast address in which only the first 4 bits are the same as the broadcast address. It may be classified as a broadcast address and replied to when the filter function only checks the first 4 bits of the broadcast address.
- Group bit address 01:00:00:00:00:00 (Gr): This is an address with only the group bit set. It checks whether this address is considered a multicast address, as Linux does.
- Multicast address 0 01:00:5E:00:00:00 (M0): Multicast address 0 is usually not used, so it serves as an example of a multicast address not registered in the multicast list of the NIC. The hardware filter should reject this packet. However, the packet may be misclassified as a multicast address when the software filter does not completely check all bits, so the system kernel may reply to it when the NIC is set to promiscuous mode.
- Multicast address 1 01:00:5E:00:00:01 (M1): Multicast address 1 is an address that all hosts in the local network should receive. In other words, the hardware filter passes this kind of packet by default. It is possible that a NIC does not support multicast mode and does not respond, but this hypothesis could not be tested because all the cards available on the market support multicasting. So this checks whether the host supports multicast addresses.
- Multicast address 2 01:00:5E:00:00:02 (M2): Multicast address 2 is used for all routers in the local network. It serves as an example of a multicast address not registered in the multicast list of the NIC. The hardware filter should reject this packet, and it is also not accepted by the software filter. The system kernel checks the hardware result and one notices while the software filter

[Pages 7 and 8, including Table 2-2, are not included in this preview.]

Chapter 3

3. Detection Techniques

The most common techniques used to detect sniffers and machines running in promiscuous mode are described below. These techniques are also referred to as tests.

3.1 Host based Promiscuous mode detection

This method checks, on a Linux host, whether its own NIC is in promiscuous mode. The simple command ifconfig is used; if the machine is clean, the output is similar to the diagram below.

Figure 3-1 Output of ifconfig if machine is not in promiscuous mode [figure not reproduced in this preview]

If the machine is in promiscuous mode, the output of the ifconfig command looks as shown in the diagram below.

Figure 3-2 Output of ifconfig if machine is in promiscuous mode [figure not reproduced in this preview]

However, the ifconfig command can be trojanized, so this method is not useful when that is the case. Some tools exist for this purpose, e.g. cpm (check promiscuous mode).

3.2 Remote sniffer and promiscuous mode detection

The techniques used to detect sniffers and promiscuous mode on other systems in the network are categorized as remote sniffer and promiscuous mode detection techniques. They include:

- ARP based detection technique
- MAC based detection technique
- DNS based detection technique
- Network and machine latency techniques
- Decoy method based on FTP, Telnet and POP3

3.2.1 ARP based Detection Technique

This technique, as its name makes clear, uses ARP packets to detect promiscuous mode and sniffing activity in the network. It works by checking whether the target system responds to ARP packets that it is not meant to process under normal communication.
The results of the experiments described in the previous section make it clear that ARP packets can be used to detect promiscuous nodes in the network, whether they run Windows or Linux. All we have to do is create and send an ARP packet that is only processed and responded to by a suspicious host. Considering the results of the experiments described above, we have to construct an ARP request packet that will be processed by suspicious hosts. According to those results we can use the fake 47 bit or fake 16 bit address to check whether the target system is in promiscuous mode, since packets carrying the fake 47 bit or fake 16 bit address as their destination are only processed if the network card is in promiscuous mode. Hosts that are not in promiscuous mode simply reject these packets.

Now let us see how this technique works. Suppose the suspected target system's IP address is known; we now have to construct a packet that can only pass the filter in promiscuous mode. So we use either the fake broadcast 47 bit or the 16 bit address as the destination hardware address and the known IP address as the target protocol address. The constructed packet looks as given below.

Table 3-1 ARP packet structure [table not reproduced in this preview; its fields are described below]

3.2.1.1 Packet description

1. Usually an ARP request packet carries the broadcast address (FF FF FF FF FF FF) as its destination, which is meant to be received by every host in the network. Here we use the fake address (FF FF FF FF FF FE) instead, so that only a system that is in promiscuous mode will receive this packet.
2. The Ethernet address of the sender is the hardware address of the sender; here 00 11 22 33 44 55 is used.
3. Field 3 contains the protocol type; the protocol type of ARP is 08 06.
4. The hardware address space for Ethernet is 01, placed in field 4.
5. The protocol address space for the Internet Protocol (IP) is 08 00.
6. The byte length of the hardware address is the length of the hardware address in bytes; a hardware address consists of 6 bytes, so 06 is given in field 6.
7. The byte length of an Internet Protocol (IPv4) address is 4 bytes.
8. The opcode is the operation code of the ARP packet: 1 if the packet is an ARP request and 2 if it is an ARP reply. As we are sending an ARP request, its code is 01.

[Pages 12 and 13 (MAC based and DNS based techniques and the start of section 3.2.4.1 RTT based Detection Technique) are not included in this preview.]

the packet. In promiscuous mode packets are passed directly to the software filter of the operating system without lower level hardware filtering, so the round trip time of a packet increases because of the huge amount of data the operating system kernel has to process. This technique uses training data to decide whether a certain machine's NIC is in promiscuous mode or not. The data is collected by first sending packets to a host in normal mode and measuring the time taken to get a response packet. Then the network card of that machine is put into promiscuous mode and the time is measured again by sending the same packets. These measurements are then used to calculate averages, standard deviations and percentages, and these calculated values are what is called the training data. The collected data is divided into two populations, one for normal mode and the other for promiscuous mode. To show that the two averages of the sampled RTT measurements are statistically different enough to represent two different populations (the normal mode and the promiscuous mode populations), the z-statistics model is used. This model allows a judgment about whether or not a host's NIC is set to promiscuous mode. To implement the technique, first the suspicious host must be identified; this can be done with several available tools, such as Nmap. Then a number of request packets are sent to the suspicious host in order to collect the corresponding RTT measurements.
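Returning to the ARP probe of section 3.2.1.1 and the Linux filter behaviour of Table 2-1, the following is an added Python example and not code from the report: it builds the fake-broadcast ARP request field by field, parses it back, and models whether a packet with a given destination address reaches the Linux ARP module in normal or promiscuous mode. The sender MAC is the one from the report; the IP addresses, the target NIC address and the multicast list are constructed values.

```python
import struct

def mac_bytes(mac):
    """'ff:ff:ff:ff:ff:fe' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_probe(dst_mac, src_mac, sender_ip, target_ip):
    """Ethernet frame carrying the ARP request of Table 3-1.
    Comments give the field numbers of section 3.2.1.1."""
    frame = mac_bytes(dst_mac)                          # 1: fake broadcast destination
    frame += mac_bytes(src_mac)                         # 2: sender Ethernet address
    frame += b"\x08\x06"                                # 3: protocol type ARP
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # 4-8: Ethernet, IP, hlen 6, plen 4, request
    frame += mac_bytes(src_mac) + ip_bytes(sender_ip)   # sender hardware / protocol address
    frame += b"\x00" * 6 + ip_bytes(target_ip)          # target hardware unknown, target IP known
    return frame

def parse_arp_probe(frame):
    """Decode a frame back into its fields; rejects anything that is not an
    Ethernet/IPv4 ARP packet of the expected shape."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP header")
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "opcode": opcode,
            "sender_ip": ".".join(str(b) for b in frame[28:32]),
            "target_ip": ".".join(str(b) for b in frame[38:42])}

def linux_arp_module_sees(dst_mac, nic_mac, promiscuous, multicast_list=()):
    """Model of Table 2-1: does a packet with this destination reach the Linux
    ARP module?  nic_mac and multicast_list describe the NIC being probed."""
    dst = mac_bytes(dst_mac)
    if dst == mac_bytes(nic_mac):    # TO_US: passes both filters in either mode
        return True
    if dst == b"\xff" * 6:           # broadcast: passes both filters in either mode
        return True
    if dst[0] & 0x01:                # group bit set: handled as multicast
        # normal mode: the hardware filter needs the address in the multicast table;
        # promiscuous mode: the software filter passes any group-bit address
        return promiscuous or dst_mac.lower() in {m.lower() for m in multicast_list}
    return False                     # OTHERHOST: rejected by hardware (normal) or software (promiscuous)

if __name__ == "__main__":
    # Constructed values: sender MAC from the report, IPs are documentation-range placeholders
    probe = build_arp_probe("ff:ff:ff:ff:ff:fe", "00:11:22:33:44:55", "192.0.2.1", "192.0.2.10")
    print(parse_arp_probe(probe))
    for mode in (False, True):
        print("promiscuous" if mode else "normal",
              linux_arp_module_sees("ff:ff:ff:ff:ff:fe", "00:aa:bb:cc:dd:ee", mode))
```

The B47 address has its group bit set, which is exactly why the model lets it through only in promiscuous mode, matching the report's claim that only promiscuous NICs answer it.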
So far, the suspicious host can be either in normal mode or in promiscuous mode. Two z-statistics are computed to tell the two apart. The first, called the normal mode z-statistics, uses the training data for the normal mode of the suspicious host's OS as the first population and the data collected in the real world as the second population. The second, called the promiscuous mode z-statistics, uses the training data for the promiscuous mode of the suspicious host's OS as the first population and the collected data as the second population. If the normal mode z-statistics is less than the z value, we may conclude with almost 99 percent confidence that the host's NIC is set to normal mode; otherwise the host's NIC is set to promiscuous mode. The figure below shows this decision making process.

Figure 3-4 RTT technique decision making process [figure not reproduced in this preview]

This technique looks good, but it has some limitations. The RTT detection technique is a probabilistic technique. Many known and unknown factors, such as the OS of the suspicious host and the LAN traffic, can considerably affect the results generated by any anti-sniffer based on it. When the LAN is under heavy traffic, the technique can generate a false decision about whether the suspicious host's NIC is set to promiscuous or normal mode; this is due mainly to the RTT measurements taken. In addition, an advanced sniffer may attempt to put heavy traffic on the network to make the anti-sniffer generate false results. Finally, to work appropriately this technique needs to send heavy traffic on the network and then take the RTT measurements, and such traffic may itself damage the network's hosts and services, much like a denial-of-service attack.
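The two-population decision rule of section 3.2.4.1, as an added Python example that is not part of the report: training RTTs for normal and promiscuous mode are summarised into (mean, standard deviation, n), the two z-statistics are computed against a collected sample, and the verdict follows from the normal-mode z-statistic. The RTT values are constructed, and the critical value z_crit = 2.33 (one-sided 99 percent) is an assumption, since the report only speaks of "the z value".

```python
import math
import statistics

def train(rtts):
    """Summarise one training population as (mean, std dev, sample size)."""
    return statistics.fmean(rtts), statistics.pstdev(rtts), len(rtts)

def z_statistic(sample, population):
    """Two-sample z-statistic comparing the mean of the collected RTT sample
    with a training population given as (mean, std dev, n)."""
    p_mean, p_std, p_n = population
    s_mean, s_std, s_n = statistics.fmean(sample), statistics.pstdev(sample), len(sample)
    se = math.sqrt(p_std ** 2 / p_n + s_std ** 2 / s_n)
    if se == 0.0:                      # degenerate populations with no spread
        return 0.0 if s_mean == p_mean else math.inf
    return abs(s_mean - p_mean) / se

def classify(sample, normal_pop, promisc_pop, z_crit=2.33):
    """Decision rule of Figure 3-4: if the normal-mode z-statistic is below the
    critical z value the NIC is judged to be in normal mode, else promiscuous.
    z_crit=2.33 is an assumed one-sided 99 percent threshold.
    Returns (verdict, z_normal, z_promisc) so a caller can inspect both."""
    z_normal = z_statistic(sample, normal_pop)
    z_promisc = z_statistic(sample, promisc_pop)
    verdict = "normal" if z_normal < z_crit else "promiscuous"
    return verdict, z_normal, z_promisc

# Constructed training RTTs in milliseconds (not measurements from the report)
NORMAL_TRAIN = train([0.30, 0.31, 0.29, 0.30, 0.32, 0.28, 0.30, 0.31, 0.29, 0.30])
PROMISC_TRAIN = train([0.45, 0.47, 0.43, 0.46, 0.44, 0.48, 0.42, 0.46, 0.44, 0.45])

if __name__ == "__main__":
    suspect = [0.44, 0.46, 0.45, 0.47, 0.43, 0.45, 0.46, 0.44]   # constructed sample
    print(classify(suspect, NORMAL_TRAIN, PROMISC_TRAIN))
```

Heavy LAN load inflates every RTT in the collected sample and pushes z_normal over the threshold, which is the false-positive case the report warns about.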
3.2.4.2 Ping drop technique

In this technique a large number of ICMP echo packets are sent to the suspicious system and the packets sent are tracked. The response time of the system increases if it is in promiscuous mode, due to the large amount of data processing involved, since all the data from the network is passed directly to the kernel of the operating system. When a large number of ping packets are sent, some or most of them are dropped by the targeted system. The number of dropped packets is calculated, and on the basis of this calculation the decision is made whether the targeted machine is in promiscuous mode or not. This technique also has a limitation: if the network is under heavy traffic, the time may increase because of the heavy load on the network or on intermediate nodes (hub or switch), the packets sent may never reach their destination, and most of the packets may be dropped at intermediate nodes; the decision will then be wrong.

3.2.5 Decoy method based on FTP, Telnet and POP3

In this method false accounts with usernames and passwords are first created, and files whose names attract an attacker are added under these accounts on the servers. Secondly, connections are established and a detector is launched to sniff and analyze the traffic. When the attacker tries to connect to the server using the same username and password, the detector raises an alert that the same name and password have been used by another user, and hence the attacker is detected. This method can be used for all three mentioned servers.

3.2.6 Conclusions

Sniffers are not easy to detect these days; however, there are techniques that can be implemented to detect promiscuous nodes and sniffers in a network. One technique may not be enough to detect a promiscuous node, so a set or combination of techniques can be used to do the task properly without getting false results.