Sniffer
Module Objects
ATHENA
Wiretapping
Sniffer Threats
MAC attack
DHCP attack
ARP poisoning attack
Spoofing Attack
DNS poisoning
Countermeasures
Wiretapping
Wiretapping is the process of monitoring telephone and Internet conversations by a third party.
Attackers connect a listening device (hardware, software, or both) to the circuit between two hosts or two phones to obtain the information passing over it.
Types of Wiretapping:
Passive Wiretapping: only monitors and records the traffic.
Active Wiretapping: monitors and records the traffic and also alters it.
Sniffer Threats
By configuring a network adapter in promiscuous mode, an attacker can capture and analyze all of the traffic on the network.
A packet sniffer can only capture packet information within a given network.
An attacker can steal sensitive information by sniffing the network. Traffic at risk includes:
Email traffic
Web traffic
Telnet traffic
Syslog traffic
Chat sessions
FTP passwords
DNS traffic
Router configuration
Many enterprise network switch ports are left open. An attacker can plug a laptop into an open port, gain access to the network and sniff it easily.
How a sniffer works
The sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
The sniffer can then constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packets.
Hacker attacks on the switch
MAC flooding
DNS poisoning
ARP poisoning
DHCP spoofing
Password sniffing
Spoofing attack
(Diagram: the attacker sends huge traffic to the switch and then asks "will I have something after sniffing?")
Type of sniffing: Passive Sniffing
Passive sniffing means sniffing through a hub; on a hub, the traffic is sent to all ports.
Passive sniffing involves sending no packets, only monitoring the packets sent by the other hosts.
Active sniffing involves sending out multiple network probes to identify access points. Hub usage is outdated today.
(Diagram: hubs and access points are insecure.)
Type of sniffing: Active Sniffing
When sniffing is performed on a switched network, it is known as active sniffing.
Active sniffing relies on injecting packets (ARP) into the network that cause traffic
Techniques used for active sniffing: ARP spoofing, MAC flooding, DHCP starvation, MAC duplicating.
Protocols Vulnerable to Sniffing
Telnet and Rlogin: keystrokes, including user names and passwords, sent in clear text
HTTP: data sent in clear text
SMTP: password and data sent in clear text
POP3: password and data sent in clear text
FTP: password and data sent in clear text
IMAP: password and data sent in clear text
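As an added example (not part of the deck), the frame decoding described under "How a sniffer works" applied to the cleartext protocols listed above: pure-Python parsing of a constructed Ethernet/IPv4/TCP frame, plus a defender-side check that flags traffic on these ports and notes lines that carry credentials. The port table, credential prefixes and the test frames are assumptions constructed for this example.

```python
import struct

# Constructed for this example: TCP ports of the protocols the deck lists as cleartext.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP", 513: "Rlogin"}
CRED_PREFIXES = (b"USER ", b"PASS ", b"LOGIN ", b"Authorization: Basic ")

def decode_frame(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP headers off one raw frame, as a sniffer does."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:              # only IPv4 is decoded here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    info["proto"] = ip[9]
    if ip[9] != 6:                       # only TCP is decoded here
        return info
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    info.update(sport=sport, dport=dport, payload=tcp[data_off:])
    return info

def cleartext_exposure(frame: bytes):
    """Finding for a frame on a cleartext protocol port (None otherwise), noting credential lines."""
    d = decode_frame(frame)
    proto = CLEARTEXT_PORTS.get(d.get("dport")) or CLEARTEXT_PORTS.get(d.get("sport"))
    if proto is None:
        return None
    return {"protocol": proto, "src_ip": d["src_ip"], "dst_ip": d["dst_ip"],
            "credential": d.get("payload", b"").startswith(CRED_PREFIXES)}

def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed test frame (checksums left zero; enough for header decoding)."""
    eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 512, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    ftp = build_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"PASS s3cret\r\n")
    print(cleartext_exposure(ftp))   # FTP finding with credential=True
```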
Tied to the Data Link Layer in the OSI Model
Sniffers operate at the Data Link Layer of the OSI model. They do not adhere to the same rules as applications and services that reside further up the stack.
If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Hardware Protocol Analyzers
A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment.
It captures data packets and analyzes their content according to certain predetermined rules.
It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network.
SPAN Port
MAC Address Flooding
MAC flooding involves flooding the switch with numerous requests.
Switches have limited memory for mapping the various MAC addresses to the physical ports on the switch.
MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up.
The switch then acts as a hub, broadcasting packets to all machines on the network, and the attacker can sniff the traffic easily.
(Diagram: the attacker sends numerous MAC addresses to the switch; the switch behaves like a hub and the attacker receives the users' traffic.)
MAC address / CAM table
All content addressable memory (CAM) tables have a fixed size.
The CAM table stores information such as the MAC addresses available on physical ports together with their associated VLAN parameters.
How CAM works
What happens when the CAM table is full?
Once the CAM table of the switch is full, additional ARP request traffic will flood every port on the switch.
This basically turns the switch into a hub.
This attack will also fill the CAM tables of adjacent switches.
MAC Flooding: macof
macof is a Linux tool that is part of the dsniff collection.
macof sends frames with random source MAC and IP addresses.
The tool floods the switch's CAM table (131000 entries per minute) by sending bogus MAC entries.
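As an added example (not from the deck or from dsniff), a toy model of the CAM-table behaviour described in the MAC flooding slides: a fixed-size table that stops learning when full, so frames to unlearned hosts flood out every port, alongside a port-security style per-port MAC limit and a detection rule over (time, port, source MAC) learning events. The switch model, port numbers and thresholds are constructed assumptions.

```python
from collections import OrderedDict, defaultdict

class Switch:
    """Toy switch with a fixed-size CAM table (constructed model, not vendor code)."""
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports, self.cam_size = set(ports), cam_size
        self.cam = OrderedDict()                    # source MAC -> port it was learned on
        self.max_macs_per_port = max_macs_per_port  # port-security style limit, None = off
        self.err_disabled = set()                   # ports shut down after a violation
        self.floods = 0                             # frames sent out every port

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, mac, port):
        if port in self.err_disabled or mac in self.cam:
            return
        if self.max_macs_per_port and self.macs_on(port) >= self.max_macs_per_port:
            self.err_disabled.add(port)             # violation: shut the offending port
        elif len(self.cam) < self.cam_size:         # a full table simply learns nothing new
            self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Return the set of ports a frame is sent out on."""
        if in_port in self.err_disabled:
            return set()
        self.learn(src, in_port)
        if dst in self.cam:
            return {self.cam[dst]}
        self.floods += 1                            # unknown destination: behave like a hub
        return self.ports - {in_port} - self.err_disabled

def mac_flood_demo(cam_size=8, max_macs_per_port=None):
    """Attacker on port 3 fills the CAM with bogus MACs; then hosts A (port 1) and B (port 2) talk."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size, max_macs_per_port=max_macs_per_port)
    for i in range(cam_size + 5):
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    sw.forward("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", 1)          # A -> B
    return sw.forward("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01", 2)   # B -> A: where does it go?

def new_mac_alerts(events, window=1.0, threshold=20):
    """Detection: ports learning more than `threshold` distinct source MACs in one `window`-second bucket."""
    buckets = defaultdict(set)
    for t, port, mac in events:                     # events: (seconds, port, source MAC)
        buckets[(port, int(t // window))].add(mac)
    return {port for (port, _), macs in buckets.items() if len(macs) > threshold}
```

Without a limit, mac_flood_demo() returns {1, 3}: B's reply to A is flooded to the attacker's port 3 as well; with max_macs_per_port=2 it returns {1}, because port 3 is shut after its third source MAC and A and B are learned normally.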
MAC Flooding: Yersinia
Defend against MAC attacks
How does DHCP operate?
The DHCP server maintains TCP/IP configuration information in a database, such as valid TCP/IP configuration parameters, valid IP addresses and the duration of the lease offered by the server.
It provides address configuration to DHCP-enabled clients in the form of a lease offer.
DHCP Starvation Attack
The attacker broadcasts discovery requests for the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope.
This is a denial-of-service attack using DHCP leases.
The attacker uses Gobbler, which will exhaust the DHCP scope.
(Diagram: the attacker, whose MAC addresses are random, floods the DHCP server with requests while a legitimate client waits.)
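As an added example (not from the deck or from Gobbler), a toy DHCP scope that shows the starvation described above together with a DHCP-snooping style rate check a defender can run over DISCOVER events: the scope hands out a /29, the attacker's changing MACs exhaust it, and a legitimate client then receives no lease until leases expire. The scope model, port names and rate limit are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

class DhcpScope:
    """Toy DHCP server scope (constructed model, not a real DHCP server)."""
    def __init__(self, network, lease_seconds=3600):
        self.free = [str(ip) for ip in ipaddress.ip_network(network).hosts()]
        self.leases = {}                        # client MAC (chaddr) -> (ip, expiry time)
        self.lease_seconds = lease_seconds

    def _expire(self, now):
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:                   # lease ran out: address returns to the pool
                del self.leases[mac]
                self.free.append(ip)

    def offer(self, chaddr, now):
        """Handle a DISCOVER: reuse the client's lease, else hand out a free address; None when exhausted."""
        self._expire(now)
        if chaddr in self.leases:
            return self.leases[chaddr][0]
        if not self.free:
            return None                         # scope exhausted: legitimate clients get nothing
        ip = self.free.pop(0)
        self.leases[chaddr] = (ip, now + self.lease_seconds)
        return ip

def starvation_demo(network="192.168.1.0/29"):
    """Attacker on one port sends DISCOVERs with a fresh MAC each time; a real client then asks."""
    scope, events = DhcpScope(network), []     # events: (seconds, switch port, client MAC)
    for i in range(10):                         # more requests than the /29 has addresses (6)
        mac = f"02:00:00:00:00:{i:02x}"
        events.append((0.1 * i, "Gi1/0/3", mac))
        scope.offer(mac, now=0.1 * i)
    events.append((5.0, "Gi1/0/7", "aa:bb:cc:00:00:01"))
    return scope.offer("aa:bb:cc:00:00:01", now=5.0), events

def snooping_rate_alerts(events, limit_per_second=5):
    """DHCP snooping style rate check: untrusted ports sending more than the limit in one second."""
    counts = defaultdict(int)
    for t, port, _ in events:
        counts[(port, int(t))] += 1
    return {port for (port, _), n in counts.items() if n > limit_per_second}
```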