Sniffing

From NetSec
Latest revision as of 10:21, 20 October 2012

Sniffing is the process of electronic eavesdropping at the network layer.

Two network devices are in very common use: the switch and the hub. A hub repeats traffic from its uplink port down all of its child lines, while a switch forwards traffic only to the specific port and interface associated with the traffic's destination. On a hub-based network, sniffing is therefore easy: one can see all the traffic on the wire with a common tool such as Cain & Abel simply by turning the sniffer on.

Common sniffers include programs such as:

  • Net Tools
  • WireShark
  • IP Tools
  • IPTraf
  • NetMon
  • ettercap
  • Ethereal

All encryption protocols, including GPG/PGP, DES, 3DES, DSA, SSL, and TLS, rely on something called key exchange. If the attacker is able to monitor the connection from the beginning, during the key exchange, all the data is compromised, including HTTPS, SSH, SFTP, and TLS connections.
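As an added illustration of the key-exchange point above (example code written for this page, not from NetSec or any tool it names): a toy Diffie-Hellman exchange in which an interposed party substitutes its own public value in both directions, beside the same exchange with the server's public-value fingerprint pinned, which lets the client refuse the substituted value. The group parameters, the `Party` class and the fingerprint-pinning scheme are all constructed for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only (far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

class Party:
    """One endpoint of the exchange: holds a private exponent and the matching public value."""
    def __init__(self, name):
        self.name = name
        self.secret = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.secret, P)

    def shared_key(self, peer_public):
        # Session key derived from the DH shared secret g^(ab) mod p.
        return hashlib.sha256(str(pow(peer_public, self.secret, P)).encode()).digest()

def fingerprint(public):
    """Short hash of a public value: the kind of thing a client pins out of band."""
    return hashlib.sha256(str(public).encode()).hexdigest()[:16]

def exchange(client, server, attacker=None, pinned=None):
    """Run the exchange. If `attacker` is given it sits between the two parties and
    replaces each public value with its own. If `pinned` is given, the client refuses
    to continue unless the server value it receives matches that fingerprint."""
    server_value_seen = attacker.public if attacker else server.public
    client_value_seen = attacker.public if attacker else client.public
    if pinned is not None and fingerprint(server_value_seen) != pinned:
        return {"detected": True, "keys_match": False, "attacker_knows_key": False}
    client_key = client.shared_key(server_value_seen)
    server_key = server.shared_key(client_value_seen)
    # Without pinning, the interposer shares one key with the client and another with the server.
    attacker_knows = attacker is not None and attacker.shared_key(client.public) == client_key
    return {"detected": False, "keys_match": client_key == server_key,
            "attacker_knows_key": attacker_knows}

if __name__ == "__main__":
    client, server, interposer = Party("client"), Party("server"), Party("interposer")
    print("unauthenticated, interposed:", exchange(client, server, interposer))
    print("pinned fingerprint, interposed:", exchange(client, server, interposer, fingerprint(server.public)))
```

The unauthenticated run ends with the client and server holding different keys, both known to the interposer; the pinned run stops before any key is derived.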

Once a host has become the victim of a man in the middle, there are multiple exploitable vulnerabilities based on posing as the router. Several vulnerabilities affect DNS (Domain Name System).

The two most prominent vulnerabilities involving DNS and man-in-the-middle exploitation are DNS cache poisoning and DNS request hijacking. Both vulnerabilities have the same effect, merely at different scopes.

When a victim of a DNS man in the middle attempts to connect to a server by its DNS name, a false IP address is returned instead of the server's actual IP address. An attacker could use this vulnerability to harvest data and authentication credentials more easily, to deploy an exploit, or to combine it with a social engineering attack that tricks an administrator into disclosing credentials or activating another process that aids the attacker's timing during a second-order injection attack. All in all, dynamic ARP caches are considered a "critical" vulnerability because of the amount of information that can be gleaned from an MITM attack.
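A defender's check for the "dynamic ARP cache" weakness the paragraph above refers to, written for this page (not code from NetSec or from Cain): it parses two successive `arp -a` snapshots in the Windows output format and flags the two symptoms of a poisoned cache, the gateway's MAC changing and another host sharing the gateway's MAC. The snapshots and addresses are constructed samples, and `detect_arp_anomalies` is a hypothetical helper.

```python
import re

# Constructed sample of two successive `arp -a` snapshots on a Windows host (not real captures).
SNAPSHOT_T0 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.20          00-11-22-33-44-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_T1 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-20     dynamic
  192.168.1.20          00-11-22-33-44-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries only; static entries cannot be poisoned and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def detect_arp_anomalies(before, after, gateway_ip):
    """Compare two snapshots and describe anything consistent with a poisoned cache."""
    alerts = []
    if gateway_ip in before and gateway_ip in after and before[gateway_ip] != after[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} MAC changed {before[gateway_ip]} -> {after[gateway_ip]}")
    gw_mac = after.get(gateway_ip)
    for ip, mac in after.items():
        if ip != gateway_ip and mac == gw_mac:
            alerts.append(f"host {ip} shares the gateway MAC {mac}")
    for ip, mac in after.items():
        if ip != gateway_ip and before.get(ip) not in (None, mac):
            alerts.append(f"host {ip} MAC changed {before[ip]} -> {mac}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_table(SNAPSHOT_T0), parse_arp_table(SNAPSHOT_T1), "192.168.1.1"):
        print("ALERT:", alert)
```

On a real host the same comparison can be run against a pinned gateway MAC instead of a previous snapshot, and a static ARP entry for the gateway removes the dynamic entry the check watches.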


MITM affects every TCP/IP protocol and, as mentioned previously, can be used for connection hijacking and spoofing. Not only can packets be spoofed and forged TO the victim machine, they can also be spoofed and forged FROM the victim machine. Beyond this, there are several other exploitations that performing an MITM allows an attacker to carry out.

VoIP or SIP hijacking refers to exploiting Voice over IP using a vulnerability in SIP (the Session Initiation Protocol) during an MITM attack. This allows an attacker to intercept VoIP phone calls made to or from a victim VoIP phone.

Another main feature of Cain is its authentication engine. On Windows-based networks, Cain is capable of spoofing challenge reset requests, and of spoofing checksum packets during a network authentication (connections for file or printer sharing) that tell the client machine that the server does not support NTLM version 2. Spoofing challenge resets forces the client machine to release multiple challenges, which gives the cracker and cryptanalysis engine (also built into Cain) a better ability to crack the captured hashes, reducing the time taken to recover them. Spoofed checksums force a downgrade of the network NTLM authentication, tricking the client computer into using NTLM version 1, a much weaker and more easily cracked algorithm than NTLM version 2. This allows an attacker to crack password hashes faster and therefore gain access more quickly.

There are other ways to hijack connections, but most of them have become antiquated due to upgrades in the TCP/IP protocol. Years ago, attackers would hijack connections with what is called TCP sequence hijacking, or ISN hijacking.