Questions about this topic? Sign up to ask in the talk tab.

Sniffing

From NetSec
Revision as of 17:38, 24 April 2012 by MinnaBeauvais (Talk | contribs) (Fixed the retarded number of samelinks, ie. you don't need to link to every instance of ARP to page ARP... Just the first will do.)

Jump to: navigation, search

Sniffing is basically electronic eavesdropping. This is where some networking theory comes into play. There are two very commonly used network devices. One of these devices is a switch, the other is a hub. A hub repeats traffic from its uplink port down all child lines, while a switch translates traffic and sends it across the specific wire and interface associated with the traffic’s destination. On a hub based network, sniffing is easy – one can simply look at all the traffic coming over the wire with a common tool like “Cain and Abel” after only turning the sniffer on.

Common sniffers are in programs like

  • Net Tools
  • WireShark
  • IP Tools
  • IPTraf
  • NetMon
  • ettercap
  • ethereal

There are multiple applications capable of sniffing, but for the sake of simplicity, only techniques using Cain & Abel and WireShark will be documented here.

Cain is a “swiss army knife” type tool for windows networks, capable of exploiting design flaws on the local machine, deploying Abel, a windows service for maintaining access, exploiting design flaws on the remote machine, and exploiting unsafe TCP/IP configurations. One of its key features is an exploitation vector in ARP, or the Address Resolution Protocol. The exploitation vector that Cain uses is called Arp poisoning. Normal traffic flows on a network as follows:

 Client Machine --> Router --> [Other Routing Hops] --> Destination

Arp poisoning attacks allow an attacker to tell remote machines within the context of the same subnet or Ethernet routing (switch or hub) that the IP address of a machine is owned by a particular MAC or hardware address. The reason that this can be exploited is because by poisoning the ARP cache and the ARP table it is possible to route traffic through the local machine before it gets to the router, making the network flow look more like:

 Poisoned [Victim] Machine --> Fake [Attacker] Router --> Real Router --> [Other Hops] --> Destination

This exploitation in the design flaws of the Address Resolution Protocol is called a Man-in-the-Middle or MITM attack. There are a myriad of tools capable of performing this exploitation, however they all have the same effect. When used in conjunction with a sniffer, it is possible for an attacker to monitor all connections between the client and server, to eavesdrop on login and password credentials as they are sent to the server, to impersonate the poisoned machine, and even to inject packets into an ongoing dataflow, TCP connection, or UDP stream.

This affects virtually all windows networks. It is very rare to see a windows network that cannot be ARP poisoned. Some would think that encryption would prevent an attacker from gaining sensitive login information, however this is simply untrue. All encryption protocols including GPG/PGP, DES, 3DES, DSA, DSA, SSL, and TLS rely on something called key exchange. If the attacker is able to monitor the connection at the beginning during the key exchange, all the data is compromised, including HTTPS, SSH, SFTP, TLS connections, etc.

Once a host has been ARP poisoned, there are multiple exploitable [[vulnerabilities based on posing as the router. Several vulnerabilities affect DNS, or the Dynamic Name Service. The two most prominent vulnerabilities involving DNS and ARP are DNS cache poisoning and DNS request hijacking. Both vulnerabilities have the same affect. When a user attempts to connect to one server by its DNS name, a false IP address is returned instead of the server’s actual IP address. An attacker could use this vulnerability in order to harvest data and authentication credentials more easily, or use this to deploy an exploit or even combine it with a Social Engineering attack in order to trick an administrator into disclosing credentials or activating another process that would aid the attacker’s timing during a second-order-injection attack. All in all, dynamic ARP caches are considered a “critical” vulnerability because of the amount of information which can be gleaned from an MITM attack.

MITM affects every TCP/IP protocol and as mentioned previously, can be used for connection hijacking and spoofing. Not only can packets be spoofed and forged TO the victim machine, however, they can also be spoofed and forged FROM the victim machine. While this can be used for attacking, there are also several other exploitations that performing an MITM will allow an attacker to do.

VoIP or SIP hijacking refers to exploiting Voice over IP using a vulnerability in the SIP during an MITM attack. This will allow an attacker to intercept VoIP phone calls made to or from a victim VoIP phone.

Another main feature of Cain is its authentication engine. On windows-based networks, Cain is capable of spoofing challenge reset requests, and spoofing checksum packets during a network authentication (connections for file or printer sharing) that tell the client machine that the server does not support NTLM Version 2. Spoofing challenge resets forces the client machine to release multiple challenges, which gives the cracker and cryptanalysis engine (also built into Cain) better ability to decrypt the hashes – reducing the time taken to crack them. Spoofed checksums force a downgrade of the network NTLM authentication, tricking the client computer into using NTLM Version 1, a much weaker and more easily cracked encryption algorithm than NTLM Version 2. This allows an attacker to crack password hashes faster and therefore gain access more quickly.

There are other ways to hijack connections, however most of them have been antiquated due to upgrades in the TCP/IP protocol. Years ago, attackers would hijack connections with what is called TCP Sequence hijacking, or ISN Hijacking.