2. What is Sniffing ?
● Sniffing is a technique for gaining access through
Network-Based attack.
● A sniffer is a program that gathers traffic from the
local network, and is useful for attackers looking
to swipe data as well as network administrator
trying to troubleshoot problems.
● Using sniffer , an attacker can read data passing
by a given machine in real time or store the
data.
3. What does one sniff ?
A sniffer can grab anything sent across the LAN ,
including
● UserIds and passwords
● Web Pages being visited
● Email messages
● Files shared using the Network File System
● Chat sessions
● DNS queries
4. Non-Promiscuous Mode
In non-Promiscous mode, a sniffer gathers data going to
and from its host system only.
Ethernet controller only gets interrupted when one of the
following conditions are met :-
● Destination MAC Address= My MAC Address
● Destination MAC Address= Broadcast MAC
● Destination MAC Address is found in the list of group
MAC(Multicast group)
All other packets are dropped
5. Promiscuous Mode
● In Promiscuous mode ,a sniffer gathers all
traffic passing by the network interface
● The controller passes all traffic it receives to
the central processing unit (CPU) rather than
passing only the frames that the controller is
intended to receive
● This mode is normally used for packet sniffing
6. Types of Sniffing
● Passive Sniffing
Sniffing performed on a hub is known as passive
sniffing.
● Active Sniffing
When sniffing is performed on a switched network,it
is known as active sniffing.
8. Passive Sniffing
● In Passive Sniffing any data sent across the
LAN is actually sent to each and every machine
connected to the LAN.
● Therefore,the sniffer will be able to gather data
sent to and from any other system on the LAN.
10. Active Sniffing
● Looks for associated MAC address and sends
data only to the required connection on the
switch.
● Therefore,the sniffer will be able to see data
going to and from its machine only.
● All of the other interesting information flowing
on the LAN will be unavailable to the sniffer.
11. Sniffing via switched LAN
● In Active Sniffing we Injects traffic into the LAN to
redirect victim’s traffic to attacker
● Active sniffing can be performed by two ways :-
1. MAC flooding
2. Poisoning ARP(address resolution protocol) table
12. Dsniff (Sniffer tool)
● Dsniff is a set of password sniffing and network traffic
analysis tools
● Big advantage of Dsniff is the amazing number of
protocols that it interpret.Eg Telnet,Ftp,Http
● Nearly every sniffer can dump raw bits grabbed off the
network.However , these raw bits are pretty much useless,
unless the attacker can interpret what they mean.
13. Foiling Switches with floods
● Initiated via Dsniff’s Macof program
● It works by sending out a flood of traffic with
random MAC address on the LAN.
● As the number of different MAC addresses in
use on the network increases,the switch
dutifully stores the MAC addresses used by
each link on the switch.
● When switch’s memory becomes exhausted,
the switch will start forwarding data to all links
on the switch
● At this point, Dsniff can capture desired packets
14.
15. Foiling Switches with Spoofed ARP
Messaged
● Some switches are not subject to this MAC flooding
attack because they stop storing new MAC address
when the remaining capacity of their memory
reaches a given limit.
● To sniff in a switched environment where MAC
flooding doesn't work,Dsniff includes a tool called
arpspoof
● As the name applies , arpspoof allows an attacker to
manipulate Address Resolution Protocol(ARP) traffic
17. Step 1.
First we configure the Ip layer of the attacker's machine to forward any
traffic it receives from the LAN to the IP address of the default router
Step 2.
The attacker activates the Dsniff arpspoof program,which sends fake ARP
replies to the victim's machine.
Step 3.
The attacker's fake ARP messages changes the victim's ARP table by
remapping the default router's IP address to the attacker's MAC address
Essentially,the attacker tells the victim that to access the default router,use
the attacker's MAC address,thereby poisoning the ARP table of the Victim.
Once the poisoned ARP message takes effect, all traffic from the victim
machine to the outside world will be sent to tha attacker's machine.
Steps involved in Arpspoofing
18. Steps involved in Arpspoofing
Step 4.
Victim sends the data,forwarding it to what it thinks is the
default router,but using the attacker's MAC address.
Step 5.
The attacker sniffs the information from the line
Step 6.
The attackers machine forwards the victim's traffic to the
actual default router on the LAN because we configured the
attacker's machine for IP forwarding
30. Sniffing and Spoofing DNS
● DNS maps domain names to IP addresses.
● Dsniff includes a program called dnsspoof that lets an
attacker send a false DNS response to a victim,which
will make the victim access the attacker's machine
when they intended to access another machine
● If a user wants to surf to www.icicibank.com,the
attacker can trick the client into connecting to the
attacker's Web Server, where the attacker could
display a fake bank login screen,gathering the victim's
userID and password.
31. Step 1.
The attacker fires up the dnsspoof program from the Dsniff
suite.This program sniffs the LAN.
Step 2.
The victim tries to resolve the name www.icicibank.com using DNS
Step 3.
The attacker sniffs the DNS query from the line.
Steps involved in Dnsspoof
32. Steps involved in Dnsspoof
Step 4.
Attacker immediately sends a fake DNS response
This response will have a lie, claimimg that www.icicibank.com
should resolve to Attackers web server rather than the original server
The victim machine will cache this incorrect DNS entry.At some later
time,the real response from the real DNS server will arrive,but it will
be ignored by the victim's machine
Step 5.
Finally ,the victim's browser makes a connection with the Attacker's
Web Server instead of desired destination
37. Sniffing HTTPS and SSH
● Security in HTTPS and SSH built on a trust model of
underlying public key Infrastructure
– HTTPS server sends to browser a certificate containing
server’s public key signed by a Certificate Authority
– SSL connection uses a session key randomly generated
by server to encrypt data between server and client
– With SSH, a session key is transmitted in an encrypted
fashion using a private key stored on the server
38. Sniffing HTTPS and SSH
● Dsniff takes advantage of poor trust decisions made by a clueless
user via man-in-the middle attack
– Web browser user may trust a certificate that is not signed by a trusted party
– SSH user can still connect to a server whose public key has changed
● Name of the tools in the Dsniff suite for attacking HTTPS and SSH
are
– Webmitm
– Sshmitm
Here mitm stands for Monkey-in-the-Middle Attack
39. Step 1.
The attacker first runs the dnsspoof program configured to send false
DNS information so that a DNS query for a given Web-Site will resolve to
the attacker's IP address.Additionally,the attacker activates the webmitm
program which will trnsparently proxy all HTTP and HTTPS traffic.
Step 2.
The dnsspoof program detects a DNS request and send a DNS reply
directing the client to the attacker's machine
Step 3
Victim's browser start to establish an SSL connection.
Steps involved in Sniffing an HTTPS
connection
40. Steps involved in Sniffing an HTTPS
connection
Step 4
Webmitm then acts as an SSL proxy, establishing two separate SSL
connections:
--one from the victim to the attacker's machine by sending its own
certificate ,and
--the other from the attacker's machine to the actual Web Server.
Step 5
As far as the Web Server is concerned, it has established a valid
SSL connection with the client,not knowing that it is actually
communicating with the attacker's machine in the middle
44. Bogus Certificate
● Webmitm must send the attacker's certificate to the victim so that
the attacker can establish its own SSL connection with the victim to
decrypt the data passed from the browser.
● When the victim's browser establishes the SSL session to the
attacker,it will notice that certificate is not signed by a trusted
Certificate authority.
● The browser will notice that the DNS name in the certificate does
not match the name of the website that the user is trying to access.
45.
46.
47.
48. Dsniff’s sshmitm
● Allows attacker to view data sent across an
SSH session
● Supports sniffing of SSH protocol version 1
● Just like the Web browsers, the SSH client
will complain that it doesn't recognize the
public key inserted by the attacker
49.
50.
51. TCPNICE
● It forces other connection to “play nice” with their tcp
connections
● It basically reduces the speed of TCP connection by
following methods
--Inject TCP tiny window advertisements.
--Inject ICMP source quench replies.
--Inject ICMP fragmentation-needed replies with tiny
next-hop MTUs.
● It lets the attacker slow such connections down so a sniffing
tool can more easily keep the data.
52.
53.
54.
55. TCPKILL
● It terminate the existing/in-progress TCP
connection
● It’s usage is very primitive ( kill all connections
from port number xx , or from IP address
x.x.x.x etc )
● It allows attacker to sniff the UserID and
password on subsequent new session
56.
57.
58. Sniffing Defenses
● Use HTTPS for encrypted web traffic
● Use SSH for encrypted login sessions
● Pay attention to warning messages on
your browser and SSH client
● Get rid of hubs
● Use static ARP tables on the end
systems,hard coding the MAC
addresses for all systems on the LAN