Module 8 Sniffing

Uploaded by Nghia Tran Van
CEH Certified Ethical Hacker
Module 08: Sniffing

Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing

Module Objectives

This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques.

At the end of this module, you will be able to:

* Describe sniffing concepts
* Explain different MAC attacks
* Explain different DHCP attacks
* Describe ARP poisoning
* Explain different spoofing attacks
* Describe DNS poisoning
* Apply a defense mechanism against various sniffing techniques
* Use different sniffing tools
* Apply various sniffing countermeasures
* Apply various techniques to detect sniffing attacks

Module 08 Page 1077 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Flow: Sniffing Concepts, Sniffing Techniques, Sniffing Tools, Countermeasures, Sniffing Detection

Sniffing Concepts

This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful
Network Sniffing

Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises' switch ports are open.
A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic. Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP, HTTP Basic, Telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission. The following diagram depicts an attacker sniffing the data packets between two legitimate network users.

Figure 8.1: Packet sniffing scenario (the attacker receives a copy of the data passing through the switch)

How a Sniffer Works

The most common way of networking computers is through an Ethernet connection.
A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local subnetwork. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table. The source machine, in all its communications with the destination machine, then uses this MAC address.

There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:

* Shared Ethernet

In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame.
However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.

* Switched Ethernet

In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true. Although a switch is more secure than a hub, sniffing the network is possible using the following methods:

  * ARP Spoofing

  ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.

  * MAC Flooding

  Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up.
  Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.

Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to a user's machine and discard the packets sent to the other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.

Figure 8.2: Working of a sniffer (attacker PC running the NIC card in promiscuous mode; the attacker forces the switch to behave as a hub)
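Both switched-network methods described above, ARP spoofing of the gateway and MAC flooding of the switch's address table, leave a footprint in the ARP traffic a defender can watch from a mirror (SPAN) port. The following is an added example, not code from the CEH module: it feeds constructed ARP frames to two detectors. The first keeps the state that ARP itself lacks (outstanding requests and learned IP-to-MAC bindings) and flags unsolicited replies and replies that rebind the trusted gateway address; the second counts distinct source MACs per switch port inside a time window. The ArpFrame record, the port labels and all addresses are invented for the demonstration.

```python
"""ARP-spoofing and MAC-flooding detectors over constructed ARP frames.

Added example (not from the CEH module): the frames are assumed to be
collected from a switch mirror (SPAN) session; ArpFrame, the switch port
labels and the addresses below are all invented for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    t: float    # seconds since capture start
    port: str   # switch port the frame entered on (hypothetical mirror metadata)
    op: int     # ARP opcode: 1 = request, 2 = reply
    sip: str    # sender protocol (IP) address
    smac: str   # sender hardware (MAC) address
    tip: str    # target protocol (IP) address


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
TRUSTED = {GATEWAY_IP: GATEWAY_MAC}   # baseline bindings that must never change


def detect_arp_spoof(frames, trusted):
    """Flag replies that rebind a trusted IP and replies that nobody asked for.

    ARP is stateless, so a host accepts a reply it never requested; the
    detector keeps the state the protocol lacks: a set of outstanding
    requests and the IP-to-MAC bindings learned so far.
    """
    alerts = []
    pending = set()            # (asker_ip, asked_ip) of unanswered requests
    learned = dict(trusted)    # ip -> mac
    for f in frames:
        if f.op == 1:
            pending.add((f.sip, f.tip))
            continue
        # A reply from sip to tip is solicited only if tip asked for sip.
        if (f.tip, f.sip) in pending:
            pending.discard((f.tip, f.sip))
        else:
            # Gratuitous ARP is legitimate on some hosts; correlate with the
            # binding checks below before treating this alone as an attack.
            alerts.append((f.t, "unsolicited-reply", f.sip, f.smac, f.port))
        known = learned.get(f.sip)
        if known is None:
            learned[f.sip] = f.smac
        elif known.lower() != f.smac.lower():
            kind = "trusted-ip-rebound" if f.sip in trusted else "ip-mac-changed"
            alerts.append((f.t, kind, f.sip, f.smac, f.port))
            if f.sip not in trusted:
                learned[f.sip] = f.smac   # untrusted hosts may legitimately change NICs
    return alerts


def detect_mac_flooding(frames, window=5.0, threshold=50):
    """Alert once per port when it sources more than `threshold` distinct
    MACs within `window` seconds; an access port normally sources a handful."""
    alerts = []
    recent = defaultdict(deque)   # port -> deque of (t, mac) inside the window
    alerted = set()
    for f in frames:
        q = recent[f.port]
        q.append((f.t, f.smac))
        while q and f.t - q[0][0] > window:
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > threshold and f.port not in alerted:
            alerts.append((f.t, "mac-flood", f.port, distinct))
            alerted.add(f.port)
    return alerts


def sample_frames():
    """Constructed capture: one normal exchange, one gateway impersonation,
    then a burst of requests from 80 fabricated MACs on a single port."""
    frames = [
        ArpFrame(0.0, "Gi1/0/2", 1, "10.0.0.5", "00:11:22:33:44:05", GATEWAY_IP),
        ArpFrame(0.1, "Gi1/0/1", 2, GATEWAY_IP, GATEWAY_MAC, "10.0.0.5"),
        ArpFrame(3.0, "Gi1/0/7", 2, GATEWAY_IP, "de:ad:be:ef:00:07", "10.0.0.5"),
    ]
    for i in range(80):
        frames.append(ArpFrame(10.0 + i * 0.01, "Gi1/0/7", 1,
                               f"10.9.0.{i}", f"02:00:00:00:00:{i:02x}", GATEWAY_IP))
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    for a in detect_arp_spoof(frames, TRUSTED) + detect_mac_flooding(frames):
        print(a)
```

On the constructed capture the spoof detector raises two alerts for the same frame (an unsolicited reply that also rebinds the gateway IP), and the flooding detector fires once for port Gi1/0/7 when the 51st distinct MAC appears; the same idea is what switch-side port security and dynamic ARP inspection enforce in hardware, so this script is best read as a way to verify those controls from a capture rather than as a replacement for them.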
Types of Sniffing

Attackers run sniffers to convert the host system's NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network. There are two types of sniffing. Each is used for different types of networks. The two types are:

* Passive sniffing
* Active sniffing

Passive Sniffing

Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.

Figure 8.3: Passive sniffing
Attackers use the following passive sniffing methods to gain control over a target network:

* Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop and try to plug into the network and capture sensitive information about the organization.
* Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim's machine to compromise it. After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.

Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing.

Note: Passive sniffing provides significant stealth advantages over active sniffing.

Active Sniffing

Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through the LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review.
An attacker can see all the information in the packets, including data that should remain hidden. To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points. The following is a list of different active sniffing techniques:

* MAC flooding
* DNS poisoning
* ARP poisoning
* DHCP attacks
* Switch port stealing
* Spoofing attack

How an Attacker Hacks the Network Using Sniffers

Attackers use sniffing tools to sniff packets and monitor network traffic on a target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.

Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.

Figure 8.4: Discovering a switch to access the network

Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery tools.

Figure 8.5: Using network discovery tools to learn topology
Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks.

Figure 8.6: Identifying the victim's machine

Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.

Figure 8.7: Attacker sending fake ARP messages

Step 5: The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.

Figure 8.8: Redirecting the traffic to the attacker

Step 6: Now, the attacker can see all the data packets sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

Figure 8.9: Attacker extracting sensitive information

Protocols Vulnerable to Sniffing

The following protocols are vulnerable to sniffing. The main reason for sniffing these protocols is to acquire passwords.

Telnet and Rlogin

Telnet is a protocol used for communicating with a remote host (via port 23) on a network using a command-line terminal. rlogin enables an attacker to log into a network machine remotely via a TCP connection.
Neither of these protocols provides encryption; therefore, data traveling between clients connected through any of these protocols are in plaintext and vulnerable to sniffing. Attackers can sniff keystrokes, including usernames and passwords.

HTTP

Due to vulnerabilities in the default version of HTTP, websites implementing HTTP transfer user data across the network in plaintext, which attackers can read to steal user credentials.

SNMP

Simple Network Management Protocol (SNMP) is a TCP/IP-based protocol used for exchanging management information between devices connected on a network. The first version of SNMP (SNMPv1) does not offer strong security, which leads to the transfer of data in a cleartext format. Attackers exploit the vulnerabilities in this version to acquire passwords in plaintext.
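A defender's first step against the protocols this section lists is to find out where they are still in use. The following is an added example, not code from the CEH module: it audits constructed flow records for Telnet, rlogin, HTTP and SNMP, reports HTTP sessions that carry Basic credentials, and reads the version field from the BER header of an SNMP message so that v1/v2c (plaintext community string) is flagged while v3 is not. The Flow record, the port-to-protocol map, and every address and payload are invented for the demonstration; only the SNMP header layout follows the real protocol.

```python
"""Cleartext-protocol audit over constructed flow records (added example).

Not from the CEH module: the Flow record, the port-to-protocol map and the
sample payloads are invented for this demonstration; the SNMP version
parsing follows the BER layout of a real SNMP message.
"""
from dataclasses import dataclass

# Destination ports of the protocols the module lists as sending credentials
# in the clear. 513 is rlogin's well-known port.
CLEARTEXT_PORTS = {23: "telnet", 513: "rlogin", 80: "http", 161: "snmp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first application-layer bytes of the flow


def snmp_version(payload):
    """Return the SNMP version field (0 = v1, 1 = v2c, 3 = v3) or None.

    An SNMP message is BER: SEQUENCE { INTEGER version, ... }, i.e. the
    bytes 0x30 <len> 0x02 0x01 <version>, where <len> may use the long form.
    """
    if len(payload) < 5 or payload[0] != 0x30:
        return None
    i = 1
    if payload[i] & 0x80:               # long-form length: 0x8N then N bytes
        i += 1 + (payload[i] & 0x7F)
    else:
        i += 1
    if i + 3 > len(payload) or payload[i] != 0x02 or payload[i + 1] != 0x01:
        return None
    return payload[i + 2]


def audit(flows):
    """Return (src, dst, protocol, reason) for every flow that exposes
    credentials or session data to a sniffer on the path."""
    findings = []
    for f in flows:
        proto = CLEARTEXT_PORTS.get(f.dport)
        if proto is None:
            continue
        if proto == "snmp":
            v = snmp_version(f.payload)
            # v1 and v2c authenticate with a plaintext community string;
            # v3 (version byte 3) can authenticate and encrypt.
            if v == 0:
                findings.append((f.src, f.dst, "snmpv1", "community string in cleartext"))
            elif v == 1:
                findings.append((f.src, f.dst, "snmpv2c", "community string in cleartext"))
        elif proto == "http":
            if b"Authorization: Basic " in f.payload:
                findings.append((f.src, f.dst, "http", "Basic credentials sent without TLS"))
            else:
                findings.append((f.src, f.dst, "http", "session content in cleartext"))
        else:
            findings.append((f.src, f.dst, proto, "login keystrokes in cleartext"))
    return findings


# Constructed sample flows (addresses and payloads are made up).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 23, b"\xff\xfd\x18\xff\xfd\x20login: "),
    Flow("10.0.0.5", "10.0.0.21", 513, b"\x00alice\x00alice\x00xterm/38400\x00"),
    Flow("10.0.0.6", "10.0.0.30", 80,
         b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    Flow("10.0.0.7", "10.0.0.40", 161, b"\x30\x0c\x02\x01\x00\x04\x06public\xa0\x00"),
    Flow("10.0.0.7", "10.0.0.41", 161, b"\x30\x0a\x02\x01\x03\x30\x05\x02\x03\x00\x00\x01"),
    Flow("10.0.0.8", "10.0.0.50", 443, b"\x16\x03\x01\x00\xc8\x01\x00"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against the sample, the audit reports the Telnet and rlogin logins, the HTTP request carrying Basic credentials, and the SNMPv1 query, while the SNMPv3 message and the TLS handshake on 443 pass; the same matching rules applied to a real flow export give an inventory of where SSH, HTTPS and SNMPv3 still need to replace these protocols.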
