
Chapter 6

The document discusses various types of network attacks, including sniffing, MAC attacks, DHCP attacks, ARP poisoning, and DNS poisoning, along with their mechanisms and defenses. It highlights the importance of securing network devices through techniques like port security, DHCP snooping, and using encrypted communication protocols. Additionally, it lists various sniffing tools and countermeasures to mitigate these attacks.

Uploaded by

donax13349

ETHICAL HACKING
ATTACKS THROUGH SNIFFING

INTRODUCTION
• As passengers passing through the security check-in areas at airports, we go through a series of background checks, conducted at various levels by the staff using a variety of tools.
• The intention of these security checks is to detect and investigate passengers carrying suspected illegal items.
• Sniffing is a similar technique that employs sniffing tools to observe all the packets transferred over a network. This method helps network experts to resolve network issues, and also to capture usernames and passwords.

NETWORK SNIFFING
Sniffing is the process of monitoring and capturing data packets as they pass over the wires or airwaves of a network. It is a sort of wiretapping applied to a computer network.
The tool that performs sniffing is known as a sniffer.

MAC ATTACKS

• A switch only knows how to perform flooding and forwarding.
• When a computer connects to the Internet, a table is created that maps the IP address to the physical address of the computer on the LAN.
• When a switch receives a broadcast or multicast frame, it floods the frame to all the ports.
• If a switch receives a unicast message and knows which port to send it to, it forwards the frame to that single port. If it does not know the port number, it floods the ports with that frame.
• This results in inefficient delivery of the packet, so the switch needs to learn the port number. After sending the packet, it waits for the ARP message.

Defending against MAC Attacks
One of the best methods to prevent MAC attacks is to enable port security on the switch.
Port security is a feature found in high-end switches that ties the MAC address to a physical port.
The first step in securing a switch is to shut down all the unused ports or assign them to an unused VLAN. All the ports in a switch are enabled by default.
In Cisco IOS, port security can be configured using the following commands:
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
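
The flood-or-forward behaviour of a switch and the effect of a per-port address limit can be modelled in a few lines. The Python sketch below is an added example, not part of the original slides; the class name, table size, port numbers and MAC addresses are constructed, and dropping the offending frame is a simplification of the violation modes.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model (hypothetical): MAC table plus an optional per-port MAC limit."""
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size        # MAC table capacity (constructed value)
        self.max_macs = max_macs_per_port   # None means port security is off
        self.table = {}                     # MAC address -> port it was learned on
        self.per_port = defaultdict(set)    # port -> MAC addresses learned there
        self.violations = []                # (port, MAC) refused by port security

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if src not in self.table:
            limit_hit = (self.max_macs is not None
                         and len(self.per_port[in_port]) >= self.max_macs)
            if limit_hit:
                self.violations.append((in_port, src))
                return []                   # frame from an unexpected MAC is dropped
            if len(self.table) < self.table_size:
                self.table[src] = in_port   # learn only while the table has room
                self.per_port[in_port].add(src)
        if dst in self.table:
            return [self.table[dst]]        # known unicast: forward to a single port
        return [p for p in self.ports if p != in_port]  # unknown or broadcast: flood

def run(max_macs_per_port):
    """Constructed scenario: port 3 presents 20 source MACs before host B speaks."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=8,
                        max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.receive(1, host_a, BROADCAST)
    for i in range(20):
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(2, host_b, host_a)           # B is learned only if room is left
    return sw.receive(1, host_a, host_b), len(sw.violations)

if __name__ == "__main__":
    print("no port security:", run(None))   # A->B is flooded to ports 2 and 3
    print("maximum 1 per port:", run(1))    # A->B goes to port 2 only
```

With the limit in place the table never fills, so traffic between the two legitimate hosts stays on their own ports and every refused address is recorded as a violation.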


DHCP ATTACKS

• A DHCP server is configured in a network with a pool of IP addresses. You can use features that configure the pool and decide which IP addresses it can assign, for how long, and which are reserved.
• DHCP eases the chore of prolonged manual configuration of the network settings on a network device. It follows the client-server model.

DHCP STARVATION ATTACK

• In the DHCP starvation attack, the attacker broadcasts numerous DHCP request messages with fake source MAC addresses.
• If the DHCP server in the network starts responding to all these requests, then all the available IP addresses are depleted in a very short time span.
• The DHCP starvation attacks can be performed using tools such as Yersinia and DHCPstarvation.

ROGUE DHCP SERVER ATTACK

A rogue DHCP server is a DHCP server set up on the network by an attacker or any unauthenticated user, and it is not under the control of the network administrators.
A home wireless router or modem with DHCP capabilities is actually an accidental rogue device.
This is used by attackers for reconnaissance attacks, sniffing and Man-in-the-Middle attacks.
A rogue DHCP server replies with an IP address and other details that present the attacker’s host as the DNS server or default gateway.

Defending against DHCP Attack

• There are two techniques that help in defending against the DHCP starvation attack and the rogue server attack:
• Port security
• DHCP snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 42
Switch(config)# interface fastethernet1/0
Switch(config-if)# ip dhcp snooping trust
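
What the trusted/untrusted split buys can be seen by modelling the decisions a snooping switch makes per port. The Python sketch below is an added example, not part of the original slides: it treats Fa1/0 as the only trusted port, and the class name, the other port names, the addresses, the rate limit and the source-MAC check against the DHCP client hardware address (chaddr) are assumptions chosen for illustration.

```python
SERVER_TYPES = {"OFFER", "ACK", "NAK"}

class DhcpSnooper:
    """Toy model (hypothetical names) of per-port DHCP snooping decisions."""
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit   # client messages allowed per untrusted port
        self.count = {}                # port -> client messages seen so far
        self.pending = {}              # chaddr -> port the request arrived on
        self.bindings = {}             # chaddr -> (leased IP, client port)

    def inspect(self, port, mtype, src_mac, chaddr, yiaddr=None):
        if port in self.trusted:
            if mtype == "ACK" and chaddr in self.pending:
                self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
            return "forward"
        if mtype in SERVER_TYPES:
            return "drop: server message on untrusted port"
        if src_mac != chaddr:
            return "drop: source MAC differs from chaddr"
        self.count[port] = self.count.get(port, 0) + 1
        if self.count[port] > self.rate_limit:
            return "drop: rate limit exceeded"
        self.pending[chaddr] = port
        return "forward"

def replay():
    """Run constructed DHCP events through the model; Fa1/0 is the trusted port."""
    sn = DhcpSnooper(trusted_ports={"Fa1/0"}, rate_limit=3)
    pc, srv, other = "00:11:22:33:44:10", "00:11:22:33:44:01", "00:11:22:33:44:66"
    events = [
        ("Fa0/1", "DISCOVER", pc, pc, None),
        ("Fa0/5", "OFFER", other, pc, "192.168.1.50"),   # server reply, untrusted port
        ("Fa1/0", "OFFER", srv, pc, "10.0.42.10"),
        ("Fa0/1", "REQUEST", pc, pc, None),
        ("Fa1/0", "ACK", srv, pc, "10.0.42.10"),
        ("Fa0/7", "DISCOVER", other, "02:00:00:00:00:99", None),  # chaddr mismatch
    ]
    # Four requests from one port, each with a different source MAC.
    events += [("Fa0/7", "DISCOVER", m, m, None)
               for m in (f"02:00:00:00:01:{i:02x}" for i in range(4))]
    verdicts = [sn.inspect(*e) for e in events]
    return verdicts, sn.bindings
```

The binding table built from ACKs seen on the trusted port records which address was leased to which client port.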
ARP POISONING

• Address Resolution Protocol (ARP) is used to map an IP address to a MAC address.
• An ARP table is maintained for saving the MAC address to IP address mapping.
• When a device connected to the network needs to communicate on the network, it broadcasts ARP queries to find out the MAC addresses of other hosts.

ARP SPOOFING
• ARP spoofing or ARP poisoning is an attack where the ARP cache on a target host is corrupted with faulty entries by an attacker.
• This results in the IP address of the legitimate host being linked with the MAC address of the attacker’s machine.
• This way, the attacker obtains access to the data intended for that IP address.
• ARP spoofing can be used to stop the data transmission, or to intercept or modify the data.
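
A corrupted mapping shows up on the wire as an IP address whose MAC address changes, or as one MAC address answering for several IP addresses. The Python sketch below is an added example, not part of the original slides; it scans ARP replies written in the style of `tcpdump -n` output, and the sample lines, addresses and function name are constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

# Constructed capture: 10.0.0.1 and 10.0.0.20 both move to the same MAC address.
SAMPLE = """\
12:00:01.100000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 46
12:00:02.200000 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:20, length 46
12:00:05.300000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 46
12:00:09.400000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:66, length 46
12:00:09.900000 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:66, length 46
12:00:12.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:66, length 46
"""

def audit_arp(lines, static=None):
    """Return (alerts, shared): mapping changes, and MACs answering for several IPs.

    static is an optional dict of pinned IP -> MAC entries that are never relearned.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    table = dict(static)                      # current IP -> MAC view
    alerts = []
    for line in lines:
        m = REPLY.match(line)
        if not m:
            continue                          # requests and non-ARP lines are skipped
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                   # first sighting: learn it
        elif known != mac:
            kind = "static" if ip in static else "changed"
            alerts.append((ts, ip, known, mac, kind))
            if ip not in static:
                table[ip] = mac               # dynamic entry is overwritten
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, set()).add(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return alerts, shared

if __name__ == "__main__":
    for alert in audit_arp(SAMPLE.splitlines())[0]:
        print(alert)
```

Passing the gateway as a pinned entry, for example `static={"10.0.0.1": "00:11:22:33:44:01"}`, keeps its mapping fixed and reports every conflicting reply instead of relearning it.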
MAC SPOOFING ATTACK
• The MAC spoofing technique is used for changing the MAC address that is assigned to the network device by the manufacturer.
• In a MAC spoofing attack, the MAC address of the attacker’s host replaces the original MAC address of the destination, so the target host sends all the data to the attacker instead of the actual host.

DNS POISONING

• DNS cache poisoning, also known as DNS spoofing, is a kind of attack that exploits DNS vulnerabilities.
• It convinces the DNS server that it has received authentic information.
• It diverts Internet traffic away from the legitimate servers towards fake ones.
• It substitutes a false IP address while web addresses are being converted into numeric IP addresses.
[Figure labels: Intranet DNS Spoofing, Internet DNS Spoofing, Proxy server DNS Poisoning, DNS Cache poisoning]
Defending Against DNS Spoofing

• Always secure your DNS resolver. It should be restricted to users within the network and not open to external users.
• Secure your DNS server against cache poisoning by using a random source port instead of UDP port 53 and by randomizing the query ID.
• Resolve every DNS query to a local DNS server and block DNS requests so that they cannot go to external servers.
• Implement DNSSEC. It digitally signs the DNS queries so that an attacker will not be able to forge them.
• Configure a firewall and restrict external DNS lookup.
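
Random source ports and query IDs help because a resolver accepts a reply only when it matches values the resolver itself chose for the outstanding query. The Python sketch below is an added example, not part of the original slides; the function names, the server address 192.0.2.53 and the query name are assumptions, and the reply packets are constructed in memory.

```python
import secrets
import struct

def encode_name(name):
    """Encode a host name as DNS labels (length byte + label, ending in a zero byte)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def new_query(name, server):
    """Build an A query with an unpredictable ID and source port."""
    txid = secrets.randbelow(1 << 16)                    # 16-bit query ID
    sport = 1024 + secrets.randbelow(65536 - 1024)       # random unprivileged port
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    pending = {"txid": txid, "sport": sport, "server": server, "question": question}
    return packet, pending

def accept(pending, data, src, dport):
    """True only if the reply matches everything recorded for the pending query."""
    if src != (pending["server"], 53) or dport != pending["sport"]:
        return False                                     # wrong sender or wrong port
    if len(data) < 12:
        return False                                     # shorter than a DNS header
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if txid != pending["txid"] or not flags & 0x8000 or qdcount != 1:
        return False                                     # wrong ID or not a response
    q = pending["question"]
    return data[12:12 + len(q)] == q                     # question must be echoed

def demo():
    """Constructed replies: one matching, one with a wrong ID, one to port 53."""
    _, p = new_query("www.example.com", "192.0.2.53")
    def reply(txid):
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + p["question"]
    src = (p["server"], 53)
    return (accept(p, reply(p["txid"]), src, p["sport"]),
            accept(p, reply(p["txid"] ^ 1), src, p["sport"]),
            accept(p, reply(p["txid"]), src, 53))

if __name__ == "__main__":
    print(demo())
```

With a fixed source port only the 16-bit ID has to match; choosing the port at random from 64,512 values multiplies the number of combinations a forged reply would have to hit.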
VARIOUS SNIFFING TOOLS

• Wireshark
• Tcpdump
• WinDump
• Dsniff
• EtherApe
• Capsa Network Analyzer
• OmniPeek Network Analyzer
• Observer

COUNTERMEASURES

• Limit the physical access to the network media to avoid the installation of a packet sniffer.
• Use a static ARP table and static IP addresses to prevent attackers from adding spoofed ARP entries.
• Switch off network identification broadcasts and restrict network access to authorized users only, to ensure that the network is not identified by sniffing tools.
• Use HTTPS and avoid HTTP to protect user information like names and passwords.
• Use a switch instead of a hub, because a switch transfers data only to a particular recipient.
• Use SFTP, and avoid using FTP, for secure communication to transfer files.
• Use IPv4 protocol.
• Use encrypted sessions, such as SSL for email connections, SSH instead of Telnet, and Secure Copy (SCP) instead of FTP, to fight against sniffing attacks.

