(SRCH) Module 8 Sniffing

The document provides an overview of sniffing techniques used in ethical hacking, including packet sniffing, ARP spoofing, and MAC flooding. It discusses various sniffing tools, countermeasures, and detection techniques, as well as the vulnerabilities of protocols like Telnet and HTTP. Additionally, it covers lawful interception and wiretapping, emphasizing the importance of understanding these concepts for network security.


Sniffing
CEH v11, Module 8
Certified Ethical Hacker

"To beat a hacker, you need to think like a hacker"
Module Objectives

• Overview of Sniffing Concepts
• Understanding Various Sniffing Techniques
• Understanding How to Defend Against Various Sniffing Techniques
• Overview of Various Sniffing Tools
• Understanding Different Sniffing Countermeasures
• Understanding Different Techniques and Tools to Detect Sniffing
Module Flow

1. Sniffing Concepts
2. Sniffing Techniques
3. Sniffing Tools
4. Countermeasures
5. Sniffing Detection Techniques
Network Sniffing

Packet Sniffing
• Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device.
• It allows an attacker to observe and access the entire network traffic from a given point.
• Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions and account information.

How a Sniffer Works
• A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
• On a switched network a promiscuous NIC still only receives what the switch forwards to that port (its own unicast plus broadcast, multicast and flooded frames), which is why the attacker first forces the switch to behave like a hub.

(Figure: attacker PC running its NIC card in promiscuous mode; the attacker forces the switch to behave as a hub, so traffic between the other hosts and the Internet becomes visible on the attacker's port.)
The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.

Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) that prevents the host machine from seeing other stations' traffic (this is what promiscuous mode means). Thus, sniffing programs can monitor all traffic that reaches the NIC.
Although a switch is more secure than a hub, sniffing a switched network is possible using the following methods:

ARP Spoofing
• ARP maps an IP address to the hardware (MAC) address of a machine in a local area network (LAN).
• ARP is stateless: a machine can send an ARP reply even without being asked for it, and the receiving machine will accept such a reply.
• When a machine wants to sniff the traffic originating from another system, it can ARP-spoof the gateway of the network.
• The ARP cache of the target machine will then hold an incorrect entry for the gateway.
• Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.

MAC Flooding
• Switches maintain a translation table (the CAM table) that maps MAC addresses to the physical ports on the switch.
• Switches have limited memory for this table.
• MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the table is full and the switch can no longer keep up.
• Once this happens, the switch enters fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch.
• Because learned entries age out, the attacker has to keep the flood running; a switch with port security or a per-port MAC limit will shut the attacker's port instead of failing open.
Types of Sniffing

Passive Sniffing
• Passive sniffing refers to sniffing through a hub, wherein the traffic is sent to all ports.
• It involves monitoring packets sent by others without sending any additional data packets into the network traffic.
• In a network that uses hubs to connect systems, all hosts on the network can see all the traffic, and therefore the attacker can easily capture traffic going through the hub.
• Hub usage is an outdated approach. Most modern networks now use switches.

(Figure: attacker attached to a hub on the LAN.)

Active Sniffing
• Active sniffing is used to sniff a switch-based network.
• Active sniffing involves injecting packets such as forged Address Resolution Protocol (ARP) messages into the network, either to poison hosts' ARP caches or to flood the switch's Content Addressable Memory (CAM) table, which keeps track of host-port connections.
• Active sniffing techniques: MAC flooding, DHCP attacks, DNS poisoning, switch port stealing, ARP poisoning, spoofing attack.

Note: Passive sniffing provides significant stealth advantages over active sniffing, because the attacker transmits nothing that a detection tool could notice.
How an Attacker Hacks the Network Using Sniffers

1. An attacker connects his/her desktop/laptop to a switch port. (Figure 8.4: Discovering a switch to access the network)
2. He/she runs discovery tools to learn about the network topology. (Figure 8.5: Using network discovery tools to learn topology)
3. He/she identifies a victim's machine to target. (Figure 8.6: Identifying the victim's machine)
4. He/she poisons the victim's machine by using ARP spoofing techniques. (Figure 8.7: Attacker sending fake ARP messages)
5. The traffic destined for the victim's machine is redirected to the attacker (MITM). (Figure 8.8: Redirecting the traffic to the attacker)
6. The hacker extracts passwords and sensitive data from the redirected traffic. (Figure 8.9: Attacker extracting sensitive information)
Protocols Vulnerable to Sniffing

• Telnet and Rlogin: keystrokes including usernames and passwords are sent in clear text
• HTTP: data is sent in clear text
• SMTP: passwords and data are sent in clear text
• NNTP: passwords and data are sent in clear text
• POP: passwords and data are sent in clear text
• FTP: passwords and data are sent in clear text
• IMAP: passwords and data are sent in clear text

The remedy in each case is the transport-encrypted variant (SSH in place of Telnet/Rlogin, HTTPS, SMTP with STARTTLS or SMTPS, POP3S, IMAPS, FTPS or SFTP), and it only helps if the client actually validates the server certificate; a sniffer sees nothing but opaque TLS records.
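The following Python program is an added example, not part of the CEH module: it shows what a sniffer on a promiscuous NIC can pull out of the clear-text protocols listed above. The frames, MAC and IP addresses and credentials are all constructed inline, the IP/TCP checksums are left at zero because nothing is put on the wire, and only FTP USER/PASS and HTTP Basic authentication are decoded; the last sample frame is an opaque TLS record, which is what the same traffic looks like once it is wrapped in TLS.

```python
"""Added example (not from the CEH module): recover clear-text credentials from a few
constructed Ethernet/IPv4/TCP frames, as a sniffer on a promiscuous NIC would."""
import base64
import struct

FTP_PORT, HTTP_PORT = 21, 80


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II + IPv4 + TCP frame; checksums are left zero (never sent)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 512, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, frame[tcp_off + data_off:]


def extract_credentials(frames):
    """Scan frames for FTP USER/PASS pairs and HTTP Basic Authorization headers."""
    found = []
    ftp_user = {}  # (client_ip, server_ip) -> last USER seen, so PASS can be paired with it
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        lines = payload.decode("ascii", errors="replace").splitlines()
        if dport == FTP_PORT:
            for line in lines:
                if line.upper().startswith("USER "):
                    ftp_user[(src, dst)] = line[5:].strip()
                elif line.upper().startswith("PASS "):
                    found.append(("ftp", dst, ftp_user.get((src, dst)), line[5:].strip()))
        elif dport == HTTP_PORT:
            for line in lines:
                if line.lower().startswith("authorization: basic "):
                    try:
                        user, _, pw = base64.b64decode(line.split(None, 2)[2]).decode().partition(":")
                    except (ValueError, UnicodeDecodeError):
                        continue  # malformed header: skip it rather than crash the sniffer
                    found.append(("http", dst, user, pw))
    return found


# Constructed sample traffic: one FTP login, one HTTP request with Basic auth, one TLS record.
CLIENT = "aa:bb:cc:dd:ee:01"
SAMPLE_FRAMES = [
    build_frame(CLIENT, "aa:bb:cc:dd:ee:02", "10.0.0.5", "10.0.0.9", 40001, FTP_PORT, b"USER alice\r\n"),
    build_frame(CLIENT, "aa:bb:cc:dd:ee:02", "10.0.0.5", "10.0.0.9", 40001, FTP_PORT, b"PASS s3cret\r\n"),
    build_frame(CLIENT, "aa:bb:cc:dd:ee:03", "10.0.0.5", "10.0.0.10", 40002, HTTP_PORT,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_frame(CLIENT, "aa:bb:cc:dd:ee:04", "10.0.0.5", "10.0.0.11", 40003, 443, b"\x16\x03\x01\x00\x2a"),
]

if __name__ == "__main__":
    for proto, server, user, password in extract_credentials(SAMPLE_FRAMES):
        print(f"{proto:5} {server:12} {user!r} / {password!r}")
```

Run it directly to print the recovered logins. `extract_credentials` takes any list of raw Ethernet frames, so the same function can be fed frames read from a capture file once a pcap reader is added; the TLS frame on port 443 is parsed but yields nothing.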
Hardware Protocol Analyzers

• A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment.
• It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network.
• It captures a data packet, decodes it, and analyzes its content based on certain predetermined rules.
• It allows the attacker to see individual data bytes of each packet passing through the cable.

Hardware protocol analyzers:
• Keysight E2960B (https://www.keysight.com)
• STING Protocol Analyzer (https://utelsystems.com)
• NETSCOUT's OneTouch AT Network Assistant (https://enterprise.netscout.com)
• NETSCOUT's OptiView XG Network Analysis Tablet (https://enterprise.netscout.com)
• Agilent (Keysight Technologies) 8753ES (https://www.microlease.com)

Figure 8.11: Voyager M4x Protocol Analyzer
Figure 8.12: N2X N5540A Agilent Protocol Analyzer
SPAN Port

• A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch.
• When connected to the SPAN port, an attacker can compromise the entire network: the mirror gives passive read access to everything the switch forwards on the mirrored ports, which is why access to SPAN destination ports has to be restricted physically and in the switch configuration.

Figure 8.13: Working of SPAN (hosts hang off the switch, which uplinks to the Internet; the SPAN port feeds a protocol analyzer and a separate IDS port feeds the IDS).

Switched Port Analyzer
• SPAN is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports on the switch.
• A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch.
• When port mirroring is on, the network switch sends a copy of the network packets from the source port to the destination port, which studies the network packets with the help of a network analyzer.
• The user can simultaneously monitor the traffic of multiple ports.
Wiretapping

• Wiretapping is the process of the monitoring of telephone and Internet conversations by a third party.
• Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet.
• It allows an attacker to monitor, intercept, access and record information contained in a data flow in a communication system.

Types of Wiretapping
• Active Wiretapping: It monitors, records, alters, and also injects data into the communication or traffic.
• Passive Wiretapping: It only monitors and records the traffic and collects knowledge regarding the data it contains.

Note: Wiretapping without a warrant or the consent of the concerned person is a criminal offense in most countries.
Lawful Interception

Lawful interception refers to legally intercepting data communication between two endpoints for surveillance on the traditional telecommunications, Voice over Internet Protocol (VoIP), data, and multiservice networks.

Figure 8.14: Telco/ISP lawful interception solution
• The legal authority sends a court order/request for a wiretap to the service provider.
• The service provider intercepts the target's traffic at an access switch/tap or an exchange router and feeds it to a system for real-time reconstruction of the intercepted data, backed by a storage system.
• Law enforcement agencies can access the intercepted data whenever required through a Central Management Server (CMS).

This type of interception is necessary only to monitor messages exchanged on suspicious channels in which the users are engaged in illegal activity. Countries around the world are making strides to standardize this type of procedure for interception.
Module Flow (continued): 2. Sniffing Techniques
MAC/CAM Address Table

• Each switch has a fixed-size dynamic Content Addressable Memory (CAM) table.
• The CAM table stores information such as the MAC addresses available on physical ports with their associated virtual LAN (VLAN) parameters.

MAC Address (Figure 8.15)
• A MAC address is 6 bytes: the first 3 bytes are the Organizationally Unique Identifier (OUI), the last 3 bytes are Network Interface Controller (NIC) specific.
• Two bits of the first byte (its two low-order bits) are flags: the I/G bit (0 = unicast, 1 = multicast) and the U/L bit (0 = globally unique, 1 = locally administered).

Table 8.1: CAM table (values as printed on the slide; they are illustrative and not all valid hexadecimal)
  vlan   MAC Address       Type      Learn   Age   Ports
  255    00d3.ad34.123g    Dynamic   Yes     -     Gi5/2
  5      as23.df45.45t6    Dynamic   Yes     0     Gi2/5
  5      er23.23er.t5e3    Dynamic   Yes     0     Gi1/6
How CAM Works

• If the CAM table is flooded with more MAC addresses than it can hold, the switch will turn into a hub.
• The CAM table does this to ensure the delivery of data to the intended host.
• Attackers exploit this vulnerability in the CAM table to sniff network data.
• An attacker who can connect to the shared switch of the Ethernet segment can easily sniff network data.

Refer to the diagrams of the working of the CAM table. Three machines are shown: Machine A, Machine B, and Machine C, each holding MAC addresses A, B, and C.

Step 1 (Figure 8.16: Working of CAM table, step 1): Machine A, holding the MAC address A, wants to interact with Machine B. Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply. (CAM table: MAC A is on port 1; B is unknown, so the switch broadcasts the ARP request out of every other port.)

Step 2 (Figure 8.17: Working of CAM table, step 2): Machine B possesses the target/destination IP address, so it sends an ARP reply along with its MAC address ("I am MAC B"). The CAM table stores this MAC address along with the port on which this machine is connected. (CAM table: A is on port 1; learn B is on port 2.)

Step 3 (Figure 8.18: Working of CAM table, step 3): Now the connection is successfully established, and Machine A forwards the traffic to Machine B, while Machine C is unable to see the traffic flowing between them. (CAM table: B is on port 2; Machine C does not see the traffic to B.)

Strictly, the switch learns from the source MAC of every frame it receives, not only from ARP replies; the ARP exchange is simply the first traffic each host sends.
What Happens When a CAM Table Is Full?

• Once the CAM table fills up on a switch, additional traffic with unknown addresses floods every port on the switch.
• This will change the behavior of the switch to reset to its learning mode, broadcasting on every port like a hub.
• This attack will also fill the CAM tables of adjacent switches, because the bogus source addresses are learned by every switch the flooded frames reach.

Figure 8.19: Flooding a CAM table. The figure illustrates how a CAM table can be flooded with fake MAC addresses (Y is on Port 3, Z is on Port 3, ...) to monitor the frames sent from the victim host to another host without any CAM table entry: traffic A -> B is now delivered to Port 3 as well, so MAC C can see the traffic from A to B.
MAC Flooding

• MAC flooding involves the flooding of the CAM table with fake MAC address and IP pairs until it is full.
• The switch then acts as a hub by broadcasting packets to all machines on the network, and therefore the attackers can sniff the traffic easily.

MAC Flooding Switches with macof
• macof is a Unix/Linux tool that is a part of the dsniff collection.
• macof sends random source MAC and IP addresses.
• This tool floods the switch's CAM tables (131,000 per min) by sending bogus MAC entries.

  [root@parrot]# macof -i eth0 -n 10

Each output line shows a random source MAC, a random destination MAC and a TCP SYN between random ports, in the form:

  <random src MAC> <random dst MAC> 0.0.0.0.21067 > 0.0.0.0.45855: S 746864890:746864890(0) win 512

The -n 10 in the screenshot limits the run to ten frames; without it macof runs until interrupted, which is what an attacker needs, since CAM entries age out and the table must be kept full.

Figure 8.21: MAC flooding using macof (the attacker, User 1 and User 2 are connected to the same switch, which receives the MAC address flood).
Assume that there are three machines in a network: Host A, the target's Host B, and the attacker's Host C.

Table 8.2: Details of three hosts in a network (the MAC addresses are placeholders from the slide; "gg" and "hh" are not valid hexadecimal digits)
  Machine   MAC Address          IP Address   Port
  Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     Port A
  Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     Port B
  Host C    cc-dd-ee-ff-gg-hh    10.0.0.3     Port C

The switch's ARP cache and MAC table contain the following values:

Table 8.3: MAC table
  Vlan   Machine   MAC Address          IP Address   Age   Ports
  255    Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     0     Port A
  5      Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     0     Port B
  5      Host C    cc-dd-ee-ff-gg-hh    10.0.0.3     0     Port C

Table 8.4: ARP cache table
  IP         MAC
  10.0.0.1   aa-bb-cc-dd-ee-ff
  10.0.0.2   bb-cc-dd-ee-ff-gg
  10.0.0.3   cc-dd-ee-ff-gg-hh

Switch Port Stealing

1. Switch port stealing is a sniffing technique used by an attacker who spoofs both the IP address and the MAC address of the target machine (Host B).

   Table 8.5: Switch updated with a spoofed entry
     Machine   MAC Address          IP Address   Port
     Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     Port A
     Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     Port B
     Host C    bb-cc-dd-ee-ff-gg    10.0.0.2     Port C

2. The attacker's machine runs a sniffer that turns the machine's NIC adapter to promiscuous mode.

3. Host A, associated with the IP address 10.0.0.1, wants to communicate with Host B, associated with the IP address 10.0.0.2. Therefore, Host A sends an ARP request ("I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?").

4. The switch broadcasts this ARP request to all the machines in the network.

5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to the ARP request by sending an ARP reply containing the spoofed MAC and IP addresses ("I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg"). The attacker can achieve this by launching an attack such as denial of service (DoS) on Host B, which slows down its response.

6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.

   Table 8.6: ARP cache updated with a spoofed entry
     IP         MAC
     10.0.0.1   aa-bb-cc-dd-ee-ff
     10.0.0.2   bb-cc-dd-ee-ff-gg
     10.0.0.2   bb-cc-dd-ee-ff-gg

7. The spoofed MAC address of target Host B (bb-cc-dd-ee-ff-gg) and the port connected to the attacker's machine (Port C) update the switch's CAM table, because the switch learns the source MAC of every frame it receives. Now a connection is established between Host A and the attacker's machine (Host C).

   Table 8.7: MAC table updated with a spoofed entry
     VLAN   Machine   MAC Address          IP Address   Age   Ports
     255    Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     0     Port A
     5      Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     0     Port B
     5      Host C    bb-cc-dd-ee-ff-gg    10.0.0.2     0     Port C

8. Now the switch will forward all the packets directed towards Host B to Host C through Port C, i.e., the attacker's machine. Thus, an attacker can sniff the packets sent to Host B.

Note that a plain layer-2 switch forwards on the CAM table alone and keeps no ARP cache for transit traffic; the ARP cache of Tables 8.4 and 8.6 is the one the hosts (or a layer-3 switch) hold. What actually steals the port is the CAM entry in Table 8.7 that ties Host B's MAC to Port C, and since the real Host B keeps transmitting too, that entry flaps between Port B and Port C until the attacker's forged frames win the race, which is why port-stealing tools send them continuously.
How to Defend against MAC Attacks

Figure 8.23: Flooding CAM tables (132,000 bogus MACs arriving on one port)
Figure 8.24: Blocking MAC flooding (only one MAC address allowed on the switch port)

Configuring Port Security on a Cisco Switch (interface configuration mode):

  switchport port-security
  switchport port-security maximum 1 vlan access
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity
  snmp-server enable traps port-security trap-rate 5

As shown in the figure, the number of MAC addresses allowed on the switch port is limited to one; therefore, additional MAC addresses are recognized as flooding. Port security locks down the port and sends an SNMP trap (with violation restrict the offending frames are dropped and counted while the port stays up; violation shutdown would place the port in err-disabled state instead; the snmp-server command is entered in global configuration mode).

Port security can be used to restrict inbound traffic to only a selected set of MAC addresses and limit MAC flooding attacks. Size the maximum to the port's real population: a port behind a hub, an IP phone with a PC daisy-chained, or a virtualization host legitimately presents several MACs, and maximum 1 would cut it off.
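The following Python model is an added example, not code from the CEH module or from Cisco: it reduces a switch to a CAM table with a fixed capacity and shows, with constructed MAC addresses and a deliberately tiny table, the three behaviours described in this section. demo_flooding is the macof-style flood of "What Happens When a CAM Table Is Full" and "MAC Flooding", demo_port_stealing is the switch port stealing sequence of Tables 8.5 to 8.7, and demo_port_security is the switchport port-security maximum 1 / violation restrict configuration above. The capacity, port names, host MACs and the per-port limit are assumptions, and the fail-open rule is simplified to "flood once the table is full".

```python
"""Added example (not from the CEH module or Cisco): a toy switch whose CAM table has a
fixed capacity, used to show MAC flooding (fail-open), switch port stealing and the
port-security 'maximum 1 / violation restrict' countermeasure. All values are constructed."""
import random


class Switch:
    def __init__(self, capacity, ports, max_macs_per_port=None):
        self.capacity = capacity                 # CAM table size in entries (tiny on purpose)
        self.ports = list(ports)
        self.cam = {}                            # MAC -> port
        self.max_per_port = max_macs_per_port    # port-security limit; None = not configured
        self.violations = {p: 0 for p in ports}  # what 'violation restrict' counts and traps

    def _learn(self, src_mac, in_port):
        """Learn the source MAC of a frame; returns why the table did or did not change."""
        if src_mac in self.cam:
            self.cam[src_mac] = in_port          # a MAC seen on a new port is re-pointed
            return "known"
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_per_port:
                self.violations[in_port] += 1
                return "violation"
        if len(self.cam) >= self.capacity:
            return "full"
        self.cam[src_mac] = in_port
        return "learned"

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is delivered to."""
        if self._learn(src_mac, in_port) == "violation":
            return set()                         # port security dropped the frame
        out = self.cam.get(dst_mac)
        # Simplified fail-open: once the table is full of bogus entries the module says the
        # switch behaves as a hub. (A real switch floods only unknown destinations, but a
        # full table stops legitimate entries from being relearned after they age out.)
        if out is None or len(self.cam) >= self.capacity:
            return {p for p in self.ports if p != in_port}
        return {out}


def random_mac():
    """Locally administered (U/L bit set) unicast address, like macof's bogus sources."""
    return "02:" + ":".join(f"{random.randrange(256):02x}" for _ in range(5))


A, B, C = "aa:bb:cc:dd:ee:ff", "bb:cc:dd:ee:ff:00", "cc:dd:ee:ff:00:11"   # constructed hosts


def demo_flooding(capacity=64, seed=1):
    """Before the flood only Port B sees A->B; after the CAM fills, Port C (attacker) sees it too."""
    random.seed(seed)
    sw = Switch(capacity, ["PortA", "PortB", "PortC"])
    sw.forward(B, A, "PortB")                    # B talks first so the switch learns its port
    before = sw.forward(A, B, "PortA")
    for _ in range(capacity * 2):                # macof-style flood of bogus source MACs
        sw.forward(random_mac(), random_mac(), "PortC")
    after = sw.forward(A, B, "PortA")
    return before, after


def demo_port_stealing():
    """Attacker on Port C sends a frame whose source MAC is B's; A->B now goes to Port C."""
    sw = Switch(64, ["PortA", "PortB", "PortC"])
    sw.forward(B, A, "PortB")                    # legitimate entry: B on Port B
    sw.forward(B, A, "PortC")                    # forged frame re-points B to Port C
    return sw.forward(A, B, "PortA")


def demo_port_security(capacity=64, seed=1):
    """Same flood against 'switchport port-security maximum 1 ... violation restrict'."""
    random.seed(seed)
    sw = Switch(capacity, ["PortA", "PortB", "PortC"], max_macs_per_port=1)
    sw.forward(B, A, "PortB")
    sw.forward(C, A, "PortC")                    # the attacker's own MAC fills Port C's quota
    for _ in range(capacity * 2):
        sw.forward(random_mac(), random_mac(), "PortC")
    return sw.forward(A, B, "PortA"), len(sw.cam), sw.violations["PortC"]


if __name__ == "__main__":
    print("flooding   :", demo_flooding())
    print("port steal :", demo_port_stealing())
    print("port-sec   :", demo_port_security())
```

With port security on, the flood never gets past the attacker's port: the CAM stays at three entries and the 128 dropped frames show up as a violation counter, which is the number an SNMP trap or a syslog rule should alert on.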

How DHCP Works

• Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on IP networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client-server architecture.
• DHCP servers maintain TCP/IP configuration information, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server, in a database.
• It provides address configurations to DHCP-enabled clients in the form of a lease offer.

Figure 8.25: Working of DHCP
  1. User -> DHCP server (through a DHCP relay agent when the server is on another subnet): DHCPDISCOVER (IPv4) / SOLICIT (IPv6), broadcast: "Send my DHCP configuration information"
  2. DHCP server -> User: DHCPOFFER (IPv4) / ADVERTISE (IPv6), unicast (this step is shown in Figure 8.29)
  3. User -> DHCP server: DHCPREQUEST (IPv4) / REQUEST (IPv6), broadcast
  4. DHCP server -> User: DHCPACK (IPv4) / REPLY (IPv6), unicast: "Here is your configuration"
       IP Address: 10.0.0.20
       Subnet Mask: 255.255.255.0
       Default Routers: 10.0.0.1
       DNS Servers: 192.168.168.2, 192.168.168.3
       Lease Time: 2 days
DHCP Starvation Attack

• The attacker floods the DHCP server by sending numerous DHCP requests and uses all of the available IP addresses that the DHCP server can issue.
• As a result, the server cannot issue any more IP addresses, leading to a DoS attack.
• Because of this issue, valid users cannot obtain or renew their IP addresses; thus, they fail to access their network.
• An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Yersinia, Hyenae, and Gobbler.

Figure 8.27: DHCP starvation attack. The attacker sends many different DHCP requests with many source MACs and is leased 10.10.10.1, 10.10.10.2, 10.10.10.3, ..., 10.10.10.254; the server runs out of IP addresses to allocate to valid users, and the user is unable to get a valid IP address.

DHCP Starvation Attack Tool: Yersinia

Figure 8.28: Screenshot of Yersinia (yersinia 0.8.2 by Slay & tomac, DHCP mode). The packet list shows a stream of DISCOVER messages from SIP 0.0.0.0 to DIP 255.255.255.255 on eth0, all with the same "Last seen" timestamp; Total Packets: 154037, DHCP Packets: 154037, MAC Spoofing [X]. The DHCP fields pane shows Destination MAC FF:FF:FF:FF:FF:FF, SIP 000.000.000.000, DIP 255.255.255.255, SPort 00068, DPort 00067, Op 01, Htype 01, HLEN 06, Hops 00, Xid 643C9869, Secs 0000, Flags 8000, and CI/YI/SI/GI addresses of 000.000.000.000. Flags 8000 is the DHCP broadcast flag: it asks the server to broadcast its reply, which a spoofed client that cannot receive unicast still gets to see.

Other DHCP starvation attack tools:
• dhcpstarv (https://github.com)
• Gobbler (https://sourceforge.net)
• DHCPig (https://github.com)

A scope only stays exhausted for the lease time, so these tools keep the flood running for as long as the attack is needed.
Rogue DHCP Server Attack

• An attacker can perform MITM attacks such as sniffing.
• An attacker who succeeds in exhausting the DHCP server's IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator.
• The rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway.
• Clients connected to the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client's machine will reach the rogue server first.
• Starvation is not strictly required: clients accept the first DHCPOFFER they receive, so a rogue server that answers faster than the legitimate one wins the client without it.

Figure 8.29: Rogue DHCP server attack
  1. User: DHCPDISCOVER (IPv4) / SOLICIT (IPv6), broadcast (reaches both the legitimate DHCP server and the rogue server)
  2. Rogue server: DHCPOFFER (IPv4) / ADVERTISE (IPv6), unicast from the rogue server
  3. User: DHCPREQUEST (IPv4) / REQUEST (IPv6), broadcast
  4. Rogue server: DHCPACK (IPv4) / REPLY (IPv6), unicast from the rogue server

By running a rogue DHCP server, an attacker can send incorrect TCP/IP settings:
  IP Address: 10.0.0.20                       -> wrong IP address: DoS with a spoofed IP
  Subnet Mask: 255.255.255.0
  Default Routers: 10.0.0.1                   -> wrong default gateway: the attacker is the gateway
  DNS Servers: 192.168.168.2, 192.168.168.3   -> wrong DNS server: the attacker is the DNS server
  Lease Time: 2 days
How to Defend Against DHCP Starvation and Rogue Server Attacks

Defend Against DHCP Starvation
• Enable port security to defend against a DHCP starvation attack.
• Port security limits the maximum number of MAC addresses on the switch port.
• When the limit is exceeded, the switch drops subsequent MAC address requests (packets) from external sources, which safeguards the server against a DHCP starvation attack.
• Port security alone does not stop a tool that keeps its real source MAC and only varies the DHCP client hardware address (chaddr) inside the message; DHCP snooping's per-port rate limit and its check that chaddr matches the frame's source MAC cover that case.

Defend Against Rogue Server Attack
• Enable DHCP snooping, which allows the switch to accept a DHCP transaction directed only from a trusted port.
• The DHCP snooping feature that is available on switches can mitigate rogue DHCP servers.
• It is configured on the port to which the valid DHCP server is connected.
• Once configured, DHCP snooping does not allow other ports on the switch to respond to DHCP Discover packets sent by clients.
• Thus, even an attacker who manages to build a rogue DHCP server and connect it to the switch cannot respond to DHCP Discover packets.
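The following Python program is an added example, not code from the CEH module, Yersinia or any switch vendor: it builds and parses DHCP messages in the RFC 2131 layout visible in the Yersinia screenshot (op, htype, hlen, xid, flags 0x8000, chaddr, magic cookie, option 53), then runs a constructed starvation burst and a rogue DHCPOFFER through a small model of DHCP snooping with one trusted port, a chaddr-versus-source-MAC check and a per-port DISCOVER rate limit. Port names, MAC addresses, the 10.0.0.0/24 values and the rate limit of 15 are assumptions.

```python
"""Added example (not from the CEH module, Yersinia or a switch vendor): RFC 2131 DHCP
message builder/parser plus a toy DHCP-snooping filter (trusted server port, chaddr check,
per-port DISCOVER rate limit) run against a constructed starvation burst and a rogue OFFER."""
import random
import struct

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=()):
    """Serialise a DHCP message: 236-byte BOOTP header, magic cookie, TLV options, end."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,        # htype 1, hlen 6, broadcast flag
                         b"\0" * 4, bytes(map(int, yiaddr.split("."))), b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return header + MAGIC + opts + b"\xff"


def parse_dhcp(data):
    """Return the fields a snooping switch cares about."""
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = data[2]
    msg = {"op": data[0], "xid": struct.unpack("!I", data[4:8])[0],
           "yiaddr": ".".join(map(str, data[16:20])),
           "chaddr": ":".join(f"{b:02x}" for b in data[28:28 + hlen]), "msg_type": None}
    i = 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        if code == 53:
            msg["msg_type"] = data[i + 2]
        i += 2 + length
    return msg


class DhcpSnooping:
    """Models 'ip dhcp snooping': server replies only from trusted ports, chaddr must match
    the frame's source MAC on untrusted ports, and DISCOVERs are rate-limited per port."""
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit           # DISCOVERs allowed per untrusted port
        self.counts = {}
        self.err_disabled = set()

    def filter(self, port, src_mac, data):
        """Return 'forward' or the reason the message was dropped."""
        if port in self.err_disabled:
            return "drop: port err-disabled"
        msg = parse_dhcp(data)
        if port in self.trusted:
            return "forward"
        if msg["op"] == BOOTREPLY:
            return "drop: server message on untrusted port"      # rogue server defence
        if msg["chaddr"] != src_mac:
            return "drop: chaddr does not match source MAC"      # spoofed client identity
        if msg["msg_type"] == DISCOVER:
            self.counts[port] = self.counts.get(port, 0) + 1
            if self.counts[port] > self.rate_limit:                # starvation defence
                self.err_disabled.add(port)
                return "drop: rate limit exceeded, port err-disabled"
        return "forward"


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def router_option(ip):
    """DHCP option 3 (router): the value a rogue server abuses to become the gateway."""
    return [(3, bytes(map(int, ip.split("."))))]


def demo(rate_limit=15, burst=100, seed=7):
    """Starvation burst on Gi1/3, rogue OFFER on Gi1/4, real server on trusted Gi1/1."""
    rng = random.Random(seed)
    sw = DhcpSnooping(trusted_ports={"Gi1/1"}, rate_limit=rate_limit)
    forwarded = 0
    for n in range(burst):                     # Yersinia-style DISCOVERs, new MAC each time
        mac = random_mac(rng)
        if sw.filter("Gi1/3", mac, build_dhcp(BOOTREQUEST, 0x1000 + n, mac, DISCOVER)) == "forward":
            forwarded += 1
    victim = "aa:bb:cc:dd:ee:01"
    rogue = build_dhcp(BOOTREPLY, 0x42, victim, OFFER, "10.0.0.20", router_option("10.0.0.99"))
    real = build_dhcp(BOOTREPLY, 0x42, victim, OFFER, "10.0.0.20", router_option("10.0.0.1"))
    return {"starvation_forwarded": forwarded,
            "rogue_offer": sw.filter("Gi1/4", "cc:dd:ee:ff:00:11", rogue),
            "real_offer": sw.filter("Gi1/1", "00:11:22:33:44:55", real)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:21} {verdict}")
```

Only the first 15 DISCOVERs of the burst reach the server before Gi1/3 is err-disabled, the rogue OFFER on the untrusted Gi1/4 is dropped because only a trusted port may carry a BOOTREPLY, and the identical OFFER from the real server on Gi1/1 is forwarded; swapping the source MAC of a client frame so that it no longer matches chaddr hits the third rule.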
Figure 8.30: Defending against a DHCP starvation attack (port security on the user-facing ports; the DHCP server, the attacker and the user hang off the same switch)
Figure 8.31: Defending against a rogue server attack (DHCP snooping enabled: the DHCP server sits on a trusted port, the attacker's and the user's ports are untrusted)
What Is Address Resolution Protocol (ARP)?

• Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses.
• All network devices that need to communicate on the network broadcast ARP queries on the network to discover other machines' MAC addresses.
• When one machine needs to communicate with another, it looks up the IP address in its ARP table. If the MAC address is not found in the table, an ARP REQUEST is broadcast over the network.
• All machines on the network will compare this IP address to their own IP address.
• If one of the machines on the network identifies with this IP address, it will respond to the ARP REQUEST with its IP address (confirmation) and MAC address. The requesting machine will store the address pair in the ARP table and start the communication.

Figure 8.32: Working of ARP protocol. The host 10.10.10.1 wants to connect to 10.10.10.3 but needs its MAC address, so it broadcasts an ARP REQUEST ("Hello, I need the MAC address of 10.10.10.3"); every host on the segment, including 10.10.10.2, receives the request, but only 10.10.10.3 answers with an ARP REPLY ("I am 10.10.10.3. My MAC address is ..."), after which the connection is established.

Figure 8.33: ARP cache, the output of the following command on Windows:

  C:\Users\Admin>arp -a

It lists, per interface (here 169.254.138.25 on interface 0x3 and 10.10.10.10 on interface 0xe), the Internet Address, Physical Address and Type of each entry: dynamic entries for the hosts recently talked to (10.10.10.1 and 10.10.10.2) and static entries for the broadcast address (ff-ff-ff-ff-ff-ff) and the multicast groups 224.0.0.22, 224.0.0.252 and 239.255.255.250. A dynamic entry whose MAC changes between two runs of this command is the simplest manual indicator of ARP poisoning.
ARP Spoofing Attack

• ARP packets can be forged to send data to the attacker's machine.
• ARP spoofing involves constructing many forged ARP request and reply packets to overload the switch.
• The switch is set in "forwarding" mode after the ARP table is flooded with spoofed ARP replies, and attackers can then sniff all the network packets.
• Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.

Figure 8.34: Working of an ARP spoofing attack
  1. User A: "I want to connect to 10.1.1.1, but I need a MAC address." User A sends an ARP request onto the wire and the switch broadcasts it.
  2. The actual legitimate user (10.1.1.1) responds to the ARP request: "Yes, I am here. This is 10.1.1.1 and my MAC address is A1-B1-C1-D1-E1-F1."
  3. The malicious user (attacker) eavesdrops on the ARP request and responses and spoofs as the legitimate user, sending his malicious MAC address: "I am 10.1.1.1 and my MAC address is 26-11-34-56-23-45."
  4. User A's ARP cache is poisoned: information for IP address 10.1.1.1 is now being sent to MAC address 26-11-34-56-23-45.

Note that the poisoning works against the hosts' ARP caches rather than the switch: one unsolicited reply every few seconds is enough to keep the victim's entry pointing at the attacker, the switch keeps forwarding normally, and the attack stays quiet unless a tool such as arpwatch or a switch feature such as Dynamic ARP Inspection is watching for unsolicited replies and changed IP-to-MAC bindings.
Threats of ARP Poisoning

Using fake ARP messages, an attacker can divert all communications between two machines, resulting in all traffic being exchanged via the attacker's PC.

• Packet Sniffing: Sniffs traffic over a network or a part of the network.
• Session Hijacking: Steals valid session information and uses it to gain unauthorized access to an application.
• VoIP Call Tapping: Uses port mirroring, which allows the VoIP call tapping unit to monitor all network traffic.
• Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic.
• Man-in-the-Middle Attack: An attacker performs a MITM attack where they reside between the victim and the server.
• Data Interception: Intercepts IP addresses, MAC addresses, and VLANs connected to the switch in a network.
• Connection Hijacking: In connection hijacking, an attacker can manipulate a client's connection to take complete control.
• Connection Resetting
• Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames and passwords.
• DoS Attack: Links multiple IP addresses with the single MAC address of the target host, so that traffic intended for different IP addresses is all delivered to the target host, which will be overloaded with a huge amount of traffic.
ARP Poisoning Tools

arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies.

Parrot Terminal:

    arpspoof -i eth0 -t 10.10.10.2 10.10.10.10

Each output line shows the forged frame being sent, in the form

    <attacker MAC> <target MAC> 0806 42: arp reply 10.10.10.10 is-at <attacker MAC>

repeated every couple of seconds so that the poisoned entry never expires (0806 is the EtherType of ARP and 42 the length of the frame in bytes). The target's ARP cache entry for 10.10.10.10 is obtained and its MAC address is replaced with that of the attacker's system.

Reverse the command so that the attacker can send replies both ways:

    arpspoof -i eth0 -t 10.10.10.10 10.10.10.2

Before poisoning both directions, enable IP forwarding on the attacker's system (on Linux, sysctl -w net.ipv4.ip_forward=1); otherwise the victims' traffic is dropped at the attacker and the attack becomes a denial of service rather than a transparent man-in-the-middle.

Other ARP poisoning tools:
• BetterCAP (https://www.bettercap.org)
• Ettercap (http://www.ettercap-project.org)
• dsniff (https://www.monkey.org)
• MITMf (https://github.com)
• Arpoison (https://sourceforge.net)
How to Defend Against ARP Poisoning

• Dynamic ARP Inspection (DAI) prevents poisoning attacks.
• DAI is a security feature that validates ARP packets in a network.
• When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default.
• DAI validates the ARP packets using a DHCP snooping binding table.
• The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces.
• Hence, you must enable DHCP snooping before enabling DAI.
• To validate the ARP packet, the DAI performs IP-address-to-MAC-address binding inspection against the bindings stored in the DHCP snooping database before forwarding the packet to its destination.
• If an ARP packet binds an IP address to a MAC address that is not in the table, the DAI will discard the ARP packet. This closes the ARP-poisoning route to MITM attacks on that VLAN.
• Two operational caveats: ports that face other switches or the DHCP server must be configured as trusted, or legitimate ARP traffic arriving over them is dropped; and hosts with static IP addresses never appear in the snooping table, so they need static bindings (or ARP access lists) before DAI is switched on.
How to Defend Against ARP Poisoning (Cont'd)

Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table

    sh ip dhcp snooping binding
    MacAddress   IpAddress   Lease(sec)   Type   VLAN   Interface
    <MAC A>      ...         125864       dhcp   ...    FastEthernet3/18

Figure 8.36: Defending against ARP poisoning (DHCP Snooping and Dynamic ARP Inspection are enabled on the switch; the binding table entry above belongs to the host with MAC A on FastEthernet3/18. Hosts 10.10.10.2 (MAC B) and 10.10.10.5 (MAC C) send ARP packets claiming that other hosts' IP addresses map to MAC C. The switch checks the MAC and IP fields to see if the ARP from the interface is in the binding table; if there is no matching entry, the packet is discarded and the traffic is blocked.)
ARP Spoofing Detection Tools

XArp is a security tool that helps administrators detect ARP attacks and ensure data privacy (http://www.xarp.net).

Figure: XArp 2.2.2 (unregistered version) main window. Status: "ARP attacks detected! Security level set to: basic" (the basic security level operates a default attack detection strategy that can detect all standard attacks and is the suggested level for default use). The mapping table has MAC, Host, Vendor (VMware, Inc.), Interface, Online, Cache and First seen columns and lists 10.10.10.1, 10.10.10.2, the Windows 10 and Parrot hosts and 10.10.10.254; the status bar reads "5 mappings - 2 interfaces - 5 alerts".

Other ARP spoofing detection tools:
• Capsa Network Analyzer (https://www.colasoft.com)
• ArpON (https://sourceforge.net)
• ARP AntiSpoofer (https://sourceforge.net)
• ARPStraw (https://github.com)
• shARP (https://github.com)
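An added example, not code from XArp or any of the tools listed above, of the checks such detection tools perform, run over a constructed ARP trace that mirrors the arpspoof session shown earlier on this page: an IP address whose MAC changes, one MAC answering for several IP addresses, and replies that nobody asked for. The trace and MAC addresses are made up for the example.

```python
"""Heuristic ARP spoofing detection over a trace of ARP packets.
Added example for this page, not code from XArp or the other tools listed.
SAMPLE_TRACE is constructed to mirror the arpspoof session shown earlier:
the attacker's MAC starts answering for both 10.10.10.1 and 10.10.10.2."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
LEGIT_GW, LEGIT_HOST, ATTACKER = "00:0c:29:00:00:01", "00:0c:29:00:00:02", "00:0c:29:de:ad:01"

SAMPLE_TRACE = [
    # (time in s, opcode, sender IP, sender MAC, target IP)
    (0.0, ARP_REQUEST, "10.10.10.2", LEGIT_HOST, "10.10.10.1"),
    (0.1, ARP_REPLY,   "10.10.10.1", LEGIT_GW,   "10.10.10.2"),
    (5.0, ARP_REPLY,   "10.10.10.1", ATTACKER,   "10.10.10.2"),   # unsolicited, MAC changed
    (5.0, ARP_REPLY,   "10.10.10.2", ATTACKER,   "10.10.10.1"),   # same MAC, second IP
    (7.0, ARP_REPLY,   "10.10.10.1", ATTACKER,   "10.10.10.2"),   # arpspoof repeats every 2 s
    (9.0, ARP_REPLY,   "10.10.10.1", ATTACKER,   "10.10.10.2"),
]

def detect_arp_poisoning(trace, request_window: float = 2.0) -> list:
    """Return alert strings for three symptoms of cache poisoning:
      1. a reply with no matching request in the last `request_window` seconds;
      2. an IP whose MAC differs from the one learnt earlier;
      3. one MAC that has now answered for more than one IP (gateway + victim)."""
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    last_request = {}                      # target IP -> time of the latest request for it
    for ts, op, sender_ip, sender_mac, target_ip in trace:
        if op == ARP_REQUEST:
            last_request[target_ip] = ts
            continue
        if op != ARP_REPLY:
            continue
        asked = last_request.get(sender_ip)
        if asked is None or ts - asked > request_window:
            alerts.append(f"{ts:.1f}s unsolicited reply: {sender_ip} is-at {sender_mac}")
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(f"{ts:.1f}s MAC change for {sender_ip}: {previous} -> {sender_mac}")
        ip_to_mac[sender_ip] = sender_mac
        known = len(mac_to_ips[sender_mac])
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > max(known, 1):
            alerts.append(f"{ts:.1f}s {sender_mac} now claims {sorted(mac_to_ips[sender_mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_TRACE):
        print(alert)
```

The first two heuristics fire on the very first forged reply; the third needs the attacker to poison both ends of a conversation, which is what a man-in-the-middle must do. On a live network the trace would come from a capture of EtherType 0x0806 frames, and a gateway whose MAC is pinned with a static ARP entry cannot be overwritten by any of these replies.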
MAC Spoofing/Duplicating

• A MAC duplicating attack is launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses.
• By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for the user.
• This attack allows an attacker to gain access to the network and take over someone's identity on the network.
• Any access control that keys only on the source MAC address (switch port security, MAC filtering on access points, MAC-based NAC exceptions) is bypassed this way, because the MAC address is visible in every frame the legitimate user sends.

Figure 8.38: MAC spoofing/duplicating attack (switch rule: "Allow access to the network only if your MAC address is <the legitimate user's MAC>". The attacker sniffs the network for the MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port; the legitimate user's and the attacker's traffic both pass through the switch to the Internet.)
MAC Spoofing Technique: Windows

In Windows 10 OS, click Start, search for Control Panel and open it, then navigate to Network and Internet > Network and Sharing Center.

Method 1: If the network interface card supports clone MAC address, then follow these steps:
• Click on Ethernet and then click on Properties in the Ethernet Status window.
• In the Ethernet Properties window, click on the Configure button and then click on the Advanced tab.
• Under the "Property" section, browse for Network Address and click on it.
• On the right side, under "Value", type in the new MAC address you would like to assign and click OK. Note: enter the MAC address number without a ":" between the number pairs (the screenshot shows the value 000A959D6816).
• Type "ipconfig /all" or "net config rdr" in the command prompt to verify the changes.
• If the changes are visible then reboot the system, otherwise try method 2 (change MAC address in the registry).

Figure: Realtek PCIe GBE Family Controller Properties, Advanced tab (the property list shows Flow Control, Interrupt Moderation, Network Address, Priority & VLAN, Receive Buffers, Speed & Duplex and Transmit Buffers; Network Address is selected and the new value is entered in place of "Not Present").
MAC Spoofing Technique: Windows (Cont'd)

Method 2: Steps to change the MAC address in the Registry
• Press Win + R to open Run, type regedt32 to start the registry editor. Note: do not type Regedit to start the registry editor. (On current Windows versions regedt32.exe simply launches regedit.exe, so the two are equivalent.)
• Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" and double click on it to expand the tree.
• 4-digit subkeys representing network adapters will be displayed (starting with 0000, 0001, 0002, etc.).
• Search for the proper "DriverDesc" key to find the desired interface.
• Right-click on the appropriate subkey and add a new string value "NetworkAddress" (data type "REG_SZ") to contain the new MAC address.
• Right click on the "NetworkAddress" string value on the right side and select Modify...
• In the "Edit String" dialogue box "Value data" field enter the new MAC address and click "OK".
• Disable and then re-enable the network interface that was changed or reboot the system.

As with method 1, the value is the 12 hexadecimal digits with no separators, and the change only takes effect if the driver honours the NetworkAddress setting.

Figure: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\<adapter subkey>, showing values such as DriverDesc = "Intel(R) 82574L Gigabit Network Connection", DriverVersion = 12.12.50.6, ComponentId, DeviceInstanceID, NetLuidIndex = 0x00008000 (32768) and the NetworkAddress REG_SZ value, with the Edit String dialog (Value name: NetworkAddress, Value data: the new MAC address) open.
MAC Spoofing Tools

Technitium MAC Address Changer (TMAC) allows you to change (spoof) the Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly.

Figure: Technitium MAC Address Changer v6 by Shreyas Zare. The Network Connections list shows the adapters (Local Area Connection* 1, 2 and 4, and Ethernet) with their Changed, MAC Address, Link Status and Speed columns. Connection Details for the Ethernet adapter (Realtek PCIe GBE Family Controller) show the original and active MAC address, hardware ID and TCP/IPv4 and TCP/IPv6 status. The Change MAC Address panel offers a Random MAC Address button, "Automatically restart network connection to apply changes", "Make new MAC address persistent", "Use '02' as first octet of MAC address (Why?)" and a Change Now! button.

Other MAC spoofing tools:
• SMAC (http://www.klcconsulting.net)
• MAC Address Changer (https://www.novirusthanks.org)
• Change MAC Address (https://lizardsystems.com)
• Easy Mac Changer (https://github.com)
• Spoof-Me-Now (https://sourceforge.net)
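The TMAC option "Use '02' as first octet of MAC address" refers to the locally administered bit of the first octet. The following is an added example, not part of the CEH material or of TMAC, that generates a spoofed address with that bit set, tests an arbitrary address for it, and renders addresses in the forms the Windows procedures above expect (the 12-digit NetworkAddress value and the dash-separated form printed by ipconfig /all). The only protocol fact it relies on is IEEE 802 addressing: in the first octet, bit 0 is the I/G (multicast) bit and bit 1 is the U/L (locally administered) bit.

```python
"""Locally administered MAC addresses for spoofing tools.
Added example for this page (not from the CEH slides or from TMAC).
A first octet of 0x02 is a unicast, locally administered address, which is
why TMAC offers it; many drivers, notably Windows Wi-Fi drivers, refuse an
override whose U/L bit is clear because it would sit in vendor (OUI) space."""
import os
import re

_SEPARATORS = re.compile(r"[:\-.\s]")

def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff."""
    digits = _SEPARATORS.sub("", text.strip())
    if len(digits) != 12 or not all(c in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_multicast(mac: bytes) -> bool:
    return bool(mac[0] & 0x01)

def is_locally_administered(mac: bytes) -> bool:
    return bool(mac[0] & 0x02)

def make_local_unicast(mac: bytes) -> bytes:
    """Clear the I/G bit and set the U/L bit, leaving the other 46 bits alone."""
    first = (mac[0] & ~0x01) | 0x02
    return bytes([first]) + mac[1:]

def random_local_mac(randbytes=os.urandom) -> bytes:
    """A fresh spoof address; `randbytes` is injectable so the result is testable."""
    return make_local_unicast(randbytes(6))

def format_mac(mac: bytes, style: str) -> str:
    """'registry' -> 12 hex digits (Windows NetworkAddress value, no separators);
    'windows'  -> AA-BB-CC-DD-EE-FF as printed by ipconfig /all;
    'unix'     -> aa:bb:cc:dd:ee:ff as used by ip link / ifconfig."""
    hexdigits = mac.hex()
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    if style == "registry":
        return hexdigits.upper()
    if style == "windows":
        return "-".join(pairs).upper()
    if style == "unix":
        return ":".join(pairs)
    raise ValueError(style)

def acceptable_override(text: str) -> bool:
    """Would a strict driver accept this address as a NetworkAddress override?
    It must be unicast, locally administered, and neither all-zero nor all-ones."""
    mac = parse_mac(text)
    return (not is_multicast(mac) and is_locally_administered(mac)
            and mac not in (b"\x00" * 6, b"\xff" * 6))

if __name__ == "__main__":
    new = random_local_mac()
    print(format_mac(new, "registry"), format_mac(new, "windows"), format_mac(new, "unix"))
```

Note that the vendor-assigned address from the method 1 screenshot (000A959D6816) fails acceptable_override: its first octet is 0x00, so the U/L bit is clear. A cloned address from a legitimate host (the MAC duplicating attack above) will usually fail it too, which is one reason the registry method, which bypasses the driver's own validation on some adapters, is listed as a fallback.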
IRDP Spoofing

• ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on their subnet by listening to router advertisement and solicitation messages on their network.
• The attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses.
• This attack allows the attacker to sniff the traffic and collect valuable information from the packets.
• Attackers can use IRDP spoofing to launch man-in-the-middle, denial-of-service, and passive sniffing attacks.
• Only hosts that process router advertisements at all are affected; IRDP is disabled by default on most current operating systems, so check the target's configuration before relying on it.

Figure: IRDP spoofing (the user's routing table is changed so that traffic to the Internet goes through the attacker's machine instead of the legitimate router).
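An added example, not from the CEH material, of the RFC 1256 router advertisement that the attack sends, including the ICMP checksum, and of the host-side selection rule that lets a forged advertisement with a high preference value displace the legitimate router. The addresses (router 10.0.0.254, attacker 10.0.0.5) are borrowed from the intranet DNS spoofing figure later on this page and used as constructed sample data.

```python
"""RFC 1256 ICMP Router Advertisement (type 9) builder/parser and the host's
router-selection rule. Added example for this page, not from the CEH slides.
Constructed sample data: legitimate router 10.0.0.254, attacker 10.0.0.5."""
import ipaddress
import struct

ICMP_ROUTER_ADVERT = 9
ADDR_ENTRY_SIZE = 2            # each entry is two 32-bit words: address, preference
NOT_A_DEFAULT = -0x80000000    # RFC 1256: 0x80000000 means "do not use as default router"

def icmp_checksum(data: bytes) -> int:
    """One's complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_router_advertisement(routers, lifetime: int = 1800) -> bytes:
    """routers: iterable of (ip, preference); preference is a signed 32-bit
    integer, higher is preferred. Returns the ICMP message without IP header."""
    routers = list(routers)
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(routers), ADDR_ENTRY_SIZE, lifetime)
    for ip, pref in routers:
        msg += ipaddress.IPv4Address(ip).packed + struct.pack("!i", pref)
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_router_advertisement(msg: bytes) -> dict:
    itype, code, _, count, size, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if itype != ICMP_ROUTER_ADVERT or code != 0 or size != ADDR_ENTRY_SIZE:
        raise ValueError("not a router advertisement")
    if icmp_checksum(msg) != 0:          # a correct message sums to zero with its checksum
        raise ValueError("bad checksum")
    if len(msg) != 8 + 8 * count:
        raise ValueError("truncated")
    routers = []
    for i in range(count):
        off = 8 + 8 * i
        ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
        pref, = struct.unpack("!i", msg[off + 4:off + 8])
        routers.append((ip, pref))
    return {"lifetime": lifetime, "routers": routers}

class Host:
    """Minimal RFC 1256 host: remembers every advertised router with its
    preference and uses the most preferred one as the default gateway."""
    def __init__(self):
        self.routers = {}

    def on_advertisement(self, msg: bytes):
        for ip, pref in parse_router_advertisement(msg)["routers"]:
            if pref == NOT_A_DEFAULT:
                self.routers.pop(ip, None)
            else:
                self.routers[ip] = pref
        return self.default_router()

    def default_router(self):
        if not self.routers:
            return None
        return max(self.routers.items(), key=lambda item: item[1])[0]

def spoofing_scenario() -> list:
    """The slide's attack: the default router after each advertisement."""
    host = Host()
    seen = [host.on_advertisement(build_router_advertisement([("10.0.0.254", 0)]))]
    # attacker advertises itself with the highest possible preference
    seen.append(host.on_advertisement(build_router_advertisement([("10.0.0.5", 0x7FFFFFFF)])))
    return seen

if __name__ == "__main__":
    print(spoofing_scenario())
```

The host has no way to tell the two advertisements apart: both are well-formed and the checksum only protects against corruption, not forgery. Disabling router discovery on hosts, or filtering ICMP type 9 at the access layer, removes the attack surface.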
VLAN Hopping

• VLAN hopping is a technique used to target network resources present on a virtual LAN.
• It can be performed by using two primary methods: Switch Spoofing and Double Tagging.
• Attackers perform VLAN hopping attacks to steal sensitive information such as passwords, modify, corrupt or delete data, install malicious codes or programs, and spread viruses, Trojans, and worms throughout the network.

Switch Spoofing
• Attackers connect a rogue switch onto the network by tricking a legitimate switch and thereby creating a trunk link between them.
• After establishing a trunk link, the traffic from multiple VLANs can be sent to and through the rogue switch, therefore allowing an attacker to sniff and view the packet content.
• This attack is successful only when the legitimate switch is configured to negotiate a trunk connection, or when the interface is configured with "dynamic auto," "dynamic desirable," or "trunk" mode.
• The "rogue switch" need not be hardware: any host that speaks the Dynamic Trunking Protocol (DTP) on a port that still negotiates can bring up the trunk itself, which is why the defence later in this module is to disable negotiation on every port.

Figure 8.43: Illustration of switch spoofing (the attacker's rogue switch forms an unauthorized trunk with the legitimate switch, which carries the legitimate trunk to VLAN 10 (Server1) and VLAN 20 (Server2)).
Double Tagging
• Attackers add and modify tags in the Ethernet frame, thereby allowing the flow of traffic through any VLAN in the network.
• The Ethernet frame that is sent by the attacker contains two 802.1Q tags, inner and outer:
  - the inner tag is the VLAN tag of a target switch that the attacker wants to reach;
  - the outer tag is the native VLAN of the attacker.
• When the switch receives the Ethernet frame, it strips off the outer tag, as it is the same as the tag for the native VLAN, and forwards the frame with an inner tag on all its trunk interfaces.
• This allows an attacker to bypass the VLAN segmentation by jumping from their native VLAN to the victim's VLAN(s), and also allows them to send traffic to other VLANs.
• This attack is possible only if the switch ports are configured to use native VLANs.
• The attack is one-way: the victim's replies are switched within its own VLAN and never reach the attacker, so double tagging is used to inject traffic (a UDP flood or a spoofed packet, for example) rather than to sniff it.

Figure 8.44: Illustration of double tagging (the attacker in VLAN 1 sends a frame with outer tag VLAN 1 and inner tag VLAN 20 to Switch 1; Switch 1 strips the outer tag and forwards the frame over the trunk to Switch 2, which delivers it to Server2 in VLAN 20; Server1 is in a different VLAN).
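An added example, not from the CEH material, that builds the double-tagged frame described above with the Python standard library and then models the two switch decisions the slide describes (the first switch strips an outer tag equal to its native VLAN before putting the frame on the trunk; the second switch delivers a tagged frame to the VLAN in its outermost tag). Running the same frame through a trunk whose native VLAN has been moved to an unused ID, or which tags its native VLAN, shows why those two defences work. MAC addresses and payload are constructed; the switch model is the slide's description, not a full 802.1Q implementation.

```python
"""802.1Q double tagging: frame construction and the switch behaviour it abuses.
Added example for this page (not the slides' own code)."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def dot1q_tag(vlan: int, pcp: int = 0, dei: int = 0) -> bytes:
    """TPID 0x8100 followed by the TCI: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (dei << 12) | vlan)

def build_frame(dst: str, src: str, payload: bytes, *vlans: int) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(dot1q_tag(v) for v in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ETH_P_IP) + payload

def parse_tags(frame: bytes):
    """Return (VLAN IDs outermost first, offset of the payload EtherType)."""
    tags, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tci, = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append(tci & 0x0FFF)
        off += 4
    return tags, off

def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]

def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Switch 1 putting the frame onto an 802.1Q trunk. The native VLAN travels
    untagged, so a frame whose outer tag equals the native VLAN loses that tag
    and the inner tag becomes the outer one: the double-tagging step. With
    `vlan dot1q tag native` (tag_native=True) nothing is stripped."""
    tags, _ = parse_tags(frame)
    if not tag_native and tags and tags[0] == native_vlan:
        return strip_outer_tag(frame)
    return frame

def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Switch 2 receiving from the trunk: tagged frames go to the tagged VLAN,
    untagged frames to the native VLAN."""
    tags, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan

def delivered_vlan(frame: bytes, native_vlan: int, tag_native: bool = False) -> int:
    """VLAN in which Switch 2 delivers a frame the attacker handed to Switch 1."""
    return trunk_ingress_vlan(trunk_egress(frame, native_vlan, tag_native), native_vlan)

# Constructed attack frame: outer tag = attacker's native VLAN 1, inner tag = target VLAN 20.
ATTACK_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"spoofed payload", 1, 20)

if __name__ == "__main__":
    print("native VLAN 1:              delivered in VLAN", delivered_vlan(ATTACK_FRAME, 1))
    print("native VLAN 999:            delivered in VLAN", delivered_vlan(ATTACK_FRAME, 999))
    print("native VLAN 1, tagged:      delivered in VLAN", delivered_vlan(ATTACK_FRAME, 1, tag_native=True))
```

With the default native VLAN the frame lands in VLAN 20; with the native VLAN moved to an unused ID, or tagged explicitly, the outer tag survives and Switch 2 keeps the frame in VLAN 1, where the attacker already is.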
Spanning Tree Protocol (STP) Attack

• STP is used in LAN-switched networks with the primary function of removing potential loops within the network.
• STP ensures that the traffic inside the network follows an optimized path to enhance network performance. In this process, a switch inside the network is appointed as the root bridge.
• After the selection of the root bridge, other switches in the network connect to it by selecting a root port.
• Attackers connect a rogue switch into the network to change the operations of the STP protocol and sniff all the network traffic.
• Attackers configure the rogue switch such that its priority is less than that of any other switch in the network, which makes it the root bridge, thus allowing the attackers to sniff all the traffic flowing in the network.
• The root bridge is elected on the lowest bridge ID, which is the 2-byte priority followed by the switch's MAC address. With the default priority of 32768 in use everywhere, a rogue switch announcing priority 0 in its BPDUs wins the election immediately and the inter-switch paths are recalculated through it. On Cisco per-VLAN STP the advertised priority also carries the VLAN number, which is why the figure shows values such as 32769 (32768 + VLAN 1).

Figure: STP attack (Switch 1 and Switch 2 run with default-range priorities; the rogue switch with priority 0 becomes the root bridge, so the traffic between the server and the user now flows through the rogue switch and the attacker sniffs all the network traffic).
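An added example, not part of the CEH slides or of any vendor's code, that encodes and decodes the 802.1D Configuration BPDU, runs the root election the slide describes, and applies the root guard check (one of the STP defences later in this module) that blocks a port on which a better root is suddenly advertised. Bridge priorities follow the figure (32769 for the legitimate switches, 0 for the rogue); the MAC addresses are constructed.

```python
"""802.1D Configuration BPDU and root-bridge election.
Added example for this page, not code from the slides or any vendor.
Constructed data: two legitimate switches with Cisco-style priority 32769
(32768 + VLAN 1) and a rogue switch advertising priority 0."""
import struct

BPDU_LEN = 35

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge identifier: 2-byte priority then the 6-byte bridge MAC.
    Comparing the raw bytes compares priority first, then MAC, exactly as STP does."""
    return struct.pack("!H", priority) + mac_bytes(mac)

def build_config_bpdu(root, root_path_cost: int, sender, port_id: int = 0x8001) -> bytes:
    """root and sender are (priority, mac) tuples. Timer fields are in 1/256 s."""
    header = struct.pack("!HBBB", 0x0000, 0, 0x00, 0x00)   # protocol id, version, type=config, flags
    body = bridge_id(*root) + struct.pack("!I", root_path_cost) + bridge_id(*sender)
    timers = struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)  # msg age, max age, hello, fwd delay
    return header + body + timers

def parse_config_bpdu(pdu: bytes) -> dict:
    if len(pdu) != BPDU_LEN or pdu[:4] != b"\x00\x00\x00\x00":
        raise ValueError("not a configuration BPDU")
    cost, = struct.unpack("!I", pdu[13:17])
    port_id, age, max_age, hello, fwd = struct.unpack("!HHHHH", pdu[25:35])
    return {"root_id": pdu[5:13], "cost": cost, "bridge_id": pdu[17:25], "port_id": port_id,
            "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd / 256}

def elect_root(bpdus) -> bytes:
    """Every switch initially claims to be root; the lowest root_id wins."""
    return min(parse_config_bpdu(p)["root_id"] for p in bpdus)

def root_guard(current_root_id: bytes, received: bytes) -> str:
    """Root guard on a designated port: a BPDU announcing a better (lower) root
    than the one we know puts the port into root-inconsistent state instead of
    letting the topology change."""
    claimed = parse_config_bpdu(received)["root_id"]
    return "root-inconsistent" if claimed < current_root_id else "forwarding"

SWITCH1 = (32769, "00:11:22:33:44:01")
SWITCH2 = (32769, "00:11:22:33:44:02")
ROGUE = (0, "02:de:ad:be:ef:00")

def election_demo() -> dict:
    legit = [build_config_bpdu(s, 0, s) for s in (SWITCH1, SWITCH2)]
    rogue = build_config_bpdu(ROGUE, 0, ROGUE)
    before = elect_root(legit)
    after = elect_root(legit + [rogue])
    return {"before": before, "after": after, "guard": root_guard(before, rogue)}

if __name__ == "__main__":
    for key, value in election_demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Without root guard the rogue's BPDU wins on priority alone, whatever its MAC address; with it, the port that received the BPDU is blocked until the superior BPDUs stop, and the existing root keeps its role.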
How to Defend Against MAC Spoofing

Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard.

    sh ip dhcp snooping binding
    MacAddress   IpAddress   Lease(sec)   Type   VLAN   Interface
    <MAC A>      ...         185235       dhcp   ...    FastEthernet3/18

Figure 8.46: Defending against MAC spoofing (DHCP Snooping, Dynamic ARP Inspection and IP Source Guard are enabled on the switch; the binding table entry above belongs to the host with MAC A on FastEthernet3/18. The host with MAC B (10.10.10.2) sends traffic with source IP 10.10.10.5, which is bound to MAC C; the switch checks the MAC and IP fields to see if the traffic from the interface is in the binding table, finds that the IP and MAC entry does not match, and discards the packet. Traffic sent by MAC C with its own IP 10.10.10.5 is forwarded.)
You can also implement the following techniques to defend against MAC address spoofing attacks:

• DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information to correspond with untrusted interfaces of a switch. It acts as a firewall between untrusted hosts and DHCP servers.
• Dynamic ARP Inspection: The system checks the IP-MAC address binding for each ARP packet in a network. While performing a DAI, the system will automatically drop invalid IP-MAC address bindings.
• IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
• Encryption: Encrypt and authenticate the link between the access point (or switch) and the computer, for example WPA2/WPA3 on wireless or 802.1X with MACsec on wired ports, so that a cloned MAC address alone neither grants access nor exposes the user's traffic.
• Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
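The binding-table check that Dynamic ARP Inspection (Figure 8.36, earlier in this module) and IP Source Guard (Figure 8.46) both perform, as an added example in Python that is not part of the CEH material or of any switch firmware. It assumes a constructed binding table in the shape of sh ip dhcp snooping binding (MAC, IP, VLAN, interface) and reproduces the two figures' cases: a forged ARP reply, and IP traffic carrying another host's address, both from an untrusted port.

```python
"""Dynamic ARP Inspection and IP Source Guard as one binding-table check.
Added example for this page (not vendor code). Binding table and MACs are
constructed; interface names follow the slides' sh ip dhcp snooping binding."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

BINDINGS = [                      # what DHCP snooping learnt from the DHCP exchanges
    Binding("aa:bb:cc:00:00:0a", "10.10.10.1", 10, "FastEthernet3/18"),  # MAC A
    Binding("aa:bb:cc:00:00:0b", "10.10.10.2", 10, "FastEthernet3/19"),  # MAC B
    Binding("aa:bb:cc:00:00:0c", "10.10.10.5", 10, "FastEthernet3/20"),  # MAC C
]
TRUSTED = frozenset({"GigabitEthernet0/1"})   # uplink towards the DHCP server / other switches

def bound(bindings, interface, vlan, ip, mac) -> bool:
    """Core rule shared by DAI and IP Source Guard: on an untrusted port the
    (IP, MAC) pair must have been learnt on exactly that port and VLAN."""
    if interface in TRUSTED:
        return True
    return any(b.ip == ip and b.mac.lower() == mac.lower()
               and b.interface == interface and b.vlan == vlan
               for b in bindings)

def dai(bindings, interface, vlan, arp_sender_ip, arp_sender_mac) -> str:
    """Dynamic ARP Inspection inspects the ARP *sender* fields (the ones that
    poison caches), not the Ethernet source address."""
    return "forward" if bound(bindings, interface, vlan, arp_sender_ip, arp_sender_mac) else "drop"

def ip_source_guard(bindings, interface, vlan, ip_src, eth_src) -> str:
    """IP Source Guard inspects the IP header source and the frame source MAC."""
    return "forward" if bound(bindings, interface, vlan, ip_src, eth_src) else "drop"

def figure_cases() -> dict:
    """The two slides' scenarios plus their legitimate counterparts."""
    mac_b, mac_c = "aa:bb:cc:00:00:0b", "aa:bb:cc:00:00:0c"
    return {
        # Figure 8.36: the host on MAC B's port claims that 10.10.10.1 is MAC C
        "arp_poison": dai(BINDINGS, "FastEthernet3/19", 10, "10.10.10.1", mac_c),
        "arp_legit":  dai(BINDINGS, "FastEthernet3/19", 10, "10.10.10.2", mac_b),
        # Figure 8.46: MAC B sends IP traffic with MAC C's address 10.10.10.5
        "ip_spoof":   ip_source_guard(BINDINGS, "FastEthernet3/19", 10, "10.10.10.5", mac_b),
        "ip_legit":   ip_source_guard(BINDINGS, "FastEthernet3/20", 10, "10.10.10.5", mac_c),
        # ARP arriving over the trusted uplink is never inspected
        "uplink":     dai(BINDINGS, "GigabitEthernet0/1", 10, "10.10.10.200", "aa:bb:cc:00:00:ff"),
    }

if __name__ == "__main__":
    for case, verdict in figure_cases().items():
        print(f"{case:12s} {verdict}")
```

The same lookup also shows the operational cost of these features: a host with a static address has no DHCP lease, so it has no binding, and every ARP or IP packet it sends on an untrusted port is dropped until a static binding (or, for DAI, an ARP access list) is configured for it.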
How to Defend Against VLAN Hopping

Defend against Switch Spoofing
• Explicitly configure the ports as access ports and ensure that all access ports are configured not to negotiate trunks:
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport nonegotiate
• Ensure that all trunk ports are configured not to negotiate trunks:
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport nonegotiate

Defend against Double Tagging
• Ensure that each access port is assigned a VLAN other than the default VLAN (VLAN 1):
    Switch(config-if)# switchport access vlan <vlan-id>
• Ensure that the native VLANs on all trunk ports are changed to an unused VLAN ID:
    Switch(config-if)# switchport trunk native vlan 999
• Ensure that the native VLANs on all trunk ports are explicitly tagged:
    Switch(config)# vlan dot1q tag native

Both halves matter: switchport nonegotiate only stops DTP on a port that already has an explicit mode, and an unused native VLAN only helps if no access port is ever placed in it.
How to Defend Against STP Attacks

To prevent an STP attack, the following security features must be implemented:

BPDU Guard (Bridge Protocol Data Unit)
To enable the BPDU guard on all PortFast edge ports:
    configure terminal
    interface gigabitethernet slot/port
    spanning-tree portfast bpduguard
(On Cisco IOS the interface-level form is spanning-tree bpduguard enable, and spanning-tree portfast bpduguard default in global configuration enables it on every PortFast port at once.)

Loop Guard
To enable the loop guard on an interface:
    configure terminal
    interface gigabitethernet slot/port
    spanning-tree guard loop

Root Guard
To enable the root guard feature on an interface:
    configure terminal
    interface gigabitethernet slot/port
    spanning-tree guard root

UDLD (Unidirectional Link Detection)
To enable UDLD on an interface:
    configure terminal
    interface gigabitethernet slot/port
    udld {enable | disable | aggressive}

Place BPDU guard on user-facing PortFast ports, where no switch should ever appear, and root guard on the ports towards switches that must never become root; the first shuts the port on any BPDU, the second only on a BPDU that claims a better root than the current one.
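An added example, not from the CEH slides, that audits a switch configuration against the VLAN hopping and STP defences listed above: every switchport must be an explicit access or trunk port with DTP disabled, access ports must not sit in VLAN 1, trunks must use a non-default native VLAN, native VLAN traffic must be tagged, and PortFast ports must carry BPDU guard. The running-config text is constructed for the example and uses Cisco IOS syntax.

```python
"""Audit an IOS-style switch config for the VLAN hopping and STP defences.
Added example for this page (not vendor or CEH code). SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
!
"""

def parse_config(text: str):
    """Split into global lines and {interface: [lines]} (interface lines are indented)."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line:
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            global_lines.append(line)
    return global_lines, interfaces

def _number_after(lines, prefix):
    for line in lines:
        if line.startswith(prefix):
            match = re.match(re.escape(prefix) + r"(\d+)$", line)
            return match.group(1) if match else None
    return None

def audit(text: str) -> list:
    """Return (where, finding) tuples; an empty list means every defence on
    the two slides above is present."""
    global_lines, interfaces = parse_config(text)
    findings = []
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    if "vlan dot1q tag native" not in global_lines:
        findings.append(("global", "native VLAN not tagged (add: vlan dot1q tag native)"))
    for name, lines in interfaces.items():
        if not any(l.startswith("switchport") for l in lines):
            continue                         # routed or otherwise non-switchport interface
        mode = next((l.split(None, 2)[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, f"DTP negotiation possible (mode {mode or 'default'}): switch spoofing"))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still sends on this port (add: switchport nonegotiate)"))
        if mode == "access" and _number_after(lines, "switchport access vlan ") in (None, "1"):
            findings.append((name, "access port in default VLAN 1"))
        if mode == "trunk" and _number_after(lines, "switchport trunk native vlan ") in (None, "1"):
            findings.append((name, "trunk native VLAN is 1: double tagging"))
        if ("spanning-tree portfast" in lines and not global_bpduguard
                and "spanning-tree bpduguard enable" not in lines):
            findings.append((name, "PortFast without BPDU guard"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where:22s} {finding}")
```

On the sample, GigabitEthernet0/3 is the only clean port; the trunk on 0/1 and the dynamic port on 0/2 reproduce the two VLAN hopping preconditions from the slides, and 0/4 shows a PortFast port on which a rogue switch's BPDUs would be accepted.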
DNS Poisoning Techniques

• DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when it has not received any.
• It results in the substitution of a false IP address at the DNS level, where the web addresses are converted into numeric IP addresses.
• It allows the attacker to replace the IP address entries for a target site on a given DNS server with the IP address of a server they control.
• The attacker can create fake DNS entries for the server (containing malicious content) with names similar to that of the target server.

The techniques covered on the following slides are:
• Intranet DNS Spoofing (local network)
• Internet DNS Spoofing (remote network)
• Proxy Server DNS Poisoning
• DNS Cache Poisoning

Figure: DNS poisoning (the attacker uses DNS attack scripts against the DNS server that the victims rely on).
Intranet DNS Spoofing

• In this technique, the attacker's system must be connected to the local area network (LAN) and be able to sniff packets.
• It works well against switches with ARP Poison Routing: the attacker first interposes on the LAN with ARP poisoning, then answers the DNS queries it now sees before the real DNS server can.

Figure 8.47: Intranet DNS spoofing (John at 10.0.0.3 asks "What is the IP address of www.xsecurity.com?"; the router is 10.0.0.254 and the real website www.xsecurity.com is at 200.0.0.45. The attacker at 10.0.0.5 poisons the router and redirects DNS requests to their machine by running arpspoof/dnsspoof, answers the DNS request with "www.xsecurity.com is located at 10.0.0.5", and has set up a fake www.xsecurity.com site at 10.0.0.5. John's browser connects to 10.0.0.5; the attacker sniffs the credentials and redirects the request to the real website.)
Internet DNS Spoofing

• In Internet DNS Spoofing, the attacker infects John's machine with a Trojan and changes his DNS IP address to that of the attacker's.

Figure 8.48: Internet DNS spoofing (the attacker infects John's computer (IP 10.0.0.5) by changing his DNS IP address to 200.0.0.2. John's browser asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to the attacker's DNS server in Russia at 200.0.0.2, which responds "www.xsecurity.com is located at 65.0.0.2". John's browser connects to the fake website at 65.0.0.2; the attacker sniffs the credentials and redirects the request to the real website www.xsecurity.com at 200.0.0.45.)
Proxy Server DNS Poisoning

• The attacker sends a Trojan to John's machine that changes his proxy server settings in Internet Explorer to that of the attacker's and redirects to the fake website.
• Strictly, no DNS record is altered here: with a proxy configured, the browser hands the hostname to the proxy, which performs the name resolution itself, so the attacker controls the name-to-address mapping without touching any DNS server.

Figure 8.49: Proxy server DNS poisoning (Windows "Manual proxy setup" dialog: "Use a proxy server for Ethernet or Wi-Fi connections. These settings don't apply to VPN connections", address 200.0.0.2, port 8080. The attacker infects John's computer (IP 10.0.0.5) by changing his IE proxy address to 200.0.0.2, so all of John's web requests go through the attacker's machine. The attacker runs a proxy server in Russia at 200.0.0.2 and sends John's request to the fake website at 65.0.0.2; the fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com at 200.0.0.45.)
DNS Cache Poisoning

• DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site.
• If the DNS resolver cannot validate that the DNS responses have been received from an authoritative source, it will cache the incorrect entries locally, and serve them to users who make a similar request.
• A resolver that accepts any response matching the transaction ID of an outstanding query can be poisoned by an attacker who races the authoritative server with guessed responses; the defences listed later in this module (random source ports, DNSSEC validation) exist to make that race fail.

Figure 8.50: DNS cache poisoning (the user asks "What is the IP address of www.xsecurity.com?"; the internal DNS server queries for DNS info, and the attacker's rogue DNS sends a DNS response with the IP of a fake website before the authoritative DNS server for xsecurity.com does. The DNS cache at the user is updated with the IP of the fake website and the user is redirected to the fake website, which sniffs the credentials and redirects the request to the real website.)
DNS Poisoning Tools

DerpNSpoof is a DNS poisoning tool that assists in spoofing the DNS query packets of a certain IP address or of a group of hosts in the network.
https://github.com

(Screenshot: DerpNSpoof run from the command line, listing its options (spoof the DNS query packets of a certain IP address, or of all hosts) and a session in which spoofed responses are sent to 192.168.1.174, redirecting exampledomain1.com.)

Other DNS poisoning tools:

DNS-poison
https://github.com

Ettercap
https://www.ettercap-project.org

Evilgrade
https://github.com

TORNADO
https://github.com
How to Defend Against DNS Spoofing

Implement a Domain Name System Security Extension (DNSSEC)

Use a Secure Socket Layer (SSL) for securing the traffic

Resolve all DNS queries to a local DNS server

Block DNS requests being sent to external servers

Configure a firewall to restrict external DNS lookups

Implement an intrusion detection system (IDS) and deploy it correctly

Configure the DNS resolver to use a new random source port for each outgoing query

Restrict the DNS recursing service, either fully or partially, to authorized users

Use DNS Non-Existent Domain (NXDOMAIN) Rate Limiting

Secure your internal machines

Use a static ARP and IP table

Use Secure Shell (SSH) encryption

Do not allow outgoing traffic to use UDP port 53 as a default source port

Audit the DNS server regularly to remove vulnerabilities
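The validation step the cache-poisoning slide says a resolver must perform before caching, together with the random-source-port and "not UDP 53" countermeasures above, as an added Python model that is not part of the CEH module; the message fields, the server address 198.51.100.10, the zone names and the bailiwick rule are constructed for illustration.

```python
# Added example (not from the CEH module): the checks a resolver makes before
# caching an answer, so a forged reply from a rogue DNS is not accepted.
import secrets
from dataclasses import dataclass, field

@dataclass
class Query:
    txid: int        # 16-bit transaction ID, random for every query
    sport: int       # random UDP source port, never the default 53
    qname: str
    server_ip: str   # the upstream/authoritative server that was asked
    zone: str        # zone that server is authoritative for (its bailiwick)

@dataclass
class Response:
    txid: int
    dport: int       # port the reply was addressed to
    src_ip: str      # address the reply claims to come from
    qname: str
    answers: dict = field(default_factory=dict)   # {name: ip}

def send_query(qname, server_ip, zone):
    """Build an outgoing query with a fresh random TXID and source port."""
    sport = 1024 + secrets.randbelow(65536 - 1024)
    return Query(secrets.randbelow(65536), sport, qname, server_ip, zone)

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def validate(q, r):
    """Return the reasons a reply must NOT be cached; an empty list means accept."""
    problems = []
    if r.txid != q.txid:
        problems.append("transaction ID does not match an outstanding query")
    if r.dport != q.sport:
        problems.append("reply not addressed to the query's source port")
    if r.src_ip != q.server_ip:
        problems.append("reply did not come from the server that was asked")
    if r.qname.lower() != q.qname.lower():
        problems.append("question section differs from the query")
    for name in r.answers:
        if not in_bailiwick(name, q.zone):   # e.g. an extra record for another domain
            problems.append(f"out-of-bailiwick record for {name}")
    return problems

def cache_if_valid(cache, q, r):
    """Update the resolver cache only when every check passes."""
    problems = validate(q, r)
    if not problems:
        cache.update(r.answers)
    return problems
```

A reply that guesses the transaction ID but assumes the query left from port 53 fails the port check, which is why the random source port matters as much as the random ID.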
Module Flow

1 Sniffing Concepts
2 Sniffing Techniques
3 Sniffing Tools
4 Countermeasures
5 Sniffing Detection Techniques

Sniffing Tool: Wireshark

Wireshark lets you capture and interactively browse the traffic running on a computer network.

Wireshark uses WinPcap to capture packets on its own supported networks.

It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks.

A set of filters for customized data displays can be used.

(Screenshot: the Wireshark capture window listing ICMPv6 Neighbor Solicitation, ARP and SSDP M-SEARCH packets, with the packet details and packet bytes panes below the packet list.)

https://www.wireshark.org

Display Filters in Wireshark

Display filters are used to change the view of packets in the captured files.

Display Filtering by Protocol
    Type the protocol in the filter box: arp, http, tcp, udp, dns or ip

Monitoring the Specific Ports
    tcp.port == 23
    ip.addr == 192.168.1.100 (specific machine)
    ip.addr == 192.168.1.100 && tcp.port == 23

Filtering by Multiple IP Addresses
    ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5

Filtering by IP Address
    ip.addr == 10.0.0.4

Other Filters
    ip.dst == 10.0.1.50 && frame.pkt_len > 400
    ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
    ip.src == 205.153.63.30 or ip.dst == 205.153.63.30
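A small evaluator for the display-filter expressions in the table above, run over a constructed four-packet capture, as an added Python example that is not part of the CEH module or of Wireshark; the packet records, their addresses and the subset of fields supported (ip.src, ip.dst, ip.addr, tcp.port, frame.number, frame.pkt_len, bare protocol names) are assumptions for illustration.

```python
# Added example (not from the CEH module): a tiny evaluator for the display
# filters shown above. ip.addr and tcp.port are "combined" fields: they match
# if EITHER direction matches, which is why "ip.addr != x" rarely does what
# a newcomer expects (it keeps every packet whose other address is not x).
import operator, re

TOKEN = re.compile(r"&&|\|\||==|!=|>=|<=|>|<|[\w.]+")   # whitespace is skipped
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}

def parse(text):
    """Recursive descent: expr = term (or term)*, term = factor (and factor)*."""
    toks = TOKEN.findall(text)
    nxt = lambda: toks[0] if toks else None
    def expr():
        left = term()
        while nxt() in ("or", "||"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) or r(p))(left, term())
        return left
    def term():
        left = factor()
        while nxt() in ("and", "&&"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) and r(p))(left, factor())
        return left
    def factor():
        tok = toks.pop(0)
        if nxt() in OPS:                         # field <op> value
            op, raw = OPS[toks.pop(0)], toks.pop(0)
            value = int(raw) if raw.isdigit() else raw
            fields = ALIASES.get(tok, (tok,))
            # a combined field matches if ANY of its members passes the test
            return lambda p: any(f in p and op(p[f], value) for f in fields)
        return lambda p: tok in p["protocols"]   # bare protocol name, e.g. "icmp"
    pred = expr()
    if toks:
        raise ValueError("unexpected trailing tokens in filter")
    return pred

def packet(number, proto, src, dst, length, sport=None, dport=None):
    """Constructed packet record with a few of the fields Wireshark dissects."""
    p = {"frame.number": number, "frame.pkt_len": length, "ip.src": src,
         "ip.dst": dst, "protocols": {"ip", proto}}
    if sport is not None:
        p[proto + ".srcport"], p[proto + ".dstport"] = sport, dport
    return p

SAMPLE = [packet(1, "tcp", "10.0.0.4", "192.168.1.100", 74, 51000, 23),   # telnet
          packet(2, "tcp", "192.168.1.100", "10.0.0.4", 66, 23, 51000),
          packet(3, "icmp", "10.0.1.12", "10.0.0.5", 98),
          packet(4, "tcp", "205.153.63.30", "10.0.1.50", 512, 443, 40000)]

def apply_filter(text, packets=SAMPLE):
    pred = parse(text)   # frame numbers the display filter keeps visible
    return [p["frame.number"] for p in packets if pred(p)]
```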

Sniffing Tools

SteelCentral Packet Analyzer
SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis.
https://www.riverbed.com

Capsa Network Analyzer
Capsa Network Analyzer captures all data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphical way.
https://www.colasoft.com

(Screenshots: the SteelCentral Packet Analyzer and Capsa Network Analyzer consoles.)
Sniffing Tools (Cont'd)

OmniPeek
The OmniPeek sniffer displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets.
https://www.liveaction.com

(Screenshot: the OmniPeek capture window with the packet list and the map of public IP addresses.)

Observer Analyzer
https://www.viavisolutions.com

PRTG Network Monitor
https://www.paessler.com

SolarWinds Deep Packet Inspection and Analysis
https://www.solarwinds.com

Xplico
https://www.xplico.org

Colasoft Packet Builder
https://www.colasoft.com

Packet Sniffing Tools for Mobile Phones

Sniffer Wicap
https://play.google.com

FaceNiff
http://faceniff.ponury.net

Packet Capture
https://play.google.com

(Screenshots: the Sniffer Wicap capture screen, the FaceNiff session list, and the Packet Capture application list.)

How to Defend Against Sniffing

01 Restrict physical access to the network media to ensure that a packet sniffer cannot be installed

02 Use end-to-end encryption to protect confidential information

03 Permanently add the MAC address of the gateway to the ARP cache

04 Use static IP addresses and ARP tables to prevent attackers from adding spoofed ARP entries for machines in the network

05 Turn off network identification broadcasts, and if possible, restrict the network to authorized users to protect the network from being discovered with sniffing tools

06 Use IPv6 instead of IPv4 protocol

07 Use encrypted sessions, such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP, and SSL for email connections, to protect wireless network users against sniffing attacks
How to Defend Against Sniffing (Cont'd)

08 Use HTTPS instead of HTTP to protect usernames and passwords

09 Use a switch instead of a hub as a switch delivers data to the intended recipient only

10 Use Secure File Transfer Protocol (SFTP) instead of FTP for the secure transfer of files

11 Use PGP and S/MIME, VPN, IPSec, SSL/TLS, Secure Shell (SSH) and One-time passwords (OTPs)

12 Always encrypt wireless traffic with a strong encryption protocol such as WPA and WPA2

13 Retrieve the MAC directly from the NIC instead of the OS; this prevents MAC address spoofing

14 Use tools to determine if any NICs are running in the promiscuous mode

15 Use the concept of Access Control List (ACL) to allow access to only a fixed range of trusted IP addresses in a network

How to Detect Sniffing

Check the Devices Running in Promiscuous Mode
You need to check which machines are running in the promiscuous mode. Promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.

Run IDS
Run IDS and see if the MAC address of any of the machines has changed (Example: router's MAC address). IDS can alert the administrator about suspicious activities.

Run Network Tools
Run network tools such as Capsa Portable Network Analyzer to monitor the network for detecting strange packets. This enables you to collect, consolidate, centralize and analyze traffic data across different network resources and technologies.
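The "has the MAC address of a machine changed?" check that the IDS bullet above describes, as an added Python example that is not part of the CEH module; the ARP reply log lines, addresses and MACs are constructed, and the log format (timestamp, "arp reply", IP, "is-at", MAC) is an assumption rather than any particular tool's output.

```python
# Added example (not from the CEH module): an arpwatch-style check an IDS can
# run over observed ARP replies to spot a gateway whose MAC suddenly changes.
import re

# constructed ARP reply log: timestamp, sender IP, sender MAC
ARP_LOG = """\
2024-05-01T10:00:01 arp reply 10.10.10.1 is-at 00:50:56:aa:bb:01
2024-05-01T10:00:05 arp reply 10.10.10.19 is-at 00:50:56:aa:bb:19
2024-05-01T10:01:10 arp reply 10.10.10.1 is-at 00:50:56:aa:bb:01
2024-05-01T10:02:30 arp reply 10.10.10.1 is-at 00:0c:29:de:ad:42
2024-05-01T10:02:31 arp reply 10.10.10.19 is-at 00:0c:29:de:ad:42
"""
LINE = re.compile(r"^(\S+) arp reply (\S+) is-at ([0-9a-f:]{17})$", re.I)

def watch(log, trusted=None):
    """Return alerts as (timestamp, kind, ip, detail) tuples.

    trusted: optional static IP -> MAC table (e.g. the gateway, see the static
    ARP countermeasure); a reply contradicting it is reported on first sight.
    """
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims = {}          # mac -> set of IPs this MAC has answered for
    alerts = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if ip not in seen:
            seen[ip] = mac                        # first sighting: learn it
        elif seen[ip] != mac:
            alerts.append((ts, "mac-changed", ip, f"{seen[ip]} -> {mac}"))
        claims.setdefault(mac, set()).add(ip)
        if len(claims[mac]) > 1:                  # one NIC answering for several hosts
            alerts.append((ts, "mac-claims-multiple-ips", ip, ",".join(sorted(claims[mac]))))
    return alerts
```

The second alert kind is the signature of a man-in-the-middle on the LAN: the same MAC answering for both the gateway and a host.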
Sniffer Detection Techniques: Ping Method and DNS Method

Ping Method

(Figure: the admin (10.0.0.4) sends a ping message to the suspect machine (10.0.0.1) with the correct IP address but an incorrect MAC address (AA:BB:CC:DD:EE:FF); the suspect machine, running a sniffer in promiscuous mode, sends a response.)

Figure 8.61: Promiscuous mode

(Figure: the same ping message is sent to a suspect machine that is not in promiscuous mode; no response is received.)

Figure 8.62: Non-promiscuous mode

Sends a ping request to the suspect machine with its IP address and an incorrect MAC address. The Ethernet adapter rejects it, as the MAC address does not match, whereas the suspect machine running the sniffer responds to it as it does not reject packets with a different MAC address.

DNS Method

Most of the sniffers perform reverse DNS lookups to identify the machine from the IP address.

(Figure: the admin sends ping requests to 192.168.0.1, 192.168.0.2 and 192.168.0.3; the suspect hosts are shown with their IP IDs (192.168.168.1, 192.168.168.2, 192.168.168.3) and MAC addresses; the host running a sniffer sends a reverse DNS lookup to the DNS server (194.54.67.10) for the address it observed.)

Figure 8.63: Sniffing detection using the DNS method

A machine generating reverse DNS lookup traffic is very likely to be running a sniffer.

Sniffer Detection Techniques: ARP Method

Only the machine in the promiscuous mode (machine C) caches the ARP information (IP and MAC address mapping).

A machine in the promiscuous mode responds to the ping message as it has the correct information about the host sending the ping requests in its cache; the rest of the machines will send an ARP probe to identify the source of the ping request.

(Figure: non-broadcast ARP requests are sent to the hosts with IP IDs 192.168.168.1, 192.168.168.2 and 192.168.168.3; the probing machine is shown with IP ID 194.54.67.10; the host in promiscuous mode returns a Ping Reply, while the others answer with ARP Requests for the sender.)

Figure 8.64: Detecting sniffing via the ARP method
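The ping method (Figures 8.61 and 8.62) and the ARP method (Figure 8.64) carried through as a simulation of how a NIC's hardware filter behaves in each mode, as an added Python example that is not part of the CEH module; the hosts, the probing machine's addresses, the bogus MAC and the simplified IP-stack behaviour (a host must ARP for a sender it has not cached before it can reply) are assumptions for illustration.

```python
# Added example (not from the CEH module): simulation of the ping and ARP
# sniffer-detection methods. A normal NIC drops frames not addressed to it; a
# promiscuous NIC passes everything up, which is what both probes exploit.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Host:
    def __init__(self, ip, mac, promiscuous=False):
        self.ip, self.mac, self.promiscuous = ip, mac, promiscuous
        self.arp_cache = {}                     # ip -> mac learned from ARP

    def nic_accepts(self, dst_mac):
        """Hardware filter: a normal NIC only passes its own MAC and broadcast."""
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def receive(self, frame):
        """Return the frames the IP stack emits in reply (empty if the NIC dropped it)."""
        if not self.nic_accepts(frame["dst_mac"]):
            return []
        if frame["type"] == "arp-request" and frame["target_ip"] == self.ip:
            self.arp_cache[frame["src_ip"]] = frame["src_mac"]   # learn the sender
            return [{"type": "arp-reply", "src_ip": self.ip, "src_mac": self.mac,
                     "dst_mac": frame["src_mac"]}]
        if frame["type"] == "icmp-echo" and frame["dst_ip"] == self.ip:
            if frame["src_ip"] not in self.arp_cache:     # must resolve the sender first
                return [{"type": "arp-request", "src_ip": self.ip, "src_mac": self.mac,
                         "dst_mac": BROADCAST, "target_ip": frame["src_ip"]}]
            return [{"type": "icmp-echo-reply", "src_ip": self.ip, "src_mac": self.mac,
                     "dst_mac": self.arp_cache[frame["src_ip"]]}]
        return []

ADMIN_IP, ADMIN_MAC = "10.0.0.4", "00:11:22:33:44:55"    # constructed probing machine
BOGUS_MAC = "aa:bb:cc:dd:ee:ff"                           # deliberately wrong destination

def ping_method(host):
    """Echo request to the host's IP but a wrong MAC (Figures 8.61/8.62): any
    answer at all means the NIC passed up a frame that was not addressed to it."""
    echo = {"type": "icmp-echo", "src_ip": ADMIN_IP, "src_mac": ADMIN_MAC,
            "dst_mac": BOGUS_MAC, "dst_ip": host.ip}
    return len(host.receive(echo)) > 0

def arp_method(host):
    """Non-broadcast ARP request, then a broadcast ping (Figure 8.64): only a
    host that sniffed the ARP already knows the sender's MAC and replies at
    once; the others must send an ARP probe first."""
    host.receive({"type": "arp-request", "src_ip": ADMIN_IP, "src_mac": ADMIN_MAC,
                  "dst_mac": BOGUS_MAC, "target_ip": host.ip})
    answer = host.receive({"type": "icmp-echo", "src_ip": ADMIN_IP, "src_mac": ADMIN_MAC,
                           "dst_mac": BROADCAST, "dst_ip": host.ip})
    return "promiscuous" if answer and answer[0]["type"] == "icmp-echo-reply" else "normal"
```

Real stacks differ in which wrongly addressed frames they pass up, which is why the Nmap sniffer-detect script on the next slide tries several destination-MAC patterns and reports the pattern of answers as a bit string.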

Promiscuous Detection Tools

Nmap
Nmap's NSE script allows you to check if a system on a local Ethernet has its network card in the promiscuous mode.
Nmap command to detect a NIC in promiscuous mode:
nmap --script sniffer-detect <Target IP Address/Range of IP Addresses>
https://nmap.org

(Screenshot: Zenmap running "nmap --script sniffer-detect 10.10.10.19" against www.goodshopping.com (10.10.10.19); the host is up, a list of open TCP ports is shown, and the host script result reports "_sniffer-detect: Likely in promiscuous mode (tests: "11111111")".)

NetScanTools Pro
NetScanTools Pro includes a Promiscuous Mode Scanner tool to scan your subnet for network interfaces listening for all Ethernet packets in the promiscuous mode.

(Screenshot: the NetScanTools Pro Promiscuous Mode Scanner (demo version) scanning 10.10.10.10 to 10.10.10.19 and listing the discovered hosts with a "Maybe Promiscuous Mode" column.)
Module Summary

In this module, we have discussed the following:

Sniffing concepts along with protocols vulnerable to sniffing and various hardware protocol analyzers

Various sniffing techniques such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning, etc. along with their countermeasures

Various sniffing tools

Various countermeasures that are to be employed in order to prevent sniffing attacks

The module concluded with a detailed discussion on various sniffing detection techniques

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform social engineering to steal critical information related to the target organization.
