08.md

Module 8 - Sniffing

concepts

• sniffers operate at the second layer of the OSI model: data link
• network sniffing
  • types of ethernet
    • shared
    • switched
      • ARP spoofing - A machine can send an ARP reply even without asking for it
      • MAC flooding
• types of sniffing
  • passive sniffing (hub environment)
    • compromising physical security
    • using a trojan horse
    • Passive sniffing provides significant stealth advantages over active sniffing
  • active sniffing (switch environment)
    • MAC flooding - is a technique used to compromise the security of network switches that connect network segments or devices
    • DNS spoofing (or DNS cache poisoning) - corrupted DNS data is introduced into the DNS resolver's cache causing the name server to return an incorrect result record
      1. query of the DNS resolver,
      2. overload the DNS with poisoned responses that contain several IP addresses of the malicious website.
      3. poisoned response from the cache
    • ARP poisoning
    • DHCP attacks
    • Switch port stealing
    • Spoofing attack
• vulnerable (that send info in clear text)
  • telnet
  • rlogin
  • http
  • pop
  • imap
  • smtp
  • nntp
  • ftp
• hardware protocol analyzer
  • Voyager M4x Protocol Analyzer
  • N2X N5540A Agilent Protocol Analyzer
• span port
• wiretapping (or telephone tapping) - refers to the monitoring of telephone or Internet conversations by a third party with covert intentions
  • active (MITM)
  • passive (snooping or eavesdropping)
• lawful interception
• sniffing techniques
  • mac
    • 48 bits: 24 bits for OUI (Organization Unique Identifier), 24 bits for NIC specific
    • CAM table
    • sniffing
      • flooding (flooding the CAM table) - when the CAM table becomes full, the switch acts as a hub by broadcasting packets to all machines on the network. This gives an advantage to the attacker and can sniff all packets coming from the switch.
      • switch port stealing
      • spoofing (and defense technique using snooping table)
  • dhcp
    • starvation attack
    • rogue server attack
  • arp
    • spoofing attack
    • poisoning attack
  • IRDP (ICMP Router Discovery Protocol) spoofing
  • VLAN Hopping
    • switch spoofing - the attacker connects a rogue switch into the network by tricking a legitimate switch and thereby creating a trunk link between them
    • double tagging
  • STP (Spanning Tree Protocol) attack - spoofing of the root bridge in the topology (usually a switch)
    • After launching a successful STP manipulation attack, the next step should be creating a SPAN entry on the spoofed root bridge and redirecting the traffic to the cybercriminal’s computer.
  • DNS
    • poisoning
    • spoofing
    • difference between intranet and internet
    • cache poisoning
• How to defend agains MAC spoofing
  • DHCP snooping bind table - filters untrusted DHCP messages and helps to build and bind a DHCP binding table
  • Dynamic ARP inspection (DAI) - checks the IP–MAC address binding for each ARP packet in a network preventing a class of man-in-the-middle attacks (prevents DHCP database snooping)
  • IP Source guard - is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database
  • Encryption
  • Retrieval of MAC address
  • Implementation of IEEE 802.1X Suites - protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network
  • AAA (Authentication, Authorization and Accounting)
• sniffing detection
  • nmap 'sniffer-detect' script (promiscious)

wireshark special

• filters
  • <protocol> to filter by protocol
  • ip.addr to filter by ip address
  • ip.src to filter by ip address
  • ip.dst to filter by ip address

tools

• macof (MAC flooding)
• yearsinia (DHCP starvation attack)
• XArp (ARP spoofing detection tools)
• wireshark

---

Back to index | Go to next module