EC Council CEH 312-50 – Networks – Sniffing, ARP Poisoning, and Breaking SSL Part 1
July 5, 2023

1. Introduction to Sniffing

In this section we’re going to talk about the basics of packet sniffing, give you some examples of packet sniffers, ARP cache poisoning and DNS snooping, as well as SSL sniffing, fake certificate injection, sniffing voice-over-IP calls, sniffing remote desktop connections, and some sniffing countermeasures.

2. Packet Sniffers, pcap & WinPcap, Wireshark, TCP Reassembly, Packetyzer

So let’s start off this section talking about packet sniffers. Sometimes it’s referred to as a packet analyzer; it’s also known as a network analyzer, a protocol analyzer, or, more than likely, just a packet sniffer. All of these are a program or a piece of computer hardware that can intercept and log traffic over a digital network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet’s raw data, showing the various fields in the packet and analyzing its content according to the appropriate RFC or other specification. Now, packet capturing is the process of intercepting and logging that traffic on wired broadcast LANs.

Depending upon the network structure, whether it’s a hub or a switch, one can capture traffic on all or just parts of the network from a single machine within the network. However, there are some methods to get around the traffic narrowing that switches do, in order to gain access to traffic from other systems on the network; in other words, ARP spoofing. For network monitoring purposes, it may be desirable to monitor all data packets in the LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through the ports of the switch to the port where the monitoring computer is connected. Let me give you some examples of different types of packet sniffers.

The different sniffers can be used for different purposes: analyzing network problems, detecting network intrusions, detecting network misuse by internal and external users, documenting regulatory compliance by logging all perimeter and endpoint traffic, gaining information for effecting a network intrusion, isolating exploited systems, monitoring WAN bandwidth utilization, and a number of other things. Some examples would be Wireshark, which is probably the most popular one; it’s a port of the old Ethereal program. Then there are tcpdump and WinDump; OmniPeek, which generally has built-in wizards to help you; Packetyzer; and Cain and Abel. We’re going to talk about each one of these.

Let’s start off with pcap and WinPcap. In the field of network administration, pcap, or packet capture, consists of an application programming interface, an API, for capturing network traffic. Unix systems implement pcap in the libpcap library. Windows uses a port of this, known as the WinPcap library. Most monitoring software uses one or the other of these. The pcap API is written in C, so languages such as Java, .NET and other scripting languages generally use a wrapper written around it. WinPcap is used in a number of different tools, such as Wireshark, WinDump, Snort, Cain and Abel and promotect, and a host of Linux tools use libpcap. Now, Wireshark is a free and open source packet analyzer.

It’s used for network troubleshooting, analysis, software and communications protocol development, and even education. Originally named Ethereal, in May of 2006 the project was renamed Wireshark due to trademark issues. Now, one of Wireshark’s claims to fame is that it can reassemble data. Basically, what we’re doing is stripping out all the protocol overhead from the different frames and keeping just the data portion of the packets, in order. So what one person said is shown in blue, what the other person said is in red, then blue again, and so on. The tool that I’m going to demonstrate for you is called Packetyzer, and I like it best because it actually shows the SYN, SYN/ACK and ACK in the frames and shows the information distributed in them.

I’m going to do this demonstration from our remote lab. So I’m going to choose one of my machines, and I know that I have Packetyzer installed on the XP attacker, so I’m going to choose it and click on Open Console. The first thing I’m going to do is come down here to this little security button and click on Net Tools, and then I’m going to click on Packetyzer. Now, when Packetyzer starts up, it’s going to try and use the Generic Dialup adapter, but I need to choose the VMware card. So I’m going to click OK right here, and let’s make this just a little bit bigger so we can all see it very easily. What I plan on doing is starting a capture, but I want to do a couple of things first.

First I’m going to open up a command prompt, and I’m going to try and ping google.com, and hopefully I’ll be able to show you all of the pieces of this. So I’m immediately going to start my capture over here. Then I’m going to come over here and press Enter. And if all goes well, I should have grabbed the necessary packets to see all of this. Now I’m going to show this in a little bit different format here. I’m going to stop the packet capture, and I’m going to see if I can find when I did that. Okay, so as you can see, the first thing that happened is VMware did a who-has for that IP address, 1041 one, which is my default gateway, tell this particular machine, the machine I’m logged on to, and then it basically told it that it’s at this MAC address.

Then it came back here and did a DNS query for Google. Then another one right here, and here is my ICMP ping request, and here is my reply. Now, for this next one I’m going to go ahead and set up my capture here, making this a little bit larger, and I want the three frames here. What I’ve got set up is that I’m going to go ahead and clear the ARP cache, and I do that with arp -d *. I’m then going to start the capture and look for cnn.com, and do both of them without too many problems. And there’s my CNN. So I’m going to stop my packet capture, and let’s take a look at what we’ve got. Now let’s first start off by looking for the ARP, and it looks like it’s going to be at about 559.

So I would venture to say that’s where my packets are going to start. Okay? And you can see right here it started the ARP, who is at this IP address, and so on and so forth. Then it went out and did a DNS query for www.cnn.com. Then once we go out to www.cnn.com, we should be able to find a SYN/ACK packet. Pretty much there; it looks like that’s going to be it, I would venture to say. And what I’m going to do is right-click on this and follow the TCP flow. Okay? So I’ve got SYN, SYN/ACK, ACK, and it pushes data to me. I acknowledge that. I acknowledge the data, then I make another request, and so on. I can look at the trace and I can look at the decode of the packet. Here is what I requested right here. And here is what it replied with. Pretty cool.
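The follow-the-stream view described above, stripped of headers and ordered by sequence number, as an added example (not code from the course or from Packetyzer). It reassembles both directions of a conversation from constructed, out-of-order segments, drops a retransmission and an overlap, and reports a hole where bytes were never captured; the endpoint labels, sequence numbers and payloads are all assumed sample values.

```python
from collections import namedtuple

# Constructed sample segments for this demo (not taken from the lecture's capture):
# src/dst are endpoint labels, seq is the sequence number of the first payload byte.
Segment = namedtuple("Segment", "src dst seq payload")

def follow_stream(segments):
    """Rebuild both directions of a TCP conversation the way a sniffer's
    "follow TCP stream" view does: drop the headers, put payload bytes in
    sequence order, discard retransmitted or overlapping bytes, and report holes.
    Assumes the capture contains the start of each direction, so its lowest
    sequence number is taken as the first payload byte.
    Returns (chunks, streams, gaps): chunks are (src, dst, data) in the order the
    bytes became contiguous, streams joins them per direction, and gaps lists
    (src, dst, expected_seq, next_seq_seen) for data stuck behind missing bytes."""
    expected = {}
    for s in segments:
        d = (s.src, s.dst)
        expected[d] = min(expected.get(d, s.seq), s.seq)
    pending = {d: {} for d in expected}   # seq -> payload not yet contiguous
    chunks = []
    for s in segments:
        d = (s.src, s.dst)
        pending[d][s.seq] = s.payload
        while True:
            q = min((q for q in pending[d] if q <= expected[d]), default=None)
            if q is None:
                break                       # everything left starts after a hole
            data = pending[d].pop(q)[expected[d] - q:]   # trim bytes already delivered
            if data:
                chunks.append((s.src, s.dst, data))
                expected[d] += len(data)
    streams = {}
    for src, dst, data in chunks:
        streams[(src, dst)] = streams.get((src, dst), b"") + data
    gaps = [(d[0], d[1], expected[d], min(p)) for d, p in pending.items() if p]
    return chunks, streams, gaps

SAMPLE = [
    Segment("client", "server", 1009, b"TP/1.0\r\n\r\n"),       # arrives before its predecessor
    Segment("client", "server", 1001, b"GET / HT"),
    Segment("server", "client", 5001, b"HTTP/1.0 200 OK\r\n"),
    Segment("server", "client", 5001, b"HTTP/1.0 200 OK\r\n"),  # retransmission, must not repeat
    Segment("server", "client", 5018, b"\r\nhello"),
    Segment("server", "client", 5023, b"lo world"),             # overlaps two delivered bytes
    Segment("server", "client", 5040, b"tail"),                 # bytes 5031-5039 were never captured
]

if __name__ == "__main__":
    chunks, streams, gaps = follow_stream(SAMPLE)
    for src, dst, data in chunks:
        print(f"{src} -> {dst}: {data!r}")    # the alternating blue/red view
    print("gaps:", gaps)
```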

3. tcpdump & WinDump, NetworkMiner, WildPackets, Cain and Abel, Passive Sniffing

Now, tcpdump and WinDump are common packet analyzers that run from the command line. They allow the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X and others. On those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump, and it uses WinPcap, the Windows port of libpcap. tcpdump prints the contents of network packets. It can read packets from a network interface card or from a previously saved packet file.

It’s also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. There are some packet analyzers that have what I’ve referred to as built-in wizards. Some of these tools are from WildPackets. They have EtherPeek, an expert network analyzer with wizards in it to tell you where your problem is, with one version for voice and one for Ethernet. In computer networking, it’s also very important for us to know where the cards that are in promiscuous mode are located.

Now, in computer networking, promiscuous mode, or promisc mode, is a mode for a wired network interface card, or even a wireless network card, that causes the controller to pass all of the traffic it receives to the central processing unit rather than only the frames that are destined for it. This mode is normally used for packet sniffing, which takes place on a router or on a computer connected to a hub instead of a switch, or on one that is part of a wireless LAN. It’s important for us to be able to detect whether a card is in promiscuous mode, and if it has the 16th bit set, that determines that it’s in promiscuous mode.

So consequently, we can do this with tools like Cain and Abel to determine whether a card is in promiscuous mode. There are other tools like PromiScan to check for promiscuous mode. Regardless, if a card is in promiscuous mode and you are the network administrator, you need to know about it. Then we have something called passive sniffing. Passive sniffing is the concept where a hub repeats all the traffic to every port in that particular collision domain, so sniffing performed on a hub is known as passive sniffing. I doubt very seriously you can even find a hub anymore, maybe off of eBay or something like that, but I doubt very seriously you can buy one new anymore.

Because most of our networks use switches these days, being able to sniff passively is probably going to be a function of the switch, where we put it into the mode that allows that sort of thing. More than likely you’re going to use something like active sniffing. Active sniffing is sniffing traffic on a LAN that is built to prevent it: packets have to be injected that cause the data to be rerouted, or some other mechanism has to be used to get that traffic rerouted. Sniffers operate at the data link layer of the OSI model. This means that they don’t have to play by the same rules as applications and services that reside further up the stack. Sniffers can grab whatever they see on the wire and record it for later review.

They allow the user to see all the data contained in the packet, even information that should remain hidden. This is in contrast to tools like tcpdump and WinDump, which can be run in a mode that doesn’t grab the payload, but only the headers of the packet. A hacker has two choices for modifying the route of a packet. He can try to manipulate it through layer 2, Ethernet, switching mechanisms, such as switch forwarding table flooding, ARP cache poisoning, or MAC spoofing. Or he can control it through layer 3 routing mechanisms, like DNS poisoning, source routing, advertising bogus routes or ICMP redirect messages, or even putting up a rogue DHCP server.

4. Active Sniffing & Methods, Switch Table Flooding

When sniffing is performed on a switched network, it’s known as active sniffing. Active sniffing relies on packets injected into the network that cause traffic to be redirected, and it is required in order to bypass the segmentation that switches provide. Switches maintain their own kind of ARP cache in a type of special memory known as content addressable memory, or a CAM table, keeping track of which hosts are connected to which ports. Sniffers often operate at the data link layer of the OSI model. This means that they do not have to play by the same rules as applications and services that reside further up the stack, so sniffers can grab whatever they see on the wire and record it for later review.

They allow the user to see all the data contained in the packet, even information that should remain hidden. Now, when I talk about this in class, I normally bring up a particular diagram. So let’s assume for just a moment that we have a packet coming into the switch from MAC address A, destined for MAC address B. All right, let’s say, for example, that we just turned the switch off and turned it back on. More than likely this CAM table is going to be completely empty. It’s not going to know which MAC addresses are at which ports. So consequently it’s going to need to go into what’s called a flood position. This means that it forwards each packet to every port except the port it came in on.

So it automatically learns about A when the packet came in from A, and when B responds it will know that B resides here, and then eventually C and D will respond and it’ll know where they are. Then it’s going to set its convergence register, meaning that it knows where every host is. But a hacker that comes along may inject thousands of unwanted or undesirable packets and cause the CAM table to overflow. In most small switches you have room for about 1024 different MAC addresses downstream. This one right here only has four ports, but it could have another switch attached to it which has other ports on it, and thus port number 4 may contain maybe an E and an F, as an example, which is how it can come up to 1024 entries.

Because of the huge number of MAC addresses coming into its table, it unsets its convergence register. Thus it goes back into a flood position. Now, I’m going to show you the application that we use to do that with. I’m going to open up our online lab. I’m going to make sure that we open up our Kali Linux, and I’m going to just simply type in the utility that’s used for this. The utility is called macof. And when I type that in, you can see thousands of MAC addresses that come through here, which are going to overflow that CAM table. I’m going to press Ctrl-C on that because I don’t want to flood my CAM table completely.

So it would come back here and add all these addresses from whatever port I’m coming in on. Once it got to 1024, it would start to flood again. This is what’s referred to as a CAM table overflow or a MAC flood. So EtherFlood and macof are tools that send thousands of Ethernet frames containing random hardware addresses onto a switched network segment. This process can overload the switch’s forwarding table, the CAM table, which of course maps the IP and MAC addresses. Then it behaves like a hub. Now, there are some countermeasures to this. You can use network monitoring software to detect a surge in the number of packets. Also, some newer switches, like the Catalyst, won’t fail over to acting like a hub. They’ll just simply stop.
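A model of the CAM table behaviour and the two countermeasures just described, as an added example (not code from the course, macof or any switch vendor). It simulates a learning switch with the 1024-entry table from the lecture, replays A and B being learned and then a burst of random source MACs on another port, and shows both the evicting switch going back into flood mode and the fail-closed switch that simply stops learning, plus a per-port "too many source MACs" surge check; the LRU eviction policy, port numbers, MAC values and the threshold of 32 are assumptions for the demo.

```python
from collections import OrderedDict
import random

CAM_CAPACITY = 1024   # table size the lecture quotes for a small switch

class Switch:
    """Toy learning switch. The CAM table maps MAC -> port and has a fixed size;
    a frame for a destination that is not in the table is flooded out of every
    port except the one it arrived on, which is what a MAC flood exploits."""

    def __init__(self, ports, capacity=CAM_CAPACITY, fail_closed=False):
        self.ports, self.capacity = list(ports), capacity
        self.fail_closed = fail_closed  # newer-switch behaviour: stop learning instead of evicting
        self.cam = OrderedDict()        # mac -> port, oldest entry first
        self.src_seen = {p: set() for p in self.ports}  # monitor: distinct source MACs per port

    def learn(self, mac, port):
        """Record mac on port; returns False if the full table refused the entry."""
        self.src_seen[port].add(mac)
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.capacity:
            if self.fail_closed:
                return False
            self.cam.popitem(last=False)  # evict the oldest entry (assumed LRU policy)
        self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame src -> dst that arrived on in_port."""
        self.learn(src, in_port)
        if dst in self.cam:
            return [self.cam[dst]]
        return [p for p in self.ports if p != in_port]   # unknown destination: flood

    def surge_alerts(self, threshold=32):
        """Ports that sourced more distinct MACs than a normal host ever would."""
        return sorted(p for p, macs in self.src_seen.items() if len(macs) > threshold)

def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def mac_flood_demo(fail_closed=False, frames=2000, seed=1):
    """Replay the lecture's scenario: A (port 1) and B (port 2) get learned, then an
    attacker on port 3 sends `frames` frames with random source MACs, macof-style.
    Returns (ports that receive A's next frame to B, ports flagged by the monitor)."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3, 4], fail_closed=fail_closed)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(a, b, 1)   # B unknown yet: flooded, A learned on port 1
    sw.forward(b, a, 2)   # reply goes straight to port 1, B learned on port 2
    for _ in range(frames):
        sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", 3)
    return sw.forward(a, b, 1), sw.surge_alerts()

if __name__ == "__main__":
    print("evicting switch:   ", mac_flood_demo())                  # B's entry is gone, frame is flooded
    print("fail-closed switch:", mac_flood_demo(fail_closed=True))  # B still known, unicast only
```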

5. ARP Cache Poisoning

The thing that I’d like to talk about next is something called an ARP cache poison. Before you can understand what an ARP cache poison is, we need to make sure everyone understands exactly how normal ARP operation works. So what you typically see here is that we send out a packet, and it goes to both locations because it’s a broadcast. All right? We send it out to everyone because it’s asking: who is 192.168.1.1? Please tell 1.2. The owner then sends a packet back to just 1.2, and the entry is placed in its ARP cache. Now, this entry lasts for two minutes on a Windows machine. It can last up to 8 hours on a Cisco router, depending upon the model.

Now, let’s look at something that’s a little bit more nefarious. Let’s say we have a hacker, and the hacker is interested in this traffic. Remember that we’ve already got this entry in our ARP cache right here, and the machine knows to send the traffic to this machine. But the hacker is going to forge a packet and send out what’s called a gratuitous ARP. A gratuitous ARP can be sent at any time on TCP/IP version 4 and overwrites whatever’s in somebody’s ARP cache. The hacker sends this out and forges where the traffic is supposed to go, thus overriding the entry and saying: if you want to send to 1.1, send it to this MAC address, which is the hacker’s. Now, naturally, the hacker is going to receive that and do any dirty work that he wants with it.

So he’s going to copy the user ID and password out of it and then send it on to the intended recipient, with no one being the wiser. So this is how an ARP cache poison works. ARP cache poisoning has been done for many, many years, ever since TCP/IP version 4 was implemented. We just simply tell the victim with a gratuitous ARP where we want it to go, and it does just that. It receives the gratuitous ARP: wasn’t that nice that you sent that to me? Now I don’t even have to send out an ARP broadcast; I know where it is. We were a little bit more trusting back then, I guess, because to this day this still works on IP version 4. In order to do an ARP cache poison, we can view the ARP cache with arp -a and clear the ARP cache with arp -d.

And I’m going to show you some of these things in our online lab. So what we’ve got right here is a tool called Cain and Abel. I’m going to go into the Sniffer tab, and I’m just going to get rid of all these entries right here. Then I’m going to click the plus sign, and I’m going to tell it that I want all of the hosts in my subnet, and to run all tests. I’m going to click OK. And it’s going to go out and try and isolate all of the hosts in my subnet. All right. The one I’m particularly interested in is this 157, and it looks like it found that one as well. It’s then going to go through and see if any of these are in promiscuous mode. It’s going to see if any of them are in the broadcast domain, all kinds of stuff. So you can see this one here is in promiscuous mode with the B16 bit set, and it’s going to look for a number of different bits on each of them. Okay, now that it’s done, you can see several of them are in promiscuous mode, and I’m going to be interested in this one, this 157. So what I’m going to do is open up a command prompt right here. I’m going to type in arp -a, and you can see from arp -a that it already knows where its default gateway is. And now what I’m going to do is type in arp -d *, and this is going to clear my ARP cache. You can see no entries are found at this point.

Now I’m going to tell it that I want to go to some website somewhere; let’s see if I can find Google. Okay, there we go. Now if I look in the ARP cache, it’ll definitely have an entry in it, because it would have had to have done an ARP broadcast. So it’s found the entry for 41 one. I want you to notice that it’s at C8. That’s the ending of the MAC address. Okay, great. Now I’m going to go over to my ARP cache poison table, and I’m going to click in here. I’m going to poison in between this IP address and this IP address, which, if you recall, was 157. So I’m going to poison in between 157 and 1, its default gateway.

I’m going to click OK, and I’m just going to do an arp -a again just to show you that it still is C8. All right. Now I’m going to turn the poisoning on. Okay? So now I’m going to type in arp -a, and I want you to notice it’s no longer C8, it’s 83. I wonder who that might happen to be. Well, you can see it right here in the MAC address on the screen, 83. What’s happening here is that the Windows 7 machine thinks the XP machine is the default gateway. Also, the default gateway thinks the XP machine is this Windows 7 machine. And so it’s acting as a man in the middle, intercepting all of its information.
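What the poisoning run in this section looks like on the wire, and how a monitor can spot it, as an added example (not code from the course or from Cain and Abel). It builds ARP frames in memory from constructed values, parses them back, and runs an arpwatch-style watcher that flags the two traces the lecture describes: the gateway's IP-to-MAC binding flipping because of a gratuitous ARP, and one MAC ending up claiming both the gateway and the victim; the addresses and MACs are assumed sample values, and nothing is sent on a network.

```python
import struct

ETH_ARP = 0x0806
_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def build_arp(op, smac, sip, tmac, tip, dst_mac="ff:ff:ff:ff:ff:ff"):
    """Ethernet II + ARP frame (hw=Ethernet, proto=IPv4); op 1=request, 2=reply."""
    eth = _mac(dst_mac) + _mac(smac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(smac) + _ip(sip) + _mac(tmac) + _ip(tip)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_ARP):
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])

class ArpWatcher:
    """arpwatch-style monitor: remembers which MAC last claimed each IP and reports
    what a poisoning run leaves behind: an existing IP -> MAC binding flipping
    (typically via gratuitous ARP) and one MAC answering for several IPs, which is
    the man in the middle claiming to be both the gateway and the victim."""
    def __init__(self):
        self.bindings = {}   # ip -> mac last seen in the sender fields
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        op, smac, sip, _, tip = p
        old = self.bindings.get(sip)
        if old is not None and old != smac:
            kind = "gratuitous" if sip == tip else "reply" if op == 2 else "request"
            self.alerts.append(f"{sip} moved from {old} to {smac} ({kind} ARP)")
        self.bindings[sip] = smac
        claimed = sorted(ip for ip, m in self.bindings.items() if m == smac)
        if len(claimed) > 1:
            self.alerts.append(f"{smac} now claims {claimed}")

GW, VICTIM = "192.168.1.1", "192.168.1.2"
GW_MAC, VICTIM_MAC, ATT_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
# Constructed sample traffic: one normal request/reply, then the two gratuitous
# replies a poisoner sends to sit between the victim and its default gateway.
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", GW),         # who has 1.1? tell 1.2
    build_arp(2, GW_MAC, GW, VICTIM_MAC, VICTIM, dst_mac=VICTIM_MAC),  # 1.1 is at GW_MAC
    build_arp(2, ATT_MAC, GW, ATT_MAC, GW),                             # gratuitous: 1.1 is at ATT_MAC
    build_arp(2, ATT_MAC, VICTIM, ATT_MAC, VICTIM),                     # gratuitous: 1.2 is at ATT_MAC
]

def watch(frames=SAMPLE_FRAMES):
    """Feed frames to a fresh watcher and return the alert lines it produced."""
    w = ArpWatcher()
    for f in frames:
        w.observe(f)
    return w.alerts
```

Running `watch()` on the sample yields two "moved" alerts for the gateway and the victim, followed by the attacker's MAC being reported as claiming both addresses.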
