sniffing

the objective of sniffing is to steal:
passwords
email text, messages, etc.
files in transfer

protocols vulnerable to sniffing
because their data is sent in clear text
includes telnet, rlogin, http, snmp, nntp, pop, ftp

……………………..

span (switched port analyzer), also called port mirroring or port monitoring

span terminology:
ingress traffic:traffic that enters the switch
egress traffic:traffic that leaves the switch
source span port:a port that is monitored with use of the span feature
source span vlan:a vlan whose traffic is monitored with use of the span feature
destination span port: the port that delivers the mirrored (sniffed) traffic to the network analyzer; this port is usually connected directly to the network analyzer
reflector port:copies packets onto an rspan vlan
monitor port:destination span port

identify what devices are available on the network:
network view:scans the network for devices
the dude sniffer
look@lan

span tools:
wireshark
pilot
tcpdump: requires libpcap to be installed first
ps: tcpslice analyzes the capture files written with tcpdump -w
tcpflow: a tool similar to tcpdump, but tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis

………………………………………………………………………………

types of sniffing
passive sniffing:
 through a hub
 easy to sniff
 it is difficult to detect
active sniffing:
 through a switch
 difficult to sniff
 can easily be detected

types of sniffing attack

techniques for active sniffing
arp spoofing
mac flooding
mac duplicating

………………………………………………..

arp spoofing
also called an arp attack; very common, and very hard to catch

how does arp spoofing work
ordinary arp requests or arp replies are sent to disrupt or tamper with the normal arp table of a computer or router, so that packets sent by that device go to the wrong destination, or so that the osi layer 2 (ethernet) and layer 3 mappings no longer line up and the network is paralysed
principle: by sending arp requests or arp replies, the arp table inside a device is disrupted or tampered with, so the packets that device sends are delivered to the wrong destination
ex: three machines pc1, pc2, pc3 with ip/mac pairs ip1/mac1, ip2/mac2, ip3/mac3;
pc3 is the attacker, and the attack proceeds as follows
1. pc3 sends an arp reply to pc1, but with the sender set to ip2/mac3 (normally it would be ip3/mac3)
2. pc1 trusts this arp reply and updates its arp table, so the mac it holds for pc2 becomes mac3
3. when pc1 now sends data to pc2, the data goes to mac3
4. pc3 receives the data pc1 meant for pc2; the attack has succeeded

the main attacks built on arp are
man-in-the-middle attack: deceive both sides at once, so the pc1-pc2 communication keeps working and can be monitored
session hijacking: use arp spoofing to take over a user's legitimate connection
arp attacks can be divided into
malicious attacks: deliberate attacks on a specific target using tools; easy to disguise and easy to operate, so harder to deal with
attacks caused by infection: the user's machine is infected with malware that generates the arp attack

threats of arp poisoning
ddos attacks
intercept data
collect passwords
manipulate data
tap voip phone calls

protection:
1. tune ids sensors to look for a large amount of arp traffic on local subnets
2. use private vlans
3. configure static arp tables to prevent arp spoofing
   on each pc's network connection, pin the gateway's ip and mac
   ex: arp -d
       netsh -c interface ipv4 add neighbors "區域連線" <ip> <mac>
   ("區域連線" is the interface name, i.e. "Local Area Connection" on an english system)
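
The monitoring side of countermeasures 1 and 3 (and of the arpwatch step under "detecting sniffing" further down), as an added example that is not part of the original notes: a small arpwatch-style guard that replays the pc1/pc2/pc3 scenario above. It keeps an ip-to-mac table, refuses to overwrite a pinned (static) gateway entry, raises an alert when a reply contradicts a known binding, and raises a second kind of alert when more replies than a threshold arrive inside a sliding window. All addresses and timestamps are constructed; a real tool would take the replies from libpcap.

```python
from collections import Counter, deque
from dataclasses import dataclass

# Added example: an arpwatch-style guard over a stream of ARP replies.
# The replies in run_demo() are constructed, not captured traffic.

@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # ip the reply claims to speak for
    sender_mac: str    # mac the reply binds to that ip

class ArpGuard:
    def __init__(self, trusted, window=1.0, max_replies=10):
        # trusted: static ip -> mac bindings that must never be overwritten
        # (the gateway pinned in a static arp table, countermeasure 3)
        self.table = dict(trusted)
        self.trusted = set(trusted)
        self.window = window            # seconds of history for the rate check
        self.max_replies = max_replies  # "large amount of arp traffic" threshold
        self.recent = deque()
        self.alerts = []

    def observe(self, reply):
        """Process one ARP reply and return the alerts it produced."""
        new = []
        # rate check: how many replies fell inside the sliding window (countermeasure 1)
        self.recent.append(reply.ts)
        while reply.ts - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.max_replies:
            new.append(("flood", reply.ts, len(self.recent)))
        # binding check: does this reply contradict what we already know? (arpwatch)
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac
            new.append(("new-station", reply.sender_ip, reply.sender_mac))
        elif known != reply.sender_mac:
            if reply.sender_ip in self.trusted:
                # static entry: keep the pinned mac, but raise the alarm
                new.append(("static-override", reply.sender_ip, known, reply.sender_mac))
            else:
                self.table[reply.sender_ip] = reply.sender_mac
                new.append(("changed", reply.sender_ip, known, reply.sender_mac))
        self.alerts.extend(new)
        return new

    def summary(self):
        """Alert counts by kind."""
        return Counter(a[0] for a in self.alerts)

def run_demo():
    """Replay the pc1/pc2/pc3 scenario from the notes; pc2 plays the gateway."""
    gw_ip, gw_mac = "192.0.2.2", "00:00:5e:00:53:02"      # constructed addresses
    pc3_mac = "00:00:5e:00:53:03"
    guard = ArpGuard(trusted={gw_ip: gw_mac}, window=1.0, max_replies=10)
    replies = [ArpReply(0.0, "192.0.2.3", pc3_mac),         # pc3 announces its own ip: fine
               ArpReply(0.5, gw_ip, pc3_mac)]               # reply binding pc2's ip to pc3's mac
    # the same spoofed reply repeated, 12 times within one second
    replies += [ArpReply(1.0 + i * 0.05, gw_ip, pc3_mac) for i in range(12)]
    for r in replies:
        guard.observe(r)
    return guard

if __name__ == "__main__":
    g = run_demo()
    for a in g.alerts:
        print(a)
    print(g.summary(), "gateway still bound to", g.table["192.0.2.2"])
```

The pinned gateway entry is the point of countermeasure 3: the spoofed replies are logged as "static-override" but never change what the guard (or a host with a static arp entry) believes about the gateway.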

arp spoofing tools
arpspoof: linux
ettercap: linux, win
arpspyx: mac
cain and abel: started as a password recovery tool and grew into a full-featured suite
irs: arp attack tool
arpworks tool

………………………………………………..

mac flooding
a large number of bogus address entries are sent to the switch so that its address table (cam table) overflows; to keep operating, the switch falls back to broadcast mode and forwards frames out of every port like a hub, which makes it possible to sniff the communication between machine a and machine c
mainly targets switches
only works if the switch is susceptible to it

tools for mac flooding
macof:linux
etherflood:linux,win
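
Why a full address table turns a switch into a hub, and how the port security feature listed under "countermeasures" stops it, as an added example that is not from the original notes: a toy switch with a small cam table that evicts its oldest entry when full, and an optional per-port limit on learned mac addresses. The hosts, ports and frames are constructed.

```python
from collections import OrderedDict

# Added example: a toy switch with an LRU cam table and optional port security.
# Ports, macs and frames below are constructed for the demonstration.

class Switch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = OrderedDict()               # mac -> port, oldest entry first
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port   # None = port security off
        self.macs_on_port = {p: set() for p in ports}
        self.disabled = set()                  # ports shut down by a violation
        self.violations = []

    def _learn(self, mac, port):
        if mac not in self.macs_on_port[port]:
            limit = self.max_macs_per_port
            if limit is not None and len(self.macs_on_port[port]) >= limit:
                # port security violation: err-disable the port, learn nothing
                self.disabled.add(port)
                self.violations.append((port, mac))
                return
        if mac in self.cam:
            old_port = self.cam[mac]
            if old_port != port:               # station moved (or mac duplicated)
                self.macs_on_port[old_port].discard(mac)
            del self.cam[mac]                  # re-insert as the newest entry
        elif len(self.cam) >= self.cam_size:
            old_mac, old_port = self.cam.popitem(last=False)   # table full: evict oldest
            self.macs_on_port[old_port].discard(old_mac)
        self.cam[mac] = port
        self.macs_on_port[port].add(mac)

    def forward(self, src, dst, in_port):
        """Return the set of ports a frame arriving on in_port is delivered to."""
        if in_port in self.disabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.disabled:           # this very frame triggered the violation
            return set()
        out = self.cam.get(dst)
        if out is None:
            return self.ports - {in_port}      # unknown destination: flood like a hub
        return set() if out == in_port else {out}

def scenario(max_macs_per_port=None):
    """Host a on port 1 talks to host c on port 2; the flooder sits on port 3."""
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=max_macs_per_port)
    a, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0c"
    sw.forward(a, c, 1)                        # a's first frame: c unknown, flooded
    sw.forward(c, a, 2)                        # c answers: both are now in the table
    before = sw.forward(a, c, 1)               # steady state: unicast to port 2 only
    for i in range(20):                        # 20 frames with distinct bogus source macs
        sw.forward("02:00:00:00:00:%02x" % i, "ff:ff:ff:ff:ff:ff", 3)
    after = sw.forward(a, c, 1)                # where does a's traffic to c go now?
    return before, after, sorted(sw.disabled), len(sw.violations)

if __name__ == "__main__":
    print("no port security:", scenario())
    print("port security, 1 mac per port:", scenario(max_macs_per_port=1))
```

Without the limit the bogus entries push a and c out of the table, and the next frame from a to c is delivered to ports 2 and 3, so port 3 now sees it. With a one-mac limit the second bogus source on port 3 disables that port, c stays in the table, and a's traffic keeps going to port 2 alone.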

………………………………………………

mac duplicating
impersonating another host's mac address
threat:
the attacker can sniff all traffic destined for the real mac
when a device restricts access by mac address, the client can watch the network for a mac that is allowed and then set its own mac to that mac
ex: an ap with mac filtering enabled

……………………………………………….

dhcp starvation attack
the attacker floods the dhcp server with requests from forged sources, exhausting every ip the dhcp server can hand out
a rogue dhcp server is then set up to hand clients incorrect network settings, after which the attacker can perform a mitm attack

tool: gobbler

………………………………………………..

dns poisoning
alters dns records so that a user who enters the legitimate address is connected to a malicious ip instead

type of dns poisoning:
intranet dns spoofing
internet dns spoofing
proxy server dns poisoning
dns cache poisoning

intranet dns spoofing
works well against switched networks when combined with arp poisoning of the router
steps:
1 hacker runs a fake dns server
2 hacker runs arp poisoning, spoofing the ip/mac of the victim's dns server so that it points at the fake dns server
3 the victim's dns request goes to the fake dns server
4 the fake dns server replies with a dns response pointing to a fake ip
5 the victim's browser connects to the fake ip, which hosts a fake website
6 the hacker's fake website sniffs the credentials and redirects the request to the real website
implementation tool:
ettercap

internet dns spoofing
works across networks. easy to set up and implement
steps:
1 hacker runs a fake dns server
2 hacker infects the victim's pc, changing the victim's dns server address to the fake dns server
3 the victim's dns request goes to the fake dns server
4 the fake dns server replies with a dns response pointing to a fake ip
5 the victim's browser connects to the fake ip, which hosts a fake website
6 the hacker's fake website sniffs the credentials and redirects the request to the real website

proxy server dns poisoning
works across networks. easy to set up and implement
steps:
1 hacker runs a proxy server
2 hacker infects the victim's pc, changing the victim's proxy address to the hacker's proxy server
3 the victim's web requests go through the hacker's proxy server
4 the hacker's proxy server sends the victim's request to a fake website
5 the hacker's fake website sniffs the credentials and redirects the request to the real website

dns cache poisoning
steps:
1 attacker sends a request to the dns server
2 if the dns server's cache has no record for it, it sends a query with id=777 to the upstream dns server and waits for a reply carrying id=777
3 at that moment the attacker sends the dns server a large number of packets forged to look like they come from the upstream dns server, including one with id=777
4 the dns server sees id=777 and updates its cache, so the cache now holds the attacker's malicious address
5 when a client looks up that hostname, the dns server sends the client to the malicious address from its cache
ps: this is an extremely serious security vulnerability!
reference video
http://www.checkpoint.com/defense/advisories/public/dnsvideo/index.html
implementation tool:
the dns spoof module in metasploit
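
The resolver side of the id=777 scenario, as an added example that is not from the original notes: a model of a caching resolver's answer-acceptance check. A response is only accepted if its source is the upstream server, its transaction id and destination port match an outstanding query, and its question matches too; an outstanding query is removed once answered. The demo runs the same forged response against a resolver with a fixed id and fixed port 53 (the setup the notes describe) and against one that randomizes both, which is the standard mitigation. All addresses and packets are constructed.

```python
import secrets

# Added example: the response-acceptance check of a caching resolver,
# modelled on the id=777 scenario in the notes. Addresses are constructed.

class Resolver:
    def __init__(self, upstream, fixed_txid=None, randomize_ports=True):
        self.upstream = upstream          # address of the upstream dns server
        self.fixed_txid = fixed_txid      # e.g. 777: the predictable id from the notes
        self.randomize_ports = randomize_ports
        self.pending = {}                 # (txid, src_port) -> qname still unanswered
        self.cache = {}                   # qname -> answer
        self.rejected = []                # responses that matched nothing outstanding

    def send_query(self, qname):
        """Record an outstanding upstream query and return its (txid, src_port)."""
        txid = self.fixed_txid if self.fixed_txid is not None else secrets.randbelow(1 << 16)
        port = secrets.randbelow(65536 - 1024) + 1024 if self.randomize_ports else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, pkt):
        """Accept a response only if it matches an outstanding query exactly."""
        key = (pkt["txid"], pkt["dst_port"])
        qname = self.pending.get(key)
        if pkt["src"] != self.upstream or qname is None or qname != pkt["qname"]:
            self.rejected.append(pkt)
            return False
        del self.pending[key]             # later duplicates can no longer match
        self.cache[qname] = pkt["answer"]
        return True

def guess_space(randomize_ports):
    """Number of (txid, port) combinations a forged response would have to cover."""
    return (1 << 16) * ((65536 - 1024) if randomize_ports else 1)

def demo(fixed_id):
    """Feed a forged response (id 777, port 53) and then the genuine one."""
    upstream = "198.51.100.53"                                  # constructed
    r = Resolver(upstream, fixed_txid=777 if fixed_id else None, randomize_ports=not fixed_id)
    txid, port = r.send_query("www.example.test")
    forged = {"src": upstream, "dst_port": 53, "txid": 777,
              "qname": "www.example.test", "answer": "203.0.113.66"}   # constructed
    genuine = {"src": upstream, "dst_port": port, "txid": txid,
               "qname": "www.example.test", "answer": "192.0.2.10"}    # constructed
    r.receive(forged)
    r.receive(genuine)
    return r.cache["www.example.test"], len(r.rejected)

if __name__ == "__main__":
    print("fixed id 777, port 53:  ", demo(fixed_id=True), "guesses needed:", guess_space(False))
    print("random id, random port: ", demo(fixed_id=False), "guesses needed:", guess_space(True))
```

With the fixed id the forged packet is accepted and the genuine reply is the one rejected, so the cache holds the malicious address; with randomized id and port the forged packet matches nothing and is dropped. The guess_space figure is why port randomization matters: the id alone gives 65536 possibilities, both together give over four billion.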

iana provides an online test, the cross-pollination check, for finding out whether a dns server is vulnerable to dns cache poisoning
http://recursive.iana.org/
the test returns one of three security ratings:
Highly vulnerable (high risk) (red background)
Vulnerable (low risk, but still at risk) (brown background)
Safe (green background)

……………………………………………………………………………………………………………………………………………………

win sniffer tool

interactive tcp reply
nemesis
effetech:http sniffer
ace password sniffer
win sniffer
msn sniffer
smartsniff: lightweight tool
netwitness:session capture sniffer
komodia’s packet crafter:custom tcp/ip packets
engage packet builder
smac: changes the nic's mac address
netsetman
ntop:network traffic probe
etherape: draws network activity as a graph
network probe
maa tec network analyzer
snort
windump: similar to tcpdump, requires winpcap to be installed first
etherpeek
netintercept
colasoft etherlook
aw ports traffic analyzer
colasoft capsa network analyzer
commview: shows the connections currently in progress
sniffem
netresident
ip sniffer
sniphere
ie http analyzer
billsniff
url snooper
etherdetect packet sniffer
effetech http sniffer
analogx packetmon
colasoft msn monitor
ipgrab
etherscan analyzer
infowatch traffic monitor

tool web
www.nirsoft.net
………………………………………………..

linux sniffing tools

dsniff package: contains the following small tools
arpspoof: arp spoofing tool
dnsspoof: dns spoofing tool
dsniff: password sniffer
filesnarf: copies files that pass over nfs
mailsnarf: targets mail
msgsnarf: targets instant messages
sshmitm: ssh monkey-in-the-middle
tcpkill: kills tcp connections; once the victim reconnects it can be combined with mitm
tcpnice: slows down tcp connections on a lan
urlsnarf
webspy: displays sniffed urls in netscape in real time
webmitm: http/https monkey-in-the-middle

Dsniff: a powerful network auditing and penetration-testing toolkit
Designed by Dug Song and widely popular, this suite contains many tools.
Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor the network to obtain sensitive data (for example passwords, e-mail addresses, files, etc.).
Arpspoof, dnsspoof and macof can intercept network traffic that is normally hard to obtain (for example because layer-2 switching is in use).
Sshmitm and webmitm carry out active monkey-in-the-middle attacks (session hijacking using man-in-the-middle techniques) against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI.
A Windows version can be obtained here. In short, this is a very useful toolkit; it does almost everything needed for password sniffing.

………………………………………………………………………………………………….

detecting sniffing

steps to detect sniffing:
1 check whether the system is running in promiscuous mode
2 run arpwatch to see whether any mac has been changed
3 use tools to monitor the network for strange packets
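
Step 1 on a linux host, as an added example that is not from the original notes: the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and promiscuous mode is the IFF_PROMISC bit (0x100) from <linux/if.h>; a normal ethernet interface typically reads 0x1003 (up, broadcast, multicast) and 0x1103 while a sniffer holds it in promiscuous mode. The sysfs path and flag value are real; the sample flag strings are constructed.

```python
import os

# Added example: host-side promiscuous-mode check via sysfs (linux only).
IFF_PROMISC = 0x100   # flag bit from <linux/if.h>

def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1003\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the names of local interfaces currently in promiscuous mode."""
    found = []
    if not os.path.isdir(sysfs_root):       # not linux, or sysfs not mounted
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as f:
                if is_promiscuous(f.read()):
                    found.append(iface)
        except OSError:
            continue                        # interface vanished or flags unreadable
    return found

if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

The same bit is what `ip link show` prints as PROMISC. This only tells you about the host you run it on, and a sniffer with root access can hide it, which is why the network-side methods listed next (arp, ping, latency and so on) exist.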

sniffer detecting methods:
ping method
arp method
source-route method
decoy method
reverse dns method
latency method
tdr(time-domain reflectometers)

………………………………………………..

countermeasures

small network
use of static ip addresses and static arp tables

large network
network switch port security features should be enabled
use of arpwatch to monitor ethernet activity

detect tool
arpwatch
promiscan
antisniff
prodetect
network packet analyzer capsa

SMB (Server Message Block) signing
smb signing turns on digital signing: a signature is placed in every SMB so that client and server can verify it; this verification improves security and stops someone sitting in the middle of the network from mounting a message (man-in-the-middle) attack.
note: you must enable SMB signing on all of the NT and 98 machines, otherwise you will not be able to connect to other systems that have not enabled SMB signing.
ps: see http://support.microsoft.com/support/kb/articles/q230/5/45.ASP