sniffing<\/p>\n\n\n\n
the objective of sniffing is to steal:<\/strong> protocols vulnerable to sniffing<\/strong> ……………………..<\/p>\n\n\n\n span(switched port analyzer),is also called port mirroring,port monitoring<\/p>\n\n\n\n span terminology:<\/strong> identify what devices are available on the network:<\/strong> span tools: ………………………………………………………………………………<\/p>\n\n\n\n types of sniffing …<\/p>\n\n\n\n types of sniffing attack<\/p>\n\n\n\n techniques for active sniffing<\/strong> ………………………………………………..<\/p>\n\n\n\n arp spoofing<\/strong> how does arp spoofing work \u5229\u7528arp\u7684\u653b\u64ca\u4e3b\u8981\u6709<\/strong> threats of arp poisoning<\/strong> \u9632\u8b77: arp spoofing tool ………………………………………………..<\/p>\n\n\n\n mac flooding<\/strong> tools for mac flooding ………………………………………………<\/p>\n\n\n\n mac duplicating ……………………………………………….<\/p>\n\n\n\n dhcp starvation attack<\/strong> tool:globber<\/p>\n\n\n\n ………………………………………………..<\/p>\n\n\n\n dns poisoning<\/strong> type of dns poisoning:<\/strong> …<\/p>\n\n\n\n intranet dns spoofing<\/strong> intrenet dns spoofing<\/strong> …<\/p>\n\n\n\n proxy server dns poisoning<\/strong> …<\/p>\n\n\n\n dns cache poisoning<\/strong> IANA \u63d0\u4f9b\u4e86\u4e00\u500b\u7dda\u4e0a\u6aa2\u6e2c\u5de5\u5177Cross-Pollination Check,\u53ef\u6e2cDNS Server\u662f\u5426\u6709DNS cache poisoning \u6f0f\u6d1e ……………………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n win sniffer tool<\/p>\n\n\n\n interactive tcp reply tool web linux sniffing tools<\/p>\n\n\n\n dsniff package:\u5305\u542b\u4ee5\u4e0b\u5c0f\u5de5\u5177 Dsniff\uff1a\u4e00\u6b3e\u8d85\u5f37\u7684\u7db2\u7d61\u8a55\u4f30\u548c\u6ef2\u900f\u6aa2\u6e2c\u5de5\u5177\u5957\u88dd ………………………………………………………………………………………………….<\/p>\n\n\n\n detecting sniffing<\/p>\n\n\n\n steps to detect sniffing:<\/strong> sniffer detecting methods:<\/strong> ………………………………………………..<\/p>\n\n\n\n countermeasures<\/strong><\/p>\n\n\n\n small netowrk<\/strong> large network<\/strong> detect tool SMB(Server Message Block) signing<\/strong> sniffing the objective of snif …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-409","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=409"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/409\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
password
email text,message,…\u7b49
files in transfer<\/p>\n\n\n\n
\u56e0data sent is clear text
\u5305\u62ec telnet,rlogin,http,snmp,nntp,pop,ftp<\/p>\n\n\n\n
ingress traffic:traffic that enters the switch
egress traffic:traffic that leaves the switch
source span port:a port that is monitored with use of the span feature
source span vlan:a vlan whose traffic is monitored with use of the span feature
destination span port:\u5c07sniffer data\u9001\u7d66network analyzer\u7684port,\u6b64port\u901a\u5e38\u6703\u76f4\u63a5\u9023\u5230network analyzer
reflector port:copies packets onto an rspan vlan
monitor port:destination span port<\/p>\n\n\n\n
network view:scans the network for devices
the dude sniffer
look@lan<\/p>\n\n\n\n
wireshark
pilot
tcpdump:\u9700\u5148\u88ddlibpcap
ps:tcpslice,\u5206\u6790tcpdump -w\u88fd\u7684\u6a94\u6848
tcpflow: \u985e\u4f3ctcpdump\u7684tool,tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis<\/p>\n\n\n\n
passive sniffing:<\/strong>
\u3000through a hub
\u3000easy to sniff
\u3000it is difficult be detect
active sniffing:<\/strong>
\u3000through a switch
\u3000difficult to sniff
\u3000can easily be detected<\/p>\n\n\n\n
arp spoofing
mac flooding
mac duplicating<\/p>\n\n\n\n
\u6216\u7a31arp\u653b\u64ca,\u5f88\u5e38\u898b\u7684\u653b\u64ca,\u800c\u4e14\u5f88\u96e3\u6293<\/p>\n\n\n\n
\u767c\u51fa\u6a19\u6e96\u7684ARP\u8acb\u6c42\u6216ARP\u56de\u61c9\u4f86\u64fe\u4e82\u6216\u7ac4\u6539\u67d0\u96fb\u8166\u6216\u8def\u7531\u5668\u5167\u6b63\u5e38\u7684ARP\u8868\uff0c\u800c\u5c0e\u81f4\u8a72\u8a2d\u5099\u767c\u51fa\u7684\u8cc7\u6599\u5305\u8aa4\u50b3\u76ee\u7684\u5730\uff0c\u6216\u4f7fOSI\u7684\u7b2c\u4e8c\u5c64\u4e59\u592a\u7db2\u548c\u7b2c\u4e09\u5c64\u7121\u6cd5\u9023\u63a5\u9032\u800c\u7671\u7613\u7db2\u8def
\u539f\u7406:\u85c9\u7531\u767c\u51faarp request\u6216arp reply\u4f86\u64fe\u4e82\u6216\u7ac4\u6539\u67d0\u8a2d\u5099\u5167ARP\u8868,\u800c\u5c0e\u81f4\u8a72\u8a2d\u5099\u767c\u51fa\u7684\u8cc7\u6599\u5305\u8aa4\u50b3\u76ee\u7684\u5730
ex:\u67093\u53f0\u6a5f\u5668\u5206\u70ba\u5225pc1,pc2,pc3,\u4e14ip\/mac\u5206\u5225\u70baip1\/mac1,ip2 \/mac2,ip3\/mac3,
\u5176\u4e2dpc3\u662f\u653b\u64ca\u8005,\u653b\u64ca\u65b9\u5f0f\u5982\u4e0b
1,pc3\u9001\u51faarp reply\u7d66pc1,\u4f46\u8a0a\u606f\u4f86\u6e90\u88ab\u8a2d\u5b9a\u6210ip2\/mac3(\u6b63\u5e38\u60c5\u6cc1\u4e0b\u61c9\u70baip3\/mac3)
2,pc1\u76f8\u4fe1\u6b64arp reply\u4e26\u66f4\u65b0arp table,\u56e0\u6b64\u5f80pc2\u7684mac\u8b8a\u70bamac3
3,pc1\u6b64\u6642\u8981\u9001\u8cc7\u6599\u5230pc2,\u9019\u6642\u8cc7\u6599\u5c31\u6703\u9001\u5230mac3
4,pc3\u6536\u5230pc1\u8981\u7d66 pc2\u7684\u8cc7\u6599,\u653b\u64ca\u6210\u529f<\/p>\n\n\n\n
man-in-middle attack:\u540c\u6642\u6b3a\u9a19\u96d9\u65b9,\u5247\u53ef\u4e0d\u5f71\u97ffpc1\u548cpc2\u7684\u901a\u8a0a\u9054\u5230\u76e3\u8996\u6548\u679c
Session Hijacking:\u5229\u7528ARP\u6b3a\u9a19\u5c07\u4f7f\u7528\u8005\u6b63\u5e38\u7684\u9023\u7dda\u6436\u904e\u4f86
arp\u653b\u64ca\u53ef\u5206\u70ba
\u60e1\u610f\u653b\u64ca:\u5229\u7528\u5de5\u5177\u6709\u610f\u5716\u7684\u653b\u64ca\u7279\u5b9a\u76ee\u6a19,\u6613\u507d\u88dd\u597d\u64cd\u4f5c,\u56e0\u6b64\u8f03\u96e3\u89e3\u6c7a
\u4e2d\u6bd2\u800c\u653b\u64ca:\u4f7f\u7528\u8005\u4e2d\u6bd2\u800c\u7522\u751farp\u653b\u64ca<\/p>\n\n\n\n
ddos attacks
intercept data
collect passwords
manipulate data
tap voip phone calls<\/p>\n\n\n\n
1
tune ids sensors to look for large amount of arp traffic on local subnets
2
use private vlans
3
\u8a2d\u5b9astatic arp table\u9632\u4e0a\u88abarp spoofing
\u5728\u500b\u4eba\u96fb\u8166\u7684\u7db2\u8def\u4e0a,\u5c07gateway\u7684ip\u548cmac\u4f4d\u7f6e\u8a2d\u5b9a\u597d
ex:arp -d netsh -c interface ipv4 add neighbors <“\u5340\u57df\u9023\u7dda”> < ip > < mac><\/p>\n\n\n\n
arpspoof:linux
ettercap:linux,win
arpspyx:mac
cain and abel:\u539f\u672c\u662f\u5bc6\u78bc\u56de\u5fa9\u5de5\u5177,\u767c\u5c55\u5230\u6700\u5f8c\u529f\u80fd\u9f4a\u5168
irs:arp attack tool
arpworks tool<\/p>\n\n\n\n
\u767c\u9001\u5927\u91cf\u932f\u8aa4\u7684\u4f4d\u5740\u8cc7\u8a0a\u7d66switch,\u8b93switch\u7684\u4f4d\u5740\u8868\u7a7a\u9593\u6ea2\u51fa,\u70ba\u4e86\u8981\u53ef\u6b63\u5e38\u904b\u4f5c,\u5c0e\u81f4switch\u8b8a\u6210\u5ee3\u64ad\u6a21\u5f0f,\u9054\u5230sniffer\u6a5f\u5668a\u548c\u6a5f\u5668c\u4e4b\u9593\u7684\u901a\u4fe1
\u4e3b\u8981\u91dd\u5c0dswitch
\u4f46\u9700\u8981 switch\u53ef\u4ee5\u88ab\u653b\u64ca\u624d\u6709\u6548\u679c<\/p>\n\n\n\n
macof:linux
etherflood:linux,win<\/p>\n\n\n\n
\u6a21\u64ec\u6210\u5225\u4eba\u7684mac
threat:
attack \u53efsniffer\u5230\u771f\u6b63mac\u7684\u6240\u6709traffic
\u7576\u8a2d\u5099\u6709\u9650\u5236mac\u7684\u5b58\u53d6\u6642,client\u53ef\u89c0\u5bdf\u7db2\u8def\u4e0a\u662f\u5426\u6709\u53ef\u5b58\u53d6\u7684mac,\u5728\u5c07\u81ea\u5df1\u7684 mac\u8a2d\u5b9a\u6210\u8a72mac
ex:ap with mac filtering enabled<\/p>\n\n\n\n
attacker\u7528\u5047\u4f86\u6e90\u4e0d\u65b7\u8981\u6c42dhcp server,\u8017\u76e1\u6240\u6709dhcp\u53ef\u7528ip
\u67b6\u8a2d rouge dhcp\u5c07\u4e0d\u6b63\u78ba\u7684\u7db2\u8def\u8cc7\u8a0a\u7d66client,attacker\u5c31\u53ef\u9032\u884cMITM<\/p>\n\n\n\n
\u6539\u8b8a dns\u8a18\u9304,\u8b93user\u5230\u6b63\u5e38\u7db2\u5740\u4f46\u537b\u9023\u5230\u60e1\u610fip<\/p>\n\n\n\n
intranet dns spoofing
internet dns spoofing
proxy server dns poisoning
dns cache poisoning<\/p>\n\n\n\n
works well against switches with arp poisoning the router
step:
1 hacker runs fake dns server
2 hacker runs arp poisoning by spoofing victims’s dns ip mac to fake dns server
3 victim dns request goes to fake dns server
4 fake dns server reply dns response to fake ip
5 victim’s browser connect to fake ip,the fake ip is fake website
6 hacker’s fake website sniffs the credential and redirects the request to real website
\u5be6\u4f5c\u5de5\u5177:
ettercap
…<\/p>\n\n\n\n
works across networks.easy to set up and implement
step:
1 hacker runs fake dns server
2 hacker infects victim’s pc by changing victim’s dns ip address to fake dns server
3 victim dns request goes to fake dns server
4 fake dns server reply dns response to fake ip
5 victim’s browser connect to fake ip,the fake ip is fake website
6 hacker’s fake website sniffs the credential and redirects the request to real website<\/p>\n\n\n\n
works across networks.easy to set up and implement
step:
1 hacker runs proxy server
2 hacker infects victim’s pc by changing victim’s proxy address to hacker’s proxy server
3 victim web request goes through hacker’s proxy server
4 hacker’s proxy server send victim’s request to fake website
5 hacker’s fake website sniffs the credential and redirects the request to real website<\/p>\n\n\n\n
step:
1 attacker send a request to dns
2 dns\u7684cache\u82e5\u7121\u6b64\u8a18\u9304,\u5247\u9001\u4e00\u500bid=777\u7684\u5c01\u5305\u5411\u4e0a\u5c64dns\u67e5\u8a62,\u4e26\u7b49\u5f85\u4e0a\u5c64dns\u50b3\u56deid=777\u7684\u5c01\u5305
3 \u6b64\u6642attacker\u50b3\u9001\u5927\u91cf\u507d\u9020\u4e0a\u5c64dns\u7684\u5c01\u5305\u7d66dns,\u5305\u62ecid=777
4 dns\u770b\u5230id=777,\u65bc\u662f\u66f4\u65b0\u81ea\u5df1\u7684cache,\u56e0\u6b64\u73fe\u5728\u7684cache\u662fattacker\u7684\u60e1\u610f\u4f4d\u7f6e
5 client\u67e5\u8a62\u7684\u8a72\u7db2\u5740\u6642,dns\u6839\u64dacache\u5c07client\u5c0e\u5411\u60e1\u610f\u4f4d\u7f6e
ps:\u9019\u5c07\u6703\u662f\u500b\u5341\u5206\u56b4\u91cd\u7684\u5b89\u5168\u6027\u6f0f\u6d1e\uff01
\u53c3\u8003\u5f71\u7247
http:\/\/www.checkpoint.com\/defense\/advisories\/public\/dnsvideo\/index.html
\u5be6\u4f5c\u5de5\u5177:
metasploit\u4e2d\u7684dns spoof\u6a21\u7d44<\/p>\n\n\n\n
http:\/\/recursive.iana.org\/
\u6b64\u6aa2\u6e2c\u5de5\u5177\u6703\u56de\u61c9\u4e09\u7a2e\u5b89\u5168\u8b66\u793a\uff1a
Highly vulnerable – \u6975\u6613\u53d7\u50b7\u7684 ( \u9ad8\u5ea6\u98a8\u96aa ) ( \u7d05\u8272\u5e95 )
Vulnerable – \u6613\u53d7\u50b7\u7684( \u4f4e\u5ea6\u98a8\u96aa, \u4f46\u9084\u662f\u6709\u98a8\u96aa ) ( \u68d5\u8272\u5e95 )
Safe – \u5b89\u5168\u7b49\u7d1a ( \u7da0\u8272\u5e95 )<\/p>\n\n\n\n
nemesis
effetech:http sniffer
ace password sniffer
win sniffer
msn sniffer
smartsniff:\u8f15\u91cf\u7d1a\u5de5\u5177
netwitness:session capture sniffer
komodia’s packet crafter:custom tcp\/ip packets
engage packet builder
smac:\u66f4\u6539\u7db2\u5361mac
netsetman
ntop:network traffic probe
etherape: \u5c07\u7db2\u8def\u72c0\u6cc1\u756b\u6210\u756b
network probe
maa tec network analyzer
snort
windump:\u985e\u4f3ctcpdump,\u9700\u5148\u88ddwinpcap
etherpeek
netintercept
colasoft etherlook
aw ports traffic analyzer
colasoft capsa network analyzer
commview:\u53ef\u770b\u76ee\u524d\u901a\u8a0a
sniffem
netresident
ip sniffer
sniphere
ie http analyzer
billsniff
url snooper
etherdetect packet sniffer
effetech http sniffer
analogx packetmon
calasoft msn monitor
ipgrab
etherscan analyzer
infowatch traffic monitor<\/p>\n\n\n\n
www.nirsoft.net
………………………………………………..<\/p>\n\n\n\n
arpspoof:arp spoof tool
dnsspoof:dns spoof tool
dsniff:password sniffer
filesnarf:\u53efcopy\u7d93\u904enfs\u7684\u6a94\u6848
mailsnarf:\u91dd\u5c0dmail
msgsnarf:\u91dd\u5c0dmessage
sshmitm:ssh monkey-in-the-middle
tcpkill:\u5c07tcp connection\u963b\u65b7,\u91cd\u65b0\u9023\u7dda\u4e4b\u5f8c\u53ef\u914d\u5408MITM
tcpnice:slows down tcp connections on a lan
urlsnarf
webspy:displays sniffed url’s in netscape in real time
webmitm:http\/https monkey-in-the-middle<\/p>\n\n\n\n
\u7531Dug Song\u7cbe\u5fc3\u8a2d\u8a08\u4e26\u5ee3\u53d7\u6b61\u8fce\u7684\u9019\u6b3e\u5957\u88dd\u5305\u542b\u5f88\u591a\u5de5\u5177\u3002
Dsniff\u3001filesnarf\u3001mailsnarf\u3001msgsnarf\u3001urlsnarf\u548c webspy\u901a\u904e\u88ab\u52d5\u76e3\u8996\u7db2\u7d61\u4ee5\u7372\u5f97\u654f\u611f\u6578\u64da\uff08\u4f8b\u5982\u5bc6\u78bc\u3001\u90f5\u4ef6\u5730\u5740\u3001\u6587\u4ef6\u7b49\uff09\u3002
Arpspoof\u3001dnsspoof\u548cmacof\u80fd\u5920\u6514\u622a\u4e00\u822c\u5f88\u96e3\u7372\u53d6\u5230\u7684 \u7db2\u7d61\u901a\u8a0a\u4fe1\u606f\uff08\u4f8b\u5982\u7531\u65bc\u4f7f\u7528\u4e86\u7b2c\u4e8c\u5c64\u8f49\u63db\uff08layer-2 switching\uff09\uff09\u3002
Sshmitm\u548cwebmitm\u901a\u904ead- hoc PKI\u4e2d\u5f31\u7d81\u5b9a\u6f0f\u6d1e\u5c0dssh\u548chttps\u6703\u8a71\u9032\u884c\u91cd\u5b9a\u5411\u5be6\u65bd\u52d5\u614bmonkey-in-the-middle\uff08\u5229\u7528\u4e2d\u9593\u4eba\u653b\u64ca\u6280\u8853\uff0c\u5c0d\u6703\u8a71\u9032\u884c\u52ab\u6301\uff09\u653b\u64ca\u3002
Windows \u7248\u672c\u53ef\u4ee5\u5728\u9019\u88e1\u7372\u53d6\u3002\u7e3d\u4e4b\uff0c\u9019\u662f\u4e00\u500b\u975e\u5e38\u6709\u7528\u7684\u5de5\u5177\u96c6\u3002\u5b83\u80fd\u5b8c\u6210\u5e7e\u4e4e\u6240\u6709\u5bc6\u78bc\u55c5\u63a2\u9700\u8981\u4f5c\u7684\u5de5\u4f5c\u3002<\/p>\n\n\n\n
1 check system\u662f\u5426run promiscuous mode
2 run arpwatch \u770bmac\u662f\u5426\u88ab\u4fee\u6539
3 \u4f7f\u7528\u5de5\u5177monitor the network for stange packets<\/p>\n\n\n\n
ping method
arp method
source-route method
decoy method
reverse dns method
latency method
tdr(time-domain reflectometers)<\/p>\n\n\n\n
use of static ip addresses and static arp tables<\/p>\n\n\n\n
network switch port security features should be enabled
use of arpwatch to monitor ethernet activity<\/p>\n\n\n\n
arp watch
promiscan
antisniff
prodetect
network packet analyzer capsa<\/p>\n\n\n\n
smb signing\u958b\u555f\u6578\u4f4d\u5b89\u5168\u7c3d\u7f72, \u5b83\u653e\u7f6e\u5728\u6bcf\u4e00\u500b SMB \u8b93\u7528\u6236\u7aef\u8207\u4f3a\u670d\u5668\u7aef\u6838\u5c0d, \u6b64\u9a57\u8b49\u53ef\u589e\u52a0\u5b89\u5168\u6027, \u963b\u6b62\u6709\u4eba\u5728\u7db2\u8def\u4e2d\u9593\u9032\u884c\u8a0a\u606f\u653b\u64ca.
\u6ce8\u610f: \u4f60\u5fc5\u9700\u5728\u5168\u90e8\u7684 NT \u53ca 98 \u6a5f\u5668\u555f\u7528 SMB Signing, \u5426\u5247\u4f60\u5c07\u7121\u6cd5\u9023\u63a5\u5230\u5176\u4ed6\u672a\u555f\u7528 SMB Signing \u7684\u7cfb\u7d71.
ps:\u53ef\u53c3\u8003 http:\/\/support.microsoft.com\/support\/kb\/articles\/q230\/5\/45.ASP<\/p>\n","protected":false},"excerpt":{"rendered":"