Professional Documents
Culture Documents
Version 5
Module VII
Sniffers
Scenario
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Flow
Sniffing Definition Tools for MAC Flooding
Protocols Vulnerable
to Sniffing Sniffer Hacking Tools
ARP and
ARP Spoofing Attack Raw Sniffing Tools
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Definition: Sniffing
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Protocols Vulnerable to Sniffing
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tool: Network View – Scans the Network
for Devices
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
The Dude Sniffer
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Screenshots
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Screenshots
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Screenshots
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Ethereal
~ Ethereal is a network
protocol analyzer for
UNIX and Windows
~ It allows the user to
examine data from a
live network or from a
capture file on a disk
~ The user can
interactively browse
the captured data,
viewing summary and
detailed information
for each packet
captured
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Display Filters in Ethereal
~ Display filters are used to change the view of packets
in captured files
~ Display Filtering by Protocol
• Example: type the protocol in the filter box
• arp, http, tcp, udp, dns
~ Filtering by IP Address
• ip.addr == 10.0.0.4
~ Filtering by multiple IP Addresses
• ip.addr == 10.0.0.4 or ip.addr ==
10.0.0.5
~ Monitoring Specific Ports
• tcp.port==443
• ip.addr==192.168.1.100 machine
ip.addr==192.168.1.100 && tcp.port=443
~ Other Filters
• ip.dst == 10.0.1.50 && frame.pkt_len >
400
• ip.addr == 10.0.1.12 && icmp &&
frame.number > 15 && frame.number < 30
• ip.src==205.153.63.30 or
ip.dst==205.153.63.30
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Following the TCP Stream in Ethereal
~ Ethereal reassembles all of the packets in
a TCP conversation and displays the
ASCII in an easy-to-read format
~ This makes it easy to pick out usernames
and passwords from insecure protocols
such as Telnet and FTP
~ Example: Follow the stream of the HTTP
session and save the output to a file. You
should then be able to view the
reconstructed HTML content offline
~ Command: Selecting a TCP packet in the
Summary Window and then selecting
Analyze -> Follow TCP Stream from
the menu bar will display the Follow TCP
Stream window. You can also right-click
on a TCP packet in the Summary Window
and choose Follow TCP Stream to display
the window
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
tcpdump
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tcpdump Commands
~ Exporting tcpdumps to a file
• # tcpdump port 80 -l > webdump.txt & tail -f webdump.txt
• # tcpdump -w rawdump
• # tcpdump -r rawdump > rawdump.txt
• # tcpdump -c1000 -w rawdump
• # tcpdump -i eth1 -c1000 -w rawdump
~ You can select several hosts on your LAN, and capture the traffic that passes between them
• # tcpdump host workstation4 and workstation11 and workstation13
~ Capture all the LAN traffic between workstation4 and the LAN, except for workstation11
• # tcpdump -e host workstation4 and workstation11 and workstation13
~ You can capture all packets except those for certain ports
• # tcpdump not port 110 and not port 25 and not port 53 and not port 22
~ Filter by protocol
• # tcpdump udp
• # tcpdump ip proto OSPFIGP
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Types of Sniffing
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Passive Sniffing
Attacker
HUB
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Active Sniffing
Switch Attacker
Switch looks at the MAC address
associated with each frame, sending
data only to the connected port
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
ARP Spoofing Attack
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
How Does ARP Spoofing Work?
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
ARP Poisoning
Legitimate User
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Mac Duplicating Attack
My MAC address
is A:B:C:D:E
Legitimate User
s i
of currently associated
B: C
A: M A
Attacker
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tools for ARP Spoofing
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Ettercap
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
MAC Flooding
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tools for MAC Flooding
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Macof
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Windows Tool: EtherFlood
~ EtherFlood floods a switched network with Ethernet frames with random
hardware addresses
~ The effect on some switches is that they start sending all traffic out on all
ports so that the attacker is able to sniff all traffic on the sub-network
~ http://ntsecurity.nu/toolbox/etherflood/
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Threats of ARP Poisoning
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
DHCP Starvation Attack
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
IRS – ARP Attack Tool
~ Many servers and network devices like routers and switches provide features
like ACLs, IP Filters, Firewall rules, and so on, to give access to their Services
only to particular network addresses (usually Administrators’ workstations)
~ This tool scans for IP restrictions set for a particular service on a host
~ It combines “ARP Poisoning” and “Half-Scan” techniques and tries spoofed
TCP connections to the selected port of the target
~ IRS is not a port scanner but a “valid source IP address” scanner for a given
service
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
ARPWorks Tool
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tool: Nemesis
~ Nemesis provides an interface to craft and inject a variety of
arbitrary packet types. Also used for ARP Spoofing
~ Nemesis Supports the following protocols:
• arp
• dns
• ethernet
• icmp
• igmp
• ip
• ospf
• rip
• tcp
• udp
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Sniffer Hacking Tools (dsniff package)
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Sniffer Hacking Tools (cont’d)
sshmitm
SSH monkey-in-the-middle
tcpkill
Kills TCP connections on a LAN
tcpnice
Slows down TCP connections on a LAN
urlsnarf
Sniffs HTTP requests in Common Log Format
webspy
Displays sniffed URLs in Netscape in real time
webmitm
HTTP/HTTPS monkey-in-the-middle
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Arpspoof
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Dnsspoof
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Dsniff
~ Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP,
poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP,
NFS, VRRP, and so on
~ Dsniff automatically detects and minimally parses each application
protocol, only saving the interesting bits, and uses Berkeley DB as its output
file format, only logging unique authentication attempts. Full TCP/IP
reassembly is provided by libnids
dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen]
[-f services] [-t trigger[,...]]] [-r|-w savefile]
[expres- sion]
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Filesnarf
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Mailsnarf
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Msgsnarf
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Sshmitm
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Tcpkill
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Tcpnice
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Urlsnarf
~ Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF
(Common Log Format, used by almost all web servers), suitable for
offline post-processing with your favorite web log analysis tool (analog,
wwwstat, and so on)
urlsnarf [-n] [-i interface] [[-v] pattern
[expression]]
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Webspy
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Linux Tool: Webmitm
webmitm [-d]
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
DNS Poisoning Techniques
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
1. Intranet DNS Spoofing (Local
Network)
~ For this technique, you must be connected to the local area network (LAN) and be able to sniff
packets
~ Works well against switches with ARP poisoning the router
1
IP 10.0.0.254 www.xsecurity.com
IP: 200.0.0.45
DNS Request
Rebec
ca’s b
r owser
3
DN co n n e Hacker poisons Hacker’s fake website sniffs the credential
S 10.0.0 cts to
Re .5 the router and all and redirects the request to real website
4
s po the router traffic
2
ns
e is forwarded to
his machine
Rebecca types om
y.c
cu
rit .0.
5 Hacker sets up fake
www.xsecurity.com in her x s e 0.0
ww
w .
da
t 1 Website
Web Browser ate
is l
o c www.xsecurity.com
IP: 10.0.0.3 IP: 10.0.0.5
Hacker runs
arpspoof/dnsspoof
www.xsecurity.com
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
2. Internet DNS Spoofing (Remote
Network)
~ Send a Trojan to Rebecca’s machine and change her DNS IP address to that of the attacker’s
~ Works across networks. Easy to set up and implement
Real Website
www.xsecurity.com
IP: 200.0.0.45
2 ww
w.
4 Re
be c
ca’
sB
W xs row
ha D ec ser
ti N u r D N con
st S ity S ne c
he Re .c o R ts t Hacker’s fake website sniffs the credential
IP qu m sp e o6
is on and redirects the request to real website
ad e s t 5.0
5
dr go l oc e s .0.
es es at 2
so t ed
fw 2 o at
ww 00 65
3
.xs .0.0 .0
.0
e c .2 .2
Rebecca types ur
ity
. co
1
www.xsecurity.com in her m
Web Browser
Hacker’s infects Rebecca’s computer by
changing her DNS IP address to: 200.0.0.2
Fake Website
IP: 65.0.0.2
Hacker runs DNS
Server in Russia Copyright © by EC-Council
EC-Council IP: 200.0.0.2 All Rights reserved. Reproduction is strictly prohibited
Internet DNS Spoofing
Real Website
www.xsecurity.com
IP: 200.0.0.45
2 Al
l Re
b ec
ca
’s Hacker’s fake website sniffs the credential
H We and redirects the request to real website
ac b
4
ke re
r’s qu
m est
Rebecca types ac s g
hi o
n e es
3
www.xsecurity.com in her t hr
ou
gh
Web Browser
1
Hacker’s infects Rebecca’s computer by
Hacker sends Rebecca’s request to Fake website
Fake Website
IP: 65.0.0.2
Hacker runs Proxy
Server in Russia Copyright © by EC-Council
EC-Council IP: 200.0.0.2 All Rights reserved. Reproduction is strictly prohibited
4. DNS Cache Poisoning
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Interactive TCP Relay
~ It operates as a simple
TCP tunnel listening on
a specific port and
forwarding all traffic to
the remote host and port
~ The program can
intercept and edit the
traffic passing through it
~ The traffic can be edited
with the built-in HEX
editor
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Interactive Replay Attacks
John sends a message to Dan. The Dan
John
attacker intercepts the message, changes
the content, and sends it to Dan
sk
de
M
ail
r
ou
:Y
cl nd
ry
ou
to a
ar
ea
es ed
e pr
ut fir
om
in e
ote
m ar
d
1 5 ou
ve : Y
h a ail
M
ATTACKER
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
HTTP Sniffer: EffeTech
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
HTTP Sniffer: EffeTech
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Ace Password Sniffer
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Screenshot
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
MSN Sniffer
Capturing Messages
Sniffer
Chatting
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
MSN Sniffer
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
SmartSniff
~ SmartSniff is a
TCP/IP packet
capture program
that allows you to
inspect network
traffic that passes
through your
network adapter
~ Valuable tool to
check what
packets your
computer is
sending to the
outside world
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Session Capture Sniffer: NetWitness
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Session Capture Sniffer: NWreader
FTP Sessions
captured
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Cain and Abel
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Cain and Abel
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Packet Crafter Craft Custom TCP/IP
Packets
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
SMAC
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Raw Sniffing Tools
~ Sniffit ~ Snort
~ Aldebaran ~ Windump/tcpdump
~ Hunt
~ Etherpeek
~ NGSSniff
~ Mac Changer
~ Ntop
~ Iris
~ pf
~ NetIntercept
~ IPTraf
~ WinDNSSpoof
~ Etherape
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Features of Raw Sniffing Tools
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Sniffit
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Aldebaran
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Hunt
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
NGSSniff
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Ntop
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Pf
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
IPTraf
~ IPTraf is a network
monitoring utility for IP
networks. It intercepts
packets on the network and
gives out various pieces of
information about the current
IP traffic over it
~ IPTraf can be used to monitor
the load on an IP network,
the most used types of
network services, and the
proceedings of TCP
connections, and others
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
EtherApe
~ EtherApe is a graphical
~ A user may either look at traffic within a network, end to end IP, or
even port to port TCP
~ Data can be captured “off the wire” from a live network connection,
or read from a tcpdump capture file
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Netfilter
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Network Probe
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tool: Snort
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tool: Windump
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Tool: Etherpeek
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Mac Changer
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Iris
It allows for the reconstruction of network traffic in a format that is simple to use and
understand. It can show the web page of any employee who is watching it during work
hours
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
NetIntercept
A sniffing tool that studies external break-in attempts, watches for the misuse of
confidential data, displays the contents of an unencrypted remote login or web session,
categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as
email headers, websites, and file names
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
WinDNSSpoof
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
How to Detect Sniffing?
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
AntiSniff Tool
~ AntiSniff tool can detect machines on the network that are running
in promiscuous mode
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
ArpWatch Tool
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Countermeasures
would not prevent a sniffer from functioning but will ensure that
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Countermeasures (cont’d)
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Countermeasures (cont’d)
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Countermeasures (cont’d)
~ Small Network
• Use of static IP addresses and static ARP tables which prevents
hackers from adding spoofed ARP entries for machines in the
network
~ Large Networks
• Network switch Port Security features should be enabled
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
What happened next?
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Summary
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited