Spoofing and Sniffing

Notes from: Internet Security Professional Reference, 2nd ed
National Computer Security Association, New Riders Publishing

Sniffing

[Figure: a login session (login: dgame, passwd: ########) is read off the wire by a SNIFFER]

Spoofing

[Figure: hosts Aaron, Tom and David; the question “David is that you?” is answered “Yes I’m here!”]

Major Problems with Sniffing

• Any mischievous machine can examine any packet on a BROADCAST medium
• Ethernet is BROADCAST – at least on the segments over which it travels
• Getting passwords is the first step in exploiting a machine
• email is plaintext and vulnerable

Spoofing & OSI

[Figure: layers and the protocols attacked at each – socket / TCP, IP / DNS, ARP / IP, Physical / ethernet]
• Penetration techniques exploit any and all levels of the model
• Attacks vary based upon the vulnerability at that level

What does one sniff?

• passwords
• email
• financial account information
• confidential information
• low-level protocol info to attack
  – hardware addresses
  – IP addresses
  – routing, etc.

Prevention of Sniffing

• Segmentation into trustworthy segments
  – bridges
  – better yet .. switched hubs
• Not enough “not to allow sniffing”
  – easy to add a machine on the net
  – may try using X-terminals vs workstations

Prevention of Sniffing (more)

• Avoid password transmission
  – one solution is the r. family: rlogin, rsh, rcp, etc.
• put trusted hosts in .rhosts
• many SAs don’t want users to use them
• Using encrypted passwords
  – Kerberos
  – PGP public keys

MAC level Spoofing

• Focus on ethernet (widespread use)
• Cards have unique addresses at manufacturer
• Many cards CAN be reconfigured by user
  – bridge has no MAC address but sends with source address of the originator
• faking address has opportunity for mischief

Prevention MAC spoofing

• VERY difficult
• Intelligent hubs
  – can be made to expect certain MACs on ports
  – but machines can still be swapped
• physical measures

ARP spoofing

• What is ARP? IP->MAC mapping
• How it works:
  – Broadcast and ask if anyone knows
  – Response is typically from that IP
• Make some machine think that the IP address it is searching for is you

ARP spoofing (more)

• If 2 machines (real and fake) respond, effect depends on OS
  – some OS overwrite earlier response
  – other OS ignore unless its current entry expires
• Original can be disconnected by
  – Power
  – Wiring (connectivity)

Prevention of ARP spoofing

• Basic Premise: ARP TRUSTS RESPONSE
• If the machine is one you need to trust:
  – make a PERMANENT entry in arp cache
  – arp -p ..
• Use an arp server
  – Don’t let the machine respond for itself
  – makes administration a little more cumbersome but is probably worth it!
  – but server can be spoofed
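Added example (not from the book or these slides): a small Python checker for the two ARP points above, the permanent entry that must override any reply, and the “2 machines (real and fake) respond” case, where an IP that was answered by one MAC is suddenly answered by another. The frame builder, the MAC and IP values and the alert strings are constructed for this example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame: Ethernet header + IPv4-over-Ethernet ARP reply."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += mac_bytes(target_mac) + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an IPv4 ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return ip, mac

class ArpWatch:
    """Checks ARP replies against pinned entries and against earlier replies."""
    def __init__(self, permanent):
        self.permanent = dict(permanent)  # IP->MAC pairs an admin would pin as permanent entries
        self.seen = {}                    # first MAC observed claiming each other IP

    def check(self, frame):
        """Return None if the reply is consistent, else a one-line alert string."""
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        if ip in self.permanent:
            if self.permanent[ip] == mac:
                return None
            return f"ALERT {ip}: reply from {mac} contradicts permanent entry {self.permanent[ip]}"
        prev = self.seen.setdefault(ip, mac)   # the response a cache would have taken first
        if prev == mac:
            return None
        return f"WARN {ip}: previously answered by {prev}, now {mac}"
```

Frames from a real capture would go through the same check; the ALERT path is the permanent entry doing its job, the WARN path is the second responder the slide describes.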