Sunday, June 12, 2011

Sniffers and Sniffing

This tutorial is dedicated to all those men and women who shed their blood and sweat for the sake of my beloved country. For educational purposes only. I shall not be responsible for any damage.

Let us discuss sniffers and the process of sniffing. Before starting this topic I assume that you have a basic understanding of networking concepts.

A sniffer is basically a program, software or hardware that can capture packets travelling through the network.

The process of capturing data with the sniffer is known as sniffing. Remember that sniffing is done in a LAN, not in a WAN.



Sniffing is of two types:

1. Active sniffing

2. Passive sniffing

Passive sniffing:

Passive sniffing is carried out in a common collision domain. A collision domain is a network in which, whenever a packet is sent by any host, all hosts in that network respond to that packet, and if some other machine transmits a packet at the same time, a collision will occur in the network. For example, a HUB is a layer 1 device, which operates at the physical layer of the OSI model. It creates a single collision domain. The internal structure of a HUB is based on bus topology.

So when any packet is sent by one machine connected to the HUB, this packet will be broadcast to all other machines attached to that same HUB.

This type of network is called a collision domain.

So in order to perform this type of sniffing we only need to install a sniffer on one of the machines in the collision domain, and we'll get all packets that pass through the network. I know there was not much fun in this.



How to prevent your network from passive sniffing?

In order to prevent passive sniffing, we need to prevent the broadcasting of packets in our network. Now how to prevent broadcasting?

As a HUB is a broadcasting device, we need to use some intelligent device instead of the HUB. The solution is to replace the HUB with a switch. Beware, this will increase the cost of your network too.

How does a switch work?

A switch is a layer 2 device and works using MAC addresses. There are also switches that work at layer 3 of the OSI model. The internal structure of a switch is based on star topology. A switch basically has a Content Addressable Memory (CAM). This memory contains a table with information about the MAC addresses of the machines attached to its ports. In the beginning the CAM is empty, and it is filled gradually as communication starts within the network.

The switch functions in three steps:

1. Broadcasting (packets are sent to all machines in the network)

2. Multicasting (packets are sent to a specific group of machines in the network)

3. Unicasting (packets are sent to a single specific machine in the network)


Consider a new switch installed in a network. The first time a machine 'A' attached to the switch sends a packet to another machine 'B' using its IP address, the switch doesn't understand IP addresses, so it will broadcast this packet to all ports, i.e. to all the machines attached to the switch. All the machines other than 'B' will discard the packet and only machine 'B' will reply. So the switch will now note the MAC addresses of machines 'A' and 'B' in its table in CAM, and it knows on which ports machines 'A' and 'B' are attached. If machine 'A' now sends a packet to 'B', the switch will not broadcast the packet but will send it directly to machine 'B'. This is called unicasting. If machine 'A' sends a packet to a machine other than 'B', the switch will broadcast the packet to all other machines but not to machine 'B'. This is called multicasting. Multicasting is a special type of broadcasting in which broadcasting is done to a specific group only.

The switch notes the MAC addresses of the machines whenever communication takes place, until all the MAC addresses are collected in the table in CAM. When all MAC addresses are collected in CAM, the switch will perform unicasting.


Now let us discuss Active sniffing.



Active sniffing is carried out in a network that has different collision domains, e.g. a switched network has different collision domains. Each port of a switch is one collision domain. There are the following ways to carry out active sniffing:

1. ARP spoofing

2. MAC flooding

3. MAC duplicating

ARP Spoofing:

ARP is the Address Resolution Protocol. It is used to resolve the IP address of a machine to its MAC address, which means it is used to get the MAC of a machine whose IP is known. Now ARP is stateless, which means you can make an ARP reply even if no ARP request was made..!! ;-) When an attacker's machine wants to sniff, it will send fake malicious ARP packets to the victim machine so that the victim machine sends its packets to the attacker's machine. In this attack basically the gateway of the network is spoofed. This is how it works. Let an attacker machine 'A' with IP address 10.0.0.1 want to get the packets of a victim machine with IP 10.0.0.2, and let the IP address of the gateway be 10.0.0.3. The attacker machine 10.0.0.1 will send a malicious ARP reply packet to the gateway 10.0.0.3, associating its own MAC address with 10.0.0.2 (the victim IP), so the gateway will think that the attacker's machine is the victim's machine. At the same time the attacker sends a malicious ARP packet to the victim machine 10.0.0.2, associating its own MAC address with 10.0.0.3 (the gateway IP), so the victim's machine will think that the attacker's machine is the gateway. Now the gateway will send all packets belonging to the victim machine 10.0.0.2 to the attacker's machine, and the victim's machine will send all packets belonging to the gateway 10.0.0.3 to the attacker's machine. Thus the attacker now sits between the gateway and the victim machine. It is like a Man in the Middle attack. The attacker then uses IP forwarding to pass all packets from the victim to the gateway through itself, and vice versa. As all packets are still being sent and received between the gateway and the victim machine, the victim remains unaware of the interception of packets by the attacker..!!


MAC Flooding:

This type of attack targets the limited capability of a switch to hold MAC-address-to-physical-port mappings. In this we try to make the switch operate like a HUB (to broadcast all packets). As I told you before, a switch has a table in memory (CAM). This memory has a limited size; it can hold only a specific number of MAC entries. In this type of attack the attacker sends a lot of spoofed ARP reply packets into the network. When there are too many entries for the switch, this causes the switch to operate in fail-open mode. In this mode the switch will broadcast all packets to all ports, like a HUB. Now the attacker can sniff every packet on the network.



MAC duplicating:

In this attack the attacker first sniffs the network for the MAC addresses of other machines on the network. Then it tries to use one of those MAC addresses. By this the intruder can get all packets that are destined for that MAC address. This attack works as follows:

Suppose a network is already functioning. Let the victim's IP be 10.0.0.1 and its MAC be ab:1c:4b:2b:56:0b, and the victim is already communicating in the network. Now an attacker with IP 10.0.0.2 joins the network. The attacker sniffs the MAC of the victim, then starts sending ARP replies into the network associating its IP 10.0.0.2 with the MAC ab:1c:4b:2b:56:0b. Now every machine on the network will consider the attacker's machine to be the victim's machine, and all packets destined for the victim will now be received by the attacker.

This attack is mainly used in wireless networks.
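As an added example (not code from the original post), here is a small Python monitor, run over constructed ARP-reply records, that flags the three techniques described above from the defender's side: an IP whose advertised MAC changes (ARP spoofing of the gateway or a host), one MAC claimed by several IPs (MAC duplicating), and a burst of distinct source MACs inside one window (MAC flooding). The record format, the MACs and the threshold are assumptions; the gateway/attacker/victim addresses follow the ARP spoofing section.

```python
from collections import defaultdict

# Constructed ARP-reply records for this example: "seconds,sender_ip,sender_mac".
# 10.0.0.3 is the gateway, 10.0.0.1 the attacker, 10.0.0.2 the victim (as above);
# the last row is a second host claiming the victim's MAC (MAC duplicating).
SAMPLE_ARP = """\
0,10.0.0.3,aa:aa:aa:aa:aa:03
1,10.0.0.2,ab:1c:4b:2b:56:0b
2,10.0.0.1,cc:cc:cc:cc:cc:01
3,10.0.0.3,cc:cc:cc:cc:cc:01
4,10.0.0.5,ab:1c:4b:2b:56:0b
"""

def parse_arp(text):
    """Parse the constructed record format into (time, ip, mac) tuples."""
    rows = []
    for line in text.strip().splitlines():
        t, ip, mac = line.split(",")
        rows.append((float(t), ip.strip(), mac.strip().lower()))
    return rows

def detect_conflicts(records):
    """Return (kind, ip, mac) alerts: 'ip-remapped' when an IP is advertised with
    a new MAC (ARP spoofing); 'mac-reused' when one MAC claims a second IP."""
    ip_to_macs, mac_to_ips, alerts = defaultdict(set), defaultdict(set), []
    for _, ip, mac in records:
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append(("ip-remapped", ip, mac))
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(("mac-reused", ip, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return alerts

def detect_flood(records, window=1.0, threshold=50):
    """Return the time windows holding more distinct sender MACs than the
    threshold: the signature of an attempt to exhaust the CAM table."""
    buckets = defaultdict(set)
    for t, _, mac in records:
        buckets[int(t // window)].add(mac)
    return [b for b, macs in sorted(buckets.items()) if len(macs) > threshold]

def flood_sample(n=60):
    """Constructed burst: n replies with unique MACs inside one second."""
    return [(10.0 + i / 100, f"10.0.1.{i}", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
            for i in range(n)]

if __name__ == "__main__":
    for alert in detect_conflicts(parse_arp(SAMPLE_ARP)):
        print(alert)
    print("flood windows:", detect_flood(flood_sample()))
```

On a real segment the records would come from a capture of ARP replies (for example exported from Wireshark, which the post lists below); the threshold should be set above the number of hosts the segment actually has.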


In order to implement these types of attacks we first need to get the IP and MAC of the machines working on the network. After getting this information you can implement sniffing attacks.

The ARP attack can be done using the arp command; type arp /? in cmd to know more. There are many sniffer software tools available to perform sniffing, as follows:



In order to sniff the IP and MAC of machines you can use the following software:

Wireshark, Look@LAN, The Dude sniffer, Network View, etc.



For ARP attack:

ARP spoof, ArpSpyX, Ettercap, Cain and Abel, etc.



For MAC flooding:

Macof, Etherflood.



There are also tools available to stop sniffing, known as anti-sniffers.



Once again, hacking is a crime. Beware when you use this information and these tools...!!!

Crypto will not be held responsible for any damage..!!!




Any suggestion is welcome.


How to prevent active sniffing?

It can be prevented to some extent by using the Port Security feature of a switch. With this feature we manually allocate or assign MAC addresses to the ports of the switch. The switch will then only accept packets from the MAC addresses that we defined. For example, if I bind FastEthernet port 1 to the MAC address a0:bc:1d:67:0a:2a, then FastEthernet port 1 of the switch will accept packets from this MAC a0:bc:1d:67:0a:2a only.
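As an added configuration example (not from the original post; Cisco IOS syntax and the interface name FastEthernet0/1 are assumed), this is the port security binding described above for MAC a0:bc:1d:67:0a:2a, written in IOS's dotted MAC notation:

```cisco
! Added example, not from the original post: Cisco IOS port security (syntax assumed).
! Binds the port to the single MAC from the text above and shuts it on any other source MAC.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address a0bc.1d67.0a2a
 switchport port-security violation shutdown
!
! Verify the binding and the violation counter after applying it:
! show port-security interface FastEthernet0/1
```

With violation shutdown the port goes err-disabled as soon as a different source MAC appears on it, which also limits what a MAC flood from that port can do to the CAM table, since at most one address is ever learned there.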
