3. What is packet sniffing?
• A method of monitoring each packet as it flows through the network.
• A technique in which a user sniffs data belonging to other users of the
network.
[Figure: a LAN segment connecting Machine A, Machine B, Machine C and Machine D, with a Sniffer attached to the same segment]
4. Packet Sniffer
• Programs used to read packets that travel across the network layer.
• Also referred to as a protocol analyzer, packet analyzer, network monitor or
network analyzer.
• Captures all of the packets of data that pass through a given network
interface.
Types:
1. Commercial packet sniffers: used by network administrators to help
maintain networks.
2. Underground packet sniffers: used by those folks who sniff sensitive
information for personal gain.
5. Packet Sniffer
Some Uses:
1. Gather and report network statistics.
2. Solve communication problems. E.g. find out why computer A cannot
communicate with computer B.
3. Analyze network performance. E.g. identify bottlenecks in the network.
4. Retrieve usernames and passwords of people logging onto the
network.
5. Detect network intruders.
7. Network Interface Controller (NIC)
• The hardware interface between a computer and a network.
• The computer uses the NIC to connect to a router, which is connected to
the internet.
NIC promiscuous mode:
• By default, you cannot access network traffic on other computers.
• The network packets have destination addresses and the network
adapter ignores the packets not addressed to you.
• With promiscuous mode turned on, the adapter accepts all packets flowing
within the network segment.
8. Monitoring Traffic
Hub-based Networks :
• When a packet arrives, the hub simply retransmits it to its other ports.
• Sufficient to turn on promiscuous mode to get access to all the network
traffic.
Switch-based Networks :
• Majority of local networks are switch-based.
• Switch - maintains a table of MAC addresses and ports.
• When a packet arrives, the switch looks up the recipient’s MAC address
in the table and forwards the packet only on the corresponding port.
• This keeps packets addressed to other hosts off your network segment.
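To make the hub/switch difference concrete, the following is an added example (not code from the slides) that simulates a learning switch with a bounded MAC table. It shows the forwarding rule described above, what happens once the table is full (the fail-open flooding that MAC flooding relies on), and how a per-port MAC limit, the "port security" feature found on managed switches, confines the damage. The port names, MAC addresses and frames are all constructed for the demo; nothing touches a real network.

```python
# Added example: a learning switch with a bounded MAC table (constructed demo).
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size                 # capacity of the MAC table
        self.max_macs_per_port = max_macs_per_port   # None = no port security
        self.mac_table = OrderedDict()               # MAC -> port, oldest first
        self.blocked_ports = set()                   # ports shut by port security
        self.log = []

    def _learn(self, src_mac, in_port):
        """Record which port src_mac was seen on (source-address learning)."""
        if src_mac in self.mac_table:
            self.mac_table[src_mac] = in_port
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                # Port-security violation: disable the port and learn nothing.
                self.blocked_ports.add(in_port)
                self.log.append(f"port-security violation on {in_port}")
                return
        if len(self.mac_table) >= self.table_size:
            # Table full: the oldest entry is pushed out. After enough bogus
            # frames the entries pushed out are those of legitimate hosts.
            evicted, _ = self.mac_table.popitem(last=False)
            self.log.append(f"evicted {evicted} from MAC table")
        self.mac_table[src_mac] = in_port

    def forward(self, frame):
        """Forward one frame; return the list of egress ports."""
        in_port = frame["in_port"]
        if in_port in self.blocked_ports:
            return []
        self._learn(frame["src"], in_port)
        out_port = self.mac_table.get(frame["dst"])
        if out_port is not None:
            return [out_port]            # known destination: one port only
        # Unknown destination: flood to every other live port (hub behaviour).
        return [p for p in self.ports
                if p != in_port and p not in self.blocked_ports]


HOST_A = "aa:aa:aa:aa:aa:01"   # constructed: host A on port p1
HOST_B = "bb:bb:bb:bb:bb:02"   # constructed: host B on port p2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def run_scenario(port_security_limit=None):
    """Return (ports that receive A's unicast to B, switch) after a flood on p3."""
    sw = LearningSwitch(["p1", "p2", "p3"], table_size=4,
                        max_macs_per_port=port_security_limit)
    sw.forward({"src": HOST_A, "dst": BROADCAST, "in_port": "p1"})
    sw.forward({"src": HOST_B, "dst": BROADCAST, "in_port": "p2"})
    # Many frames with ever-changing source MACs arrive on p3 (constructed).
    for i in range(50):
        sw.forward({"src": f"de:ad:be:ef:00:{i:02x}",
                    "dst": BROADCAST, "in_port": "p3"})
    # A now sends a unicast frame to B. With a full table the switch has
    # forgotten B's port and floods the frame, so p3 receives it as well.
    egress = sw.forward({"src": HOST_A, "dst": HOST_B, "in_port": "p1"})
    return sorted(egress), sw


if __name__ == "__main__":
    for limit in (None, 1):
        egress, sw = run_scenario(limit)
        print(f"port-security limit={limit}: A->B delivered to {egress}, "
              f"blocked ports={sorted(sw.blocked_ports)}")
```

Without a per-port limit the unicast from A to B is delivered to p2 and p3, i.e. the switch has degraded to a hub; with a limit of one MAC per port the third port is disabled after its second source address and the frame reaches p2 only. Real switches age entries by time rather than strict insertion order, but the outcome when the table fills is the same.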
9. Monitoring Traffic
Sniffing Techniques:
• ARP spoofing
• MAC flooding
• MAC Duplicating
• ICMP redirection
• DHCP spoofing
• Port stealing
[Figure: a Switch connecting an Attacker and two Victims]
10. MAC Flooding:
• Switches maintain a ‘MAC table’.
• MAC Table has MAC addresses of the host computers on the network
which are connected to ports of the switch.
• AIM: Take down this MAC table.
• Attacker sends Ethernet frames to the switch in huge numbers.
• This floods the switch memory used to store the MAC table, forcing the
MAC addresses of legitimate users to be pushed out.
• The switch now enters a fail-open mode and behaves like a hub.
Sniffing Techniques
11. Address Resolution Protocol (ARP)
• Maps logical addresses (IP addresses) to physical addresses (MAC
addresses) in a LAN.
• Physical address: known within the LAN.
• Logical address: known outside of the LAN.
• “ARP is a stateless protocol that does not require authentication, so
a simple ARP reply packet sent to each host will force an update in
their ARP cache.”
[Figure: a Broadcast Domain with Host A, Host B, Host C and Host D; Host A initiates an ARP Request, which is broadcast to every host, and an ARP Reply is returned]
12. Address Resolution Protocol (ARP)
• Each host maintains a mapping table of MAC/IP address pairs.
• E.g. Host A wants the MAC address corresponding to an IP address.
• Host A sends a broadcast ARP request.
• All computers in the network compare the received IP address with their
own IP address.
• Host B, which has the requested IP address, sends a unicast reply with
its MAC address.
• Host A updates its ARP cache.
• Updates ARP cache without any authentication - WEAKNESS
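The following is an added example, not code from the slides, that builds and parses Ethernet/IPv4 ARP packets and models a host’s ARP cache. The plain cache accepts any reply addressed to it, which is the weakness stated above; the "strict" variant, an assumed hardening rather than anything the slides prescribe, accepts a reply only for an IP it has an outstanding request for. Hosts A, B and Z with their addresses are constructed for the demo and nothing is put on a real network.

```python
# Added example: ARP packet encoding and an ARP cache model (constructed demo).
import ipaddress
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)      # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP packet (hardware = Ethernet, protocol = IPv4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac),
                       ipaddress.IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac),
                       ipaddress.IPv4Address(target_ip).packed)


def parse_arp(data):
    """Decode an ARP packet into a dict; reject anything but Ethernet/IPv4."""
    if len(data) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha),
            "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha),
            "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpCache:
    """A host's IP -> MAC cache, updated from the ARP packets it receives."""

    def __init__(self, my_mac, my_ip, strict=False):
        self.my_mac, self.my_ip, self.strict = my_mac, my_ip, strict
        self.table = {}
        self.pending = set()    # IPs we asked about and have not resolved yet

    def request(self, ip):
        """Note an outstanding request and return the broadcast ARP request."""
        self.pending.add(ip)
        return build_arp(OP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, ip)

    def receive(self, data):
        """Process one packet; return True if it changed the cache."""
        pkt = parse_arp(data)
        if pkt["op"] != OP_REPLY or pkt["target_ip"] != self.my_ip:
            return False
        if self.strict and pkt["sender_ip"] not in self.pending:
            return False        # unsolicited reply: assumed hardening ignores it
        # No authentication: whatever the reply claims is written to the cache.
        self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        self.pending.discard(pkt["sender_ip"])
        return True


# Constructed addresses as (MAC, IP), matching build_arp's argument order.
HOST_A = ("aa:aa:aa:aa:aa:01", "10.0.0.1")   # victim A
HOST_B = ("bb:bb:bb:bb:bb:02", "10.0.0.2")   # victim B
HOST_Z = ("cc:cc:cc:cc:cc:03", "10.0.0.3")   # attacker Z


def demo(strict):
    """Return (was the unsolicited reply accepted?, MAC A now holds for B's IP)."""
    a = ArpCache(*HOST_A, strict=strict)
    a.request(HOST_B[1])
    a.receive(build_arp(OP_REPLY, *HOST_B, *HOST_A))       # genuine reply from B
    # Later an unsolicited reply pairs B's IP with Z's MAC, as on the slides.
    unsolicited = build_arp(OP_REPLY, HOST_Z[0], HOST_B[1], *HOST_A)
    return a.receive(unsolicited), a.table[HOST_B[1]]


if __name__ == "__main__":
    print("plain cache :", demo(strict=False))
    print("strict cache:", demo(strict=True))
```

The plain cache ends up mapping B’s IP to Z’s MAC, exactly the entry shown in the A’s ARP Cache table later in the deck; the strict cache keeps B’s real MAC. Two caveats: the strict rule does nothing against a forged reply that arrives while A’s request is still outstanding (the "nothing prevents other computers from replying" problem), and it also discards gratuitous ARP that some networks rely on for failover, so real operating systems make this a tunable rather than a fixed policy.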
13. ARP Spoofing
• Nothing prevents other computers from replying to the ARP request.
• Attacker sends “fake” ARP messages.
• Thus mapping attacker’s MAC address with another victim’s IP address.
• All packets sent to the victim will now be directed to the attacker.
Steps:
1. Attacker Z requests the MAC addresses of Victim A and Victim B through
the switch.
[Figure: a Switch connecting Attacker Z, Victim A and Victim B; Z sends a "Requests MAC address" message towards A and towards B]
14. ARP Spoofing
2. Attacker Z now has the IP addresses and MACs of the victims.
3. Z sends Z’s MAC address paired with B’s IP address to Victim A, and
Z’s MAC address paired with A’s IP address to Victim B.
[Figure: the same Switch, Attacker Z, Victim A and Victim B; Z sends "Z’s MAC address and B’s IP address" to A and "Z’s MAC address and A’s IP address" to B]
15. ARP Spoofing
4. Victim A and Victim B update their ARP caches.
5. Attacker Z has access to all of A’s and B’s packets.
A’s ARP Cache:
  IP Addresses     MAC Addresses
  B’s IP Address   Z’s MAC Address
  Z’s IP Address   Z’s MAC Address
B’s ARP Cache:
  IP Addresses     MAC Addresses
  A’s IP Address   Z’s MAC Address
  Z’s IP Address   Z’s MAC Address
16. ARP Spoofing
ARP Cache Re-poisoning:
• Attacker needs to re-poison the cache on a regular basis.
• OS refreshes ARP cache frequently.
17. Sniffer Detection
• Difficult in non-switched environments as the sniffers are usually ‘passive’.
• Easier in switched environments as they are usually ‘active’.
• Detecting machines running in promiscuous mode:
• Generate packets that do not have valid addresses and send them out.
If a machine accepts the packet, it is running a sniffer.
• Monitor the ARP cache to see if there is a duplication for a machine.
• Commercial tools like AntiSniff, Neped, ARP Watch and Snort can
non-intrusively detect sniffers.
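As an added example of the "monitor the ARP cache for duplication" check above (not code from the slides or from any of the tools named), the following ARP-watch style monitor compares successive snapshots of a host’s ARP cache in the format printed by `ip neigh` on Linux and raises an alert when an IP’s MAC changes or when one MAC claims several IPs, which is the end state shown in the A’s and B’s ARP Cache tables. The two snapshots are constructed for the demo.

```python
# Added example: ARP cache monitoring over "ip neigh" snapshots (constructed demo).
import re

# One "ip neigh" line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$",
    re.IGNORECASE)

# Constructed snapshot before any spoofing: B and Z each own their IP.
SNAPSHOT_CLEAN = """\
10.0.0.2 dev eth0 lladdr bb:bb:bb:bb:bb:02 REACHABLE
10.0.0.3 dev eth0 lladdr cc:cc:cc:cc:cc:03 STALE
10.0.0.9 dev eth0 FAILED
"""

# Constructed snapshot afterwards: B's IP now resolves to Z's MAC.
SNAPSHOT_POISONED = """\
10.0.0.2 dev eth0 lladdr cc:cc:cc:cc:cc:03 REACHABLE
10.0.0.3 dev eth0 lladdr cc:cc:cc:cc:cc:03 REACHABLE
"""


def parse_neigh(text):
    """Return {ip: mac} from 'ip neigh' output; lines without a MAC are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


class ArpWatch:
    def __init__(self):
        self.known = {}     # last MAC seen for each IP
        self.alerts = []

    def observe(self, table):
        """Fold one snapshot into the history; return the alerts it raised."""
        new = []
        for ip, mac in table.items():
            old = self.known.get(ip)
            if old is not None and old != mac:
                new.append(f"changed: {ip} {old} -> {mac}")
            self.known[ip] = mac
        # Duplication check: one MAC answering for several IPs.
        by_mac = {}
        for ip, mac in self.known.items():
            by_mac.setdefault(mac, []).append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                new.append(f"duplicate: {mac} claims {', '.join(sorted(ips))}")
        self.alerts.extend(new)
        return new


def run_demo():
    """Feed both constructed snapshots through the monitor."""
    watch = ArpWatch()
    first = watch.observe(parse_neigh(SNAPSHOT_CLEAN))
    second = watch.observe(parse_neigh(SNAPSHOT_POISONED))
    return first, second


if __name__ == "__main__":
    for alert in run_demo()[1]:
        print(alert)
```

The clean snapshot raises nothing; the poisoned one raises both a "changed" alert for 10.0.0.2 and a "duplicate" alert for Z’s MAC. Both conditions also occur legitimately (a DHCP lease moving to a new host, a replaced NIC, a router doing proxy ARP or a shared virtual IP), so the alerts are a prompt to check the DHCP leases or asset inventory, not proof of an attack on their own. The re-poisoning behaviour from slide 16 shows up here as the same "changed" alert recurring on every snapshot.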
18. References
• ‘Packet sniffing: a brief introduction’,
http://ieeexplore.ieee.org.ezproxy.gsu.edu/document/1166620/?reload=true
• ‘Detection of ARP Spoofing: A command line execution method’,
http://ieeexplore.ieee.org.ezproxy.gsu.edu/document/6828085/
• https://landetective.com/products/internet-monitor/manual/traffic-analysis.html,
date visited Nov 28, 2017.
• ‘A Security Framework against ARP Spoofing’,
http://ieeexplore.ieee.org.ezproxy.gsu.edu/stamp/stamp.jsp?arnumber=7359227
• https://www.ukessays.com/essays/information-technology/the-history-of-packet-sniffing-information-technology-essay.php,
date visited Dec 10, 2017.
• http://www.omnisecu.com/ccna-security/dhcp-starvation-attacks-and-dhcp-spoofing-attacks.php,
date visited Dec 10, 2017.