Enviar búsqueda
Cargar
Ceh V5 Module 07 Sniffers
•
4 recomendaciones
•
5,415 vistas
Mina Fawzy
Seguir
ethical hacking book
Leer menos
Leer más
Tecnología
Meditación
Denunciar
Compartir
Denunciar
Compartir
1 de 106
Descargar ahora
Descargar para leer sin conexión
Recomendados
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
Computer Security
Computer Security
AkNirojan
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineering
Prem Lamsal
INFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEM
ANAND MURALI
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
Network Security
Network Security
Abdul Qadir Pattal
Cyber security fundamentals
Cyber security fundamentals
Cloudflare
Recomendados
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
Computer Security
Computer Security
AkNirojan
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineering
Prem Lamsal
INFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEM
ANAND MURALI
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
Network Security
Network Security
Abdul Qadir Pattal
Cyber security fundamentals
Cyber security fundamentals
Cloudflare
DoS Attack - Incident Handling
DoS Attack - Incident Handling
Marcelo Silva
Module 8 System Hacking
Module 8 System Hacking
leminhvuong
CNIT 140: Perimeter Security
CNIT 140: Perimeter Security
Sam Bowne
Network Security
Network Security
Manoj Singh
Network security
Network security
Estiak Khan
Chapter- I introduction
Chapter- I introduction
Dr.Florence Dayana
Network Security ppt
Network Security ppt
SAIKAT BISWAS
NETWORK SECURITY
NETWORK SECURITY
afaque jaya
Network Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
Password Cracking
Password Cracking
Sina Manavi
Network scanning
Network scanning
oceanofwebs
cyber security
cyber security
NiharikaVoleti
Malware and security
Malware and security
Gurbakash Phonsa
Virus and malware presentation
Virus and malware presentation
Amjad Bhutto
malware analysis
malware analysis
20CS201AkashR
Cyber security
Cyber security
Manjushree Mashal
Computer Security risks Shelly
Computer Security risks Shelly
Adeel Khurram
Chapter 1: Overview of Network Security
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
Cyber Security
Cyber Security
Arshad Khan
Social engineering
Social engineering
Vîñàý Pãtêl
526 alea interneterako
526 alea interneterako
Anboto Komunikabideak
Presentazione Gestione Albo Fornitori Web
Presentazione Gestione Albo Fornitori Web
Fastcom Group SRL
Más contenido relacionado
La actualidad más candente
DoS Attack - Incident Handling
DoS Attack - Incident Handling
Marcelo Silva
Module 8 System Hacking
Module 8 System Hacking
leminhvuong
CNIT 140: Perimeter Security
CNIT 140: Perimeter Security
Sam Bowne
Network Security
Network Security
Manoj Singh
Network security
Network security
Estiak Khan
Chapter- I introduction
Chapter- I introduction
Dr.Florence Dayana
Network Security ppt
Network Security ppt
SAIKAT BISWAS
NETWORK SECURITY
NETWORK SECURITY
afaque jaya
Network Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
Password Cracking
Password Cracking
Sina Manavi
Network scanning
Network scanning
oceanofwebs
cyber security
cyber security
NiharikaVoleti
Malware and security
Malware and security
Gurbakash Phonsa
Virus and malware presentation
Virus and malware presentation
Amjad Bhutto
malware analysis
malware analysis
20CS201AkashR
Cyber security
Cyber security
Manjushree Mashal
Computer Security risks Shelly
Computer Security risks Shelly
Adeel Khurram
Chapter 1: Overview of Network Security
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
Cyber Security
Cyber Security
Arshad Khan
Social engineering
Social engineering
Vîñàý Pãtêl
La actualidad más candente
(20)
DoS Attack - Incident Handling
DoS Attack - Incident Handling
Module 8 System Hacking
Module 8 System Hacking
CNIT 140: Perimeter Security
CNIT 140: Perimeter Security
Network Security
Network Security
Network security
Network security
Chapter- I introduction
Chapter- I introduction
Network Security ppt
Network Security ppt
NETWORK SECURITY
NETWORK SECURITY
Network Security Nmap N Nessus
Network Security Nmap N Nessus
Password Cracking
Password Cracking
Network scanning
Network scanning
cyber security
cyber security
Malware and security
Malware and security
Virus and malware presentation
Virus and malware presentation
malware analysis
malware analysis
Cyber security
Cyber security
Computer Security risks Shelly
Computer Security risks Shelly
Chapter 1: Overview of Network Security
Chapter 1: Overview of Network Security
Cyber Security
Cyber Security
Social engineering
Social engineering
Destacado
526 alea interneterako
526 alea interneterako
Anboto Komunikabideak
Presentazione Gestione Albo Fornitori Web
Presentazione Gestione Albo Fornitori Web
Fastcom Group SRL
01 br gtfr_2011-08-05
01 br gtfr_2011-08-05
dmidmsa
27. emitir facturas a deudores
27. emitir facturas a deudores
Emagister
Global Pension Funds & Alternative Investments Summit
Global Pension Funds & Alternative Investments Summit
Lisa Krow
3.2 Técnicas y herramientas SEO
3.2 Técnicas y herramientas SEO
Brox Technology
Honeywell Access OKH2N26 Data Sheet
Honeywell Access OKH2N26 Data Sheet
JMAC Supply
Arpwall - protect from ARP spoofing
Arpwall - protect from ARP spoofing
Ammar WK
Implementación EGSI en el Instituto Espacial
Implementación EGSI en el Instituto Espacial
Mónica Duque
Ce hv8 module 08 sniffing
Ce hv8 module 08 sniffing
polichen
Xdr ppt
Xdr ppt
Nidhi Thakkar
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database Servers
Kislaychd
Ce Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering Techniques
Kislaychd
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
Kislaychd
The Hackers Dictionary
The Hackers Dictionary
alanocu
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
Symantec
TCP/IP Exercises
TCP/IP Exercises
Felipe Suarez
Waterhole Attack
Waterhole Attack
Symantec
prova
prova
guest4e3d2e
TH3 Professional Developper google hacking
TH3 Professional Developper google hacking
th3prodevelopper
Destacado
(20)
526 alea interneterako
526 alea interneterako
Presentazione Gestione Albo Fornitori Web
Presentazione Gestione Albo Fornitori Web
01 br gtfr_2011-08-05
01 br gtfr_2011-08-05
27. emitir facturas a deudores
27. emitir facturas a deudores
Global Pension Funds & Alternative Investments Summit
Global Pension Funds & Alternative Investments Summit
3.2 Técnicas y herramientas SEO
3.2 Técnicas y herramientas SEO
Honeywell Access OKH2N26 Data Sheet
Honeywell Access OKH2N26 Data Sheet
Arpwall - protect from ARP spoofing
Arpwall - protect from ARP spoofing
Implementación EGSI en el Instituto Espacial
Implementación EGSI en el Instituto Espacial
Ce hv8 module 08 sniffing
Ce hv8 module 08 sniffing
Xdr ppt
Xdr ppt
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
Ce Hv6 Module 43 Cyber Warfare Hacking Al Qaida And Terrorism
The Hackers Dictionary
The Hackers Dictionary
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
TCP/IP Exercises
TCP/IP Exercises
Waterhole Attack
Waterhole Attack
prova
prova
TH3 Professional Developper google hacking
TH3 Professional Developper google hacking
Similar a Ceh V5 Module 07 Sniffers
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
Iwan89629
Ceh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
Module 5 Sniffers
Module 5 Sniffers
leminhvuong
Tc pdump mod
Tc pdump mod
Sini
File000140
File000140
Desmond Devendran
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
Eric Vanderburg
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning
XMPP, HTTP and UPnP
XMPP, HTTP and UPnP
ITVoyagers
Module 7 (sniffers)
Module 7 (sniffers)
Wail Hassan
topicCybersecurity_4
topicCybersecurity_4
Anne Starr
File000141
File000141
Desmond Devendran
Chap 1 Network Theory & Java Overview
Chap 1 Network Theory & Java Overview
Ministry of Higher Education
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
Vi Tính Hoàng Nam
Firewall Facts
Firewall Facts
DAVID RAUDALES
Application Protocol
Application Protocol
Chandnigupta80
Nmap & Network sniffing
Nmap & Network sniffing
Mukul Sahu
Network Penetration Testing
Network Penetration Testing
Mohammed Adam
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
Joseph Bugeja
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
Mike Chafin
Similar a Ceh V5 Module 07 Sniffers
(20)
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
Ceh v5 module 03 scanning
Ceh v5 module 03 scanning
Module 5 Sniffers
Module 5 Sniffers
Tc pdump mod
Tc pdump mod
File000140
File000140
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
XMPP, HTTP and UPnP
XMPP, HTTP and UPnP
Module 7 (sniffers)
Module 7 (sniffers)
topicCybersecurity_4
topicCybersecurity_4
File000141
File000141
Chap 1 Network Theory & Java Overview
Chap 1 Network Theory & Java Overview
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
Firewall Facts
Firewall Facts
Application Protocol
Application Protocol
Nmap & Network sniffing
Nmap & Network sniffing
Network Penetration Testing
Network Penetration Testing
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
Último
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
V3cube
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
Pooja Nehwal
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Último
(20)
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Slack Application Development 101 Slides
Slack Application Development 101 Slides
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ceh V5 Module 07 Sniffers
1.
Ethical Hacking Version 5
Module VII Sniffers
2.
Scenario
Jamal, is an electrician who fixes electrical and network cables. He was called in for a regular inspection at the premises of XInsurance Inc. Jamal was surprised at his findings during a routine check of the AC ducts in the enterprise. The LAN wires were laid through the ducts. He was tempted to find the information flowing through the LAN wires. What can Jamal do to sabotage the network? What information can he obtain and how sensitive is the information that he would obtain? Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
3.
Module Objective
This module will familiarize you with the following topics: Sniffing Protocols vulnerable to sniffing Types of sniffing ARP and ARP spoofing attack Tools for ARP spoofing MAC flooding Tools for MAC flooding Sniffing tools Types of DNS poisoning Raw sniffing tools Detecting sniffing Countermeasures Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
4.
Module Flow
Sniffing Definition Tools for MAC Flooding Protocols Vulnerable to Sniffing Sniffer Hacking Tools Types of Sniffing Types of DNS Poisoning ARP and ARP Spoofing Attack Raw Sniffing Tools Tools for ARP Spoofing Detection of Sniffing MAC Flooding Countermeasures Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
5.
Definition: Sniffing
A program or device that captures vital information from the network traffic specific to a particular network Sniffing is a data interception technology The objective of sniffing is to steal: • Passwords (from email, the web, SMB, ftp, SQL, or telnet) • Email text • Files in transfer (email files, ftp files, or SMB) Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
6.
Protocols Vulnerable to
Sniffing Protocols that are susceptible to sniffers include: • Telnet and Rlogin: Keystrokes including user names and passwords • HTTP: Data sent in clear text • SMTP: Passwords and data sent in clear text • NNTP: Passwords and data sent in clear text • POP: Passwords and data sent in clear text • FTP: Passwords and data sent in clear text • IMAP: Passwords and data sent in clear text Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
7.
Tool: Network View
– Scans the Network for Devices Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
8.
The Dude Sniffer
Developed by Mikro Tik, the Dude network monitor is a new application which can improve the way you manage your network environment Functions: • Automatically scans all devices within specified subnets • Draws and lays out a map of your networks • Monitors services of your devices • Alerts you in case some service has problems It is written in two parts: • Dude Server, which runs in a background • Dude Client, which may connect to local or remote dude server Download this tool from http://www.eccouncil.org/cehtools/dude.zip Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
9.
Screenshots
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
10.
Screenshots
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
11.
Screenshots
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
12.
Ethereal
Ethereal is a network protocol analyzer for UNIX and Windows It allows the user to examine data from a live network or from a capture file on a disk The user can interactively browse the captured data, viewing summary and detailed information for each packet captured Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
13.
Display Filters in
Ethereal Display filters are used to change the view of packets in captured files Display Filtering by Protocol • Example: type the protocol in the filter box • arp, http, tcp, udp, dns Filtering by IP Address • ip.addr == 10.0.0.4 Filtering by multiple IP Addresses • ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5 Monitoring Specific Ports • tcp.port==443 • ip.addr==192.168.1.100 machine ip.addr==192.168.1.100 && tcp.port=443 Other Filters • ip.dst == 10.0.1.50 && frame.pkt_len > 400 • ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30 • ip.src==205.153.63.30 or ip.dst==205.153.63.30 Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
14.
Following the TCP
Stream in Ethereal Ethereal reassembles all of the packets in a TCP conversation and displays the ASCII in an easy-to-read format This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP Example: Follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML content offline Command: Selecting a TCP packet in the Summary Window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the Follow TCP Stream window. You can also right-click on a TCP packet in the Summary Window and choose Follow TCP Stream to display the window Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
15.
tcpdump
tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
16.
Tcpdump Commands
Exporting tcpdumps to a file • # tcpdump port 80 -l > webdump.txt & tail -f webdump.txt • # tcpdump -w rawdump • # tcpdump -r rawdump > rawdump.txt • # tcpdump -c1000 -w rawdump • # tcpdump -i eth1 -c1000 -w rawdump Captures traffic on a specific port • # tcpdump port 80 You can select several hosts on your LAN, and capture the traffic that passes between them • # tcpdump host workstation4 and workstation11 and workstation13 Capture all the LAN traffic between workstation4 and the LAN, except for workstation11 • # tcpdump -e host workstation4 and workstation11 and workstation13 You can capture all packets except those for certain ports • # tcpdump not port 110 and not port 25 and not port 53 and not port 22 Filter by protocol • # tcpdump udp • # tcpdump ip proto OSPFIGP To capture traffic on a specific host and restrict by protocol • # tcpdump host server02 and ip # tcpdump host server03 and not udp # tcpdump host server03 and ip and igmp and not udp Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
17.
Types of Sniffing
There are two types of sniffing • Passive sniffing – Sniffing through a Hub • Active sniffing – Sniffing through a Switch Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
18.
Passive Sniffing
Attacker HUB It is called passive because it is difficult to detect “Passive sniffing” means sniffing through a hub Attacker simply connects the laptop to the hub and starts sniffing LAN Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
19.
Active Sniffing
Switch Attacker Switch looks at the MAC address associated with each frame, sending data only to the connected port Attacker tries to poison the switch by sending bogus MAC addresses Sniffing through a switch Difficult to sniff Can easily be detected Techniques for active sniffing: • MAC flooding • ARP spoofing LAN Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
20.
What is Address
Resolution Protocol? Address Resolution Protocol is a network layer protocol used to convert an IP address to a physical address (called a MAC address), such as an Ethernet address To obtain a physical address, the host broadcasts an ARP request to the TCP/IP network The host with the IP address in the request replies with its physical hardware address on the network Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
21.
ARP Spoofing Attack
ARP resolves IP addresses to the MAC (hardware) address of the interface to send data ARP packets can be forged to send data to the attackers’ machines An attacker can exploit ARP poisoning to intercept network traffic between two machines on the network By MAC flooding a switch's ARP table with spoofed ARP replies, the attacker can overload the switches and then packet sniff the network while the switch is in “forwarding mode” Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
22.
How Does ARP
Spoofing Work? When a legitimate user initiates a session with another user in the same Layer 2 broadcast domain, an address resolution protocol (ARP) request is broadcasted using the recipient's IP address and the sender waits for the recipient to respond with a MAC address A malicious user eavesdropping on this unprotected Layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender by spoofing the intended recipient's MAC address Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
23.
ARP Poisoning
Hey 10.1.1.1 are you there? Step 2: Another legitimate user responds to the ARP request Step 1: Legitimate user sends ARP request, which the Switch broadcasts onto the wire Yes I' am here. This is 10.1.1.1 and my MAC address is 1:2:3:4:5:6 No, I' am 10.1.1.1 and my Switch MAC address is 9:8:7:6:5:4 Legitimate User Step 3: Malicious user Step 4: Information for IP eavesdrops on the ARP request address 10.1.1.1 is now being and responds after the sent to MAC address 9:8:7:6:5:4 legitimate user, spoofing the legitimate response and sending his malicious MAC address to Internet the originator of the request Attacker Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
24.
Mac Duplicating
MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses By listening to traffic on the network, a malicious user can intercept and use a legitimate user's MAC address The attacker will receive all traffic destined for that legitimate user This technique works on Wireless Access Points with MAC filtering enabled Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
25.
Mac Duplicating Attack
My MAC address is A:B:C:D:E Switch Rule: Allow access to Switch the network only if your MAC address is A:B:C:D:E Legitimate User s i Step 1: Malicious user sniffs ss :E e D dr the network for MAC addresses C: Ad of currently associated B: C A: M A legitimate users and then uses y M that MAC address to attack o! N other users associated to the same switch port Internet Attacker Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
26.
Tools for ARP
Spoofing Tools for ARP Spoofing • Arpspoof (Linux-based tool) • Ettercap (Linux and Windows) Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
27.
Ettercap
A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning-based sniffing, and so on Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
28.
MAC Flooding
MAC flooding involves flooding the switch with numerous requests Switches have a limited memory for mapping various MAC addresses to the physical ports on the switch MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up The switch then acts as a hub by broadcasting packets to all the machines on the network After this, sniffing can be easily performed Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
29.
Tools for MAC
Flooding Tools for MAC Flooding • Macof (Linux-based tool) • Etherflood (Linux and Windows) Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
30.
Linux Tool: Macof
Macof floods the local network with random MAC addresses, causing some switches to fail to open in repeating mode, which facilitates sniffing macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
31.
Copyright © by
EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
32.
Windows Tool: EtherFlood
EtherFlood floods a switched network with Ethernet frames with random hardware addresses The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the sub-network http://ntsecurity.nu/toolbox/etherflood/ Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
33.
Threats of ARP
Poisoning Internal network attacks are typically operated via ARP Poisoning attacks Everyone can download on the Internet Malicious software used to run ARP Spoofing attacks Using fake ARP messages, an attacker can divert all communication between two machines so that all traffic is exchanged via his PC By means, such as a man-in-the-middle attack, the attacker can, in particular: • Run Denial of Service (DoS) attacks • Intercept data • Collect passwords • Manipulate data • Tap VoIP phone calls Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
34.
DHCP Starvation Attack
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses This is easily achieved with attack tools such as gobbler If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. By placing a rogue DHCP server on the network, a network attacker can provide clients with addresses and other network information Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply his or her own system as the default gateway and DNS server resulting in a "man-in-the-middle" attack Download Gobbler tool at http://www.eccouncil.org/cehtools/gobbler.zip Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
35.
IRS – ARP
Attack Tool Many servers and network devices like routers and switches provide features like ACLs, IP Filters, Firewall rules, and so on, to give access to their Services only to particular network addresses (usually Administrators’ workstations) This tool scans for IP restrictions set for a particular service on a host It combines “ARP Poisoning” and “Half-Scan” techniques and tries spoofed TCP connections to the selected port of the target IRS is not a port scanner but a “valid source IP address” scanner for a given service Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
36.
ARPWorks Tool
ArpWorks is a utility for sending customized ‘ARP announce’ packets over the network All ARP parameters, including the Ethernet Source MAC address can be changed as you like Other features are: IP to MAC revolver, subnet MAC discovery, host isolation, packets redirection, and general IP conflict Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
37.
Tool: Nemesis
Nemesis provides an interface to craft and inject a variety of arbitrary packet types. Also used for ARP Spoofing Nemesis Supports the following protocols: • arp • dns • ethernet • icmp • igmp • ip • ospf • rip • tcp • udp Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
38.
Sniffer Hacking Tools
(dsniff package) Sniffer hacking tools (These tools are available on the Linux CD-ROM) arpspoof Intercepts packets on a switched LAN dnsspoof Forges replies to DNS address and pointer queries dsniff Password sniffer filesnarf Sniffs files from NFS traffic mailsnarf Sniffs mail messages in Berkeley mbox format msgsnarf Sniffs chat messages Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
39.
Sniffer Hacking Tools
(cont’d) sshmitm SSH monkey-in-the-middle tcpkill Kills TCP connections on a LAN tcpnice Slows down TCP connections on a LAN urlsnarf Sniffs HTTP requests in Common Log Format webspy Displays sniffed URLs in Netscape in real time webmitm HTTP/HTTPS monkey-in-the-middle Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
40.
Linux Tool: Arpspoof
Arpspoof redirects packets from a target host intended for another host on the LAN by forging ARP replies Arpspoof is the effective way of sniffing traffic on a switch arpspoof [-i interface] [-t target] host Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
41.
Linux Tool: Dnsspoof
Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks dnsspoof [-i interface][-f hostsfile] [expression] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
42.
Linux Tool: Dsniff
Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, and so on Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. Full TCP/IP reassembly is provided by libnids dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen] [-f services] [-t trigger[,...]]] [-r|-w savefile] [expres- sion] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
43.
Linux Tool: Filesnarf
Filesnarf saves files sniffed from NFS traffic in the current working directory filesnarf [-i interface] [[-v] pattern [expression]] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
44.
Linux Tool: Mailsnarf
Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader mailsnarf [-i interface] [[-v] pattern [expression]] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
45.
Linux Tool: Msgsnarf
Msgsnarf records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions msgsnarf [-i interface] [[-v] pattern [expression]] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
46.
Linux Tool: Sshmitm
Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof capturing SSH password logins, and optionally hijacking interactive sessions Only SSH protocol version 1 is (or ever will be) supported. This program is far too dangerous sshmitm [-d] [-I] [-p port] host [port] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
47.
Linux Tool: Tcpkill
Tcpkill kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation) tcpkill [-i interface] [-1...9] expression Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
48.
Linux Tool: Tcpnice
Tcpnice slows down specified TCP connections on a LAN via active traffic shaping tcpnice [-I] [-i interface] [-n increment] expression Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
49.
Linux Tool: Urlsnarf
Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, and so on) urlsnarf [-n] [-i interface] [[-v] pattern [expression]] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
50.
Linux Tool: Webspy
Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automatically). Netscape must be running on your local X display ahead of time webspy [-i interface] host Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
51.
Linux Tool: Webmitm
Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, capturing most secure SSL-encrypted webmail logins and form submissions webmitm [-d] Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
52.
DNS Poisoning Techniques
The substitution of a false Internet provider address at the domain name service level (e.g., where web addresses are converted into numeric Internet provider addresses) DNS poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not Types of DNS Poisoning: 1. Intranet DNS Spoofing (Local network) 2. Internet DNS Spoofing (Remote network) 3. Proxy Server DNS Poisoning 4. DNS Cache Poisoning Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
53.
1. Intranet DNS
Spoofing (Local Network) For this technique, you must be connected to the local area network (LAN) and be able to sniff packets Works well against switches with ARP poisoning the router What is the IP address of www.xsecurity.com Router Real Website 1 IP 10.0.0.254 www.xsecurity.com IP: 200.0.0.45 DNS Request Rebec ca’s b r owser 3 DN co n n e Hacker poisons Hacker’s fake website sniffs the credential S 10.0.0 cts to Re .5 the router and all and redirects the request to real website 4 s po the router traffic 2 ns e is forwarded to his machine Rebecca types om .c ity 0.5 Hacker sets up fake ur www.xsecurity.com in her sec .0. w .x t 10 Website Web Browser ww da ate is l oc www.xsecurity.com IP: 10.0.0.3 IP: 10.0.0.5 Hacker runs arpspoof/dnsspoof www.xsecurity.com Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
54.
2. Internet DNS
Spoofing (Remote Network) Send a Trojan to Rebecca’s machine and change her DNS IP address to that of the attacker’s Works across networks. Easy to set up and implement Real Website www.xsecurity.com IP: 200.0.0.45 2 ww w. 4 Re be c ca’ sB W xs row ha D ec ser ti N u r DN con st S ity S ne c he Re .c o R ts t Hacker’s fake website sniffs the credential IP qu m es o6 po and redirects the request to real website ad e s t is 5.0 5 dr go lo n se .0. es es ca 2 so t te o d fw 2 at ww 00 65 3 .xs .0.0 .0 .0 e c .2 .2 Rebecca types ur ity . co 1 www.xsecurity.com in her m Web Browser Hacker’s infects Rebecca’s computer by changing her DNS IP address to: 200.0.0.2 Fake Website IP: 65.0.0.2 Hacker runs DNS Server in Russia Copyright © by EC-Council EC-Council IP: 200.0.0.2 All Rights reserved. Reproduction is strictly prohibited
55.
Internet DNS Spoofing
To redirect all the DNS request traffic going from host machine to come to you 1. Set up a fake website on your computer 2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server 3. Modify the file dns-spoofing.bat and replace the IP address with your IP address 4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe) 5. When the host clicks the trojaned file, it will replace Jessica’s DNS entry in her TCP/IP properties with that of your machine’s 6. You will become the DNS server for Jessica and her DNS requests will go through you 7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
56.
3. Proxy Server
DNS Poisoning Send a Trojan to Rebecca’s machine and change her proxy server settings in Internet Explorer to that of the attacker’s Works across networks. Easy to set up and implement Real Website www.xsecurity.com IP: 200.0.0.45 2 Al l Re b ec ca ’s Hacker’s fake website sniffs the credential H We and redirects the request to real website ac b 4 ke re r’s qu m est Rebecca types ac s g hi o n e es 3 www.xsecurity.com in her t hr ou gh Web Browser 1 Hacker’s infects Rebecca’s computer by Hacker sends Rebecca’s request to Fake website changing her IE Proxy address to: 200.0.0.2 Fake Website IP: 65.0.0.2 Hacker runs Proxy Server in Russia Copyright © by EC-Council EC-Council IP: 200.0.0.2 All Rights reserved. Reproduction is strictly prohibited
57.
4. DNS Cache
Poisoning To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request • For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls • He then creates fake entries for files on the server he controls with names matching those on the target server Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
58.
Interactive TCP Relay
It operates as a simple TCP tunnel listening on a specific port and forwarding all traffic to the remote host and port The program can intercept and edit the traffic passing through it The traffic can be edited with the built-in HEX editor Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
59.
Interactive Replay Attacks
John sends a message to Dan. The Dan John attacker intercepts the message, changes the content, and sends it to Dan sk de M ail r ou :Y cl nd ry ou to a ar ea es ed e pr ut fir om in e ote m ar d 1 5 ou ve : Y h a ail M ATTACKER Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
60.
HTTP Sniffer: EffeTech
An HTTP protocol packet sniffer and network analyzer Captures IP packets containing HTTP protocol Enables on-the-fly content viewing while monitoring and analyzing Parses and decodes HTTP protocol, and generates a web traffic report for reference Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
61.
HTTP Sniffer: EffeTech
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
62.
Ace Password Sniffer
Can monitor and capture passwords through FTP, POP3, HTTP, SMTP, Telnet, and some web mail passwords Can listen on LAN and capture passwords of any network user Ace Password Sniffer works passively and is hard to detect If a network is connected through a switch, the sniffer can be run on the gateway or proxy server, which can get all network traffic Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
63.
Screenshot
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
64.
MSN Sniffer
Captures MSN chat on a network It records MSN conversations automatically All intercepted messages can be saved as HTML files for later processing and analyzing Everything will be recorded without being detected Capturing Messages Sniffer Chatting Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
65.
MSN Sniffer
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
66.
SmartSniff
SmartSniff is a TCP/IP packet capture program that allows you to inspect network traffic that passes through your network adapter Valuable tool to check what packets your computer is sending to the outside world Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
67.
Session Capture Sniffer:
NetWitness NetWitness is the MOST POWERFUL sniffer in the market The patented technology recreates “sessions” and displays them on the screen The Law enforcement agencies in the U.S. like FBI use this tool NetWitness audits and monitors all traffic on the network Interprets the activities into a format that network engineers and non-engineers alike can quickly understand Records all activities, and transforms the “take” into a dense transactional model describing the network, application, and content levels of those activities Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
68.
Session Capture Sniffer:
NWreader FTP Sessions captured Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
69.
Cain and Abel
MSCACHE Hashes Dumper MSCACHE Hashes Dictionary and Brute-Force Crackers Sniffer filter for SIP-MD5 authentications SIP-MD5 Hashes Dictionary and Brute-Force Crackers Off-line capture file processing compatible with winpcap, tcpdump, and ethereal format Cain’s sniffer can extract audio conversations based on SIP/RTP protocols and save them into WAV files Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
70.
Cain and Abel
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
71.
Packet Crafter Craft
Custom TCP/IP Packets Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
72.
SMAC
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters on one screen. The built-in logging capability allows it to track MAC address modification activities Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
73.
NetSetMan Tool
NetSetMan allows you to quickly switch between pre-configured network settings It is ideal for ethical hackers that have to connect to different networks all the time and need to update their network settings each time NetSetMan allows you to create 6 profiles including IP address settings, Subnet Mask, Default Gateway, and DNS servers Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
74.
Raw Sniffing Tools
Sniffit Snort Aldebaran Windump/tcpdump Hunt Etherpeek NGSSniff Mac Changer Ntop Iris pf NetIntercept IPTraf WinDNSSpoof Etherape Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
75.
Features of Raw
Sniffing Tools Data can be intercepted “off the wire” from a live network connection, or read from a captured file Can read captured files from tcpdump Command line switches to the editcap program that enables the editing or conversion of the captured files Display filter enables the refinement of the data Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
76.
Sniffit
Sniffit is a packet sniffer for TCP/UDP/ICMP packets It provides detailed technical information about the packets and packet contents in different formats By default it can handle Ethernet and PPP devices, but can be easily forced into using other devices Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
77.
Aldebaran
Aldebaran is an advanced LINUX sniffer/network analyzer It supports sending data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in HTML, capture rules, colored output, and more Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
78.
Hunt
Hunt is used to watch TCP connections, intrude on them, or reset them It is meant to be used on Ethernet, and has active mechanisms to sniff switched connections Features: • It can be used for watching, spoofing, detecting, hijacking, and resetting connections • MAC discovery daemon for collecting MAC addresses, sniff daemon for logging TCP traffic with the ability to search for a particular string Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
79.
NGSSniff
NGSSniff is a network packet capture and analysis program Packet capture is done via windows sockets raw IP or via Microsoft network monitor drivers It can carry out packet sorting, and it does not require the installation of any drivers to run it It carries out real-time packet viewing Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
80.
Ntop
Ntop is a network traffic probe that shows network usage In interactive mode, it displays the network status on the user’s terminal In web mode, it acts as a web server, creating an html dump of the network status Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
81.
Pf
Pf is Open BSD’s system for filtering TCP/IP traffic and performing Network Address Translation It is also capable of normalizing and conditioning TCP/IP traffic, and providing bandwidth control and packet prioritization Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
82.
IPTraf
IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the current IP traffic over it IPTraf can be used to monitor the load on an IP network, the most used types of network services, and the proceedings of TCP connections, and others Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
83.
EtherApe
EtherApe is a graphical network monitor for Unix Featuring link layer, IP, and TCP modes, it displays network activity graphically It can filter traffic to be shown, and can read traffic from a file as well as live from the network Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
84.
EtherApe Features
Network traffic is displayed graphically. The more talkative a node is, the bigger its representation A user may select what level of the protocol stack to concentrate on A user may either look at traffic within a network, end to end IP, or even port to port TCP Data can be captured “off the wire” from a live network connection, or read from a tcpdump capture file Data display can be refined using a network filter Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
85.
Netfilter
Netfilter and iptables are the Features framework inside the Linux 2.4.x kernel which enables Stateful packet filtering packet filtering, network (connection tracking) address translation (NAT), and All kinds of network address other packet mangling translation Netfilter is a set of hooks inside the Linux 2.4.x kernel's Flexible and extensible network stack which allows infrastructure kernel modules to register callback functions called every time a network packet traverses one of those hooks Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
86.
Netfilter
Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
87.
Network Probe
This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network All traffic is monitored in real time All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
88.
Maa Tec Network
Analyzer MaaTec Network Analyzer is a tool that is used for capturing, saving, and analyzing network traffic Features: • Real-time network traffic statistics • Scheduled network traffic reports • Online view of incoming packets • Multiple data color options Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
89.
Tool: Snort
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system Sniffer mode reads the packets off of the network and displays them for you in a continuous stream on the console Packet logger mode logs the packets to the disk Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
90.
Tool: Windump
WinDump is the porting to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
91.
Tool: Etherpeek
Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding, and displaying packet data, it finds protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, and unreachable devices Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
92.
Mac Changer
MAC changer is a Linux utility for setting a specific MAC address for a network interface It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor The user can also set a MAC of the same kind (such as a wireless card) It offers a choice of vendor MAC list of more than 6200 items Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
93.
Iris
It allows for the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is watching it during work hours Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
94.
NetIntercept
A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and file names Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
95.
WinDNSSpoof
This tool is a simple DNS ID Spoofer for Windows 9x/2K To use it, you must be able to sniff traffic of the computer being attacked Usage : wds -h Example : wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
96.
How to Detect
Sniffing? You will need to check which machines are running in promiscuous mode Run ARPWATCH and notice if the MAC address of certain machines has changed (Example: router’s MAC address) Run network tools like HP OpenView and IBM Tivoli network health check tools to monitor the network for strange packets Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
97.
AntiSniff Tool
AntiSniff tool can detect machines on the network that are running in promiscuous mode Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
98.
ArpWatch Tool
ArpWatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings It also reports certain changes via email Place triggers when your router’s MAC address changes on your network Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
99.
Countermeasures
Restriction of physical access to network media ensures that a packet sniffer cannot be installed The best way to be secured against sniffing is to use Encryption. It would not prevent a sniffer from functioning but will ensure that what a sniffer reads is not important ARP Spoofing is used to sniff a switched network, so an attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
100.
Countermeasures (cont’d)
Another way to prevent the network from being sniffed is to change the network to SSH There are various methods to detect a sniffer in a network: • Ping method • ARP method • Latency method • Using IDS Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
101.
Countermeasures (cont’d)
There are various tools to detect a sniffer in a network: • ARP Watch • Promiscan • Antisniff • Prodetect Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
102.
Countermeasures (cont’d)
Small Network • Use of static IP addresses and static ARP tables which prevents hackers from adding spoofed ARP entries for machines in the network Large Networks • Network switch Port Security features should be enabled • Use of ArpWatch to monitor Ethernet activity Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
103.
What happened next?
Jamal returns to his office and snoops a protocol analyzer into the premise of XInsurance Inc. He goes to the same room where he had found the wires lying in the AC duct. Jamal cuts one of the LAN wires and attaches the protocol analyzer to the partially-cut wire to sniff the traffic. He could get the following information: • Various protocols used • Some raw data that was not encrypted Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
104.
Summary
Sniffing allows to capture vital information from network traffic. It can be done over the hub or the switch (passive or active) Passwords, emails, and files can be grabbed by means of sniffing ARP poisoning can be used to change the Switch mode of the network to Hub mode and subsequently carry out packet sniffing Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, and NGSSniff are some of the most popular sniffing tools The best way to be secured against sniffing is to use encryption, and apply the latest patches or other lockdown techniques to the system Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
105.
Copyright © by
EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
106.
Copyright © by
EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited
Descargar ahora