Thursday, July 29, 2010

Sniffers and process of Sniffing

For Educational purpose only. I shall not be responsible for any damage.

Let us discuss about Sniffers and process of Sniffing. Before starting this topic I assume that you have basic understanding of concepts of Networking.
A snifer is basically a program or software or hardware that can capture packets travelling through the network. The process of capturing data by the sniffer is known as snffing. Remember Sniffing is done in LAN not in WAN.

Sniffing is of two types:
Active sniffing
Passive sniffing

Passive sniffing is carried out in common collision domain. Collision Domain is a network in which whenever packet is sent by any host, all hosts response to that packet in that network & if during same time some other machine transmitts a packet then a collision will occur in network. For eg: HUB is a layer 1 device which operates at physical layer of OSI model. It creates a single collision domain. The internal structure of HUB is based on Bus topology. It operates at layer 1 of OSI model. So when any packet is sent by one machine connected to HUB then this packet will be broadcasted to all other machines attached to that same HUB. This type of network is called Colision Domain. So in order to perform this type of sniffing we only need to install sniffer on one of the machine in collision domain & we'll get all packets that transmit through the network. I know there was no much fun in this.

How to prevent your network from passive sniffing ?
In order to prevent the passive sniffing, we need to prevent the broadcasting of the packets in our packet. Now how to prevent braodcasting ?
As HUB is broadcasting device so we need to use some intelligent device instead of HUB. The solution is to replace HUB with Switch. Beware this will increase cost of your n/w too. Switch device don't broadcast packets everytime. So if sniffer is installed on one machine in the network then it can't intercept all the packets transmitting through the network because there would not be much broadcasts in Switch network..!! You can understand this by knowing how a switch works.

How a switch works ?
Switch is layer 2 device & works using MAC addresses. There are also switches that work at layer 3 of OSI model. The internal structure of switch is based on start topology. Switch basically has a Content Addressable Memory(CAM). This memory contains a table in which there is information about the MAC address of machines attached to its ports ie. MAC to port mapping. In starting the table in CAM is empty & it is filled slowly when the communication starts within the network.
The switch functions in three steps:
1. Broadcasting (Packets are sent to all machines in n/w)
2. Multicasting (Packets are sent to specific group of machines in n/w)
3. Unicasting (Packets are sent to single specific machine in n/w)

Consider a new switch is installed in network,So at first time when a machine 'A' attached to switch send a packet to other machine 'B' using its IP address, now as switch doesn't understand IP address & it doesn't knows machine 'B' MAC address so it will broadcast this packet to all ports, to all the machines attached to the switch. Now all the machines other than 'B' will discard the packet and only machine 'B' will reply. So, now the switch will note the MAC address of the machine 'A' and 'B' & the ports on which they are connected in its table in CAM. Now switch knows on which ports the machine 'A' and 'B' are attached. Now if machine 'A' again sends a packet to 'B' then, now switch will not broadcast the packet but it will directly be sent to 'B' machine. This is called Unicasting. Now if machine 'A' sends packet to any machine other than 'B'
then switch will broadcast packet to all other machines but not to 'B' machine. This is called multicasting. Multicasting is special type of broadcasting in which broadcasting is done to specific group only.
Switch notes the MAC address of the machines whenever a communication takes place untill all the MAC addresses are collected in table in CAM. When all MAC addresses are collected in CAM now switch will perform unicasting.

Now let us discuss Active sniffing.

Active sniffing is carried out in network that have different collision domains. eg: A switch network have different collision domains.Each port of switch is one collision domain. There are following ways to carry out Active sniffing.
1. Arp Spoofing
2. MAC flooding
3. MAC duplicating

Arp Spoofing:
ARP is Address Resolution Protocol. It is used to resolve the IP address of machine to its MAC address. which means it is used to get MAC of machine who's IP is known. Now ARP is stateless, which mean you can make an ARP reply even if no ARP request is made..!! ;-) Now when an attacker's machine wants to sniff it will send fake malicious ARP packets to other victim machine so that, the victim machine sends packets to attacker machine. In this attack basically the gateway of network is spoofed.This is how it works. Let an attacker machine 'A'with IP address 10.0.0.1 wants to get packets of victim machine with IP 10.0.0.2, let the IP address of gateway is 10.0.0.3, Now the attacker machine 10.0.0.1 will send malicious ARP reply packet to gateway 10.0.0.3, associating its MAC address with 10.0.0.2(victim IP) now gateway will think that attacker's machine is victim's machine. At same time attacker send malicious ARP packet to victim machine 10.0.0.2, associating it MAC address with 10.0.0.3(gatewy IP), now the Victim's machine will think that attacker's machine is gateway. Now the gateway will send all the packets belonging to victim machine 10.0.0.2 to attacker's machine and victim's machine will send all packets belonging to gateway 10.0.0.3 to attacker's machine. Thus attackers now sits between Gateway & Victim machine. It is like MAN in Middle Attack. Now the attacker uses IP forwarding technique to send all packets from victim to gateway through it & vice-versa. Now as all packets are being sent and received between gateway and victim machine so, victim remains unaware about the interception of packets by the attacker..!!



MAC Flooding:
This type of attack targets the limited capability of a switch to hold MAC address to physical port mappings. In this we try to make switch to operate like HUB(to broadcast all packets). As I told you before that a switch has table in memory(CAM). This memory has a limited size. It can hold only some specific number of MAC entries. Now in this type of attack the attacker will send lot of spoofed ARP reply packets in the network. Now when there ar so many entries in a switch, thid causes a switch to operate in failopen mode. In this mode the switch will broadcast all the packets to all ports, like HUB. Now attacker can sniff every packet on network.

MAC duplicating:
In this attack the attacker first sniffs the network for MAC addresses of other machines on n/w. Then it try to use one of that MAC addresses. By this intruder can get all packets that are destined for that MAC address. This attack works as follow:
Suppose a network is already functioning. Let victim's IP be 10.0.0.1 & MAC be ab:1c:4b:2b:56:0b , and victim is already communicating in network. Now attacker with IP 10.0.0.2 joins the network. Now attacker sniffs the MAC of victim, then the attacker will start making ARP reply in network by associating its IP 10.0.0.2 with MAC ab:1c:4b:2b:56:0b ,
now every machine on network will consider attacker's machine as victim's machine, and all packets destined to victim will now be recieved to attacker.
This attack is mainly used in Wireless networks.

How to prevent Active sniffing ?
It can be prevented by using Port Security feature of a switch.In this feature we manually allocate or assign MAC address to the ports of the switch. Now the switch will only receive packets from the MAC address that are defined by us. For eg: If I define fast ethernet port 1 to MAC address a0:bc:1d:67:0a:2a now the fast ethernet port 1 of switch will accept packets from this a0:bc:1d:67:0a:2a MAC only.

In order to implement Sniffing, we first need to get IP, MAC of machines working on network. After getting this information then u can implement sniffing attacks.
The arp attack can be done by using arp command. type arp/? in cmd in windows OS to know more. There are many sniffer software available to perform sniffing. As follow:

In order to sniff IP & MAC of machines u can use following s/w:
Wireshark, Look@LAN, The Dude sniffer, Network view. etc

For ARP attack:
ARP spoof, ArpSpyX, Ethercap, Cain and Abel etc.

For MAC flooding:
Macof, Etherflood.

Once again Hacking is a crime. Beware when you use these tools...!!!
Crypto will not be responsible for any damage..!!!

No comments:

Post a Comment