Monday, February 21, 2011

Active Sniffing and Passive Sniffing

 


Passive Sniffing


A packet sniffer is seldom the only tool used for an attack. This is because a sniffer can work only in a common collision domain. A common collision domain is a network segment that is not switched or bridged (i.e. connected through a hub). Any traffic that is not switched or bridged on a network segment can be seen by all machines on that segment. As sniffers gather packets at Data Link Layer it can potentially grab all the packets on the LAN of the machine running the Sniffer program.
This is because on a network with a hub implements a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a Sniffer on one system on LAN, he can gather data sent to and from any other system on the LAN. Majority of the Sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers as they passively wait for the data to be sent and capture them. They are efficient in silently gathering the data from the LAN.

Note
In passive sniff ing, the intruder gets access to the network by any of the following methods.

  • By compromising the physical security. An example of this can be the intruder walking into the building with his laptop and capturing data by plugging in to access the network.

  • Using a Trojan horse. Many Trojans have sniffing capability built into them. For instance, the Back Orifice server has a plugin known as "Butt Trumpet". Butt Trumpet will send the attacker an email when the server has been installed. Once the attacker knows that the victim's machine has been compromised, the attacker can then install a packet sniffer and use it.

Active Sniffing



One countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub based network, switched ethernet does not broadcast all information to all systems on the LAN. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target.
In other words, the main difference between a switch and hub is that while a hub has no mapping, and thus broadcasts line data to every port on the device, a switch looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch.
The switch thereby limits the data that a passive sniffer can gather. If there is a passive sniffer activated on a switched LAN, the sniffer will only be able to see data going to and from one machine - i.e. the system on which it is installed.
However, it must be noted that the development of switched networks was driven by the need for more bandwidth, and not for the need of more secure networks. Since the evolution was not driven by security needs, there are ways to circumvent this network posture and sniff the traffic.
So how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. Hence the term 'active sniffing'. Some of the methods used in the attack include ARP Spoofing, MAC Flooding and MAC Duplicating etc.
EtherFlood


  • EtherFlood floods a switched network with Ethernet frames with random hardware addresses.

  • The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the network.
In a switched network, the ARP table ensures that IP addresses are mapped to MAC addresses . However, this does not stop sniffing, as we see in ARP Spoofing. One way to sniff in a switched network is to convert the functionality of a switch to that of a hub.
In other words, to make a switch change its default directed output to broadcast method . One way of accomplishing this is to foil the switch by flooding the network with too many frames. When this happens, some switches become unable to perform the IP to MAC mappings and then "fail out" to broadcasting.

Tools
EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so that sniffing of the switched network traffic is possible.

dsniff


  • dsniff is a collection of tools for network auditing and penetration testing.

  • dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

  • arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching).

  • sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
Written by Dug Song, this collection of tools (bundled with the main dsniff utility) has certain unique functionality. However, they can be categorized as having similar baseline functionality. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy can be used to sniff on a compromised host behind a firewall and look for interesting content.
These tools can be put to good use by network administrators or be used to obtain sensitive information such as login information that is sent in the clear or is weakly encrypted. These tools can also auto detect various messaging protocols (about 30 are included) when dsniff is launched with the "-m" option.
urlsnarf is capable of intercepting all http requests from the network it is deployed on, and formatting them into the Common Log Format (CLF) used by MS IIS and Apache. This makes it possible to conduct a log analysis by using suitable programs to interpret the results obtained from urlsnarf. urlsnarf is hard-coded to listen on ports 80 (where clear text http resides) as well as port 3128 (MS-proxy) and 8080 (generic proxy).
arpspoof, dnsspoof, and macof work on the interception of switched network traffic that is usually unavailable to a sniffer program due to the segment switching that occurs at the ISO layer 2 level. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

No comments:

Post a Comment