
PRACTICAL-5

Aim: Explain Sniffing, Spoofing, Man-In-Middle and Replay attacks.


Sniffing:
➢ Sniffing is the process of monitoring and capturing all data packets passing through a given network.
➢ Sniffers are used by network/system administrators to monitor and troubleshoot network traffic.
➢ Attackers use sniffers to capture data packets containing sensitive information such as passwords,
account information etc. Sniffers can be hardware or software installed in the system. By placing a
packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyse all
of the network traffic.
There are two types:
➢ Active Sniffing:
Sniffing on a switched network is active sniffing. A switch is a point-to-point network device. The
switch regulates the flow of data between its ports by actively monitoring the MAC address on each
port, which helps it pass data only to its intended target. To capture the traffic between targets,
the sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic. This can be
done in various ways.
➢ Passive Sniffing:
This is the process of sniffing through a hub. Any traffic that is passing through a non-switched
or unbridged network segment can be seen by all machines on that segment. Sniffers operate at the
data link layer of the network. Any data sent across the LAN is actually sent to each and every
machine connected to the LAN. This is called passive because sniffers placed by the attackers
passively wait for the data to be sent and capture it.
How can I protect myself?
➢ To keep information confidential, use encrypted connections. You might also consider encrypting
all sensitive data being sent over the Internet or network (e.g., e-mails). For example, e-mails can
be encrypted using PGP; anyone still using Telnet should consider using SSH instead; and instead
of FTP you can use SFTP.
Spoofing:
➢ Spoofing, in general, is a fraudulent or malicious practice in which communication is sent from an
unknown source disguised as a source known to the receiver. Spoofing is most prevalent in
communication mechanisms that lack a high level of security.
Types of Spoofing:-
➢ IP Spoofing:-
IP (Internet Protocol) forms the third layer of the ISO/OSI model. It is the network protocol
which is used for the transmission of messages over the internet. Every email message sent has
details in the message header of the IP address of the sender (source address). Hackers and
scammers alter the header details to mask their true identity by editing the source address. The
emails then appear to have been transmitted by a trusted source. There are two types of IP spoofing.
➢ Man In the Middle Attacks - As the name suggests, communication between the original sender
of the message and the desired recipient is intercepted. The content of the message is then modified
without the knowledge of either party. The attacker feeds the packet with his own message. The
victim is deceived into thinking the contents of the message are authentic.
➢ Denial of Service (DoS) Attacks - In this practice, the message packet between the sender and the
recipient is intercepted and the source address is spoofed. The connection is literally hijacked. The
recipient is then flooded with more packets than their bandwidth or resources can handle. This
overloads and effectively shuts down the victim's system.

➢ Email Spoofing:-
➢ Among the most widely-used attacks, email spoofing often involves things like requests for
personal data or financial transactions. The emails appear to be from trusted senders — such as
customers, co-workers, or managers — but they are actually from cybercriminals who deliberately
disguise themselves to gain your trust and your help with the action they want you to take. The
request could be for a money transfer or permission to access a system.
➢ Additionally, spoof emails sometimes contain attachments that install malware — such as Trojans
or viruses — when opened. In many cases, the malware is designed to go beyond infecting your
computer and spread to your entire network.
➢ This aspect of spoofing relies heavily on social engineering — the ability to convince a human user
to believe that what they're seeing is legitimate, prompting them to take action and open an
attachment, transfer money, et cetera.
➢ Smurf Attack:-
➢ A smurf attack is a type of denial of service attack in which a system is flooded with spoofed ping
messages. This creates high computer network traffic on the victim’s network, which often renders
it unresponsive.
➢ Smurfing takes certain well-known facts about Internet Protocol and Internet Control Message
Protocol (ICMP) into account. ICMP is used by network administrators to exchange information
about network state, and can also be used to ping other nodes to determine their operational status.
The smurf program sends a spoofed network packet that contains an ICMP ping. The resulting echo
responses to the ping message are directed toward the victim’s IP address. A large number of pings
and the resulting echoes can make the network unusable for real traffic.

Man-In-Middle attacks:
➢ A man-in-the-middle (MITM) attack is a form of eavesdropping where communication between
two users is monitored and modified by an unauthorized party. Generally, the attacker actively
eavesdrops by intercepting a public key message exchange and retransmits the message while
replacing the requested key with his own.
➢ In the process, the two original parties appear to communicate normally. The message sender does
not recognize that the receiver is an unknown attacker trying to access or modify the message before
retransmitting to the receiver. Thus, the attacker controls the entire communication.
➢ This term is also known as a Janus attack or a fire brigade attack.

➢ A MITM attack intercepts communications between two systems and is performed when the attacker
is in control of a router along the normal path of traffic. The attacker in almost all cases is located
on the same broadcast domain as the victim. For instance, in an HTTP transaction, a TCP connection
exists between client and server. The attacker splits the TCP connection into two connections: one
between the victim and the attacker and the other between the attacker and the server. On
intercepting the TCP connection, the attacker acts as a proxy, reading, altering and inserting data in
the intercepted communication. By reading the HTTP header, the intruder can easily capture the
session cookie.

Replay Attack:
➢ A replay attack is a category of network attack in which an attacker detects a data transmission and
fraudulently has it delayed or repeated.
➢ The delay or repeat of the data transmission is carried out by the sender or by the malicious entity,
who intercepts the data and retransmits it.
➢ In other words, a replay attack is an attack on the security protocol using replays of data
transmission from a different sender into the intended receiving system, thereby fooling the
participants into believing they have successfully completed the data transmission.
➢ Replay attacks help attackers to gain access to a network, gain information which would not have
been easily accessible or complete a duplicate transaction.
➢ A replay attack is also known as a playback attack.
How It Works:-
Consider this real-world example of an attack. A staff member at a company asks for a financial transfer
by sending an encrypted message to the company's financial administrator. An attacker eavesdrops on
this message, captures it, and is now in a position to resend it. Because it's an authentic message that
has simply been resent, the message is already correctly encrypted and looks legitimate to the financial
administrator.
In this scenario, the financial administrator is likely to respond to this new request unless he or she has
a good reason to be suspicious. That response could include sending a large sum of money to the
attacker's bank account.
Stopping a Replay Attack:-
Preventing such an attack is all about having the right method of encryption. Encrypted messages carry
"keys" within them, and when they're decoded at the end of the transmission, they open the message.
In a replay attack, it doesn't matter if the attacker who intercepted the original message can read or
decipher the key. All he or she has to do is capture and resend the entire thing — message and key —
together.
To counter this possibility, both sender and receiver should establish a completely random session key,
which is a type of code that is only valid for one transaction and can't be used again.
Another preventative measure for this type of attack is using timestamps on all messages. This prevents
hackers from resending messages sent longer ago than a certain length of time, thus reducing the
window of opportunity for an attacker to eavesdrop, siphon off the message, and resend it.
Another method to avoid becoming a victim is to have a password for each transaction that's only used
once and discarded. That ensures that even if the message is recorded and resent by an attacker, the
encryption code has expired and no longer works.
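Added example (not part of the original practical): a receiver that applies the countermeasures described above, namely a per-session key, a timestamp window and a single-use random value (nonce) on every message. It authenticates messages with HMAC-SHA256 rather than encrypting them; the 30-second window, the field names and the sample transfer text are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_AGE = 30  # seconds a message stays fresh (assumed window)

def _tag(key, msg):
    """HMAC-SHA256 over body, timestamp and nonce, so none can be altered."""
    fields = {k: msg[k] for k in ("body", "ts", "nonce")}
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sign_message(key, body, now=None):
    """Sender: attach a timestamp, a random single-use nonce and the tag."""
    msg = {"body": body, "ts": time.time() if now is None else now,
           "nonce": os.urandom(16).hex()}
    msg["tag"] = _tag(key, msg)
    return msg

class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> message timestamp, kept while still fresh

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            if not hmac.compare_digest(_tag(self.key, msg), msg["tag"]):
                return "rejected: bad tag"
            if abs(now - msg["ts"]) > MAX_AGE:
                return "rejected: stale timestamp"
        except (KeyError, TypeError):
            return "rejected: malformed"
        # Drop nonces whose messages would now fail the timestamp check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if msg["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"

def demo():
    key = os.urandom(32)  # constructed per-session shared key
    rx = Receiver(key)
    msg = sign_message(key, "transfer 500 to account 1234", now=1000.0)
    forged = dict(msg, body="transfer 500 to account 9999")
    return [rx.accept(msg, 1001.0), rx.accept(msg, 1002.0),
            rx.accept(msg, 1100.0), rx.accept(forged, 1003.0)]
```

The timestamp alone would still let a copy through inside the 30-second window; the nonce cache is what rejects the second delivery, and it only has to remember nonces for as long as the timestamp check would accept them.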
