School of Computer Sciences Universiti Sains Malaysia Penang

CST 233 Information Security & Assurance

Assignment 2
TITLE STUDENT NAME : Scanning and Analysis tools- Packets Sniffers : SOH SIN SIANG

MATRIC NUMBER : 107630 LECTURER : Dr. Aman Jantan

TABLE OF CONTENT
1. INTRODUCTION..3 2. PACKETS SNIFFERS5 3. HOW DOES A PACKET SNIFFER WORKS?.6 4. SNIFFING METHOD AND CASE STUDIES OF IT.7 PACKET SNIFFING IN NON-SWITCHED ENVIRONMENT...8 PACKET SNIFFING IN SWITCHED ENVIRONMENT11 5. HOW TO AVOID/MITIGATE THE THREAT FROM PACKET SNIFFING..19 6. CONCLUSION..21 7. REFERENCES..21

Introduction
What are scanning and analysis tools Scanning and analysis tools are computer programs that used to find vulnerabilities in systems, and security holes in individual system components. For examples, the vulnerabilities of specific hosts, routers, or even firewalls. Many scanning and anaylsis tools are developed by hackers community, or so called, hackerware. Most of them are open source and free of charge. Some of these tools are extremely complex while some of them are rather simple. Hackers use scanning and analysis tools to find the vulnerabilities of the network while the same tools can also be used by network defenders to find potential vulnerabilities and secure it. This paper will focus on one of the scanning and analysis tools, that is packet sniffer. Categories of scanning and analysis tools There are several categories of scanning and analysis tools. The following are the categories of scanning and analysis tools. 1. port scanners Port scanners are tools used by both attackers and defenders to identify the computers that are active on a network, as well as the ports and services active on those computers. 2. network mappers Network mappers are tools that identify all systems connected to a network.

3. OS detection tools Tools that detect target hosts operating system. Knowing a hosts OS is critical is one is to exploit the hosts vulnerabilities. For example, the known bugs of that OS. 4. Firewall analysis tools Helps in understanding and discovery of firewall rules and assist the administrator in analyzing the rules to determine exactly what they allow and what they reject 5. Vulnerability scanners Software tools that assess security vulnerabilities in network & hosts and produce a set of scan results. 6. Packet sniffers A network tool that collects copies of packets from the network and analyzes them. More details on this category will be explored in this paper. 7. Wireless sniffers A software or maybe hardware that is capable of capturing & decoding packets as they pass over airwaves.

Packets sniffers
What is packet sniffers A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It monitors traffic destined to itself as well as to all other hosts on the network. Packet sniffers can be run on both non-switched and switched networks. Packet sniffing in a non-switched environment is well understood technology while in a switched environment; it is more of a challenge to eavesdrop on network traffic. More details on the different of sniffing in a non-switched and switched environment will be discussed in the following section. Uses of a packet sniffer Sniffing programs are usually found in two forms. Commercial packet sniffers are used to help to observe and maintain networks, while underground packet sniffers are used by attackers to gain unauthorized access to remote hosts. Below are some common uses of sniffing programs: Searching for clear text usernames and passwords from the network. Conversion of network traffic into human readable form. Network analysis to find bottlenecks or problems. Network intrusion detection to monitor for attackers. Filter suspicious content from network traffic

How does a packet sniffer work?

A packet sniffer works by looking at every packet sent in the network, including packets not intended for itself. This is accomplished in a variety of ways. These sniffing methods will be described below. Sniffers also work differently depending on the type of the network they are in. In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. This, any machines in such an environment placed in promiscuous mode will be able to capture packets meant for other machine and can therefore listen to all the traffic on the network. In a switched Ethernet, hosts are connected to a switch instead of a hub. The switch maintains a table to keep track of each computers MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result of this, most network administrators assume that sniffers dont work in a switched environment.

Sniffing methods and case studies of it

There are three types of sniffing methods. Some method work in non-switched network while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing. IP-based sniffing This is the usual way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address isnt set so it can capture all the packets. This method only works in non-switched networks. MAC-based sniffing This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter. ARP-based sniffing This method works a little different. It doesnt put the network card into promiscuous mode. This isnt necessary because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this sniffing can be done on a switched network. More details on ARP based sniffing will be discussed in the following session.

Packet sniffing in a non-switched environment

In a non-switched environment, the latest generation of packet sniffing tools is highly effective at reaping passwords and other sensitive information from the network. A large number of commonly used protocols either transmit data in plaintext (which can easily be sniffed), or they do not use strong enough encryption to prevent a sniffing and cracking attack. Examples of plaintext protocols include smtp, pop3, snmp, ftp , telnet and http. Perhaps the best known encrypted protocol that is vulnerable to sniffing and cracking attacks is Microsofts LM (LAN Manager) protocol, used for authenticating Windows clients. Tools to sniff in a non-switched environment(case studies) Dsniff For plaintext protocols, to eavesdrop on username, password, and other sensitive information , a very useful tool is dsniff from Dug Song. The dsiff tool is available for various flavors of unix, and also windows. In addition to sniffing the plaintext protocols mentioned above, dsniff is exceptionally good at filtering the sniffed traffic to display onlyinteresting information such as usernames and passwords. A sample run of dsniff is shown in figure 1, showing the windows port of dsniff harvesting passwords on a small network.

ScoopLM Another example of password sniffing and cracking tool, is the ScoopLM tools, which is freeware and downloadable from the internet. ScoopLM will sniff windows 2000/xp and LM /NTLM encrypted passwords. Its brother, BeatLM, enables cracking of encrypted passwords that ScoopLM has harvested by brute-force or dictionary attacks. Together, they are a significant threat to the security of Microsoft networking in a non-switched environment.

Figure 2: ScoopLM scniffing username and password

Figure 2 shows a sample run of ScoopLM, sniffing windows usernames and encrypted passwords. The sniffed usernames and passwords can then be saved to a temporary file, and loaded into BeatLM to be cracked. The two examples given show us how simple it is to discover sensitive information by eavesdropping on a non-switched network. This fact has helped to drive businesses to replace hubs in their network by switches. There are many other good reasons for doing this, for example, increasing network performance. Replacing hubs by switches in the belief that it will totally cure the problem of sniffing is wrong and misguided. The following section will demonstrate why.

Packet sniffing environment

Switches

in

switched

On the surface, it would seem that replacing hubs by switches will mitigate the packet sniffing threat to a large extent. The fact that switches will only send network traffic to the machine that it is destined for implies that if machine is communicating with machine B, machine C will not be able to eavesdrop on their conversation. In figure 3, let us assume that machine A instigates a telnet connection to machine B.

In the situation above, Machine C cannot easily see the network traffic for the telnet session passing between Machines A and B. The switch ensures that this traffic does not travel over any unnecessary ports, it only flows over the ports that machine A and B are connected to. However, a number of techniques exist that will subvert the statement above, enabling C to snoop on the network traffic between A and B.

How to sniff in a switched environment Sniffing traffic in a switched environment is achieved by setting up a man-in-the middle attack. The attackers use a variety of techniques to force network traffic to/ from the victim to go to the attackers machine. When this occur, the attacker can inspects (or even modify) the victims network traffic. There are a numbers of techniques that permit sniffing in a switched environment. Common techniques include ARP spoofing, MAC flooding, MAC duplicating, ICMP redirection, DHCP spoofing and port stealing. The following section will discuss in details about ARP spoofing as ARP spoofing is a classic man-in-the-middle attack. ARP spoofing Taking the previous examples of machines A, B, and C, assumes C wanted to eavesdrop on network traffic between A and B. For a man-in-middle attack, C pretends to A that it is B. then when A sends traffic destined for B, it is intercepted by C. C passes this information onto B, pretending that it came from A. Similarly, C also performs a comparable role for traffic from B, which is destined for A. the goal of the man-in-the-middle attack is shown in figure 4.

In more detail, using ARP spoofing to complete the man-in-the-middle-attack, two steps, detailed below, need to be performed. First, we need to understand how A and B will normally communicate. A requires Bs MAC address. To get this, A will check in its ARP cache to see if it already has Bs MAC address. If this is the case, it will use the MAC address pulled from the ARP cache. IF this is not the case, A will broadcast an ARP request. B will respond with its MAC( and IP) address. Bs IP address and corresponding MAC address will be stored in As ARP caches, for future use. A can now send packets of data to B. for B to communicate with A, a similar process will take place.

Let us now assume that A and B have established each others MAC addresses, and are communicating through a switch. How can C eavesdrop on the conversation? This is where ARP spoofing comes into play. 1. The first step is for C to pretend to A that it is in fact B. if this can be achieved, network traffic destined for B will be routed to C. Likewise, C must pretend to B that it is in fact A. How can this be achieved? The answer is that C poisons the ARP cache on A and B. C sends a spoofed ARP packet to A, instructing A to send packets destined for B to C. the spoofed ARP packet C sends forces A to update its own ARP cache. In As updated ARP cache, Bs IP address maps to Cs MAC address. This means future communication from A which is destined for B will go via C. The following tables show what happens to As ARP cache; IP addresses [Bs IP Address] [Cs IP Address] MAC addresses [Bs MAC Address] [Bs MAC Address] Table1:Machine As ARP cache-before C sends spoofed ARP packet IP addresses [Bs IP Address] [Cs IP Address] MAC addresses [Cs MAC Address] [Cs MAC Address] Table 2: Machine As ARP cache-after C sends spoofed ARP packet

C also does something similar to B. It sends a spoofed ARP packet to B, instructing B to update its ARP cache so that As IP address maps to Cs MAC address. Once this has been done, packets that A attempts to send to B are routed to C. packets that B attempts to send to A are routed to C as well. 2. There is one more important step. Machine C also has to ensure that traffic it receives is sent on to its true destination. So, for example, when A sends traffic destined for B, it is intercepted by C, but sendt on from C to B. this can easily be achieved by IP forwarding, a facility supported by many operating systems. Alternatively, an application can take

responsibility for forwarding the traffic to its true destination. Once the above steps have been performed, C will be intercepting network traffic between A and B.

Tools to sniff in a switched environment (case studies) The number of tools that enable sniffing in a switched environment is on the increase. Ettercap will be covered in this section. Ettercap Ettercap, a tool that describes itself as a powerful and flexible tool for man-in-themiddle attacks. It runs on many leading platforms including Windows, Linux, and Mac OsX. It can easily be downloaded from the internet as open source. Before running ettercap, the ARP cache on machine A and B were checked, via the arp/a command. As expected, the ARP cache on A was storing the true IP and MAC addresses of B and C:

Similarly, the ARP cache on B was storing the true IP and MAC addresses of A and C. Next, ettercap was run on Machine C, and set to sniff traffic between A and B. at this stage, ettercap performs ARP spoofing to set up the man-in-the-middle attack. Re-examining the ARP caches on A and B is illuminating: note how machine Cs Mac address replaces the true MAC addresses for machines A and B:

Now traffic between A and B was being intercepted by C. Similar to dsniff, ettercap has in-built knowledge of a large number of network protocols. It can highlight interesting areas of sniffed traffic, such as usernames and passwords. The following diagram shows ettercap eavesdropping the start of a telnet session between A and B:

During a sniffing session, ettercap may detect a large number of usernames and passwords. The data may be saved to simple ASCII file for examination later on.

How to avoid/mitigate the threat from packet sniffing

Detecting packet sniffers One way to mitigate against the threat of packet sniffing tools is to try to detect if they are used on the network. Detecting in a non-switched environment

Detecting tools designed to run in a non-switched environment is difficult. This is because the tools are usually passive. They work by putting the network interface card into promiscuous mode, allowing any networj traffic that reaches the card to be examined. Akin to a radio receiver, sniffers do not necessarily cause extra, suspicious traffic to be transmitted on the netowkr, so how can they be discovered? A number of techniques can be used to try to detect machines whose network cards are running in promiscuous mode, and likely to be sniffing traffic. Many of the techniques used rely on detecting specific weaknesses in TCP/IP stacks. LOphts antisniff employs knowledge of the idiosyncrasies of TCP/IP stacks to detect machines running in promiscuous mode. Detecting in a switched environment

As indicated previously, sniffing in switched environment implies a man-in-themiddle attack. Eavesdropping in this case will be active in that network traffic

will be delivered to the attacking machine, then forwarded onto the true recipient. Detecting this is somewhat easier than detecting the passive tools. It is possible to detect techniques such as ARP spoofing-software such as LBNLs arpwatch can detect suspicisous ARP network traffic, and inform a network administrator. Locking down the network environment Solutions such as Microsofts Software Restriction Policies and AppSense can help to ensure that only approved software is runpacket sniffing tools and other hacking tools could be prevented from executing. Encryption The most viable solution to protect against packet sniffing is encryption. Instead of halting the use of cleartext protocols, one possibility is to encrypt all network traffic by using IPSec33. By encrypting using IPSec, it is possible to continue to use plaintext protocols - all data is encapsulated by IPSec, and is encrypted for its transfer across the network. Thus legacy applications that may rely on using older, plaintext protocols will be unaffected. IPSec is completely transparent to applications and to users. It is an open standard, supported by many vendors, including Microsoft and Cisco. Furthermore, many Unix implementations support IPSec. The easy configurability of IPSec within Windows further increases its accessibility.

Implementation of a layer three encryption technology such as IPSec solves the sniffing problem completely. The scalability, widespread availability and seamless operation of IPSec highlight it as a pragmatic solution to the problem of network eavesdropping.

Conclusion
Scanning and analysis tools can be used at both bright and dark side. Security professional will use them as the tools to find out the vulnerability of their system and try to cover and enforce their system to free from vulnerabilities, while hackers will use them as the tools to find out the vulnerabilities of certain system and try to exploit through the vulnerabilities. Packet sniffer is a tool where both hackers and security professional often used. Packet sniffer can be used in both switch and non-switch network environment. Packet sniffer can capture things like clear text passwords and usernames or other sensitive information and material. Since sniffing is possible in both the environment, its a good practice for user to encrypt their data commmuncations.

References
[1]http://www.linuxjournal.com/article/5869 [2]http://en.wikipedia.org/wiki/Packet_analyzer [3]http://www.surasoft.com/articles/packetsniffing-2.php [4]http://www.windowsecurity.com/whitepapers/Sniffing_network_wiretap_sniffer_FAQ_.html

Figure 1:http://students.mimuw.edu.pl/SO/Projekt06-07/temat5-g8/raczkowski/dsniff.png Figure 2:http://www.opennet.ru/base/sec/arp_snif2.jpg Figure 5: http://images.ientrymail.com/securitypronews/ettercap_2.gif Figure 9: http://www.securemac.com/images/ettercap/ettercaphosts.gif