Module VII Sniffers – Ethical Hacking Version 5

CEH v5 Module 07 Sniffers.pdf

Jun 01, 2018


fouad boutat
Page 1: CEH v5 Module 07 Sniffers.pdf

8/9/2019 CEH v5 Module 07 Sniffers.pdf

http://slidepdf.com/reader/full/ceh-v5-module-07-snifferspdf 1/106

Module VII: Sniffers

Ethical Hacking Version 5


EC-CouncilCopyright © by EC-Council

 All Rights reserved. Reproduction is strictly prohibited

Module Objective

This module will familiarize you with the following topics:

• Sniffing
• Protocols vulnerable to sniffing
• Types of sniffing
• ARP and ARP spoofing attack
• Tools for ARP spoofing
• MAC flooding
• Tools for MAC flooding
• Sniffing tools
• Types of DNS poisoning
• Raw sniffing tools
• Detecting sniffing
• Countermeasures


Module Flow

• Sniffing Definition
• Types of Sniffing
• Protocols Vulnerable to Sniffing
• ARP and ARP Spoofing Attack
• Tools for ARP Spoofing
• MAC Flooding
• Tools for MAC Flooding
• Sniffer Hacking Tools
• Types of DNS Poisoning
• Raw Sniffing Tools
• Detection of Sniffing
• Countermeasures


Definition: Sniffing

A sniffer is a program or device that captures vital information from the network traffic specific to a particular network

Sniffing is a data interception technology

The objective of sniffing is to steal:

• Passwords (from email, the web, SMB, FTP, SQL, or telnet)
• Email text
• Files in transfer (email files, FTP files, or SMB)


Protocols Vulnerable to Sniffing

Protocols that are susceptible to sniffers include:

• Telnet and Rlogin: Keystrokes including user names and passwords

• HTTP: Data sent in clear text

• SMTP: Passwords and data sent in clear text

• NNTP: Passwords and data sent in clear text

• POP: Passwords and data sent in clear text

• FTP: Passwords and data sent in clear text

• IMAP: Passwords and data sent in clear text


Tool: Network View – Scans the Network for Devices


The Dude Sniffer

Developed by MikroTik, the Dude network monitor is a new application which can improve the way you manage your network environment

Functions:

• Automatically scans all devices within specified subnets
• Draws and lays out a map of your networks
• Monitors services of your devices
• Alerts you in case some service has problems

It is written in two parts:

• Dude Server, which runs in the background
• Dude Client, which may connect to a local or remote Dude server

Download this tool from http://www.eccouncil.org/cehtools/dude.zip


Screenshots


Ethereal

Ethereal is a network protocol analyzer for UNIX and Windows

It allows the user to examine data from a live network or from a capture file on a disk

The user can interactively browse the captured data, viewing summary and detailed information for each packet captured


Display Filters in Ethereal

Display filters are used to change the view of packets in captured files

Display Filtering by Protocol

• Example: type the protocol in the filter box
• arp, http, tcp, udp, dns

Filtering by IP Address

• ip.addr == 10.0.0.4

Filtering by multiple IP Addresses

• ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5

Monitoring Specific Ports

• tcp.port == 443
• Port 443 on the 192.168.1.100 machine: ip.addr == 192.168.1.100 && tcp.port == 443

Other Filters

• ip.dst == 10.0.1.50 && frame.pkt_len > 400
• ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
• ip.src == 205.153.63.30 or ip.dst == 205.153.63.30
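An added example, not code from the EC-Council module or from Ethereal (today's Wireshark): a small evaluator for the filter subset on this slide, run over constructed packet records. It makes the matching rules concrete, in particular that ip.addr and tcp.port test both endpoints, so ip.addr != X still matches packets that have X at one end and !(ip.addr == X) is the way to exclude a host. The packet records and frame numbers are constructed.

```python
"""Evaluator for the Ethereal/Wireshark display-filter subset shown on the slide.
Added example, not Ethereal's or Wireshark's code; packets are constructed records."""
import re

MULTI_FIELDS = {                      # field -> underlying fields it expands to
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
COMPARISONS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
               ">": lambda a, b: a > b, "<": lambda a, b: a < b,
               ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
TOKEN_RE = re.compile(r"\s*(&&|\|\||==|!=|>=|<=|>|<|\(|\)|!|[\w.]+)")

def tokenize(expr):
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

def compare(pkt, fieldname, op, literal):
    """True if ANY value the field takes in this packet satisfies the comparison."""
    values = [pkt[n] for n in MULTI_FIELDS.get(fieldname, (fieldname,)) if n in pkt]
    return any(COMPARISONS[op](v, int(literal) if isinstance(v, int) else literal)
               for v in values)

class FilterParser:
    """Recursive descent: or -> and (('||'|'or') and)*; and -> not (('&&'|'and') not)*;
    not -> ('!'|'not') not | primary; primary -> '(' or ')' | field op literal | protocol."""
    def __init__(self, tokens, pkt):
        self.toks, self.i, self.pkt = tokens, 0, pkt
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok
    def or_expr(self):
        val = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            val = self.and_expr() or val       # right side is always parsed
        return val
    def and_expr(self):
        val = self.not_expr()
        while self.peek() in ("&&", "and"):
            self.take()
            val = self.not_expr() and val
        return val
    def not_expr(self):
        if self.peek() in ("!", "not"):
            self.take()
            return not self.not_expr()
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == "(":
            val = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        if self.peek() in COMPARISONS:
            op = self.take()
            return compare(self.pkt, tok, op, self.take())
        return tok in self.pkt["protocols"]     # bare protocol name: is the layer present?

def matches(filter_expr, pkt):
    parser = FilterParser(tokenize(filter_expr), pkt)
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result

PACKETS = [   # constructed sample capture
    {"frame.number": 1, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "10.0.0.4",
     "ip.dst": "10.0.1.50", "tcp.srcport": 51000, "tcp.dstport": 80, "frame.pkt_len": 512},
    {"frame.number": 2, "protocols": {"eth", "ip", "tcp"}, "ip.src": "192.168.1.100",
     "ip.dst": "10.0.0.4", "tcp.srcport": 443, "tcp.dstport": 52000, "frame.pkt_len": 60},
    {"frame.number": 3, "protocols": {"eth", "arp"}, "frame.pkt_len": 42},
    {"frame.number": 4, "protocols": {"eth", "ip", "icmp"}, "ip.src": "10.0.1.12",
     "ip.dst": "10.0.0.5", "frame.pkt_len": 98},
]

def apply_filter(filter_expr, packets=PACKETS):
    """Frame numbers of the packets the filter keeps, like the Ethereal packet list."""
    return [p["frame.number"] for p in packets if matches(filter_expr, p)]
```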


Following the TCP Stream in Ethereal

Ethereal reassembles all of the packets in a TCP conversation and displays the ASCII in an easy-to-read format

This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP

Example: Follow the stream of the HTTP session and save the output to a file. You should then be able to view the reconstructed HTML content offline

Command: Selecting a TCP packet in the Summary Window and then selecting Analyze -> Follow TCP Stream from the menu bar will display the Follow TCP Stream window. You can also right-click on a TCP packet in the Summary Window and choose Follow TCP Stream to display the window


tcpdump

tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached


Active Sniffing

Sniffing through a switch:

• Difficult to sniff
• Can easily be detected

Techniques for active sniffing:

• MAC flooding
• ARP spoofing

The switch looks at the MAC address associated with each frame, sending data only to the connected port

The attacker tries to poison the switch by sending bogus MAC addresses


 What is Address Resolution Protocol?

Address Resolution Protocol is a network layer protocol used to convert an IP address to a physical address (called a MAC address), such as an Ethernet address

To obtain a physical address, the host broadcasts an ARP request to the TCP/IP network

The host with the IP address in the request replies with its physical hardware address on the network


 ARP Spoofing Attack 

ARP resolves IP addresses to the MAC (hardware) address of the interface to send data

ARP packets can be forged to send data to the attacker's machine

An attacker can exploit ARP poisoning to intercept network traffic between two machines on the network

By MAC flooding a switch's ARP table with spoofed ARP replies, the attacker can overload the switch and then packet sniff the network while the switch is in "forwarding mode"


 ARP Poisoning

Step 1: Legitimate user sends an ARP request, which the switch broadcasts onto the wire

Step 2: Another legitimate user responds to the ARP request

Step 3: Malicious user eavesdrops on the ARP request and responds after the legitimate user, spoofing the legitimate response and sending his malicious MAC address to the originator of the request

Step 4: Information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4

The exchange as drawn on the slide:

Legitimate user: "Hey 10.1.1.1, are you there?"

Legitimate user (10.1.1.1): "Yes, I am here. This is 10.1.1.1 and my MAC address is 1:2:3:4:5:6"

Attacker: "No, I am 10.1.1.1 and my MAC address is 9:8:7:6:5:4"
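An added example, not code from the EC-Council module: a passive detector replayed over a constructed trace of the four-step exchange above (10.1.1.1 answered first by 1:2:3:4:5:6, then by 9:8:7:6:5:4). It keeps the binding learned from the first reply and alerts on a second reply to the same request with a different MAC, on a reply without a recent request, and on an IP changing its MAC. The requester address 10.1.1.2 and its MAC are assumed; a deployed tool would read frames from libpcap instead of the inline list.

```python
"""Passive ARP-poisoning detector over a constructed ARP trace.
Added example, not EC-Council's code; frames below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass(frozen=True)
class ArpFrame:
    t: float          # capture time in seconds
    op: int           # ARP opcode
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

@dataclass
class ArpMonitor:
    request_window: float = 2.0                        # seconds a request stays answerable
    bindings: dict = field(default_factory=dict)       # ip -> mac from the first reply seen
    open_requests: dict = field(default_factory=dict)  # ip asked for -> request time
    answered_by: dict = field(default_factory=dict)    # ip asked for -> mac that replied
    alerts: list = field(default_factory=list)

    def observe(self, f: ArpFrame) -> Optional[str]:
        alert = None
        if f.op == ARP_REQUEST:
            self.open_requests[f.target_ip] = f.t
            self.answered_by.pop(f.target_ip, None)    # a fresh request resets the race
        elif f.op == ARP_REPLY:
            ip, mac = f.sender_ip, f.sender_mac
            asked_at = self.open_requests.get(ip)
            if asked_at is None or f.t - asked_at > self.request_window:
                # Gratuitous ARP from a legitimate host lands here too, so this is a
                # lower-confidence signal than a conflicting reply.
                alert = f"unsolicited ARP reply: {ip} is-at {mac}"
            elif ip in self.answered_by and self.answered_by[ip] != mac:
                alert = (f"conflicting replies for {ip}: first {self.answered_by[ip]}, "
                         f"then {mac} (possible ARP poisoning)")
            else:
                self.answered_by[ip] = mac
            known = self.bindings.get(ip)
            if known is None:
                self.bindings[ip] = mac                # trust only the first reply seen
            elif known != mac and alert is None:
                alert = f"{ip} changed MAC {known} -> {mac}"
        if alert:
            self.alerts.append((f.t, alert))
        return alert

# Constructed trace of the slide's exchange. The requester 10.1.1.2 and its MAC are
# assumed; the legitimate owner of 10.1.1.1 replies first, the attacker second.
REQUESTER_MAC = "aa:aa:aa:aa:aa:aa"
TRACE = [
    ArpFrame(0.00, ARP_REQUEST, "10.1.1.2", REQUESTER_MAC, "10.1.1.1", "00:00:00:00:00:00"),
    ArpFrame(0.01, ARP_REPLY, "10.1.1.1", "1:2:3:4:5:6", "10.1.1.2", REQUESTER_MAC),
    ArpFrame(0.02, ARP_REPLY, "10.1.1.1", "9:8:7:6:5:4", "10.1.1.2", REQUESTER_MAC),
    ArpFrame(5.00, ARP_REPLY, "10.1.1.1", "9:8:7:6:5:4", "10.1.1.2", REQUESTER_MAC),  # later re-poisoning
]

def run(trace=TRACE) -> ArpMonitor:
    """Replay a trace and return the monitor with its learned bindings and alerts."""
    mon = ArpMonitor()
    for frame in trace:
        mon.observe(frame)
    return mon

if __name__ == "__main__":
    for when, text in run().alerts:
        print(f"t={when:.2f}s  {text}")
```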


MAC Duplicating

A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses

By listening to traffic on the network, a malicious user can intercept and use a legitimate user's MAC address

The attacker will receive all traffic destined for that legitimate user

This technique works on Wireless Access Points with MAC filtering enabled


MAC Duplicating Attack

Step 1: Malicious user sniffs the network for MAC addresses of currently associated legitimate users and then uses that MAC address to attack other users associated to the same switch port

As drawn on the slide:

Legitimate user: "My MAC address is A:B:C:D:E"

Attacker: "No! My MAC address is A:B:C:D:E"

Switch rule: Allow access to the network only if your MAC address is A:B:C:D:E


Ettercap

A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning-based sniffing, and so on


MAC Flooding

MAC flooding involves flooding the switch with numerous requests

Switches have a limited memory for mapping various MAC addresses to the physical ports on the switch

MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up

The switch then acts as a hub by broadcasting packets to all the machines on the network

After this, sniffing can be easily performed
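An added example, not code from the EC-Council module or from any switch vendor: a toy model of the switch's MAC-to-port table under a continuous random-MAC flood, showing the mechanism described above (the table fills, idle victims' entries age out and cannot be re-learned, so their traffic is flooded to every port, including the attacker's) and, going one step beyond the slide, the port-security countermeasure of limiting the number of source MACs accepted on a port. Table size, ageing time, port numbers, victim MACs and the flood rate are constructed values.

```python
"""Switch MAC (CAM) table model under MAC flooding, with an optional per-port
source-MAC limit as the countermeasure. Added example; all values are constructed."""
import random

A_MAC, B_MAC = "00:aa:00:00:00:01", "00:bb:00:00:00:02"   # constructed victims on ports 1 and 2
ATTACKER_PORT = 3
AGE = 300          # seconds an idle table entry is retained (a common default)

class Switch:
    def __init__(self, table_size, ports, max_macs_per_port=None):
        self.table_size, self.ports = table_size, list(ports)
        self.max_macs_per_port = max_macs_per_port     # port-security limit, None = off
        self.cam = {}                                  # mac -> [port, last_seen]
        self.macs_on_port = {p: set() for p in self.ports}
        self.err_disabled, self.alerts, self._expired_at = set(), [], None

    def _expire(self, t):
        """Age out idle entries; run once per time step."""
        if self._expired_at == t:
            return
        self._expired_at = t
        for mac in [m for m, (_, seen) in self.cam.items() if t - seen > AGE]:
            del self.cam[mac]

    def _learn(self, src, port, t):
        if src in self.cam:
            self.cam[src] = [port, t]                  # refresh an existing entry
            return
        seen = self.macs_on_port[port]
        seen.add(src)
        if self.max_macs_per_port is not None and len(seen) > self.max_macs_per_port:
            self.err_disabled.add(port)                # port security shuts the port
            self.alerts.append((t, port, f"{len(seen)} source MACs on port, limit {self.max_macs_per_port}"))
            return
        if len(self.cam) < self.table_size:            # a full table learns nothing new
            self.cam[src] = [port, t]

    def forward(self, src, dst, port, t):
        """Return the set of egress ports; empty if the ingress port is err-disabled."""
        if port in self.err_disabled:
            return set()
        self._expire(t)
        self._learn(src, port, t)
        if dst in self.cam:
            return {self.cam[dst][0]}
        return set(self.ports) - {port}                # unknown destination: flood like a hub

def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def simulate(max_macs_per_port=None, table_size=256, burst=50, seconds=400, seed=7):
    """Victims A and B talk, then the attacker floods `burst` random MACs per second.
    After A and B have been idle longer than AGE, B speaks once and A replies to B."""
    rng = random.Random(seed)
    sw = Switch(table_size, ports=[1, 2, 3], max_macs_per_port=max_macs_per_port)
    sw.forward(A_MAC, B_MAC, 1, 0)
    sw.forward(B_MAC, A_MAC, 2, 1)
    before = sw.forward(A_MAC, B_MAC, 1, 1)          # normal unicast: port 2 only
    after = None
    for t in range(2, 2 + seconds):
        for _ in range(burst):
            sw.forward(random_mac(rng), random_mac(rng), ATTACKER_PORT, t)
        if t == 400:
            sw.forward(B_MAC, A_MAC, 2, t)             # B tries to be (re)learned
        if t == 401:
            after = sw.forward(A_MAC, B_MAC, 1, t)     # where does A's traffic to B go now?
    return {"before": before, "after": after, "alerts": sw.alerts,
            "table_fill": len(sw.cam), "err_disabled": sw.err_disabled}

if __name__ == "__main__":
    print("no port security:", simulate())
    print("port security, 2 MACs/port:", simulate(max_macs_per_port=2))
```

With no limit, `after` includes the attacker's port 3: B could not be re-learned because the table stays full of attacker MACs, so the switch floods A's traffic. With the limit, port 3 is err-disabled on its third source MAC and A's traffic stays on port 2.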


Tools for MAC Flooding

• Macof (Linux-based tool)
• Etherflood (Linux and Windows)


Linux Tool: Macof 

Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, which facilitates sniffing

macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]


 Windows Tool: EtherFlood

EtherFlood floods a switched network with Ethernet frames with random hardware addresses

The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the sub-network

http://ntsecurity.nu/toolbox/etherflood/


Threats of ARP Poisoning

Internal network attacks are typically operated via ARP poisoning attacks

Everyone can download from the Internet malicious software used to run ARP spoofing attacks

Using fake ARP messages, an attacker can divert all communication between two machines so that all traffic is exchanged via his PC

By means such as a man-in-the-middle attack, the attacker can, in particular:

• Run Denial of Service (DoS) attacks
• Intercept data
• Collect passwords
• Manipulate data
• Tap VoIP phone calls


DHCP Starvation Attack 

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses

This is easily achieved with attack tools such as Gobbler

If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time

The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. By placing a rogue DHCP server on the network, a network attacker can provide clients with addresses and other network information

Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply his or her own system as the default gateway and DNS server, resulting in a "man-in-the-middle" attack

Download the Gobbler tool at http://www.eccouncil.org/cehtools/gobbler.zip


IRS – ARP Attack Tool

Many servers and network devices like routers and switches provide features like ACLs, IP filters, firewall rules, and so on, to give access to their services only to particular network addresses (usually administrators' workstations)

This tool scans for IP restrictions set for a particular service on a host

It combines "ARP Poisoning" and "Half-Scan" techniques and tries spoofed TCP connections to the selected port of the target

IRS is not a port scanner but a "valid source IP address" scanner for a given service


 ARPWorks Tool

ArpWorks is a utility for sending customized 'ARP announce' packets over the network

All ARP parameters, including the Ethernet source MAC address, can be changed as you like

Other features are: IP to MAC resolver, subnet MAC discovery, host isolation, packet redirection, and general IP conflict


Tool: Nemesis

Nemesis provides an interface to craft and inject a variety of arbitrary packet types. It is also used for ARP spoofing

Nemesis supports the following protocols:

• arp
• dns
• ethernet
• icmp
• igmp
• ip
• ospf
• rip
• tcp
• udp


Sniffer Hacking Tools (dsniff package)

Sniffer hacking tools (these tools are available on the Linux CD-ROM):

arpspoof – Intercepts packets on a switched LAN
dnsspoof – Forges replies to DNS address and pointer queries
dsniff – Password sniffer
filesnarf – Sniffs files from NFS traffic
mailsnarf – Sniffs mail messages in Berkeley mbox format
msgsnarf – Sniffs chat messages


Sniffer Hacking Tools (cont’d)

sshmitm – SSH monkey-in-the-middle
tcpkill – Kills TCP connections on a LAN
tcpnice – Slows down TCP connections on a LAN
urlsnarf – Sniffs HTTP requests in Common Log Format
webspy – Displays sniffed URLs in Netscape in real time
webmitm – HTTP/HTTPS monkey-in-the-middle


Linux Tool: Arpspoof 

Arpspoof redirects packets from a target host intended for another host on the LAN by forging ARP replies

Arpspoof is an effective way of sniffing traffic on a switch

arpspoof [-i interface] [-t target] host


Linux Tool: Dnsspoof

Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks

dnsspoof [-i interface] [-f hostsfile] [expression]


Linux Tool: Dsniff

Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, and so on

Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. Full TCP/IP reassembly is provided by libnids

dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]


Linux Tool: Mailsnarf 

Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader

mailsnarf [-i interface] [[-v] pattern [expression]]


Linux Tool: Sshmitm

Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof, capturing SSH password logins, and optionally hijacking interactive sessions. Only SSH protocol version 1 is (or ever will be) supported

This program is far too dangerous

sshmitm [-d] [-I] [-p port] host [port]


Linux Tool: Tcpkill

Tcpkill kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation)

tcpkill [-i interface] [-1...9] expression


Linux Tool: Tcpnice

Tcpnice slows down specified TCP connections on a LAN via active traffic shaping

tcpnice [-I] [-i interface] [-n increment] expression


Linux Tool: Urlsnarf

Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, and so on)

urlsnarf [-n] [-i interface] [[-v] pattern [expression]]


Linux Tool: Webspy 

Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automatically). Netscape must be running on your local X display ahead of time

webspy [-i interface] host


Linux Tool: Webmitm

Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, capturing most secure SSL-encrypted webmail logins and form submissions

webmitm [-d]


2. Internet DNS Spoofing (Remote Network)

Send a Trojan to Rebecca's machine and change her DNS IP address to that of the attacker's

Works across networks. Easy to set up and implement

As drawn on the slide (Hacker runs a DNS server in Russia, IP 200.0.0.2; Fake website, IP 65.0.0.2; Real website www.xsecurity.com, IP 200.0.0.45):

1. Hacker infects Rebecca's computer by changing her DNS IP address to 200.0.0.2
2. Rebecca types www.xsecurity.com in her web browser; the DNS request "What is the IP address of www.xsecurity.com?" goes to 200.0.0.2
3. DNS response: "www.xsecurity.com is located at 65.0.0.2"
4. Rebecca's browser connects to 65.0.0.2
5. Hacker's fake website sniffs the credential and redirects the request to the real website


Internet DNS Spoofing

To redirect all the DNS request traffic going from the host machine to come to you:

1. Set up a fake website on your computer
2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5. When the host clicks the trojaned file, it will replace Jessica's DNS entry in her TCP/IP properties with that of your machine's
6. You will become the DNS server for Jessica and her DNS requests will go through you
7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website


3. Proxy Server DNS Poisoning

Send a Trojan to Rebecca's machine and change her proxy server settings in Internet Explorer to that of the attacker's

Works across networks. Easy to set up and implement

As drawn on the slide (Hacker runs a proxy server in Russia, IP 200.0.0.2; Fake website, IP 65.0.0.2; Real website www.xsecurity.com, IP 200.0.0.45):

1. Hacker infects Rebecca's computer by changing her IE proxy address to 200.0.0.2
2. Rebecca types www.xsecurity.com in her web browser; all Rebecca's web requests go through the hacker's machine
3. Hacker sends Rebecca's request to the fake website
4. Hacker's fake website sniffs the credential and redirects the request to the real website


4. DNS Cache Poisoning

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information

If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request

• For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls
• He then creates fake entries for files on the server he controls with names matching those on the target server
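An added example, not code from the EC-Council module or from any DNS server: the validation a caching resolver applies to an incoming reply so that the flaw described above (accepting any reply that names the target) cannot poison its cache. The reply must come from the server address the query went to and to the port the query left from, carry the same transaction ID and question, and only records inside that server's zone (its bailiwick) are cached. The authoritative server address 198.51.100.10, port and transaction ID are constructed; 200.0.0.2, 65.0.0.2 and 200.0.0.45 are the addresses used in this module's own scenario.

```python
"""Resolver-side DNS response validation against cache poisoning.
Added example, not EC-Council's code; addresses and identifiers are constructed."""
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str

@dataclass(frozen=True)
class OutstandingQuery:
    txid: int
    src_port: int
    server_ip: str      # authoritative server the resolver sent the query to
    zone: str           # zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str

@dataclass(frozen=True)
class Response:
    txid: int
    from_ip: str
    to_port: int
    qname: str
    qtype: str
    answers: Tuple[RR, ...]
    additional: Tuple[RR, ...] = ()

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a name beneath it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def validate(q, r):
    """Return (records safe to cache, rejection reason or None)."""
    if (r.from_ip, r.to_port) != (q.server_ip, q.src_port):
        return [], "source address/port does not match the outstanding query"
    if r.txid != q.txid:
        return [], "transaction ID mismatch"
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return [], "question section does not match"
    # Records for names outside the queried zone are dropped, never cached.
    return [rr for rr in r.answers + r.additional if in_bailiwick(rr.name, q.zone)], None

class ResolverCache:
    def __init__(self):
        self.entries = {}       # (name, rtype) -> data
        self.rejected = []      # reasons for replies that were thrown away

    def ingest(self, q, r):
        recs, reason = validate(q, r)
        if reason:
            self.rejected.append(reason)
        for rr in recs:
            self.entries[(rr.name.lower(), rr.rtype)] = rr.data
        return reason

# Constructed scenario: the resolver asked xsecurity.com's authoritative server
# (constructed address 198.51.100.10) from port 41000 with transaction ID 0x3a7f.
QUERY = OutstandingQuery(0x3a7f, 41000, "198.51.100.10", "xsecurity.com", "www.xsecurity.com", "A")
# Forged reply sent from the attacker's own host (the module's 200.0.0.2).
FORGED_WRONG_SOURCE = Response(0x3a7f, "200.0.0.2", 41000, "www.xsecurity.com", "A",
                               (RR("www.xsecurity.com", "A", "65.0.0.2"),))
# Forged reply with a spoofed source address but a guessed transaction ID.
FORGED_GUESSED_TXID = Response(0x1111, "198.51.100.10", 41000, "www.xsecurity.com", "A",
                               (RR("www.xsecurity.com", "A", "65.0.0.2"),))
# Reply that passes every header check but smuggles an off-zone additional record.
REPLY_WITH_OFF_ZONE_GLUE = Response(0x3a7f, "198.51.100.10", 41000, "www.xsecurity.com", "A",
                                    (RR("www.xsecurity.com", "A", "200.0.0.45"),),
                                    additional=(RR("login.example.net", "A", "65.0.0.2"),))

def run_scenario():
    cache = ResolverCache()
    for resp in (FORGED_WRONG_SOURCE, FORGED_GUESSED_TXID, REPLY_WITH_OFF_ZONE_GLUE):
        cache.ingest(QUERY, resp)
    return cache
```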


Interactive TCP Relay 

It operates as a simple TCP tunnel listening on a specific port and forwarding all traffic to the remote host and port

The program can intercept and edit the traffic passing through it

The traffic can be edited with the built-in HEX editor


HTTP Sniffer: EffeTech

An HTTP protocol packet sniffer and network analyzer

Captures IP packets containing HTTP protocol

Enables on-the-fly content viewing while monitoring and analyzing

Parses and decodes HTTP protocol, and generates a web traffic report for reference


 Ace Password Sniffer

Can monitor and capture passwords through FTP, POP3, HTTP, SMTP, Telnet, and some web mail passwords

Can listen on LAN and capture passwords of any network user

Ace Password Sniffer works passively and is hard to detect

If a network is connected through a switch, the sniffer can be run on the gateway or proxy server, which can get all network traffic

Screenshot

MSN Sniffer

Captures MSN chat on a network

It records MSN conversations automatically

All intercepted messages can be saved as HTML files for later processing and analyzing

Everything will be recorded without being detected

Diagram: MSN Sniffer capturing messages from chatting clients

SmartSniff

SmartSniff is a TCP/IP packet capture program that allows you to inspect network traffic that passes through your network adapter

Valuable tool to check what packets your computer is sending to the outside world

Session Capture Sniffer: NetWitness

NetWitness is the most powerful sniffer in the market

The patented technology recreates “sessions” and displays them on the screen

Law enforcement agencies in the U.S. like the FBI use this tool

NetWitness audits and monitors all traffic on the network

Interprets the activities into a format that network engineers and non-engineers alike can quickly understand

Records all activities, and transforms the “take” into a dense transactional model describing the network, application, and content levels of those activities

Session Capture Sniffer: NWreader

Screenshot: FTP sessions captured

Cain and Abel

MSCACHE Hashes Dumper

MSCACHE Hashes Dictionary and Brute-Force Crackers

Sniffer filter for SIP-MD5 authentications

SIP-MD5 Hashes Dictionary and Brute-Force Crackers

Off-line capture file processing compatible with winpcap, tcpdump, and ethereal format

Cain’s sniffer can extract audio conversations based on SIP/RTP protocols and save them into WAV files

Packet Crafter: Craft Custom TCP/IP Packets

SMAC

SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters on one screen. The built-in logging capability allows it to track MAC address modification activities

NetSetMan Tool

NetSetMan allows you to quickly switch between pre-configured network settings

It is ideal for ethical hackers that have to connect to different networks all the time and need to update their network settings each time

NetSetMan allows you to create 6 profiles including IP address settings, Subnet Mask, Default Gateway, and DNS servers

Raw Sniffing Tools

Sniffit

Aldebaran

Hunt

NGSSniff

Ntop

pf

IPTraf

Etherape

Snort

Windump/tcpdump

Etherpeek

Mac Changer

Iris

NetIntercept

WinDNSSpoof

Features of Raw Sniffing Tools

Data can be intercepted “off the wire” from a live network connection, or read from a captured file

Can read captured files from tcpdump

Command line switches to the editcap program enable the editing or conversion of the captured files

Display filter enables the refinement of the data

Sniffit

Sniffit is a packet sniffer for TCP/UDP/ICMP packets

It provides detailed technical information about the packets and packet contents in different formats

By default it can handle Ethernet and PPP devices, but can be easily forced into using other devices

Aldebaran

Aldebaran is an advanced Linux sniffer/network analyzer

It supports sending data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in HTML, capture rules, colored output, and more

Hunt

Hunt is used to watch TCP connections, intrude on them, or reset them

It is meant to be used on Ethernet, and has active mechanisms to sniff switched connections

Features:

• It can be used for watching, spoofing, detecting, hijacking, and resetting connections

• MAC discovery daemon for collecting MAC addresses, sniff daemon for logging TCP traffic with the ability to search for a particular string

Pf

Pf is OpenBSD’s system for filtering TCP/IP traffic and performing Network Address Translation

It is also capable of normalizing and conditioning TCP/IP traffic, and providing bandwidth control and packet prioritization

IPTraf

IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the current IP traffic over it

IPTraf can be used to monitor the load on an IP network, the most used types of network services, the proceedings of TCP connections, and others

EtherApe

EtherApe is a graphical network monitor for Unix

Featuring link layer, IP, and TCP modes, it displays network activity graphically

It can filter traffic to be shown, and can read traffic from a file as well as live from the network

Netfilter

Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT), and other packet mangling

Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register callback functions called every time a network packet traverses one of those hooks

Features

Stateful packet filtering (connection tracking)

All kinds of network address translation

Flexible and extensible infrastructure

Network Probe

This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network

All traffic is monitored in real time

All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces

MaaTec Network Analyzer

MaaTec Network Analyzer is a tool that is used for capturing, saving, and analyzing network traffic

Features:

• Real-time network traffic statistics

• Scheduled network traffic reports

• Online view of incoming packets

• Multiple data color options

Tool: Snort

There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system

Sniffer mode reads the packets off of the network and displays them for you in a continuous stream on the console

Packet logger mode logs the packets to the disk

Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set

Tool: Windump

WinDump is the Windows port of tcpdump, the most used network sniffer/analyzer for UNIX

Tool: Etherpeek

Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding, and displaying packet data, it finds protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, and unreachable devices

Mac Changer

MAC changer is a Linux utility for setting a specific MAC address for a network interface

It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor

The user can also set a MAC of the same kind (such as a wireless card)

It offers a choice of vendor MAC list of more than 6200 items

Iris

It allows for the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is watching it during work hours

NetIntercept

A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and file names

WinDNSSpoof

This tool is a simple DNS ID Spoofer for Windows 9x/2K

To use it, you must be able to sniff traffic of the computer being attacked

Usage: wds -h

Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b

How to Detect Sniffing?

You will need to check which machines are running in promiscuous mode

Run ARPWATCH and notice if the MAC address of certain machines has changed (Example: router’s MAC address)

Run network tools like HP OpenView and IBM Tivoli network health check tools to monitor the network for strange packets

AntiSniff Tool

AntiSniff tool can detect machines on the network that are running in promiscuous mode

ArpWatch Tool

ArpWatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings

It also reports certain changes via email

Place triggers when your router’s MAC address changes on your network

Countermeasures

Restriction of physical access to network media ensures that a packet sniffer cannot be installed

The best way to be secured against sniffing is to use encryption. It would not prevent a sniffer from functioning but will ensure that what a sniffer reads is not important

ARP Spoofing is used to sniff a switched network, so an attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache

Countermeasures (cont’d)

There are various tools to detect a sniffer in a network:

• ARP Watch

• Promiscan

• Antisniff

• Prodetect

Countermeasures (cont’d)

Small Network

• Use of static IP addresses and static ARP tables which prevents hackers from adding spoofed ARP entries for machines in the network

Large Networks

• Network switch Port Security features should be enabled

• Use of ArpWatch to monitor Ethernet activity
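An added example (not ArpWatch's own code, nor any tool from the module) of the approach named on the "How to Detect Sniffing?", "ArpWatch Tool" and countermeasure slides: a monitor that learns IP/MAC pairings from ARP replies, reports changes and flip-flops, and treats the gateway's MAC as a pinned static entry that may never be relearned. The IP/MAC values and timestamps are constructed.

```python
"""ArpWatch-style monitor: learn IP/MAC pairings from ARP replies, report
changes, and treat a pinned (static) gateway entry as inviolable.

Added example, not ArpWatch's own code. Input is a constructed list of ARP
replies standing in for frames captured from the wire.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpReply:
    ts: int    # capture time, seconds since epoch (constructed)
    ip: str    # sender protocol address
    mac: str   # sender hardware address


@dataclass
class ArpMonitor:
    # Static pairings (the "static ARP table" countermeasure): the gateway.
    pinned: Dict[str, str]
    db: Dict[str, str] = field(default_factory=dict)        # learned IP -> MAC
    history: Dict[str, Set[str]] = field(default_factory=dict)  # IP -> MACs seen
    alerts: List[str] = field(default_factory=list)

    def observe(self, r: ArpReply) -> Optional[str]:
        """Feed one ARP reply; return an alert string or None."""
        mac = r.mac.lower()
        pinned = self.pinned.get(r.ip)
        if pinned is not None:
            if mac != pinned.lower():
                return self._alert(f"{r.ts} SPOOF {r.ip}: pinned {pinned.lower()}, saw {mac}")
            return None                   # pinned entries are never relearned
        seen = self.history.setdefault(r.ip, set())
        old = self.db.get(r.ip)
        self.db[r.ip] = mac
        if old is None:
            seen.add(mac)
            return None                   # new station: learn quietly
        if old == mac:
            return None
        # ArpWatch distinguishes a return to an earlier MAC from a fresh change.
        kind = "FLIP-FLOP" if mac in seen else "CHANGED"
        seen.add(mac)
        return self._alert(f"{r.ts} {kind} {r.ip}: {old} -> {mac}")

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg


def run_monitor(replies: List[ArpReply], pinned: Dict[str, str]) -> List[str]:
    """Replay a capture through the monitor and return every alert raised."""
    mon = ArpMonitor(pinned=pinned)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed capture: gateway 192.0.2.1 and two hosts, then a reply that
# claims the gateway IP with another MAC, and a host whose MAC changes twice.
SAMPLE_REPLIES = [
    ArpReply(1000, "192.0.2.1",  "00:11:22:33:44:01"),
    ArpReply(1001, "192.0.2.20", "00:11:22:33:44:20"),
    ArpReply(1002, "192.0.2.30", "00:11:22:33:44:30"),
    ArpReply(1010, "192.0.2.1",  "00:11:22:33:44:EE"),   # gateway impersonated
    ArpReply(1011, "192.0.2.30", "00:11:22:33:44:EE"),   # .30 answered by same MAC
    ArpReply(1020, "192.0.2.30", "00:11:22:33:44:30"),   # original owner back
]
GATEWAY = {"192.0.2.1": "00:11:22:33:44:01"}

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_REPLIES, GATEWAY):
        print(line)
```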

Summary

Sniffing allows capturing vital information from network traffic. It can be done over the hub or the switch (passive or active)

Passwords, emails, and files can be grabbed by means of sniffing

ARP poisoning can be used to change the Switch mode of the network to Hub mode and subsequently carry out packet sniffing

Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, and NGSSniff are some of the most popular sniffing tools

The best way to be secured against sniffing is to use encryption, and apply the latest patches or other lockdown techniques to the system
