Sniffing and Evasion - Metropolitan State University (…rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter04.pdf)
Sniffing and Evasion
Chapter #4:
CIS 4500

Outline
• Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing
• Describe ethical hacking techniques for Layer 2 traffic
• Describe sniffing tools and understand their output
• Describe sniffing countermeasures
• Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement
• Describe signature analysis within Snort
• Describe IDS, firewall, and honeypot evasion techniques
Sniffing and Evasion 2
CIS 4500

Phases of Hacking

Essentials
• Sniffing (also known as wiretapping) is the art of capturing packets as they pass on a wire, or over the airwaves, to review for interesting information.
• This information could simply be addresses to go after or information on another target.
• It can also be as high value as a password or other authentication code.
Network Terms
• Node: Any device, including routers and hosts, which runs an implementation of IP.
• Router: A node that can forward IP packets not explicitly addressed to itself. On an IPv6 network, a router also typically advertises its presence and host configuration information.
• Host: A node that cannot forward IP packets not explicitly addressed to itself (a non-router). A host is typically the source and the destination of IP traffic.

Network Terms
• LAN segment: A portion of a subnet consisting of a single medium that is bounded by bridges or Layer 2 switches.
• Subnet: One or more LAN segments that are bounded by routers and use the same IP address prefix.
• Network: Two or more subnets connected by routers. Another term for network is internetwork.
• Neighbor: A node connected to the same subnet as another node.

Network Terms
• Interface: The representation of a physical or logical attachment of a node to a subnet. E.g., a physical interface is a NIC; a logical interface is a tunnel interface that is used to send IPv6 packets across an IPv4 network.
• Address: An identifier that can be used as the source or destination of IP packets and that is assigned at the Internet layer to an interface or set of interfaces.
• Packet: The protocol data unit (PDU) that exists at the Internet layer and comprises an IP header and payload.

Network
• NIC
  • they are designed to pay attention only to unicast messages addressed appropriately, multicast messages, or broadcast messages
  • it sees all the messages but only pulls its own
  • for sniffing it needs to work in promiscuous mode
  • needs a special driver to do that
Network
• Ethernet runs with multiple systems sharing a wire and negotiating time to talk based on Carrier Sense Multiple Access/Collision Detection (CSMA/CD)
• NIC will only act on unicast messages addressed for the host, and broadcast/multicast messages for the subnet
[Figure: hosts A, B and C connected through a router, beside hosts A, B and C on shared media/hub]
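The two slides above make the point that a NIC normally hands up only its own unicast frames plus broadcast/multicast, and that a sniffer must put the card into promiscuous mode. The host-side countermeasure is therefore to look for interfaces that are in promiscuous mode. The following is an added example, not part of the lecture slides: it checks the IFF_PROMISC bit in the flags word Linux exposes under /sys/class/net/<iface>/flags and also scans lines in the format of `ip link show` for the PROMISC keyword. The interface names, MAC addresses and flag values are constructed sample data for this example.

```python
"""Added example (not from the slides): find interfaces in promiscuous mode,
which is the mode a host-based sniffer needs in order to capture frames
not addressed to that NIC.

Two data sources are handled:
  1. the hex flags word Linux exposes in /sys/class/net/<iface>/flags
  2. text in the format of `ip link show`
The sample values below are constructed for this example, not captured."""
import re

# Interface flag bits as defined in <linux/if.h>.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_PROMISC = 0x100     # the bit a sniffer sets; normally clear on a workstation
IFF_MULTICAST = 0x1000


def is_promisc_from_flags(flags_text: str) -> bool:
    """flags_text is the string read from /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# Constructed sample in the shape of `ip link show` output (three interfaces).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:dd:ee:ff brd ff:ff:ff:ff:ff:ff
"""

# Matches the first line of each interface block: "<index>: <name>: <FLAG,FLAG,...>".
# The optional "@parent" part appears for VLAN/veth interfaces and is dropped from the name.
LINK_RE = re.compile(r"^\d+:\s+([^:@]+)(?:@\S+)?:\s+<([^>]*)>", re.M)


def promisc_interfaces(ip_link_output: str) -> list[str]:
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for m in LINK_RE.finditer(ip_link_output):
        name, flags = m.group(1), m.group(2).split(",")
        if "PROMISC" in flags:
            found.append(name)
    return found


if __name__ == "__main__":
    # 0x1103 = UP | BROADCAST | PROMISC | MULTICAST (constructed value)
    print("sysfs 0x1103 promiscuous:", is_promisc_from_flags("0x1103"))
    print("promiscuous interfaces in sample:", promisc_interfaces(SAMPLE_IP_LINK))
```

A hit is a triage signal rather than proof of sniffing: bridges, virtualization hosts and IDS sensors legitimately run interfaces in promiscuous mode, so compare against a known baseline for the host. On a real system read each /sys/class/net/<iface>/flags file or run `ip link show` and feed the text to these functions.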
Network Models

TCP Packet Header

IP Packet Header
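The two header slides above are what a sniffer decodes from each captured frame. As an added example that is not part of the lecture slides, the code below builds one constructed IPv4 packet carrying a TCP SYN, then parses the IP fields (version, header length, fragmentation flags, TTL, protocol, addresses), verifies the IP header checksum, and decodes the TCP ports, sequence numbers and flag bits, i.e. the same fields Wireshark shows in its packet details pane. The addresses and ports are made-up sample values.

```python
"""Added example (not from the slides): decode IPv4 and TCP headers from raw
bytes and verify the IP header checksum. The packet is constructed here;
nothing is captured from a network."""
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte header without options
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed IPv4 + TCP SYN from 192.168.1.10:49152 to 192.168.1.20:80."""
    no_csum = IPV4_HDR.pack(0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                            socket.inet_aton("192.168.1.10"),
                            socket.inet_aton("192.168.1.20"))
    csum = ip_checksum(no_csum)
    ip = no_csum[:10] + struct.pack("!H", csum) + no_csum[12:]
    # data offset 5 words (0x50), flags SYN only, window 65535, TCP checksum left 0
    tcp = TCP_HDR.pack(49152, 80, 0x11111111, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = IPV4_HDR.unpack_from(packet, 0)
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),     # Don't Fragment
        "mf": bool(flags_frag & 0x2000),     # More Fragments
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                   # 6 = TCP, 17 = UDP, 1 = ICMP
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def parse_tcp(segment: bytes) -> dict:
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = TCP_HDR.unpack_from(segment, 0)
    data_offset = (off_res >> 4) * 4         # header length in bytes
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": [name for name, bit in TCP_FLAGS if flags & bit],
        "window": window,
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    pkt = build_sample_packet()
    ip = parse_ipv4(pkt)
    print(ip)
    print(parse_tcp(pkt[ip["ihl"]:]))
```

The checksum check is what a sniffer uses to tell a corrupted capture from a real header; the test flips one TTL byte to show the verification failing. Options are not handled here, which is why the parsers take the header length from the IHL and data offset fields instead of assuming 20 bytes for the payload split.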
ARP
• ARP's entire purpose is to resolve IP addresses to machine (MAC) addresses
• Works on a broadcast basis
• Cache is dynamic – updates, deletes

ARP
• Attackers can change cached info by sending something called a gratuitous ARP
• It is a special packet that updates the ARP cache of other systems before they even ask for it — before they send an ARP_REQUEST
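The detection side of the gratuitous ARP slide above, as an added example that is not part of the lecture slides: a small ARP watcher that parses Ethernet/ARP frames, remembers which MAC first claimed each IP, and raises an alert when an IP is announced with a different MAC, when a reply arrives that no one asked for, when a frame is a gratuitous announcement (sender IP equals target IP), or when the ARP sender MAC disagrees with the Ethernet source MAC. The three frames it processes are constructed for this example (a normal request/reply for a gateway, then a second host claiming the gateway's address); all addresses are made up.

```python
"""Added example (not from the slides): ARP cache-poisoning watcher.
Parses constructed Ethernet+ARP frames and reports IP-to-MAC conflicts,
unsolicited replies and gratuitous ARP announcements."""
import struct

ETH_HDR = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa), "eth_src": mac_str(src)}


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet/ARP frame for the sample traffic below."""
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                           mac_bytes(tha), ip_bytes(tpa)))


class ArpWatch:
    def __init__(self):
        self.table = {}       # IP -> MAC that first claimed it
        self.pending = set()  # target IPs with an outstanding request

    def observe(self, frame: bytes) -> list[str]:
        arp = parse_arp(frame)
        alerts = []
        if arp is None:
            return alerts
        gratuitous = arp["spa"] == arp["tpa"]   # announcement nobody asked for
        if gratuitous:
            alerts.append(f"gratuitous ARP: {arp['spa']} is-at {arp['sha']}")
        elif arp["op"] == ARP_REQUEST:
            self.pending.add(arp["tpa"])
        elif arp["op"] == ARP_REPLY:
            if arp["spa"] not in self.pending:
                alerts.append(f"unsolicited reply: {arp['spa']} is-at {arp['sha']}")
            self.pending.discard(arp["spa"])
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"ARP sender {arp['sha']} differs from frame source {arp['eth_src']}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"MAC change for {arp['spa']}: {known} -> {arp['sha']}")
        return alerts


# Constructed sample traffic: host .10 asks for the gateway .1, the gateway answers,
# then a different MAC announces itself as .1 with a gratuitous reply.
HOST, GATEWAY, OTHER = "08:00:27:00:00:10", "08:00:27:00:00:01", "08:00:27:00:00:66"
SAMPLE_FRAMES = [
    build_arp(HOST, BROADCAST, ARP_REQUEST, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(GATEWAY, HOST, ARP_REPLY, GATEWAY, "192.168.1.1", HOST, "192.168.1.10"),
    build_arp(OTHER, BROADCAST, ARP_REPLY, OTHER, "192.168.1.1", BROADCAST, "192.168.1.1"),
]

if __name__ == "__main__":
    watch = ArpWatch()
    for i, frame in enumerate(SAMPLE_FRAMES, 1):
        for alert in watch.observe(frame):
            print(f"frame {i}: {alert}")
```

A MAC change for an IP is not always hostile (DHCP handing an address to a new machine, a replaced NIC, a failover pair), so the watcher reports and leaves the judgement to the analyst; the combination of a gratuitous announcement and a MAC change for the gateway address is the pattern worth looking at first. Tools such as arpwatch apply the same idea to live traffic.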
ARP

Preparation for next class
• VMWNinja2
• metasploit – change phpinfo.php
• Exercise with Wireshark
• Change of network card configuration -> advanced -> mirroring
  • set WinXP to source
  • set Kali to destination