Sniffing & Keylogger, Deff Arnaldy, M.Si, 0818 0296 4763, deff_arnaldy@yahoo.com

Jan 02, 2016

Transcript
Page 1: Sniffing & Keylogger

Deff Arnaldy, M.Si

0818 0296 4763

deff_arnaldy@yahoo.com

Page 2: Overview

• Sniffing concepts
• Capturing live network data
• Exploring the capture results
• Sniffing countermeasures
• Keyloggers

Page 3: Sniffing Concepts

• A sniffer is a program that reads and analyzes every protocol passing through the machine on which the program is installed.

• By default, a computer on a network (workstation) only listens and responds to packets sent to it. However, the network card can be set by certain programs so that it monitors and captures all network traffic passing by, regardless of whom the packets are addressed to.

• This activity is commonly called sniffing.

Page 4: Sniffing

• Targets Data Link layer of protocol stack
• Sniffer – gathers traffic off network
• This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
• Allows attacker to read data passing a given machine in real time.
• Two types of sniffing:
  • Active
  • Passive

Page 5: Sniffing

Passive
• Attacker must have account on LAN
• Done over a hub
• Usually once access is gained on one computer attacker uses passwords to get in other computers

Active
• Attacker still needs an account
• Several different attacks:
  - Parsing Packets
  - Flooding
  - Spoofed ARP Messages
  - DNS Spoofing
  - HTTPS and SSH spoofing

Page 6: Passive Sniffing

[Diagram: user1, user2, Server and Bad guy connected to a HUB]

- Message gets sent to all computers on hub

Page 7: Active Sniffing

[Diagram: user1, user2, Server and Bad guy connected to a Switch]

- Message gets sent to only requesting computer by looking at MAC address
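
Spoofed ARP messages, one of the active techniques listed earlier, work by making hosts associate an IP address with the wrong MAC address, so a defender can watch ARP traffic for bindings that change. The following is an added example, not part of the original slides: the frames are constructed in memory, the function names are hypothetical, and treating the first binding seen as the baseline is an assumption.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_reply(eth_src, sender_mac, sender_ip):
    """Build a constructed Ethernet+ARP reply in memory (sample data only)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, reply
    return eth + arp + sender_mac + bytes(sender_ip) + bytes(6) + bytes(4)

def decode_arp(frame):
    """Decoder step: return (eth_src, sender_mac, sender_ip) or None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    return mac(frame[6:12]), mac(frame[22:28]), sender_ip

def audit(frames):
    """Return alerts as (frame_index, reason, ip, claimed_mac)."""
    bindings, alerts = {}, []
    for n, frame in enumerate(frames):
        rec = decode_arp(frame)
        if rec is None:
            continue  # not IPv4-over-Ethernet ARP, or truncated
        eth_src, sender_mac, sender_ip = rec
        if eth_src != sender_mac:
            alerts.append((n, "src-mismatch", sender_ip, sender_mac))
        # The first binding seen is treated as the baseline (an assumption).
        if bindings.setdefault(sender_ip, sender_mac) != sender_mac:
            alerts.append((n, "binding-changed", sender_ip, sender_mac))
    return alerts

# Constructed sample: locally administered MACs, documentation-range IPs.
GW, HOST, ROGUE = (bytes.fromhex(h) for h in
                   ("02aabbcc0001", "02aabbcc0002", "02deadbeef99"))
SAMPLE = [
    build_arp_reply(GW, GW, (192, 0, 2, 1)),
    build_arp_reply(HOST, HOST, (192, 0, 2, 10)),
    build_arp_reply(ROGUE, ROGUE, (192, 0, 2, 1)),  # second MAC for .1
    build_arp_reply(HOST, GW, (192, 0, 2, 20)),     # header/payload differ
    b"\x00" * 20,                                   # truncated, skipped
]
```

Calling `audit(SAMPLE)` returns one alert for the address whose MAC changed and one for the frame whose Ethernet source differs from the ARP sender field.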

Page 8: Dsniff

• Offers several ways around a switch
• Available for OpenBSD, Linux, Solaris, and there is a version for Windows
• Very popular and versatile
• In conjunction with sshmitm and webmitm, conducts all the above attacks

Page 9: Major Problems with Sniffing

• Any mischievous machine can examine any packet on a BROADCAST medium
• Ethernet is BROADCAST
  • at least on the segments over which it travels
• Getting passwords is the first step in exploiting a machine
• email is plaintext and vulnerable

Page 10: What does one sniff?

• passwords
• email
• financial account information
• confidential information
• low-level protocol info to attack
  • hardware addresses
  • IP addresses
  • routing, etc

Page 11: What are the components of a packet sniffer?

1. Hardware: standard network adapters.
2. Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
3. Buffers: used to store the frames captured by the Capture Filter.

Page 12: What are the components of a packet sniffer?

4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to shift the traffic for intrusion detection.
5. Decoder: "Protocol Analysis".

Page 13: How does a Sniffer Work?

Sniffers also work differently depending on the type of network they are in.

1. Shared Ethernet
2. Switched Ethernet

Page 14: How can I detect a packet sniffer?

• Ping method
• ARP method
• DNS method

Page 15: Packet Sniffer Mitigation

The following techniques and tools can be used to mitigate sniffers:

• Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
• Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
• Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
• Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

[Diagram: Host A, Router A, Router B, Host B]

Page 17: Working of Cain & Abel

Page 18: What are sniffers used for?

• Detection of clear-text passwords and usernames from the network.
• Conversion of data to human readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Network intrusion detection in order to discover hackers.

Page 19: Prevention of Sniffing

• Segmentation into trustworthy segments
  • bridges
  • better yet .. switched hubs
• Not enough “not to allow sniffing”
  • easy to add a machine on the net
  • may try using X-terminals vs workstations

Page 20: Prevention of Sniffing (more)

• Avoid password transmission
  • one solution is r..family
    • rlogin, rcp, rsh, etc
    • put trusted hosts in .rhosts
    • many SAs don’t want users to use them
• Using encrypted passwords
  • Kerberos
  • PGP public keys

Page 21: Keylogger

• If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers

• Keystroke loggers (keyloggers) can be implemented either using hardware or software

Page 22

• Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device

• In order to install a hardware keylogger, a hacker must have physical access to the system

Page 23

• Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke.

• Software keyloggers can be deployed on a system by Trojans or viruses
