Question

In: Computer Science

As a result of your successful completion of SEC435 and subsequent earning of your Certified Ethical...

As a result of your successful completion of SEC435 and subsequent earning of your Certified Ethical Hacker (CEH) certification, you've decided to offer your services as a penetration tester/consultant. You are in the process of putting together the "toolkit" you will use during your engagements.

Discuss which sniffing tools you would include in your toolkit, why you would choose these tools, and the capabilities and benefits each will bring to your testing process. Also discuss how you will address the challenges of sniffing on a switched network in the testing process.

Solutions

Expert Solution

Sniffing tools with benefits

Wireshark

Wireshark is one of the most popular tools used today (formerly known as Ethereal) for network traffic analysis. It works on the same concept of a sniffer that we discussed above i.e. it will sniff the packets destined for a NIC. It provides a coloring scheme to distinguish packets and can trace a full stream for a particular protocol. By default TCP traffic –green, DNS traffic-blue, UDP traffic-light blue, TCP with problems-black. It even gives you the option to specify the private key and let you decrypt the encrypted traffic on the fly. Filters are also provided to drill down for a specific keyword, protocol among the packet stream. It also gives you previously captured files

Tcpdump

Tcpdump is a very common packet analyzer that is used under a command line for most Unix-like OS. It uses libpcap to capture packets. It can read network packets and write output to stdout or to a file over which a grep-like command can use to filter. Otherwise, we can also apply BPF based filter class to capture only packets for protocols we are interested in.

Kismet

Kismet is an open source wireless network sniffer, and it is capable of detecting 802.11 a/b/g wireless network around. Kismet is a passive sniffer which helps it to discover the hidden wireless networks while keeping itself under covers. It works with wireless cards that support monitor mode, and because it works in passive mode, the client adapter is put into rfmon mode and is not associated with any wireless Access Point (AP) which means that the end point Kismet client cannot maintain a network control. Some features of kismet include:

· Logging standard compatible with tcpdump and Wireshark

· 802.11 sniffing

· Modular architecture- client/server

· Lightweight remote sniffing

Ettercap

It is one of the oldest tools but still very useful one. It is capable of intercepting traffic on a network segment, capturing passwords and is helpful in protocol eavesdropping. It supports features like sniffing of live connections, content filtering, etc. It supports both active and passive dissection of many protocols and includes many features for network and host analysis. It works in 2 main options:

· Unified mode

· Bridged mode

Dsniff

It is a collection of tools written by Dug Song. Some of the members of the toolset include:

· Dsniff: It is a password sniffer which handles protocols such as FTP, HTTP, SMTP, etc. It uses Berkley DB as its output file format

· Dnsspoof: It forges DNS responses for a DNS server on the local network.

· Webmitm: It sniffs HTTP/HTTPS redirected by dnsspoof.

· Sshmitm: It sniffs SSH traffic provided by dnsspoof.

Other members include filesnarf, macof, mailsnarf, sshow, tcpkill, tcpnice, urlsnarf, etc.

inSSIDer

It is a wifi sniffer, and it is available now in commercial version only. It is available for both Windows and OS X (beta version). It scans for wireless networks with your WiFi adapter, and it also lists a lot of useful information about each network like their strengths, measures channel use, etc. It is very similar to operate on both Windows and OS X.

Cain and Abel

Many of you might wonder what Cain and Abel is doing in this list as it is a popular password cracking tool but we need to understand that it inherits the properties of a sniffing tool to obtain passwords. It is designed for Windows only. BPF filters are built into the tool by default though it is mainly built to sniff password and other authentication information from the network. It supports various protocols like FTP, HTTP, IMAP, etc.

Caspa

Caspa comes both as a free and commercial version and is designed for Windows OS only. It works in 3 stages namely: Data capture, Data Analysis, and Data output. In Data capture, it captures the packet by its NDIS and TDI protocol driver. In Data analysis, it analyzes the packets though it’s various analyzers like HTTP analyzer, Email Analyzer, FTP analyzer, IM analyzer, etc. and output the analysis to GUI. Its features are:

· Detection of DDoS, Worm Attack, TCP scanning, etc.

· Supports multiple network monitoring behavior monitoring including HTTP,DNS,FTP etc.

· Powerful conversion analysis.

· In-depth packet decoding.

Aircrack-ng

It is also a suite of tools used to capture wireless traffic and then crack weak keys such as WEP, WPA, WPA2-PSK. It follows following procedure:

· With airmon-ng first wireless network interface is put into monitor mode

· Then with airdump-ng, information about access points which are in range is collected.

· Notice the BSSID and Channel of the AP to be sniffed.

· Now use airodump-ng is used to dump data for AP listed above

· The process can be speed up by aireplay-ng which injects and replay the packets from AP.

· Once the captured data is above 50k, aircrack-ng can be used to crack the WEP keys.

identify a Sniffer

Identifying the type of sniffer can depend on how sophisticated the attack is. It is possible that the sniffer may go undetected for a large amount of time hiding in the network. There is some anti-sniffer software available in the market to catch the intruders but it may be possible that the sniffers get away with it creating a false sense of security. A sniffer can be software installed onto your system, a hardware device plugged in, sniffer at a DNS level or other network nodes etc. Practical networks are complex and so it becomes difficult to identify sniffers. Since identification is tough, we will be discussing ways to render the sniffed information useless to the attacker.

The challenges of sniffing on a switched network in the testing process.

As we are aware that the network follows a layered approach, each layer has a dedicated task that the next layer adds up to it. Till now we have not discussed that on what layer sniffing attacks happen. Sniffing attacks work on various layers depending on the motive of the attack. Sniffers can capture the PDU’s from various layers but layer 3 (Network) and 7 (Application) are of key importance. Out of all the protocols, some are susceptible to sniffing attacks. Secured version of protocols are also available but if some systems are still using the unsecured versions then the risk of information leakage becomes considerable. Let’s discuss some of the protocols that are vulnerable to sniffing attacks.

1) HTTP:

Hypertext transfer protocol is used at layer 7 of the OSI model. This is an application layer protocol that transmits the information in plain text. This was fine, when there were static websites or websites that did not required any input from the user. Anyone can set up a MITM proxy in between and listen to all the traffic or modify that traffic for personal gains. Now when we have entered into the web 2.O world, we need to ensure that the user’s interaction is secured. This is ensured by using the secured version of HTTP i.e. HTTPS. Using https, the traffic is encrypted as soon as it leaves layer 7.

2) TELNET:

Telnet is a client-server protocol that provides communication facility through virtual terminal. Telnet does not encrypt the traffic by default. Anyone having access to a switch or hub that connects the client and the server can sniff the telnet traffic for username and password. SSH is used as an alternate to the unsecured telnet. SSH uses cryptography to encrypt the traffic and provides confidentiality and integrity to the traffic.

3) FTP:

FTP is used to transfer files between client and server. For authentication FTP used plain text username and password mechanism. Like telnet, an attacker can sniff the traffic to gain credentials and access all the files on the server. FTP can be secured by sung SSL/TLS or can be replaced by a more secured version called SFTP (SSH file transfer protocol).

4) POP:

It stands for Post office protocol and is used by email clients to download the emails form the mail server. It also used plain text mechanism for communication hence it is also vulnerable to sniffing attacks. POP is followed by POP2 and POP3 which are little bit more secure than the original version.

5) SNMP:

Simple network management protocol is used for communication with managed network devices on the network. SNMP uses various messages for communication and community strings for performing client authentication. Community strings in effect are just like password that is transmitted in clear text. SNMP has been superseded by SNMPV2 and V3, v3 being the latest and most secure.

Precautionary measures against Sniffing attacks

  1. Connect to trusted networks: Do you trust a free Wi-Fi offered by the coffee shop next door? Connecting to any public network will have a risk that the traffic might be sniffed. Attackers choose these public places exploiting the user’s lack of knowledge. Public networks are setup and then may or may not be monitored for any intrusions or bugs. Attackers can either sniff that network or create a new network of their own with similar names so that the users get tricked into joining that network. An attacker sitting at an airport can create a Wi-Fi with the name of “Free Airport Wi-Fi” and the nearby users may connect to it sending all the data through the attackers’ sniffer node. The word of caution here is that you should only connect to the network you trust – home network, office network etc.   

  2. Encrypt! Encrypt! Encrypt! : Encrypt all the traffic that leaves your system. This will ensure that even if the traffic is being sniffed, the attacker will not be able to make sense of it. One thing here to be noted is that security work on defense in depth principle. Encrypting he data does not mean that now everything is safe. The attacker might be able to capture a lot of data and run crypto attacks to get something out of it. Use of secured protocols ensures that the traffic is encrypted and renders security for the traffic. Websites using https protocol are more secure than the ones that use HTTP – how is that achieved? Encryption.

  3. Network scanning and monitoring: Networks must be scanned for any kind of intrusion attempt or rogue devices that may be setup in span mode to capture traffic. Network admins must monitor the network as well so as to ensure the device hygiene. IT team can use various techniques to determine the presence of sniffers in the network. Bandwidth monitoring is one, an audit of devices which are set to promiscuous mode etc.

Challenges in testing packet sniffers

One way to mitigate against the threat of packet sniffing tools is to try to detect if they are used on the network.

a) Testing in a non-switched network

Detecting tools designed to run in a non-switched environment is difficult. This is because the tools are usually “passive”. They work by putting the network interface card into promiscuous mode, allowing any network traffic that reaches the card to be examined. Akin to a radio receiver, sniffers do not necessarily cause extra, suspicious traffic to be transmitted on the network, so how can they be discovered? A number of techniques can be used to try to detect machines whose network cards are running in promiscuous mode, and likely to be sniffing traffic. Many of the techniques used rely on detecting specific weaknesses in TCP/IP stacks. L0pht’s antisniff28 employs knowledge of the idiosyncrasies of TCP/IP stacks in NT and Unix to detect machines running in promiscuous mode.

b) Testing in a switched network

As part of the Information Security Reading Room Author retains full rights. As indicated previously, sniffing in a switched environment implies a man-in-themiddle attack. Eavesdropping in this case will be “active” in that network traffic will be delivered to the attacking machine, then forwarded onto the true recipient. Detecting this is somewhat easier than detecting the “passive” tools. It is possible to detect techniques such as ARP spoofing – software such as LBNL’s arpwatch29 can detect suspicious ARP network traffic, and inform a network administrator. Newer tools, such as Security Friday’s promiscan30 use multiple techniques to detect sniffers. Ultimately, however, software cannot be relied upon to reliably detect all instances of network sniffing with one hundred percent accuracy.


Related Solutions

Upon the successful completion of this module, you should understand the following concepts: IN YOUR OWN...
Upon the successful completion of this module, you should understand the following concepts: IN YOUR OWN WORDS AND SHOULD BE AT LEAST 100 WORDS 1- Networking 2- Negotiations process 3- Ethics and influencing
Upon the successful completion of this module, you should understand the following concepts: IN YOUR OWN...
Upon the successful completion of this module, you should understand the following concepts: IN YOUR OWN WORDS AND SHOULD BE AT LEAST 100 WORDS 1- Different sources and appropriate uses of power 2- Political behaviour 3- Developing political skills 4- Networking 5- Negotiations process 6- Ethics and influencing
Upon the successful completion of this module, you should understand the following concepts: YOUR OWN WORDS:...
Upon the successful completion of this module, you should understand the following concepts: YOUR OWN WORDS: 1- Message receiving process 2- Importance of feedback 3- Providing coaching feedback 4- Performance formula 5- Mentoring 6- Conflict management styles 7- Conflict resolution model
International Standard in Auditing 560(ISA560) “Subsequent Events”, stipulates that some subsequent events will result in adjusting...
International Standard in Auditing 560(ISA560) “Subsequent Events”, stipulates that some subsequent events will result in adjusting the financial statements while are non-adjusting. Required Explain what makes some events, Adjusting while others Non adjusting items II) For each of the following items, assume that the partner is expressing an opinion on Lafarge’ financial statements for the year ended December 31, 2018; that he completed fieldwork on January 21, 2019; and that he now is preparing his opinion to accompany the financial...
What type of subsequent events may arise on the completion of Audit work? [8 Marks]
What type of subsequent events may arise on the completion of Audit work? [8 Marks]
a)A firm operating under perfect completion is earning an economic profit of K20m, in a long...
a)A firm operating under perfect completion is earning an economic profit of K20m, in a long run, is this a feasible outcome and why? b) what are the implications of a having a kinked demand curve under oligopoly markets c) what is the key different between perfect competition and monopolistic competition?
How does SWOT analysis play a role in successful completion of a project?
How does SWOT analysis play a role in successful completion of a project?
Upon successful completion of the MBA program, imagine you work in the analytics department for a...
Upon successful completion of the MBA program, imagine you work in the analytics department for a consulting company. Your assignment is to analyze the following databases: Hospital Provide a detailed, four part, statistical report with the following sections: Part 1 - Preliminary Analysis Part 2 - Examination of Descriptive Statistics Part 3 - Examination of Inferential Statistics Part 4 - Conclusion/Recommendations Part 1 - Preliminary Analysis Generally, as a statistics consultant, you will be given a problem and data. At...
Suppose as a result of the COVID-19 outbreaks and the subsequent extensive lockdown measures, the Australian...
Suppose as a result of the COVID-19 outbreaks and the subsequent extensive lockdown measures, the Australian economy goes into a deep recession. Assume also that China has somehow avoided the recession as it could successfully contain the virus in the early stage of the spread. Use the exchange rate market model and relevant diagrams to answer the following questions. (a) All else equal, how is this economic weakness in Australia likely to affect the value of the dollar against the...
After completion of mitosis in a human cell, the result is a. genetically identical haploid somatic...
After completion of mitosis in a human cell, the result is a. genetically identical haploid somatic cells b. genetically unique diploid somatic cells c. genetically identical diploid gamete cells d. genetically unique haploid gamete cells e. genetically identical diploid somatic cells
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT