Network Sniffing and Protocol Analysis Overview

Slide Note
Embed
Share

Learn about network sniffing, a process of capturing and interpreting network traffic, its analogies like wiretapping, environmental considerations, and protocol analysis. Understand the risks, authorization requirements, and tools like Wireshark. Explore examples of Nmap Port Scans and monitoring web connections.

rosenblum_a
rosenblum_a Follow

Uploaded on Oct 02, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. JMU GenCyber Boot Camp Summer, 2016

  2. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain valuable information: Usernames and passwords Encrypted Unencrypted E-mail, web requests (and replies), data files Etc. A sniffer is a piece of software that captures network traffic

  3. Analogy - Wiretapping The FBI conducts wiretaps Go to a judge and get a court order authorizing the wiretap Who? What? When? Why? With the help of the phone company, can listen to/record a suspect s phone conversations to obtain evidence

  4. Analogy Wiretapping (cont) Sniffer allows an administrator (or attacker) to record/listen in on conversations between computers May need authorization to monitor network traffic Electronic Communications Privacy Act https://www.cdt.org/issue/wiretap-ecpa May not need authorization to monitor network traffic Trap and Trace / Pen register Consent May not care - attackers

  5. Sniffing - Environment Some networks use shared media so passive sniffing is very easy Network interface cards can be placed in promiscuous mode so that they do not ignore traffic to other hosts Wireless network traffic can also be captured (but may be encrypted) Sniffing is more difficult (but not impossible) in switched environments

  6. Protocol Analysis Captured network packets contain binary data which is difficult to interpret Most sniffers include a protocol analysis component which organizes and displays the (human-readable) contents of the traffic Example: Wireshark

  7. Example An Nmap Port Scan Target host: 192.168.78.141 Start Wireshark Source host: 192.168.78.142 Perform a TCP-connect scan nmap sT <target host> View results

  8. Example A Web Connection Target host: 192.168.78.141 Start Wireshark Source host: 192.168.78.142 Open a text-based web browser Get default web page on the target host View results

  9. Example An FTP Connection Target host: 192.168.78.141 Start Wireshark Source host: 192.168.78.142 Use the ftp client ftp <target host> View results

  10. Example An SFTP Connection Target host 192.168.78.142 Source host 192.168.78.141 Use the sftp client sftp guest@<target host> View results

  11. Man-in-the-Middle In a switched environment a host only receives: Traffic destine for itself Broadcast traffic Cannot see traffic between other hosts Man-in-the-middle = insert yourself as an (undetected) intermediary between communicating hosts

  12. Man-in-the-middle (cont) Normal: I Alice Bob Man-in-the-middle: I Alice Bob

  13. Man-in-the-middle (cont) How to achieve man-in-the-middle in a switched environment? Exploit address resolution protocols

  14. Address Resolution All network communications must be carried out over physical networks Each machine has a unique physical address Programs (and humans) use IP addresses to specify the machine to which a message is sent The address resolution problem need to map IP address to physical address

  15. The Address Resolution Problem Hosts A and B are on the same physical network B wants to communicate with A but only knows A s IP address A B C D E

  16. The Address Resolution Protocol (ARP) Host A wants to resolve the IP address IB Host A broadcasts a special (ARP) packet that asks the host with IP address IB to respond with its physical address All hosts receive the request Host B recognizes its IP address Host B sends a reply containing its physical address

  17. ARP Phase 1: A X B Y Phase 2: A X B Y

  18. ARP Caches Each host maintains a cache of recently- used mappings Information in the cache expires after a set time has elapsed When sending an ARP request a host includes its IP-to-physical address binding All machines on a physical network snoop ARP packets for mappings

  19. Demo ARP Cache Host.141 has not communicated with .143 .141 s ARP cache probably doesn t contain an entry for .143 Host .141 makes a web request to .143 ARP for .143 s physical address Added to .141 s cache Web request sent and reply received

  20. ARP Cache Poisoning Broadcast ARP replies associating your physical address with a given IP address Other hosts receive this message and put the mapping into their ARP cache When a machine wants to communicate with the given IP address it sends the frame to your physical address You read the frame and then forward it on to the real destination host

  21. Cain and Abel A man-in-the-middle LAN attack tool Sniffer Protocol analyzer URL: http://www.oxid.it/cain.html Can be used to poison hosts ARP caches

  22. Demo ARP Cache Poisoning Hosts .142 and .143 may or may not have communicated ARP caches may or may not contain entries for each other Start Cain (on .141) and poison both .142 and .143 s ARP caches: .142 s HW address associated with .141 s IP .143 s HW address associated with .141 s IP

  23. ARP Cache Poisoning - Result .142 and .143 will communicate with each other May not realize that their communications are flowing through a third-party All communications will flow through .141 .141 can read/store traffic .141 forwards between the two hosts

  24. Example An FTP Connection Switched Environment Source host: .143 Destination host: .142 Attacker: .141 Using: Cain and Abel

  25. ARP Poisoning Can: Read traffic Modify traffic

  26. Example DNS Spoofing Switched Environment Source host: .143 Destination host: Google Attacker: .141 Using: Cain and Abel

  27. Example SSH Downgrade Switched Environment Source host: my laptop Destination host: .147 Attacker: .141 Using: Cain and Abel

  28. ARP Poisoning What attackers look for: Sensitive, unencrypted communications Web requests/replies, e-mail, FTP Weakly-encrypted communications Old versions of SSH, RDC

  29. ARP Poisoning - Countermeasures Static ARP tables/smart switch ARPwatch IDS

  30. Summary Network traffic may contain valuable information: Usernames and passwords Encrypted Unencrypted E-mail, web requests (and replies), data files Etc. ARP poisoning can allow an attacker to capture and modify network traffic as a man-in-the-middle: Cain and Abel

Related


Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

gwendolyn
Understanding Mobile Computing and TCP/IP Protocol Suite

Understanding Mobile Computing and TCP/IP Protocol Suite

ambrosia
Understanding EIGRP: A Comprehensive Overview

Understanding EIGRP: A Comprehensive Overview

rebeca
Understanding Novell NetWare: A Comprehensive Overview

Understanding Novell NetWare: A Comprehensive Overview

park_ig
Understanding User Datagram Protocol (UDP) in Unix and Network Programming

Understanding User Datagram Protocol (UDP) in Unix and Network Programming

mordecaih
Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

aimenmo
Understanding Snort: A Comprehensive Overview

Understanding Snort: A Comprehensive Overview

emry520
MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

chace
Understanding EIGRP Network Protocol

Understanding EIGRP Network Protocol

balzano_m
Adaptive Tree-based Convergecast Protocol

Adaptive Tree-based Convergecast Protocol

zofia
London Homeless Coalition (LHC) Death Communication Protocol

London Homeless Coalition (LHC) Death Communication Protocol

cinder
Sync HotStuff: Practical Synchronous State Machine Replication

Sync HotStuff: Practical Synchronous State Machine Replication

buffaloe_w
Understanding OSI Model and TCP/IP Protocol Suite

Understanding OSI Model and TCP/IP Protocol Suite

marlie
Enhanced Family Court Police Disclosure Protocol for 2024

Enhanced Family Court Police Disclosure Protocol for 2024

kloa
Essential Elements of Clinical Trial Protocols

Essential Elements of Clinical Trial Protocols

rjmi
Understanding Network Time Protocol (NTP) for Clock Synchronization in Distributed Systems

Understanding Network Time Protocol (NTP) for Clock Synchronization in Distributed Systems

agak455
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

ted
Understanding Network Analysis: Whole Networks vs. Ego Networks

Understanding Network Analysis: Whole Networks vs. Ego Networks

kayliee
Network Slicing with OAI 5G CN Workshop Overview

Network Slicing with OAI 5G CN Workshop Overview

justice
Understanding Man-in-the-Middle Attacks and Network Security Threats

Understanding Man-in-the-Middle Attacks and Network Security Threats

crash
Important Networking Concepts Overview

Important Networking Concepts Overview

bernice
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

muey769
Instant Communications in Emergency Situations: Clear Channel Network Protocol

Instant Communications in Emergency Situations: Clear Channel Network Protocol

ewell
Modernizing Network Security with nQUIC Noise-Based Packet Protection

Modernizing Network Security with nQUIC Noise-Based Packet Protection

katarina

More Related Content

Understanding ARP, ICMP, and DHCP in TCP/IP Protocol Stack
Understanding ARP, ICMP, and DHCP in TCP/IP Protocol Stack
Introduction to Network Analysis Using .NET
Introduction to Network Analysis Using .NET
Network Monitoring Workshop - Incident Response Overview
Network Monitoring Workshop - Incident Response Overview
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Overview of Inter-Display Protocol Standardization with Wayland/Weston
Overview of Inter-Display Protocol Standardization with Wayland/Weston
Overview of HTTP Protocol and Output Control Functions
Overview of HTTP Protocol and Output Control Functions
Network Compression Techniques: Overview and Practical Issues
Network Compression Techniques: Overview and Practical Issues
Web App Security: Common Attacks and Preventive Measures
Web App Security: Common Attacks and Preventive Measures
Understanding SNMP (Simple Network Management Protocol)
Understanding SNMP (Simple Network Management Protocol)
Analytical Strategies for Identifying Off-Note in Fragrances
Analytical Strategies for Identifying Off-Note in Fragrances
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava
Meridian: An SDN Platform for Cloud Network Services
Meridian: An SDN Platform for Cloud Network Services
Understanding Routing Protocols in Network Layer
Understanding Routing Protocols in Network Layer
Understanding TCP Protocol and Reliability in Networking
Understanding TCP Protocol and Reliability in Networking
Understanding the Key Articles of the Nagoya Protocol on Access to Genetic Resources and Benefit-Sharing
Understanding the Key Articles of the Nagoya Protocol on Access to Genetic Resources and Benefit-Sharing
Local MAC Address Assignment Protocol (LAAP) and 802.1CQ
Local MAC Address Assignment Protocol (LAAP) and 802.1CQ
Understanding I2C Bus Interface and Protocol
Understanding I2C Bus Interface and Protocol
Understanding Snort: An Open-Source Network Intrusion Detection System
Understanding Snort: An Open-Source Network Intrusion Detection System
Understanding the Nagoya Protocol on Access and Benefit Sharing
Understanding the Nagoya Protocol on Access and Benefit Sharing
Maine EMS 2019 Protocol Update: Final Thoughts and Training Considerations
Maine EMS 2019 Protocol Update: Final Thoughts and Training Considerations
Network Design Challenges and Solutions in Business Data Communications
Network Design Challenges and Solutions in Business Data Communications
International Relations and Protocol Division Presentation to Presiding Officers on Operations
International Relations and Protocol Division Presentation to Presiding Officers on Operations
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords