Module Objectives

Upon completion of this module you will be able to understand the fundamental concepts of sniffing and its use in hacking activities. Sniffers can be of great help to a network administrator as well and can aid in securing the network by detecting abnormal traffic.

In this module you will be presented with:

• An overview of sniffers (sometimes known as network protocol analyzers)

• A cracker's perspective in using tools such as sniffers

• Basic distinctions between active and passive sniffing

• Understanding attack methodology such as ARP Spoofing and redirection,

• DNS and IP Sniffing and Spoofing

• HTTPs Sniffing and

• Illustrations of various tools that are used in the above context.

Readers are encouraged to read the references cited in earlier modules regarding various network protocols for a better understanding of this module.

 

Concept

A sniffer is a piece of software that captures the traffic on a network. They are available for several platforms in both commercial and open -source variations. Some of simplest packages use a command line interface and dump captured data to the screen, while sophisticated ones use GUI, graph traffic statistics, track multiple sessions and offer several configuration options.

Sniffers are also the engines for other programs. Network Intrusion Detection Systems (NIDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange . Network utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis. It is to be noted that sniffers do not intercept or alter the data it captures.

The most common way of networking computers is through Ethernet. The Ethernet protocol works by broadcasting packets to all hosts on the network, with the packet header containing the MAC address of the machine that is meant to receive the packet. All others are supposed to ignore it. A NIC (Network Interface Card, also known as Ethernet card) that is accepting all packets, regardless of the intended machine is said to be in promiscuous mode. A sniffer is a program that sets the desired NIC into promiscuous mode.

Threat

A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network. This is what is known as a passive attack because the attacker does not directly interface with any machine which the attacker may be trying to compromise.

Before we can explore how some sniffing tools are used by attackers towards malicious ends, let us examine what enables the tool to work. However, on a LAN, several PCs share a common connection to the Internet. The devices that come into play here include hubs, switches and routers among others.

A switch performs the layer 2 or Data-Link layer function. That is, it simply looks at each packet or data unit and determines from a physical address (the "MAC address") which device a data unit is intended for and switches it out toward that device. A hub is a place of convergence where data arrives from one or more directions and is forwarded out in one or more other directions. The distinction seems to be that the hub is the place where data comes together and the switch is what determines how and where data is forwarded from the place where data comes together.

If the network is not switched, the traffic destined for any machine on a segment is broadcast to every machine on that segment. This means that a computer actually sees the data traveling to and from each of its neighbors, but ignores it, unless otherwise instructed.

The sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, (a status that requires administrative or root privileges) a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card. A sniffer can therefore peel away the layers of encapsulation and decode the relevant information stored within. This includes information such as source computer, destination computer, targeted port number, payload etc - in short, every piece of information exchanged between two computers.

 

Note

A packet sniffer is nefariously known for its ability to "sniff" plain text passwords. On a normal LAN there are thousands of packets being conversed by numerous machines every minute. Therefore, anything transmitted in plaintext, such as passwords, web pages, database queries and messaging over the network will be vulnerable to sniffing.

A sniffer can easily be customized to capture specific traffic like telnet sessions or e-mail. Once network traffic has been captured, an attacker can swiftly extract sensitive information such as logins, passwords and the text of messages to extend their attack. The disturbing part of the entire process is that users may remain clueless about the leakage of information until they are visibly compromised. This is because sniffers cause no damage or disturbance to a network environment.

Data is transmitted in the binary form over the network. Packet sniffers capture binary data passing through the network, and most of them decode this data into a human readable form. Another feature supported by popular sniffers is protocol analysis. This makes it even easier for attackers, as they can target specific protocols in accordance with their intent.

On most sniffers there is a varying degree of the analysis that takes place. This may be simple analysis involving just breaking down the information packet. Others are more complex involving detailed information contained in the packet (i.e., highlights a password for a service). We will explore some sniffers in this module and see the functionality offered by them.

It must be borne in mind that sniffer have beneficial applications as well. In fact, majority of them were designed for legitimate purposes. However, like double edged swords, the end sought by their means lies in the mind of the user .

 

Tools

Ethereal is a free network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. Interactive browsing of the captured data, viewing summary and detailed information for each packet are part of the basic functionality of the sniffer. Ethereal has several powerful features, including a display filter language and the ability to view the reconstructed stream of a TCP session.

Recent versions of Ethereal have included many enhancements to the interface. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms). Let us take a closer look. We run Ethereal over the LAN (which is not switched) and take a look at the captured data. We sort by the protocol and notice a POP session.

Ethereal lets us follow the entire conversation as shown in the screenshot below.

We are able to reconstruct the client-server conversation as displayed by two different colors. We are able to make out the email service provider, the user name and password from the reconstruction of the sniffed packets. That is not all. We were also able to pick a chat thread from the thousands of packets that passed by in the two minutes.

 

Tools

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching.

Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host. In our lab, we start using Snort as a packet sniffer and a packet analyzer. Apart from running in a promiscuous mode, we will also see how it will help us log interesting IPs. Using Snort as a packet sniffer and packet analyzer is an easy process. The man pages are very helpful.

From the command line prompt we set Snort to a verbose display of the packets sniffed and analyzed . e.g. - The command given below captures all the packets belonging to the class C internal IP's of the type 192.168.20.*.

C:\>snort -v -d -e -i etho -h 192.168.20.0/24 ^- 1 log

The '-v' switch brings forth a verbose response.

The '-d' switch helps in dumping the decoded application layer data

While '-e' shows the decoded Ethernet headers.

The '-i' switch specifies the interface to be monitored for packet analysis.

The '-h' switch specifies which class of network packets has to be captured.

The -l option tells snort to dump the packets in the log file.

The packets are captured in hex format by default (this can be changed to binary -b) and sorted by IP address to facilitate easy mapping and decoding of data.

06/22-16:36:44.959860 0:C1:26:E:AF:10 -> 0:A0:C5:4B:52:FC type:0x800 len:0x4D

192.168.2.96:1629 -> 203.124.250.69:53 UDP TTL:128 TOS:oxo ID:38429 IpLen:20 DgmLen:63

Len: 43

00 02 0100 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www

09 61 69 72 6C 69 6E 65 72 73 03 6E 65 74 00 00 .airliners.net..

01 00 01 ...

 

Tools

WinDump is the porting to the Windows platform of tcpdump, the most prolific network sniffer/analyzer for UNIX. Porting is currently based on version 3.5.2. WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules.

WinDump is simple to use and works at the command prompt level. The syntax that we have used as seen in our screenshot here, is Windump -n -S -vv. The -n option tells Windump to display IP addresses instead of the computers' names . The -S option indicates that the actual TCP/IP sequence numbers should be shown. If this option is omitted, relative numbers will be shown. The -vv options make the output more verbose, adding fields such as time to live and IP ID number to the sniffed information.

Let's take a closer look at how WinDump records various types of packets. Here's a TCP example, which shows a data packet with the PUSH and ACK flags set. First, we have the WinDump log entry for the packet. Immediately after it is the same entry, but with an explanation added for each field:

20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)

The above entry can be deciphered as 20:50:00.037087 [timestamp] IP [protocol header follows ] (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 [source IP:port] > 64.12.24.42.5190: [destination IP:port] P [push flag] [tcp sum ok] 157351:157357 [sequence numbers] (6) [bytes of data] ack 2475757024 [ acknowledgement and sequence number] win 8767 [window size ] (DF) [don't fragment set]

The next example is UDP.

20:50:11.190427 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 6071, len 160) 192.168.2.28.3010 [source IP:port] > 192.168.2.1.1900: [destination IP:port] udp [protocol] 132

ICMP log entry looks as given below.

20:50:11.968384 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 8964, len 60) 192.168.2.132 [source IP] > 192.168.2.1: [destination IP] icmp [protocol type] 40: [Time to live] echo request seq 43783 [sequence number]

Finally, WinDump will also capture ARP requests and replies.

20:50:37.333222 [timestamp] arp [protocol] who-has 192.168.2.1 [destination IP] tell 192.168.2.118 [source IP]

20:50:37.333997 [timestamp] arp [protocol] reply 192.168.2.1 [destination IP] is-at 0:a0:c5:4b:52: fc [MAC address]

 

Tools

EtherPeek can capture packets in multiple configurable Capture windows, each with its own dedicated capture buffer.

It not only does a very good drill-down all the way to byte level, properly categorized by header etc., it has an expert feature that quickly analyzes all the packets and presents the user with categories of groups of packets worth looking further at. It even has a packet generator that lets the user create/replay/alter packets for transmission.

EtherPeek has a visual interface and a drilldown capability that is helpful. For instance, we could get a graphical output of our capture. Note the other tabs in the screenshot below. A hacker can study his packet capture according to the protocol, nodes on the network, filter conversations and apply filters to check interesting packets.

We tried to follow a large packet and the tool could give us a detailed analysis as shown in the screenshot below.

We wanted to probe further. EtherPeek lets us select related packets by several options. We chose conversation. EtherPeek lets us build packets in the order of exchange. Etherpeek builds the webpage (as it is HTTP protocol) and we are able to read the data as we would read it on the original page itself. For instance an attacker can intercept mails , passwords, instant messages etc.

EtherPeek also lets the user search for a particular pattern across packets to find relationships etc.

 

A packet sniffer is seldom the only tool used for an attack. This is because a sniffer can work only in a common collision domain. A common collision domain is a network segment that is not switched or bridged (i.e. connected through a hub). Any traffic that is not switched or bridged on a network segment can be seen by all machines on that segment. As sniffers gather packets at Data Link Layer it can potentially grab all the packets on the LAN of the machine running the Sniffer program.

This is because on a network with a hub implements a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a Sniffer on one system on LAN, he can gather data sent to and from any other system on the LAN. Majority of the Sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers as they passively wait for the data to be sent and capture them. They are efficient in silently gathering the data from the LAN.

Note

In passive sniff ing, the intruder gets access to the network by any of the following methods . By compromising the physical security. An example of this can be the intruder walking into the building with his laptop and capturing data by plugging in to access the network. Using a Trojan horse. Many Trojans have sniffing capability built into them. For instance, the Back Orifice server has a plugin known as "Butt Trumpet". Butt Trumpet will send the attacker an email when the server has been installed. Once the attacker knows that the victim's machine has been compromised, the attacker can then install a packet sniffer and use it.

 

One countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub based network, switched ethernet does not broadcast all information to all systems on the LAN. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target.

In other words, the main difference between a switch and hub is that while a hub has no mapping, and thus broadcasts line data to every port on the device, a switch looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch.

The switch thereby limits the data that a passive sniffer can gather. If there is a passive sniffer activated on a switched LAN, the sniffer will only be able to see data going to and from one machine - i.e. the system on which it is installed.

However, it must be noted that the development of switched networks was driven by the need for more bandwidth, and not for the need of more secure networks. Since the evolution was not driven by security needs, there are ways to circumvent this network posture and sniff the traffic.

So how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. Hence the term 'active sniffing'. Some of the methods used in the attack include ARP Spoofing, MAC Flooding and MAC Duplicating etc.

 

In a switched network, the ARP table ensures that IP addresses are mapped to MAC addresses . However, this does not stop sniffing, as we see in ARP Spoofing. One way to sniff in a switched network is to convert the functionality of a switch to that of a hub.

In other words, to make a switch change its default directed output to broadcast method . One way of accomplishing this is to foil the switch by flooding the network with too many frames. When this happens, some switches become unable to perform the IP to MAC mappings and then "fail out" to broadcasting.

Tools

EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so that sniffing of the switched network traffic is possible.

 

Tools

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

Written by Dug Song, this collection of tools (bundled with the main dsniff utility) has certain unique functionality. However, they can be categorized as having similar baseline functionality. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy can be used to sniff on a compromised host behind a firewall and look for interesting content.

These tools can be put to good use by network administrators or be used to obtain sensitive information such as login information that is sent in the clear or is weakly encrypted. These tools can also auto detect various messaging protocols (about 30 are included) when dsniff is launched with the "-m" option.

urlsnarf is capable of intercepting all http requests from the network it is deployed on, and formatting them into the Common Log Format (CLF) used by MS IIS and Apache. This makes it possible to conduct a log analysis by using suitable programs to interpret the results obtained from urlsnarf. urlsnarf is hard-coded to listen on ports 80 (where clear text http resides) as well as port 3128 (MS-proxy) and 8080 (generic proxy).

arpspoof, dnsspoof, and macof work on the interception of switched network traffic that is usually unavailable to a sniffer program due to the segment switching that occurs at the ISO layer 2 level. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

 

A possible way to sniff information would be to control an ARP table of a computer. ARP spoofing involves changing the MAC to IP address entries, causing traffic to be redirected from the legitimate system to an unauthorized system of the attacker's choice.

This is achieved by sending out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened .

Attack Methods

Let us take a closer look at the attack methodology. There are switches that are not foiled by MAC flooding. These switches stop storing new MAC addresses once their memory reaches a given limit. In this scenario, an attacker can use DSniff's tool called arpspoof. arpspoof allows an attacker to manipulate ARP traffic on a LAN by redefining the ARP table.

Usually, such attempts are preceded by the scanning and enumeration phases where the attacker draws up a map of the network and discovers the network topology. Looking at the network topology the attacker can decipher the IP address of the default router for the LAN. He then sets up the attack by configuring the IP layer of the attacker's machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding). The next step in the attack is sending the fake ARP replies to the victim's machine.

This ARP changes the victims ARP table by remapping the default router's IP (layer 3) to attacker own MAC address (layer2). The victim machine sends the data, forwarding it to what it thinks is the default router (but unknowingly using the attackers MAC address).

The attacker sniffs the information using any kind of sniffing tool. The attacker's machine will promptly forward the victim's traffic to default router on the LAN. Upon reaching the default router the traffic is transmitted to the outside world. The attacker is now sniffing in a switched environment.

 

One of the precautionary measures advocated to check information leakage by sniffing, is to use a secure protocol. While the S's in HTTPS, SSL and SSH stands for secure, the underlying basis of this is a trust relationship between public keys.

When an HTTPS connection is established, the server sends a certificate which the browser verifies. This certificate is like a digital driver's license identifying the Web server - that, it is indeed who it claims to be. This is endorsed by a certification authority by placing its digital signature on the certificate.

The browser on its part verifies the signature on the certificate to ensure that it is authentic and to verify server's identity. If the certificate was signed by a trusted Certificate Authority, an SSL connection will be established. Now, an SSL connection uses a session key to encrypt all data sent by server and client.

On the other hand, SSH does not support digital certificates though it is based on the public key cryptography. With SSH, a session key is transmitted in an encrypted fashion using a public key stored on the server. As such, these protocols SSL and SSH are sound from a security standpoint. The problem however lies in the basis of these protocols, namely trust certificates and public keys.

For SSL, if a web server sends the browser a certificate and if the browser does not recognize the certificate, it will prompt the user for his consent /approval to accept the certificate. For SSH the user will be warned that server's public key has changed. Nevertheless, he will still be permitted to establish connection to the server, thereby exposing him to attacks. Let us see how dsniff can be used by crackers to exploit this aspect.

 

Attack Methods

How does an attacker exploit this vulnerability using a tool such as dsniff? The attacker will use webmitm and sshmitm tools from the dsniff package for attacking HTTPS or SSH.

Attackers position themselves between two systems and actively participate in the connection to gather data. The attacker may also run the dnsspoof program configured to send false DNS information so that a DNS query for a given website will resolve to the attacker's IP address. Then the attacker will activate webmitm program such that it will transparently proxy all HTTP and HTTPS traffic it receives.

The DNS spoof program detects DNS request for www.website.com and redirects the client to attacker's machine. The ARP table convinces the victim's machine that it is indeed talking to the intended web server. The victim's browser starts to establish a secure connection.

All messages for establishing SSL connection are sent to webmitm running on the attacker's machine. webmitm acts as a SSL proxy, establishing two SSL connections - one from victim to the attacker's machine and the other from attacker's machine to the actual web server. When establishing the SSL session between the victim machine and the attacker machine, webmitm will send the attacker's own certificate.

The victim's browser will notice that the certificate is not signed by a trusted Certificate Authority and show a message to the user asking the user whether to accept this un-trusted certificate or not. The normal tendency is to accept it, thinking it is some error message.

 

Each of the tools included in the dsniff distribution has some unique function. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network. By overloading the switch, a hacker could have access to all the data passing through the switch.

Tools

One tool for doing this is called "macof. Dsniffs "macof" generates random MAC addresses exhausting the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches than revert to acting like a hub.

The whole process of sniffing another's mail becomes an easy task with mailsnarf. Once the attacker has access to the target subnet, he can use mailsnarf to capture mail traffic that passes through the network subnet or Ethernet switch.

Tools

Mailsnarf makes it possible to save the messages in standard mail format, so that the attacker can use just about any e-mail client to read what is captured as easily as he can read mail from his inbox. Mailsnarf reassembles and displays e-mail traffic in a legible manner, thus enabling the attacker to read other users' e-mail in real time.

Tools

urlsnarf is a tool for monitoring Web traffic. urlsnarf grabs all the HTTP requests from the captured network traffic and outputs the results in the Common Log Format (CLF), as used by Web servers such as Apache or IIS.

The only drawback of urlsnarf is that at present, it is hard coded to monitor TCP ports 80 (clear-text HTTP), 3128 (MS-proxy), and 8080 (generic/squid proxy). HTTP traffic going to other TCP ports is ignored. Because urlsnarf generates output as CLF log lines, the output can be piped to any log analysis program that uses CLF Web server logs.

Tools

The webspy package (webspy.exe) is a hacking tool. By the usage webspy 111.111.111.111 the program intercepts all HTTP traffic to and from the IP addresses 111.111.111.111 and passes it off to a local browser. This will open Netscape or IE and the traffic sent to the attacker's browser will match that of the target. He can then follow targets around as they surf the net. However, Webspy won't follow targets over ssl connection or reveal information entered into form fields (like passwords).

 

Tools

Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (including ciphered ones) and includes many features for network and host analysis. It has several features that make it a popular sniffer with the security community and the black hats as well.

With Ettercap, the attacker can emulate commands on behalf of the server or choose to emulate replies on behalf of the client. This is usually done to keep the connection alive . This makes it possible for the attacker to sniff login information, username and passwords, and even the data of a SSH1 connection in a full duplex mode. The attacker can sniff http SSL secured data even if the connection is made via a proxy server. He is also capable of sniffing remote traffic through a GRE tunnel from a remote Cisco router and making a man in the middle attack on it. He can perform man in the middle attack against PPTP tunnels as well. He can be innovative and create his own plug-ins using ettercap's API. Attackers can set up filters that search for a particular string (even hex) in the TCP or UDP payload and replace it with their payload or drop the entire packet. They can fingerprint the OS of the victim host including its network adapter using ettercap.

Ettercap makes it possible for attackers to issue selective denial of service by killing select connections from the connections list. They can traverse the LAN and enumerate hosts in the LAN, gather information about open ports, services version, type of the host (gateway, router or simple host) and estimated distance in hop. They can also connect to a port with a client and decode unknown protocols or inject data to it (only in arp based mode). Apart from the above, the attacker can choose to guard his territory by actively or passively finding other poisoners on the LAN. The website has a forum where further detailed technical details are discussed by the authors.

 

Tools

SMAC is a Windows MAC Address Modifying Utility that allows users to change MAC address for most Network Interface Cards (NIC) on the Windows 2000, XP, and 2003 Server systems. This is irrespective of whether the manufactures of the cards permit the change. It must be noted that SMAC does not burn a new address on the hardware and the new MAC addresses the user change will sustain from reboots..

SMAC has 2 modes of operation: [WBEM ON] and [WBEM OFF]. If the "Windows Management Instrumentation (WMI)" service is running, it will be running on [WBEM ON] mode. Otherwise, it is on [WBEM OFF] mode. The [WBEM ON] mode shows more information. The tool also allows the user to log and track SMAC activities.

SMAC takes advantage of the NdisReadNetworkAddress function in the Microsoft Device Driver Development Kit (DDK.) NdisReadNetworkAddress(...) is called by the network adapter driver to obtain a user specified MAC address in the registry. After the driver confirms that there is a valid MAC address specified in the registry key, the driver then programs the MAC address to its hardware registers to override the burnt-in MAC address.

SMAC was designed originally as a security vulnerability testing tool for MAC address authorization and authentication systems, Intrusion Detection Systems and MAC address based software licenses testing tool. When changing MAC address, the user must ensure that they assign MAC addresses according to IANA Number Assignments database.

 

Tools

MAC changer is a Linux utility for setting a specific MAC address for a network interface. It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor. The user can also set a MAC of the same kind (e.g.: wireless card). It offers a choice of vendor MAC list (more than 6200 items) to choose from. The latest version is 1.3 and it offers more than 35 wireless cards as well.

Usage Examples:

# macchanger eth1

Current MAC: 00:40:96:43:ef:9c [wireless] (Cisco/Aironet 4800/340)

Faked MAC: 00:40:96:43:ef:9d [wireless] (Cisco/Aironet 4800/340)

# macchanger -A eth1

Current MAC: 00:40:96:43:39:a6 [wireless] (Cisco/Aironet 4800/340)

Faked MAC: 00:10:5a:1e:06:93 (3Com, Fast Etherlink XL in a Gateway 2000)

 

Tools

Iris is an advanced data and network traffic analyzer, a "sniffer", that collects, stores, organizes and reports all data traffic on the network. Iris has advanced integrated technology that allows it to reconstruct network traffic, all with a push of a button.

Iris can reconstruct raw data in packets and turn it into complete HTTP, SMTP and POP3 sessions in their original format. The user can view both outgoing and incoming email messages, web browsing sessions, instant messenger exchanges, non-encrypted web-based email and FTP transfers. Using this, the user can set up automated screens to monitor the Web-browsing patterns of the network. With Iris, the user is able to read the actual text of an email - as well as any attachments - exactly as it was sent. Iris will reconstruct the actual html pages that network users have visited and even simulate cookies for entry into password-protected websites .

Iris provides a larger variety of statistical measurements such as pie charts and bar graphs, and provides information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. Iris' Packet Editor gives the ability to create custom or spoof packets and to send them across the Internet, to specific ports or addresses, or repeatedly across the network. Iris has a fast packet injector that handles up to 9000 packets per second.

Iris can be easily configured to only capture specific data through any combination of packet filters. Packet filters can be based on the hardware or protocol layer, any number of key words, MAC or IP address, source and destination port, custom data and size of the packets. ^[1]

 

Tools

NetIntercept from Sandstorm enterprises belongs to the category of Network Forensics Analysis Tools (NFAT) that is gaining popularity these days. Using a network forensics tool a user can spy on people's email, learn passwords, determine Web pages viewed , and even spy on the contents of a person's shopping cart. The tremendous power these forensic tools have over today's networks makes them subject to abuse. The difference is in range or depth of network monitoring. These tools can be used for full content network monitoring - not just filters.

NetIntercept 1.2 captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel. The capture subsystem runs continuously, whether or not the GUI is active. NetIntercept performs stream reconstruction on demand. When the user selects a range of captured network traffic to analyze, NetIntercept assembles those packets into network connection data streams. The reconstructed streams are then presented to the NetIntercept analysis subsystem for identification and analysis. Once TCP streams are reconstructed and parsed, some of the objects that they contain need to be stored for long periods of time. Examples of such objects are web pages, files transferred by FTP, and e-mail attachments.

Besides controlling data capture and analysis, the GUI offers sophisticated search criteria. A user can find one or many network connections according to the time of day, source or destination hardware or Internet address, source or destination TCP or UDP port name or number, username associated with the connection, electronic mail sender, recipient(s) or subject header, file name or World Wide Web URI associated with the transfer, specific protocols or content types recognized in the connection's contents. Once a connection has been identified, the user can drill down to view the search criteria extracted from it. ^[2]

 

Concept

DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address. Let us see how this is done.

Typically, a DNS Server contains the records only for the machines of the domain it has authority over. If it has to answer queries about machines outside its domain, it has to send a request to the other DNS Server which handles these machines. As frequent communication is not practical, the DNS server keeps a cache and stores in it all the replies returned by other DNS servers.

When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.

Attack Methods

The attack methodology goes like this. The attacker sends a request to the target DNS Server asking it to resolve www.attacker.com (attacker's domain). As the target DNS does not have the pointing record in its cache, it seeks the answer from the responsible name server (which is the attacker's DNS server). While replying to the target DNS server, the hacked DNS server transfers all the records, including the manipulated records, to the target server. This process is called zone transfer. The DNS server is poisoned as long as the cache is not cleared or updated. This way, the attacker can make some records point to spoofed addresses or even remain silent and let all the traffic pass through his server.

Countermeasures

Countermeasures include implementing much of the anti-spoofing rules on the border routers of network. This can be as simple as not allowing anything out with a source IP address not belonging to the network or anything in with a source IP address belonging to the network.

The next level of protection can reside on the access routers. This could also be used in order to prevent IP spoofing at its most common source. While these filters can be sometimes tricky when it comes to combining dynamic IP and 'multi-POP' static IP routing, if implemented well, these filters can completely prevent IP spoofing that originates from an access network.

 

Tools

This is a simple tool for spoofing the DNS ID for Windows 9x/2K. In order to use the user must be able to sniff traffic of the computer being attacked. However, it does not work in a switched network, as a switched network requires ARP Cache Poisoning tools like winarp_sk or winarp_mim.

A personal firewall must be configured to block UDP 53 destination port to check outgoing DNS traffic in order to ensure that the DNS Server does not answer before WinDNSSpoof does. The working of WinDNSSpoof then takes care of spoofing only those packets that are required to - while the rest are allow to go through. This is made possible by specifying the MAC address of the DNS server or the default gateway in case the DNS server is in another network.

Usage: wds -h

Example: wds -n www.targetsite.com -i 216.239.39.101 -g 00-00-39-5c-45-3b