Today let us know about Sniffing attacks, what are sniffing attacks? What are all different types of sniffing attacks and How to defend against sniffing attacks online. So lets get started..
Packet sniffing is a process of monitoring and capturing all data packets passing through a given network using software or hardware device.
Attackers use sniffers to capture data packets containing sensitive information such a passwords, bank account information,etc..
Types of sniffing:
Passive Sniffing: It means sniffing through a hub, on a hub the traffic is sent to all the ports. As per modern days hub usage is out-dated and replaced by switches.
Active Sniffing: It is used to sniff a switch-based network. It involves injecting ARP packets into the network to flood the switches.
Protocols Vulnerable to sniffing:
1).HTTP: Data Sent in clear text
2).TELNET and Rlogin: Keystrokes including usernames and passwords
3).POP: Passwords and data sent in clear text
The types of sniffing attacks are:
*MAC Flooding: It involves flooding switch with numerous request. Switches have the limited memory in CAM(Content Addressable Memory) table. It involves flooding of CAM table with fake MAC address and IP pairs until it is full. Switch then acts as a hub broadcasting messages to all the machines in the network and attackers can sniff the traffic easily.
macof is a linux tool that is a part of dsniff collection. It sends random source MAC and IP address. This tool floods the switch’s CAM tables by sending bogus MAC entries.
Yersinia is another popular tool that performs MAC Flooding
Defending against MAC Flooding attacks:
Configure your Port security on CISCO Switch, which can be used to restrict inbound traffic from only a selected set of MAC addresses and limit MAC flooding attack.
DHCP Starvation attack:Attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope. This results in failure to obtain or renew an IP address requests via DHCP by a legitimate user.
DHCP attack tools:
Rogue DHCP Server attack: Attacker sets rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses which results in the compromised network access.
Defending against DHCP Starvation attack and Rogue DHCP erver attacks:
*Enable port security to defend against DHCP starvation attacks which drops the packets from further MAC’s once the limit is reached.
*Enable DHCP Snooping that allows switch to accept DHCP transaction coming only from a trusted port.
*Address Resolution Protocol(ARP) Posioning: ARP packets can be forged to send data to attackers machine. It involves constructing a large number of forged ARP request and replay attacks to overload a switch. Switch is set to forwarding mode after ARP table is flooded wih spoofed ARP replies and attackers can sniff all the nework packets. Attackers flood a target computers ARP cache with forged entries , which is also known as poisoning.
Threats of ARP poisoning involves Stealing passwords, DoS attack, Session hijacking, etc..
ARP poisoning tools:
*Cain and able
*Ufasoft Sniff, etc
Defending against ARP poisoning:
*Implement Dynamic ARP inspection using DHCP Snooping Binding Table, which checks MAC and IP fields to see if the ARP from the interface is in the binding; if not the traffic is blocked.
*Xarp is a tool that detects ARP attacks and secure private data.
*MAC Spoofing Attack: It is launched by sniffing a network of MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses. By listening to the traffic on the network, the attacker will use one of the valid users MAC address to receive all the destined to the user. This allows the attacker gain access to the network and take over his identity which is already in the network.
Smac is a MAC address changer that allows users to change the MAC address for an network interface card in windows machine.
Defending against MAC Spoofing:
*Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard.
*DNS Poisoning: It is a technique that tricks a DNS server into believing that it has received authentic information when , in reality, it has not.
Intranet DNS Spoofing: In this technique the attacker is connected to victims LAN which enables him to switch the packets in the network. This technique works well against the switches by ARP poisoning the router.
Attacker infects the victims machine by a Trojan and changes his/her DNS IP address to that of attackers.
Proxy Server DNS Spoofing: Attacker sends at Trojan to victims machine that changes her proxy server settings to that of attackers and redirects to fake websites.
DNS Cache Poisoning: It refers to alterning or adding forged DNS records into the DNS resolver cache so that DNS query is redirected to malicious site.
Defending against DNS Spoofing:
*Resolve all DNS queries to local DNS server.
*Block DNS requests from going to external servers.
*Configure firewall to restrict external DNS lookup.
*Implement IDS and deploy it correctly
The best snifing Tools are:
*OmniPeek Network Analyser
Defending Against Sniffing Attacks:
*Restrict physical access to the network media.
*Use encryption to protect confidential information.
*Use ipv6 instead of ipv4.
*Pemanently add MAC address of the gateway to the ARP cache.
*Use encrypted sessions such as SSH instead of TELNET,Secure Copy(SCP) instead of FTP, etc..
I think this helped readers to know about Sniffing attacks and defending against them!! :D
Thank you.. ;)
Article by: Kartik Durg [J-BOY] J