Sniffing Traffic (Whiteboard)

[toggle_content title="Transcript"] Sniffing is one of the most important tools or techniques that you can master in your penetration testing career. It all comes down to protocol analysis at the end of the day. So let us look at a few of the concepts here. First major picture here is there are hardware sniffers and then there are software sniffers. Most of the ones that we are going to cover are going to be software based. Although they are a variety of hardware based sniffers or protocoling analyzers which can be used ultimately the profile or enumerate information on traffic. Second major concepts, when an organization realistically has to choose which route are they going to go in terms of accessing the networks. So they could use hub which is a little bit of an outdated technique but nonetheless everybody can hear each other on hub or they can setup, span of switch port analysis this is basically port duplicating so between a source and destination they span port is configured to listen to that source and destination and mirror that traffic to a listening port or they can use some sort of hardware pack which can be relatively expensive. So the larger the organization you increase the likelihood of them actually using network tabs. The smaller the organization and this where they start using hubs and spam ports. Where spam ports are I would suggest are basically the norm, also we have to be a master at TCP/IP protocol stack both version 4 & 6 Next concept is the concept of promiscuous mode interface now if you have installed something like wire shark you are going to get prompted for an additional piece of software to get installed which basically allows your network adapter to be used as a sniffing interface. So if you think about it in terms of sending and receiving now you can receive everybody else's traffic on the network and then of course there is the concept of hubs versus switching hub - everybody hears everybody on a hub. It is literally a very loud contentious type of device where on a switch only the source and destination actually hear each other. So port 1 wants to talk to port 2, port 3, port 4 or the rest of the ports they don't hear that. That introduces the concept of a collusion demand, However, anybody that broadcasts out any sort of traffic whether be it DETP or name resolution or whatever it is. Everybody is going to hear everybody in a hub and switch for broad cast based traffic. Now routers on the other hand they will not for broadcast because routers they contain the broadcaster name. Also the major concept here is protocols when you are sniffing traffic you actually get to see these protocols and work. You want to learn how DNS works, sniff DNS traffic. Do you want to learn how DHTP works? Sniff DNS traffic. This literally would do wonders for your career in terms of actually understanding how different protocols work. Next let us go into threats now the major threat here is disclosure. Now if we look at this from a principle base point of view. You basically have integrity and confidentiality in play but disclosure is the obvious one because you are listening to somebody else's traffic but that disclosure can lead to a man in the middle of tap which ultimately could change the integrity of the network traffic. Also the threats... You can summarize most of this until whatever protocol is in play. For example DNS or email like SMTP or POP3 or IMAP or Web traffic or chat or file transfer protocols or even router updates or telnet traffic if anybody is still using that. Nonetheless you can summarize all of that in clear text. Clear text has the ability to be listened to and that is where sniffing comes into play. So it doesn't matter if it is syslog traffic or web traffic or email if it is clear text you can read the exact traffic on the network. Therefore the holy grail becomes passwords. if you are sniffing traffic and if you can get a username and password dig that out of a data field that is it. Now you can access that system and you would be surprised how many passwords are encrypted in the application but as soon as that application talks to another application they actually send the passwords in clear text. Next we can move over to wiretapping because leads us to different types of attacks that ultimately will take place. So max spoofing, spoofing meaning we take over somebody else's mac address or we can manipulate the process or if it is DHCP related we can perhaps grab all of the available DHCP addresses from the DHCP server therefore are doing an attack on availability and legitimate users cannot get a DHCP address or spoofing Pretending to be somebody else this is where we can trick switches sending a copy of somebody else's traffic to us or mac duplicating it if we can listen to our request and we can learn a mac address then we can use that in a duplication attempt. A good counter measure to that is locking down on switch ports or ultimately on other attack on availability mac flooding there is a couple of great tours like mac off and your senior which are very easy to use. They flood the network with a 151,000 floods per minute of just bogus traffic. So if we look at this from a principal based point of view. Disclosure is obvious here but also you can be vulnerable to an integrity attack or even an availability attack as well. And then we can start playing into the some of the protocols specifics for example if you are sniffing dttp traffic then you can learn about how DTP works and then you can see when does a particular computer do a DHTP discover or offer or a request or things like that all of the details of DHCP. You can do mac and arp analysis. Now, this is realistically learning about how can tables work the easiest way to get this is from a switches point of view. When a computer advertises through a switch the switch will look at the source analyze the mac address in play and then record that address and map that to a particular port and no wonder when the reply comes back from the other computer. You get that reply as well. It builds it is own table well that is how things are normally supposed to work. Well hackers have learnt over the years to manipulate that process for example when a piece of traffic gets advertised to host C on a network please send another copy of that to host D. So therefore disclosure ultimately happens and then you can go into DNS. DNS has it own subject matter but you can learn a lot about hosts. Remember DNS has our whole name and mapping table. So if you can get physical access to a a network and just filter basically DNS. Well you can learn a lot about the way that network is configured. Everything from active directory to web servers mail servers etc. So some of the tools that are absolute critical for you to walk away from this sniffing concept was absolutely without a doubt wire shock. You must know wire shock and how to do all of the filters now the cool part about wire shock is that fields actually change from red to green. So if you have got the right filter and the right exact format it will be green. Green for go, red for no, so if you mistyped your filter it won't let you actually get any results from that next is T shock which is a terminal piece for wire shock. So it just displays from command prompt if you will or wind dump or TCP dump these are absolutely critical from a network analysis point of view because firewall engineers, network engineers, system administrators they realistically should know at the least the basics of TCP dump. But hackers have also learnt TCP flow which separates traffic into different files. So that help you isolate what goes on in the network and really focus on one particular host. So we talked about concepts we talked about the threats, we talked about the different protocols and the tools that are in play. Let us look at some of the counter measures. So since the obvious attack here on confidentiality what encryption is going from a defensive point of view. Encryption in any way we perform is going to be your best friend. It does n't matter if it is protocol encryption like https or smtp anything combined with ssl or tls or any application layer encryption that is going to help you a lot defensively. It also makes the penetration testers job a lot more difficult because instead of getting plain text. Now that you are getting cyber text and that means they have to crack encryption just to be able to get the juicy stuff. Lock down physical access this by far one of the easiest things to do to prevent the penetration tester from getting access to your network. However, it is typically a system administration headache. So in very large enterprises where they have CCNA's and CCNP's or professional network engineers working there. Locking down the ports is very much common - but in a Mom and Pop shop it more or less never happens. Really depends on the size of the organization, also mac address assigning. For example if you have a mac address for default gateway every client that is using your default gateway shall have that mac address hard coded that way the penetration tester can insert him or herself into the middle of that conversation. By advertising I am the default gateway send the traffic to me and I will forward it to the real default gateway. So this if you actually assign that then that defeats a lot of the replay in the man in the middle style attacks. Also static mac address entries or anything static that means that the network administrator is actually assigning the stuff and that is huge because that restricts the penetration tester in what they can do and how they can manipulate the different types of traffic. Also what are you going with IP version 4 versus version 6 are you encrypting your traffic. Are you protecting it or are you authenticating your sources. If you are only monitoring and you only have IP version 4 intrusion detection. The network is also speaking IP version 6. We are also going to sniff IPv6 traffic in addition to IPv4 traffic. For that matter any other protocol traffic like NWlink or SPX or NetBIOS or whatever the other protocol is. Whatever the communication protocol is. Also tunneling if you look at it from a defensive point of view if you encapsulate your traffic in another protocol like GRE or layer 2 fording or PPTP or layer protocol at least from the outside of the protocol what I can see. Also ICMP tunneling http tunneling those are good counter measures. Because that it makes the penetration tester's work that much harder. Also the concept of privilege or coop to make easy notes here. Concept of these privileges are huge because you are not going to give anybody on the network any additional access to something that they don't require. So you only give access to people to what they need and no more. That really makes the penetration testers job difficult. Also one time passwords are one time passwords because even if I can sniff a password it is only used one time. Well then realistically - even though I have captured it it is useless. Also encryption, SSH or anything that is wrapped by SSL or TLS because when I am sniffing the traffic the only thing that I realistically get to see is the outside encryption layer. I don't get to see the actual protocols in work. Those are the most common countermeasures we have talked about the potential threats. We have talked about the most common things that we will go after DNS mac and arp responses. DHCP because you can learn about the different hosts in the network. The basic concepts of wiretapping and concepts in general but what we do hands on examples we are actually going to be focusing on tools like wire shock, t shock, tcp dump, tcp flow and things like that. These are going to be absolutely critical for the penetration tester to absolutely master. Now in all of my experience in penetration testing. I can talk a lot of it up to just spending a lot of time doing hands on and analyzing network traffic. The more I listen to traffic the more I understand how things are supposed to work and you would be surprised what you would find. If it is in clear text – so with that let us go ahead and look at some of the hands on tools. [/toggle_content] In this whiteboard lecture we cover network traffic sniffing. Network sniffing is the idea of actually watching what's happening on another network through another device. Usually hackers will be looking for all the data, packets and traffic on your system, hence knowing how to sniff traffic is an essential skill. 
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge



Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?