Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

Traffic Sniffing, FTP Bounce and Smurf. This lesson covers packet sniffing, FTP bounce and Smurf attacks. Packet sniffing involves capturing network traffic and inspecting the packets for files, user data or credentials; on a hub or a wireless network every station can hear every frame, and on a switched network ARP poisoning or MAC spoofing can achieve the same effect. Ways to mitigate packet sniffing are to secure WiFi with strong encryption, eliminate hubs in favor of switches, encrypt traffic (for example through a VPN tunnel) and keep unauthorized devices off the network with 802.1X network access control backed by RADIUS or TACACS+. An FTP bounce abuses the FTP PORT command: the attacker connects to an FTP server and, in the PORT command, names a port on a different host, so the server opens a data connection to that host and the attacker's data reaches it by way of the trusted server. Modern FTP server software rejects such PORT commands, so the mitigation is to update old FTP servers. A Smurf attack sends an ICMP echo request with a forged source address (the victim's) to a network's broadcast address, so every host on that network replies to the victim and floods it. Smurf attacks have mostly been eliminated by routers that drop packets arriving from outside with an internal source address and no longer forward broadcast traffic, and by changes in how hosts respond to broadcast ICMP echo requests.
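The description above names the mitigations that made both attacks rare: FTP servers that refuse a PORT command pointing at a host other than the client, and routers that drop forged-source packets and do not forward directed broadcasts. The Python below is an added example written for this page, not code from the course, from any FTP server or from any router product. The internal prefix 192.168.0.0/24, the PORT validation rules, the packet dictionary layout and the sample packets are assumptions constructed for illustration; the victim address 192.168.0.17, the broadcast address 192.168.0.255 and port 4447 follow the figures used in the lesson (in PORT syntax 4447 is encoded as 17,95, since 17 * 256 + 95 = 4447).

```python
"""Added example (not the course's own code): the two mitigations the lesson
description refers to, written as standalone, testable checks.

1. FTP bounce: a bounce-resistant PORT handler refuses a PORT command whose
   address is not the host that opened the control connection.
2. Smurf: an edge router drops packets that arrive on the external interface
   with an internal source address, and never forwards traffic addressed to
   the subnet's directed-broadcast address.

All addresses, the internal prefix and the sample packets are constructed
for illustration.
"""
import ipaddress
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" -> address h1.h2.h3.h4, port p1*256+p2.
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line):
    """Return (address, port) from a PORT command line, or None if malformed."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each field is one byte; anything larger is not valid PORT syntax
    address = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return address, port


def port_command_allowed(line, control_peer):
    """Bounce-resistant PORT check.

    The data connection may only go back to the client that owns the control
    connection, and only to an unprivileged port, so the server cannot be made
    to reach or probe a third host on the client's behalf.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    address, port = parsed
    if ipaddress.IPv4Address(address) != ipaddress.IPv4Address(control_peer):
        return False  # the classic bounce: "connect to some other host for me"
    if port < 1024:
        return False  # refuse privileged ports even on the client itself
    return True


# Assumed internal LAN behind the edge router (constructed for this example).
INTERNAL_NET = ipaddress.IPv4Network("192.168.0.0/24")


def router_forwards(packet):
    """Decide whether the edge router forwards `packet`.

    `packet` is a dict with 'iface' ('external' or 'internal'), 'src', 'dst'
    and 'proto' (assumed layout). Returns (forward, reason).
    """
    src = ipaddress.IPv4Address(packet["src"])
    dst = ipaddress.IPv4Address(packet["dst"])
    # Anti-spoofing ingress filter: an internal source cannot legitimately
    # arrive on the outside interface, so the source is forged.
    if packet["iface"] == "external" and src in INTERNAL_NET:
        return False, "spoofed internal source on external interface"
    # No directed broadcast: one echo request to the broadcast address would
    # otherwise be answered by every host on the LAN.
    if dst == INTERNAL_NET.broadcast_address:
        return False, "directed broadcast not forwarded"
    return True, "forwarded"


# Constructed sample traffic: the lesson's Smurf packet (forged source
# 192.168.0.17 to 192.168.0.255), an unforged echo request to broadcast,
# an ordinary ping of the server, and ordinary outbound TCP traffic.
SAMPLE_PACKETS = [
    {"iface": "external", "src": "192.168.0.17", "dst": "192.168.0.255", "proto": "icmp-echo-request"},
    {"iface": "external", "src": "203.0.113.9", "dst": "192.168.0.255", "proto": "icmp-echo-request"},
    {"iface": "external", "src": "203.0.113.9", "dst": "192.168.0.17", "proto": "icmp-echo-request"},
    {"iface": "internal", "src": "192.168.0.5", "dst": "203.0.113.9", "proto": "tcp"},
]


def audit(packets):
    """Return the router decision (forward, reason) for each packet, in order."""
    return [router_forwards(p) for p in packets]


if __name__ == "__main__":
    for cmd in ("PORT 192,168,0,5,17,95", "PORT 192,168,0,17,17,95"):
        verdict = "accepted" if port_command_allowed(cmd, "192.168.0.5") else "rejected"
        print(cmd, "->", verdict)
    for pkt, (fwd, why) in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        action = "forward" if fwd else "drop"
        print(pkt["src"], "->", pkt["dst"], "via", pkt["iface"], ":", action, "(" + why + ")")
```

Run it directly to see the verdicts: the PORT command naming the client's own address on port 4447 is accepted, the one naming 192.168.0.17 (the bounce) is rejected, and of the four packets only the two addressed to a single internal host or leaving the network are forwarded.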

Video Transcription

00:04
Our next attack that we're going to talk about is packet sniffing. Now we've mentioned packet sniffing a couple of times, but essentially what packet sniffing is, is capturing network traffic data: looking at the packets and seeing if we can identify any data that's going back and forth, seeing if we can find anything such as user data,
00:20
files that they may be transferring, maybe even credentials that they're sending back and forth.
00:25
Essentially, packet sniffing is someone sitting out there on our network trying to listen and trying to see if they can intercept the data that we're sending back and forth on our network. We talked about this a little bit with man-in-the-middle attacks, where someone could be sitting in the middle, intercepting our traffic, listening to it and then passing the data on. But this can also be done on our network in general,
00:45
especially networks that utilize WiFi and utilize hubs.
00:49
Remember, hubs actually send the data that they receive on a port to all the other ports. So if we have any clients connected to those ports, they're going to receive the traffic. We have a hub in the middle.
01:00
We have a
01:03
client, a sending computer.
01:06
We have a receiving server,
01:08
and then over on the side we have someone who is just sniffing the packets.
01:15
On a hub,
01:17
any data that's sent to anyone goes to everyone.
01:21
So if the client is sending data to the server, that data is not only going to the server,
01:26
but a copy is also sent to the person who's sniffing the packets. So this person is essentially eavesdropping on that conversation, so they can see all the communications that are going back and forth.
01:38
The same thing happens if we have a wireless network.
01:42
WiFi cannot distinguish between
01:46
different clients. We can't have one client connected wirelessly only sending to the wireless access point and then the wireless access point only sending to the server. Wireless is in the air. Wireless signals go everywhere through the air. So if we have a
02:05
third party
02:07
who is sitting near the wireless access point, especially,
02:12
then any signals that are going to go to the wireless access point,
02:16
this third party can also sniff those. They can hear them, so our wireless access point almost acts like a hub in that respect: any signals that go anywhere, this person who's listening in can hear that traffic. So that's also another concern of wireless networks. Switched networks,
02:35
networks that utilize switches, are a bit better because, remember, switches will only send packets to the recipient, to a particular MAC address. So they only send data down the port that it needs to go to. But through means such as ARP poisoning,
02:53
through means of MAC address spoofing,
02:54
we could
02:57
we could exploit that. We could still have a man in the middle who is taking that traffic and then just passing it along later, so we could still have packet sniffing that potentially goes on on a switched network. So we need to watch out for it. So how are we going to mitigate this packet sniffing?
03:15
Well, we need to do things such as securing our WiFi. We need to make sure that we have strong
03:20
wireless network encryption. We need to perform all of our wireless network security strategies in order to prevent unauthorized users from sitting on our wireless and just listening to data going along. We want to eliminate hubs if at all possible, try and replace them with switches, because hubs are very insecure and hubs are going to forward those packets to everybody.
03:39
And if possible we also want to encrypt our traffic. If we ourselves are sitting on a wireless network, maybe we're sitting on an open wireless network and we don't want somebody sniffing in on our data, then maybe we want to set up a VPN. We want to start encrypting our traffic, sending our data through an encrypted tunnel,
03:57
because even if someone is still packet sniffing, even if someone is capturing our packets,
04:01
all they're seeing is encrypted data, so it's not of any use to them. So securing our wireless, eliminating hubs and encrypting our traffic are different ways that we can help reduce this packet sniffing. Also doing things such as making sure that we eliminate unauthorized devices on our network:
04:18
implementing 802.1X network access control with
04:23
some sort of RADIUS or TACACS+ authentication helps eliminate devices from our network that shouldn't be there, that could potentially be listening to the traffic that's going around.
04:34
Next we have FTP bounce. Now FTP bounce is essentially using a vulnerability with the PORT command to be able to connect to someone who's not the FTP server. So
04:48
if we have an FTP server set up, say we have our FTP server here,
04:55
we have a malicious computer here,
04:59
and then we have
05:00
a standard bystander, a standard
05:05
target computer right here. An FTP bounce, in a nutshell, is going to be when this malicious computer
05:13
establishes a connection to the FTP server and issues a PORT command, and it's going to specify a port on the target computer that is not open right now. So it's going to initiate a session with this FTP server, and the FTP server is going to say, OK,
05:31
which port would you like to communicate on?
05:34
Which port would you like to start transferring files on? And then you're going to say, Oh, I'd like to start transferring files on port 4447 on this computer.
05:46
So the FTP server now begins to initiate a session with the target computer, and the target computer, recognizing the trusted FTP server, is going to say OK, open up and see if we can start transmitting data on this port.
06:00
And now the attacker computer is essentially bouncing the data that it wants to send to the target computer off the trusted FTP server.
06:10
So an FTP bounce is going to allow us to send that data to that newly opened port that we've established on the target computer.
06:19
In order to mitigate FTP bounce, we want to look at updating our FTP servers, because this has been widely mitigated just by how FTP server software works now, and the PORT command is no longer a widely viable command.
06:38
This isn't something that we can just
06:41
do like we used to. We can't just issue this PORT command and bounce off the FTP server and send new data to a newly opened port on the target computer. But if we're utilizing old FTP servers in our environment,
06:59
if we're not updating our FTP servers,
07:00
it is something that we want to take a look at, something that we want to be aware of and something that may push us to updating the systems in our network. Next, we have a Smurf attack.
07:12
A Smurf attack
07:15
is a forged ICMP echo request that is sent to
07:21
a network and sent to broadcast. And so what this does is it causes all of the devices in our network to send responses to that forged IP host, and essentially perform a denial of service on that IP host. Well, what do we mean when we say that?
07:41
Well,
07:43
we're going to have our network here,
07:46
and
07:47
on the perimeter of our network we have our router.
07:55
On the inside of our network we have
07:58
multiple computers,
08:01
and then we have a server, and this server is going to be the target.
08:07
Now, on the outside of our network, or maybe even on the inside of our network,
08:13
we have a malicious
08:15
attacker computer.
08:16
Now we've talked about ICMP echo requests before. ICMP echo requests are essentially what we're doing when we send a ping command, and that ping command is going to request an echo back to make sure that they can connect. Now, an ICMP echo request is just using a little bit of data. It's not a ton of data that's being transferred,
08:37
but
08:37
it is still data that is being processed by our computer. So it is still requiring network usage. It's still requiring resources on our computer that's receiving the echo reply back. So everywhere the packet goes, it's still using network resources.
08:54
What this attacker is going to do is it's going to send a packet
09:00
with a spoofed IP source address. So
09:05
our server here is 192.168.0.17.
09:11
Even though this malicious computer is not this IP address, it's going to send the packet
09:18
through the router that says that its source address is 192.168.0.17. It spoofs the IP address,
09:26
and this is an ICMP echo request,
09:28
so it sends it in through the router into the network, and it sends an ICMP echo request
09:35
from a forged address of 192.168.0.17 to
09:46
the network broadcast, so 192.168.0.255.
09:52
So essentially because it's sending it to broadcast,
09:56
it's saying, I want to send an ICMP echo request to everyone on this network, and I want to make it look like it's coming from this computer.
10:07
So now all of these computers are going to receive a
10:11
ping request. They're all going to receive this ping request,
10:16
this ICMP echo request,
10:18
and once they receive it,
10:20
they're going to see the spoofed source and they're going to start sending
10:26
the server, what they see as the source,
10:31
echoes back, let's say, Oh yeah, hey, I'm online.
10:35
And if we have a lot of computers on our network, essentially what we're doing is this one computer is multiplying itself by however many computers we have on our network, and essentially it'll just send those packets over and over and over, and then, say we have 150 computers on that network,
10:54
we now have 150 computers on our network
10:56
that are sending constant echo replies to this spoofed server. So now this spoofed server can't do its job. It can't do any network connectivity, because all of its network handling is just receiving these echo responses back.
11:13
So that's our Smurf attack.
11:16
We're sending a forged ICMP packet into a network, specifying broadcast as the recipient and specifying the target as the forged source.
11:28
Now this has been mostly mitigated.
11:33
It's not very common in networks anymore,
11:39
because we have devices now that can filter out these forged requests,
11:46
and
11:48
routers will no longer pass these packets that look like the IP source is forged. This router will receive a packet with a spoofed source IP address of 192.168.0.17, and the router will say, that's not right,
12:07
you're on an external network. That's an internal IP address. I'm not going to forward this to my internal network,
12:16
so it drops that packet.
12:16
Routers have also stopped forwarding these broadcast packets. So we're sending a request to broadcast, and then the router won't forward that because it's to a broadcast address. That's why we've talked about our broadcast domains now
12:33
being on one side of a router.
12:35
So Smurf attacks have mostly been eliminated by advancements in router security and advancements in how we respond to ICMP echo requests, and how broadcast will not respond to these ICMP echo requests. But it is still a known attack, and it is still a technique that we have to be aware of.
12:54
So thank you for joining us here today on Cybrary.
12:58
Today we talked about one of my favorite subjects: different attacks, techniques and mitigations that we need to be aware of for different security vulnerabilities in our network. We talked about everything from malware and viruses and buffer overflows to Smurf attacks and FTP bounces. So
13:16
keep an eye on your networks. Don't just set up your network securely once
13:20
and then assume that it's going to be all set. We need to check logs, we need to provide user training, we need to do patch management and we need to update our software. And we need to make sure that we have some sort of incident response plan in place, so that if something does happen,
13:37
we're able to clean it up and we're able to respond to it as quickly and as effectively
13:41
as possible. So hopefully this video got you thinking a little bit more about security, maybe even got you a little bit excited about security, maybe even got you a little bit excited about programming when we talked about buffer overflows. And we hope to see you here next time for more of our exciting videos on Cybrary.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor