Ethical Hacking - Overview
Ethical Hacking - Sniffing
Sniffing is a data interception technology. Sniffer is a program that monitor or reading all network traffic passing in and out over a network. Telnet, Relogin, FTP, NNTP, SMTP, HTTP, IMAP that all protocol are vulnerable for sniffing because it send data and password in clear text. Sniffing can be use both the ways legally or illegally like for monitor network traffic, network security and for stealing information like password, files from the network. Sniffing can be done both way one is from command line utility and other is from GUI interface. Many network engineers; security professionals and even crackers use these techniques to sniff the network. Sniffing technique also use for ethical hacking.
the main purpose of sniffing is to analyse the incoming and outgoing packets, keep in mind when you connect to a web server or to any network (computer) you sends your data via wired connection or wireless connection in the form of packets, your data goes in the form of packets.
A packet contain the source (Sender) and the destination (Receiver) IP and MAC address and also it contains the data that are going to be sent. So just imagine if someone get this packet than he/she can easily know what you have send, an attacker can easily sniff your confidential information (credit card, paypal, passwords etc), so the sniffing is the important attack that should be consider as a security measure.
is not a good thing, however it is not true the Positive usage of sniffer is also its regular usage, which aim is to maintain network and system working normally.
-Recording and analysing traffic
-Decrypting packets and displaying in clear text
-Converting data to readable format-
-Showing relevant information like IP, protocol, host or server name and so on.
While the negative usage is open and
- Catching password, which is the main reason for most illegal uses of sniffing tool
-Capturing special and private information of transactions, like username, credit ID, account, and password
-Recording email or instant message and resuming its content
The famous used tools for sniffing purposes are:
-Kismet(for wireless sniffing)
-NetStumbler(for wireless sniffing)
-Kismac(for wireless sniffing)
-Cain and abel
How it works:
- As data streams back and forth on the network, the program looks at, or "sniffs," each packet. A packet is a part of a message that has been broken up.
Normally, a computer only looks at packets addressed to it and ignores the rest of the traffic on the network. But when a packet sniffer is set up on a computer, the sniffer's network interface is set to promiscuous mode. This means that it is looking at everything that comes through. The amount of traffic largely depends on the location of the computer in the network. A client system out on an isolated branch of the network sees only a small segment of the network traffic, while the main domain server sees almost all of it.
A packet sniffer can usually be set up in one of two ways:
-Unfiltered - captures all of the packets
-Filtered - captures only those packets containing specific data elements
Packets that contain targeted data are copied onto the hard disk as they pass through. These copies can then be analyzed carefully for specific information or patterns.
When you connect to the Internet, you are joining a network maintained by your Internet service provider(ISP). The ISP's network communicates with networks maintained by other ISPs to form the foundation of the internet.
. A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:
Which Web sites you visit
What you look at on the site
Whom you send e-mail to
What's in the e-mail you send
What you download from a site
What streaming events you use, such as audio, video and internet telephony
From this information, employers can determine how much time a worker is spending online.
Types of Packet Sniffing
There are basically three types of packet sniffing:
-ARP Sniffing: ARP sniffing involves information packets that are sent to the administrator through the ARP cache of both network hosts. Instead of sending the network traffic to both hosts, it forwards the traffic directly to the administrator.
-IP Sniffing: IP sniffing works through the network card by sniffing all of the information packets that correspond with the IP address filter. This allows the sniffer to capture all of the information packets for analysis and examination.
-MAC Sniffing: MAC sniffing also works through a network card which allows the device to sniff all of the information packets that correspond with the MAC address filter.
TYPES OF SNIFFING:
A packet sniffer is seldom the only tool used for an attack. This is because a sniffer can work only in a common collision domain. A common collision domain is a network segment that is not switched or bridged (i.e. connected through a hub). Any traffic that is not switched or bridged on a network segment can be seen by all machines on that segment. As sniffers gather packets at Data Link Layer it can potentially grab all the packets on the LAN of the machine running the Sniffer program.
This is because on a network with a hub implements a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a Sniffer on one system on LAN, he can gather data sent to and from any other system on the LAN. Majority of the Sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers as they passively wait for the data to be sent and capture them. They are efficient in silently gathering the data from the LAN.
In passive sniff ing, the intruder gets access to the network by any of the following methods.
By compromising the physical security. An example of this can be the intruder walking into the building with his laptop and capturing data by plugging in to access the network.
Using a Trojan horse. Many Trojans have sniffing capability built into them. For instance, the Back Orifice server has a plugin known as "Butt Trumpet". Butt Trumpet will send the attacker an email when the server has been installed. Once the attacker knows that the victim's machine has been compromised, the attacker can then install a packet sniffer and use it.
One countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub based network, switched ethernet does not broadcast all information to all systems on the LAN. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target.
In other words, the main difference between a switch and hub is that while a hub has no mapping, and thus broadcasts line data to every port on the device, a switch looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch.
The switch thereby limits the data that a passive sniffer can gather. If there is a passive sniffer activated on a switched LAN, the sniffer will only be able to see data going to and from one machine - i.e. the system on which it is installed.
However, it must be noted that the development of switched networks was driven by the need for more bandwidth, and not for the need of more secure networks. Since the evolution was not driven by security needs, there are ways to circumvent this network posture and sniff the traffic.
So how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. Hence the term 'active sniffing'. Some of the methods used in the attack include ARP Spoofing, MAC Flooding and MAC Duplicating etc.
Protocols which are affected
Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several rules lend themselves to easy sniffing −
HTTP − It is used to send information in the clear text without any encryption and thus a real target.
SMTP (Simple Mail Transfer Protocol) − SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.
NNTP (Network News Transfer Protocol)− It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.
POP (Post Office Protocol) − POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing because it can be trapped.
FTP (File Transfer Protocol) − FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.
IMAP (Internet Message Access Protocol) − IMAP is same as SMTP in its functions, but it is highly vulnerable to sniffing.
Telnet − Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.