
Module08 Sniffing

Thursday, February 29, 2024

Module 8: Sniffing

Learn about packet-sniffing techniques and how to use them to discover network vulnerabilities, as well as countermeasures to defend against sniffing attacks.

Hands-On Lab Exercises: Over 10 hands-on exercises with real-life simulated targets to build skills on how to:

> Perform MAC flooding, ARP poisoning, MITM and DHCP starvation attacks

> Spoof the MAC address of a Linux machine

> Perform network sniffing using various sniffing tools

> Detect ARP poisoning in a switch-based network

Key topics covered:

> Network Sniffing

> Wiretapping

> MAC Flooding

> DHCP Starvation Attack

> ARP Spoofing Attack

> ARP Poisoning

> ARP Poisoning Tools

> MAC Spoofing

> STP Attack

> DNS Poisoning

> DNS Poisoning Tools

> Sniffing Tools

> Sniffer Detection Techniques

> Promiscuous Detection Tools

Section 01: Sniffing Concepts


Open systems interconnection (OSI) model:

The Open Systems Interconnection model (OSI model) is a conceptual model that 'provides a common basis for the coordination of [ISO] standards development for the purpose of systems interconnection'.

Media access control (MAC) address:

A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer.

Network switch:

A network switch (also called switching hub, bridging hub, and, by the IEEE, MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device.

Network interface card:

A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network.

Address resolution protocol (ARP) spoofing:

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.

Media access control (MAC) flooding:

In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches.

Network sniffing attack:

A sniffing attack, in the context of network security, is the theft or interception of data by capturing network traffic with a packet sniffer (an application designed to capture network packets). When data is transmitted across a network, the contents of any packet that is not encrypted can be read with a sniffer.

Protocol analyzer:

A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel can be anything from a local computer bus to a satellite link, provided it carries communication using a standard (networked or point-to-point) protocol.

Wiretapping:

Telephone tapping (also wire tapping or wiretapping in American English) is the monitoring of telephone and Internet-based conversations by a third party, often by covert means.

Lawful interception:

Lawful interception (LI) refers to the facilities in telecommunications and telephone networks that allow law enforcement agencies with court orders or other legal authorization to selectively wiretap individual subscribers.

Section 02: MAC Attacks

Media access control (MAC) address:

A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer.

Content addressable memory (CAM) table:

Content Addressable Memory (CAM) table is a system memory construct used by Ethernet switch logic which stores information such as MAC addresses available on physical ports with their associated VLAN Parameters.

Media access control (MAC) flooding:

In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches.

Section 03: DHCP Attacks

Dynamic host configuration protocol (DHCP):

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

Section 04: ARP poisoning

Address resolution protocol (ARP):

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

Address resolution protocol (ARP) spoofing:

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.
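The detection side of the two definitions above, as an added example that is not part of the original module notes: a small monitor that reads ARP replies and flags the two symptoms poisoning leaves behind, an IP whose MAC changes and a MAC that answers for several IPs. The tcpdump-style lines and the KNOWN_HOSTS table are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of `tcpdump -n arp` output (not a real capture).
SAMPLE_TCPDUMP_LINES = [
    "10:00:00.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:01.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28",
    "10:00:02.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",   # gateway IP re-claimed
    "10:00:03.000000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28",  # same MAC claims another host
]

# Static IP-to-MAC bindings the defender trusts (hypothetical values, e.g. the gateway).
KNOWN_HOSTS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def parse_arp_reply(line):
    """Return (timestamp, sender_ip, sender_mac) for an ARP reply line, or None for other lines."""
    m = _REPLY_RE.match(line)
    return (m.group(1), m.group(2), m.group(3).lower()) if m else None

def detect_arp_conflicts(lines, known=None):
    """Alert when an IP's MAC changes and when one MAC claims more than one IP.

    A MAC answering for several IPs can also be legitimate (proxy ARP, a host
    with address aliases), so treat that alert as a lead to verify, not as proof.
    """
    ip_to_macs = defaultdict(set)   # ip  -> every MAC seen claiming it
    mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed
    for ip, mac in (known or {}).items():
        ip_to_macs[ip].add(mac.lower())
    alerts = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        if ip in ip_to_macs and mac not in ip_to_macs[ip]:
            alerts.append(f"{ts}: {ip} changed from {sorted(ip_to_macs[ip])} to {mac}")
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts}: {mac} claims multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_TCPDUMP_LINES, KNOWN_HOSTS):
        print(alert)
```

Feeding it live output (`tcpdump -l -n arp`) instead of the sample list turns it into a simple switch-segment ARP watchdog; the same checks are what tools like arpwatch perform.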

Section 05: Spoofing

Media Access Control (MAC) spoofing:

MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The burned-in address on a network interface controller (NIC) itself cannot be changed; however, many drivers allow the MAC address the operating system presents on the wire to be changed.

VLAN hopping:

VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible.

Spanning tree protocol (STP):

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.

Section 06: DNS poisoning

Domain name system (DNS):

The Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks.

DNS spoofing:

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or any other computer).

Section 07: Sniffing Tools and Countermeasures

Wireshark:

Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.

Countermeasures

> Restrict physical access to all hardware.

> Use encryption for all protocols and services.

> Implement MAC filtering.

> Segment your networks.

nmap:

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
