Week 9
What is Sniffing?
+ What is network analysis or sniffing?
+ It is the process of analysing network activity by capturing network traffic.
+ A sniffer is a program that monitors the data travelling around the network.
+ Example tools: Wireshark, Slain, Ks, Burp Suite and many others.
+ Features of a network analyzer or sniffer:
1) Support for multiple protocols
2) Graphical user interface
3) Statistics/report generation
What is Wireshark?
+ It is an open source tool for profiling network traffic and analyzing packets.
+ Often referred to as a network analyzer, network protocol analyzer or sniffer.
+ Can be downloaded from: https://www.wireshark.org
+ What does it really do?
+ Captures network packets and displays them in a readable format.
+ Logs network traffic for reference and evidence.
+ Analyzes network traffic generated by various applications.
How does a Packet Sniffer work?
+ Ethernet is the most widely used protocol in a LAN.
+ It operates at the data link layer.
+ While running Wireshark, the machine's network interface card (NIC) is put in
promiscuous mode.
+ In this mode, the user can read all traffic on the network segment to which the NIC
is connected (irrespective of the sender and the receiver).
+ Root privileges are required to set the NIC to promiscuous mode.
+ If the LAN uses a switch, then packets from other network segments cannot be
captured.
Packet Capture using Wireshark
Demonstration: Password Capture
Sniffing Countermeasure
+ Restrict the physical access to the network media to ensure that a packet sniffer
cannot be installed.
+ Use encryption to protect confidential information.
+ Permanently add the MAC address of the gateway to the ARP cache.
+ Use static IP addresses and static ARP tables to prevent attackers from adding the
spoofed ARP entries for machines in the network.
+ Use IPv6 instead of the IPv4 protocol.
Sniffing Countermeasure (contd.)
+ Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead
of FTP, SSL for email connections, etc. to protect wireless network users against
sniffing attacks.
+ Use HTTPS instead of HTTP to protect user names and passwords.
+ Use switch instead of hub as switch delivers data only to the intended recipient.
+ Use SFTP, instead of FTP for secure transfer of files.
+ Use PGP and S/MIME, VPN, IPSec, SSL/TLS, Secure Shell (SSH) and One-time
passwords (OTP).
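As an added example (not from the course slides), the following Python script shows how a defender can act on the static-ARP advice above: it compares observed ARP replies against a pinned gateway entry and also flags an unpinned IP whose MAC address changes. The reply list, IP addresses and MAC addresses are constructed sample data.

```python
# Added example, not from the course slides: detect ARP spoofing against a pinned
# (static) gateway entry, as recommended in the sniffing countermeasures.
from collections import defaultdict

# Constructed sample of ARP replies as (sender_ip, sender_mac); not real traffic.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "AA:BB:CC:DD:EE:01"),    # genuine gateway reply
    ("192.168.1.20", "aa:bb:cc:dd:ee:20"),   # an ordinary host
    ("192.168.1.1", "de:ad:be:ef:00:99"),    # gateway IP claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),   # same MAC now also claims the host
    ("192.168.1.1", "de:ad:be:ef:00:99"),
]

# Pinned mapping: the permanent ARP entry for the gateway (constructed value).
STATIC_ARP = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

def check_arp_replies(replies, static_table):
    """Return a list of (reason, ip, claimed_mac) alerts.

    'pinned-mismatch': a reply contradicts a static entry (never overwritten).
    'mac-flap': an unpinned IP has been claimed by more than one MAC.
    """
    alerts = []
    seen = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        pinned = static_table.get(ip)
        if pinned is not None:
            if mac != pinned.lower():
                alerts.append(("pinned-mismatch", ip, mac))
        else:
            seen[ip].add(mac)
            if len(seen[ip]) > 1:
                alerts.append(("mac-flap", ip, mac))
    return alerts

if __name__ == "__main__":
    for reason, ip, mac in check_arp_replies(SAMPLE_ARP_REPLIES, STATIC_ARP):
        print(f"ALERT {reason}: {ip} claimed by {mac}")
```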
Sniffing Detection
+ Nmap's NSE script allows us to check if a target on a local Ethernet has its
network card in promiscuous mode.
+ Command to detect a NIC in promiscuous mode:
nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]
Ettercap Sniffing Tools
+ Ettercap is a free and open source network security tool for man-in-the-middle
attacks on LAN.
+ It can be used for computer network protocol analysis and security auditing. It
runs on various Unix-like operating systems including Linux, Mac OS X, BSD and
Solaris, and on Microsoft Windows.
+ It is capable of intercepting traffic on a network segment, capturing passwords,
and conducting active eavesdropping against a number of common protocols.
+ Ettercap has plugin support so that the features can be extended by adding
plugins.
Features of Ettercap
+ IP-based Filtering: We can filter packets based on IP source and destination.
+ MAC-based Filtering: packets can be filtered based on MAC address, useful for
sniffing connections through a gateway.
+ Character injection into an established connection: characters can be injected
into a server (emulating commands) or to a client (emulating replies) while
maintaining a live connection.
+ SSH support: the sniffing of a username and password, and even the data of an
SSH connection. Ettercap is the first software capable of sniffing an SSH
connection in full duplex.
Features of Ettercap
+ HTTPS support: the sniffing of HTTP SSL secured data, even when the
connection is made through a proxy.
+ Plug-in support: creation of custom plugins using Ettercap's API.
+ Packet filtering/dropping: setting up a filter that searches for a particular string
(or hexadecimal sequence) in the TCP or UDP payload and replaces it with a
custom string/sequence of choice, or drops the entire packet.
+ TCP/IP stack fingerprinting: determine the OS of the victim host and its network
adapter.
+ And many more features available.
BurpSuite Sniffing Tools
+ Burp Suite is an integrated platform for performing security testing of web
applications.
+ The tool is written in Java and developed by PortSwigger Security.
+ It can be used for computer network protocol analysis and security auditing. It
has two versions: a free version and a professional version.
Various Modules of BurpSuite
+ Target: The target tool gives an overview of the target application's content and
functionality.
+ Proxy: Gives a direct view of how the target application works by acting as a proxy
server, or as a man-in-the-middle between you and the server, so that you can
intercept, inspect and modify the raw traffic.
+ Spider: Used for automatically crawling web applications.
+ Scanner: Used for finding vulnerabilities in web applications.
+ Intruder: It is used for automating customized attacks against web applications.
+ Repeater: It is used for manipulating and reissuing HTTP requests and
Demonstration: Sniffing using Burp Suite
NPTEL ONLINE CERTIFICATION COURSES
Thank You
Social Engineering Attack
+ Social engineering is the art of convincing people to reveal confidential
information.
+ Social engineers lure targets to provide information by promising something for nothing
(greediness).
* Common targets of social engineering
+ Help desk personnel
+ Technical support executives
+ System administrators
+ Frustrated employees etc.
Phases in a Social Engineering Attack
a) Research on Target Company:
+ Dumpster diving, websites, employees, tour of the company, etc.
b) Select Victim:
+ Select the most vulnerable victim such as a greedy employee.
c) Develop Relationship:
+ Develop a relationship with the selected victim.
d) Exploit the Relationship:
+ Collect sensitive information such as financial information, current technologies etc.
Types of Social Engineering Attack
a) Human-based Social Engineering:
+ Collect sensitive information by direct interaction with victims.
b) Computer-based Social Engineering:
+ Social engineering is carried out with the help of computers.
c) Mobile-based Social Engineering:
+ Social engineering is carried out with the help of mobile applications.
(a) Human Based Social Engineering
+ Impersonation:
+ The attacker pretends to be someone legitimate or an authorized person (most common).
+ Reverse Social Engineering:
+ A situation in which an attacker presents himself as an authority and the target seeks his
advice, offering the information that he needs.
+ Piggybacking:
+ An authorized person allows (intentionally or unintentionally) an unauthorized person to pass
through a secure door. "I forgot my ID badge at home. Please help me."
(a) Human Based Social Engineering (contd.)
+ Tailgating:
+ An unauthorized person, wearing a fake ID badge, enters a secured area by closely following
an authorized person through a door requiring key access.
+ Eavesdropping:
+ Interception of audio, video, or written communication. It can be done using communication
channels such as telephone lines, email, instant messaging, etc.
+ Shoulder Surfing:
+ Uses direct observation techniques such as looking over someone's shoulder to get
information such as passwords, PINs, account numbers, etc.
(b) Computer-based Social Engineering
+ Pop-up Windows:
+ Windows that suddenly appear while surfing the Internet and ask for the user's information to
log in or sign in, or for providing help.
+ Chain Letters:
+ Chain letters are emails that offer free gifts such as money and software on the condition
that the user has to forward the mail to the said number of persons.
+ Instant Chat Messenger:
+ Gathering personal information by chatting with a selected online user to get information
such as birth dates, maiden names, email contact information etc.
(b) Computer-based Social Engineering (contd.)
+ Phishing:
+ An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the
user's personal or account information. Phishing emails or pop-ups redirect users to fake
webpages mimicking trustworthy sites that ask them to submit their personal information.
+ Spear Phishing:
+ A direct, targeted phishing attack aimed at specific individuals within an organization.
Attackers send a message with specialized social engineering content directed at a specific
person or a small group of people.
(c) Mobile-based Social Engineering
+ Publishing Malicious Apps, Fake Security Applications:
+ Attackers create malicious apps with attractive features and similar names to those of popular
apps, and publish them on major app stores. Unaware users download these apps and get
infected by malware that sends credentials to attackers.
+ Using SMS:
+ Send messages which look like very important messages from a bank/company etc. and need
an urgent call to the given number.
+ The victim calls to check the account, then the attacker asks for information such as credit/debit card
numbers etc.
Demonstration: Phishing using SEToolkit
Social Engineering Countermeasures
+ Good policies and procedures are ineffective if they are not taught and reinforced
by the employees.
+ Password Policies:
+ Periodic password change, avoiding guessable passwords, account blocking after failed
attempts.
+ Physical Security Policies:
+ Identification of employees by issuing ID cards, uniforms, etc. Escorting the visitors. Access
area restrictions.
Social Engineering Countermeasures (contd.)
+ Training:
+ Include all security policies and methods to increase awareness of social engineering.
+ Access privileges:
+ There should be administrator, user, and guest accounts with proper authorization.
+ Classification of information:
+ Categorize the information as top secret, proprietary, for internal use, for public use, etc.
+ Background Check and Proper Termination Process:
+ Insiders with a criminal background and terminated employees are easy targets.
Social Engineering Countermeasures (contd.)
+ Anti-Virus/Anti-Phishing Defenses:
+ Use multiple layers of anti-virus defenses at end-user and mail gateway levels to minimize
social engineering attacks.
+ Two-Factor Authentication:
+ Instead of fixed passwords, use two-factor authentication for high-risk network services such
as VPNs and modem pools.
Denial-of-Service Attack
+ It is an attack on a computer or network that reduces, restricts or prevents
accessibility of system resources to its legitimate users.
+ In a DoS attack, attackers flood a victim system with non-legitimate service requests or
traffic to overload its resources.
+ It leads to unavailability of a particular website and slow network performance.
* Adistributed denial-of-service (DDoS) attack involves a multitude of
compromised systems attacking a single target, thereby causing denial of
service for users of the targeted system.
DoS / DDoS Attack Techniques
+ Bandwidth Attacks:
* Overwhelm network equipment
+ It cannot be done using a single system; an attacker uses several computers to flood the victim.
+ SYN Attack:
+ The attacker sends a large number of SYN requests to the victim server with fake source IP
addresses.
+ The target machine sends back a SYN/ACK in response to the request and waits for the ACK
to complete the session setup.
+ The target machine does not get the response because the source address is fake.
DoS / DDoS Attack Techniques (contd.)
+ Below is how most hosts implement the TCP three-way handshake.
+ When Host B receives the SYN request from A, it must keep track of the partially opened
connection in a "listen queue" for at least 75 seconds.
+ A malicious host can exploit the small size of the listen queue by sending multiple SYN
requests to a host, but never replying to the SYN/ACK.
+ ICMP Flood attack:
+ The attacker sends a large number of ICMP packets directly or through reflection networks
to victims, causing them to be overwhelmed and subsequently stop responding to legitimate
TCP/IP requests.
DoS/DDoS Attack Techniques (cont.)
+ Application-Level Flood Attacks:
+ This results in the loss of services of a particular network, such as emails, network resources,
the temporary ceasing of applications and services, and more.
+ The attackers exploit weaknesses in programming source code to prevent the application
from processing legitimate requests.
+ Using application-level flood attacks, attackers attempt to: (a) flood web applications to deny
legitimate user traffic; (b) disrupt service to a specific system or person, for example,
blocking a user's access by repeating invalid login attempts.
Botnets
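As an added example (not from the course slides), the following Python code turns the listen-queue behaviour described in the SYN attack section into detection logic: it replays a constructed sample of TCP flag events and counts, per server, handshakes that received a SYN/ACK but never the final ACK. The event format, addresses and threshold are assumptions.

```python
# Added example, not from the course slides: detect a SYN flood from a sample
# of TCP flag events by counting handshakes that never complete.
from collections import defaultdict

# Constructed event lines "<seconds> <src> <dst> <flags>" (S=SYN, SA=SYN/ACK,
# A=ACK): one clean handshake followed by four that are never acknowledged.
SAMPLE_EVENTS = """\
0.00 10.0.0.5 192.0.2.10 S
0.01 192.0.2.10 10.0.0.5 SA
0.02 10.0.0.5 192.0.2.10 A
1.00 203.0.113.1 192.0.2.10 S
1.00 192.0.2.10 203.0.113.1 SA
1.01 203.0.113.2 192.0.2.10 S
1.01 192.0.2.10 203.0.113.2 SA
1.02 203.0.113.3 192.0.2.10 S
1.02 192.0.2.10 203.0.113.3 SA
1.03 203.0.113.4 192.0.2.10 S
1.03 192.0.2.10 203.0.113.4 SA
"""

def half_open_by_server(lines):
    """Per server, count handshakes where the server sent SYN/ACK but the
    client never sent the final ACK: the 'listen queue' entries of the slides."""
    pending = {}  # (client, server) -> True once the server's SYN/ACK was seen
    for line in lines.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = line.split()
        if flags == "S":
            pending[(src, dst)] = False          # SYN seen, no SYN/ACK yet
        elif flags == "SA" and (dst, src) in pending:
            pending[(dst, src)] = True           # server replied, awaiting ACK
        elif flags == "A" and pending.get((src, dst)):
            del pending[(src, dst)]              # handshake completed
    counts = defaultdict(int)
    for (_client, server), awaiting_ack in pending.items():
        if awaiting_ack:
            counts[server] += 1
    return dict(counts)

def syn_flood_suspects(lines, threshold=3):
    """Servers holding more half-open handshakes than the threshold."""
    return {srv: n for srv, n in half_open_by_server(lines).items() if n > threshold}

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_EVENTS))  # {'192.0.2.10': 4}
```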
* Bots are software applications that run automated tasks over the Internet and
perform simple repetitive tasks, such as web spidering and search engine
indexing
+ A botnet is a huge network of compromised systems and can be used by an
attacker to launch denial-of-service attacks.
DoS / DDoS Attack Tools: Slowloris
+ This is the most effective tool for DDoS attacks. It works by opening thousands of
connections to the targeted web server and holding them open for a long time.
+ This is achieved by sending partial HTTP requests, and none of them will ever be
completed. It requires minimal bandwidth to the target web server and has no after
effects.
DoS / DDoS Attack Tools: Low Orbit Ion Cannon (LOIC)
+ An open source network stress testing and DoS attack software written in C#.
+ This tool performs a DoS attack by sending UDP, TCP, or HTTP requests to the target with the intention
of disrupting its services.
+ It is mainly used for DoS attacks on small servers. It is available on Linux, Windows, and
Android as well.
+ LOIC basically turns a computer's network connection into a firehose of garbage
requests, directed towards a target web server.
DoS / DDoS Attack Tools: RUDY (R U Dead Yet ?)
+ R.U.D.Y. is a popular low and slow attack tool that is designed to crash a web
server by submitting long form fields.
+ The attack browses the target website and detects embedded web forms. Once the forms are
identified, it sends a legitimate HTTP POST request with an abnormally long 'content-length'
header field and then starts injecting the form with information, one byte-sized packet at a
time.
+ Many more tools are available.
Demonstration: LOIC Tool
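As an added example (not from the course slides), the following Python code classifies long-lived HTTP connections into the two patterns described in the Slowloris and R.U.D.Y. sections: requests whose headers never terminate, and POSTs whose body trickles in far below the declared Content-Length. The connection snapshots, addresses and timeouts are constructed assumptions.

```python
# Added example, not from the course slides: classify long-lived HTTP connections
# as Slowloris-style (headers never terminated) or RUDY-style (POST body far
# below its declared Content-Length), then count them per client address.
import re

# Constructed snapshots (client_ip, age_seconds, bytes_received_so_far).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", 120.0, b"GET / HTTP/1.1\r\nHost: x\r\nX-a: 1\r\n"),
    ("198.51.100.7", 118.0, b"GET / HTTP/1.1\r\nHost: x\r\nX-a: 2\r\n"),
    ("198.51.100.9", 90.0,
     b"POST /login HTTP/1.1\r\nHost: x\r\nContent-Length: 1000000\r\n\r\nuser=a"),
    ("203.0.113.5", 0.4, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # normal request
]

CONTENT_LENGTH = re.compile(rb"^content-length:\s*(\d+)\s*$", re.I | re.M)

def classify(age, data, header_timeout=30.0, body_timeout=30.0, min_declared=10_000):
    """Return 'slow-header', 'slow-body' or 'ok' for one connection snapshot."""
    head, terminator, body = data.partition(b"\r\n\r\n")
    if not terminator:  # request line/headers still incomplete
        return "slow-header" if age > header_timeout else "ok"
    match = CONTENT_LENGTH.search(head)
    if match:
        declared = int(match.group(1))
        if declared >= min_declared and len(body) < declared and age > body_timeout:
            return "slow-body"
    return "ok"

def suspects(conns):
    """Map client IP -> {pattern: count} for every connection that is not 'ok'."""
    counts = {}
    for ip, age, data in conns:
        kind = classify(age, data)
        if kind != "ok":
            per_ip = counts.setdefault(ip, {})
            per_ip[kind] = per_ip.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(suspects(SAMPLE_CONNECTIONS))
```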
Countermeasures
* Shut down all the services until the attack has subsided.
* Install anti-virus and anti-Trojan software and keep these up-to-date.
* Increase awareness of security issues and prevention techniques.
* Disable unnecessary services, uninstall unused applications, and scan all the files
received from external sources.
* Increase bandwidth on critical connections to absorb additional traffic generated
by an attack.
* Replicate servers to provide additional failsafe protection.