CEH Lesson 4 - Sniffing, Session Hijacking, and DoS

This document discusses sniffers, session hijacking, and denial-of-service attacks. It defines sniffers as programs that collect network traffic and explains both passive and active sniffing. It also describes how attackers can use ARP poisoning and MAC flooding to conduct active sniffing on a switched network. Session hijacking and denial-of-service attacks are also summarized, along with common tools used for each type of attack.

Uploaded by Louise Real
Certified Ethical Hacker

Lesson 4
Sniffers, Session Hijacking, and
Denial-of-Service
Lesson 4
Objectives

After reading this lesson you will be able to:


 Define sniffers and how they are used by hackers
 Describe active and passive sniffing
 Know sniffing tools
 Explain session hijacking
 Explain denial-of-service
Sniffers

 A program that could be used to collect information that goes through the network
 Can place a host network card in promiscuous mode
– Collects all packets that the system sees, not just the ones addressed to it
 Passive:
– Sniffing performed on a hub
– Not common in most current network environments
 Active:
– Sniffing performed on a switched network
– Use port mirroring or switch mirroring to collect all traffic that passes through the switch
 Sniffers operate at the data link layer
Active Sniffing

 The attacker must be either on the local network or at a point where traffic passes through.
 Overcoming sniffing limitations on a switched network:
– MAC flooding
– ARP poisoning
Address Resolution Protocol (ARP)
 ARP resolves known IP addresses to unknown MAC addresses.
 ARP communication consists of two message types:
– ARP request
– ARP reply
 Does not verify that the responding device is who it says it is.
 ARP cache:
– Stores the IP address, MAC address, and time of each entry.
– Run the arp -a command to see the ARP cache.
ARP Poisoning and Flooding

 Sending phony ARP requests or replies to the switch in an attempt to steer traffic to the sniffing system.
 Spoofing the router's MAC address enables the attacker to capture all outbound traffic and carry out man-in-the-middle attacks.
 Tools:
– Arpspoof
– Ufasoft Sniff
– WinARPAttacker
– Ettercap
– Cain and Abel
– WINDNSSpoof
MAC Flooding

 Seeks to overload the switch content addressable memory (CAM) table.
 Frames start flooding all ports on the switch.
 Drawbacks:
– Generates a lot of network traffic
– Requires a second machine to perform the capture
 Tools:
– EtherFlood
– SMAC
– Macof
 Other techniques:
– DHCP starvation
– DHCP snooping
– Rogue DHCP server
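The slide states the effect (a full CAM table makes the switch flood frames out of every port) without showing the mechanism. The toy switch below is an added example written for this page, not code from the lesson or from any tool it names. It assumes two things the slide does not specify: that a full CAM table evicts its oldest entry, and that port security is modelled as a per-port limit on learned MAC addresses that err-disables the port when exceeded (the "allowed MAC addresses per switch port" countermeasure covered later in the lesson). The scenario compares where a unicast frame from host A to host B ends up with and without that limit.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy model of a switch CAM table (added example; assumptions noted below).

    - When the table is full the oldest entry is evicted (assumption).
    - Port security = per-port cap on learned MACs; exceeding it err-disables
      the port (assumption, modelled on the countermeasure slide).
    """

    def __init__(self, cam_size, ports, max_macs_per_port=None):
        self.cam_size = cam_size
        self.ports = list(ports)
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()      # MAC address -> port it was learned on
        self.violations = set()       # ports shut down by port security

    def learned_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, src_mac, dst_mac, in_port):
        """Process one frame and return the list of egress ports."""
        if in_port in self.violations:
            return []                                   # err-disabled: drop
        if src_mac not in self.cam:
            if (self.max_macs_per_port is not None
                    and self.learned_on(in_port) >= self.max_macs_per_port):
                self.violations.add(in_port)            # port security trips
                return []
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)            # evict oldest (assumption)
            self.cam[src_mac] = in_port
        else:
            self.cam.move_to_end(src_mac)               # refresh entry age
        out_port = self.cam.get(dst_mac)
        if out_port is None:                            # unknown dst or broadcast
            return [p for p in self.ports if p != in_port]   # flood all other ports
        if out_port == in_port:
            return []                                   # same segment: filter
        return [out_port]


def run_scenario(port_security):
    """Two hosts and one noisy port; returns (egress ports of A->B frame, switch)."""
    sw = Switch(cam_size=8, ports=[1, 2, 3],
                max_macs_per_port=2 if port_security else None)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(host_a, BROADCAST, 1)      # switch learns A on port 1
    sw.forward(host_b, BROADCAST, 2)      # switch learns B on port 2
    # Port 3 emits frames with 20 constructed bogus source MACs, the flooding pattern
    for i in range(20):
        sw.forward(f"02:00:00:00:00:{i:02x}", BROADCAST, 3)
    # Where does a unicast frame from A to B now go?
    return sw.forward(host_a, host_b, 1), sw


if __name__ == "__main__":
    for flag in (False, True):
        egress, sw = run_scenario(flag)
        print(f"port security {'on ' if flag else 'off'}: A->B egress ports {egress}, "
              f"err-disabled ports {sorted(sw.violations)}")
```

Without the per-port limit the bogus entries push A and B out of the table, so the A-to-B frame is flooded to port 3 as well, which is exactly what the sniffing host on that port wants. With the limit set to two addresses, the third bogus source trips the violation, port 3 is shut, and the A-to-B frame is delivered only to port 2.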
Tools for Sniffing

 Wireshark
– Displays multiple views of captured data:
• Summary
• Details
• Hex
– Filters can be set up to view specific types of traffic:
• Capture filters
• Display filters
 CACE Pilot
 Omnipeek
 Dsniff
 TCPdump
 Windump
Wireshark
 Sniffers, such as Wireshark, can display multiple views of captured traffic. Three main views are available:
– Summary
– Detail
– Hex
Number Conversion
Wireshark Filters
 An important feature of a sniffer such as Wireshark is the capability it has to set up filters to view specific types of traffic. Filters can be defined in one of two ways:
– Capture filters: Used when you know in advance what you are looking for. They allow you to predefine the type of traffic captured. For example, you could set a capture filter to capture only HTTP traffic.
– Display filters: Used after the traffic is captured. Although you might have captured all types of traffic, you could apply a display filter to show only ARP packets. Display filter examples include the following:
• Filter by IP address (for example, ip.addr==192.168.123.1)
• Filter by multiple IP addresses (for example, ip.addr==192.168.123.1 or ip.addr==192.168.123.2)
• Filter by protocol such as ARP, ICMP, HTTP, or BGP
• Filter by port (for example, tcp.port==23)
• Filter by activity (for example, tcp.flags.reset==1)
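To make the display-filter examples above concrete, here is a small evaluator that applies them to a constructed five-packet capture. It is an added example, not Wireshark code: the packet records are made up, and the evaluator supports only the syntax the slide uses (`field==value`, bare protocol names, `and`, `or`). The one Wireshark behaviour it deliberately reproduces is that `ip.addr` expands to both `ip.src` and `ip.dst`, and `tcp.port` to both TCP ports, which is why `ip.addr==192.168.123.1` selects traffic in both directions.

```python
# Constructed sample capture (not a real trace): one record per packet.
# "layers" lists the protocols a dissector would recognise in that frame.
PACKETS = [
    {"no": 1, "layers": {"eth", "arp"}},
    {"no": 2, "layers": {"eth", "ip", "tcp"}, "ip.src": "192.168.123.1",
     "ip.dst": "192.168.123.50", "tcp.srcport": 40001, "tcp.dstport": 23,
     "tcp.flags.reset": 0},
    {"no": 3, "layers": {"eth", "ip", "tcp"}, "ip.src": "192.168.123.50",
     "ip.dst": "192.168.123.1", "tcp.srcport": 23, "tcp.dstport": 40001,
     "tcp.flags.reset": 1},
    {"no": 4, "layers": {"eth", "ip", "icmp"}, "ip.src": "192.168.123.2",
     "ip.dst": "192.168.123.1"},
    {"no": 5, "layers": {"eth", "ip", "tcp", "http"}, "ip.src": "192.168.123.2",
     "ip.dst": "10.0.0.9", "tcp.srcport": 51000, "tcp.dstport": 80,
     "tcp.flags.reset": 0},
]

# Convenience fields that expand to several concrete fields. This is why
# ip.addr==X matches packets sent to X as well as packets sent from X.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
}


def match_term(packet, term):
    """Evaluate one atom: either 'field==value' or a bare protocol name."""
    term = term.strip()
    if "==" in term:
        field, value = (s.strip() for s in term.split("==", 1))
        for concrete in ALIASES.get(field, (field,)):
            if concrete in packet and str(packet[concrete]) == value:
                return True
        return False
    return term in packet["layers"]


def matches(packet, expr):
    """'and' binds tighter than 'or'; parentheses are not supported here."""
    return any(all(match_term(packet, t) for t in group.split(" and "))
               for group in expr.split(" or "))


def apply_display_filter(expr, packets=PACKETS):
    """Return the frame numbers that survive the display filter."""
    return [p["no"] for p in packets if matches(p, expr)]


if __name__ == "__main__":
    for expr in ("arp",
                 "ip.addr==192.168.123.1",
                 "ip.addr==192.168.123.1 or ip.addr==192.168.123.2",
                 "tcp.port==23",
                 "tcp.flags.reset==1",
                 "http and ip.addr==192.168.123.2"):
        print(f"{expr:52} -> frames {apply_display_filter(expr)}")
```

Frame 3 is the server side of the Telnet exchange in frame 2, and it carries a RST; `tcp.flags.reset==1` picks out exactly that frame, the sort of "activity" filter that surfaces aborted connections during an investigation.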
Countermeasures

 Implement port security:
– Configure each switch with the MAC address of devices allowed to send/receive traffic.
– Known as Dynamic ARP Inspection (DAI) in Cisco devices.
– IP Source Guard:
• Restricts IP traffic on untrusted Layer 2 ports
– Can be time-consuming on large networks.
 Use encryption:
– IPsec, VPNs, SSL, and PKI
 Arpwatch tool:
– Keeps track of Ethernet/IP address pairings and reports unusual traffic
 Build static ARP entries:
– Inefficient and time-consuming
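The ARP slide earlier notes that ARP never verifies the responder, and the countermeasures above list Arpwatch (tracking IP/MAC pairings) and static ARP entries as the answers. The monitor below, an added example and not Arpwatch's own code, ties the two together: it consumes a constructed stream of ARP replies, keeps the same (IP, MAC, time) triple the ARP cache stores, and reports the events an Arpwatch-style tool would raise. The event names ("new station", "changed ethernet address", "flip flop") follow Arpwatch's conventions; the `pinned` table of static entries and the "conflict with static entry" event are this example's own addition.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpEvent:
    kind: str
    ip: str
    old_mac: Optional[str]
    new_mac: str
    ts: int


class ArpMonitor:
    """Tracks IP -> MAC pairings seen in ARP replies and reports changes.

    `pinned` holds the pairings an administrator would configure as static
    ARP entries (assumption for this example); any reply that contradicts
    one of them is reported with its own event kind.
    """

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, last seen)
        self.history: Dict[str, set] = {}              # ip -> every MAC ever seen

    def observe(self, ts: int, ip: str, mac: str) -> Optional[ArpEvent]:
        mac = mac.lower()
        prev = self.table.get(ip)
        seen = self.history.setdefault(ip, set())
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            kind = "conflict with static entry"
        elif prev is None:
            kind = "new station"
        elif prev[0] == mac:
            kind = None                                # routine refresh, no event
        elif mac in seen:
            kind = "flip flop"                         # reverting to an earlier MAC
        else:
            kind = "changed ethernet address"
        self.table[ip] = (mac, ts)
        seen.add(mac)
        if kind is None:
            return None
        return ArpEvent(kind, ip, prev[0] if prev else None, mac, ts)


# Constructed ARP replies (timestamp, sender IP, sender MAC); not a real capture.
SAMPLE_REPLIES = [
    (1000, "192.168.123.1", "00:11:22:33:44:01"),    # gateway announces itself
    (1001, "192.168.123.50", "00:11:22:33:44:50"),   # a workstation
    (1060, "192.168.123.1", "00:11:22:33:44:01"),    # unchanged refresh
    (1120, "192.168.123.1", "02:ab:cd:ef:00:99"),    # gateway IP claimed by another MAC
    (1180, "192.168.123.1", "00:11:22:33:44:01"),    # real gateway reasserts itself
]


def run(replies=SAMPLE_REPLIES, pinned=None) -> List[ArpEvent]:
    """Feed the replies through a monitor and return the events it raised."""
    monitor = ArpMonitor(pinned)
    events = []
    for reply in replies:
        event = monitor.observe(*reply)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for e in run(pinned={"192.168.123.1": "00:11:22:33:44:01"}):
        print(f"{e.ts} {e.kind:28} {e.ip} {e.old_mac} -> {e.new_mac}")
```

The gateway address changing MAC and then changing back within a minute is the pattern a poisoning attempt leaves behind, and it is reported either way; pinning the gateway simply upgrades the first change from "changed ethernet address" to a conflict with a known-good entry, which is a stronger signal because the legitimate pairing is no longer in question.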
Session Hijacking

 Exploiting a weakness in TCP and network communication and taking over the connection
 Has a sniffing component, but the attacker injects packets into the network
 Steps:
– Identify an active session.
– Predict the sequence number.
– Take one of the parties offline.
– Take control of the session.
Identifying an Active Session

 First step in the session hijacking process
 Easier if attacker and victim are on the same network segment:
– Passive sniffing if there is a hub
– Active sniffing if there is a switch
 Challenging task when on a different segment:
– Attacker needs to do blind sequence number prediction.
– Attacker can send packets to the server to sample sequence numbers.
Predict Sequence Numbers

 Every byte of data transmitted with TCP must have a sequence number:
– Used to keep track of data and support reliability
 Attackers need to predict the sequence number so that they can inject packets before the session ends.
 Prediction results depend on the OS.
 Could use tools such as Nmap, Ettercap, and Hunt.
Session Hijacking

 The hacker's goal is to take the user offline after they predict the sequence number:
– Denial-of-service
– Source routing attacks
– Tricks the server into believing that the hacker is the legitimate user
 The attacker takes control of the session and uses the connection to execute commands.
Application Layer Hijacking

 Objective is to steal or predict a session token
 Techniques:
– Session sniffing
– Predictable session token ID
– Man-in-the-middle attacks
– Man-in-the-browser attacks
– Client-side attacks
Session Hijacking Tools

 Ettercap
 Hunt
 TTY Watcher
 IP Watcher
 T-Sight
 Application layer session hijacking:
– Firesheep
– Hamster
– Session thief
– TamperIE
Preventing Session Hijacking

 Two main methods:
– Prevention:
• Limiting incoming connections.
• Rejecting Internet packets that originate from a local address.
• Use encryption.
• Disable FTP and Telnet if not needed, or use SSH.
– Detection
Denial-of-Service
 Targets the availability of a system or network
 Types of DoS:
– Bandwidth consumption:
• Blocks a machine or a group of machines from using network bandwidth
• Smurf
• Fraggle
• Chargen
– SYN Flood attacks:
• Directs the flood of traffic at an individual service on a machine
• Type of resource starvation attack
• SYN flood – sends large number of packets with SYN flag set
– Program and application attacks:
• Causes a critical error on a machine to halt its capability of operating
• Ping of Death
• Teardrop
• Land
Distributed Denial-of-Service
 Similar to DoS but the attacker uses multiple machines to carry out the attack
 Two phases:
– Preattack:
• Attacker compromises other computers to act as masters and zombies.
• Puts a distance between the attacker’s machine and the targeted system.
– Actual attack:
• The master instructs zombies to start the attack.
 Two components of DDoS attack:
– Software:
• Client software
• Daemon software
– Hardware:
• Master
• Zombie
• Target
DDoS Tools
 Tribal Flood Network (TFN):
– UNIX-based tool
– Can be used to launch ICMP, Smurf, UDP, and SYN flood attacks
– Master uses UDP port 31335 and TCP port 27665
 Trinoo:
– Launches a coordinated UDP flood attack
– Easy to use
 Stacheldraht:
– A hybrid between TFN and Trinoo
– Uses encryption
– Uses TCP port 16660 by default
 TFN2K
 WinTrinoo
 Shaft
 MStream
 Trinity
DoS and DDoS Countermeasures

 Use the principle of least privilege.
 Close unused ports.
 Disable nonessential services.
 Implement bandwidth limitation.
 Apply the latest patches and security fixes.
 Allow only necessary traffic.
 Use IDS.
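The last countermeasure, "use IDS", is the only one on the list that detects rather than prevents, and the SYN flood described under resource starvation is the textbook case for it. The detector below is an added example written for this page, not the logic of any IDS product; it runs over a constructed packet log and measures the symptom the slide names, half-open connections (a SYN never followed by the client's ACK). It goes one step beyond the slide by counting half-open entries per destination port as well as per source, because a flood that rotates or spoofs its source addresses leaves each source below any per-source threshold while the victim port's backlog still fills. The window, threshold and address values are assumptions chosen for the demonstration.

```python
from collections import Counter

# Packet record: (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Only client-side packets are needed: "S" opens a half-open entry and the
# client's "A" (third handshake step) or an "R" closes it.


def build_sample():
    """Constructed traffic for the demonstration, not a real capture."""
    pkts = [
        (0.00, "192.168.123.2", 51000, "10.0.0.9", 80, "S"),   # ordinary client
        (0.10, "192.168.123.2", 51000, "10.0.0.9", 80, "A"),   # completes handshake
    ]
    # 30 SYNs to port 80 from 30 different source addresses, never acknowledged
    for i in range(30):
        pkts.append((5.0 + i * 0.03, f"198.51.100.{i + 1}", 40000 + i,
                     "10.0.0.9", 80, "S"))
    # 25 SYNs to port 443 from a single source, never acknowledged
    for i in range(25):
        pkts.append((6.0 + i * 0.03, "203.0.113.7", 42000 + i,
                     "10.0.0.9", 443, "S"))
    return pkts


def half_open_counts(packets, window):
    """Count half-open handshakes younger than `window` seconds, per source
    and per (destination, port), as of the last packet in the log."""
    pending = {}                                   # (src, sport, dst, dport) -> SYN time
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags in ("A", "R") and key in pending:
            del pending[key]                       # handshake finished or aborted
    now = max(p[0] for p in packets)
    per_src, per_dst = Counter(), Counter()
    for (src, sport, dst, dport), ts in pending.items():
        if now - ts <= window:
            per_src[src] += 1
            per_dst[(dst, dport)] += 1
    return per_src, per_dst


def detect_syn_flood(packets, window=10.0, threshold=20):
    """Return sorted (scope, identifier, half_open_count) alerts over threshold."""
    per_src, per_dst = half_open_counts(packets, window)
    alerts = [("source", src, n) for src, n in per_src.items() if n >= threshold]
    alerts += [("destination", f"{dst}:{dport}", n)
               for (dst, dport), n in per_dst.items() if n >= threshold]
    return sorted(alerts)


if __name__ == "__main__":
    for scope, ident, count in detect_syn_flood(build_sample()):
        print(f"SYN flood suspected ({scope}): {ident} has {count} half-open connections")
```

The ordinary client disappears from the counts as soon as its ACK arrives. The 30-source flood against port 80 produces no per-source alert at all (each address has one half-open entry) and is caught only by the destination count, while the single-source flood against port 443 trips both, which is why a detector should keep both views.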
Lesson 4
Summary
 Explain sniffers.
 Describe active and passive sniffing.
 Explain ARP poisoning and MAC flooding.
 Know sniffing tools.
 Explain session hijacking.
 Be familiar with session hijacking tools.
 Describe DoS and DDoS.
 Know DoS and DDoS tools.
 Be familiar with DoS countermeasures.
