Sniffing, Spoofing, Session Hijacking

N/A
N/A
Protected

Academic year: 2019

Sniffing – Spoofing – Session Hijacking

Isbat Uzzin Nadhori

Informatics Engineering

PENS-ITS

Sniffing

Sniffing is an attempt to read

Packet Sniffing

What is packet sniffing?

Packet sniffing is listening (with software) to the raw network device for data packets that fit certain criteria.

A “Packet Sniffer” is needed to collect those data packets. It must be capable of working with the type of network interface supported by the OS.

Packets are all in binary format. A “Protocol Analyzer” helps make sense of it all: it recognizes which bits belong to the header fields of the protocols in which the data is embedded.

It can be useful to debug, at bit level, an application that sends and receives messages through a TCP/IP connection.

Ethereal runs on all popular platforms, including Unix, Linux and Windows. It is a powerful, open-source protocol analyzer. tcpdump, Natas (Windows), nfswatch and Web Packet Sniffer (Unix) are other examples of free sniffers. LanWatch, Etherpeek and Sniff’em are examples of commercial sniffers.

Ethereal

Now known as Wireshark: http://www.wireshark.org/

Install Wireshark on GNU/Linux:

#apt-get install wireshark

...damn, it's so easy to install Wireshark on GNU/Linux.

Packet Sniffing (2.1): Introduction to Ethereal

(Screenshot) Click this button to show available interfaces.

Packet Sniffing (2.2): Introduction to Ethereal

(Screenshot) While the sniffer is running, this window shows how many packets, belonging to each different protocol, are being captured.

Packet Sniffing: the Ethereal main window

(Screenshot callouts)

• List of captured packets

• Protocol Analyzer: the selected packet is analyzed below

• Packet in binary format: the selected piece of the packet is highlighted below

Packet Sniffing (5.1)

Example: analysis of packets exchanged between an LLRP Reader (IP: 206.169.229.171) and a Client (IP: 18.58.0.254).

TCP connection establishment:

• Step 1: The client initiates the connection [SYN flag set] and informs about its initial Sequence Number.

• Step 2: The reader accepts, acknowledges the previous message and informs about the initial Sequence Number chosen for the reverse direction [SYN, ACK flags set].

• Step 3: The client acknowledges the previous message [ACK flag set].

Once the connection is established, LLRP data transfer can take place.

Wait … what is LLRP?

Low Level Reader Protocol (LLRP) Standard

LLRP is a protocol for an interface between RFID Readers and Clients. The interface protocol is called low-level because it provides control of RFID air protocol operation timing and access to air protocol command parameters.

The design of this interface recognizes that in some RFID systems there is a requirement for explicit knowledge of RFID air protocols and the ability to control Readers that implement RFID air protocol communications. It also recognizes that coupling control to the physical layers of an RFID infrastructure may be useful for the purpose of mitigating RFID interference.

RFID

RFID (English: Radio Frequency Identification), or Radio Frequency Identification, is an identification method that uses devices called RFID tags or transponders to store and retrieve data remotely.

An RFID tag or card is an object that can be attached to or inserted into a product, an animal or even a human, for the purpose of identification using radio waves. An RFID tag consists of a silicon microchip and an antenna. A passive tag does not need a power source, whereas an active tag needs a power source in order to function.

Question ..

Still remember TCP/UDP?

Still remember Connection Oriented and Connectionless?

TCP?

Packet Sniffing (5.2)

Example: TCP Connection Establishment, Step 1 (screenshot).

Packet Sniffing (5.3)

Example: TCP Connection Establishment, Step 2 (screenshot).

Packet Sniffing (5.4)

Example: TCP Connection Establishment, Step 3 (screenshot).

Packet Sniffing: reading the decoded packet

• Link Layer Protocol: Ethernet. The protocol’s header contains source and destination MAC addresses.

• Network Layer Protocol: IP. The protocol’s header contains source and destination IP addresses.

• Transport Layer Protocol: TCP. The protocol’s header contains source and destination ports. Sequence and Acknowledgement numbers are useful to follow the order in which messages were sent. In TCP, the first sequence number is randomly generated. To make it easier to follow, Ethereal displays relative numbers, that is, as if the first one were zero.

• Application data: these are the data bits sent by the application.

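As an added example (not from the original slides), the following Python script acts as a tiny protocol analyzer: it builds a constructed three-way handshake between the Client (18.58.0.254) and the LLRP Reader (206.169.229.171), decodes the Ethernet, IP and TCP header fields listed above from the raw bytes, and reports sequence and acknowledgement numbers relative to each side's ISN, as Ethereal does. The TCP port 5084, the MAC addresses and the ISNs are assumptions.

```python
import struct

SYN, ACK = 0x02, 0x10
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left at zero)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    return eth + ip4 + tcp

def parse_frame(frame):
    """Decode the link, network and transport header fields, as a protocol analyzer does."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip4 = frame[14:]
    ihl = (ip4[0] & 0x0F) * 4                       # IP header length in bytes
    src_ip, dst_ip = struct.unpack("!4s4s", ip4[12:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip4[ihl:ihl + 14])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in FLAG_NAMES.items() if off_flags & bit]}

def relative_numbers(frames):
    """Report seq/ack relative to each direction's ISN, the way Ethereal/Wireshark displays them."""
    isn, rows = {}, []
    for frame in frames:
        p = parse_frame(frame)
        fwd = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
        rev = (p["dst_ip"], p["dport"], p["src_ip"], p["sport"])
        isn.setdefault(fwd, p["seq"])               # first seq seen on a side is its ISN
        rel_ack = p["ack"] - isn[rev] if "ACK" in p["flags"] and rev in isn else None
        rows.append((p["src_ip"], p["dst_ip"], p["flags"], p["seq"] - isn[fwd], rel_ack))
    return rows

# Constructed three-way handshake between the Client and the LLRP Reader from the slides.
CLIENT, READER = "18.58.0.254", "206.169.229.171"
LLRP_PORT = 5084                                    # assumption: LLRP's TCP port; not stated on the slides
C_MAC, R_MAC = "020000000001", "020000000002"       # constructed MAC addresses
C_ISN, R_ISN = 0x1A2B3C4D, 0x77E5F001               # random ISNs, as the slides describe
HANDSHAKE = [
    build_frame(C_MAC, R_MAC, CLIENT, READER, 40001, LLRP_PORT, C_ISN, 0, SYN),
    build_frame(R_MAC, C_MAC, READER, CLIENT, LLRP_PORT, 40001, R_ISN, C_ISN + 1, SYN | ACK),
    build_frame(C_MAC, R_MAC, CLIENT, READER, 40001, LLRP_PORT, C_ISN + 1, R_ISN + 1, ACK),
]
```

relative_numbers(HANDSHAKE) returns one row per frame: source, destination, flag names, relative seq and relative ack (None where the ACK flag is not set).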

Question ...

Still remember the TCP layer and

Packet Sniffing (5.6)

Example: LLRP data transfer.

The client sends the GET_READER_CAPABILITIES LLRP message to the reader. Application data (11 bytes, hex):

04 01 00 00 00 0b 00 00 00 01 00

The same bytes in binary:

0000 0100 0000 0001 0000 0000 0000 0000 0000 0000 0000 1011
0000 0000 0000 0000 0000 0000 0000 0001 0000 0000

Decoded fields (bits numbered 0 to 31 within each 32-bit word):

• Rsvd = 000

• Ver = 001

• Message Type = 00 0000 0001 = “1”

• Message Length [31:16] = 0000 0000 0000 0000

• Message Length [15:0] = 0000 0000 0000 1011 = “11”

• Message ID [31:16] = 0000 0000 0000 0000

• Message ID [15:0] = 0000 0000 0000 0001 = “1”

• Requested Data = 0000 0000
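As an added example (not part of the slides), the decoder below reproduces the field split shown above for the captured GET_READER_CAPABILITIES bytes, checks that the Message Length field agrees with the number of bytes actually captured, and includes the inverse encoder so the bytes can be rebuilt from the fields. The constant and function names are my own.

```python
LLRP_HEADER_LEN = 10                     # Rsvd/Ver/Type (2 bytes) + Message Length (4) + Message ID (4)
GET_READER_CAPABILITIES_TYPE = 1         # Message Type value shown on the slide

def decode_llrp_header(msg):
    """Split the LLRP header into its fields and check the Length field against the wire size."""
    if len(msg) < LLRP_HEADER_LEN:
        raise ValueError("truncated LLRP message: the header needs 10 bytes")
    first = int.from_bytes(msg[0:2], "big")        # Rsvd(3) | Ver(3) | Message Type(10)
    length = int.from_bytes(msg[2:6], "big")
    if length != len(msg):
        raise ValueError(f"Message Length says {length} bytes but {len(msg)} were captured")
    return {"rsvd": first >> 13,
            "version": (first >> 10) & 0x7,
            "message_type": first & 0x3FF,
            "message_length": length,
            "message_id": int.from_bytes(msg[6:10], "big"),
            "body": msg[LLRP_HEADER_LEN:]}

def encode_llrp_message(message_type, message_id, body=b"", version=1):
    """Build an LLRP message; the inverse of decode_llrp_header (Rsvd bits stay zero)."""
    first = ((version & 0x7) << 10) | (message_type & 0x3FF)
    length = LLRP_HEADER_LEN + len(body)
    return (first.to_bytes(2, "big") + length.to_bytes(4, "big")
            + message_id.to_bytes(4, "big") + body)

def decode_get_reader_capabilities(msg):
    """Decode the header plus the one-byte Requested Data field shown on the slide."""
    fields = decode_llrp_header(msg)
    if fields["message_type"] != GET_READER_CAPABILITIES_TYPE:
        raise ValueError(f"expected GET_READER_CAPABILITIES, got type {fields['message_type']}")
    if len(fields["body"]) != 1:
        raise ValueError("GET_READER_CAPABILITIES carries exactly one Requested Data byte")
    fields["requested_data"] = fields["body"][0]
    return fields

# The 11 bytes captured on the slide: Client -> Reader, GET_READER_CAPABILITIES.
CAPTURED = bytes.fromhex("04 01 00 00 00 0b 00 00 00 01 00")
```

A length field that disagrees with the captured size is exactly the kind of inconsistency a protocol analyzer flags, so the decoder refuses such a message rather than guessing.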

Session Hijacking

Session hijacking is taking over a session on a network connection.

• Types:

Active session hijacking

The attacker takes over an ongoing session by breaking an existing communication. The attacker acts as a man-in-the-middle and takes an active part in the communication between client and server. This attack requires the skill to guess the server's sequence number (SEQ) before the client can respond to the server.

Passive session hijacking

Spoofing

In spoofing (fooling, deceiving), an attacker impersonates someone else. This allows him/her to exploit the

Types of Spoofing

• ARP Spoofing: the attacker replaces the client's MAC address (as seen in ARP) with the attacker's own MAC address.

• IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.

• Email spoofing: the attacker sends email but makes it appear to come from someone else.

• Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.

IP Spoofing

IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header.

Routers use the destination IP address to forward packets, but ignore the source IP address. The source IP address is used only by the destination machine, when it responds back to the source.

When an attacker spoofs someone’s IP address, the victim’s reply goes back to that address. Since the attacker does not receive packets back, this is

Email Spoofing

There are 3 basic ways to perform it:

• Aliasing

Email Spoofing

One simple form of email spoofing is to create a valid email account (on Yahoo or Hotmail) and put someone else’s name in the alias field.

In mail relaying, an attacker uses a mail server to send mail to someone in a different domain.

When email is sent by a user, the From: address

Web Spoofing

One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g.:

www.paypai.com

wwwFirstNationalBank.com

Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g., in an email.

Example:

MitM Attacks

• ‘Man-in-the-Middle’ refers to a machine that is set up so that traffic between two other machines must pass through the MitM machine.

• Difficult to set up, especially over the Internet. Not so difficult in a LAN environment.

• Provides no additional advantages over a ‘sniffer’; it is actually just a way to implement a sniffer.

• Defense: encryption (however, MitM can refer to an intermediate encrypter); strong perimeter security for Internet MitM attacks.

Countermeasures

• IP Spoofing

Protect against it with good firewall rules: keep your machines from launching spoofed IP packets (router filters).

Limit configuration access on machines.

Use programs like arpwatch that keep track of IP/MAC pairings.

The best way to protect against source routing spoofing is to simply disable source routing at your routers.

• Email Spoofing

Most email servers today do not allow email relaying. They only allow emails to be sent to/from their range of IP addresses, and they ensure that the recipient’s domain is the same domain as the mail server. The attacker can run his own email server, but then he is easier to trace.

Defense: do not allow email relaying on your SMTP servers.

• Web Spoofing

Use a ‘server-side certificate’. Still, users should examine the browser location/status line and examine links in the HTML source code.
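As an added example (not from the slides), here is the core of the arpwatch idea from the IP Spoofing countermeasures above: a tracker that records each IP/MAC pairing seen in ARP replies and flags a pairing that changes or flips back, which is how ARP spoofing of a gateway shows up on the wire. The ARP replies are constructed sample data, and the class and function names are my own.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")     # time, sender IP, sender MAC from an ARP reply

class ArpWatch:
    """Keep the IP -> MAC pairings seen on the LAN and flag any that change, arpwatch-style."""

    def __init__(self):
        self.table = {}        # ip -> MAC currently claimed for it
        self.history = {}      # ip -> every MAC ever seen claiming it

    def observe(self, reply):
        """Return (ts, kind, ip, old_mac, new_mac) when a pairing is new or changed, else None."""
        ip, mac = reply.ip, reply.mac.lower()
        seen = self.history.setdefault(ip, set())
        prev = self.table.get(ip)
        if prev == mac:
            return None                                # same pairing as before, nothing to report
        if prev is None:
            kind = "new station"
        elif mac in seen:
            kind = "flip flop"                         # bounced back to a MAC seen earlier
        else:
            kind = "changed ethernet address"
        self.table[ip] = mac
        seen.add(mac)
        return (reply.ts, kind, ip, prev, mac)

def suspicious_changes(replies):
    """Run the tracker over a capture and keep only the pairing changes worth an alert."""
    watch = ArpWatch()
    return [a for a in map(watch.observe, replies) if a and a[1] != "new station"]

# Constructed ARP replies: the gateway's IP is briefly claimed by a second MAC, then returns.
SAMPLE_REPLIES = [
    ArpReply("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway
    ArpReply("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    ArpReply("10:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),    # same pairing, no alert
    ArpReply("10:02:10", "192.168.1.1", "de:ad:be:ef:00:99"),    # gateway IP now at another MAC
    ArpReply("10:02:40", "192.168.1.1", "aa:bb:cc:00:00:01"),    # and back again
]
```

suspicious_changes(SAMPLE_REPLIES) yields two alerts for 192.168.1.1: a changed ethernet address at 10:02:10 and a flip flop at 10:02:40; a real deployment would feed it live ARP replies and send the alerts to whoever owns the LAN.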

References
