Sniffing - Spoofing - Session Hijacking
Isbat Uzzin Nadhori
Informatics Engineering
PENS-ITS
Sniffing
Sniffing is an attempt to read
Packet sniffing is listening (with software) on the raw network device for data packets that fit certain criteria.
A "packet sniffer" is needed to collect those packets. It must be able to work with the type of network interface supported by the OS.
Packets are all in binary format. A "protocol analyzer" helps make sense of it all: it recognizes which bits belong to the header fields of the protocols in which the data is embedded.
It can be useful for debugging, at bit level, an application that sends and receives messages over a TCP/IP connection.
Ethereal runs on all popular platforms, including Unix, Linux and Windows. It is a powerful, open-source protocol analyzer. tcpdump, Natas (Windows), nfswatch and Web Packet Sniffer (Unix) are other examples of free sniffers. LanWatch, Etherpeek and Sniff'em are examples of commercial sniffers.
Packet Sniffing
What is packet sniffing?
Ethereal
Now known as Wireshark
http://www.wireshark.org/
Install Wireshark on GNU/Linux:
# apt-get install wireshark
...it really is that easy to install Wireshark on GNU/Linux. Capturing on an interface needs privileges, though: run the capture as root, or (on Debian-based systems) let the wireshark-common package create the wireshark group and add your user to it, rather than running the whole GUI as root.
Packet Sniffing (2.1): Introduction to Ethereal
Screenshot: the toolbar button that lists the available capture interfaces.
Packet Sniffing (2.2): Introduction to Ethereal
Screenshot: while the sniffer is running, this window shows how many packets, belonging to each different protocol, are being captured.
Packet Sniffing: the Ethereal main window
Screenshot of the three panes: the list of captured packets (top); the protocol analyzer, where the selected packet is decoded field by field (middle); and the packet in binary/hex form, where the piece selected in the middle pane is highlighted (bottom).
Packet Sniffing (5.1)
Example: analysis of packets exchanged between an LLRP Reader (IP: 206.169.229.171) and a Client (IP: 18.58.0.254).
TCP connection establishment:
• Step 1: the Client initiates the connection [SYN flag set] and announces its initial Sequence Number.
• Step 2: the Reader accepts, acknowledges the previous message and announces the initial Sequence Number chosen for the reverse direction [SYN, ACK flags set].
• Step 3: the Client acknowledges the previous message [ACK flag set].
Once the connection is established, LLRP data transfer can take place.
Wait ... what is LLRP?
Low Level Reader Protocol (LLRP)
Standard
LLRP is a protocol for the interface between RFID Readers and Clients. The interface protocol is called low-level because it provides control of RFID air-protocol operation timing and access to air-protocol command parameters.
The design of this interface recognizes that in some RFID systems there is a requirement for explicit knowledge of RFID air protocols and the ability to control Readers that implement RFID air-protocol communications. It also recognizes that coupling control to the physical layers of an RFID infrastructure may be useful for the purpose of mitigating RFID interference.
RFID
RFID (Radio Frequency Identification) is an identification method that uses devices called RFID tags or transponders to store and retrieve data remotely. An RFID tag or card is an object that can be attached to or embedded in a product, an animal or even a person for the purpose of identification by radio waves. An RFID tag consists of a silicon microchip and an antenna. Passive tags need no power source, while active tags need a power source in order to function.
Question ...
Do you still remember TCP/UDP?
Do you still remember connection-oriented and connectionless communication?
TCP?
Packet Sniffing (5.2)
Example: TCP connection establishment, step 1 (screenshot).
Packet Sniffing (5.3)
Example: TCP connection establishment, step 2 (screenshot).
Packet Sniffing (5.4)
Example: TCP connection establishment, step 3 (screenshot).
Link layer protocol: Ethernet. The header contains the source and destination MAC addresses.
Network layer protocol: IP. The header contains the source and destination IP addresses.
Transport layer protocol: TCP. The header contains the source and destination ports. Sequence and Acknowledgement numbers make it possible to follow the order in which messages were sent. In TCP the first sequence number is randomly generated; to make it easier to follow, Ethereal displays relative numbers, that is, as if the first one were zero.
Below the headers come the data bytes sent by the application.
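The three-way handshake above, and the relative sequence numbers that Ethereal/Wireshark displays, as an added example in Python (not code from the original slides). It builds three constructed Ethernet/IPv4/TCP frames between the Client and Reader addresses shown on the slides, then parses them the way the protocol analyzer does: the link, network and transport headers are split out, the flags are named, and each sequence/acknowledgement number is shown relative to the initial sequence number of its own direction. The MAC addresses, the client port 49152, the two initial sequence numbers and the use of TCP port 5084 for LLRP (the IANA-registered LLRP port, not stated on the slides) are assumptions of the example.

```python
"""Parse Ethernet/IPv4/TCP frames and reproduce Wireshark's relative sequence
numbers for the Client/Reader handshake on the slides.

Added example, not part of the original slides. The IP addresses come from the
slides; MACs, ports, ISNs and checksums (left zero) are constructed.
"""
import socket
import struct
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass
class Segment:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed frame: Ethernet II + IPv4 (no options) + TCP (no options)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame):
    """Walk the three headers the protocol analyzer shows: link, network, transport."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4              # TCP header length in bytes
    return Segment(
        src_mac=frame[6:12].hex(":"), dst_mac=frame[:6].hex(":"),
        src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]),
        sport=sport, dport=dport, seq=seq, ack=ack,
        flags=off_flags & 0x1FF, payload=tcp[data_off:],
    )


def flag_names(flags):
    return ", ".join(n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN")) if flags & bit)


def next_seq(seg):
    """Sequence number this sender will use next: SYN and FIN each consume one."""
    return (seg.seq + len(seg.payload) + bool(seg.flags & SYN) + bool(seg.flags & FIN)) & 0xFFFFFFFF


def analyze_handshake(frames):
    """One record per frame, with seq/ack shown relative to each direction's ISN."""
    isn = {}          # (ip, port) of a sender -> its initial sequence number
    out = []
    for seg in map(parse_frame, frames):
        me, peer = (seg.src_ip, seg.sport), (seg.dst_ip, seg.dport)
        if seg.flags & SYN:
            isn[me] = seg.seq
        rel_seq = (seg.seq - isn[me]) & 0xFFFFFFFF
        rel_ack = (seg.ack - isn[peer]) & 0xFFFFFFFF if (seg.flags & ACK and peer in isn) else None
        out.append({"from": seg.src_ip, "to": seg.dst_ip, "flags": flag_names(seg.flags),
                    "rel_seq": rel_seq, "rel_ack": rel_ack, "next_seq": next_seq(seg)})
    return out


CLIENT, READER = "18.58.0.254", "206.169.229.171"          # from the slides
CLIENT_MAC, READER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed
CLIENT_ISN, READER_ISN = 0x1A2B3C4D, 0x9E8D7C6B                    # constructed
LLRP_PORT = 5084                                                    # assumption: IANA LLRP port

HANDSHAKE = [
    build_frame(CLIENT_MAC, READER_MAC, CLIENT, READER, 49152, LLRP_PORT, CLIENT_ISN, 0, SYN),
    build_frame(READER_MAC, CLIENT_MAC, READER, CLIENT, LLRP_PORT, 49152, READER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_frame(CLIENT_MAC, READER_MAC, CLIENT, READER, 49152, LLRP_PORT, CLIENT_ISN + 1, READER_ISN + 1, ACK),
]

if __name__ == "__main__":
    for step, rec in enumerate(analyze_handshake(HANDSHAKE), 1):
        print(f"Step {step}: {rec['from']} -> {rec['to']} [{rec['flags']}] "
              f"seq={rec['rel_seq']} ack={rec['rel_ack']}")
```

The relative numbers come out as 0/-, 0/1 and 1/1 for the three steps, which is exactly what the Ethereal screenshots show. next_seq() is the value the other side expects next; it is what an attacker on the path reads straight out of the capture, and what an off-path attacker would have to guess.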
Packet Sniffing
Question ...
Do you still remember the TCP layers and
Packet Sniffing (5.6)
Example: LLRP data transfer.
The Client sends the Reader a GET_READER_CAPABILITIES LLRP message. Application data (11 bytes, hex):
04 01 00 00 00 0b 00 00 00 01 00
The same bytes in binary:
0000 0100 0000 0001 0000 0000 0000 0000 0000 0000 0000 1011
0000 0000 0000 0000 0000 0000 0000 0001 0000 0000
Decoded against the LLRP message header layout (bit 0 is the most significant bit of the first byte):
Bits 0-2    Rsvd = 000
Bits 3-5    Ver = 001 (version 1)
Bits 6-15   Message Type = 00 0000 0001 = 1 (GET_READER_CAPABILITIES)
Bits 16-47  Message Length = 0000 0000 0000 0000 0000 0000 0000 1011 = 11 (bytes, header included)
Bits 48-79  Message ID = 0000 0000 0000 0000 0000 0000 0000 0001 = 1
Bits 80-87  Requested Data = 0000 0000
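Decoding the LLRP message header in code, as an added example (Python, not from the slides or from any LLRP implementation). parse_llrp_header() splits the first 10 bytes into the fields laid out above and checks that the Message Length field agrees with the number of bytes actually present; split_messages() uses that length to cut consecutive messages out of a TCP byte stream, which is how a sniffer has to handle LLRP because TCP delivers a stream, not message boundaries. The message-type table contains only the one type shown on the slide, and the meaning of Requested Data = 0 ("All") is taken from the LLRP 1.0 specification rather than from the slide.

```python
"""LLRP message header parsing for the GET_READER_CAPABILITIES bytes on the slide.

Added example, not from the slides. Only the message type shown on the slide is
named; the RequestedData meaning is from the LLRP 1.0 specification.
"""
import struct

HEADER_LEN = 10                                  # Rsvd/Ver/Type (2 bytes) + Length (4) + ID (4)
MESSAGE_TYPES = {1: "GET_READER_CAPABILITIES"}   # only the type shown on the slide
REQUESTED_DATA = {0: "All"}                      # per LLRP 1.0, not stated on the slide

# The 11 application-data bytes captured on the slide.
SLIDE_BYTES = bytes.fromhex("04 01 00 00 00 0b 00 00 00 01 00")


def parse_llrp_header(data):
    """Split one complete LLRP message into its header fields and body."""
    if len(data) < HEADER_LEN:
        raise ValueError("need at least 10 bytes for an LLRP header")
    first, length, msg_id = struct.unpack("!HII", data[:HEADER_LEN])
    if length != len(data):
        # Message Length counts the whole message, header included; a mismatch means
        # the message is truncated, padded, or not LLRP at all.
        raise ValueError(f"Message Length says {length} bytes, got {len(data)}")
    mtype = first & 0x3FF
    return {
        "rsvd": first >> 13,            # bits 0-2
        "ver": (first >> 10) & 0x7,     # bits 3-5
        "type": mtype,                  # bits 6-15
        "name": MESSAGE_TYPES.get(mtype, f"type {mtype}"),
        "length": length,               # bits 16-47
        "id": msg_id,                   # bits 48-79
        "body": data[HEADER_LEN:],
    }


def parse_get_reader_capabilities(data):
    """Header plus the one-byte RequestedData field carried by this message type."""
    hdr = parse_llrp_header(data)
    if hdr["type"] != 1:
        raise ValueError(f"expected GET_READER_CAPABILITIES, got {hdr['name']}")
    if len(hdr["body"]) < 1:
        raise ValueError("missing RequestedData byte")
    hdr["requested_data"] = hdr["body"][0]
    hdr["requested_data_name"] = REQUESTED_DATA.get(hdr["body"][0], "?")
    return hdr


def encode_llrp(mtype, msg_id, body=b"", ver=1):
    """Inverse of parse_llrp_header: build a message with a correct Length field."""
    first = ((ver & 0x7) << 10) | (mtype & 0x3FF)
    return struct.pack("!HII", first, HEADER_LEN + len(body), msg_id) + body


def split_messages(stream):
    """Cut whole LLRP messages out of a TCP byte stream; returns (messages, leftover)."""
    messages, pos = [], 0
    while len(stream) - pos >= HEADER_LEN:
        length = struct.unpack("!I", stream[pos + 2:pos + 6])[0]
        if length < HEADER_LEN:
            raise ValueError(f"impossible Message Length {length} at offset {pos}")
        if len(stream) - pos < length:
            break                        # tail of the stream is an incomplete message
        messages.append(stream[pos:pos + length])
        pos += length
    return messages, stream[pos:]


if __name__ == "__main__":
    msg = parse_get_reader_capabilities(SLIDE_BYTES)
    print(f"{msg['name']} v{msg['ver']} id={msg['id']} len={msg['length']} "
          f"RequestedData={msg['requested_data']} ({msg['requested_data_name']})")
```

The length check matters in practice: a sniffer or an intrusion sensor that trusts the Message Length field without comparing it to the bytes on the wire can be desynchronized by a single malformed message, after which every following message is mis-parsed.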
Session Hijacking
Session hijacking is taking over a session on a network connection.
Types:
– Active session hijacking
The attacker takes over an ongoing session by breaking the communication that is in progress. The attacker acts as a man-in-the-middle and takes an active part in the communication between client and server. This attack requires the ability to guess the server's sequence number (SEQ) before the client can respond to the server. (If the attacker can sniff the connection, the sequence numbers are read directly from the captured segments; guessing is only needed when the attacker is off-path.)
– Passive session hijacking
Spoofing
In spoofing (fooling, deceiving), an attacker impersonates someone else. This allows him/her to exploit the
Types of Spoofing
ARP spoofing: the attacker sends ARP replies that bind another host's IP address (the client's, or the gateway's) to the attacker's MAC address, so that frames meant for that host are delivered to the attacker.
IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.
Email spoofing: the attacker sends email but makes it appear to come from someone else.
Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.
IP Spoofing
IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the source field of the header.
Routers use the destination IP address to forward packets, but ignore the source IP address.
The source IP address is used only by the destination machine, when it responds back to the source.
When an attacker spoofs someone's IP address, the victim's reply goes back to that address, not to the attacker.
Since the attacker does not receive packets back, this is
Email Spoofing
Three basic ways to perform it:
– Aliasing
One simple form of email spoofing is to create a valid email account (on Yahoo or Hotmail) and put someone else's name in the alias (display name) field.
In mail relaying, an attacker uses a mail server to send mail to someone in a different domain.
When email is sent by a user, the From: address
Web Spoofing
One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g.
www.paypai.com
wwwFirstNationalBank.com
Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g. in an email.
Example:
MitM Attacks
'Man-in-the-Middle' refers to a machine that is set up so that traffic between two other machines must pass through the MitM machine.
Difficult to set up, especially over the Internet; not so difficult in a LAN environment, where ARP spoofing is the usual way in.
A MitM sees everything a sniffer sees and, in addition, can modify, drop or inject traffic in either direction; a sniffer can only listen.
Defense:
Encryption with authentication of the endpoints (e.g. TLS with certificate validation). Encryption alone is not enough, because a MitM can terminate the encrypted connection itself and re-encrypt towards the other side. Strong perimeter security for Internet MitM attacks.
Countermeasures
IP Spoofing
Protect against it with good firewall and router filter rules: drop incoming packets whose source address belongs to your own network (ingress filtering), and keep your own machines from sending packets with a spoofed source (egress filtering).
Limit configuration access on machines.
Programs like arpwatch keep track of IP/MAC pairings and alert when a pairing changes.
The best way to protect against source-routing spoofing is simply to disable source routing at your routers.
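Two of the countermeasures above in working form, as an added example (Python, not code from the slides or from arpwatch): an arpwatch-style monitor that parses ARP replies, learns IP-to-MAC pairings and flags a reply that contradicts a learned pairing (the signature of the ARP spoofing described under Types of Spoofing), and a border-router ingress/egress filter of the kind the first bullet describes. The site prefix 10.0.0.0/24, the gateway and client addresses, the MAC addresses and the sample frames are all constructed.

```python
"""ARP pairing monitor and anti-spoofing border filter.

Added example, not from the slides. Network, hosts and frames are constructed;
MACs use the IANA documentation range 00:00:5e:00:53:xx.
"""
import ipaddress
import struct

ETH_ARP = 0x0806
ARP_REPLY = 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II frame carrying an ARP reply (RFC 826 layout)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_ARP) + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    arp = frame[14:]
    if struct.unpack("!HHBBH", arp[:8]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(arp[14:18])), arp[8:14].hex(":")


class ArpWatch:
    """Learn IP -> MAC pairings from ARP replies and record any that change.
    A changed pairing is usually ARP spoofing, a replaced NIC or a
    misconfigured host; all three deserve an alert."""

    def __init__(self):
        self.pairings = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return "ignored"
        ip, mac = parsed
        known = self.pairings.get(ip)
        if known is None:
            self.pairings[ip] = mac
            return "new"
        if known != mac:
            self.alerts.append((ip, known, mac))
            return "changed"
        return "ok"


INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed site prefix


def spoof_filter(iface, src_ip, internal=INTERNAL):
    """Border-router rule. On the Internet-facing side ("wan") drop packets that
    claim an internal source (ingress filtering); on the LAN side drop packets
    whose source is not ours, so our own machines cannot launch spoofed packets
    (egress filtering)."""
    src = ipaddress.ip_address(src_ip)
    if iface == "wan" and src in internal:
        return "drop"
    if iface == "lan" and src not in internal:
        return "drop"
    return "accept"


# Constructed sample: the gateway answers twice, then an attacker claims its IP.
GATEWAY_IP, GATEWAY_MAC, ATTACKER_MAC = "10.0.0.1", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"
CLIENT_IP, CLIENT_MAC = "10.0.0.7", "00:00:5e:00:53:07"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),   # spoofed reply
]


def run_sample():
    """Feed the sample frames through the monitor; returns (verdicts, alerts)."""
    watch = ArpWatch()
    verdicts = [watch.observe(f) for f in SAMPLE_FRAMES]
    return verdicts, watch.alerts


if __name__ == "__main__":
    print(run_sample())
    print(spoof_filter("wan", "10.0.0.5"), spoof_filter("lan", "203.0.113.9"))
```

The monitor only sees replies that reach its own interface, so on a switched LAN it has to run on a mirror port or on the host being protected; and it learns the first pairing it sees, so it must be started while the network is known to be clean.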
Email Spoofing
Most email servers today do not allow open relaying: they accept mail for delivery only from clients within their own range of IP addresses, or when the recipient's domain is one the server itself is responsible for. The attacker can run his own email server, but then he is easier to trace.
Defense: do not allow open email relaying on your SMTP servers.
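The relay policy just described, and the aliasing trick from the Email Spoofing section, as an added example (Python, not code from the slides or from any mail server): relay_decision() is the RCPT TO check a non-open relay applies, with the weak open-relay setting selectable for comparison, and from_header_check() separates what the user sees (the display name, i.e. the "alias") from the address the mail really comes from. The client networks, the hosted domain and the sample headers are constructed.

```python
"""SMTP relay policy and From: header check.

Added example, not from the slides. Networks, domains and headers are constructed.
"""
import ipaddress
from email.utils import parseaddr

MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our own clients
MY_DOMAINS = {"example.com"}                           # constructed: domains we host


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def relay_decision(client_ip, rcpt_to, open_relay=False):
    """RCPT TO policy of an SMTP server.
    open_relay=True is the weak setting an attacker abuses to send spoofed mail
    through someone else's server; the default is the corrected behaviour."""
    if open_relay:
        return "accept"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in MY_NETWORKS):
        return "accept"          # our own users may send anywhere
    if _domain(rcpt_to) in MY_DOMAINS:
        return "accept"          # inbound mail for a domain we are responsible for
    return "reject"              # anything else would be relaying for strangers


def from_header_check(from_header):
    """Return the display name and the real address separately, and flag a
    display name that is itself an address in a different domain (a common
    variant of the aliasing trick: "ceo@example.com" <random@freemail>)."""
    name, addr = parseaddr(from_header)
    name_domain = _domain(parseaddr(name)[1]) if "@" in name else ""
    return {
        "display_name": name,
        "address": addr,
        "domain": _domain(addr),
        "alias_mismatch": bool(name_domain) and name_domain != _domain(addr),
    }


if __name__ == "__main__":
    print(relay_decision("198.51.100.7", "victim@other.invalid"))
    print(relay_decision("198.51.100.7", "victim@other.invalid", open_relay=True))
    print(from_header_check('"ceo@example.com" <mailbox123@freemail.invalid>'))
    print(from_header_check("Bill Gates <someone@freemail.invalid>"))
```

Note what the second From: example shows: a plain name in the display-name field cannot be flagged by the server at all, because nothing in the message is inconsistent; only the reader (or a mail client that shows the real address) can catch that one.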
Web Spoofing
Use a server-side (TLS) certificate, so the browser can verify which site it is talking to. Still, users should examine the browser location/status line and examine the links in the HTML source code.
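The two checks above done programmatically, as an added example (Python, not code from the slides): classify_host() compares a host name against an allow-list of legitimate domains after collapsing the lookalike tricks shown in the Web Spoofing section (paypai/paypal, the dropped dot in wwwFirstNationalBank.com), and mislabeled_links() parses HTML and reports anchors whose visible text names one site while the href goes to another. The allow-list, the confusable-character mapping and the HTML snippet are constructed; the mapping is a small heuristic, not a full confusables table.

```python
"""Lookalike-domain classification and mislabeled-link detection.

Added example, not from the slides. Allow-list and HTML sample are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT = {"paypal.com", "firstnationalbank.com"}       # constructed allow-list
_CONFUSABLE = str.maketrans("1i0", "llo")             # characters that read alike
_URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registrable(host):
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def confusable_form(host):
    """Collapse the tricks on the slide: 'paypai' -> 'paypal', 'wwwfirst...' ->
    'first...' (dot after www dropped), plus 'rn' -> 'm' and 'vv' -> 'w'."""
    h = registrable(host)
    if h.startswith("www"):
        h = h[3:]
    return h.replace("rn", "m").replace("vv", "w").translate(_CONFUSABLE)


def classify_host(host, legit=LEGIT):
    """('legitimate', domain) | ('lookalike', imitated domain) | ('unknown', host)."""
    r = registrable(host)
    if r in legit:
        return ("legitimate", r)
    by_form = {confusable_form(d): d for d in legit}
    match = by_form.get(confusable_form(r))
    return ("lookalike", match) if match else ("unknown", r)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def mislabeled_links(html):
    """Anchors whose text looks like a URL but names a different host than the href."""
    parser = _Anchors()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not _URLISH.fullmatch(text):
            continue                     # "click here" style text: nothing to compare
        shown, real = registrable(_host(text)), registrable(_host(href))
        if shown and real and shown != real:
            found.append({"shown": shown, "real": real, "href": href})
    return found


SAMPLE_HTML = """<p>Your account is locked. Log in at
<a href="http://www.paypai.com/login">www.paypal.com</a> or
<a href="https://www.paypal.com/help">www.paypal.com/help</a> or
<a href="https://example.org/x">click here</a>.</p>"""

if __name__ == "__main__":
    for h in ("www.paypal.com", "www.paypai.com", "wwwFirstNationalBank.com", "example.org"):
        print(h, classify_host(h))
    print(mislabeled_links(SAMPLE_HTML))
```

mislabeled_links() deliberately compares exact hosts rather than confusable forms: the point of that check is that the text and the href disagree at all, and a "www.paypal.com" label over a paypai.com link is precisely the case it must not normalize away.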