Module Objectives
This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later the module discusses various tools, countermeasures, and sniffing detection techniques. The module ends with an overview of penetration (pen) testing steps that an ethical hacker should follow to perform the security assessment of a target.
At the end of this module, you will be able to:
■ Describe the sniffing concepts
■ Explain different MAC attacks
■ Explain different DHCP attacks
■ Describe ARP poisoning
■ Explain different MAC spoofing attacks
■ Describe DNS poisoning
■ Use different sniffing tools
■ Apply sniffing countermeasures
■ Apply various techniques to detect sniffing
■ Perform sniffing penetration testing
The module covers the following topics:
■ Sniffing Concepts
■ Sniffing Techniques
■ Sniffing Tools
■ Countermeasures
■ Sniffing Detection Techniques
■ Sniffing Pen Testing
Sniffing Concepts
This section describes network sniffing and its threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the OSI model, hardware protocol analyzers, SPAN ports, wiretapping, and lawful interception.
Packet Sniffing
■ Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or a hardware device.
■ A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
■ It allows an attacker to observe and access the entire network traffic from a given point.
■ Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions, account information, etc.
FIGURE: Attacker PC with its NIC in promiscuous mode capturing the segment's traffic
Network Sniffing
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network by using a software application or a hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today use switches. The major difference between a hub and a switch is that a hub repeats every frame to every port and keeps no mapping of which device sits behind which port, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the frame only to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.
An attacker needs to manipulate the functionality of the switch in order to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network.
Often, any laptop can plug into a network and gain access to it, because many enterprises leave unused switch ports enabled. A packet sniffer placed on a network in promiscuous mode can capture and analyze all of the network traffic on its segment. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) that normally prevents the host machine from seeing other stations' traffic. Thus, sniffing programs can see everyone's traffic.
Though most networks today employ switch technology, packet sniffing is still useful, because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, FTP passwords, etc. It allows an attacker to read passwords in clear text, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP, HTTP Basic, Telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a lot of information by reading captured data packets and then use that information to break into the network. Attacks become more effective when these techniques are combined with the active transmission of crafted packets.
The following diagram depicts an attacker sniffing the data packets exchanged between two legitimate network users through a switch:
FIGURE: Packet sniffing scenario
How a Sniffer Works
The most common way of networking computers is through Ethernet. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system when building data frames. The Data Link layer of the OSI model places an Ethernet header on each frame that carries the MAC address of the destination machine rather than its IP address. Mapping an IP address to the MAC address required by the Data Link protocol is the job of the Address Resolution Protocol (ARP). The sender first looks for the MAC address of the destination machine in a table, usually called the ARP cache. If there is no entry for the IP address, it broadcasts an ARP request to all machines on the local subnetwork. The machine with that IP address responds to the source machine with its MAC address. The source machine adds this mapping to its ARP cache and then uses this MAC address in all its communications with the destination machine.
There are two basic types of Ethernet environments, and sniffers work differently in each. The two types of Ethernet environments are:
■ Shared Ethernet
In a shared Ethernet environment, a single bus connects all the hosts, which compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machine 3 and machine 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and hence difficult to detect.
■ Switched Ethernet
In a switched Ethernet environment, the hosts connect to a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and delivers frames destined for a particular machine only to that machine's port rather than broadcasting them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, simply putting a machine's NIC into promiscuous mode does not, by itself, expose other hosts' traffic. As a result, many people think that switched networks are totally secure and immune to sniffing. However, this is not true. Though a switch is more secure than a hub, sniffing the network is possible using the following methods:
■ ARP Spoofing
ARP is stateless. A machine accepts an ARP reply even if it never sent a request for it, and caches the mapping the reply carries. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network: the ARP cache of the target machine will then hold a wrong entry for the gateway, and all the traffic destined to pass through the gateway will instead pass through the machine that spoofed the gateway's MAC address.
■ MAC Flooding
Switches keep a translation table that maps MAC addresses to the physical ports on the switch, which is what lets them forward frames intelligently from one host to another. However, switches have limited memory for this table. MAC flooding exploits this limitation by bombarding a switch with frames from fake source MAC addresses until the switch can no longer keep up. Once this happens, the switch enters fail-open mode, in which it acts as a hub and sends frames out of all its ports, and sniffing becomes easy. Macof, a utility from the dsniff suite, helps an attacker perform MAC flooding.
Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off on network machines, so the NIC accepts only those packets that are addressed to its own machine and discards the packets sent to other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment, and it can then decode the information encapsulated in each packet it receives. Attackers configure the NIC in their machines to run in promiscuous mode, so that the card starts accepting all the packets. In this way, the attacker can view all the packets that are transmitted on the network segment.
Types of Sniffing
Attackers run sniffers to put the host system's NIC into promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture every packet that reaches it, not only those addressed to the host. There are two types of sniffing, each suited to a different type of network:
■ Passive sniffing
■ Active sniffing
Passive Sniffing
Passive sniffing involves sending no packets. It just captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the part of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. In a network that uses hubs to connect systems, all hosts can see all the traffic, so it is easy to capture traffic going through the hub by passive sniffing. Attackers use the following passive sniffing methods to get control over the target network:
■ Compromising the physical security: An attacker who succeeds in compromising the physical security of the target organization can walk into the organization with a laptop, plug into the network, and capture sensitive information about the organization.
■ Using a Trojan horse: Many Trojans have built-in sniffing capability. An attacker can install such a Trojan on a victim's machine to compromise it; after compromising the machine, the attacker can install a packet sniffer and perform sniffing.
Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing.
Note: Passive sniffing provides significant stealth advantages over active sniffing.
Active Sniffing
Active sniffing searches for traffic on a switched LAN by actively injecting traffic into the LAN. Active sniffing also refers to sniffing through a switch. A switched Ethernet does not transmit every frame to all the systems connected to the LAN as a hub-based network does, so a passive sniffer is unable to capture other hosts' data on a switched network. Active sniffing is harder to perform, and the injected traffic makes these sniffer programs easier to detect.
Switches examine frames for source and destination MAC addresses and then transmit them to the appropriate port only. Therefore, it is cumbersome to sniff switched networks. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their MAC-address-to-port table in Content Addressable Memory (CAM), a special type of memory that records which host is connected to which port. A sniffer takes all the information visible on the network and records it for future review. An attacker can see all the information in the packet, including data that should remain hidden.
To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves injecting packets into the network, for example forged ARP replies, to force traffic toward the attacker's machine.
The following is the list of different active sniffing techniques:
■ MAC flooding
■ DNS poisoning
■ ARP poisoning
■ DHCP attacks
■ Switch port stealing
■ Spoofing attack
■ MITM attack
MITM
In a man-in-the-middle (MITM) attack, the traffic destined for the victim machine is redirected to the attacker, who extracts passwords and sensitive data from the redirected traffic.
How an Attacker Hacks the Network Using Sniffers
Attackers use sniffing tools to sniff packets and monitor network traffic on the target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.
■ Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system to one of the ports on the switch.
FIGURE: Discovering a switch to access the network
■ Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery tools.
FIGURE: Using network discovery tools to learn topology
■ Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks.
FIGURE: Identifying victim's machine
■ Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.
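The ARP exchange described under "How a Sniffer Works", the ARP spoofing method listed for switched Ethernet, and Step 4 above all rest on the same fact: a host updates its ARP cache from whatever reply arrives, solicited or not. The following added example (written for this edit; it is not code from the module or from any tool it names) decodes Ethernet/ARP frames with the Python standard library and mirrors what a host's cache would learn, flagging a reply that contradicts a trusted gateway binding. All MAC and IP addresses and all frames are constructed for the demo; in practice the frames would be fed from a promiscuous-mode capture.

```python
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp_frame(frame: bytes):
    """Decode an Ethernet II frame; return Arp if it carries IPv4-over-Ethernet ARP, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a constructed ARP frame for the demo (a request goes to the broadcast MAC)."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH_HDR.pack(mac_bytes(dst), mac_bytes(sha), ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op,
                           mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))


class ArpWatch:
    """Mirror what a host's ARP cache would learn from ARP traffic and flag any IP whose MAC changes.

    `static` holds bindings the operator trusts (typically the gateway). Those are never
    overwritten, and any frame contradicting them is reported as a spoofing attempt."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.learned = {}
        self.alerts = []   # (ip, expected MAC, observed MAC, kind)

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None or arp.sender_ip == "0.0.0.0":   # ignore non-ARP and ARP probes
            return None
        ip, mac = arp.sender_ip, arp.sender_mac          # both requests and replies assert a binding
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append((ip, self.static[ip], mac, "static binding violated"))
        elif ip not in self.learned:
            self.learned[ip] = mac
        elif self.learned[ip] != mac:
            self.alerts.append((ip, self.learned[ip], mac, "binding changed"))
            self.learned[ip] = mac   # an unprotected cache would accept the new value, so mirror it
        return arp


def run_demo():
    """Constructed scenario: gateway 10.0.0.1, victim 10.0.0.5, attacker 10.0.0.9 (all invented)."""
    gw, victim, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:99"
    frames = [
        build_arp_frame(ARP_REQUEST, victim, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp_frame(ARP_REPLY, gw, "10.0.0.1", victim, "10.0.0.5"),        # legitimate answer
        build_arp_frame(ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.5"),  # unsolicited, forged
    ]
    watch = ArpWatch(static={"10.0.0.1": gw})
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("ALERT: %s was %s, now claimed by %s (%s)" % alert)
```

The detector treats the sender fields of requests as well as replies as a claimed binding, because a gratuitous ARP request is just as effective at poisoning a cache as a reply. Pinning the gateway as a static entry is the same measure that static ARP entries or Dynamic ARP Inspection apply on a real host or switch.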
Protocols Vulnerable to Sniffing
The following protocols are vulnerable to sniffing. The main reason for sniffing these protocols is to acquire passwords:
■ Telnet and Rlogin
Telnet is a protocol used for communicating with a remote host (via port 23) on a network by using a command-line terminal; rlogin likewise allows a user to log into a network machine remotely over a TCP connection. Neither protocol provides encryption, so the data traversing between clients and servers is in plain text and vulnerable to sniffing. Attackers can sniff keystrokes, including usernames and passwords.
■ HTTP
HTTP provides no encryption by default, so websites served over plain HTTP transfer user data across the network in plain text, which attackers can read to steal user credentials.
■ SNMP
SNMP is a TCP/IP-based protocol used for exchanging management information between devices connected on a network. The first version of SNMP (SNMPv1) does not offer strong security; community strings and management data are transferred in clear text. Attackers exploit this weakness in order to acquire passwords in plain text.
■ NNTP
Network News Transfer Protocol (NNTP) distributes, inquires, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community. The protocol does not encrypt the data, which gives an attacker the opportunity to sniff sensitive information.
■ POP
The Post Office Protocol (POP) allows a user's workstation to access mail from a mailbox server. A user can send mail from the workstation to the mailbox server via the Simple Mail Transfer Protocol (SMTP). Attackers can easily sniff the data flowing across a POP session in clear text because of the protocol's weak security implementation.
■ FTP
File Transfer Protocol (FTP) enables clients to share files between computers in a network. This protocol does not provide encryption, so attackers sniff data as well as user credentials by running tools like Cain & Abel.
■ IMAP
Internet Message Access Protocol (IMAP) allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in clear text.
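Each protocol listed above carries its credentials in a recognizable clear-text form, so a capture can be checked for them mechanically. The following added example (written for this edit; it is not code from the module or from Cain & Abel) scans reassembled application payloads for FTP, POP3, HTTP Basic, IMAP and SMTP AUTH PLAIN logins. The sample payloads are constructed, not real captures. Telnet and rlogin are not handled here because they send one keystroke per segment and need stream reassembly first, and SNMP and NNTP would each need their own parser.

```python
import base64
import binascii
import re

# Constructed sample payloads: (destination port, bytes as they would appear on the wire
# after TCP reassembly). These are not real captures.
SAMPLE_PAYLOADS = [
    (21, b"USER alice\r\n"),
    (21, b"PASS s3cret\r\n"),
    (110, b"USER bob\r\n"),
    (110, b"PASS hunter2\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:Winter2024") + b"\r\n\r\n"),
    (143, b'a001 LOGIN dave "letmein"\r\n'),
    (25, b"AUTH PLAIN " + base64.b64encode(b"\x00frank\x00Passw0rd!") + b"\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # start of a TLS ClientHello: nothing readable
]

USER_PASS = re.compile(r"^(USER|PASS)\s+(\S+)", re.I)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+"?([^"\s]+)"?', re.I)
SMTP_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.I)


def _b64_text(token: str) -> str:
    """Decode a base64 token; return '' if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def extract_credentials(payloads):
    """Scan reassembled payloads for credentials sent in the clear.

    Returns a list of (protocol, username, password) tuples in the order found.
    FTP and POP3 send USER and PASS as separate commands, so the username is held
    per port until the matching PASS arrives."""
    found = []
    pending_user = {}   # port -> username waiting for its PASS
    for port, data in payloads:
        text = data.decode("latin-1")   # one byte per character, never raises
        for line in text.split("\r\n"):
            m = USER_PASS.match(line)
            if m and port in (21, 110):
                proto = "FTP" if port == 21 else "POP3"
                if m.group(1).upper() == "USER":
                    pending_user[port] = m.group(2)
                elif port in pending_user:
                    found.append((proto, pending_user.pop(port), m.group(2)))
                continue
            m = HTTP_BASIC.match(line)
            if m:
                user, _, password = _b64_text(m.group(1)).partition(":")
                if user:
                    found.append(("HTTP Basic", user, password))
                continue
            m = IMAP_LOGIN.match(line)
            if m and port == 143:
                found.append(("IMAP", m.group(1), m.group(2)))
                continue
            m = SMTP_PLAIN.match(line)
            if m:
                parts = _b64_text(m.group(1)).split("\x00")   # [authzid, authcid, password]
                if len(parts) == 3:
                    found.append(("SMTP AUTH PLAIN", parts[1], parts[2]))
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_PAYLOADS):
        print(f"{proto:16} {user}:{password}")
```

Running the same scanner over a real capture is a quick way for a defender to confirm that a segment still carries clear-text authentication; the TLS payload in the sample shows the negative case, since an encrypted record yields nothing for any of the patterns.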
Sniffing in the Data Link Layer of the OSI Model
The Open Systems Interconnection (OSI) model describes network functions as a series of seven layers. Each layer provides services to the layer above it and receives services from the layer below.
The Data Link layer is the second layer of the OSI model. In this layer, packets are framed for transmission as bits and reassembled on receipt. Sniffers operate at the Data Link layer and capture frames there. The layers of the OSI model are designed to work independently of each other, so if a sniffer captures data at the Data Link layer, the upper OSI layers are not aware of the sniffing.
Hardware Protocol Analyzers
A hardware protocol analyzer is a device that interprets traffic passing over a network. It captures signals without altering the traffic on the segment. Its purpose is to monitor network usage and identify malicious network traffic generated by hacking software installed on the network. It captures a data packet, decodes it, and analyzes its content according to predetermined rules. It allows an attacker to see the individual data bytes of each packet passing through the network.
Compared to software protocol analyzers, hardware protocol analyzers can capture more data without packet drops under heavy load. Hardware protocol analyzers provide a wide range of network connection options, from LAN, WAN, and wireless to circuit-based telco network lines. They can display bus states and low-level events such as high-speed negotiation (K/J chirps), transmission errors, and retransmissions. They provide accurate timestamps of the captured traffic. However, hardware analyzers are more expensive and tend to be out of reach for individual developers, hobbyists, and ordinary hackers.
Hardware protocol analyzers from different companies include:
■ N2X N5540A Agilent Protocol Analyzer
Source: https://www.valuetronics.com
The Agilent N2X is a test solution for the development and deployment of network services on converging network infrastructures. Service providers, network equipment manufacturers (NEMs), and component manufacturers can verify service attributes of entire networks end-to-end, while also isolating problems down to individual networking devices and subsystems. Two different types of card can be configured simultaneously, allowing test scenarios that use a combination of port types.
■ Keysight E2960B
Source: http://www.keysight.com
The Keysight E2960B tests as well as debugs. It includes a protocol analyzer that supports x1 through x16 link widths, with intuitive spreadsheet-style visualization. It offers EASY flow and a context-sensitive display for clear protocol viewing. The analyzer includes unique logic capabilities such as lane view, fast ASPM sync time, and triggering on an ordered set.
Some of the hardware protocol analyzers are listed below:
■ RADCOM PrismLite Protocol Analyzer (https://cybarcode.com)
■ STINGA Protocol Analyzer (http://utelsystems.com)
■ NETSCOUT's OneTouch AT Network Assistant (http://enterprise.netscout.com)
■ NETSCOUT's OptiView XG Network Analysis Tablet (http://enterprise.netscout.com)
■ Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)
■ Agilent (Keysight) Technologies E8364B (https://www.microlease.com)
■ U4421A Protocol Analyzer (http://www.keysight.com)
■ U4431A MIPI M-PHY Protocol Analyzer (http://www.keysight.com)
SPAN Port
Switched Port Analyzer (SPAN) is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports of the switch. A SPAN port is a port configured to receive a copy of every packet that passes through the monitored ports. It helps to analyze and debug data, identify errors, and investigate unauthorized network access. When port mirroring is on, the switch sends a copy of the network packets from the source ports to the destination port, where a network analyzer examines them. There can be one or more source ports, but only one destination port per session on the switch. Source ports are the ports whose network packets are monitored and mirrored. The user can simultaneously monitor the traffic of multiple ports, such as the traffic on all the ports of a specific VLAN.
Wiretapping
Wiretapping or telephone tapping is a method of monitoring telephone or Internet conversations by a third party with covert intentions. In order to perform wiretapping, the attacker first selects a target person or host on the network to wiretap and then connects a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts. Typically, the attacker uses a small amount of electrical signal generated by the telephone wires to tap the conversation. This allows attackers to monitor, intercept, access, and record information contained in the data flow in a communication system.
Wiretapping Methods
The following are ways to perform wiretapping:
■ The official tapping of telephone lines
■ The unofficial tapping of telephone lines
■ Recording the conversation
■ Direct line wiretap
■ Radio wiretap
There are two types of wiretapping that an attacker can use to monitor, record, and even alter the data flow in the communication system.
■ Active Wiretapping
In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.
■ Passive Wiretapping
Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.
Note: Wiretapping without a warrant or the consent of the persons conducting the conversation is a criminal offense in most countries, and it is a punishable offense depending on the country's law.
Lawful Interception
Lawful interception refers to legally intercepting data communication between two endpoints for surveillance on the traditional telecommunications, VoIP, data, and multiservice networks. Lawful interception (LI) obtains data from a communication network for analysis or evidence. This is useful in activities like infrastructure management and protection, as well as cyber security-related issues. Here, the network operator or service provider legally sanctions access to private network data for monitoring private communications like telephone calls and email messages. Such operations are carried out by the Law Enforcement Agencies (LEAs).
This type of interception is necessary only to monitor messages exchanged on suspicious channels in which the users are engaged in illegal activity. Countries around the world are making strides to standardize this type of procedure for interception.
The figure above shows the Telco/ISP lawful interception solution provided by Decision Computer Group. The solution consists of one tap or access switch and multiple systems for reconstruction of intercepted data. The tap/access switch collects traffic from the Internet service provider (ISP) network, sorts the traffic by IP domain, and serves it to the E-Detective (ED) systems, which decode and reconstruct the intercepted traffic into its original format. The tool does this with support for protocols such as POP3, IMAP, SMTP, P2P, FTP, Telnet, etc. The Centralized Management Server (CMS) manages all the ED systems.
Sniffing Technique: MAC Attacks
Attackers use various sniffing techniques such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning, etc. to steal and manipulate sensitive data. Attackers use these techniques to get control over the target network by reading captured data packets and then using that information to break into the network.
This section discusses MAC attacks or MAC flooding. Attackers use the MAC flooding technique to force a switch to act like hub, so that they can easily sniff the traffic.
MAC Address
A MAC address uniquely identifies each node of a network. Each device in the network has a MAC address associated with a physical port on the network switch, which makes it possible to designate a specific single point of the network. A MAC address is used as a network address for most IEEE 802 network technologies, including Ethernet. Logically, the MAC protocol in the OSI reference model uses MAC addresses for information transfer.
A MAC address is 48 bits, which split into two sections of 24 bits each. The first section contains the ID number of the organization that manufactured the adapter and is called the Organizationally Unique Identifier (OUI). The next section contains the serial number assigned to the NIC adapter and is called the NIC Specific part.
The MAC address is written as 12 hexadecimal digits, divided into six groups of two or three groups of four. The first six digits indicate the manufacturer, while the next six digits indicate the adapter's serial number. For example, consider the MAC address D4-BE-D9-14-C8-29. The first six digits, D4BED9, indicate the manufacturer (Dell, Inc.), while the next six digits, 14C829, indicate the serial number of the adapter.
CAM Table
The CAM (Content Addressable Memory) table is a dynamic table of fixed size. It stores information such as MAC addresses available on physical ports along with VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards data to the machine through the port with which the MAC address is bound. This method of transferring data in a switched network is more secure than that of a hub-based network, in which the hub forwards the incoming traffic to all the machines in the network.
How CAM Works
A CAM table is the dynamic part of the switch's forwarding state: the Ethernet switch maintains in it the mapping between MAC addresses and its ports. A CAM table keeps track of where each MAC address is located on a switch, but the table is limited in size. If the CAM table is flooded with more MAC addresses than it can hold, the switch falls back to hub-like behaviour, flooding frames for unknown destinations out of every port so that delivery to the intended host is still ensured. Attackers exploit this weakness in the CAM table to sniff network data. An attacker who can connect to the shared switch of the Ethernet segment can easily sniff network data.
Refer to the diagram below for the working of the CAM table. It shows three machines, Machine A, Machine B, and Machine C, holding MAC addresses A, B, and C respectively. Machine A, holding MAC address A, wants to interact with Machine B.
Machine A broadcasts an ARP request. The request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. The switch records MAC address A against the port on which the request arrived, floods the ARP request to all the other hosts in the network, and waits for the reply.
What Happens When CAM Table Is Full?
As discussed, a CAM table contains network information such as the MAC addresses available on physical switch ports and the associated VLAN parameters. The CAM table's limited size renders it susceptible to MAC flooding attacks. MAC flooding bombards the switch with frames carrying fake source MAC addresses until the CAM table is full. Thereafter, the switch can no longer learn new addresses and floods traffic for unknown destinations out of every port, behaving like a hub. The attacker can then monitor the frames sent from the victim host to any other host that has no CAM table entry. This attack also fills the CAM tables of adjacent switches.
The figure given above illustrates how a CAM table can be flooded with fake MAC addresses to monitor the frames sent from the victim host to another host without any CAM table entry.
MAC Flooding
MAC flooding is a technique used to compromise the security of network switches that connect network segments or network devices. Attackers use the MAC flooding technique to force a switch to act as a hub, so that they can easily sniff the traffic.
In a switched network, an Ethernet switch contains a CAM table that stores the MAC addresses of the devices connected to the network. A switch acts as an intermediate device between one or more computers in a network. It looks at each Ethernet frame, which carries the destination MAC address, matches this address against the MAC addresses in its CAM table, and forwards the frame to the destined machine. Unlike a hub, which broadcasts the data across the network, the switch sends data only to the intended recipient. Thus, a switched network is more secure when compared to a hub network. However, the size of the CAM table is fixed, and it can store only a limited number of MAC addresses, so an attacker may send a huge number of frames with fake source MAC addresses to the switch. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter "fail-open mode." In fail-open mode, the switch starts behaving like a hub and broadcasts the incoming traffic through all the ports in the network. The attacker then turns his machine's NIC to promiscuous mode to enable the machine to accept all the traffic reaching it. In this way, attackers can sniff the traffic easily and steal sensitive information.
Mac Flooding Switches with macof Source: https://monkey.org
Macof is a Unix/Linux tool that is part of the dsniff collection. It floods the local network with frames bearing random source MAC and IP addresses, causing some switches to fail open into repeating (hub-like) mode and thereby facilitating sniffing. The tool floods the switch's CAM table (131,000 forged entries per minute) by sending forged MAC entries. When the MAC table fills up and the switch converts to hub-like operation, an attacker can monitor the data being broadcast.
Switch Port Stealing
The switch port stealing sniffing technique uses MAC flooding to sniff the packets. The attacker floods the switch with forged gratuitous ARP packets that carry the target's MAC address as the source and the attacker's own MAC address as the destination. A race condition between the attacker's flooded packets and the target host's packets then occurs, and the switch has to change its MAC address binding constantly between two different ports. If the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her own switch port. Having stolen the target host's switch port in this way, the attacker sends an ARP request for the target host's IP address. When the attacker receives the ARP reply, this indicates that the target host's switch port binding has been restored, and the attacker can now sniff the packets sent toward the targeted host.
Assume that there are three machines in a network: Host A, target's Host B and attacker's Host C.
2. The attacker's machine runs a sniffer that turns the machine's NIC adapter to promiscuous mode.
3. Host A associated with the IP address (10.0.0.1) wants to communicate with Host B associated with the IP address (10.0.0.2). Therefore, host A sends an ARP request (I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?).
4. The switch broadcasts this ARP request to all the machines in the network.
5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to the ARP request by sending an ARP reply containing the spoofed MAC and IP addresses (I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg).
The attacker can achieve this by launching an attack such as Denial of Service (DoS) on Host B, which slows down its response.
6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.
7. The switch's CAM table is updated so that the spoofed MAC address of target Host B (bb-cc-dd-ee-ff-gg) is bound to the port connected to the attacker's machine (Port C). Now, a connection is established between Host A and the attacker's machine (Host C).
How to Defend against MAC Attacks
Port security protects a port by identifying and limiting the MAC addresses of the machines that can access it. If you assign a secure MAC address to a secure port, then the port forwards only packets whose source addresses are within the group of defined addresses.
A security violation occurs:
■ When a port is configured as a secure port, and the maximum number of secure MAC addresses is reached
■ When the MAC address of the machine that is attempting to access the port does not match any of the identified secure MAC addresses
Once the maximum number of secure MAC addresses on the port is set, the secure MAC addresses are included in an address table in any of the following three ways:
■ You can configure all secure MAC addresses by using the switchport port-security mac-address interface configuration command.
■ You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices.
■ You can configure a number of addresses and allow the rest to be dynamically configured.
Port security limits MAC flooding attacks and locks down ports, sending an SNMP trap.
In the figure given below, the attacker floods the switch CAM tables with fake MAC addresses and thus threatens security by turning a switch into a hub.
Configuring Port Security on Cisco Switch
Source: https://www.cisco.com
You can use the following Cisco port security features to defend against MAC attacks:
■ switchport port-security
Enables port security on the interface.
■ switchport port-security maximum 1 vlan access
Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1.
■ switchport port-security violation restrict
Sets the violation mode {restrict | shutdown}, the action to be taken when a security violation is detected.
■ switchport port-security aging time 2
Sets the aging time for the secure port.
■ switchport port-security aging type inactivity
The type keyword sets the aging type as absolute or inactivity.
■ snmp-server enable traps port-security trap-rate 5
Controls the rate at which SNMP traps are generated.
Sniffing Technique: DHCP Attacks
This section discusses the DHCP attacks. A DHCP attack is an active sniffing technique used by the attackers to steal and manipulate sensitive data. This section describes how DHCP works, DHCP starvation attacks, tools used for starvation attacks, rogue server attacks, and the ways to defend against DHCP attacks.
How DHCP Works
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that provides an IP address to an IP host. In addition to the IP address, the DHCP server also provides configuration-related information such as the default gateway and subnet mask. When a DHCP client device boots up, it broadcasts on the network to locate a DHCP server.
DHCP can assign IP configuration to hosts connecting to a network. The distribution of IP configuration to hosts simplifies the administrator's work to maintain IP networks.
DHCP servers maintain TCP/IP configuration information in a database that includes valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server. The server provides address configurations to DHCP-enabled clients in the form of a lease offer.
Working of DHCP:
1. The client broadcasts a DHCPDISCOVER/SOLICIT request asking for DHCP configuration information.
2. The DHCP relay agent captures the client request and unicasts it to the DHCP servers available in the network.
3. The DHCP server unicasts a DHCPOFFER/ADVERTISE, which contains the client's and server's MAC addresses.
4. The relay agent broadcasts the DHCPOFFER/ADVERTISE in the client's subnet.
5. The client broadcasts a DHCPREQUEST/REQUEST asking the DHCP server to provide the DHCP configuration information.
6. The DHCP server sends a unicast DHCPACK/REPLY message to the client with the IP configuration information.
DHCP Request/Reply Messages
A device that already has an IP address can use the simple request/reply exchange to get other configuration parameters from a DHCP server. When the DHCP client receives a DHCP offer, the client immediately responds by sending back a DHCP request packet. Devices that are not using DHCP to acquire IP addresses can still utilize DHCP's other configuration capabilities. A client can broadcast a DHCPINFORM message to request that any available server send the configuration parameters for use on the network. DHCP servers respond with the requested parameters and/or default parameters carried in DHCP options of a DHCPACK message. If a DHCP request comes from a hardware address that is in the DHCP server's reserved pool and the request is not for the IP address that this DHCP server offered, the DHCP server's offer is invalid. The DHCP server can put that IP address back into the pool and offer it to another client.
IPv4 DHCP Packet Format
DHCP enables communication on an IP network by configuring network devices. It assigns IP addresses and other information to computers so that they can communicate on the network in a client-server mode. DHCP has two functionalities: one is delivering host-specific configuration parameters and the other is allocating network addresses to hosts.
A series of DHCP messages is used in the communication between DHCP servers and DHCP clients. The DHCP message has the same format as the BOOTP message. This maintains compatibility of DHCP with BOOTP relay agents, eliminating the need to change the BOOTP client's initialization software in order to interoperate with DHCP servers.
DHCP Starvation Attack
In a DHCP starvation attack, an attacker floods the DHCP server by sending a large number of DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to Denial-of-Service (DoS) attacks. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Gobbler.
DHCP Starvation Attack Tools
DHCP starvation attack tools send a large number of requests to a DHCP server, leading to exhaustion of the server's address pool, after which the DHCP server is not able to allocate configurations to new clients.
■ Yersinia
Source: http://www.yersinia.net
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols, such as DHCP. It aims to be a solid framework for analyzing and testing the deployed networks and systems.
Some of the DHCP starvation attack tools are listed below:
■ Hyenae (https://sourceforge.net)
■ dhcpstarv (https://github.com)
■ Gobbler (https://sourceforge.net)
■ DHCPig (https://github.com)
Rogue DHCP Server Attack
In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP Server's IP address space can set up a Rogue DHCP Server on the network which is not under the control of the network administrator. The Rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting itself as a default gateway. Clients connected to the network with the addresses assigned by the Rogue Server will now become victims of MITM and other attacks, where packets forwarded from a client's machine will reach the rogue server first.
In a rogue DHCP server attack, an attacker will introduce a rogue server into the network. This rogue server has the ability to respond to clients' DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In a case where the rogue server gives the response earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing DoS.
The DHCP response from the attacker's rogue DHCP server may assign the IP address that serves as a client's default gateway. As a result, the attacker's IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards this traffic to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult to detect by the client for long periods.
Sometimes, the client uses a rogue DHCP server instead of the standard DHCP server. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.
To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. That action will block all ingress DHCP server messages from that interface.
How to Defend Against DHCP Starvation and Rogue Server Attack
Defend Against DHCP Starvation
Enable port security to defend against DHCP starvation attacks. Port security limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) coming from external sources, which safeguards the server against a DHCP starvation attack.
FIGURE 8.14: Defending against DHCP Starvation attack
IOS Switch Commands
Source: https://www.cisco.com
■ switchport port-security
The switchport port-security command configures the switch port parameters to enable port security.
■ switchport port-security maximum 1
The switchport port-security maximum command configures the maximum number of secure MAC addresses for the port.
The switchport port-security maximum 1 command sets the maximum number of secure MAC addresses for the port to 1.
■ switchport port-security violation restrict
The switchport port-security violation command sets the violation mode and the action to take when a security violation is detected.
The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed.
■ switchport port-security aging time 2
The switchport port-security aging time command configures the secure MAC address aging time on the port.
The switchport port-security aging time 2 command sets the aging time to 2 minutes.
■ switchport port-security aging type inactivity
The switchport port-security aging type command configures the secure MAC address aging type on the port.
The switchport port-security aging type inactivity command sets the aging type to inactivity aging.
■ switchport port-security mac-address sticky
Enables sticky learning on the interface by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.
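The port-security settings listed above (and in the MAC-attack defense section earlier) can be reasoned about with a small model. The following Python class is an added example written for this page, not Cisco IOS code: it applies the maximum, violation, aging and sticky settings to a constructed stream of frames arriving on one access port.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """In-memory model of Cisco-style port security on one access port (constructed example)."""
    maximum: int = 1               # switchport port-security maximum <n>
    violation: str = "restrict"    # switchport port-security violation {restrict | shutdown}
    aging_time: int = 0            # switchport port-security aging time <minutes>, 0 = no aging
    aging_type: str = "absolute"   # switchport port-security aging type {absolute | inactivity}
    sticky: bool = False           # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)    # statically configured secure addresses
    dynamic: dict = field(default_factory=dict)      # learned mac -> (learned_at, last_seen), minutes
    sticky_macs: set = field(default_factory=set)    # learned addresses converted to sticky entries
    err_disabled: bool = False
    violations: int = 0

    def secure_count(self) -> int:
        return len(self.static_macs) + len(self.dynamic)

    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: one statically configured secure address."""
        if self.secure_count() >= self.maximum:
            raise ValueError("maximum number of secure MAC addresses already reached")
        self.static_macs.add(mac.lower())

    def ingress(self, src_mac: str, now: int = 0) -> str:
        """Handle one frame with source src_mac at time now (minutes).
        Returns 'forward', 'drop' (restrict mode) or 'shutdown' (port err-disabled)."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "shutdown"
        if mac in self.static_macs:
            return "forward"
        if mac in self.dynamic:
            learned_at, _ = self.dynamic[mac]
            self.dynamic[mac] = (learned_at, now)       # refresh last-seen for inactivity aging
            return "forward"
        if self.secure_count() < self.maximum:
            self.dynamic[mac] = (now, now)              # dynamic learning of a new secure address
            if self.sticky:
                self.sticky_macs.add(mac)               # would be written to the running-config
            return "forward"
        # Limit reached and the source address is unknown: security violation.
        self.violations += 1                            # an SNMP trap would be raised here
        if self.violation == "shutdown":
            self.err_disabled = True
            return "shutdown"
        return "drop"

    def age_out(self, now: int) -> list:
        """Remove dynamically learned addresses whose aging timer expired; static and sticky
        entries never age. Returns the list of removed addresses."""
        if self.aging_time <= 0:
            return []
        removed = []
        for mac, (learned_at, last_seen) in list(self.dynamic.items()):
            if mac in self.sticky_macs:
                continue
            reference = last_seen if self.aging_type == "inactivity" else learned_at
            if now - reference >= self.aging_time:
                removed.append(mac)
                del self.dynamic[mac]
        return removed


def run_frames(port: PortSecurity, frames: list) -> dict:
    """Feed (time, src_mac) frames through the port and count each outcome."""
    outcome = {"forward": 0, "drop": 0, "shutdown": 0}
    for now, mac in frames:
        outcome[port.ingress(mac, now)] += 1
    return outcome


if __name__ == "__main__":
    # Constructed scenario: one legitimate host, then 200 distinct unknown source addresses,
    # which is what a CAM-table exhaustion attempt looks like from the port's point of view.
    port = PortSecurity(maximum=1, violation="restrict", aging_time=2, aging_type="inactivity")
    frames = [(0, "00:11:22:33:44:55")]
    frames += [(0, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff)) for i in range(200)]
    print(run_frames(port, frames))        # {'forward': 1, 'drop': 200, 'shutdown': 0}
    print(port.age_out(now=3))             # ['00:11:22:33:44:55'] after 2 minutes of inactivity
```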
Defend Against Rogue Server Attack
The DHCP snooping feature that is available on switches can mitigate rogue DHCP servers. It is configured on the port to which the valid DHCP server is connected. Once configured, DHCP snooping does not allow other ports on the switch to respond to DHCP discover packets sent by clients. Thus, even an attacker who manages to build a rogue DHCP server and connects it to the switch cannot respond to DHCP discover packets.
FIGURE 8.15: Defending against Rogue Server attack
IOS Global Commands
Source: https://www.cisco.com
■ ip dhcp snooping vlan 4,104
Enables or disables DHCP snooping on one or more VLANs.
■ no ip dhcp snooping information option
To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.
■ ip dhcp snooping
Enables DHCP snooping globally.
Note: All ports in the VLAN are untrusted by default.
Sniffing Technique: ARP Poisoning
This section discusses the ARP poisoning technique generally used by attackers to perform sniffing on the target network. Using this method, the attacker can steal sensitive information, prevent network and web access, and perform DoS and MITM attacks such as sniffing.
What Is Address Resolution Protocol (ARP)?
Address Resolution Protocol (ARP) is a stateless TCP/IP protocol that maps IP network addresses to the addresses (hardware addresses) used by a data link protocol. Using this protocol, a user can easily obtain the MAC address of any device on a network. Apart from the switch, the host machines also use ARP to obtain MAC addresses. A host machine uses ARP when it wants to send a packet to another device, because it has to place the destination MAC address in the packet it sends. So, in order to write the destination MAC address into the packet, the host machine must know the MAC address of the destination machine. The OS also maintains a MAC address table (the ARP table).
The process of obtaining the MAC address using ARP is as follows:
■ The source machine generates an ARP request packet containing the source MAC address, source IP address and destination IP address, and sends it to the switch.
■ On receiving the packet, the switch reads the MAC address of the source and searches for this address in its CAM table.
■ The switch updates its table with any new entries. If the entry is not found in the table, the switch adds the MAC address and its respective incoming port to its CAM table and broadcasts the ARP request packet into the network.
■ Each device in the network receives the broadcast ARP request packet and compares the destination IP address in the packet with its own IP address.
■ Only the system whose IP address matches the destination IP address replies with an ARP reply packet.
■ The ARP reply message is then read by the switch, which adds the entry to its MAC table and forwards the message to the destination machine, i.e., the machine that sent the ARP request.
■ Further, this machine updates the destination machine's IP and MAC address entries into its ARP table, and now communication can take place.
Consider an ARP example that shows two machines connected in a network. The respective hostnames, IP, and MAC addresses are:
A 194.54.67.10 00:1b:48:64:42:e4
B 192.54.67.15 00-14-20-01-23-47
Before communicating with host B, host A first checks for a record of host B's MAC address in the ARP cache. If host A finds the record of a MAC address, it communicates directly with host B. Otherwise, it has to access host B's MAC address by using the ARP protocol.
Host A queries all the hosts on the LAN. If the query were phrased in plain English, it might sound like this: "Hello, who is 192.54.67.15? This is 194.54.67.10. My MAC address is 00:1b:48:64:42:e4. I need your MAC address."
Here, host A sends the broadcast ARP request packet to host B. On receiving the ARP request packet, host B updates its ARP cache table with host A's IP and MAC addresses and sends an ARP reply packet to host A that would be phrased in English as, "Hey, this is 192.54.67.15; my MAC address is 00-14-20-01-23-47."
On receiving the ARP reply, host A updates its ARP cache table with host B's IP and MAC addresses. After establishing a connection between these two hosts, they communicate with each other.
ARP Spoofing Attack
ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. ARP packets can be forged to send data to the attacker's machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. If a machine sends an ARP request, it assumes that the ARP reply comes from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept an ARP reply coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim's computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the attacker sets the switch in forwarding mode, which intercepts all the data that flows from the victim machine without the victim being aware of the attack. Attackers flood a target computer's ARP cache with forged entries, which is also known as ARP poisoning. ARP spoofing is an intermediary step to perform attacks such as DoS, MITM, and session hijacking.
How Does ARP Spoofing Work
ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same Layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected Layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender by spoofing the intended recipient's IP address. The attacker runs a sniffer and turns the machine's NIC adapter to promiscuous mode.
ARP spoofing succeeds by changing the IP address of the attacker's computer to the IP address of the target computer. A forged ARP request and reply packet find their way into the target's ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker's computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. In addition, the attacker can also launch a DoS attack by associating a non-existent MAC address with the IP address of the gateway, or may sniff the traffic passively and then forward it to the target destination.
Threats of ARP Poisoning
With the help of ARP poisoning, an attacker can use fake ARP messages to divert all communications between two machines so that all traffic redirects via the attacker's PC.
The threats of ARP poisoning include:
■ Packet Sniffing: Sniffs traffic over a network or a part of the network
■ Session Hijacking: Steals valid session information and uses it to gain unauthorized access to an application
■ VoIP Call Tapping: Uses port mirroring which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address
■ Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic
■ MITM Attack: Attacker performs an MITM attack where the attacker resides between the victim and server
■ Data Interception: Intercepts IP address, MAC address, and VLANs connected to the switch in a network
■ Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and uses some other protocol. In connection hijacking, an attacker can manipulate a client's connection to take complete control.
■ Connection Resetting: The wrong routing information could be transmitted due to some hardware/software error. In such cases, if a host fails to initiate a connection, that host should inform the Address Resolution module to delete its information. Receiving data from that host should reset a connection timeout in the ARP entry used to transmit data to that host. That entry in the ARP module is deleted if the host does not send any information for a certain time.
■ Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames, passwords, etc.
■ Denial-of-Service (DoS) Attack: Links multiple IP addresses with the single MAC address of the target host, which is then overloaded with a huge amount of traffic intended for different IP addresses.
ARP Poisoning Tools
■ Ufasoft Snif
Source: http://ufasoft.com
Ufasoft Snif is an automated ARP poisoning tool that sniffs passwords and email messages on a wired or Wi-Fi network. It captures and analyzes packets going through the network. The application includes ICQ/IRC/MSN/email sniffers (formerly known as ICQ Sniffer products) and intercepts ICQ, IRC, and email messages across a LAN. It is possible to observe these messages at the same time that real users receive them. All intercepted messages are stored in files, which can later be processed and analyzed. There are two versions: IcqSnif with a GUI, and the console-only IcqDump. The functionality is the same, except that the user can select specific machines to ARP-spoof in the GUI version.
Some of the ARP poisoning tools are listed below:
■ BetterCAP (https://www.bettercap.org)
■ Ettercap (https://github.com)
■ ArpSpoofTool (https://sourceforge.net)
■ MITMf (https://github.com)
■ Cain & Abel (http://www.oxid.it)
■ Arpoison (https://sourceforge.net)
■ hping3 (http://www.hping.org)
How to Defend Against ARP Poisoning
Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.
To validate an ARP packet, DAI inspects the IP address-to-MAC address binding stored in the DHCP snooping database before forwarding the packet to its destination. If the packet carries an invalid IP-to-MAC address binding, DAI discards it. This eliminates the risk of MITM attacks. DAI ensures the relay of only valid ARP requests and responses.
If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network may not be able to run dynamic ARP inspection. In such situations, you have to configure static mappings that associate an IP address with a MAC address on a VLAN to prevent an ARP poisoning attack.
Implement software that runs custom scripts to monitor ARP tables. Such a script can compare the current ARP table to the list of known MAC addresses and IP addresses. If there is a mismatch in the list of valid MAC/IP pairs, the switch will drop the packet. Such scripts help to defend against ARP poisoning attacks by monitoring the MAC/IP pairs of important LAN machines such as servers, gateways, etc.
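As an added example of such a monitoring script (written for this page, not a vendor tool), the Python below parses arp -a output in both Windows and Linux formats, compares it with a pinned list of IP/MAC pairs for critical hosts, and flags a single MAC address that answers for several IP addresses; the arp output and the pinned gateway MAC are constructed.

```python
import re

# Matches both Windows "arp -a" rows ("10.0.0.1  00-14-20-01-23-47  dynamic")
# and Linux/BSD rows ("gateway (10.0.0.1) at 00:14:20:01:23:47 [ether] on eth0").
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} from arp -a output, normalising MACs to lower-case colon form.
    Broadcast and IPv4 multicast entries are skipped because they are not hosts."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[m.group("ip")] = mac
    return table


def check_arp_table(table: dict, pinned: dict) -> list:
    """Compare the live cache with pinned {ip: mac} pairs for critical hosts (gateway, servers).
    Findings: a pinned host whose MAC changed, and any MAC that answers for several IPs,
    which is what a poisoned cache looks like when one station claims the gateway's address."""
    findings = []
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(f"MISMATCH {ip}: expected {expected.lower()}, cache has {seen}")
    ips_by_mac = {}
    for ip, mac in table.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"DUPLICATE {mac} claims {', '.join(sorted(ips))}")
    return findings


# Constructed sample data; the pinned gateway MAC would be recorded while the network is known-good.
PINNED = {"10.0.0.1": "00:14:20:01:23:47"}

SAMPLE_WINDOWS = """\
Interface: 10.0.0.5 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.1              00-aa-bb-cc-dd-ee     dynamic
  10.0.0.20             00-aa-bb-cc-dd-ee     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

SAMPLE_LINUX = """\
gateway (10.0.0.1) at 00:14:20:01:23:47 [ether] on eth0
? (10.0.0.20) at 00:25:90:11:22:33 [ether] on eth0
"""


if __name__ == "__main__":
    for name, sample in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        findings = check_arp_table(parse_arp_table(sample), PINNED)
        print(name, findings or "clean")
```

Run periodically on the gateway-facing hosts, the two findings on the Windows sample (pinned gateway MAC changed, and the same MAC claiming two addresses) are the signals worth alerting on.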
Implementation of cryptographic protocols such as HTTP Secure (HTTPS), Secure Shell (SSH), Transport Layer Security (TLS), and various other networking cryptographic protocols protects against ARP spoofing attacks by encrypting data before transmission and authenticating it after it is received.
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
As discussed, DHCP snooping must be enabled before enabling dynamic ARP inspection (DAI). DHCP snooping is a security feature that builds and maintains a DHCP snooping binding table and filters untrusted DHCP messages. A Cisco switch with DHCP snooping enabled can inspect the DHCP traffic flow in a Layer 2 segment and track the mapping of IP addresses to switch ports.
To configure DHCP snooping on a Cisco switch, make sure to enable DHCP snooping both globally and per access VLAN. To enable DHCP snooping, execute the following commands:
Configuring DHCP Snooping in Global configuration mode
Switch(config)# ip dhcp snooping
Configuring DHCP Snooping for a VLAN
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
To view the DHCP snooping status
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled.
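To show how the DHCP snooping defense against rogue servers and the DAI validation described above work together, the Python model below is added for this page (it is not Cisco's implementation): DHCP server messages arriving on untrusted ports are dropped, DHCPACKs seen on the trusted port populate the binding table, and ARP packets on untrusted ports are accepted only if their sender IP/MAC pair matches that table or a static ARP ACL entry. Port names, VLAN numbers and messages are constructed.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53) that only a DHCP server legitimately sends.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpMsg:
    port: str                 # ingress switch port, e.g. "Gi1/0/1" (constructed names)
    vlan: int
    msg_type: str             # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPRELEASE, ...
    client_mac: str           # chaddr field of the BOOTP/DHCP header
    yiaddr: str = "0.0.0.0"   # "your" IP address carried in OFFER/ACK
    lease: int = 0            # lease time in seconds (option 51)


@dataclass
class ArpPkt:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str


@dataclass
class SnoopingSwitch:
    """Model of 'ip dhcp snooping' plus dynamic ARP inspection on one switch (constructed example)."""
    snooping_vlans: set = field(default_factory=set)    # ip dhcp snooping vlan <list>
    trusted_ports: set = field(default_factory=set)     # ports facing the legitimate DHCP server
    bindings: dict = field(default_factory=dict)        # snooping binding table: (vlan, mac) -> ip
    arp_acl: dict = field(default_factory=dict)         # static (vlan, mac) -> ip for non-DHCP hosts
    log: list = field(default_factory=list)

    def dhcp_ingress(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' for a DHCP message, updating the binding table as it passes."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                  # snooping not enabled on this VLAN: no inspection
        if m.msg_type in SERVER_MESSAGES and m.port not in self.trusted_ports:
            self.log.append(f"dropped {m.msg_type} from untrusted port {m.port}")
            return "drop"                     # a server answering from an access port is rogue
        key = (m.vlan, m.client_mac.lower())
        if m.msg_type == "DHCPACK" and m.yiaddr != "0.0.0.0":
            self.bindings[key] = m.yiaddr     # lease confirmed by the trusted server: learn binding
        elif m.msg_type == "DHCPRELEASE":
            self.bindings.pop(key, None)      # client gave the lease back: remove binding
        return "forward"

    def arp_ingress(self, a: ArpPkt) -> str:
        """Dynamic ARP inspection: ARP on untrusted ports must match a binding or ARP ACL entry."""
        if a.vlan not in self.snooping_vlans or a.port in self.trusted_ports:
            return "forward"
        key = (a.vlan, a.sender_mac.lower())
        expected = self.arp_acl.get(key) or self.bindings.get(key)
        if expected == a.sender_ip:
            return "forward"
        self.log.append(f"DAI dropped ARP claiming {a.sender_ip} from {a.sender_mac} on {a.port}")
        return "drop"


if __name__ == "__main__":
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi1/0/24"})
    client = "00:11:22:33:44:55"
    # Legitimate DORA exchange: the server's replies arrive on the trusted uplink.
    sw.dhcp_ingress(DhcpMsg("Gi1/0/1", 10, "DHCPDISCOVER", client))
    sw.dhcp_ingress(DhcpMsg("Gi1/0/24", 10, "DHCPOFFER", client, "10.0.0.5", 3600))
    sw.dhcp_ingress(DhcpMsg("Gi1/0/1", 10, "DHCPREQUEST", client))
    sw.dhcp_ingress(DhcpMsg("Gi1/0/24", 10, "DHCPACK", client, "10.0.0.5", 3600))
    # An OFFER from an access port and an ARP claiming the gateway address are both dropped.
    print(sw.dhcp_ingress(DhcpMsg("Gi1/0/7", 10, "DHCPOFFER", client, "10.0.0.99")))   # drop
    print(sw.arp_ingress(ArpPkt("Gi1/0/7", 10, "00:aa:bb:cc:dd:ee", "10.0.0.1")))      # drop
    print(sw.arp_ingress(ArpPkt("Gi1/0/1", 10, client, "10.0.0.5")))                   # forward
    print(sw.log)
```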
ARP Spoofing Detection Tools
■ XArp
Source: http://www.xarp.net
XArp is a security application that detects ARP-based attacks. It detects critical network attacks that firewalls cannot cover. It uses advanced techniques to detect ARP attacks such as ARP spoofing. The detection mechanism relies on two techniques: inspection modules and discoverers. Inspection modules look at ARP packets and check their correctness and validity with respect to the databases they have built up. Discoverers actively validate IP-MAC mappings and actively detect attackers. The mechanism detects ARP attacks and keeps data private. It even monitors whole subnets for ARP attacks. This application screens the whole subnet for ARP attacks using different security levels and fine-tuning possibilities. On a local network that is subject to ARP attacks, it inspects every ARP packet and reports attacks against remote machines.
Some of the ARP spoofing detection tools are listed below:
■ Capsa Network Analyzer (http://www.colasoft.com)
■ ArpON (http://arpon.sourceforge.net)
■ ARP AntiSpoofer (https://sourceforge.net)
■ ARPStraw (https://github.com)
■ shARP (https://github.com)
Sniffing Technique: Spoofing Attacks
Besides ARP spoofing, an attacker can also use MAC spoofing and IRDP spoofing to sniff the traffic of a target network. This section describes spoofing techniques that help attackers to steal sensitive information.
MAC Spoofing/Duplicating
MAC duplicating refers to spoofing a MAC address with the MAC address of a legitimate user on the network. A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then the attacker spoofs a MAC address with the MAC address of the legitimate client. If the spoofing is successful, then the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network.
MAC Spoofing Technique: Windows
There are two methods for MAC spoofing in Windows 10 OS:
Method 1: If the network interface card supports clone MAC address then follow these steps:
1. Click on Start, search for Control Panel and open it, then navigate to Network and Internet -> Network and Sharing Center.
2. Click on the Ethernet and then click on the Properties in the Ethernet Status window.
MAC Spoofing Tools
■ Technitium MAC Address Changer
Source: https://technitium.com
Technitium MAC Address Changer (TMAC) allows you to change (spoof) the Media Access Control (MAC) address of your Network Interface Card (NIC) instantly. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard-coded in its circuitry by the manufacturer. This hard-coded MAC address is used by Windows drivers to access the Ethernet network (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard-coded MAC address.
Some of the MAC spoofing tools are listed below:
■ MAC Address Changer (http://www.novirusthanks.org)
■ Change MAC Address (https://lizardsystems.com)
■ GhostMAC (http://ghostmac.fevermedia.ro)
■ Spoof-Me-Now (https://sourceforge.net)
■ SMAC (http://www.klcconsulting.net)
■ Spoof MAC (https://github.com)
■ Win7 MAC Address Changer (http://www.zokali.com)
IRDP Spoofing
The ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. Since IRDP does not require any authentication, the target host will prefer the default route defined by the attacker to the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and the lifetime of the route to high values to ensure that the target hosts will choose it as the preferred route. This attack succeeds if the attacker launching the attack is on the same network as the victim. In the case of a Windows system configured as a DHCP client, Windows checks the received router advertisements for entries. If there is only one, it checks whether the IP source address is within the subnet. If the address is within the subnet, it adds the default route entry; otherwise, it ignores the advertisement.
An attacker can use this to send spoofed router advertisement messages so that all the data packets travel through the attacker's system. Thus, the attacker can sniff the traffic and collect valuable information from the data packets. Attackers can use IRDP spoofing to launch MITM, DoS, and passive sniffing attacks.
■ Passive Sniffing: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker's machine.
■ MITM: Once sniffing starts, the attacker acts as a proxy between the victim and destination. The attacker plays an MITM role and tries to modify the traffic.
■ DoS: IRDP spoofing allows remote attackers to add wrong route entries into the victim's routing table. The wrong address entry causes DoS.
Prevent IRDP spoofing attacks by disabling IRDP on hosts, if the OS permits it.
How to Defend Against MAC Spoofing
Performing security assessments is the primary aim of an ethical hacker. An ethical hacker attacks a target network or organization with the knowledge and authorization of its management, to find loopholes in the security architecture. But the job does not end there. Finding those loopholes is a minor task. The most crucial task of ethical hacking is to apply the appropriate countermeasures to security loopholes in order to fix them.
Once you test the network for MAC spoofing attacks and collect security loopholes, you should apply countermeasures to protect the network against MAC spoofing. Many MAC spoofing countermeasures can be applied to specific network architectures and loopholes. Apply the appropriate countermeasures to your network.
To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks. Once you enable the port security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows a specific action to be taken if a port security violation occurs.
You can also implement the following techniques to defend against MAC address spoofing attacks:
■ DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information to correspond with untrusted interfaces of a switch. It acts as a firewall between untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces.
■ Dynamic ARP Inspection: The system checks the IP to MAC address binding for each ARP packet in a network. While performing a Dynamic ARP inspection, the system will automatically drop invalid IP to MAC address bindings.
■ IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
■ Encryption: Encrypt the communication between the access point and computer to prevent MAC spoofing.
■ Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
■ Implementation of IEEE 802.1X suites: It is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network.
■ AAA (Authentication, Authorization and Accounting): Use an AAA (Authentication, Authorization and Accounting) server mechanism to filter MAC addresses.
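As an added illustration (not code from the course or any switch vendor), the DHCP snooping binding table, Dynamic ARP Inspection and IP Source Guard checks listed above modelled in Python; every port name, MAC and IP address in it is constructed:

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI) and IP
Source Guard, modelled in Python to illustrate the defenses above. Added
example, not any switch vendor's code; every port, MAC and IP is constructed."""

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplink / DHCP-server facing ports
        self.bindings = {}                 # (vlan, mac) -> (ip, access port)
        self._pending = {}                 # (vlan, mac) -> port the client's request came in on

    def observe_dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Filter DHCP and build the binding table. Server replies are accepted
        only on trusted ports, so a rogue DHCP server on an access port is dropped."""
        if msg_type in ("OFFER", "ACK") and port not in self.trusted:
            return "drop"
        if msg_type in ("DISCOVER", "REQUEST"):
            self._pending[(vlan, client_mac)] = port
        elif msg_type == "ACK":
            client_port = self._pending.get((vlan, client_mac))
            if client_port is None:        # ACK for a lease nobody on this switch requested
                return "drop"
            self.bindings[(vlan, client_mac)] = (yiaddr, client_port)
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        return self.bindings.get((vlan, mac)) == (ip, port)

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a
        binding learned on that same port; trusted ports are not inspected."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop"

    def verify_source(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the same binding check applied to IP packets."""
        return "forward" if self._bound(port, vlan, src_mac, src_ip) else "drop"

def demo():
    """Constructed scenario: a client on Gi0/1 leases 10.0.0.10 via the trusted uplink Gi0/24."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/24"])
    sw.observe_dhcp("Gi0/1", 10, "REQUEST", "aa:bb:cc:00:00:01")
    sw.observe_dhcp("Gi0/24", 10, "ACK", "aa:bb:cc:00:00:01", "10.0.0.10")
    return {
        "legit_arp": sw.inspect_arp("Gi0/1", 10, "aa:bb:cc:00:00:01", "10.0.0.10"),
        "arp_claiming_gateway_ip": sw.inspect_arp("Gi0/1", 10, "aa:bb:cc:00:00:01", "10.0.0.1"),
        "cloned_mac_on_other_port": sw.inspect_arp("Gi0/2", 10, "aa:bb:cc:00:00:01", "10.0.0.10"),
        "rogue_dhcp_offer": sw.observe_dhcp("Gi0/2", 10, "OFFER", "aa:bb:cc:00:00:02", "10.0.0.99"),
        "spoofed_ip_packet": sw.verify_source("Gi0/2", 10, "aa:bb:cc:00:00:02", "10.0.0.10"),
    }
```

Only the legitimate ARP packet is forwarded; a cloned MAC on another port, a host claiming the gateway IP, a rogue DHCP offer and a spoofed source IP are all dropped against the same binding table.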
Sniffing Technique: DNS Poisoning
This section describes DNS poisoning techniques to sniff the DNS traffic of a target network. Using this technique, an attacker can obtain the ID of the DNS request by sniffing and can send a malicious reply to the sender before the actual DNS server.
DNS Poisoning Techniques
DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address, stored in a large distributed database. In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when in reality it has not. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. It results in the substitution of a false IP address at the DNS level, where web addresses are converted into numeric IP addresses.
When the victim tries to access a website, the attacker manipulates the entries in the DNS table so that the victim's system redirects the URL to the attacker's server. The attacker replaces the IP address entries for a target site on a given DNS server with the IP address of the server (a malicious server) he/she controls. The attacker can create fake DNS entries for the server (containing malicious content) with the same names as those of the target server. Thus, the victim connects to the attacker's server without realizing it. Once the victim connects to the attacker's server, the attacker can compromise the victim's system and steal data.
Similarly, an attacker can compromise a target system by conducting a DNS poisoning attack. To launch a DNS poisoning attack, follow the steps below:
■ Set up a fake website on your computer.
■ Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make your system the DNS server.
■ Modify the file dns-spoofing.bat and replace the IP address with your IP address.
■ Trojanize the dns-spoofing.bat file and send it to the victim.
■ When the victim clicks on the Trojanized file, it will replace the victim's DNS entry in TCP/IP properties with that of your machine.
■ You will become the DNS server for the victim, whose DNS requests will go through you.
■ When the victim tries to open a password-protected website, the browser resolves instead to a fake website. Then, sniff the password and send her to the real website.
DNS poisoning is possible using the following techniques:
■ Intranet DNS Spoofing
■ Internet DNS Spoofing
■ Proxy Server DNS Poisoning
■ DNS Cache Poisoning
Intranet DNS Spoofing
An attacker can perform an intranet DNS spoofing attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS server.
In the diagram above, the attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker's machine. When a client (Rebecca) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker's machine. Upon receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker. The attacker owns the website and can see all the information submitted by the client to that website. Thus, the attacker can sniff sensitive data such as passwords, etc., submitted to the fake website. The attacker retrieves the required information and then redirects the client to the real website.
Internet DNS Spoofing
Internet DNS poisoning is also known as remote DNS poisoning. Attackers can perform DNS spoofing attacks on a single victim or multiple victims anywhere in the world. In order to perform this attack, the attacker sets up a rogue DNS server with a static IP address.
Attackers perform Internet DNS spoofing with the help of Trojans when the victim's system connects to the Internet. It is an MITM attack in which the attacker changes the primary DNS entries of the victim's computer. The attacker replaces the victim's DNS IP address with the fake IP address that resolves to the attacker's system. Thus, the victim's traffic redirects to the attacker's system. At this point, the attacker can easily sniff the victim's confidential information.
The figure in the slide above illustrates an attacker performing Internet DNS spoofing. The attacker infects Rebecca's machine with a Trojan and changes her DNS IP address to that of the attacker's.
Proxy Server DNS Poisoning
In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker's system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server. The attacker changes the proxy server settings of the victim with the help of a Trojan. The proxy serves as a primary DNS and redirects the victim's traffic to the fake website where the attacker can sniff the confidential information of the victim and then redirect the request to the real website.
In the above figure, an attacker sends a Trojan to Rebecca's machine that changes her proxy server settings in Internet Explorer to those of the attacker and redirects her to a fake website.
How to Defend Against DNS Spoofing
Major DNS implementations have reported attacks using DNS spoofing, and this vulnerability still affects a large number of organizations. This is because of a lack of information when performing DNS queries, which allows attackers to spoof DNS responses. You have seen how an attacker carries out different types of DNS spoofing attacks. Let us see how to defend a network from these types of attacks.
Countermeasures that help prevent DNS spoofing attacks:
■ Implement Domain Name System Security Extension (DNSSEC)
■ Use Secure Socket Layer (SSL) for securing the traffic
■ Resolve all DNS queries to local DNS server
■ Block DNS requests being sent to external servers
■ Configure firewall to restrict external DNS lookup
■ Implement intrusion detection system (IDS) and deploy it correctly
■ Configure DNS resolver to use a new random source port for each outgoing query
■ Restrict DNS recursion service, either full or partial, to authorized users
■ Use DNS Non-Existent Domain (NXDOMAIN) Rate Limiting
■ Secure your internal machines
■ Use static ARP and IP table
■ Use Secure Shell (SSH) encryption
■ Do not allow outgoing traffic to use UDP port 53 as a default source port
■ Audit the DNS server regularly to remove vulnerabilities
■ Use sniffing detection tools
■ Do not open suspicious files
■ Always use trusted proxy sites
■ If a company handles its own resolver, it should be kept private and well protected
■ Randomize source and destination IP addresses
■ Randomize Query ID
■ Randomize case in the name requests
■ Use Public Key Infrastructure (PKI) to protect server
■ Maintain a single or a specific range of IP addresses to log in to the systems
■ Implement packet filtering for both inbound and outbound traffic
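Three of the countermeasures above (a random query ID, a new random source port for each outgoing query, and random case in the name requests) can be checked on the resolver side. The following is an added example, not code from the course: a minimal resolver that applies all three randomizations and accepts a reply only if it matches its own pending query; the domain name and the 192.0.2.1 answer are constructed values.

```python
"""Resolver-side checks for three countermeasures listed above: a random query
ID, a random source port per query and random case in the question name (the
"0x20" technique). A forged reply is accepted only if it matches all three.
Added illustration, not the course's code; the domain and addresses are constructed."""
import secrets
import struct

QTYPE_A_IN = b"\x00\x01\x00\x01"   # QTYPE=A, QCLASS=IN

def encode_name(name):
    # DNS wire form of a name; letter case is preserved byte for byte
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def randomize_case(name):
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)

class Resolver:
    def __init__(self):
        self.pending = {}   # (txid, source port) -> question name exactly as sent

    def build_query(self, name):
        """Return (wire query, source port) with all three randomizations applied."""
        txid = secrets.randbits(16)
        port = 1024 + secrets.randbelow(64512)          # fresh ephemeral port per query
        qname = randomize_case(name)
        self.pending[(txid, port)] = qname
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
        return header + encode_name(qname) + QTYPE_A_IN, port

    def accept_response(self, port, data):
        """Accept a reply only if it arrived on the query's port, carries its txid,
        is a response (QR=1) and echoes the question with the exact mixed case."""
        if len(data) < 12:
            return False
        txid, flags, qdcount = struct.unpack("!HHH", data[:6])
        expected = self.pending.get((txid, port))
        if expected is None or not flags & 0x8000 or qdcount != 1:
            return False
        if not data[12:].startswith(encode_name(expected) + QTYPE_A_IN):
            return False        # right txid and port but wrong case: treat as forged
        del self.pending[(txid, port)]   # one answer per query; late duplicates are ignored
        return True

def make_response(query, rdata=b"\xc0\x00\x02\x01"):
    """Constructed answer (192.0.2.1) that echoes the question section of `query`."""
    qend = query.index(b"\x00", 12) + 1 + len(QTYPE_A_IN)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    return header + query[12:qend] + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + rdata
```

A forged reply that guesses the 16-bit ID still has to land on the right one of about 64,000 ports and reproduce the exact case pattern of the question, which is why the three randomizations are recommended together.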
Sniffing Tools
System administrators use automated tools to monitor their network, but attackers misuse these tools to sniff network data. This section describes tools that an attacker can use for sniffing.