CEHv12-08 - Network and Perimeter Hacking - Sniffing

Network sniffing

  • Definition:

  • Straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.

  • Packet sniffers put the host system’s NIC into promiscuous mode. In promiscuous mode the NIC passes up every frame it sees on the segment, not only the frames addressed to its own MAC address, so the sniffer can capture all traffic on that network segment.

  • Types:

    • Passive Sniffing: does not require any packets to be sent. It only captures and monitors the packets flowing in the network.
    • Active Sniffing: searches for traffic on a switched LAN by actively injecting traffic into the LAN; it also refers to sniffing through a switch (port mirroring).
      • Active sniffing involves sending out multiple network probes to identify access points. The following is the list of different active sniffing techniques:
      • MAC Flooding: Involves flooding the CAM table with fake MAC address and IP pairs until it is full
      • DNS Poisoning: Involves tricking a DNS server into believing that it has received authentic information when, in reality, it has not
      • ARP Poisoning: Involves constructing a large number of forged ARP request and reply packets to overload a switch
      • DHCP Attacks: Involves performing a DHCP starvation attack and a rogue DHCP server attack
      • Switch port stealing: Involves flooding the switch with forged gratuitous ARP packets with the target MAC address as the source
      • Spoofing Attack: Involves performing MAC spoofing, VLAN hopping, and STP attacks to steal sensitive information
  • Basic attacks:

    • MAC flooding using macof: technique used to compromise the security of network switches that connect network segments or network devices. Attackers use MAC flooding to force a switch to act as a hub, so they can easily sniff the traffic.
      • macof is a Unix/Linux tool that is part of the dsniff collection. It floods the local network with random MAC and IP addresses, causing some switches to fail open into repeating (hub-like) mode, which facilitates sniffing. The tool floods the switch’s CAM table (about 131,000 entries per minute) by sending forged MAC entries. Once the MAC table is full, the switch falls back to hub-like operation and an attacker can monitor the data being broadcast (macof -i eth0 -d [Target IP Address]).
    • VLAN hopping attack: an attacking host on one VLAN (Virtual LAN, a logical segment of the shared network) gains access to traffic on other VLANs. You may use Frogger.
      • Switch spoofing: attacking host imitates a trunking switch.
      • Double tagging:
        1. Attacker prepends two VLAN tags to frames.
        2. Second tag is the target host.
        3. First switch removes first innocent VLAN tag and sends packet to second switch.
        4. Allows bypassing security mechanisms and reaching the target hosts.
        5. Replies are not forwarded to the attacker host.
    • STP (Spanning Tree Protocol) attack:
      • Definition: an attack on the Spanning Tree Protocol (STP, the protocol that ensures a loop-free topology in Ethernet networks by preventing the loops that redundant switch links would otherwise create) in order to manipulate the network topology. STP uses BPDUs (Bridge Protocol Data Units) exchanged between switches to elect a root bridge, determine the shortest path to it and disable redundant links.
      • Method: An attacker sends spoofed STP BPDUs (Bridge Protocol Data Units) to become the root bridge.
      • Effect: Can reroute traffic through the attacker’s device, enabling data interception and network disruption.
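As an added illustration of the double-tagging mechanism described above (not code from the original notes): a parser that walks the 802.1Q tag stack of a captured Ethernet frame, reports which VLAN the frame ends up in once the first switch has stripped the outer tag, and flags double-tagged frames seen on an access port, where they should never appear. The frames are constructed sample bytes.

```python
import struct

TAG_ETHERTYPES = {0x8100, 0x88A8}   # 802.1Q customer tag, 802.1ad service tag
ETHERTYPE_IPV4 = 0x0800

def parse_vlan_tags(frame: bytes):
    """Walk the VLAN tag stack that follows the two MAC addresses.
    Returns (VLAN IDs outer-to-inner, ethertype of the payload, payload offset)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlan_ids = 12, []            # 6-byte destination MAC + 6-byte source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return vlan_ids, ethertype, offset
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # PCP(3) | DEI(1) | VID(12)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)

def vlan_after_outer_strip(frame: bytes):
    """VLAN the frame lands in after the first switch removes the outer (native) tag:
    the inner VID for a double-tagged frame, None for single-tagged or untagged frames."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    return vlan_ids[1] if len(vlan_ids) > 1 else None

def find_double_tagged(frames):
    """Indexes of frames (e.g. from an access-port capture) carrying more than one tag."""
    return [i for i, f in enumerate(frames) if len(parse_vlan_tags(f)[0]) > 1]

# Constructed sample frames (not real captures): MACs, tag(s), IPv4 ethertype, stub payload.
UNTAGGED = bytes.fromhex("001122334455 66778899aabb 0800 4500")
SINGLE_TAGGED = bytes.fromhex("001122334455 66778899aabb 8100 000a 0800 4500")            # VLAN 10
DOUBLE_TAGGED = bytes.fromhex("001122334455 66778899aabb 8100 0001 8100 0014 0800 4500")  # outer 1, inner 20
```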

DHCP sniffing attacks

An attacker floods the DHCP server by sending a large number of DHCP requests and uses all available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a Denial-of-Service (DoS) attack. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail to access their network. This attack can be performed by using various tools such as Yersinia and Hyenae.

  • The DORA process is the four-step exchange by which a device obtains an IP address from a DHCP server: DISCOVER, OFFER, REQUEST, ACKNOWLEDGE.

  • Attacks:

    1. DHCP Starvation Attack

      • Definition: an attacker sends numerous DHCP requests with spoofed MAC addresses to exhaust the DHCP server’s pool of IP addresses.
      • Effect: legitimate clients cannot obtain IP addresses, leading to denial of service.
      • Method: the attacker uses tools like dhcpstarv to automate the process of sending fake DHCP requests.
    2. DHCP Spoofing Attack:

      • Definition: an attacker sets up a rogue DHCP server on the network to respond to DHCP requests from clients.
      • Effect: the rogue server can assign malicious IP addresses, gateways, or DNS servers, redirecting traffic and intercepting data.
      • Method: the attacker listens for DHCP requests and responds faster than the legitimate DHCP server.
    3. DHCP Lease Hijacking:

      • Definition: an attacker monitors the network for DHCP requests and responses, then sends a DHCP request to lease an IP address intended for a legitimate client.
      • Effect: the attacker can impersonate the legitimate client, intercepting their traffic and gaining unauthorized access.
      • Method: the attacker needs to be quick to send the request before the legitimate client.
  • Tools:

    • Yersinia: network tool that can launch various DHCP attacks, including spoofing and starvation. It takes advantage of weaknesses in several network protocols, DHCP among them, and is designed as a framework for analyzing and testing deployed networks and systems (yersinia -I starts its interactive mode).
    • dhcpstarv: automates DHCP starvation attacks.
    • dhcpxflood: Another tool for flooding a network with DHCP requests.
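An added example, not from the original notes, of how a defender spots the two DHCP attacks listed above from the DORA traffic itself: a sliding-window count of distinct client MACs sending DISCOVER (starvation) and an allow-list check on whoever sends OFFER/ACK (rogue server). The event list is constructed sample data; the server IPs and MACs are placeholders.

```python
from collections import deque

# Constructed sample DHCP events, not a real capture: (seconds, message, client MAC, server IP or None).
# One normal DORA exchange, then a burst of DISCOVERs from 30 different MACs, then an OFFER from an unknown server.
SAMPLE_EVENTS = (
    [(0.0, "DISCOVER", "00:0c:29:11:22:0b", None),
     (0.2, "OFFER", "00:0c:29:11:22:0b", "10.10.1.1"),
     (0.3, "REQUEST", "00:0c:29:11:22:0b", None),
     (0.4, "ACK", "00:0c:29:11:22:0b", "10.10.1.1")]
    + [(5.0 + i * 0.05, "DISCOVER", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}", None) for i in range(30)]
    + [(7.0, "OFFER", "de:ad:be:ef:00:00", "10.10.1.99")]
)

def detect_starvation(events, window=10.0, threshold=20):
    """Sliding-window count of distinct client MACs sending DISCOVER.
    Returns (time, distinct MACs) for every event at which the count exceeds `threshold`."""
    recent = deque()        # (time, mac) of DISCOVERs inside the window
    in_window = {}          # mac -> number of its DISCOVERs inside the window
    alerts = []
    for t, msg, mac, _ in events:
        if msg != "DISCOVER":
            continue
        recent.append((t, mac))
        in_window[mac] = in_window.get(mac, 0) + 1
        while recent and t - recent[0][0] > window:       # expire entries older than the window
            _, old = recent.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
        if len(in_window) > threshold:
            alerts.append((t, len(in_window)))
    return alerts

def detect_rogue_servers(events, authorized):
    """Server IPs that sent OFFER/ACK without being on the allow-list (DHCP spoofing)."""
    return sorted({srv for _, msg, _, srv in events
                   if msg in ("OFFER", "ACK") and srv is not None and srv not in authorized})
```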

ARP poisoning

  • ARP is the Address Resolution Protocol: it resolves IP addresses to MAC addresses and can be used to obtain the MAC addresses of devices on the network.

    • Packets are ARP_REQUEST and ARP_REPLY.
    • Commands:
      • arp -a: displays current ARP cache.
      • arp -d *: clears ARP cache.
  • ARP table: used to map IP addresses to MAC addresses. Every network interface has its own ARP table.

    • If no ARP entry exists:
      1. Computer A broadcasts an ARP request on the network asking for the MAC address of a specific IP.
      2. Computer B replies with its MAC and IP address.
      3. Computer A inserts the pair into its ARP table for future use.
  • ARP spoofing: method of attacking an Ethernet LAN. ARP spoofing succeeds by changing the IP address of the attacker’s computer to the IP address of the target computer. Forged ARP request and reply packets find a place in the target’s ARP cache in this process. Because the ARP reply has been forged, the destination computer (target) sends its frames to the attacker’s computer, where the attacker can modify them before forwarding them to the source machine (User A) in an MITM attack.

  • Tools: arpspoof from dsniff: redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.

    arpspoof -i eth0 -t 10.10.1.1 10.10.1.11
    # -i: specifies the network interface
    # -t: specifies the target IP address (the host whose ARP cache is poisoned)
    # last argument: the host whose traffic is intercepted (e.g. the gateway)
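An added example, not from the original notes, covering the ARP resolution steps and the spoofing attack above from the defender's side: replay ARP packets, learn the IP-to-MAC mappings the way a host would, and flag the three signatures of poisoning (a reply contradicting the static gateway entry recommended under "Sniffing defenses", an IP whose MAC suddenly changes, and a reply nobody asked for). The packets, MACs and the pinned gateway entry are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    t: float          # capture time in seconds
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

# Static (pinned) entry for the gateway, as the defenses section recommends. Constructed value.
GATEWAY_IP = "10.10.1.1"
PINNED = {GATEWAY_IP: "00:50:56:aa:bb:01"}

def analyze_arp(packets, pinned=PINNED, request_ttl=2.0):
    """Return (kind, time, ip, mac) alerts for replies that look like ARP poisoning."""
    table = dict(pinned)           # ip -> first MAC seen; pinned entries never change
    pending = {}                   # (asking MAC, asked IP) -> time of the request
    alerts = []
    for p in packets:
        if p.op == "request":
            pending[(p.sender_mac, p.target_ip)] = p.t
            if p.sender_ip != "0.0.0.0":                # a request also asserts the asker's own mapping
                table.setdefault(p.sender_ip, p.sender_mac)
            continue
        key = (p.target_mac, p.sender_ip)               # did the addressee ask for this IP recently?
        solicited = key in pending and p.t - pending[key] <= request_ttl
        pending.pop(key, None)
        if p.sender_ip in pinned and p.sender_mac != pinned[p.sender_ip]:
            alerts.append(("PINNED_MISMATCH", p.t, p.sender_ip, p.sender_mac))
        elif table.get(p.sender_ip, p.sender_mac) != p.sender_mac:
            alerts.append(("MAC_CHANGED", p.t, p.sender_ip, p.sender_mac))
        elif not solicited:
            alerts.append(("UNSOLICITED_REPLY", p.t, p.sender_ip, p.sender_mac))
        table.setdefault(p.sender_ip, p.sender_mac)     # keep the first-seen mapping; replies never overwrite it
    return alerts

# Constructed sample traffic: a normal resolution, then forged replies of the kind a tool like arpspoof emits.
A_MAC, A_IP = "00:0c:29:11:22:0b", "10.10.1.11"
GW_MAC, EVIL_MAC = PINNED[GATEWAY_IP], "de:ad:be:ef:00:01"
SAMPLE = [
    ArpPacket(0.00, "request", A_MAC, A_IP, "00:00:00:00:00:00", GATEWAY_IP),   # "who has 10.10.1.1?"
    ArpPacket(0.01, "reply", GW_MAC, GATEWAY_IP, A_MAC, A_IP),                  # legitimate answer
    ArpPacket(5.00, "reply", EVIL_MAC, GATEWAY_IP, A_MAC, A_IP),                # "the gateway is at EVIL_MAC"
    ArpPacket(5.00, "reply", EVIL_MAC, A_IP, GW_MAC, GATEWAY_IP),               # "10.10.1.11 is at EVIL_MAC"
    ArpPacket(9.00, "reply", "00:0c:29:33:44:0c", "10.10.1.12", A_MAC, A_IP),   # unsolicited, previously unseen host
]
```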

DNS poisoning

DNS Poisoning, also known as DNS Cache Poisoning, is an attack technique used to redirect traffic from a legitimate domain to a malicious IP address. This allows attackers to capture sensitive information or perform phishing attacks. It exploits the DNS resolution process, manipulating DNS cache or settings.

  • DNS resolution process:

    1. Local check: the machine checks if it is the requested domain.
    2. Resolver cache: checks the cached DNS entries stored locally.
    3. Hosts file: checks entries in the hosts file (e.g., /etc/hosts).
    4. DNS server: if not found locally, the query is sent to the configured DNS server, which may query higher-level authoritative servers.
  • Attack Techniques:

    1. Hosts file modification: malware or an attacker may edit the local hosts file to redirect domains.
    2. Malicious DNS server configuration: Attackers configure malicious DNS servers using DHCP responses, setting a malicious IP for DNS queries.
    3. Cache poisoning: Injects fake DNS records into the resolver cache, causing repeated redirections to attacker-controlled sites.
  • Tools for DNS poisoning:

    • Ettercap: commonly used for man-in-the-middle attacks, DNS spoofing, and other network-based attacks.
      # clear the local resolver cache first (Windows)
      ipconfig /flushdns
      # after editing the etter.dns file to define the spoofed DNS responses,
      # capture and manipulate the requests:
      sudo ettercap -T -q -i <interface> -P dns_spoof -M arp // //
    • DerpNSpoof: a lightweight command-line tool for DNS spoofing and poisoning.
    • Bettercap: an alternative to Ettercap, providing DNS spoofing features.

Mitigations

  • Use DNSSEC: prevents unauthorized changes to DNS records by authenticating responses.
  • Enable DNS Security Features: such as DNS filtering and validation checks.
  • Secure DNS Settings: ensure DNS configurations are secure, preventing unauthorized modifications.
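An added illustration, not from the original notes, of what the "validation checks" mitigation means against the cache-poisoning technique listed above: a toy stub resolver that, in strict mode, caches a reply only if its transaction ID, destination port and source address match the query it sent, so a forged reply racing the genuine one is dropped instead of poisoning the cache. Names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsQuery:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str
    server: str      # resolver IP the query was sent to

@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int
    qname: str
    answer: str
    src: str         # IP the response arrived from

class StubResolver:
    """Minimal resolver cache. strict=False keys only on the name (poisonable);
    strict=True requires the reply to match the outstanding query's ID, port and server."""
    def __init__(self, strict: bool):
        self.strict, self.cache, self.pending = strict, {}, {}

    def ask(self, qname: str, server: str) -> DnsQuery:
        q = DnsQuery(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname, server)
        self.pending[qname] = q
        return q

    def receive(self, r: DnsResponse) -> bool:
        q = self.pending.get(r.qname)
        if q is None:
            return False                                  # nothing outstanding for this name: ignore
        if self.strict and (r.txid != q.txid or r.dst_port != q.src_port or r.src != q.server):
            return False                                  # does not match our query: drop the forged reply
        self.cache[r.qname] = r.answer
        del self.pending[r.qname]
        return True

def poisoning_outcome(strict: bool) -> str:
    """Replay one constructed scenario (a forged reply arrives before the genuine one); return the cached answer."""
    res = StubResolver(strict)
    q = res.ask("bank.example", "10.10.1.53")
    forged = DnsResponse((q.txid + 1) & 0xFFFF, q.src_port, "bank.example", "203.0.113.66", "10.10.1.11")
    genuine = DnsResponse(q.txid, q.src_port, "bank.example", "198.51.100.20", "10.10.1.53")
    res.receive(forged)
    res.receive(genuine)
    return res.cache["bank.example"]
```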

Sniffing defenses

  • Restrict the physical access to the network media
  • Encryption is, by far, the best option.
  • Use Access Control Lists (ACLs) on router/firewall to only allow authorized devices/IP ranges.
  • Permanently add the MAC address of the gateway to the ARP cache.
  • Use static IP addresses and static ARP tables.
  • Use a switch instead of a hub, as a switch delivers data only to the intended recipient.
  • Use PGP and S/MIME, VPN, IPSec (cryptographic tunnel protocol), SSL/TLS, Secure Shell (SSH), one-time passwords (OTP).
  • Retrieve the MAC address directly from the NIC instead of the OS to prevent MAC address spoofing.
  • Use tools to determine if any NICs are running in the promiscuous mode.