April 16, 2016

GHR 108 – Sniffers

Objectives for Sniffers

  • Topic 108.1 – Passive Sniffing
  • Topic 108.2 – Active Sniffing
  • Topic 108.3 – Wireshark
  • Topic 108.4 – Tcpdump
  • Topic 108.5 – Countermeasures

Topic 108.1 – Passive Sniffing

  • RULE : A network interface must be placed into promiscuous mode in order to see traffic other than what has been addressed to it.
  • RULE : Historically, when hubs were used in networks, you could connect to any port while in promiscuous mode and sniff all of the traffic on the collision domain.  This stopped working when network switches became the standard, because a switch only forwards a frame to the port where its destination MAC was learned.
  • RULE : On a switched network you have to configure port mirroring on the switch to copy the traffic from a source such as a particular VLAN, the firewall’s interface, or the router’s interface to another port, to which you connect your sniffer.
  • RULE : To configure a Cisco switch to mirror (a.k.a. SPAN) VLAN1 and forward traffic to the sniffer connected to interface fa0/6:
    • monitor session 1 source vlan 1
    • monitor session 1 destination interface Fa0/6 ingress untagged vlan 1
  • RULE : On large multi-switch networks, you will need to find a point where traffic is aggregated for best effect.
  • RULE : Sniffing traffic in a wiring closet on the edge of the network isn’t as good as sniffing the core switch in the main data center.
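The first rule above has a defensive use as well: a host that is sniffing has an interface in promiscuous mode, and on Linux `ip -d link show` exposes that state. The following is an added example, not part of the original notes; it parses a constructed sample of that command's output (interface names and MACs are made up) and lists the interfaces that are sniffing. The `promiscuity` count is the reliable indicator: a packet-socket sniffer such as tcpdump raises the count without setting the PROMISC flag that `ifconfig` shows, whereas `ip link set dev X promisc on` does both.

```python
import re
import shutil
import subprocess

# Constructed sample of `ip -d link show` output (made-up names and MACs).
# enp5s0 was put into promiscuous mode by a packet-socket sniffer, so only the
# promiscuity count reveals it; enp6s0 was set with `ip link set ... promisc on`,
# so it also carries the PROMISC flag.  lo is untouched.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:42:6a:62 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
3: enp6s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:42:6a:63 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
"""

# "2: enp5s0: <BROADCAST,...>" header line; "@" handles names like "vlan10@enp5s0"
HEADER_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")
# "promiscuity N" appears on the link/... detail line when -d is given
PROMISC_RE = re.compile(r"\bpromiscuity (?P<count>\d+)")


def parse_ip_link(text):
    """Map interface name -> {'flags': set, 'promiscuity': int} from `ip -d link` text."""
    interfaces = {}
    name = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group("name")
            flags = set(filter(None, m.group("flags").split(",")))
            interfaces[name] = {"flags": flags, "promiscuity": 0}
            continue
        m = PROMISC_RE.search(line)
        if m and name is not None:
            interfaces[name]["promiscuity"] = int(m.group("count"))
    return interfaces


def promiscuous_interfaces(text):
    """Names of interfaces that are sniffing: promiscuity count > 0 or PROMISC flag set."""
    return sorted(
        name for name, info in parse_ip_link(text).items()
        if info["promiscuity"] > 0 or "PROMISC" in info["flags"]
    )


def live_promiscuous_interfaces():
    """Check this Linux host via the real `ip -d link show`; None if iproute2 is absent."""
    if shutil.which("ip") is None:
        return None
    out = subprocess.run(["ip", "-d", "link", "show"], capture_output=True, text=True, check=False)
    return promiscuous_interfaces(out.stdout)


if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
    print("this host:", live_promiscuous_interfaces())
```

On a suspect host, `live_promiscuous_interfaces()` runs the real command; the kernel also writes a syslog message when an interface enters promiscuous mode, which is an easy line to alert on centrally. The check is Linux-only; OS X and Windows need their own equivalents.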

Topic 108.2 – Active Sniffing

  • RULE : If passive sniffing isn’t an option, then active sniffing techniques must be used in order to get traffic to the attacker.
  • RULE : Active sniffing techniques:
    • Address Resolution Protocol (ARP) poisoning.
    • Media Access Control (MAC) flooding.
    • DHCP Starvation.
  • RULE : ARP is used by a machine to learn the MAC address to which it should forward traffic for a given IP address on the same local area network (LAN):
    • 10:23:01.950790 ARP, Request who-has 10.0.19.50 tell red1.darkredteam.com, length 46
    • 10:23:01.950799 ARP, Reply 10.0.19.50 is-at 04:0e:60:d0:91:2f (oui Unknown), length 28
  • RULE : There is no security built into ARP.  The machine just trusts the ARP Replies that it receives from the network and stores them in the ARP Cache.
  • RULE : The ARP Cache only stores entries for a specified amount of time.  After that time expires, they are dropped from the ARP Cache.
  • RULE : You can check the ARP cache on Windows:
    • C:\Users\userbob>arp -a
    • Interface: 10.128.110.1 --- 0xc
      Internet Address Physical Address    Type
      10.128.110.2     07-f4-18-4f-0f-5d   dynamic
      10.128.110.254   06-1e-fe-00-9d-58   dynamic
      10.128.110.255   ff-ff-ff-ff-ff-ff   static
      224.0.0.22       01-00-5e-00-00-16   static
      224.0.0.252      01-00-5e-00-00-fc   static
      239.255.255.250  01-00-5e-7f-ff-fa   static
  • RULE : You can check the ARP Cache on Linux and OS X:
    • userbob@red1.darkredteam.com:~$ arp -a
      firewall.darkredteam.com (10.255.0.2) at 00:34:56:83:92:27 [ether] on enp5s0
      fileserver.darkredteam.com (10.255.0.240) at 00:11:22:42:6a:62 [ether] on enp5s0
      host17.darkredteam.com (10.255.0.50) at 11:5e:6f:d0:98:29 [ether] on enp5s0
      host44.darkredteam.com (10.255.0.19) at 00:56:df:78:c7:c0 [ether] on enp5s0
  • RULE : The attacker can send ARP Reply packets with the real IP address of a network egress device such as a router or firewall but with the attacker’s MAC address instead of the real MAC.  This brings traffic to the attacker’s network interface for sniffing, session replay, and other man-in-the-middle attacks.
  • RULE : If an attacker who has ARP poisoned the LAN doesn’t forward the traffic on to the real network egress device, all traffic stops at the attacker’s machine and never reaches the true destination, which results in a Denial of Service (DoS) for that LAN.
  • RULE : To avoid creating a DoS while sniffing, IP forwarding must be enabled.  On Linux and OS X it is configured:
    • Just temporarily – userbob@red1.darkredteam.com:~$ sysctl -w net.ipv4.ip_forward=1
    • Or permanently in the /etc/sysctl.conf file by adding this line – net.ipv4.ip_forward = 1
  • RULE : IP Forwarding on Windows is set in the registry by setting the IPEnableRouter value to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
  • RULE : MAC Flooding is less effective nowadays since switches have more memory, but early low-end switches could only hold so many MAC addresses in memory (the CAM table) before running out, after which the switch would forward traffic to all ports, including the attacker’s port where a sniffer was listening.
  • RULE : DHCP starvation is a technique in which the attacker floods the LAN with fake DHCP request packets to use up all of the remaining available addresses on the DHCP server.  The attacker can then start a rogue DHCP server that tells the clients it is the default gateway, so traffic comes to the attacker to be sniffed and forwarded.
  • RULE : Metasploit can perform these attacks.
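The ARP rules above (no authentication, replies cached as received, poisoning by replies that carry the attacker’s MAC) give a defender three things to watch for in ARP traffic: replies that nobody requested, an IP-to-MAC binding that changes, and one MAC answering for several IPs. The following is an added example, not part of the original notes; it scans tcpdump ARP output lines in the format shown above (a constructed sample with made-up addresses, written as `tcpdump -n` prints it) and reports each of those signs. The `gateways` argument is an assumption of this example, used to tag changes to the egress device’s binding.

```python
import re
from collections import defaultdict

# Constructed sample in the text format tcpdump prints for ARP (with -n, so
# "tell" carries an IP rather than a hostname).  The first four lines are normal
# request/reply pairs; the last two are a constructed poisoning scenario in
# which a second MAC claims the gateway's address without being asked.
SAMPLE_ARP_LOG = """\
10:23:01.950790 ARP, Request who-has 10.0.19.50 tell 10.0.19.7, length 46
10:23:01.950799 ARP, Reply 10.0.19.50 is-at 04:0e:60:d0:91:2f (oui Unknown), length 28
10:23:02.100000 ARP, Request who-has 10.0.19.1 tell 10.0.19.7, length 46
10:23:02.100200 ARP, Reply 10.0.19.1 is-at 00:34:56:83:92:27 (oui Unknown), length 28
10:23:05.000000 ARP, Reply 10.0.19.1 is-at 04:0e:60:d0:91:2f (oui Unknown), length 28
10:23:05.000100 ARP, Reply 10.0.19.50 is-at 04:0e:60:d0:91:2f (oui Unknown), length 28
"""

REQUEST_RE = re.compile(r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+),")
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def analyze_arp(lines, gateways=frozenset()):
    """Return a list of alert strings for suspicious ARP activity in tcpdump output."""
    pending = set()   # IPs asked for by a request that has not been answered yet
    current = {}      # IP -> MAC most recently claimed for it
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            pending.add(m.group("target"))
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue
        ts, ip, mac = m.group("ts"), m.group("ip"), m.group("mac").lower()
        # A reply nobody asked for is how a poisoner pushes entries into caches.
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"{ts} unsolicited reply: {ip} is-at {mac}")
        # A binding that moves to a new MAC is the poisoning itself.
        old = current.get(ip)
        if old is not None and old != mac:
            kind = "gateway binding changed" if ip in gateways else "binding changed"
            alerts.append(f"{ts} {kind}: {ip} was {old}, now {mac}")
        current[ip] = mac
    # One MAC answering for several IPs is the end state of an ARP man-in-the-middle.
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"mac {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP_LOG.splitlines(), gateways={"10.0.19.1"}):
        print(alert)
```

On a real segment, pipe the output of tcpdump with a capture filter of `arp` into `analyze_arp` line by line. A gratuitous ARP from a host that just booted or changed its address will also trip the unsolicited-reply check, so treat a binding change on the gateway address as the high-confidence signal and the other two as supporting evidence.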

Topic 108.3 – Wireshark

  • RULE : Wireshark is the most popular GUI sniffer.
  • RULE : Wireshark runs on:
    • Linux
    • OS X
    • Windows
  • RULE : Some of Wireshark’s features include:
    • Deep inspection of protocols.
    • Live capture and offline analysis.
    • Display filtering.
    • VoIP analysis.
    • Live data can be read from wired Ethernet as well as wireless IEEE 802.11 networks.
    • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
    • Coloring rules can be applied to the packet list to make it easier to identify specific traffic types.
    • Output can be exported to different file formats like XML, CSV, or plain text.
    • Remote capture interfaces allow Wireshark to receive capture data from other machines running a capture daemon or service process, so you can see traffic beyond just your local interfaces.
  • RULE : Captured traffic is only useful if you can find what you are looking for afterwards; filtering the traffic is the key.
  • RULE : There are 2 filtering methods.  Capture filters only capture the specific traffic that you define and reduce the clutter to sift through later.  Display filters allow you to focus on specific traffic that has already been captured.
  • RULE : The syntax for capture filters and display filters is not the same.
  • RULE : To apply a capture filter you configure the Capture Options before starting a capture.  You can select a saved filter or create a new one.
  • RULE : Capture filter syntax examples:
    • To capture only traffic to and from a single machine use, host blueserver1 or host 10.1.1.30.
    • To capture only traffic sourced from a machine use, src host 10.1.1.30.
    • To capture only traffic destined for a machine use, dst host blueserver1.
    • To capture only traffic between a single machine and 2 other servers that it talks to use, host blueserver1 and \(redpc1 or redpc2\) (the backslashes escape the parentheses from the shell when the filter is typed on a command line; in Wireshark’s capture filter dialog plain parentheses suffice).
    • To capture only IP traffic to and from a single machine use, ip host blueserver1.
    • To capture only HTTP traffic use, tcp port 80.
    • To capture only traffic on a single TCP port use, tcp port 8009 or tcp src port 8009 or tcp dst port 8009.
    • To capture only traffic on a subnet use, net 10.1.1.0/24 or src net 10.1.1.0/24 or dst net 10.1.1.0/24.
    • To capture only a range of ports use, tcp portrange 22-443.
    • To capture only traffic on a VLAN use, vlan 2.
    • To not capture any broadcast nor multicasts use, not broadcast and not multicast.
  • RULE : Display filter syntax examples:
    • To display only traffic to and from a single machine use, ip.addr == 10.1.1.30.
    • To display only traffic sourced from a single machine use, ip.src == 10.1.1.30.
    • To display only traffic destined for a single machine use, ip.dst == 10.1.1.30.
    • To display only traffic for a specific machine (10.1.1.30) while not displaying traffic from another machine (10.1.1.7) use, !(ip.addr==10.1.1.7) && ip.addr==10.1.1.30.
    • To display only traffic for a subnet use, ip.addr == 10.1.1.0/24.
    • To display only traffic on a specific TCP port use, tcp.port == 80.
    • To display only traffic on a few TCP ports use, tcp.port in {21 23 80} or tcp.port == 21 || tcp.port == 23 || tcp.port == 80.
    • To display only traffic for a specific protocol just type it, igmp or udp or dhcp or icmp.
    • To display only traffic for ports greater than a value use, udp.port > 5600.
    • To display only traffic for ports greater than or equal to a value use, tcp.port >= 1024.

Topic 108.4 – Tcpdump

  • RULE : Tcpdump is a sniffer that runs from a command line.
  • RULE : Tcpdump runs on:
    • Linux
    • OS X
  • RULE : To display packets to the screen type tcpdump at the command line.
  • RULE : To write the captured packets to a file use, tcpdump -w somefilename.cap.
  • RULE : Since the output is typically text sent to the terminal, there isn’t much screen real estate in which to format the captured data, so filtering out everything that you don’t want to see is important.
  • RULE : Tcpdump’s capture filter syntax is the same as Wireshark’s capture filter syntax (both use libpcap filter expressions), so the same examples apply:
    • To capture only traffic to and from a single machine use, host blueserver1 or host 10.1.1.30.
    • To capture only traffic sourced from a machine use, src host 10.1.1.30.
    • To capture only traffic destined for a machine use, dst host blueserver1.
    • To capture only traffic between a single machine and 2 other servers that it talks to use, host blueserver1 and \(redpc1 or redpc2\) (the backslashes keep the shell from interpreting the parentheses; quoting the whole expression in single quotes works too).
    • To capture only IP traffic to and from a single machine use, ip host blueserver1.
    • To capture only HTTP traffic use, tcp port 80.
    • To capture only traffic on a single TCP port use, tcp port 8009 or tcp src port 8009 or tcp dst port 8009.
    • To capture only traffic on a subnet use, net 10.1.1.0/24 or src net 10.1.1.0/24 or dst net 10.1.1.0/24.
    • To capture only a range of ports use, tcp portrange 22-443.
    • To capture only traffic on a VLAN use, vlan 2.
    • To not capture any broadcast nor multicasts use, not broadcast and not multicast.