Sniffing and Spoofing Part 1
Network Basics Revisited
Network Hardware
Hubs (= multi-port repeaters): A hub is generally a box with multiple RJ-45 ports
No more than a repeating device that operates on the physical layer
ex. if the computer on port 1 of a 4-port hub sends data to the computer on port 2, the hub sends those packets to ports 2, 3, and 4
=> hubs broadcast data to every port, and each non-destination computer discards the data.
Layer-2 Switches
Like a hub, a switch is designed to repeat packets.
However, unlike a hub, rather than broadcasting data to every port, a switch sends data to only the destination computer (to reduce traffic)
- = (MAC) bridge, switching hub, bridging hub, etc.
- Switches store the layer 2 address of every connected device in a content-addressable memory (CAM) table
- Also called MAC (forwarding) table, and sometimes incorrectly called ARP table
- When a packet is transmitted, using the CAM table as reference, the switch determines to which port(s) to send the packet
Layer-3 Routers
A router is an advanced network device with a much higher level of functionality than a switch or a hub
- Responsible for forwarding packets between two or more networks.
The flow of traffic when computer A on one network transmits data to computer X on another network through a router
MAC Table or MAC Forwarding Table (Layer 2)
- The MAC table is used by the switch to map MAC Addresses to a specific interface on the switch. These usually expire every 5 minutes or so, and are updated by reading the source address of the frame entering the interface. Your switch should have a MAC/CAM Table as a layer 2 device
- In a managed layer two switch, there is a forwarding table plus an ARP table but the latter is only used for the management interface to talk to interested hosts (i.e. the PC you are using to configure the switch.)
ARP Table (Layer 3)
- The ARP table is used to map MAC Addresses to IP addresses. If no ARP entry exists, an ARP broadcast is sent out, and the table is updated with the response. These usually expire after 2-4 hours. Each host connected to the network should maintain its own ARP Table
- In a managed layer 3 switch there will be a forwarding table plus an ARP table, since it needs it for the management interface plus router functionality exists to perform forwarding between subnets
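The learning and forwarding behaviour of a hub versus a switch, as an added example (not code from the original post): a toy switch builds its CAM table from the source MAC of each incoming frame, ages entries out after 300 seconds, and floods broadcast and unknown-unicast frames, while a toy hub repeats everything. The port numbers, MAC addresses and frame sequence are constructed, and the "sniffer" is whatever sits on port 4, which also shows why a sniffer on a switch port sees only broadcast traffic and its own conversations.

```python
# Added example, not from the original post: a toy hub and a toy layer-2 switch.
# The switch learns its CAM (MAC forwarding) table from the source MAC of every
# frame that enters a port and ages entries out after 300 s; unknown-unicast and
# broadcast frames are flooded. Port numbers, MACs and frames are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: int  # port the frame entered on
    time: float   # arrival time in seconds (used for CAM aging)


class Hub:
    """Physical-layer repeater: every frame is repeated to every other port."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, frame):
        return sorted(p for p in self.ports if p != frame.in_port)


class Switch:
    """Layer-2 switch: learn source MAC -> port, forward by destination MAC."""

    def __init__(self, ports, aging_secs=300.0):
        self.ports = ports
        self.aging = aging_secs
        self.cam = {}  # MAC -> (port, last_seen)

    def forward(self, frame):
        now = frame.time
        # Age out stale entries (real switches default to roughly five minutes).
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t <= self.aging}
        # Learn from the source address of the incoming frame.
        self.cam[frame.src] = (frame.in_port, now)
        if frame.dst != BROADCAST and frame.dst in self.cam:
            out_port = self.cam[frame.dst][0]
            return [] if out_port == frame.in_port else [out_port]
        # Broadcast or unknown destination: flood to every other port.
        return sorted(p for p in self.ports if p != frame.in_port)


def visible_on(device, sniff_port, frames):
    """(src, dst) pairs a sniffer on sniff_port sees: its own frames plus
    whatever the device forwards to that port."""
    seen = []
    for f in frames:
        out_ports = device.forward(f)
        if f.in_port == sniff_port or sniff_port in out_ports:
            seen.append((f.src, f.dst))
    return seen


A, B, C, D = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
              "00:00:00:00:00:0c", "00:00:00:00:00:0d")
PORTS = [1, 2, 3, 4]  # D (the sniffer) sits on port 4

# Constructed frame sequence.
FRAMES = [
    Frame(A, BROADCAST, 1, 0),   # A broadcasts (e.g. an ARP request)
    Frame(B, A, 2, 1),           # B replies to A
    Frame(A, B, 1, 2),           # A -> B
    Frame(B, D, 2, 3),           # B -> D before D has ever transmitted
    Frame(D, B, 4, 4),           # D answers, so the switch learns port 4
    Frame(B, D, 2, 5),           # B -> D again
    Frame(C, A, 3, 400),         # after the aging timer: A's entry is gone
]


def visibility_window(sniff_port=4):
    """Compare what the sniffer sees on a hub versus on a switch."""
    return {
        "hub": visible_on(Hub(PORTS), sniff_port, FRAMES),
        "switch": visible_on(Switch(PORTS), sniff_port, FRAMES),
    }


if __name__ == "__main__":
    for device, seen in visibility_window().items():
        print(f"{device}: {len(seen)} of {len(FRAMES)} frames visible")
        for src, dst in seen:
            print(f"  {src} -> {dst}")
```

On the hub all seven frames reach port 4; on the switch only five do: the broadcast, the two frames that were flooded because the destination was unknown or had aged out, and D's own conversation with B. The B-to-A and A-to-B frames never reach the sniffer, which is the visibility window the text describes for a switched port.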
Types of Network Traffic
Broadcast Traffic
A broadcast packet is a packet that’s sent to all ports on a network segment, regardless of whether a given port is a hub or switch
- On layer 2, the MAC address ff:ff:ff:ff:ff:ff is the reserved broadcast address, and any traffic sent to this address is broadcast to the entire network segment
- Layer 3 also has a specific broadcast address, but it varies based on the network address range in use (e.g., if your computer has an address of 192.168.0.20 and a 255.255.255.0 subnet mask, then 192.168.0.255 is the broadcast address)
Multicast Traffic
Multicast is a means of transmitting a packet from a single source to multiple destinations simultaneously
- To use as little bandwidth as possible
Unicast Traffic
A unicast packet is transmitted from one computer directly to another
Broadcast Domain
The extent to which broadcast packets can travel is called the broadcast domain, which is the network segment where any computer can directly transmit to another computer without going through a router
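Classifying destination addresses at layer 2 and layer 3, as an added example (not code from the original post): the all-ones MAC is broadcast, a set I/G bit marks a multicast MAC, the IPv4 directed broadcast is derived from the address and subnet mask with the same bitwise operation a host performs, and 224.0.0.0/4 is multicast. The sample addresses are constructed; the 192.168.0.20/255.255.255.0 case is the one from the text.

```python
# Added example, not from the original post: classify layer-2 and layer-3
# destination addresses as broadcast, multicast or unicast, and derive the
# directed broadcast address from an address and netmask with the same
# bitwise arithmetic a host uses. Sample addresses are constructed.
ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_octets(mac):
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xff for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return octets


def _ipv4_int(dotted):
    parts = [int(x) for x in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def _ipv4_str(value):
    return ".".join(str((value >> shift) & 0xff) for shift in (24, 16, 8, 0))


def mac_traffic_type(mac):
    """Layer 2: all-ones is broadcast; a set I/G bit (lowest bit of the first
    octet) marks a group/multicast address; everything else is unicast."""
    octets = _mac_octets(mac)
    if all(o == 0xff for o in octets):
        return "broadcast"
    if octets[0] & 0x01:
        return "multicast"
    return "unicast"


def network_address(host_addr, netmask):
    """Network address = address with all host bits cleared: addr & mask."""
    return _ipv4_str(_ipv4_int(host_addr) & _ipv4_int(netmask))


def broadcast_address(host_addr, netmask):
    """Directed broadcast = address with all host bits set: addr | ~mask.
    (A /31 or /32 has no host bits, so the result is just the address.)"""
    mask = _ipv4_int(netmask)
    return _ipv4_str(_ipv4_int(host_addr) | (~mask & 0xffffffff))


def ipv4_traffic_type(dst, host_addr, netmask):
    """Layer 3, as seen by a host configured with host_addr/netmask."""
    dst_int = _ipv4_int(dst)
    if dst_int == 0xffffffff or dst == broadcast_address(host_addr, netmask):
        return "broadcast"
    if (dst_int >> 28) == 0xe:  # 224.0.0.0/4
        return "multicast"
    # Another subnet's directed broadcast (e.g. 10.0.0.255) looks like unicast
    # from here: only the local mask is known, which is why the text says the
    # layer-3 broadcast address depends on the address range in use.
    return "unicast"


if __name__ == "__main__":
    host, mask = "192.168.0.20", "255.255.255.0"
    print("network  :", network_address(host, mask))
    print("broadcast:", broadcast_address(host, mask))
    for mac in (ETH_BROADCAST, "01:00:5e:00:00:fb", "00:1a:2b:3c:4d:5e"):
        print(f"{mac}: {mac_traffic_type(mac)}")
    for ip in ("192.168.0.255", "224.0.0.251", "192.168.0.7", "10.0.0.255"):
        print(f"{ip}: {ipv4_traffic_type(ip, host, mask)}")
```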
Packet Analysis and Packet Sniffers
Packet analysis (= packet sniffing, protocol analysis)
- The process of capturing and interpreting live data as it flows across a network in order to better understand what is happening on that network
- performed by a packet sniffer, a hardware device or a software tool used to capture raw network data going across the wire
Applications of Packet Analysis
- Understanding network characteristics
- Learning who is on a network
- Determining who or what is utilizing available bandwidth
- Identifying peak network usage times
- Identifying malicious activity
- Finding unsecured and bloated applications
Tapping into the Wire
A key decision for effective packet analysis is where to physically position a packet sniffer to appropriately capture the data. Packet analysts often refer to placing the packet sniffer as sniffing the wire, tapping the network, or tapping into the wire
- Because the devices on a modern network (switches and routers) each handle traffic differently, you must take into account the physical setup of the network you are analyzing
Living Promiscuously
- Before discussing sniffer placement, let's look at how to set up a packet sniffer machine
- To sniff packets on a network using your laptop, you need a network interface card (NIC) that supports a promiscuous mode driver
- Promiscuous mode is what allows a NIC to view all packets crossing the wire
- In Wi-Fi (IEEE 802.11), a similar mode called monitor mode is available
- When operating in promiscuous mode, the NIC passes every packet it sees to the host’s processor, regardless of addressing
- Most modern NICs support promiscuous mode, and Wireshark includes the libpcap/WinPcap driver, which allows it to switch your NIC directly into promiscuous mode from the Wireshark GUI
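A host-side check for the flag that promiscuous mode sets, as an added example (not code from the original post): on Linux the kernel exposes each interface's flag bits in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while a capture tool such as a libpcap-based sniffer holds the NIC in promiscuous mode. The two sample flag strings are constructed; scan_interfaces() reads the live values when run on a Linux host.

```python
# Added example, not from the original post: a host-side check for NICs left in
# promiscuous mode, using the interface flag bits Linux exposes in
# /sys/class/net/<iface>/flags. The bit values are the IFF_* constants from
# <linux/if.h>; the sample flag strings are constructed.
import os

IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING",
    IFF_PROMISC: "PROMISC",
    IFF_MULTICAST: "MULTICAST",
}


def decode_flags(raw):
    """Turn the hex string from the flags file (e.g. '0x1103\\n') into flag names."""
    value = int(raw.strip(), 16)
    return sorted(name for bit, name in FLAG_NAMES.items() if value & bit)


def is_promiscuous(raw):
    """True when the IFF_PROMISC bit is set in the raw flags string."""
    return bool(int(raw.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_root="/sys/class/net"):
    """Read every interface's raw flags (Linux only); returns {iface: raw string}."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                result[iface] = fh.read()
        except OSError:
            continue  # virtual or vanished interface without a flags file
    return result


def promiscuous_interfaces(flags_by_iface):
    """Names of the interfaces whose flags include PROMISC."""
    return [name for name, raw in flags_by_iface.items() if is_promiscuous(raw)]


# Constructed sample: a normal, up Ethernet interface (UP|BROADCAST|MULTICAST)
# and the same interface while a capture tool holds it in promiscuous mode.
SAMPLE_FLAGS = {"eth0 (normal)": "0x1003\n", "eth0 (sniffing)": "0x1103\n"}

if __name__ == "__main__":
    for name, raw in SAMPLE_FLAGS.items():
        print(f"{name}: {raw.strip()} -> {', '.join(decode_flags(raw))}")
    print("sample promiscuous:", promiscuous_interfaces(SAMPLE_FLAGS))
    live = scan_interfaces()
    if live:
        print("live promiscuous:", promiscuous_interfaces(live) or "none")
```

Two caveats for anyone using this as a detection: a capture tool can be told not to enable promiscuous mode (it then sees only its own and broadcast traffic, exactly the switched-port visibility window), and Wi-Fi monitor mode is a separate interface type that this flag does not report.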
Sniffing Around Hubs
- Sniffing on a network that uses only hubs is a dream for any packet analyst
- You’ll be able to see all communication to and from the computer you plug into, as well as all communication between any other devices plugged into that hub
- Unfortunately for us, hub-based networks are rare because of the headaches they cause network administrators (e.g., low network throughput, high packet collision probability)
- Visibility window represents the devices on the network whose traffic you can see with a packet sniffer
Sniffing in a Switched Environment
- Switches are the most common type of connection device used in modern networks
- When you connect a sniffer to a port on a switch, you can see only broadcast traffic and the traffic transmitted and received by the device the sniffer is installed on
- There are four primary ways to capture this traffic: port mirroring, hubbing out, using a tap, and ARP cache poisoning
Port Mirroring (= port spanning; SPAN = Switched Port Analyzer)
- In this type of setup, you must have access to the command line or web management interface of the managed switch on which the target computer is located
- Also, the switch must support port mirroring and have an empty port into which you can plug your sniffer
- Many enterprise-grade switches support port mirroring
- When port mirroring, be aware of the throughput of the ports you are mirroring
- Some switch manufacturers allow you to mirror multiple ports to one port, functionality that may be useful when analyzing the communication between two or more devices on a single switch
- However, if you have a 24-port switch and you mirror 23 full-duplex 100Mbps ports to one port, you have potentially 4,600Mbps (=4.6Gbps) flowing to that port
- This is well beyond the physical threshold of a single port, so you could cause packet loss or network slowdowns if the traffic reaches a certain level
- This is sometimes referred to as oversubscription
- In these situations, switches have been known to completely drop excess packets or even “pause” their internal circuitry, preventing communication altogether
- => port mirroring is usually not reliable
- Especially at high throughput levels, port mirroring can provide inconsistent results and cause data loss that can be hard to track down
Hubbing Out
- With this technique, you place the target device and your analyzer system on the same network segment by plugging them both directly into a hub
- Many people think of hubbing out as “cheating,” but it’s really a valid solution when you can’t perform port mirroring but still have physical access to the switch the target device is plugged into
- In most situations, hubbing out reduces the duplex of the target device from full (both directions at once) to half (one direction at a time)
- Finding "true" hubs is not easy: when hubbing out, be sure that you’re using a true hub and not a falsely labeled switch
- When you find something you believe is a hub, test it to make sure
- Since hubs are so antiquated, they’re not mass-produced much anymore. It’s almost impossible to buy a true hub off the shelf, so you’ll need to be creative in order to find one
Using a Tap
- A network tap is a hardware device that you can place between two points on your cabling system to capture the packets between those two points
- a specialized piece of hardware designed for network analysis
- Two types:
- Nonaggregated tap: four ports and requires separate interfaces for monitoring traffic bidirectionally
- Aggregated tap: only three ports and can monitor bidirectionally with only a single interface
ARP Cache Poisoning(= ARP spoofing)
- an advanced form of tapping into the wire on a switched network
- It works by sending ARP messages to an Ethernet switch or router with fake MAC (layer 2) addresses in order to intercept the traffic of another computer
- To deceive the target computer, the sniffer will reroute traffic with the MAC address of the target computer
- You can use Cain & Abel (http://www.oxid.it) for ARP cache poisoning
- This technique is commonly used by attackers to send falsely addressed packets to client systems in order to intercept certain traffic or cause denial-of-service (DoS) attacks on a target
- Not desirable when the target has very high network utilization; the extra hop through the sniffer degrades performance (so some SSL-based connection attempts may fail)
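Since ARP cache poisoning works by answering with a conflicting IP-to-MAC binding, the defender's counterpart is a monitor that notices such conflicts. As an added example (not code from the original post, and not Cain & Abel), the block below parses raw Ethernet/ARP frames and, in the spirit of arpwatch, raises an alert when an IP address that was bound to one MAC is suddenly claimed by another, or when the ARP sender MAC disagrees with the Ethernet source MAC. All frames, MACs and IPs are constructed; build_arp() exists only to assemble that sample input.

```python
# Added example, not from the original post: a defender-side ARP monitor in the
# spirit of arpwatch. It parses raw Ethernet/ARP frames and raises an alert when
# an IP address is suddenly claimed by a different MAC, or when the ARP sender
# MAC disagrees with the Ethernet source MAC. All frames below are constructed.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP (IPv4 over Ethernet) frame for sample input."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac_str(eth_src), "eth_dst": _mac_str(eth_dst), "op": op,
            "sha": _mac_str(sha), "spa": _ip_str(spa),
            "tha": _mac_str(tha), "tpa": _ip_str(tpa)}


class ArpWatch:
    """Remember the first MAC seen for each IP and flag later disagreements."""

    def __init__(self):
        self.table = {}  # IP -> MAC first observed claiming it

    def observe(self, pkt):
        alerts = []
        kind = "reply" if pkt["op"] == ARP_REPLY else "request"
        if pkt["sha"] != pkt["eth_src"]:
            alerts.append(f"ARP {kind}: sender MAC {pkt['sha']} differs from "
                          f"Ethernet source {pkt['eth_src']}")
        known = self.table.get(pkt["spa"])
        if known is None:
            self.table[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            alerts.append(f"ARP {kind}: {pkt['spa']} was {known}, now claimed by {pkt['sha']}")
        return alerts


def monitor(frames):
    """Run every frame through the parser and the watcher; return all alerts."""
    watch = ArpWatch()
    alerts = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is not None:
            alerts.extend(watch.observe(pkt))
    return alerts


GW, HOST, OTHER = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
ZERO, BCAST = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [  # constructed traffic on 192.168.0.0/24
    build_arp(HOST, BCAST, ARP_REQUEST, HOST, "192.168.0.20", ZERO, "192.168.0.1"),
    build_arp(GW, HOST, ARP_REPLY, GW, "192.168.0.1", HOST, "192.168.0.20"),      # genuine reply
    build_arp(OTHER, HOST, ARP_REPLY, OTHER, "192.168.0.1", HOST, "192.168.0.20"),  # conflicting binding
    build_arp(OTHER, HOST, ARP_REPLY, GW, "192.168.0.1", HOST, "192.168.0.20"),    # sender MAC mismatch
    b"\x00" * 60,  # not ARP: ignored by the parser
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

A binding change is not proof of poisoning: a replaced NIC, a DHCP lease moving to another machine or a first-hop redundancy failover also changes the MAC behind an IP, so in practice such alerts are correlated with the gateway's known MAC and with the switch's CAM table rather than acted on blindly.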
Sniffing in a Routed Environment
All the techniques for tapping into the wire on a switched network are available on routed networks as well
- The only major consideration when dealing with routed environments is the importance of sniffer placement when you are troubleshooting a problem that spans multiple network segments
Sniffer Placement in Practice
Summary
- Network revisited
- Packet sniffing
- Port mirroring
- Hubbing out
- Using a tap
- ARP cache poisoning