Sniffing & Keylogger
Deff Arnaldy, M.Si
0818 0296 4763
deff_arnaldy@yahoo.com
Overview
• Sniffing concept
• Capturing live network data
• Exploring the capture results
• Sniffing countermeasures
• Keyloggers
Sniffing Concept
• A sniffer is a program that reads and analyses every protocol passing through the machine on which it is installed.
• By default, a computer on a network (workstation) only listens to and responds to the packets sent to it. However, the network card can be configured by certain programs so that it monitors and captures all passing network traffic, regardless of whom a packet is addressed to.
• This activity is commonly called sniffing.
Sniffing
• Targets the Data Link layer of the protocol stack
• Sniffer: gathers traffic off the network
• This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
• Allows an attacker to read data passing a given machine in real time.
• Two types of sniffing:
  • Active
  • Passive
Sniffing
Passive
• Attacker must have an account on the LAN
• Done over a hub
• Usually, once access is gained on one computer, the attacker uses the captured passwords to get into other computers
Active
• Attacker still needs an account
• Several different attacks:
  - Parsing packets
  - Flooding
  - Spoofed ARP messages
  - DNS spoofing
  - HTTPS and SSH spoofing
Passive Sniffing
[Diagram: user1, Server, user2 and Bad guy all connected to a HUB; user1 sends the message "BLAH"]
- Message gets sent to all computers on the hub
Active Sniffing
[Diagram: user1, Server, user2 and Bad guy all connected to a Switch; user1 sends the message "BLAH"]
- Message gets sent only to the requesting computer, selected by looking at the MAC address
Dsniff
• Offers several ways around a switch
• Available for OpenBSD, Linux, Solaris, and there is a version for Windows
• Very popular and versatile
• In conjunction with sshmitm and webmitm, conducts all the above attacks
Major Problems with Sniffing
• Any mischievous machine can examine any packet on a BROADCAST medium
• Ethernet is BROADCAST
  • at least on the segments over which a packet travels
• Getting passwords is the first step in exploiting a machine
  • email is plaintext and vulnerable
What does one sniff?
• passwords
• email
• financial account information
• confidential information
• low-level protocol info to attack
  • hardware addresses
  • IP addresses
  • routing, etc.
What are the components of a packet sniffer?
1. Hardware: standard network adapters.
2. Capture Filter: this is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
3. Buffers: used to store the frames captured by the Capture Filter.
4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.
5. Decoder: "protocol analysis", i.e. turning raw bytes into named protocol fields.
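The five components above, wired together as an added example (this is not code from the slides, and it is not any real sniffer's implementation). It uses only the Python standard library: the decoder parses Ethernet, IPv4 and TCP headers, the capture filter keeps only traffic to a set of clear-text service ports (an assumption chosen for the example), the buffer is a bounded deque, and the analyzer reports what a defender would want flagged. The frames, MAC addresses and IP addresses are constructed; a real sniffer would read frames from a raw socket or a pcap file instead.

```python
"""Minimal packet-sniffer pipeline: decoder -> capture filter -> buffer -> analyzer.

Added example; frames below are constructed, not real captures.
"""
import struct
from collections import deque

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Assumption for the analyzer: services that carry credentials in clear text.
CLEARTEXT_PORTS = {21: "FTP", 23: "telnet", 80: "HTTP", 110: "POP3"}

# Constructed, locally administered MAC addresses.
MAC_A = bytes.fromhex("0200000000aa")
MAC_B = bytes.fromhex("0200000000bb")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet + IPv4 + TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def decode(frame):
    """Decoder (protocol analysis): return header fields of an IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # e.g. ARP frames are not decoded further here
    ip = frame[ETH_LEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4     # TCP header length in bytes
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "payload": tcp[data_off:],
    }


def capture_filter(pkt):
    """Capture filter: keep only TCP segments heading to a clear-text service port."""
    return pkt is not None and pkt["dport"] in CLEARTEXT_PORTS


class Sniffer:
    def __init__(self, maxlen=1024):
        self.buffer = deque(maxlen=maxlen)  # Buffer: bounded store of filtered packets

    def feed(self, frame):
        """Hardware would hand us a frame; decode it and buffer it if the filter keeps it."""
        pkt = decode(frame)
        if capture_filter(pkt):
            self.buffer.append(pkt)
            return pkt
        return None

    def analyze(self):
        """Real-time analyzer: one finding per buffered packet whose payload is readable."""
        findings = []
        for pkt in self.buffer:
            service = CLEARTEXT_PORTS[pkt["dport"]]
            text = pkt["payload"].decode("ascii", errors="replace").strip()
            findings.append(f"{service} {pkt['src']}:{pkt['sport']} -> "
                            f"{pkt['dst']}:{pkt['dport']} payload={text!r}")
        return findings


def run_demo():
    """Feed three constructed frames; only the clear-text FTP one survives the filter."""
    s = Sniffer()
    s.feed(build_frame(MAC_A, MAC_B, "10.0.0.5", "10.0.0.9", 40000, 21, b"USER alice\r\n"))
    s.feed(build_frame(MAC_A, MAC_B, "10.0.0.5", "10.0.0.9", 40001, 443, b"\x16\x03\x01\x00"))
    s.feed(b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28)  # constructed ARP-ethertype frame
    return s.analyze()


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The HTTPS frame is dropped by the capture filter and the ARP frame by the decoder, so the analyzer reports only the FTP segment; the same pipeline with an encrypted payload would still buffer the packet but produce nothing readable, which is the point of the cryptography countermeasure later in the deck.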
How does a Sniffer Work?
Sniffers also work differently depending on the type of network they are in.
1. Shared Ethernet
2. Switched Ethernet
How can I detect a packet sniffer?
• Ping method
• ARP method
• DNS method
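A simulation, added here and not part of the slides, that ties the passive/active diagrams (hub vs. switch) to the ARP detection method listed above. Hosts, MAC addresses and frames are constructed. A hub repeats every frame to every port, so a promiscuous NIC on the hub captures the message; a switch that has learned the destination MAC forwards it to one port only. The promiscuity check models the idea behind the ARP method: a probe addressed to a unicast MAC that belongs to nobody is accepted only by a NIC that has stopped filtering on its own address. On a real network the probe would be an ARP request sent through a raw socket; that part is not implemented here.

```python
"""Hub vs. switch delivery and a promiscuous-mode check (added example, simulated)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Nic:
    name: str
    mac: str
    promiscuous: bool = False
    seen: list = field(default_factory=list)  # frames passed up to the host's stack

    def receive(self, frame):
        """A normal NIC drops frames not addressed to it; a promiscuous one keeps everything."""
        if self.promiscuous or frame["dst"] in (self.mac, BROADCAST):
            self.seen.append(frame)
            return True
        return False


class Hub:
    """Repeater: every frame is copied to every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame, ingress):
        return [n.name for n in self.ports if n is not ingress and n.receive(frame)]


class Switch:
    """Learns source MAC -> port; unicast to a known MAC leaves one port only.
    Unknown destinations and broadcasts are flooded like a hub."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC address table

    def forward(self, frame, ingress):
        self.cam[frame["src"]] = ingress
        target = self.cam.get(frame["dst"])
        if target is not None and frame["dst"] != BROADCAST:
            return [target.name] if target.receive(frame) else []
        return [n.name for n in self.ports if n is not ingress and n.receive(frame)]


def promiscuous_hosts(ports):
    """ARP-method idea: a probe to a bogus unicast MAC is accepted only by promiscuous NICs."""
    probe = {"src": "02:00:00:00:00:01", "dst": "02:00:00:00:00:ff", "data": "probe"}
    return [n.name for n in ports if n.receive(probe)]


def run_demo():
    """Same four hosts on a hub and then on a switch; Bad guy's NIC is promiscuous."""
    results = {}
    for topology in (Hub, Switch):
        user1 = Nic("user1", "02:00:00:00:00:01")
        server = Nic("Server", "02:00:00:00:00:02")
        user2 = Nic("user2", "02:00:00:00:00:03")
        badguy = Nic("Bad guy", "02:00:00:00:00:04", promiscuous=True)
        ports = [user1, server, user2, badguy]
        dev = topology(ports)
        # The server talks first so a switch can learn its port before the sensitive message.
        dev.forward({"src": server.mac, "dst": BROADCAST, "data": "hello"}, server)
        delivered = dev.forward({"src": user1.mac, "dst": server.mac, "data": "BLAH"}, user1)
        results[topology.__name__] = {
            "delivered_to": delivered,
            "promiscuous": promiscuous_hosts(ports),
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: 'BLAH' received by {r['delivered_to']}, promiscuous: {r['promiscuous']}")
```

On the hub the message reaches both the Server and Bad guy; on the switch it reaches the Server alone, which is why the active-sniffing attacks on slide 5 exist. The probe finds the promiscuous NIC in both topologies, since a switch floods a frame whose destination MAC it has never learned.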
Packet Sniffer Mitigation
The following techniques and tools can be used to mitigate sniffers:
• Authentication: using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
• Switched infrastructure: deploy a switched infrastructure to counter the use of packet sniffers in your environment.
• Antisniffer tools: use these tools to employ software and hardware designed to detect the use of sniffers on a network.
• Cryptography: the most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.
[Figure: Host A, Router A, Router B, Host B]
Top 11 Packet Sniffers
• Wireshark
• Kismet
• Tcpdump
• Cain and Abel
• Ettercap
• Dsniff
• NetStumbler
• Ntop
• Ngrep
• EtherApe
• KisMAC
Working of Cain & Abel
What are sniffers used for?
• Detection of clear-text passwords and usernames from the network.
• Conversion of data to human-readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Network intrusion detection in order to discover hackers.
Prevention of Sniffing
• Segmentation into trustworthy segments
  • bridges
  • better yet, switched hubs
• Not enough "not to allow sniffing"
  • easy to add a machine on the net
  • may try using X-terminals vs. workstations
Prevention of Sniffing (more)
• Avoid password transmission
  • one solution is the r* family of commands
  • rlogin, rcp, rsh, etc.
  • put trusted hosts in .rhosts
  • many SAs don't want users to use them
• Using encrypted passwords
  • Kerberos
  • PGP public keys
Keylogger
• If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers
• Keystroke loggers (keyloggers) can be implemented either using hardware or software
• Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device
• In order to install a hardware keylogger, a hacker must have physical access to the system
• Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke.
• Software keyloggers can be deployed on a system by Trojans or viruses