packet sniffing and spoofing
play

Packet Sniffing and Spoofing 1 Shared Networks Every network - PowerPoint PPT Presentation

May 04, 2023 •219 likes •625 views

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's network Interface card, which then filters packets based on the MAC address. A network packet has multiple concatenated components. 2 How Packets

  1. Packet Sniffing and Spoofing 1

  2. Shared Networks Every network packet reaches every computer's network Interface card, which then filters packets based on the MAC address. A network packet has multiple concatenated components. 2

  3. How Packets Are Received Applications only receive packets that are meant for the CPU and the registered port User Space Protocol Stack Protocol Stack Kernel only receive packets that are meant for Link Level Driver the CPU Kernel Kernel buffer DMA transfer of packet to kernel memory check if destination address matches the Network Card card's MAC address Hardware All packets on the network arrive here network packet NIC - Network Interface Card a physical/logical link between a machine • and a network each has a MAC address • 3 hear all the frames on the wire •

  4. Promiscuous Mode • The frames that are not destined to a given NIC are discarded • When operating in promiscuous mode, NIC passes every frame received from the network to the kernel • If a sniffer program is registered with the kernel, it will be able to see all the packets • In Wi-Fi, it is called Monitor Mode 4

  5. Promiscuous Mode Application can receives all packets that the NIC receives. User Space Protocol Stack Kernel receive all packets that the NIC receives Link Level Driver Kernel Kernel buffer DMA transfer of packet to kernel memory Network No filtering done if the network card is Card(P) working in promiscuous mode Hardware All packets on the network arrive here network packet 5

  6. Packet Sniffing • Packet sniffing describes the process of capturing live data as they flow across a network • Applications that register with the kernel so as to capture all packets seen in the network. • Typically requires superuser permissions • Let us first see how computers receive packets. 6

  7. Receiving Packets Using Socket Domain: IPV4. Other alternatives are AF_INET6, etc. Type: datagram, connectionless, fixed length, unreliable Create the socket Provide information about server associate an address with the socket using bind() Receive packets 7

  8. Receiving Packets Using Socket Create the socket Provide information about server htons(): unsigned short from host order to network order htonl(): unsigned long from host order to network order ntohs() : unsigned short network to host order Receive packets ntohl() : unsigned long, network to host order 8

  9. Endianness • Endianness: a term that refers to the order in which a given multi- byte data item is stored in memory. – Little Endian : store the most significant byte of data at the highest address – Big Endian : store the most significant byte of data at the lowest address 9

  10. Endianness In Network Communication • Computers with different byte orders will “misunderstand” each other. – Solution: agree upon a common order for communication – This is called “network order”, which is the same as big endian order • All computers need to convert data between “host order” and “network order” . 10

  11. Receiving Packets Using Raw Socket Creating a raw socket Capture all types of packets Enable the promiscuous mode Wait for packets 11

  12. Normal Socket vs Raw Socket A s RAW SOCKET w h ad r p • An application creating a normal socket like a stream or datagram, will not receive the packet headers. Information like MAC address, source IP, etc. is not received. Instead only the payload present in each packet. • In raw sockets, the headers are not clipped. Application obtains an unintercepted packet. 12

  13. Flooding of Packets in User Space • Applications that register with the kernel so as to capture all packets seen in the network. • Typically, sniffers are only interested in a small subset of packets, all the other packets are discarded. – Improves performance considerably (less processing time) – Would require much less expensive hardware • Filtering must be as close to the NIC as possible (filter as early as possible) • BSD packet filtering (BPF) provides a means by which sniffers can specify to the kernel, the packets they are interested in. 13

  14. BSD Packet Filter (BPF) • BPF allows a user- program to attach a filter to the socket, which tells the kernel to discard unwanted packets. • An example of the compiled BPF code is shown here. 14

  15. BSD Packet Filter (BPF) setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)) • A compiled BPF pseudo-code can be attached to a socket through setsockopt() • When a packet is received by kernel, BPF will be invoked • An accepted packet is pushed up the protocol stack. See the diagram on the following slide. 15

  16. Packet Flow With/Without Filters 16

  17. Limitations of the Approach • The simple sniffer – Not portable across different operating systems – Not easy to set filters – Not explore any optimization to improve performance • PCAP library – Still uses raw sockets internally, but its API is standard across all platforms. OS-specifics are hidden by PCAP’s implementation. – Allows programmers to specify filtering rules using human readable Boolean expressions 17

  18. Packet Sniffing Using the PCap API Initialize a raw socket, set the network device into promiscuous mode. Filter fills compiled BPF program in fp. Has the Invoke this function for every captured packet form struct bpf_program *fp filled with the packet received; contains the raw ICMP packet 18

  19. Processing Captured Packet: Ethernet Header 19

  20. Processing Captured Packet: Ethernet Header The packet argument contains a copy of the packet, including the Ethernet header. We typecast it to the Ethernet header structure. Now we can access the field of the structure 20

  21. Processing Captured Packet: IP Header *packet *(packet + sizeof(struct ethheader)) 21

  22. Processing Captured Packet: IP Header Find where the IP header starts and typecast it to the IP Header structure. Now we can easily access the fields in the IP header. 22

  23. Further Processing Captured Packet • If we want to further process the packet, such as printing out the header of the TCP, UDP and ICMP, we can use the similar technique. – We move the pointer to the beginning of the next header and type-cast – We need to use the header length field in the IP header to calculate the actual size of the IP header • In the following example, if we know the next header is ICMP, we can get a pointer to the ICMP part by doing the following: 23

  24. Packet Spoofing • When some critical information in the packet is forged, we refer to it as packet spoofing. • Many network attacks rely on packet spoofing. • Let us see how to send packets without spoofing. 24

  25. Sending Normal Packets Using Sockets Testing netcat ( nc ) command to run • a UDP server on 10.0.2.5 . run the program on the left • from another machine message delivered to the • server machine 25

  26. Manipulating Transmitted Packets • Generally, transmitting packets has only control of few fields in the header. – e.g., destination IP address can be set, source IP address is not set – OS will automatically fill these fields before transmitting the packet to the hardware • Spoofing – Permits manipulation of critical fields in the packet headers – Creates unrealistic / bogus packets • E.g., Transmit a TCP packet with SYN and FIN bits turned on • The response from the receiver is unpredictable (depends on the OS ) – Is used in many network attacks • E.g., TCP SYN Flooding, TCP session hijacking, DNS cache poisoning attack • Supplied information depends on the type of attack being carried out 26

  27. Spoofing Packets Using Raw Sockets Two major steps in packet spoofing • Constructing the packet • Sending the packet out 27

  28. Spoofing Packets: Step 1. Constructing the Packet Fill in the ICMP Header Find the starting point of the ICMP header, and typecast it to the ICMP structure Fill in the ICMP header fields 28

  29. Spoofing Packets: Step 1. Constructing the Packet Fill in the IP Header Typecast the buffer to the IP structure Fill in the IP header fields Finally, send out the packet 29

  30. Spoofing Packets: Step 2. Sending Packets Using Raw Sockets We use setsockopt() to enable IP_HDRINCL on the socket. For raw socket programming, since the destination information is already included in the provided IP header, we do not need to fill all the fields Since the socket type is raw socket, the system will send out the IP packet as is. 30

  31. Spoofing UDP Packets Constructing UDP packets is similar, except that we need to include the payload data now. 31

  32. Spoofing UDP Packets (continued) Testing: Use the nc command to run a UDP server on 10.0.2.5 . We then spoof a UDP packet from another machine. We can see that the spoofed UDP packet was received by the server machine. 32

  33. Sniffing and Then Spoofing • In many situations, we need to capture packets first, and then spoof a response based on the captured packets. • Procedure (using UDP as example) – Use PCAP API to capture the packets of interests – Make a copy from the captured packet – Replace the UDP data field with a new message and swap the source and destination fields – Send out the spoofed reply 33

  34. UDP Packet 34

  35. UDP Packet (Continued) 35

  36. Packing Sniffing Using Scapy 36

  37. Spoofing ICMP & UDP Using Scapy 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Some of the slides borrowed from the

Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Some of the slides borrowed from the

Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Shared Networks Every network packet reaches every computer's network Interface

960 views • 59 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber Security Practice 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

593 views • 14 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac@ce 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

172 views • 14 slides
TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview Last time Today TCP/IP Attacks IP Sniffing Ethernet Spoofing ARP Hijacking (ARP) Tools/libraries Libnet,

729 views • 37 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network

The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network

The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network infrastructure allow forgery of some IP Security packet header fields Peter Reiher In particular, the source address field can often be

400 views • 3 slides
disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
Introduction to Vulnerability Assessment Labs Ge Zhang ge.zhang@kau.se Dvg-C03 Karlstad

Introduction to Vulnerability Assessment Labs Ge Zhang ge.zhang@kau.se Dvg-C03 Karlstad

Introduction to Vulnerability Assessment Labs Ge Zhang ge.zhang@kau.se Dvg-C03 Karlstad University Schedule 3 Attacking methods Password cracking ARP spoofing & sniffing Port Scanning 1 Defense methods

315 views • 31 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann, Raphael Hiesgen, Thomas C. Schmidt, Matthias Whlisch t.schmidt@haw-hamburg.de Spoofing Detection in Interdomain Traffic Starting Point: Our

326 views • 8 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann October 9, 2019 iNET RG, Hamburg University of Applied Sciences Overview IP Spoofing Mitigation in General Detection in Inter-Domain Traffic

778 views • 42 slides
University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School

University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School

University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School of Engineering A life in smell H 2 Flow Sensor Filter Detector Motivation Point of care Rapid Patient acceptable

474 views • 14 slides
Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees:

464 views • 21 slides
Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric

Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric

Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric Rozner, John Carter IBM Research, Austin, TX * now at Brocade 1 SDN: The Future! Rose-colored glasses: Fine-grained, dynamic control

719 views • 19 slides
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

822 views • 36 slides
IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start security research since 15 th Community Experience CHROOT/HITCON (security group) - member III,CSIST (government organizations) - training course

1.36k views • 110 slides
NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010 Who's that guy ? Eric Leblond CTO EdenWall Technologies NuFW project leader Netfilter developper Ulogd2 maintener Regit

1.06k views • 24 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES -

Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES -

1 Akademska in raziskovalna mrea Slovenije Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES - Academic and research network of Slovenia aaa-podpora@arnes.si Eurocamp, Ljubljana, April 2006 2 Start

1.25k views • 18 slides
MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack - Haifa-Sec MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013 MiTM Attack - Haifa-Sec MiTM Attack - Haifa-Sec DISCLAIMER DISCLAIMER 1 The following discussion is for informational

552 views • 33 slides
Security in Mobile and Wireless Networks APRICOT Tutorial Perth Australia 27 February, 2006

Security in Mobile and Wireless Networks APRICOT Tutorial Perth Australia 27 February, 2006

Security in Mobile and Wireless Networks APRICOT Tutorial Perth Australia 27 February, 2006 Ray Hunt, Associate Professor Dept. of Computer Science and Software Engineering University of Canterbury, New Zealand 1 Security Issues in Wireless

1.52k views • 131 slides

More recommend