tcp ip sniffing arp attacks ip fragmentation
play

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security - PowerPoint PPT Presentation

Apr 09, 2024 •343 likes •729 views

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview Last time Today TCP/IP Attacks IP Sniffing Ethernet Spoofing ARP Hijacking (ARP) Tools/libraries Libnet,

  1. TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3

  2. Recap and overview Last time Today • TCP/IP • Attacks • IP • Sniffing • Ethernet • Spoofing • ARP • Hijacking (ARP) • Tools/libraries • Libnet, libpcap • TCP/IP • Fragmentation Eike Ritter Network Security - Lecture 3 2

  3. Exercise • Alice (192.168.1.1) wants to send an IP datagram to Bob (192.168.1.2) • What happens? (fill in the blanks) Alice Bob Eike Ritter Network Security - Lecture 2 3

  4. LAN attacks Attack Security violation Attacker goal Sniffing Confidentiality Access to information Spoofing Authenticity Impersonation of trusted host Hijacking Confidentiality, Impersonation, access to information Integrity, Authenticity Denial of Service Availability Disruption Eike Ritter Network Security - Lecture 2 4

  5. Network sniffing • The attacker sets his/her network interface in promiscuous mode so that all packets can be received (not only those directed to the attacker’s host) • Can access all the traffic on the segment • Note: sniffing on University network is a “disciplinary offence” Eike Ritter Network Security - Lecture 2 5

  6. Network sniffing • Many protocols (e.g., POP, TELNET, HTTP, IMAP) transfer sensitive information (e.g., authentication credentials) in the clear • By sniffing the traffic, it is possible to collect credentials, files, content of visited web pages, emails, etc. • Many tools available Eike Ritter Network Security - Lecture 2 6

  7. tcpdump • Tool to sniff and analyze the traffic on a network segment • One of the “standard” network tools • Based on libpcap, which provides a platform- independent library and API to perform traffic sniffing • Allows one to specify an expression that defines which packets have to be printed • Requires root privileges to set the interface in promiscuous mode (regular users can read traffic data saved in a file) Eike Ritter Network Security - Lecture 2 7

  8. tcpdump: command line options • -i: use the given network interface • -r: read packets from a file • -w: write packets to a file • -s: specify the amount of data to be sniffed for each packet (0 means catch whole packets) • -n: do not convert addresses to names • -x: print the data of each packet in hex Eike Ritter Network Security - Lecture 2 8

  9. tcpdump: filters • If a filter expression is provided, tpcdump only processes packets matching the expression • Expression consists of one or more primitives • Primitives are composed of a qualifier and a value • Operators can be used to create complex filter expressions Eike Ritter Network Security - Lecture 2 9

  10. tcpdump filters – cont’d Qualifiers Operators • Type • Logical: and, or, not • host (host 192.168.0.1) • src host 192.168.0.01 and dst host google.com • net (net 192.168) • port (port 80) • Relational: <, >, >=, <=, =, != • Dir: direction of traffic • Binary: +, -, *, /, &, | • src (src host 192.168.0.1) • Data: proto[expr:size] • dst • expr: offset • Proto: protocol of interest • size: # bytes of interest • Ether (ether src host • ip[0] & 0xf > 5: filters IP 00:0c:29:ab:2c:18) datagrams with options • ip • arp[7] = 2: ARP replies • arp Eike Ritter Network Security - Lecture 2 10

  11. Wireshark Eike Ritter Network Security - Lecture 2 11

  12. Detecting sniffers • Sniffers work by putting the network interface in promiscuous mode • Ifconfig (BSD Unix/Apple Output) • $ ifconfig en1 en1:flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 ether d8:a2:5e:ab:cd:ef inet 10.4.59.191 netmask 0xffff0000 broadcast 10.4.255.255 media: autoselect status: active • On recent Linux versions, this will not (always) work due to changes in how the state of the interface is maintained in the kernel that have not been ported back to tools • Instead, read interface flags from /sys filesystem • If flags & 0x100 then interface is in promiscuous mode (/include/linux/if.h) # cat /sys/class/net/eth0/flags 0x1003 # tcpdump –i eth0 & # cat /sys/class/net/eth0/flags 0x1103 Eike Ritter Network Security - Lecture 2 12

  13. Detecting sniffers – cont’d • Remote detection is difficult since sniffers are typically passive programs • Suspicious DNS lookups • Sniffer attempts to resolve names associated with IP address (e.g., tcpdump without –n option) • Generate traffic to/from IP addresses and detect attempts to resolve their names • $ ping 173.194.37.104 16:27:38.657863 IP 172.16.48.130 > 173.194.37.104: ICMP echo request, id 21009, seq 1, length 64 16:27:38.659014 IP 172.16.48.139.57105 > 172.16.48.2.53: 20764+ PTR? 104.37.194.173.in-addr.arpa. (45) • Latency • Since NIC is in promiscuous mode, it will need to process every packet Analyze response time of host A (e.g., sending ping packets) • • Generate lots of traffic to other hosts and analyze response time of host A Eike Ritter Network Security - Lecture 2 13

  14. IP spoofing • A host impersonates another host by sending a datagram that has the address of some other host as the source address • The attacker sniffs the network looking for replies from the attacked host • Replies would be directed to the spoofed host Response to spoofed datagram From: 192.168.0.1 192.168.0.3 192.168.0.2 192.168.0.1 Eike Ritter Network Security - Lecture 3 14

  15. IP spoofing goals • Impersonate sources of security-critical information (e.g., a DNS server or an NFS server) • Exploit address-based authentication • Many tools available Eike Ritter Network Security - Lecture 3 15

  16. Hijacking • Sniffing/Spoofing are the bases for hijacking • The attacker waits for an client request • Then, races against the legitimate host to produce a reply that will be accepted by the client • ARP, UDP, and TCP-based variations of this attack Eike Ritter Network Security - Lecture 3 16

  17. Hijacking ARP • ARP does not provide any means of authentication • Racing against the queried host it is possible to provide a fake IP address/link-level address mapping • Fake ARP queries can be used to store wrong ARP mappings in a host cache, in certain configurations - In Linux, /proc/sys/net/ipv4/conf/*/arp_accept should be set to 1 • In both cases, the net effect is the redirection of traffic to the attacker • Denial of service (DoS) • Man-in-the-middle attack (MITM) Eike Ritter Network Security - Lecture 3 17

  18. Hijacking ARP Spoofed ARP reply ARP request Legitimate ARP response Host3: 192.168.0.3 host2: 192.168.0.2 host1: 192.168.0.1 00:30:48:dd:ec:2b 00:30:48:dd:ec:12 00:30:48:de:0b:3a Eike Ritter Network Security - Lecture 3 18

  19. Switched Ethernet • Switched Ethernet does not allow direct sniffing • ARP spoofing can be used to bypass this protection • MAC flooding • Switches maintain a table with MAC address/port mappings • In some cases, flooding the switch with bogus MAC addresses will overflow table memory and revert the behavior from “switch” to “hub” • MAC spoofing • Reconfigure the host to have the same MAC address as the machine whose traffic you're trying to sniff • The switch will record this in its table and send the traffic to you Eike Ritter Network Security - Lecture 3 19

  20. Capturing and forging packets Libpcap libnet • Library to forge packets • Library to sniff network Useful to send raw or • traffic malformed packets • Allows to easily filter and • https://github.com/sam- github/libnet process packets • Good tutorial: • http://www.tcpdump.org/ http://repura.livejournal.com/ 31673.html • Good tutorial: • Documentation: http://www.tcpdump.org/p http://libnet.sourcearchive.co • cap.html m/documentation/1.1.2.1-4/ Eike Ritter Network Security - Lecture 3 20

  21. libpcap • pcap_lookupdev • Finds a device to sniff from • pcap_open_live • Opens a device (returns a handle) • pcap_compile and pcap_setfilter • Compile a tcpdump-like traffic filter and applies it • pcap_loop • Registers a callback to be invoked for every received packet Eike Ritter Network Security - Lecture 3 21

  22. libpcap • void pcap_handler(u_char *user, const struct pcap_pkthdr *hdr, const u_char *pkt) • The pcap packet header ( hdr ) contains basic information about the packet • When it was captured ( ts ) • The length of the portion that was captured ( caplen ) • The length of the packet ( len ) • The actual packet ( pkt ) is returned as a pointer to memory • Packets can be parsed by “casting” it to appropriate protocol-specific structures • Remember that endianness is important! • ntohs, ntohl • htons, htonl Eike Ritter Network Security - Lecture 3 22

  23. libnet • libnet_init • Initializes the library • libnet_autobuild_ethernet • Builds ethernet header • libnet_autobuild_arp • libnet_autobuild_ipv4 • libnet_build_tcp • … • libnet_write • Writes packet to wire • Libnet_clear_packet • Clears current packet Eike Ritter Network Security - Lecture 3 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department, Bar Ilan University Overview IP fragmentation recap `Easy case fragment miss -association attacks Fragmentation attacks in tunnels

238 views • 23 slides
Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Topic # 3 Fragmentation of Social Safety Nets: Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN program fragmentation (Inas) Case studies of Pakistan (Shereen), Kenya (Stefanie), and

488 views • 18 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang xwy@cs.duke.edu Overview Homework 2-dimension parity IP fragmentation ARP ICMP Fragmentation and Reassembly (not required for

847 views • 42 slides
1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

Where in the stack is security? Attacks can be targeted at any layer of the 16: protocol stack Application layer: Password and data sniffing, Forged Exploits and Defenses Up and transactions, Security holes, Buffer Overflows?

1.15k views • 9 slides
University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School

University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School

University of Warwick Sniffing out Tuberculosis Dr J.A. Covington Biomedical Sensors Lab School of Engineering A life in smell H 2 Flow Sensor Filter Detector Motivation Point of care Rapid Patient acceptable

474 views • 14 slides
Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New!

Cyber@UC Meeting 49 Systems Exploitation: Sniffing, Man in the Middle, etc If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees:

464 views • 21 slides
Measurement of jet fragmentation at ATLAS Andy Buckley, University of Glasgow for the ATLAS

Measurement of jet fragmentation at ATLAS Andy Buckley, University of Glasgow for the ATLAS

Measurement of jet fragmentation at ATLAS Andy Buckley, University of Glasgow for the ATLAS Collaboration QCD@LHC, Buffalo, 16 July 2019 Jet fragmentation colour singlet In leading-order QCD, well-separated jets and partons are exactly

308 views • 18 slides
Smartcard protocol sniffing Introduction to the theoretical and practical issues involved in

Smartcard protocol sniffing Introduction to the theoretical and practical issues involved in

Introduction Logging the communication Re-engineering the protocol Creating a simulacrum Smartcard protocol sniffing Introduction to the theoretical and practical issues involved in cloning/simulating existing smartcards Bernd Fix,

768 views • 60 slides
QCD Phenomenology at High Energy Bryan Webber CERN Academic Training Lectures 2008 Lecture 4:

QCD Phenomenology at High Energy Bryan Webber CERN Academic Training Lectures 2008 Lecture 4:

QCD Phenomenology at High Energy Bryan Webber CERN Academic Training Lectures 2008 Lecture 4: Jet Fragmentation and Hadron-Hadron Processes Jet Fragmentation Fragmentation functions Small-x fragmentation Average multiplicity

670 views • 34 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
Fragmentation Data Message Alexandru Mancas CCSDS Spring Meetings 2019, NASA Ames, USA ESA

Fragmentation Data Message Alexandru Mancas CCSDS Spring Meetings 2019, NASA Ames, USA ESA

Fragmentation Data Message Alexandru Mancas CCSDS Spring Meetings 2019, NASA Ames, USA ESA UNCLASSIFIED - For Official Use Agenda 1. Need for a Fragmentation Data Message 2. Example of fragmentation data gathering March 2019 ASAT test 3.

1.1k views • 30 slides
CS 356: Computer Network Architectures Lecture 11: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 11: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 11: IP Fragmentation, ARP, and ICMP Xiaowei Yang xwy@cs.duke.edu Overview Wrapping up from last leture IP fragmentation ARP ICMP The longest prefix matching algorithm 1. Search

788 views • 52 slides
Jet Fragmentation and Fractal Observables Ben Elder Massachusetts Institute of Technology July

Jet Fragmentation and Fractal Observables Ben Elder Massachusetts Institute of Technology July

Jet Fragmentation and Fractal Observables Ben Elder Massachusetts Institute of Technology July 17, 2017 Based on work with: Massimiliano Procura, Jesse Thaler, Wouter Waalewijn, and Kevin Zhou Ben Elder (MIT) Jet Fragmentation and Fractal

474 views • 20 slides
Modifiable Nutritional and Lifestyle Factors in Sperm DNA Fragmentation Ciara Wright PhD DipNT

Modifiable Nutritional and Lifestyle Factors in Sperm DNA Fragmentation Ciara Wright PhD DipNT

Modifiable Nutritional and Lifestyle Factors in Sperm DNA Fragmentation Ciara Wright PhD DipNT mNTOI Director, Glenville Nutrition www.glenvillenutrition.ie Why test DNA fragmentation? Men with abnormal 15% of men semen analyses with a

428 views • 20 slides
Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M

Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M

This Space Intentionally Left Blank to Hold Space Just in Case Routing Security Appears Or Routing is as Insecure as the Rest of the Flippin Internet, but its Scarier Steven M Bellovin &lt;smb@cs.columbia.edu&gt; Randy Bush

478 views • 14 slides
Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented

Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented

Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented By: Yashar Ganjali Sanaa Taha Bernard Wong University of Waterloo David Lie Outline Introduction IP-to-Location Mapping Geolocation

559 views • 25 slides
The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang

The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang

The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang jgkang@ certcc.or.kr jgkang@ certcc.or.kr KrCERT/CC KrCERT/CC KrCERT/CC, KISA Contents Contents I. Methodology to predict incidents II.

635 views • 14 slides
Basic Tools &amp; Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Basic Tools &amp; Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Practical Network Security: Basic Tools &amp; Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter Hack Reloaded, Ed Skoudis, 2005, Prentice-Hall. Threats to Communication Networks Security was an add-on to many network

456 views • 10 slides
Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago,

Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago,

Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604 FIRST TC 2002 John Kristoff - DePaul University 1 Agenda Overview Theoretical and example attacks How to

450 views • 17 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security &amp; Logging Linux Security Real-World Linux Security RHEL

739 views • 41 slides
Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman) horms@verge.net.au December 2001 For Presentation in Tokyo, Japan http://verge.net.au/linux/has/ http://ultramonkey.org/ Introduction This

533 views • 25 slides
ARP TOOLKIT WEBINAR January 22, 2020 Adventist Retirement Welcome! Were excited to be able to

ARP TOOLKIT WEBINAR January 22, 2020 Adventist Retirement Welcome! Were excited to be able to

Adventist Retirement ARP TOOLKIT WEBINAR January 22, 2020 Adventist Retirement Welcome! Were excited to be able to present this new tool to you! This is a tool it does not negate YOU submitting status code and date information

398 views • 16 slides

More recommend