Packet Sniffing In a Switched Environment

Abstract

This paper focuses on the threat of packet sniffing in a switched environment, and
briefly explores the effect in a non-switched environment. Detail is given on a
number of techniques, such as “ARP (Address Resolution Protocol) spoofing”, which
can allow an attacker to eavesdrop on network traffic in a switched environment.
Third party tools exist that permit sniffing on a switched network. The result of
running some of these tools on an isolated, switched network is presented, and
clearly demonstrates that the threat they pose is real and significant.
The final section covers ways to mitigate the threat of network sniffing in both non-switched
and switched environments. The thesis of this paper is that encryption is
the only true defence to the threat of sniffing.

Introduction

For most organizations, packet sniffing is largely an internal threat. A third party on
the Internet, for instance, could not easily use packet sniffing software to eavesdrop
on traffic on a corporate LAN. But since the greatest threat to corporate systems
frequently is internal [1], we should not take comfort from this.
There are many reasons that businesses are updating their network infrastructure,
replacing aging hubs with new switches. A frequently stated driver for moving to a
switched environment is that “it increases security”. However, the thinking behind
this is somewhat flawed. Packet sniffing in a switched environment is possible --
anyone equipped with a laptop (and armed with a selection of freely available
software) may be able to monitor communication between machines on a switched
network.
Packet sniffing tools have been available from the early days of networked
computing environments. The tools are powerful software, which facilitate troubleshooting
for network administrators. However, in the hands of a malicious third
party, they are a devastating hacking tool, which can be used to glean passwords
and other sensitive information from a LAN.

Packet Sniffing in a non-switched environment

In a non-switched environment, the latest generation of packet sniffing tools is
highly effective at reaping passwords and other sensitive information from the
network.
A large number of commonly used protocols either transmit data in plaintext (which
can easily be sniffed), or they do not use strong enough encryption to prevent a
sniffing and cracking attack. Examples of plaintext protocols include smtp, pop3,
snmp, ftp, telnet and http. Perhaps the best known encrypted protocol that is
vulnerable to sniffing and cracking attacks is Microsoft’s LM (LAN Manager) protocol,
used for authenticating Windows clients.
Microsoft has tried to address the glaring weaknesses in LM, with the introduction of
NTLM (V1 and V2). NTLM is an improvement, but is still susceptible to a sniffing and
cracking attack. Hidenobu Seki, the author of the ScoopLM and BeatLM tools (qv), gave a
fascinating presentation [4] covering the details of LM, NTLM v1 and v2, and how they can
be cracked, at BlackHat's "Windows Security 2002 Briefings and Training".

Packet Sniffing in a switched environment

Switches
On the surface, it would seem that replacing hubs with switches will mitigate the
packet sniffing threat to a large extent. A switch forwards each frame only to the
port of the machine it is destined for, which implies that if machine A is
communicating with machine B, machine C will not be able to eavesdrop on their
conversation. In Figure 3, let us assume that machine A initiates a telnet
connection to machine B.

How to sniff in a switched environment

It's all about the "man-in-the-middle" [13]. Sniffing traffic in a switched environment
is achieved by setting up a "man-in-the-middle" attack. The attacker uses a variety
of techniques to force network traffic to/from the victim to pass through the attacker's
machine. When this occurs, the attacker can inspect (or even modify) the victim's
network traffic.
There are a large number of techniques that permit sniffing in a switched
environment. Common techniques include ARP spoofing, MAC flooding, MAC
duplicating, ICMP redirection, DHCP spoofing and port stealing.
The tools covered in this paper all use the ARP spoofing technique, so this is covered
in detail. An excellent description of ARP spoofing, MAC flooding and other
techniques can be found in Sean Whalen's paper on the Packet Storm website [14].
Another useful resource describing popular approaches to switched network sniffing
is the main page for the sniffing tool ettercap [15].
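ARP spoofing works by sending forged ARP replies so that a victim's ARP cache binds the gateway's IP to the attacker's MAC. The two symptoms a defender can watch for on the wire are an IP address whose MAC binding suddenly changes, and a reply whose Ethernet source MAC does not match the ARP sender hardware address. The following detector is an added example, not code from the paper or its tools; the frames it checks are constructed in memory for the test and are not captured traffic.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(s):
    """'192.168.1.1' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed Ethernet II + ARP frame for testing (not captured traffic)."""
    eth = ETH.pack(mac(tha), mac(eth_src or sha), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": fmt_mac(src), "sha": fmt_mac(sha),
            "spa": ".".join(map(str, spa)), "tpa": ".".join(map(str, tpa))}


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and flags symptoms of spoofing."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # trusted bindings, e.g. the gateway's real MAC

    def observe(self, frame):
        """Return a list of alert strings for one frame (empty if benign)."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return []
        alerts = []
        if arp["eth_src"] != arp["sha"]:   # crafted replies often fail to keep these equal
            alerts.append(f"ethernet/ARP sender mismatch for {arp['spa']}: {arp['eth_src']} vs {arp['sha']}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]   # learn first-seen binding
        elif known != arp["sha"]:          # the classic ARP-poisoning signature
            alerts.append(f"binding change for {arp['spa']}: {known} -> {arp['sha']}")
        return alerts
```

In production the frames would come from a raw socket or pcap feed; seeding `static` with the gateway's real MAC makes the first poisoned reply for that IP alert immediately instead of being learned as legitimate.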

Wireless networks

Since the first draft of this paper, wireless networks have gone mainstream, and are
now found in many businesses and home setups.
Many wireless networks -- especially public hotspots -- have no security at all. On
such networks, packet sniffing via man-in-the-middle techniques can be very
powerful. Any sensitive information (such as usernames and passwords) that is not
carried over secure protocols can be discovered trivially. Further, attacks against secure
protocols such as SSL undermine the commonly held dogma that browsing to https
sites (even on untrusted networks) is safe.