Computers communicate using networks. These networks could be on a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data that is being transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords.
In this article, I will introduce you to common network sniffing techniques and tools used to sniff networks. I will also look at countermeasures that you can put in place to protect sensitive information being transmitted over a network.
What are IP and MAC Addresses?
IP Address is the acronym for Internet Protocol address. An internet protocol address is used to uniquely identify a computer or a device, such as a printer or a storage disk, on a computer network. There are currently two versions of IP addresses. IPv4 uses 32-bit numbers. Due to the massive growth of the internet, IPv6 has been developed, and it uses 128-bit numbers.
IPv4 addresses are formatted as four groups of numbers separated by dots. The minimum number is 0 and the maximum number is 255. An example of an IPv4 address looks like this:
IPv6 addresses are formatted in groups of six numbers separated by colons. Each group is written as 4 hexadecimal digits. An example of an IPv6 address looks like this:
In order to simplify the representation of IP addresses in text format, leading zeros are omitted and consecutive groups of zeros can be omitted entirely. The above address in simplified format is displayed as:
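The address formats described above can be checked with Python's standard `ipaddress` module, which also applies the IPv6 shortening rules (leading zeros dropped, one run of all-zero groups collapsed). The following is an added example, not code from the original article; the IPv6 sample address is a constructed documentation-range value, and the MAC check is a simple format test only:

```python
# Added example (not from the original article): show the IPv4/IPv6 text
# formats and the IPv6 shortening rules using Python's ipaddress module.
# The IPv6 sample below is constructed for illustration.
import ipaddress
import re

# A MAC address is six hex bytes; Windows prints them with '-', most other
# tools with ':'. Both separators are accepted, but they must be consistent.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def describe_ip(text):
    """Parse an IP address string and return its version plus the fully
    written-out and the shortened textual forms."""
    addr = ipaddress.ip_address(text)          # raises ValueError if invalid
    return {
        "version": addr.version,
        "exploded": addr.exploded,              # every group written in full
        "compressed": addr.compressed,          # leading zeros and one '::' run removed
        "bits": addr.max_prefixlen,             # 32 for IPv4, 128 for IPv6
    }


def is_mac(text):
    """True if text looks like a MAC address (xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx)."""
    return MAC_RE.match(text) is not None


if __name__ == "__main__":
    for sample in ("192.168.1.38", "2001:0db8:0000:0000:0000:ff00:0042:8329"):
        print(sample, "->", describe_ip(sample))
    print("60-36-DD-A6-C5-43 is a MAC address:", is_mac("60-36-DD-A6-C5-43"))
```

Running it prints the long and the shortened form of each address; the shortened IPv6 form is what most tools display, so a tool that compares addresses as strings must normalize both sides first.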
MAC Address is the acronym for media access control address. MAC addresses are used to uniquely identify network interfaces for communication at the physical layer of the network. MAC addresses are usually embedded into the network card.
A MAC address is like a serial number of a phone while the IP address is like the phone number.
We will assume you are using Windows for this exercise. Open the command prompt.
Enter the command
You will get detailed information about all the network connections available on your computer. The results shown below are for a broadband modem, to show the MAC address and the IPv4 format, and for a wireless network, to show the IPv6 format.
What is network sniffing?
Computers on a network locate each other by broadcasting messages that carry IP addresses. Once such a message has been sent on the network, the recipient computer with the matching IP address responds with its MAC address.
Network sniffing is the process of intercepting data packets sent over a network. This can be done with specialized software or hardware equipment. Sniffing can be used to:
- Capture sensitive data such as login credentials
- Eavesdrop on chat messages
- Capture files being transmitted over a network
The following are protocols that are vulnerable to sniffing
The above protocols are vulnerable if login details are sent in plain text.
Passive and Active Sniffing
Before we look at passive and active sniffing, let’s look at two major devices used to network computers; hubs and switches.
A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches. This means when using a hub, all the computers on a network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI Model.
The diagram below illustrates how the hub works.
A switch works differently: it maps IP/MAC addresses to its physical ports. Messages are sent only to the physical port that matches the IP/MAC address of the recipient computer, so they are seen only by that computer. Switches operate at the data link layer (layer 2) and the network layer (layer 3).
The diagram below illustrates how the switch works.
Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform, as the hub sends broadcast messages to all the computers on the network.
Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switched networks: ARP poisoning and MAC flooding.
What is ARP Poisoning?
ARP is the acronym for Address Resolution Protocol. It is used to convert IP addresses to physical addresses [MAC addresses] on a switch. The host sends an ARP broadcast on the network and the recipient computer responds with its physical address [MAC address]. The resolved IP/MAC address pair is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it associates the fake MAC addresses with the IP address of a genuine computer on the network, hijacking that computer's traffic.
ARP Poisoning Countermeasures
- Static ARP entries: these can be defined in the local ARP cache, and the switch configured to ignore all automatic ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks: the IP/MAC address mappings have to be distributed to all the computers on the network.
- ARP poisoning detection software: these systems cross-check IP/MAC address resolutions and certify them if they are authentic. Uncertified IP/MAC address resolutions can then be blocked.
- Operating system security: this measure depends on the operating system being used. The following are the basic techniques used by various operating systems.
  - Linux based: these work by ignoring unsolicited ARP reply packets.
  - Microsoft Windows: the ARP cache behavior can be configured via the registry. The following list includes some of the software that can be used to protect networks against sniffing:
    - AntiARP: provides protection against both passive and active sniffing
    - Agnitum Outpost Firewall: provides protection against passive sniffing
    - XArp: provides protection against both passive and active sniffing
  - Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive sniffing.
Hacking Activity: Configure ARP entries in Windows
We are using Windows 7 for this exercise, but the commands should work on other versions of Windows as well.
Open the command prompt and enter the following command
- arp calls the ARP configuration program located in the Windows/System32 directory
- -a is the parameter to display the contents of the ARP cache
You will get results similar to the following
Note: dynamic entries are added and deleted automatically when using TCP/IP sessions with remote computers.
Static entries are added manually and are deleted when the computer is restarted, the network interface card restarted or other activities that affect it.
Adding static entries
Open the command prompt then use the ipconfig /all command to get the IP and MAC address
The MAC address is shown as the Physical Address and the IP address as the IPv4 Address.
Enter the following command
arp -s 192.168.1.38 60-36-DD-A6-C5-43
Note: The IP and MAC address will be different from the ones used here. This is because they are unique.
Use the following command to view the ARP cache
You will get the following results
Note the IP address has been resolved to the MAC address we provided and it is of a static type.
Deleting an ARP cache entry
Use the following command to remove an entry
arp -d 192.168.1.38
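The ARP cache listing from the exercise above is also the raw material for the ARP poisoning detection measure described earlier: a defender can compare what `arp -a` reports against a known-good table and look for one MAC address answering for several IP addresses. The following is an added example, not code from the original article, that parses Windows `arp -a` output and applies both checks. The sample output and the expected mappings are constructed; every MAC address in them is made up, and the ".255" broadcast test assumes a /24 network:

```python
# Added example (not from the original article): parse the text that
# "arp -a" prints on Windows and check the cache for two poisoning symptoms:
# an entry whose MAC differs from a known-good mapping, and one MAC that
# answers for several unicast IP addresses. Sample output and MACs are
# constructed for illustration.
import re

SAMPLE_ARP_A = """\
Interface: 192.168.1.38 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.38          60-36-dd-a6-c5-43     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Known-good mappings recorded when the network was set up (constructed):
# the gateway's real MAC and the static entry added in the exercise.
EXPECTED = {
    "192.168.1.1": "aa-bb-cc-dd-ee-ff",
    "192.168.1.38": "60-36-dd-a6-c5-43",
}

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp_a(text):
    """Return a list of (ip, mac, type) tuples from Windows 'arp -a' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def is_group_address(ip, mac):
    """Skip broadcast and multicast entries: many IPs legitimately share those MACs.
    The '.255' test assumes a /24 network (simplification)."""
    first_octet = int(ip.split(".")[0])
    return (mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")
            or 224 <= first_octet <= 239 or ip.endswith(".255"))


def check_arp_cache(text, expected):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    seen = {}  # mac -> list of unicast IPs that resolve to it
    for ip, mac, kind in parse_arp_a(text):
        if ip in expected and expected[ip] != mac:
            findings.append(f"{ip}: cache has {mac} ({kind}) but expected {expected[ip]}")
        if not is_group_address(ip, mac):
            seen.setdefault(mac, []).append(ip)
    for mac, ips in seen.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for several IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in check_arp_cache(SAMPLE_ARP_A, EXPECTED):
        print("SUSPICIOUS:", finding)
```

On the constructed sample the script reports two findings: the gateway's cached MAC no longer matches the recorded one, and the same MAC also resolves for a second host. On a real machine you would feed it the output of `arp -a` and a table of mappings you recorded when the network was known to be clean.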
What is MAC Flooding?
MAC flooding is a network sniffing technique that floods the switch's MAC table with fake MAC addresses. This overloads the switch memory and makes it act as a hub. Once the switch has been compromised, it sends messages to all computers on the network. This makes it possible to sniff data packets as they are sent on the network.
Countermeasures against MAC flooding
- Some switches have a port security feature. This feature can be used to limit the number of MAC addresses on each port. It can also be used to maintain a secure MAC address table in addition to the one provided by the switch.
- Authentication, Authorization and Accounting servers can be used to filter discovered MAC addresses.
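To make the mechanism and the port security countermeasure concrete, the following is an added example, not code from the original article: a toy model of a switch's MAC address table. It shows that once the table is full the switch can no longer learn where a host sits and has to flood that host's traffic out of every port, hub style, and that a per-port limit on learned MAC addresses stops the table from filling. The table size, port names and MAC addresses are all constructed:

```python
# Added example (not from the original article): a toy layer-2 switch whose
# MAC table has a fixed size, with an optional port-security limit on the
# number of MAC addresses learned per port. All values are constructed.

class Switch:
    """Learns source MACs per port, forwards known destinations to one port
    and floods unknown destinations to all other ports."""

    def __init__(self, table_size, max_macs_per_port=None):
        self.table_size = table_size                # capacity of the MAC table
        self.max_macs_per_port = max_macs_per_port  # port security limit (None = off)
        self.table = {}                             # mac -> port
        self.dropped = []                           # (port, mac) refused by port security

    def _learn(self, src_mac, port):
        """Return True if the frame may be forwarded, False if port security drops it."""
        if src_mac in self.table:
            return True
        if self.max_macs_per_port is not None:
            learned_here = sum(1 for p in self.table.values() if p == port)
            if learned_here >= self.max_macs_per_port:
                self.dropped.append((port, src_mac))
                return False
        if len(self.table) < self.table_size:
            self.table[src_mac] = port
        # Table full: the entry is not learned, but the frame is still forwarded.
        return True

    def forward(self, src_mac, dst_mac, in_port, all_ports):
        """Return the list of ports the frame leaves on ([] if dropped)."""
        if not self._learn(src_mac, in_port):
            return []
        if dst_mac in self.table:
            return [self.table[dst_mac]]                 # known: unicast to one port
        return [p for p in all_ports if p != in_port]    # unknown: flood like a hub


PORTS = ["p1", "p2", "p3"]
VICTIM = "aa-aa-aa-aa-aa-01"   # host on p2 (constructed)
SERVER = "bb-bb-bb-bb-bb-01"   # host on p3 (constructed)


def reply_paths(switch, fake_source_count):
    """Feed fake_source_count frames with distinct made-up source MACs into p1,
    then let the host on p2 talk to the host on p3 and return the ports the
    reply is sent out of. ["p2"] means the switch still isolates the traffic;
    a longer list means it has fallen back to hub-like flooding."""
    for i in range(fake_source_count):
        switch.forward(f"de-ad-be-ef-{i // 256:02x}-{i % 256:02x}", SERVER, "p1", PORTS)
    switch.forward(VICTIM, SERVER, "p2", PORTS)
    return switch.forward(SERVER, VICTIM, "p3", PORTS)


if __name__ == "__main__":
    print("no flooding:     ", reply_paths(Switch(table_size=8), 0))
    print("table filled:    ", reply_paths(Switch(table_size=8), 8))
    print("port security on:", reply_paths(Switch(table_size=8, max_macs_per_port=1), 8))
```

With the table filled, the reply to the host on p2 also leaves on p1, which is exactly the hub behaviour the text describes; with a one-address limit per port, the extra source addresses on p1 are refused, the table stays usable, and the reply goes only to p2. Real switches age entries out over time, which the model omits; the effect is the same once aged-out hosts can no longer be re-learned.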
Sniffing Countermeasures
- Restricting physical access to the network media greatly reduces the chances of a network sniffer being installed.
- Encrypting messages as they are transmitted over the network greatly reduces their value to an attacker, as they are difficult to decrypt.
- Moving the network to protocols that encrypt traffic, such as Secure Shell (SSH), also reduces the chances of the network being sniffed.
Hacking Activity: Sniff network traffic
In this practical scenario, we are going to use Wireshark to sniff data packets as they are being transmitted over the HTTP protocol. For this example, we will sniff the network using Wireshark, then log in to a web application that does not use secure communication. We will log in to a web application on http://www.techpanda.org/
The login address is firstname.lastname@example.org and the password is Password2010.
Note: we will log in to the web app for demonstration purposes only. The technique can also sniff data packets from other computers that are on the same network as the one you are using to sniff. The sniffing is not limited to techpanda.org; it captures the data packets of HTTP and other protocols as well.
Sniffing the network using Wireshark
The illustration below shows the steps you will carry out to complete this exercise.
- Download Wireshark from this link http://www.wireshark.org/download.html
- Open Wireshark
- You will get the following screen
- Select the network interface you want to sniff. Note for this demonstration, we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
- Click on the start button as shown above
- Open your web browser and type in http://www.techpanda.org/
- The login email is email@example.com, the password is Password2010
- Click on the submit button
- A successful logon should give you the following dashboard
- Go back to Wireshark and stop the live capture
- Filter for HTTP protocol results only using the filter textbox
- Locate the Info column and look for entries with the HTTP verb POST and click on it
- Just below the log entries, there is a panel with a summary of captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded
- You should be able to view the plaintext values of all the POST variables submitted to the server via HTTP protocol.
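What the Wireshark "Line-based text data: application/x-www-form-urlencoded" panel shows by hand can also be checked automatically: a defender auditing a capture wants to know which applications still send credentials over plain HTTP. The following is an added example, not code from the original article, that parses captured HTTP requests, picks out form-encoded POSTs, and reports the names of credential-like fields without reporting their values. The captured requests, host, paths and field names are constructed:

```python
# Added example (not from the original article): scan captured HTTP requests
# for credentials sent in the clear. Reports field names only and deliberately
# never includes the submitted values. Sample requests are constructed.
from urllib.parse import parse_qs

# Form field names that usually carry a secret (extend to suit the application).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token", "pin"}

SAMPLE_REQUESTS = [
    # A login over plain HTTP: this is what the Wireshark exercise exposes.
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"email=user%40example.test&password=Password2010",
    # A plain GET: no body, nothing to report.
    b"GET /dashboard.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"\r\n",
    # A form POST with no credential-like field: not reported either.
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"q=network+sniffing",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("iso-8859-1")


def find_cleartext_credentials(raw_requests):
    """Return one finding per request that posts a credential-like form field in plain HTTP."""
    findings = []
    for raw in raw_requests:
        method, path, headers, body = parse_request(raw)
        if method != "POST":
            continue
        content_type = headers.get("content-type", "")
        if not content_type.startswith("application/x-www-form-urlencoded"):
            continue
        fields = parse_qs(body, keep_blank_values=True)
        exposed = sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)
        if exposed:
            findings.append({
                "host": headers.get("host", "?"),
                "path": path,
                "fields": exposed,   # names only; values are intentionally not reported
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUESTS):
        print("cleartext credential fields posted to", finding["host"] + finding["path"],
              ":", ", ".join(finding["fields"]))
```

The same requests sent over HTTPS would not be readable in a capture at all, which is the practical reason the countermeasures section recommends encryption: the sniffer still sees packets, but not the form data inside them.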
- Network sniffing is intercepting packets as they are transmitted over the network
- Passive sniffing is done on a network that uses a hub. It is difficult to detect.
- Active sniffing is done on a network that uses a switch. It is easy to detect.
- ARP poisoning works by sending fake MAC addresses to the switch
- MAC flooding works by flooding the MAC address table with fake MAC addresses. This makes the switch operate like a hub.
- Security measures as outlined above can help protect the network against sniffing.