Network Protocol Analyzers (Sniffers)
What are Network Protocol Analyzers (Packet Sniffers)?

Wireshark Examples:
• Ping (ICMP request & reply)
• ARP
• Nmap SYN scan
• FTP (clear text password)
• HTTP POST (clear text password)
• IP Spoofing with Nmap
• MAC Spoofing via Nmap
• MITM via ARP Spoofing using Nping

Capture Packets from Network Interface
• Network Interface Card (NIC) – promiscuous mode
• Remember: switched networks do not forward packets to every port (a switch delivers a unicast frame only to the port that owns the destination MAC, so a sniffer on another port will not see it)

Popular Packet Sniffers:
• Capsa Network Analyzer
• Cain and Abel
• Carnivore (FBI)
• dSniff
• ettercap
• Fiddler
• Lanmeter
• Microsoft Network Monitor
• NarusInsight
• ngrep (Network Grep)
• SkyGrabber
• snoop
• tcpdump
• Wireshark (formerly known as Ethereal)
http://en.wikipedia.org/wiki/Packet_analyzer

Wireshark capture options (screenshot): Local Capture; No Filter; Update list of packets in real time

Wireshark main window (screenshot)

Ping (screenshot): ICMP echo Request and Ping Reply

ARP
• Address Resolution Protocol (ARP) – resolves a network layer (IP) address to a link layer (MAC) address
• Hosts in the capture: PC_12:2e:db (00:12:34:56:7f:db) and PC_22:3e:db (00:98:76:54:2f:db)
• Request – sent by PC_12:2e:db (00:12:34:56:7f:db), asking for the address of PC_22:3e:db (00:98:76:54:2f:db)
• Response – PC_22:3e:db (00:98:76:54:2f:db) answers PC_12:2e:db (00:12:34:56:7f:db)

Nmap SYN scan (capture shows PC_22:3e:db, 00:98:76:54:2f:db)
• Item 9 – SMTP – no SYN-ACK
• Item 11 – Microsoft-DS (port 445) – SYN
• Item 16 – Microsoft-DS (port 445) – SYN-ACK (Port 445 – SMB over IP)

FTP – clear text password (screenshot): the capture is annotated where the username and pswd appear in clear text

HTTP POST with clear text password (screenshot)

IP Spoofing with Nmap
• nmap -S 192.168.1.254 (spoofed IP address)
• Port checks from a non-existent IP address

MAC Spoofing via Nmap
Step 1: Generate a new MAC address using nmap --spoof-mac 0 (generates a MAC address)
Step 2: Change the MAC address:
    ifconfig
    sudo ifdown eth0
    sudo ifconfig eth0 hw ether CA:3B:3E:91:D1:3E
    sudo ifup eth0
    ifconfig
MAC Spoofing – Original / MAC Spoofing – Spoofed (ifconfig screenshots before and after)

Copyright 2013 Stacy (Dene’) Nelson
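The deck ends with MITM via ARP spoofing; the following is an added detection example (not from the slides) that parses Wireshark-style ARP Info lines and flags the two signs of ARP cache poisoning. The Info lines, the IP addresses and the MAC 00:aa:bb:cc:dd:ee are constructed assumptions; the two PC MACs are the ones shown on the ARP slide.

```python
import re
from collections import defaultdict

# Constructed Wireshark "Info" column lines as (frame number, text); not a real
# capture. "is at" lines are ARP replies, "Who has" lines are ARP requests.
WIRESHARK_INFO = [
    (1, "Who has 192.168.1.22? Tell 192.168.1.12"),
    (2, "192.168.1.22 is at 00:98:76:54:2f:db"),   # PC_22 answers for itself
    (3, "Who has 192.168.1.12? Tell 192.168.1.22"),
    (4, "192.168.1.12 is at 00:12:34:56:7f:db"),   # PC_12 answers for itself
    (9, "192.168.1.22 is at 00:aa:bb:cc:dd:ee"),   # assumed third MAC claims PC_22's IP
    (10, "192.168.1.12 is at 00:aa:bb:cc:dd:ee"),  # same MAC also claims PC_12's IP
]

REPLY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is at ([0-9a-fA-F:]{17})$")

def parse_arp_replies(lines):
    """Yield (frame, ip, mac) for ARP reply lines; requests are skipped."""
    for frame, info in lines:
        m = REPLY_RE.match(info)
        if m:
            yield frame, m.group(1), m.group(2).lower()

def detect_arp_spoofing(replies):
    """Return (alerts, multi_claims).

    alerts: (frame, ip, baseline_mac, new_mac) whenever an IP is answered for by a
            MAC other than the first one seen (a changed binding is the classic
            poisoning symptom).
    multi_claims: {mac: [ips]} for any MAC answering for more than one IP, the
            pattern of a host poisoning both ends of a conversation (MITM).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame, ip, mac in replies:
        baseline = ip_to_mac.setdefault(ip, mac)  # first binding seen is the baseline
        if baseline != mac:
            alerts.append((frame, ip, baseline, mac))
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, multi

if __name__ == "__main__":
    alerts, multi = detect_arp_spoofing(parse_arp_replies(WIRESHARK_INFO))
    for frame, ip, old, new in alerts:
        print(f"frame {frame}: {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A baseline built only from observed replies can itself be poisoned if the attacker answers first, so in practice the first binding would come from a static inventory or DHCP lease table rather than the capture.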