Introduction
Sniffing, spoofing and hijacking are considered advanced attack techniques on most networks. With the right tools, a
good position on the network and an understanding of the protocols involved, they can be accomplished and are extremely
powerful. There are so many trade-offs between security, usability, design requirements and company policy that there
is almost always an opening somewhere if the attacker can find it.
Administrators can no longer just run a sniffer for troubleshooting, because too much sensitive data is on the network.
Changes in network infrastructure, for example Layer 2 switching, have made sniffing more and more difficult.
However, sniffing is still a crucial part of research and of understanding what attacks actually do. It is important
to be able to stage attacks in an environment that lets the researcher analyze the traffic various tools generate, even
when sniffing is not part of the attack itself. Many attack tools incorporate an encryption layer precisely to evade
this kind of analysis and any IDS tools. This is why, from a defensive viewpoint, it is important not only to mandate
encryption for some traffic but to forbid its use in other places.
Countermeasures against sniffing may not discourage attackers: spoofing, Man-in-the-Middle and session hijacking are
all possible workarounds when sniffing is not possible.
How Sniffing Works
Passive Sniffing
Sniffers are also known as protocol analyzers; how the tool is used determines which label applies. Some only collect
or display packets, while others calculate statistics and produce reports. Reconstruction of captured traffic is
another common activity: the tool presents the data as a complete Layer 7 file rather than as a network conversation.
Sniffers themselves do not interact with the packets they capture; they display the packets or collect them into files
known as trace files for later analysis. The reasons for capturing traffic vary. Some examples are Trojan horse
malware, troubleshooting tools and network forensics.
Passive sniffing tools can capture packets sent from or received by the network interface of the host they are
running on. This usually doesn't require elevated permissions. Sniffing all traffic within a network segment,
however, is more complex.
If the sniffer is running in promiscuous mode, it must have sufficient privileges and the NIC must be able to see all
of the network traffic.
In promiscuous mode, the driver tells the NIC to stop filtering on the first 48 bits of the Layer 2 frame header,
which is where the destination hardware address resides.
On wired NICs, the promiscuous-mode capture driver comes in two flavours: WinPcap for Windows and libpcap for Linux.
Each is installed with sniffing software such as Wireshark but can also be downloaded and installed separately.
Wireless networks have an equivalent concept called Monitor Mode. Most wireless NICs either have monitor mode disabled
in the firmware or require specific drivers for that particular wireless device.
All network packets are visible if the NIC on the host reaches the network through a hub-like device at the physical
layer (Layer 1). However, most of today's networks use Layer 2 switching to reduce collision segments and manage
traffic more efficiently; in that case active sniffing techniques are required. Wireless networks essentially work
as physical hubs, and signal leakage means the attacker does not even have to be plugged into the device. This is the
primary reason manufacturers make it hard to access the monitor mode capabilities of their wireless devices.
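On Linux the kernel logs every time an interface's promiscuity count goes from zero to one and back, so a defender can reconstruct from the kernel log which interfaces were (or still are) capturing. The following is an added example, not code from the page; the log lines are constructed, and the regular expression accepts both the older "device X entered promiscuous mode" wording and the newer "X: entered promiscuous mode" wording.

```python
import re

# Constructed syslog/kernel lines for this example (not from a real host).
SAMPLE_LOG = """\
Mar  1 09:12:01 host1 kernel: [  412.301] device eth0 entered promiscuous mode
Mar  1 09:12:09 host1 kernel: [  420.114] device eth0 left promiscuous mode
Mar  1 09:40:33 host1 kernel: [ 2124.770] device eth1 entered promiscuous mode
Mar  1 09:41:00 host1 kernel: [ 2151.002] e1000e 0000:00:19.0 eth1: link is up
Mar  1 10:02:17 host1 kernel: [ 3428.550] br0: entered promiscuous mode
Mar  1 10:02:18 host1 kernel: [ 3429.001] br0: left promiscuous mode
"""

# Matches "device eth0 entered promiscuous mode" and "br0: entered promiscuous mode".
PROMISC_RE = re.compile(r"kernel: .*?(?:device |\b)(\S+?):? (entered|left) promiscuous mode")


def promiscuous_transitions(log_text: str):
    """Yield (syslog timestamp, iface, 'entered'|'left') for each promiscuity change."""
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            yield line[:15], m.group(1), m.group(2)


def currently_promiscuous(log_text: str) -> set:
    """Replay the transitions; an interface that entered and never left is still capturing."""
    active = set()
    for _, iface, state in promiscuous_transitions(log_text):
        if state == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return active


def capture_windows(log_text: str) -> list:
    """(iface, start, end) per capture session; end is None when the session is still open."""
    open_since, windows = {}, []
    for ts, iface, state in promiscuous_transitions(log_text):
        if state == "entered":
            open_since[iface] = ts
        elif iface in open_since:
            windows.append((iface, open_since.pop(iface), ts))
    windows.extend((iface, ts, None) for iface, ts in open_since.items())
    return windows


if __name__ == "__main__":
    print(currently_promiscuous(SAMPLE_LOG))   # {'eth1'}
    print(capture_windows(SAMPLE_LOG))
```

Bridge member ports, some virtualization agents and legitimate monitoring tools also put interfaces into promiscuous mode, so compare the result against a baseline of expected interfaces before raising an alert.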
Active Sniffing
When the host attempting to capture traffic cannot see all of the packets, active sniffing must be used. Attackers use
several techniques to capture packets under these circumstances. Because these techniques are active, they create
noise, so attackers are most successful when they know their targets in advance and do not try to sniff everything.
There are three techniques commonly used:
- ARP Poisoning
- MAC Flooding
- MAC Duplicating (Spoofing)
ARP Poisoning - In this attack the attacker corrupts the target computer's ARP cache on an Ethernet LAN with forged ARP
request and reply packets, so that the cache entry for another host's IP address now holds the attacker's own Media
Access Control (MAC) address. Because the ARP replies are forged, the target unintentionally sends its frames to the
attacker's computer first instead of to the original destination, which lets the attacker monitor them. The result is
that both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user.
MAC Flooding - Most switches learn which NICs are connected to which interfaces and store this information in a
Content Addressable Memory (CAM) table. There is a limited amount of space for this information; if the attacker
floods the switch with enough ARP traffic to fill the CAM table, the switch goes into a fail-safe mode, a "hub mode",
and passes all traffic out every port. This is the result of the switch being unable to learn new hardware addresses
while still not wanting to bring the network down.
The countermeasure for MAC flooding is to configure port security on the switch, either by limiting the number of
addresses it can learn on each interface or by limiting how much CAM memory each interface is allowed to use.
MAC Duplicating (Spoofing) - To spoof the address, an attacker configures their NIC with the same address as another
NIC on the network. It is possible for two hosts on a local network to share a MAC address: the layers above Layer 2
do not notice, and the switch may forward frames out every interface on which it has seen that MAC address.
Some hardware, such as Wireless Access Points (WAPs), is configured with an Access Control List (ACL) that allows only
hosts with certain MAC addresses to connect. An attacker can sniff these MAC addresses from clear-text management
frames, learn which addresses are allowed, and spoof one of them to gain access to the network.
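All three active-sniffing techniques leave Layer 2 traces a switch or a monitoring host can check for: an IP address whose MAC binding suddenly changes (ARP poisoning), one MAC address learned on more than one port (duplicating), and a single port producing an implausible number of source MACs (flooding). The detector below is an added example, not from the page or any product; the (port, MAC, IP) observations are constructed, and the per-port threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed observations: (switch port, source MAC, IP claimed in an ARP reply or None).
SAMPLE_EVENTS = [
    ("Gi0/1", "00:11:22:33:44:01", "192.168.1.1"),    # gateway, legitimate binding
    ("Gi0/2", "00:11:22:33:44:02", "192.168.1.10"),
    ("Gi0/3", "00:11:22:33:44:03", "192.168.1.11"),
    ("Gi0/3", "00:11:22:33:44:03", "192.168.1.1"),    # gateway IP rebinds to port 3's MAC: ARP poisoning
    ("Gi0/4", "00:11:22:33:44:01", None),             # gateway MAC shows up on a second port: duplicating
] + [("Gi0/5", f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", None) for i in range(300)]  # flood


def analyze(events, max_macs_per_port=32):
    """Return alert tuples for ARP rebinding, duplicated MACs and MAC flooding."""
    ip_to_mac = {}                  # last MAC seen claiming each IP
    mac_ports = defaultdict(set)    # ports on which each MAC has been learned
    port_macs = defaultdict(set)    # distinct MACs learned per port
    alerts = []
    for port, mac, ip in events:
        if ip is not None:
            old = ip_to_mac.get(ip)
            if old is not None and old != mac:
                alerts.append(("arp-rebind", ip, old, mac, port))
            ip_to_mac[ip] = mac
        mac_ports[mac].add(port)
        if len(mac_ports[mac]) > 1:
            alerts.append(("mac-on-multiple-ports", mac, tuple(sorted(mac_ports[mac]))))
        port_macs[port].add(mac)
        # Fire once, at the moment the port crosses the threshold.
        if len(port_macs[port]) == max_macs_per_port + 1:
            alerts.append(("mac-flood", port, len(port_macs[port])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would feed this from DHCP snooping / ARP inspection logs or SNMP polls of the CAM table, and would whitelist ports that legitimately carry many MACs (uplinks, hypervisor hosts).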
Packet Capturing Tools
There are four common elements involved in capturing packets. These are:
- Command Line Tools
- Capture Filters
- Graphic Tools
- Display Filters
Command Line Tools
There are a few primary command line tools used for packet capturing: tcpdump, its Windows port WinDump, and tshark,
the command line version of Wireshark. The dsniff suite contains special-purpose sniffers such as mailsnarf and
urlsnarf that look for specific data only.
The captured packets can be dumped into files and opened later with the tools that provide a graphical interface.
Another reason to use command line sniffers is that they have less overhead, which can mean a more accurate packet
capture.
Capture Filters
Capture filters are a good choice when you want to be specific about what you detect and capture, as they tell the
sniffer what to pick up and what to ignore. The benefit is that you won't collect data you are not supposed to have,
data that might be harmful, or data that is simply not interesting. The downside is that if your filter is not quite
right, you could miss data that is important.
Capture filters use the tcpdump filter syntax. Most capture rules can be read like an English sentence, which makes
them easy to understand.
Three elements make up a capture rule: the Operator, the Keywords and the Variable Data.
Operators
| Operator | Symbol | Meaning |
| --- | --- | --- |
| is | == | when equal to |
| and | & | all of these things |
| or | \| | any of these things |
| not | ! | other than this |
| gt | > | greater than |
| lt | < | less than |
Keywords
| Keyword | Meaning |
| --- | --- |
| host | the target object |
| net | the network ID |
| src | source |
| dst | destination |
| port | port |
| TCP | Transmission Control Protocol |
| ether | Ethernet |
| IP | Internet Protocol |
| broadcast | traffic sent to all |
Variable Data (examples)
| Variable Data | Meaning |
| --- | --- |
| 192.168.1.1 | host IP address |
| 192.168.1.0 | network ID |
| 0x42 | the value 42 in hex |
| 0x56524659 | the hex equivalent of the string VRFY |
| [0:2] | byte offset: start at byte 0, then look at byte 2 |
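To make the byte-offset and hex variable data concrete, here is a small evaluator for the `proto[offset:length]` comparison form that tcpdump filters use, applied to a constructed Ethernet/IPv4/TCP frame carrying an SMTP `VRFY` command. This is an added example written for this page, not tcpdump or libpcap: it supports only offset comparisons joined by `and`, `or` and `not`, not keywords such as `host` or `net`.

```python
import re
import struct


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet + IPv4 + TCP to port 25 with payload 'VRFY root'."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    payload = b"VRFY root\r\n"
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + tcp + payload


def header_offset(frame: bytes, proto: str) -> int:
    """Byte offset at which the named header starts; tcp follows the variable-length IP header."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return 14
    if proto == "tcp":
        return 14 + (frame[14] & 0x0F) * 4
    raise ValueError(f"unsupported protocol keyword: {proto}")


ATOM = re.compile(r"(\w+)\[(\d+):(\d+)\]\s*(==|!=|>|<)\s*(\S+)")


def eval_atom(frame: bytes, atom: str) -> bool:
    """Evaluate one 'proto[off:len] op value' comparison (value may be decimal or 0x hex)."""
    m = ATOM.fullmatch(atom.strip())
    if not m:
        raise ValueError(f"bad filter atom: {atom!r}")
    proto, off, size, op, val = m.groups()
    start = header_offset(frame, proto) + int(off)
    field = int.from_bytes(frame[start:start + int(size)], "big")
    want = int(val, 0)
    return {"==": field == want, "!=": field != want,
            ">": field > want, "<": field < want}[op]


def matches(frame: bytes, expr: str) -> bool:
    """'or' binds loosest, then 'and', then a leading 'not', as in tcpdump."""
    if " or " in expr:
        return any(matches(frame, part) for part in expr.split(" or "))
    if " and " in expr:
        return all(matches(frame, part) for part in expr.split(" and "))
    expr = expr.strip()
    if expr.startswith("not "):
        return not matches(frame, expr[4:])
    return eval_atom(frame, expr)
```

With the sample frame, `matches(frame, "tcp[2:2] == 25 and tcp[20:4] == 0x56524659")` is true: destination port 25 and the four payload bytes spelling VRFY.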
Graphic Tools used for Packet Analysis
There are many packet analysis tools on the market, but Wireshark is the premier protocol analyzer that is free of
cost. Wireshark runs the same way on Windows and Linux.
With Wireshark you can draw graphs and diagrams and produce reports with statistical analyses of network bandwidth.
Wireshark also lets you right-click a TCP packet and choose "Follow TCP Stream", which rebuilds an entire Layer 7
protocol session.
Exploiting Vulnerable Protocols
Protocols Vulnerable to Sniffing
There are many protocols that send critical information across the network in clear text. Some of these protocols that
send credentials in plain text include:
- HTTP
- SNMP (community string)
- NNTP
- POP
- FTP
- IMAP
Many of these protocols have now been replaced or updated with more secure options. If administrators require the use
of older versions, they might set up encrypted tunnels such as Secure Shell (SSH) to protect them.
To avoid detection, it is best to use a "receive only" cable to connect the sniffing host to the network. This solves
the Layer 1 problem by physically removing the sniffer's ability to reply to scans. Here is an example of such a scan.
- Sniffer
- IP: 10.0.0.1
- MAC: AA:BB:CC:DD:EE:FF
A scanner sends traffic to the IP address 10.0.0.1 but sets the destination MAC address to something random, such as
A4:FE:65:D5:1F:6D. The NIC should ignore the frame because the MAC is wrong; in promiscuous mode, however, that
mismatch is ignored and the packet is passed up to Layer 3. Since the logical (IP) address does match, the network
software in the OS protocol stack accepts the packet and processes it. If a higher layer has a reason to respond to
those bits, there will be a response and the sniffer is detected.
How Session Hijacking Works
Session hijacking takes place when the trust between two hosts, services or accounts is compromised by an attacker
known as the Man-in-the-Middle (MiTM).
Session hijacking can happen in multiple ways: web-based hijacks, wireless AP hijacks (also known as the evil twin
attack) and TCP session hijacks. The principle is the same in all of them: attack at a lower layer of the OSI model
than the one on which the session actually occurs. In a TCP attack, for example, the idea is to let Layers 5 to 7
establish trust and then take over the Layer 4 socket.
The Difference Between Spoofing, MiTM and Hijacking
Spoofing is a technique that is useful in social engineering. It is the basic art of pretending to be something else.
There is a problem with spoofing, however: the receiving host replies to the party that appears to have sent the
data. The masquerading party therefore has to either become that party or be able to eavesdrop on the conversation.
Although there are uses for spoofing on its own, it is more often one component of an attack rather than the only
technique used.
Man-in-the-Middle (MiTM) attacks also involve social engineering. The goal of the attacker is to be transparent while
still being able to send and receive traffic to and from the true endpoints of the communication. This is similar to
using a courier to deliver a package for you; it is the same principle, except that the attacker must do it without
the target knowing.
True session hijacking is the ultimate combination of these techniques: it can completely take over an established
session after the authentication phase has completed.
Using a TCP session hijack as the illustration, the sequence of events is as follows.
Tracking the Connection - The attacker's targets must be identified and the characteristics of their connections
observed. The attacker must predict the sequence numbers and window sizes, which allows packets to be constructed in
advance of the attack and then injected at the right time.
Desynchronizing the Connection - Assuming the attacker wants to impersonate the target, and the target is
communicating with the server, the target needs to be knocked offline. If this step is not accomplished, the server
will see "echoes", traffic from both the target and the attacker, which confuses the server and causes it to drop the
connection.
The target must be convinced that it is no longer connected to the server, while the server is left still expecting
data. This can be done by different means.
- Sending NULL data to the server while spoofing the target's IP address as the source causes the server to expect
traffic the real client is not prepared to send.
- Using the SYN/ACK and FIN flags makes the server think it is at a different place in the conversation, a place the
server knows about but the target does not.
The target is kept in a Denial of Service state so that it does not try to recover. The attacker then sniffs the
traffic coming from the server, since he is not really its destination; this works because the attacker is spoofing
the target's IP address.
Injecting the Attacker's Packet - At this point packets can be injected, either as disruptive data that will be
trusted or as commands that cause the conversation to continue.
Session Hijacking Types
There are four basic types of Session Hijacking. These types include:
- TCP Hijacking
- UDP Hijacking
- RST Hijacking
- Session Tokens
TCP Hijacking is an attack that requires an accurate understanding of the current state of synchronization between
two hosts. The handshake is observed, and the sequence number in the injected packets must be set so that they are
accepted inside the current window.
After this form of attack was discovered, Request For Comment (RFC) 1948 was written to suggest that Initial Sequence
Numbers (ISN) should not simply be incremented every four microseconds, as previously suggested in RFC 972, but
should instead involve a Pseudo Random Number Generator (PRNG). This makes the number much harder to predict.
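To see why the change matters, the added example below (not code from the page) models both schemes: the legacy 4-microsecond clock, and RFC 1948's construction, which adds to that same clock a secret keyed hash of the connection's 4-tuple (the page summarises this as "a PRNG"). SHA-256 stands in for the hash function; the per-boot secret and the timestamps are constructed.

```python
import hashlib

MOD = 1 << 32


def isn_clock(now_us: int) -> int:
    """Legacy scheme: a 32-bit counter that advances once every 4 microseconds."""
    return (now_us // 4) % MOD


def isn_rfc1948(now_us: int, conn: tuple, secret: bytes) -> int:
    """RFC 1948 scheme: ISN = M + F(conn, secret).

    M is the same 4 us clock; F is a keyed hash of (src ip, src port, dst ip, dst port).
    The per-connection offset is fixed while the secret is fixed, so one peer still sees a
    monotonic ISN, but a different 4-tuple gets an unrelated offset."""
    ident = "|".join(str(x) for x in conn).encode()
    f = int.from_bytes(hashlib.sha256(secret + ident).digest()[:4], "big")
    return (isn_clock(now_us) + f) % MOD


def extrapolate(observed_isn: int, observed_us: int, target_us: int) -> int:
    """Observer's estimate: assume the ISN kept ticking at 4 us per unit since the sample."""
    return (observed_isn + (target_us - observed_us) // 4) % MOD


def isn_distance(a: int, b: int) -> int:
    """Circular 32-bit distance between an estimate and the real ISN (0 means exact)."""
    d = (a - b) % MOD
    return min(d, MOD - d)


if __name__ == "__main__":
    secret = b"constructed-per-boot-secret"
    t0, t1 = 1_000_000, 1_000_400          # two connections 400 us apart
    mine = ("10.0.0.5", 40000, "10.0.0.1", 25)
    theirs = ("10.0.0.9", 40001, "10.0.0.1", 25)
    # Legacy clock: an observer who saw one ISN estimates the next one exactly.
    print(isn_distance(extrapolate(isn_clock(t0), t0, t1), isn_clock(t1)))   # 0
    # RFC 1948: the same extrapolation from one 4-tuple says nothing about another.
    seen = isn_rfc1948(t0, mine, secret)
    print(isn_distance(extrapolate(seen, t0, t1), isn_rfc1948(t1, theirs, secret)))
```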
RST Hijacking is a form of DoS attack in which packets injected into an established TCP stream convince one side that
the other is confused and wants to terminate the conversation. The simplicity of it is to set the RST flag, set the
ACK number so that the segment falls within the window, and spoof one side of the conversation.
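The receiver-side check decides how hard an injected RST (or any injected segment) is to get accepted. The added example below, not from the page, implements the RFC 793 in-window acceptance test with 32-bit wraparound and contrasts it with the hardened RFC 5961 rule, under which only an RST with exactly the next expected sequence number aborts the connection while an in-window but inexact one only triggers a challenge ACK. Window sizes are constructed.

```python
MOD = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a sequence number, correct across 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_rfc793(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Original rule: any RST whose sequence number lands in the window tears the connection down."""
    return "abort" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened rule (RFC 5961 section 3): exact match aborts; in-window but inexact gets a
    challenge ACK that the true peer answers with a correctly numbered RST; otherwise drop."""
    if seg_seq == rcv_nxt:
        return "abort"
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_guess_space(rcv_wnd: int, exact_match_required: bool) -> int:
    """Number of sequence values a blind injector must cover to be sure of a hit: the whole
    32-bit space when an exact match is required, otherwise one guess per window's worth."""
    return MOD if exact_match_required else -(-MOD // rcv_wnd)


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1000, 65535
    print(rst_action_rfc793(1500, rcv_nxt, rcv_wnd))     # abort
    print(rst_action_rfc5961(1500, rcv_nxt, rcv_wnd))    # challenge-ack
    print(blind_guess_space(rcv_wnd, False), blind_guess_space(rcv_wnd, True))
```

Large receive windows (window scaling) shrink the guess space under the old rule, which is exactly why the exact-match requirement of RFC 5961 was introduced.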
UDP Hijacking does not involve any of the complexity of TCP. There are no flags or SEQ/ACK numbers to keep track of,
and since UDP does not require the receiving host to respond at all, let alone acknowledge that there is a source
port to respond to, both the MiTM attack and the DoS attack are much easier.
Session Tokens, or authentication, are required whether an application uses TCP or UDP. Because of this, it may be
possible for the attacker to capture the session token from the network or through a MiTM attack and then replay the
token to the server.
HTTP is a stateless environment, and session hijacking there is based on the HTTP session token. The Cross-Site
Request Forgery (CSRF) attack is an example of a session hijack. The application tries to create a sense of "state"
using unique strings that are bounced back and forth. Once trust is established, the abuse can begin by replaying a
challenge or issuing commands that are trusted. In this way the attacker can capture information via a proxy server
or by stealing cookies.
Session Hijacking Countermeasures
Since the arrival of session hijacking, the TCP protocol specification has been modified to make sequence number
prediction extremely difficult. The TCP sequence number is a 32 bit field, giving about 4.3 million possible values
from which the Initial Sequence Number (ISN) can be chosen. An attacker would have to sniff enough connections from a
host to predict what a future ISN would be, and with a Pseudo-Random Number Generator (PRNG) in use this task is
extremely challenging.
Taking this a step further, circuit level gateway firewalls translate the ISN at the same time as the network address
and ports are translated when a host initiates an outbound connection. This in effect makes the firewall a Layer 4
proxy server. The circuit level gateway is itself a man-in-the-middle, but it does not interfere with Layer 7 data.
Internet Protocol Security (IPSec) uses an integrity check that rejects forged packets. Between these countermeasures,
session hijacking threats are well mitigated, but the idea remains important both from an academic standpoint and to
illustrate why such countermeasures must be maintained.
Other forms of session hijacking are more difficult to prevent. Session hijacks based on HTTP session IDs are
prevented by ensuring the IDs cannot be sniffed, guessed or predicted; this involves the use of SSL and proper random
number generation for the token. Wireless evil-twin attacks are prevented with WPA-Enterprise or plain physical
situational awareness.