How To Sniff A Switched Network And Protect Against It

2008-01-30 05:04:54
Article by Brian Carpio

Introduction

Up until now, all the mainstream information about sniffing a switched network has told you that if you are host C trying to watch traffic between hosts A and B, it is impossible because the two are in different collision domains.

This document will show you that it is possible, due to design weaknesses in TCP/IP, specifically in its Address Resolution Protocol (ARP).

We will be using two programs: one is called arpspoof and the other fragrouter.

TCP/IP Overview

As most of you know, TCP/IP uses ARP (Address Resolution Protocol) to convert IP addresses into hardware addresses. This hardware address is referred to as a MAC (Media Access Control) address. Once the destination's MAC address is determined, the encapsulated IP packet can be transmitted to the host. Every host on the network must have a unique MAC address in order to communicate on an Ethernet LAN.

Within Ethernet ARP there are four types of messages:

ARP request - A request for a destination host's MAC address; this is usually sent to all hosts in a broadcast domain.

ARP reply - This is a response to the ARP request and tells the hardware address of the destination host.

RARP request - This is a Reverse ARP request. It asks for the IP address that belongs to a known MAC address.

RARP reply - This is a response to the RARP request and tells the IP address of the requested MAC address.

All Ethernet hosts and switches keep a list of known MAC addresses and their corresponding IP addresses. The only time an ARP request is sent to the network is when an IP address that is NOT in the host's table is needed, which happens when a new host is contacted or when the entry in the table times out.

Sniffing traffic on a network built on a hub is easy because all traffic is transmitted to every host on the network. Sniffing a switched network presents a problem because the switch knows which MACs are plugged into which ports; the only time a frame is broadcast to the entire network is when an ARP or RARP request is sent out.

Since there is no way built into TCP/IP to verify which MACs are associated with which IP addresses, other than to ask on the wire or to consult its own ARP table, this opens TCP/IP up to exploitation.

So the goal of a malicious hacker would be to trick your system into updating its ARP table so that data goes to the attacker instead.

There are many ways to do this, but for the purpose of this document we will cover arpspoof from dsniff.
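The weakness described above is that an ARP message is trusted for what it says about the sender's IP-to-MAC binding. A defender who captures ARP frames can at least compare each asserted binding against a known inventory. The following Python decoder is an added example, not code from the article or from dsniff: it parses an Ethernet frame carrying one of the four message types listed in the overview, and then checks the sender binding against the three hosts from the article's Network Setup section. The three sample frames are constructed hex strings, not captures; the third one binds HostB's IP to HostC's MAC, which is exactly the situation the rest of the article describes.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ARP opcodes as carried on the wire (RFC 826 for ARP, RFC 903 for RARP).
ARP_OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def kind(self) -> str:
        return ARP_OPCODES.get(self.opcode, f"unknown opcode {self.opcode}")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying an IPv4 ARP or RARP message."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet header + ARP message")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        raise ValueError(f"not ARP/RARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(fmt_mac(eth_dst), fmt_mac(eth_src), opcode,
                    fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


# The three hosts from the article's network setup, used as the "known good" inventory.
KNOWN_HOSTS = {
    "192.168.0.2": "00:08:74:95:65:11",  # HostA
    "192.168.0.3": "00:08:74:46:EB:08",  # HostB
    "192.168.0.4": "00:02:B3:A4:7F:8B",  # HostC
}


def check_against_inventory(frame: ArpFrame, inventory=KNOWN_HOSTS) -> Optional[str]:
    """Return a warning when an ARP message asserts an IP->MAC binding that
    contradicts the inventory. Requests carry the sender's binding as well as
    replies, so opcodes 1 and 2 are both checked; RARP messages are left alone."""
    if frame.opcode not in (1, 2):
        return None
    expected = inventory.get(frame.sender_ip)
    if expected is None:
        return f"unknown station {frame.sender_ip} at {frame.sender_mac}"
    if expected != frame.sender_mac:
        return (f"{frame.kind}: {frame.sender_ip} claimed by {frame.sender_mac}, "
                f"inventory says {expected}")
    return None


# Constructed sample frames (hex), not captures from the article:
#  1. HostA broadcasts a request for HostB's MAC.
#  2. HostB answers with its real MAC.
#  3. A reply that binds HostB's IP to HostC's MAC (the case the article describes).
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "ffffffffffff" "000874956511" "0806" "0001" "0800" "06" "04" "0001"
    "000874956511" "c0a80002" "000000000000" "c0a80003",
    "000874956511" "00087446eb08" "0806" "0001" "0800" "06" "04" "0002"
    "00087446eb08" "c0a80003" "000874956511" "c0a80002",
    "000874956511" "0002b3a47f8b" "0806" "0001" "0800" "06" "04" "0002"
    "0002b3a47f8b" "c0a80003" "000874956511" "c0a80002",
)]


def audit(frames) -> List[Optional[str]]:
    """Parse each frame and return its inventory warning (None when consistent)."""
    return [check_against_inventory(parse_arp_frame(f)) for f in frames]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        a = parse_arp_frame(f)
        print(f"{a.kind:12} {a.sender_ip} is-at {a.sender_mac} -> {a.target_ip} |",
              check_against_inventory(a) or "ok")
```

The inventory check is only as good as the inventory: a NIC replacement shows up as a false alarm until the table is updated, which is the same maintenance cost the article raises against static ARP entries in the prevention section.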

Network Setup

We have a pretty basic network setup here: three hosts connected by a switch.

HostA: 192.168.0.2 MAC: 00:08:74:95:65:11

HostB: 192.168.0.3 MAC: 00:08:74:46:EB:08

HostC: 192.168.0.4 MAC: 00:02:B3:A4:7F:8B

For the purpose of this document we are HostC, a Linux box. HostA and HostB can be anything else; it doesn't really matter. HostA could be a Sun box and HostB its default router, HostA could be a PC and HostB a Sun box, etc.

On HostC we will download and install dsniff

Src: http://monkey.org/~dugsong/dsniff/

Pkg: http://www.rpmfind.net

On HostC we will also download and install fragrouter

http://www.securityfocus.com/tools/176

>> tar zxvf fragrouter-1.6.tar.gz

>> ./configure

>> make

>> make install

Running Fragrouter

This app is very simple. We just want to do normal IP forwarding: we want the traffic to make it to its destination, we just want to see it first.

>> fragrouter -B1

Running ARPSPOOF

The man page gives a complete explanation of how to use arpspoof. For this document we will run arpspoof like this (again, we want to watch traffic from HostA to HostB):

>> arpspoof -t HostA HostB

The man page for arpspoof says of -t that the target is the box whose ARP table you want to spoof, meaning we want to update HostA's ARP table to say that the MAC address of HostB is 00:02:B3:A4:7F:8B (which, if you look above, is the MAC address of HostC).

Fragrouter will just route the packets on to HostB.

Preventing Against This Type of Attack

Well there are a few ways to go about this.

1) You can gather all the MAC information for every host on your network and feed that into a startup script using arp -p. The problem with this is that every host will need to be updated if/when a network card gets replaced. -- BAD IDEA

2) Solaris - Change the default arp_cleanup_interval. The default is 5 min., which means Solaris keeps ARP values in its ARP cache for 5 minutes.

ndd -set /dev/arp arp_cleanup_interval 6000

3) Arpwatch - This is one of the greatest tools for protecting yourself against this type of attack.

You can download it for Linux from rpmfind.net and for Solaris from sunfreeware.com.

Example of logs:

Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B

Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)

The log on hostA, which is running arpwatch, shows that hostB's (192.168.0.3) MAC address has changed to what we know is hostC's. You can easily set up scripts which monitor for this type of activity.
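One such monitoring script, as an added example that is not part of the article and not part of arpwatch: it picks arpwatch events out of a syslog stream, lists every address whose MAC moved (with the old and new owner), and flags any single MAC that has been reported for several IP addresses, since one station answering for many addresses is what a host spoofing replies for its neighbours looks like. The log lines are constructed in the format the article shows; the two 10:22:02 lines reproduce the article's example, the others (including the 192.168.0.1 entry and the "flip flop" line, which is arpwatch's message when an address changes back) are added so the summary has something to group.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed syslog lines in the format the article shows for arpwatch. The two
# 10:22:02 lines mirror the article's example; the rest are added for the summary.
# The sshd line is unrelated noise that the parser must skip.
SAMPLE_LOG = """\
Jun 23 10:21:55 hostA arpwatch: new station 192.168.0.4 00:02:B3:A4:7F:8B
Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B
Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)
Jun 23 10:22:09 hostA arpwatch: changed ethernet address 192.168.0.1 00:02:B3:A4:7F:8B (00:08:74:12:34:56)
Jun 23 10:22:40 hostA arpwatch: flip flop 192.168.0.3 00:08:74:46:EB:08 (00:02:B3:A4:7F:8B)
Jun 23 10:30:00 hostA sshd[1234]: Accepted publickey for admin from 192.168.0.2
"""

# "(old mac)" is present only on change events; a trailing interface name, which some
# arpwatch builds append, is tolerated and ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) arpwatch: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9A-Fa-f:]+)"
    r"(?: \((?P<old>[0-9A-Fa-f:]+)\))?(?: \S+)?$"
)


@dataclass
class ArpEvent:
    ts: str
    host: str
    event: str
    ip: str
    mac: str            # MAC arpwatch now associates with the IP
    old_mac: Optional[str]  # previous MAC, only for change / flip flop events


def parse_arpwatch_log(text: str) -> List[ArpEvent]:
    """Pick arpwatch events out of a syslog stream; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        old = m["old"].upper() if m["old"] else None
        events.append(ArpEvent(m["ts"], m["host"], m["event"], m["ip"], m["mac"].upper(), old))
    return events


def bindings_by_mac(events: List[ArpEvent]) -> Dict[str, Set[str]]:
    """Every IP each MAC has been reported as owning, across all event kinds."""
    owned: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        owned[e.mac].add(e.ip)
    return owned


def changed_addresses(events: List[ArpEvent]) -> List[str]:
    """One line per IP whose MAC moved, with the old and new owner."""
    return [f"{e.ts} {e.ip}: {e.old_mac} -> {e.mac} ({e.event})"
            for e in events if e.event in ("changed ethernet address", "flip flop")]


def suspicious_macs(events: List[ArpEvent], threshold: int = 2) -> List[str]:
    """MACs reported for at least `threshold` distinct IPs. A legitimately
    multi-homed host or a router will also show up here, so treat the result
    as something to investigate rather than as proof of spoofing."""
    out = []
    for mac, ips in sorted(bindings_by_mac(events).items()):
        if len(ips) >= threshold:
            out.append(f"{mac} reported for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return out


if __name__ == "__main__":
    evs = parse_arpwatch_log(SAMPLE_LOG)
    print(f"{len(evs)} arpwatch events")
    for line in changed_addresses(evs):
        print("CHANGE", line)
    for line in suspicious_macs(evs):
        print("ALERT ", line)
```

Fed the real syslog (for example via a pipe from tail -f), the same functions can page an operator on the first "changed ethernet address" line rather than waiting for a summary; the threshold in suspicious_macs is there to keep a single NIC swap from looking like an attack.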

In Summary

As you can tell, this document provides only the basics of ARP spoofing; however, this basic idea lays the groundwork for SSH and SSL man-in-the-middle attacks. Once a box is compromised and used as a gateway in a network, the entire network's security becomes open to exploitation.

About The Author

Brian Carpio is a senior Solaris/Linux system architect and has worked for some of the largest companies in the world. Currently he is a freelance Linux/Solaris consultant for his own company, The Tek, LLC. http://thetek.net
