sniffing via dsniff

Upload: kshitij-tayal

Post on 19-Aug-2014

Page 1: Sniffing via dsniff


Page 2: Sniffing via dsniff

What is Sniffing?

● Sniffing is a technique for gaining access to data through a network-based attack.

● A sniffer is a program that gathers traffic from the local network. It is useful for attackers looking to swipe data as well as for network administrators trying to troubleshoot problems.

● Using a sniffer, an attacker can read data passing by a given machine in real time or store the data for later.

Page 3: Sniffing via dsniff

What does one sniff?

A sniffer can grab anything sent across the LAN, including

● User IDs and passwords
● Web pages being visited
● Email messages
● Files shared using the Network File System
● Chat sessions
● DNS queries

Page 4: Sniffing via dsniff

Non-Promiscuous Mode

In non-promiscuous mode, a sniffer gathers only data going to and from its host system.

The Ethernet controller only interrupts the host when one of the following conditions is met:

● Destination MAC address = my MAC address
● Destination MAC address = broadcast MAC address
● Destination MAC address is in the list of multicast group MAC addresses

All other packets are dropped.

Page 5: Sniffing via dsniff

Promiscuous Mode

● In promiscuous mode, a sniffer gathers all traffic passing by the network interface.

● The controller passes all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.

● This mode is normally used for packet sniffing.
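A defender's first check for the mode described above is whether any local interface has been switched into promiscuous mode. The following script is an added example, not code from the slides: on Linux it reads the kernel's interface flag word from /sys/class/net/<interface>/flags and tests the IFF_PROMISC bit (0x100 in <linux/if.h>). The two sample flag values are constructed to show a normal "up" interface and the same interface after a sniffer enabled promiscuous mode.

```python
# Added example (not from the slides): report Linux interfaces that are in
# promiscuous mode by inspecting the sysfs flag word.
import os

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface receives all frames, not just its own

def parse_flags(flags_text: str) -> int:
    """Parse the hexadecimal flag word exactly as sysfs prints it (e.g. '0x1103')."""
    return int(flags_text.strip(), 16)

def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)

def describe(flags: int) -> str:
    state = "up" if flags & IFF_UP else "down"
    mode = "PROMISCUOUS" if is_promiscuous(flags) else "normal (own/broadcast/multicast frames only)"
    return f"{state}, {mode}"

def check_interface(name: str, sysfs_root: str = "/sys/class/net") -> dict:
    """Read one interface's flags from sysfs and classify it."""
    with open(os.path.join(sysfs_root, name, "flags")) as fh:
        flags = parse_flags(fh.read())
    return {"interface": name, "flags": flags, "promiscuous": is_promiscuous(flags)}

def scan_all(sysfs_root: str = "/sys/class/net") -> list:
    """Classify every interface the kernel exposes; skip ones that vanish mid-scan."""
    results = []
    for name in sorted(os.listdir(sysfs_root)):
        try:
            results.append(check_interface(name, sysfs_root))
        except OSError:
            continue
    return results

# Constructed sample values: 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC.
SAMPLE_NORMAL = "0x1003"
SAMPLE_SNIFFER = "0x1103"

if __name__ == "__main__":
    for label, text in (("normal interface", SAMPLE_NORMAL), ("sniffing interface", SAMPLE_SNIFFER)):
        print(f"{label}: {describe(parse_flags(text))}")
    for entry in scan_all():
        flag = " <-- promiscuous" if entry["promiscuous"] else ""
        print(f"{entry['interface']}: 0x{entry['flags']:x}{flag}")
```

Run it periodically (or from a host-monitoring agent) and alert on any interface whose promiscuous bit is set outside a known maintenance window; the kernel also logs "device <name> entered promiscuous mode" when the bit is set, so the same condition can be caught from the syslog stream.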

Page 6: Sniffing via dsniff

Types of Sniffing

● Passive Sniffing

Sniffing performed on a hub is known as passive sniffing.

● Active Sniffing

When sniffing is performed on a switched network, it is known as active sniffing.

Page 7: Sniffing via dsniff

Passive Sniffing: Sniffing Through a Hub

Page 8: Sniffing via dsniff

Passive Sniffing

● In passive sniffing, any data sent across the LAN is actually sent to each and every machine connected to the LAN.

● Therefore, the sniffer will be able to gather data sent to and from any other system on the LAN.

Page 9: Sniffing via dsniff

Active Sniffing: Sniffing Through a Switch

Page 10: Sniffing via dsniff

Active Sniffing

● The switch looks up the destination MAC address and sends data only to the port that needs it.

● Therefore, the sniffer will be able to see data going to and from its own machine only.

● All of the other interesting information flowing on the LAN will be unavailable to the sniffer.

Page 11: Sniffing via dsniff

Sniffing via switched LAN

● In active sniffing, the attacker injects traffic into the LAN to redirect the victim's traffic to the attacker.

● Active sniffing can be performed in two ways:

1. MAC flooding

2. Poisoning the ARP (Address Resolution Protocol) table

Page 12: Sniffing via dsniff

Dsniff (Sniffer tool)

● Dsniff is a set of password sniffing and network traffic analysis tools.

● A big advantage of Dsniff is the large number of protocols it can interpret, e.g. Telnet, FTP, HTTP.

● Nearly every sniffer can dump raw bits grabbed off the network. However, these raw bits are pretty much useless unless the attacker can interpret what they mean.

Page 13: Sniffing via dsniff

Foiling Switches with Floods

● Initiated via Dsniff's macof program.

● It works by sending out a flood of traffic with random MAC addresses on the LAN.

● As the number of different MAC addresses in use on the network increases, the switch dutifully stores the MAC addresses used by each link on the switch.

● When the switch's memory becomes exhausted, the switch will start forwarding data to all links on the switch.

● At this point, Dsniff can capture the desired packets.
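The flood described above has an obvious signature from the switch's side: a single port suddenly sourcing hundreds or thousands of distinct MAC addresses. The detector below is an added example, not part of the slides or of Dsniff; it takes a time-ordered list of (timestamp, ingress port, source MAC) records, such as one could build from a span-port capture or from switch MAC-table logs, and raises one alert per port the first time that port shows more than a threshold of distinct source MACs inside a sliding window. The port names and the frame trace are constructed sample data.

```python
# Added example (not from the slides): flag a port that sources an abnormal
# number of distinct MAC addresses in a short window, the pattern macof creates.
from collections import defaultdict
import random

def detect_mac_flood(frames, window_s=5.0, threshold=100):
    """
    frames: iterable of (time_s, port, src_mac) in time order.
    Returns [(port, time_s, distinct_count), ...], at most one alert per port,
    raised the first time that port shows more than `threshold` distinct
    source MACs within the trailing `window_s` seconds.
    """
    last_seen = defaultdict(dict)   # port -> {mac: time last seen}
    alerted = set()
    alerts = []
    for t, port, mac in frames:
        seen = last_seen[port]
        seen[mac.lower()] = t
        # Expire addresses that have aged out of the window.
        for stale in [m for m, ts in seen.items() if t - ts > window_s]:
            del seen[stale]
        if len(seen) > threshold and port not in alerted:
            alerted.add(port)
            alerts.append((port, t, len(seen)))
    return alerts

def sample_frames():
    """Constructed trace: three normal hosts on Gi1/1, then a 2-second burst of
    500 random source MACs on Gi1/7."""
    rng = random.Random(7)
    frames = []
    hosts = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    for i in range(300):
        frames.append((i * 0.1, "Gi1/1", hosts[i % 3]))
    for i in range(500):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        frames.append((10.0 + i * 0.004, "Gi1/7", mac))
    frames.sort(key=lambda f: f[0])
    return frames

if __name__ == "__main__":
    for port, t, n in detect_mac_flood(sample_frames()):
        print(f"ALERT {port}: {n} distinct source MACs within the window at t={t:.2f}s")
```

The threshold is per port, so a trunk or uplink that legitimately carries many addresses should be listed with a higher threshold or excluded; the useful signal is an access port, which normally sees a handful of MACs, abruptly sourcing hundreds.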

Page 14: Sniffing via dsniff
Page 15: Sniffing via dsniff

Foiling Switches with Spoofed ARP Messages

● Some switches are not subject to this MAC flooding attack because they stop storing new MAC addresses when the remaining capacity of their memory reaches a given limit.

● To sniff in a switched environment where MAC flooding doesn't work, Dsniff includes a tool called arpspoof.

● As the name implies, arpspoof allows an attacker to manipulate Address Resolution Protocol (ARP) traffic.

Page 16: Sniffing via dsniff

Network Diagram before Sniffing

Page 17: Sniffing via dsniff

Step 1.

First, the IP layer of the attacker's machine is configured to forward any traffic it receives from the LAN to the IP address of the default router.

Step 2.

The attacker activates the Dsniff arpspoof program, which sends fake ARP replies to the victim's machine.

Step 3.

The attacker's fake ARP messages change the victim's ARP table by remapping the default router's IP address to the attacker's MAC address.

Essentially, the attacker tells the victim that, to reach the default router, it should use the attacker's MAC address, thereby poisoning the victim's ARP table.

Once the poisoned ARP message takes effect, all traffic from the victim machine to the outside world will be sent to the attacker's machine.

Steps involved in Arpspoofing

Page 18: Sniffing via dsniff

Steps involved in Arpspoofing

Step 4.

The victim sends the data, forwarding it to what it thinks is the default router, but using the attacker's MAC address.

Step 5.

The attacker sniffs the information from the line.

Step 6.

The attacker's machine forwards the victim's traffic to the actual default router on the LAN, because the attacker's machine was configured for IP forwarding in Step 1.
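Steps 2 and 3 leave a visible trace on the wire: ARP replies that rebind the router's IP address to a new MAC, and (once the router is poisoned too) one MAC answering for two different IP addresses. The monitor below is an added example in the spirit of arpwatch, not code from the slides or from Dsniff. It learns IP-to-MAC bindings from observed ARP replies, alerts when a binding flips, alerts when one MAC starts answering for several IPs, and checks replies against pinned entries, which is the static-ARP-table defence the last slide of the deck recommends. All addresses and the reply trace are constructed sample data.

```python
# Added example (not from the slides): ARP-reply monitor that detects the
# rebinding arpspoof causes and enforces pinned (static) gateway entries.
from collections import defaultdict

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:10"
OTHER_IP, OTHER_MAC = "192.168.1.20", "aa:aa:aa:aa:aa:20"
ATTACKER_MAC = "aa:aa:aa:aa:aa:66"   # constructed: the MAC that appears in the fake replies

# Constructed trace of (time_s, sender_ip, sender_mac) taken from ARP replies:
# normal traffic, then replies binding both the gateway and the victim to one new MAC.
SAMPLE_TRACE = [
    (0.0, GATEWAY_IP, GATEWAY_MAC),
    (0.5, VICTIM_IP, VICTIM_MAC),
    (1.0, OTHER_IP, OTHER_MAC),
    (2.0, GATEWAY_IP, GATEWAY_MAC),      # repeat of a known binding: no alert
    (5.0, GATEWAY_IP, ATTACKER_MAC),     # "router is at attacker's MAC" (sent to the victim)
    (5.1, VICTIM_IP, ATTACKER_MAC),      # "victim is at attacker's MAC" (sent to the router)
]

def monitor_arp(replies, pinned=None):
    """
    replies: iterable of (time_s, sender_ip, sender_mac).
    pinned:  optional {ip: mac} of bindings that must never change.
    Returns a list of alert strings.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    table = {}                       # ip -> mac learned so far
    ips_by_mac = defaultdict(set)    # mac -> ips it has claimed
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and pinned[ip] != mac:
            alerts.append(f"t={t:.1f}s PINNED-MISMATCH {ip} claimed by {mac} (pinned {pinned[ip]})")
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={t:.1f}s FLIP {ip} moved {prev} -> {mac}")
        table[ip] = mac
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and len(ips_by_mac[mac]) != before:
            alerts.append(f"t={t:.1f}s MULTI-IP {mac} now answers for {sorted(ips_by_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for line in monitor_arp(SAMPLE_TRACE, pinned={GATEWAY_IP: GATEWAY_MAC}):
        print(line)
```

A FLIP on its own can be benign (a replaced NIC, a DHCP lease handed to a different host), so it is worth correlating with MULTI-IP: a single MAC taking over both the gateway and a host address within seconds is the exact footprint of the two fake replies in Steps 2 and 3 and rarely has an innocent explanation.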

Page 19: Sniffing via dsniff

Network Diagram after Sniffing

Page 20: Sniffing via dsniff

Step 1 – Configure IP Forwarding

Page 21: Sniffing via dsniff

Check ARP Table before Arpspoof

Page 22: Sniffing via dsniff

Check ARP Table before Arpspoof

Page 23: Sniffing via dsniff

Step 2 – Send Fake ARP Response to Target Machine

Page 24: Sniffing via dsniff

Step 2 – Send Fake ARP Response to Router

Page 25: Sniffing via dsniff

Man-in-the-Middle Attack Successful

Page 26: Sniffing via dsniff

URLSNARF – grabs a list of all URLs from HTTP traffic

Page 27: Sniffing via dsniff

WEBSPY – views a target's web browsing in real time

Page 28: Sniffing via dsniff


Page 29: Sniffing via dsniff
Page 30: Sniffing via dsniff

Sniffing and Spoofing DNS

● DNS maps domain names to IP addresses.

● Dsniff includes a program called dnsspoof that lets an attacker send a false DNS response to a victim, which will make the victim access the attacker's machine when they intended to access another machine.

● If a user wants to surf to a given Web site, the attacker can trick the client into connecting to the attacker's Web server, where the attacker could display a fake bank login screen, gathering the victim's user ID and password.

Page 31: Sniffing via dsniff

Step 1.

The attacker fires up the dnsspoof program from the Dsniff suite. This program sniffs the LAN.

Step 2.

The victim tries to resolve the name using DNS.

Step 3.

The attacker sniffs the DNS query from the line.

Steps involved in Dnsspoof

Page 32: Sniffing via dsniff

Steps involved in Dnsspoof

Step 4.

The attacker immediately sends a fake DNS response.

This response contains a lie, claiming that the name should resolve to the attacker's Web server rather than the original server.

The victim machine will cache this incorrect DNS entry. At some later time, the real response from the real DNS server will arrive, but it will be ignored by the victim's machine.

Step 5.

Finally, the victim's browser makes a connection with the attacker's Web server instead of the desired destination.
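The race in Step 4 is also the detection opportunity: because the genuine server still answers, the client receives two responses for the same transaction ID carrying different answers a few milliseconds apart. The detector below is an added example, not code from the slides or from Dsniff. It takes a time-ordered list of observed DNS responses (timestamp, client, transaction ID, queried name, answer, source address) and reports every case where a second, conflicting answer follows the first one within a short gap, naming which answer the client will have cached. Names, addresses and the response trace are constructed sample data using RFC 5737 documentation ranges.

```python
# Added example (not from the slides): flag DNS transactions that received two
# conflicting answers, the signature of a forged reply racing the real one.

def detect_spoofed_answers(responses, max_gap_s=5.0):
    """
    responses: iterable of (time_s, client_ip, txid, qname, answer_ip, src_ip)
               in arrival order, as seen on the client-facing segment.
    Returns one alert dict per (client, txid, qname) that received a second
    response with a different answer within max_gap_s of the first.
    """
    first = {}   # (client, txid, qname) -> (time, answer, src) of the first response
    alerts = []
    for t, client, txid, qname, answer, src in responses:
        key = (client, txid, qname.lower().rstrip("."))
        if key not in first:
            first[key] = (t, answer, src)
            continue
        t0, a0, s0 = first[key]
        if answer != a0 and t - t0 <= max_gap_s:
            alerts.append({
                "client": client, "qname": key[2], "txid": txid,
                "cached_answer": a0, "cached_from": s0,   # what the resolver kept
                "late_answer": answer, "late_from": src,  # what it discarded
                "gap_ms": round((t - t0) * 1000, 1),
            })
    return alerts

# Constructed trace. The forged reply copies the resolver's address as its
# source, so the only tell is the conflicting answer that follows it.
SAMPLE_RESPONSES = [
    (0.000, "10.0.0.5", 0x1A2B, "www.example.",  "203.0.113.10", "10.0.0.1"),
    (1.000, "10.0.0.5", 0x3C4D, "www.example.",  "10.0.0.66",    "10.0.0.1"),  # forged, arrives first
    (1.020, "10.0.0.5", 0x3C4D, "www.example.",  "203.0.113.10", "10.0.0.1"),  # genuine, 20 ms later
    (3.000, "10.0.0.7", 0x7777, "mail.example.", "203.0.113.25", "10.0.0.1"),
    (3.010, "10.0.0.7", 0x7777, "mail.example.", "203.0.113.25", "10.0.0.1"),  # retransmit, same answer
]

if __name__ == "__main__":
    for a in detect_spoofed_answers(SAMPLE_RESPONSES):
        print(f"{a['client']} {a['qname']} txid=0x{a['txid']:04x}: cached {a['cached_answer']} "
              f"from {a['cached_from']}, genuine-looking {a['late_answer']} arrived {a['gap_ms']} ms later")
```

A duplicate response with the same answer (a retransmission) is deliberately not reported; only conflicting answers are. When the cached answer is an address on the local LAN while the late one is not, as in the sample, the alert is worth treating as a probable dnsspoof run rather than a misconfigured resolver.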

Page 33: Sniffing via dsniff

A DNS attack using Dsniff

Page 34: Sniffing via dsniff
Page 35: Sniffing via dsniff
Page 36: Sniffing via dsniff
Page 37: Sniffing via dsniff

Sniffing HTTPS and SSH

● Security in HTTPS and SSH is built on the trust model of the underlying public key infrastructure:

– The HTTPS server sends the browser a certificate containing the server's public key, signed by a Certificate Authority.

– The SSL connection uses a session key randomly generated by the server to encrypt data between server and client.

– With SSH, a session key is transmitted in an encrypted fashion using a private key stored on the server.

Page 38: Sniffing via dsniff

Sniffing HTTPS and SSH

● Dsniff takes advantage of poor trust decisions made by a clueless user via a man-in-the-middle attack:

– A Web browser user may trust a certificate that is not signed by a trusted party.

– An SSH user can still connect to a server whose public key has changed.

● The tools in the Dsniff suite for attacking HTTPS and SSH are:

– webmitm

– sshmitm

Here mitm stands for Monkey-in-the-Middle attack.

Page 39: Sniffing via dsniff

Step 1.

The attacker first runs the dnsspoof program, configured to send false DNS information so that a DNS query for a given Web site will resolve to the attacker's IP address. Additionally, the attacker activates the webmitm program, which will transparently proxy all HTTP and HTTPS traffic.

Step 2.

The dnsspoof program detects a DNS request and sends a DNS reply directing the client to the attacker's machine.

Step 3.

The victim's browser starts to establish an SSL connection.

Steps involved in Sniffing an HTTPS connection

Page 40: Sniffing via dsniff

Steps involved in Sniffing an HTTPS connection

Step 4.

Webmitm then acts as an SSL proxy, establishing two separate SSL connections:

– one from the victim to the attacker's machine, by sending its own certificate, and

– the other from the attacker's machine to the actual Web server.

Step 5.

As far as the Web server is concerned, it has established a valid SSL connection with the client, not knowing that it is actually communicating with the attacker's machine in the middle.

Page 41: Sniffing via dsniff

Sniffing an HTTPS connection

Page 42: Sniffing via dsniff
Page 43: Sniffing via dsniff
Page 44: Sniffing via dsniff

Bogus Certificate

● Webmitm must send the attacker's certificate to the victim so that the attacker can establish its own SSL connection with the victim and decrypt the data passed from the browser.

● When the victim's browser establishes the SSL session to the attacker, it will notice that the certificate is not signed by a trusted Certificate Authority.

● The browser will also notice that the DNS name in the certificate does not match the name of the Web site that the user is trying to access.
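The two checks just listed, the trust chain and the name match, are what stand between webmitm's bogus certificate and the victim's data; the attack only works when a client skips them. The snippet below is an added example, not code from the slides or from Dsniff, written for programs that speak TLS themselves rather than through a browser. It shows the client-side configuration that keeps both checks on (Python's ssl.create_default_context) next to the weakened configuration that mimics the "clueless user", and reimplements the name-matching rule a browser applies to a certificate's names, including the one-label wildcard restriction of RFC 6125, so the logic behind the warning is visible. The certificate names used in the usage section are constructed.

```python
# Added example (not from the slides): the two client-side checks that defeat a
# bogus certificate, as configuration and as explicit name-matching logic.
import ssl

def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """
    verify=True  -> certificate must chain to a trusted CA (CERT_REQUIRED) and
                    its name must match the host (check_hostname). Default.
    verify=False -> the weakened client that accepts any certificate; shown only
                    so the difference is explicit. Never ship this setting.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hostname_matches(cert_names, hostname: str) -> bool:
    """
    Browser-style name check over the certificate's DNS names: an exact match,
    or a wildcard that is the entire leftmost label and covers exactly one label.
    '*.example.com' matches 'www.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]   # the part the wildcard covers
                if leftmost and "." not in leftmost:
                    return True
    return False

def certificate_name_ok(cert_names, requested_host: str) -> str:
    """Human-readable verdict of the name check, as a browser would phrase it."""
    if hostname_matches(cert_names, requested_host):
        return "ok: certificate name matches the requested host"
    return f"WARNING: certificate names {list(cert_names)} do not match {requested_host}"

if __name__ == "__main__":
    strict = make_client_context()
    print("strict client:", strict.verify_mode.name, "check_hostname =", strict.check_hostname)
    weak = make_client_context(verify=False)
    print("weak client:  ", weak.verify_mode.name, "check_hostname =", weak.check_hostname)
    # Constructed names: what a proxy's own certificate might carry versus the site requested.
    print(certificate_name_ok(["proxy.attacker.test"], "www.bank.example"))
    print(certificate_name_ok(["*.bank.example"], "www.bank.example"))
```

The strict context is the default for a reason: with it, a certificate that is self-signed or issued for another name fails the handshake before any application data is sent, which is exactly the point in Step 4 where the proxy needs the client to keep going.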

Page 45: Sniffing via dsniff
Page 46: Sniffing via dsniff
Page 47: Sniffing via dsniff
Page 48: Sniffing via dsniff

Dsniff's sshmitm

● Allows the attacker to view data sent across an SSH session.

● Supports sniffing of SSH protocol version 1.

● Just like the Web browsers, the SSH client will complain that it doesn't recognize the public key inserted by the attacker.
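The complaint mentioned in the last bullet comes from the client comparing the host key the server just presented with the one recorded in its known_hosts file. The script below is an added example, not code from the slides, from Dsniff or from OpenSSH; it parses plain (non-hashed) known_hosts lines, computes the SHA256 fingerprint in the form ssh-keygen prints it, and returns the same three verdicts the client works from: first contact, match, or changed key. The Ed25519 key material is constructed from fixed bytes purely so the example runs offline; it is not a real key.

```python
# Added example (not from the slides): the known_hosts comparison behind the
# SSH client's "host key has changed" warning.
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def make_ed25519_blob(raw32: bytes) -> bytes:
    """Encode a 32-byte Ed25519 public key in the OpenSSH public-key blob format."""
    assert len(raw32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l shows it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each host name/address to (key type, key blob). Hashed (|1|) lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            table[host] = (keytype, base64.b64decode(b64))
    return table

def check_host_key(known: dict, host: str, keytype: str, presented_blob: bytes) -> str:
    """
    'unknown' -> first contact (the client asks whether to trust the key)
    'ok'      -> the recorded key matches what the server presented
    'CHANGED' -> the recorded key differs: the warning the deck refers to
    """
    entry = known.get(host)
    if entry is None:
        return "unknown"
    recorded_type, recorded_blob = entry
    if recorded_type == keytype and recorded_blob == presented_blob:
        return "ok"
    return "CHANGED"

# Constructed key material (fixed bytes, not real keys).
GENUINE_KEY = make_ed25519_blob(bytes(range(32)))
OTHER_KEY = make_ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "server.example,10.0.0.9 ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode() + "\n"

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print("recorded:", fingerprint(GENUINE_KEY))
    print("presented:", fingerprint(OTHER_KEY))
    print("verdict:", check_host_key(known, "server.example", "ssh-ed25519", OTHER_KEY))
```

The 'CHANGED' verdict is the one to take seriously: OpenSSH refuses the connection outright in that case when StrictHostKeyChecking is set to yes, and the fingerprint printed alongside the warning can be compared against one obtained out of band from the server's administrator before the entry is ever replaced.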

Page 49: Sniffing via dsniff
Page 50: Sniffing via dsniff
Page 51: Sniffing via dsniff


● It forces other connections to "play nice" with their TCP connections.

● It basically reduces the speed of a TCP connection by the following methods:

– Injecting TCP tiny window advertisements.

– Injecting ICMP source quench replies.

– Injecting ICMP fragmentation-needed replies with tiny next-hop MTUs.

● It lets the attacker slow such connections down so a sniffing tool can more easily keep up with the data.
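Each of the three methods listed above injects a packet that a healthy network almost never produces, which makes them easy to pick out of a capture. The detector below is an added example, not code from the slides or from Dsniff. It walks a list of simplified packet records (dicts with the few header fields that matter here) and flags a TCP ACK advertising a tiny window, any ICMP source quench (a message type RFC 6633 deprecated, so modern hosts should ignore it), and a fragmentation-needed message carrying a next-hop MTU below 576, the IPv4 minimum a real path would advertise. The packet trace and thresholds are constructed sample data.

```python
# Added example (not from the slides): flag the three throttling packets that
# the slowdown technique above relies on.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # code under type 3
ICMP_SOURCE_QUENCH = 4        # type 4; deprecated by RFC 6633
MIN_SANE_MTU = 576            # no real path advertises a next-hop MTU below this
MIN_SANE_WINDOW = 1024        # unscaled window below this on a data-carrying flow is suspicious

def detect_tcpnice(packets, min_window=MIN_SANE_WINDOW, min_mtu=MIN_SANE_MTU):
    """
    packets: list of dicts. TCP: {'proto': 'tcp', 'src', 'flags', 'window'}.
             ICMP: {'proto': 'icmp', 'src', 'type', 'code', optional 'mtu'}.
    Returns [(packet_index, reason), ...].
    """
    alerts = []
    for i, p in enumerate(packets):
        if p["proto"] == "tcp":
            # Caveat: the window field is the pre-scaling value. If the flow's
            # SYN carried a window-scale option, compare the scaled value instead.
            if p.get("flags") == "ACK" and p["window"] < min_window:
                alerts.append((i, f"tiny TCP window {p['window']} advertised by {p['src']}"))
        elif p["proto"] == "icmp":
            if p["type"] == ICMP_SOURCE_QUENCH:
                alerts.append((i, f"ICMP source quench from {p['src']} (deprecated by RFC 6633)"))
            elif (p["type"] == ICMP_DEST_UNREACH and p["code"] == ICMP_FRAG_NEEDED
                  and p.get("mtu", min_mtu) < min_mtu):
                alerts.append((i, f"fragmentation-needed with next-hop MTU {p['mtu']} from {p['src']}"))
    return alerts

# Constructed trace: ordinary traffic interleaved with one packet of each kind.
SAMPLE_PACKETS = [
    {"proto": "tcp",  "src": "10.0.0.5",  "flags": "ACK", "window": 64240},
    {"proto": "tcp",  "src": "10.0.0.66", "flags": "ACK", "window": 1},
    {"proto": "icmp", "src": "10.0.0.66", "type": ICMP_SOURCE_QUENCH, "code": 0},
    {"proto": "icmp", "src": "10.0.0.1",  "type": ICMP_DEST_UNREACH, "code": ICMP_FRAG_NEEDED, "mtu": 1400},
    {"proto": "icmp", "src": "10.0.0.66", "type": ICMP_DEST_UNREACH, "code": ICMP_FRAG_NEEDED, "mtu": 68},
    {"proto": "icmp", "src": "10.0.0.7",  "type": 8, "code": 0},
    {"proto": "tcp",  "src": "10.0.0.5",  "flags": "SYN", "window": 64240},
]

if __name__ == "__main__":
    for idx, reason in detect_tcpnice(SAMPLE_PACKETS):
        print(f"packet {idx}: {reason}")
```

Because all three packets in the sample come from the same LAN address, grouping alerts by source is the natural next step; a single host emitting source quench, tiny-MTU and tiny-window packets toward its neighbours is behaving like a throttling tool, not like a router.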

Page 52: Sniffing via dsniff
Page 53: Sniffing via dsniff
Page 54: Sniffing via dsniff
Page 55: Sniffing via dsniff


● It terminates existing/in-progress TCP connections.

● Its usage is very primitive (kill all connections from port number xx, or from IP address x.x.x.x, etc.).

● It allows the attacker to sniff the user ID and password on the subsequent new session.

Page 56: Sniffing via dsniff
Page 57: Sniffing via dsniff
Page 58: Sniffing via dsniff

Sniffing Defenses

● Use HTTPS for encrypted web traffic.

● Use SSH for encrypted login sessions.

● Pay attention to warning messages from your browser and SSH client.

● Get rid of hubs.

● Use static ARP tables on the end systems, hard-coding the MAC addresses for all systems on the LAN.

Page 59: Sniffing via dsniff