
CHAPTER 11: SNIFFER

Nguyễn Văn Hải
A sniffer may be a packet-capture or frame-capture tool. It intercepts the packets exchanged on the network and displays them in a command-line or GUI (graphical user interface) form so that the hacker can follow them. Some sophisticated sniffers understand the packets and can reassemble a stream of packets into the original data, such as an e-mail or a document.

1. What are sniffers?
In the dictionary, to sniff means to smell, to scent, to eavesdrop. Sniffing in general refers to methods of secretly capturing and analysing packets on a network. A sniffer is used to capture the traffic exchanged between two systems. Depending on how the sniffing is done and how well the systems are secured, a hacker can use a sniffer to discover login names, passwords and other secret information exchanged on the network. Some attacks and hacking tools require a sniffer in order to obtain important information sent from the system the hacker is targeting.

2. Protocols that are easy to sniff

Sniffing software works by capturing packets whose destination is not the MAC address of the sniffer's own system but the MAC address of a target. This is known as promiscuous mode. Normally a system on the network only reads and responds to traffic sent directly to its own MAC address, but in promiscuous mode it reads all traffic and passes it to the sniffer for processing. Promiscuous mode is enabled on the network card by installing a special driver, and some sniffing tools include a promiscuous-mode driver to make their job easier. Some protocols do not encrypt their data and are therefore very easy to sniff. Protocols such as HTTP, POP3, SNMP (Simple Network Management Protocol) and FTP are common protocols whose packets are easily captured with a sniffer and watched by a hacker to obtain values such as usernames and passwords.

Hacking Tool

Ethereal: a free sniffer that can capture packets from wired and wireless LAN connections. The latest version has since been released under a new name. Ethereal is popular and well liked because it is free, but it has one limitation: less experienced users may find it difficult to write the filters Ethereal uses to capture only certain types of packets crossing the network.

Snort: an intrusion detection system that also has sniffing capability. It can be used to detect a range of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks and SMB (Server Message Block) probes.

Windump: the Windows version of tcpdump, the Unix command-line network analyser. Windump is fully compatible with tcpdump and can be used to watch, diagnose and save network traffic to disk according to various rules.

Etherpeek: an excellent sniffer for wired networks, with extensive filtering and the ability to follow TCP/IP conversations. The newest version of Etherpeek has been renamed OmniPeek.

Winsniffer: a very effective password sniffer. It watches the traffic entering and leaving the system and decodes FTP, POP3, HTTP, ICQ, SMTP (Simple Mail Transfer Protocol), telnet, IMAP (Internet Message Access Protocol) and NNTP (Network News Transfer Protocol) usernames and passwords.

Iris: a good network traffic and data analyser that collects, stores, organises and reports on all data traffic on the network. Unlike other sniffers, Iris can reconstruct network traffic, such as graphics, documents and e-mails including file attachments.

3. Sniffing techniques
There are two different kinds of sniffing: active and passive. Passive sniffing involves listening and capturing network traffic, and it is very useful on networks connected with hubs. Active sniffing involves Address Resolution Protocol (ARP) spoofing or traffic-flooding attacks against the switch in order to capture network traffic. As its name suggests, active sniffing can be detected while passive sniffing cannot. On a network that uses hubs or wireless devices as the connecting infrastructure, every host on the network can see all of the traffic; therefore an active sniffer can capture the traffic sent to and from all hosts connected through the hub.

A switched network works differently. A switch watches the data sent to it and tries to forward packets only to the destination identified by the MAC address. The switch maintains a table of the MAC addresses of every system and the port number each is connected to. This lets the switch segment the network and deliver data only to the port where the exact destination MAC address lives. A switched network therefore handles traffic better and is more secure than a shared network built on hubs.

ARP poisoning
ARP allows a network to resolve IP addresses into MAC addresses. When a host using TCP/IP on a LAN tries to communicate with another host, it needs the MAC (hardware) address of the host it is trying to reach. It first looks in its own ARP cache to see whether the MAC address is already there; if it is not, the requesting host broadcasts an ARP request asking: "Who has the IP address I am looking for?". If the host with that IP address hears the ARP request, it answers with its MAC address and a TCP/IP session can begin.

ARP poisoning is a technique used to attack an Ethernet network. It allows a hacker to sniff data on a switched LAN or to stop all traffic on the network entirely. ARP poisoning relies on ARP spoofing, that is, sending forged or spoofed ARP messages onto the Ethernet LAN. These packets carry wrong MAC addresses that confuse network devices such as switches. As a result, frames intended for one machine can be misdirected to another (allowing the packets to be sniffed) or never reach the destination host at all (a DoS attack). ARP spoofing can be used in man-in-the-middle attacks, in which all traffic on the network is routed through one host by means of ARP spoofing and analysed to find passwords and other information.

To guard against ARP spoofing attacks, permanently add the gateway's MAC address to the system's ARP cache. On a Windows system you can do this with the command arp -s at the command line, followed by the gateway's IP address and MAC address. Doing so prevents a hacker from overwriting the ARP cache to carry out ARP spoofing against that system, but it becomes hard to manage in an environment with a large number of systems. In an enterprise environment, port-based security can be enabled on the switch to allow only one MAC address per port.
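As an added example (not part of the course text), the following Python script turns the idea behind static entries and per-port MAC limits into a detection check: it replays a constructed list of ARP replies, never lets a reply overwrite an administrator-pinned IP-to-MAC entry (the role of arp -s above), and raises an alert when the gateway IP suddenly answers from a new MAC or when one MAC claims more IP addresses than a configured limit. All addresses, the max_ips_per_mac threshold and the function names are assumptions chosen for illustration.

```python
"""ARP reply monitor (added example): flags gateway MAC changes and MACs claiming many IPs."""
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment: (timestamp, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),   # gateway answering normally
    (2, "192.168.1.10", "aa:bb:cc:dd:ee:01"),
    (3, "192.168.1.11", "aa:bb:cc:dd:ee:02"),
    (4, "192.168.1.1", "aa:bb:cc:dd:ee:99"),   # gateway IP suddenly claimed by another MAC
    (5, "192.168.1.10", "aa:bb:cc:dd:ee:99"),  # the same MAC now also claims a host IP
]

# Entries pinned by the administrator, the equivalent of `arp -s <ip> <mac>` (assumed values).
STATIC_ENTRIES = {"192.168.1.1": "00:11:22:33:44:55"}


def monitor_arp(replies, static_entries, max_ips_per_mac=1):
    """Replay ARP replies into an IP->MAC cache and return (cache, alerts).

    Alerts are (timestamp, kind, ip, mac) tuples. Static entries are never
    overwritten; a reply that contradicts one is reported and dropped.
    """
    cache = {ip: mac.lower() for ip, mac in static_entries.items()}
    ips_by_mac = defaultdict(set)   # which IPs each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)     # record the claim even if we reject it below
        if ip in static_entries and cache[ip] != mac:
            alerts.append((ts, "static-conflict", ip, mac))
            continue                # pinned entry wins, reply is discarded
        previous = cache.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "mapping-changed", ip, mac))
        cache[ip] = mac
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return cache, alerts


if __name__ == "__main__":
    final_cache, found = monitor_arp(SAMPLE_ARP_REPLIES, STATIC_ENTRIES)
    for alert in found:
        print("t=%d %-24s ip=%-14s mac=%s" % alert)
```

On the sample above the gateway's pinned entry survives the conflicting reply at t=4, while the host entry for 192.168.1.10 (which nobody pinned) is silently replaced at t=5 and only reported after the fact; that asymmetry is exactly why the text recommends pinning the gateway. The threshold of one IP per MAC is a toy setting: routers with secondary addresses and virtualisation hosts legitimately answer for several IPs, so in practice the limit is tuned per environment.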

Hacking Tool

Three popular tools for carrying out ARP spoofing are:

Arpspoof: a tool for the Linux operating system.

Ettercap: available for Windows and Linux.

ArpSpyX: for Mac OS.

Ethereal is a free sniffer that can capture packets on wired or wireless LAN connections. Some examples of Ethereal filters:

ip.dst eq www.eccouncil.org   (captures packets sent to the web server www.eccouncil.org)

ip.src == 192.168.1.1   (captures packets coming from host 192.168.1.1)

eth.dst eq ff:ff:ff:ff:ff:ff   (captures layer-2 broadcast packets)
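To make the filter syntax above concrete, here is a toy evaluator (an added example, not part of the course and not Wireshark's or Ethereal's own filter engine) that parses the same field-operator-value form, supporting == / eq, != / ne and and / or without parentheses, and applies it to frames represented as dicts. The sample frames and the field names used in them are constructed for illustration.

```python
"""Toy evaluator for Ethereal/Wireshark-style display filters (added example)."""
import re

# One comparison: `field op value`, matched after the expression is lower-cased.
_TERM = re.compile(r"^([a-z0-9_.]+)\s+(==|eq|!=|ne)\s+(\S+)$")
_EQUAL_OPS = {"==", "eq"}


def _parse_term(text):
    """Return (field, want_equal, value) for one comparison or raise ValueError."""
    m = _TERM.match(text.strip())
    if not m:
        raise ValueError("unsupported filter term: %r" % text)
    field, op, value = m.groups()
    return field, op in _EQUAL_OPS, value


def parse_filter(expr):
    """Parse 'a == x and b ne y or c eq z' into OR-alternatives of AND-ed terms."""
    alternatives = []
    for disjunct in re.split(r"\s+or\s+", expr.strip().lower()):
        alternatives.append([_parse_term(t) for t in re.split(r"\s+and\s+", disjunct)])
    return alternatives


def match(packet, alternatives):
    """True if the packet satisfies every term of at least one alternative."""
    for terms in alternatives:
        if all((str(packet.get(field, "")).lower() == value) == want_equal
               for field, want_equal, value in terms):
            return True
    return False


def apply_filter(packets, expr):
    """Keep only the packets that match the display-filter expression."""
    alternatives = parse_filter(expr)
    return [p for p in packets if match(p, alternatives)]


# Constructed sample frames (not a real capture); keys mirror Wireshark field names.
SAMPLE_PACKETS = [
    {"eth.dst": "ff:ff:ff:ff:ff:ff", "ip.src": "192.168.1.1", "ip.dst": "192.168.1.255"},
    {"eth.dst": "aa:bb:cc:dd:ee:01", "ip.src": "192.168.1.1", "ip.dst": "192.168.1.10"},
    {"eth.dst": "aa:bb:cc:dd:ee:02", "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1"},
]

if __name__ == "__main__":
    for expr in ("ip.src == 192.168.1.1", "eth.dst eq ff:ff:ff:ff:ff:ff"):
        print(expr, "->", len(apply_filter(SAMPLE_PACKETS, expr)), "frame(s)")
```

A field that is absent from a frame compares as the empty string, so a ne term matches frames that lack the field entirely; real display-filter engines treat that case separately and also support ranges, substring operators and protocol presence tests, none of which this toy handles.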

MAC flooding
A packet sniffer on a switched network cannot capture all traffic the way it can on a hub-based network; instead it captures only the packets entering or leaving its own system. An additional tool is needed to capture all traffic on a switched network. Essentially there are two ways to sniff actively and make the switch send the traffic passing through it to the sniffing system: ARP spoofing and flooding. As noted above, ARP spoofing targets the MAC address of the network's gateway so that all traffic addressed to the gateway arrives at the sniffing system. A hacker can also flood a switch with so much traffic that it stops behaving as a switch and instead behaves as a hub, sending all traffic to every port. This active-sniffing attack lets a system running a sniffer capture all of the network's traffic.
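An added example (not from the course text) that models what this section describes from the switch's side: a learning switch with a fixed-size CAM table. Flooding it with random source MACs fills the table, after which a newly seen host cannot be learned and frames for it are flooded to every port, hub-style; with a per-port MAC limit (the port security mentioned earlier) the offending port is disabled on the first violation and the table stays small. The capacity, port numbers, MAC addresses and function names are assumptions.

```python
"""Learning-switch model showing MAC flooding and the port-security defence (added example)."""
import random


class Switch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity          # how many MAC->port entries fit
        self.max_macs_per_port = max_macs_per_port  # None = port security disabled
        self.cam = {}                             # src_mac -> ingress port
        self.shutdown_ports = set()
        self.violations = []                      # (port, mac) that triggered err-disable

    def learn(self, port, src_mac):
        """Process one ingress frame; return 'known', 'learned', 'full' or 'violation'."""
        if port in self.shutdown_ports:
            return "violation"
        if src_mac in self.cam:
            return "known"
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, src_mac))
                self.shutdown_ports.add(port)     # err-disable the port
                return "violation"
        if len(self.cam) >= self.cam_capacity:
            return "full"                         # cannot learn: this MAC stays unknown
        self.cam[src_mac] = port
        return "learned"

    def floods_like_hub(self, dst_mac):
        """An unknown destination is sent out every port, which is what a sniffer wants."""
        return dst_mac not in self.cam


def random_mac(rng):
    return ":".join("%02x" % rng.randrange(256) for _ in range(6))


def simulate(max_macs_per_port=None, cam_capacity=64, flood_frames=200, seed=1):
    """Run one scenario and return the observable outcome as a dict."""
    rng = random.Random(seed)
    sw = Switch(cam_capacity, max_macs_per_port)
    legit = {1: "aa:bb:cc:00:00:01", 2: "aa:bb:cc:00:00:02", 3: "aa:bb:cc:00:00:03"}
    for port, mac in legit.items():              # normal hosts are learned first
        sw.learn(port, mac)
    # Port 4 sends a burst of frames with random (constructed) source MACs.
    results = [sw.learn(4, random_mac(rng)) for _ in range(flood_frames)]
    # Afterwards a new legitimate host appears on port 5.
    late_mac = "aa:bb:cc:00:00:05"
    late_host = sw.learn(5, late_mac)
    return {
        "cam_size": len(sw.cam),
        "flood_results": results,
        "late_host": late_host,
        "late_host_flooded": sw.floods_like_hub(late_mac),
        "port4_shutdown": 4 in sw.shutdown_ports,
    }


if __name__ == "__main__":
    for limit in (None, 1):
        r = simulate(max_macs_per_port=limit)
        print("port-security limit=%s: cam=%d late host=%s flooded=%s port4 down=%s" % (
            limit, r["cam_size"], r["late_host"], r["late_host_flooded"], r["port4_shutdown"]))
```

Real switches age CAM entries out and have far larger tables, so a flood has to be sustained; the model keeps entries forever to make the failure visible in a few hundred frames. The detection signal for operators is the same in both cases: a single access port that sources many distinct MAC addresses in a short window.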

DNS spoofing technique

DNS spoofing (DNS poisoning) is a technique that tricks a DNS server into believing it has received authentic information when in fact it has not. Once the DNS server is poisoned, the bogus information is usually cached for some time, which spreads the effect of the attack to the server's users. When a user requests a particular website address, that address is looked up on the DNS server to find the corresponding IP address. If the DNS server has been compromised, the user is redirected to a site other than the one requested, for example a fake website. To carry out a DNS attack, the attacker exploits a flaw in the DNS server software that makes it accept incorrect information. If the server does not correctly validate DNS responses to ensure they come from trusted sources, it ends up caching the wrong entries and serving them to users who make the same request later. This technique can be used to replace arbitrary content for a set of victims with content of the attacker's choosing. For example, an attacker poisons the IP address entries for a target website on a given DNS server, replacing them with the IP address of a server the hacker controls. The attacker then creates fake files on that server whose names match the file names on the attacked server. Those files may contain malicious content such as worms or viruses. A user whose computer consults the poisoned DNS server is tricked into thinking the content comes from the attacked server and unwittingly downloads the malicious files.
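The validation this paragraph says a vulnerable server lacks, written out as an added Python example (not from the course text): a stub resolver that records each query it sends and accepts a response only when the source server, transaction ID and question match an outstanding query and the answer is for the name that was asked about; anything else is logged and discarded instead of being cached. Messages are constructed dicts rather than wire-format DNS, and the addresses and names are documentation values chosen for illustration.

```python
"""Stub resolver that refuses DNS responses it never asked for (added example)."""
import time


class StubResolver:
    def __init__(self, upstream):
        self.upstream = upstream      # (ip, port) of the one server we send queries to
        self.pending = {}             # txid -> qname for queries still awaiting an answer
        self.cache = {}               # qname -> (ip, expires_at)
        self.rejected = []            # (txid, reason) for every discarded response

    def send_query(self, txid, qname):
        """Remember the outstanding query; returns the message we would put on the wire."""
        self.pending[txid] = qname
        return {"txid": txid, "qname": qname, "dst": self.upstream}

    def receive(self, resp, now=None):
        """Accept and cache a response only if it matches an outstanding query."""
        now = time.time() if now is None else now
        txid, qname = resp["txid"], resp["qname"]
        reason = None
        if resp["src"] != self.upstream:
            reason = "unexpected source"
        elif txid not in self.pending:
            reason = "no outstanding query with this txid"
        elif self.pending[txid] != qname:
            reason = "question does not match query"
        elif resp["answer_name"] != qname:
            reason = "answer is for a different name"   # out-of-bailiwick data
        if reason:
            self.rejected.append((txid, reason))
            return False
        del self.pending[txid]        # a replay of the same response is now rejected too
        self.cache[qname] = (resp["ip"], now + resp["ttl"])
        return True

    def lookup(self, qname, now=None):
        """Return the cached address for qname, or None if absent or expired."""
        now = time.time() if now is None else now
        entry = self.cache.get(qname)
        if entry and entry[1] > now:
            return entry[0]
        return None


def demo():
    """Constructed scenario: three bogus responses, then the genuine one."""
    r = StubResolver(upstream=("10.0.0.53", 53))
    r.send_query(0x1A2B, "www.example.com")
    base = {"qname": "www.example.com", "answer_name": "www.example.com", "ttl": 3600}
    spoofed = [
        dict(base, txid=0x1A2B, ip="198.51.100.7", src=("203.0.113.9", 53)),  # wrong source
        dict(base, txid=0x0001, ip="198.51.100.7", src=("10.0.0.53", 53)),    # guessed txid
        dict(base, txid=0x1A2B, ip="198.51.100.7", src=("10.0.0.53", 53),
             answer_name="mail.example.com"),                                   # other name
    ]
    spoof_results = [r.receive(m, now=1000) for m in spoofed]
    genuine = dict(base, txid=0x1A2B, ip="192.0.2.10", ttl=60, src=("10.0.0.53", 53))
    genuine_result = r.receive(genuine, now=1000)
    replayed = r.receive(genuine, now=1001)
    return {
        "spoof_results": spoof_results,
        "genuine": genuine_result,
        "replayed": replayed,
        "cached": r.lookup("www.example.com", now=1030),
        "expired": r.lookup("www.example.com", now=1100),
        "reasons": [reason for _, reason in r.rejected],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The model deliberately keeps only one outstanding query per transaction ID; production resolvers additionally randomise the ID and the UDP source port so that a blind guess, the second spoofed message above, has a very small chance of matching.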

Types of DNS spoofing attack:

Intranet spoofing: acting as a device on the same internal network.

Internet spoofing: acting as a device on the Internet.

Proxy server DNS poisoning: modifying the DNS entries on a proxy server to redirect users to a different host.

DNS cache poisoning: modifying the DNS entries on some system to redirect users to a different host.

Hacking Tools

EtherFlood is used to flood an Ethernet switch with traffic so that it turns into a hub. In this way an attacker can capture all traffic on the network, whereas normally, on a switch, only the traffic to and from the attacker's own system would be captured.

Dsniff is a collection of Unix-executable tools designed for network auditing and penetration testing. The following tools are included in Dsniff: filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy. These tools passively monitor a vulnerable shared network (such as a LAN where the sniffer sits behind any external firewall) to pull out the data of interest (passwords, e-mail, files, etc.). Sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH (secure shell) and HTTPS sessions. Arpspoof, dnsspoof and macof work to intercept traffic passing through a switch that would normally not be available to a sniffer because of how a switch works. To get around the problems of layer-2 packet switching, dsniff convinces devices that it is the gateway through which data must pass to leave the network.

IP Restrictions Scanner (IRS) is commonly used to discover the IP restrictions set for a particular service on a host. It combines ARP poisoning with stealth TCP or half-scan techniques and checks, one by one, spoofed TCP connections to a chosen port of the target. IRS scans hosts and network devices such as routers and switches to identify access-control features such as access-control lists (ACLs), IP filters and firewall rules.

sTerm is a Telnet client with a unique feature: it can establish a bidirectional Telnet session to the target host without ever sending its real IP address or real MAC address in any packet. Using ARP poisoning, MAC spoofing and IP spoofing techniques, sTerm can effectively bypass ACLs, firewall rules and IP restrictions on hosts and network devices.

Cain & Abel is a multi-purpose attack tool for Windows. It allows easy recovery of various kinds of passwords by sniffing the network; cracking encrypted passwords using dictionary and brute-force attacks (in computer programming, brute force is a method of solving a hard problem by repeating a simple procedure many times; computers check spelling by this brute-force method, not really checking spelling but comparing every word in your document against the words of a built-in spelling dictionary); recording VoIP calls; decoding scrambled passwords; revealing password boxes; uncovering passwords cached in memory; and analysing routing protocols. The latest version includes many new features, such as ARP Poison Routing (APR), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyse encrypted protocols such as SSH-1 and HTTPS, and it includes filters for capturing credentials from a wide range of authentication mechanisms.

Packet Crafter is a tool commonly used to create custom TCP/IP/UDP packets. It can change the source address of packets to perform IP spoofing and can control the IP flags and TCP flags, sequence numbers and ACK numbers.

SMAC is a tool that can change the MAC address of the system. It lets a hacker spoof the MAC address when carrying out an attack.

MAC Changer is a tool used to spoof MAC addresses on Unix. It can set a specific MAC address on a given interface, set a random MAC address, set a MAC address from another vendor, set a different MAC address from the same vendor, set a MAC address of the same kind, or even display a list of vendor MAC addresses to choose from.

WinDNSSpoof is a simple DNS ID spoofing tool for Windows. To use it on a switched network you must be able to sniff the victim's traffic, so it may be combined with an ARP spoofing or flooding tool.

Distributed DNS Flooder sends a large number of queries to create a DoS (denial of service) attack that disables DNS. If the daemon software logs the incorrect queries, the effect of the attack is amplified.

4. Sniffing countermeasures

The best defence against a sniffer on the network is encryption. Although encryption does not prevent sniffing, it makes any data captured by sniffing useless because the hacker cannot read it. Encryption such as AES and RC4 or RC5 can be used in VPN technology, and these are the common standards for defeating sniffers.

Countermeasures Tool

netINTERCEPTOR is a firewall against spam and viruses. It has many advanced filtering options, can learn and adapt, and can recognise new kinds of spam. It also blocks and quarantines the latest Trojan-infected e-mails, preventing a Trojan from being installed that could in turn install a sniffer.

Sniffdet is a set of tests for remotely detecting sniffers in a TCP/IP environment. Sniffdet runs various tests to detect machines running in promiscuous mode or with a sniffer.

WinTCPKill is a tool for terminating TCP connections on Windows. It requires the ability to use a sniffer to sniff the traffic to and from the victim machine. On a switched network, WinTCPKill can use an ARP cache poisoning tool to carry out ARP spoofing.

5. Lesson summary
How a sniffer works: a sniffer operates in promiscuous mode, meaning it captures all traffic, not only the frames addressed to its own MAC address. The difference between sniffing on a hub-based network and on a switched network: all traffic is broadcast by hubs, but it is split into segments by a switch. To sniff on a switched network, flooding or ARP spoofing tools must be used. The difference between active and passive sniffing: active sniffing is used to trick the attacked switch into acting as a hub so that it sends all traffic to the attacker; passive sniffing captures the packets broadcast on the network.
