Nguyễn Văn Hải
A sniffer can be a packet-capture or frame-capture tool. It intercepts the packets exchanged on the network and displays them in a command-line or GUI (graphical user interface) format so that the hacker can follow them. Some sophisticated sniffers understand the packets and can reassemble packet streams into the original data, such as an e-mail or a document.
1. What are sniffers?
According to the dictionary, to sniff means to smell, to scent, to eavesdrop. A sniffer, in general, refers to the methods of covertly capturing and analysing packets on a network. A sniffer is used to capture the network traffic exchanged between two systems. Depending on how the eavesdropping is done and how well the system is secured, a hacker can use a sniffer to discover user names, passwords and other confidential information exchanged on the network. Some attacks and hacking tools require a sniffer in order to obtain important information sent from the system the hacker is targeting.
Hacking Tool
Ethereal: a free sniffing program that can capture packets from wired and wireless LAN connections. Its latest version has since been renamed. Ethereal is a popular and well-liked program because it is free, but it has a few limitations. Less experienced users may find it hard to write Ethereal filters that capture only certain kinds of packets crossing the network.
Snort: an intrusion detection system (IDS) that also has sniffing capability. It can be used to detect a wide range of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks and SMB (Server Message Block) probes.
Windump: the Windows version of tcpdump, the Unix command-line network analyser. Windump is fully compatible with tcpdump and can be used to watch, diagnose and save network traffic to disk according to various rules.
Etherpeek: an excellent sniffer for wired networks, with extensive filters and the ability to follow TCP/IP conversations. The latest version of Etherpeek has been renamed OmniPeek.
Winsniffer: a very effective password sniffer. It watches the traffic entering and leaving the system and decodes FTP, POP3, HTTP, ICQ, SMTP (Simple Mail Transfer Protocol), telnet, IMAP (Internet Message Access Protocol) and NNTP (Network News Transfer Protocol) user names and passwords.
Iris: a good network traffic and data analyser; it collects, stores, organises and reports on all the data flowing across the network. Unlike other sniffers, Iris can reconstruct network traffic such as graphics, documents and e-mails, including attachments.
3. Sniffing techniques
There are two different kinds of sniffing: active and passive. Passive sniffing involves listening to and capturing network traffic, and it is very useful on networks connected with hubs. Active sniffing involves spoofing the Address Resolution Protocol (ARP) or flooding a switch with traffic in order to capture the traffic on the network. As its name suggests, active sniffing can be detected, whereas passive sniffing cannot. On a network that uses hubs or wireless media to connect systems, all hosts on the network can see all traffic; therefore an active
A network that uses switches behaves differently. The switch looks at the data sent to it and tries to forward the packets to their intended destinations, identified by MAC address. The switch keeps a table of the MAC addresses of all systems and the port numbers through which they are connected. This lets the switch divide the network into segments and deliver data only to the destination with the correct MAC address. A switched network can carry traffic better and is more secure than a shared network built on hubs.
ARP poisoning
ARP allows a network to resolve IP addresses into MAC addresses. When a host using TCP/IP on a LAN tries to communicate with another host, it needs the MAC (hardware) address of the host it is trying to reach. It first looks in its ARP cache to see whether the MAC address is already there; if it is not, the host broadcasts an ARP request asking: who has the IP address I am looking for? If the host with that IP address hears the ARP request, it replies with its MAC address, and a TCP/IP session can begin.
ARP poisoning is a technique used to attack an Ethernet network; it lets a hacker sniff data on a switched LAN or bring all traffic on the network to a halt. ARP poisoning uses ARP spoofing, whose aim is to send fake, or spoofed, ARP messages onto the Ethernet LAN. Packets containing wrong MAC addresses confuse network devices such as switches. As a result, packets meant for one machine may be mistakenly sent to another (allowing the packets to be sniffed) or may never reach the destination host (a DoS attack). ARP spoofing can be used in a man-in-the-middle attack, in which all packets crossing the network are routed through one host by means of ARP spoofing and analysed to find passwords and other information.
To prevent ARP spoofing attacks, keep the gateway's MAC address permanently in the system's ARP cache. On a Windows system you can do this with the command arp -s at the command line, followed by the gateway's IP address and MAC address. Doing so prevents a hacker from overwriting the ARP cache to carry out ARP spoofing on the system, but it becomes hard to manage in a large environment because of the number of systems. In an enterprise environment, port-based security can be enabled on the switch to allow only one MAC address per port.
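As an added example (not part of the original lesson), the following Python script applies the same idea defensively: it holds a static IP-to-MAC entry for the gateway, as arp -s would, and flags any ARP reply that contradicts a trusted or previously learned binding. The ARP replies are constructed sample data and the addresses are assumed.

```python
"""Detect ARP poisoning by checking ARP replies against trusted and learned bindings."""
from collections import defaultdict

# Constructed sample of observed ARP replies: (sequence number, sender IP, sender MAC).
# The gateway 192.168.1.1 is legitimately at aa:aa:aa:aa:aa:01; reply 4 is another
# host claiming the gateway's IP, the signature of ARP spoofing (assumed values).
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (3, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a foreign MAC
    (5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (6, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # the real gateway answers again
]

# Trusted static bindings, the equivalent of 'arp -s <ip> <mac>' on Windows.
STATIC_ENTRIES = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, static_entries):
    """Return one alert (seq, ip, reason) per reply that contradicts a binding.

    A static entry is never overwritten; a learned entry is the first MAC seen
    for an IP, so a later reply with a different MAC is reported as a change."""
    learned = {}
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        if ip in static_entries:
            if mac != static_entries[ip].lower():
                alerts.append((seq, ip, f"static entry {static_entries[ip]} contradicted by {mac}"))
            continue                       # trusted binding: nothing to learn
        previous = learned.setdefault(ip, mac)
        if previous != mac:
            alerts.append((seq, ip, f"learned {previous}, reply now claims {mac}"))
    return alerts


def macs_per_ip(replies):
    """Map each IP to the set of MACs that have claimed it; more than one is suspicious."""
    claims = defaultdict(set)
    for _seq, ip, mac in replies:
        claims[ip].add(mac.lower())
    return dict(claims)


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, STATIC_ENTRIES):
        print("ALERT", alert)
    print({ip: len(macs) for ip, macs in macs_per_ip(SAMPLE_REPLIES).items()})
```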
Hacking Tool
Three popular tools for ARP spoofing are: Arpspoof, a tool for Linux; Ettercap, available for Windows and Linux; and ArpSpyX, for Mac OS. Ethereal is a free sniffer that can capture packets on wired or wireless LAN connections. Some examples of Ethereal filters:
ip.dst eq www.eccouncil.org: captures packets sent to the web server www.eccouncil.org
ip.src == 192.168.1.1: captures packets coming from the host 192.168.1.1
eth.dst eq ff:ff:ff:ff:ff:ff: captures layer-2 broadcast packets
MAC flooding
A packet sniffer on a switched network cannot capture all the network traffic the way it can on a hubbed network; instead it captures only the packets entering or leaving its own system. An additional tool is needed to capture all the traffic on a switched network. Basically there are two ways to do active sniffing and make the switch send the traffic passing through it to the sniffing system: ARP spoofing and flooding. As noted above, ARP spoofing targets the MAC address of the network's gateway, so that all traffic destined for the gateway is received on the sniffing system. A hacker can also flood a switch with so much traffic that it stops behaving as a switch and behaves as a hub instead, sending all traffic out of every port. An active sniffing attack lets a system running a sniffer capture all the traffic on the network.
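An added example, not from the original lesson: a defender can detect a flooding attempt by counting the distinct source MAC addresses seen per switch ingress port inside a short time window, since a normal access port carries a handful while a flooded port shows hundreds. The frames below are constructed sample data, and the port numbers, window and threshold are assumed.

```python
"""Flag switch ports whose count of distinct source MACs spikes, the signature of MAC flooding."""
from collections import defaultdict, deque


def make_sample_frames():
    """Constructed frames as (time in seconds, ingress port, source MAC).

    Ports 1 and 2 each carry one ordinary host; port 3 sources 300 different
    MACs within two seconds, the way a flooding tool fills the switch's table."""
    frames = []
    for t in range(10):
        frames.append((float(t), 1, "aa:aa:aa:aa:aa:01"))
        frames.append((t + 0.5, 2, "aa:aa:aa:aa:aa:02"))
    for i in range(300):
        fake_mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        frames.append((5.0 + i / 150.0, 3, fake_mac))
    return frames


def detect_mac_flooding(frames, window_s=1.0, threshold=50):
    """Return ({port: peak distinct MACs in any window}, [ports over threshold]).

    Frames are processed in time order; per port, a sliding window of the last
    window_s seconds is kept and the number of distinct MACs in it is measured."""
    recent = defaultdict(deque)          # port -> deque of (time, mac)
    peak = defaultdict(int)
    for t, port, mac in sorted(frames):
        window = recent[port]
        window.append((t, mac))
        while window and t - window[0][0] > window_s:
            window.popleft()             # drop frames older than the window
        distinct = len({m for _, m in window})
        if distinct > peak[port]:
            peak[port] = distinct
    flooded = sorted(p for p, n in peak.items() if n > threshold)
    return dict(peak), flooded


if __name__ == "__main__":
    peaks, flooded = detect_mac_flooding(make_sample_frames())
    for port, n in sorted(peaks.items()):
        print(f"port {port}: peak {n} distinct source MACs within one second")
    print("ports that look flooded:", flooded)
```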
DNS proxy server poisoning modifies the DNS entries on the proxy server in order to redirect users to a different host.
Hacking Tools
EtherFlood is used to flood an Ethernet switch with traffic so that it turns into a hub. In this way an attacker can capture all traffic on the network, whereas by rule only the traffic to and from their own system would be captured, as is the case with a switch.
Dsniff is a collection of Unix-executable tools designed to monitor a network for intrusion. Dsniff includes the following tools: filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy. These tools passively monitor a vulnerable shared network (such as a LAN where the sniffer sits behind whatever firewall is on the perimeter) to pick off the data of interest (passwords, e-mail, files and so on). Sshmitm and webmitm mount active man-in-the-middle attacks against redirected SSH (secure shell) and HTTPS sessions. Arpspoof, dnsspoof and macof work to intercept traffic passing through a switch that would not normally be available to a sniffing program because of the nature of a switch. To get around the problems of layer-2 packet switching, dsniff fools devices into believing it is the gateway through which data must pass to leave the network.
IP Restrictions Scanner (IRS) is usually used to find the IP restrictions configured for individual services on a host. It combines ARP poisoning with TCP connect or half-scan techniques and checks each spoofed TCP connection against the selected port of the target. IRS scans hosts and network devices such as routers and switches to determine access-control features such as access-control lists (ACLs), IP filters and firewall rules.
sTerm is a Telnet client with unique features: it can set up a bidirectional Telnet session to the target host without ever sending its real IP address or real MAC address in any packet. Using ARP poisoning, MAC spoofing and IP spoofing techniques, sTerm can effectively bypass ACLs, firewall rules and IP restrictions on hosts and network devices.
Cain & Abel is a multipurpose attack tool for Windows. It makes it easy to recover various kinds of passwords by sniffing the network. It cracks encrypted passwords using dictionary and brute-force attacks (in computer programming, brute force is a method of solving a hard problem by repeating a simple procedure many times; computers do spell checking by this brute-force, literally crude-force, method: they do not really check spelling, but simply compare every word in your document against the words of a built-in spelling dictionary), records VoIP calls, decodes scrambled passwords, reveals password boxes, uncovers passwords stored in memory and analyses routing protocols. The latest version includes many new features such as ARP Poison Routing (APR), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyse encrypted protocols such as SSH-1 and HTTPS, and it contains filters to capture credentials from a wide range of authentication mechanisms.
Packet Crafter is a tool commonly used to create custom TCP/IP/UDP packets. It can change the source address of packets to perform IP spoofing and can control the IP flags and TCP flags, sequence numbers and ACK (acknowledgement) numbers.
SMAC is a tool that can change the system's MAC address. It helps a hacker spoof a MAC address while carrying out an attack.
MAC Changer is a tool used to spoof MAC addresses on Unix. It can be used to set a specific MAC address on a given interface, set a random MAC address, set a MAC address of a different vendor, set another MAC address of the same vendor, set a MAC address of the same kind, or even display a list of vendor MAC addresses to choose from.
WinDNSSpoof is a simple DNS ID spoofing tool for Windows. To use it on a switched network, you must be able to sniff the victim machine's traffic, so it may be combined with an ARP spoofing or flooding tool.
Distributed DNS Flooder sends a large number of queries to create a DoS (denial of service) attack that disables DNS. If the daemon software logs the invalid queries, the effect of the attack is amplified.
Countermeasure Tools
netINTERCEPTOR is a firewall against spam and viruses. It has many advanced filtering options, can learn and adapt, and can recognise new kinds of spam. It also blocks and quarantines the latest Trojan-infected e-mails, preventing a Trojan from installing itself and possibly installing a sniffer.
Sniffdet is a set of tests for detecting sniffers remotely in a TCP/IP environment. Sniffdet performs various tests to detect machines running in promiscuous mode or with a sniffer.
WinTCPKill is a TCP connection termination tool for Windows. It requires the ability to use a sniffer to sniff the victim machine's incoming and outgoing traffic. On a switched network, WinTCPKill can use an ARP cache poisoning tool to perform ARP spoofing.
5. Lesson summary
How a sniffer works: a sniffer operates in promiscuous mode, which means it captures all traffic and not only the frames addressed to its own MAC address.
The difference between sniffing on a hubbed network and on a switched network: all traffic is broadcast by hubs, but it is divided into segments by a switch. To sniff on a switched network, flooding or ARP spoofing tools must be used.
The difference between active and passive sniffing: active sniffing is used to trick the attacked switch into acting as a hub so that the switch sends all network traffic to the attacker. Passive sniffing captures the packets broadcast on the network.