
Upload: akanksha

Post on 13-Jul-2016

A Report on Packet Sniffing

CHAPTER-1

INTRODUCTION

1.1 Brief Overview of Packet Sniffing: Packet sniffing is a method of tapping each packet as it flows across the network; i.e., it is a technique in which a user sniffs data belonging to other users of the network. Packet sniffers can operate as an administrative tool or for malicious purposes, depending on the user's intent. Network administrators use them for monitoring and validating network traffic. Packet sniffers are basically applications: programs that read packets as they travel across the network layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack (the packets are retrieved from the network layer and the data is interpreted). Packet sniffers are utilities that can be used efficiently for network administration, but they can also be used for nefarious activities. However, a user can employ a number of techniques to detect sniffers on the network and protect data from them. The technique behind packet sniffing on shared-bus broadcast LANs is explained below.

1.2 Description: Imagine this: you're sitting in your local coffee shop sucking down your morning caffeine fix before heading into the office. You catch up on your work e-mail, you check Facebook and you upload that financial report to your company's FTP server. Overall, it's been a constructive morning. By the time you get to work, there's a whirlwind of chaos throughout the office. That incredibly sensitive financial report you uploaded was somehow leaked to the public, and your boss is outraged by the crass and unprofessional e-mail you just sent him. Was there some hacker lurking in the shadows who broke into your company's network and decided to lay the blame on you? More than likely not. This mischievous ne'er-do-well was probably sitting in the coffee shop you stopped at and seized the opportunity. Without some form of countermeasures, your data isn't safe on public networks. This example is a worst-case scenario on the far end of the spectrum, but it isn't so far-fetched. There are people out there who are capable of stealing your data. The best defence is to know what you can lose, how it can get lost and how to defend against it. Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Most of the time, we system administrators use packet sniffing to troubleshoot network problems (like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is continuously connected to a remote machine on port 6667 when you don't use IRC clients), and that is what this type of analysis was originally designed for. But that didn't stop people from finding more creative ways to use these tools. The focus quickly moved away from its original intent, so much so that packet sniffers are now considered security tools instead of network tools. Finding out what someone on your network is doing on the Internet is no longer some arcane and mystifying talent. Tools like Wireshark, Ettercap or NetworkMiner give anybody the ability to sniff network traffic with a little practice or training. These tools have become increasingly easy to use and continue to make things easier to comprehend, which makes them usable by a broader user base.

Packet Sniffing 1

CHAPTER-2

LITERATURE SURVEY

2.1 Literature Review: This chapter reviews the development of network and Internet technologies over time, followed by an in-depth review of the work related to network threats and security. "A network is a conduit for information; it can be as simple as two tin cans tied together with a string or as complicated as the Internet." Networks can develop at various levels: individual (social network), organizational, inter-organizational, international, etc. Castells explains that a network "is constituted by the intersection of segments of autonomous systems of goals". The evolution of the Internet has been widely chronicled. Resulting from a research project that established communications among a handful of geographically distributed systems, the Internet now covers the globe as a vast collection of networks made up of millions of systems. Government, corporations, banks, and schools conduct their day-to-day business over the Internet. With such widespread use, the data that resides on and flows across the network varies from banking and securities transactions to medical records, proprietary data, and personal correspondence. The Internet is the "world's largest collection of networks that reaches universities, government labs, commercial enterprises, and military installations in many countries".

2.1.1 OSI Model and Various Protocols: The flow of information from a software application in one computer, through a network medium, to a software application in another computer is described in the following section. The Open Systems Interconnection (OSI) reference model and the various protocols supporting the interconnection infrastructure are also explained here in greater detail.

1.1.1 Open System Interconnection Model: The OSI reference model is a conceptual model composed of seven layers, each specifying a particular set of network functions. The model was developed by the International Organization for Standardization (ISO) in 1984, and it is now considered the primary architectural model for inter-computer communications. The OSI model divides the tasks involved with moving information between networked computers into seven smaller, more manageable task groups. A task or group of tasks is then assigned to each of the seven OSI layers. Each layer is reasonably self-contained, so that the tasks assigned to each layer can be implemented independently. This enables the solutions offered by one layer to be updated without adversely affecting the other layers.

1. Layer 7: Application
2. Layer 6: Presentation
3. Layer 5: Session
4. Layer 4: Transport
5. Layer 3: Network
6. Layer 2: Data link
7. Layer 1: Physical

The seven layers of the OSI reference model can be divided into two categories: upper layers and lower layers. The physical layer and the data link layer are implemented in hardware and software. The lowest layer, the physical layer, is closest to the physical network medium (the network cabling, for example) and is responsible for actually placing information on the medium.

2.1.2 Internet Protocol (IP): The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in and is the primary network-layer protocol in the Internet protocol suite. Along with the Transport Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork, and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes. There is no notion of a virtual circuit or "phone call" at the IP level: every packet stands alone. IP is an unreliable datagram service. No guarantees are made that packets will be delivered, delivered only once, or delivered in any particular order. Nor is there any check for packet correctness: the checksum in the IP header covers only the header. A packet travelling a long distance will pass through many hops. Each hop terminates in a host or router, which forwards the packet to the next hop based on routing information.
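As an added illustration of the two IP responsibilities just listed (this is not code from the report), the following Python fragments a datagram into MTU-sized pieces, reassembles them in whatever order they arrive, and shows that the header checksum protects only the header. The addresses, MTU and payload are constructed sample values; the 20-byte option-less header layout follows RFC 791, and the function names are this example's own.

```python
import struct
from typing import Dict, List, Tuple

# Constructed example for section 2.1.2: a minimal IPv4 fragmenter/reassembler
# with the RFC 791 header checksum. Option-less 20-byte headers only; every
# address, identifier and MTU below is made up for the demonstration.

IP_HDR_LEN = 20
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/fragment-offset field


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit header words. It covers the header only,
    which is the report's point: a damaged payload is not noticed at this layer."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(total_len: int, ident: int, flags_offset: int, proto: int,
                 src: bytes, dst: bytes) -> bytes:
    """Pack a header with checksum field zero, then patch the computed checksum in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_offset,
                      64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fragment(payload: bytes, mtu: int, ident: int, proto: int,
             src: bytes, dst: bytes) -> List[bytes]:
    """Split one datagram so each fragment fits the link MTU. Fragment data must be
    a multiple of 8 bytes because the offset field counts 8-byte units."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IPv4 header")
    frags = []
    for pos in range(0, len(payload), max_data):
        chunk = payload[pos:pos + max_data]
        more = pos + len(chunk) < len(payload)
        flags_offset = (MF_FLAG if more else 0) | (pos // 8)
        hdr = build_header(IP_HDR_LEN + len(chunk), ident, flags_offset, proto, src, dst)
        frags.append(hdr + chunk)
    return frags


def reassemble(packets: List[bytes]) -> Dict[Tuple[bytes, bytes, int, int], bytes]:
    """Group fragments by (src, dst, id, proto) and return only complete datagrams.
    Fragments may arrive out of order or duplicated, exactly as the report notes;
    a fragment whose header fails the checksum is dropped, leaving a hole."""
    groups: Dict[tuple, dict] = {}
    for pkt in packets:
        hdr = pkt[:IP_HDR_LEN]
        if ip_checksum(hdr) != 0:               # valid header sums to zero
            continue
        (_, _, tot_len, ident, fo, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr)
        key = (src, dst, ident, proto)
        offset = (fo & 0x1FFF) * 8
        data = pkt[IP_HDR_LEN:tot_len]
        g = groups.setdefault(key, {"parts": {}, "end": None})
        g["parts"][offset] = data               # a duplicate simply overwrites
        if not fo & MF_FLAG:                    # last fragment fixes the total length
            g["end"] = offset + len(data)
    done = {}
    for key, g in groups.items():
        if g["end"] is None:
            continue
        buf, pos = b"", 0
        for off in sorted(g["parts"]):
            if off != pos:                      # gap: datagram still incomplete
                break
            buf += g["parts"][off]
            pos += len(g["parts"][off])
        if pos == g["end"]:
            done[key] = buf
    return done
```

A flipped bit in a fragment's payload would still pass `ip_checksum`, since only the header is summed; that gap is why TCP and UDP carry their own checksums over the data, and why a router can drop or reorder fragments without either endpoint being told by IP itself.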
During these travels a packet may be fragmented into smaller pieces if it is too long for a hop. A router may drop packets if it is too congested. Packets may arrive out of order, or even duplicated, at the far end. There is usually no notice of these actions: higher protocol layers (i.e., TCP) are supposed to deal with these problems and provide a reliable circuit to the application.

2.1.3 Transport Control Protocol (TCP): TCP provides reliable transmission of data in an IP environment. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing. With stream data transfer, TCP delivers an unstructured stream of bytes identified by sequence numbers. This service benefits applications because they do not have to chop data into blocks before handing it off to TCP. Instead, TCP groups bytes into segments and passes them to IP for delivery.

2.1.4 Address Resolution Protocol (ARP): IP packets are usually sent over Ethernets. Ethernet devices do not understand 32-bit IP addresses: they transmit Ethernet packets with 48-bit Ethernet addresses. Therefore, an IP driver must translate an IP destination address into an Ethernet destination address. The Address Resolution Protocol (ARP) is used to determine these mappings. ARP works by sending out an Ethernet broadcast packet containing the desired IP address. The destination host, or another system acting on its behalf, replies with a packet containing the IP and Ethernet address pair. This is cached by the sender to reduce unnecessary ARP traffic.

2.1.5 Internet Control Message Protocol (ICMP): The Internet Control Message Protocol is the low-level mechanism used to influence the behaviour of TCP and UDP connections. It can be used to inform hosts of a better route to a destination, to report trouble with a route, or to terminate a connection because of network problems. It also supports the single most important low-level monitoring tool for system and network administrators: the ping program.
Many ICMP messages received on a given host are specific to a particular connection or are triggered by a packet sent by that machine. In such cases, the IP header and the first 64 bits of the transport header are included in the ICMP message. The intent is to limit the scope of any changes dictated by ICMP. Thus, a Redirect message or a Destination Unreachable message should be connection-specific.

These protocols evolved out of many draft proposals (Request for Comments (RFC) documents) and have existed in networks for many years. Apart from being the basis of Internet communication, these protocols exhibit certain vulnerabilities which have given rise to hacking attacks. Network security in general, and these protocol vulnerabilities in particular, leading to a number of attacks, are discussed in the following sections of this chapter. Subsequent chapters give more detailed attack information based on exploits and vulnerabilities.

2.2 Problem Formulation: Every network security implementation is based on some model, which could be either specified or assumed. Based on the literature survey it is apparent that mostly a perimeter security model based on firewalls and IDS is in use, which is reactive in nature. A reactive approach, with the risks mentioned above, obviously lacks robustness and provides a false sense of security. With tremendous complexity and ease of hacking looming, the challenge is to build security into the network itself. This will lead to a self-healing and self-defending network infrastructure. To achieve this, security has to be proactive, i.e. it should be part of the switching fabric that carries all the traffic, benign and malicious. There is a compelling need to combine reactive and proactive security measures in order to have an integrated approach to security across the information value chain. Keeping this in view, it is proposed to design and develop a Proactive Network Surveillance Framework. The proposed framework aims to give the network a learning view of attacks, and thus the ability to react intelligently. The proactive network security framework will be based on a "military doctrine" which would address and eradicate major shortcomings of the existing security system. For implementation purposes, the research work will use the defence in depth concept, sometimes also called elastic defence. Defence in depth seeks to delay rather than prevent the advance of an attacker, buying time by yielding space. The idea of defence in depth is now widely used to describe non-military strategies like network security. Successive layers of defence may use different technologies or tactics.
The inner layers of defence can support the outer layers, and an attacker must breach each line of defence in turn. This gives an engineering solution which emphasizes redundancy: a system that keeps working even when a single component fails. For example, an aircraft with four engines will be less likely to suffer total engine failure than a single-engine aircraft, no matter how much effort goes into making the single engine reliable. Different security vectors within the network help to prevent a shortfall in any one defence leading to total system failure. Subsequent chapters will elaborate upon framework design, implementation, deployment and testing.


2.3 Need for Packet Sniffing: Most of the Internet runs in plain text, which means that most of the information you look at is viewable by someone with a packet sniffer. This information ranges from the benign to the sensitive. You should note that all of this data is vulnerable only over an unencrypted connection, so if the site you are using has some form of encryption like SSL, your data is less vulnerable.

The most devastating data, and the data most people are concerned with, is user credentials. Your user name and password for any given site are passed in the clear for anyone to gather. This can be especially crippling if you use the same password for all your accounts online. It doesn't matter how secure your bank's Web site is if you use the same password for that account and for your Twitter account. Further, if you type your credit-card information into an insecure Web page, it is just as vulnerable, although there aren't many (if any) sites that continue this practice, for that exact reason.


CHAPTER-3

OPERATING PRINCIPLES

3.1 Working of Packet Sniffing: Now you know that these tools are out there, but how exactly do they work? First, packet sniffing is a passive technique. No one is actually attacking your computer and delving through all those files that you don't want anyone to access. It's a lot like eavesdropping: my computer is just listening in on the conversation that your computer is having with the gateway. Typically, when people think of network traffic, they think that it goes directly from their computer to the router or switch, up to the gateway and then out to the Internet, where it is routed similarly until it reaches the specified destination. This is mostly true, except for one fundamental detail: your computer isn't directly sending the data anywhere. It broadcasts the data in packets that carry the destination in the header. Every node on your network (or switch) receives the packet, determines whether it is the intended recipient and then either accepts the packet or ignores it.

For example, let's say you're loading the Web page http://example.com on your computer "PC". Your computer sends the request by basically shouting "Hey! Somebody get me http://example.com!", which most nodes will simply ignore. Your switch will pass it on until it is eventually received by example.com, which will pass back its index page to the router, which then shouts "Hey! I have http://example.com for PC!", which again will be ignored by everyone except you. If others were on your switch with a packet sniffer, they'd receive all that traffic and be able to look at it. Picture it like having a conversation in a bar. You can have a conversation with someone about anything, but other people are around who potentially can eavesdrop on that conversation, and although you thought the conversation was private, eavesdroppers can make use of that information in any way they see fit. Most packet sniffers work as pcap applications. The normal flow in a pcap application is to initialize the network interface, then set a filter that decides which packets are accepted and which are rejected. Accepted packets are logged continuously until the interface is closed, after which the captured packets are processed.


3.1.1 Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment, packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network.

3.1.2 Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets only to the destined computer and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, putting a machine in promiscuous mode will not capture other hosts' traffic here. As a result, most network administrators assume that sniffers don't work in a switched environment.

Fig 3.1: A Capture of a Packet of Someone Trying to Log In to a Web Site


CHAPTER-4

A PACKET SNIFFER STRUCTURE

4.1 Components of a Packet Sniffer:

1. Hardware: standard network adapters.

2. Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, and then stores the data in a buffer.

3. Buffers: used to store the frames captured by the Capture Filter.

4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.

5. Decoder: "Protocol Analysis".

6. Packet editing/Transmission: some products contain features that allow you to edit your own network packets and transmit them onto the network.
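To make the pcap flow from section 3.1 and the components listed in 4.1 concrete, here is an added Python example; it is not code from the report or from libpcap. It reads the classic pcap file container (the capture step), decodes Ethernet/IPv4/TCP headers (the decoder), applies a caller-supplied accept function (the capture filter), collects matches in a buffer, and runs one analysis pass that flags HTTP Basic credentials sent in the clear, the kind of capture Fig 3.1 shows. The two frames in `SAMPLE` are hand-built constructed data with zeroed checksums; `write_pcap`, `sniff`, `decode` and the other names are this example's own.

```python
import base64
import struct
from typing import Callable, Dict, List, Optional

# Constructed example for sections 3.1 and 4.1: a tiny pcap reader that plays the
# roles of capture filter, buffer and decoder. Not libpcap and not the report's
# code; the frames in SAMPLE are hand-built test data with zero checksums.

PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialise raw Ethernet frames into the classic pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):              # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(fr), len(fr)) + fr
    return out


def read_pcap(data: bytes):
    """Yield each captured frame: the 'capture' step of the pcap flow."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    pos = 24                                     # skip the global header
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield data[pos:pos + incl]
        pos += incl


def decode(frame: bytes) -> Optional[Dict]:
    """Decoder component: Ethernet -> IPv4 -> TCP. Returns None for anything else."""
    if len(frame) < 34:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                      # IPv4 only in this example
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    pkt = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
           "src_ip": ".".join(map(str, ip[12:16])),
           "dst_ip": ".".join(map(str, ip[16:20])), "proto": proto}
    if proto == 6:                               # TCP: ports and payload
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        pkt.update(sport=sport, dport=dport, payload=tcp[doff:])
    return pkt


def cleartext_credential(pkt: Dict) -> Optional[str]:
    """Audit check: report the user name of an HTTP Basic login sent without TLS."""
    for line in pkt.get("payload", b"").split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            user = base64.b64decode(line.split(b" ", 2)[2]).split(b":")[0]
            return user.decode(errors="replace")
    return None


def sniff(pcap: bytes, accept: Callable[[Dict], bool]) -> List[Dict]:
    """Capture -> filter -> buffer -> analyse, the flow described in section 3.1."""
    buffer = []
    for frame in read_pcap(pcap):
        pkt = decode(frame)
        if pkt and accept(pkt):
            pkt["finding"] = cleartext_credential(pkt)
            buffer.append(pkt)
    return buffer


def build_http_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Hand-build Ethernet/IPv4/TCP for the sample; checksums stay zero because
    this decoder does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


# Constructed capture: one cleartext HTTP login and one opaque TLS record.
SAMPLE = write_pcap([
    build_http_frame("192.168.1.10", "203.0.113.5", 40000, 80,
                     b"GET /login HTTP/1.1\r\nHost: example.com\r\n"
                     b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    build_http_frame("192.168.1.10", "203.0.113.5", 40001, 443, b"\x16\x03\x01"),
])

if __name__ == "__main__":
    for p in sniff(SAMPLE, lambda p: p.get("dport") == 80):
        print(p["src_ip"], "->", p["dst_ip"], "port", p["dport"], "finding:", p["finding"])
```

Reading a file instead of a live interface keeps the example runnable without privileges; with real libpcap the `read_pcap` generator would be the library's capture loop and the `accept` callable a BPF filter string, but the filter, buffer and decode structure is the same. The finding is an audit result for the defender: the fix is to move the login to TLS, as the port-443 frame that decodes to nothing readable illustrates.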

4.2 Packet Sniffer Tools: Several kinds of tools are used for packet sniffing, such as:

Wireshark, Kismet, Tcpdump, Cain and Abel, Ettercap, Dsniff, NetStumbler, Ntop, Ngrep, EtherApe, KisMAC, Hunt.


CHAPTER-5

TYPES OF SNIFFING

5.1 Sniffing methods: There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

Passive sniffing: sniffing through a hub. It is called passive because it is difficult to detect. "Passive sniffing" means sniffing through a hub: the attacker simply connects a laptop to the hub and starts sniffing.

Active sniffing: sniffing through a switch. It is difficult to sniff in this way, and it can be easily detected. Techniques for active sniffing:

5.1.1 ARP (Address Resolution Protocol) spoofing: When a legitimate user initiates a session with another user in the same Layer 2 broadcast domain, an Address Resolution Protocol (ARP) request is broadcast using the recipient's IP address, and the sender waits for the recipient to respond with a MAC address. A malicious user eavesdropping on this unprotected Layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender by spoofing the intended recipient's MAC address.

5.1.2 MAC flooding: MAC flooding involves flooding the switch with numerous requests. Switches have a limited memory for mapping MAC addresses to the physical ports on the switch. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch cannot keep up. The switch then acts as a hub, broadcasting packets to all the machines on the network. After this, sniffing can be performed easily.

5.1.3 IP-based sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally the IP address filter isn't set, so it can capture all the packets. This method only works in non-switched networks.


5.1.4 MAC-based sniffing: This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.

5.1.5 ARP-based sniffing: This method works a little differently. It doesn't put the network card into promiscuous mode. This isn't necessary because the ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP cache of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. See Fig 5.1 for a general idea of the way it works.
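The ARP exchange from section 2.1.4 and the cache poisoning described in 5.1.1 and 5.1.5 can be watched for from the defender's side. The following added Python example (not code from the report; every MAC and IP address in it is made up) decodes ARP frames and keeps an IP-to-MAC table the way arpwatch-style monitors do, alerting on a reply that nobody requested and on a binding that changes to a different MAC. The constructed trace in `run_sample` ends with exactly that pattern; `ArpMonitor`, `build_arp` and `parse_arp` are this example's own names.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed example for sections 2.1.4, 5.1.1 and 5.1.5: a passive, arpwatch-style
# ARP monitor. It only parses frames and keeps a table; it never transmits.
# All addresses are made up for the demonstration.

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(map(int, s.split(".")))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP frame, used here only to construct the sample trace.
    Requests go to the broadcast MAC; replies are unicast to the asker."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else _mac(target_mac)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth_dst + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, _, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return op, smac.hex(":"), ".".join(map(str, sip)), ".".join(map(str, tip))


class ArpMonitor:
    """Passive observer: learns IP-to-MAC bindings from replies and raises alerts."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}           # ip -> mac learned so far
        self.pending: set = set()                 # ips with an outstanding request
        self.alerts: List[Tuple[str, str]] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, tip = parsed
        if op == ARP_REQUEST:
            self.pending.add(tip)
            return
        if op != ARP_REPLY:
            return
        # ARP is stateless: a host accepts a reply whether or not it asked, so a
        # reply with no matching request is the first thing worth logging.
        if sip not in self.pending:
            self.alerts.append(("unsolicited-reply", f"{sip} is-at {smac}"))
        self.pending.discard(sip)
        known = self.table.get(sip)
        if known is not None and known != smac:
            self.alerts.append(("binding-changed", f"{sip}: {known} -> {smac}"))
        self.table[sip] = smac


def run_sample() -> ArpMonitor:
    """Constructed trace: a normal request/reply for the gateway, then a reply from a
    different MAC claiming the gateway's IP, which is what cache poisoning looks like
    on the wire."""
    gw, host, other = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:10", "aa:aa:aa:aa:aa:99"
    trace = [
        build_arp(ARP_REQUEST, host, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.10"),
        build_arp(ARP_REPLY, other, "10.0.0.1", host, "10.0.0.10"),
    ]
    mon = ArpMonitor()
    for fr in trace:
        mon.observe(fr)
    return mon


if __name__ == "__main__":
    for kind, detail in run_sample().alerts:
        print(kind, detail)
```

On a real network the monitor would be fed frames from a capture rather than from `run_sample`, and a single alert is not proof of an attack (DHCP churn and NIC replacements also change bindings), so the sensible response is to log the event and correlate it with the switch's own records; port security and dynamic ARP inspection are the switch-side controls for this problem.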

Fig 5.1: ARP sniffing method

CHAPTER-6

ADVANTAGES & DISADVANTAGES OF PACKET SNIFFING

6.1 Advantages: Sniffing programs are found in two forms: 1) commercial packet sniffers, used to help maintain networks, and 2) underground packet sniffers, used by attackers to gain unauthorized access to remote hosts. A sniffing program can be used for:

Searching for clear-text usernames and passwords on the network.

Conversion of network traffic into human-readable form.

Network analysis to find bottlenecks.

Network intrusion detection to monitor for attackers.

Using a sniffer in an illegitimate way is considered a passive attack. It does not directly interface or connect to any other systems on the network. However, the computer on which the sniffer is installed could have been compromised using an active attack. The passive nature of sniffers is what makes detecting them so difficult. The following list describes a few reasons why intruders use sniffers on the network:

Network monitoring.

Analysing the bandwidth used.

Determining whether any hackers are trying to gain access.

Knowing the IP addresses of the different systems connected to your system.

Analysing the traffic flowing through the network.

A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:

Which website you visit

What you look at on the site

Whom you send e-mail to

What you download from a site

What streaming events you use, such as audio, video and internet telephony.

From this information, employers can determine how much time a worker is spending online and if that worker is viewing inappropriate materials.

6.2 Disadvantages: A packet sniffer is not just a hacker's tool. It can be used for network troubleshooting and other useful purposes. However, in the wrong hands, a packet sniffer can capture sensitive personal information that can lead to invasion of privacy, identity theft, and other serious eventualities. The single most destructive disadvantage of packet sniffing is this: by configuring your network device to read all the network packets that arrive, which might contain Trojan horses, you might also open doors that allow intruders access to your confidential data and network files.
