CEH Ch. 4 Sniffing and Evasion
Host-Based IDS
IDSs are also defined not only by what they use to make decisions but also where they're located and their span of influence. A HIDS is usually a software program that resides on the host itself. Most often a HIDS is signature based, although anomaly and heuristic engines get better and better every day, and its entire job is to watch that one host. It looks for traffic or events that would indicate a problem for the host itself. Popular examples of HIDS: Cybersafe, Tripwire, Norton Internet Security, and even firewalls and other features built into the operating system.
IDS Evasion Tools
Nessus (also a great vulnerability scanner)
ADMmutate (able to create multiple scripts that won't be easily recognizable by signature fields)
NIDSbench (an older tool used for playing with fragment bits)
Inundator (a flooding tool)
IDSInformer (another great tool that can use captured network traffic to craft, from start to finish, a test file to see what can make it through undetected)
Packet Generator (packet-generating tool)
PackETH (packet-generating tool)
Span Port
One in which the switch configuration has been altered to send a copy of all frames from one port, or a succession of ports, to another. Also called port mirroring. Difficult to do.
ARP Poisoning (Sniffing Technique)
Or ARP Spoofing is the process of maliciously changing an ARP cache on a machine to inject faulty entries. Relatively easy to achieve. Most modern switches have built-in defenses for too many ARP broadcasts coming across the wire (for example, you can configure Dynamic ARP Inspection using DHCP snooping inside Cisco's IOS). Admins can also use a wide variety of network monitoring tools, such as XArp, to watch for this, and some network admins manually add the default gateway MAC permanently (by using the arp -s command) into the ARP cache on each device. There are tools that make ARP flooding as easy as pressing a button: Cain and Abel, WinArpAttacker, Ufasoft, dsniff.
DNS Spoofing (Sniffing Technique)
Or DNS poisoning, is much the same as ARP poisoning just with DNS entries.
MAC Spoofing (Sniffing Technique)
Or MAC duplication, is a simple process of figuring out the MAC address of the system you wish to sniff traffic from and changing your MAC to match it.
Port Address Translation (PAT)
Or NAT Overload, is a NAT method in which multiple internal hosts, using private IP addressing, can be mapped through a single public IP address using the session IDs and port numbers. An internal global IP address can support in excess of 65,000 concurrent TCP & UDP connections.
IPv6 (Internet Protocol version 6)
Originally engineered to mitigate the coming disaster of IPv4 address depletion (which, of course, didn't happen as quickly as everyone thought, thanks to network address translation and private networking). It uses a 128-bit address instead of the 32-bit IPv4 version and is represented as eight groups of four hexadecimal digits separated by colons. The IPv6 loopback address is ::1. The double colon can be used only once in an address; a second one makes the address ambiguous to routers and renders it useless. IPv6 makes traditional network scanning very, very difficult. However, should an attacker get hold of a single machine inside a native IPv6 network, the "all hosts" link-local multicast address will prove quite handy.
Wiretapping
Our last entry in fundamental sniffing concepts has to do with law enforcement and what they do in regard to sniffing. Lawful Interception is the process of legally intercepting communication between two (or more) parties for surveillance on telecommunications, VoIP, data, and multiservice networks.
Passive vs Active Sniffing
Passive sniffing is essentially plugging in a sniffer and, without any other action on your part, starting to pull data packets to view at your leisure. Passive sniffing only works if your machine's NIC is part of the same collision domain as the targets. Active sniffing requires some additional work on your part, either from a packet injection or manipulation stance or from forcing network devices to play nicely with your efforts.
Transport & Network Layer Protocols susceptible to sniffing:
Protocols at the Transport and Network layers can also provide relevant data. TCP and UDP work in the Transport layer and provide the port numbers that both sides of a data exchange are using. TCP also adds sequence numbers. IP is the protocol working at the Network layer, and there is a load of information you can glean just from the packets themselves. An IP packet header contains source and destination IP addresses. It also holds the quality of service for the packet (Type of Service field) and info on fragmentation of packets along the way (Identification and Fragment Offset fields), which can prove useful in crafting your own fragmented packets later. (Sample on p. 136.)
CAM Table
Short for the Content Addressable Memory table, a CAM table holds all the MAC-address-to-port mappings on a switch. The CAM table gets updated very often. And if it's empty, or full, everything is sent to all ports. Similar to ARP cache but CAM is MAC addresses mapped to ports and ARP cache is MAC addresses mapped to IP addresses.
Application Layer Protocols Susceptible to Sniffing:
Simple Mail Transport Protocol (SMTP) - Everything sent via SMTP, with no encryption added at another layer, is sent as clear text, meaning it can be easily read by someone sniffing the wire.
File Transfer Protocol (FTP) - Although FTP requires a user ID and password to access the server (usually), the information is passed in clear text over the wire.
Trivial File Transfer Protocol (TFTP) - Passes everything in clear text, and you can pull keystrokes from a sniffed telnet session (user name, password).
SNMPv1 (Simple Network Management Protocol v1) & NNTP (Network News Transfer Protocol) - Send passwords and data over in clear text.
IMAP (Internet Message Access Protocol) & POP3 (Post Office Protocol) - Send passwords and data over in clear text.
HTTP (Hyper Text Transfer Protocol) - Data sent in the clear.
Several Application layer protocols have information readily available in captured traffic--you just need to learn where to look for it. Sometimes data owners will use an insecure application protocol to transport information that should be kept secret.
Network-Based IDS (sniffing & other attack roadblocks; evasion)
Sits on the network perimeter. Its job, normally, is to watch traffic coming into, and leaving, the network. Whether signature or anomaly based, an NIDS will sit outside or inside the firewall (either works so long as the NIDS is placed where it can see all traffic) and will be configured to look for everything from port and vulnerability scans to active hacking attempts and malicious traffic. A large network may even employ multiple NIDSs at various locations in the network, for added security. An exterior NIDS outside the firewall would watch the outside world, whereas one placed just inside the firewall on the DMZ could watch your important server and file access.
Evasion Basics
Slow down, scan smaller footprints, and take your time--it will eventually pay off. Slower is not only the better choice for hiding your attacks, it's really the preferred choice nearly every time. Only the impatient and uneducated run for nmap's -T5 switch as their primary choice. The pros will slow things down with the -T1 switch and get better, more useful results to browse through.
Snort runs in 3 different modes:
Sniffer mode - Exactly what it sounds like; lets you watch packets in real time as they come across your network tap.
Packet Logger mode - Saves packets to disk for review at a later time.
Network Intrusion Detection System mode - Analyzes network traffic against various rule sets you pick from, depending on your network's situation.
tcpdump Basic flags
TCP Flag   tcpdump flag   Meaning
SYN        S              Syn packet, a session establishment request.
ACK        A              Ack packet, acknowledges sender's data.
FIN        F              Finish flag, indication of termination.
RESET      R              Reset, indication of immediate abort of connection.
PUSH       P              Push, immediate push of data from sender.
URGENT     U              Urgent, takes precedence over other data.
NONE       . (a dot)      Placeholder, usually for ACK.
MAC Address (aka physical address)
The MAC address that is burned onto a NIC is actually made of two sections. The first half of the address, consisting of 3 bytes (24 bits), is known as the organizational unique identifier and is used to identify the card manufacturer. The second half is a unique number burned in at manufacturing to ensure no two cards on any given subnet will have the same address.
Planning Tool for Resource Integration (PRISM)
The NSA wiretaps a gigantic amount of foreign Internet traffic that just happens to come through U.S. servers and routers. PRISM is the data tool used to collect said foreign intelligence passing through Uncle Sam's resources.
Wireshark (Sniffing Tool)
The most popular sniffer available, mainly because it's free, stable, and works really well. It can capture packets from wired or wireless networks and provides a fairly easy-to-use interface. It also offers an almost innumerable array of filters you can apply to any given sniffing session, so you can fine-tune your results to exactly what you're looking for.
Snort (sniffing & other attack roadblocks; evasion)
The most widely deployed IDS in the world, Snort is an open source IDS that "combines the benefits of signature, protocol, and anomaly-based inspection." It is a powerful sniffer, traffic-logging, and protocol-analyzing tool that can detect buffer overflows, port scans, operating system fingerprinting, and almost every conceivable external attack or probe you can imagine. Its rule sets (signature files) are updated constantly, and support is easy to find.
Firewalking (Firewall Evasion technique)
The process of systematically testing ("walking") each port on a firewall to map rules and determine accessible ports. This is generally a noisy attack, and you will most likely get caught. Firewalking tools: Firewalk.
IPv6 Scopes
The scope for multicast or anycast defines how far the address can go.
Link Local - Applies only to hosts on the same subnet. Only systems on your network segment get the message.
Site Local - Applies only to hosts within the same organization (that is, private site addressing). Similar to Link Local but is more akin to setting up your private networks using predefined ranges.
Global - Includes everything.
Screened Subnet (aka public facing zone)
The screened subnet of your DMZ is connected to the Internet and hosts all the public-facing servers and services your organization provides. These bastion hosts sit outside your internal firewall and are designed to protect internal network resources from attack: they're called bastions because they can withstand Internet traffic attacks. The Private Zone holds all the internal hosts that, other than responding to a request from inside that zone, no Internet host has any business dealing with. Lastly, because your firewall has two or more interfaces, it is referred to as multi-homed.
Wireshark Filter Combinations
There are innumerable filter combinations in Wireshark, but for the test make sure that you know the following:
== - Equal to.
&& - The packet will display only if both arguments appear.
or - The packet will display if either argument appears.
tcpdump (sniffing tool)
A command-line tool that simply prints out a description of the contents of packets on a network interface that match a given filter (Boolean expression). There's also a Windows version (WinDump).
MAC Flooding (Sniffing Technique)
This does not work on a lot of modern switches. If you don't know how to reconfigure the switch OS to set up a span port, or you just don't have the credentials to log in and try it, you can try MAC flooding. The idea is simple: send so many MAC addresses to the CAM table that it can't keep up, effectively turning the switch into a hub. Because the CAM is finite in size, it fills up fairly quickly, and entries begin rolling off the list. Etherflood and Macof are MAC flooding tools. ECC defines some versions of MAC flooding as "switch port stealing." The idea is the same--flood the CAM with unsolicited ARPs. But instead of attempting to fill the table, you're only interested in updating the information regarding a specific port, causing something called a "race condition," where the switch keeps flipping back and forth between the bad MAC and the real one.
IPv6 Address Types
Unicast - A packet addressed for, and intended to be received by, only one host interface.
Multicast - A packet that is addressed in such a way that multiple host interfaces can receive it.
Anycast - A packet addressed in such a way that any of a large group of hosts can receive it, with the nearest host (in terms of routing distance) opening it.
The process of sniffing comes down to a few items of great importance:
What state the network interface card (NIC) is in, what access medium you are connected to, and what tool you're running.
How do you put tcpdump interface in listening mode?
-i
How do you write to a tcpdump file?
-w
Two types of Honeypots
1. High Interaction Honeypot - Simulates all services and applications and is designed to be completely compromised. Examples include Symantec Decoy Server and Honeynets.
2. Low Interaction Honeypot - Simulates a limited number of services and cannot be compromised completely (by design). Examples include Specter, Honeyd, and KFSensor.
What is the IPv4 loopback address (Denoting the software loopback of your own machine)?
127.0.0.1
Bastion Host
A computer placed outside a firewall to provide public services to other Internet sites, and hardened to resist external attacks.
Promiscuous Mode
A configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just frames addressed to it--a feature normally used for packet sniffing and bridged networking for hardware virtualization. A sniffer needs your NIC to run in promiscuous mode. This means that, regardless of address, if the frame is passing on the wire, the NIC will grab it and pull it in for a look. Because NICs are designed to pay attention only to unicast messages addressed appropriately, multicast messages, or broadcast messages, you need something that forces the card to behave for your sniffer. In other words, your NIC will "see" everything passing by on the wire, but it only pulls in and examines things it recognizes as addressed to the host. If you wish for it to pull everything in for a look, you have to tell it to do so. WinPcap is an example of a driver that allows the operating system to provide low-level network access and is used by a lot of sniffers on Windows machine NICs. On Linux, libpcap is used.
Collision Domain
A domain composed of all the systems sharing any given physical transport medium. Systems within a collision domain may collide with each other during the transmission of data. Collisions can be managed by CSMA/CD (Carrier Sense Multiple Access/Collision Detection) or CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance). Switches split collision domains, so that each system connected to the switch resides in its own little collision domain, and an attacker can only see what's on the host machine. If it's shared media using a hub, it's only one collision domain, and an attacker can see all traffic in that domain regardless of host.
Session Splicing (Evasion Techniques)
A fancy term for fragmentation; a method used to prevent IDS detection by dividing the request into multiple parts that are sent in different packets. SYN segments, for example, usually have nothing but padding in the data payload. Why not slide small fragments of your own code in there to reassemble later? You can even try purposefully sending the segments out of order or sending adjustments with the IP fragment field. The IDS might not pick up on this. Again, patience and time pay off.
HTTP Tunneling (Evasion Techniques)
A firewall evasion technique whereby packets are wrapped in HTTP, as a covert channel to the target. Because port 80 is almost never filtered by a firewall, you can craft port 80 segments to carry payload for protocols the firewall may have otherwise blocked. HTTP beacons and HTTP tunnels are the de facto standard implant technology for hackers.
Stateful Inspection Firewall
A firewall that examines the state of a connection as well as simple address, port, and protocol rules to determine how to process a packet.
Anomaly Based IDS (sniffing & other attack roadblocks; evasion)
A hardware or software device that examines streams of packets for unusual or malicious behavior. Anomaly or behavior based IDSs make decisions on alerts based on learned behavior and "normal" patterns--anything out of the ordinary for a normal day sounds the alarm. Behavior based systems are better at picking up the latest attacks because they would definitely be out of the norm, but such systems are also known to drive admins crazy with false positives. Running an anomaly-based IDS is difficult because most network admins simply can't know everything going on in their network.
Signature Based IDS (sniffing & other attack roadblocks; evasion)
A hardware or software device that examines streams of packets for unusual or malicious behavior. This is done via a signature list, where the IDS compares packets against a list of known traffic patterns that indicate an attack. A signature-based system is only as good as the signature list itself; if you don't keep it up to date, newer intrusion methods may go undetected.
Honeypots
A host designed to collect data on suspicious activity. It's a system set up as a decoy to entice attackers. The idea is to load it up with vulnerabilities that are not too easy for a hacker to exploit. Wherever the honeypot is located, it needs to be walled off to prevent it becoming a launching pad for further attacks.
Spoofing (Sniffing Technique)
A method of falsely identifying the source of data packets; often used by hackers to make it more difficult to trace where an attack originated. Examples of spoofing types: IP, MAC, DNS, IRDP
Address Resolution Protocol (ARP) (Data link layer)
A protocol used to map a known IP address to a physical (MAC) address. It's defined in RFC 826. The ARP Table is a list of IP addresses and corresponding MAC addresses stored on a local computer. ARP's entire purpose in life is to resolve IP addresses to machine (MAC) addresses. While each IP packet provides the network address (needed to route the packet across different networks to its final destination), the frame must have a MAC address of a system inside its own subnet to deliver the message. So as the frame is being built inside the sending machine, the system sends an ARP_REQUEST to find out what MAC address inside the subnet can process the message. Basically it asks the entire subnet, via a broadcast message, "Does anyone have a physical address for the IP address I have here in this packet? If so, please let me know so I can build a frame and send it on." If a machine on the local subnet has that exact IP, it will respond with an ARP_REPLY directly to the sender saying "Why yes, I'm the holder of that IP address, and my MAC address is ..." The frame can then be built and the message sent. If the IP address of the packet being sent is not inside the same subnet, the route table on your host already knows the packet should be sent to the default gateway (local router port). If it doesn't happen to remember the default gateway's MAC address, it'll send out a quick ARP request to pull it. Once the packet is properly configured and delivered to the default gateway, the router will open it, look in the route table, and build a new frame for the next subnet along the route path. As that frame is being built, it will again send another ARP request: "Does anyone have a physical address for the IP address I have here in this packet? If so, please let me know so I can build a frame and send it on." This continues on each subnet until the packet finds its true destination. ARP retains a cache on machines as it works. The protocol works on a broadcast basis.
In other words, requests ("Does anyone have the MAC for this IP address?") and replies ("I do. Here's my physical address--please add it to your cache.") are broadcast to every machine on the network. The cache is dynamic, meaning the information in it doesn't stay there forever, and when your system gets an updated ARP message, it will overwrite the cache with the new information. For example, Machine A shuts down for a while and sends no further messages. Eventually, all system caches will delete its entry, almost as if it never existed. Suppose also that Machine B changes its NIC and now has a new MAC address. As soon as it sends its first ARP message, all systems on the network receiving it will update their caches with this new MAC address.
How does ARP help a hacker?
A system on your subnet will build frames and send them out with physical address entries based on its ARP cache. If you were to somehow change the ARP cache on Machine A and alter the cached MAC address of Machine B to your system's MAC, you would receive all communication Machine A intended to send to Machine B. Suppose you changed the ARP entry for the default gateway on all systems in your subnet to your own machine. Now you're getting all messages everyone was trying to send out of the local network, often to the Internet. Attackers do this by sending something called a gratuitous ARP. It is a special packet that updates the ARP cache of other systems before they even ask for it--in other words, before they send an ARP_REQUEST. Its original intent when created was to allow updates for outdated information, which helps with things like IP conflicts, clustering, and all sorts of legitimate issues.
Active vs Passive Wire Tapping
Active wiretapping involves interjecting something into the communication (traffic), for whatever reason. Passive only monitors and records the data.
Dynamic Host Configuration Protocol (DHCP)
Allows dynamic IP address allocation so users do not have to have a preconfigured IP address to use the network. A DHCP server (or more than one) on your network is configured with a pool of IP addresses. You tell it which ones it can hand out, which ones are reserved for static systems already, how long systems can keep (or lease) the address, and a few other goodies, and then turn it loose. When a system comes on the network, it sends a broadcast message known as a DHCPDISCOVER packet, asking if anyone knows where a DHCP server is. The DHCP relay agent will respond with the server's info and then send a DHCPOFFER packet back to the system, letting it know the server is there and available. The system then sends back a DHCPREQUEST packet, asking for an IP. In the final step, the server responds with a DHCPACK message, providing the IP and other configuration information the system needs. Use the acronym DORA (Discover, Offer, Request, Acknowledge) to help remember the sequence.
Sniffing
Also known as wiretapping by law enforcement types. Sniffing is the art of capturing packets as they pass on a wire, or over the airwaves, to review for interesting information.
Firewall (sniffing & other attack roadblocks; evasion)
An appliance within a network that is designed to protect internal resources from unauthorized external access. Firewalls work with a set of rules, explicitly stating what is allowed to pass from one side of the firewall to the other. Additionally, most firewalls work with an implicit deny principle, which means that if there is no rule defined to allow the packet to pass, it is blocked. Much like IDSs, the placement of firewalls is important. In general, a firewall is placed on the edge of a network, with one port facing outward, at least one port facing inward, and another port facing toward a DMZ. Some networks will apply additional firewalls throughout the enterprise to segment for all sorts of reasons.
ICMP Router Discovery Protocol (IRDP) Spoofing (Sniffing Technique)
An attack where the hacker sends spoofed ICMP Router Discovery Protocol messages through a network, advertising whatever gateway he wants all the systems to start routing messages to.
DHCP Starvation (Sniffing Technique)
An attack whereby the malicious agent attempts to exhaust all available addresses from the server. It's more of a denial-of-service attack, but don't be surprised to see it in the sniffing questions. First, the attacker sends unending, forged DHCP requests to the server on the subnet. The server will attempt to fill each and every request, which results in its available IP address pool running out quickly. Any legitimate system attempting to access the subnet now cannot pull a new IP or renew its current lease. Starvation attack tools include Yersinia and DHCPstarv. Configuring DHCP snooping on your network device is considered the proper mitigation technique against this attack.
Network Tap (sniffing & other attack roadblocks; evasion)
Any kind of connection that allows you to see all traffic passing by. Generally used in reference to a NIDS (network-based IDS) to monitor all traffic. Where you place the tap determines exactly what, and how much, traffic you'll be able to see. Your tap should also be capable of keeping up with the data flow.
Flooding (Evasion Techniques)
By flooding the network the ethical hacker could set up some fake attacks, guaranteed to trigger a few alerts, along with tons and tons of traffic. The sheer volume of alerts might be more than the staff can deal with, and you may be able to slip by unnoticed.
Sniffer
Computer software or hardware that can intercept and log traffic passing over a digital network.
Other firewall hacking Tools
CovertTCP, ICMP Shell, 007 Shell
Other Sniffing Tools
Ettercap - Powerful sniffer and man-in-the-middle suite of programs. Can be used as a passive sniffer, active sniffer, and an ARP poisoning tool. Other sniffers include: Capsa Network Analyzer, Sniff-O-Matic, EtherPeek, WinDump, & WinSniffer
What is the MAC address of broadcast messages?
FF:FF:FF:FF:FF:FF
Application Level Firewall
Filters traffic much like a proxy--allowing specific applications (services) in and out of the network based on its rule set.
Best method for Firewall evasion
Have a compromised machine on the inside initiate all communication for you. Usually firewalls--stateful or packet filtering--don't bother looking at packets with internal source addresses leaving the network.
Circuit Level Gateway Firewall
Works at the Session layer and allows or prevents data streams--it's not necessarily concerned with each packet. It monitors TCP handshaking between packets to determine whether a requested session is legitimate.
