/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsNetwork sniffers are the most commonly used tools by hackers. They can, as the name suggests, sniff any data traveling on your network. Some popular sniffers are dsniff, ettercap and snort. These tools don’t need a genius to operate; anybody with some amount of computer knowledge can use them.
|
/pcq/media/post_attachments/8c50452680d22359e7db7d71f78f6e626a4f166ccc35099d1f574e785f47ec7b.jpg)
We’ll use ettercap, the most powerful sniffer amongst the ones mentioned above, to see both sides of the coin of
hacking–how ettercap can attack a network and how a network administrator can use it to sniff out trouble from his network. Only by knowing both the sides can a network administrator secure his network better.
Ettercap has an ncurses-based interface, making it very easy to use. Moreover, it can not only suck just about any type of data from the network, but can also work on a switched network by spoofing the IP address of the host and not raise an alarm such as an IP conflict.
How it works
A switched network is considered safe as data from one host travels only to the intended recipient and does not get broadcasted over the entire network. Unfortunately, for software like ettercap even a switched network is not difficult to compromise. It can poison the switch’s ARP
(Address Resolution Protocol) cache by attaching the host’s IP address to its own MAC address which then leads to the transmission of all the data to the
ettercap machine instead of the actual host. After logging the data, ettercap forwards it to the host machine so that normal transactions can continue. This method of hacking is called ‘Man in the Middle’ attack and the ARP poisoning used here is called spoofing. To perform this kind of attack the network’s gateway is generally spoofed.
Let’s do it
Since unlike other sniffers, ettercap doesn’t need any other libraries (such as libpcap or libnids), installing it requires installing just one file. To start with you will need a machine running any version of Linux. Place this month’s PCQ Essential CD in the cd-drive and copy and install ettercap file as follows.
#cp ettercap-0.6.9-1.7.2.i386 ~
#cd
#rpm —ivh ettercap-0.6.9-1.7.2.i386
Getting usernames and passwords
Once installed, simply run the ettercap command from any terminal window. An ncurses-based interface will open with a list of all the IP addresses on your network in two columns, one being the source and the other the destination. Here, you select a pair of source and destination IPs to start the ‘Man in the Middle’ attack. To get maximum data (traffic), select the IP address of your network’s gateway in the Destination column and leave the Source column blank. This will capture data traveling from any node to the gateway. Now press ‘a’ and a new interface will open. Just leave this interface for five minutes and you will find a flood of data being collected. When you scroll through this data, you might find usernames and passwords (if present in the data stream) displayed at the bottom left-hand corner of the interface.
|
/pcq/media/post_attachments/2f1871083da7ae5cc36c5d97bb3b6abb3b24790d626e8909c9f79adf942c7085.jpg)
IM hack
Now let’s get a little wilder. At the right most column of the main screen, you will see the application that is transmitting the data stream. Select a data stream that looks like an instant messenger (for example, Y! MSG) and hit enter. You will see the actual data traveling from both ends in two columns. The data contains the actual text with some junk characters. To filter the junk characters press the ‘t’ key once. You can also log this conversation in a text file. Just hit the ‘l’ key and it will start
logging.
File theft
ettercap has lots of built-in plug-ins for different tasks, one of which is very effective if you want to steal all files present in any HTTP stream. For example, if anyone is accessing a paid bollywood site to see Ash’s latest pictures, you can steal those pictures directly from the stream. To do so press the ‘p’ key. This will open a new pop-up where you will see 28 different plug-ins. Hit Enter on the 13th plug-in called H30_thief and it will start stealing the files. The stolen files will be saved in a directory called Theft Files under the current directory from where you are running
ettercap.
These are just a few examples to give you an idea of the threat your network faces. You can do a lot more with
ettercap.
Anindya Roy
... and for the Good Guys
/pcq/media/post_attachments/acd224d7db6eac14e9a9aa0cb246947440b24a8ea60fd85faa188687259c1f4c.jpg) |
| The window here shows some suspecious ARP behaviour which can be a spoofing attack |
Now let’s see how to put ettercap to ‘good’ use. We will set up an IDS (Intrusion Detection System) to trap these sniffers.
In a switched network, every switch retains an ARP (Address Resolution Protocol) cache that contains the IP and MAC addresses of each machine connected to it. This helps the switch to know which data packet should be sent where. Generally, when someone on a switched network tries to spoof someone’s IP address, then the IP-MAC address pair in the switch’s ARP cache undergoes a flip-flop. For example, assume your gateway’s IP:MAC address pair is 192.168.3.1 and 00:D0:B7:9C:95:55 while the attacking machine’s pair is 192.168.3.2 and 00:0B:CD:E8:B6:1B. If the gateway’s IP is spoofed, then the MAC addresses of the gateway and the attacking machine will be changed. So, the gateway’s IP:MAC address pair will look like 192.168.3.1, 00:0B:CD:E8:B6:1B, and the attacking machine’s will be 192.168.3.2, 00:D0:B7:9C:95:55. Now any packets that are addressed to the gateway will actually reach the attacking machine, which will record this data and then forward it to the gateway (compromised machine).
Use Arpwatch
One way of detecting this spoof attack is to use a tool called Arpwatch, which is a part of PCQLinux 8.0. It monitors the ARP caches of all the switches on the subnet it’s running on. You can run it from a terminal window by simply typing arpwatch. This will start the arpwatch daemon, after which you just have to keep checking any e-mail from arpwatch that reach root@localhost. The moment it detects a flip-flop, it will send you a mail with Flip Flop in the subject line. You’ll then be able to identify whether a machine has been spoofed and the IP address of the attacking machine. A word of caution when using this utility is that you have to continuously monitor the mail id for a flip-flop occurrence and take action immediately.
Use Ettercap
Besides Arpwatch, you can use ettercap itself to find other instances of ettercap running on your network. Sounds shocking, but then if a gun can be used to enforce or break the law, then why not a sniffer? Let’s see how.
|
/pcq/media/post_attachments/50cbd23c5a9afd2a9e4928f355f970e1c4531afa629854fb95cd142468a4dba2.jpg)
Ettercap has two different plug-ins, one for searching ettercap only and the other for searching any suspicious ARP behavior on the network. To start an ettercap search, just press the ‘p’ key and select the first plug-in and then quit the plug-in window. It will continue searching for ettercap traces from all machines and show you the list at the top of the interface.
To search for other sniffers or any suspicious ARP activity again open the plug-in window by pressing the ‘p’ key and select the 15th plug-in called arpcop. Selecting it will open a new window and show if any IP is trying to spoof or not. We tested it with both ettercap and dsniff and it found them both very easily. You can also isolate the hacker (spoofing machine) from the network by using ettercap using another plug-in called leech.
Kill that connection
If you identify a attacker who is trying to access a website he shouldn’t be, then first start ettercap, spoof the hacker’s machine with your network’s gateway and wait for any http stream coming. When found, hit the ‘k’ key to kill the particular stream. You can also isolate this host from the network using ettercap. To do so, start ettercap and select the host in the destination column and hit the ‘a’ key. Next press the ‘p’ key to open the plug-in box and then select the 23rd plugin called leech. It will open a pop-up box and ask for a confirmation if you really want to isolate the host or not. Type ‘yes’ and hit Enter. The host will be completely isolated from the network.
Anindya Roy