Intercepti on [1 ed.]
422 51 802KB
English Pages 58 [18]
Polecaj historie
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped-d-3184739.jpg)
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped-j-7537528.jpg)
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped-l-3658525.jpg)
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped-r-3937383.jpg)
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped-p-4390716.jpg)
![Intercepti on [1 ed.]](https://dokumen.pub/img/200x200/intercepti-on-1nbsped.jpg)
Citation preview
CSE363
Offensive Security
2020-02-03
Network Traffic Sniffing
Michalis Polychronakis Stony Brook University
L7
Application
L6
Presentation
L5
Session
L4
Transport
L3
End-to-End
Basic Internet Protocols (OSI Model vs. Reality) HTTP, BGP, DHCP, DNS, SPDY, SMTP, FTP, SMTP, IMAP, SSH, SSL/TLS, LDAP, NTP, RTP, SNMP, TFTP, …
Deliver to:
Based on:
TCP, UDP, SCTP, …
Dst. application
Port number
Network
IP, ICMP, IPsec, …
Dst. host
IP address
L2
Data Link
Eth, 802.11, ARP, …
Next hop
MAC address
L1
Physical
Wire/air/pigeon
Network interface (NIC)
2
© XKCD - https://xkcd.com/2105/
3
Streams vs. Packets send(
);
data
Socket
Segment
TCP
data chunk 1
Packet
IP
TCP
Frame
ETH
IP
TCP
data chunk 1
TCP
data chunk 1
IP
data chunk 2
…
TCP
data chunk 2
…
TCP
data chunk 2
ETH
IP
…
Network 4
Ethernet Most commonly used data link layer protocol for LANs Communication based on frames 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | 48 bits +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 48 bits | | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | Payload (46-1500 bytes) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 32 bits CRC | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5
Internet Protocol (IP) Routing: deliver packets from a source to a destination based on the destination IP address Through several hops (routers) – see traceroute Connectionless, best effort: no ordering or delivery guarantees Source IP address is not authenticated
can be easily spoofed!
IPv6: most recent version, uses 128-bit addresses IPv4 space has been exhausted IPv6 deployment is slow
Packets too large for the next hop are fragmented into smaller ones Maximum transmission unit (MTU)
6
IPv4
IPv6
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| Traffic Class | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Length | Next Header | Hop Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source | | Address | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination | | Address | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 7
Transmission Control Protocol (TCP) Provides reliable virtual circuits to user processes Connection-oriented, reliable transmission Packets are shuffled around, retransmitted, and reassembled to match the original data stream
Sender: breaks data stream into packets Attaches a sequence number on each packet
Receiver: reassembles the original stream Acknowledges receipt of received packets Lost packets are sent again
8
TCP
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... data .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9
TCP 3-way Handshake
Client
Server
Sequence/acknowledgement numbers Retransmissions, duplicate filtering, flow control
Seq: the position of the segment’s data in the stream The payload of this segment contains data starting from X
Ack: the position of the next expected byte in the stream All bytes up to X received correctly, next expected byte is X+1
10
Active vs. Passive Attacks Passive: the attacker eavesdrops but does not modify the message stream in any way Traffic snooping, wiretapping, passive reconnaissance, listening for unsolicited/broadcast traffic, traffic analysis, … This lecture
Active: the attacker may transmit messages, replay old messages, modify messages in transit, or drop selected messages from the wire Spoofing, data injection/manipulation (man-in-the-middle/man-on-the-side), session replay, DoS, malicious requests/resp., … Future lectures 11
Network Sniffing A network interface in promiscuous mode captures all or subset of the traffic that reaches it Even if it is not destined for that machine
WiFi: shared medium trivial Hub: broadcasts packets to all ports trivial (but hubs are now rare) Switch: learns device-to-port mappings and forwards packets only to the appropriate port still possible! ARP cache poisoning, CAM table exhaustion
Wiretapping (wire, optical fiber) Physically “tap” the wire 12
What about encrypted WiFi? WEP: same pre-shared RC4 key for all clients From within: can freely sniff and decrypt all packets using the same key From outside: broken, can trivially crack the key (even brute force takes a short time)
WPA-PSK: a different “pairwise transient key” derived from the preshared key is generated for every client From within: can sniff and decrypt a client’s packets if the association process is witnessed (4-way PSK handshake) Not a problem! force a re-association by sending a deauth packet to the victim Injection is then trivial through a connected and authenticated client on the AP WPA-Enterprise (802.1X) doesn’t suffer from this (but is less commonly used) From outside: crack the WiFi password (mainly using wordlists) 13
Native support in Wireshark
© Wireshark - https://wiki.wireshark.org/HowToDecrypt802.11
14
Network Taps For up to 100Mbit/s can be completely passive Gigabit and above needs power for demodulating the signal Fiber optical network taps are also completely passive
Most high-end switches/routers can mirror traffic
15
Passive Network Monitoring Main benefit: non-intrusive (invisible on the network)
Basis for a multitude of defenses IDS/IPS, network visibility, network forensics Sophisticated attackers may erase all evidence on infected hosts captured network-level data may be all that is left
Packet capture What: packet headers or full packet payloads How: network taps, router/switch span/mirror ports
Netflow export What: connection-level traffic summaries How: built-in capability in routers, passive collectors 16
Packet Capture Tools Libpcap/Winpcap: user-level packet capture Standard interface used by most passive monitoring applications
PF_RING: High-speed packet capture Zero-copy, multicore-aware
tcpdump: just indispensable
TODAY
Wireshark: tcpdump on steroids, with powerful GUI dsniff: password sniffing and traffic analysis ngrep: name says it all Kismet: 802.11sniffer
many more… 17
Packet Parsing/Manipulation/Generation Decode captured packets (L2 – L7) Generate and inject new packets Tools Libnet: one of the oldest Scapy: powerful python-based framework
TODAY
Nemesis: packet crafting and injection utility Libdnet: low-level networking routines dpkt: packet creation/parsing for the basic TCP/IP protocols
many more… 18