31 Packet Analysis

Hiteishi Diwanji

epgp books

Packet Analysis

How network traffic can be captured?

 

Traffic can be captured on a switched network from an end device in six ways.

 

  1. Port mirroing
  2. Capturing traffic from central device/ tapping
  3. ARP cache poisoning
  4. Flooding
  5. DHCP redirection
  • The device configured in nonpromiscuous mode, drops frames not destined for it.NIC configured in promiscuous mode, captures frames starting from the data link layer to the application layer.

Hubs and switches:

 

Device in promiscuous mode, captures data from plugged in RJ-45 wall jack.

 

Capturing traffic from central device(Hub)/ tapping

  • Hubs are multiport devices, multiport repeaters.
  • Hubs operate in broadcast mode, captures traffic from OSI layer 1(physical layer) and broadcasts traffic on each port. Systems connected to hub share the broadcast domain resulting in same collision domain.
  • In case two or more systems try to capture medium at the same time for sending packets through the same hub, results in collision. Collision increases with increase in traffic, hence average throughput decreases.

Capturing traffic from switches

  • Switches are intelligent in communication.
  • Switches look up the source and destination MAC address of each passing data frame and forwards towards that destination only.
  • Switch learns about connected devices through active ports.

Content address memory

  • Switch captures Ethernet frame coming on the port, examines MAC address of the source mentioned in the frame and looks up in the table stored in memory to find entry for the source MAC address.
  • This stored table of memory is a Content addressable memory(CAM) table.
  • CAM table is RAM, gets refreshed on power off.
  • Holds the mapping of the MAC address with the switch port.
  • Due to segmented traffic, hacker trying to sniff on one port cannot observe traffic on other ports.

Switches

 

  • Switch work at layer 2, layer 3. At higher layers, switches can interpret different headers.
  • VLANs(Virtual LANs) adopts some router functionality.
  • VLANS creates logical LAN means collection of devices residing on physically separate LANs can communicate among themselves.

Steps involved in redirecting traffic to the sniffer (active sniffing).

  • Port mirroring on a managed switch
  • ARP cache flooding
  • Flooding
  • DHCP redirection
  • Redirection and interception with ICMP

Managed and unmanaged switch

  • Unmanaged switch acts like plug and play device.
  • Managed device provides more functionality
  1. Priority of service can be set.
  2. Unique VLANs can be configured.
  3. SNMP monitoring can be used.
  4. Port mirroring can be set up.
  5. Enable a spanning tree algorithm.

Port mirroring

 

  • On a switched network, It is difficult to examine traffic on monitoring device.
  • Port mirroring is used to examine traffic.
  • Switch maintains port segmentation. By configuring port mirroring one port can receive copies of all packets destined for all other ports, or only from one designated port.

ARP cache poisoning

  • Address resolution protocol cache poisoning allows attacker to seize communications between among network devices.

ARP finds MAC addresses for known IP addresses. ARP Request:

 

Alpha broadcasts an ARP request to all stations on the network: “What is the hardware address of Router137?”

ARP cache

 

  • ARP cache holds the IP address, the MAC address and timer for each entry.
  • The timer is different for different vendors. Windows operating system uses 2 minutes and a Linux system uses 15 minutes.
C:\Users\laptop>arp -a
Interface: 192.168.1.7 — 0xb
Internet Address Physical Address Type
192.168.1.1 c4-a8-1d-cc-93-71 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static

 

 

How ARP cache poisoning works?

  • For cache poisoning pertaining to ARP, unwanted ARP replies are sent.
  • When system raises an ARP request, receives ARP reply and trusts that it has come from the right device.
  • ARP does not have verification mechanism to bifurcate responding device is the same for whom the request was generated.
  • Operating system does not map ARP replies to ARP requests. ARP replies can be absorbed by operating system even though ARP request was not produced.

 

ARP cache poisoning-spoofing

  • False(Not genuine) ARP requests or replies are sent to the switch, in order to maneuver traffic to be sent to the sniffing system. Bogus ARP requests get stored at switch and at other devices upon receiving the packet.
  • The switch and these devices forward the information to the ARP cache. This maps the attacker device with the address of the spoofed device.
  • The Router MAC address is spoofed so all outgoing traffic gets captured by the attacker.

ARP cache poisoning with man in the middle attack

 

Exploits that occur:

  • Modify the packets before they are sent to their actual destination.
  • Perform packet analysis to extract information that is useful.
  • Record the packets and replay to attempt session replay later.

Flooding

  • MAC flooding captures the redirected network traffic.
  • This is a brute force attack to attempt to overload switch’s CAM table.
  • Switches construct a lookup table for mapping MAC addresses to the switch port numbers. In case the CAM table is filled up, then storing more entries in switch is not possible, leads some ports to fail open state.
  • In fail open state, frames get flooded to all ports of the switch. This gives opportunity to an attacker to sniff traffic.
  • Large amounts of traffic gets injected, this may disable the port.

DHCP redirection

  • Dishonest DHCP server targets to malign DHCP requests.
  • Hacker sets up its own DHCP server. Attacker broadcasts forged DHCP requests and leases out available DHCP addresses within the scope of DHCP. Before accessing internet, users have to pass through this DHCP server.
  • DHCP server will not send Renew IP addresses to authorized users.
  • The network access is compromised. Packets before reaching to internet, passes through the attacker system where attacker performs packet analysis.

Redirection and Interception with ICMP

  • This indicates misuse ICMP protocol.
  • Default router sends redirection to the host to indicate that certain destination can be reached through a better route.
  • A host accepts an ICMP redirect if looks legitimate and has come from the default gateway for the destination it is redirecting. In case of redirection, the traffic passes to the attacker system. This is possible for the lack of validation.
  • Upon receiving an ICMP redirect message, the host modifies its routing table as per the message.

Preventing packet capture

  • Dynamic address inspection
  • DHCP snooping
  • VLAN hopping prevention

Dynamic address Inspection

  • Dynamic Address resolution protocol inspection(DAI) can prohibit this attack.
  • DAI validates ARP packets.

DAI inspects IP-to-MAC address binding. This binding is stored in lookup table that is trusted

  • Attackers cannot initiate ARP cache poisoning attacks due to DAI. DAI monitors the number of ARP packets incoming to the port of the switch that is secured. The port is disabled by the switch if the rate of incoming ARP packets is more than the defined threshold, the switch disables the port. The state of the port is disabled until it is reset.

 

DHCP snooping

  • Implemented at Data link layer.
  • Layer 2 switch is enabled for inspection of frames. This inspection is carried out on a specific port to verify that DHCP offers are legitimate.
  • DHCP probing ensures that hosts holds the assigned IP addresses and certifies that access is possible to DHCP servers who are authorized.
  • If messages are not generated from trusted DHCP servers, DHCP probing drops DHCP messages.

Preventing VLAN hopping

  • Though user is authorized to access part of VLAN, all unused ports are configured to be access ports to prevent that user from gaining access. Place all unused ports in shutdown state.

 

Detecting Packet capture

  • Monitor ARP traffic
  • Watch DNS transaction
  • Listen for responses if packets are invalid
  • Test network latency
  • Perform local detection.
you can view video on Packet Analysis

Suggested Reading:

 

  1. Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
  2. Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
  3. Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
  4. The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
  5. Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
  6. Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
  7. www.snort.org
  8. https://nmap.org