How to Test for Sniffing Vulnerabilities

Posted by Serge Truth on July 19, 2011 at 11:28 AM

Summary

Sniff VulnerabiltiesNetwork eavesdropping or network sniffing attacks consist of intercepting network traffic between two target network nodes, and capturing network packets exchanged between nodes. Attackers commonly use this vulnerability to retrieve sensitive information, including users’ passwords. This attack is applicable to different types of environments, including Local Area Networks (LANs) interconnected by hubs or switches, as well as to Wireless Local Area Networks (WLANs).

Follow these steps to test for network eavesdropping bugs:

  • Step 1: Understand attack scenarios
  • Step 2: Analyze causes and countermeasures
  • Step 3: Execute test cases

Step 1: Understand Attack Scenarios

First, it is necessary to understand the different attack scenarios related to this bug:

  • Networks using hubs
  • Switched networks
  • WLAN networks
  • Sniffing packets on the Internet

Scenario 1: Networks using hubs

Hub networks work by broadcasting every network frame every host connected to the hub. Upon receiving a frame from the hub, each host checks if the frame is addressed to it. If it is, the host processes the frame. If it’s not, the host ignores the frame.

In this scenario, the attacker simply needs to be connected to the same hub as the target host. Then, the attacker starts monitoring network traffic in promiscuous mode, capturing all packets sent to the target host.

In detail:

  1. Attacker connects to same hub as one of the target nodes.
  2. Attacker executes network monitoring tool in promiscuous mode to capture packets exchanged between hosts.

 

Scenario 2: Switch-based LANs

Switched networks are different than hub-based networks because they don’t work on the principle of broadcasts. Instead, the switch sends frames to each of the hosts connected to the switches independently, depending on the recipient. Therefore, an attacker needs an extra condition (besides being connected to the same switch) in order to redirect the network traffic between the switch and the target host through the attacker. A common way to meet this condition is to use an ARP poisoning attack, although other attacks such as DHCP spoofing, port stealing, and DNS spoofing, are also possible.

In detail:

  1. The attacker connects to the same switch as one of the target nodes.
  2. The attacker executes an attack that duplicates/redirects network traffic between switch and target node in the same switch.
  3. The attacker uses a network monitoring tool to capture packets exchanged between two hosts.

Scenario 3: WLAN networks

Wireless Local Area Networks (WLANs) consist of a set of host computers connected through radio waves to an access point (or base station), which in turn is physically connected to a hub or switch using a traditional wired connection. Wireless networks can either be unprotected, allowing any computer to become part of the network, or encrypted, requiring a key to allow computers to become members of the network.  

In this scenario, the attacker follows the same steps of either hub or switch eavesdropping; the only difference is that the attacker must first become part of the network. This is simple if the network is unprotected; the attacker only needs a wireless interface and proximity to the WLAN’s access point. If the WLAN is encrypted, the attacker must first obtain the network’s encryption key and become part of the network. Once the attacker is part of the WLAN, he starts getting all packets in promiscuous mode (if the access point is in front of a hub) or executes an additional attack such as ARP poisoning (if the access point is in front of a switch) to complete the attack. Properly configured wireless access points can help to mitigate this attack.

Scenario 4: Sniffing packets on the Internet

Network connections that occur between two nodes that are far from each other need to travel though the Internet. Usually they are sent across a series of routers set up by Internet Service Providers (ISPs). In this scenario, the attacker is not in the same LAN or WLAN as one of the target nodes; now the attacker is somewhere in the Internet, as if he was really tapping the wire. This can be done in two ways. First, an attacker might programmatically exploit flaws in the design of the Border Gateway Protocol (BGP). When a user navigates to a site, a DNS server provides the user’s computer with an IP for the destination. This IP is then looked up in a BGP table belonging to the user’s ISP in order to find the best route for the request. However, BGP works based on trust, and allows any ISP or network to advertise a range of IP addresses and routes for an origin IP. An attacker may advertise a malicious route for one of the target nodes’ IPs and thus compromise the router, allowing for an eavesdropping attack [i]. Second, a malicious ISP provider has unlimited access to all of its routers and can read the contents of all connections that pass through its routers. If sensitive data travels unencrypted, a malicious ISP administrator can easily read it.

Step 2: Analyze Causes and Countermeasures

Next, it is necessary to understand what leads to network eavesdropping attacks and how to protect against them.

Protecting at the network level

The first type of protection available against eavesdropping attacks is done at the network level, and depends on the kind of network.

Hub networks

By design, networks connected via hubs are vulnerable to eavesdropping attacks. As mentioned in the previous section, a LAN composed of hubs works by broadcasting network frames to all of the hosts connected to the hub. Network eavesdropping attacks on hub networks are possible only by sniffing packets in promiscuous mode, which is a mode of operation of a network interface in which the computer reads each packet that passes through it in its entirety, even if it is not addressed to the computer. This way, instead of discarding all packets that are not intended for the host, the attacker is able to read the contents of all packets, even if they are not meant to be read by the attacker’s computer. To protect against this scenario, administrators must execute network tools such as Anti Sniff (http://packetstormsecurity.org/sniffers/antisniff/), which detects computers that have an interface in promiscuous mode.

Switched networks

Network eavesdropping attacks on switched networks are caused by different factors, depending on the condition executed to redirect/duplicate the traffic between the switch and the target host on the LAN (see scenario 2 in previous section). These methods include Man-in-the-Middle attacks on switch networks where the attacker’s purpose is to sniff the network traffic as part of ARP poisoning, DHCP spoofing, DNS spoofing, and port stealing exploits.

To defend against each scenario, network administrators must address each case differently. For instance, if the attack is executed through ARP poisoning, the cause can be attributed to the design of the ARP protocol allowing remote ARP table modifications. Network administrators may use network inspection tools to defend against ARP poisoning at the network level, and may use tools like Xarp to defend at the host level. For more information see How to - Test for ARP Poisoning Bugs. The same applies to other attacks that require a specific protection based on the attack type. For more information about Man-in-the-Middle attacks on network switches, see  How to - Test for Man-in-the-Middle Bugs.

Wireless networks

Wireless networks are vulnerable to attacks for two reasons.

First, to be vulnerable, a wireless network must allow an attacker to join the network. This happens when the WLAN’s access point is unprotected/unencrypted and allows anyone to join. To protect against this condition, network administrators must use proper encryption (Wireless Protected Access - or WPA and Wired Equivalent Privacy - or WEP). Since these protocols have fallen target to cryptographic attacks, it is necessary to configure them using large enough keys (at least 128 bits) and strong passwords.

Second, in addition to securing access to the WLAN, it is necessary to countermeasure the risk of network eavesdropping attacks by using the defenses listed above, depending on whether the access point is in front of a hub or a switch.

BGP attacks

BGP attacks are caused by the nature of the BGP protocol, which allows for unauthenticated updates of BGP tables. To defend against BGP attacks, use techniques such as route filtering and secure BGP (S-BGP). Setting the appropriate router filters prevents against malicious updates, because the router will only allow a predefined set of routes, blocking any malicious route that might be set by an attacker. S-BGP is more secure because it requires strong authentication (based on public-key cryptography) of a router before it performs an update, and because it uses IPSec between connected BGP routers to protect against unauthorized routers. However, for S-BGP to be properly implemented, many ISPs will need to agree to use it in their routers.

Using encryption at the application/configuration level

Developers must complement any of these network-level defenses with proper encryption of sensitive data that travels over the network. If sensitive data is encrypted before being sent over the network, a successful eavesdropping attack will not be sufficient to read it; the attacker will only see ciphertext in the sniffed packets and not the actual sensitive data in plaintext. There are encryption protocols that go hand-in-hand with authentication (ensuring that the recipient is really who he claims to be). For instance, developers should consider using protocols such as TLS/SSL and IPSec for encrypting and authenticating connections, as well as PGP for sending encrypted email messages or sensitive files. It is important that web applications encrypt login requests from their clients before sending these requests to the application. This can be easily be done in frameworks such as ASP .NET by using forms authentication and setting the SSL-required flag. In the same way, web developers can mark cookies SSL-required so that sensitive data doesn’t travel unencrypted in cookies.

Step 3: Execute Test Cases

Now that you’ve reviewed all the theoretical aspects of network eavesdropping, it is necessary to execute test cases to check if your network is vulnerable.

Test for network eavesdropping on a LAN composed of hubs

Follow these steps to test for network eavesdropping on a LAN composed of hubs:

  1. Connect a computer to the same hub as the target host.
  2. Download and install Wireshark (http://www.wireshark.org/download.html).
  3. Start Wireshark and start capturing network traffic from the interface corresponding to the hub network. Make sure to start capturing in promiscuous mode.

Expected results: If the target host is vulnerable, you will see the captured packets sent to and from the target host in Wireshark.

Test for network eavesdropping on a switched LAN

Follow these steps to test for network eavesdropping on a switched LAN:

  1. Connect a computer to the same switch as the target host.
  2. Download and install Cain (http://www.oxid.it/cain.html) and Wireshark (http://www.wireshark.org/download.html).
  3. Run Cain.
  4. Click Configure in the menu and select the network interface (note that it can be a wireless interface for the next test case).
  5. Click the Sniffer tab and then the Hosts sub-tab.
  6. Start the sniffer and click the plus (+) sign.
  7. Select a range of IPs to scan their MAC addresses (include the target box in the range), and then click OK. Both the gateway’s and the target host’s IPs (and their MACs) should appear in the hosts list.
  8. Click the ARP poisoning sub-tab.
  9. Click on the plus (+) sign and add an ARP route from the victim to the gateway.
  10. Start the ARP poisoning attack by pressing the ARP button. As soon as the victim becomes active, its status changes from “idle” to “poisoning.” The lower pane will begin to show the packets being intercepted.
  11. Start Wireshark and start capturing network traffic from the same interface selected in Cain.

Expected results: A successful ARP poisoning attack will be visible in both in Cain and Wireshark. In Cain, the lower pane of the Sniffer->ARP tab shows the packets being sniffed.  If the target host is vulnerable, you will see the captured packets sent to and from the target host in Wireshark.

 

Test for network eavesdropping on a WLAN

Follow these steps to test for network eavesdropping on a WLAN: 

  1. If the WLAN is unprotected/unencrypted, go to step 4.
  2. Download a WEP/WAP cracking tool such as Aircrack (http://www.aircrack-ng.org/doku.php).
  3. Use Aircrack to break encryption and connect to the WLAN.
  4. Once in network, follow one of the two test cases above (depending on whether the access point is connected by a switch or a hub).

Expected results: If the WLAN is protected, it should resist to the cryptographic attack in step 3, making it impossible to follow with the eavesdropping attack (step 4). If the network is unprotected, then the eavesdropping attack from step 4 must be checked, depending on the test case scenario (hub vs. switch).

Test for network eavesdropping on a BGP router

Follow these steps to test for network eavesdropping on a BGP router: 

  1. Log in to computer outside of the LAN/WLAN of two target nodes.
  2. Discover the IP of one of the target nodes.
  3. Discover the BGP router for one of the target nodes.
  4. Send UDPATE BGP packets to the router found in step 2, advertising a false route for the destination IP address (found in step 1) to the computer used for this test.

Expected results: The router is vulnerable if it modifies its BGP tables with the false route advertised in step 4.

Conclusions

Network eavesdropping attacks consist of monitoring network traffic between two target nodes. The attack is achieved by joining the network of one of the two target nodes, such as a hub LAN, switched LAN, or WLAN. Once the attacker is in the network, he uses different techniques, depending on the type of network, to start capturing network traffic. For instance, in networks composed of hubs, the attacker just needs to run a network sniffer in promiscuous mode; in switched networks an extra condition, such as an ARP poisoning attack, is required. Wireless networks require the attacker to join the network before executing the attack on the hub or switch behind the access point. If encryption is used on the wireless access point, it would need to be circumvented prior to further testing.  All of these variations have different protection methods, depending on the attack type. Testing for them is done with the aid of network attack and monitoring tools.

 

[i] Revealed: The Internet's Biggest Security Hole. http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Topics: developer guidance, application security

Serge Truth

Written by Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.