Sniffing & Keylogger

Deff Arnaldy, M.Si
0818 0296 4763
deff_arnaldy@yahoo.com

Uploaded by phamthuy, posted on 22-Mar-2019 (24 slides)

Overview

• Sniffing concept
• Capturing live network data
• Exploring the capture results
• Sniffing countermeasures
• Keyloggers


Sniffing Concept

• A sniffer is a program that reads and analyses every protocol passing through the machine on which the program is installed.

• By default, a computer in a network (a workstation) only listens to and responds to packets addressed to it. However, the network card can be set by certain programs so that it monitors and captures all passing network traffic, regardless of whom the packet is addressed to.

• This activity is usually called sniffing.


Sniffing

• Targets the Data Link layer of the protocol stack
• Sniffer: gathers traffic off the network

• This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.

• Allows an attacker to read data passing a given machine in real time.

• Two types of sniffing:
  • Active
  • Passive


Sniffing

Passive
• Attacker must have an account on the LAN
• Done over a hub
• Usually, once access is gained on one computer, the attacker uses the passwords to get into other computers

Active
• Attacker still needs an account
• Several different attacks:
  - Parsing packets
  - Flooding
  - Spoofed ARP messages
  - DNS spoofing
  - HTTPS and SSH spoofing


Passive Sniffing

(Diagram: user1, user2, Server and Bad guy are all attached to a HUB; user1 sends the message "BLAH".)

- Message gets sent to all computers on the hub


Active Sniffing

(Diagram: user1, user2, Server and Bad guy are all attached to a Switch; user1 sends the message "BLAH".)

- Message gets sent only to the requesting computer, by looking at the MAC address
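To make the hub/switch difference on these two slides concrete, here is an added Python simulation (not from the slides) of both devices: a hub repeats every frame to every other port, while a switch learns source MACs into a forwarding table and sends a frame only out of the learned port, flooding it like a hub for as long as the destination is unknown. The host names (user1, user2, server, badguy), the port names and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed LAN: four hosts, one port each (names follow the slide's diagram).
HOSTS = {
    "user1":  "02:00:00:00:00:01",
    "server": "02:00:00:00:00:02",
    "user2":  "02:00:00:00:00:03",
    "badguy": "02:00:00:00:00:04",
}
PORT_OF = {name: f"port{i}" for i, name in enumerate(HOSTS, start=1)}
NAME_OF_PORT = {port: name for name, port in PORT_OF.items()}


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    payload: str


class Hub:
    """Layer-1 repeater: every frame is copied to every port except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return [p for p in self.ports if p != ingress]


class Switch:
    """Layer-2 switch with a MAC learning (CAM) table.

    The source MAC of every frame is learned against its ingress port.  A frame
    whose destination MAC is known goes out of that single port; a broadcast or an
    unknown-unicast destination is flooded to all other ports, exactly like a hub.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}           # MAC -> port

    def forward(self, ingress, frame):
        self.cam[frame.src] = ingress
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            return [p for p in self.ports if p != ingress]   # flood
        return [self.cam[frame.dst]]


def run_exchange(device):
    """Push a short user1 <-> server exchange through `device` and return, for each
    frame, the sorted names of the hosts whose NIC receives a copy of it."""
    exchange = [
        ("user1", "server", "BLAH"),        # server's MAC not yet learned by a switch
        ("server", "user1", "ok"),          # reply: a switch now knows both ports
        ("user1", "server", "BLAH again"),  # same frame as the first one
    ]
    seen = []
    for src, dst, text in exchange:
        frame = Frame(HOSTS[src], HOSTS[dst], text)
        egress = device.forward(PORT_OF[src], frame)
        seen.append(sorted(NAME_OF_PORT[p] for p in egress))
    return seen


if __name__ == "__main__":
    for dev in (Hub(PORT_OF.values()), Switch(PORT_OF.values())):
        print(type(dev).__name__, run_exchange(dev))
```

Running it shows the hub handing all three frames to badguy, while the switch hands over only the first one (an unknown-unicast flood) and then delivers the rest to the right port only. That first frame is the practitioner's caveat: a switch narrows exposure rather than removing it, and the "flooding" and "spoofed ARP" attacks listed on the Active slide are precisely the ways an attacker pushes the table back into the flooding state or redirects the learned port. This is why the mitigation slide later in the deck ranks cryptography, not switching, as the most effective countermeasure.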


Dsniff

• Offers several ways around a switch
• Available for OpenBSD, Linux, Solaris, and there is a version for Windows
• Very popular and versatile
• In conjunction with sshmitm and webmitm, conducts all the above attacks


Major Problems with Sniffing

• Any mischievous machine can examine any packet on a BROADCAST medium

• Ethernet is BROADCAST
  • at least on the segments over which it travels

• Getting passwords is the first step in exploiting a machine
  • email is plaintext and vulnerable


What does one sniff?

• passwords
• email
• financial account information
• confidential information
• low-level protocol info to attack
  • hardware addresses
  • IP addresses
  • routing, etc.


What are the components of a packet sniffer?

1. Hardware: standard network adapters.

2. Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.

3. Buffers: used to store the frames captured by the Capture Filter.


4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.

5. Decoder: "Protocol Analysis".
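The five components above map directly onto a small program. The following Python example is added here (it is not code from the slides or from any of the tools they list) and wires them together: a decoder that parses Ethernet II, IPv4 and TCP headers from raw frame bytes, a capture filter that keeps only segments on ports that carry credentials in the clear, a bounded buffer, and an analyzer that reports which host pairs are exchanging such traffic. The MAC addresses, IP addresses and payloads in SAMPLE_FRAMES are constructed test input; the frames are built in memory rather than read from a network adapter, so it runs offline. Checksums are not verified, which a real decoder would do.

```python
import socket
import struct
from collections import Counter, deque

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Protocols named on the slides as carrying credentials unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed test input: an Ethernet II / IPv4 / TCP frame with zeroed checksums."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         1, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) +
               bytes.fromhex(src_mac.replace(":", "")) +
               struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + tcp_hdr + payload


def decode_frame(raw):
    """Decoder ("protocol analysis"): Ethernet II -> IPv4 -> TCP.
    Returns the header fields plus the TCP payload, or None for anything that is
    not IPv4/TCP (ARP, IPv6, UDP, truncated frames)."""
    if len(raw) < 14 + 20 + 20:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != IPPROTO_TCP \
            or total_len < ihl + 20 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]                  # honour total_len: frames may be padded
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4             # TCP header length incl. options
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(sip), "dst_ip": socket.inet_ntoa(dip),
        "ttl": ttl, "sport": sport, "dport": dport, "payload": tcp[doff:],
    }


def cleartext_filter(pkt):
    """Capture filter: keep only TCP segments to or from a cleartext-credential port."""
    return pkt["dport"] in CLEARTEXT_PORTS or pkt["sport"] in CLEARTEXT_PORTS


class Sniffer:
    """Capture filter + bounded buffer + real-time analyzer, fed one raw frame at a time."""

    def __init__(self, capture_filter, buffer_size=256):
        self.capture_filter = capture_filter
        self.buffer = deque(maxlen=buffer_size)   # oldest frames are dropped when full
        self.stats = Counter()

    def feed(self, raw):
        pkt = decode_frame(raw)
        if pkt is None:
            self.stats["undecoded"] += 1
            return
        self.stats["decoded"] += 1
        if self.capture_filter(pkt):
            self.buffer.append(pkt)
            self.stats["buffered"] += 1

    def analyze(self):
        """Analyzer: Counter of (src_ip, dst_ip, protocol) -> segments seen in the clear."""
        findings = Counter()
        for pkt in self.buffer:
            port = pkt["dport"] if pkt["dport"] in CLEARTEXT_PORTS else pkt["sport"]
            findings[(pkt["src_ip"], pkt["dst_ip"], CLEARTEXT_PORTS[port])] += 1
        return findings


# Constructed sample traffic: a telnet login exchange, one TLS record, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:05", "02:00:00:00:00:09", "10.0.0.5", "10.0.0.9",
                51000, 23, b"login: alice\r\n"),
    build_frame("02:00:00:00:00:09", "02:00:00:00:00:05", "10.0.0.9", "10.0.0.5",
                23, 51000, b"Password: "),
    build_frame("02:00:00:00:00:05", "02:00:00:00:00:0a", "10.0.0.5", "10.0.0.10",
                51001, 443, b"\x16\x03\x01\x00\x05hello"),
    bytes.fromhex("ffffffffffff" "020000000005" "0806") + b"\x00" * 28,   # ARP: skipped
]


def run_sample():
    sniffer = Sniffer(cleartext_filter)
    for raw in SAMPLE_FRAMES:
        sniffer.feed(raw)
    return dict(sniffer.stats), sniffer.analyze()


if __name__ == "__main__":
    stats, findings = run_sample()
    print(stats)
    for (src, dst, proto), n in findings.items():
        print(f"{proto}: {src} -> {dst} ({n} segments in the clear)")
```

Run on the sample, the decoder accepts the three IPv4/TCP frames and rejects the ARP frame, the filter buffers only the two telnet segments, and the analyzer reports 10.0.0.5 and 10.0.0.9 talking telnet in both directions. Used by a defender, this is the "detection of clear-text passwords" role the deck lists among legitimate sniffer uses: an inventory of where credentials still cross the wire unencrypted, which is the traffic that the cryptography countermeasure on the mitigation slide is meant to remove.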


How does a Sniffer Work?

Sniffers also work differently depending on the type of network they are in:

1. Shared Ethernet
2. Switched Ethernet


How can I detect a packet sniffer?

• Ping method
• ARP method
• DNS method
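The slide only names the three detection methods, so here is an added Python model (not from the slides) of the ARP method, which exploits the difference between a NIC's hardware address filter and the operating system's ARP code. A NIC in normal mode discards frames whose destination MAC is neither its own address nor the broadcast address, so an ARP request sent to a bogus destination such as ff:ff:ff:ff:ff:fe never reaches the OS. A host running a sniffer has put its NIC in promiscuous mode, the filter is off, the request reaches the ARP code, which only checks the target IP, and the host answers. The segment, the hosts and their addresses are constructed for the example; the probe is simulated in memory rather than sent on a real network.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Bogus destination: not the broadcast address, so a correctly filtering NIC in
# normal mode discards the frame before the operating system ever sees it.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"


@dataclass
class ArpRequest:
    eth_dst: str      # destination MAC in the Ethernet header
    sender_ip: str
    target_ip: str    # "who has target_ip?"


class Host:
    def __init__(self, mac, ip, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous

    def nic_accepts(self, eth_dst):
        """Hardware address filter.  Normal mode: own unicast MAC or broadcast only.
        Promiscuous mode (a sniffer is running): the filter is off, everything goes up."""
        if self.promiscuous:
            return True
        return eth_dst in (self.mac, BROADCAST)

    def answers_arp(self, req):
        """The OS ARP code replies when the target IP is ours; it does not re-check
        the Ethernet destination, which is exactly what the detection relies on."""
        return self.nic_accepts(req.eth_dst) and req.target_ip == self.ip


def arp_probe(hosts, prober_ip, eth_dst):
    """Send one ARP request per host on the segment, with eth_dst as the frame
    destination, and return the set of IPs that answered."""
    answered = set()
    for target in hosts:
        req = ArpRequest(eth_dst, prober_ip, target.ip)
        answered.update(h.ip for h in hosts if h.answers_arp(req))
    return answered


def find_promiscuous_hosts(hosts, prober_ip="10.0.0.254"):
    """ARP method: a host that answers the fake-broadcast request, and also answers
    a normal broadcast one (so we know it is alive), is in promiscuous mode."""
    alive = arp_probe(hosts, prober_ip, BROADCAST)
    suspicious = arp_probe(hosts, prober_ip, FAKE_BROADCAST)
    return sorted(alive & suspicious)


# Constructed segment: three hosts, one of them running a sniffer.
SEGMENT = [
    Host("02:00:00:00:00:01", "10.0.0.1"),
    Host("02:00:00:00:00:02", "10.0.0.2", promiscuous=True),
    Host("02:00:00:00:00:03", "10.0.0.3"),
]

if __name__ == "__main__":
    print("alive:", sorted(arp_probe(SEGMENT, "10.0.0.254", BROADCAST)))
    print("promiscuous:", find_promiscuous_hosts(SEGMENT))
```

The ping method on the same slide is the same trick with an ICMP echo request instead of an ARP request. Two caveats apply to both: the result depends on the target's driver and stack actually passing the oddly addressed frame up and replying (behaviour differs between operating systems), and a sniffer on a receive-only tap or span port never replies at all, so a negative probe is not proof that no sniffer is present. On a host you administer, the interface flags (the PROMISC flag in `ip link show` on Linux) are a more reliable local check than any probe from the network.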


Packet Sniffer Mitigation

The following techniques and tools can be used to mitigate sniffers:

• Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
• Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
• Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
• Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

(Diagram: Host A, Router A, Router B, Host B.)


Top 11 Packet Sniffers

• Wireshark
• Kismet
• Tcpdump
• Cain and Abel
• Ettercap
• Dsniff
• NetStumbler
• Ntop
• Ngrep
• EtherApe
• KisMAC


Working of Cain & Abel


What are sniffers used for?

• Detection of clear-text passwords and usernames from the network.
• Conversion of data to human-readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Network intrusion detection in order to discover hackers.


Prevention of Sniffing

• Segmentation into trustworthy segments
  • bridges
  • better yet, switched hubs

• Not enough "not to allow sniffing"
  • easy to add a machine on the net
  • may try using X-terminals vs workstations


Prevention of Sniffing (more)

• Avoid password transmission
  • one solution is the r-family
    • rlogin, rcp, rsh, etc.
    • put trusted hosts in .rhosts
    • many SAs (system administrators) don't want users to use them

• Using encrypted passwords
  • Kerberos
  • PGP public keys


Keylogger

• If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers

• Keystroke loggers (keyloggers) can be implemented either using hardware or software


• Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device

• In order to install a hardware keylogger, a hacker must have physical access to the system


• Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke.

• Software keyloggers can be deployed on a system by Trojans or viruses


References

• http://netsecurity.about.com/cs/hackertools/a/aa121403.htm
• http://e-articles.info/e/a/title/Packet-Sniffing:-Sniffing-Tools-Detection-Prevention-Methods/
• http://sectools.org/sniffers.html
• http://en.wikipedia.org/wiki/Cain_and_Abel_(software)
• http://www.authorstream.com/Presentation/chinmayzen-79529-packet-sniffers-education-ppt-powerpoint/
• http://www.youtube.com/watch?v=O00LENbtiIw
