Athena - How to Detect Sniffer Attacks on a LAN

92 Nguyễn Đình Chiểu, DaKao, Quận 1, Tp HCM - www.Athena.Edu.Vn - Hotline: 38244041 / 090 78 79 477
Network security research document - www.Athena.Edu.Vn

Supervising lecturer: Võ Đỗ Thắng
Project team:
0512253 Bùi Xuân Phong
0512213 Phan Bảo Lộc
0512211 Ha Thnng Lc
0512205 Nguyễn Kinh Luân
0512187 Quách Minh Khánh


Contents

I. Basic concepts of sniffers
  1.1 A brief overview of sniffers
  1.2 What are sniffers used for?
  1.3 How does sniffing take place?
  1.4 What is an Ethernet MAC address?
    1.4.1 Introduction
    1.4.2 Details of the Ethernet MAC address
II. Methods for detecting sniffers on a network
  2.1 The Ping method
  2.2 The ARP method
  2.3 The DNS method
  2.4 The Source-Route method
  2.5 The Decoy method
  2.6 The packet latency method
III. Methods for preventing sniffing on a network
  3.1 Network types at risk of sniffing
  3.2 Protocols at risk of sniffing
  3.3 Preventing data sniffing
  3.4 Preventing password sniffing
  3.5 Preventing sniffing with hardware
  3.6 Some terminology
IV. The XARP program
  4.1 Introduction
  4.2 Program interface
  4.3 Security levels in XARP
  4.4 Demo: detecting an ARP poisoning attack


I. Basic concepts of sniffers

1.1 A brief overview of sniffers

Originally "Sniffer" was the name of a product from Network Associates, the Sniffer Network Analyzer. Today a sniffer is simply understood as a program that tries to listen in on the traffic flowing through a computer network. The exchanges between networked systems are usually binary data, so to eavesdrop on that data and make sense of it a sniffer needs special capabilities: protocol analysis, and the ability to decode the binary data into something readable. On a network whose hosts share a common link-layer protocol you can run a sniffer on any host in the network; the receive mode it relies on is called promiscuous mode.

1.2 What are sniffers used for?

Sniffers are normally used for two purposes:
- as a tool that helps network administrators monitor and maintain their network;
- as a program planted on a network to sniff out and eavesdrop on the information passing through that segment.

Some capabilities of sniffers:
- Hackers use them to capture usernames and unencrypted (clear-text) passwords on your network.
- They let administrators follow the data travelling over the wire; an administrator can read the data and understand what it means.
- They let administrators monitor the traffic of the system and, from that, analyse the errors occurring in the network's traffic, for example why a packet from machine A cannot reach machine B.
- Some sniffer tools can also automatically detect and warn about attacks being carried out against the network they run on (intrusion detection).
- Sniffers record information about packets and sessions, which serves later analysis and troubleshooting of network problems.

1.3 How does sniffing take place?

Ethernet is built on a shared-medium principle: every computer on a local network shares the same transmission medium. Put differently, every computer is able to see the data traffic carried on that shared medium. Ethernet hardware is therefore built with a filtering feature that discards all data not meant for it; the filter works by ignoring every frame whose destination MAC address does not belong to the adapter. A sniffer turns this filtering off and uses promiscuous mode, and can then see all the traffic on the network.


1.4 What is an Ethernet MAC address?

1.4.1 Introduction

When many computers can share one transmission medium, each machine needs its own distinct identifier. When you send data from outside an Ethernet network you must know the address it is to be delivered to. The identifier for each computer on the network is its Ethernet MAC address.

1.4.2 Details of the Ethernet MAC address

A MAC address is written as 12 hexadecimal digits and is a 48-bit number.
- These 48 bits are split into two halves.
- The first 24 bits identify the manufacturer of your Ethernet card.
- The remaining 24 bits are a serial number assigned by that manufacturer, so that in principle no two Ethernet cards ever carry the same MAC address. The manufacturer's 24-bit half is also referred to as the OUI (Organizationally Unique Identifier).
- The OUI is really only 22 bits long; the 2 remaining bits are used for other purposes. One bit indicates that the address is a broadcast/multicast address (an address for announcing to the whole network); the other is used when an adapter's address has been reassigned locally.

II. Methods for detecting sniffers on a network

In theory it is very hard to detect the presence of a sniffer on a system: it only captures and tries to read packets, so it causes no disturbance or significant packet loss on the wire. In practice, however, there are several ways to detect a sniffer. Running in isolation on a machine that does not communicate, it leaves no trace at all; but installed on a machine that is not isolated and does communicate, the sniffer itself generates traffic, for instance reverse DNS queries looking up the IP addresses it sees. Below are some methods for detecting sniffers.

2.1 The Ping method

Most sniffers are installed on computers in the network that use a TCP/IP stack, so when you send a request to such a computer it replies with a result. Send an echo request to the IP address of the machine you want to check for a sniffer, but addressed so that it does not pass the filter of that machine's Ethernet adapter. A concrete example:
1. You suspect that the computer with IP address 10.0.0.1 and MAC address 00-40-05-A4-79-32 has a sniffer installed.
2. You are on the same Ethernet network as the suspected sniffer.
3. You change the MAC address to 00-40-05-A4-79-33.
4. You ping that IP address using the new MAC address.
5. In principle no computer should be able to see this packet, because an Ethernet adapter accepts only frames carrying its own valid MAC address.
6. If you see a reply from the suspected address even though the frame did not match the MAC address filter on its Ethernet card, the computer with IP address 10.0.0.1 has a sniffer installed.

With their own techniques hackers can still evade the method above: they use fake MAC addresses. Many systems, Windows among them, implement MAC filtering, but Windows checks only the first byte: if a MAC address has the form FF-00-00-00-00-00, Windows simply treats it as FF-FF-FF-FF-FF-FF. This is a loophole hackers can exploit to fool your systems. This simple sniffer-detection technique is normally used on Ethernet networks based on switches and bridges.

2.2 The ARP method

This detection method is similar to the Ping method; the difference is that ARP packets are used. To carry it out you send an ARP packet to some address on the network (not the broadcast address). If the machine answers the ARP packet with its own address, it is running a sniffer in promiscuous mode. Every ARP packet carries complete information about sender and receiver. When a hacker sends an ARP packet to the broadcast address, it contains your IP address and the MAC address resolved by Ethernet, and a few minutes later every machine on the Ethernet network has remembered this information. The hacker therefore sends ARP packets that do not go through the broadcast address and then pings the broadcast address. Any machine that answers him without ARPing first can have its MAC address captured by using a sniffer to capture the ARP frames.
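As an added example (not code from the original report), the Python below decodes the MAC address fields described in section 1.4.2 and models the two destination-address filters contrasted in section 2.1: a correct filter that compares all six bytes, and the first-byte-only filter the text attributes to Windows, under which FF-00-00-00-00-00 passes as broadcast. The last function applies the reasoning of the ping test: a reply to a frame a correctly filtering adapter would have dropped means the host is receiving traffic not addressed to it. The sample addresses are the ones used in the text; the function names are my own, and the multicast-group set is an assumption used to model a host that has joined no groups.

```python
import re

BROADCAST = b"\xff" * 6


def parse_mac(text: str) -> bytes:
    """Parse 00-40-05-A4-79-32 or 00:40:05:a4:79:32 into six raw bytes."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def describe_mac(text: str) -> dict:
    """Split a 48-bit MAC into the fields discussed in section 1.4.2.

    The I/G bit (bit 0 of the first byte) marks group (multicast/broadcast)
    addresses; the U/L bit (bit 1) marks locally administered addresses,
    i.e. an adapter whose address was reassigned by software.
    """
    mac = parse_mac(text)
    return {
        "oui": mac[:3].hex("-").upper(),              # vendor part, first 24 bits
        "serial": mac[3:].hex("-").upper(),           # vendor-assigned part, last 24 bits
        "group": bool(mac[0] & 0x01),                 # I/G bit: multicast or broadcast
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit
        "broadcast": mac == BROADCAST,
    }


def nic_accepts_strict(nic_mac: bytes, dst_mac: bytes,
                       multicast_groups: frozenset = frozenset()) -> bool:
    """A correct non-promiscuous filter: own unicast address, the exact
    broadcast address, or a multicast group the host has actually joined
    (assumed empty here, i.e. no groups joined)."""
    if dst_mac == nic_mac or dst_mac == BROADCAST:
        return True
    return bool(dst_mac[0] & 0x01) and dst_mac in multicast_groups


def nic_accepts_first_byte_only(nic_mac: bytes, dst_mac: bytes) -> bool:
    """The sloppy filter described in section 2.1: only the first byte is
    checked, so FF-00-00-00-00-00 is treated like FF-FF-FF-FF-FF-FF."""
    return dst_mac == nic_mac or dst_mac[0] == 0xFF


def promiscuous_suspected(nic_mac: bytes, probe_dst: bytes, replied: bool) -> bool:
    """The ping-test inference: a reply to a frame whose destination MAC a
    correctly filtering adapter would have discarded means the host is
    receiving traffic not addressed to it."""
    return replied and not nic_accepts_strict(nic_mac, probe_dst)


if __name__ == "__main__":
    suspect = parse_mac("00-40-05-A4-79-32")   # the host from the text
    probe = parse_mac("00-40-05-A4-79-33")     # one bit off, as in step 3
    print(describe_mac("00-40-05-A4-79-32"))
    print("strict filter delivers probe:", nic_accepts_strict(suspect, probe))
    print("first-byte filter delivers FF-00-00-00-00-00:",
          nic_accepts_first_byte_only(suspect, parse_mac("FF-00-00-00-00-00")))
    print("promiscuous suspected if it replies:",
          promiscuous_suspected(suspect, probe, replied=True))
```

The two filter functions make the loophole concrete: the strict filter rejects both the off-by-one unicast probe and FF-00-00-00-00-00 (a group address the host never joined), while the first-byte filter delivers the latter, which is why a probe of that form cannot distinguish a promiscuous host from one with a sloppy filter.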

2.3 The DNS method

Many sniffer programs reverse-resolve the IP addresses they see into DNS names (dsniff, for example), so by watching DNS traffic you can detect a sniffer running in promiscuous mode. To apply this method, monitor the reverse lookups arriving at your DNS server. When you notice repeated pings probing IP addresses that do not exist on your network, followed by attempts to reverse-resolve IP addresses taken from ARP packets, these are the actions of a sniffer and nothing else.

2.4 The Source-Route method

This method uses the source and destination address information in each IP header to detect sniffing on individual network segments. Ping from one computer to another, but with routing disabled on the source computer; simply put, arrange things so that the packet cannot reach its destination. If you nevertheless see a reply, your network has a sniffer on it. To use this method you rely on a few options in the IP header: the router ignores the destination IP address and forwards instead to the IP addresses listed in the Source-Route option. A concrete example:
- Bob and Anna are on the same segment. Someone else on that segment sends Anna a few IP packets and asks her to forward them to Bob. Anna is not a router, so she drops every IP packet the sender wanted forwarded to Bob (she cannot do this job). No IP packet was delivered to Bob, yet he still manages to reply. That is absurd, so he must be using a sniffer.

2.5 The Decoy method

This is similar to the ARP method but is used over a much wider area of the network (almost everywhere). Many protocols send passwords unencrypted over the wire; hackers value these passwords highly, and the decoy method takes advantage of that. You simply simulate clients using services whose passwords travel unencrypted, such as POP, FTP, Telnet or IMAP. You can configure users with no privileges, or even users that do not exist. Once a sniffer captures this seemingly valuable information, the hackers will try to verify, use and exploit it. What will you do next?

2.6 The packet latency method

This method disturbs the traffic on your network: you send a large amount of data to the computer you suspect of running a sniffer. If the machine has nothing on it, there is no noticeable effect. Ping the suspected machine before and during the load and compare the two measurements. This method turns out not to be very effective: the IP packets sent over the wire themselves cause delay and loss, and a sniffer running in user mode, scheduled independently by the CPU, also gives inaccurate results.

III. Methods for preventing sniffing on a network

3.1 Network types at risk of sniffing

- Cable modem
- DSL
- ADSL
- Switched networks
- Wireless such as IEEE 802.11, a.k.a. AirPort
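The following Python is an added example, not part of the original report, showing the defender's side of two of the detection methods above as log analysis: for section 2.3 it finds clients that reverse-resolve (PTR) many local addresses no real host uses, the behaviour of a sniffer resolving what it captures; for section 2.5 it flags any login attempt that uses a decoy account, which can only have been obtained by capturing it on the wire. Both log excerpts, the host inventory, the decoy account names and the simple "client qtype qname" log layout are constructed for the example and are not output of any real DNS server or mail/FTP daemon.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed DNS query log in a simple "client qtype qname" layout.
# 10.0.0.5 is reverse-resolving every address on the segment, including
# ones that no host uses; 10.0.0.9 is doing ordinary lookups.
DNS_LOG = """\
10.0.0.5 PTR 1.0.0.10.in-addr.arpa
10.0.0.5 PTR 2.0.0.10.in-addr.arpa
10.0.0.5 PTR 3.0.0.10.in-addr.arpa
10.0.0.5 PTR 4.0.0.10.in-addr.arpa
10.0.0.5 PTR 6.0.0.10.in-addr.arpa
10.0.0.5 PTR 7.0.0.10.in-addr.arpa
10.0.0.9 A   www.example.com
10.0.0.9 PTR 1.0.0.10.in-addr.arpa
"""

# Constructed inventory of addresses really in use on the segment.
KNOWN_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.5", "10.0.0.9"}

# Constructed authentication log. pop-legacy and ftp-backup are decoy
# accounts that no legitimate client is ever configured to use.
AUTH_LOG = """\
2009-05-12T10:01:07 service=pop3 user=alice src=10.0.0.2 result=ok
2009-05-12T10:03:44 service=pop3 user=pop-legacy src=10.0.0.5 result=fail
2009-05-12T10:04:01 service=ftp user=ftp-backup src=10.0.0.5 result=fail
2009-05-12T10:05:19 service=ftp user=bob src=10.0.0.9 result=ok
"""

DECOY_ACCOUNTS = {"pop-legacy", "ftp-backup"}


def ptr_target(qname: str):
    """Turn '7.0.0.10.in-addr.arpa' back into the IPv4 address 10.0.0.7.
    Returns None for names that are not IPv4 reverse-lookup names."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", qname, re.IGNORECASE)
    if not m:
        return None
    try:
        return str(IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:
        return None


def find_ptr_sweeps(log: str, known_hosts: set, local_net: str, threshold: int = 3) -> dict:
    """Section 2.3: return {client: sorted unused local addresses it
    reverse-resolved} for every client that looked up at least
    `threshold` addresses nobody on the segment uses."""
    net = IPv4Network(local_net)
    unused = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "PTR":
            continue
        client, target = fields[0], ptr_target(fields[2])
        if target and IPv4Address(target) in net and target not in known_hosts:
            unused[client].add(target)
    return {c: sorted(ips) for c, ips in unused.items() if len(ips) >= threshold}


def decoy_logins(log: str, decoys: set) -> list:
    """Section 2.5: every attempt to use a decoy account is an alert.
    Returns (source address, service, decoy user) tuples."""
    hits = []
    for line in log.splitlines():
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        if kv.get("user") in decoys:
            hits.append((kv.get("src"), kv.get("service"), kv["user"]))
    return hits


if __name__ == "__main__":
    print(find_ptr_sweeps(DNS_LOG, KNOWN_HOSTS, "10.0.0.0/24"))
    print(decoy_logins(AUTH_LOG, DECOY_ACCOUNTS))
```

In the constructed data both checks point at the same source, 10.0.0.5: it reverse-resolves four addresses that no inventoried host owns, and it later tries both decoy accounts, which is the corroboration the decoy method is designed to provide.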

3.2 Protocols at risk of sniffing

- Telnet, Rlogin
- SNMP
- NNTP
- POP, IMAP, SMTP
- FTP

3.3 Preventing data sniffing

Probably the simplest way to stop anyone who wants to sniff your data is to use standard encryption protocols for data on the wire. Once data is encrypted, attackers can still sniff it, but they cannot read it.

SSL (Secure Socket Layer): an encryption protocol developed for most web servers and popular web browsers. SSL is used to encrypt sensitive information sent over the wire, such as customers' credit card numbers, passwords and other important data.

PGP and S/MIME: e-mail can also be sniffed by attackers. When they sniff an unencrypted e-mail they learn not only its contents but also details such as the sender's and recipient's addresses. To keep e-mail safe and private you therefore need to encrypt it as well. S/MIME is built into most current mail programs such as Netscape Messenger and Outlook Express. PGP is another protocol used to encrypt e-mail; it supports DSA and RSA encryption with keys of up to 2048 bits.

OpenSSH: when you use Telnet or FTP, these two standard protocols offer no encryption of data on the wire. Particularly dangerous is that passwords are not encrypted: they are sent over the wire as clear text. What happens if this sensitive data is sniffed? OpenSSH is a protocol suite created to remedy this weakness: SSH (used in place of Telnet) and SFTP (used in place of FTP).

VPNs (Virtual Private Networks): used to encrypt data in transit over the Internet. However, if a hacker can attack and compromise a node of the VPN connection, sniffing is still possible. A simple example: an Internet user picks up a RAT (Remote Access Trojan) while browsing the web; this kind of Trojan usually comes with a sniffer plugin built in. Eventually the careless user sets up a VPN connection, at which point the Trojan's sniffer plugin goes to work and can read the data before it is encrypted and put into the VPN. To defend against this kind of attack, raise the security awareness of the users of your VPN and use antivirus software to detect and prevent Trojan infections.

3.4 Preventing password sniffing

To stop attackers who want to sniff passwords, use password-encrypting protocols and methods together with a secure authentication solution:

SMB/CIFS: in a Windows/Samba environment, enable LAN Manager authentication.

Kerberos: a secure authentication solution used on Unix as well as Windows.

Stanford SRP (Secure Remote Password): fixes the unencrypted-password weakness of the FTP and Telnet protocols on Unix.

3.5 Preventing sniffing with hardware

Replacing your hubs with switches provides more effective protection. A switch creates a broadcast domain, which has the effect of delivering only invalid (spoofed) ARP packets to an attacker rather than everyone's traffic. Hackers nevertheless have clever ways around this defence. ARP requests carry accurate information, from the sender's IP address to its MAC address, and to cut down ARP traffic on the wire most computers read and reuse the information cached from earlier broadcast queries.


A hacker can therefore redirect nearby computers and get past this defence by sending ARP packets that bind the router's IP address to his own MAC address. Every computer on the local network then mistakes him for the router and sets up its sessions through his machine. A similar DoS attack on a local network, once successful, knocks the chosen target off the network; the attacker then starts using the victim's own IP address and quietly inherits and uses its connections. Windows itself, on detecting this, does nothing except shut down its own TCP/IP stack and let the connection continue. To defend against attacks of this kind you only need an IDS (intrusion detection system); an IDS such as BlackICE IDS or Snort automatically detects and reports them. Most Ethernet adapters allow the MAC address to be configured by hand, so a hacker can create spoofed MAC addresses by pointing the adapter at other addresses. To counter this, most switches do not allow MAC addresses to be reconfigured.

3.6 Some terminology

Ethernet: a powerful networking technology used in most LANs.
Wireless: wireless networking technologies.
Serial Direct Cable Connection: connecting computers with a cable that carries data directly between them.
PPP (Point-to-Point Protocol): a reliable protocol for connecting to the Internet over a modem.
IP (Internet Protocol): the protocol that handles the actual delivery of data; the basis for addressing and transporting data across the Internet.
ICMP (Internet Control Message Protocol): handles status messages for IP, such as error reports and network changes that may affect routing.
ARP (Address Resolution Protocol): translates network addresses into the physical hardware addresses of the layer below, using broadcast messages; used to determine network addresses.
RARP (Reverse Address Resolution Protocol): does the opposite of ARP, translating a machine's hardware address into its IP address.
TCP (Transmission Control Protocol): a connection-oriented protocol and service that lets sending and receiving machines communicate with each other at any time and from anywhere.
UDP (User Datagram Protocol): a connectionless protocol and service; sender and receiver do not communicate over a continuous connection.
Telnet: a protocol for remote login; a user on one machine can connect to another and operate it as if sitting at it.
FTP (File Transfer Protocol): a protocol for transferring data from one machine to another over TCP.
SMTP (Simple Mail Transfer Protocol): the protocol for sending and receiving electronic mail between machines.
DNS (Domain Name Service): resolves computer addresses from textual names to numbers.

There are many more layer-7 service protocols, but within the scope of this paper I list only some basic ones.


IV. The XARP program

4.1 Introduction

XARP is a graphical tool for monitoring the computer's ARP cache. It periodically queries the machine's ARP cache table and reports changes in the mapping between IP addresses and MAC addresses in the cache, so it can be used to detect ARP poisoning attacks on a LAN. XARP is free and runs on Windows 2000 or Windows XP.

4.2 Program interface

Normal View: [screenshot]

Advanced View: [screenshot]


4.3 Security levels in XARP

Minimal: the lowest security level. At this level XARP performs no discovery and only detects passively; the monitoring modules in XARP pick up the basic attack methods.

Basic: this level works with a default detection strategy that catches the standard attack methods. It is the security level recommended for every environment.

High: the high security level adds network discovery. Its detection is faster than the levels above, but it has to send more discovery packets into the network, and in some environments this level can produce false alarms.

Aggressive: the aggressive security level enables all modules, monitors every ARP packet and sends discovery packets at a higher rate. This level can also produce false attack alarms.

4.4 Demo: detecting an ARP poisoning attack

First, on one machine in the LAN, we start the Cain program to begin sniffing and carry out an ARP poisoning attack: [screenshot]

Next, in Cain, we select the interface on which to sniff the LAN: [screenshot]


After choosing the network card we start sniffing by clicking the Start/Stop Sniffer button shown in the picture: [screenshot]


Then, in the Hosts tab at the bottom of the screen, we scan the MAC addresses of all hosts on the network and get the following picture: [screenshot]


Next, press the Start/Stop ARP button, then add the IP addresses of the machines we want to monitor: [screenshot]


On the machine with IP address 192.168.1.100 we open the installed XARP program at the Basic security level, and the ARP poisoning attack is detected through the program's alert: [screenshot]


And here is the program's summary of all alerts (the red rows are the alerts about a changed MAC address): [screenshot]


Using XARP is an effective way to counter ARP poisoning attacks on a LAN.
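To make the detection principle of section 3.5 and section IV concrete, here is an added example in Python (my own code, not XARP's and not part of the original report) that does in miniature what XARP does between two polls of the ARP cache: it parses two snapshots in the layout of Windows "arp -a" output, reports any IP whose MAC has changed, any MAC that now claims several IPs (the signature of a host impersonating the gateway), and any entry that disagrees with a binding the administrator knows to be correct. The two snapshots, the MAC values and the trusted gateway binding are constructed for the example; the real demo's addresses (192.168.1.100) are reused only for the monitored host.

```python
import re
from collections import defaultdict

# Two constructed snapshots in the layout of Windows "arp -a" output, taken
# on the monitored host 192.168.1.100. In the second one the gateway's entry
# has been rewritten to the MAC that 192.168.1.50 also uses (constructed values).
SNAPSHOT_BEFORE = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

SNAPSHOT_AFTER = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Bindings the administrator knows to be correct (constructed gateway MAC).
TRUSTED_BINDINGS = {"192.168.1.1": "00-11-22-33-44-55"}

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} from arp -a style output, with MACs lowercased.
    Static entries such as the broadcast address are left out."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def compare_arp_tables(before: dict, after: dict, trusted: dict) -> list:
    """Compare two polls of the cache and return alert tuples:
    ('changed', ip, old_mac, new_mac)   an IP now maps to a different MAC
    ('untrusted', ip, mac)               entry disagrees with a known binding
    ('shared_mac', mac, [ips...])        one MAC now claims several IPs
    """
    alerts = []
    for ip, new_mac in sorted(after.items()):
        old_mac = before.get(ip)
        if old_mac is not None and old_mac != new_mac:
            alerts.append(("changed", ip, old_mac, new_mac))
        if ip in trusted and trusted[ip].lower() != new_mac:
            alerts.append(("untrusted", ip, new_mac))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("shared_mac", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for alert in compare_arp_tables(before, after, TRUSTED_BINDINGS):
        print(alert)
```

The "changed" alert corresponds to the red rows in XARP's summary above; the "shared_mac" and "untrusted" alerts add the two checks a monitor should also make, since a poisoned cache is most dangerous precisely when the gateway's address is the one that moved. In production the snapshots would come from polling the cache (or from captured ARP replies) on a timer rather than from embedded strings.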
