Athena_Sniff-Phuong Phap Phong Chong Sniffer

7/22/2019 Athena_Sniff-Phuong Phap Phong Chong Sniffer

02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC. Tel: (848) 824 4041. Fax: (848) 910 57351
E-mail: [email protected] URL: www.athena.edu.vn
YOU'LL LOVE THE WAY WE MIND YOUR KNOWLEDGE

Page 1 / 19

1. WHAT IS SNIFFING?

a. Sniffing is a form of eavesdropping on a network that relies on characteristics of the TCP/IP mechanism.

b. Sniffing is a security technique, developed to help network administrators use the network more efficiently and to inspect the data entering and leaving the network, as well as the data flowing within it.

2. WHAT DOES SNIFFING DO?

a. It was developed to collect the packets on a system.

b. Its original purpose was to help network administrators manage the system well, checking for errors or unusual packets.

c. Later, hackers used this method to obtain accounts, passwords and other sensitive information.

d. Variants of sniffers are illegal eavesdropping programs such as Yahoo and MSN eavesdropping tools, e-mail password stealers, etc.

3. UNDER WHAT CONDITIONS CAN SNIFFING OCCUR?

a. Sniffing can operate on LAN, WAN and WLAN networks.

b. The only prerequisite is sharing the same subnet mask, i.e. being on the same subnet, when sniffing.

c. In addition, a packet capture and analysis tool is needed.

4. HOW MANY TYPES OF SNIFFING ARE THERE AND HOW DO THEY WORK?

a. Active sniffing

i. Environment: operates mainly in environments with packet-switching devices. Today the most common case is networks built on switches.

ii. How it works: today it mostly relies on the ARP and RARP mechanisms (the two mechanisms that translate IP to MAC and MAC to IP) by sending out poisoning packets, specifically packets that tell the sending host "I am the recipient" even though the sender of those packets is not the real recipient.

iii. Characteristics: because packets have to be sent out, this can consume network bandwidth. If too many hosts on the network are sniffed, the volume of packets sent becomes very large (because forged packets are sent continuously), which can congest the network or overload the NIC of the sniffing host itself (a bottleneck).

iv. In addition, sniffers use a number of techniques to force data flows through their own NIC, such as:

1. MAC flooding: overflowing the switch's memory so that the switch falls back to plain forwarding rather than switching packets.

2. MAC spoofing: the sniffer changes its own MAC to the MAC of a legitimate host in order to get past the device's MAC filtering function.

3. DHCP poisoning to change the client's gateway.

b. Passive sniffing

i. Environment: operates mainly in environments without packet-switching devices. Today the common cases are networks built on hubs, or wireless networks.

ii. How it works: because there are no packet-switching devices, hosts broadcast their packets across the network, so the packets can be captured and read (even though the host receiving a packet is not its destination).

iii. Characteristics: because the hosts themselves broadcast the packets, this form of sniffing is very hard to detect.

5. HOW TO DETECT SNIFFING ON THE NETWORK?

a. Active sniffing

i. Detection based on the sniffer's ARP poisoning process

1. Because it has to poison ARP, the sniffer continuously sends poisoning packets to the victims. Therefore a packet capture tool on the network can be used to detect it.

2. Another way is to check the host's ARP table. If two entries in this ARP table share the same MAC, the network is possibly being sniffed.
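The duplicate-MAC check above, as an added example that is not part of the original document: it parses the text of Windows `arp -a` and reports any MAC that answers for more than one unicast IP. The sample table is constructed from the lab hosts of section 9, with the gateway 192.168.1.1 shown resolving to the Sniffer host's MAC.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output for the lab subnet: the gateway 192.168.1.1
# has been poisoned and now resolves to the MAC that the Sniffer host (192.168.1.33) owns.
SAMPLE_ARP_A = """
Interface: 192.168.1.37 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-bc-45-4d     dynamic
  192.168.1.33          00-0c-29-bc-45-4d     dynamic
  192.168.1.35          00-0c-29-d8-24-04     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, MAC with '-' or ':' separators, entry type.
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)", re.M)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples, MACs normalised to lower-case with '-' separators."""
    return [(ip, mac.lower().replace(":", "-"), typ.lower()) for ip, mac, typ in ENTRY_RE.findall(text)]

def find_duplicate_macs(entries):
    """Map each MAC that answers for more than one unicast IP to the list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _typ in entries:
        # Broadcast and multicast rows legitimately share group MACs; ignore them.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e") or 224 <= int(ip.split(".")[0]) <= 239:
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(parse_arp_table(SAMPLE_ARP_A)).items():
        print(f"WARNING: {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

A router that holds several IPs on one interface also shows one MAC for several addresses, so treat a hit as a prompt to confirm the gateway's MAC out of band rather than as proof of poisoning.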

ii. Detection based on bandwidth

1. Because the sniffer sends poisoning packets, the process can consume bandwidth, so bandwidth monitoring tools can be used to detect it.

2. However, this method is not effective and its accuracy is not high.

iii. Tools for detecting sniffing or ARP poisoning

1. Xarp

2. Arpwatch

3. Symantec EndPoint

b. Passive sniffing

i. Hard to detect, because any host on the network can capture the packets.

ii. However, the kind of network this type of sniffing operates on is mostly the kind used in homes and is rarely used by businesses.

iii. That said, businesses today often use wireless networks for laptops; there, the device's MAC filtering features can be enabled in addition, or access can be authenticated with an account and password or an access key.

6. HOW TO PREVENT SNIFFING?

a. Active sniffing

i. Administrator:

1. Tools:

a. Bandwidth monitoring: as noted above, sniffers can congest the network, so bandwidth monitoring tools can be used. However, this approach is not effective.

b. Packet capture: sniffers have to poison ARP, so they send ARP packets continuously; with capture tools we can see who is sniffing on the network. This method is relatively more effective, but some sniffing tools can spoof their IP and MAC to deceive it.

2. Devices:

a. For devices, we can use models with a MAC filtering function for protection.

b. For switches in particular, the VLAN trunking function can be used in addition, combined with port security (relatively effective, because VLANs are used together with additional security functions).

3. Other: SSL can also be configured; this is effective, though not highly so.

ii. User:

1. Use static ARP entries

[Figure: ARP table in Windows]

[Figure: Using static ARP in Windows]

[Figure: The ARP table after adding the static ARP entry]

2. Use the sniff detection tools listed above: when ARP information changes, these tools alert the user.

3. Pay attention to warnings from the system or the web browser: because some sniffing tools (Cain & Abel) can forge a CA, while being sniffed the system or browser may report that the CA is invalid.

4. Disable NetBIOS (advanced users) so that the sniffers' host scanning cannot be carried out. However, this is hard to apply in practice, because the switch can store MACs in its own table through normal operation.

b. Passive sniffing

i. This type of sniffing is very hard to detect as well as to prevent.

ii. Replace hubs with switches; packets will then no longer be broadcast, but we are then exposed to the risk of active sniffing instead.

7. SOME SNIFFING AND ANTI-SNIFFING TOOLS

a. Sniffing tools

i. Ettercap

1. Runs on Linux; a Windows version is now also available.

2. Capable of detecting and isolating sniffers.

3. A fairly powerful tool on Linux.

ii. Cain & Abel

1. Runs on Windows, with additional decryption and password-cracking functions.

2. A powerful tool on Windows.

iii. HTTP sniffer

1. A tool for eavesdropping on accesses to websites.

iv. vDHCP

1. A simple DHCP poisoning tool.

b. Sniff detection tools

i. Xarp

ii. Arpwatch

iii. Cwatch

iv. ARP cache watcher

8. SUMMARY

a. Sniffing is a form of eavesdropping on network traffic, intended to make more efficient use of network resources and to monitor for illegitimate traffic. Later, however, hackers used sniffing to obtain sensitive information. Sniffing is therefore also a form of hacking.

b. Sniffing usually acts on packets and has little direct impact on the system itself, so it is very hard to detect. Thus, although sniffing works in a simple way, it is very effective.

c. Because it almost never acts directly on the network system, sniffing usually leaves few traces or serious consequences after it has run.

d. Although countermeasures and detection methods now exist for these sniffing mechanisms, they are not truly effective in some cases; therefore network users should be careful when using and accessing the network, to avoid losing important information.

e. To limit sniffing on their systems, administrators should have a policy that limits how many people have physical access to the system, subnets the LAN, configures VLANs and enables port security on switches. They should monitor the packets on the network, encrypt information, and check for NICs in promiscuous mode.

f. Users should read system warnings such as CA warnings carefully; in some cases, because of how ARP works, MAC spoofing produces a duplicate IP address warning on the network.

9. LAB: DETECTING AND PREVENTING SNIFFING (USING PACKET ANALYSIS TOOLS)

a. Lab setup:

i. Victim:

1. IP: 192.168.1.37

2. MAC: 00-0C-29-FA-73-35

3. OS: XP PRO SP2

4. Uses no tools; simply goes on the network and works.

ii. Anyone:

1. IP: 192.168.1.35

2. MAC: 00-0C-29-D8-24-04

3. OS: XP PRO SP2

4. Monitors the network with Ettercap.

iii. Sniffer:

1. IP: 192.168.1.33

2. MAC: 00-0C-29-BC-45-4D

3. OS: XP PRO SP2

4. Sniffs the network with Cain & Abel.

b. Lab steps:

i. First, run Ettercap on Anyone. Then choose Sniff / Unified sniffing. Next, select the corresponding NIC and click OK.

ii. To listen to traffic on the network as with Wireshark, choose the menu Start / Start sniffing.

iii. Hosts: lets us scan the NICs active on the network.

iv. Targets: add hosts here for convenient operation.

v. View: shows connections from hosts on the network to other hosts, host information and some other features.

vi. Mitm: this menu is dedicated to the poisoning functions.

vii. Now we start detecting risks on the network by choosing Plugins / Manage the plugins. With this menu we can perform a number of defensive or risk-detection operations. When the manage screen appears, just select the operation to perform and double-click it. Use the arp_cop function. Choose the search_promisc function to check whether any NIC is in promiscuous mode; if no NIC has promiscuous mode enabled, the result will be:

viii. Next, on Sniffer we start Cain & Abel, sniffing and scanning hosts at the same time. Then we use Wireshark on Victim to see what happens: Sniffer starts scanning the hosts on the network.

ix. Back on Anyone we look at the information. We will see a warning and the IPs of the NICs in promiscuous mode (including Victim, because Victim is running Wireshark, which puts its NIC in this mode):

x. Turn off Wireshark on Victim, and switch Cain & Abel on Sniffer to ARP poisoning.

xi. Back on Anyone, enable the scan_poisoner function and see whether anything happens.

xii. Even before scan_poisoner runs, arp_cop will already have raised a series of warnings similar to scan_poisoner's. The difference is that arp_cop runs continuously and can detect the poisoner at any time, whereas scan_poisoner only runs at the single moment we invoke it.

xiii. Once the poisoning or sniffing culprit has been detected, we can use the leech function in Ettercap to isolate that host.
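As an added example that is not part of the original lab, the following Python monitor replays what steps viii to xii observe with arp_cop and scan_poisoner, over constructed ARP frames: Sniffer (192.168.1.33, MAC 00-0C-29-BC-45-4D from the lab setup) sweeps the subnet with ARP requests, then answers for the gateway 192.168.1.1. The gateway's MAC and the frame builder are constructed placeholders; a real deployment would feed frames from a raw socket or a pcap instead.

```python
import struct
from collections import Counter
ARP_FMT = "!HHBBH6s4s6s4s"  # hw type, proto type, hw len, proto len, opcode, sha, spa, tha, tpa

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not an Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return op, "-".join(f"{b:02x}" for b in sha), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpMonitor:
    """Passive watcher: learns IP->MAC from replies (arp_cop/arpwatch style) and counts requests per sender."""
    def __init__(self, scan_threshold=10):
        self.bindings = {}          # ip -> mac learned from ARP replies
        self.requests = Counter()   # sender mac -> ARP requests seen
        self.scan_threshold = scan_threshold
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, _tpa = parsed
        if op == 1:    # request: sweeping the /24 (as Cain's host scan does) bursts these from one MAC
            self.requests[sha] += 1
            if self.requests[sha] == self.scan_threshold:
                self.alerts.append(f"SCAN: {sha} has sent {self.scan_threshold} ARP requests")
        elif op == 2:  # reply: a binding that changes is the signature of ARP poisoning
            old = self.bindings.get(spa)
            if old is not None and old != sha:
                self.alerts.append(f"POISON: {spa} changed {old} -> {sha}")
            self.bindings[spa] = sha

def arp_frame(op, sha, spa, tha, tpa):
    """Constructed test fixture only: Ethernet header plus ARP body (dst is broadcast for requests)."""
    ip = lambda s: bytes(map(int, s.split(".")))
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha), ip(spa), bytes.fromhex(tha), ip(tpa))
    dst = b"\xff" * 6 if op == 1 else bytes.fromhex(tha)
    return dst + bytes.fromhex(sha) + b"\x08\x06" + body

def demo():
    """Replay the lab: Sniffer (192.168.1.33) sweeps the subnet, then answers for the gateway's IP."""
    mon = ArpMonitor()
    gw_mac, sniffer_mac, victim_mac = "000c29000001", "000c29bc454d", "000c29fa7335"  # gw MAC is a placeholder
    mon.feed(arp_frame(2, gw_mac, "192.168.1.1", victim_mac, "192.168.1.37"))       # genuine gateway reply
    for host in range(1, 13):                                                       # 12 requests: a host sweep
        mon.feed(arp_frame(1, sniffer_mac, "192.168.1.33", "000000000000", f"192.168.1.{host}"))
    mon.feed(arp_frame(2, sniffer_mac, "192.168.1.1", victim_mac, "192.168.1.37"))  # poisoned reply
    return mon.alerts
```

Like arp_cop, the monitor alerts as soon as a learned binding changes, so it must be running before the poisoning starts; a snapshot check such as scan_poisoner sees only the state at the moment it is invoked.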

10. LAB SUMMARY

a. Although Ettercap has many fairly powerful functions, in our experience the Windows version is not as strong as the Linux version, and Ettercap's GUI mode is not as strong as its text mode.

b. Administrators should regularly monitor the network with monitoring tools.

c. Ettercap is a powerful sniffing tool; it can plainly capture the packets of insecure protocols. Therefore we should replace insecure protocols (FTP, Telnet, SMB) with more secure ones, or harden them (SSL, port security, VPN + IPsec, ...).

d. In addition, software IDSs such as GFI, Snort and Xarp can be used to inspect the data flows on the network.