Man in the middle attack
Hi!
I always read in security articles about a hacker sniffing the network, for example trying to capture passwords traveling the wires in clear text. My question is really how is it done? Please answer; I'm not a hacker, I just really want to know how it can be done. I understand that in order to capture TCP or UDP frames the hacker needs to place a sniffer, but in order to capture some password or any traffic not destined for his PC he will need to place the sniffer somewhere else (if he places it on his home computer and even enables promiscuous mode on his NIC it won't help capture anything, 'cause from the ISP to his PC he will see only replies to sessions that he started; am I wrong about that?). Does one need to install a sniffer on an ISP machine to capture passwords traveling the wires? Or maybe to become "the man in the middle attack"? The same about SSL.... Thanks very much.
If the attacker is on the same Ethernet segment as you (on an office network perhaps), then he/she can capture all packets to/from your machine. If the data's going over the Internet, then the hacker will have to be somewhere on the route your data takes, e.g. at your ISP. You're right though, an attacker on his home PC wouldn't be able to capture packets going from your machine to another on the Internet.
Dave
To sniff a network connection you need to be in one of two places: the originating network or the destination network. You can't sniff from just anywhere. Mostly when people talk about sniffing networks they're talking about sniffing networks that use a hub. Hubs just basically broadcast the info to all the computers plugged in and trust that only the computer that information is destined for will pick it up and the rest will ignore it.
It is however possible to sniff switched LANs too, but it's more complicated. The basics are: Computer A wants to send info to Computer B. You are Computer C and you want that information, so you pretend to be Computer B (if you're interested in how this is done, look up "ARP POISONING"). From there you take what info you want while rerouting the info to Computer C, so it looks like this: [Computer A] -> [Computer C Intercepting] -> [Computer B]. That is also the basis for the man in the middle attack. You set yourself up as a router between the 2 target systems.
However, using a freeware sniffer you cannot do much.
I have had no success with that. Maybe the commercial sniffers are more effective!
The problem is not because the sniffer is freeware, the problem is that you're on a switched network rather than a hub. For instance, ettercap can do sniffing on a switched network by using ARP poisoning.
And what is the deeper difference between switched and hub ethernets?
I could be wrong, but I think switches are like amps. Hubs are passive.
J
What are the amps?
Here's a def:
'Network switches look nearly identical to hubs, but a switch generally contains more "intelligence" (and a slightly higher price tag) than a hub. Unlike hubs, network switches are capable of inspecting the data packets as they are received, determining the source and destination device of that packet, and forwarding that packet appropriately. By delivering messages only to the connected device that it was intended for, network switches conserve network bandwidth and offer generally better performance than hubs.'
J
Switches create separate 'collision domains' for each port, so that messages from one machine (or network segment) are only received by the destination machine (or segment).
Hubs just broadcast all messages they receive onto all of the ports, so all machines on a hub receive all messages. Therefore attacks are easier to carry out on hubbed networks, because all messages are broadcast to all machines.
Dave
Alright, then how can a switched network be sniffed if the switches protect from that "attack"?
That is how a switched LAN is sniffed. :D Don't worry if it seems a little over your head right now. Do a little reading on the TCP/IP protocols and it'll make some more sense.
One added twist on ARP poisoning is MAC flooding. On some switches, if the ARP table becomes overloaded with MAC entries, it will go into a broadcast mode and in essence becomes a "hub", which you can then sniff traffic off normally. Btw, there are several freeware/open source sniffing packages that are extremely effective.
*NOTE: Doing any kind of ARP spoofing/poisoning/flooding is not advisable unless you own the switch or have permission beforehand (or are prepared to be beaten by the sysadmin).*
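The hub-versus-switch difference Dave described, and the "table overloaded, switch turns into a hub" behaviour mentioned in the post above, can be seen in a small simulation. This is an added example written for this thread, not code posted by any participant. Everything in it is constructed: the `Hub` and `Switch` classes, the port names, the MAC addresses, and the assumption that the forwarding table has a fixed capacity and evicts its oldest entry when full (real switches differ in how they age and replace entries). The `ports_over_threshold` method is the administrator's side of the picture: the per-port count of distinct source MACs that switch port-security limits are built around.

```python
from collections import OrderedDict, defaultdict


class Hub:
    """A hub repeats every frame out of every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Simplified learning switch (an assumption for this example, not a vendor model).

    It records which port each source MAC was seen on and forwards a frame only
    to the port that holds the destination MAC.  Unknown destinations are
    flooded to every other port, exactly as a hub would.  The table has a fixed
    capacity; when full, the oldest entry is evicted, so a burst of made-up
    source MACs pushes the real hosts out and their traffic gets flooded again.
    """

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()            # mac -> port, oldest entry first
        self.macs_seen_on = defaultdict(set)  # port -> set of source MACs seen there

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port            # refresh an existing entry
            return
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)    # evict the oldest entry
        self.table[mac] = port

    def forward(self, in_port, src_mac, dst_mac):
        self.macs_seen_on[in_port].add(src_mac)
        self._learn(src_mac, in_port)
        out_port = self.table.get(dst_mac)
        if out_port is None:                  # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]

    def ports_over_threshold(self, max_macs):
        """Administrator's check: ports that have sourced more than max_macs
        distinct MACs.  A normal access port sees one or a handful."""
        return sorted(p for p, macs in self.macs_seen_on.items() if len(macs) > max_macs)


def demo():
    ports = ["p1", "p2", "p3"]
    A = "aa:aa:aa:aa:aa:01"   # host A on p1 (constructed address)
    B = "bb:bb:bb:bb:bb:02"   # host B on p2 (constructed address)
    hub = Hub(ports)
    sw = Switch(ports, capacity=4)

    # Learning phase: A and B each send once so the switch learns their ports.
    sw.forward("p1", A, B)
    sw.forward("p2", B, A)

    result = {
        "hub": hub.forward("p1", A, B),            # every other port sees the frame
        "switch_normal": sw.forward("p1", A, B),   # only B's port sees it
    }

    # A station on p3 sends frames with ten different made-up source MACs,
    # more than the table can hold, so A and B are evicted.
    for i in range(10):
        sw.forward("p3", f"de:ad:be:ef:00:{i:02x}", B)

    # A -> B is now an unknown destination again and is flooded, so p3 sees it.
    result["switch_after_flood"] = sw.forward("p1", A, B)
    # The same event is visible to the admin as one port sourcing far too many MACs.
    result["suspicious_ports"] = sw.ports_over_threshold(max_macs=2)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two results worth comparing are `switch_normal`, where only B's port receives A's frame, and `switch_after_flood`, where the same frame goes out of every other port just as on the hub. The `suspicious_ports` line is why this is noisy from the defender's side: one port suddenly sourcing dozens of MACs is exactly what a per-port MAC limit with a log or shutdown action is meant to catch.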
Can the switched sniffer be detected by the admins, and how?
And can it decrypt SSH connections?
First, it's important to understand things.
Local networks can be sniffed pretty easily. What I mean by local network is anything which is on the same side of the router as the target. Regardless of whether you have a hub or a switch, it's pretty easy to sniff either one. So if you have a box at home, plugged into a switch which is then plugged into a broadband router box (i.e. one of those small Linksys style boxes), anything else on that switch can sniff your traffic. Additionally, the hosts you are talking to can also be sniffed on their end of the traffic (i.e. anything plugged into their switch). You may not consider this a threat. After all, you might think: I own the only box plugged into my local LAN (there is only one), and if the host on the other end is getting sniffed, there are probably bigger problems to deal with. The company that owns that host more than likely owns the whole LAN on which it is connected.
But that's not the end of the story. There are a few other ways traffic can be sniffed. First, a cable modem uses a bus architecture (bus = all nodes share the same communication channel), so if you know what you are doing you can hack your cable modem and see all the traffic on that network. In my opinion this isn't too hard to do. Second, each step of the journey your packet makes across the internet is on a "local LAN". Meaning, as it gets passed from router to router, it is being placed on some network, which someone could possibly sniff. This is not very likely, but it's still possible. Third, there are those L33T hackers who can play with routers. They can hack into routers and mess up the routing protocols. Then they can have all the traffic re-routed through them. This is also not very likely to happen.
The moral of the story is that you really can't trust the traffic as it travels the net. If the data you are sending is sensitive, it should be encrypted.
SSH does have some problems if your session is not set up properly. Basically, if you only use SSH version 2 and are sure you are accepting the correct host keys, then you can consider your traffic safe.
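On the "can the admins detect it" question asked above: the ARP poisoning described earlier in the thread leaves a visible trace, because the attacker's NIC has to announce itself for IP addresses that other machines already own. The script below is an added example, not code from anyone in this thread, and the ARP reply log it reads is constructed for illustration (the `"<time> reply <ip> is-at <mac>"` line format, the addresses and the `gateway_ip` parameter are all assumptions). It tracks which MAC each IP has been announced with and raises an alert when an IP moves to a new MAC, or when one MAC starts claiming several IPs, which is what a host interposed between a victim and its gateway looks like in ARP traffic.

```python
import re
from collections import defaultdict

# Constructed ARP reply log for this example (not real captured data).
# Assumed line format: "<time> reply <ip> is-at <mac>", one reply per line.
ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:05 reply 192.168.1.1 is-at 00:11:22:33:44:99
10:00:06 reply 192.168.1.20 is-at 00:11:22:33:44:99
10:00:07 reply 192.168.1.30 is-at 00:11:22:33:44:30
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def parse_arp_log(text):
    """Parse the log into (timestamp, ip, mac) tuples, MACs normalised to lower case."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = ARP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised ARP record: {line!r}")
        records.append((m["ts"], m["ip"], m["mac"].lower()))
    return records


def detect_arp_anomalies(records, gateway_ip=None):
    """Return a list of alert dicts built from two signals:

    * an IP previously announced with one MAC now claims another
      (HIGH if it is the default gateway, the address most often impersonated
      in a man-in-the-middle setup; MEDIUM otherwise);
    * one MAC announcing itself for more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "time": ts,
                "severity": "HIGH" if ip == gateway_ip else "MEDIUM",
                "reason": f"{ip} moved from {previous} to {mac}",
            })
        ip_to_mac[ip] = mac

        # A MAC that already owns other IPs and now claims a new one.
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append({
                "time": ts,
                "severity": "HIGH",
                "reason": f"{mac} now claims {sorted(mac_to_ips[mac] | {ip})}",
            })
        mac_to_ips[mac].add(ip)
    return alerts


def run_example():
    """Run the detector over the constructed log with 192.168.1.1 as the gateway."""
    return detect_arp_anomalies(parse_arp_log(ARP_LOG), gateway_ip="192.168.1.1")


if __name__ == "__main__":
    for alert in run_example():
        print(alert["time"], alert["severity"], alert["reason"])
```

On the constructed log this produces three alerts: the gateway's MAC changing at 10:00:05, the second host's MAC changing at 10:00:06, and the same new MAC claiming both addresses. A legitimate NIC replacement or DHCP reassignment also trips the first check, so an administrator treats the combination (gateway moves, and the new MAC also claims other hosts) as the strong signal. Tools such as arpwatch keep this kind of IP-to-MAC history on a segment and mail on changes; static ARP entries for the gateway on sensitive hosts, and dynamic ARP inspection where the switches support it, are the usual mitigations.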