Author: Roshan Poudel
1.1 Problem
Domain According to Nepal telecommunication authority, Nepal’s internet penetration rate is 63% as of 2018. With these increasing number, the responsibility of network monitoring has increased for network and security professionals. They are highly dependent upon the traditional packet sniffer tools like Wireshark, tcpdump. However, the data provided by such tools is very large and sometimes even network professional have difficult time to filter and get the required result. Also, these industry standard tools require sound knowledge of networking protocols which makes them unsuitable for laymen and end users.
1.2 Proposed Solution
After, reviewing some of the problems from diverse range of internet background, we can conclude that http protocol is excessively used in Nepal’s internet space for transferring web credentials(shodan,2019). This definitely justifies that majority of end users are unknown about basic security concepts about the ssl and encryption. Similarly, majority of data provided by traditional packet sniffer are almost useless. In order to capture a basic cookie or password in network packets traditional tools provide data of whole seven layers. It is quite difficult to filter if the sniffers are operated for a long time to get secret confidential values. Hence, packet sniffer to sniff secret credentials can be a handy tool for network and security professionals either for troubleshooting or penetration testing purpose.
1.3 Aims and Objectives:
The primary aims of this paper is to develop advance sniffer to sniff secret credentials; unlike traditional tool that provide big chunk of data and consumes large time to filter required result.
1.3.1 Objectives
In order to conquer the aim some the objectives that will be followed are:
• Comprehensive study of networking protocols like TCP, UDP, ICMP etc. for the development of the sniffer.
• Intense research on packet sniffing from various sources like IEEE, SANS, research 6 gate to study relevant journals and research papers.
• Practical approach will be taken for which proof of concept and real time case study will be included as the part of the report.
• Critical evaluation of advantages ,disadvantages and prevention of packet sniffing will be performed.
• “Nepal electronic act 2063” will be taken into legal and ethical consideration during the development of the security tool secret credentialssniffer.
Chapter 2: Background and Literature Review
2.1 In Depth: Packet Sniffer
Packet sniffer is a program running in a network attached Device that passively receives all data link layer frames passing through the device’s network adapter. It is also known as Network or Protocol Analyzer or Ethernet Sniffer. The packet sniffer captures the data that is addressed to other machines, saving it for later analysis. It can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the packet sniffer an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and usernames or other sensitive material. In theory, it’s impossible to detect these sniffing tools because they are passive in nature.
Applications of packet sniffing program :
• Logging network traffic. Solving communication problems (either the system or the transmission medium.)
• Analyzing networkperformance. This waythebottlenecks presentinthe network can be discovered, or the part of the network where data is lost can be found.
• Detecting network intruders
2.2 Case Study
2.2.1 Troubleshooting IP Phone Service with Packet Sniffing
This case study is related to troubleshooting the ip phone service with packet sniffing. A customer using an IP phone service at a call center reported that calls would suddenly be disconnected several times a day during peak calling periods. The problem persisted despite replacing the VoIP gateway. Network Professionals checked calling conditions using the captured-data analysis support tool and found that the event would typically occur when the number of calls had risen dramatically, which occurred just after 10:00 AM. Hence, it is considered the possibility that the non-transmission of RTCP packets from the VoIP gateway was related in some way to the large number of calls.
2.2.2 Analysis of Case Study
The practical implementation of packet sniffing in realtime scenario was elaborated above. The problem in the ip phone which was solved by trouble shooting the network. Packet Sniffers were uses during the phase of trouble shooting. While troubleshooting RTCP packets were captured and the issue was identified. The identification of problem and issue present in VOIP calls was facilitated by Packet Sniffing technique. Packet Sniffing can be used in more complex scenarios like wise.
2.3 Open Systems Interconnection Model (OSI Model)
OSI model is theoretical strategy that describes how the data and information goes across the internet . It is composed of seven sub layers which govern the protocols and network devices. The model operates from the top as application layer and ends to physical layer. The various protocols either the web protocols like HTTP, FTP or network protocols like ARP operate depending upon the principle of OSI Model. The original objective of the OSI model was to provide a set of design standards for equipment manufacturers so they could communicate with each other. The OSI model defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.
The basic functionality of OSI layers are as follows :
7. Application: It Provides different services to the application and interact with the user. Web protocols like http, ftp operate in this layer.
6. Presentation: Converts the information to various encoding and encryption methods. This layer is inclined with the syntax and semantics of the information transmitted.
5. Session: Handles problems which are not communication issues to maintain persistence session.
4. Transport: Accepts data from session layer and provides end to end communication control.
3. Network: Control operation of subnet, facilates routing congestion , control and accounting.
2. Data Link: Provides error control. Majorly deals with LAN protocols.
1. Physical: Connects the entity to the transmission media
2.3.1 Packet Sniffing with respect to Networking Protocols
Network Protocols operate in various layers of OSI Model. Networking protocols are used for communication and transferring information into various nodes of the network. Network Protocols rely upon network packets for transferring information and credentials. Hence, Network Packets are key targets of packet sniffing programs. Various networking protocols have different mechanism for transferring information. Some of the application layer protocols like http, ftp, telnet transfer the information and credentials in plain text. This 10 makes these protocol suspecible to packet sniffing attack. An attacker can launch various attacks like ARP spoofing to capture credentials that are transferred in plain text. At such, the confidentiality and integrity of information is completely disturbed as s/he can manipulate and bring amendment in the data. Presentation layer protocols ssl, tls, converts information into various encrypted text . with combination of protocols from application layer and presentation layer like https, ssh transfer credentials in encrypted form which makes them resistant to packet sniffing attack. These networking protocols implement cryptographic algorithm to convert information into encrypted cipher which prevents sniffing attack. Some of the protocols are secure version over their unsecure protocol. Example, https over http, ssh over telnet etc. Finally, to maintain confidentiality, integrity and availability of information, encrypted and secure protocols should be always be used that transfer information in encrypted text.
2.4 Advantages of Packet Sniffer
• Network Professional use ittotroubleshoot networkandsecurityprofessional useit in penetration testing purposes.
• Students use them for educational purpose in academics.
2.5 Disadvantages of Packet Sniffer
• CyberCriminals usethemtosnifffor secret credentialsanddisrupt confidentialityand integrity of network packets.
• Sniffer can corruptthe packetdata whichimpacts integrity ofinformation shared.
2.6 Proof of Concept on HTTP Protocol of Application Layer:
In this section the practical demonstration of sniffer program is performed. For this purpose , a site without SSL is hosted in local host. Authentication Credentials are entered, and sniffer program was successful in sniffing the secret credentials only.
Phase 1:
In this phase the sniffer program is operated to examine all the incoming and outgoing secret credentials that transfer in plain text. These secret credentials could be username, email, passwords, token , hash etc. They can be provided by user with proper regular expression.
Phase 2:
The website without SSL was hosted in localhost. Secret Authentication Credentials are entered in it which obviously travels in plain text due to absence of https. The sniffer program is active in background and continuously monitoring each single packet for secret credential that are passing through computer.
Phase 3:
In this phase , the performance and working of sniffer program is demonstrated. Since the secret credentials are entered into the website each single packet was monitored by program. As, soon as the program discovers the username and password travelling in plain text, it ejects the result with the time of capture and other useful information. The program captures other credentials like cookie, session id with regex match provided.
2.7 Prevention against Packet Sniffing
PacketSniffingis serious issue and encryptionstand with us inthis regard. Prevention mechanisms are:
• All the secret and confidential information should only be transferred via secure channel. Using HTTPS, the secure version of HTTP, will prevent packet sniffers from seeing the traffic on the websites we are visiting.
• One effective way to protect from packet sniffers is to tunnel connectivity with virtual private networkVPN. A VPN encrypts the traffic beingsent between computer and the destination.
3.1 Codes:
from scapy.all import
* import time
import datetime G = ‘\033[92m’ # green
R = ‘\033[91m’ # red
W = ‘\033[0m’ #
white
current_time=datetime.datetime.today()
def sniff_for_secret_credentials(packet):
a=open(‘secret_text.txt’,’r’).readlines()
if packet:
print(‘%s[+] Monitoring the Packets for Secret Credentials. ‘%R) print(” “)
time.sleep(6)
print(‘———-%s[+]ALERT !! Secret Credentials Captured ——- ‘%G) print(” “)
print(‘%s Time:
‘%W +
str(current_time))
print(‘ Username: ‘ + packet[‘Username’] or packet[a]) print(‘ Password: ‘ + packet[‘Password’]or packet[a])
print(‘ Port:
‘ + str(packet.dport))
print(‘ Destination: ‘ +
packet[IP].dst
) print(‘\n’)
sniff(prn=sniff_for_secret_cr edentials)
Source:
Stay connected