Corporate Network Spying
Andrew Whitaker
Director of Enterprise InfoSec
InfoSec Academy / Training Camp
http://www.infosecacademy.com
http://www.trainingcamp.com/

Who is this guy?
• Director of security course offerings for InfoSec Academy (division of Training Camp)
• Teaches ethical hacking / pentesting courses
• Co-author of Penetration Testing and Network Defense (Cisco Press, 2005)
• Author of other books/articles relating to security / networking
• Pentester of numerous financial and healthcare institutions
• M.Sc., Computer Science; CISSP, CEH, CCSP, CCNP, CCNA, CCDA, MCSE, CNE, A+, Network+, Security+, CTP, et al.

Training Camp
• InfoSec Academy division is world leader in teaching information security
  – Authorized CISSP
  – Certified Ethical Hacker
  – Licensed Penetration Tester
  – Sarbanes Oxley
  – HIPAA Compliance Training
  – Certified Information Systems Auditor (CISA)
  – Much, much more…

What this is / What this is not
• What this is
  – Training on corporate network spying
  – Designed for those with beginner to intermediate skills
• What this is not
  – Discussion of hot new exploit (which may only be theoretical or work in a lab environment)
  – An overly technical discussion that only 1% of the techie world can understand

Agenda
• What the heck is this network spying thing?
• Who does it?
• Legal cases (to scare the bejeezus out of ya)
• How to get past those darn switches
• General tools of the trade: Windump / TCPdump, Ethereal
• Analyzing common protocols
  – FTP, MSN IM, Web, SMTP/POP
• Demos to make you drool

What is Network Spying?
• Wiretapping
• Targeted packet capturing

Who Spies on Networks?
• Legitimate: Law enforcement
  – FBI
  – NSA
• Legitimate: Corporations with consent
  – Admins
  – Your boss
• Illegitimate: The "bad" guys
  – Hacker hobbyists
  – Corporate espionage

Who Spies on Networks?
• Law Enforcement
  – Patent #5,937,422 "Semantic Forests"
    • NSA solution
    • Captures voice conversation
    • Automatic speech transcription
  – Carnivore
    • Abandoned in 2005
    • Part of DragonWare suite
      – Carnivore – packet capturing
      – Packeteer – reassembles packets
      – Coolminer – searching captured packets

Who Spies on Networks?
• Corporations
  – PC Magazine reported 77% of companies spy on employees
  – Typically e-mail and web surfing
  – Justifications:
    • To ensure employee productivity
    • To ensure company is void of illegal activity
    • To protect trade secrets

Who Spies on Networks?
• Hacker hobbyists
  – Hey, look Ma, a wireless network!
• Corporate espionage
  – Tech companies especially at risk
  – Example: Oracle & Microsoft

Legal and Ethical Considerations
• 4th Amendment
• 1994 Communications Assistance for Law Enforcement
• Federal Electronic Communications Privacy Act (18 U.S.C. § 2511)
• PATRIOT Act

Cases
• Katz vs. United States, 1967
• 2004 Nicodemo Scarfo ("Little Nicky")

What You Need To Begin
• Commercial: Network Forensics Analysis Tools (NFAT)
• Packet capturing tool
  – Open-source vs. commercial
  – General vs. targeted
  – Remote vs. local
  – Switched vs. shared

Sniffing on Switched Networks

Hubs…mmm…good
Diagram: UserA, UserB, UserC
Frame from UserA is always propagated to UserB & UserC

How Switches Work
Diagram: UserA, UserB, UserC on switch ports Fa0/1, Fa0/2, Fa0/3

How Switches Work
MAC Table
  Fa0/1  01C9:44BB:00A1 (USER A)
  Fa0/2  ???
  Fa0/3  ???
User A sends a frame to user B.

How Switches Work
MAC Table
  Fa0/1  01C9:44BB:00A1 (USER A)
  Fa0/2  ???
  Fa0/3  ???
Frame is duplicated out to UserB and UserC.

How Switches Work
MAC Table
  Fa0/1  01C9:44BB:00A1 (USER A)
  Fa0/2  0BB0:0E44:2221 (USER B)
  Fa0/3  ???

How To Get Around This Problem
• Five Solutions:
  1. ARP Poisoning method 1
  2. ARP Poisoning method 2
  3. MAC Duplicating
  4. MAC Flooding
  5. Port Mirroring

ARP Poisoning Method 1
• A.K.A. ARP spoofing
• Sending crafted replies to ARP requests
Diagram: UserA (10.0.0.11), UserB (10.0.0.12), UserC (10.0.0.13) on switch ports Fa0/1, Fa0/2, Fa0/3
  "What is the MAC address for UserB?"
  "I'm here! Here's my MAC"
  "I heard that. Here's the same MAC."
MAC Table
  Fa0/1  01C9:44BB:00A1 (USER A)
  Fa0/2  0BB0:0E44:2221 (USER B)
  Fa0/3  0BB0:0E44:2221 (spoofed)

ARP Poisoning Method 2
Diagram: UserA (10.0.0.11), UserB (10.0.0.12), UserC (10.0.0.13) and Router (10.0.0.1) on switch ports Fa0/1, Fa0/2, Fa0/3, Fa0/4
  "What is the Mac address of the router?"
  "ARP Reply"
  "ARP Reply"
MAC Table
  Fa0/1  01C9:44BB:00A1 (USER A)
  Fa0/2  0BB0:0E44:2221 (USER B)
  Fa0/3  0040:5B50:387E (spoofed)
  Fa0/4  0040:5B50:387E (Router)

MAC Duplicating
• Used to target traffic sent to a single host (such as a server)
• ARP for a host you want to target to get its MAC address
Diagram: UserA (10.0.0.11) on Fa0/1, UserC (10.0.0.13) on Fa0/3
  "What is the MAC address of 10.0.0.11?"
  "My MAC is 01C9:44BB:00A1"
  "New spoofed MAC address: 01C9:44BB:00A1"
Switch will send all traffic destined for UserA to UserC as well.
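
Both ARP poisoning slides and the MAC duplicating slide leave the same traces for a defender: one MAC address appearing on two switch ports, or an IP address suddenly answered for by a different MAC. The following detector is an added example, not part of the original slides; the record format, alert names and UserC's MAC address are assumptions made for illustration, and the other addresses are the ones on the slides.

```python
"""Flag the ARP / MAC-table anomalies the slides illustrate (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def norm_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits with separators removed."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class ArpObservation:
    ts: float         # capture time in seconds
    port: str         # switch port the frame arrived on
    src_mac: str      # Ethernet source address of the frame
    sender_mac: str   # sender hardware address inside the ARP packet
    sender_ip: str    # sender protocol address inside the ARP packet


Alert = Tuple[float, str, str]  # (timestamp, kind, detail)


def detect(observations: Iterable[ArpObservation]) -> List[Alert]:
    """Return alerts in time order. The first binding seen is the baseline.

    Legitimate events (DHCP re-lease, a laptop moving ports, failover pairs)
    raise the same alerts, so treat them as leads to verify, not verdicts.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_port: Dict[str, str] = {}
    alerts: List[Alert] = []
    for obs in sorted(observations, key=lambda o: o.ts):
        src = norm_mac(obs.src_mac)
        sender = norm_mac(obs.sender_mac)
        # The ARP payload names a different MAC than the frame that carried it.
        if src != sender:
            alerts.append((obs.ts, "l2-arp-mismatch",
                           f"frame from {src} carries ARP sender {sender}"))
        # Same MAC on two ports: the duplicated rows in the slides' MAC tables.
        known_port = mac_to_port.setdefault(src, obs.port)
        if known_port != obs.port:
            alerts.append((obs.ts, "mac-on-two-ports",
                           f"{src} seen on {known_port} and {obs.port}"))
        # An IP that was bound to one MAC is now claimed by another.
        known_mac = ip_to_mac.setdefault(obs.sender_ip, sender)
        if known_mac != sender:
            alerts.append((obs.ts, "ip-rebind",
                           f"{obs.sender_ip} moved from {known_mac} to {sender}"))
    return alerts


# Constructed sample. UserC's MAC is invented; the rest comes from the slides.
USER_A, USER_B = "01C9:44BB:00A1", "0BB0:0E44:2221"
ROUTER, USER_C = "0040:5B50:387E", "0A11:22CC:3303"
SAMPLE = [
    ArpObservation(1.0, "Fa0/1", USER_A, USER_A, "10.0.0.11"),
    ArpObservation(2.0, "Fa0/2", USER_B, USER_B, "10.0.0.12"),
    ArpObservation(3.0, "Fa0/4", ROUTER, ROUTER, "10.0.0.1"),
    # UserB's MAC shows up on Fa0/3 as well (method 1 / MAC duplicating).
    ArpObservation(4.0, "Fa0/3", USER_B, USER_B, "10.0.0.12"),
    # The router's IP is answered for by a different MAC (method 2).
    ArpObservation(5.0, "Fa0/3", USER_C, USER_C, "10.0.0.1"),
    # Frame header and ARP payload disagree about who is speaking.
    ArpObservation(6.0, "Fa0/3", USER_C, ROUTER, "10.0.0.1"),
]

if __name__ == "__main__":
    for ts, kind, detail in detect(SAMPLE):
        print(f"{ts:>4.1f}s  {kind:<17} {detail}")
```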

MAC Flooding
• MAC addresses are stored in CAM table
• Content Addressable Memory (CAM) table
  – Switch must find an exact binary match
  – Information to do a lookup is called a key
  – Key is fed into a hashing algorithm to produce a pointer into the table

MAC Flooding
• CAM is limited on switches (typically 64k)
• If filled up, switch can no longer store new addresses
• Switch effectively turns into a hub
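
The learning behaviour from the "How Switches Work" slides and the full-table behaviour described here can be seen side by side in a small model, together with the per-port address limit that the Port Security countermeasure relies on. This is an added example, not part of the original slides; the class, the 8-entry table (the slides say 64k is typical), the simplified "drop on violation" port security and all MAC addresses except UserA's and UserB's are assumptions.

```python
"""Model of switch MAC learning, a full CAM table and a per-port MAC limit."""
from typing import Dict, List, Optional, Tuple


class LearningSwitch:
    def __init__(self, ports: List[str], cam_capacity: int,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port   # None = port security off
        self.cam: Dict[str, str] = {}                # source MAC -> port
        self.violations: List[Tuple[str, str]] = []  # (port, offending MAC)

    def _learn(self, port: str, mac: str) -> bool:
        """Record the source address. Returns False if the frame is dropped."""
        if self.cam.get(mac) == port:
            return True                              # already known here
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, mac))  # log and drop
                return False
        if mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[mac] = port                     # learn (or move) the entry
        return True                                  # full table: not stored

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Process one frame and return the ports it is sent out of."""
        if not self._learn(in_port, src):
            return []
        out = self.cam.get(dst)
        if out is None:                              # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


USER_A, USER_B = "01C9:44BB:00A1", "0BB0:0E44:2221"  # from the slides
USER_C = "0A11:22CC:3303"                            # constructed


def run_scenario(max_macs_per_port: Optional[int]) -> dict:
    """Replay the slide sequence, then 20 unknown sources arriving on Fa0/3."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=8,
                        max_macs_per_port=max_macs_per_port)
    first = sw.receive("Fa0/1", USER_A, USER_B)      # B not learned yet: flooded
    sw.receive("Fa0/3", USER_C, USER_A)
    for i in range(20):                              # constructed source MACs
        sw.receive("Fa0/3", f"02:00:00:00:00:{i:02x}", USER_A)
    sw.receive("Fa0/2", USER_B, USER_A)              # B speaks for the first time
    after = sw.receive("Fa0/1", USER_A, USER_B)
    return {"first_a_to_b": first, "a_to_b_after": after,
            "cam_entries": len(sw.cam), "violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security :", run_scenario(None))
    print("1 MAC per port   :", run_scenario(1))
```

Without the limit, UserB's address never fits in the table, so frames for UserB keep going out of every port; with one address allowed per port the extra sources are dropped and counted, and UserA's frames reach Fa0/2 only.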

MAC Flooding
• MACOF (part of Dsniff)
• http://www.monkey.org/~dugsong/dsniff/

Port Mirroring
• Port mirroring is a legitimate method of mirroring one port to another port
• Cisco calls this switched port analyzer (SPAN)
  – Remote SPAN (RSPAN) can send traffic from one or more ports or an entire VLAN to another port on a different switch
  – There can be more than one source and more than one destination (up to 64 destination ports!)
• SPAN can copy traffic in one of three ways:
  – Rx SPAN
  – Tx SPAN
  – Rx/Tx SPAN

Port Mirroring
1) Specify source
   monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
2) Specify destination
   monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}

Port Mirroring
   Switch(config)#monitor session 1 source interface fastethernet 0/1 , 0/2 both
   Switch(config)#monitor session 1 destination interface fastethernet 0/3
Diagram: UserA, UserB, UserC on switch ports Fa0/1, Fa0/2, Fa0/3

Packet Capturing Software
• Tons!!!
• PacketStorm Security (http://packetstormsecurity.org/sniffers/) has almost 200 different sniffers
• Most popular freeware utilities:
  – Windump / Tcpdump
  – Ethereal (Now Wireshark)

Windump / TCPDump
• Developed by Loris Degioanni, Gianluca Varenni, Fulvio Risso, John Bruno, Piero Viano
• http://www.tcpdump.org & http://www.winpcap.org/windump/default.htm
• Requires winpcap / libpcap library

Using WinDump / TCPDump
• tcpdump [ -ABdDeflLnNOpqRStuUvxX ] [ -c count ]
          [ -C file_size ] [ -F file ]
          [ -i interface ] [ -m module ] [ -M secret ]
          [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
          [ -W filecount ]
          [ -E spi@ipaddr algo:secret,... ]
          [ -y datalinktype ] [ -Z user ] [ expression ]

Using WinDump / tcpdump
• Display interfaces: windump -D
• Use interface: windump -i <interface # or identifier>
• Print out in ASCII: windump -A
• Log to file: windump -w file.log
• Read from log: windump -r file.log
• Verbose output: windump -vvv

Windump Example
23:23:52.991879 IP (tos 0x0, ttl 128, id 11231, offset 0, flags [DF], proto: TCP (6), length: 48)
    A152B.2436 > www.defcon.org.80: S, cksum 0x86d6 (correct), 916679930:916679930(0) win 16384 <mss 1460,nop,nop,sackOK>
[email protected]..(. [email protected]
23:23:53.116681 IP (tos 0x0, ttl 47, id 35735, offset 0, flags [none], proto: TCP (6), length: 44)
    www.defcon.org.80 > A152B.2436: S, cksum 0x2304 (correct), 451321314:451321314(0) ack 916679931 win 65535 <mss 1460>
E..,..../..]..(...9.P .....6.l.`...#.........
23:23:53.116738 IP (tos 0x0, ttl 128, id 11232, offset 0, flags [DF], proto: TCP (6), length: 40)
    A152B.2436 > www.defcon.org.80: ., cksum 0xf650 (correct), 1:1(0) ack 1 win 17520
E..([email protected]..(. ..P6.l.....P.Dp.P..
23:23:53.117616 IP (tos 0x0, ttl 128, id 11233, offset 0, flags [DF], proto: TCP (6), length: 495)
    A152B.2436 > www.defcon.org.80: P 1:456(455) ack 1 win [email protected]..(. ..P6.l.....P.Dp1/..GET /html/defcon-14/html/dc-css/defconblue

Ethereal / Wireshark
• Packet analyzer
• Original author was Gerald Combs
• Now supported by over 100 programmers
• Can 'dissect' 759 protocols
• Linux & Windows friendly
• Now licensed through CACE Technologies
http://www.wireshark.org/

Ethereal / Wireshark
• To view entire conversation, right-click and choose Follow TCP Stream

Password Capturing
• The following protocols send passwords in plain text
  – Telnet
  – FTP
  – POP
  – SMTP
  – Just to name a few!
• Even if password is not in plain text, it is often easily cracked

Tool: Cain and Abel
• Developed by Massimiliano Montoro
• http://www.oxid.it/index.html
• Password recovery tool that supports packet capturing
• Can even capture & replay voice conversations

Tool: Dsniff
• http://www.monkey.org/~dugsong/dsniff/
• Dsniff can be used to listen only for passwords

Tool: Ettercap
• http://ettercap.sourceforge.net/
• Can be used to sniff passwords
• Active and passive capturing capabilities
• Content filtering

Analysis of E-mail Traffic
SMTP Commands
  HELO             Used to initiate communication to an SMTP server
  EHLO             Same as HELO
  MAIL FROM:       Address you are sending e-mail from (easy to spoof!)
  RCPT TO:         Destination of e-mail
  SIZE=# of bytes  Not necessary. Specifies size of e-mail in bytes.
  DATA             The message body. Terminated with a single period (.) on a line by itself.
  QUIT             Terminates the SMTP session
  VRFY username    Verify that a username is valid. Excellent way to enumerate users.
  EXPN name        Like VRFY, can verify a username. EXPN can also list out all usernames in a distribution list.

Analysis of E-mail Traffic
• POP Commands (RFC 1225)
  • USER
  • PASS
  • QUIT
  • STAT
  • LIST
  • RETR
  • DELE
  • LAST
  • RSET
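
The Password Capturing slide and the SMTP/POP command lists point to the same defensive check: finding which services on your own network still accept logins or user enumeration in the clear. The audit below is an added example, not part of the original slides; the record format (server port plus one reassembled client line), the finding names and every sample value are constructed, and SMTP AUTH is included on the assumption that the server offers it without TLS.

```python
"""Audit reassembled client commands for cleartext logins (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

PROTOCOL_BY_PORT = {21: "FTP", 25: "SMTP", 110: "POP3"}

# Command verb -> finding, per protocol. USER/PASS and VRFY/EXPN are the
# commands listed on the slides. AUTH PLAIN/LOGIN only base64-encode the
# credentials, which is an encoding and not encryption.
RULES: Dict[str, Dict[str, str]] = {
    "FTP": {"USER": "cleartext-login", "PASS": "cleartext-password"},
    "POP3": {"USER": "cleartext-login", "PASS": "cleartext-password"},
    "SMTP": {"AUTH": "cleartext-password",
             "VRFY": "user-enumeration",
             "EXPN": "user-enumeration"},
}


class Finding(NamedTuple):
    protocol: str
    kind: str
    evidence: str   # the command with any secret removed


def redact(verb: str, arg: str) -> str:
    """Keep enough of the command for a ticket, never the secret itself."""
    if verb == "PASS":
        return "PASS <redacted>"
    if verb == "AUTH":
        mechanism = arg.split(" ", 1)[0].upper()
        return f"AUTH {mechanism} <redacted>".replace("  ", " ")
    return f"{verb} {arg}".strip()


def audit(records: Iterable[Tuple[int, str]]) -> List[Finding]:
    """records: (server_port, client_line) pairs taken from a capture."""
    findings: List[Finding] = []
    for server_port, raw in records:
        protocol = PROTOCOL_BY_PORT.get(server_port)
        if protocol is None:
            continue                      # not a protocol this audit covers
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()               # commands are case-insensitive
        kind = RULES[protocol].get(verb)
        if kind:
            findings.append(Finding(protocol, kind, redact(verb, arg.strip())))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Count findings per (protocol, kind) for a report."""
    return dict(Counter((f.protocol, f.kind) for f in findings))


# Constructed client-to-server lines; no value comes from a real capture.
SAMPLE = [
    (21, "USER backup\r\n"),
    (21, "PASS Winter2006!\r\n"),
    (21, "LIST\r\n"),
    (110, "user alice\r\n"),
    (110, "pass hunter2\r\n"),
    (110, "STAT\r\n"),
    (25, "EHLO client.example\r\n"),
    (25, "VRFY root\r\n"),
    (25, "EXPN staff\r\n"),
    (25, "AUTH PLAIN AGFsaWNlAGh1bnRlcjI=\r\n"),
    (25, "MAIL FROM:<alice@example.com>\r\n"),
    (80, "GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.protocol:<5} {f.kind:<19} {f.evidence}")
```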

Analysis of E-mail Traffic: Ettercap

Tool: Mailsnarf
• Part of Dsniff: http://www.monkey.org/~dugsong/dsniff/
• Dug Song
• Listens only for e-mail

Analysis of FTP Traffic

Analysis of FTP Traffic: Ettercap
Shows directory listing of FTP server

Analysis of MSN Messenger Traffic
[email protected]: "We need to send feds to the Defcon conference. Hackers are bad…very bad."
[email protected]: "No, there is no need to send a fed…I am sure nobody will do anything illegal there."

Analysis of MSN Messenger Traffic
• MSN Sniffer
• www.effetech.com
• Also have ICQ Sniffer, AIM Sniffer, HTTP Sniffer, ACE Password Sniffer, and much more

Web Traffic: URLSnarf
• Part of dsniff, written by Dug Song
• http://www.monkey.org/~dugsong/dsniff/
• urlsnarf [-n] [-i interface] [[-v] pattern [expression]]
  -n          Do not resolve IP to hostname
  -i          Interface
  -v          "versus mode" Invert the pattern you are matching
  pattern     Specify regular expression to match
  expression  Specify a tcpdump filter expression to select traffic to dump

Countermeasures
• Port Security
• IPSec

Demo Time