Sniffing and Spoofing. By Shaify Mehta (C.P.H, www.shaify.

com) :

Abstract:
Sniffing and spoofing are the important task to analysis the network and get over the network. Sniffing is the electronic form of eavesdropping. Sniffing is the most effective

to analyze the traffic from the main source to other source whether it is in encrypted or unencrypted form. While in bad manner it is used by hacker to capture the data. Data can contain the private information like passwords, email ids, various database records, and contents of the mails, download stuff Etc. , Which can easily use by the hacker and can do wrong things. Spoofing is done with the help of sniffing because with the help of sniffing it is more effective.

technique which is used to attack over the network and gain over the network. Sniffing captures the network traffic includes packets, ports etc. while spoofing is the technique to get the identity of another computer with the special privileges so as to get over to the network. For the hackers it is the most useable technique to get over the network. Hackers first sniff the network so as to determine from which location the traffic comes, then capture them and spoof the network.

How sniffing works:

Sniffing is not done without identifying the network and target. Once hacker has found the possible network then

Introduction:
Sniffing and spoofing are the most effective security threats which target the network infrastructure. Both works at the low level supporting the application that uses the network. Sniffing is a passive security attack. Sniffing word comes from the word sniff the ether where ether is Ethernet network while spoofing is the active security attack. Spoofing follows the term masquerade. Masquerade means fooling the other machines on the network into accepting the other user into real or original network. Spoofing do the job of disturbing the data and inject that data which behaves Like real or original to the other machines. But the main difference In sniffing and spoofing is that sniffing does not interrupt and alters the data but spoofing does. Sniffing can be used in the good and bad manner. In good manner it is used by the network analyzer

hacker main task is to identify the machine or target. Sniffing is done by a tool named sniffer. Sniffer captures all the packets.

Packet Sniffing Techniques:

1) ARP Based Sniffing. Address Resolution Protocol is a network protocol. It is stateless protocol. ARP based sniffing is done on the switched network. To use ARP based sniffing we need two hosts which we want to investigate or get over the host and identifying our self the other host between the two hosts. After selecting the hosts we Poison ARP cache of the two hosts. As soon as the ARP caches are poisoned the hosts connect but instead of sending the traffic directly to the other host it gets sent to the administrator who then logs the

traffic and forwards it to the real host on the other side of the connection.

POP: Passwords and data are sent in the clear text across the network. FTP: Passwords and data are sent in the clear text across the

2) I.P Based Sniffing.

Internet Protocol based sniffing is done when we put the network into promiscuous mode. In this type of sniffing all packets related to the IP address are filter. IP based sniffing works on the non-switched networks.

network. IMAP: Passwords and data are sent in the clear text across the network.

Protecting Against Sniffing & Eavesdropping:

Now wired networks upgrade from repeaters and hubs to switched environment. These switches would send only the

3) MAC Based Sniffing.

MAC-based sniffing works by putting the network card into promiscuous mode and sniffing all packets that match the MAC address filter.

traffic intended for a specific host over each individual port, making it too difficult to sniff the entire networks traffic but unfortunately this is not an option for wireless networks due to the nature of wireless communications.

Protocols Vulnerable to Sniffing:

Telnet and Re-login: With sniffing, keystrokes of a user can be captured as they are typed, including the users username and password. Some tools can capture all text and dump it into a terminal emulator, which can reconstruct exactly what the end user is seeing. This can produce a real time viewer on the remote users screen.

The only way to protect wireless users from attackers who might be sniffing is to utilize encrypted sessions wherever possible: SSL for e-mail connection, SSH instead of Telnet, and Secure Copy (SCP) instead of File Transfer Protocol (FTP). To protect a network from being discovered with sniffing

HTTP: The default version of HTTP has many loop-holes . Basic authentication is used by many websites, which usually send passwords across the wire in the plain text. Many websites use a technique that prompts the user for a username and password that are sent across the network in the plain text. Data sent is in clear text. SNMP: SNMP traffic that is SNMPv1 has no good security. SNMP passwords are sent in clear text across the networks. NNTP: Passwords and data are sent in the clear text across the network.

tools, it is important to turn off any network identification broadcasts and if possible, close down the network to any unauthorized users.

Detecting a Sniffer:
Sniffers are a major source of contemporary attacks. The ifconfig command is used to detect if a sniffer has been installed.

The ifconfig command displays the current configuration of your network interface. Most Ethernet adaptors are configured to accept only messages intended for them. An attacker must set a computers adaptor to promiscuous mode, in order to listen to (and record) everything on its segment of the Ethernet. Antisniff, that scans networks to determine if any NICs are running in promiscuous mode. These detection tools should run regularly, since they act as an alarm of sorts, triggered by evidence of a sniffer. Promqry 1.0, developed by Tim Rains at Microsoft can be used in identifying Sniffers. According to Tim Rains many network sniffer detection tools rely on bugs in the operating system and sniffer behavior for their discovery work. Promqry is different in that it can query systems to learn if any have a network interface operating in promiscuous mode, which as you know is a mode commonly use by network sniffing software. A command line version and a version with a GUI of Microsofts site. Promqry 1.0 is available at

from another valid IP address. In IP address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. To explain this clearly, in IP address spoofing, the IP address information placed on the source field of the IP header is not the real IP address of the source computer, where the packet was originated. By changing the source IP address, the actual sender can make it look like the packet was sent by another computer and therefore the response from the target computer will be sent to the fake address specified in the packet and the identity of tha attacker is also protected.

How Spoofing works:

Spoofing is the technique to get the identity of another computer with the special privileges so as to get over to the network which means fooling the other machines on the network into accepting the other user into real or original network. Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses specifically the source address field.

Spoofing Types:
2) SMS Based Spoofing. 1) I.P Based Spoofing. SMS spoofing is a relatively new technology which uses the IP address spoofing is a type of attack when an attacker assumes the source Internet Protocol (IP) address of IP packets to make it appear as though the packet is coming short message service (SMS), available on most mobile phones and personal digital assistants, to set who the message appears to come from by replacing the originating

mobile number (Sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, and product).

impersonate another network device. A user may wish to legitimately spoof the MAC address of a previous hardware device in order to reacquire connectivity after hardware failure.

3) CALL Based Spoofing.

Caller Spoofing is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered malicious by the speaker. 1) Source Number 2) Destination Number 3) Caller Id Number E-mail spoofing is a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message.

5) Email Based Spoofing.

4) MAC Based Spoofing.

MAC spoofing is a technique for changing a factoryassigned Media Access Control (MAC) address of a network interface on a networked device. The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to

Protect Against Spoofing Protection:

It is possible to protect a network against IP spoofing by using Ingress filtering which uses packets to filter the inbound traffic. The system has the capability to determine if the packets are coming from within the system or from an outside source. Transmission Control Protocols can also be deployed through a number sequence that is used to create a secure connection to other systems. This method can be enhanced by disconnecting the source routing on the network to prevent hackers from exploiting some of the spoofing capabilities.

References:
http://www.techiwarehouse.com/engine/423a5281/IPSpoofing-and-Sniffinghttp://www.spamlaws.com/how-IP-spoofing-works.html http://en.wikipedia.org/wiki/Spoofing_attack