Course Name: Ethical Hacking

EL
Faculty Name: Prof. Indranil Sen Gupta

PT
N
Department : Computer Science and Engineering

Topic
Lecture 41: Packet Sniffing (Part 1)
 Network analysis and sniffing
 Wireshark packet analysis tool

EL
PT
N
What is Sniffing?

• What is network analysis or Sniffing?

• It is a process of analyzing network activity by capturing network traffic.
• Sniffer is a program that monitors the data travelling around the network.

EL
• Example tools: Wireshark, Solarwinds, Kismet, burpsuit, and many others.

PT
N
• Features of a network analyzer or sniffer:
a) Support for multiple protocols
b) Graphical user interface
c) Statistical report generation

3
What is Wireshark?

• It is an open source tool for profiling network traffic and analyzing packets.
• Often referred to as a network analyzer, network protocol analyzer or sniffer.
• Can be downloaded from: http://www.wireshark.org

EL
• What is does really?

PT
N
• Captures network data and displays them in a readable format.
• Log network traffic for forensics and evidence.
• Analyze network traffic generated by various applications.

4
How Packet Sniffer works?

• Ethernet is the most widely used protocol used in a LAN.

• At the data-link layer level.

• While running Wireshark the machine’s network interface card (NIC) is put in

EL
promiscuous mode.

PT
N
• In this mode, the sniffer can read all traffic on the network segment to which the NIC is
connected (irrespective of the sender and the receiver).
• Requires root privilege to set the NIC to promiscuous mode.
• If the LAN uses a switch, then packets from other network segments cannot be
captured.

5
Packet Capture using Wireshark

Method 3: Go to capture menu

and click on start capturing.

Method 2: Select network

EL
PT
and click on capture.

N
Method 1: To start capturing double
click on the network adapter.

6
 Packet Information
Packet Capturing Starts No: Frame number
Time: Time in second
Source: source address
Destination: Destination address
Protocol: Protocol that is used for
communication
Length: Length of packet in bytes

EL
Packet summary

PT
Info: Info of the packet (Type

N
version etc.)

Protocol Window

Offset Data in Hexadecimal Data in ASCII Data

Window

7
Filtering different type of packets

• To filter packets put filter name in filter bar and press <enter> or the arrow.
• Restrict the packets that are displayed in summary window.
• For correct filter, bar will convert from white to green and for wrong filter it will be shown as
red.

EL
PT
N

8
Demonstration: Wireshark

EL
PT
N

9
 N
PT
EL
10
 Course Name: Ethical Hacking

EL
Faculty Name: Prof. Indranil Sen Gupta

PT
N
Department : Computer Science and Engineering

Topic
Lecture 42: Packet Sniffing (Part 2)
 Packet capturing demo using Wireshark
 Sniffing countermeasures
 Sniffing detection

EL
PT
N
Demonstration: Password Capture

EL
PT
N

13
 Sniffing Countermeasure
• Restrict the physical access to the network media to ensure that a packet sniffer
cannot be installed.
• Use encryption to protect confidential information.
• Permanently add the MAC address of the gateway to the ARP cache.

EL
PT
• Use static IP addresses and static ARP tables to prevent attackers from adding the

N
spoofed ARP entries for machines in the network.
• Use IPv6 instead of IPv4 protocol.

14
 Sniffing Countermeasure (contd.)
• Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead
of FTP, SSL for email connection, etc. to protect wireless network users against
sniffing attacks.
• Use HTTPS instead of HTTP to protect user names and passwords.

EL
• Use switch instead of hub as switch delivers data only to the intended recipient.

PT
N
• Use SFTP, instead of FTP for secure transfer of files.
• Use PGP and S/MIPE, VPN, IPSec, SSL/TLS, Secure Shell (SSH) and One-time
passwords (OTP).

15
Sniffing Detection

• Nmap's NSE script allows us to check if a target on a local Ethernet has its
network card in promiscuous mode.
• Command to detect NIC in promiscuous mode:

EL
nmap --script=sniffer-detect [Target IP Address/Range of IP add]

PT
N

16
Demonstration: Sniffing Detection

EL
PT
N

17
 N
PT
EL
18
 Course Name: Ethical Hacking

EL
Faculty Name: Prof. Indranil Sen Gupta

PT
N
Department : Computer Science and Engineering

Topic
Lecture 43: Packet Sniffing (Part 3)
 Sniffing with Ettercap and Burpsuite
 HTTPS and DNS Sniffing

EL
PT
N
 Ettercap Sniffing Tools
• Ettercap is a free and open source network security tool for man-in-the-middle
attacks on LAN.
• It can be used for computer network protocol analysis and security auditing. It
runs on various Unix-like operating systems including Linux, Mac OS X, BSD and

EL
Solaris, and on Microsoft Windows.

PT
N
• It is capable of intercepting traffic on a network segment, capturing passwords,
and conducting active eavesdropping against a number of common protocols.
• Ettercap has plugin support so that the features can be extended by adding new
plugins.

21
 Features of Ettercap
• IP-based Filtering: We can filter packets based on IP source and destination.
• MAC-based Filtering: packets can be filtered based on MAC address, useful for
sniffing connections through a gateway.
• Character injection into an established connection: characters can be injected

EL
PT
into a server (emulating commands) or to a client (emulating replies) while

N
maintaining a live connection.
• SSH1 support: the sniffing of a username and password, and even the data of an
SSH1 connection. Ettercap is the first software capable of sniffing an SSH
connection in full duplex.

22
 Features of Ettercap
• HTTPS support: the sniffing of HTTP SSL secured data—even when the
connection is made through a proxy.
• Plug-in support: creation of custom plugins using Ettercap's API.
• Packet filtering/dropping: setting up a filter that searches for a particular string

EL
PT
(or hexadecimal sequence) in the TCP or UDP payload and replaces it with a

N
custom string/sequence of choice, or drops the entire packet.
• TCP/IP stack fingerprinting: determine the OS of the victim host and its network
adapter.
• And many more features available.

23
 BurpSuite Sniffing Tools
• Burpsuit is an integrated platform for performing security testing of web
applications.
• The tool is written in Java and developed by PortSwigger Security.
• It can be used for computer network protocol analysis and security auditing. It

EL
PT
has two versions free version and a professional version.

24
 Various Modules of BurpSuite
• Target: The target tool gives an overview of target applications content and
functionality.
• Proxy: Gives direct view of how target applications works by working as proxy
server or as a man-in-the-middle between you and your server such that you can

EL
intercept, inspect and modify the raw traffic.

PT
N
• Spider: Used for automotive crawling web applications.
• Scanner: Used for finding vulnerabilities in web applications.
• Intruder: it is used for automating customized attacks against web applications.
• Repeater: Is used for manipulating and reissuing HTTP requests and analyzing
application response.

25
Demonstration: Sniffing using Burpsuit

EL
PT
N

26
 N
PT
EL
27
 Course Name: Ethical Hacking

EL
Faculty Name: Prof. Indranil Sen Gupta

PT
N
Department : Computer Science and Engineering

Topic
Lecture 44: Social Engineering Attack
 Social engineering attacks
 Types of social engineering attacks
 Social engineering countermeasures

EL
PT
N
Social Engineering Attack

• Social engineering is the art of convincing people to reveal confidential

information.
• Social engineers lure targets to provide information by promising something for nothing
(greediness).

EL
PT
• Common targets of social engineering:

N
• Help desk personnel
• Technical support executives
• System administrators
• Frustrated employees etc.

30
 Phases in a Social Engineering Attack
a) Research on Target Company:
• Dumpster diving, websites, employees, tour company, etc.
b) Select Victim:
• Select most vulnerable victim such as greedy employee.

EL
c) Develop Relationship:

PT
N
• Develop relationship with the selected victim.
d) Exploit the Relationship:
• Collect sensitive information such as financial information, current technologies etc.

31
Types of Social Engineering Attack

a) Human-based Social Engineering:

• Collect sensitive information by direct interaction with victims.

b) Computer-based Social Engineering:

EL
• Social engineering is carried out with the help of computers.

PT
N
c) Mobile-based Social Engineering:
• Social engineering is carried out with the help of mobile applications.

32
 (a) Human Based Social Engineering
• Impersonation:
• The attacker pretends to be someone legitimate or authorized person – most common.
• Reverse Social Engineering:
• A situation in which an attacker presents himself as an authority and the target seeks his

EL
advice offering the information that he needs.

PT
• Piggybacking:

N
• An authorized person allows (intentionally or unintentionally) an unauthorized person to pass
through a secure door. “I forgot my ID badge at home. Please help me”

33
 (a) Human Based Social Engineering (contd.)
• Tailgating:
• An unauthorized person, wearing a fake ID badge, enters a secured area by closely following
an authorized person through a door requiring key access.
• Eavesdropping:

EL
• Interception of audio, video, or written communication. It can be done using communication

PT
channels such as telephone lines, email, instant messaging, etc.

N
• Shoulder Surfing:
• Uses direct observation techniques such as looking over someone's shoulder to get
information such as passwords, PINs, account numbers, etc.

34
 (b) Computer-based Social Engineering
• Pop-up Windows:
• Windows that suddenly appears while surfing the Internet and ask for users' information to
login or sign-in or for providing help.
• Chain Letters:

EL
• Chain letters are emails that offer free gifts such as money and software on the condition

PT
that the user has to forward the mail to the said number of persons.

N
• Instant Chat Messenger:
• Gathering personal information by chatting with a selected online user to get information
such as birth dates, maiden names, emails, contact information etc.

35
 (b) Computer-based Social Engineering (contd.)
• Phishing:
• An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the
user's personal or account information. Phishing emails or pop-ups redirect users to fake
webpages of mimicking trustworthy sites that ask them to submit their personal information.
• Spear Phishing:

EL
PT
• A direct, targeted phishing attack aimed at specific individuals within an organization.

N
Attackers send a message with specialized, social engineering content directed at a specific
person or a small group of people.

36
 (c) Mobile-based Social Engineering
• Publishing Malicious Apps, Fake Security Applications:
• Attackers create malicious apps with attractive features and similar names to that of popular
apps, and publish them on major app stores. Unaware users download these apps and get
infected by malware that sends credentials to attackers.
• Using SMS:

EL
PT
• Send messages which looks like very important message from bank/company etc and need

N
urgent call in the given number.
• Victim calls to check account then attacker asks for information such as credit/debit card
numbers etc.

37
Demonstration: Phishing using
SEToolkit

EL
PT
N

38
 Social Engineering Countermeasures
• Good policies and procedures are ineffective if they are not taught and reinforced
by the employees.
• Password Policies:
• Periodic password change, Avoiding guessable passwords, Account blocking after failed

EL
attempts.

PT
N
• Physical Security Policies:
• Identification of employees by issuing ID cards, uniforms, etc. Escorting the visitors, Access
area restrictions.

39
 Social Engineering Countermeasures (contd.)
• Training:
• Include all security policies and methods to increase awareness on social engineering.
• Access privileges:
• There should be administrator, user, and guest accounts with proper authorization.

EL
• Classification of Information:

PT
N
• Categorize the information as top secret, proprietary, for internal use, for public use, etc.
• Background Check and Proper Termination Process:
• Insiders with a criminal background and terminated employees are easy targets.

40
 Social Engineering Countermeasures (contd.)
• Anti-Virus/Anti-Phishing Defenses:
• Use multiple layers of anti-virus defenses at end-user and mail gateway levels to minimize
social engineering attacks.
• Two-Factor Authentication:

EL
• Instead of fixed passwords, use two-factor authentication for high-risk network services such

PT
N
as VPNs and modem pools.

41
 N
PT
EL
42
 Course Name: Ethical Hacking

EL
Faculty Name: Prof. Indranil Sen Gupta

PT
N
Department : Computer Science and Engineering

Topic
Lecture 45: Denial of Service Attack
 Denial of service attack
 Various attack tools

EL
PT
N
 Denial-of-Service Attack
• It is an attack on a computer or network that reduces, restricts or prevents
accessibility of system resources to its legitimate users.
• In a DoS attack, attackers flood a victim system with non-legitimate service requests or
traffic to overload its resources.

EL
• It leads to unavailability of a particular website and show network performance.

PT
• A distributed denial-of-service (DDoS) attack involves a multitude of

N
compromised systems attacking a single target, thereby causing denial of
service for users of the targeted system.

45
 DoS / DDoS Attack Techniques
• Bandwidth Attacks:
• Overwhelm network equipment.
• It cannot be done using single system, an attacker uses several computers to flood a victim.
• SYN Attack:

EL
• The attacker sends a large number of SYN request to victim server with fake source IP

PT
N
addresses.
• The target machine sends back a SYN/ACK in response to the request and waits for the ACK
to complete the session setup.
• The target machine does not get the response because the source address is fake.

46
 DoS / DDoS Attack Techniques (contd.)
• SYN Flooding:
• Takes advantage of a flaw in how most hosts implement the TCP three-way handshake.
• When Host B receives the SYN request from A, it must keep track of the partially-opened
connection in a "listen queue" for at least 75 seconds.
• A malicious host can exploit the small size of the listen queue by sending multiple SYN

EL
PT
requests the a host, but never replying to the SYN/ACK.

N
• ICMP Flood Attack:
• The attacker send a large number of ICMP packets directly or through reflection networks
to victims causing it to be overwhelmed and subsequently stop responding to legitimate
TCP/IP requests.

47
 DoS/DDoS Attack Techniques (cont.)
• Application-Level Flood Attacks:
• This results in the loss of services of a particular network, such as emails, network resources,
the temporary ceasing of applications and services, and more.
• The attackers exploit weaknesses in programming source code to prevent the application
from processing legitimate requests.

EL
PT
• Using application-level flood attacks, attackers attempts to: (a) Flood web applications to

N
legitimate user traffic, (b) Disrupt service to a specific system or person, for example,
blocking a user's access by repeating invalid login attempts.

48
Botnets

• Bots are software applications that run automated tasks over the Internet and
perform simple repetitive tasks, such as web spidering and search engine
indexing.

EL
• A botnet is a huge network of the compromised systems and can be used by an

PT
attacker to launch denial-of-service attacks.

49
DoS / DDoS Attack Tools: Slowloris

• This is the most effective tool for DDoS attack. It works by opening thousands of
connections to the targeted web server and holding them open for a long time.
• This is achieved by sending partial HTTP requests, and none of them will be

EL
completed ever. It requires minimal bandwidth to target web server and no after

PT
effects.

50
DoS / DDoS Attack Tools: Low Orbit Ion Cannon (LOIC)

• It is an open source network stress testing and DoS attack software written in C#.
• This tool performs a DOS attack by sending UDP, TCP, or HTTP on the target with the intention
of disrupting its services
• It is mainly used for DoS attack on small servers. It is available on Linux, Windows, and

EL
PT
Android as well.

N
• LOIC basically turns computer’s network connection into a firehose of garbage
requests, directed towards a target web server.

51
DoS / DDoS Attack Tools: RUDY (R U Dead Yet ?)
• R.U.D.Y. is a popular low and slow attack tool that is designed to crash a web
server by submitting long form fields.
• The attack browses the target website and detects embedded web forms. Once the forms are
identified, it sends a legitimate HTTP POST request with an abnormally long ‘content-length’
header field and then it starts injecting the form with information, one byte-sized packet at a

EL
PT
time.

N
• Many more tools are available.

52
Demonstration: DoS using “Slowloris
script”

EL
PT
N

53
Demonstration: LOIC Tool

EL
PT
N

54
Demonstration: Ping of Death

EL
PT
N

55
 Countermeasures
• Shut down all the services until the attack has subsided.
• Install anti-virus and anti-Trojan software and keep these up-to-date.
• Increase awareness of security issues and prevention techniques.
• Disable unnecessary services, uninstall unused applications, and scan all the files

EL
received from external sources.

PT
N
• Increase bandwidth on critical connections to absorb additional traffic generated
by an attack.
• Replicate servers to provide additional failsafe protection.

56
 N
PT
EL
57