Archive
Sniffing in a Switched Network .. The Idea
Sniffing on a network is one of the everyday tasks you need so as to monitor some of the critical stuff on your network. The attackers also sniff on your network to see the traffic or alter it, which is a big compromise to your security.
First, I want to clarify some confusion between a Hub Based and a Switch Based network
Suppose I have these three machines:
Victim 1 :
Port: 1
IP: 10.0.0.1
MAC : 00-00-00-00-00-01
Victim 2:
Port: 2
IP: 10.0.0.2
MAC : 00-00-00-00-00-02
Attacker :
Port: 10
IP: 10.0.0.10
MAC : 00-00-00-00-00-10
In a hub based network (I guess you can’t find any these days):
The hub, some how, has a huge collision.
The drawback on the hub was the shared bandwidth and the big collision which affected the network performance badly. Hubs were the bottleneck no.1
Long ago, I tried to check sniffing on a hub based network. Just using a sniffer on the attacker’s machine and you can see the traffic between all the machines connected to the hub.
If the traffic is sent from victim1 to victim2, the hub sends the traffic from port 1 to all the other ports, and then other machines just drop the traffic coz they don’t match the destination IP / Mac in the header parts.
If you try something like ethereal now on your machine in a switched network, you get nothing. Just the traffic from / to your machine only..
Why??
It is because you have a switch.
In a switched Network:
The switch controls the collision domains. The switch has some memory to know which machine is connected to which port. This is all based on the Mac Addresses. (while the hub doesn’t really care about that stuff). So if the traffic is sent from victim1 to victim2 on a switch, the attacker can’t get the traffic because the switch sends the traffic from port 1 to port 2.
The Idea of sniffing in a switched network:
So, in a switched network you need the switch to send the traffic from victim1 to the attacker which then sends it back to victim 2. The attacker machine then acts as a ‘Router’. It routes the traffic from victim 1 to victim 2 through it. This is what we simply call the “MIM” or “Main In the Middle” Attack.
MIM is done by altering the Arp Tables by a process called “ARP Poisoning”.
So how is the ARP Poisoning done??
ARP: Address resolution Protocol.
Its role is to map IP addresses to the MAC addresses.
In victim 1:
ARP Table has these entries:
IP: 10.0.0.2
MAC: 00-00-00-00-00-02
But after poisoning
IP : 10.0.0.2
MAC: 00-00-00-00-00-10
So, the traffic is sent to the attacker’s machine
The same stuff is on Victim 2 ‘s ARP table:
Before Poisoning :
IP: 10.0.0.1
MAC: 00-00-00-00-00-01
After Poisoning:
IP: 10.0.0.1
MAC: 00-00-00-00-00-10
When a machine is on a network, it sends an ARP Request saying “ Who has the IP Address 10.0.0.2” ?
Then machine 10.0.0.2 sends the ARP Reply that machine with the MAC 00-00-00-00-00-02 has the 10.0.0.2 address.
The good news (or bad … I don’t know) is that machines can respond to an ARP Reply message even if they don’t make a request. So, the Arp poisoning goes flooding the Arp tables by incorrect ARP Reply messages with MAC addresses to change the IP / MAC mapping.
You don’t need to do this stuff manually.
The tools that you use for sniffing in a switched network can do this stuff for you.
How to stop something like that?
. IPSec signs the hops / path that the packets travel from source to destination. So, if any of the hops is altered, the packet is rejected. (I’ll try to make some detailed posts on IPSec later).
. MAC Filtering allows you to hard code the MAC address on each port, so that if the MAC address in the headers is changed, the switch will not pass it.
Tamer Maher 