Sniffing



houtanal
Monday, 15 Tir 1383, 16:33
Is it also possible to sniff on networks that use a switch instead of a hub? :P

Best Programmer
Tuesday, 16 Tir 1383, 09:45
Yes.
Methods:
1: MAC flood
2: ARP

houtanal
Tuesday, 16 Tir 1383, 17:33
Thanks.
I read something about this which said that tools like macof from the dsniff suite, by sending a large number of fake MAC addresses to the switch and filling its buffer, cause the switch to send incoming packets out in all directions.
Can you give me more explanation, or a link for further reading? :flower:
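The CAM-table overflow described in the post above, modelled as an added example (this is not code from the thread and not dsniff/macof code). The switch model is an assumption: it learns the source MAC of each frame on the port it arrived on, holds a fixed number of entries and evicts the least recently seen one when full; real switches differ in what they do with a full table, but once the victim's entry is gone the effect is the one described, frames to the victim are flooded out every port. All addresses and ports are constructed.

```python
"""Toy model of a switch's MAC (CAM) table under a macof-style flood.

Added example, not from the thread and not dsniff code. The switch model
(source learning, fixed capacity, least-recently-seen eviction) is an
assumption made for illustration.
"""
import os
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()  # MAC -> port, ordered oldest-first for eviction
        self.flooded = 0            # frames that had to go out all ports

    def learn(self, src_mac, in_port):
        """Source learning: remember (or refresh) which port a MAC was seen on."""
        if src_mac in self.table:
            self.table.move_to_end(src_mac)        # refresh: now most recently seen
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)         # table full: evict the oldest entry
        self.table[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the output ports for one frame (i.e. where a sniffer could see it)."""
        self.learn(src_mac, in_port)
        out = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            # Unknown destination (or broadcast): flood out every other port.
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def random_mac():
    """Random unicast, locally administered MAC, as a flooding tool would send."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def mac_flood(switch, attacker_port, count):
    """Inject `count` frames with random source MACs from the attacker's port."""
    for _ in range(count):
        switch.forward(random_mac(), random_mac(), attacker_port)


def demo(capacity=1024):
    """Where does a Host-A -> Host-B frame go before and after the flood?"""
    host_a, host_b = "00:aa:bb:cc:dd:21", "00:aa:bb:cc:dd:22"   # constructed
    sw = Switch(ports=[1, 2, 3, 4, 5], capacity=capacity)
    sw.forward(host_a, host_b, in_port=2)           # first frame: B unknown, flooded
    sw.forward(host_b, host_a, in_port=3)           # B answers: switch learns B on port 3
    before = sw.forward(host_a, host_b, in_port=2)  # [3]: unicast, port 5 sees nothing
    mac_flood(sw, attacker_port=5, count=capacity * 2)
    after = sw.forward(host_a, host_b, in_port=2)   # B evicted: flooded to 1, 3, 4, 5
    return before, after


if __name__ == "__main__":
    print(demo(capacity=64))   # ([3], [1, 3, 4, 5])
```

The interesting line is the last `forward` call: after the flood the switch has forgotten which port Host-B is on, so it falls back to hub behaviour for that frame and the attacker on port 5 receives a copy. The flood has to be kept up, because as soon as Host-B sends again the switch re-learns its port.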

Best Programmer
Tuesday, 16 Tir 1383, 20:27
mefakon writes: You are probably familiar with how easy it is to sniff traffic on a shared network and how traffic is sent. But I will explain a bit about how a hub works on a shared network as an introduction anyway.

The way that traffic is handled on a shared network may be compared to the way mail is distributed during a mail call at military boot camp. One person stands at the middle of the room and shouts out the names on the letters as everybody stands around and listens for their own name to be called. Everyone hears whom the letter is addressed to, but only the person whom the mail is actually for would (normally) pick up the letter. In this example, the person shouting out names would represent the hub, while the people expecting letters would represent the workstations on the LAN.

If a user on the shared network puts their network card in promiscuous mode and installs a sniffing program, their computer will be able to collect all of the traffic on the network, instead of only the traffic that is addressed specifically to their computer.

This is the main feature of a switched network: you will not receive traffic that is not addressed to you. It would be like, taking the example above, if the mailman had a list of all the persons living at that barrack, with their names and pictures. He goes through the mail one piece at a time, reads whom it is addressed to, finds this person by looking at the list and gives him the mail. This way no one can steal anyone else's mail... or can they?


ARP - Introduction
The address resolution protocol (ARP) is a protocol that is used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. ARP operates below the network layer as a part of the interface between the OSI network layer and the OSI link layer. It is used when IPv4 is used over Ethernet.

When data is sent over an Ethernet network two hardware addresses are used, which identify the source and destination of each frame sent. The hardware address is also known as the Medium Access Control (MAC) address, in reference to the standards which define Ethernet.


 ___          ARP Request (dest:FF-FF-FF-FF-FF-FF)           ___
|   |  ---------------------------------------------------> |   |
|___|                                                       |___|
/____/ <---------------------------------------------------- /____/
Host-A             ARP Reply (dest:MAC-A)                   Host-B


On a switched Ethernet/IP network, when Host-A wants to send a packet to Host-B it needs to know the Host-B MAC address (MAC-B) in order to communicate. Host-A will ask for MAC-B with an ARP request packet sent as broadcast (FF-FF-FF-FF-FF-FF). Only the machine with the specified IP address (Host-B) will answer this request, with an ARP reply packet sent back as unicast directly to the Host-A MAC address (MAC-A).
At this point Host-A will send IP packets with destination IP-B using MAC-B as the destination address in the Ethernet frame. ARP Request and Reply packets are sent only if the host doesn't know the MAC address of the target machine; once the MAC address is learned, the ARP cache will be used.

Example: (Host-A wants to talk to Host-B)

1) Host-A --> Check the ARP cache if IP-B/MAC-B mapping exist.
2) Host-A --> ARP Request - What is the MAC address associated with IP-B?
3) Host-B --> ARP Reply - My MAC address is MAC-B and my ip address is IP-B.
4) Host-A --> Updates the ARP cache and sends packets to IP-B using MAC-B.


                               00-AA-BB-CC-DD-21   00-AA-BB-CC-DD-22
                                        |            |
Switch Route Table                      |            |       00-AA-BB-CC-DD-99
 ________________________               |            |      /
|Port |MAC-Address       |              |            |     /
|_____|__________________|              |            |    /
| 2   |00-AA-BB-CC-DD-21 |              |            |   /
| 3   |00-AA-BB-CC-DD-22 |            |   |    |    |   |
| 5   |00-AA-BB-CC-DD-99 |            1   2    3    4   5
|_____|__________________|           _|___|____|____|___|_
                                    |                      |
                                    |        Switch        |
                                    |______________________|


A network switch constructs its route table by extracting the source MAC address from the Ethernet frame of each packet it processes, and uses this table to send data only to the port of the destination MAC address. If an entry for the destination doesn't exist in the route table, the switch will forward the packet out all its ports.

So normally, on a switched network, you can only see traffic from/to yourself and broadcast/multicast traffic. The switch will forward all the traffic between two communicating hosts on a MAC address basis, thus excluding any eavesdropping host from the traffic flow.

Because ARP request packets are sent as broadcast (FF-FF-FF-FF-FF-FF), the switch will forward them out all its ports. By listening to this traffic, anyone can quickly learn the correct IP-MAC mapping of every host on the LAN. This is important to know when sniffing traffic on the network, since one has to redirect the traffic to its real destination after forcing it to take the path through a sniffer, so that the communication between the two hosts won't be interrupted and the eavesdropping can continue.

So how can one do this, you ask? Well, ARP is a stateless protocol that does not require authentication, so a simple ARP reply packet sent to a host will force an update of its ARP cache. By manipulating the ARP cache of two communicating hosts, one can redirect the data flow and get the traffic to go anywhere on the network.

Example:

Host-A
IP address: 192.168.0.1
MAC address: 00-AA-BB-CC-DD-21
Host-B
IP address: 192.168.0.2
MAC address: 00-AA-BB-CC-DD-22
Sniffer
IP address: 192.168.0.3
MAC address: 00-AA-BB-CC-DD-99

Before poisoning

Host-A ARP cache                          Host-B ARP cache
 _____________________________             _____________________________
| IP addr   | MAC addr        |           | IP addr   | MAC addr        |
|___________|_________________|           |___________|_________________|
|192.168.0.2|00-AA-BB-CC-DD-22|           |192.168.0.1|00-AA-BB-CC-DD-21|
|___________|_________________|           |___________|_________________|


After poisoning

Host-A ARP cache                          Host-B ARP cache
 _____________________________             _____________________________
| IP addr   | MAC addr        |           | IP addr   | MAC addr        |
|___________|_________________|           |___________|_________________|
|192.168.0.2|00-AA-BB-CC-DD-99|           |192.168.0.1|00-AA-BB-CC-DD-99|
|___________|_________________|           |___________|_________________|


The sniffer host sends a poison packet to Host-A (with the spoofed IP of Host-B) which tells it that Host-A can find IP-B at the MAC 00-AA-BB-CC-DD-99. At the same time it tells Host-B (with the spoofed IP of Host-A) that it can find IP-A at the MAC 00-AA-BB-CC-DD-99 as well. At this point all communication between Host-A and Host-B will flow through the sniffer host, bypassing the main feature of the switch.

Note that if there is no traffic after a timeout period, a dynamic entry in the ARP cache of the two hosts will be flushed out. For this reason the sniffer host must continue poisoning the hosts at regular intervals.
Also note that ARP poisoning does not insert a new entry into the ARP cache; it can only update an existing one. The mapping must already be present in the cache in order to manipulate it.


There are tools for this out in the wild, but I will not mention their names nor how to use them in this text. If you don't know what you are doing you can do a lot of damage, and if you do know what you are doing you can do even more damage.

There are basically three things one can do to be protected against this kind of attack.

1) Use an ARP monitoring tool that watches the cache and stores every new IP-MAC combination in its own list. If a combination is already known, the program compares it with the cache to see if it has changed. This method will spot an attack, but not stop it.

2) Use strong encryption on all data sent over the network; this way there is no point in sniffing the traffic, since it will only read as garbage. This method will protect you against someone trying to eavesdrop on your switched traffic. But it will not protect you against a denial of service attack, that is, if someone redirects all traffic to a computer that is not configured as a router and knows the real IP-MAC mappings.

3) The third and best way is to use static ARP entries, that is, type in all IP-MAC pairs of all computers on the LAN manually into all computers' ARP caches. This is a bit cumbersome, since there might be hundreds or thousands of computers on the network. But this method is the only one that will completely protect you against this type of attack.

Well, that's all for tonight, kids, and remember, it's "down the road" not "across the street". Make it count! :D
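The poisoning exchange and the cache-watching defence (point 1) from the post above, as an added example that is not part of the thread or of any named tool. The ARP replies are built and parsed with the standard library only; the addresses are the thread's constructed ones (Host-A 192.168.0.1 / 00-AA-BB-CC-DD-21, Host-B 192.168.0.2 / 00-AA-BB-CC-DD-22, sniffer 192.168.0.3 / 00-AA-BB-CC-DD-99). Nothing is put on the wire: the "captured" frames are constructed inside the file, and `ArpMonitor` is a hypothetical minimal version of the monitoring tool the post describes.

```python
"""ARP reply construction and an IP->MAC change detector.

Added example, not from the thread. Frames are raw Ethernet + ARP built with
struct (RFC 826 layout); the sample capture below is constructed, not real.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply 'sender_ip is at sender_mac'.

    A poison reply is just one where sender_ip belongs to another host while
    sender_mac is the sniffer's: ARP has no authentication, so the target
    updates its cache from the reply alone.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.ip_address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.ip_address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.ip_address(frame[38:42])),
    }


class ArpMonitor:
    """Hypothetical monitor: remember every IP->MAC pair seen and flag changes.

    Like defence (1) in the post, this detects poisoning but does not stop it.
    """

    def __init__(self):
        self.known = {}

    def observe(self, frame):
        """None for a frame that is benign (or not ARP); an alert string if a mapping changed."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.known.setdefault(ip, mac)   # first sighting is simply recorded
        if old != mac:
            return f"ARP change for {ip}: {old} -> {mac} (possible poisoning)"
        return None


def demo():
    """Constructed capture: Host-A's and Host-B's real replies, then the two poison replies."""
    host_a = ("192.168.0.1", "00-AA-BB-CC-DD-21")
    host_b = ("192.168.0.2", "00-AA-BB-CC-DD-22")
    sniffer_mac = "00-AA-BB-CC-DD-99"
    real_a = build_arp_reply(host_a[1], host_a[0], host_b[1], host_b[0])
    real_b = build_arp_reply(host_b[1], host_b[0], host_a[1], host_a[0])
    poison_a = build_arp_reply(sniffer_mac, host_b[0], host_a[1], host_a[0])  # to A: "IP-B is at 99"
    poison_b = build_arp_reply(sniffer_mac, host_a[0], host_b[1], host_b[0])  # to B: "IP-A is at 99"
    mon = ArpMonitor()
    return [mon.observe(f) for f in (real_a, real_b, poison_a, poison_b)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two poison frames are exactly the "after poisoning" state in the post, expressed as bytes: the Ethernet destination is the victim's real MAC, the ARP sender IP is the other host's, and the ARP sender MAC is the sniffer's. Putting such a frame on the wire needs a raw socket (root), and, as the post notes, it has to be resent before the victims' cache entries time out. The monitor only catches a change it can see, so it must run on a host that receives the replies (the victims themselves, or a port that mirrors their traffic), and it will also fire on legitimate changes such as a replaced NIC.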

houtanal
Wednesday, 17 Tir 1383, 15:44
:applause: :flower: :)