View Full Version : Securing network against sniffing



snake eyes
11-12-2008, 02:38 AM
Hello people.
I am working in an organisation which has one fairly large network with 6 VLANs, WiFi, layer 2&3 switches, multiple servers etc. There is one server running Squid proxy.
Now the thing is that this network is really insecure from inside. Anybody running ettercap or any other good sniffer can capture almost every username and password. I let ettercap run for 30 minutes in one subnet and it captured nearly 20 passwords, all in plain text.
Is there anything that I can do to make the network secure against this? Or even a single computer?

The only password that wasn't caught in plain text was Yahoo. It showed a hash and its salt. Can anybody post some information on why that is so?
Is it possible to capture passwords from other subnets using ettercap? I tried doing so by scanning all live hosts (whole network) and making a list which was loaded into ettercap. But unlike local hosts that are picked up by default, the Host List shows no MAC addresses. I guess ARP spoofing wouldn't work.
I can put my PC in the same subnet as that of the proxy server, but even then it didn't work.

imported_wyze
11-12-2008, 06:02 AM
Hello people.
I am working in an organisation which has one fairly large network with 6 VLANs, WiFi, layer 2&3 switches, multiple servers etc. There is one server running Squid proxy.
Now the thing is that this network is really insecure from inside. Anybody running ettercap or any other good sniffer can capture almost every username and password. I let ettercap run for 30 minutes in one subnet and it captured nearly 20 passwords, all in plain text.
Is there anything that I can do to make the network secure against this? Or even a single computer?

SSL / TLS implementation???

Virchanza
11-12-2008, 07:15 AM
Is there anything that I can do to make the network secure against this?

Either physically secure the cables from tampering, or encrypt the data being sent along them. Either that or voodoo.



Is it possible to capture passwords from other subnets using ettercap?


Depends what you mean by "other subnets". If the other subnet is on a separate broadcast domain (i.e. on a separate LAN), then that means you have to go through a router to access the other subnet. You won't be able to see anything behind a router unless it's actually being sent into your LAN via a particular port on the router.

It's possible though, to have two subnets on the one broadcast domain (i.e. without a router in between). For instance, get a four-port hub and four PCs (let's call them A,B,C,D).

A = 192.168.1.5/24
B = 192.168.1.6/24
C = 10.10.10.1/24
D = 10.10.10.2/24

A and B are on the same subnet. C and D are on the same subnet. Although there are two different subnets, they're both on the same wire, they share the same Ethernet broadcast domain. Computer A will be able to see the frames that are exchanged between C and D. Also, if A wants to send a packet to C, it doesn't necessarily have to go through a router, it can just add a route to its routing table which says that network 10.10.10.0/24 is on the wire (I actually tried this out before).

So if the other subnet is behind a router, you won't be able to sniff (imagine what it would do to the internet if you could). If you're on the same Ethernet broadcast domain, then there's hope.

snake eyes
11-17-2008, 04:09 AM
Naah.. not on the same subnet. A layer 3 switch separates every VLAN. I was just wondering if it was possible to spoof the MAC/IP of the proxy server as my PC is on the same subnet. I tried that but it didn't work out well.
Securing cables isn't an issue as subnets are connected by underground optical fibres. :D Most users are on WiFi anyway and WEP key is more or less secure.

Wyze
I'm using SSL on Mozilla but it's problematic. Not every site supports SSL, including the intranet, and even my Gmail passwords are getting captured :-s

terminal86
11-17-2008, 04:42 AM
Most users are on WiFi anyway and WEP key is more or less secure.


Are you serious? :eek:
Congratulations to your organisation.. :rolleyes:

Barry
11-17-2008, 06:48 AM
Naah.. not on the same subnet. A layer 3 switch separates every VLAN. I was just wondering if it was possible to spoof the MAC/IP of the proxy server as my PC is on the same subnet. I tried that but it didn't work out well.
Securing cables isn't an issue as subnets are connected by underground optical fibres. :D Most users are on WiFi anyway and WEP key is more or less secure.

Wyze
I'm using SSL on Mozilla but it's problematic. Not every site supports SSL, including the intranet, and even my Gmail passwords are getting captured :-s

About as secure as a screen door.

snake eyes
11-19-2008, 02:24 AM
About as secure as a screen door.

:o
Give me some slack folks. All I meant was that my issue is more related to sniffing rather than somebody using WiFi without my authorization. Threat is from internal users not external.

imported_wyze
11-19-2008, 06:11 AM
:o
Give me some slack folks. All I meant was that my issue is more related to sniffing rather than somebody using WiFi without my authorization. Threat is from internal users not external.

Static ARP tables would be a good start.

Barry
11-19-2008, 09:26 AM
:o
Give me some slack folks. All I meant was that my issue is more related to sniffing rather than somebody using WiFi without my authorization. Threat is from internal users not external.

They can sniff over the wireless just as easily as the wire. Easier actually.

streaker69
11-19-2008, 09:33 AM
:o
Give me some slack folks. All I meant was that my issue is more related to sniffing rather than somebody using WiFi without my authorization. Threat is from internal users not external.

If your concern is about internal users using unauthorized software, i.e. sniffers, then employ a PC auditing package. Have an IT policy that states that only software that is purchased and installed by IT may be used on company PCs. When your auditing software turns up such stuff, bust their ass.

If someone is using a personal PC on the corporate LAN, and I don't know many companies that allow such things, then you have another issue. In that case, you could whitelist MAC addresses that are allowed on the LAN, and when a MAC address shows up that isn't allowed you could receive an alert telling you where the device is located and from there, appropriate action could be taken.

snake eyes
11-20-2008, 03:58 AM
If your concern is about internal users using unauthorized software, i.e. sniffers, then employ a PC auditing package. Have an IT policy that states that only software that is purchased and installed by IT may be used on company PCs. When your auditing software turns up such stuff, bust their ass.

If someone is using a personal PC on the corporate LAN, and I don't know many companies that allow such things, then you have another issue. In that case, you could whitelist MAC addresses that are allowed on the LAN, and when a MAC address shows up that isn't allowed you could receive an alert telling you where the device is located and from there, appropriate action could be taken.

Thanks for the replies.
The laptops and PCs number in the 1000s. We have a Squid proxy, DHCP and Symantec antivirus. With such a high number of users it's almost impossible to go through log files that amount to a GB in just a few weeks. Blocking MAC addresses is an option but with new laptops being brought in almost every month it becomes difficult.
Also if the intruder keeps on changing his MAC, this isn't of much use.
Can you guys suggest any software (except Snort) that can do this kind of work?
Apart from that, is there really any way to stop the passwords from being transmitted in plain text? Preferably at the user end. Even if some solution stops this in a small but critical subnet, my work will be done.

Andy90
11-20-2008, 06:40 AM
We have a client that runs two networks.

First is corporate, no un-auth PCs, and a restricted proxy. Tie this down with enforced transparent proxy and domain/username LDAP authentication? (so only machines joined to domain can authenticate)

Second is a wireless one, WEP, no proxy, just straight out, this is for personal computers, used for lunch hour and bit of personal stuff etc.

Give them the choice, a second network with less restrictions, and they may choose to leave the corporate lan?

streaker69
11-20-2008, 08:05 AM
Thanks for the replies.
The laptops and PCs number in the 1000s. We have a Squid proxy, DHCP and Symantec antivirus. With such a high number of users it's almost impossible to go through log files that amount to a GB in just a few weeks. Blocking MAC addresses is an option but with new laptops being brought in almost every month it becomes difficult.
Also if the intruder keeps on changing his MAC, this isn't of much use.
Can you guys suggest any software (except Snort) that can do this kind of work?
Apart from that, is there really any way to stop the passwords from being transmitted in plain text? Preferably at the user end. Even if some solution stops this in a small but critical subnet, my work will be done.

If you're using the latest version of Symantec EndPoint Protection, then you can configure it to whitelist known applications.

If you're using a Windows Domain, then you can GPO what the users can and cannot do on their machines, right down to limiting applications that can be installed. If they can't install anything then there is no sniffing.

If you're a company of that size, I would expect that you'd have a fairly strict Computer Usage Policy approved by HR. If you find someone violating that policy they should be reported and appropriate action should be taken. Normally it only takes a couple of people to be made an example of regarding those policies and the rest just fall in line.

PeppersGhost
11-20-2008, 05:22 PM
Is there anything that I can do to make the network secure against this?


The answer is no.

snake eyes
11-22-2008, 02:39 AM
Tell you what, I checked this thing on my home internet connection and the same thing happens there too. I let ettercap run for 3-4 hours and I had a list of nearly 30 passwords. Email, 1 shopping site, 1 railway ticket booking site, 2 matrimony and adult friendship sites among others :D

I can't force my stupid ISP to change the security system.
Connection in my house comes via a cat5 cable connected to some kind . There is MAC address binding, so that a particular IP is bound to a single MAC address only.



nmap -v -sV 10.130.193.1 (--------> Gateway)

Starting Nmap 4.50 ( http://insecure.org ) at 2008-11-22 13:21 GMT
Initiating ARP Ping Scan at 13:21
Scanning 10.130.193.1 [1 port]
Completed ARP Ping Scan at 13:21, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:21
Completed Parallel DNS resolution of 1 host. at 13:21, 2.62s elapsed
Initiating SYN Stealth Scan at 13:21
Scanning 10.130.193.1 [1711 ports]
Completed SYN Stealth Scan at 13:21, 8.39s elapsed (1711 total ports)
Initiating Service scan at 13:21
SCRIPT ENGINE: Initiating script scanning.
Host 10.130.193.1 appears to be up ... good.
Interesting ports on 10.130.193.1:
Not shown: 1710 filtered ports
PORT STATE SERVICE VERSION
113/tcp closed auth
MAC Address: 00:09:0F:30:B7:0C (Fortinet)

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.314 seconds
Raw packets sent: 3423 (150.610KB) | Rcvd: 3 (134B)





This is really scary. I change my passwords every 2-3 months. But even that precaution is useless now. :eek:

Amlord1
12-09-2008, 10:33 AM
If your concern is about internal users using unauthorized software, i.e. sniffers, then employ a PC auditing package. Have an IT policy that states that only software that is purchased and installed by IT may be used on company PCs. When your auditing software turns up such stuff, bust their ass.

If someone is using a personal PC on the corporate LAN, and I don't know many companies that allow such things, then you have another issue. In that case, you could whitelist MAC addresses that are allowed on the LAN, and when a MAC address shows up that isn't allowed you could receive an alert telling you where the device is located and from there, appropriate action could be taken.

Or, you could use some old school software (netcat) and put a backdoor on their computer, go in later and put a key logger; then you can see EVERYONE who they are stealing from. Just make sure you have permission from the network admin, if that isn't you. Any unauthorized computer on a network should be fair game, especially since such actions can be considered surveillance.

streaker69
12-09-2008, 10:36 AM
Or, you could use some old school software (netcat) and put a backdoor on their computer, go in later and put a key logger; then you can see EVERYONE who they are stealing from. Just make sure you have permission from the network admin, if that isn't you. Any unauthorized computer on a network should be fair game, especially since such actions can be considered surveillance.

I'm sure that works if your network is in a frat house. :)

Amlord1
12-09-2008, 10:41 AM
Are you serious? :eek:
Congratulations to your organisation.. :rolleyes:

lol, terminal86 is right... There is no such thing as secure wireless encryption.. Some just take longer than others...

Amlord1
12-09-2008, 11:46 AM
I'm sure that works if your network is in a frat house. :)

lol, As I have said before I'm still an amateur at this. So I appreciate constructive (or humorous) criticism. :D

carboncopy
12-12-2008, 08:31 PM
Someone might be familiar with this....

I was at a hotel once and I was connected to the wifi with my laptop. I tried to assign myself a static IP address and i got an error due to an IP conflict. I ran a program that scanned the subnet and for some reason, all of the IP addresses were taken by the same device. I am assuming it was the same device because all of the IPs had the same MAC address. The only IPs that did not have the same MAC were the ones that had been assigned to devices via DHCP.

I don't know what it was that the hotel was using to do that, but it definitely improved their security. Assuming that trying to run ettercap would stop all traffic and not allow for any MITM attacks.

Andy90
12-15-2008, 10:40 AM
Arp Bridge/Proxy I think the term is?

killadaninja
12-15-2008, 11:23 AM
About as secure as employing Michael Jackson as the bodyguard for your 13 year old son

Implement some auditing software across the whole network. The software at my university doesn't allow hardly anything to be executed. And if you want to execute something you have to ask for permission. However I did write a bat script that I dropped into the startup folder; using a simple elevation trick I managed to bypass this security. I executed nmap, then went and got a technician to come and see what I had done.
I then had to teach the so called technician how to add a line of code to the unallowed section of the auditing conf. Point is know your software, exactly what, how and why it works. As for wireless, like I said before it's only secure until someone finds a way to make it unsecure. You don't want your network being vulnerable to this new attack, so make sure that when your network has been infiltrated, pulling out info is still hard work. So with the right restrictions, right security, right data encryption and proper monitoring of your network you're making it as safe as can be FOR NOW.

purehate
12-15-2008, 12:03 PM
About as secure as employing Michael Jackson as the bodyguard for your 13 year old son

Implement some auditing software across the whole network. The software at my university doesn't allow hardly anything to be executed. And if you want to execute something you have to ask for permission. However I did write a bat script that I dropped into the startup folder; using a simple elevation trick I managed to bypass this security. I executed nmap, then went and got a technician to come and see what I had done.
I then had to teach the so called technician how to add a line of code to the unallowed section of the auditing conf. Point is know your software, exactly what, how and why it works. As for wireless, like I said before it's only secure until someone finds a way to make it unsecure. You don't want your network being vulnerable to this new attack, so make sure that when your network has been infiltrated, pulling out info is still hard work. So with the right restrictions, right security, right data encryption and proper monitoring of your network you're making it as safe as can be FOR NOW.

In the future please edit your posts instead of making a new post 5 mins later.

killadaninja
12-15-2008, 01:38 PM
Sorry PH, was an accident, I'll make sure it doesn't happen again

snake eyes
12-16-2008, 04:35 AM
Using Bridge ARP (I hope it's the correct term, I've never heard of or used it though) is not feasible as the number of PCs involved is too large, with numerous layer 2 switches in different blocks.
Setting permissions on individual PCs is not possible either. Only a few PCs are in the domain and we have only that many licenses of anti-virus software.
These are the few major roadblocks.
I tried using SSH, HTTPS for logging into servers and external websites, but found out that most of these passwords were being sniffed out too. Considering how many times we need to remotely login onto our servers from different locations (subnets), it gets serious. I've been looking for a foolproof way to ensure that passwords don't get sniffed in the network like it's possible now. Catching the guys who do it is a bit difficult considering the number of users involved and available manpower and resources.

Dudeman02379
12-16-2008, 10:36 AM
Using Bridge ARP (I hope it's the correct term, I've never heard of or used it though) is not feasible as the number of PCs involved is too large, with numerous layer 2 switches in different blocks.
Setting permissions on individual PCs is not possible either. Only a few PCs are in the domain and we have only that many licenses of anti-virus software.
These are the few major roadblocks.
I tried using SSH, HTTPS for logging into servers and external websites, but found out that most of these passwords were being sniffed out too. Considering how many times we need to remotely login onto our servers from different locations (subnets), it gets serious. I've been looking for a foolproof way to ensure that passwords don't get sniffed in the network like it's possible now. Catching the guys who do it is a bit difficult considering the number of users involved and available manpower and resources.

It would be much easier to manage if all of your computers were members of the domain. Why aren't they? If it is a Windows network maybe look into an IPsec solution for encrypting LAN traffic. Also I'm not exactly sure but aren't there IDS systems that would detect LAN sniffing?
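As an added example (not code from any poster in this thread), here is the sort of check Dudeman02379 asks about above, which would also have flagged what carboncopy saw at the hotel: a small Python pass over ARP observations that reports an IP whose MAC changes, a binding that contradicts a static ARP table of the kind imported_wyze suggested, and one MAC answering for many IPs. The observations, addresses and the threshold are constructed for the example.

```python
"""ARP-table anomaly check for the patterns discussed in the thread.

Input is a list of (seconds, ip, mac) observations, e.g. harvested from
periodic `arp -a` / `ip neigh` snapshots or from ARP replies seen by a sensor.
The sample data below is constructed for the example, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a gateway at .1 that suddenly answers from a second MAC,
# and one station (MAC ...:ee) that claims a large block of addresses.
SAMPLE = [
    (0,  "192.168.1.1", "00:09:0f:aa:bb:01"),
    (0,  "192.168.1.5", "00:1c:23:11:22:05"),
    (0,  "192.168.1.6", "00:1c:23:11:22:06"),
    (30, "192.168.1.1", "00:09:0f:aa:bb:01"),
    (60, "192.168.1.1", "00:1c:23:11:22:06"),   # gateway IP now at .6's MAC
    (60, "192.168.1.5", "00:1c:23:11:22:05"),
] + [(90, f"192.168.1.{n}", "00:1c:23:11:22:ee") for n in range(100, 130)]


@dataclass(frozen=True)
class Alert:
    kind: str      # "ip_mac_change", "mac_many_ips" or "static_mismatch"
    subject: str   # the IP or MAC the alert is about
    detail: str


def check_arp(observations, static_table=None, max_ips_per_mac=8):
    """Return a list of Alert for the anomalies found.

    static_table: optional {ip: expected_mac} (the "static ARP table" idea);
    any observed binding that contradicts it is reported.
    max_ips_per_mac: how many addresses one MAC may answer for before it is
    reported (a constructed threshold; tune it per segment).
    """
    static_table = {k: v.lower() for k, v in (static_table or {}).items()}
    alerts = []
    last_mac = {}                   # ip -> most recently seen mac
    ips_by_mac = defaultdict(set)   # mac -> set of ips it answered for
    for t, ip, mac in sorted(observations):   # chronological order
        mac = mac.lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append(Alert("static_mismatch", ip,
                                f"t={t}: expected {static_table[ip]}, saw {mac}"))
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert("ip_mac_change", ip, f"t={t}: {prev} -> {mac}"))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            alerts.append(Alert("mac_many_ips", mac,
                                f"answers for {len(ips)} addresses"))
    return alerts


if __name__ == "__main__":
    # Pin the gateway binding the way a static ARP entry would.
    for a in check_arp(SAMPLE, static_table={"192.168.1.1": "00:09:0F:AA:BB:01"}):
        print(f"[{a.kind}] {a.subject}: {a.detail}")
```

A single MAC answering for many addresses is also what a legitimate proxy-ARP device such as the hotel's looks like, so such a device belongs in the static table or the threshold needs tuning for that segment.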

Amlord1
12-18-2008, 09:59 PM
Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you aren't downloading a virus.... Still, it could be made more secure...

Feedback please.

streaker69
12-18-2008, 10:07 PM
Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you aren't downloading a virus.... Still, it could be made more secure...

Feedback please.

If you're talking about someone running one of these applications on a computer owned by said corporation, you wouldn't need a firewall, you'd just enable a group policy that does not allow them to be installed/run on the machine. This is rather easily done.

If you're talking about an intruder on the local LAN using their own machine you could take other measures. For your plan to work, you'd have to have a firewall capable of blocking those on every single machine, so you're talking about a software firewall on the OS. This of course would get cumbersome fast and rather impractical.

In cases like this, physical security would be better. Unused network ports are disabled at the switch and can only be enabled by a request to IT. MAC addresses are whitelisted and unknown MAC's found on the network send alerts to IT. As a policy, no outside machines may be connected to the corporate LAN, guest machines may be connected only inside a DMZ from the normal LAN.

IDS/IPS sensors could be placed at various places on the LAN looking for suspicious traffic. Anything noticed would be alerted to IT. This all goes to a layered security approach, there is no one solution.

purehate
12-18-2008, 10:13 PM
Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you aren't downloading a virus.... Still, it could be made more secure...

Feedback please.

No, because things like ettercap and C & A are "sniffers" and don't work with ports. They basically redirect ARP requests. Metasploit or any other exploit framework for that matter can't be blocked because any shell code can pretty much be used with any port. There is no way to "port" block an exploit. You either need the service running on that port or you don't. The key is never letting an attacker anywhere near your LAN so that these tools are never used. The weakest link these days in a corporation is web applications, so another key thing to do is keep your web servers in a DMZ so even if they are compromised the "evil hackers" still cannot access your LAN. This can all easily be done with hardware firewalls and Cisco routers (or whatever you use).

Amlord1
12-18-2008, 10:39 PM
No, because things like ettercap and C & A are "sniffers" and don't work with ports. They basically redirect ARP requests. Metasploit or any other exploit framework for that matter can't be blocked because any shell code can pretty much be used with any port. There is no way to "port" block an exploit. You either need the service running on that port or you don't. The key is never letting an attacker anywhere near your LAN so that these tools are never used. The weakest link these days in a corporation is web applications, so another key thing to do is keep your web servers in a DMZ so even if they are compromised the "evil hackers" still cannot access your LAN. This can all easily be done with hardware firewalls and Cisco routers (or whatever you use).


If you're talking about someone running one of these applications on a computer owned by said corporation, you wouldn't need a firewall, you'd just enable a group policy that does not allow them to be installed/run on the machine. This is rather easily done.

If you're talking about an intruder on the local LAN using their own machine you could take other measures. For your plan to work, you'd have to have a firewall capable of blocking those on every single machine, so you're talking about a software firewall on the OS. This of course would get cumbersome fast and rather impractical.

In cases like this, physical security would be better. Unused network ports are disabled at the switch and can only be enabled by a request to IT. MAC addresses are whitelisted and unknown MAC's found on the network send alerts to IT. As a policy, no outside machines may be connected to the corporate LAN, guest machines may be connected only inside a DMZ from the normal LAN.

IDS/IPS sensors could be placed at various places on the LAN looking for suspicious traffic. Anything noticed would be alerted to IT. This all goes to a layered security approach, there is no one solution.


Both make sense. Thanks. :)