Topic Report - Understanding Sniffers - Nguyen Chi Bao


TOPIC REPORT 4: UNDERSTANDING SNIFFERS

TABLE OF CONTENTS

CHAPTER I: SNIFFER THEORY
I. Basic concepts of sniffers
1.1 Some terminology
What is an Ethernet MAC address?
1.2 A brief overview of sniffers
1.3 How are sniffers used?
1.4 Classification of sniffing
II. Methods for detecting sniffers on a network
2.1 The ping method
2.2 The ARP method
2.3 The DNS method
2.4 The source-route method
2.5 The decoy method
2.6 The packet latency method
III. Methods for preventing sniffers on a network
3.1 Networks at risk of sniffing
3.2 Protocols at risk of sniffing
3.3 Preventing data sniffing
3.4 Preventing password sniffing
3.5 Preventing sniffing with hardware
CHAPTER II: LAB PRACTICE
CHAPTER III: SOME WAYS TO COUNTER SNIFFING IN A LAN
CHAPTER IV: REFERENCES
CHAPTER V: CONCLUSION

Nguyen Chi Bao - Student ID: 2985.52 - Class 52PM2


CHAPTER I: SNIFFER THEORY


I. Basic concepts of sniffers
1.1 Some terminology:
Ethernet: a high-capacity networking technology used in almost all LANs.
Wireless: wireless networking technologies.
Serial Direct Cable Connection: connecting two computers with a cable that carries data directly between them.
PPP (Point-to-Point Protocol): a reliable protocol for connecting to the Internet over a modem.
IP (Internet Protocol): the protocol that handles the actual transport of data; it is the basis for addressing and routing data across the Internet.
ICMP (Internet Control Message Protocol): handles status messages for IP, such as error reports and network changes that can affect routing.
ARP (Address Resolution Protocol): maps network (IP) addresses to the corresponding physical hardware addresses using broadcast messages; it is used to find the hardware address of a host whose IP address is already known.


RARP (Reverse Address Resolution Protocol): does the reverse of ARP, mapping a machine's hardware address to its IP address.
TCP (Transmission Control Protocol): a connection-oriented protocol and service; the sending and receiving hosts first establish a connection and can then exchange data reliably in both directions.
UDP (User Datagram Protocol): a connectionless protocol and service; the sending and receiving hosts do not communicate over a persistent connection.
Telnet: a remote login protocol; a user on one machine connects to another and works as if sitting at that machine.
FTP (File Transfer Protocol): transfers files from one machine to another over TCP.


SMTP (Simple Mail Transfer Protocol): used to send and receive electronic mail between machines.
DNS (Domain Name System): resolves computer names to numeric addresses.
There are many other application-layer (layer 7) protocols and services; for reasons of space only the basic ones are listed here.

What is an Ethernet MAC address?
A MAC (Media Access Control) address is a physical address that identifies a device, or a group of devices, in a LAN. It is used to identify devices so that layer-2 frames reach the right destination. A MAC address is 6 bytes long and is usually written in hexadecimal; Cisco devices write it as three groups of four hex digits, for example 0000.0C12.FFFF is a valid MAC address. To guarantee that a device's MAC address is unique, manufacturers burn the address into the device's ROM, and the manufacturer is identified by the first 3 bytes, the OUI (Organizationally Unique Identifier).
MAC addresses fall into three types:
- Unicast: an address that represents a single device.
- Multicast: an address that represents a group of devices in a LAN, used when an application wants to talk to a group of devices. A frame sent to a multicast address is received and processed by every device in the group, while the other devices on the network ignore it. A multicast address is recognised by the lowest bit of its first byte being set. IP also supports multicast: when an IP multicast packet is carried over a LAN, the multicast MAC address corresponding to the IP address has the form 0100.5Exx.xxxx.
- Broadcast: the address representing every device in the same LAN. A frame sent to the MAC address FFFF.FFFF.FFFF must be received and processed by every device in the LAN.
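The MAC address rules above, worked through in code. This is an added example and not part of the report: it parses the three common notations (Cisco dotted, colon, hyphen), classifies an address as unicast, multicast or broadcast from the I/G bit, extracts the OUI and the "locally administered" bit (set on software-assigned, e.g. spoofed, addresses), and derives the 0100.5Exx.xxxx MAC for an IPv4 multicast group using the RFC 1112 mapping (the low 23 bits of the group address). The sample addresses are the ones quoted in this section plus a few constructed ones.

```python
"""Parse Ethernet MAC addresses in the common notations, classify them and
derive the MAC address used for an IPv4 multicast group."""
import ipaddress
import re

# Sample values: the addresses quoted in the report plus constructed ones.
SAMPLE_MACS = ["0000.0C12.FFFF", "01:00:5e:01:02:03", "ff-ff-ff-ff-ff-ff",
               "00-40-05-A4-79-32", "02:00:00:00:00:01"]


def parse_mac(text: str) -> bytes:
    """Accept Cisco dotted (0000.0C12.FFFF), colon and hyphen notations; return 6 raw bytes."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes, style: str = "colon") -> str:
    """Render 6 bytes as 00:40:05:A4:79:32 (colon), 00-40-05-... (hyphen) or 0040.05A4.7932 (cisco)."""
    hexs = mac.hex().upper()
    if style == "cisco":
        return ".".join(hexs[i:i + 4] for i in range(0, 12, 4))
    sep = ":" if style == "colon" else "-"
    return sep.join(hexs[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac: bytes) -> str:
    """Unicast / multicast / broadcast. The I/G bit is bit 0 of the first byte;
    the all-ones address is the broadcast address (a special case of multicast)."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def oui(mac: bytes) -> str:
    """Organizationally Unique Identifier: the first three bytes, assigned to the vendor."""
    return format_mac(mac)[:8]


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of the first byte): set when the address was assigned by software,
    for instance a spoofed MAC, rather than burned into ROM by the manufacturer."""
    return bool(mac[0] & 0x02)


def ipv4_multicast_mac(group: str) -> bytes:
    """RFC 1112 mapping: prefix 01-00-5E followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")


if __name__ == "__main__":
    for text in SAMPLE_MACS:
        mac = parse_mac(text)
        print(f"{format_mac(mac, 'cisco'):>15}  {classify_mac(mac):9}  "
              f"OUI {oui(mac)}  locally administered={is_locally_administered(mac)}")
    # mDNS (224.0.0.251) maps to 01:00:5E:00:00:FB; SSDP (239.255.255.250) to 01:00:5E:7F:FF:FA
    for group in ("224.0.0.251", "239.255.255.250"):
        print(f"{group:16} -> {format_mac(ipv4_multicast_mac(group))}")
```

Because only 23 bits of the group address survive the mapping, 32 IPv4 multicast groups share each MAC address; a NIC that filters by multicast MAC therefore still passes some unwanted groups up to the IP layer, which is one reason the software filter is needed on top of the hardware one.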



1.2 A brief overview of sniffers:
Sniffer was originally the name of a Network Associates product, the Sniffer Network Analyzer. Today a sniffer is simply understood as a program that listens to the traffic passing over a network. Used legitimately, a sniffer is a tool with which network administrators monitor and maintain their networks. Used maliciously, it is a tool for eavesdropping on network traffic in order to steal the information passing through it; on a switched network such a sniffer relies on an ARP attack (see 2.2) to get the packets redirected through it so that it can capture them.
The traffic exchanged between computer systems is binary data. To eavesdrop on it and make sense of it, a sniffer therefore needs special features: protocol analysis and decoding of the binary data into a readable form.
On a network where the hosts share the same medium and protocols, you can run a sniffer on any host. The mode in which the network card hands every frame on the wire to the sniffer, whether or not the frame is addressed to that host, is called promiscuous mode.
Some well-known sniffer applications are dsniff, Snort, Cain & Abel, ettercap and Sniffer Pro.



1.3 How are sniffers used?
Sniffers are generally used for two purposes:
- as a tool that helps network administrators monitor and maintain their network;
- as a program installed on a network with the aim of spying on and eavesdropping on the traffic of that segment.
Conditions under which sniffing can occur: sniffing can take place on a LAN, a WAN or a WLAN. The condition to keep in mind is that the sniffing host must be on the same subnet (the same subnet mask) as its targets. In addition, a tool is needed to capture and analyse the packets.
Some capabilities of sniffers:
- Attackers use them to capture usernames and clear-text passwords travelling across your network.
- They let administrators follow the data on the wire, and read and understand what it means.
- They let administrators monitor the traffic of their system, from which the administrator can analyse faults occurring in the network's traffic, for example why packets from machine A cannot reach machine B.
- Some sniffer tools can also automatically detect and raise alerts about attacks being carried out against the network they run on (an Intrusion Detection System).
- Sniffers record information about packets and sessions for later analysis and troubleshooting of network problems.



1.4 Classification of sniffing: sniffing is divided into two kinds, Passive Sniffing and Active Sniffing.

a- Passive Sniffing


It is called passive sniffing because the attacker sits passively on the LAN, waiting for packets to be sent and capturing them. This is effective for silently collecting data from a LAN.
- Environment: mainly networks without packet-switching devices. Today these are chiefly networks built on hubs, and wireless networks.
- Mechanism: because there is no switching device, a hub repeats every frame to every port, so a host can capture frames even though it is not their destination (on a wireless network the radio medium is shared in the same way).
- Characteristic: because the sniffing host only listens and sends nothing extra, this form of sniffing is very hard to detect.
Passive sniffing is carried out through a hub.

b- Active Sniffing



- Environment: mainly networks with packet-switching devices; today mostly networks built on switches.
- Mechanism: most commonly it abuses ARP and RARP (the two mechanisms that translate IP to MAC and MAC to IP) by sending forged packets, specifically packets that tell the sending host "I am the recipient" even though the attacker is not.
- Characteristic: because packets have to be sent, it consumes bandwidth. If too much sniffing goes on in a network, the number of packets sent becomes very large (the forged packets must be sent continuously) and can congest the network or overload the NIC of the sniffing machine itself (a bottleneck).
- Sniffers also use a number of other techniques to force data through their own NIC:
- MAC flooding: filling the switch's MAC (CAM) table so that the switch falls back to forwarding every frame out of every port, like a hub, instead of switching.
- MAC spoofing: the sniffer changes its MAC address to that of a legitimate machine to get past the device's MAC filtering.
- DHCP spoofing: answering DHCP requests with forged settings that change the client's gateway.

II. Methods for detecting sniffers on a network


In theory it is very hard to detect the presence of sniffer programs on a system: they only capture and try to read packets, and they cause no noticeable disturbance or loss of packets on the wire. In practice, however, there are several ways to detect them. A sniffer running in isolation on a machine that does not communicate leaves no trace. But when it is installed on a machine that does communicate with others, the sniffer itself generates traffic: for instance, you can watch for reverse DNS lookups that try to find names for the IP addresses it sees. The following are some methods of detecting sniffers.



2.1 The ping method:
Most sniffer programs installed on machines in the network use the TCP/IP stack, so when you send a request to such a machine it sends a reply. Send an echo request to the IP address of the machine you want to check for a sniffer, but addressed so that it should not pass through that machine's Ethernet adapter. Concretely:
1. You suspect that the machine with IP address 10.0.0.1 and MAC address 00-40-05-A4-79-32 has a sniffer installed.
2. You are on the same Ethernet segment as the suspected sniffer.
3. You build a ping whose destination MAC address is 00-40-05-A4-79-33, one off from the real one, while the destination IP address stays 10.0.0.1.
4. You send the ping to that IP address and the wrong MAC address.
5. In principle no machine should see this packet, because an Ethernet adapter only accepts frames carrying its own MAC address (or broadcast and multicast addresses).
6. If you receive a reply from the suspected address, the MAC address filter on its Ethernet card is not in effect: the machine with IP address 10.0.0.1 has a sniffer and its card is in promiscuous mode.
With their own techniques attackers can still evade this method, by having the sniffing host's software discard frames that are not addressed to its real MAC. Many systems, Windows included, implement that MAC filtering only partially: Windows compares only the first byte, so a destination MAC address of the form FF-00-00-00-00-00 is simply treated as FF-FF-FF-FF-FF-FF. This inconsistency is a hole that can in turn be used to probe such a system. This simple detection technique is usually described for Ethernet networks built on switches and bridges; note that on a switch the frame with the wrong destination MAC only reaches the suspect's port if the switch floods it as an unknown unicast destination.
2.2 The ARP method: ARP is also the main mechanism attackers use to sniff a switched network.



This detection method is similar to the ping method, except that ARP packets are used: an ARP request for the suspect's IP address is sent in a frame with a wrong destination MAC, and only a host that reads frames not addressed to it will answer. ARP is also the basis of a very dangerous form of attack called Man In The Middle. In this case, much like a tapped telephone line, the session between sender and receiver proceeds normally, so the user has no idea they are being attacked.
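A model of the probe from 2.1 and its ARP variant described here, written as an added example (it is not from the report and sends no real packets): a Host has a hardware filter (its own MAC or broadcast, or everything when promiscuous) and a software filter in its stack, and a probe wraps a request for the host's IP in a frame with a wrong destination MAC. The three stack behaviours modelled ("none", "exact", "first-byte") are an assumption used to illustrate the report's description of the evasion and of the Windows first-byte quirk; real stacks vary. The prober's addresses and the symbolic "echo-request"/"arp-request" kinds are constructed for the demonstration.

```python
"""Model of the promiscuous-mode probe from 2.1/2.2: a request for the suspect's IP
is carried in an Ethernet frame whose destination MAC is wrong. A NIC that is not in
promiscuous mode drops that frame in hardware, so any answer shows the host is
reading frames not addressed to it."""
from dataclasses import dataclass, field

BROADCAST = bytes(6 * [0xFF])


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    src_ip: str
    dst_ip: str
    kind: str   # "echo-request", "arp-request" or the matching "-reply" (symbolic, not real encodings)


@dataclass
class Host:
    ip: str
    mac: bytes
    promiscuous: bool = False
    # What the IP/ARP stack does with a frame the NIC passed up whose destination MAC is not ours.
    # "none": answer anyway (the behaviour the probe relies on);
    # "exact": re-check the MAC in software (evades the probe);
    # "first-byte": the Windows check described in the report, only byte 0 compared with 0xFF.
    stack_filter: str = "none"
    seen: list = field(default_factory=list)

    def nic_accepts(self, frame: Frame) -> bool:
        """Hardware filter: own unicast address or broadcast, or everything when promiscuous."""
        if self.promiscuous:
            return True
        return frame.dst_mac in (self.mac, BROADCAST)

    def stack_accepts(self, frame: Frame) -> bool:
        if frame.dst_mac == self.mac or self.stack_filter == "none":
            return True
        if self.stack_filter == "first-byte":
            return frame.dst_mac[0] == 0xFF
        return frame.dst_mac == BROADCAST

    def receive(self, frame: Frame):
        """Return the reply frame this host would send, or None."""
        if not self.nic_accepts(frame):
            return None
        self.seen.append(frame)            # a sniffer would log and decode the frame here
        if frame.dst_ip != self.ip or not frame.kind.endswith("-request"):
            return None
        if not self.stack_accepts(frame):
            return None
        reply_kind = frame.kind.replace("-request", "-reply")
        return Frame(frame.src_mac, self.mac, self.ip, frame.src_ip, reply_kind)


PROBER_IP, PROBER_MAC = "10.0.0.99", mac_bytes("00-11-22-33-44-55")   # constructed prober


def probe(target: Host, bogus_dst: bytes, kind: str = "echo-request") -> bool:
    """True if the target answered a request that arrived in a mis-addressed frame."""
    reply = target.receive(Frame(bogus_dst, PROBER_MAC, PROBER_IP, target.ip, kind))
    return reply is not None and reply.dst_mac == PROBER_MAC


def sniffer_suspected(target: Host) -> bool:
    """Two probes: the suspect's real MAC with the last byte +1 (as in the report's example),
    then FF-00-00-00-00-00 in an ARP request, which catches stacks that only compare byte 0."""
    off_by_one = target.mac[:5] + bytes([(target.mac[5] + 1) & 0xFF])
    return probe(target, off_by_one) or probe(target, mac_bytes("ff-00-00-00-00-00"), "arp-request")


if __name__ == "__main__":
    suspect_mac = mac_bytes("00-40-05-A4-79-32")
    for label, host in [
        ("normal NIC", Host("10.0.0.1", suspect_mac)),
        ("promiscuous, no software filter", Host("10.0.0.1", suspect_mac, True)),
        ("promiscuous, exact software filter", Host("10.0.0.1", suspect_mac, True, "exact")),
        ("promiscuous, first-byte filter", Host("10.0.0.1", suspect_mac, True, "first-byte")),
    ]:
        print(f"{label:36} suspected={sniffer_suspected(host)!s:5} frames seen={len(host.seen)}")
```

The exact-filter case is why the test is not conclusive: a promiscuous host still sees every probe (its seen list grows) but gives no answer, so a negative result only rules out careless sniffers.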

Outline of the process: on the same network, Host A and Host B want to exchange data. Their packets are passed down to the data-link layer to be encapsulated, and each host has to put the source MAC and the destination MAC into the frame. So before data can be transferred, the hosts have to ask each other for their MAC addresses. If Host A starts the lookup, it broadcasts an ARP request to every host asking for Host B's MAC; Host B now has Host A's MAC, and Host B alone replies to Host A with its own MAC (an ARP reply). Now a Host C continuously sends ARP replies to Host A and Host B that carry Host C's MAC address but claim the IP address of Host B and of Host A respectively. Host A then believes that Host B's MAC is C's, so the packets Host A sends to Host B are delivered to Host C, and the packets Host B sends back to Host A are delivered to Host C as well. If Host C has forwarding enabled, Host A and Host B never notice that they are under an ARP attack.
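The exchange just described, simulated in code as an added example (not part of the report): a broadcast LAN, a normal request/reply resolution between HostA and the victim, then an attacker flooding forged replies so HostA's cache points the victim's IP at the attacker's MAC, and the attacker relaying what it intercepts so neither side notices. The Lan and Host classes are a constructed model; the addresses are the ones used in the numbered example later in this section. A second run shows the effect of a static cache entry, the countermeasure Chapter III applies with arp -s: the forged replies are ignored and the attacker intercepts nothing.

```python
"""Simulation of the ARP cache poisoning described in 2.2: three hosts on one broadcast
LAN and an attacker that sends forged ARP replies so HostA maps the victim's IP address
to the attacker's MAC. The Lan/Host model is constructed for this demonstration."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str    # BROADCAST for a request


class Lan:
    """Shared medium: ARP is seen by every NIC, data frames only by the matching MAC."""
    def __init__(self):
        self.hosts = []

    def send_arp(self, pkt):
        for h in list(self.hosts):
            if pkt.target_mac in (BROADCAST, h.mac):
                h.handle_arp(pkt)

    def send_frame(self, dst_mac, src_ip, data):
        for h in self.hosts:
            if h.mac == dst_mac:
                h.delivered.append((src_ip, data))


class Host:
    def __init__(self, name, ip, mac, lan):
        self.name, self.ip, self.mac, self.lan = name, ip, mac, lan
        self.arp_cache = {}     # ip -> mac
        self.static = set()     # IPs pinned with the equivalent of 'arp -s'
        self.delivered = []     # (src_ip, data) frames that reached this NIC
        lan.hosts.append(self)

    def pin(self, ip, mac):
        """Static entry: later ARP replies for this IP are ignored (Chapter III countermeasure)."""
        self.arp_cache[ip] = mac
        self.static.add(ip)

    def learn(self, ip, mac):
        if ip not in self.static:
            self.arp_cache[ip] = mac

    def handle_arp(self, pkt):
        if pkt.op == "request" and pkt.target_ip == self.ip:
            self.learn(pkt.sender_ip, pkt.sender_mac)
            self.lan.send_arp(ArpPacket("reply", self.ip, self.mac, pkt.sender_ip, pkt.sender_mac))
        elif pkt.op == "reply" and pkt.target_mac == self.mac:
            # The weakness: an unsolicited reply overwrites the cache with no pending request.
            self.learn(pkt.sender_ip, pkt.sender_mac)

    def resolve(self, ip):
        if ip not in self.arp_cache:
            self.lan.send_arp(ArpPacket("request", self.ip, self.mac, ip, BROADCAST))
        return self.arp_cache[ip]

    def send(self, dst_ip, data):
        self.lan.send_frame(self.resolve(dst_ip), self.ip, data)


def poisoning_scenario(hosta_pins_victim=False):
    """Run the exchange from the report; return what each party ended up with."""
    lan = Lan()
    attacker = Host("Attacker", "10.0.0.11", "00:00:00:00:10:11", lan)
    victim = Host("Victim", "10.0.0.12", "00:00:00:00:10:12", lan)
    hosta = Host("HostA", "10.0.0.13", "00:00:00:00:10:13", lan)
    if hosta_pins_victim:
        hosta.pin(victim.ip, victim.mac)
    hosta.send(victim.ip, "hello")            # normal broadcast request / unicast reply
    # Attacker keeps sending "10.0.0.12 is at <attacker MAC>" replies addressed to HostA.
    for _ in range(3):
        lan.send_arp(ArpPacket("reply", victim.ip, attacker.mac, hosta.ip, hosta.mac))
    hosta.send(victim.ip, "secret")           # goes wherever HostA's cache now points
    # Forwarding: the attacker relays what it intercepted so nobody sees a broken session.
    for src_ip, data in list(attacker.delivered):
        lan.send_frame(victim.mac, src_ip, data)
    return {"hosta_cache": dict(hosta.arp_cache),
            "attacker_got": list(attacker.delivered),
            "victim_got": list(victim.delivered)}


if __name__ == "__main__":
    for pinned in (False, True):
        print("static entry on HostA:" if pinned else "no protection:", poisoning_scenario(pinned))
```

In both runs the victim receives "hello" and "secret", which is the point of the forwarding step; only the attacker's capture list and HostA's cache reveal the difference.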

[Figure: Host C sitting between Host A and Host B, poisoning the ARP caches of both]


Example: the model has the following hosts:
Attacker: the hacker's machine used for the ARP attack. IP: 10.0.0.11, MAC: 0000.0000.1011
Victim: the attacked machine. IP: 10.0.0.12, MAC: 0000.0000.1012
HostA: IP: 10.0.0.13, MAC: 0000.0000.1013
- First, HostA wants to send data to Victim, so it needs Victim's MAC address. HostA broadcasts an ARP Request to every machine in the LAN asking which MAC address belongs to IP 10.0.0.12 (Victim's IP).
- Both Attacker and Victim receive the ARP Request, but only Victim sends an ARP Reply back to HostA. The ARP Reply contains Victim's IP 10.0.0.12 and MAC 0000.0000.1012.
- HostA receives the ARP Reply from Victim, learns that Victim's MAC is 0000.0000.1012 and starts sending data to Victim. Attacker cannot see the data exchanged between HostA and Victim.
Now Attacker wants to carry out an ARP attack against Victim: Attacker wants to capture and read every packet HostA sends to Victim.
- Attacker continuously sends ARP Replies containing Victim's IP 10.0.0.12 but Attacker's own MAC address 0000.0000.1011.
- HostA receives these ARP Replies and believes that IP 10.0.0.12 (Victim) has MAC address 0000.0000.1011. HostA stores this in its ARP cache and uses it for its connections.


- From now on, all data HostA sends to IP 10.0.0.12 (Victim) goes to MAC address 0000.0000.1011, the Attacker's machine.
2.3 The DNS method:
Many sniffer programs reverse-resolve the IP addresses they see into DNS names (dsniff, for example). By observing DNS traffic you can therefore detect a sniffer in promiscuous mode. To apply this method, watch the reverse lookups arriving at your DNS server, then ping a series of IP addresses that do not exist on your network. Any host that subsequently tries to reverse-resolve those IP addresses, which it can only have learned from packets (or ARP traffic) not addressed to it, is running a sniffer.
2.4 The source-route method:
This method uses the source and destination address information in the IP header to detect sniffing on a network segment. Ping from one machine to another, but route the ping through a third host on which IP forwarding (routing) has been disabled, so that the packet cannot normally reach its destination. If you still see a reply, a sniffer is installed on your network. To use this method you need the loose source-route option in the IP header: routers ignore the final IP address and forward the packet to the next address listed in the source-route option. A concrete example:
- Bob and Anna are on the same segment. Someone else on that segment sends Anna an IP packet and asks her to pass it on to Bob. Anna is not a router, so she drops every IP packet that the other machine wants delivered to


Bob (because she cannot do that job). The IP packet is never delivered to Bob, yet he answers it anyway. That is impossible unless he is running a sniffer and picked the packet up off the wire.
2.5 The decoy method:
Similar to the ARP method, but usable on a much larger scale (almost anywhere). Many protocols send passwords unencrypted over the wire, and attackers value those passwords highly; this decoy method takes advantage of that. Simply simulate clients that use services whose passwords are not encrypted, such as POP, FTP, Telnet or IMAP. You can configure these with accounts that have no privileges, or even accounts that do not exist. Once a sniffer has captured this supposedly valuable information, the attacker will try to verify, use and exploit it, and that login attempt against the decoy account reveals them. What you do next is up to you.
2.6 The packet latency method:
This method generates a great deal of traffic on your network: you send a large amount of data to the machine you suspect of running a sniffer. If the machine has nothing installed there is no noticeable effect. Ping the suspected machine before and during the load and compare the response times; a host in promiscuous mode has to process every packet on the wire, so its response time rises under load. This method is not very reliable, however: IP packets on the wire suffer delay and loss anyway, and a sniffer running in user mode, scheduled by the CPU like any other process, can also produce inaccurate results.

III. Methods for preventing sniffers on a network


3.1 Networks at risk of sniffing:
- Cable modem
- DSL
- ADSL
- Switched networks
- Wireless networks such as IEEE 802.11 (a.k.a. AirPort)

3.2 Protocols at risk of sniffing:
- Telnet, Rlogin: keystrokes, including the username and password, are sent in clear text
- SNMP: passwords (community strings) and data are sent in clear text
- NNTP: passwords and data are sent in clear text
- POP, IMAP, SMTP: passwords and data are sent in clear text
- FTP: passwords and data are sent in clear text
- HTTP: data is sent in clear text, including form logins and Basic authentication headers
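What "sent in clear text" means for an attacker, shown as an added example that is not from the report: a small credential harvester run over captured client-to-server payloads for FTP, POP3 and HTTP. The streams are constructed for the demonstration (made-up accounts and hosts; the nhaccuatui.com host name is the site used in the lab), and in practice they would be TCP streams reassembled from a capture. It shows why the Passwords tab of a tool like Cain needs no cryptanalysis: FTP and POP3 send USER/PASS as plain commands, HTTP Basic authentication is only base64, and form logins are URL-encoded in the request body.

```python
"""Extract credentials from captured application-layer payloads of the clear-text
protocols listed in 3.2. The streams below are constructed for the demonstration."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed client->server payloads, one per TCP stream. Accounts and hosts are made up.
CAPTURED_STREAMS = [
    ("ftp", "USER alice\r\nPASS s3cret\r\nSYST\r\nQUIT\r\n"),
    ("pop3", "USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    ("http", "GET /admin/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
             "Authorization: Basic Y2Fyb2w6bGV0bWVpbg==\r\n\r\n"),
    ("http", "POST /login HTTP/1.1\r\nHost: nhaccuatui.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
             "username=dave&password=Pa%24%24w0rd"),
    ("http", "GET /public HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),   # nothing to harvest
]

USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def user_pass_commands(proto, payload):
    """FTP and POP3 log in with two clear-text commands, USER followed by PASS."""
    found, user = [], None
    for line in payload.split("\r\n"):
        m = re.match(r"(?i)^(USER|PASS)\s+(\S.*)$", line)
        if not m:
            continue
        if m.group(1).upper() == "USER":
            user = m.group(2)
        elif user is not None:
            found.append((proto, user, m.group(2)))
            user = None
    return found


def http_credentials(payload):
    """HTTP Basic auth is just base64; form logins are URL-encoded in the body."""
    head, _, body = payload.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n"):
        m = re.match(r"(?i)^Authorization:\s*Basic\s+(\S+)", line)
        if m:
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode().partition(":")
                found.append(("http-basic", user, pw))
            except (binascii.Error, UnicodeDecodeError):
                pass            # malformed header, not a credential
    if body and "application/x-www-form-urlencoded" in head.lower():
        form = parse_qs(body)
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        pw = next((form[k][0] for k in PASS_FIELDS if k in form), None)
        if user and pw:
            found.append(("http-form", user, pw))
    return found


def harvest(streams):
    """Run the right extractor per protocol; returns (protocol, user, password) tuples."""
    results = []
    for proto, payload in streams:
        if proto in ("ftp", "pop3"):
            results.extend(user_pass_commands(proto, payload))
        elif proto == "http":
            results.extend(http_credentials(payload))
    return results


if __name__ == "__main__":
    for proto, user, pw in harvest(CAPTURED_STREAMS):
        print(f"{proto:11} {user!r:22} {pw!r}")
```

The same payloads carried inside TLS (HTTPS, FTPS, POP3S) or an SSH tunnel are opaque to this kind of extractor, which is the whole argument of section 3.3.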

3.3 Preventing data sniffing:
Probably the simplest way to stop those who want to sniff data is to use standard encryption protocols for data on the wire. When the data is encrypted, attackers can still sniff it, but they cannot read it.
SSL (Secure Socket Layer): an encryption protocol supported by most web servers and common web browsers. SSL is used to encrypt sensitive information sent over the wire, such as customers' credit card numbers, passwords and other important data.
PGP and S/MIME: e-mail can also be sniffed by attackers. When they sniff an unencrypted e-mail, they learn not only its content but also information such as the sender's and recipient's addresses. So to keep e-mail safe and private you also need to encrypt it. S/MIME is built into most mail clients of the day, such as Netscape Messenger and Outlook Express. PGP is another protocol used to encrypt e-mail; it supports DSA and RSA keys of up to 2048 bits.
OpenSSH: when you use Telnet or FTP, these two standard protocols provide no encryption of data on the wire. Particularly dangerous is that they do not encrypt the password: they send it over the wire as clear text. Consider what happens if that sensitive data is sniffed. OpenSSH is a protocol suite created to overcome this weakness: SSH (a replacement for Telnet) and SFTP (a replacement for FTP).
VPNs (Virtual Private Networks): used to encrypt data as it travels across the Internet. However, if an attacker can compromise one of the nodes of a VPN connection, they can still sniff. A simple example: an Internet user browsing the web gets infected with a RAT (Remote Access Trojan), and this kind of Trojan usually ships with a sniffer plug-in. When the careless user later sets up a VPN connection, the sniffer plug-in in the Trojan goes to work and reads the data before it is encrypted and put into the VPN. To defend against attacks of this kind you need to raise the security awareness of the users of your VPN, and use anti-virus software to detect Trojans and keep the systems from becoming infected.
3.4 Preventing password sniffing:
To stop attackers from sniffing passwords, use protocols and methods that encrypt passwords and, at the same time, a secure authentication solution:
SMB/CIFS: in Windows/Samba environments, turn off the weak LAN Manager authentication responses and require NTLMv2 or Kerberos, so that password material never crosses the wire in an easily cracked form.



Kerberos: a secure authentication solution used on Unix as well as Windows.
Stanford SRP (Secure Remote Password): overcomes the lack of password encryption in the FTP and Telnet protocols on Unix.
3.5 Preventing sniffing with hardware:
Replacing your hubs with switches gives somewhat more effective protection: a switch only sends each frame to the port of its destination MAC address, so it keeps an attacker from simply listening, and it can be configured to drop spoofed ARP packets. However, attackers still have clever ways around this defence. ARP requests carry the correct IP-to-MAC information of the sender, and to reduce ARP traffic most machines cache and reuse the information they learn from these broadcasts. An attacker can therefore redirect the machines near them around the switch's protection by sending ARP packets that bind the router's IP address to the attacker's own MAC address. Every machine on the local network then mistakes the attacker for the router and sends its sessions through the attacker's machine. A similar DoS attack on a local network, when successful, knocks the target off the network, after which the attacker starts using the IP address of the machine that was just attacked, cleverly inheriting and using its connections. Windows itself, when it notices this, does nothing: it silently resets its own TCP/IP stack and allows the connection to continue. To defend against attacks of this kind, use IDS tools (Intrusion Detection Systems); an IDS such as BlackICE or Snort automatically detects and reports attacks of this type.


Most Ethernet adapters allow the MAC address to be configured by hand, so an attacker can produce spoofed MAC addresses that impersonate the addresses of other adapters. To counter this, most managed switches can be configured (port security) to accept only the MAC addresses registered for a port, so a reconfigured MAC address is rejected.

CHAPTER II: LAB PRACTICE


PREPARATION FOR THE LAB
Two PC systems are used, as virtual machines in VMware Workstation. The lab model is as follows: the Attacker machine and the Victim machine both run Windows XP Professional SP2. The two machines are on the same network, 192.168.1.x, and reach the Internet through a Linksys A300 router with IP address 192.168.1.1. (The screenshots later in the lab show the VMware network 192.168.119.x instead, with the gateway at 192.168.119.1 and the attacker at 192.168.119.128; the procedure is the same.)



Sniffing tools used
- Cain & Abel v4.9.8: a graphical Windows tool used here for sniffing; it sniffs a switched LAN by poisoning the ARP caches of the machines in it (its APR feature). The description the report gives of a tool that monitors the computer's ARP cache, sends periodic requests and reports changes in the mapping between IP and MAC addresses, and can therefore detect ARP poisoning in a LAN, is that of the counterpart tool XArp, a free program that runs on Windows 2000 or Windows XP. The version numbers quoted by the report are 4.9.8 for the lab and 4.9.39 as the latest release, which supports Windows 7.

PROCEDURE


Step 1: Installation
Install the sniffing tool Cain & Abel. During installation Cain also needs the supporting WinPcap packet-capture driver in order to sniff on the network.
- Run the Cain & Abel installer and click Next through the wizard.
- As mentioned above, sniffing requires WinPcap, so when the wizard offers it choose Install.
- Click OK and then Next; click OK to start installing WinPcap 4.02.
- Choose I Agree to accept the licence; the WinPcap installation runs.
- Click Finish to complete the installation.
Step 2: Configuring the settings to begin sniffing
With the installation complete, we configure Cain so that it can start sniffing. The example below shows how to sniff an account (username and password) as the victim logs in to a website; the report's original plan names a Gmail account, while the capture shown further on uses the music site nhaccuatui.com.
Step 2.1: On the Attacker machine, run Cain & Abel.


(Main window of Cain & Abel)

Select the Sniffer tab.

Click Configure to set up the network interface used for sniffing. Here we choose the network card to sniff on and the APR (ARP Poison Routing) feature; the check boxes enable or disable each feature. The sniffer is compatible with WinPcap version 2.3 or higher, which supports a wide range of network cards. In this lab the sniffing machine is 192.168.119.128.

ARP tab:
- This is where ARP spoofing is configured. By default Cain sends a burst of spoofed ARP packets to the victim every 30 seconds. This matters because poisoning the device too aggressively can disrupt the victim's traffic. From this dialog you can set the interval between ARP bursts: a shorter interval creates more ARP traffic, a longer one makes the poisoning less reliable.
- In this section, pay attention to the Spoofing Options:
+ The first option uses the real MAC and IP address of the machine we are on.
+ The second option uses a spoofed IP and MAC address (the address chosen must not collide with the IP of another machine).
Filters and Ports tab:
- Clicking the Filters and Ports tab shows a list of protocols and the port numbers associated with each. Here you can enable or disable each TCP/UDP application port.

After choosing the settings, click Apply and then OK, then click the Start Sniffer icon (as shown in the figure).

Click Start ARP, then Add to List (the + sign). A MAC Address Scanner dialog appears; choose All hosts in my subnet and click OK.

This scans the whole network we want to sniff; the result is the list of machines present in the network.

Next, select the ARP tab (the APR pane) at the bottom of the window.

Click in the upper-right pane, then click Add to List (the + sign).

Select the router address 192.168.119.1 on the left; on the right, select all the hosts and click OK. Click Start ARP.

On the Victim machine (the sniffing target):

Open the site http://nhaccuatui.com and log in.

After logging in to the music site, switch to the Attacker machine, open the Passwords tab and choose the HTTP section.

It lists the information the victim just used to log in.

The result of the sniffing is that we obtained the victim's username and password for the website. The sniffing is complete, and the victim's information has been stolen.

CHAPTER III: SOME WAYS TO COUNTER SNIFFING IN A LAN
Today, when users access web services that require logging in with an ID, such as mail or forum accounts, the possibility that someone in the LAN or wireless LAN uses a program such as Cain & Abel, Wireshark or Ethereal to capture the traffic, and the ID leaks as a result, is something that gives many people headaches. The following measures reduce the problem to some extent.
First: programs of this kind first have to scan the IP addresses on the network, and only once the attacker has the IPs does the sniffing begin. So the first measure is to disable NetBIOS names in order to hinder these programs' discovery of IP addresses. (This only hides name information: Cain's MAC Address Scanner enumerates hosts with ARP, which cannot be switched off, so treat this as a minor obstacle rather than protection.)


Second: mechanically, these programs work by altering the ARP table, attacking in the "Man in the Middle" fashion. The remedy is to lock the ARP table with static ARP entries; this can be done on each client, or configured directly on the router. To protect yourself you can lock the ARP entries on your own machine to avoid being sniffed. To prevent sniffing in a LAN, then, the ARP table of each client is made static, or the protection is configured on the router, so that the network is protected. The steps are as follows:
Step 1: Open a command prompt on Windows (Start -> Run -> type cmd -> Enter, or Windows + R).
Step 2: In the command prompt, inspect the ARP table with the command: arp -a
The result looks like this:


In the Type column of the figure we see that the ARP entries for the machines in the LAN are all dynamic. To lock them so that their information cannot be changed, we switch them to static.
Step 3: Lock an ARP entry with the command: arp -s [IP address of the machine whose ARP entry is to be locked] [MAC address of that machine]
For example: arp -s 192.168.1.33 00-26-18-b7-22-db


Step 4: Check the ARP table again; the entry for the machine with IP address 192.168.1.33 has now changed to static. (On newer versions of Windows the equivalent command is netsh interface ipv4 add neighbors. Note also that a static entry on the client only protects this machine's view of the gateway: the gateway's own ARP cache can still be poisoned, so traffic returning to you can still be intercepted.)
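The check in Steps 2 to 4, automated as an added example that is not part of the report: it parses the output of a Windows arp -a command, flags a unicast MAC that appears under more than one IP address (the signature left by the poisoning in Chapter II, where the attacker's MAC shows up under the router's IP as well as its own), and compares the gateway entry against a known-good MAC to produce the arp -s command that pins it. The arp -a text and the TRUSTED table are constructed for the demonstration; the trusted gateway MAC is assumed to have been recorded earlier from the router itself.

```python
"""Audit a Windows ARP table as printed by 'arp -a': flag one MAC claiming several IP
addresses and produce the 'arp -s' commands that pin trusted hosts to a known-good MAC."""
import re

# Constructed 'arp -a' output. The router (.1) and the machine at .33 show the same
# physical address: .33 has poisoned this host's cache with the gateway's IP.
SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-26-18-b7-22-db     dynamic
  192.168.1.33          00-26-18-b7-22-db     dynamic
  192.168.1.40          00-1c-c0-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed known-good gateway MAC, recorded earlier from the router itself.
TRUSTED = {"192.168.1.1": "00-1a-2b-3c-4d-5e"}

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_a(text):
    """Return one dict per entry: interface, ip, mac (lower-case), type."""
    entries, iface = [], None
    for line in text.splitlines():
        m = re.match(r"^Interface:\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"iface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(), "type": m.group(3).lower()})
    return entries


def is_unicast(mac):
    """Multicast and broadcast MACs have the low bit of the first byte set; skip those."""
    return not int(mac[:2], 16) & 1


def shared_macs(entries):
    """{mac: [ip, ...]} for unicast MACs that appear under more than one IP address."""
    by_mac = {}
    for e in entries:
        if is_unicast(e["mac"]):
            by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def audit(entries, trusted):
    """For each trusted IP: a status in {'pinned', 'dynamic', 'poisoned', 'missing'} and the
    'arp -s' command that pins it to the known-good MAC."""
    by_ip = {e["ip"]: e for e in entries}
    report = {}
    for ip, good_mac in trusted.items():
        entry = by_ip.get(ip)
        if entry is None:
            status = "missing"
        elif entry["mac"] != good_mac.lower():
            status = "poisoned"
        elif entry["type"] == "static":
            status = "pinned"
        else:
            status = "dynamic"
        report[ip] = (status, f"arp -s {ip} {good_mac.lower()}")
    return report


if __name__ == "__main__":
    table = parse_arp_a(SAMPLE_ARP_A)
    for mac, ips in shared_macs(table).items():
        print(f"WARNING: {mac} is claimed by {', '.join(ips)}")
    for ip, (status, cmd) in audit(table, TRUSTED).items():
        print(f"{ip}: {status:9} -> {cmd}")
```

Run on the sample table it reports the shared MAC and marks the gateway entry as poisoned; the arp -s line it prints is what Step 3 types by hand. A genuine second IP on the same adapter (an alias) also shows up as a shared MAC, so the warning is a prompt to look, not proof on its own.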

However, this is only a mitigation, not something that makes you completely safe. You also need to know how to tell that you are being poisoned, and the most effective tool for that is the web browser (here IE 7). Below is the warning the browser shows when somebody in the network deliberately uses Cain & Abel. Cain & Abel alters, or rather forges, the certificates it presents to its victims. When such a certificate is checked against the certificate authorities Windows trusts by default, Windows immediately notices that the certificate received from Cain & Abel does not check out, and IE shows a warning as soon as you log in to a site that uses HTTPS. Sniffing software forges the certificates of mail servers or web servers in order to steal information, but all of this is detected by Internet Explorer, which blocks the page and asks the user what to do.


This is a very clear warning, yet ordinary users pay no attention to it and of course blithely click "Continue to this website". IE then shows another message, in the address bar, asking the user to check the certificate by viewing it once more before typing a username and password. If the user still carelessly ignores it and types in the username and password, they have effectively handed them to the hacker.


If you receive a warning like the one above from Internet Explorer (when visiting Gmail you know the certificate is normally fine, so a warning there means something is wrong), I advise choosing "Click here to close this webpage" to make sure your account and password information stays safe. It also means that in the LAN you use to access the Internet there is a hacker sitting and waiting to find your password. I hope this write-up contributes some experience that helps you reduce the dangers of using Internet services in an environment with many users, and helps you understand that your bank, e-mail and website administration accounts and passwords can be stolen very easily, at any time.


CHAPTER IV: REFERENCES


1. CEH v6 course materials
2. Athena network administration course materials
3. Knowledge from the HVAonline forum
4. Google.com


CHAPTER V: CONCLUSION
I sincerely thank my lecturer NGUYN H DNG for the enthusiastic and dedicated guidance that helped me complete this topic report 4. The report truly let me learn more thoroughly about the basic requirements of security and information safety in today's computer networks, about the importance of security, and about the attack methods hackers use, so as to be able to warn about, prevent and respond to attacks. The work for this report was carried out only on virtual machines and so may not match reality closely; mistakes and superficial treatment could not be avoided. I hope the lecturer will give feedback so that we can improve our administration skills and gain more experience in network programming, network operation, and the safety and security of information on computer networks. I very much hope for the lecturer's sincere feedback so that I can study safe and secure information systems more deeply.

Sincere thanks, teacher! Hanoi, March 2011. Student: Nguyen Chi Bao
