All posts by Ramesh Jha

What is sniffing|sniffers?

Sniffing is the simple process of using a network interface card (NIC) to receive and monitor data that is not intended for that machine. The device or software that does the sniffing is known as a sniffer or, more simply, a network analyzer. Sniffing programs are very useful for gathering sensitive information such as telnet usernames and passwords, FTP usernames and passwords, credit card numbers, bank account details, and so on. Hence sniffing techniques are widely used by attackers and hackers to monitor the key information they are interested in. In a network, every NIC (Network Interface Card) has a unique MAC (Media Access Control) address. In general a NIC responds only to those frames that carry its own MAC address or the broadcast address in the destination field. Network interface cards also support a mode known as promiscuous mode, in which the card receives all data packets and traffic that travel across the network segment. In promiscuous mode the NIC generates a hardware interrupt to the CPU for every frame it encounters (instead of only for the frames addressed to its MAC address or the broadcast address). So the sniffer puts the NIC into promiscuous mode and captures/monitors the data packets travelling around the network by passing all the traffic to the operating system's TCP/IP stack. This is also why a sniffer or network analyzer is helpful in troubleshooting networks and is used by network administrators.
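As an added example (not code from the original post): a small Python check for the promiscuous mode described above, run either over `ip link show` output (a constructed sample is embedded below) or over the flags word in /sys/class/net/<if>/flags on a Linux host. It only sees interfaces on the machine it runs on; it cannot detect a sniffer elsewhere on the segment.

```python
import pathlib
import re

# IFF_PROMISC bit of the Linux interface flags word (include/uapi/linux/if.h)
IFF_PROMISC = 0x100

# Constructed sample of `ip link show` output; not captured from a real host
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:4e:66:a1 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 3c:a9:f4:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <FLAG,FLAG,...>" -> interface name and its comma-separated flag list
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>", re.M)


def promisc_from_ip_link(text):
    """Return the names of interfaces whose flag set contains PROMISC."""
    return [m.group("name") for m in LINK_RE.finditer(text)
            if "PROMISC" in m.group("flags").split(",")]


def promisc_from_sysfs_flags(flags_hex):
    """Interpret the contents of /sys/class/net/<if>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def scan_sysfs():
    """Live check: list every interface on this host that is in promiscuous mode."""
    return sorted(p.parent.name
                  for p in pathlib.Path("/sys/class/net").glob("*/flags")
                  if promisc_from_sysfs_flags(p.read_text()))


if __name__ == "__main__":
    print("sample:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this host:", scan_sysfs())
```

Legitimate tools (tcpdump, bridges, IDS sensors) also set PROMISC, so an alert from this check is a prompt to confirm who enabled it, not proof of an intruder.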

Why does sniffing threaten network security?

The sensitive information that can be collected by sniffers includes:
1. Passwords (e.g. FTP, telnet, POP, IMAP login passwords)
2. Bank account numbers
3. Any other private data
4. Low-level protocol information

Some common sniffing software (sniffers)

* dsniff
* Esniff.c
* TCPDump
* sniffit

How to spoof the DNS cache? DNS cache poisoning/hacking

Spoofing DNS Cache:

DNS, i.e. the Domain Name System, is a distributed database with a hierarchical structure used to translate human-friendly host names into IP addresses in a TCP/IP network. So when a computer wants to communicate with www.sudobits.com, it first sends a query to the local DNS server, and the DNS server checks its database to find the corresponding IP address. If the local server fails, it tries to communicate with other remote DNS servers, and finally
it returns the corresponding IP address to the user's computer (if there is no problem on the sudobits.com servers). After these events the user's computer and the local DNS server (if it failed to resolve the name itself) update their caches so that in future they can use that IP address to host name mapping without any further queries to other DNS servers. There are many methods for spoofing the DNS cache, but the simple concept is to alter the mapping between the host name and the IP address in the DNS cache of the victim computer or DNS server.
Two simple methods to poison the DNS cache –

1. The hacker sends a DNS query to the local DNS server and, before the local DNS server gets the true result from the remote server, floods it with fake replies; thus the local DNS cache gets spoofed.

2. In this method the hacker poisons the host name entries with the IP address of their fake website, so when the user sends a request to the infected DNS server, it maps to the fake website.

dns cache spoofing and poisoning
How to protect DNS from spoofing/poisoning
Use OpenDNS: it will protect you from DNS cache spoofing and has other benefits as well. For more info: http://www.opendns.com/
credit : CpGlobal

Hacking ARP (Address Resolution Protocol)

What is ARP?

ARP, i.e. the Address Resolution Protocol, is a lower-level protocol (in the TCP/IP stack) used to convert an IP address to a MAC (Media Access Control) address. IP addresses are dynamic (in general), but MAC addresses, being link-layer addresses, are almost static, as they are allocated by the NIC (Network Interface Card) manufacturer. Hence ARP is used to associate these IP addresses with the static hardware (MAC) addresses.

How does ARP work?

Whenever a router, switch or computer receives a data packet with a destination IP address, the device uses its ARP table to look up the corresponding MAC address. If the packet's IP address does not have a corresponding MAC address in the ARP table, the device sends an ARP broadcast request on the local network to find out the MAC address for that IP address. At this point the computer which owns the IP address sends an appropriate response (simply an ARP reply) to the ARP broadcast request. When the device that sent the ARP broadcast request gets the response, it stores that MAC address to IP address mapping in its cache. Now if another packet arrives for the same IP, it sends it to the MAC address just cached, without repeating the ARP broadcast request and ARP reply process again.

How to hack ARP / abuse ARP / poison ARP

The critical point in this process is that there is no authentication mechanism to verify whether or not the ARP reply is coming from the computer that actually owns the IP address. Using this loophole in the ARP mechanism, it can be hacked easily if an attacker sends fake requests to abuse the device. Another problem is that if a computer receives an ARP reply without having sent any broadcast request, it still caches this MAC to IP address mapping for future use. Hence ARP can be hacked or attacked or abused in two ways –
1. First method: the hacker first listens for ARP broadcast requests and answers them with their own MAC address. This method is not so useful or efficient, because the hacker has not only to wait for the victim's ARP broadcast request but also to send the reply before the true host replies.
2. Second method: the second method to poison the network is to send an ARP reply to the target device, so the target device updates its IP-MAC table in cache memory with the received MAC address. Hence this method is simpler and more effective than the first one.
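Since the post above points out that a device simply overwrites its cached IP to MAC mapping when a reply arrives, the practical defence is to watch the cache for exactly that. As an added example (not from the original post), this Python script compares two snapshots of /proc/net/arp and flags the two classic poisoning indicators: an IP whose MAC changed, and a single MAC answering for several IPs. The snapshots are constructed, not captured from a real host.

```python
import collections

# Constructed snapshots of /proc/net/arp, a few minutes apart; not from a real host
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         08:00:27:aa:bb:cc     *        eth0
"""
LATER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         08:00:27:aa:bb:cc     *        eth0
192.168.1.20     0x1         0x2         08:00:27:aa:bb:cc     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x2  # "complete" bit of the Flags column (include/uapi/linux/if_arp.h)


def parse_arp_table(text):
    """Map IP -> MAC for complete entries; incomplete ones (Flags 0x0) are skipped."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        if int(flags, 16) & ATF_COM:
            table[ip] = mac.lower()
    return table


def arp_alerts(old, new):
    """Compare two snapshots: report IPs whose MAC changed (the gateway's entry
    moving to a host's MAC is the textbook case) and MACs claiming several IPs."""
    alerts = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            alerts.append(f"MAC change for {ip}: {old[ip]} -> {mac}")
    by_mac = collections.defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:   # also legitimate for routers with several IPs; verify first
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(parse_arp_table(BASELINE), parse_arp_table(LATER)):
        print(alert)
```

On a live host, feed parse_arp_table() the contents of /proc/net/arp on a timer and keep the first result as the baseline; a static ARP entry for the gateway (arp -s) stops the cache from being overwritten in the first place.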

Learning Bash Shell Commands - Tutorial 3

1. mv command : It is used to move a file from one directory to another. You first enter the file name (that you want to move) and then
the new location of that file.
SYNTAX : mv filename new_location
rk10@rk-desktop:~/Desktop/log$ ls
passwd.txt
rk10@rk-desktop:~/Desktop/log$ cd ../
rk10@rk-desktop:~/Desktop$ cd test
rk10@rk-desktop:~/Desktop/test$ ls
login.txt  xyz.txt
rk10@rk-desktop:~/Desktop/test$ mv login.txt /home/rk10/Desktop/log
rk10@rk-desktop:~/Desktop/test$ cd ../log
rk10@rk-desktop:~/Desktop/log$ ls
login.txt  passwd.txt
rk10@rk-desktop:~/Desktop/log$

2. mkdir command : It is used for creating new directories. You just specify the name of the directory after mkdir, and it will create that directory in the current working directory.
SYNTAX : mkdir new_directory
rk10@rk-desktop:~/Desktop/log$ ls
login.txt  passwd.txt
rk10@rk-desktop:~/Desktop/log$ mkdir eagle
rk10@rk-desktop:~/Desktop/log$ ls
eagle login.txt  passwd.txt
rk10@rk-desktop:~/Desktop/log$

3. less command : It works as a text reader because it displays the contents of text files.
SYNTAX : less file_name.txt
rk10@rk-desktop:~/Desktop/log$ less login.txt //press CTRL+Z to suspend less and come back to the command prompt (q quits it)
this is the content of the file login.txt….
[1]+  Stopped                 less login.txt
rk10@rk-desktop:~/Desktop/log$

4. stat command : It is very useful for viewing file statistics, e.g. creation date, modification date etc. The stat command gives the complete status of the file.
SYNTAX : stat file_name
rk10@rk-desktop:~/Desktop/log$ stat login.txt
File: `login.txt'
Size: 37 Blocks: 8          IO Block: 4096   regular file
Device: 808h/2056d Inode: 1024062     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/rk10)   Gid: ( 1000/rk10)
Access: 2010-03-14 19:31:46.000000000 +0530
Modify: 2010-03-14 19:31:25.000000000 +0530
Change: 2010-03-14 19:31:25.000000000 +0530
rk10@rk-desktop:~/Desktop/log$

Learning Bash Commands - Tutorial 2

An easy way to learn Linux commands - tutorial 2
1. pwd command : To see the current working directory use pwd command.
SYNTAX : pwd
rk10@rk-desktop:~$ pwd
/home/rk10
rk10@rk-desktop:~$
#For more information on the cd command just type help cd in your bash shell.
2. cp command : It is used for copying files from one directory to another. Here I am copying the file xyz.txt from the home directory to the desktop.
SYNTAX : cp filename destination
rk10@rk-desktop:~/Desktop/test$ ls            #test directory is empty at this time
rk10@rk-desktop:~/Desktop/test$ cd ../
rk10@rk-desktop:~/Desktop$ cp xyz.txt /home/rk10/Desktop/test
rk10@rk-desktop:~/Desktop$ cd test
rk10@rk-desktop:~/Desktop/test$ ls
xyz.txt
rk10@rk-desktop:~/Desktop/test$
3. ls command : It is used to display the files and subdirectories in the current working directory.
SYNTAX : ls
rk10@rk-desktop:~/Desktop/security$ ls
black_listed_IP  firestarter-events.txt  my_id
dns1.txt                netstat_1.txt
rk10@rk-desktop:~/Desktop/security$
4. rm command : It is used to delete a file, but note that the file will be deleted permanently.
SYNTAX : rm filename
rk10@rk-desktop:~/Desktop/test$ ls
abc.txt
rk10@rk-desktop:~/Desktop/test$ rm abc.txt
rk10@rk-desktop:~/Desktop/test$ ls
rk10@rk-desktop:~/Desktop/test$