Difference between pages "Internships" and "Sniffer"

From ForensicsWiki
= Internships =

This page describes internship opportunities in the field of computer forensics. Please feel free to add your own.

=USA=

1. Check out this page: http://www.rit.edu/~gtfsbi/forensics/internships.htm It lists a large number of internships, although not all of them pay a stipend.

2. Internet Crimes Against Children. ICAC has offices in almost every state.

3. Check with companies that do computer forensics. Examples include Kroll and Pinkerton.

4. Explore the Scholarship for Service and Scholarship for Work programs offered by the US Government.

==Vermont==

Vermont ICAC (Internet Crimes Against Children). http://www.vtspecialcrimes.org/

Vermont State Patrol. They are almost always understaffed, and may have suggestions for working with counties and cities. It requires that you are not a felon and can pass a 7-year background check -- but a lot of places are so backlogged that they are putting on reserve deputies to work cyber crime. http://www.dps.state.vt.us/vtsp/bci.html

=Legal Issues=

== Interns and Training==

In the Nebraska Cyber Crime Task Force an issue arose which stopped college students from being allowed to work as interns: they do not have the formal training that official forensic officers have and can damage critical evidence. This was a valid comment by the director of the State Patrol's Forensic Lab. A number of us in the room ran through ways to do away with this potential problem (please note this is not at all related to releasing confidential information, but rather to the destruction of the original forensic evidence).

''Here is a possible solution.''

The disk is duplicated, and the duplicate is given to the University's Forensic Lab Manager, who assigns cases. The intern then performs forensics and records offsets, or other methods, to form a "recipe" for finding what they found. This recipe can then be passed back to Law Enforcement, who can recreate the examination. This method saves LE a lot of time, and gives good experience not just to one student intern but to many. For more information on this novel solution contact:

Dr. Blaine Burnham (bburnham@mail.unomaha.edu)

Executive Director, Nebraska University Consortium on Information Assurance

Dr. Burnham is the Director of NUCIA and a Senior Research Fellow for the College of Information Science and Technology. Most recently, he was the Director of the Georgia Tech Information Security Center. Previously, Burnham worked in a variety of information assurance roles at the National Security Agency (NSA), Los Alamos National Laboratory, and Sandia Laboratory.

To see the top class labs that are available at this institution see:

http://nucia.unomaha.edu/steal/labs.php

= Sniffer =

'''Sniffer''' (network sniffer) is a tool that can intercept, log and sometimes parse traffic passing over a network or part of a network.

== Common Uses ==

* Analyze network problems;
* Detect intrusion attempts;
* Monitor network usage;
* Spy on other users and collect sensitive information such as passwords.

== Detection of network sniffers ==

=== Passive sniffing ===

A purely passive sniffer only receives, so in general it cannot be detected from the network itself. The techniques below rely on side effects on the sniffing host (how its interface is configured, what it resolves, what it does with captured credentials), so a negative result never proves that nobody is listening.

* Detecting promiscuous mode

A network interface normally discards frames whose destination MAC address is neither its own nor a broadcast/multicast address it has joined; in promiscuous mode it accepts every frame and hands it to the operating system, which looks only at the network-layer headers. Sending a request (ICMP echo, ARP, etc.) with the destination IP address of the suspect machine but a wrong destination MAC address therefore draws a reply only from a host whose interface is in promiscuous mode: a non-promiscuous interface drops the frame before the IP stack ever sees it. Two caveats: a reply proves promiscuous mode, not that a sniffer is running (bridging, virtualization and some monitoring agents use it too), and the absence of a reply proves nothing, because some operating systems apply their own destination-MAC check in software, so the bogus MAC has to be chosen to slip past that check as well.

* Detecting reverse DNS lookup requests

Some sniffing programs do automatic reverse DNS lookups on the IP addresses they see. A host doing this issues PTR queries for addresses it has never exchanged traffic with, so it can be detected by correlating the DNS queries it sends against the traffic actually seen on the segment, or more directly by sending packets to a decoy address that nobody should talk to and watching who resolves it.

* Detecting network sniffers using a [[honeypot]]: send the credentials of a fake account across the segment in cleartext and monitor that account for logins; only someone who captured the traffic knows them.
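The reverse-DNS correlation and the decoy-address check described above, as an added example (not code from the ForensicsWiki page). Both logs are constructed samples, and their field layouts ("src > dst" for observed flows, "client PTR name" for resolver queries) are assumptions; a real deployment would feed it tcpdump/Zeek output instead.

```python
# Added example (not code from the ForensicsWiki page): correlate observed
# traffic with PTR (reverse DNS) queries to find a host that resolves
# addresses it never talked to. Both logs below are constructed samples and
# their field layout ("src > dst" and "client PTR name") is an assumption.
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one observed flow per line, "src > dst".
TRAFFIC_LOG = """\
10.0.0.5 > 10.0.0.1
10.0.0.7 > 198.51.100.9
10.0.0.5 > 203.0.113.4
10.0.0.9 > 10.0.0.1
"""

# Constructed sample: PTR queries seen at the resolver, "client PTR name".
DNS_LOG = """\
10.0.0.5 PTR 4.113.0.203.in-addr.arpa
10.0.0.9 PTR 9.100.51.198.in-addr.arpa
10.0.0.9 PTR 4.113.0.203.in-addr.arpa
10.0.0.9 PTR 1.0.0.10.in-addr.arpa
10.0.0.7 PTR 9.100.51.198.in-addr.arpa
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$")


def ptr_to_ip(name):
    """'4.113.0.203.in-addr.arpa' -> '203.0.113.4'; None if not an IPv4 PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def peers_by_host(traffic_log):
    """Map every host to the set of addresses it exchanged packets with."""
    peers = defaultdict(set)
    for line in traffic_log.splitlines():
        parts = [p.strip() for p in line.split(">")]
        if len(parts) != 2:
            continue
        src, dst = parts
        peers[src].add(dst)
        peers[dst].add(src)
    return peers


def ptr_queries_by_client(dns_log):
    """Map every DNS client to the set of IPv4 addresses it reverse-resolved."""
    queries = defaultdict(set)
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != "PTR":
            continue
        ip = ptr_to_ip(fields[2])
        if ip:
            queries[fields[0]].add(ip)
    return queries


def suspicious_resolvers(traffic_log, dns_log, min_unrelated=2):
    """Hosts that reverse-resolved at least min_unrelated addresses they never
    exchanged packets with. Servers legitimately resolve their own clients,
    so the threshold keeps ordinary logging from triggering on one lookup."""
    peers = peers_by_host(traffic_log)
    flagged = {}
    for client, looked_up in ptr_queries_by_client(dns_log).items():
        unrelated = looked_up - peers.get(client, set()) - {client}
        if len(unrelated) >= min_unrelated:
            flagged[client] = sorted(unrelated, key=ipaddress.ip_address)
    return flagged


def decoy_lookups(dns_log, decoy_ip):
    """Clients that reverse-resolved a decoy address. If only the tester ever
    sent packets to decoy_ip, anyone else resolving it captured that packet."""
    return sorted(c for c, ips in ptr_queries_by_client(dns_log).items()
                  if decoy_ip in ips)


if __name__ == "__main__":
    print(suspicious_resolvers(TRAFFIC_LOG, DNS_LOG))
    print(decoy_lookups(DNS_LOG, "203.0.113.4"))
```

In the constructed sample 10.0.0.9 only ever talked to 10.0.0.1 yet resolved two other addresses, so it is flagged; 10.0.0.5 and 10.0.0.7 only resolved their own peers. For the decoy variant, pick an address that nothing on the segment has a reason to contact, send it a few packets from the probe host, and treat every other client in the resolver's query log that looks it up as having captured those packets.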
=== Active sniffing ===

Many sniffing programs provide special techniques to intercept traffic on a switched network, where a port normally sees only its own unicast traffic:

* ARP spoofing;
* Fake DHCP server;
* ICMP redirection.

As well as the ability to sniff encrypted data:

* Man-in-the-middle attacks.

Unlike passive sniffing, these techniques have to transmit, and what they transmit is the evidence: ARP replies that nobody requested or that change the MAC address of a known IP (the gateway in particular), DHCP offers from a server that is not the authorised one, ICMP redirects arriving from a host other than the default router, and, for a man-in-the-middle, a server certificate or SSH host key that does not match the known one. Each can be caught by a monitor on the segment or by switch features such as DHCP snooping and dynamic ARP inspection.
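An added example (not code from the ForensicsWiki page) that serves both the promiscuous-mode probe under "Passive sniffing" above and the ARP-spoofing item in this section, since both need the same raw ARP frame builder and parser. No packets are sent: `probe_frame()` builds the ARP request with a bogus Ethernet destination that you would write to a raw socket or pcap handle, `nic_accepts()` models the card's hardware filter, and `ArpWatcher` is a passive detector fed with frames. The fake destination `ff:ff:ff:ff:ff:fe` and all addresses are assumptions.

```python
# Added example (not code from the ForensicsWiki page): raw Ethernet/ARP
# frames for (1) a promiscuous-mode probe and (2) passive ARP-spoof
# detection. Nothing is transmitted; frames are built and parsed in memory.
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumption: the classic "fake broadcast" probe address. It is not a real
# host address, yet has the group bit set, so software MAC checks in common
# stacks let it through once the card (in promiscuous mode) has accepted it.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + IPv4-over-Ethernet ARP body (28 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not ARP over Ethernet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def probe_frame(my_mac, my_ip, suspect_ip, fake_dst=FAKE_BROADCAST):
    """ARP request for suspect_ip with a wrong Ethernet destination. A card in
    normal mode drops it in hardware; a promiscuous card passes it up, and the
    OS answers because the ARP target IP is its own."""
    return build_arp(fake_dst, my_mac, ARP_REQUEST, my_mac, my_ip,
                     "00:00:00:00:00:00", suspect_ip)


def nic_accepts(frame, nic_mac, promiscuous):
    """Model of the hardware filter: does the card hand this frame to the OS?"""
    dst = mac_str(frame[0:6])
    return promiscuous or dst in (nic_mac, BROADCAST)


class ArpWatcher:
    """Passive ARP-spoofing detector: alert when a reply arrives that nobody
    asked for, or when a known IP suddenly answers from a different MAC."""

    def __init__(self):
        self.table = {}       # ip -> mac learned from replies
        self.pending = set()  # (requester_ip, target_ip) of outstanding requests
        self.alerts = []

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["sender_ip"], a["target_ip"]))
            return
        key = (a["target_ip"], a["sender_ip"])
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(f"unsolicited reply: {a['sender_ip']} is-at {a['sender_mac']}")
        old = self.table.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            self.alerts.append(f"{a['sender_ip']} moved from {old} to {a['sender_mac']}")
        self.table[a["sender_ip"]] = a["sender_mac"]


if __name__ == "__main__":
    print(probe_frame("00:11:22:33:44:55", "10.0.0.2", "10.0.0.9").hex())
```

A switch floods frames addressed to a MAC it has not learned, so the probe reaches every port and only promiscuous hosts answer; a reply still only proves promiscuous mode, and silence proves nothing. The watcher's "moved" alert is the one that matters for ARP spoofing of the gateway; the "unsolicited" alert also fires on legitimate gratuitous ARP (address changes, failover), so treat it as a lower-severity signal.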
 
== Cheating network sniffers ==

* IP fragmentation

Some sniffing programs cannot handle IP fragmentation correctly: fragments arriving out of order, or fragments that overlap with conflicting data, are reassembled differently (or not at all) by the sniffer than by the destination host, so the sniffer does not see the stream the host sees.

* Shortcomings in TCP reassemblers

It is possible to cheat some TCP reassemblers by sending TCP packets with low IP TTL values (this TCP packet may not reach the destination host, but will be analysed by a network sniffer). This will break the resulting TCP stream: the sniffer accepts data the host never receives, so the two reassemble different byte sequences. A sniffer can only defend against this if it knows how many hops away the destination is and drops segments whose TTL would expire before reaching it, or at least flags segments whose TTL differs sharply from the rest of the flow.

* [[Encryption]]: [[VPN]] tunnels, SSH tunnels, [[Tor]].

* [[Hidden channels]]
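The low-TTL trick against a TCP reassembler, as an added example (not code from the ForensicsWiki page). Segments are constructed in memory as (sequence number, observed TTL, payload); the number of routers between the sniffer and the target is an assumed value. The naive reassembler keeps the chaff, the TTL-aware one reassembles only what the host will receive, and `ttl_anomalies()` shows the cheaper check a sniffer can apply when it does not know the hop count.

```python
# Added example (not code from the ForensicsWiki page): a TTL insertion attack
# against a naive TCP reassembler, and the two defences a sniffer can apply.
# Segments are constructed in memory; the hop count is an assumed value.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the sniffer's vantage point
    payload: bytes


def reassemble_naive(segments, isn):
    """Accept every segment; the first data seen for an offset wins.
    A sniffer that never looks at the IP header behaves like this."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq - isn + i, b)
    return bytes(stream[k] for k in sorted(stream))


def reaches_target(segment, hops_to_target):
    """Each router decrements the TTL and discards the packet at zero, so a
    segment observed with TTL t survives hops_to_target routers only if t > hops."""
    return segment.ttl > hops_to_target


def reassemble_ttl_aware(segments, isn, hops_to_target):
    """Reassemble only the segments the destination host will actually receive."""
    kept = [s for s in segments if reaches_target(s, hops_to_target)]
    return reassemble_naive(kept, isn)


def ttl_anomalies(segments, tolerance=5):
    """Segments whose TTL is far from the flow's usual value. A flow follows
    one path, so a sudden TTL drop is itself a sign of an insertion attempt."""
    if not segments:
        return []
    usual = Counter(s.ttl for s in segments).most_common(1)[0][0]
    return [s for s in segments if abs(s.ttl - usual) > tolerance]


def insertion_attack(isn, prefix, real, chaff, chaff_ttl=2, real_ttl=64):
    """The attacker's segment sequence: a shared prefix, then chaff at a TTL
    that expires before the target, then the real data at the same sequence
    number. A first-wins reassembler keeps the chaff and discards the real data."""
    return [
        Segment(isn, real_ttl, prefix),
        Segment(isn + len(prefix), chaff_ttl, chaff),
        Segment(isn + len(prefix), real_ttl, real),
    ]


if __name__ == "__main__":
    segs = insertion_attack(1000, b"GET /", b"index.html\r\n", b"admin.html\r\n")
    print(reassemble_naive(segs, 1000))                        # what the sniffer sees
    print(reassemble_ttl_aware(segs, 1000, hops_to_target=3))  # what the host sees
    print(ttl_anomalies(segs))
```

With three routers between the sniffer and the target, the chaff sent at TTL 2 dies on the way, so the sniffer logs `GET /admin.html` while the server serves `GET /index.html`. The attacker has to guess the hop count: if only one router separates them, the chaff arrives too and the attack simply fails. The same reasoning applies to the overlapping-fragment case above, with the IP reassembly policy of the sniffer versus that of the host in place of the TTL.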
== Sniffers ==
 +
 
 +
* [[tcpdump]]
 +
* [[Wireshark]]
 +
* [[Xplico]]
 +
* [[NetworkMiner]]
 +
* [http://www.oxid.it/cain.html Cain & Abel]
 +
* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
 +
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)
 +
* [http://justniffer.sourceforge.net/ justniffer]
 +
 
 +
 
 +
[[Category:Network Forensics]]

Latest revision as of 18:14, 23 May 2009
