
A STUDY AND DEMONSTRATION OF SNIFFERS

TABLE OF CONTENTS

ACKNOWLEDGEMENTS
PART I: INTRODUCTION TO THE TOPIC
PART II: CONTENT
CHAPTER I: RELATED PROTOCOLS
1.1 Address Resolution Protocol (ARP)
1.2 Dynamic Host Configuration Protocol (DHCP)
1.3 Spanning Tree Protocol (STP)
1.4 Virtual Local Area Network (VLAN)
1.5 Domain Name System (DNS)
1.6 MAC Address (Media Access Control)
CHAPTER II: OVERVIEW OF SNIFFERS
2.1 Definition of a sniffer
2.2 Classification of sniffers
2.3 Some methods for detecting sniffers
2.4 Methods for defending against sniffers
CHAPTER III: TYPES OF SNIFFING AND COUNTERMEASURES
3.1 MAC Flooding
3.2 DHCP Starvation
3.3 Rogue DHCP Server
3.4 ARP Poisoning
3.5 DNS Poisoning
3.6 MAC Spoofing
3.7 VLAN Hopping
3.8 Spanning Tree Protocol Attack
PART III: SUMMARY AND EVALUATION
1. Results achieved
2. Directions for further development
PART IV: REFERENCES

ACKNOWLEDGEMENTS

First of all, our group would like to express our most sincere thanks to our teacher Đinh Công Đoan, who devotedly helped and guided the group throughout the work on this essay. We also sincerely thank the Faculty of Information Technology, Department of Computer Networks, Ho Chi Minh City University of Technology and Education (Đại học Sư Phạm Kỹ Thuật TP.HCM) for providing favourable conditions for the group to carry out this topic.

We would also like to express our deep gratitude to the teachers of the university. They have guided us and passed on to us not only specialised knowledge but also lessons on how to be a good person, training in us the willpower and the aspiration to advance, and developing our capacity for creative thinking in every field.

Finally, the group would like to thank our families, friends and loved ones, who were always at our side to encourage and support us throughout our time of study and research.

Although we have tried to complete this essay according to the requirements, limited time and limited ability mean there will certainly be unavoidable shortcomings. The group hopes for the understanding and guidance of our teachers.

Ho Chi Minh City, January 2013
Authors: Phan Huỳnh Trung and Nguyn c Ph

PART I: INTRODUCTION TO THE TOPIC

Today, as information technology develops strongly, the computer network is an indispensable component of every organisation's information systems. Moreover, most of society's transactions and services are deployed over networks. Whether our information is really safe when we take part in activities on the network is a question that many people ask regularly and try to answer. If we do not fix these weaknesses, the network environment will become fertile ground for hackers to intrude, causing loss of information and money. Network security is therefore a matter of the highest importance.

Understanding these issues, the group decided to choose the topic "A study and demonstration of some sniffer techniques". The topic concentrates on simulating general attack methods on the network through sniffer programs, and on studying how to detect and defend against sniffers as effectively as possible.

The essay consists of 4 parts: the introduction, the content, the summary and the references. The content part is divided into 4 chapters: the first chapter introduces the protocols related to sniffers. The next chapter gives an overview of sniffers, the classification of sniffers, the protocols vulnerable to sniffing, and methods for detecting and defending against sniffers effectively. The last chapter presents the types of sniffing with concrete demonstrations.

PART II: CONTENT

CHAPTER I: RELATED PROTOCOLS

1.1 Address Resolution Protocol (ARP)

1.1.1 Concept

ARP is a method of dynamic address resolution between network-layer addresses and data-link-layer addresses. Such a translation protocol is needed because there are many layer-3 protocols such as IP, IPX and AppleTalk, each with its own convention for logical addresses. When encapsulated into a frame, all of these addresses must be converted to a single uniform kind of address (the MAC address) so that every device can communicate with other devices on the same physical transmission medium. Originally ARP was used only in Ethernet networks to resolve between IP addresses and MAC addresses. Today ARP is widely applied and is used in other layer-2 based technologies.

Figure 1.1. Position of ARP

1.1.2 Structure of the ARP message

- Hardware type: identifies the type of hardware network: Ethernet, Token Ring.
- Protocol: identifies the type of network-layer protocol.
- HLEN: length of the MAC address: 48 bits (Ethernet), 32 bits (Token Ring).
- PLEN: length of the IP address.
- Operation: identifies the type of ARP message (Request/Response).
- Sender HA / Target HA: MAC address of the sending/receiving machine.
- Sender IP / Target IP: IP address of the sending/receiving machine.

Figure 1.2. Structure of the ARP message

1.1.3 Operating mechanism

The ARP process begins when a source device in an IP network needs to send an IP packet. The device must first determine whether the destination IP address of the packet is on its own local network. If so, the device sends the packet directly to the destination device. If the destination IP address is on another network, the device sends the packet to one of the routers on the local network so that the router forwards it. In both cases the device has to send an IP packet to another IP device on the same local network. Sending a packet within the same network through a switch relies on the MAC address, that is, the hardware address of the device. Only after the packet has been encapsulated does it go through ARP address resolution and get sent.

ARP is basically a two-way request/response process between devices on the same local network. The source device makes a request by sending a broadcast message to the whole network. The destination device responds with a unicast message to the source device.

Steps of ARP operation:

- Step 1. Source Device Checks Cache: the device checks its cache. If the destination IP address already has a corresponding MAC address, it jumps straight to step 9.
- Step 2. Source Device Generates ARP Request Message: the device creates an ARP Request with the address fields described above.
- Step 3. Source Device Broadcasts ARP Request Message: the source device broadcasts the ARP Request to the whole network.
- Step 4. Local Devices Process ARP Request Message: all devices on the network receive the ARP Request. Each device looks at the Target Protocol Address field. If it matches the device's own address, processing continues; otherwise the packet is discarded.
- Step 5. Destination Device Generates ARP Reply Message: the device whose IP matches the Target Protocol Address field builds an ARP Reply by taking the Sender Hardware Address and Sender Protocol Address fields of the received ARP packet as the Target fields of the outgoing packet. It also puts its own data-link address into the Sender Hardware Address field.
- Step 6. Destination Device Updates ARP Cache: the destination device (the one building the ARP Reply) also adds the IP-to-MAC mapping of the source device to its own ARP cache, to reduce processing time on later occasions.
- Step 7. Destination Device Sends ARP Reply Message: the destination device sends the Reply it has built to the source device. The reply is sent as unicast.
- Step 8. Source Device Processes ARP Reply Message: the source device receives the reply and processes it by storing the Sender Hardware Address field of the reply as the hardware address of the destination device.
- Step 9. Source Device Updates ARP Cache: the source device updates its ARP cache with the mapping between the network address and the data-link address of the destination device. Next time no request will be needed.

Figure 1.3. Sending and receiving ARP messages

1.1.4 ARP Caching

ARP is a dynamic address resolution protocol. Sending Request and Reply packets consumes network bandwidth, so limiting the number of Request and Reply packets as far as possible improves network performance. This is the reason for ARP caching.

The ARP cache takes the form of a table mapping hardware addresses to IP addresses. There are two ways of putting entries into the ARP table:

- Static ARP Cache Entries: the entries in the ARP table are entered one by one by the administrator. The work is done manually.
- Dynamic ARP Cache Entries: the hardware/IP address pairs are put into the ARP cache entirely automatically by software after address resolution completes. They are kept in the cache for a period of time and are then deleted.

The dynamic cache is more widely used because everything happens automatically without any interaction from the administrator. The static cache nevertheless has its own range of application: workstations should have static ARP entries for the router and the file server on the network. This reduces the number of packets sent for address resolution. However, besides the drawback of manual entry, the static cache has the further drawback that when the IP addresses of devices on the network change, the ARP cache must be changed as well.

Deleting information from the cache

Consider the cache table of a device A, which contains information about a device B on the network. If the information in the cache were kept forever, the following problems would arise:

- The device's hardware address changes: device B has its network card or interface device replaced, which changes the device's MAC address. The information in A's cache is then no longer correct.
- The device's IP address changes: the administrator or the provider changes B's IP address, which also makes the information in A's cache wrong.
- The device is removed from the network: B is removed from the network but A is not told, which wastes A's resources on storing unneeded information and costs time when searching.

To avoid these problems, information in the dynamic cache is deleted automatically after a certain period of time. This is done entirely automatically when ARP is used, with a period that is usually 10 or 20 minutes. After being kept in the cache for that period, the information is deleted. The next time it is needed, the information is updated again.
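The message layout from section 1.1.2 and the static/dynamic cache with timed expiry described above, as an added example that is not part of the original essay. The class and function names, the status strings and the sample addresses are assumptions made for this illustration; the sample messages are constructed.

```python
import ipaddress
import struct

# Fixed part of the message: Hardware type, Protocol, HLEN, PLEN, Operation.
ARP_FIXED = struct.Struct("!HHBBH")
OPERATIONS = {1: "ARP Request", 2: "ARP Reply", 3: "RARP Request", 4: "RARP Reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP message (the bytes after the Ethernet header)."""
    if len(payload) < ARP_FIXED.size:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = ARP_FIXED.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet (HLEN=6) with IPv4 (PLEN=4) is decoded")
    if len(payload) < ARP_FIXED.size + 2 * (hlen + plen):
        raise ValueError("truncated ARP address fields")
    off = ARP_FIXED.size
    return {
        "operation": OPERATIONS.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(payload[off:off + 6]),
        "sender_ip": str(ipaddress.IPv4Address(payload[off + 6:off + 10])),
        "target_mac": mac_str(payload[off + 10:off + 16]),
        "target_ip": str(ipaddress.IPv4Address(payload[off + 16:off + 20])),
    }


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a sample ARP message; used here only to construct test input."""
    return (ARP_FIXED.pack(1, 0x0800, 6, 4, oper)
            + bytes.fromhex(sender_mac.replace(":", ""))
            + ipaddress.IPv4Address(sender_ip).packed
            + bytes.fromhex(target_mac.replace(":", ""))
            + ipaddress.IPv4Address(target_ip).packed)


class ArpCache:
    """IP -> MAC table with static entries and dynamic entries that expire."""

    def __init__(self, timeout=600):       # 10 minutes, one of the values in the text
        self.timeout = timeout
        self.static = {}
        self.dynamic = {}                  # ip -> (mac, time learned)

    def add_static(self, ip, mac):
        self.static[ip] = mac

    def lookup(self, ip, now):
        if ip in self.static:
            return self.static[ip]
        mac, learned = self.dynamic.get(ip, (None, None))
        if mac is not None and now - learned >= self.timeout:
            del self.dynamic[ip]           # expired: the next use needs a new request
            return None
        return mac

    def learn(self, msg, now):
        """Record the sender's mapping from a parsed message and report what happened."""
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        if ip in self.static:              # administrator-entered entries are never overwritten
            return "static-ok" if self.static[ip] == mac else "static-conflict"
        known = self.lookup(ip, now)
        self.dynamic[ip] = (mac, now)
        if known is None:
            return "new"
        # A different MAC before the old entry expired is rare in normal operation
        # (replaced network card, readdressing), so it is worth logging.
        return "refreshed" if known == mac else "changed"


def demo():
    cache = ArpCache(timeout=600)
    cache.add_static("192.168.1.254", "00:aa:bb:cc:dd:fe")
    events = [                             # (time in seconds, constructed ARP message)
        (0, build_arp(1, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")),
        (1, build_arp(2, "aa:bb:cc:00:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10")),
        (30, build_arp(2, "aa:bb:cc:00:00:99", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10")),
        (40, build_arp(2, "de:ad:be:ef:00:01", "192.168.1.254", "00:11:22:33:44:55", "192.168.1.10")),
    ]
    return [cache.learn(parse_arp(raw), t) for t, raw in events]


if __name__ == "__main__":
    print(demo())
```

The third and fourth constructed messages claim an IP address that the cache already maps to another MAC, which is the situation the "changed" and "static-conflict" results report.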

1.1.5 Reverse Address Resolution Protocol (RARP)

RARP is the reverse address resolution protocol. The process is the opposite of ARP above: given the link-layer address, find the corresponding IP address. RARP is thus used to discover an IP address when the physical MAC address is known.

The RARP packet format is the same as the ARP packet format already presented, except that the Operation field has the value 00003 for the request code (RARP Request) and the value 00004 for the reply code (RARP Reply).

The operating principle of RARP is the reverse of ARP: the machine already knows its physical MAC address and looks for its corresponding IP address.

1.2 Dynamic Host Configuration Protocol (DHCP)

1.2.1 Concept

The Dynamic Host Configuration Protocol (DHCP) works on a client-server basis. DHCP allows the DHCP clients on a network to obtain their IP configuration from a DHCP server. With DHCP the administrator has less IP management work, because most client IP addresses are obtained from the server.

The server running DHCP determines the IP address to assign to a client. The client uses the address assigned by the server for a period of time set by the network administrator. When this time expires, the client must request an address again, although it will normally be given the old address back.

DHCP uses UDP (User Datagram Protocol) as its transport protocol. The client sends messages to the server on port 67. The server sends messages to the client on port 68.

Advantages of DHCP:

- Centralised TCP/IP management.
- Reduced burden on system administrators.
- Helps keep the network stable and flexible.

1.2.2 How DHCP works

DHCP works on the client/server model. The interaction between the DHCP client and server takes place in the following 4 steps:

- IP Lease Request: first, the client broadcasts a message called DHCPDISCOVER. Because the client has no IP address yet, it uses the source address 0.0.0.0, and because it does not know the address of the DHCP server, it sends to the broadcast address 255.255.255.255. The DHCPDISCOVER packet is thus broadcast to the whole network. The packet also contains a MAC address (Media Access Control, the address that the manufacturer assigns to each network adapter and that distinguishes network cards from one another) together with the computer name of the client machine, so that the DHCP server can tell which client sent the request.
- IP Lease Offer: if a valid DHCP server (one that is able to assign an IP address to a client) receives the client's DHCPDISCOVER packet, it answers with a DHCPOFFER packet carrying the following information: the MAC address of the client; an offered IP address; a subnet mask; the lease time; and the IP address of the DHCP server offering the address to this client.

  The DHCP server now reserves the offered IP so that it is not given to any other DHCP client. The DHCP client waits a few seconds for an offer. If it receives none, it rebroadcasts the DHCPDISCOVER packet at intervals of 2, 4, 8 and 16 seconds, plus a random time of 0 to 1000 milliseconds. If the DHCP client receives no offer after 4 requests, it uses an IP address in the range 169.254.0.1 to 169.254.255.254 with subnet mask 255.255.0.0. It uses one address from that range, which lets the DHCP clients on a network without a DHCP server see one another. The DHCP client continues to look for a DHCP server every 5 minutes.
- IP Lease Selection: once the DHCP client has received a DHCPOFFER, it responds by broadcasting a DHCPREQUEST to accept that offer. The DHCPREQUEST includes information about the DHCP server that offered the address. All other DHCP servers then withdraw their offers (this applies when there is more than one DHCP server on the network) and keep their IP addresses for other requests.
- IP Lease Acknowledgement: the DHCP server that receives the DHCPREQUEST sends the DHCP client a DHCPACK to indicate that it has accepted leasing that IP address to the client. This packet includes the IP address and other configuration information (DNS server, WINS server...). When the DHCP client receives the DHCPACK, its "search" is finished.

Automatic refresh of the lease time

Assume now that the DHCP client has obtained an IP address. By default on the DHCP server, each IP lease lasts only 8 days. With that default (8 days), after 50% of the time (that is, 4 days) the DHCP client automatically asks the DHCP server it originally used for the IP address again. The DHCP client sends a DHCPREQUEST directly (unicast) to that DHCP server. If the DHCP server is "still alive", it answers the DHCP client with a DHCPACK to renew the lease, and this packet includes the most recently updated configuration parameters on the DHCP server. If the DHCP server is "dead", the DHCP client continues to use its current configuration.

Figure 1.4. Order of the packets in DHCP

After 87.5% (7 days) of its current lease time, the client broadcasts a DHCPDISCOVER to update its IP address. At this point it no longer looks for the DHCP server that originally leased the address, but accepts any other DHCP server.

If the lease time has run out, the client immediately stops using the leased IP address. The DHCP client then starts the process of leasing an address from the beginning.

1.3 Spanning Tree Protocol (STP)

1.3.1 Concept

In a network, the administrator always designs the system for high availability (HA). The design therefore always includes backup paths in case the main paths lose connectivity. This, however, easily leads to loops in the network, which is why the STP protocol is needed.

STP is a loop-prevention protocol that lets switches communicate with one another to detect physical loops in the network. The protocol then specifies an algorithm with which the switches can create a loop-free logical topology. In other words, STP creates a loop-free tree structure of leaves and branches spanning the entire layer-2 network.

The main causes of delay, or even of a switch hanging, are:

Figure 1.5. STP model

- Broadcast storm: a very large number of frames circulate continuously among switches connected in a loop. This slows down the network and can hang low-speed switches.
- MAC address table instability: the CAM table becomes unstable. The CAM table in the switch is updated continuously every time a packet is sent on the network.
- Multiple frame copies: an end device receives a great many frames because the frames circulate in the system. The destination device runs slowly because its network card cannot process so many frames at once.

1.3.2 Operating mechanism

STP is a layer-2 protocol. It uses an algorithm to find the loops in the network and to produce a network without loops. The anti-loop algorithm in STP is carried out in 3 steps:

- Step 1: select a root switch (root bridge) among the switches on the network.

- Step 2: select a root port (the single port that the switch uses to reach the root) on each of the other switches (all except the root).
- Step 3: select a designated port (the single port that a collision domain uses to reach the root).

The Spanning Tree computation relies on two concepts when building the logical topology of the network: Bridge ID and Cost.

Bridge ID (BID): an 8-byte field made up of 2 subfields:

- MAC address: 6 bytes assigned to the switch, written in hexadecimal.
- Bridge Priority: a priority 2 bytes long, giving 2^16 values from 0 to 65535, with a default value of 32768.

Figure 1.6. Bridge ID

Cost: the lowest cost of reaching the Root Bridge, calculated as the sum of the costs of the segments on the path to the destination.

Figure 1.7. Cost


1.3.3 Operation of Spanning Tree

The Spanning Tree algorithm is carried out in the following steps:

- Step 1: after a switch starts, it sends BPDUs (Bridge Protocol Data Units), which contain the switch's Bridge ID and the Root ID, once every 2 seconds.
- Step 2: in the initial phase every switch considers itself the Root Bridge.
- Step 3: if a switch receives, in a neighbouring switch's BPDU, a Root ID lower than its own Root ID, it regards the neighbouring switch as the Root Bridge (the switch with the lower Root ID is elected Root Bridge).
- Step 4: the switch then forwards BPDUs with this lower Root ID to its adjacent switches.
- Step 5: the switch with the lowest Root ID is the Root Bridge of the spanning-tree topology.
- Step 6: if 2 switches have equal Root IDs, the election is decided by MAC address. The switch with the lower MAC address becomes the Root Bridge.
- Step 7: once the Root Bridge is determined, each Non-Root Bridge finds the port with the lowest cost to the Root Bridge, which is elected Root Port. The cost to the Root Bridge is the sum of the costs of the segments from the switch to the destination. Cost equals 10^8/BW.
  o Step 7.1: if the costs from the switch's ports to the Root Bridge are the same, the switch chooses the port connected to the switch with the lower Bridge ID, and that port is the Root Port.
  o Step 7.2: if the ports all connect to the same switch, so that the Bridge ID on which the choice is based is one and the same, the switch relies on the Port ID of the switch it connects to. The port connected to the Port ID with the lower Port Priority is chosen as Root Port.

Figure 1.8. Operation of STP

- Step 8: after the Root Ports are determined, the pair of switches on each segment elects a Designated Port. The task of the Designated Port is to send BPDUs and relay the BPDUs sent by the Root. The election of the Designated Port is similar to the election of the Root Port (1. based on cost; 2. based on Switch Priority; 3. based on the switch's Port ID).
- Step 9: the remaining ports are determined to be Block Ports.
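The election in steps 1 to 9, carried through on a three-switch triangle, as an added example that is not part of the original essay. The switch names, MAC addresses and link speeds are constructed; treating BW as bit/s and naming a port by the pair (switch, neighbour) are assumptions of this sketch, which therefore does not model parallel links between the same two switches (step 7.2).

```python
def bridge_id(priority, mac):
    """8-byte Bridge ID as one integer: 2-byte priority followed by the 6-byte MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def link_cost(bandwidth_bps):
    # Cost = 10^8 / BW as given in the text; BW in bit/s is an assumption here.
    return 10**8 // bandwidth_bps


def elect(switches, links):
    """switches: name -> (priority, mac); links: list of (a, b, bandwidth_bps).

    Returns (root bridge, root path cost per switch, role of each port),
    where a port is named (switch, neighbour on that link).
    """
    bid = {name: bridge_id(p, m) for name, (p, m) in switches.items()}
    root = min(bid, key=bid.get)            # steps 1-6: the lowest Bridge ID wins

    cost = {name: float("inf") for name in switches}
    cost[root] = 0
    for _ in switches:                      # relax until the path costs settle
        for a, b, bw in links:
            c = link_cost(bw)
            cost[a] = min(cost[a], cost[b] + c)
            cost[b] = min(cost[b], cost[a] + c)

    roles = {}
    for name in switches:                   # step 7: one root port per non-root switch
        if name == root:
            continue
        candidates = []
        for a, b, bw in links:
            if name in (a, b):
                peer = b if name == a else a
                # Lowest cost first, then the neighbour's Bridge ID (step 7.1).
                candidates.append((cost[peer] + link_cost(bw), bid[peer], peer))
        roles[(name, min(candidates)[2])] = "root"

    for a, b, _ in links:                   # step 8: one designated port per segment
        if (cost[a], bid[a]) < (cost[b], bid[b]):
            winner, loser = a, b
        else:
            winner, loser = b, a
        roles[(winner, loser)] = "designated"
        roles.setdefault((loser, winner), "blocked")   # step 9: what is left is blocked
    return root, cost, roles


# Constructed topology: a triangle with one slow link.
LINKS = [("SW1", "SW2", 100_000_000), ("SW1", "SW3", 100_000_000), ("SW2", "SW3", 10_000_000)]
DEFAULT_PRIORITY = {
    "SW1": (32768, "00:1a:00:00:00:01"),
    "SW2": (32768, "00:1a:00:00:00:02"),
    "SW3": (32768, "00:1a:00:00:00:03"),
}
# Same switches, but SW3 announces a lower priority value.
LOWER_PRIORITY = dict(DEFAULT_PRIORITY, SW3=(4096, "00:1a:00:00:00:03"))

if __name__ == "__main__":
    for label, switches in (("default", DEFAULT_PRIORITY), ("SW3 at 4096", LOWER_PRIORITY)):
        root, cost, roles = elect(switches, LINKS)
        print(label, "root =", root, "cost =", cost)
        for port, role in sorted(roles.items()):
            print("  ", port, role)
```

With default priorities the lowest MAC (SW1) becomes root; changing only SW3's priority moves the root and re-roots every path, because the election accepts whichever Bridge ID is lowest.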

1.4 Virtual Local Area Network (VLAN)

1.4.1 Concept

A VLAN is a virtual LAN. Each VLAN is treated as a separate subnet (with its IP addressing divided like a subnet) and is created by configuration on a layer-2 switching device. A VLAN groups together a set of network devices (IP phones, PCs, servers, printers...) and is designed according to the requirements of the business. For example, the network devices of one department are configured into one VLAN.

Each VLAN is managed by its VLAN ID (a number fixed when the VLAN is configured) with a corresponding VLAN name (which can be chosen freely). By convention the VLAN ID can be set from 0 to 4095.

Figure 1.9. VLAN ID

1.4.2 Functions of a VLAN

Configuring VLANs in a business serves many purposes. VLANs were introduced to reduce infrastructure cost and improve security, and they also provide many other functions:

- VLANs make the network flexible: adding or removing network devices in a VLAN is very simple, requiring only configuration or removal of configuration on the switch port for the device in the corresponding VLAN. Configuring VLANs also makes moving network devices easy: the administrator only needs to reconfigure the switch ports and place the devices in the required VLANs.
- Increased security: in a network without VLANs, users with network devices can all reach one another, and when the network is attacked all devices are affected. In a network with VLANs, devices in different VLANs cannot reach one another, and when the network is attacked only the devices in the corresponding VLAN are affected.

- Smaller broadcast domain: a system without VLANs is a single broadcast domain, and every broadcast packet is sent to all devices on the network. With VLANs configured, the LAN is divided into several segments, and a broadcast packet is transmitted only within its own VLAN.
- Saving network bandwidth: as the network grows, the number of users and the demand for bandwidth increase, so the bandwidth and performance of the network decrease. Configuring VLANs reduces the broadcast domain, so broadcast packets travel only within the corresponding VLAN, which saves bandwidth.
- Support for load balancing and redundancy: VLANs allow data to travel over several different paths thanks to the mechanism that prevents packets from looping.

1.4.3 Types of VLAN

When a VLAN is provided or created on a switch, the end devices must be assigned to the corresponding VLAN according to the design. Depending on whether the VLAN is configured statically or dynamically, the network administrator can use one of the following 2 methods to establish VLAN membership (assign devices to the corresponding VLAN).

Static VLAN (port-based VLAN):

Figure 1.10. Static VLAN

This is static VLAN configuration: network devices are made members of a VLAN according to the physical ports on the switch. In other words, the switch ports are assigned to separate VLANs. When a network device is physically connected to a port on the switch, it is automatically placed in the VLAN configured beforehand. In this kind of configuration the network administrator assigns the switch ports to VLANs by hand. One or more ports on the switch are configured into a VLAN with a VLAN ID. Although two network devices may be connected to the same switch, traffic cannot pass between them because the two VLANs do not have the same VLAN ID.

Dynamic VLAN (MAC-address-based VLAN):

This is dynamic VLAN configuration, based on the MAC addresses of the member devices. When a network device connects to a switch port, it is not automatically assigned to a VLAN as with a static VLAN. Instead, the switch must query a database in order to make the device a member of a VLAN. This database is called the VMPS (VLAN Membership Policy Server) database. The administrator must assign the MAC addresses of the member devices to the corresponding VLANs in the VMPS database on a TFTP (Trivial File Transfer Protocol) server. When a device is moved to another switch, that switch relies on the VMPS database to assign the VLAN for the device.

The dynamic VLAN process:

- The network device (client) connects to a port on the switch. The switch acting as VMPS client obtains the MAC address of the network device.

Figure 1.11. Dynamic VLAN (MAC-address-based VLAN)

- The VMPS client switch checks this MAC address by sending a request to the switch acting as VMPS server.
- The VMPS database information (MAC addresses and their VLANs) from the TFTP server is loaded into the VMPS server to verify the MAC address requested by the VMPS client.
- If the information is verified as correct, the VMPS server returns the VLAN ID to the VMPS client.
- The VMPS client configures the port for the network device into the correct VLAN based on the information received from the VMPS server.

Each switch port belongs to only 1 VLAN. No traffic passes through a port until the VMPS server switch has assigned a VLAN to it. Several network devices can operate on the same switch port when they share the same VLAN. Switch ports whose devices are made VLAN members by dynamic VLAN are called dynamic ports.

Dynamic VLAN (protocol-based VLAN):

This is also a dynamic VLAN configuration. It is similar to the MAC-address-based VLAN, but uses a logical address or IP address in place of the MAC address. This configuration is no longer common thanks to the use of the DHCP protocol.

1.5 Domain Name System (DNS)

1.5.1 Concept

Computers on a network that want to communicate or exchange information and data with one another need to know each other's IP addresses. If there are many computers on the network, remembering these IP addresses is very difficult. Besides its IP address, each computer also has a host name. For people, a host name is always easier to remember than an IP address because names are more intuitive and memorable. For this reason a way was found to map IP addresses to host names.

The DNS service works on the client-server model:

- Server: resolves names to IP addresses and, conversely, IP addresses to names. It is called the Name Server and stores the DNS database.

Figure 1.12. Organisation of DNS

- Client: sends name resolution queries to the DNS server. It is called the Resolver and contains the library functions used to build queries to the Name Server.

DNS is implemented as an application-layer protocol in the TCP/IP network model.

A hostname in a domain is a combination of words separated by dots (.). For example, the machine name srv1 is called the hostname. The full name in the domain according to the model above is srv1.csc.hcmuns.edu.vn, called the FQDN (Fully Qualified Domain Name).

1.5.2 Name resolution mechanism

Resolving a name to an IP address

A Root Name Server is a server that manages the name servers at the top-level domain level. When there is a query about a domain name, the Root Name Server provides the name and IP address of the name server managing the top-level domain (in practice most root servers are themselves the servers managing the top-level domains), and the name servers of the top-level domain in turn provide the list of name servers with authority over the second-level domain to which the name belongs. This continues until the server managing the queried domain name is found.

This process shows the very important role of the Root Name Servers in domain name resolution. If all Root Name Servers on the Internet were unable to communicate with one another, no name resolution request could be carried out.

Example: a client needs to visit the Yahoo website, so it asks for the IP address of the web server hosting the Yahoo website. The client first looks in its own cache. If the cache has no entry, it sends a query to the local DNS server (if there is a DNS server on the internal network). The local DNS server likewise looks in its cache: if the entry is there, it sends the requested IP address to the client. If not, the local DNS server sends the query to the nearest Root Name Server it knows of. That Root Name Server answers the local DNS server with the IP address of the name server managing the .com domain. The local DNS server then asks the name server managing the .com domain for the IP address of the yahoo.com domain. Finally the local DNS server queries the server managing the Yahoo domain and receives the answer.

Queries can be of 2 types:

- Recursive query: when a name server receives this kind of query, it is obliged to return the result it finds, or an error message if the query cannot be resolved. The name server cannot refer the requester to another name server. The name server may send recursive or iterative queries to other name servers, but it must keep going until it has a result.

Figure 1.13. Recursive query

- Iterative query: when a name server receives this kind of query, it answers the Resolver with the best information it has at that moment. The name server itself does not perform any further query. The information returned can come from local data (including the cache). If the name server does not find the information in its local data, it returns the domain name and IP address of the nearest name server it knows of.

Resolving an IP address to a host name

To make it possible to resolve the computer name for an IP address, a branch indexed by IP address was added to the domain name space. This part of the name space has the domain name in-addr.arpa. Each node in the in-addr.arpa domain has a label that is a decimal number of the IP address.

Figure 1.14. Iterative query

Example: the in-addr.arpa domain can have 256 subdomains corresponding to the 256 values from 0 to 255 of the first byte of the IP address. Each of these subdomains has a further 256 subdomains corresponding to the second byte. This continues down to the fourth byte, where there are records giving the full domain name of the computers or networks with the corresponding IP address.

1.6 MAC Address (Media Access Control)

1.6.1 Concept

In 1976, when the need to connect computers to one another became pressing, 3 large companies, Xerox, Intel and Digital Equipment Corp (DEC), jointly researched and produced a draft of the DIX Ethernet standard, which allows computers to be connected into a LAN. In 1980 the IEEE (Institute of Electrical and Electronics Engineers) used this DIX Ethernet draft to build the first Ethernet standard, consisting of 2 parts: IEEE 802.3, which specifies the media access control layer, abbreviated MAC, and IEEE 802.2, which specifies the logical link control layer, abbreviated LLC (Logical Link Control).

In the OSI (Open Systems Interconnection) reference model, the MAC address is at layer 2 (data link). Put simply, the MAC address is the physical address, also called the identification number, of each device. Each device (network card, modem, router...) is assigned a fixed MAC address by its manufacturer, and this address is unique in the world (although a MAC address can be spoofed).

1.6.2 Structure of the MAC address

A MAC address is represented as a 48-bit binary number. The first 24 bits are the code of the device's manufacturer, assigned to each manufacturer by the IEEE; these 24 bits are called the OUI (Organizationally Unique Identifier). The remaining 24 bits are a serial number that the manufacturer assigns to each device. The MAC address is stored in a ROM chip on each device during manufacture.

A MAC address is usually written as 12 hexadecimal digits, and there are 2 ways of writing it: XX:XX:XX:YY:YY:YY (separated by colons) or XX-XX-XX-YY-YY-YY (separated by hyphens).

MAC addresses are divided into 3 types:

- Unicast: an address that represents a single device.

Figure 1.15. Structure of the MAC address

- Multicast: an address that represents a group of devices on the LAN. It is used when an application wants to communicate with a group of devices. When a message is sent to a multicast address, all devices in the group receive and process the packet, while the other devices on the network ignore it. The IP protocol also supports multicast transmission. When a multicast IP packet is sent over a LAN, the multicast MAC address corresponding to the IP address is 0100.5exx.xxxx.

- Broadcast: this address represents all devices on the same LAN. This means that if a packet with the MAC address FFFF.FFFF.FFFF is sent, all devices on the LAN must receive and process it.

The number of MAC addresses is very large (2^48 addresses) and they will be reused once every few years, so there are enough to assign physical addresses to all computers.
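The address structure and the three address types of section 1.6.2, including the 0100.5exx.xxxx multicast mapping, as an added example that is not part of the original essay. The function names are assumptions; the locally-administered check (second-lowest bit of the first octet, defined by IEEE 802) goes beyond what the text covers and is included because the text notes that MAC addresses can be spoofed.

```python
import ipaddress


def parse_mac(text):
    """Accept XX:XX:XX:YY:YY:YY, XX-XX-XX-YY-YY-YY or XXXX.XXXX.XXXX; return 6 bytes."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)           # raises ValueError on non-hex characters


def dotted(mac):
    """Format 6 bytes in the XXXX.XXXX.XXXX style used in the text."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def classify(mac):
    """Return 'broadcast', 'multicast' or 'unicast'."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:                      # lowest bit of the first octet marks a group address
        return "multicast"
    return "unicast"


def describe(text):
    mac = parse_mac(text)
    return {
        "kind": classify(mac),
        "oui": mac[:3].hex(),              # first 24 bits: manufacturer code
        "serial": mac[3:].hex(),           # last 24 bits: assigned by the manufacturer
        # Set when the address was chosen locally rather than taken from an OUI block;
        # an address with this bit set did not come from a manufacturer's assignment.
        "locally_administered": bool(mac[0] & 0x02),
    }


def multicast_mac_for(ip):
    """Map an IPv4 multicast group to its 0100.5exx.xxxx MAC address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF           # only the low 23 bits of the group are copied
    return bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")


if __name__ == "__main__":
    for sample in ("00-32-08-A4-64-21", "FFFF.FFFF.FFFF", "02:00:00:00:00:01"):
        print(sample, describe(sample))
    # Two different groups (constructed) that share one MAC because only 23 bits are mapped.
    for group in ("239.1.1.1", "239.129.1.1", "224.0.0.251"):
        print(group, "->", dotted(multicast_mac_for(group)))
```

Because only 23 bits of the group address are carried into the MAC address, distinct groups can share one multicast MAC, so a receiver still has to check the IP destination.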

CHAPTER II: OVERVIEW OF SNIFFERS

2.1 Definition of a sniffer

Sniffing is a form of eavesdropping on a network, based on characteristics of the TCP/IP mechanism. A sniffer is a security technique developed to help network administrators operate the network more effectively and to inspect data entering and leaving the network as well as data moving within it. On the negative side, a sniffer is used as a tool for eavesdropping on network traffic in order to obtain important information.

2.2 Classification of sniffers

2.2.1 Active sniffer

- Environment: operates mainly in environments with packet-switching devices. The most common today are switched networks.
- Mechanism: at present it mainly uses ARP and RARP, sending out poisoned packets; specifically, it sends packets telling the sending machine "I am the receiver" although it is not the receiver.
- Characteristics: because it has to send packets, it can take up network bandwidth. If too many machines on the network are sniffed, the number of packets sent is very large (because forged packets are sent continuously), which can congest the network or overload the NIC of the sniffing machine itself (a bottleneck).

In addition, sniffers use several techniques to force the data stream through their NIC, such as:

  o MAC flooding: overflows the switch's memory so that the switch runs in forwarding mode without switching packets.
  o MAC spoofing/duplicating: the sniffer changes its MAC address to that of a legitimate machine and so passes the device's MAC filtering.
  o DHCP poisoning to change the client's gateway.
  o ARP spoofing.

TM HIU V MINH HA SNIFFER

28

2.2.2 Passive sniffer

Environment: operates mainly in environments without packet-switching devices. The most common today are networks built on hubs, and wireless networks.

How it works: because there are no packet-switching devices, hosts have their packets broadcast across the network, so the packets can be captured and read (even though the host receiving a packet is not its destination).

Characteristics: because the machines broadcast the packets themselves, this form of sniffing is very hard to detect.

2.2.3 Protocols vulnerable to sniffing

Any protocol that does not encrypt its data can, in principle, be attacked by sniffing. Common protocols such as Telnet, HTTP, POP3, SNMP, NNTP, FTP and IMAP all have their data stolen easily by sniffers because login information is sent in cleartext.

2.3 Some methods for detecting sniffers

2.3.1 Ping method

ICMP (Internet Control Message Protocol) is a protocol in the TCP/IP protocol suite that is used to check connectivity in a network through the Ping action. Computers on the network normally use TCP/IP, and when a request is sent to them they reply with the result. Every machine has two kinds of address: an IP address and a MAC address. When data is transmitted on the network, a computer accepts a packet only when the packet carries a valid MAC address.

A computer running a sniffer can be detected by sending packets to the IP address of a machine on the network, but not through its network card. For example, the computer running the sniffer has MAC address 00-32-08-A4-64-21 and IP address 10.0.0.4. The network administrator can change the MAC address of that machine in the router table to 00-32-08-A4-64-24 and then ping this IP address with the new MAC address. In principle no computer can answer, but an answer still comes from the computer running the sniffer, because that machine may have turned off MAC address filtering on its network card. On that basis the administrator can determine which computer on the system is running a sniffer.

2.3.2 ARP method

This detection method is similar to the Ping method. The difference is that we use ARP packets. The header of an ARP packet contains the IP address and MAC address of both the sending and the receiving computer. If a non-broadcast ARP packet is sent on the network, every computer the packet passes through, including a machine with a sniffer installed, stores this information. If we then ping the broadcast address, every machine except the one that received the non-broadcast packet replies. If some machine does not reply, that machine may have a sniffer installed.

For example, suppose a non-broadcast ARP packet is sent from computer A to computer B. Computer C, which is running a sniffer, stores this non-broadcast ARP packet. When the broadcast address is pinged, neither B nor C replies. We conclude that computer C is running a sniffer.

2.3.3 DNS method

Some sniffers perform reverse DNS lookups on the IP addresses they see. To use this method, monitor reverse lookups on the DNS server while pinging IP addresses that do not exist on the system. If a lookup comes back from some computer, that machine very probably has a sniffer installed and is trying to reverse-resolve the nonexistent IP address.

2.3.4 Source-route method

To detect a sniffer, the source-route method uses a technique called loose source routing. A loose source route carries path information (a list of IP addresses) that the packet must pass through to reach its destination. For example, with the computers and IP addresses shown in the figure, the loose source route contains the path 192.168.0.12 -> 192.168.0.15 -> 192.168.0.17 -> 192.168.0.23, where 192.168.0.12 is the source address and 192.168.0.23 is the destination address. Suppose that to reach machine D, a packet from machine A has to pass through machines B and C. If the administrator disables routing on machine C and the packet still gets through to machine D, machine C very probably has a sniffer installed.

Another way to detect a sniffer is to use the time to live (TTL) field. If the TTL at machine A is 25, it drops to 24 when the packet reaches machine B, and so on until it reaches the destination (machine D) with a TTL of 22. If machine D sniffs the packets from machine B, the TTL on arrival at D has only dropped to 23. This shows that machine D has a sniffer installed.

2.3.5 Decoy method

This method is used on larger networks such as the Internet. Many protocols send passwords unencrypted on the wire. You simply simulate clients that use services whose passwords are not encrypted, such as POP, FTP, Telnet, and so on. You can configure users with no privileges, or even users that do not exist. Once hackers have sniffed this information, they will try to check, use and exploit it.

2.3.6 Demonstration: using Ettercap to detect ARP poisoning
[Figure: Admin 192.168.1.20, Attacker 192.168.1.10, User 192.168.1.21, and a device at 192.168.1.1]

Figure 2.1. Demonstration topology


In this demonstration the Attacker machine uses Cain & Abel to carry out the ARP poisoning attack; the attack is done in the same way as in chapter 2. The Admin machine additionally has Ettercap installed to monitor the system.

Steps:

On the Attacker machine, the result after carrying out the ARP poisoning attack:

Figure 2.2. Result after the attack

On the Admin machine, start Ettercap, choose Sniff > Unified Sniffing, choose eth0 (the network card connected to the system) > OK. Next choose Host > Scan for host to scan all hosts on the network, then Start > Start sniffing, then go to the Plugin tab > Manage the plugin. Double-click search_promisc to pick out the network cards that are in promiscuous mode. The result is:

Figure 2.3. Detecting a sniffer with Ettercap


The line "Most probably sniffing NICs" lists the IP addresses that are most likely running a sniffer (the Attacker machine). Here the Admin can also use the arp_cop plugin to watch for suspicious ARP activity on the system.

2.4 Methods for defending against sniffers

In general, sniffer-detection software is the quickest and most convenient solution for end users. Its big limitation, however, is that it only detects eavesdropping after the fact: detection is passive, once the eavesdropping has already happened. The simplest way to stop anyone who wants to sniff data is to use standard encrypted protocols for data in transit. Some ways to defend a network against sniffers:

- Replace hubs with switches, which give more effective protection; the extent and scope of broadcasts should still be limited by dividing the network into VLANs.
- Limit the chance of eavesdropping programs being installed by applying software-installation management policies to the system, together with features such as port security, DHCP snooping and Dynamic ARP Inspection.
- On small networks, use static IP addresses and static ARP tables to limit ARP spoofing attacks, with close monitoring of MAC (Media Access Control) address changes on the switch.
- Apply one-time passwords and change passwords continually.
- Encrypt transmitted data with secure communication mechanisms such as SSL (Secure Sockets Layer) and a VPN (Virtual Private Network). In other words, replace or restrict protocols that do not encrypt data with protocols that do. For example, use SSH (Secure Shell) instead of Telnet/Rlogin, SFTP (secure FTP) instead of FTP, and HTTPS instead of HTTP.
- For a company network, the best protection is to prevent the problem from the start by building network security policies. These include access management and physical protection policies with rules such as who may come into contact with the machines, who may use them, who may attach devices to them and which kinds of programs may be installed (users are not allowed to install programs themselves), in order to minimise the possibility of physical intrusion to install eavesdropping programs on the network.


CHAPTER III: TYPES OF SNIFFING AND HOW TO DEFEND AGAINST THEM

3.1 MAC flooding

3.1.1 The CAM (Content Addressable Memory) table

The CAM table is an area of the switch's RAM that stores the mappings between the source MAC addresses of PCs and network devices and the switch ports through which those devices connect to the network. The size of the CAM table is limited and depends on the switch model. The switch builds the data in the CAM table by learning MAC addresses, maintains it during operation, and refreshes it after a certain period or when the switch restarts. The CAM table refresh time is usually 300 s.

Figure 3.1. CAM table

3.1.2 MAC flooding

Attack

MAC flooding is a form of active sniffing and an attack that relies on a weakness of the switch. The attacker uses software to send the switch a very large number of packets, each with a different (fake) source MAC address. By design, when a switch receives a packet whose source MAC address is not in the CAM table, it learns that address into the CAM table against the port on which the packet arrived. So if the switch receives a large number of such packets within a period of time, the CAM table fills up and the switch can no longer learn MAC addresses from any machine that sends it packets. Once the CAM table is full, the switch sends each packet it receives out of every port except the one it arrived on, which is how a hub (a layer 1 device) behaves. At that point the attacker can see the packets that machines on the network send to each other by using sniffer software.

Defense

The principle of defending against MAC flooding is to keep packets with unknown MAC addresses from passing through the switch. The most effective method is to configure port-security on the switch. This configuration controls access to the switch ports by the MAC address of the attached device.

When the switch receives an incoming packet, it checks the packet's source MAC address against the list of MAC addresses in the CAM table. If the MAC address is in the CAM table, the switch forwards the packet to the destination MAC address the packet asks for. If the address is not yet in the CAM table, the switch handles the packet at one of several levels, depending on how the administrator configured it. The possible actions are:
- shutdown: the port stops working and neither receives nor forwards packets.
- restrict: the port lets through only packets with valid MAC addresses; violating packets are dropped, and a syslog message is sent to the administrator.
- protect: the same as restrict, but no syslog message is sent.

3.1.3 Demonstration

Preparation
- One Cisco switch
- One PC acting as the User
- One PC acting as the Attacker
- Connecting cables


Topology

[Figure: the User and Attacker PCs connected to the Switch; port labels F0/1 and F0/7]

Figure 3.2. MAC flooding topology

Procedure

There are many tools for carrying out MAC flooding, but the most effective is macof. It is a small program in the dsniff package, which runs only on Linux. The topology, shown above, consists of 2 PCs and a switch: an Attacker machine used for the MAC flooding attack and a machine that is an ordinary user. On the Attacker machine we use the following commands in a terminal:

    macof -i eth0        (floods MAC addresses through the ethernet0 port)
    macof -i eth0 -n n   (floods MAC addresses through the ethernet0 interface, n times)

Figure 3.3. MAC flooding on Ubuntu

When the command above runs, the PC sends fake MAC addresses to the switch. The switch learns all of these MAC addresses, and after a while its CAM table overflows. We view all the MAC addresses in the CAM table with this command on the switch:

    Switch#show mac address-table

Figure 3.4. Result after carrying out MAC flooding


To defend against MAC flooding we configure the port-security feature on the switch. We identify the trusted ports and allow only one port, or a few ports, to send frames through the switch.
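The behaviour described in 3.1.2, as an added example that is not part of the original report: a toy Python model of a CAM table that fails open when full, and of the three port-security violation modes. The CAM size of 8, the port roles (F0/7 as the untrusted port, F0/2 as a server port), the one-address limit and all MAC addresses are constructed assumptions; nothing is sent on a network.

```python
"""Toy model of a switch CAM table and port-security (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    max_macs: Optional[int] = None       # None = port-security not configured
    violation: str = "shutdown"          # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def admit(self, src_mac: str) -> bool:
        """Apply port-security to one ingress frame; True means forward it."""
        if self.err_disabled:
            return False
        if self.max_macs is None or src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)        # learned as a secure address
            return True
        # Unknown source on a full port: act according to the violation mode.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"{self.name}: violation by {src_mac}, port shut down")
        elif self.violation == "restrict":
            self.syslog.append(f"{self.name}: violation by {src_mac}, frame dropped")
        return False                             # protect: drop silently


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                            # source MAC -> port name
        self.cam_capacity = cam_capacity

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> list:
        """Process one frame and return the egress ports ([] = dropped)."""
        if not self.ports[in_port].admit(src_mac):
            return []
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port          # room left: learn the source
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]           # known destination: one port
        # Unknown destination (or broadcast): flood like a hub.
        return [n for n, p in self.ports.items()
                if n != in_port and not p.err_disabled]


def simulate(violation: Optional[str], cam_capacity: int = 8, burst: int = 20) -> dict:
    """Replay one constructed traffic pattern; violation=None disables port-security."""
    limit = None if violation is None else 1
    untrusted = Port("F0/7", max_macs=limit, violation=violation or "shutdown")
    sw = Switch([Port("F0/1"), Port("F0/2"), untrusted], cam_capacity)
    # 1. A burst of frames with ever-changing source MACs arrives on F0/7.
    for i in range(burst):
        sw.receive("F0/7", f"02:00:00:00:00:{i:02x}", BROADCAST)
    # 2. A server on F0/2 talks, then the user on F0/1 sends it a unicast frame.
    sw.receive("F0/2", "00:aa:00:00:00:02", BROADCAST)
    egress = sw.receive("F0/1", "00:aa:00:00:00:01", "00:aa:00:00:00:02")
    return {"egress": egress, "cam_entries": len(sw.cam),
            "err_disabled": untrusted.err_disabled, "syslog": len(untrusted.syslog)}


if __name__ == "__main__":
    for mode in (None, "shutdown", "restrict", "protect"):
        print(mode, simulate(mode))
```

Without port-security the user's unicast frame leaves on both F0/2 and F0/7; with any of the three modes the table never fills and the frame leaves on F0/2 only, the modes differing in whether the port stays up and whether syslog is written.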

Figure 3.5. Port-security configuration on the switch

3.2 DHCP starvation

3.2.1 DHCP starvation

As we saw in chapter 1, the DHCP server allocates and manages the TCP/IP configuration of clients, such as the IP address, default gateway, DNS server and lease time. Allocation takes 4 steps. In the first step the client broadcasts a DHCPDISCOVER to ask the server for an IP address, and after the following steps the client receives an IP address from the server. We can therefore see that the first step is very important and very easy to attack.


[Figure: DHCP request/reply messages]

Figure 3.6. Functions of the DHCP packets

Attack

When a client needs an IP address from the DHCP server, it first sends a DHCPDISCOVER broadcast packet to the DHCP server, which processes it and allocates an IP address to the client. Almost every DHCPDISCOVER a client sends results in the DHCP server handing out an IP address. The attacker takes advantage of this to attack the DHCP service. The idea of DHCP starvation is that the attacker sends a great many DHCPDISCOVER broadcasts with different MAC addresses to the DHCP server. This fools the DHCP server, and the attacker receives the IP addresses that correspond to the DHCPDISCOVER broadcasts sent earlier. IP address management becomes very difficult, and users who need an IP address from the DHCP server do not get one, because by then all the IP addresses have been allocated to the packets sent by the attacker. DHCP starvation is a denial-of-service (DoS) attack based on DHCP messages, and it belongs to the active sniffer category.

[Figure: message exchange between Client and DHCP Server: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK]

Figure 3.7. DHCP starvation attack

Defense

When a client sends a DHCPDISCOVER packet to the DHCP server, the packet also includes the client's MAC address and computer name. This lets the DHCP server know which client sent the packet. We can use the same property to defend against DHCP starvation: the idea is to filter the packets sent to the switch, letting through only the addresses we have defined in advance and dropping packets from unknown addresses. The most effective feature to use is port-security on the switch.


3.2.2 Demonstration

Preparation
- One Cisco router
- One Cisco switch
- One PC acting as the User
- One PC acting as the Attacker (running Linux with yersinia installed)

Topology

[Figure: the User and Attacker PCs connected to the Switch, which connects to the Router; port labels F0/1, F0/0, F0/24, F0/7]

Figure 3.8. DHCP starvation attack topology

Procedure

There are many tools for carrying out DHCP starvation; on Linux a very effective and easy-to-use one is yersinia. In the topology above, a router acts as the DHCP server and the switch forwards packets from the PCs to the router. First we configure the DHCP server on the router.

Figure 3.9. DHCP server configuration on the router


To carry out the attack, we first start the program with the command yersinia -G in a terminal.

Figure 3.10. The yersinia interface on Ubuntu

Next, switch to the DHCP tab to follow the progress of the attack. To start the attack, click the Launch attack button to open the attack option dialog. Then choose sending DISCOVER packet and click OK to send DHCPDISCOVER to the DHCP server.

Figure 3.11. DHCP attack option


To see the DHCPDISCOVER messages, switch to the DHCP tab in the yersinia interface.

Figure 3.12. DHCPDISCOVER messages in yersinia

After attacking by sending DHCPDISCOVER packets, we check the attack by looking at the IP addresses the server has allocated to clients. We view the addresses that have been handed out with this command on the router:

    Router#show ip dhcp binding


Figure 3.13. Show DHCP binding

To defend against DHCP starvation we also configure port-security on the switch, in the same way as in the defense against MAC flooding.

3.3 Rogue DHCP Server

3.3.1 Rogue DHCP Server

Every system has a DHCP server whose job is to supply all IP addresses for the network; these addresses come with a default gateway and a DNS server. This information is configured in advance by the network administrator and makes the network operate the way the administrator intends. If all of this information on the client machines is wrong and does not match what the administrator intends, the whole network operates incorrectly. The rogue DHCP server attack builds on this idea. In this attack the attacker plays the role of a DHCP server on the network: the attacker sets up a DHCP pool in which the default gateway and DNS server point to addresses of the attacker's choosing.

Figure 3.14. Rogue DHCP Server

Attack

The idea of a rogue DHCP server is that the network contains a DHCP server that is not part of the administrator's plan and is configured by the attacker. When a client requests an IP address with a DHCPDISCOVER packet, the attacker answers it, and the client then receives its IP configuration from this fake DHCP server. That configuration points to a default gateway that is the attacker's own machine and to a DNS server whose answers are supplied by the attacker. This can lead to wrong domain name resolution, which makes sniffing very easy for the attacker. The attack is not guaranteed to succeed every time: in theory, when a client sends a DHCPDISCOVER the server returns an IP address, but when there are 2 servers on the network the client takes the address from whichever server answers first.

Defense

In a network, the servers are connected to the client devices through a switch. On the switch we can configure DHCP snooping to defend against a rogue DHCP server. The idea is to define trusted ports on the switch: end devices connected to the switch accept only IP addresses allocated by servers connected to the switch's trusted ports. DHCP snooping defines trusted ports per VLAN, so we divide the switch into VLANs before configuring DHCP snooping for the system.

3.3.2 Demonstration

Preparation
- One Cisco router
- One Cisco switch
- One PC acting as the User
- One PC acting as the Attacker (running Windows Server 2008)

Topology

Figure 3.15. Rogue DHCP server attack topology

Procedure

The topology has 2 DHCP servers. For the server acting as the Attacker we use Windows Server 2008 to set up a DHCP server, and for the main server we use the router as the DHCP server.


Figure 3.16. DHCP on Windows Server 2008

On the DHCP server we create a new scope with the address range 172.16.1.1 to 172.16.1.200.

Figure 3.17. Creating a scope on the DHCP server

On the router we also configure a DHCP pool, in the same way as in the DHCP starvation section; the address range is the whole 192.168.1.0/24 network. When a client requests an IP address, it is not certain whether the address it receives comes from the Attacker or from the router, so in this lab the address is sometimes the Attacker's and sometimes the router's.

To defend against the rogue DHCP server attack, we configure DHCP snooping. By default all ports on the switch belong to VLAN 1, so we configure it on VLAN 1 and then define the trusted port.

Figure 3.18. DHCP snooping configuration

After configuring, we check the DHCP snooping configuration.

Figure 3.19. Checking DHCP snooping

3.4 ARP Poisoning

3.4.1 The ARP process

When HostA and HostB communicate, the packets are passed down to the data link layer for encapsulation, and the hosts have to put the source MAC and destination MAC into the frame. So before any data is transferred, the 2 machines have to ask for each other's MAC address. If HostA starts the MAC query first, it broadcasts an ARP request asking for HostB's MAC address. HostB then already has HostA's MAC address and only answers A with HostB's own MAC address (the reply from HostB is an ARP response).

3.4.2 ARP spoofing attack

The attack exploits the weakness that ARP is a stateless protocol: a host that receives a reply message still updates its ARP cache with the information in it, even though it never sent an ARP request. The attacker exploits this weakness by sending gratuitous messages with a forged source MAC address to the victim machine.

Figure 3.20. ARP spoofing attack

First, UserA wants to send data to the Victim (User B). UserA needs to know the Victim's MAC address to communicate. UserA broadcasts an ARP request to all machines on the same LAN, asking which MAC address has IP 10.1.1.1 (the Victim's IP). All users on the LAN (including the Attacker) receive the ARP request, but only the Victim sends an ARP response back to UserA. The ARP response contains the Victim's IP, the Victim's MAC and UserA's MAC.

After receiving the ARP response from the Victim, UserA knows the Victim's MAC address and starts communicating and sending data to the Victim. Other users cannot see the content of the data sent between UserA and the Victim.

The Attacker wants to see the data sent between UserA and the Victim, and uses ARP spoofing. The Attacker continuously sends ARP responses containing the Victim's IP, the Attacker's MAC and UserA's MAC. Here the Attacker has replaced the Victim's MAC with its own MAC address. UserA receives the ARP response and believes that the Victim's IP 10.1.1.1 has MAC address 9:8:7:6:5:4 (the Attacker's MAC). UserA stores this information in its ARP cache. From now on the Attacker can receive all information and data that UserA sends to 10.1.1.1 (the Victim), and can see everything UserA sends to the Victim.

The Attacker can also control the whole communication between UserA and the Victim through the ARP attack. The Attacker regularly sends ARP responses that contain the IP addresses of UserA and the Victim but the Attacker's MAC address. On receiving such a packet, UserA believes the Victim has MAC address 9:8:7:6:5:4 (the Attacker's MAC), and the Victim believes UserA has MAC address 9:8:7:6:5:4 (the Attacker's MAC). The Attacker can receive everything exchanged between UserA and the Victim, and so can learn the content of their exchange.

By forging ARP packets, the Attacker can redirect all connections between two devices so that all traffic goes to its own machine, which leads to:
- Denial of service.
- Data interception.
- Eavesdropping on VoIP calls.
- Password theft.
- Data modification.

3.4.3 Limitations of the ARP spoofing attack

Only machines on the same network segment as the Attacker can be attacked. Machines on other networks cannot be attacked this way, because it is within one LAN segment that machines exchange data based on MAC addresses. HostA wants to exchange data with HostB. HostA looks in its ARP cache to find the MAC address that corresponds to HostB's IP. HostA encapsulates the data with HostA's MAC as the source MAC and HostB's MAC as the destination MAC, and then sends the data to HostB based on the packet's destination MAC.

When HostA and HostB are on different networks and want to communicate, data is delivered by IP address and has to go through a routing device, the router. HostA encapsulates the data with HostA as the source MAC and the router as the destination MAC. The packet is sent to the router, which uses the destination IP address (HostB's IP) and looks in its routing table to determine the path to HostB. A router is able to block broadcast packets. This attack therefore cannot be carried out across a WAN or the Internet, only within the same LAN.

Defending against ARP spoofing

Using commands:
- arp -a shows the ARP table on your machine; check whether B's MAC address really is B's MAC.
- arp -d * deletes the whole ARP table on your machine, so the poisoned MAC addresses are removed as well and the computer starts learning again. But if the attacking machine keeps pumping out poisoned ARP packets, deleting the ARP table is useless.
- arp -s binds the destination IP permanently to its real MAC address, so the attacker can no longer poison this IP. This is not feasible for large networks with many computers and changing IP addresses (DHCP).

Using devices:

Use DAI (Dynamic ARP Inspection). DAI works with trusted and untrusted ports on the switch. A trusted port lets all ARP packets through. An untrusted port verifies the correctness of ARP packets.

Enable DAI on VLANs:

    Switch(config)# ip arp inspection vlan [vlan_id,vlan_id,...]

Configure trusted and untrusted interfaces on the switch:

    Switch(config-if)# ip arp inspection trust

Configure DAI to drop ARP packets if the IP address is invalid:

    Switch(config)# ip arp inspection validate {[src-mac][dst-mac] [ip]}

Verify:

    Switch# show ip dhcp snooping binding
    Switch# show ip arp inspection

3.4.4 Demonstration

Preparation
- One Cisco router
- One Cisco switch
- One PC acting as the Victim
- One PC acting as the Attacker (with a sniffer installed)

Topology

Figure 3.21. ARP spoofing demonstration diagram

Procedure

This demonstration needs 3 computers running Windows XP; the Attacker machine additionally has Cain & Abel installed. On the Attacker machine, start Cain & Abel and choose the Sniffer tab. Choose Configure > select the network card connected to the system, here 192.168.1.3 > Apply > OK. Choose Start Sniffer, then Start ARP. Choose Add to list to scan all the machines on the network > OK. The result is:


Figure 3.22. ARP spoofing in Cain & Abel

Switch to the ARP tab > Add to list, select the machines to sniff > OK. Choose Start ARP once more.

Figure 3.23. Spoofing result

On the User A machine, open a Command Prompt and type telnet 192.168.1.4 (telnet to the Victim machine), logging in with username Administrator and password 123456. On the Attacker machine, in the Password tab > Telnet, in the right-hand pane, click the last line and choose View. The result is:

Figure 3.24. Captured username and password


On the User A machine, type the command arp -a to view the ARP table.

Figure 3.25. ARP table on the Victim machine
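The Dynamic ARP Inspection checks described in 3.4.3, as an added example that is not part of the original report and not Cisco's implementation: a Python model of how a switch decides on ARP packets from trusted and untrusted ports using a DHCP snooping binding table. The IP 10.1.1.1 and the MAC 9:8:7:6:5:4 (written 09:08:07:06:05:04) come from the text above; the other addresses, the port names and the ArpInspector class are constructed assumptions.

```python
"""Model of Dynamic ARP Inspection decisions on one switch (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress switch port
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: str            # "request" or "reply"
    sender_mac: str    # ARP payload fields
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpInspector:
    def __init__(self, vlans, trusted_ports, bindings,
                 validate=("src-mac", "dst-mac", "ip")):
        self.vlans = set(vlans)               # ip arp inspection vlan ...
        self.trusted = set(trusted_ports)     # ip arp inspection trust
        self.bindings = bindings              # (vlan, ip) -> (mac, port), from DHCP snooping
        self.validate = set(validate)         # ip arp inspection validate ...

    @staticmethod
    def _bad_ip(text):
        ip = ipaddress.ip_address(text)
        return ip.is_unspecified or ip.is_multicast or text == "255.255.255.255"

    def inspect(self, p):
        """Return (permitted, reason) for one ARP packet."""
        if p.vlan not in self.vlans:
            return True, "inspection not enabled on this VLAN"
        if p.port in self.trusted:
            return True, "trusted port"
        if "src-mac" in self.validate and p.eth_src != p.sender_mac:
            return False, "src-mac: Ethernet source differs from ARP sender MAC"
        if "dst-mac" in self.validate and p.op == "reply" and p.eth_dst != p.target_mac:
            return False, "dst-mac: Ethernet destination differs from ARP target MAC"
        if "ip" in self.validate and (
                self._bad_ip(p.sender_ip)
                or (p.op == "reply" and self._bad_ip(p.target_ip))):
            return False, "ip: invalid address in ARP payload"
        bound = self.bindings.get((p.vlan, p.sender_ip))
        if bound is None:
            return False, "no DHCP snooping binding for sender IP"
        if bound != (p.sender_mac, p.port):
            return False, "sender MAC/port does not match DHCP snooping binding"
        return True, "matches DHCP snooping binding"


# Constructed sample data. VICTIM_MAC and USERA_MAC are invented for the example.
VICTIM_MAC, USERA_MAC = "00:11:22:33:44:55", "00:11:22:33:44:66"
ATTACKER_MAC = "09:08:07:06:05:04"
BINDINGS = {(1, "10.1.1.1"): (VICTIM_MAC, "F0/2"),
            (1, "10.1.1.2"): (USERA_MAC, "F0/1")}
SAMPLES = [
    # Genuine reply from the Victim to UserA.
    ArpPacket("F0/2", 1, VICTIM_MAC, USERA_MAC, "reply",
              VICTIM_MAC, "10.1.1.1", USERA_MAC, "10.1.1.2"),
    # Forged reply: 10.1.1.1 claimed with the Attacker's MAC.
    ArpPacket("F0/7", 1, ATTACKER_MAC, USERA_MAC, "reply",
              ATTACKER_MAC, "10.1.1.1", USERA_MAC, "10.1.1.2"),
    # Forged reply whose ARP payload copies the Victim's MAC.
    ArpPacket("F0/7", 1, ATTACKER_MAC, USERA_MAC, "reply",
              VICTIM_MAC, "10.1.1.1", USERA_MAC, "10.1.1.2"),
    # Reply from the router on the trusted uplink (no binding needed).
    ArpPacket("F0/24", 1, "00:11:22:33:44:01", USERA_MAC, "reply",
              "00:11:22:33:44:01", "10.1.1.254", USERA_MAC, "10.1.1.2"),
]


def run_samples():
    dai = ArpInspector(vlans=[1], trusted_ports=["F0/24"], bindings=BINDINGS)
    return [dai.inspect(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (ok, why) in zip(SAMPLES, run_samples()):
        print("PERMIT" if ok else "DROP  ", pkt.port, pkt.sender_ip, pkt.sender_mac, "-", why)
```

A host with a static address has no DHCP snooping entry and falls into the "no binding" branch, so such hosts need a static binding or a trusted port before inspection is enabled.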

To defend against ARP spoofing, we use the DAI (Dynamic ARP Inspection) feature on the switch. For reasons beyond our control, the group could not implement this feature on the switch, so it is only introduced in the theory section on defending against ARP spoofing.

3.5 DNS Poisoning

3.5.1 Overview

DNS poisoning is a technique that tricks a DNS server into believing it has received correct name-to-IP resolution information when in fact it has received forged information. Attackers often use this kind of attack when they want to attack a particular network. If it happens, the consequences for the whole attacked system are severe: all resolved addresses are changed, so the information is wrong. DNS poisoning has 4 common forms: Intranet DNS spoofing (local network), Internet DNS spoofing (remote network), Proxy Server DNS poisoning and DNS cache poisoning.

Figure 3.26. DNS poisoning


3.5.2 Intranet DNS spoofing

Intranet DNS spoofing is an attack based on how DNS works, aimed at the local network. First the Attacker connects to the system and poisons the whole system by infecting it with a Trojan. The Trojan changes every user's DNS server address to an address set up by the Attacker, so when a user asks for a name to be resolved, the request goes to the Attacker's machine.

Figure 3.27. Intranet DNS spoofing

In the next step the Attacker returns a resolved IP address to the user, but that address points to a fake website created by the Attacker (possibly every resolution request from the user is resolved by the Attacker to a single IP address). On this fake website the Attacker obtains, with sniffer software, everything the user does on the site, and then uses that information against the real website to attack the whole system.

Example: a user in the system with IP address 10.0.0.3 asks to resolve a name in order to reach the real website at 200.0.0.4. If Intranet DNS spoofing takes place, the Attacker at 100.0.0.5 infects the user with a Trojan that sets the user's DNS server address to 100.0.0.5. The Attacker then resolves the website the user wants to 65.0.0.2, captures the packets the user sends there, and forwards them to the real website at 200.0.0.4.


3.5.3 DNS cache poisoning

Website address information resolved by a DNS server is stored as records in the DNS cache. When a client sends a request to reach some address, the local DNS server looks up the records in its own cache and sends the resolved address to the client. If the local DNS server's cache does not already hold the address the client asked for, the local DNS server sends a query to an external DNS server and receives the resolved address. The local DNS server then stores this information in its cache and returns the answer to the client. But if the address information in the records has been falsified, the DNS server sends the falsified addresses to the client.

Figure 3.28. DNS cache poisoning

Building on this idea, the Attacker changes the records stored on the DNS server, so the DNS server resolves to the IP address of a fake website set up by the Attacker and returns it to the client. If the DNS server does not re-verify the packets, it stores records with the wrong IP addresses.

3.5.4 Internet DNS spoofing

Internet DNS spoofing is a MITM technique used to supply wrong DNS information to a host, so that when the user browses to some address, for example abc.vn with IP X.X.X.X, the user is redirected to a fake abc.vn residing at IP address Y.Y.Y.Y, an address the attacker has set up in advance to steal the user's information. For more detail, see the figure below:


Figure 3.29. Internet DNS spoofing

The process is summarised as follows:
- At the start, the Attacker poisons the router and redirects all DNS requests to its own machine.
- The Victim machine asks to resolve the domain name abc.vn.
- The Attacker sends a DNS response resolving abc.vn to the IP of the fake website.
- When the Victim visits abc.vn, it is redirected to the fake website.
- The Attacker captures the packets, steals the Victim's information and redirects to the real website.

3.5.5 Proxy Server DNS poisoning

Proxy Server DNS poisoning is an attack based on how DNS works. In this attack the Attacker targets the proxy setting of the IE (Internet Explorer) browser. Within the network, the Attacker infects all the PCs in the system with a Trojan. The Trojan changes the proxy server in IE, so the proxy server address the user now points to is the Attacker's address. All of the user's web requests then pass through the Attacker's machine, and the Attacker sends all of these requests to a fake website it has prepared. On the fake website the Attacker captures every packet the user sends and then forwards them all to the real website.


Figure 3.30. Proxy Server DNS poisoning

For example, a user sends a request to the website at 200.0.0.4. If a Proxy Server DNS poisoning attack takes place, the Attacker at 100.0.0.5 infects the system with a Trojan. The Trojan changes the IE proxy (proxy server IP: 100.0.0.5). The web requests then pass through the Attacker.

3.5.6 Defense

DNS poisoning attacks are usually very complex, so defending against them requires combining several methods across the whole system. Some effective methods for defending against DNS poisoning:

- Resolve all DNS queries at the local DNS server. This ensures that every resolution request from users is served from the local DNS server's cache.
- Block all requests to external DNS servers. A request to an external DNS server can easily give the user wrong resolution information, because an Attacker can exploit the gap to pose as the external DNS server.


- Deploy DNSSEC. DNSSEC is a security extension of DNS. In essence it provides mechanisms that authenticate DNS data and protect its integrity. DNSSEC introduces 4 new record types:
  - DNS public key record (DNSKEY - DNS Public Key): used to authenticate the zone data.
  - Resource record signature (RRSIG - Resource Record Signature): used to authenticate the resource records in the zone data.
  - Next secure record (NSEC - Next Secure): used during validation for records that have the same owner of a resource record set, or for CNAME records. Combined with the RRSIG record to authenticate the zone data.
  - Delegation signer record (DS - Delegation Signer): establishes authentication between zones and is used for signing and validation at DNS delegation points.
- Configure the firewall to drop DNS packets going out to external DNS servers. This limits users querying external DNS servers, where an Attacker could easily feed them false DNS information.
- Restrict use of the DNS service by assigning permissions to users. This is a very effective method, because when the DNS service is not used the Attacker cannot carry out DNS poisoning.

3.5.7 Demonstration

For reasons beyond our control, the group could not demonstrate all the forms of DNS poisoning, so only one demonstration of this attack is given.

This demonstration needs 2 computers running Windows XP (Linux can also be used). The attacking machine must have Ettercap installed and a fake website already set up that looks like the real facebook.com. Both computers reach the Internet through an ADSL router with IP 192.168.1.1. Note that how to create the fake website and the database that stores passwords is not covered here; this demonstration focuses only on how the victim's access is redirected to the fake website.

Figure 3.31. DNS poisoning attack demonstration

Procedure

Open the file etter.dns in the folder C:\Program Files\EttercapNG\share on the Attacker machine. This is a fairly simple file that contains the DNS records you want to forge. Add the following lines:

    facebook.com        A     192.168.1.22
    *.facebook.com      A     192.168.1.22
    www.facebook.com    PTR   192.168.1.22

The purpose is that when the victim visits the real facebook.com, the victim is redirected to the fake website set up on the attacking machine.

Start Ettercap, choose the Sniff tab, then Unified sniffing, and select the network card connected to the system. Choose the Host tab > Scan for host to scan all the hosts on the network. When the scan finishes, choose the Host tab > Host List. Click 192.168.1.23 > Add to target 1. Click 192.168.1.22 > Add to target 2. Then choose the Start tab > Start Sniffing. Next choose the Plugin tab > Manage the plugin and double-click dns_spoof to activate the feature that sends forged DNS replies to the victim machine.

Figure 3.32. Selecting the dns_spoof feature

On the victim machine, visit the website www.facebook.com. Back on the attacking machine, the Ettercap interface shows that www.facebook.com has been redirected to the IP address of the attacking machine (which hosts the fake website).

Figure 3.33. DNS spoofing result

Capturing packets with Wireshark, we see that when the victim machine (192.168.1.23) asks to resolve the domain name facebook.com, the ADSL router responds with the address 192.168.1.22 (the address of the fake website).

Figure 3.34. Packet capture result in Wireshark

Finally, the result is:


Figure 3.35. Username and password

3.6 MAC spoofing

3.6.1 MAC spoofing

Every network device is given a fixed address by its manufacturer, the MAC address. This address distinguishes one device from another and is unique to each device. There is, however, a technique that can change this address: MAC spoofing. By changing the MAC address we can get past security methods that rely on the uniqueness of the MAC address; the methods that can be bypassed include ACLs (Access Control Lists), port-security, and so on.

3.6.2 Demonstration

To change the MAC address on a device we use the SMAC v2.7 software, installed on Windows XP.

Figure 3.36. SMAC v2.7 professional



In the blank row, open the drop-down list and choose 10NET COMMUNICATION/DCA.

Figure 3.37. Choosing 10NET COMMUNICATION/DCA

Enter the new MAC address in the empty boxes, then click Update MAC to change the MAC address.

Figure 3.38. Changing to the new MAC address

To check, we use the command ipconfig /all.

Figure 3.39. Checking the MAC address after the change


3.7 VLAN Hopping

3.7.1 Protocols that operate in a VLAN environment

VLAN encapsulation standards

When a network with interconnected switches uses several VLANs, the switches are connected by trunk links. A trunk carries frames of different VLANs at the same time. When sending a frame to another switch, the switches need a way to identify the VLAN the frame is meant for. We therefore need a standard for encapsulating frames so that switches can tell which VLAN a frame belongs to. There are 2 standards:

Inter-Switch Link (ISL)

This is a Cisco proprietary standard, so it can only be used on Cisco switches. ISL encapsulates the whole original Ethernet frame inside an ISL header. The encapsulated Ethernet frame is not changed in any way. The ISL header carries the VLAN ID, and the switch uses this VLAN ID to recognise which VLAN the incoming frame belongs to.

Figure 3.40. Inter-Switch Link

IEEE 802.1Q

IEEE 802.1Q (or simply .1Q) is a standard common to all devices, used in LAN environments. 802.1Q takes a completely different approach from ISL: it does not encapsulate the original frame but adds 4 bytes to the frame header. These 4 bytes contain the VLAN ID, and the switch uses the VLAN ID to recognise which VLAN the frame belongs to.


Figure 3.41. IEEE 802.1Q

VLAN Trunking Protocol (VTP)

VTP is a Cisco protocol used to synchronise all VLANs across switches. Consider the following example to see why VTP should be used when deploying VLANs.

Scenario: a company has 10 switches, each divided into 10 VLANs. Configuring the VLANs takes a lot of time and invites mistakes, and adding, deleting and changing VLANs makes the configuration complicated. VTP allows the VLANs to be managed more efficiently. A VLAN only needs to be created on the server; the information is distributed to the other switches, and when a VLAN changes, the switches synchronise with each other automatically.

VTP uses VTP advertisement packets to synchronise. Every 5 minutes the switches send this packet to the switches directly connected to them. By default VTP is enabled on the switch, and the protocol cannot be turned off.

Figure 3.42. VTP model


To synchronise VLAN configuration information, the following 2 conditions must be met:
- There are trunk links connecting the switches.
- The switches are in the same VTP domain.

VTP only synchronises VLAN configuration information, not ports. Ports therefore still have to be assigned to VLANs on each switch. Example: Switch A has ports F0/1, F0/2, F0/2 assigned to VLAN 10, while Switch B has ports F0/1, F0/2, F0/2 assigned to VLAN 20.

Dynamic Trunking Protocol (DTP)

DTP is a Cisco proprietary protocol. It is used to establish a trunk link and the VLAN frame encapsulation (IEEE 802.1Q or ISL) between two switches. A trunk can be configured manually between two switching devices, but with DTP the trunk is established automatically. By default DTP is enabled on Cisco switching devices. A trunk can be configured between a router and a switch, but not with this protocol, because a router does not understand DTP.

The network administrator can configure the DTP state on each trunk port. The states are On, Off, Desirable, Auto and Non-Negotiate.
- On: used when the other switch does not understand DTP.
- Off: used when the port has been configured in advance and is not intended to become a trunk port.
- Desirable: used when the switch port wants to become a trunk port.
- Auto: the default state on many switches.
- Non-Negotiate: used when the administrator wants a specific trunk type, encapsulated with ISL or IEEE 802.1Q.

On most switches, DTP on the ports is set to auto by default.

3.7.2 VLAN Hopping

VLAN hopping is a network attack method based on weaknesses of VLANs. An Attacker uses VLAN hopping to bypass layer 2 and layer 3 devices when passing traffic from one VLAN to another. The attack relies on trunk ports on the switch that are configured inappropriately. By default, trunk ports have access to all VLANs. Data carried over these trunk links can be encapsulated according to IEEE 802.1Q or ISL (Inter-Switch Link). VLAN hopping is carried out in two ways: switch spoofing and double tagging.

VLAN hopping with switch spoofing

All trunk ports have access to all VLANs. If the Attacker is connected to a trunk port, the Attacker can see all packets of all VLANs with Sniffer software. To carry out switch-spoofing VLAN hopping, the Attacker sends packets encapsulated according to Inter-Switch Link (ISL) or 802.1Q together with Dynamic Trunking Protocol (DTP) in order to establish a trunk connection to the switch. By default the DTP state of every trunk port on the switch is auto, so when the Attacker sends a DTP packet to the switch, the switch forms a trunk with the Attacker. The Attacker can then easily reach all VLANs and can send packets to, or receive packets from, any VLAN.

Figure 3.43. VLAN hopping - Switch spoofing

VLAN hopping with double tagging


This attack exploits the way switches operate. Today most switches perform only IEEE 802.1Q encapsulation. In specific situations this allows the Attacker to attach 802.1Q tags (called .1Q tags) to a frame. The frame then enters a VLAN with an unspecified outgoing .1Q tag. An important property of the double-tagging VLAN hopping attack is that it can be carried out even against ports whose trunk mode is set to Off.

Figure 3.44. VLAN hopping - Double tagging

Preventing this attack is not as easy as preventing switch-spoofing VLAN hopping. The best measure is to ensure that the VLANs of the trunk ports are kept clearly separate from the VLANs of the user ports.

3.7.3 VLAN hopping demonstration

To demonstrate the VLAN hopping attack we use the yersinia program on Ubuntu.

Figure 3.45. VLAN hopping attack with yersinia

Select the 802.1Q tab, then choose Edit mode to edit the VLAN to attack; in this demonstration it is VLAN 20.


Figure 3.46. Attacking VLAN 20

When the dialog box appears, select sending 802.1Q double enc. Packet and click OK.

Figure 3.47. Sending 802.1Q
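The two conditions section 3.7.2 describes can be checked in a switch configuration before anyone abuses them. The following is an added example, not part of the original document or of any Cisco tool: it audits an IOS-style configuration for ports where DTP can still negotiate a trunk (switch spoofing) and for trunks whose native VLAN is also a user VLAN (double tagging). The sample configuration and the function names are constructed for illustration.

```python
# Constructed sample running-config (not from the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 20
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 20
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return ports

def setting(cmds, prefix, default):
    """Value that follows `prefix` in a port's commands, else the default."""
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), default)

def audit_vlan_hopping(config):
    """Return (interface, finding) pairs for both VLAN hopping variants."""
    ports = parse_interfaces(config)
    # No explicit mode is treated as DTP auto, the default the text describes.
    modes = {n: setting(c, "switchport mode ", "dynamic auto") for n, c in ports.items()}
    # VLANs reachable from user ports (VLAN 1 when none is configured).
    user_vlans = {int(setting(c, "switchport access vlan ", "1"))
                  for n, c in ports.items() if modes[n] != "trunk"}
    findings = []
    for name, cmds in ports.items():
        if modes[name].startswith("dynamic"):
            findings.append((name, "DTP negotiation active: port can become a trunk"))
        if modes[name] == "trunk":
            native = int(setting(cmds, "switchport trunk native vlan ", "1"))
            if native in user_vlans:
                findings.append((name, f"native VLAN {native} is also a user VLAN"))
    return findings
```

On the sample, FastEthernet0/1 is reported because it has no fixed mode, and FastEthernet0/24 because its native VLAN 20 is shared with a user port.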


3.8 Spanning Tree Protocol Attack

3.8.1 Types of attack

Exploiting the weakness in message authentication, a hacker can attack by sending forged BPDUs that declare the hacker's host to be the root bridge. This is not difficult: it is enough to send a BPDU with an extremely low priority, and the host is then very likely to become the root bridge. As a result, the structure of the STP tree changes in a way the administrator did not intend. For example, once the attacker has taken over the root bridge role and receives a TCN message from a switch reporting a configuration change, the root still sends BPDUs with TC = 0, reporting that STP is in its normal state. Consequently none of the other switches learn of the change, and communication may be interrupted. Data passing between switches on different branches of the STP tree travels through the host first (man-in-the-middle attack).

Changing the structure of the STP tree:

Figure 3.48. The initial STP tree

Before the attack, the root bridge of the STP tree is Switch 1. The Attacker sends a forged message with the lowest priority (Priority 0) to Switch 3. When Switch 3 receives the BPDU on its port 3, it knows that the network topology has changed. The 3 ports on Switch 3 then move from the blocking state to the listening state so that the switch can take part in electing the root bridge, root ports and designated ports. In this state Switch 3 also sends BPDUs with priority 0 to Switch 1 and Switch 2. The election ends as follows:

- The switches regard the Attacker as the root bridge.
- On Switch 3: port 3 is chosen as the root port because it has the lowest cost to the root, so ports 1 and 2 are chosen as designated ports because they send BPDUs with a lower cost than the BPDUs sent by Switch 1 and Switch 2.
- On Switch 1: port 1 is chosen as the root port and port 2 as a designated port.
- On Switch 2: port 2 is chosen as the root port; port 1 is a non-designated port.

After choosing its root port, Switch 3 sends a TCN message through port 3 to the new root bridge to report that the network has changed. The Attacker replies to Switch 3 with a TCA message and sends BPDUs with TC=1 to all the other switches. On receiving this message, the other switches reduce the lifetime of the mappings in their cache tables to 15 s in preparation for learning new MAC addresses. All of this takes place within about 15 s (listening state). The switches wait another 15 s to relearn MAC addresses (learning state). After 30 s, root ports and designated ports are put into the forwarding state, and non-designated ports are put into the blocking state.

Figure 3.49. The altered STP tree

We can see that the structure of the tree has changed.


Man-in-the-middle attack:

Figure 3.50. Man-in-the-middle attack diagram

In the attack diagram above, the Attacker needs two network cards attached to the corresponding ports on the switches, and then sends BPDUs with a priority lower than the priority of the switches. The Attacker then becomes the root bridge.

Figure 3.51. Path of the data

Data from PC 1 to PC 2 must pass through the attacker's machine instead of travelling directly over the link between Switch 1 and Switch 2 as in the network diagram before the attack.

3.8.2 Countermeasures

The principle of defending STP is to prevent hosts from sending forged BPDUs.

Configuring BPDU guard: this setting usually accompanies the portfast setting on the same port. If the port receives any BPDU at all, it is immediately moved to the errdisable state, in which the port is shut down because of an error. The port can only operate again after the administrator intervenes, or it is restored automatically after the timeout of the errdisable state.

    ! per port: mark the user-facing port as a PortFast port
    SW(config-if)# spanning-tree portfast
    ! global configuration mode: enable BPDU guard on all PortFast ports
    SW(config)# spanning-tree portfast bpduguard default

Configuring root guard: normally, when a switch receives a BPDU from a switch whose bridge ID is better than that of its root bridge, it immediately accepts the new switch as the root bridge, which costs the network its stability. With root guard configured, when a switch port receives a BPDU advertising a better root, the port is moved to a state called root-inconsistent. In this state no data or BPDUs are sent or received through the port, but the switch still listens for BPDUs on it. Once better BPDUs are no longer received, the port returns to its normal state.

    SW(config-if)# spanning-tree guard root

3.8.3 Demonstration

This demonstration requires:

- An Attacker machine running Ubuntu with the Ettercap and Yersinia software installed.
- Two Cisco switches and 1 victim machine running Windows XP (Linux can also be used).
Figure 3.52. Demonstration topology

[Diagram labels: Root bridge; SW1 (F1/0, F1/1, F1/15 FWD; MAC c200.0ab8.0000); SW2 (F1/15 FWD, F1/2; MAC c201.0ab8.0000); Victim; Attacker (eth0, eth1)]


Before demonstrating the attack, the switches must be configured so that the Victim can telnet to both of them.

    SW2(config)# int vlan 1
    SW2(config-if)# ip address 10.0.0.2 255.255.255.0
    SW2(config)# line vty 0 15
    SW2(config-line)# password 654321
    SW2(config-line)# login
    SW2(config)# enable secret cisco

Switch 1 is configured in the same way. In the topology above, Switch 1 has a lower MAC address than Switch 2 (the default priorities are equal), so Switch 1 is elected root bridge, and the ports of both switches are in the forwarding state.

Steps:

- On the Attacker machine, start Ettercap. Select the Sniff > Bridged sniffing tab, and choose eth0 as First network interface and eth1 as second network interface. Select Start > Start sniffing, then go to the View > Connection tab.
- In a terminal, type yersinia -G to start Yersinia. Select the Edit interfaces tab and tick eth0 and eth1.
- Select Launch Attack, switch to the STP tab, and select Claiming Root Role to start sending BPDUs that impersonate the root bridge > OK.


Figure 3.53. The Attacker machine sending BPDUs

We can see that, after determining the bridge ID of the switch (c200.0ab8.0000), Yersinia automatically generates a lower bridge ID (c200.0ab7.0000) and sends it to the switch to restart the root bridge election. On Switch 1, enter the command:

    SW1# show spanning-tree vlan 1 brief

Figure 3.54. Show STP on the switch


Port f1/15 of Switch 2 is then in the blocking state. The STP tree now looks like this:

Figure 3.55. The altered STP tree

[Diagram labels: SW1 (F1/0, F1/1, F1/15 FWD; MAC c200.0ab8.0000); SW2 (F1/15 BLK, F1/2; MAC c201.0ab8.0000); Victim; Root bridge; BPDU; Attacker (eth0, eth1; MAC c201.0ab7.0000)]

On the victim machine, open Command Prompt and enter the command telnet 10.0.0.2. Log in with the password configured earlier. On the Attacker machine, in the Ettercap interface, on the Connection tab, double-click the packet with port 23 and select Join view. The result is:

Figure 3.56. Password captured in Ettercap

We observe that when port f1/15 of Switch 2 is in the blocking state, data from the victim machine has to pass through the Attacker machine instead of travelling over the link between the 2 switches.
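The two defences from section 3.8.2 can be reduced to the decision each makes on a received BPDU. The following is an added example, not code from the original document or from Cisco: it decodes an IEEE 802.1D configuration BPDU and returns the state BPDU guard or root guard would choose, using the bridge IDs seen in the demonstration. The default priority 32768, the function names and the sample BPDU are assumptions made for the example.

```python
import struct

# IEEE 802.1D configuration BPDU body: 35 bytes, big-endian.
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")

def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(".", ""))

def parse_config_bpdu(payload):
    """Decode a configuration BPDU; None for TCN or malformed input."""
    if len(payload) < CONFIG_BPDU.size:
        return None
    proto, _ver, kind, flags, root, cost, sender, *_ = CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or kind != 0x00:
        return None
    return {"root": root, "cost": cost, "sender": sender,
            "tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}

def guard_decision(payload, current_root, edge_port):
    """Port state chosen by BPDU guard (edge ports) or root guard (others)."""
    if edge_port:
        return "errdisable"          # BPDU guard: any BPDU on a PortFast port
    bpdu = parse_config_bpdu(payload)
    if bpdu is None:
        return "ignore"
    # Byte-wise comparison equals numeric comparison: priority first, MAC as tie-break.
    if bpdu["root"] < current_root:
        return "root-inconsistent"   # root guard: the superior BPDU is not accepted
    return "forward"

def sample_bpdu(root, sender):
    """Constructed test input; timers are 20 s, 2 s and 15 s in 1/256 s units."""
    return CONFIG_BPDU.pack(0, 0, 0x00, 0, root, 0, sender, 0x8001, 0, 5120, 512, 3840)

# Bridge IDs from the demonstration; priority 32768 (802.1D default) is assumed.
SW1 = bridge_id(32768, "c200.0ab8.0000")
SW2 = bridge_id(32768, "c201.0ab8.0000")
FORGED = bridge_id(32768, "c200.0ab7.0000")
```

With equal priorities the forged ID wins only because its MAC is one step lower than that of SW1, which is why root guard on ports that should never lead to the root, and BPDU guard on user ports, both stop the election from being reopened.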


PART III: SUMMARY AND EVALUATION

1. Results achieved

After studying Sniffer techniques, the group has grasped the following basics:

- A deeper understanding of protocols such as ARP, DNS, DHCP, STP, ...
- Classifying the 2 Sniffer methods: Active Sniffer and Passive Sniffer.
- Demonstrating basic Sniffer techniques in a network, such as MAC Attack, DHCP Attack, ARP Poisoning, DNS Poisoning.
- Deploying Sniffer countermeasures: Port Security, DHCP Snooping, Dynamic ARP Inspection.
- Using software that supports network monitoring.

Limitations: the report is complete, but a deeper understanding of network attack types requires a long period of study. Because the time available for the project did not allow this and our own knowledge is limited, weaknesses and omissions remain, and we will try to improve further.

2. Future work

Building on this project, we will study further network attack techniques such as Footprinting, Scanning, Phishing, ... From there we can gradually master the network system, strengthen its security, and respond to incidents as they occur.
