
Some questions on ISP's and Sniffing Across Internet?

<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sun Dec 12, 2010 8:03 am

Some questions on ISP's and Sniffing Across Internet?

I have some questions for which I am struggling to find answers.

1) I am sure most of you know what a reflective DDoS and IP spoofing are. I am wondering why ISPs (as far as I know) are not enabling
ingress and egress filtering on their border routers to prevent these kinds of attacks originating from their networks?

Because when I tested from my ISP by sending forged IP packets, I was able to send them across my ISP's network. I don't know why most ISPs don't care about this...

2) I am tired of reading tutorials on sniffing, because I personally believe the tools and tutorials we are using for sniffing are outdated; network security is very high these days.

They have the following:
i) ARP watches to watch for deviations in the MAC tables of the switches or routers..

ii) Modern Cisco routers and switches (which are very hard to flood)

iii) Also, nowadays SSL stripping is almost impossible, as companies have started to validate the root certificate by installing client software on the victim PC,

iv) No more usage of hubs and unmanaged switches in the modern network

v) Presence of NIDS, NIPS, HIPS, NIPS and even the presence of some anti-virus suites like Kaspersky making our job tough...

I don't know how we can overcome the above difficulties and successfully sniff around a secured network. If you have any bypasses for the above security mechanisms, please feel free to share here...

3) To be honest, I only know sniffing from a LAN. I never did sniffing over the Internet and I don't know how to do that. I am very much interested in understanding sniffing of network devices over the Internet. I am sure it is definitely possible; I hope someone will link me to some nice articles for understanding this remote sniffing thing...


I hope someone will answer my queries and guide me in the correct way..
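The ingress and egress filtering asked about in question 1 is source-address validation (RFC 2827 / BCP 38). The following is an added illustration, not code from the thread or from any ISP: a toy filter that decides, for packets arriving on a customer port or on the Internet-facing border, whether the claimed source address is plausible. The prefixes and sample packets are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed example (not from the thread): the prefix an ISP routes to one
# customer port, and ranges that should never appear as a source address on
# the Internet side. 203.0.113.0/24 is an RFC 5737 documentation range.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def check_from_customer(src, assigned=CUSTOMER_PREFIXES):
    """Ingress filter on the customer-facing port (RFC 2827 / BCP 38):
    a packet may only enter the ISP if its source address belongs to a
    prefix assigned to that port. A forged source, which is what a
    reflective DDoS depends on, fails this check at the first hop."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, assigned):
        return "pass"
    return "drop: source not in assigned prefix"


def check_from_internet(src, assigned=CUSTOMER_PREFIXES):
    """Filter on the Internet-facing border: a packet arriving from outside
    must not claim one of our own prefixes or a bogon range as its source."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, assigned):
        return "drop: claims our own prefix from outside"
    if _in_any(ip, BOGONS):
        return "drop: bogon source"
    return "pass"


def apply_filters(packets):
    """packets: iterable of (arrival, src) with arrival 'customer' or
    'internet'. Returns a list of (src, verdict) for review."""
    verdicts = []
    for arrival, src in packets:
        if arrival == "customer":
            verdicts.append((src, check_from_customer(src)))
        else:
            verdicts.append((src, check_from_internet(src)))
    return verdicts


if __name__ == "__main__":
    # Constructed traffic: a legitimate customer packet, one with a forged
    # source (the would-be victim's address), and two inbound packets.
    SAMPLE = [
        ("customer", "203.0.113.25"),
        ("customer", "198.51.100.7"),
        ("internet", "192.0.2.9"),
        ("internet", "203.0.113.4"),   # our own prefix arriving from outside
    ]
    for src, verdict in apply_filters(SAMPLE):
        print(f"{src:16} {verdict}")
```

The "per customer" cost rattis mentions later in the thread is visible here: the assigned prefix list has to be correct for every port, or legitimate traffic is dropped.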
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Sun Dec 12, 2010 2:26 pm

Re: Some questions on ISP's and Sniffing Across Internet?

A few comments about your questions:

manoj9372 wrote: 2) I am tired of reading tutorials on sniffing, because I personally believe the tools and tutorials we are using for sniffing are outdated; network security is very high these days.


You would be surprised to know how many organizations are not aware of the dangers of an attacker sniffing their network, and don't implement any kind of protection against this. So sniffing is still very real nowadays.

manoj9372 wrote: iii) Also, nowadays SSL stripping is almost impossible, as companies have started to validate the root certificate by installing client software on the victim PC,


I don't agree on this either. Most of the common users will click OK/Continue on the presence of any warning window, even without reading what it's about.

manoj9372 wrote: v) Presence of NIDS, NIPS, HIPS, NIPS and even the presence of some anti-virus suites like Kaspersky making our job tough...


IDS/IPS are only as good as the signatures they are using and the people monitoring their alerts. I've seen many organizations placing their IDS/IPS product without doing any kind of tuning/customization and expecting it to be their silver bullet.

manoj9372 wrote: 3) To be honest, I only know sniffing from a LAN. I never did sniffing over the Internet and I don't know how to do that. I am very much interested in understanding sniffing of network devices over the Internet. I am sure it is definitely possible; I hope someone will link me to some nice articles for understanding this remote sniffing thing...


Then you need to read more of those outdated sniffing tutorials you mention to understand the theory behind them.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Dec 12, 2010 3:14 pm

Re: Some questions on ISP's and Sniffing Across Internet?

I'd considered writing a detailed reply here, but due to time, will have to let it wait until later.  That said, though, manoj9372, I've personally been in MANY a Fortune 500 or larger account, in recent past, where many of the flaws which you're saying shouldn't be present, are, and are easily reachable / exploitable.

Fact is, although you'll have good security folks in many of these companies, too often they have too many responsibilities and systems to maintain, and they overlook or simply don't account for the obvious.  That's exactly why PCI DSS and others REQUIRE pentests and audits, to be able to help folks see what they've missed, and remediate.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Dec 12, 2010 3:30 pm

Re: Some questions on ISP's and Sniffing Across Internet?

1) It adds overhead, and the majority of the ISPs don't have the time to deal with it. They have enough problems keeping customers as it is. Look at the negative feedback that happened when Comcast was doing deep packet filtering on BT traffic.

I, and others I've worked with, have left ISPs because of ports being blocked.

2) Keep reading.
i: There are ways around that. MAC cloning is the first thing that comes to mind.

ii: Who needs to flood it. There are some other things you can try. Just because things have patches available doesn't mean that they've been patched.

iii: As mambru said, users are the weakest link. Where I worked, I goofed up updating the SSL certs 2 weeks ago. Left out the Thawte verification chain. Lots of connections to those servers, but only 4 people called about it.

iv: What makes you think that hubs and dumb switches aren't used on modern networks? Any place with a conference room will more than likely have those. So will any spot where more than 1 person needs to work and corporate wireless is not included. Also, using hubs is a quick and easy way to put an IDS on the network.

3) Build a network at home, and get cracking. Learn how to build taps.

Things worth looking at:
Hacking Exposed series of books. ( cisco networks, wireless, etc).
Professional Penetration Testing
Security+ Deluxe study guide
Hacking For Dummies
Hacking Dojo
Offensive Security
OSWP, Sec+
<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sun Dec 12, 2010 4:06 pm

Re: Some questions on ISP's and Sniffing Across Internet?

Thanks for your reply sir,
rattis wrote: 1) It adds overhead, and the majority of the ISPs don't have the time to deal with it. They have enough problems keeping customers as it is. Look at the negative feedback that happened when Comcast was doing deep packet filtering on BT traffic.

I, and others I've worked with, have left ISPs because of ports being blocked.


If possible, can you tell me what kind of issues will be created if our ISP enables ingress and egress filtering on their border routers?

If possible, please link me to such documents...

rattis wrote: 2) Keep reading.
i: There are ways around that. MAC cloning is the first thing that comes to mind.

ii: Who needs to flood it. There are some other things you can try. Just because things have patches available doesn't mean that they've been patched.

iii: As mambru said, users are the weakest link. Where I worked, I goofed up updating the SSL certs 2 weeks ago. Left out the Thawte verification chain. Lots of connections to those servers, but only 4 people called about it.

iv: What makes you think that hubs and dumb switches aren't used on modern networks? Any place with a conference room will more than likely have those. So will any spot where more than 1 person needs to work and corporate wireless is not included. Also, using hubs is a quick and easy way to put an IDS on the network.


I want to ask you one thing, sir.

Tell me from your experience, sir: don't corporates have ARP watches installed on the network to monitor deviations in the MAC table?

Because even if we clone the MAC address, it will cause a deviation in the MAC table of the switch/router.

Am I right or wrong?

Also tell me from your experience: aren't the IDS (i.e. any HIDS/NIDS) on the networks equipped with such a signature or pattern?

I know signatures are there, but I want to know whether they are actually being implemented by companies.

Also you said "There are some other things you can try. Just because things have patches available doesn't mean that they've been patched."

Can you tell me them please, at least at a glance or in short, so that I can try to research them in my free time..

Also sir, I am not looking at sniffing some ordinary network like a school, college or some wifi; I am willing to try sniffing on a secured network. If my target was a low-profile network, I would be happy with the old techniques. That is why I am asking here; if possible, suggest me some ideas sir.. :D


hayabusa wrote: I'd considered writing a detailed reply here, but due to time, will have to let it wait until later. That said, though, manoj9372, I've personally been in MANY a Fortune 500 or larger account, in recent past, where many of the flaws which you're saying shouldn't be present, are, and are easily reachable / exploitable.

Fact is, although you'll have good security folks in many of these companies, too often they have too many responsibilities and systems to maintain, and they overlook or simply don't account for the obvious. That's exactly why PCI DSS and others REQUIRE pentests and audits, to be able to help folks see what they've missed, and remediate.


Thank you sir,

But I would like to have a brief explanation, sir, because I am looking forward to understanding things in detail. If possible, reply here in your free time or whenever possible; if you would reply I will be glad ::)

mambru wrote: A few comments about your questions:

manoj9372 wrote: 2) I am tired of reading tutorials on sniffing, because I personally believe the tools and tutorials we are using for sniffing are outdated; network security is very high these days.

You would be surprised to know how many organizations are not aware of the dangers of an attacker sniffing their network, and don't implement any kind of protection against this. So sniffing is still very real nowadays.


Yes sir, from your reply I guess it would be some low-profile networks; what if the network is high profile or highly secured?

Because I would like to have some challenge or fun by sniffing a secured network,

mambru wrote:
manoj9372 wrote: iii) Also, nowadays SSL stripping is almost impossible, as companies have started to validate the root certificate by installing client software on the victim PC,

I don't agree on this either. Most of the common users will click OK/Continue on the presence of any warning window, even without reading what it's about.


I think you didn't get my question correctly, sir.

Assume like this: you have installed a VPN client on your PC; when you click connect it will connect to the VPN server automatically. Also in that scenario I think you won't need to click to confirm certificates, because it will be done automatically inside the client. Also sir, besides sniffing browser-based SSL traffic, have you sniffed SSL VPN traffic?

If yes, I would like to have a bit of information from your experience...

mambru wrote:
manoj9372 wrote: v) Presence of NIDS, NIPS, HIPS, NIPS and even the presence of some anti-virus suites like Kaspersky making our job tough...

IDS/IPS are only as good as the signatures they are using and the people monitoring their alerts. I've seen many organizations placing their IDS/IPS product without doing any kind of tuning/customization and expecting it to be their silver bullet.


You are correct here sir, but most IDS/IPS in networks don't have a signature to detect sniffing?
Just wondering, ???

mambru wrote:
manoj9372 wrote: 3) To be honest, I only know sniffing from a LAN. I never did sniffing over the Internet and I don't know how to do that. I am very much interested in understanding sniffing of network devices over the Internet. I am sure it is definitely possible; I hope someone will link me to some nice articles for understanding this remote sniffing thing...

Then you need to read more of those outdated sniffing tutorials you mention to understand the theory behind them.


Hmmm, I know about sniffing from a LAN, sir. In LAN sniffing we just change the MAC address to the MAC address of the default gateway, and as we are on the same subnet the switch/router's traffic passes through us and reaches the victim. But how is this possible over the Internet?

I don't know how it is done; if possible, please link me to a tutorial on SNIFFING OVER INTERNET...

Also, believe it or not, I have seen guys who can strip the IPsec traffic passing between networks; they are decrypting the traffic passing through them and passing it on without breaking the encryption. But all I can do is be amazed; I don't have any idea how they managed to do it, because as far as I know IPsec has verification headers... ???
But I don't know their logic....

This is also one of the reasons that makes me much more interested in thinking about modern sniffing methods..

Hope I will find some help here :o
Last edited by manoj9372 on Sun Dec 12, 2010 4:15 pm, edited 1 time in total.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Dec 12, 2010 5:56 pm

Re: Some questions on ISP's and Sniffing Across Internet?

The quote tag works better than the code tag.

manoj9372 wrote: If possible, can you tell me what kind of issues will be created if our ISP enables ingress and egress filtering on their border routers?


No documentation. It's been too long since I worked at an ISP. But money talks. So if you did the filtering, you'd probably have to do it per customer. Otherwise you will have customers leave. Example: I run my own servers from home. LAMP based and shell for testing work servers. Some ISPs block port 25 to minimize spam. That's great, so now I have to use their mail server. But what if I have to send something from my domain? I don't want @isp.whatever showing up.

Then it's a case of blocking home users one way, and business users another way. That means knowing what needs to be where, what "exceptions" have to be in place, and trusting that everything will get it right.

When I was working at the 2 global ISPs that I did, we had a hard enough time keeping the connections and circuits up to our clients to worry about doing filtering on the egress and ingress routers.

manoj9372 wrote: Tell me from your experience, sir: don't corporates have ARP watches installed on the network to monitor deviations in the MAC table?

Because even if we clone the MAC address, it will cause a deviation in the MAC table of the switch/router.


Yes and no. The network I maintain didn't have ARP watchers for 4 years. Even now, I've only been able to put them in 2 of the 4 offices.

It also depends on the company. My previous employer, a large automotive company, used laptops. So they expected to see our boxes move around and show up on different ports.

Even then, vendors, sales people, auditors, etc. usually get to plug in. So having random MAC addresses show up might get someone from Network or Security to stop by and check it out. But that's assuming they see it. Other than having 2 of the same MAC on the network at the same time, I don't think most people will notice.

manoj9372 wrote: Also tell me from your experience: aren't the IDS (i.e. any HIDS/NIDS) on the networks equipped with such a signature or pattern?


How is the IDS configured? Is it even configured? When I was at the auto company, I used to use SSH over 443 to hit my home system to tunnel HTTP traffic. In the year I was there, no one came and talked to me about it.
OSWP, Sec+
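What an ARP watcher of the kind discussed above actually reports, as an added example that is not code from the thread or from the arpwatch project: it replays a constructed list of ARP replies and raises the alert types arpwatch uses ("new station", "changed ethernet address", "flip flop"), plus a "duplicate mac" alert for the case rattis singles out, one MAC answering for two IPs at the same time. The IPs and MACs are made up; which alerts deserve a visit from Network or Security is left to the reader.

```python
from collections import defaultdict

# Constructed sample (not a real capture) of ARP replies as seen by a
# passive monitor on the segment: (seconds, sender IP, sender MAC).
SAMPLE = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),  # default gateway
    (1,  "192.168.1.10", "00:11:22:33:44:0a"),
    (2,  "192.168.1.11", "00:11:22:33:44:0b"),
    (60, "192.168.1.1",  "00:11:22:33:44:0b"),  # gateway IP now answered by .11's MAC
    (65, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway answers again
    (70, "192.168.1.1",  "00:11:22:33:44:0b"),
]


def watch_arp(observations):
    """Replay arpwatch-style checks over ARP observations and return alerts
    as (time, kind, subject, detail). Kinds follow arpwatch's report names
    ('new station', 'changed ethernet address', 'flip flop') plus
    'duplicate mac' for one MAC answering for more than one IP."""
    current = {}                  # ip -> MAC it is currently bound to
    previous = {}                 # ip -> MAC it was bound to before that
    owners = defaultdict(set)     # MAC -> set of IPs it has answered for
    alerts = []
    for t, ip, mac in observations:
        mac = mac.lower()
        if ip not in owners[mac]:
            owners[mac].add(ip)
            # One MAC answering for two IPs at once is how a cloned gateway
            # MAC looks from the wire; proxy ARP is the benign explanation.
            if len(owners[mac]) > 1:
                alerts.append((t, "duplicate mac", mac, sorted(owners[mac])))
        old = current.get(ip)
        if old is None:
            alerts.append((t, "new station", ip, mac))
        elif old != mac:
            # Returning to a MAC seen earlier for this IP is a "flip flop":
            # two stations alternately answering for the same address.
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            alerts.append((t, kind, ip, f"{old} -> {mac}"))
            previous[ip] = old
        current[ip] = mac
    return alerts


def suspicious(alerts):
    """Alerts worth a human look: anything other than a first sighting.
    A laptop that moved ports produces none of these; a second station
    answering for the gateway produces a flip flop every time it does."""
    return [a for a in alerts if a[1] != "new station"]


if __name__ == "__main__":
    for t, kind, subject, detail in watch_arp(SAMPLE):
        print(f"t={t:<3} {kind:24} {subject} {detail}")
```

The watcher only sees what crosses its own segment, which is why rattis could cover just 2 of 4 offices: a monitor port or tap is needed per segment, as the thread's "learn how to build taps" advice suggests.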
<<

mallaigh

Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Tue Dec 14, 2010 5:15 pm

Re: Some questions on ISP's and Sniffing Across Internet?

All the "sir"s make reading your replies very difficult, but I will throw out some things for you to think about.

1) Because newer/better technology exists, that doesn't mean it is being used. The larger the corporation, the cheaper they become. Large corporations are focused on the bottom line. So if old technology still functions, the people calling the shots often believe there is no reason to upgrade. At a previous employer (of 6 years), I only recall one upgrade to the network, which resulted from some legal issues.

2) Because newer/better technology is in place, that doesn't mean it has been configured properly. I'm sure everyone has their stories of software/network appliances that were left with default configurations and (could have) allowed an attacker (pentester or malicious) to just skate past. An admin may not be familiar with the equipment or software. They might just not know better, or they just trust the default settings to be the "best" option.

3) Generally, there are exceptions to rules. At previous employers, I have seen management use "their discretion" to disregard company policies. Just an example: Manager Larry tells Admin Bob to add his personal laptop to the company network (generally a "no no"). I know this only indirectly applies to your OP, but you cannot discount the human element.

4) As hayabusa said, IT/SystemAdmins are usually very busy managing multiple systems. Actively checking logs and monitoring systems is generally a luxury.

Those are a few things I could think of to address the concerns in your original post. Definitely, there is some really cool technology available, but for various reasons I doubt you will see it (all) applied. You could always run a port scan on your Internet-facing IP, not only to see what is open, but also to see if your ISP filters the traffic or sends you any kind of communique.
Last edited by mallaigh on Tue Dec 14, 2010 8:33 pm, edited 1 time in total.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 14, 2010 6:00 pm

Re: Some questions on ISP's and Sniffing Across Internet?

mallaigh wrote:4) As hayabusa said, IT/SystemAdmins are usually very busy managing multiple systems.  Actively checking logs and monitoring systems generally is a luxury.


These are the times I usually recommend a good SIEM solution, like Novell's Sentinel, ManageEngine's EventLogManager (which I have little experience with) or others.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

mallaigh

Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Tue Dec 14, 2010 8:54 pm

Re: Some questions on ISP's and Sniffing Across Internet?

hayabusa wrote:
mallaigh wrote:4) As hayabusa said, IT/SystemAdmins are usually very busy managing multiple systems.  Actively checking logs and monitoring systems generally is a luxury.


These are the times I usually recommend a good SIEM solution, like Novell's Sentinel, ManageEngine's EventLogManager (which I have little experience with) or others.


For sure. Depending on the industry, SIEM is not only recommended but required. Then again, configurations and those receiving the alerts could come into play.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 14, 2010 11:10 pm

Re: Some questions on ISP's and Sniffing Across Internet?

Definitely. I was more referring to making recommendations, as the outside auditor / pentester, in situations where we find it obvious that log data is getting missed or overlooked.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH