Tuesday 6 August 2013

How to detect NIC working in Promiscuous mode?

Let’s start with how a NIC (Network Interface Card, or LAN card) works. Every NIC has a 6-byte hardware address, better known as its MAC address. The manufacturer assigns this address so that each one is unique in the whole world (as we all know, 3 bytes come from the IEEE and 3 bytes from the manufacturer), and the NIC accepts and processes packets based on this MAC address. To process packets, every NIC uses two kinds of filters: 1.) hardware filters and 2.) software filters, which are defined below.
1.)    Hardware Filters – these filters are set up and controlled by the NIC and its driver to receive different kinds of packets. The following filters exist:
a.)    Unicast – receives all packets whose destination MAC is the hardware address of the NIC.
b.)    Broadcast – receives all packets whose destination MAC is FF:FF:FF:FF:FF:FF.
c.)    Multicast – receives all packets whose destination is a multicast group address that is already registered in the NIC’s multicast list.
d.)    All Multicast – receives all packets whose destination is any multicast address (every MAC with the group bit set to 1).
e.)    Promiscuous – receives all packets, ignoring the destination address.

2.)    Software Filters – software filters are used by the OS kernel to accept or reject packets. They depend on the OS and categorise packets by their destination address; the categories differ between operating systems, but commonly we have the following types:
a.)    Broadcast Packets – destination FF:FF:FF:FF:FF:FF
b.)    Multicast Packets – destination any MAC with the group bit set to 1, except broadcast
c.)    To Self Packets – destination the hardware address of the NIC
d.)    To Other Packets – destination a MAC other than the hardware address of the NIC
Whenever a packet arrives at the NIC it is checked against the hardware filter first; if it is acceptable it is forwarded to the software filter and categorised accordingly. If it falls into an acceptable category it is passed to the upper layers for processing, and a response, if any, is sent back to the source.

Difference between Normal Mode & Promiscuous Mode working of a NIC :- In normal mode a packet has to pass both filters, but in promiscuous mode the hardware filter accepts every packet and only the software filter applies. Sniffers and Intrusion Detection Systems (IDS) enable promiscuous mode on the NIC, so if you want to detect a sniffer in your network you need to detect a NIC working in promiscuous mode.

Now we come to the actual discussion: how do we detect a NIC working in promiscuous mode?
From the discussion above it is clear that to check whether a NIC is in promiscuous mode we need to send it a crafted packet that the hardware filter is supposed to reject but the software filter accepts. If we get a response to such a packet, the NIC is working in promiscuous mode.

The following test methods can be used to detect a NIC working in promiscuous mode.
1.)    ICMP Test – send an ICMP echo request to a bogus destination MAC address but the correct IP address of the NIC. If we get a reply from the NIC, it is working in promiscuous mode.

All broadcast and multicast packets are accepted by the software filter, but the OS kernel commonly does not check all 48 bits to decide whether an address is broadcast or multicast. Based on this, any of the following addresses (or similar ones) can be used as the bogus MAC address:
FF:FF:FF:FF:FF:FE – fake broadcast address (47 bits)
FF:FF:0:0:0:0 – fake broadcast address (16 bits)
FF:0:0:0:0:0 – fake broadcast address (8 bits)
01:0:0:0:0:0 – MAC address with the group bit set to 1
01:00:5E:00:00:00 – multicast 0 address
2.)    ARP Test – the same technique as the ICMP test, but using an ARP request instead of an ICMP request.
3.)    DNS Test – inject crafted packets with non-existent IP addresses as source and destination, then start capturing network traffic. Some sniffers have an option to resolve IP addresses to host names by reverse query if it is configured in the network, so nodes that are sniffing traffic will start sending reverse queries for the non-existent IPs, which can easily be spotted in your capture.
4.)    Latency Test – flood the network with specially crafted packets that can only be captured by a NIC in promiscuous mode, then check the responsiveness of the target NIC.
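The following Python model of the two filters is an added illustration, not code from the original post. It runs the five bogus addresses listed under the ICMP test through a NIC in normal mode, a promiscuous NIC whose kernel only inspects the first octet, and a promiscuous NIC whose kernel compares all 48 bits; OWN is a constructed sample hardware address.

```python
# Added model of the hardware and software filters described above (not the
# original post's code). It shows why the listed bogus destination MACs draw
# a reply only from a promiscuous NIC whose kernel skips the full 48-bit check.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    """Parse text such as 'FF:FF:0:0:0:0' (short octets allowed) into 6 bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %s" % mac)
    return bytes(int(p, 16) for p in parts)

def hardware_filter(dst, own_mac, promiscuous, multicast_list=()):
    """Unicast + broadcast + registered multicast; promiscuous accepts all."""
    if promiscuous:
        return True
    d = mac_bytes(dst)
    if d in (mac_bytes(own_mac), mac_bytes(BROADCAST)):
        return True
    # The group bit is the least significant bit of the first octet.
    return bool(d[0] & 1) and d in [mac_bytes(m) for m in multicast_list]

def software_filter(dst, own_mac, strict, multicast_list=()):
    """Return (category, accepted). strict=True compares all 48 bits;
    strict=False only inspects the first octet, the shortcut the bogus
    addresses rely on."""
    d = mac_bytes(dst)
    if d == mac_bytes(own_mac):
        return "to-self", True
    if d == mac_bytes(BROADCAST) or (not strict and d[0] == 0xFF):
        return "broadcast", True
    if d[0] & 1:
        joined = d in [mac_bytes(m) for m in multicast_list]
        return "multicast", joined or not strict
    return "to-other", False

def would_reply(dst, own_mac, promiscuous, strict, multicast_list=()):
    """A host answers only when both filters accept the frame."""
    if not hardware_filter(dst, own_mac, promiscuous, multicast_list):
        return False
    return software_filter(dst, own_mac, strict, multicast_list)[1]

BOGUS = ["FF:FF:FF:FF:FF:FE", "FF:FF:0:0:0:0", "FF:0:0:0:0:0",
         "01:0:0:0:0:0", "01:00:5E:00:00:00"]
OWN = "00:11:22:33:44:55"  # constructed sample hardware address

if __name__ == "__main__":
    for mac in BOGUS:  # columns: normal NIC, promiscuous/lax, promiscuous/strict
        print(mac, [would_reply(mac, OWN, p, s) for p, s in
                    ((False, True), (True, False), (True, True))])
```

A genuine broadcast or the NIC's own address draws a reply in every mode, which is why those are useless as probes and the test needs an address that only a lax kernel misclassifies.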

None of these techniques is a guaranteed method of detecting a NIC in promiscuous mode, but by using multiple tests of different kinds we can increase the reliability of the result.

I hope this will help you detect sniffers or promiscuous-mode NICs in your network :-)

Thursday 25 July 2013

Tabnabbing - Another Way of Phishing

Tabnabbing is a type of phishing attack. Let’s discuss how it works. Suppose you are working with multiple tabs in your browser and one of them has opened a normal-looking website that is hosted or compromised by an attacker. When that tab stays inactive for some time, the page in it makes your browser replace the favicon, page title and page content with a look-alike login page of one of the services you use. Whenever you switch back to this inactive tab you get the spoofed login page. Because it looks like the real thing, if you don’t check the URL carefully (which is very common: a regular visitor of a site identifies it by its look, and checks the URL at the beginning of a session but hardly at all during it) and proceed to log in, assuming you opened this page earlier but forgot to log in, your credentials are submitted to the attacker’s website, after which he redirects you to the original website.
Example :- I am working with multiple tabs in my browser: Tab_1 – Gmail, Tab_2 – Google, Tab_3 – w.x.y.z, Tab_4 – Microsoft, as shown in the following picture.

Now suppose Tab_3 goes inactive for a few minutes because I was working in other tabs. Here the attacker’s tabnabbing script comes into play: when it senses that the tab has lost focus and has been inactive for a while, it makes Tab_3 replace its favicon, page title and page content with the Gmail login page. When I switch to Tab_3 I find the Gmail login page with the Gmail favicon and page title, as shown in the following picture (as highlighted with a circle in the picture, the URL is not correct, but this attack relies on the assumption that we generally don’t check the URL during a session, and because of the look and feel it passes for the original login page).

After getting this page I may think that I opened Gmail and forgot to log in, so I proceed with the login; my user name and password are submitted to the attacker’s URL, and then he redirects me to the original Gmail. As I already have an active session with Gmail in Tab_1, my account loads successfully in Tab_3 as well.
Note:- To make this attack more effective, attackers first collect information about your browsing habits, such as which sites you visit (email, Internet banking, social networking, etc.), and then host a normal-looking website carrying the tabnabbing script. This normal-looking website can be advertised or promoted by any method to lure you into visiting it.

I hope this article will help you understand tabnabbing and how it works :-)