1. INTRODUCTION:-
A Sniffer
is a program or a device that eavesdrops on the network traffic by grabbing
information traveling over a network. Sniffers basically are "Data Interception" technology. They work
because the Ethernet was built around a principle of sharing. Most networks use
broadcast technology wherein messages for one computer can be read by another
computer on that network. In practice, all the other computers except the one
for which the message is meant, will ignore that message. However, computers
can be made to accept messages even if they are not meant for them. This is done by means of a Sniffer!
Many people assume computers connected to a switch are safe from sniffing. They
are not. A switch defeats purely passive capture, but the active techniques
described in section 3 (ARP spoofing, MAC flooding) make hosts on a switched
segment sniffable as well; the switch raises the bar, it does not remove it.
2. How a Sniffer works?
A computer
connected to the LAN has 2 addresses. One is the MAC
(Media Access Control) address that uniquely identifies each node in a network
and is stored on the network card itself. It is the MAC address that gets used
by the Ethernet protocol while building `frames' to transfer data to and from a
machine.
The other is the
IP address which is used by applications. The
Data Link Layer uses an Ethernet header with the MAC address of the destination
machine rather than the IP Address. The Network Layer is responsible for
mapping IP network addresses to the MAC address as required by the Data Link
Protocol.
It initially looks up the MAC address of the destination machine in a table,
usually called the ARP (Address Resolution Protocol) cache. If no entry is found
for the IP address, ARP broadcasts a request packet (ARP request) to all machines
on the network. The machine with that IP address responds to the source machine
with its MAC address. This MAC address is added to the source machine's ARP cache
and is then used in all communication with the destination machine until the
entry expires.
There are two basic types of Ethernet environment, and how sniffers work in each
of them differs slightly.
SHARED ETHERNET:
In a shared Ethernet environment, all
hosts are connected to the same bus and compete
with one another for bandwidth. In such an
environment packets meant for one machine are received by all the other
machines.
Thus when a machine Venus wants to talk to Cupid in such an environment, it sends
a frame on the network with the destination MAC address of Cupid along with its
own source MAC address. All the computers on the shared Ethernet compare the
frame's destination MAC address with their own. If the two don't match, the frame
is quietly discarded.
A machine running a sniffer breaks this rule and accepts all frames. Such a
machine is said to have been put into promiscuous mode and can effectively listen
to all the traffic on the segment. Sniffing in a shared Ethernet environment is
totally passive and hence extremely difficult to detect.
SWITCHED ETHERNET:
An Ethernet environment in which the hosts are connected to a switch instead of a
hub is called a Switched Ethernet. The switch maintains a table (often called the
CAM table) that maps each learned MAC address to the physical port on which it was
seen, and delivers a frame only to the port of its destination MAC address. The
switch therefore does not repeat every frame to all machines on the network, as
the hub in the previous case does; it floods a frame to all ports only when the
destination MAC is unknown or is a broadcast or multicast address.
As a result, simply putting the machine into promiscuous mode no longer yields
other hosts' unicast traffic, and many experienced systems administrators fall
into the belief that switched networks are secure and cannot be sniffed.
Why has the Internet been vulnerable to sniffers for so long?
The situation
has taken this long to fix for a number of reasons.
Part of the problem is that software companies are fighting their own battles for
market share and trying to bring users fancy new features. Vendors say they prefer
delivering "user friendly" systems over ones that come with tight security
features, which often make the systems harder to set up or less convenient to use.
(It is often said that security is inversely proportional to ease of use.) This is
the same logic car manufacturers used in the early 1900s to justify not installing
seat belts in all vehicles sold.
Part of the problem is the added cost of Ethernet switches, hubs, interface cards
that don't support promiscuous mode, and new software. If there is barely enough
money to buy the cheapest hardware to get a minimal network up and running, and
practically none for skilled network administrators, it's going to be very hard
to have a secure network. With security, you [don't] get what you [don't] pay for.
Part of the problem is incompatibilities -- vendor A software to vendor B
software, and older software to newer software -- between software products.
Often the priorities for dealing
with these problems are set by "market
forces" -- in other words "money"; they don't have
enough, or you won't pay enough -- and software vendors set these priorities in
response to user demand, or the company's perception of user demand. More
people want a new widget in their word processor, or support for some new sound
card or 62X CD-ROM drive, than are asking for abolishing clear text passwords
in network services and other security features.
One thing is certain. You can be
sure that as more of our economic, academic, and personal lives are lived on
ever more interconnected computer networks, the more responsibility we have to
protect our online assets and our privacy.
Either that or we had better be
prepared to lose them.
3. METHODS TO SNIFF ON A SWITCH
3.1 ARP Spoofing:
We have explained earlier how ARP is used to obtain the MAC address of the
destination machine with which we wish to communicate. ARP is stateless: a host
accepts an ARP reply even if it never sent the corresponding request, and updates
its cache accordingly. So when you want to sniff the traffic originating from
machine Venus, you ARP-spoof the gateway of the network, i.e. you keep telling
Venus that the gateway's IP address is at your MAC address.
The ARP cache of Venus now has a wrong entry for the gateway and is said to be
poisoned. All the traffic Venus sends to the gateway passes through your machine.
To see the replies as well, poison the gateway's cache in the same way, so that
its frames for Venus also come to you. Another trick is to poison a host's ARP
cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (the broadcast
MAC): the host's frames for the gateway then go out as Ethernet broadcasts, which
the switch floods to every port, including yours (whether the gateway still
forwards packets that arrived as broadcasts depends on its IP stack). An excellent
tool for this is the arpspoof utility which comes with the dsniff suite. Using
arpspoof to poison the ARP cache of a machine is accomplished by giving the
command
[root@tachyon dhar]# arpspoof -t 203.199.66.243 203.199.66.193
0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply \
203.199.66.193 is-at 0:80:ad:7c:7:3a
0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply \
203.199.66.193 is-at 0:80:ad:7c:7:3a
The -t flag specifies the target whose ARP cache we wish to poison and the other
argument is the IP address of the gateway we wish to impersonate (arpspoof resends
the forged reply every couple of seconds so the entry does not expire, and puts
the real mapping back when it exits). So now all the data destined for the gateway
from the target machine will pass through our machine. Before you do this, it is
essential to turn on IP forwarding on your machine, so that the packets you
receive are relayed to the real gateway. You can do this by giving the command:
[root@tachyon dhar]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@tachyon dhar]# cat /proc/sys/net/ipv4/ip_forward
1
[root@tachyon dhar]#
If the cat command returns a value of 1, IP forwarding has been enabled; if it
returns 0, it has not. This matters because, once poisoned, the target sends every
packet for the gateway to you: with forwarding off your kernel silently drops
them, the target loses its connectivity, and the attack becomes obvious; with
forwarding on the packets are relayed to the real gateway and the target notices
nothing.
3.2 MAC Flooding:
Switches keep a translation table which maps MAC addresses to the physical ports
on the switch; this is how they forward a frame to one host rather than to all of
them. The table has a limited size (typically a few thousand entries). MAC
flooding exploits this limitation by bombarding the switch with frames from
random, fake source MAC addresses until the table is full and the switch can no
longer learn new addresses.
Once the legitimate entries have aged out and cannot be relearned, the switch no
longer knows which port a destination is on and enters what is known as
`fail-open' mode: it floods frames to all ports, behaving like a hub. Once that
happens sniffing can be performed easily. Managed switches counter this with port
security (a limit on the number of MAC addresses learned per port). MAC flooding
can be performed by using macof, a utility which comes with the dsniff suite.
[root@tachyon dhar]# macof
77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 0.0.0.0.45702 > \
0.0.0.0.11000: S 1847390231:1847390231(0) win 512
84:a4:d3:57:ef:8 12:56:52:42:dc:95 0.0.0.0.16630 > \
0.0.0.0.3031: S 1484147693:1484147693(0) win 512
88:f0:9:3f:18:89 d:86:53:53:d7:f8 0.0.0.0.15535 > \
0.0.0.0.7466: S 293820390:293820390(0) win 512
A related trick, MAC duplication, is to make the switch forward to the intruder
the frames destined for the victim. One can do this simply by sending out frames
with the source address of the victim. The switch's auto-learning will move the
victim's MAC address to the intruder's port and send the frames the wrong way.
The obvious problem is that if the victim doesn't receive the frames, its
communications break, and there won't be anything more to sniff. Another problem
is that the victim itself will still send out frames with its MAC address, causing
the switch to revert.
There are a few solutions to these problems. One is
by subverting an authenticated
connection, in which case the eavesdropper has to DoS the
victim (taking it offline), redirect the switch, and continue on with the
connection as if nothing happened. This can
be achieved easily.
For example,
in the case that the victim has a Telnet connection to the server, the
intruder can DoS the victim’s machine, taking him/her off
line. Then, the eavesdropper sends out packets with the victim’s MAC address,
causing the switch to send to the eavesdropper
all the packets destined for the victim. In order to pick up the victim’s
connection, the intruder causes the server to send him a TCP packet (i.e. use
the talk service to prompt the server for a connection). At this point, the
intruder simply starts
reversing the sequence and acknowledgement numbers to
continue the Telnet connection.
A similar solution is that when the intruder receives
an incoming packet, he turns around and
broadcasts it back. This way the victim still receives the packet. A steady
stream of outgoing traffic and broadcasts of the incoming traffic will allow
the intruder to recover a good percentage of the original traffic.
In conclusion, a switch by itself cannot stop a malicious person from sniffing
the network.
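A toy model of the switch's MAC table, as an added Python example (not code from
the article or from dsniff), showing why the two tricks of this section work: a
full table that cannot relearn Venus turns her traffic into flooded frames, and a
forged source MAC moves her entry to the attacker's port until she transmits again.
The port numbers, the table capacity of 64 and the MAC addresses are constructed
for the demonstration.

```python
# Added example, not from the original article or dsniff: a toy model of a switch's
# MAC table (CAM table) that shows why macof-style flooding and MAC duplication turn
# unicast traffic into something the attacker's port receives.  Ports, table
# capacity and the MAC addresses are constructed for the demonstration.
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity   # real tables hold thousands of entries; macof fills them in seconds
        self.table = {}            # MAC address -> port, filled by auto-learning

    def learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port          # a frame from elsewhere moves the entry (MAC duplication)
        elif len(self.table) < self.capacity:
            self.table[mac] = port
        # else: table full, the frame is still forwarded but its source is never learned

    def forward(self, src, dst, in_port):
        """Forward one frame; returns the set of ports it goes out of."""
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.table:
            return {self.table[dst]}
        return {p for p in self.ports if p != in_port}   # unknown destination: flood (fail-open)

    def age_out(self):
        self.table.clear()         # idle entries expire (commonly after 300 s)


def random_mac():
    return ":".join(f"{random.randrange(256):02x}" for _ in range(6))


def macof(switch, attacker_port, count):
    """What macof does: a stream of frames with random source (and destination) MACs."""
    for _ in range(count):
        switch.forward(random_mac(), random_mac(), attacker_port)


def demo():
    venus, cupid, attacker = "00:00:0c:00:00:01", "00:00:0c:00:00:02", "00:80:ad:7c:07:3a"

    # Normal operation: once both hosts are learned, Venus -> Cupid leaves on port 2 only.
    sw = Switch(ports=[1, 2, 3], capacity=64)
    sw.forward(venus, BROADCAST, 1)
    sw.forward(cupid, venus, 2)
    normal = sw.forward(venus, cupid, 1)

    # MAC flooding: the attacker on port 3 fills the table; when the legitimate entries
    # age out they cannot be relearned, so Cupid -> Venus is flooded to every port, 3 included.
    sw.age_out()
    macof(sw, attacker_port=3, count=200)
    flooded = sw.forward(cupid, venus, 2)

    # MAC duplication: a frame with Venus's source MAC from port 3 moves her entry there,
    # so Cupid -> Venus now goes only to the attacker ...
    sw2 = Switch(ports=[1, 2, 3], capacity=64)
    sw2.forward(venus, BROADCAST, 1)
    sw2.forward(attacker, BROADCAST, 3)
    sw2.forward(venus, cupid, 3)
    hijacked = sw2.forward(cupid, venus, 2)
    # ... until Venus transmits again and the switch reverts.
    sw2.forward(venus, cupid, 1)
    reverted = sw2.forward(cupid, venus, 2)
    return normal, flooded, hijacked, reverted


if __name__ == "__main__":
    print("normal, flooded, hijacked, reverted:", demo())
```

Both tricks rely on unlimited, unauthenticated learning. Port security on a
managed switch (a cap on learned addresses per port, or a sticky MAC bound to the
port) makes the flood frames violations instead of table entries and refuses to
move Venus's address to another port.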
3.3 IP-based sniffing
This is the original way of packet sniffing. It works by putting the network card
into promiscuous mode and capturing all packets matching an IP address filter.
Normally no filter is set, so it captures every packet. This method only yields
other hosts' traffic on non-switched networks.
4. What Does Sniffed Data Look Like?
It is easy to grasp the concepts discussed above by
watching a sniffer in action. The information in the following example was
derived using tcpdump, a program that has been around for quite sometime
and is available for many platforms. This particular snippet is an abbreviated
exchange between a machine and the SecurityFocus
Web server.
21:06:30.786814 0:1:3:e5:46:6b 0:4:5a:d1:46:ad 0800 650: 192.168.1.3.32946 >
66.38.151.10.80: P [tcp sum ok] 1:585(584) ack 336 win 64080 <nop,nop,timestamp 608776
899338> (DF) (ttl 64, id 7468, len 636)
0x0000 4500 027c 1d2c 4000 4006 8074 c0a8 0103 E..|.,@.@..t....
0x0010 4226 970a 80b2 0050 54ac b070 78ef d6c3 B&.....PT..px...
0x0020 8018 fa50 c663 0000 0101 080a 0009 4a08 ...P.c........J.
0x0030 000d b90a 4745 5420 2f63 6f72 706f 7261 ....GET./corpora
0x0040 7465 2f69 6d61 6765 732f 6275 696c 642f te/images/build/
0x0050 626c 6c74 5f72 645f 312e 6769 6620 4854 bllt_rd_1.gif.HT
0x0060 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0070 772e 7365 6375 7269 7479 666f 6375 732e w.securityfocus.
0x0080 636f 6d0d 0a55 7365 722d 4167 656e 743a com..User-Agent:
0x0090 204d 6f7a 696c 6c61 2f35 2e30 2028 5831 .Mozilla/5.0.(X1
0x00a0 313b 2055 3b20 4c69 6e75 7820 6936 3836 1;.U;.Linux.i686
21:06:30.886814 0:4:5a:d1:46:ad 0:1:3:e5:46:6b 0800 402: 66.38.151.10.80 >
192.168.1.3.32949: P [tcp sum ok] 2363393025:2363393361(336) ack 1437810754 win 8616
<nop,nop, timestamp 899338 608766> (ttl 61, id 10825, len 388)
0x0000 4500 0184 2a49 0000 3d06 b74f 4226 970a E...*I..=..OB&..
0x0010 c0a8 0103 0050 80b5 8cde 8401 55b3 4042 .....P......U.@B
0x0020 8018 21a8 0543 0000 0101 080a 000d b90a ..!..C..........
0x0030 0009 49fe 4854 5450 2f31 2e31 2032 3030 ..I.HTTP/1.1.200
0x0040 204f 4b0d 0a41 6765 3a20 320d 0a41 6363 .OK..Age:.2..Acc
0x0050 6570 742d 5261 6e67 6573 3a20 6279 7465 ept-Ranges:.byte
0x0060 730d 0a44 6174 653a 2054 7565 2c20 3132 s..Date:.Tue,.12
0x0070 2046 6562 2032 3030 3220 3033 3a30 343a .Feb.2002.03:04:
0x0080 3538 2047 4d54 0d0a 436f 6e74 656e 742d 58.GMT..Content-
0x0090 4c65 6e67 7468 3a20 3433 0d0a 436f 6e74 Length:.43..Cont
0x00a0 656e 742d 5479 7065 3a20 696d 6167 652f ent-Type:.image/
0x00b0 6769 660d 0a53 6572 7665 723a 2041 7061 gif..Server:.Apa
0x00c0 6368 652f 312e 332e 3232 2028 556e 6978 che/1.3.22.(Unix
0x00d0 2920 6d6f 645f 7065 726c 2f31 2e32 360d ).mod_perl/1.26.
This excerpt shows two packets: an HTTP request by the
client and the server’s response. Note that the first few lines of each sniffed
packet provide a summary of the transaction: timestamps, source and destination
MAC addresses, source and destination IP addresses and several other bits of
information. The numbered lines (0x00##) show the data transmitted by each
packet in hexadecimal format. Additionally, an ASCII decode of the payload is
located off to the right - a convenient feature for crackers and nosy neighbors
watching you on the network.
5. Why Should Users Be Concerned?
On a normal LAN there are thousands of packets
exchanged by multiple machines every minute, ample supply for any attacker.
Anything transmitted in plaintext over the network will be vulnerable -
passwords, web pages, database queries and messaging to name a few. A sniffer
can easily be customized to capture specific traffic like telnet sessions or
e-mail. Once traffic has been captured, crackers can quickly extract the
information they need - logins, passwords and the text of messages. And the
users will likely never know they were compromised - sniffers cause no damage or
disturbance to a network environment.
6. PACKET SNIFFERS
On non-switched Ethernet networks every frame is repeated by the network
equipment to all machines, but only the computer the frame is addressed to will
accept it. All of the other machines on that network still see the frame, but if
they are not the intended receiver, they discard it.
A packet sniffer is either a wire-tap device or software that plugs into the
network and eavesdrops on the network traffic. When a computer is running a packet
sniffer, its network interface is in promiscuous mode, which means that it listens
for all traffic and accepts every frame that reaches the interface.
7. Usage of a packet sniffer
7.1 To help administrators
The initial use of a packet sniffer was to help LAN/WAN administrators maintain
networks by analysing network traffic and determining where a problem on the
network is. A security administrator uses multiple sniffers as a detection system
by placing them strategically throughout the network. A packet sniffer converts
the data to a human-readable format so that people can read the traffic.
Moreover, a packet sniffer performs fault analysis, to discover problems in the
network such as why computer A cannot talk to computer B, and performance
analysis, to discover network bottlenecks.
Finally a packet sniffer can help administrators perform network intrusion
detection, in order to discover intruders, and network traffic logging, in order
to create logs that eavesdroppers cannot break into and erase.
7.2 To help eavesdroppers
Since packet sniffing is the technique of monitoring each packet as it flows
across the network, an intruder can use it to automatically sift clear-text
usernames and passwords from the network in order to break into systems, or any
other useful information such as credit card numbers. From that moment, packet
sniffing becomes a threat that has to be taken into account.
8. Components of a packet sniffer
A packet sniffer consists of the following:
- Special hardware:
Special hardware is needed by some products for analysing hardware faults such as
CRC errors, voltage problems, cable problems, jitter, negotiation errors and so
forth. But most products work from standard network adapters.
- Capture driver:
This is the most important part of a packet sniffer, because it captures the
network traffic from the wire, filters it for the particular traffic one wants,
and then stores the data in a buffer.
- Buffer:
The frames are stored in a buffer after being captured from the network. There
are two capture modes: capture until the buffer fills up, or use the buffer as a
circular buffer where the newest data replaces the oldest.
- Real-time analysis:
This feature does some minor analysis of the frames as they come off the wire. It
is able to find network performance issues and faults while capturing.
- Decoder:
The decoder displays the contents of network traffic with descriptive text so
that an analyst can figure out what is happening.
- Packet editing/transmission:
This is a feature contained in some products that allows you to edit your own
network packets and transmit them onto the network.
9. Steps in the creation of a Linux packet sniffer
The main steps in the development of a packet sniffer are:
- Creating a socket.
- Setting the NIC into promiscuous mode.
- Reading data from the open socket.
The rest of the steps only deal with interpreting the headers and formatting the
data (and redirecting the data to the output stream).
Creating a socket:-
On UNIX and its clones, communication endpoints called sockets can be created.
These let end systems on the network talk to each other. A sniffer does not want
an ordinary TCP or UDP socket but a raw packet socket (on Linux, a PF_PACKET
socket of type SOCK_RAW opened for ETH_P_ALL), which delivers every frame the
interface receives, headers included; opening one requires root privileges. When
the socket is created, a descriptor similar to a file descriptor is returned,
through which the frames are read.
Setting the NIC to promiscuous mode:-
First, a reference to a structure called ifreq is
needed. This is done by the statement,
struct ifreq ifr;
This is an interface request structure used for socket
ioctl. The ifreq structure is a
rather large structure. The main members that will be used
in this structure are
the members that hold the interface name and the interface
flags.
Next, the NIC name, viz. eth0 (usually), is copied to
the structure member
ifr_name.
The next step is to get the flags of the specified interface using the ioctl
system call. The ioctl system call takes 3 arguments, viz.
- The socket descriptor.
- The request that ioctl is supposed to perform. Here, the macro used is
SIOCGIFFLAGS.
- A pointer to the ifreq structure.
In the next step, the promiscuous flag must be set. This is done by using the
statement (C is case-sensitive, so the variable is the `ifr' declared above):
ifr.ifr_flags |= IFF_PROMISC;
The last step in this process is to set these flags on the NIC using the ioctl
call. The same first and third parameters are used, but the second parameter to
ioctl is changed to SIOCSIFFLAGS. (Toggling IFF_PROMISC this way changes a global
interface flag that other tools may reset; newer code asks the kernel to track
promiscuity per socket with setsockopt(PACKET_ADD_MEMBERSHIP) and
PACKET_MR_PROMISC, but the ioctl method still works.)
Now comes the cumbersome part - protocol
interpretation. To do this, the user is
required to have some basic knowledge about the protocol
that he/she intends to sniff. The protocol contents, its fields, field lengths
must be known and the user must know what kind of data to expect in those
fields.
To interpret the headers, the fields of the protocol
must be accessible. On a Linux
machine, by including the headers <linux/ip.h> and
<linux/tcp.h>, the IP and TCP protocols can be interpreted. These headers
contain structures that represent the IP and TCP headers. The user can refer to
these headers and interpret the information that is passing across the network.
A more complete sniffer would not just be able to capture a single protocol,
but all types of packets.
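The three steps above, plus the header interpretation, as an added Python example
(not code from the article). It decodes the client's request packet captured in
section 4 (its hex dump is embedded below exactly as printed there) and verifies
the fields against tcpdump's summary line, including the IP header checksum.
Run as root on Linux with an interface name (e.g. eth0) it also performs the same
raw-socket and SIOCGIFFLAGS/SIOCSIFFLAGS sequence to capture live frames; the
ioctl numbers are the Linux values from the kernel headers and the example assumes
a Linux host.

```python
# Added example, not from the original article: Linux raw-socket sniffer with the
# promiscuous-mode ioctls of section 9, and an IP/TCP header decoder applied to
# the tcpdump hex dump of section 4 (copied verbatim below).
import fcntl
import re
import socket
import struct

SIOCGIFFLAGS = 0x8913          # <linux/sockios.h>
SIOCSIFFLAGS = 0x8914
IFF_PROMISC = 0x100            # <linux/if.h>
ETH_P_ALL = 0x0003
ETH_P_IP = 0x0800

# First packet of section 4: the HTTP request (first 176 bytes of a 636-byte IP packet).
SAMPLE_REQUEST = """
0x0000 4500 027c 1d2c 4000 4006 8074 c0a8 0103 E..|.,@.@..t....
0x0010 4226 970a 80b2 0050 54ac b070 78ef d6c3 B&.....PT..px...
0x0020 8018 fa50 c663 0000 0101 080a 0009 4a08 ...P.c........J.
0x0030 000d b90a 4745 5420 2f63 6f72 706f 7261 ....GET./corpora
0x0040 7465 2f69 6d61 6765 732f 6275 696c 642f te/images/build/
0x0050 626c 6c74 5f72 645f 312e 6769 6620 4854 bllt_rd_1.gif.HT
0x0060 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0070 772e 7365 6375 7269 7479 666f 6375 732e w.securityfocus.
0x0080 636f 6d0d 0a55 7365 722d 4167 656e 743a com..User-Agent:
0x0090 204d 6f7a 696c 6c61 2f35 2e30 2028 5831 .Mozilla/5.0.(X1
0x00a0 313b 2055 3b20 4c69 6e75 7820 6936 3836 1;.U;.Linux.i686
"""


def hexdump_to_bytes(dump):
    """Turn tcpdump -x style lines (offset, 16-bit words, ASCII column) back into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:                 # drop the 0x00## offset
            if not re.fullmatch(r"[0-9a-f]{4}", tok):
                break                                # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def checksum(data):
    """Internet checksum (RFC 1071); 0 over a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of a packet that starts at the IP header."""
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0f) * 4
    info = {"version": ver_ihl >> 4, "len": total_len, "id": ident, "df": bool(frag & 0x4000),
            "ttl": ttl, "proto": proto, "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto != 6:
        return info
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4                     # TCP header length incl. options
    flags = off_flags & 0x1ff
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
                 "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
                 "payload": pkt[ihl + doff:]})
    return info


def set_promiscuous(sock, ifname, enable):
    """Section 9's ioctl sequence: SIOCGIFFLAGS, OR in IFF_PROMISC, SIOCSIFFLAGS."""
    ifr = fcntl.ioctl(sock.fileno(), SIOCGIFFLAGS, struct.pack("16sH", ifname.encode(), 0))
    flags = struct.unpack("16sH", ifr)[1]
    flags = flags | IFF_PROMISC if enable else flags & ~IFF_PROMISC
    fcntl.ioctl(sock.fileno(), SIOCSIFFLAGS, struct.pack("16sH", ifname.encode(), flags))


def sniff(ifname, count):
    """Steps 1-3: raw AF_PACKET socket, promiscuous mode, read frames (needs root)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    set_promiscuous(sock, ifname, True)
    try:
        for _ in range(count):
            frame = sock.recv(65535)
            if struct.unpack("!H", frame[12:14])[0] == ETH_P_IP:
                yield parse_ipv4_tcp(frame[14:])     # strip the 14-byte Ethernet header
    finally:
        set_promiscuous(sock, ifname, False)         # leave the interface as we found it
        sock.close()


if __name__ == "__main__":
    import sys
    info = parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_REQUEST))
    print({k: v for k, v in info.items() if k != "payload"})
    print(info["payload"].decode("ascii", "replace"))
    if len(sys.argv) > 1:                            # e.g. sudo python3 sniffer.py eth0
        for p in sniff(sys.argv[1], 10):
            print(p["src"], p.get("sport"), "->", p["dst"], p.get("dport"), p.get("flags"))
```

The decoder recovers exactly what tcpdump printed in the summary line: 192.168.1.3
port 32946 to 66.38.151.10 port 80, flags PSH and ACK, window 64080, ttl 64, id
7468, length 636, with the GET request starting at byte 52 (20 bytes of IP header
plus 32 bytes of TCP header with the timestamp option).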
10. CHALLENGES FOR DETECTING PACKET SNIFFERS
a) A sniffer does not send any packets apart
from those that would originate from the machine under normal network
connectivity circumstances. It is a common misconception that a packet sniffer
reads all packets from a broadcast network, and then re-sends them. This is, in
fact not the case. A packet sniffer copies packets
from the network, allowing the original packets to proceed in a normal manner.
b) A sniffer is
a machine, which is not necessarily under our administrative control. Another
common misconception, and one also made by CERT, in advisory CA-94.01 is that
all machines on which illegitimate sniffers are running are under local
administrative control. This is clearly not the case. Over 80% of network
attacks come from inside the firewall. With the increasing power and reduction
in cost of a laptop computer, we can now no longer make the assumption that
every machine on a Local Area Network is controllable by the local
administrative team.
c) The intruder is in complete control (root level or equivalent) of the machine
on which the sniffer is running. This is known to be true, as in order for a
network card to be put into promiscuous mode the user must have administrative
privileges on the local machine. This is true of both Unix and Microsoft
operating systems.
d) The sniffer
is running on a standard machine, with no special services running to give it a
unique “fingerprint”.
In theory, it is impossible to
detect sniffing programs because they are passive; they only collect packets,
they do not transmit anything. However, in practice it is sometimes possible to
detect sniffing programs, based on the fact that the networking code of the
computer running the packet sniffer generates traffic.
With these considerations in mind, there now follows
a set of possible solutions to the problem of detecting an illegitimate packet
sniffer on a network, and these will be described at a high level. There are
many more methods than these available, but many are left out for the sake of
brevity.
11. METHODS TO DETECT PACKET SNIFFERS
11.1) ICMP echo response
If we send an ICMP echo (or "ping") request packet containing the correct IP
address but a wrong destination MAC address to a normal networked machine, we
expect no response. This is because the network interface checks the destination
MAC of each frame and only passes up frames addressed to the local machine's own
MAC or to the broadcast (or a subscribed multicast) address.
If the machine we are "pinging" is running in promiscuous mode, the packet may be
replied to. A promiscuous interface accepts all frames, so the fake packet we have
created is accepted too and passed up through the layers, where the IP address is
recognised as its own. The intruder's machine would then respond to the "ping"
request. In practice the reply depends on the operating system's software filter:
some kernels discard frames whose destination MAC is a foreign unicast address
even when the interface is promiscuous, which is why detection tools vary the
bogus MAC (for example ff:ff:ff:ff:ff:fe, which several stacks treat as broadcast
because they check only the leading octets).
11.2) Ping method, part 2
The ping method can be enhanced in a number of ways. Any protocol that generates a
response can be used: a TCP connection request, a UDP datagram to a port that
answers, or any packet that provokes an error on the target machine. For example,
bad IP header values might be used to generate an ICMP error. Moreover, sometimes
a broadcast address needs to be used in order to bypass software IP address
filtering.
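The probe of 11.1 in working form, as an added Python example (not code from the
article or from any detection tool): it builds an Ethernet frame whose destination
MAC is wrong but whose IP and ICMP headers are correct, with valid checksums, and
recognises the echo reply that a promiscuous host sends back. Addresses are
constructed; ff:ff:ff:ff:ff:fe is one of the bogus MACs used because some
software filters treat it as broadcast. The live probe() needs root on Linux.

```python
# Added example, not from the original article or AntiSniff: build the 11.1 probe
# (correct IP address, wrong destination MAC) and recognise the reply.  Addresses
# are constructed; FAKE_BROADCAST is one of the bogus MACs detection tools use
# because some software filters treat anything starting with ff as broadcast.
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_ALL = 0x0003
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def checksum(data):
    """RFC 1071 Internet checksum; 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


def build_echo(src_mac, dst_mac, src_ip, dst_ip, ident, seq, icmp_type=8, payload=b"promisc-probe"):
    """Ethernet + IPv4 + ICMP echo (type 8 request, type 0 reply) with valid checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0x4000, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + icmp


def is_reply_to_probe(frame, our_ip, ident, seq):
    """True only for an ICMP echo reply addressed to us that carries our ident/seq."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != struct.pack("!H", ETH_P_IP):
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    if ip[9] != 1 or socket.inet_ntoa(ip[16:20]) != our_ip:     # protocol 1 = ICMP, dst = us
        return False
    icmp = ip[ihl:]
    icmp_type, _code, _csum, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type == 0 and (rid, rseq) == (ident, seq) and checksum(icmp) == 0


def probe(ifname, our_mac, our_ip, target_ip, timeout=2.0):
    """Send the probe with a bogus destination MAC and wait for a reply (root, Linux).
    A reply means the target's NIC accepted a frame that was not addressed to it."""
    ident, seq = 0xbeef, 1
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    sock.settimeout(timeout)
    sock.send(build_echo(our_mac, FAKE_BROADCAST, our_ip, target_ip, ident, seq))
    try:
        while True:
            if is_reply_to_probe(sock.recv(65535), our_ip, ident, seq):
                return True
    except socket.timeout:
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    frame = build_echo("00:11:22:33:44:55", FAKE_BROADCAST, "10.0.0.9", "10.0.0.50", 0xbeef, 1)
    print(len(frame), "bytes; IP checksum ok:", checksum(frame[14:34]) == 0)
    # e.g. probe("eth0", "00:11:22:33:44:55", "10.0.0.9", "10.0.0.50")
```

A silent target proves nothing (its kernel may drop foreign-MAC frames even in
promiscuous mode, or it may simply filter ICMP), so run the probe with several
bogus MACs and, as 11.2 suggests, with other stimuli than ICMP before drawing a
conclusion. The reply itself comes back addressed to your real MAC, which is why
it can be read from the same raw socket.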
11.3) DNS Lookup Test
Many sniffers resolve the IP addresses they capture to host names via DNS, so
that the intruder can decide which machines are worth gaining access to; an
intruder is more likely to attempt "payroll.uwe.ac.uk" than
"joebloggs.uwe.ac.uk".
If this is the case, the IP address of any packet the intruder captures will be
looked up in DNS (a reverse, PTR, query). We can use this to our advantage: send
traffic to a fictitious host, an address on the segment that no legitimate
machine has any reason to resolve, and watch for reverse lookups of that address.
If one appears, the source IP and MAC address of the DNS query identify the host
that looked up the fake address, i.e. the intruder.
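The detection side of the DNS lookup test, as an added Python example (not code
from the article): it parses the question section of DNS queries captured on port
53 and reports the hosts that reverse-resolve a decoy address. The decoy
10.1.2.250, the transaction IDs and the four captured queries are constructed.

```python
# Added example, not from the original article: recognise reverse (PTR) lookups for a
# decoy address that nobody but a name-resolving sniffer has a reason to ask about.
# The decoy address, transaction IDs and captured queries below are constructed.
import struct

QTYPE_PTR = 12
QCLASS_IN = 1


def reverse_name(ip):
    """'10.1.2.250' -> '250.2.1.10.in-addr.arpa'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(name, qtype, txid):
    """Standard query, RD set, one question: what a resolver puts on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """(name, qtype, qclass) of the first question of a DNS query, else None."""
    try:
        _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        if flags & 0x8000 or qdcount == 0:       # a response, or no question section
            return None
        pos, labels = 12, []
        while msg[pos] != 0:
            n = msg[pos]
            if n & 0xc0:                          # compression pointers do not belong in a query name
                return None
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
        return ".".join(labels).lower(), qtype, qclass   # case-fold: resolvers may mix case
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def decoy_lookup(msg, decoy_ips):
    """The decoy IP this query reverse-resolves, or None."""
    q = parse_question(msg)
    if q is None or q[1] != QTYPE_PTR:
        return None
    return {reverse_name(ip): ip for ip in decoy_ips}.get(q[0])


def find_resolvers(captured, decoy_ips):
    """captured: (src_ip, src_mac, udp_payload) of DNS queries seen going to port 53.
    Returns the hosts that asked about a decoy, i.e. the sniffer candidates."""
    hits = []
    for src_ip, src_mac, payload in captured:
        ip = decoy_lookup(payload, decoy_ips)
        if ip is not None:
            hits.append((src_ip, src_mac, ip))
    return hits


# Constructed capture: three ordinary lookups and one reverse lookup of the decoy 10.1.2.250.
CAPTURE = [
    ("10.1.2.17", "00:00:0c:11:22:33", build_query("www.example.com", 1, 0x1001)),
    ("10.1.2.17", "00:00:0c:11:22:33", build_query("17.2.1.10.in-addr.arpa", QTYPE_PTR, 0x1002)),
    ("10.1.2.99", "00:80:ad:7c:07:3a", build_query("250.2.1.10.in-addr.arpa", QTYPE_PTR, 0x1003)),
    ("10.1.2.40", "00:00:0c:44:55:66", build_query("mail.example.com", 15, 0x1004)),
]

if __name__ == "__main__":
    print(find_resolvers(CAPTURE, {"10.1.2.250"}))
```

The query's source MAC matters more than its source IP: a sniffer may resolve
through a local caching resolver, in which case the query you see on the wire
comes from the resolver and you must look at its logs instead. Pick a decoy that
is in your own address range but unused, so no monitoring or inventory tool has a
legitimate reason to resolve it.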
11.4) ARP method
The ARP method is similar to the ping method, but an ARP request is used instead
of an ICMP echo. The simplest form sends an ARP request for the suspect's IP
address to a non-broadcast destination MAC. A machine that nevertheless answers
with its MAC address has accepted a frame not addressed to it, and so must be in
promiscuous mode.
11.5) The decoy method
The decoy method consists of setting up a connection between a client and a
virtual server. The client runs a script that logs on to the server using a
plain-text protocol, allowing any eavesdropper to sift the usernames and passwords
from the wire. When the eavesdropper attempts to log on using this information,
standard intrusion detection systems alert that a sniffing intruder has found the
traffic and tried to use it.
The decoy method works everywhere, unlike the ping and ARP methods, which only
work on the local network.
11.6) Source-route method
This method uses the loose-source-route option in the IP header. A ping packet is
created whose source route forces it through another machine on the same segment
as the target. That machine should have routing disabled, so that it will not
forward the packet to the target. If you nevertheless get a response (from the
networking code of the computer that runs the sniffer), the target did not
receive the packet through normal forwarding: it is likely to have sniffed it off
the wire.
11.7) Time Domain Reflectometers (TDR)
A Time Domain Reflectometer is basically radar for
the wire. It sends a pulse down the wire and graphs the reflections that come
back. By looking at the graph of the response an expert can figure out if any
devices that should not be attached to the wire, are attached. They also
roughly tell where, in terms of distance along the wire, the tap is
located.
11.8) SNMP monitoring
Another way to figure out whether a hardware packet
sniffer is attached to the wires is by using smart hubs with SNMP management.
Such hubs can provide automated monitoring of Ethernet hubs. In other words a
packet sniffer can be tracked down by configuring the system with the
information where all the cables terminate.
11.9) Antisniffer
In 1999, L0pht Heavy Industries released a product
called Antisniff. AntiSniff is a
network security software program that attempts to scan
one’s network and determine if a
computer is running in promiscuous mode, using some of the
detection methods described above. AntiSniff, which operates on both Windows NT
and UNIX, is just a detection tool; it does not protect against packet
sniffers.
11.10) Fake user name & password login attempt test
We can create a known (fake) login sequence to a host, containing a username and
password that carry no real privileges but are named something tempting, like
"Admin". We then watch for a later login attempt with that username and password.
If one occurs, we know there is a sniffer on the network "somewhere" (although the
login attempt is unlikely to come from the same machine that is sniffing). This
can be achieved with a combination of auditing and logging.
11.11) Unrecognized MAC address test
Many networks use standard machines to make administration easier, so the Network
Interface Cards (NICs) in the machines are likely to be of the same manufacturer
and type. Each NIC manufacturer is allocated a range of MAC addresses (the first
three octets, the OUI), and each NIC is uniquely identifiable, so the network
cards in a set of standard machines will share the same OUI. We can therefore
scan the network for MAC addresses with an unfamiliar OUI to find a machine that
has been brought in from outside.
11.12) ICMP Echo Latency Test
If we send a series of ICMP echo requests to every machine in a given subnet, we
can find the average response time for each machine. This will be referred to as
the machine's "ICMP echo response profile". If we then flood the network with
packets destined for a fake IP address, we would expect this to make little
difference to the ICMP echo response profile of a normal machine.
This is because, even though the network is running at a higher load, the network
interface of a normal machine discards the flood frames in hardware, so its CPU
is not considerably affected by even a massive increase in traffic. An interface
running in promiscuous mode, however, passes every flood frame up to the kernel,
and the sniffer has to handle all of them. If we repeat the ICMP echo response
profile while the network is flooded, we expect a "normal" machine to show no
significant increase in response time between the two timings.
A machine running in promiscuous mode may show a significant delay in responding
to an ICMP echo request because of the quantity of packets queued on its Ethernet
device. So if we take a profile of each machine and compare it with a repeat of
the profile taken while the network is flooded, there should be no significant
time difference for a legitimate machine, while for a sniffer we may see three to
four times the echo response time.
12. Protection against packet sniffers
Even though configuring the local area network can
make sniffing hard, there is pretty much nothing one can do in order to stop
people from out on the Internet from sniffing the traffic.
A lot of people believe that a good way to protect
your network against sniffers is to segment it as much as possible using
Ethernet switches instead of regular hubs. They claim that the only drawback to
this solution is cost. As mentioned earlier this is not enough. It can make
sniffing harder, but it cannot make sniffing impossible.
But there are other ways to protect yourself: if not from letting hackers sniff
the traffic, then from letting them read it. The following paragraphs describe
such methods.
12.1. Encryption
Encryption is the best protection against any form of traffic interception. It is
reasonable to assume that at some point along a path, data can always be captured.
Therefore, your best defense is to ensure that traffic is essentially unreadable
to everyone but the intended receiver. This isn't difficult to do, since many
organizations have deployed services that make use of Secure Sockets Layer (SSL),
Transport Layer Security (TLS) and other methods that provide secure messaging,
web browsing and more. Only the payloads are scrambled; the IP and TCP headers
stay in clear so that packets still reach the correct destinations. So an
attacker can see where traffic was headed and where it came from, but not what it
carries.
21:09:04.599289 192.168.1.3.32933 > opensource-01.ee.ethz.ch.https: . [tcp sum ok]
793:793(0) ack 7011 win 20104 (DF) (ttl 64, id 12206, len 40)
0x0000 4500 0028 2fae 4000 4006 c059 c0a8 0103 E.(/.@.@..Y....
0x0010 8184 0799 80a5 01bb 19a2 0520 be10 d77f ................
0x0020 5010 4e88 dfd0 0000 P.N.....
21:09:04.599289 opensource-01.ee.ethz.ch.https > 192.168.1.3.32933: P [tcp sum ok]
7011:7135(124) ack 793 win 10052 (DF) (ttl 237, id 65192, len 164)
0x0000 4500 00a4 fea8 4000 ed06 43e2 8184 0799 E.....@...C.....
0x0010 c0a8 0103 01bb 80a5 be10 d77f 19a2 0520 ................
0x0020 5018 2744 8303 0000 4d3a a587 805e e2bc P.'D....M:...^..
0x0030 9a2a 8ff3 fe95 46d4 930e b2bc 74f0 a484 .*....F.....t...
0x0040 fcae 33ad 6d1f 0198 6020 aee5 0c26 908e ..3.m...`....&..
0x0050 a1b5 17b4 84b7 44bc 1b0b 434e bbae a483 ......D...CN....
0x0060 1e23 38d3 520f 687e c5e3 b62e 5225 aa2f .#8.R.h~....R%./
0x0070 f747 1a71 669c 8fd1 55bd 511c 4988 b78a .G.qf...U.Q.I...
0x0080 a08d 554e a3fe bb7d 36ca e66b fb8b 0392 ..UN...}6..k....
0x0090 a3f3 4cef 7b04 af5a 7a94 cb4c a1e6 e7fa ..L.{..Zz..L....
0x00a0 9610 a5ee ....
Compare this sniffed sample of a web session with the OpenSSL
Web server to the example earlier in the article. Notice how the header
information remains readable, but the ASCII decode of the payload contains
seemingly random characters - thanks to the encryption. The two participants in
this exchange, however, can both decrypt and process the data once it is
received. This type of safeguard can be applied to virtually any network
process and should be employed whenever possible.
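As an added example (not code from the original article), the following Python script re-parses the hex columns of the second packet above: the IP and TCP header fields decode cleanly, while the payload can only be measured, which is how a defender reading a capture tells an encrypted session from a cleartext one. The cleartext HTTP request it compares against is constructed.

```python
import math
from collections import Counter

# Hex columns of the second packet (server -> client) from the tcpdump capture
# above, with the offset and ASCII columns stripped.
HEX_DUMP = """
4500 00a4 fea8 4000 ed06 43e2 8184 0799
c0a8 0103 01bb 80a5 be10 d77f 19a2 0520
5018 2744 8303 0000 4d3a a587 805e e2bc
9a2a 8ff3 fe95 46d4 930e b2bc 74f0 a484
fcae 33ad 6d1f 0198 6020 aee5 0c26 908e
a1b5 17b4 84b7 44bc 1b0b 434e bbae a483
1e23 38d3 520f 687e c5e3 b62e 5225 aa2f
f747 1a71 669c 8fd1 55bd 511c 4988 b78a
a08d 554e a3fe bb7d 36ca e66b fb8b 0392
a3f3 4cef 7b04 af5a 7a94 cb4c a1e6 e7fa
9610 a5ee
"""
# Constructed cleartext HTTP request, used only for the entropy comparison.
PLAINTEXT = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def parse_ipv4_tcp(raw):
    """Decode the readable IPv4/TCP header fields and split off the payload."""
    ihl = (raw[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = int.from_bytes(raw[2:4], "big")     # tcpdump's "len 164"
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAGS.items() if tcp[13] & bit]
    payload = raw[ihl + data_off:total_len]
    return {"src": src, "dst": dst, "proto": raw[9], "sport": sport,
            "dport": dport, "flags": flags, "payload": payload}

def shannon_entropy(data):
    """Bits per byte: protocol text sits around 4 to 5, encrypted data climbs toward 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(bytes.fromhex("".join(HEX_DUMP.split())))
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} {pkt['flags']}")
    print(f"payload {len(pkt['payload'])} bytes, entropy {shannon_entropy(pkt['payload']):.2f}")
    print(f"cleartext request entropy {shannon_entropy(PLAINTEXT):.2f}")
```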
Using encryption does not stop a sniffer from
monitoring the traffic, but it makes the captured traffic useless, since it
appears as garbled data. The drawbacks of using encryption are speed and the
chance of a weak encryption standard being broken. Almost all encryption
introduces delay into the network. Typically, the stronger the encryption, the
slower the machines using it will communicate. On the other hand, there is
always the chance that a wrong choice of key size, encryption algorithm or
encryption mode will allow hackers to figure out the encryption key and decrypt
the data. That is why system administrators and users have to compromise
somewhere in the middle.
Still, this method does not prevent traffic analysis.
12.2. Authentication Protection
12.2.1 Kerberos
Kerberos is an authentication service that performs
two-way authentication between any pair of entities. The advantage of using
Kerberos is that cleartext passwords are not sent on the network. Besides
that, client passwords are not stored on servers. But it remains a fact
that this is just an authentication service: it can keep the login information
secret, but everything else is sent in the clear. This is why an intruder can
see the contents of the rest of the packets, which might include confidential
information (like credit card numbers). Moreover, this method is not effective
against traffic analysis. Finally, it has to be mentioned that Kerberos is
vulnerable to password guessing attacks.
12.2.2 One time password technology
One-time passwords provide secure authentication
over an insecure channel. The user takes a list of usable pass codes and
scratches out each one as it is used. The system keeps track of the usage,
removing each pass code from the list when it is used. Many different schemes
are used to generate one-time passwords; among them are Lamport's scheme, the
challenge-response scheme, and the time-synchronized scheme. Once again, since
one-time password technology only provides authentication, it hides the login
information from an intruder but not the packets exchanged afterwards. Moreover,
this method does not protect against traffic analysis.
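Lamport's scheme, as an added Python example that is not from the article: the server stores only the head of a hash chain, each login reveals the next preimage, and a password captured by a sniffer cannot be replayed or turned into the next one. SHA-256 and the chain length are my choices, not prescribed by the scheme.

```python
import hashlib
import hmac
import secrets

def h(data):
    return hashlib.sha256(data).digest()

def enrol(n=100):
    """Set up one chain: the client keeps the seed, the server keeps only h^n(seed)."""
    seed = secrets.token_bytes(32)
    head = seed
    for _ in range(n):
        head = h(head)
    return LamportClient(seed, n), LamportServer(head)

class LamportClient:
    """The i-th password is h^(n-i)(seed); each is computed fresh and used once."""
    def __init__(self, seed, n):
        self.seed, self.n, self.used = seed, n, 0

    def next_password(self):
        if self.used >= self.n:
            raise RuntimeError("chain exhausted: re-enrol with a fresh seed")
        self.used += 1
        pw = self.seed
        for _ in range(self.n - self.used):
            pw = h(pw)
        return pw

class LamportServer:
    """Holds no secret, only the last accepted value. A sniffer who captures a
    password learns nothing about the next one: that would mean inverting h."""
    def __init__(self, head):
        self.head = head

    def verify(self, password):
        if hmac.compare_digest(h(password), self.head):
            self.head = password          # advance the chain; replaying this password now fails
            return True
        return False
```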
12.2.3 Virtual Private Networks (VPNs)
The most secure solution is establishing an encrypted
VPN. VPNs provide encrypted traffic across the Internet. Besides that, this way
one can be protected against traffic analysis, since packets destined for
different recipients are all sent through the computer or computers with which
one has established the VPN.
There is, though, the threat that if an attacker
compromises an end-node of a VPN connection, he can sniff the traffic. A
typical scenario is an end-user who surfs the Internet normally and gets
compromised with a Remote Access Trojan (RAT) that contains a sniffing plug-in.
When the user establishes the VPN connection, the sniffing program is able to
see not only the encrypted traffic that can be seen on the Internet, but also
the unencrypted traffic before it gets sent into the VPN.
13. Sniffing Tools
Some of the commonly available sniffers for Linux are listed below.
- tcpdump: The granddaddy of packet sniffers. Ships by default on many Linux distros!
- sniffit: Robust packet sniffer with good filtering.
- ethereal: A free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk.
- hunt: According to Pavel Krauz, the main goal of the HUNT project is to develop a tool for exploiting well known weaknesses in the TCP/IP protocol suite. Well, I think he comes pretty close to it.
- Ettercap: Ettercap is a sniffer specifically designed for switched LANs. It allows you to perform MITM attacks against SSH and SSL. It has a password collector for telnet, ftp, POP, rlogin, ssh1, icq, smb, mysql, http, NNTP, X11, napster, IRC, rip, bgp, socks 5, IMAP 4, VNC, LDAP, NFS etc.
- dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
- LCRZOEX: It is a network library for administrators that supports spoofing, sniffing, client and server creation. Over 200 possible examples are included in the package.
14. Programs to Detect Sniffers
- Anti Sniff: From L0pht Heavy Industries comes the new program Anti Sniff. It has the ability to monitor a network and detect if a computer is in promiscuous mode.
- Neped: It detects network cards on the network that are in promiscuous mode by exploiting a flaw in the ARP protocol as implemented on Linux machines.
- ARP Watch: ARPWatch keeps track of Ethernet/IP address pairings. This is useful when you suspect you are being ARP-spoofed.
- Snort: Snort is an excellent Intrusion Detection System and its arp-spoof preprocessor can be used to detect instances of ARP spoofing, which might be an indication that someone on the network is sniffing.
None of these programs are foolproof. This has been the personal experience of many system administrators.
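An added example (not from the article, and not ARPWatch's own code) of the Ethernet/IP pairing check that ARPWatch performs, run over a constructed ARP reply log: a pairing that changes, and one MAC answering for several IPs, are the traces an ARP-spoofing sniffer leaves on a switched LAN.

```python
from collections import defaultdict

# Constructed log of ARP replies seen on the wire: time, sender IP, sender MAC.
# Not real traffic; the last two lines show .7 answering for the gateway and .3.
ARP_LOG = """\
10:00:01 192.168.1.1 00:11:22:33:44:01
10:00:02 192.168.1.3 00:11:22:33:44:03
10:00:03 192.168.1.7 00:11:22:33:44:07
10:05:10 192.168.1.1 00:11:22:33:44:07
10:05:11 192.168.1.3 00:11:22:33:44:07
"""

def watch_arp(log_text):
    """Replay ARP replies and report, ARPWatch-style, new stations, changed
    Ethernet/IP pairings, and a single MAC that claims more than one IP."""
    table = {}                       # ip -> MAC last seen answering for it
    claims = defaultdict(set)        # MAC -> set of IPs it has answered for
    alerts = []
    for line in log_text.splitlines():
        ts, ip, mac = line.split()
        mac = mac.lower()
        previous = table.get(ip)
        if previous is None:
            alerts.append((ts, "new station", ip, mac))
        elif previous != mac:
            alerts.append((ts, "changed ethernet address", ip, f"{previous} -> {mac}"))
        table[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((ts, "mac claims multiple ips", mac, sorted(claims[mac])))
    return alerts

if __name__ == "__main__":
    for alert in watch_arp(ARP_LOG):
        print(*alert)
```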
15. Popular packet sniffers
Below are listed some popular packet sniffers in the public domain. They are
divided into categories based on the operating system they are written for.
I. Windows
1. Ethereal: Ethereal is a UNIX-based program that also runs on Windows. It is probably the best freeware solution available for sniffing on Windows.
2. WinDump: A version of "tcpdump" for Windows.
3. Network Associates Sniffer
4. WinNT Server: Microsoft's WinNT Server comes with a built-in program called "Network Monitor". "Network Monitor Tools and Agent" is in the "Services" of the Networking control panel.
5. BlackICE Pro: BlackICE is an intrusion detection system that can also log evidence files to disk in a format that can be read by other protocol analyzers. However, it is non-promiscuous, and only sniffs the packets going into/out of the machine.
6. EtherPeek
7. Intellimax LanExplorer
8. Triticom LANdecoder32
9. dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data; arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker; sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. Powerful tool. Probably the best available.
II. Macintosh
1. EtherPeek
III. Unix
1. tcpdump: The oldest and most common wiretap program. It is the standard for UNIX.
2. Ethereal: It currently looks like this is the best GUI-based sniffing program for UNIX.
3. sniffit: Useful when trying to analyze application-layer data.
4. snort: A libpcap-based packet sniffer/logger with extensive filtering.
5. trinux: Contains tcpdump and sniffit, among numerous other security utilities, on a bootable floppy disk.
6. karpski: A GUI Linux packet sniffer including a GTK interface.
7. SuperSniffer v1.3
IV. Linux, Solaris and SunOS
1. RealSecure: Real-time monitoring, attack recognition and response.
2. SniffIt
3. dsniff: For Linux and Solaris. Described above, since it is available for Windows as well.
V. SunOS, Dec-Mips, SGI, Alpha, and Solaris
1. Packetman, Interman, Etherman, Loadman: Packetman was designed to capture packets, while Interman, Etherman, and Loadman monitor traffic of various kinds.
VI. DOS
Since DOS is not an operating system, it is in some ways more flexible as a platform for running sniffers.
1. Sniffer(r) Network Analyzer
2. Gobbler
3. Klos PacketView
4. ethdump v1.03
5. ethload v1.04
It has to be noted that there are also commercial sniffers.
16. CONCLUSION:-
When computers communicate over networks, they
normally listen only to the traffic destined to them. However, they also have
the ability to enter promiscuous mode, which allows them to listen to the
traffic that is destined to other computers. Sniffers put a computer's network
interface into promiscuous mode, allowing their users to view information going
through the Internet that they are not authorized to see. They can see
usernames, passwords, credit card numbers; any sensitive information. From this
point, sniffing becomes a major threat to one's privacy and has to be taken
seriously into account.
Computer users that are connected to the Internet have to protect themselves
against intruders. Unfortunately, the way the Internet is constructed favors
eavesdroppers. If they are capable enough and persistent enough, they can
overcome any kind of protection. No solution is perfect. Still, this does not
mean that no perfect protection equals no protection. On the contrary, good
protection will make an attacker's life difficult, discouraging him most of the
time. Easier victims will be sought.
In fewer words, sniffers are an invisible but major threat that has to be taken
into account. Even though there is no perfect solution, anyone connected to the
Internet has to take the appropriate measures against it.