articles ... About Sniffers - Their (ab)use in Networks

 

user comments
name
email
comments
 
smtp relay check
mailserver:
e-mail:
more info
translate to ...
language:
 
[1] . [2] . [3] . [4] . [5] . [6] . [7] . [8]
EyeonSecurity
Nekromantic
EyeonSecurity Forums
Ob5cureDotCom
elfqrin swg help net security
frame4 security hacker gurus computerglitch
gotr00t b0iler hackinthebox
nekromantic.com astalavista.net wand products
security-protocols
adv-knowledge rootshell wbglinks
security.nnov.ru
 
Copyright © 2001,2002 eyeonsecurity Inc., All Rights Reserved. No portions of eyeonsecurity may be used without express, written permission
 
About Sniffers - Their (ab)use in Networks.
- Obscure^, Eye on Security
- 16.9.2k


Intro

I am writing this after an overdose of MediNight (which in case you don't know, is the medicine or choice /w alcohol, and alcohol is evil), so please understand that my mental health is not at its best.

This text is about sniffers, the good and the evil uses, which I'll hope you will find usefull and easy to comprehend. Please note that this is not intended for the network experts out there i.e. nothing new is said. However it assumes you're familiar with certain TCP/IP terms.


Definition of a sniffer.

In networking terms, a sniffer defines a machine which has its network interface card set to promiscuous mode, thus watching over any packet on the same switch. In normal mode, a network card will accept only those packets addressed to its MAC address. However when the network card is in promiscuous mode, it will accept all of the packets, and pass them to the OS. This is usefull for monotoring a network, detecting malicious packets, capturing passwords, and many more. In fact, a sniffer is used by crackers, hackers, and by security professionals for different reasons.


NIDS.

NIDS = network Intrusion Detection System. This consists of a program which sets the network card in promiscuous mode, and checks for interesting packets. This will check for hacker attacks such as NT Null Sessions, failed TELNET authentication and even PINGs, amongst others. One such free tool for Linux (and now even WinNT/2k) is Snort. Snort is given a list of patterns it should check for, log and alert the user/administrator. NIDS are there to accompany firewalls as firewalls, like any other software implementations, have limitations, and can be circumvented. Thus once an attacker has cracked the firewall, if he does anything which produces a pattern defined in the Intrusion Detection System, will probably face some new problems :)


Monitoring.

This is used by employers wishing to watch over whatever their empoyees or School administrators watching over their student's use of internet (or vice-versa, that would be interesting). Therefore they should know if you're watching porn from school or not. One such product for WinNT is Languard, which gives you all connections other machines on the same network switch are doing. It also allows the Administrator running Languard, to filter certain sites, keywords, or protocols. With the recent controversial FBI Carnivore software, we also got an alternative implementation of the evil software: Antivore. This monitors e-mail, tracks a suspect's IP address and basically sniffs all data of the suspect.


Password Sniffing and other malicious uses.

Sniffing passwords is probably what you're after. This basically consists of capturing only the first few bytes of every telnet, ftp (or whatever protocol) session. A huge number of programs exist to do this for all platforms. Dsniff (available for linux and WinNT) does this and more. It even allows you to synchronise with another user on the network and browse websites as he is doing so in realtime. Sniffers can be a real headache for the (maybe lazy) system administrator, as once just one machine is compromised on a network, all data going and outgoing the network can be captured. Thus e-mail, clear text passwords (such as telnet or ftp), Netbios, and many more, can be compromised easily.


General Use.

TCPDump use to be, and prbably still is, the sniffer of choice. It allows the user to dump all Network Data in its roaw format. It is usually used to check on certain connections, what data is passing on a certain protocol and other general use. I personally use Snort for general use (besides using it as an IDS), as it by default decodes the packet data. Other sniffers (network protocol analyzer), are Ethereal (for Linux/UNIX, port also available for WinNT) and eEye's IRIS (commercial product). These two are easy to use sniffers and will help you learn a lot on your network traffic. WinNT Server also comes with it's built-in sniffer: Network Monitor.
A relatively "new" implementation of sniffers is to make passive network mapping and OS detection. A good product which does this (available for Linux and Windows platforms) is Siphon 0.666.


Defeating Sniffers.

If you want to be sure that no sniffers are running on your network, there actually is software which checks for this. AntiSniff by L0pht comes to mind. Other software which I know that check for this are Sentinel (for linux) and Languard. One of the ways these work is by sending Machine A an ARP packet directed to a machine B which does not exist, thus if Machine A is capturing all packets (i.e. is in promiscuous mode), it should respond to this packet, when it's not supposed to.

Other than that, it is recommended that Network Administrators use encryption on their networks, thus makeing sniffing (maybe by inside users, i.e. employees wishing to blackmail their boss for example >:) more or less useless. Thus for instance, instead or using TELNET, use Secure Shell (SSH).

If you actually want to attack a sniffer, say which is running as an IDS or Monitor, you can simply flood it with packets. A port scan should in theory break up most