I am writing this after an overdose of MediNight (which in case you don"t know,
is the medicine or choice /w alcohol, and alcohol is evil), so please understand
that my mental health is not at its best.
This text is about sniffers, the good and the evil uses, which I"ll hope you
will find usefull and easy to comprehend. Please note that this is not intended
for the network experts out there i.e. nothing new is said. However it assumes
you"re familiar with certain TCP/IP terms.
Definition of a sniffer
In networking terms, a sniffer defines a machine which has its network interface
card set to promiscuous mode, thus watching over any packet on the same switch.
In normal mode, a network card will accept only those packets addressed to its
MAC address. However when the network card is in promiscuous mode, it will accept
all of the packets, and pass them to the OS. This is usefull for monotoring
a network, detecting malicious packets, capturing passwords, and many more.
In fact, a sniffer is used by crackers, hackers, and by security professionals
for different reasons.
NIDS = network Intrusion Detection System. This consists of a program which
sets the network card in promiscuous mode, and checks for interesting packets.
This will check for hacker attacks such as NT Null Sessions, failed TELNET authentication
and even PINGs, amongst others. One such free tool for Linux (and now even WinNT/2k)
is Snort. Snort is given a list of patterns it should check for, log and alert
the user/administrator. NIDS are there to accompany firewalls as firewalls,
like any other software implementations, have limitations, and can be circumvented.
Thus once an attacker has cracked the firewall, if he does anything which produces
a pattern defined in the Intrusion Detection System, will probably face some
new problems :)
This is used by employers wishing to watch over whatever their empoyees or
School administrators watching over their student"s use of internet (or vice-versa,
that would be interesting). Therefore they should know if you"re watching porn
from school or not. One such product for WinNT is Languard, which gives you
all connections other machines on the same network switch are doing. It also
allows the Administrator running Languard, to filter certain sites, keywords,
or protocols. With the recent controversial FBI Carnivore software, we also
got an alternative implementation of the evil software: Antivore. This monitors
e-mail, tracks a suspect"s IP address and basically sniffs all data of the suspect.
Password Sniffing and other malicious uses
Sniffing passwords is probably what you"re after. This basically consists of
capturing only the first few bytes of every telnet, ftp (or whatever protocol)
session. A huge number of programs exist to do this for all platforms. Dsniff
(available for linux and WinNT) does this and more. It even allows you to synchronise
with another user on the network and browse websites as he is doing so in realtime.
Sniffers can be a real headache for the (maybe lazy) system administrator, as
once just one machine is compromised on a network, all data going and outgoing
the network can be captured. Thus e-mail, clear text passwords (such as telnet
or ftp), Netbios, and many more, can be compromised easily.
TCPDump use to be, and prbably still is, the sniffer of choice. It allows the
user to dump all Network Data in its roaw format. It is usually used to check
on certain connections, what data is passing on a certain protocol and other
general use. I personally use Snort for general use (besides using it as an
IDS), as it by default decodes the packet data. Other sniffers (network protocol
analyzer), are Ethereal (for Linux/UNIX, port also available for WinNT) and
eEye"s IRIS (commercial product). These two are easy to use sniffers and will
help you learn a lot on your network traffic. WinNT Server also comes with it"s
built-in sniffer: Network Monitor.
A relatively "new" implementation of sniffers is to make passive network
mapping and OS detection. A good product which does this (available for Linux
and Windows platforms) is Siphon 0.666.
If you want to be sure that no sniffers are running on your network, there
actually is software which checks for this. AntiSniff by L0pht comes to mind.
Other software which I know that check for this are Sentinel (for linux) and
Languard. One of the ways these work is by sending Machine A an ARP packet directed
to a machine B which does not exist, thus if Machine A is capturing all packets
(i.e. is in promiscuous mode), it should respond to this packet, when it"s not
Other than that, it is recommended that Network Administrators use encryption
on their networks, thus makeing sniffing (maybe by inside users, i.e. employees
wishing to blackmail their boss for example >:) more or less useless. Thus
for instance, instead or using TELNET, use Secure Shell (SSH).
If you actually want to attack a sniffer, say which is running as an IDS or
Monitor, you can simply flood it with packets. A port scan should in theory
break up most poorly implemented sniffers. It is also a known fact that many
NIDS do not capture small fragmented packets, thus not noticing any malicious
data when purposely constructed packets are send over a network.
It is also recommended that administrators implement switched networks, which
means that if a user is in promiscuous mode, he will only be able to capture
data from people on the same switch.
So that"s all for now. I probably forgot to state a good number of things about
the sniffer kingdom.
Boost my ego and send flames to: firstname.lastname@example.org
Siphon 0.666: http://www.subterrain.net/projects/siphon/
General Security Sites
Eye on Security: http://irc.m0ss.com/eos
Sniffing FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
For further reading I recommend the Library section on SecurityFocus.
There are also good articles on Phrack (http://www.phrack.com/).