Cyber Security Expo
 
About Sniffers by Obscure on 06/09/02

Intro

I am writing this after an overdose of MediNight (which, in case you don't know, is the medicine of choice with alcohol, and alcohol is evil), so please understand that my mental health is not at its best.

This text is about sniffers, their good and evil uses, which I hope you will find useful and easy to comprehend. Please note that this is not intended for the network experts out there, i.e. nothing new is said. However, it assumes you're familiar with certain TCP/IP terms.


Definition of a sniffer

In networking terms, a sniffer is a machine whose network interface card is set to promiscuous mode, so that it watches every packet on the same switch. In normal mode, a network card accepts only those packets addressed to its own MAC address. In promiscuous mode, however, it accepts all packets and passes them to the OS. This is useful for monitoring a network, detecting malicious packets, capturing passwords, and much more. In fact, sniffers are used by crackers, hackers and security professionals alike, for different reasons.


NIDS

NIDS = Network Intrusion Detection System. This is a program which sets the network card in promiscuous mode and checks for interesting packets: hacker attacks such as NT null sessions, failed TELNET authentication and even PINGs, amongst others. One such free tool for Linux (and now even WinNT/2k) is Snort. Snort is given a list of patterns it should check for, log and alert the user/administrator about. NIDS are there to accompany firewalls, since firewalls, like any other software implementation, have limitations and can be circumvented. Thus once an attacker has cracked the firewall, if he does anything which produces a pattern defined in the Intrusion Detection System, he will probably face some new problems :)
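To make the "list of patterns" idea concrete, here is a toy signature matcher in the spirit of the Snort rules just described. It is an added example, not Snort's own code or rule syntax: rules, packet records and the sample traffic are all constructed here, and the two signatures (the "Login incorrect" banner a TELNET server sends back on a failed login, and an ICMP echo request, whose first header byte is type 8) stand in for the patterns a real rule set would carry.

```python
"""Toy Snort-style signature matcher (added example, not Snort's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """One captured packet, reduced to the fields the rules look at."""
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int]    # None for ICMP
    dport: Optional[int]
    payload: bytes


@dataclass
class Rule:
    """A content rule: protocol, optional port, optional byte pattern / ICMP type."""
    msg: str
    proto: str
    port: Optional[int] = None      # matches either end of the connection; None = any
    content: bytes = b""            # byte pattern that must appear in the payload
    icmp_type: Optional[int] = None # first byte of the ICMP header, if relevant


RULES: List[Rule] = [
    # Failed TELNET authentication: the server's banner comes back from port 23.
    Rule(msg="TELNET login failed", proto="tcp", port=23, content=b"Login incorrect"),
    # A plain ping: ICMP echo request is type 8.
    Rule(msg="ICMP echo request", proto="icmp", icmp_type=8),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every condition the rule specifies holds for the packet."""
    if rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port not in (pkt.sport, pkt.dport):
        return False
    if rule.icmp_type is not None and (not pkt.payload or pkt.payload[0] != rule.icmp_type):
        return False
    if rule.content and rule.content not in pkt.payload:
        return False
    return True


def inspect(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Return one alert line per (packet, rule) match, in capture order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                alerts.append(f"[{rule.msg}] {pkt.src} -> {pkt.dst}")
    return alerts


# Constructed sample traffic (addresses, ports and payloads are made up).
SAMPLE: List[Packet] = [
    Packet("tcp", "10.0.0.5", "10.0.0.9", 23, 1051, b"\r\nLogin incorrect\r\nlogin: "),
    Packet("tcp", "10.0.0.9", "10.0.0.5", 1051, 23, b"alice\r\n"),
    Packet("icmp", "10.0.0.7", "10.0.0.9", None, None, b"\x08\x00\xf7\xff\x00\x01\x00\x01"),
    Packet("icmp", "10.0.0.9", "10.0.0.7", None, None, b"\x00\x00\xff\xff\x00\x01\x00\x01"),
    Packet("tcp", "10.0.0.9", "10.0.0.5", 1052, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in inspect(SAMPLE):
        print(line)
```

Only the failed login and the echo request produce alerts; the echo reply (type 0) and the HTTP request match nothing. A real NIDS feeds the same fields in from a promiscuous-mode capture instead of a hand-built list.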


Monitoring

This is used by employers wishing to watch over their employees, or school administrators watching over their students' use of the internet (or vice-versa, that would be interesting). Therefore they know whether you're watching porn from school or not. One such product for WinNT is Languard, which shows you all connections other machines on the same network switch are making. It also allows the Administrator running Languard to filter certain sites, keywords or protocols. With the recent controversial FBI Carnivore software, we also got an alternative implementation of the evil software: Altivore. This monitors e-mail, tracks a suspect's IP address and basically sniffs all data of the suspect.


Password Sniffing and other malicious uses

Sniffing passwords is probably what you're after. This basically consists of capturing only the first few bytes of every telnet, ftp (or whatever protocol) session. A huge number of programs exist to do this on all platforms. Dsniff (available for Linux and WinNT) does this and more. It even allows you to synchronise with another user on the network and browse websites as he does so, in real time. Sniffers can be a real headache for the (maybe lazy) system administrator, as once just one machine on a network is compromised, all data entering and leaving the network can be captured. Thus e-mail, clear-text passwords (such as telnet or ftp), NetBIOS and much more can be compromised easily.


General Use

TCPDump used to be, and probably still is, the sniffer of choice. It allows the user to dump all network data in its raw format. It is usually used to check on certain connections, what data is passing on a certain protocol, and other general use. I personally use Snort for general use (besides using it as an IDS), as by default it decodes the packet data. Other sniffers (network protocol analyzers) are Ethereal (for Linux/UNIX; a port is also available for WinNT) and eEye's IRIS (a commercial product). These two are easy-to-use sniffers and will help you learn a lot about your network traffic. WinNT Server also comes with its own built-in sniffer: Network Monitor.
A relatively "new" use of sniffers is passive network mapping and OS detection. A good product which does this (available for Linux and Windows platforms) is Siphon 0.666.
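The following added example shows what "dumping raw network data" and "decoding the packet data" amount to, and, for the Password Sniffing section above, why clear-text protocols are the administrator's headache. It is not tcpdump's or Snort's code. It parses Ethernet II / IPv4 / TCP frames, prints a tcpdump-style summary and a hex/ASCII dump of the payload, and then runs a defender's audit that reports which hosts still send FTP or TELNET credentials in the clear, redacting the secret itself. The frames are constructed in the block (MAC and IP addresses, checksums left as zero, and the "alice"/"hunter2" login are all made up); a real tool would read them from a promiscuous-mode capture.

```python
"""tcpdump-style decoder and clear-text credential audit (added example)."""
import socket
import struct
from typing import Dict, List, Optional

ETH_P_IP = 0x0800
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}   # services that send logins in the clear
FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]  # tcpdump's letters


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame for the samples (checksums left zero)."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip_hdr + tcp_hdr + payload


def decode_frame(raw: bytes) -> Optional[Dict]:
    """Pull the interesting header fields out of a frame; None if it is not IPv4/TCP."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETH_P_IP:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[14:34])
    if proto != 6:
        return None
    tcp_off = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, offs, flags = struct.unpack("!HHIIBB", raw[tcp_off:tcp_off + 14])
    payload = raw[tcp_off + (offs >> 4) * 4:14 + total_len]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "sport": sport,
            "dport": dport, "flags": flags, "ttl": ttl, "payload": payload}


def summarize(info: Dict) -> str:
    """One tcpdump-like line for the packet."""
    flag_str = "".join(n for bit, n in FLAG_NAMES if info["flags"] & bit) or "none"
    return f"{info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: [{flag_str}] len {len(info['payload'])}"


def hexdump(payload: bytes, width: int = 16) -> str:
    """Hex + ASCII dump, the way a decoding sniffer shows packet data."""
    lines = []
    for i in range(0, len(payload), width):
        chunk = payload[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def audit_cleartext(frames: List[bytes]) -> List[str]:
    """Defender's audit: report credentials sent over clear-text protocols, password redacted."""
    findings = []
    for raw in frames:
        info = decode_frame(raw)
        if info is None or info["dport"] not in CLEARTEXT_PORTS:
            continue
        proto = CLEARTEXT_PORTS[info["dport"]]
        text = info["payload"].decode("ascii", "replace").strip()
        if text.upper().startswith("USER "):
            findings.append(f"{proto}: {info['src']} sent username {text[5:]!r} to {info['dst']} in the clear")
        elif text.upper().startswith("PASS "):
            findings.append(f"{proto}: {info['src']} sent a password to {info['dst']} in the clear (value redacted)")
    return findings


# Constructed sample capture: an FTP login followed by an SSH banner (made-up addresses).
SRC, DST = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame(SRC, DST, "192.168.1.10", "192.168.1.20", 1040, 21, 0x02, b""),
    build_frame(SRC, DST, "192.168.1.10", "192.168.1.20", 1040, 21, 0x18, b"USER alice\r\n"),
    build_frame(SRC, DST, "192.168.1.10", "192.168.1.20", 1040, 21, 0x18, b"PASS hunter2\r\n"),
    build_frame(SRC, DST, "192.168.1.10", "192.168.1.20", 1041, 22, 0x18, b"SSH-2.0-OpenSSH\r\n"),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        info = decode_frame(raw)
        print(summarize(info))
        if info["payload"]:
            print(hexdump(info["payload"]))
    for finding in audit_cleartext(SAMPLE_FRAMES):
        print(finding)
```

The SSH frame on port 22 is decoded like the others but produces no audit finding, which is exactly the point of the Defeating Sniffers advice further down: once the login travels inside an encrypted session, a sniffer sees the banner and nothing useful after it.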


Defeating Sniffers

If you want to be sure that no sniffers are running on your network, there actually is software which checks for this. AntiSniff by L0pht comes to mind. Other software which I know checks for this are Sentinel (for Linux) and Languard. One of the ways these work is by sending Machine A an ARP packet directed to a machine B which does not exist; if Machine A is capturing all packets (i.e. is in promiscuous mode), it will respond to this packet when it's not supposed to.
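The ARP test described above, as an added example that is not AntiSniff's, Sentinel's or Languard's code: the probe asks "who has Machine A's IP?" but is placed in an Ethernet frame whose destination MAC belongs to no real machine (the "machine B which does not exist"). A card in normal mode drops that frame because the destination MAC is neither its own nor broadcast; a card in promiscuous mode passes it up, and the OS ARP code, which only checks the target IP, answers. The block builds the probe frame and models both receive paths; the bogus destination MAC, the addresses and the target host are all constructed values, and nothing is sent on the wire.

```python
"""ARP-based promiscuous-mode check, modelled offline (added example)."""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST = 1


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp_probe(sender_mac: str, sender_ip: str, target_ip: str,
                    bogus_dst_mac: str = "ff:ff:ff:ff:ff:fe") -> bytes:
    """Ethernet II + ARP request whose destination MAC is deliberately not real.

    bogus_dst_mac is an illustrative value: it is not broadcast and belongs to
    nobody, so a non-promiscuous card never sees the request."""
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REQUEST,          # Ethernet, IPv4, hlen, plen, opcode
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """Model the card's receive filter (multicast left out to keep the model short)."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == mac_bytes(own_mac) or dst == BROADCAST


def arp_layer_replies(frame: bytes, own_ip: str) -> bool:
    """The OS answers any ARP request for its own IP; it never re-checks the MAC."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return False
    opcode = struct.unpack("!H", frame[20:22])[0]
    target_ip = socket.inet_ntoa(frame[38:42])
    return opcode == ARP_REQUEST and target_ip == own_ip


def host_would_reply(frame: bytes, own_mac: str, own_ip: str, promiscuous: bool) -> bool:
    """A reply to the bogus-MAC probe is the tell-tale sign of promiscuous mode."""
    return nic_accepts(frame, own_mac, promiscuous) and arp_layer_replies(frame, own_ip)


if __name__ == "__main__":
    # Constructed values: the checking host and the host under test.
    probe = build_arp_probe("00:0c:29:aa:bb:cc", "10.0.0.1", "10.0.0.50")
    for mode in (False, True):
        replied = host_would_reply(probe, "00:50:56:11:22:33", "10.0.0.50", promiscuous=mode)
        print(f"promiscuous={mode}: host replies -> {replied}")
```

A host that replies to the probe is the one to look at; a host that stays silent may still be sniffing if its stack filters on the MAC itself, which is why tools such as AntiSniff combine several tests rather than relying on this one alone.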

Other than that, it is recommended that network administrators use encryption on their networks, thus making sniffing (maybe by inside users, i.e. employees wishing to blackmail their boss, for example >:) more or less useless. For instance, instead of using TELNET, use Secure Shell (SSH).

If you actually want to attack a sniffer, say one which is running as an IDS or monitor, you can simply flood it with packets. A port scan should in theory break up most poorly implemented sniffers. It is also a known fact that many NIDS do not capture small fragmented packets, thus not noticing any malicious data when purposely constructed packets are sent over a network.

It is also recommended that administrators implement switched networks, which means that a user in promiscuous mode will only be able to capture data from people on the same switch.


Conclusion

So that's all for now. I probably forgot to state a good number of things about the sniffer kingdom.
Boost my ego and send flames to: obscure@cybergoth.i-p.com


Ref.

Tools
Snort: http://www.snort.org
Languard: http://www.languard.com/
TCPDump: http://www.tcpdump.org/
Ethereal: http://ethereal.zing.org/
IRIS: http://www.eeye.com/
Siphon 0.666: http://www.subterrain.net/projects/siphon/
Dsniff: http://www.monkey.org/~dugsong/dsniff
Altivore: http://www.networkice.com/altivore
Antisniff: http://www.l0pht.com/antisniff/
Sentinel: http://www.packetfactory.net/Projects/sentinel/

General Security Sites
Eye on Security: http://irc.m0ss.com/eos
SecurityFocus: http://www.securityfocus.com
Packetstorm: http://packetstorm.securify.com/


Sniffing FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html

For further reading I recommend the Library section on SecurityFocus.
There are also good articles on Phrack (http://www.phrack.com/).

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.