Sniffers

Sniffers

Abstract: Sniffing is eavesdropping on the network. It can be used for monitoring the "health" of the network as well as capturing the passwords used in telnet, rlogin and ftp connections. This article describes a couple of well-known sniffers and describes an experiment with one of them. This experiment is a prerequsite to later experiments in TCP/IP exploits.

Table of Contents

  1. Sniffers
    1. Capabilities of Sniffers
    2. Promiscuous NIC
    3. Detection of Sniffers
    4. Prevention of Sniffing
  2. Lab Experiment
  3. Acknowledgements
  4. References

Sniffers

A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic. Like a telephone wiretap allows one to listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations.  Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.  Once a copy is made, the sniffer program can do, time and resources permitting, an arbitrary computation on the copy such as displaying it nicely in a GUI window. A sniffer can be used for a good purpose: to audit your own network, and to demonstrate the insecurity of plaintext network protocols.  A sniffer machine can be discovered by other network tools.

In this lecture, we are considering sniffers where the sniffer (program/ machine) S topologically sits between A and B.  Be aware that it is possible to route the messages between A and B to go past S when A and  B are on different subnets.

Sniffer activity occurs widely within organizations.  It is no longer a newsworthy item. So, we can find only the following.  In 1994, a sniffer program was installed by unidentified individuals at PANIX (Public Access to UNIX in New York). Within days, thousands of user names and passwords were stolen. Shortly thereafter, a similar incursion was successfully accomplished at BarNet in California.

Examples of Sniffers

Below is a select list of example sniffers from the open source archives. Visit  http://www.packetstormsecurity.org/  and search for "sniffers."    Many of these work on both Linux and Windows.

  1. tcpdump: The granddaddy of packet sniffers. Ships by default on many linux distributions.
  2. sniffit: Clever packet sniffer with good filtering. We will be using it in later labs.
  3. ethereal: Excellent GUI based sniffer. 
  4. hunt: A well written sniffer.
  5. Ettercap:  Ettercap is a network sniffer for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters to server (emulating commands) or to client (emulating replies) while maintaining an established TCP connection.
  6. dsniff:  As  an article puts it, ``Dsniff is the Swiss army knife of privacy invasion''. The package ships with a handful of nasties: urlsnarf, msgsnarf, mailsnarf, webspy, dsniff etc.

Capabilities of Sniffers

A sniffer program allows a user to watch all network traffic over any network interfaces connected to the host machine.  A sniffer program can watch TCP, IP, UDP, ICMP, ARP, RARP.  A sniffer also lets you watch port specific traffic for monitoring http, ftp, telnet, etc. traffic.  A sniffer can
  1. intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies.  This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time for this capability.
  2. determine the local gateway of an unknown network via passive sniffing.
  3. flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). 
  4. become a simple password sniffer by minimally parsing each application protocol, and saving the "interesting" bits.
  5. output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with log analysis tools such as analog, wwwstat.
  6. send URLs sniffed from a client to local Netscape browser for display, updated in real-time (that is, as the target surfs, the local browser surfs along).

After conducting the experiment below, you should think about how all the above can be accomplished.

Promiscuous NIC

A sniffer program makes the network interface card (NIC) on the machine S enter into a so-called promiscuous mode.  An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e.,  it ignores all frames whose destination MAC address does not match with its own.  Through the NICs driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.

The typical NICs used in workstations and PCs can be put into promiscuous mode quite easily.  In fact, on many NICs, it is possible to reprogram their MAC addresses.  Network analyzing equipment deliberately and legitimately needs to observe all traffic, and hence be promiscuous.

Thus, the defense against is sniffing is not really prevention but providing security solutions so that even if large amounts of data is sniffed, not much use can be made out of it.  This is the major reason behind one-time passwords and encryption.

Detection of Sniffers

To detect a sniffing device that only collects data and is quiet, does not respond to any of the information, nor generate any of its own traffic, requires physically checking all your Ethernet connections by walking around, and observing the output of ifconfig -a or equivalent (which includes the word PROMISC).  But a malicious sniffer is often not quiet as it needs to send the data gathered out to its owner.

It is difficult to remotely detect a sniffer by sending a packet or a "proper" ping if a machine is sniffing.  The following techniques are useful to be included in security audit tools.  Note that these techniques are attempting to determine that an NIC on the suspect machine is or is not in promiscuous mode, and  if the suspected machine is on the same Ethernet segment as the detective node.  The techniques will occasionally yield false alarms. The non-trusting assumption is that because it is in promiscuous mode, the machine must be running a sniffer.

The DNS Test  In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick  up on those connections and resolve the IP addresses of the  nonexistent hosts.   Some packet sniffers perform reverse DNS lookups for the packets it captures. When reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the one  requesting  resolution of that nonexistent host.

The Ping Test This method relies on a problem in the target machine's kernel.  we can construct an ICMP echo request with the IP address of the machine suspected of hosting a sniffer but with a deliberately mismatched MAC address.  We send an ICMP echo packet to the target with the correct destination IP address, but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect.  But  in some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffer will grab this packet off the network as a legitimate packet  and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode.  Clever attackers are of course aware of this and can update their sniffers to filter out such packets as the NIC itself would have had it not been in promiscuous mode.

The ICMP Ping Latency Test  In this method, we ping the target and note the round trip time (RTT), from there. We create hundreds of fake TCP connections on our network segment at a lightning rate.  We expect the sniffer to be processing those packets at a rate where the target machine's network latency will increase. We then ping the  target once again, and compare the RTT this time to the first time.  After a series of tests and averages, we can conclude whether or  not a sniffer is indeed running on the target.

The ARP Test  We send out an ARP request to our target with all valid information except a bogus destination hardware address.  A machine that is not in promiscuous mode would never see the packet, since it wasn't destined to them, therefore it wouldn't reply. If a machine is in promiscuous mode,  the ARP request would be seen and the kernel would process it and  reply.  By the machine replying, we know it is in promiscuous mode.

Two tools are available that employ the above techniques: AntiSniff for NT, about 0, and Sentinel, open source, for Unices.  A program known as neped (search http://www.packetstormsecurity.org/) uses the ping test above.

Prevention of Sniffing

Use switches instead of hubs.  However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.

Lab Experiment

All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 19 to 30.  No other WSU facilities are allowed. 

Objective: Run a sniffer program productively.

A package named sniffit  (home page: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html ) is widely known.  It is written by Brecht Claerhout.   Download the file sniffit-0.3.5.tar.gz into the PC you are working on.

  1. Untar the src code into /tmp.  cd to the sniffit src directory.  Run ./configure which creates a Makefile.  
  2. Do a make in the directory. The make will create an executable named sniffit.   This is the sniffer program.
  3. Setup a network of at least three PCs, P0, P1, P2 with P1 as a router as in the NetUtils lab experiment.
  4. Run the sniffit program on P1.  Learn to use all the options of the sniffit program.  Read the ReadMe.txt etc.  The following are links to its man pages: man 5 sniffitman 8 sniffit.
  5. Using the sniffit package, determine which of the above six capabilities (see Capabilities of Sniffers section) can be exercised.  Turn in a short description of what you learned.

References

  1. Prabhaker Mateti, Network Setup and Utilities, June 2000.  A lecture from a course on Internet Security. www.cs.wright.edu/~pmateti/InternetSecurity/  
  2. Christopher Klaus, The computer-security/ sniffers FAQ,  Jul 1997, http://www.faqs.org/faqs/ computer-security/sniffers/ 
  3. NetSniffer is a small packet sniffer for Windows NT.  As of June 30, 2000, www.assert.ee/ says  "Due to technical reasons ASSERT homepage is not available."  (The one at netsniffer. virtualave.net/ for a subscription of is an e-mail gatherer of visitors to a web page.) 
  4. Robert Graham, Sniffing (network wiretap, sniffer) FAQ, http://www.robertgraham.com/pubs/ sniffing-faq.html
  5. AntiSniff 1.021 for Windows NT 4.0, http://www.l0pht.com, 0 per licensed machine.
  6. bind, Sentinel, Promiscuous detection tool, http://www.subterrain.net/projects/sentinel/  Open source.

<<

Copyright (c) 2000 - 3000 by Ing. Eduardo Palena - Napolifirewall.com