A CLOSE EXAMINATION OF SNIFFERS

 

By: Lawrence Lindsey Jr.

jths83@mail.konnect.net


 

I. Introduction

II. Sniffers
    (A.) Sniffers defined
    (B.) Development of sniffers
    (C.) Mechanics of sniffers
    (D.) Who uses sniffers

III. Attacks
    (A.) Passive Attack
    (B.) Active Attack

IV. Types of Sniffers
    (A.) Ethereal
    (B.) Black Ice Pro
    (C.) TCPDUMP
    (D.) WINSNIFF
    (E.) WEBSNIFF
    (F.) GOBBLER
    (G.) ETHLOAD
    (H.) Esniff.c
    (I.) NETLOG
        (1.) TCPlogger
        (2.) UDPlogger
        (3.) Extract
        (4.) Netwatch

V. System Attacks
    (A.) SYN flood
    (B.) ICMP Echo
    (C.) TCP Hijacking
    (D.) IP Spoofing

VI. Vulnerable Protocols
    (A.) Telnet and rlogin
    (B.) HTTP
    (C.) SNMP
    (D.) POP
    (E.) FTP

VII. Detection Methods
    (A.) Ping
    (B.) Decoy
    (C.) Hub
    (D.) SNMP
    (E.) Antisniffing software

VIII. Protecting Your Network
    (A.) Passwords
    (B.) Secure Technology
    (C.) Inspections
    (D.) Secure E-mail
    (E.) Third Party Authentication
    (F.) Education
    (G.) Prohibit Sniffers

IX. Summary/Recommendations

X. Bibliography


INTRODUCTION:

Sniffers, introduced in 1988 by Network General Corp., have been around as long as the Internet. Originally known as network analyzers, they were one of the first tools that let system administrators analyze their network and locate problems. [1] They are also used to read the message headers of data packets on the network, giving the administrator details about the addresses of senders and receivers, file sizes and other low-level information about those packets, in addition to verifying transmission. Unfortunately, hackers also run sniffers to spy on networks and steal various kinds of data. This paper discusses what a sniffer is, the different kinds of sniffers, and how to protect your network against them.

WHAT IS A SNIFFER:

A sniffer is a program or device that captures data traveling along the network. This process is also known as “Protocol analysis”. The sniffer may be attached to a network interface to watch all the network traffic or to a disk interface to watch all the data flowing to or from the disk. Sniffers can also be parasites, inserted inside a system, like the print spooler or login system, secretly gathering information. [2]

Sniffers were originally developed by programmers as a tool for debugging network problems. Sniffing usually requires root privileges on a host, or a new host can be temporarily attached to the network. Most sniffers require a shared network segment (such as Ethernet) and can only see the traffic on that segment. Sniffing also requires that the NIC (Network Interface Card) be put into “promiscuous mode”, in which the card listens to all of the traffic on the segment rather than only the traffic addressed to it; in this mode the sniffer program is able to capture the packets being transmitted over the network. [3]

HOW A SNIFFER WORKS:

A sniffer can see all data traveling on a network from computer to computer, but it is unable to capture that data unless it puts its NIC into promiscuous mode. Once it has done so, it can take packets of data, discard the addresses and decode only the pertinent information.

Each machine is supposed to ignore a packet that is not destined for the IP address assigned to that computer. A sniffer program, however, will accept ANY packet it receives. [4]

 

                   Friend            Sniffer            Destination
                   comp              (bad guy)          comp
                     |                  |                  |
 Your comp ----------+------------------+------------------+-----
              > > > ^ > > > > > > > > > ^ > > > > > > > > > ^

 

WHO USES SNIFFERS:

Crackers and other unauthorized personnel use sniffers for a variety of reasons, such as to:

Examine network traffic going to and from other machines

Gather usernames/passwords

Capture electronic mail

Administrators use sniffers to:

Monitor the network and locate unauthorized computers and sniffers on the network. [5]

Administrators have used sniffers to monitor and to correct the following:

October 1999: Xerox dismisses 40 workers for inappropriate use of the Internet related to pornographic Web sites.

December 1999: The New York Times fires 23 employees for distributing pornography via e-mail.

July 2000: Dow Chemical fires 20 workers and disciplines 200 others for distributing sexually explicit and violent material.

November 2000: The CIA fires 4 employees and reprimands 18 for participating in a secret chat which exchanged jokes.

July 2001: Northwestern University fires an employee for allegedly downloading and storing thousands of MP3 files on her work computer.

[6]

PASSIVE ATTACK:

A sniffer being used on a network to snoop passwords and anything else is considered to be a passive attack. It does not directly intrude onto a foreign network or computer. Passive attacks are not meant to be discovered.

ACTIVE ATTACK:

An active attack directly interfaces with a remote machine; network floods and buffer overflows are also considered active attacks.

TYPES OF SNIFFERS:

1.      Ethereal – A Unix-based program that also runs on Windows. It comes in both a read-only (protocol analyzer) version and a capture (sniffing) version, and is probably the best freeware available for sniffing on Windows.

2.      Black Ice Pro – Intrusion detection software. It is non-promiscuous, however, and only sniffs the packets going into and out of the machine it runs on.

3.      TCPDUMP – Tcpdump prints out the headers of packets on a network interface that match a boolean filter expression.

4.      WINSNIFF – The most efficient and reliable password sniffer, Win Sniffer allows network administrators to capture the passwords of any network user. Win Sniffer monitors incoming and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, SMTP, Telnet, IMAP, and NNTP usernames and passwords. Unlike other network sniffers, Win Sniffer has advanced, integrated technology that allows it to reconstruct network traffic in a format that is simple to use and understand. While most other network sniffers merely display a list of packets traveling across a network, Win Sniffer reconstructs each of those packets individually, thus capturing a clear and concise image of the integrity of an organization's entire network. With Win Sniffer, administrators can assess the danger of clear text passwords in the network and develop ways to improve security. [7]

5.      WEBSNIFF – This program sniffs packets destined for web servers, scans for headers carrying Basic Authentication, and automatically decodes the authentication string, yielding a username and password in clear text.

6.      GOBBLER – The Gobbler is probably the best sniffer for learning about network traffic. It was designed for the MS-DOS operating system but also works with Windows: it runs on any PC using DOS, Windows 95 or NT. It can be run from a single workstation, analyzing local packets, or it can be used remotely over a network. The Gobbler also lets you view both the source and destination addresses of each packet.

7.      ETHLOAD – Ethload is a freeware packet sniffer written in C for Ethernet and token ring networks.

8.      Esniff.c – Esniff.c is a sniffer program, also written in C, designed primarily to sniff packet traffic on the SunOS platform. It is also the most popular among hackers. It captures the beginning portion of each packet (which contains the user’s login ID and password).

9.      NETLOG – Netlog consists of four separate programs designed to run under SunOS.

·        TCPlogger records all TCP traffic passing the single monitoring host. It does this by placing the network interface into “promiscuous mode” and reading all TCP connect requests.

·        UDPlogger is essentially the same program as TCPlogger, except that it records connectionless UDP traffic.

·        Extract is a tool for processing the log files produced by TCPlogger and UDPlogger. It can extract entries based on any one (or combination) of the 6 fields of a record within a log file.

·        Netwatch is an interactive tool for real-time monitoring of network traffic, attempting to identify any suspicious behavior. [8]

TYPES OF SYSTEM ATTACKS:

SYN flood attack – A SYN is sent to the target computer with a spoofed source IP. When it is received, target X allocates buffer space to handle the connection and sends a SYN-ACK to the spoofed address (which will never respond). Target X never receives the expected ACK and retransmits the SYN-ACK (it does this a finite number of times and finally purges the buffer). This is a “half-open socket”. The attacker sends a large number of these, which causes the buffer on X to exceed its capacity. Responses to this kind of attack vary from machine to machine, but it normally results in denial of service. [9]
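The half-open state described above can be counted from a packet log, which is how a monitoring host spots a SYN flood in progress. The Python below is an added example, not part of the original paper: it replays a constructed set of TCP control packets, tracks each client-to-server handshake, and alerts on any server port whose half-open count exceeds a threshold. The addresses, the threshold and the packet records are all assumed sample values.

```python
from collections import defaultdict

def track_handshakes(packets):
    """Replay (src, dst, dport, flags) records and return the state of each
    client->server handshake, keyed by (client, server, dport).
    SYN_RCVD means the server has allocated a buffer for a connection the
    client has not yet completed with an ACK: the "half-open socket"."""
    state = {}
    for src, dst, dport, flags in packets:
        if flags == "S":                          # client opens, server allocates buffer
            state[(src, dst, dport)] = "SYN_RCVD"
        elif flags == "SA":                       # server answers; key from client's view
            state.setdefault((dst, src, dport), "SYN_RCVD")
        elif flags == "A" and state.get((src, dst, dport)) == "SYN_RCVD":
            state[(src, dst, dport)] = "ESTABLISHED"   # third step of the handshake
        elif "R" in flags or "F" in flags:        # reset or close frees the slot
            state.pop((src, dst, dport), None)
            state.pop((dst, src, dport), None)
    return state

def half_open_per_server(state):
    """Count SYN_RCVD entries per (server, dport)."""
    counts = defaultdict(int)
    for (_client, server, dport), s in state.items():
        if s == "SYN_RCVD":
            counts[(server, dport)] += 1
    return dict(counts)

def syn_flood_alerts(packets, threshold=20):
    """Return the (server, dport) pairs whose half-open count exceeds threshold."""
    counts = half_open_per_server(track_handshakes(packets))
    return sorted(key for key, n in counts.items() if n > threshold)

# Constructed sample: one legitimate handshake to the web server, one to the
# mail server, then 40 SYNs from spoofed (never-answering) source addresses.
SAMPLE = [
    ("10.0.0.5", "10.0.0.10", 80, "S"), ("10.0.0.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.10", 80, "A"),
    ("10.0.0.6", "10.0.0.11", 25, "S"), ("10.0.0.11", "10.0.0.6", 25, "SA"),
    ("10.0.0.6", "10.0.0.11", 25, "A"),
]
for i in range(40):
    spoofed = f"198.51.100.{i + 1}"
    SAMPLE.append((spoofed, "10.0.0.10", 80, "S"))       # spoofed SYN arrives
    SAMPLE.append(("10.0.0.10", spoofed, 80, "SA"))      # server's SYN-ACK goes nowhere

if __name__ == "__main__":
    print(half_open_per_server(track_handshakes(SAMPLE)))   # {('10.0.0.10', 80): 40}
    print(syn_flood_alerts(SAMPLE))                         # [('10.0.0.10', 80)]
```

A real monitor would also expire SYN_RCVD entries after the retransmission timeout the paragraph mentions, so that stale entries from a slow client do not count as an attack.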

ICMP Echo (Ping) flood – The attacker sends a large number of ICMP ping requests to a victim, which can cause network congestion or outages. The attack is sometimes called a “smurf” attack, after a tool that is available to help launch it.

TCP Hijacking – The attacker must have access to the packet flow to conduct this attack and must be logically located between the client and the server. The attacker sends a “killer” packet to the client, terminating its connection, and then continues the connection in the client's place.

IP Source Address Spoofing – The IP protocol allows anyone to send a packet claiming to be from someone else. The attacker can send but not receive; return packets go to the address the attacker used in the spoof. Defense: configure the packet filter to drop outbound packets that do not have an “inside” source address, and to block inbound packets that do have an “inside” source address. [10]
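The two filter rules in that defense can be expressed as a small decision function. The Python below is an added example, not the paper's own code: it assumes a single constructed inside block (192.0.2.0/24) and constructed sample packets, and classifies each packet crossing the border as accepted or dropped according to its direction and source address.

```python
import ipaddress

# Constructed: the organisation's own ("inside") address block(s).
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_inside(addr):
    """True if addr falls in one of the inside networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)

def border_filter(direction, src):
    """Return 'accept' or 'drop' for a packet crossing the border router.
    direction is 'out' (leaving toward the Internet) or 'in' (arriving from it).
    Outbound rule: only inside source addresses may leave, so a local host
    cannot spoof somebody else's address toward the outside world.
    Inbound rule: an inside source address arriving from outside must be a
    spoof, since genuine inside hosts never enter through the border."""
    if direction == "out":
        return "accept" if is_inside(src) else "drop"
    if direction == "in":
        return "drop" if is_inside(src) else "accept"
    raise ValueError(f"unknown direction {direction!r}")

def filter_log(packets):
    """Apply border_filter to (direction, src, dst) records; keep the decision."""
    return [(d, s, t, border_filter(d, s)) for d, s, t in packets]

def drop_counts(decisions):
    """Summarise drops per direction, e.g. for an alert threshold."""
    counts = {"in": 0, "out": 0}
    for d, _s, _t, verdict in decisions:
        if verdict == "drop":
            counts[d] += 1
    return counts

# Constructed sample traffic seen at the border router.
SAMPLE = [
    ("out", "192.0.2.10", "198.51.100.5"),   # normal outbound traffic
    ("out", "203.0.113.9", "198.51.100.5"),  # inside host spoofing an outside address
    ("in",  "198.51.100.5", "192.0.2.10"),   # normal reply from the Internet
    ("in",  "192.0.2.99", "192.0.2.10"),     # outsider spoofing an inside address
]

if __name__ == "__main__":
    for rec in filter_log(SAMPLE):
        print(rec)
    print(drop_counts(filter_log(SAMPLE)))   # {'in': 1, 'out': 1}
```

Any packets dropped by the outbound rule point at a host on your own network that is spoofing, which is worth an investigation rather than just a counter.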

PROTOCOLS VULNERABLE TO SNIFFING:

Telnet and rlogin – The sniffer captures keystrokes as the user types them, including the username and password.

HTTP – Many web sites use basic authentication to send usernames and passwords, which can be seen by sniffers.

SNMP – Passwords are sent across the wire in clear text.

POP – Passwords and data are sent in clear text.

FTP – Passwords and data are sent in clear text.

DETECTION METHODS: 

Ping method – Slightly change the IP address of a workstation and ping it; if you receive a response, then you know someone is sniffing your network.

Decoy method – Set up a dummy terminal and server with fake user accounts and usernames/passwords. Once the data passes along the wire and is captured by the sniffer, the network will alert the administrator of the intrusion.

Hub lights – You can manually check the hub lights to see if there are any connections you don’t expect.

SNMP monitoring – Automated monitoring of the Ethernet that lets you make connections and disconnections to all of the ports. This may be one way of catching a sniffer on the network.

Antisniffing software – Antisniff has the ability to remotely detect computers that are packet sniffing; Promiscan searches for promiscuous nodes on the local net; Sysmon is a network monitoring tool. [11]
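The ping method works because of the behaviour described under “How a sniffer works”: a normal NIC discards frames not addressed to it, while a card in promiscuous mode passes everything up to the IP layer. The Python below is an added simulation, not code from the paper or from any of the tools listed; it models that NIC filter and then runs the probe in its usual form, an echo request for the target's IP carried in a frame with a deliberately wrong destination MAC (the paper describes the variant of altering an IP address instead). Host addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst_mac: str
    dst_ip: str
    payload: str = "echo-request"

@dataclass
class Host:
    """Toy host: a NIC address filter in front of a trivial IP layer."""
    mac: str
    ip: str
    promiscuous: bool = False
    captured: list = field(default_factory=list)

    def nic_accepts(self, frame):
        # Normal mode: only frames for this card's MAC or for broadcast pass.
        # Promiscuous mode: every frame on the segment is passed up.
        return self.promiscuous or frame.dst_mac in (self.mac, BROADCAST)

    def receive(self, frame):
        """Deliver a frame from the shared segment; return True if the host
        answers an echo request, i.e. its IP layer saw a packet for its own IP."""
        if not self.nic_accepts(frame):
            return False
        self.captured.append(frame)          # a sniffer keeps everything it sees
        return frame.payload == "echo-request" and frame.dst_ip == self.ip

def broadcast_segment(hosts, frame):
    """Put one frame on the shared segment and return the IPs that replied."""
    return [h.ip for h in hosts if h.receive(frame)]

def ping_test(hosts, target_ip, bogus_mac="00:00:00:00:00:01"):
    """Probe target_ip with an echo request in a frame whose destination MAC
    belongs to nobody. A normal NIC drops it; a promiscuous NIC passes it to
    the IP layer, which dutifully replies and so gives the sniffer away."""
    return broadcast_segment(hosts, Frame(dst_mac=bogus_mac, dst_ip=target_ip))

def suspected_sniffers(hosts):
    """Ping-test every host; those answering a mis-addressed probe are suspect."""
    return [ip for h in hosts for ip in ping_test(hosts, h.ip)]

# Constructed segment: one normal host and one host running a sniffer.
HOSTS = [Host("aa:aa:aa:aa:aa:01", "10.0.0.1"),
         Host("aa:aa:aa:aa:aa:02", "10.0.0.2", promiscuous=True)]

if __name__ == "__main__":
    print(suspected_sniffers(HOSTS))         # ['10.0.0.2']
```

Real operating systems differ in how strictly they filter mis-addressed frames, so a host that does not answer is not proof that nothing is sniffing; the test is one indicator alongside the others listed above.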

PROTECTING YOUR NETWORK:

One Time Password authentication: The password is sent across the network, but it is only good for one session. Tools that allow the password to be encrypted are also useful defenses.

Secure Ethernet Technology: There are newer implementations of Ethernet that send traffic only to the destination host and not to everyone (this works only locally).

Regular Inspections: Have system administrators look periodically for logical sniffers.

Inspect for physical sniffers: Walk the wiring and look for sniffer devices attached. Such a device can be a computer or a smaller unit attached via a “vampire clamp”.

Secure Email: There are commercial products that can protect your email in transit, protecting its contents from capture by sniffing.

Third party authentication: The use of certificates or smart card tokens can protect passwords (but not data) from sniffers.

Education: Awareness of the threat is very helpful.

Prohibit the installation and/or use of sniffers on any system in the network without the written approval of management authority. [12]

SUMMARY:

In summary, sniffers are great networking tools, but in the wrong hands they can be dangerous. They give administrators and other IT professionals the ability to isolate and detect network problems such as transmission collisions, unauthorized users, network equipment failures and unauthorized sniffers on the network. There are different types of sniffers on the market: some are freeware/shareware, some capture passwords, while others capture any and all data that comes across the network. In protecting your network against intruders, sniffers, along with other diagnostic hardware/software utilities, are powerful tools for keeping your network SAFE!


Bibliography

Bonsor, Kevin. “Packet Sniffers.” How Workplace Surveillance Works. Jan 30, 2001, (Mar 30, 2002). http://www.howstuffworks.com/workplace-surveillance2.htm

Gielda, Stephen. “Sniffers.” The Computer Professional Reference. Feb 20, 2001, (Apr 5, 2002). http://www.cotse.com

Graham, Robert. “Sniffing Network Wiretap, Sniffers.” Feb 24, 2002, (Apr 10, 2002). http://www.robertgraham.com/pubs/sniffing-faq.html

Posey, Brien. “Sniffing Out Packet Sniffers.” July 20, 2001, (Apr 7, 2002). http://www.networking.earthweb.com/netsecure/article

Stancin, Aleksandar. “Network Sniffers.” May 14, 2001, (Apr 7, 2002). http://www.net-security.org/text/articles/sniffers.shtml

Tanase, Matthew. “Sniffers: What They Are and How to Protect Yourself.” Feb 26, 2002, (Mar 30, 2002). http://www.online.securityfocus.com/infocus/1549

[1] Tanase, Matthew. “Sniffers: What They Are and How to Protect Yourself.” Feb 26, 2002, (Mar 30, 2002). http://online.securityfocus.com/infocus/1549

[2] Stancin, Aleksandar. “Network Sniffers.” May 14, 2001, (Apr 7, 2002). http://www.net-security.org/text/articles/sniffers.shtml

[3] Posey, Brien. “Sniffing Out Packet Sniffers.” July 20, 2001, (Apr 7, 2002). http://www.networking.earthweb.com/netsecure/article

[4] Bonsor, Kevin. “Packet Sniffers.” How Workplace Surveillance Works. Jan 30, 2001, (Mar 30, 2002). http://www.howstuffworks.com/workplace-surveillance2.htm

[5] Graham, Robert. “Sniffing Network Wiretap, Sniffer.” Feb 24, 2002, (Apr 10, 2002). http://robertgraham.com/pubs/sniffing-faq.html

[6] Bonsor, Kevin. “Packet Sniffers.” How Workplace Surveillance Works. Jan 30, 2001, (Mar 30, 2002). http://www.howstuffworks.com/workplace-surveillance2.htm

[7] Gielda, Stephen. “Sniffers.” The Computer Professional Reference. Feb 20, 2002, (Apr 5, 2002). http://www.cotse.com

[8] Gielda, Stephen. “Sniffers.” The Computer Professional Reference. Feb 20, 2002, (Apr 5, 2002). http://www.cotse.com

[9] Posey, Brien. “Sniffing Out Packet Sniffers.” July 20, 2001, (Apr 7, 2002). http://www.networking.earthweb.com/netsecure/article

[10] Graham, Robert. “Sniffing Network Wiretap, Sniffers.” Feb 24, 2002, (Apr 10, 2002). http://www.robertgraham.com/pubs/sniffing-faq.html

[11] Gielda, Stephen. “Sniffers.” The Computer Professionals Reference. Feb 20, 2002, (Apr 5, 2002). http://www.cotse.com

[12] Tanase, Matthew. “Sniffers: What They Are and How to Protect Yourself.” Feb 26, 2002, (Mar 30, 2002). http://www.online.securityfocus.com/infocus/1549