Computer Security and Penetration Testing: Sniffers

Sniffers, or packet sniffers, are applications that monitor and capture network data packets. There are several types of sniffers including bundled, commercial, and free. Bundled sniffers come with certain operating systems, while commercial sniffers can be used to detect network problems. Free sniffers perform similar functions but with less support. Sniffers work by putting the network interface card in promiscuous mode to read all network traffic on a segment. Common sniffer programs discussed in the document include Wireshark, Tcpdump, Snort, and Network Monitor.

Uploaded by Osei Sylvester

Computer Security and Penetration Testing

Chapter 4
Sniffers
Objectives
• Identify sniffers
• Recognize types of sniffers
• Discover the workings of sniffers
• Appreciate the functions that sniffers use on a
network

Computer Security and Penetration Testing 2


Objectives (continued)
• List types of sniffer programs
• Implement methods used in spotting sniffers
• List the techniques used to protect networks from
sniffers



Sniffers

• Sniffer, or packet sniffer
– Application that monitors, filters, and captures data
packets transferred over a network
• Sniffers are nearly impossible to detect in operation
– And can be implemented from nearly any computer
• Types of sniffer
– Bundled
– Commercial
– Free



Bundled Sniffers
• Come bundled with specific operating systems
• Examples
– Network Monitor comes bundled with Windows
– Tcpdump comes with many open source UNIX-like
operating systems, like Linux
– Snoop is bundled with the Solaris operating systems
– nettl and netfmt packet-sniffing utilities are bundled
with the HP-UX operating system



Bundled Sniffers (continued)



Commercial Sniffers
• Observe, monitor, and maintain information on a
network
• Some companies use sniffer programs to detect
network problems
• Can be used for both
– Fault analysis, which detects network problems
– Performance analysis, which detects bottlenecks



Free Sniffers
• Used to observe, monitor, and maintain information
on a network
• Can also be used for both fault analysis and
performance analysis
• Differences between commercial and free sniffers
– Commercial sniffers generally cost money, but
typically come with support
– Support on free sniffers is minimal



Sniffer Operation
• Sniffer must work with the type of network interface
– Supported by your operating system
• Sniffers look only at the traffic passing through the
network interface adapter
– On the machine where the application is resident
• You can read the traffic on the network segment
upon which your computer resides



Components of a Sniffer
• Hardware
– The NIC is the hardware component a sniffer most needs
• Capture Driver
– Captures the network traffic from the Ethernet
connection
– Filters out the information that you don’t want
• And then stores the filtered traffic information in a buffer
• Buffer
– Dynamic area of RAM that holds specified data



Components of a Sniffer (continued)
• Buffer (continued)
– Methods of storing captured data
• Stored until the buffer is full with information
• Round-robin method
• Decoder
– Interprets binary information and then displays it in a
readable format
• Packet Analysis
– Sniffers usually provide real-time analysis of captured
packets



Components of a Sniffer (continued)



Placement of a Sniffer
• A sniffer can be implemented anywhere in a network
• Sniffer is best strategically placed in a location where
only the required data will be captured
• Sniffers are normally placed on:
– Computers
– Cable connections
– Routers
– Network segments connected to the Internet
– Network segments connected to servers that receive
passwords



Placement of a Sniffer (continued)



MAC Addresses
• Media Access Control (MAC) address
– A unique identifier assigned to a computer
– Associated with the NIC attached to most networking
equipment
– Distinguishes a computer from the other computers on
the network



MAC Addresses (continued)



Data Transfer over a Network
• If a data packet is sent from Alice to Bob
– It must pass through many routers
• Routers first examine the destination Internet
Protocol (IP) address
– To direct the data packet to Bob
• Alice has the information about the first router and
the IP address of Bob’s PC
• Alice’s computer employs an Ethernet frame to
communicate with that router



Data Transfer over a Network
(continued)



Data Transfer over a Network
(continued)



Data Transfer over a Network
(continued)



Data Transfer over a Network
(continued)
• Transmission Control Protocol/Internet Protocol
(TCP/IP) stack in Alice’s computer
– Generates a frame to transmit the data packet to Bob
in Houston
• TCP/IP stack then transfers it to the Ethernet module
– Ethernet information is added
• Data is sent so that the TCP/IP stack at the opposite
end is able to process the frame
• CRC checks to verify that the Ethernet frame reaches
the destination without being corrupted



Data Transfer over a Network
(continued)
• Frame is sent to the Ethernet cabling within the
network or the private LAN
• All hardware adapters on the LAN can view the
frame
• Every adapter then compares the destination MAC
address in the frame with its own MAC address



The Role of a Sniffer on a Network
• Promiscuous mode
– A NIC can retrieve any data packet being transferred
throughout the Ethernet network segment
• A sniffer on any node on the network can record all
the traffic that travels
– By using the NIC’s built-in ability to examine packets
• A sniffer puts a network card into the promiscuous
mode by using a programmatic interface
• This interface can bypass the operating system’s TCP/IP
stack



The Role of a Sniffer on a Network
(continued)



Sniffer Programs
• Some sniffer programs are used for monitoring
purposes
– Others are written specifically for capturing
authentication information
• Partially functional sniffers have fallen out of favor



Wireshark (Ethereal)
• Probably the best-known and most powerful free
network protocol analyzer
– For UNIX/Linux and Windows
• Allows you to capture packets from a live network
and save them to a capture file on disk
• Data can be captured off the wire from a network
connection
– And can be read from Ethernet, FDDI, PPP, token-ring,
or X.25 interfaces



Tcpdump/Windump
• Most commonly bundled sniffer with Linux distros
• Widely used as a free network diagnostic and
analytic tool
• Configurable to allow for packet data collection
based on specific strings or regular expressions
• Can decode and monitor the header data of
– Internet Protocol (IP)
– Transmission Control Protocol (TCP)
– User Datagram Protocol (UDP)
– Internet Control Message Protocol (ICMP)
Tcpdump/Windump (continued)
• Monitors and decodes application-layer data
• Can be used for
– Tracking network problems, detecting ping attacks, or
monitoring network activities
• Commands
– tcpdump (for Linux)
– windump (for Windows)



Tcpdump/Windump (continued)



Tcpdump/Windump (continued)



Snort
• Can be used as a packet sniffer, packet logger, or
network intrusion detection system
• Logs packets into either binary or ASCII format
• Functions include
– Performing real-time traffic analysis
– Performing packet logging on IP networks
– Debugging network traffic
– Analyzing protocol
– Searching and matching content
– Detecting attacks, such as buffer overflows
Snort (continued)
• Snort works on the following platforms:
– Linux
– Solaris
– Windows NT
– Windows 2000
– Sun
– IRIX



Network Monitor
• Part of the Microsoft Windows NT, Windows 2000
Server, and Windows 2003 Server
• Functions
– Captures network traffic and translates it into a
readable format
– Supports a wide range of protocols
– Maintains the history of each network connection
– Supports high-speed as well as wireless networks
– Provides advanced filtering capabilities



Gobbler
• Antiquated MS-DOS-based sniffer that can run on
any system with Windows 95 or Windows NT
• Functions that are supported by Gobbler include
– Packet filtering
– Event triggering



Ethload
• Another MS-DOS terminal-based application
• A freeware packet sniffer that was written in the C
language for Ethernet and token-ring networks
• Cannot be used to sniff rlogin (UNIX-style remote
access) and Telnet sessions
• Ethload analyzes the following protocols:
– TCP/IP, DECnet, OSI, XNS, NetWare, and NetBios
Extended User Interface (NetBEUI)



Esniff
• Written in the C language by the hacker known as
“rokstar”
• Designed to sniff packets on SunOS by Sun
Microsystems
• Captures only the first 300 bytes of each packet
– Including the username as well as the password
• Esniff can support the following protocols:
– Telnet, FTP, rlogin



Dsniff
• Suite of powerful network auditing and penetration-testing
tools last updated in May 2002
• Includes many tools that allow you to
– Passively monitor a network
• Using filesnarf, dsniff, mailsnarf, msgsnarf, urlsnarf, or
webspy
– Intercept network traffic
• Using arpspoof, dnsspoof, and macof
– Perform man-in-the-middle attacks
• Via sshmitm and webmitm



Sniffit
• Network protocol analysis and monitoring tool last
updated in February 2005
• Captures TCP, UDP, and ICMP packets
• Can be configured to filter incoming packets
• Can handle Ethernet and Point-to-Point Protocol
(PPP) devices



Sunsniff
• Written in the C language
• Sniffer program written specifically for Sun
Microsystems operating systems



Linux_sniffer
• Written in the C language
• Linux-specific sniffer
• It is of interest mostly for historical reasons



Sniffer Pro
• Commercial product created by Network Associates,
Inc.
• Easy-to-use interface for capturing and viewing
network traffic
• Captures important authentication information
– Usernames and passwords



EtherPeek NX
• WildPackets’ Windows-based expert Ethernet
network analyzer
• Provides network engineers with expert diagnostics
• A commercial sniffer with a clean and useful interface
• Many features and technological innovations
– Real-time expert analysis on multiple adapters
– Application Response Time (ART) analysis
– Extensive application protocol decoding



Fluke Networks Protocol Analyzers
• Fluke Networks is a provider of network tools
– Its focus is on selling physical tools for network analysis
rather than selling only software
• Advantage of using an appliance
– Impossible to mishandle the installation of the software
if it is on a dedicated appliance
• With only one purpose or user
• Disadvantage of using an appliance
– Locks you into the appliance designer’s architecture
and vision



Detecting a Sniffer
• Since sniffer technology is passive
– It is difficult to detect sniffers
• You can only detect whether or not the suspect is
running his or her NIC in promiscuous mode
• Tools available to check for sniffers
– AntiSniff
– SniffDet
– Check Promiscuous Mode (cpm)
– Neped.c
– Ifstatus



DNS Test
• Some sniffers perform DNS lookups
– In order to replace IP addresses in their logs with fully
qualified host names
• Many tools exist to detect sniffers using this method
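The DNS test described above, as an added example that is not part of the slides: traffic is sent to a canary address that nothing legitimately uses, and the resolver's query log is checked for hosts that ask for that address's PTR record. The log line format and the sample lines are constructed for this example (a simplified BIND-style layout), not captured from a real network.

```python
import ipaddress
import re

# Canary address: traffic is sent to it while the resolver's query log is watched.
# Constructed value from the TEST-NET-2 documentation range; nothing legitimately uses it.
CANARY_IP = "192.0.2.77"

# Simplified BIND-style query log line (constructed format for this example)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name a resolver asks for when it does a PTR lookup of ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_query_log(lines):
    """Yield dicts with ts, client, qname and qtype for each line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hosts_resolving_canary(lines, canary_ip: str = CANARY_IP) -> set:
    """Client IPs that asked for the canary's PTR record. A host that never talked to
    the canary but resolves its address is a candidate sniffer doing name lookups."""
    target = reverse_name(canary_ip).lower()
    return {
        q["client"]
        for q in parse_query_log(lines)
        if q["qtype"] == "PTR" and q["qname"].rstrip(".").lower() == target
    }


# Constructed sample log (not from a real network): only 10.0.0.9 resolves the canary
SAMPLE_LOG = """\
10-Mar-2024 09:00:01.123 client 10.0.0.5#51234: query: www.example.com IN A
10-Mar-2024 09:00:02.456 client 10.0.0.9#40001: query: 77.2.0.192.in-addr.arpa IN PTR
10-Mar-2024 09:00:03.789 client 10.0.0.5#51235: query: 8.2.0.192.in-addr.arpa IN PTR
10-Mar-2024 09:00:04.000 client 10.0.0.9#40002: query: 77.2.0.192.in-addr.arpa IN A
""".splitlines()
```

A monitoring host that resolves every address it sees will also show up here, so a hit is a lead to confirm (for example by checking whether that host ever exchanged traffic with the canary), not proof by itself.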



Network Latency Tests
• Several methods use the delay in network latency to
determine a host’s likely sniffer activity
• It is possible to “measure” which of the machines are
working harder
– “Hard workers” are potential sniffer hosts



Ping Test
• Use AntiSniff to perform this test
• AntiSniff can send a packet that contains a legitimate
IP address, but a fake MAC address
– If a host responds to a ping sent with a fake MAC address,
that host must be in promiscuous mode



ARP Test
• When in promiscuous mode, the Windows driver for
the network card
– Examines only the first octet of the MAC address to
determine whether it is a broadcast packet
• AntiSniff can send a packet with a MAC address of
ff:00:00:00:00:00 and the correct destination IP
address of the host
– Causing the Microsoft OS to respond while in
promiscuous mode
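The frame filtering described in "Data Transfer over a Network" and "The Role of a Sniffer on a Network", together with the ARP test above, as an added example that is not part of the slides: it decodes an Ethernet II header, models which frames a NIC keeps in normal versus promiscuous mode, and models the first-octet-only broadcast check that makes a promiscuous host answer a probe sent to ff:00:00:00:00:00. The MAC addresses and frames are constructed for the example.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def parse_frame(frame: bytes):
    """Decode the 14-byte Ethernet II header into (dst MAC, src MAC, EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def nic_captures(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Hardware filter: a normal NIC keeps only frames addressed to its own MAC or to
    the broadcast MAC; a NIC in promiscuous mode keeps every frame on the segment."""
    dst = parse_frame(frame)[0]
    return promiscuous or dst == own_mac or dst == BROADCAST

def is_broadcast_exact(dst: bytes) -> bool:
    return dst == BROADCAST

def is_broadcast_first_octet(dst: bytes) -> bool:
    """The flawed driver check the ARP test relies on: only the first octet is
    inspected, so ff:00:00:00:00:00 is mistaken for the broadcast address."""
    return dst[0] == 0xFF

def stack_receives(frame, own_mac, promiscuous, broadcast_check=is_broadcast_exact):
    """Does the host's IP stack (and so its ARP/ICMP reply logic) see the frame?
    In normal mode the hardware filter has already decided. In promiscuous mode every
    frame reaches the driver, whose software check decides instead."""
    if not promiscuous:
        return nic_captures(frame, own_mac, False)
    dst = parse_frame(frame)[0]
    return dst == own_mac or broadcast_check(dst)

# Constructed sample MACs (locally administered, not real hosts) and frames
ALICE = bytes.fromhex("0200000000aa")
BOB = bytes.fromhex("0200000000bb")
WATCHER = bytes.fromhex("0200000000cc")    # a third host on the same segment
PROBE_DST = bytes.fromhex("ff0000000000")  # the bogus MAC from the ARP test
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806

ALICE_TO_BOB = build_frame(BOB, ALICE, ETHERTYPE_IP, b"hello bob")
ARP_PROBE = build_frame(PROBE_DST, ALICE, ETHERTYPE_ARP, b"who-has bob-ip")

def arp_test_answered(promiscuous: bool, broadcast_check) -> bool:
    """True if Bob's stack would answer the probe. Only a promiscuous NIC combined
    with the first-octet check does, which is the signal the ARP test looks for."""
    return stack_receives(ARP_PROBE, BOB, promiscuous, broadcast_check)
```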



Source-Route Method
• Uses a technique known as the loose-source route
– To locate sniffers on nearby network segments
• Adds the source-route information inside the IP
header of packets
– Routers ignore the destination IP address
• And forward the packet to the next IP address in the
source-route option



Decoy Method
• Involves setting up a client and a server on either side
of a network
• Server is configured with accounts that do not have
rights or privileges
– Or the server is virtual
• Client runs a script to log on to the server by using the
Telnet, POP, or IMAP protocol
• Hackers can grab the usernames and passwords
from the Ethernet
– And attempt to log on to the server



Commands
• Check if you are running in promiscuous mode
– ifconfig -a
• Check if you are running a sniffer on your own
computer
– ps aux
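The two checks above, as an added example that is not part of the slides: a parser that flags interfaces whose flags include PROMISC in either ifconfig -a or ip link output (it handles the older ifconfig layout as well), and a parser that picks known sniffer executables out of ps aux rows. The command output samples are constructed, not captured from a real host.

```python
import os
import re

# Constructed sample command output (not captured from a real host); eth1 is promiscuous
IFCONFIG_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.1.5  netmask 255.255.255.0  broadcast 10.0.1.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
"""
PS_SAMPLE = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 169000 11000 ?        Ss   09:00   0:01 /sbin/init
root        4242  0.3  0.2  45000 18000 pts/0    S+   09:05   0:00 tcpdump -i eth1 -w /tmp/cap.pcap
alice       4300  0.0  0.0  10000  3000 pts/1    R+   09:06   0:00 ps aux
"""

# An interface header line starts in column 0: "eth0: flags=..." (ifconfig),
# "2: eth0: <...>" (ip link) or "eth0      Link encap:..." (older ifconfig).
NAME_RE = re.compile(r"^(?:\d+: )?(?P<name>[A-Za-z0-9_.@-]+?):?\s")
PROMISC_RE = re.compile(r"(?<![A-Z_])PROMISC(?![A-Z_])")
# Executables the slides name as sniffers, plus the Wireshark command-line front end
KNOWN_SNIFFERS = ("tcpdump", "windump", "wireshark", "tshark", "snort", "dsniff", "sniffit")


def promiscuous_interfaces(text: str) -> list:
    """Names of interfaces whose flags contain PROMISC, for ifconfig or ip link output."""
    found, current = set(), None
    for line in text.splitlines():
        if line and not line[0].isspace():          # a new interface block begins
            m = NAME_RE.match(line)
            current = m.group("name") if m else None
        if current and PROMISC_RE.search(line):
            found.add(current)
    return sorted(found)


def sniffer_processes(ps_text: str) -> list:
    """(pid, command) for ps aux rows whose executable is a known sniffer.
    Caveat: only unrenamed binaries are caught, so pair this with the PROMISC check."""
    hits = []
    for line in ps_text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 10)                # COMMAND is field 11 and may contain spaces
        if len(fields) < 11:
            continue
        exe = os.path.basename(fields[10].split()[0])
        if exe in KNOWN_SNIFFERS:
            hits.append((int(fields[1]), fields[10]))
    return hits
```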



Commands (continued)



Time Domain Reflectometers (TDR)
Method
• Sends an electrical pulse in the wire and creates a
graph based on the reflections that emanate
• Provides distance information in a numerical format
• TDR can detect hardware packet sniffers attached to
the network that are otherwise silent



Protecting Against a Sniffer
• The heart of defense against a sniffer is to make the
data inconvenient to use
• Encourage the use of applications that use standards-
based encryption, such as:
– Secure Sockets Layer (SSL)
– Pretty Good Privacy (PGP) and Secure/Multipurpose
Internet Mail Extensions (S/MIME)
– Secure Shell (SSH)



Secure Sockets Layer (SSL)
• Designed by Netscape
• Provides data security between application protocols
• Secure Sockets Layer, or SSL
– Nonproprietary protocol providing data encryption,
server authentication, message integrity, and client
authentication for a TCP/IP connection
• SSL is built as a security standard into all Web
browsers and servers
• SSL comes in two forms, 40-bit and 128-bit



Pretty Good Privacy (PGP) and
Secure/Multipurpose Internet Mail
Extensions (S/MIME)
• E-mail messages can be sniffed at various points
• Basic requirements for securing e-mail messages
– Privacy
– Authentication
• Methods that ensure the security of e-mail messages
– PGP
– S/MIME



Secure Shell (SSH)

• Secure alternative to Telnet
• SSH protects against:
– IP spoofing
– Spoof attacks on the local network
– IP source routing
– DNS spoofing
– Interception of cleartext password
– Man-in-the-middle attacks



More Protection
• At OSI layer 2
– Enable port security on a switch
– Enforce static ARP
• At OSI layer 3
– IPSEC paired with secure, authenticated naming
services (DNSSEC)
• Firewalls can be a mixed blessing
– Sniffers are most effective behind a firewall, where
legacy cleartext protocols are often allowed by
corporate security policy



Summary
• A sniffer, or packet sniffer, is an application that
monitors, filters, and captures data packets
transferred over a network
• Bundled sniffers come built into operating systems
• Nonbundled sniffers are either commercial sniffers
with a cost of ownership or free sniffers
• The components of a sniffer are hardware, capture
driver, buffer, decoder, and packet analysis
• Sniffers need to be placed where they will get the
smallest aggregate network traffic



Summary (continued)
• The standard behavior in a TCP/IP network that sniffers
exploit is that all packets are passed to all the nodes in
the subnet
• Sniffers change the NIC operation mode to promiscuous
mode
• Wireshark (Ethereal), Tcpdump/Windump, Snort, and
Network Monitor are all modern packet sniffers
• Sniffit works on SunOS, Solaris, UNIX, and IRIX
• Sniffer Pro, EtherPeek NX, and Fluke Networks Protocol
Analyzers are examples of commercial packet sniffers



Summary (continued)
• Several tools exist, or have existed, to detect a sniffer
• All tools for protecting your network from a packet
sniffer involve some level of encryption
