Abstract: Sniffing is eavesdropping on the network. It can be used for monitoring the "health" of the network as well as capturing the passwords used in telnet, rlogin and ftp connections. This article describes a couple of well-known sniffers and describes an experiment with one of them. This experiment is a prerequisite to later experiments in TCP/IP exploits.
A packet sniffer is a program that eavesdrops on the network traffic. Like a telephone wiretap allows one to listen in on other people's conversations, a "sniffing" program lets someone tap into a network connection. Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B. Once a copy is made, the sniffer program can do, time and resources permitting, an arbitrary computation on the copy such as displaying it nicely in a GUI window. A sniffer can be used for a good purpose: to audit your own network, and to demonstrate the insecurity of plaintext network protocols. A sniffer machine can be discovered by other network tools.
In this lecture, we are considering sniffers where the sniffer (program/ machine) S network-topologically sits between A and B. This positioning would have been accomplished by other exploits. But, be aware that it is possible to route the messages between A and B to go past S even when A and B are on different subnets.
Sniffer activity occurs widely within organizations.
Below is a select list of example sniffers, for wired networks, from the open source archives. Visit http://www.packetstormsecurity.org/ and search for "sniffers." Many of these work on both Linux and Windows.
A sniffer process can
After conducting the experiment below, you should think about how all the above can be accomplished.
A sniffer program makes the network interface card (NIC) on the machine S enter into a so-called promiscuous mode. An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e., it ignores all frames whose destination MAC address does not match with its own. Through the NICs driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.
The typical NICs used in workstations and PCs can be put into promiscuous mode quite easily. In fact, on many NICs, it is possible to reprogram their MAC addresses. Network analyzing equipment deliberately and legitimately needs to observe all traffic, and hence be promiscuous.
Thus, the defense against sniffing is not really prevention but providing security solutions so that even if large amounts of data is sniffed, not much use can be made out of it. This is the major reason behind one-time passwords and encryption.
To detect a sniffing device that only collects data and is quiet, does not respond to any of the information, nor generate any of its own traffic, requires physically checking all your Ethernet connections by walking around, and observing the output of ifconfig -a or equivalent (which includes the word PROMISC). But a malicious sniffer is often not quiet as it needs to send the data gathered out to its owner.
It is difficult to remotely detect a sniffer by sending a packet or a "proper" ping if a machine is sniffing. The following techniques are useful to be included in security audit tools. Note that these techniques are attempting to determine that an NIC on the suspect machine is or is not in promiscuous mode, and if the suspected machine is on the same Ethernet segment as the detective node. The techniques will occasionally yield false alarms. The non-trusting assumption is that because it is in promiscuous mode, the machine must be running a sniffer.
The DNS Test In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up on those connections and resolve the IP addresses of the nonexistent hosts. Some packet sniffers perform reverse DNS lookups for the packets it captures. When reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the one requesting resolution of that nonexistent host.
The Ping Test This method relies on a problem in the target machine's kernel. we can construct an ICMP echo request with the IP address of the machine suspected of hosting a sniffer but with a deliberately mismatched MAC address. We send an ICMP echo packet to the target with the correct destination IP address, but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect. But in some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffer will grab this packet off the network as a legitimate packet and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode. Clever attackers are of course aware of this and can update their sniffers to filter out such packets as the NIC itself would have had it not been in promiscuous mode.
The ICMP Ping Latency Test In this method, we ping the target and note the round trip time (RTT), from there. We create hundreds of fake TCP connections on our network segment at a lightning rate. We expect the sniffer to be processing those packets at a rate where the target machine's network latency will increase. We then ping the target once again, and compare the RTT this time to the first time. After a series of tests and averages, we can conclude whether or not a sniffer is indeed running on the target.
The ARP Test We send out an ARP request to our target with all valid information except a bogus destination hardware address. A machine that is not in promiscuous mode would never see the packet, since it wasn't destined to them, therefore it wouldn't reply. If a machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply. By the machine replying, we know it is in promiscuous mode.
Use switches instead of hubs. However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.
All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 19 to 30. No other WSU facilities are allowed.
Objectives: 1. Run a sniffer program productively. 2. Use an anti-sniffer. 3. Download a tar ball or two, and build.
Link to Grading Sheet
This work is supported in part by NSF DUE-9951380.