Sniffers

Prabhaker Mateti

Abstract: Sniffing is eavesdropping on the network.  It can be used for monitoring the "health" of the network as well as capturing the passwords used in telnet, rlogin and ftp connections.  This article describes a couple of well-known sniffers and describes an experiment with one of them.  This experiment is a prerequisite to later experiments in TCP/IP exploits.

Table of Contents

  1. Educational Objectives
  2. Sniffers
    1. Examples of Sniffers
    2. Capabilities of Sniffers
    3. Promiscuous NIC
    4. Detection of Sniffers
    5. Prevention of Sniffing
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Become aware of a class of vulnerabilities known as sniffing.
  2. Learn how to setup and use a sniffer.
  3. Learn to configure and build tools widely available on the net.

Sniffers

A packet sniffer is a program that eavesdrops on the network traffic. Like a telephone wiretap allows one to listen in on other people's conversations, a "sniffing" program lets someone tap into a network connection. Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B. Once a copy is made, the sniffer program can do, time and resources permitting, an arbitrary computation on the copy such as displaying it nicely in a GUI window. A sniffer can be used for a good purpose: to audit your own network, and to demonstrate the insecurity of plaintext network protocols. A sniffer machine can be discovered by other network tools.

In this lecture, we are considering sniffers where the sniffer (program/ machine) S network-topologically sits between A and B. This positioning would have been accomplished by other exploits. But, be aware that it is possible to route the messages between A and B to go past S even when A and B are on different subnets.

Sniffer activity occurs widely within organizations.

Examples of Sniffers

Below is a select list of example sniffers, for wired networks, from the open source archives. Visit http://www.packetstormsecurity.org/ and search for "sniffers." Many of these work on both Linux and Windows.

  1. tcpdump: The grand daddy of packet sniffers. This is included in many Linux distributions.
  2. wireshark/ethereal: Excellent GUI based sniffer. It can dissect many protocols.
  3. hunt: A well written sniffer with some attack tools included.
  4. ettercap: It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters to server (emulating commands) or to client (emulating replies) while maintaining an established TCP connection.
  5. dsniff: As an article puts it, ``Dsniff is the Swiss army knife of privacy invasion''. Dsniff package includes dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, webspy, arpspoof, dnsspoof, macof, sshmitm, and webmitm.
  6. nast from http://nast.berlios.de/
  7. sniffit: Clever little packet sniffer, with no other functionality, with good filtering.

Capabilities of Sniffers

A sniffer process can

  1. intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time for this capability.
  2. determine the local gateway of an unknown network via passive sniffing.
  3. flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). This is no longer passive/ silent sniffing.
  4. become a simple password sniffer by minimally parsing each application protocol, and saving the "interesting" pieces.
  5. output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers, suitable for offline post-processing with log analysis tools.
  6. send URLs sniffed from a client to local web browser for display, updated in real-time (that is, as the target surfs, the local browser surfs along).

After conducting the experiment below, you should think about how all the above can be accomplished.

Promiscuous NIC

A sniffer program makes the network interface card (NIC) on the machine S enter into a so-called promiscuous mode. An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e., it ignores all frames whose destination MAC address does not match with its own. Through the NICs driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.

The typical NICs used in workstations and PCs can be put into promiscuous mode quite easily. In fact, on many NICs, it is possible to reprogram their MAC addresses. Network analyzing equipment deliberately and legitimately needs to observe all traffic, and hence be promiscuous.

Thus, the defense against sniffing is not really prevention but providing security solutions so that even if large amounts of data is sniffed, not much use can be made out of it. This is the major reason behind one-time passwords and encryption.

Detection of Sniffers

To detect a sniffing device that only collects data and is quiet, does not respond to any of the information, nor generate any of its own traffic, requires physically checking all your Ethernet connections by walking around, and observing the output of ifconfig -a or equivalent (which includes the word PROMISC). But a malicious sniffer is often not quiet as it needs to send the data gathered out to its owner.

It is difficult to remotely detect a sniffer by sending a packet or a "proper" ping if a machine is sniffing. The following techniques are useful to be included in security audit tools. Note that these techniques are attempting to determine that an NIC on the suspect machine is or is not in promiscuous mode, and if the suspected machine is on the same Ethernet segment as the detective node. The techniques will occasionally yield false alarms. The non-trusting assumption is that because it is in promiscuous mode, the machine must be running a sniffer.

The DNS Test In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up on those connections and resolve the IP addresses of the nonexistent hosts. Some packet sniffers perform reverse DNS lookups for the packets it captures. When reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the one requesting resolution of that nonexistent host.

The Ping Test This method relies on a problem in the target machine's kernel. we can construct an ICMP echo request with the IP address of the machine suspected of hosting a sniffer but with a deliberately mismatched MAC address. We send an ICMP echo packet to the target with the correct destination IP address, but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect. But in some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffer will grab this packet off the network as a legitimate packet and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode. Clever attackers are of course aware of this and can update their sniffers to filter out such packets as the NIC itself would have had it not been in promiscuous mode.

The ICMP Ping Latency Test In this method, we ping the target and note the round trip time (RTT), from there. We create hundreds of fake TCP connections on our network segment at a lightning rate. We expect the sniffer to be processing those packets at a rate where the target machine's network latency will increase. We then ping the target once again, and compare the RTT this time to the first time. After a series of tests and averages, we can conclude whether or not a sniffer is indeed running on the target.

The ARP Test We send out an ARP request to our target with all valid information except a bogus destination hardware address. A machine that is not in promiscuous mode would never see the packet, since it wasn't destined to them, therefore it wouldn't reply. If a machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply. By the machine replying, we know it is in promiscuous mode.

Prevention of Sniffing

Use switches instead of hubs. However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.

Lab Experiment

All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 19 to 30. No other WSU facilities are allowed.

Objectives: 1. Run a sniffer program productively. 2. Use an anti-sniffer. 3. Download a tar ball or two, and build.

  1. Setup a network of four PCs, P0, P1, P2, P3 with P1 and P2 as routers as in the NetUtils lab experiment.
  2. Run the sniffer program on, say, P1. Use the simple sniffit, and then once more any one of other sniffers mentioned above. Here are the details in building sniffit.
    1. Download sniffit.0.3.5.tar.gz file into a removable media device on the PC you are working on.
    2. Untar the src code. cd to the sniffit src directory. Run ./configure which creates a Makefile. (The configure script as bundled may prematurely exit on a modern Linux setup. Do the following and it will build. 1. Comment-out the "exit" on line 1001 of ./configure 2. Insert "target_os=linux-gnu" just above the line "case "$target_os" " (line 1095 or 1096) of ./configure 3. Re-run ./configure.)
    3. Do a make in the directory. The make will create an executable named sniffit. This is the sniffer program. (Build it in both Knoppix and BackTrack. Preferably use libpcap.so as installed in these distributions, typically located at /usr/ lib/ x86_64-linux-gnu/ libpcap.so.* instead of what was in the sniffit tarball.)
    4. Learn to use all the options of the sniffit program. Read the ReadMe.txt etc. man 5 sniffit. man 8 sniffit. (These files are also located in the un-tarred tree.)
    5. Comment on the source code quality of sniffit.
  3. Set up ssh, http, nfs, samba services, one each on the four machines. Log into P0, and "use" these services remotely. Sniff (on P1) while doing so. Include in the Lab Report only brief and interesting portions of what you sniffed.
  4. Describe which of the above six capabilities can be exercised/determined.
  5. Visit http://packetstormsecurity.org/. Search for anti-sniffers. Choose, build and install one. Evaluate how effective it is.
Turn in a Lab Report. Check the number of the lab on the course home page.

Link to Grading Sheet

Acknowledgements

This work is supported in part by NSF DUE-9951380.

References

  1. Brecht Claerhout, sniffit , http://reptile.rug.ac.be/~coder/sniffit/sniffit.html . (Local copy sniffit.0.3.5.tar.gz ) Reference. Download the source for the lab.
  2. Robert Graham, Sniffing (network wiretap, sniffer) FAQ. Search the web for a copy. Recommended Reading.
  3. Christopher Klaus, The computer-security/ sniffers FAQ, Jul 1997, http://www.faqs.org/faqs/ computer-security/sniffers/ Recommended Reading.

Copyright 2012 • pmateti@wright.edu Other Internet Security Lectures by Mateti