

Sniffer FAQ

Version: 1.7
-------------------------------------------------------------------------------
This Security FAQ is a resource provided by:

     Internet Security Systems, Inc.
     2000 Miller Court West            Tel: (770) 441-2531
     Norcross, Georgia  30071          Fax: (770) 441-2431

     - Internet Scanner ... the most comprehensive "attack simulator"
     available. -

-------------------------------------------------------------------------------
To get the newest updates of Security files check the following services:

     mail info@iss.net with "send index" in message
     http://iss.net/
     ftp iss.net /pub/

-------------------------------------------------------------------------------
This Sniffer FAQ will hopefully give administrators a clear understanding of
sniffing problems and of possible solutions to follow up with. Sniffers are
one of the main causes of mass break-ins on the Internet today.

This FAQ will be broken down into:

   *  What a sniffer is and how it works
   *  Where are sniffers available
   *  How to detect if a machine is being sniffed
   *  Stopping sniffing attacks:
        o  Active hubs
        o  Encryption
        o  Kerberos
        o  One-time password technology
        o  Non-promiscuous interfaces

-------------------------------------------------------------------------------

What a sniffer is and how it works

Unlike telephone circuits, computer networks are shared communication channels.
It is simply too expensive to dedicate local loops to the switch (hub) for each
pair of communicating computers. Sharing means that computers can receive
information that was intended for other machines. Capturing the information
going over the network is called sniffing.

The most popular way of connecting computers is through ethernet. The ethernet
protocol works by sending packet information to all the hosts on the same
circuit. The packet header contains the proper address of the destination
machine. Only the machine with the matching address is supposed to accept the
packet. A machine that is accepting all packets, no matter what the packet
header says, is said to be in promiscuous mode.

Because, in a normal networking environment, account and password information
is passed along ethernet in clear-text, it is not hard for an intruder, once
they obtain root, to put a machine into promiscuous mode and, by sniffing,
compromise all the machines on the net.

-------------------------------------------------------------------------------

Where are sniffers available

Sniffing is one of the most popular forms of attacks used by hackers. One
special sniffer, called Esniff.c, is very small, designed to work on Sunos, and
only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It
was published in Phrack, one of the most widely read freely available
underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c
is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log.

You may want to run Esniff.c on an authorized network to quickly see how
effective it is in compromising local machines.

Other sniffers that are widely available which are intended to debug network
problems are:

   *  Etherfind on SunOs4.1.x
   *  Snoop on Solaris 2.x and SunOs 4.1 (on ftp playground.sun.com)
   *  Tcpdump 3.0 uses bpf for a multitude of platforms.
   *  Packetman, Interman, Etherman, Loadman work on the following platforms:
     SunOS, Dec-Mips, SGI, Alpha, and Solaris. They are available on
     ftp.cs.curtin.edu.au:/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris2]/
     [etherman-1.1a|interman-1.1|loadman-1.0|packetman-1.1].tar.Z
     Packetman was designed to capture packets, while Interman, Etherman, and
     Loadman monitor traffic of various kinds.

     DOS based sniffers

   *  Gobbler for IBM DOS Machines
   *  ethdump v1.03
     Available on ftp
     ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
   *  ethload v1.04
     Companion utility to an ethernet monitor. Available on ftp
     ftp.germany.eu.net:/pub/networking/monitoring/ethload/ethld104.zip

Commercial Sniffers are available at:

   *  Network General.

          Network General produces a number of products. The most
          important is the Expert Sniffer, which not only sniffs on the
          wire, but also runs the packets through a high-performance expert
          system, diagnosing problems for you. There is an extension to
          this called the "Distributed Sniffer System" that allows you to
          put the console of the expert sniffer on your Unix workstation
          and to distribute the collection agents at remote sites.

   *  Microsoft's Net Monitor

          " My commercial site runs many protocols on one wire - NetBeui,
          IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most
          notably SNA. This posed a big problem when trying to find a
          sniffer to examine the network problems we were having, since I
          found that some sniffers that understood Ethernet II parse out
          some 802.3 traffic as bad packets, and vice versa. I found that
          the best protocol parser was in Microsoft's Net Monitor product,
          also known as Bloodhound in its earlier incarnations. It is able
          to correctly identify such oddities as NetWare control packets,
          NT NetBios name service broadcasts, etc, which etherfind on a
          Sun simply registered as type 0000 packet broadcasts. It
          requires MS Windows 3.1 and runs quite fast on an HP XP60 Pentium
          box. Top level monitoring provides network statistics and
          information on conversations by mac address (or hostname, if you
          bother with an ethers file). Looking at tcpdump style details is
          as simple as clicking on a conversation. The filter setup is
          also one of the easiest to implement that I've seen, just click
          in a dialog box on the hosts you want to monitor. The number of
          bad packets it reports on my network is a tiny fraction of that
          reported by other sniffers I've used. One of these other
          sniffers in particular was reporting a large number of bad
          packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't
          see them at all using the MS product. - Anonymous

-------------------------------------------------------------------------------

How to detect a sniffer running.

Detecting a sniffing device that only collects data and does not respond to any
of the information requires physically checking all your ethernet connections,
by walking around and checking the ethernet connections individually.

It is also impossible to remotely check, by sending a packet or a ping, whether
a machine is sniffing.

A sniffer running on a machine puts the interface into promiscuous mode, which
accepts all the packets. On some Unix boxes, it is possible to detect a
promiscuous interface. It is possible to run a sniffer in non-promiscuous mode,
but it will only capture sessions from the machine it is running on. It is also
possible for the intruder to do a similar capture of sessions by trojaning many
programs such as sh, telnet, rlogin, in.telnetd, and so on, to write a log file
of what the user did. They can easily watch the tty and kmem devices as well.
These attacks will only compromise sessions coming from that one machine, while
promiscuous sniffing compromises all sessions on the ethernet.

For SunOS, NetBSD, and possibly other BSD-derived Unix systems, there is a
command

     "ifconfig -a"

that will tell you information about all the interfaces and whether they are in
promiscuous mode. DEC OSF/1, IRIX, and possibly other OSes require the device
to be specified. One way to find out what interfaces are on the system is to
execute:

     # netstat -r
     Routing tables

     Internet:
     Destination      Gateway            Flags     Refs     Use  Interface
     default          iss.net            UG          1    24949  le0
     localhost        localhost          UH          2       83  lo0

Then you can test for each interface by doing the following command:

     # ifconfig le0
     le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
             inet 127.0.0.1 netmask 0xffffff00 broadcast 255.0.0.1

Intruders often replace commands such as ifconfig to avoid detection. Make sure
you verify its checksum.
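The check above, done by hand per interface, is easy to script. The following is an added example and not part of the original FAQ: it parses BSD-style "ifconfig -a" output, decodes the hex flags word against the PROMISC bit, and also reads the symbolic flag names, so the two views can be compared. It assumes the <net/if.h> flag layout shared by BSD-derived systems and Linux (IFF_PROMISC = 0x100); the sample listing embedded in it is constructed, not a real capture.

```python
# Added example (not from the original FAQ): scan BSD-style "ifconfig -a"
# output for promiscuous interfaces, checking both the hex flags word and the
# symbolic flag names, so a doctored or truncated listing cannot hide one.
import re
import subprocess

# Assumption: the host uses the <net/if.h> flag bits shared by BSD-derived
# systems and Linux, where IFF_PROMISC is 0x100.
IFF_PROMISC = 0x100

# Matches "le0: flags=8963<UP,BROADCAST,...,PROMISC,...>"; the <...> part is
# optional because some ifconfig versions print only the hex word.
_HEADER = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+):\s*flags=(?P<hex>[0-9a-fA-F]+)"
    r"(?:<(?P<names>[^>]*)>)?"
)


def promisc_from_flags(hex_word: str) -> bool:
    """True if the PROMISC bit is set in the hex word ifconfig prints."""
    return bool(int(hex_word, 16) & IFF_PROMISC)


def promisc_interfaces(ifconfig_output: str) -> list:
    """Names of interfaces flagged promiscuous by the bits or by the names.

    The two views should agree; if they do not, the binary or the kernel
    has been tampered with, which is a finding in itself.
    """
    found = []
    for line in ifconfig_output.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue
        by_bits = promisc_from_flags(m.group("hex"))
        by_name = "PROMISC" in (m.group("names") or "").split(",")
        if by_bits or by_name:
            found.append(m.group("name"))
    return found


# Constructed sample, not a real capture: le0 is promiscuous, the rest are not.
SAMPLE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST>
        inet 127.0.0.1 netmask 0xff000000
le0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
le1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
"""


def check_live_host() -> list:
    """Run the real ifconfig -a, if present, and scan its output."""
    proc = subprocess.run(["ifconfig", "-a"], capture_output=True,
                          text=True, check=False)
    return promisc_interfaces(proc.stdout)


if __name__ == "__main__":
    print("sample:", promisc_interfaces(SAMPLE))
    try:
        print("this host:", check_live_host())
    except FileNotFoundError:
        print("ifconfig is not installed here")
```

The script inherits the caveat given above: if ifconfig itself has been replaced, its output is worthless, so verify the binary's checksum first or run the check from a known-good copy on read-only media.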

There is a program called cpm, available on ftp.cert.org:/pub/tools/cpm, that
only works on SunOS and is supposed to check the interface for the promiscuous
flag.

Ultrix can possibly detect someone running a sniffer by using the commands
pfstat and pfconfig.

pfconfig allows you to set who can run a sniffer
pfstat shows you if the interface is in promiscuous mode.

These commands only work if sniffing is enabled by linking it into the kernel;
by default, the sniffer is not linked into the kernel. Most other Unix systems,
such as Irix, Solaris, SCO, etc., do not have any flag indicating whether they
are in promiscuous mode or not, therefore an intruder could be sniffing your
whole network and there is no way to detect it.

Often a sniffer log becomes so large that the file space is all used up. On a
high volume network, a sniffer will create a large load on the machine. These
sometimes trigger enough alarms that the administrator will discover a sniffer.
I highly suggest using lsof (LiSt Open Files) available from
coast.cs.purdue.edu:/pub/Purdue/lsof for finding log files and finding programs
that are accessing the packet device such as /dev/nit on SunOs.

There are no commands I know of to detect a promiscuous IBM PC compatible
machine, but they at least usually do not allow command execution unless from
the console, therefore remote intruders cannot turn a PC into a sniffer
without inside assistance.

-------------------------------------------------------------------------------

Stopping sniffing attacks

Active hubs send to each system only the packets intended for it, rendering
promiscuous sniffing useless. This is only effective for 10Base-T.

The following vendors have available active hubs:

   *  3Com
   *  HP

-------------------------------------------------------------------------------

Encryption

There are several packages out there that allow encryption between connections,
so that an intruder could capture the data but could not decipher it to make
any use of it.

Some packages available are:

   *  deslogin is one package available at ftp
     coast.cs.purdue.edu:/pub/tools/unix/deslogin .

   * swIPe is another package available at
     ftp.csua.berkeley.edu:/pub/cypherpunks/swIPe/

   * Netlock encrypts all (tcp, udp, and raw ip based) communications
     transparently. It has an automatic (authenticated Diffie-Hellman)
     distributed key management mechanism for each host and runs on SunOS 4.1
     and HP-UX 9.x systems. The product comes with a Certification Authority
     Management application which generates host certificates (X.509) used for
     authentication between the hosts, and provides centralized control of
     each host's communication rules.

     The product is built by Hughes Aircraft and they can be reached at
     800-825-LOCK or email at netlock@mls.hac.com.

-------------------------------------------------------------------------------

Kerberos

Kerberos is another package that encrypts account information going over the
network. Some of its drawbacks are that all the account information is held on
one host, and if that machine is compromised, the whole network is vulnerable.
It has been reported to be a major difficulty to set up. Kerberos comes with a
stream-encrypting rlogind, and a stream-encrypting telnetd is available. This
prevents intruders from capturing what you did after you logged in.

There is a Kerberos FAQ at ftp at rtfm.mit.edu in
/pub/usenet/comp.protocols/kerberos/Kerberos_Users__Frequently_Asked_Questions_1.11

-------------------------------------------------------------------------------

One time password technology

S/key and other one-time password technologies make sniffing account
information almost useless. The S/key concept is that your remote host already
knows a password that is never going to go over insecure channels; when you
connect, you get a challenge. You plug the challenge information and your
password into an algorithm which generates the response, and both sides get the
same answer if the password is the same on both sides. Therefore the password
never goes over the network, nor is the same challenge used twice. Unlike
SecureID or SNK, with S/key you do not share a secret with the host. S/key is
available on ftp:thumper.bellcore.com:/pub/nmh/skey
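To make the S/key concept concrete, here is an added example of the exchange; it is not code from the S/key distribution. It assumes the MD5-folded-to-64-bits hash of RFC 1760's MD5 variant and leaves out the rendering of the 64 bits as six short words. The server stores only the top of a hash chain plus a sequence number, the client keeps the secret, each accepted response replaces the stored value, and a sniffed response cannot be replayed. All values are constructed for the demonstration.

```python
# Added example (not the S/key distribution's own code): a minimal one-time
# password exchange in the S/key style. The server keeps only the top of a
# hash chain, the secret stays on the client, and each response is accepted
# exactly once.
import hashlib

# Assumption: MD5 folded to 64 bits, as in RFC 1760's MD5 variant; the real
# S/key also renders the 64 bits as six short words, which is omitted here.


def fold(digest: bytes) -> bytes:
    """XOR the two 8-byte halves of a 16-byte digest into 8 bytes."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_hash(value: bytes) -> bytes:
    """One step down the chain: folded MD5 of the previous value."""
    return fold(hashlib.md5(value).digest())


def otp(secret: str, seed: str, n: int) -> bytes:
    """The n-th password of the chain: skey_hash applied n times on top of
    the folded hash of seed+secret."""
    value = skey_hash((seed + secret).encode())
    for _ in range(n):
        value = skey_hash(value)
    return value


class SkeyServer:
    """Holds (sequence number, last accepted password); never the secret."""

    def __init__(self, secret: str, seed: str, count: int = 100):
        # Enrolment happens once, off the wire: the client computes the
        # top of the chain and hands it to the server out of band.
        self.seed = seed
        self.count = count
        self.stored = otp(secret, seed, count)

    def challenge(self) -> tuple:
        """What the server sends in the clear: sequence number and seed."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once gives the stored value."""
        if self.count <= 0 or skey_hash(response) != self.stored:
            return False
        self.stored = response      # move one step down the chain
        self.count -= 1             # so this response can never work again
        return True


def client_respond(secret: str, challenge: tuple) -> bytes:
    """Client side: compute the requested chain element from the secret."""
    n, seed = challenge
    return otp(secret, seed, n)


def demo() -> dict:
    """Two logins, a replay of a sniffed response, and a wrong secret.
    Constructed values; the secret never leaves client_respond."""
    secret = "correct horse battery"   # constructed; never transmitted
    srv = SkeyServer(secret, seed="is99001")
    first = client_respond(secret, srv.challenge())
    return {
        "first_login": srv.verify(first),
        "replay_of_first": srv.verify(first),
        "second_login": srv.verify(client_respond(secret, srv.challenge())),
        "wrong_secret": srv.verify(client_respond("guess", srv.challenge())),
    }


if __name__ == "__main__":
    print(demo())
```

Everything an eavesdropper sees (the challenge and the response) is one-way derived from the secret, and because the server only ever accepts the element one step below what it last stored, a captured response is dead the moment it is accepted. When the counter runs down the user re-enrols with a new seed and count.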

Other one time password technology is card systems where each user gets a card
that generates numbers that allow access to their account. Without the card, it
is improbable to guess the numbers.

The following are companies that offer solutions that provide better password
authentication (i.e., handheld password devices):

Secure Net Key (SNK)

Digital Pathways, Inc.
201 Ravendale Dr. Mountainview, Ca.
97703-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487

Secure ID

Security Dynamics,
One Alewife Center
Cambridge, MA 02140-2312
USA Phone: 617-547-7820
Fax: (617) 354-8836
Secure ID uses time slots as authentication rather than challenge/response.

ArKey and OneTime Pass

Management Analytics
PO Box 1480
Hudson, OH 44236
Email: fc@all.net
Tel:US+216-686-0090 Fax: US+216-686-0092

OneTime Pass (OTP):
This program provides unrestricted one-time pass codes on a user by user basis
without any need for cryptographic protocols or hardware devices. The user
takes a list of usable pass codes and scratches out each one as it is used. The
system tracks usage, removing each passcode from the available list when it is
used. Comes with a very small and fast password tester and password and pass
phrase generation systems.

ArKey:
This is the original Argued Key system that mutu

This page was created Wed Aug 11 13:00:10 EDT 1999