View Single Post
Old 2004-06-21, 02:40 PM   #10 (permalink)
mic64
Chapter 10 • Sniffing
Introduction
sniff (snif)
v. sniffed, sniff·ing, sniffs.
v. intr.
1. a. To inhale a short, audible breath through the nose, as in smelling
something.
b. To sniffle.
2. To use the sense of smell, as in savoring or investigating: sniffed at the jar
to see what it held.
3. To regard something in a contemptuous or dismissive manner: The critics
sniffed at the adaptation of the novel to film.
4. Informal.To pry; snoop: The reporters came sniffing around for more details.
As these definitions describe, the word sniffing has a number of meanings.
Although we believe that hackers generate irritating sniffling noises, sniff at jars
to determine their contents, and especially sniff in contempt, we really are interested
in the last meaning: the process of prying or snooping.
What Is Sniffing?
Sniffing is a method by which an attacker can compromise the security of a network
in a passive fashion. A sniffer, in network security circles, is a program or
tool that passively monitors a computer network for key information that the
attacker is interested in. In most cases, this information is authentication information,
such as usernames and passwords, which can be used to gain access to a
system or resource. Sniffers are included with most rootkits. If your UNIX
machine has been broken into, it is likely running a sniffer right now.
How Does It Work?
There are two techniques for sniffing: old-school and new-school. In the old
days, computers were connected via a shared medium. They all shared the same
local wire, and network traffic was seen by all computers. Network cards filtered
traffic in the hardware so that the attached computer would see only its own
traffic, and not anybody else’s. This wasn’t a security feature; it was designed to
avoid overloading the machine. Sniffing software disables this filter, putting the
card into what is known as “promiscuous mode.” The software is specially tuned
to deal with the flood of traffic, and then either analyze it or capture it.
www.syngress.com
These days, more and more computers are connected by switches. Rather
than distributing network traffic to all ends of the network, switches filter traffic
at the hub. This prevents the computer from seeing anybody else’s traffic, even
when it puts the adapter into promiscuous mode. Attackers must either actively
attack the switch/router fabric in order to redirect traffic flows (which we’ll
describe later), or content themselves to monitoring only the traffic flowing
through the box they’ve compromised.
When network traffic enters the machine, it is first handled by the Ethernet
driver. The driver then passes the traffic to the Transmission Control
Protocol/Internet Protocol (TCP/IP) stack, which will in turn pass it to applications.
Sniffing software connects directly to the Ethernet driver, making a copy of
it. UNIX provides a more open set of interfaces for doing this, whereas Windows
systems have provided few tools for this. Thus, sniffers are usually part of UNIX
rootkits, and seldom part of Windows rootkits.
What to Sniff?
When monitoring a network, there are many interesting pieces of data to look
for. In the most obvious case, authentication information (usernames and passwords)
can be captured, and then used to gain access to a resource. Other types of
information can also be monitored, such as e-mail and instant messages. Anything
passing over the network is open to peering eyes.
Obtaining Authentication Information
The following subsections provide examples of the various types of network
traffic that are attractive to an attacker who is monitoring your network. The following
sections are organized by the protocol or service that the traffic corresponds
to, and by no means represent a comprehensive listing.
In the example traffic in the next section, bold text indicates that it was sent
by a client program, and standard text indicates it was sent by the server. In
almost all cases, we are interested only in client-generated traffic, since this traffic
will contain the authentication information. More advanced sniffers may also
examine server result codes to filter out failed authentication attempts.
The following sections provide a brief overview of the types of authentication
information that can be gleaned from the respective protocols. These examples
have been simplified, and in some cases, the current versions of these
protocols support more advanced authentication mechanisms that alleviate the
risks shown. In the case of common Internet protocols, a Request for Comments
(RFC) that can elaborate on its specifications is available.
Sniffing • Chapter 10 363
364 Chapter 10 • Sniffing
Monitoring Telnet (Port 23)
Telnet historically has been the service that an attacker will monitor when
attempting to obtain login information. Telnet provides no session-level security,
sending username and password information in plaintext across a network as
shown here:
[~] % telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
login: oliver
Password: welcome
[18:10:03][redhat61]
[~] %
Monitoring FTP (Port 21)
The File Transfer Protocol (FTP) service, used for file transmissions across the
network, also sends its authentication information in plaintext. Unlike Telnet,
FTP can also be used to allow anonymous access to files, whereby a user uses the
username “anonymous” or “ftp” and issues an arbitrary password. FTP protocol
information is normally hidden by a friendly client interface; however, the underlying
authentication traffic appears as follows on a network:
[~] % telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT
1999) ready.
USER oliver
331 Password required for oliver.
PASS welcome
230 User oliver logged in.
Monitoring POP (Port 110)
The Post Office Protocol (POP) service is a network server by which client-based
e-mail programs are connected to access a user’s e-mail on a central server.
POP servers appear commonly on an Internet service provider’s (ISP’s) network,
to provide e-mail delivery to customers. POP traffic is often not encrypted,
sending authentication information in plaintext. Username and password information
is specified to the remote server via the USER and PASS commands. An
example of the protocol is as follows:
[~] % telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK POP3 localhost v7.59 server ready
USER oliver
+OK User name accepted, password please
PASS welcome
+OK Mailbox open, 24 messages
Note that extensions to the POP protocol exist, which prevent authentication
information from being passed on the network in the clear, in addition to session
encryption.
Monitoring IMAP (Port 143)
The Internet Message Access Protocol (IMAP) service is an alternative protocol to
the POP service, and provides the same functionality. Like the POP protocol,
authentication information is in many cases sent in plaintext across the network.
IMAP authentication is performed by sending a string consisting of a user-selected
token, the LOGIN command, and the username and password as shown here:
[~] % telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK localhost IMAP4rev1 v12.250 server ready
A001 LOGIN oliver welcome
A001 OK LOGIN completed
Note that extensions to the IMAP protocol exist, which prevent authentication
information from being passed on the network in the clear, in addition to
session encryption.
Monitoring NNTP (Port 119)
The Network News Transport Protocol (NNTP) supports the reading and
writing of Usenet newsgroup messages. NNTP authentication can occur in many
ways. In legacy systems, authentication was based primarily on a client’s network
address, restricting news server access to only those hosts (or networks) that were
within a specified address range. Extensions to NNTP were created to support
various authentication techniques, including plaintext and encrypted challenge
response mechanisms. The plaintext authentication mechanism is straightforward
and can easily be captured on a network. It appears as follows:
[~] % telnet localhost 119
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 Welcome to My News Server (Typhoon v1.2.3)
AUTHINFO USER oliver
381 More Authentication Required
AUTHINFO PASS welcome
281 Authentication Accepted
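The FTP, POP, IMAP and NNTP exchanges above all put the credential in one or two client lines, which is exactly what an audit rule for "cleartext authentication still in use on my network" can key on. The following is an added example, not code from the book or from any of the sniffers it discusses; the connection records it reads are constructed inline, the port-to-protocol table and the redaction policy are my assumptions, and Telnet is deliberately left out because its login is typed a character at a time and needs stream reassembly first.

```python
"""Audit rule for cleartext authentication in captured client traffic.

Added example, not from the book or from dsniff: it recognises the credential
commands the chapter shows for FTP, POP, IMAP and NNTP and emits one event
per login with the password reduced to its length. The sample records are
constructed here. Telnet is left out: its login is typed character by
character and needs TCP stream reassembly before a rule like this applies.
"""
import re

# Two-step protocols: a USER-style line followed by a PASS-style line on the
# same connection. Keyed by server port; each pattern captures the value.
TWO_STEP = {
    21:  ("ftp",  re.compile(r"^USER (\S+)$", re.I),
                  re.compile(r"^PASS (\S*)$", re.I)),
    110: ("pop3", re.compile(r"^USER (\S+)$", re.I),
                  re.compile(r"^PASS (\S*)$", re.I)),
    119: ("nntp", re.compile(r"^AUTHINFO USER (\S+)$", re.I),
                  re.compile(r"^AUTHINFO PASS (\S*)$", re.I)),
}
# IMAP sends both in one line: <tag> LOGIN <user> <password>
IMAP_LOGIN = re.compile(r"^(\S+) LOGIN (\S+) (\S+)$", re.I)
# Anonymous FTP (username "anonymous" or "ftp") carries no real credential.
FTP_ANON = {"anonymous", "ftp"}


def audit_cleartext_auth(records):
    """records: iterable of (connection_id, server_port, client_line).

    Returns a list of events {conn, proto, user, password_len}. The password
    itself is never stored; its length is enough to prove it was exposed.
    """
    pending = {}   # connection_id -> username waiting for its PASS line
    events = []
    for conn, port, line in records:
        line = line.rstrip("\r\n")
        if port == 143:
            m = IMAP_LOGIN.match(line)
            if m:
                events.append({"conn": conn, "proto": "imap",
                               "user": m.group(2),
                               "password_len": len(m.group(3))})
            continue
        rule = TWO_STEP.get(port)
        if rule is None:
            continue            # not a protocol this rule covers (e.g. HTTP)
        proto, user_re, pass_re = rule
        m = user_re.match(line)
        if m:
            user = m.group(1)
            if proto == "ftp" and user.lower() in FTP_ANON:
                pending.pop(conn, None)   # anonymous login: nothing to protect
            else:
                pending[conn] = user
            continue
        m = pass_re.match(line)
        if m and conn in pending:
            events.append({"conn": conn, "proto": proto,
                           "user": pending.pop(conn),
                           "password_len": len(m.group(1))})
    return events


# Constructed client-side lines, modelled on the chapter's transcripts.
SAMPLE = [
    ("c1", 21,  "USER oliver"),           ("c1", 21,  "PASS welcome"),
    ("c2", 110, "USER oliver"),           ("c2", 110, "PASS welcome"),
    ("c3", 143, "A001 LOGIN oliver welcome"),
    ("c4", 119, "AUTHINFO USER oliver"),  ("c4", 119, "AUTHINFO PASS welcome"),
    ("c5", 21,  "USER anonymous"),        ("c5", 21,  "PASS guest@example.com"),
    ("c6", 80,  "GET / HTTP/1.0"),
    ("c7", 110, "PASS orphan"),           # PASS with no USER: ignored
]

if __name__ == "__main__":
    for e in audit_cleartext_auth(SAMPLE):
        print(f"{e['conn']}: {e['proto']} login for {e['user']} "
              f"with a {e['password_len']}-character plaintext password")
```

Each event is a reason to move that client to the encrypted variant of the protocol; the rule deliberately keeps nothing an attacker could reuse.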
Monitoring rexec (Port 512)
The rexec service, called rexecd on almost all UNIX-based operating systems, is a
legacy service used for executing commands remotely. The service performs
authentication via plaintext username and password information passed to the
server by a client. The service receives a buffer from the client consisting of the
following data:
- An ASCII port number, specifying a port for the server to connect to, to
send standard error information. This is a port on the client host that
will be awaiting this connection. 0 is specified if this is not desired. This
string is NULL terminated.
- A NULL terminated username, 16 characters long or less.
- A NULL terminated password, 16 characters long or less.
- A NULL terminated command to be executed on the remote host.
An example authentication request may appear as follows:
0\0oliver\0welcome\0touch /tmp/hello\0
If authentication was successful, a NULL byte is returned by the server;
otherwise, a value of 1 is returned in addition to an error string.
Monitoring rlogin (Port 513)
The rlogin protocol provides much the same functionality as the Telnet protocol,
combined with the authentication mechanism of the rexec protocol, with some
exceptions. It supports trust relationships, which are specified via a file called
rhosts in the user’s home directory. This file contains a listing of users and the
hosts on which they reside, who are allowed to log in to the specified account
without a password. Authentication is performed instead by trusting that the user
is who the remote rlogin client says he or she is. This authentication mechanism
works only among UNIX systems, and is extremely flawed in many ways; therefore,
it is not widely used on networks today. If a trust relationship does not exist,
username and password information is still transmitted in plaintext over this protocol
in a similar fashion to rexec:
- An ASCII port number, specifying a port for the server to connect to, to
send standard error information. This is a port on the client host that
will be awaiting this connection. 0 is specified if this is not desired. This
string is NULL terminated.
- A NULL terminated client username, 16 characters long or less.
- A NULL terminated server username, 16 characters long or less.
- A NULL terminated string consisting of the terminal type and speed.
The server then returns a 0 byte to indicate it has received these. If authentication
via the automatic trust mechanism fails, the connection is then passed to
the login program, at which point a login proceeds as it would have if the user
had connected via the Telnet service.
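The rexec and rlogin request layouts just described are simple enough to decode directly, and a monitor that does so can record that an r-service login happened without keeping the password. This is an added example, not code from the book; the sample buffers follow the chapter's "0\0oliver\0welcome\0..." form, and the 16-character limit and the audit-line wording are taken from the text above and my own choices respectively.

```python
r"""Decoder for rexec (port 512) and rlogin (port 513) request buffers.

Added example, not from the book: it parses the NUL-separated request
layouts the chapter describes so a monitor can log *that* a plaintext
credential crossed the wire without retaining the secret. The sample
buffers are constructed from the chapter's "0\0oliver\0welcome\0..." form.
"""
from dataclasses import dataclass

MAX_NAME = 16   # the chapter: user and password fields are 16 characters or less


@dataclass
class RexecRequest:
    stderr_port: int          # 0: client did not ask for a stderr connection
    username: str
    password_len: int         # length only; the secret itself is discarded
    command: str


@dataclass
class RloginRequest:
    stderr_port: int
    client_user: str
    server_user: str
    terminal: str             # "termtype/speed", e.g. "xterm/38400"


def _fields(buf: bytes, count: int) -> list:
    """Split a buffer of `count` NUL-terminated strings, rejecting anything else."""
    if not buf.endswith(b"\0"):
        raise ValueError("request is not NUL terminated")
    parts = buf[:-1].split(b"\0")
    if len(parts) != count:
        raise ValueError(f"expected {count} fields, got {len(parts)}")
    return [p.decode("ascii", errors="replace") for p in parts]


def _port(field: str) -> int:
    """The stderr port is sent as ASCII digits; 0 means 'none'."""
    if not field.isdigit() or int(field) > 65535:
        raise ValueError(f"bad port field {field!r}")
    return int(field)


def _name(field: str, what: str) -> str:
    if len(field) > MAX_NAME:
        raise ValueError(f"{what} exceeds {MAX_NAME} characters")
    return field


def parse_rexec(buf: bytes) -> RexecRequest:
    r"""port\0username\0password\0command\0"""
    port, user, password, command = _fields(buf, 4)
    return RexecRequest(_port(port), _name(user, "username"),
                        len(_name(password, "password")), command)


def parse_rlogin(buf: bytes) -> RloginRequest:
    r"""port\0client-user\0server-user\0termtype/speed\0 (no password here:
    .rhosts trust is tried first, then the server hands off to login)."""
    port, cuser, suser, term = _fields(buf, 4)
    return RloginRequest(_port(port), _name(cuser, "client username"),
                         _name(suser, "server username"), term)


def describe(dst_port: int, buf: bytes) -> str:
    """One audit line for a captured request to port 512 or 513."""
    if dst_port == 512:
        r = parse_rexec(buf)
        return (f"rexec: {r.username} sent a {r.password_len}-char plaintext "
                f"password to run {r.command!r}")
    if dst_port == 513:
        r = parse_rlogin(buf)
        return (f"rlogin: {r.client_user} requests {r.server_user} "
                f"({r.terminal}); password, if any, follows via login")
    raise ValueError(f"not an r-service port: {dst_port}")


if __name__ == "__main__":
    # Constructed requests in the chapter's format
    print(describe(512, b"0\0oliver\0welcome\0touch /tmp/hello\0"))
    print(describe(513, b"0\0oliver\0oliver\0xterm/38400\0"))
```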
Monitoring X11 (Port 6000+)
The X11 Window system uses a “magic cookie” to perform authorization against
clients attempting to connect to a server. A randomly generated 128-bit cookie is
sent by X11 clients when connecting to the X Window server. By sniffing this
cookie, an attacker can use it to connect to the same X Window server. Normally,
this cookie is stored in a file named .Xauthority within a user’s home directory.
This cookie is passed to the X Window server by the xdm program at logon.
Monitoring NFS File Handles
The Network File System (NFS), originally created by Sun Microsystems, relies
on what is known as an NFS file handle to grant access to a particular file or
directory offered by a file server. By monitoring the network for NFS file handles,
it is possible to obtain this handle, and use it yourself to obtain access to the
resource. Unfortunately, the NFS protocol uses Open Network Computing-
Remote Procedure Call (ONC-RPC) to perform its operations, which introduces
more complexity than a plaintext authentication mechanism. This does not
provide more security; however, it makes it difficult to provide example network
traffic in this book.
The process by which a legitimate NFS client accesses a file system on a
server is as follows:
- The user issues a mount request, attempting to mount a remote file
system.
- The local operating system contacts an RPC service on the remote host
called rpc.mountd, passing it the name of the file system it wishes to
access.
- The mountd program performs an access validation check to determine
whether the request came from a privileged port on the client host, and
whether the client host has been given permission to access the target
host.
- The mountd program sends a reply back to the client, including an NFS
file handle that provides access to the root of the file system the user
wishes to access.
- The client program now contacts the NFS daemon (nfsd) on the target
host, passes in the file handle, and obtains access to the resource.
Capturing Windows NT Authentication Information
Windows operating systems support a number of different authentication types,
each of which progressively increases its security. The use of weak Windows NT
authentication mechanisms, as explained next, creates one of the weakest links in
Windows NT security. The authentication types supported are explained here:
- Plaintext: Passwords are transmitted in the clear over the network.
- Lan Manager (LM): Uses a weak challenge response mechanism
where the server sends a challenge to the client, which it uses to encrypt
the user’s password hash and then send it back to the server. The server
does the same, and compares the result to authenticate the user. The
mechanism with which this hash is transformed before transmission is
very weak, and the original hash can be sniffed from the network and
cracked quite easily. In Windows NT 4, even though a stronger authentication
mechanism is available (NTLM), the LM hash was still sent over
the network along with the NTLM hash, which lowers the security to
the security of the LM mechanism.
- NT Lan Manager (NTLM) and NT Lan Manager v2 (NTLMv2):
NTLM and NTLMv2 provide a much stronger challenge/response
mechanism, which has made it much more difficult to crack captured
authentication requests. NTLMv2 was introduced with the release of
Service Pack 4 for Windows NT 4.0. NTLMv2 should be used if possible;
however, care must be taken to ensure that your clients can support
the protocol. You may need to install additional software on the clients
to allow them to use NTLMv2.
The development of these mechanisms occurred in a series of iterative steps,
as weaknesses were found in each prior implementation (fortunately, the weaknesses
became less significant with each improvement).
There are specialized sniffers that support only the capture of Windows NT
authentication information. A good example is one included with the L0phtcrack
program (which is exclusively a Windows NT password cracker). The documentation
that comes with L0phtcrack explains in great detail how Windows NT
password hashes are created. L0phtcrack can be obtained at
http://stake.com/research/lc3.
Capturing Other Network Traffic
Although the ports we just examined are the most commonly sniffed due to
cleartext authentication information being passed, they are not the only ones that
an attacker may find of interest. A sniffer may be used to capture interesting
traffic on other ports, as shown in this section.
Monitoring SMTP (Port 25)
Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail on the Internet
and internally in many organizations. E-mail has been and always will be an
attractive target for an attacker. An attacker’s goal may be to watch the network
administrator to determine whether he has been discovered, or it may be a much
more sinister activity. It is not hard to believe that in today’s competitive business
environment, the goal can be to monitor the network for internal company
information, such as merger and acquisition data, and partnership information. All
of this usually can be gleaned by reading e-mail that has been sent over the network.
The dsniff sniffer, explained in more detail later, includes a program designed
to capture e-mail messages from the network:
mailsnarf outputs e-mail messages sniffed from SMTP and POP
traffic in Berkeley mbox format, suitable for offline browsing with
your favorite mail reader (mail(1), pine(1), etc.). —dsniff FAQ
Monitoring HTTP (Port 80)
Hypertext Transfer Protocol (HTTP) is used to pass Web traffic. This traffic, usually
destined for port 80, is commonly monitored more for statistics and network
usage than for its content. Although HTTP traffic can contain authentication
information and credit card transactions, this type of information more commonly
is encrypted via Secure Sockets Layer (SSL). Commercial products are
available to monitor this usage for organizations that find it acceptable to track
their users’ Web usage.
The dsniff sniffer also includes a program designed specifically to capture
URL requests from the network:
urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF
(Common Log Format, used by almost all Web servers), suitable for
offline post-processing with your favorite Web log analysis tool
(analog, wwwstat, etc.). —dsniff FAQ
Popular Sniffing Software
There have been many sniffer programs written throughout the history of network
monitoring. We examine a few key programs here. Note that it is not our
intention to provide a comprehensive list of sniffers, only some example implementations.
We examine both commercial implementations, used for network
diagnostics, and implementations written purely for capturing authentication
information. More implementations can be found at your nearest security site,
such as www.securityfocus.com.
Ethereal
Ethereal is one of the newest protocol analyzers, having appeared on the scene
around 1998. However, due to its open source nature, Ethereal has become one
of the most popular protocol analyzers. Because of the community of developers,
it decodes more protocols than many commercial offerings. For UNIX-based systems,
it is by far the best protocol analyzer. However, although it runs on
Windows, it doesn’t have quite the same polish that Windows users expect. The
user interface is based upon Gtk, so it has a very UNIX-like feel to it.
Figure 10.1 shows the Ethereal capture window. One of the useful features of
Ethereal is live decodes. Most protocol analyzers cannot display the captured data
until after capture has been halted. Such live decodes are thought to be a bad feature
because network traffic can flow by at 10,000 packets per second, far faster
than humans can keep up. However, most users of a sniffer will create capture filters
that discard most of the traffic anyway.
Figure 10.1 Ethereal Capture Preferences
Once captured, the packets are stored in a buffer and shown in a typical
three-pane display (see Figure 10.2). This was the display format chosen by the
original Sniffer Protocol Analyzer, and has been adopted by all other products.
The top window shows a line-by-line summary of each packet. The second
window shows the detailed decode of the current packet highlighted in the summary
window. The third window shows a hex dump of the same packet. Clicking
on a field in the detail window causes the equivalent characters to be highlighted
in the hex window.
Network Associates Sniffer Pro
Sniffer Pro is a commercial product (the name “Sniffer” itself is a trademark of
Network Associates, Inc.). The product may very well be where the hacker-derived
name originated, as it existed long before targeted password capturing
programs were available. The Sniffer Pro product from Network Associates provides
an easy-to-use interface for capturing and viewing network traffic. One
Figure 10.2 Ethereal Protocol Decodes
major benefit of commercial products is that they support a vast range of network
protocols, and display the decoded protocol data in a very easy-to-read
manner. Sniffer Pro runs in two primary modes: first, it captures network traffic,
and second, it decodes and displays it.
Figure 10.3 shows Sniffer Pro running in capture mode; network statistics and
data are displayed in the dials shown.
Once captured, data is decoded and displayed in an easy-to-read fashion. In
Figure 10.4, we can see that Sniffer Pro has decoded the HTTP request for us.
Inside, we can see some relevant variables being passed, alias and pw. For this Web
application, those are the username and password.
Figure 10.3 Sniffer Pro in Capture Mode
NT Network Monitor
Windows NT server ships with network monitoring software called Network
Monitor, or Netmon for short. This version of Netmon captures only traffic
entering or leaving the server on which it is installed. There are versions of
Netmon for Windows 2000 and Windows XP with the same restriction.
However, there is a version of Netmon that captures all traffic. That version is
available with Systems Management Server (SMS). Netmon provides some
advantages over other commercial network analyzers, in that it has the ability to
decode some proprietary Microsoft network traffic, which has no open specifications.
Good examples of this type of traffic are the many different MS-RPC services
that communicate using named pipes over Windows NT networking.
Although Netmon does not decode all of these MS-RPC services, it does decode
a significant portion, which would not otherwise be understood.
Figure 10.4 Sniffer Pro Displaying Captured Data
Network Monitor’s operation is very similar to Sniffer Pro’s, as it provides
both a capture (see Figure 10.5) and view (see Figure 10.6) mechanism that provide
the same functionality.
WildPackets
One of the oldest protocol analyzers is EtherPeek by WildPackets (formerly provided
by the A.G. Group). It is available for the Macintosh as well as Windows (it
was originally written more than 10 years ago for the Macintosh). EtherPeek has
interesting real-time displays and decodes and other interesting features (download
from www.wildpackets.com for a demo version). Today, it is primarily
notable for its AiroPeek version that sniffs IEEE 802.11b wireless networks.
Figure 10.5 Network Monitor in Capture Mode
TCPDump
TCPDump is by far the most popular network diagnostic and analysis tool for
UNIX-based operating systems. TCPDump monitors and decodes all IP, TCP,
User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP)
header data, in addition to some application layer data (mostly network infrastructure
protocols). TCPDump was not written as an attacker’s tool, and is not
designed to assist an attacker who wishes to monitor the network. That being
said, it does provide a good starting point for anyone intending to write a sniffer,
and since its source code is free, it provides interesting reading.
Figure 10.6 Network Monitor in View Mode
TCPDump can be obtained from www.tcpdump.org. Many modifications
have been made to TCPDump in recent years to add support for a wide range of
additional protocols.
dsniff
dsniff is a sniffing toolkit provided by Dug Song. dsniff is available on his Web site
at www.monkey.org/~dugsong/dsniff, or at a number of mirror sites.
dsniff is most famous for its authentication (usernames, passwords) sniffing capabilities.
The current version of dsniff will decode authentication information for the
following protocols: AOL Instant Messenger, Citrix Winframe, Concurrent Versions
System (CVS), FTP, HTTP, ICQ, IMAP, Internet Relay Chat (IRC), Lightweight
Directory Access Protocol (LDAP), RPC mount requests, Napster, NNTP, Oracle
SQL*Net, Open Shortest Path First (OSPF), PC Anywhere, POP, PostgreSQL,
Routing Information Protocol (RIP), Remote Login (rlogin), Windows NT
plaintext (SMB), Network Associates Sniffer Pro (remote), Simple Network
Management Protocol (SNMP), Socks, Telnet, X11, and RPC yppasswd.
Notes from the Underground…
dsniff Used against the Author
The following sample output from dsniff was captured by Dug Song,
who successfully captured my password at the CanSecWest 2001 security
conference. It happened because Outlook automatically checks POP3
servers, even when you just open it to grab someone’s contact information.
I quickly changed the password, just in time—the remainder of
dsniff output captures somebody else attempting to log on with that
password, presumably another person using dsniff who had captured
the password.
-----------------
03/28/01 18:43:24 tcp 192.168.1.201.1035 ->
216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2
-----------------
03/29/01 02:07:41 tcp 192.168.1.243.1837 ->
216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2
-----------------
03/29/01 02:07:08 tcp 192.168.1.243.1836 ->
64.58.76.98.80 (http)
POST /config/login?84gteu3f1fmvt HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 147
.tries=1&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=86
3imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert
_david_graham&passwd=Cerveza2
-----------------
03/29/01 02:06:48 tcp 192.168.1.243.1835 ->
64.58.76.98.80 (http)
POST /config/login?15aeb5g14endr HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 146
.tries=&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=863
imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert
_david_graham&passwd=Cerveza2
-----------------
03/31/01 17:07:38 tcp 192.168.1.243.1307 ->
216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2
With today’s switched networks and encrypted protocols, password sniffing
doesn’t always work as well as we might hope. dsniff contains several redirect and
man-in-the-middle (MITM) utilities to redirect the flow of traffic and decrypt
sessions.
The first utility is arpspoof (formerly known as arpredirect). Address Resolution
Protocol (ARP) is used by hosts to find the local router’s Media Access Control
(MAC) address. By spoofing ARP packets, you can convince other nearby computers
that you are the router. Your machine has to forward them onto the legitimate
router after receiving them, but in the meantime, the dsniff password sniffer
has a chance to process the packets. This runs well not only on local switched
networks, but also cable-modem networks. This tool isn’t completely foolproof;
you are essentially fighting with the router, trying to convince other machines of
the local MAC address. As a result, traffic flows through your machine are sometimes
intermittent. This technique is easily detected by network-based intrusion
detection systems (IDSs). Even the Sniffer Pro (mentioned earlier) has an expert
diagnostic mode that will flag these as “duplicate IP addresses” (i.e., multiple
machines claiming to have the IP address of the router).
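The "duplicate IP address" check the paragraph credits to Sniffer Pro and network IDSs is easy to reproduce from ARP replies alone, and the intermittent "fighting with the router" shows up as the same IP flapping between two MACs. The block below is an added example, not code from the book, dsniff or Sniffer Pro; the gateway address and the ARP replies it consumes are constructed for the demonstration.

```python
"""Duplicate-IP detector for ARP replies, in the spirit of the IDS check
the chapter mentions.

Added example, not from the book, dsniff or Sniffer Pro: it remembers the
MAC each IP was last announced with and raises an alert every time a
different MAC claims that IP. The gateway address and the ARP replies fed
in below are constructed for the demo.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumption: the router arpspoof would impersonate


class ArpWatcher:
    def __init__(self, gateway_ip: str = GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.current = {}                  # ip -> MAC from the latest reply
        self.claimants = defaultdict(set)  # ip -> every MAC that ever claimed it
        self.alerts = []

    def observe(self, ts: str, sender_ip: str, sender_mac: str):
        """Feed one ARP reply (sender_ip is-at sender_mac).

        Returns the alert text, or None when the mapping is unchanged."""
        mac = sender_mac.lower()
        self.claimants[sender_ip].add(mac)
        previous = self.current.get(sender_ip)
        self.current[sender_ip] = mac
        if previous is None or previous == mac:
            return None
        # A changed mapping for the gateway is the arpspoof signature;
        # for any other host it is still worth a look.
        severity = "HIGH" if sender_ip == self.gateway_ip else "MEDIUM"
        alert = (f"{ts} {severity} duplicate IP {sender_ip}: "
                 f"was {previous}, now claimed by {mac}")
        self.alerts.append(alert)
        return alert

    def contested(self) -> dict:
        """IPs that more than one MAC has claimed: the sign of a host
        fighting the real router for the address."""
        return {ip: sorted(macs) for ip, macs in self.claimants.items()
                if len(macs) > 1}


# Constructed ARP replies: the router announces itself, then a second MAC
# starts claiming the router's IP, and the router re-announces (the
# "fighting" the chapter describes makes the mapping flap).
SAMPLE_REPLIES = [
    ("18:43:01", "192.168.1.1",   "00:11:22:33:44:55"),
    ("18:43:02", "192.168.1.201", "00:aa:bb:cc:dd:01"),
    ("18:43:05", "192.168.1.1",   "00:de:ad:be:ef:99"),
    ("18:43:06", "192.168.1.1",   "00:11:22:33:44:55"),
    ("18:43:07", "192.168.1.201", "00:aa:bb:cc:dd:01"),
]


def run_demo(replies=SAMPLE_REPLIES) -> ArpWatcher:
    """Replay a list of (timestamp, ip, mac) replies through one watcher."""
    w = ArpWatcher()
    for ts, ip, mac in replies:
        w.observe(ts, ip, mac)
    return w


if __name__ == "__main__":
    watcher = run_demo()
    for a in watcher.alerts:
        print(a)
    print("contested:", watcher.contested())
```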
The dnsspoof utility is another way of redirecting traffic. In this case, it spoofs
responses from the local Domain Name System (DNS) server. When you go to a
Web site such as http://www.example.com, your machine sends out a request to
your local DNS server asking for the IP address of www.example.com. This usually
takes a while to resolve; dnsspoof quickly sends its own response faster. The
victim will take the first response and ignore the second one. The spoofed
response will contain a different IP address than the legitimate response, usually
the IP address of the attacker’s machine. The attacker will likely be using one of
the other dsniff man-in-the-middle utilities.
The name man-in-the-middle comes from cryptography and describes the situation
when somebody intercepts communications, alters them, and then forwards them.
The dsniff utilities for these attacks are webmitm for HTTP traffic (including SSL)
and sshmitm (for SSH). Normally, SSH and SSL are thought to be secure,
encrypted protocols that cannot be sniffed. The way the MITM utilities work is
that they present their own encryption keys to the SSL/SSH clients. This allows
them to decrypt the traffic, sniff passwords, and then reencrypt with the original
server keys. In theory, you can protect yourself against this by checking the
validity of the server certificate, but in practice, nobody does this.
dsniff can sniff not only passwords, but also other cleartext traffic. The mailsnarf
utility sniffs e-mails like the FBI’s Carnivore, except it reassembles them into
an mbox format that can be read by most mail readers. The msgsnarf utility sniffs
messages from ICQ, IRC, Yahoo! Messenger, and AOL IM. The filesnarf utility
sniffs files transferred via NFS (a popular fileserver protocol used on UNIX systems).
The urlsnarf utility saves all the URLs it sees going across the wire. The
webspy utility sends those URLs to a Netscape Web browser in real time—essentially
allowing you to watch in real time what the victim sees on their Web
browser.
The macof utility sends out a flood of MAC addresses. This is intended as
another way of attacking Ethernet switches. Most switches have limited tables
that can hold only 4000 MAC addresses. This is more than enough for normal
networks—you would need 4000 machines attached to the switch before overloading
these tables. When the switch overloads, it “fails open” and starts repeating
every packet out every port, allowing everyone’s traffic to be sniffed.
The tcpkill utility kills TCP connections. It can be used as a denial of service
(DoS) attack. For example, you can configure it to kill every TCP connection
your neighbor makes. It can also be integrated with tools like network-based
IDSs to kill connections from hackers. The tcpnice utility is similar to tcpkill, but
rather than killing connections, it slows them down. For example, you could
spoof ICMP Source Quenches from your neighbor’s cable modems so that you
can get a higher percentage of the bandwidth for your downloads.
Ettercap
Ettercap is a package similar to dsniff. It has many of the same capabilities, such as
man-in-the-middle attacks against SSL and SSH and password sniffing. It also has
additional features for man-in-the-middle attacks against normal TCP connections,
such as inserting commands into the stream. Ettercap is written by Alberto
Ornaghi and Marco Valleri and is available on the Web at
http://ettercap.sourceforge.net.
Esniff.c
Esniff.c is probably one of the first sniffers that surfaced within the hacker underground.
Written by a hacker named rokstar, it functioned only on Sun
Microsystems’ SunOS (now outdated) operating systems. Esniff.c supports the
Telnet, FTP, and rlogin protocols. It provides basic functionality and does not
support a comprehensive list of protocols such as those found in newer sniffers such as
dsniff and sniffit. This sniffer was first publicly published in Phrack magazine,
which can be obtained from www.phrack.org/show.php?p=45&a=5.
www.syngress.com
Sniffing • Chapter 10 381
Sniffit
Sniffit is another sniffer that has been around for several years. It is available for
several operating systems, including Linux, Solaris, SunOS, Irix, and FreeBSD.
Sniffit has not been updated in a few years, but I have found it to be quite stable
(even though the last release was classified as a beta). Brecht Claerhout, the
author of Sniffit, has two versions available on his Web site: 0.3.5 (released in
April 1997) and 0.3.7.beta (released in July 1998). I have had no problems compiling
and using 0.3.7.beta, but if you encounter problems with 0.3.7.beta, then
you can still fall back and use 0.3.5. Brecht’s Web site is located at
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html.
One of the reasons I like (and use) Sniffit so much is that you can easily configure it to log only certain traffic, such as FTP and Telnet. This type of filtering is not unusual; it is available in other sniffers such as Sniffer Pro and NetMon. But when was the last time you saw either one of those sniffers covertly placed on a compromised system? Sniffit is small and easily configured to capture (and log) only traffic that you know carries useful information in the clear, such as usernames and passwords for certain protocols, as shown in the following example:
[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER
[hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS
[worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login
[trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password
[goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login
[jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password
[5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER
[afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS
[smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login
[hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password
[98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login
[whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password
[9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login
[douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password
[11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login
[demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password
[9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login
[demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password
[jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER
[custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS
[Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.
As you can see, in just a matter of approximately 10 hours, I have collected usernames and passwords for nine different users for three FTP sites and five Telnet locations. One user, demrly, seems to have used the incorrect password when he or she tried to log in to 10.22.16.52 the first time, but I will keep this password handy because it may be a valid password at some other location.
Carnivore
Carnivore is an Internet wiretap designed by the U.S. Federal Bureau of
Investigation (FBI). It is designed with the special needs of law enforcement in
mind. For example, some court orders might allow a pen-register monitoring of
just the From/To e-mail addresses, whereas other court orders might allow a full capture of the e-mail. A summary of Carnivore’s features can be seen within the configuration program, shown in Figure 10.7.
The features are:
• Filter sets: The settings are saved in configuration files; the user can quickly change the monitoring by selecting a different filter set.
• Network adapters: A system may have multiple network adapters; only one can be selected for sniffing at a time.
• Archive file size: A limit can be set on how much data is captured; by default, it fills up the disk.
• Total memory usage: Network traffic may come in bursts faster than it can be written to disk; memory is set aside to buffer the incoming data.
• Fixed IP address: All traffic to/from a range of IP addresses can be filtered. For example, the suspect may have a fixed IP address of 1.2.3.4 assigned to their cable modem. The FBI might get a court order allowing them to sniff all of the suspect’s traffic.
• Protocols to capture: Typically, a court order will allow only specific traffic to be monitored, such as SMTP over TCP. In Pen mode, only the headers are captured.
• Data text strings: This is the Echelon feature that looks for keywords in traffic. A court order must specify exactly what is to be monitored, such as an IP address or e-mail account. Such wide-open keyword searches are illegal in the United States. The FBI initially denied that Carnivore had this feature.
• Ports: A list of TCP and UDP ports can be specified. For example, if the FBI has a court order allowing e-mail capture, they might specify the e-mail ports of 25, 110, and 143.
• SMTP e-mail addresses: A typical scenario is where Carnivore monitors an ISP’s e-mail server, discarding all e-mails except those of the suspects. An e-mail session is tracked until the suspect’s e-mail address is seen, then all the packets that make up the e-mail are captured.
• Dynamic IP addresses: When users dial up the Internet, they are logged in via the RADIUS protocol, which then assigns them an IP address. Normally, the FBI will ask the ISP to reconfigure their RADIUS servers to always assign the same IP address to the suspect, and will then monitor all traffic to/from that IP address. (Note: if you are a dial-up user and suspect the FBI is after you, check to see if your IP address is the same every time you dial up.) Sometimes this isn’t possible. Carnivore can be configured to monitor the RADIUS protocol and dynamically discover the new IP address assigned to the suspect. Monitoring begins when the IP address is assigned, and stops when it is unassigned.
Figure 10.7 Carnivore Configuration Program
The FBI developed Carnivore because utilities like dsniff do not meet the needs of law enforcement. When an e-mail is sent across the wire, it is broken down into multiple packets. A utility like mailsnarf (described earlier) will reassemble the e-mail back into its original form. This is bad because the suspect’s defense attorneys will challenge its accuracy: Did a packet get dropped somewhere in the middle that changes the meaning of the e-mail? Did a packet from a different e-mail somehow get inserted into the message? By capturing the raw packets rather than reassembling them, Carnivore maintains the original sequence numbers, ports, and timestamps. Any missing or extra packets are clearly visible, allowing the FBI to defend the accuracy of the system.
Another problem that the FBI faces is minimization of the sniffed data. When the FBI wiretaps your line, they must assign an agent to listen in. If somebody else uses your phone (like your spouse or kids), they are required to turn off the tape recorders. In much the same way, Carnivore is designed to avoid capturing anything that does not belong to the suspect. A typical example would be using Carnivore to monitor the activities of a dial-up user. Carnivore contains a module to monitor the RADIUS traffic that is used by most ISPs to authenticate the user and assign a dynamic IP address. This allows Carnivore to monitor only that user without intercepting any other traffic. A sample program containing many of the features of Carnivore can be found on the Web site for this book (www.syngress.com/solutions).
Additional Resources
There are some interesting locations that provide a more comprehensive list of available sniffer programs, some of which are listed here:
• A list of network monitoring programs available from Underground Security Systems Research: www.ussrback.com/packetsniffers.htm.
• A very good and very detailed overview of packet sniffers written by Robert Graham: www.robertgraham.com/pubs/sniffing-faq.html.
NOTE
A FAQ for Carnivore can be found at www.robertgraham.com/pubs/carnivore-faq.html.
Advanced Sniffing Techniques
As technology has moved forward, attackers have had to create new methods to sniff network traffic. The next sections take a look at a couple of methods that attackers use to get around technology advancements.
Man-in-the-Middle (MITM) Attacks
As we describe later, the most effective defense against sniffing is using encrypted
protocols such as SSL and SSH. However, the latest dsniff and Ettercap packages
contain techniques for fooling encryption.
The basic technique is known as a man-in-the-middle (MITM) attack. A good example of this is in the James Bond movie From Russia with Love. Bond is supposed to meet another agent in a train station. The evil agent from SPECTRE contacts the agent first, pretending to be Bond. In this manner, the evil agent gets the correct passphrase. The evil agent then pretends to be the agent that Bond is supposed to contact.
The same technique can be applied to encrypted protocols. An attacker sets up a server that answers requests from clients. For example, the server could answer a request for https://www.amazon.com. A user contacting this machine will falsely believe they have established an encrypted session to Amazon.com. At the same time, the attacker contacts the real Amazon.com and pretends to be the user. The attacker plays both roles, decrypting the incoming data from the user, then reencrypting it for transmission to the original destination.
In theory, encryption protocols have defenses against this. A server claiming to be Amazon.com needs to prove that it is, indeed, Amazon.com. In practice, most users ignore this. MITM attacks have proven effective when used in the field.
Cracking
Tools like dsniff and Ettercap capture not only passwords, but also encrypted passwords.
In theory, capturing the encrypted passwords is useless. However, people
choose weak passwords, such as words from the dictionary. It takes only a few
seconds for an attacker to run through a 100,000-word dictionary, comparing the
encrypted form of each dictionary word against the encrypted password. If a
match is found, then the attacker has discovered the password.
Such password cracking programs already exist. Tools like dsniff and Ettercap simply output the encrypted passwords in a form that these tools can read.
Switch Tricks
Switches came into vogue a few years ago, and a lot of people think that if they
have a switched network, it is impossible for an attacker to use a sniffer successfully
to capture any information from them. It’s time to burst their bubble, as you
will see when we discuss methods of successfully sniffing on a switched network.
ARP Spoofing
When attempting to monitor traffic on a switched network, you will run into one serious problem: the switch will limit the traffic that is passed over your section of the network. Switches keep an internal list of the MAC addresses of hosts that are on each port. Traffic is sent to a port only if the destination host is recorded as being present on that port. It is possible to overwrite the ARP cache on many operating systems, which would allow you to associate your MAC address with the default gateway’s IP address. This would cause all outgoing traffic from the target host to be transmitted to you instead. You would need to ensure that you have manually added an ARP table entry for the real default gateway, so that the traffic will be sent on to the real target, and also that you have IP forwarding enabled.
It has been found that many cable modem networks are also vulnerable to
this type of attack, since the cable modem network is essentially an Ethernet
network, with cable modems acting as bridges. In short, there is no solution to
this attack, and new generations of cable modem networks will use alternate
mechanisms to connect a user to the network.
The dsniff sniffer by Dug Song includes a program named arpspoof (formerly
arpredirect) for exactly this purpose.
arpspoof redirects packets from a target host (or all hosts) on the
LAN intended for another host on the LAN by forging ARP replies.
This is an extremely effective way of sniffing traffic on a switch.
—dsniff FAQ
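The defensive counterpart to arpspoof is to watch the ARP replies on the segment and raise an alarm when an IP address suddenly maps to a different MAC address, which is what tools such as arpwatch do. The following program is an added example, not code from the book or from the dsniff package: it parses ARP replies out of Ethernet frames, keeps an IP-to-MAC table, and flags both a changed binding and a reply whose inner sender MAC disagrees with the frame's source MAC. The addresses and the four replayed frames are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum arp_verdict { ARP_IGNORED = 0, ARP_NEW, ARP_OK, ARP_CHANGED, ARP_INCONSISTENT };

#define MAX_ENTRIES 64
struct arp_entry { uint32_t ip; uint8_t mac[6]; };
struct arp_table { struct arp_entry e[MAX_ENTRIES]; int n; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect one Ethernet frame; only IPv4-over-Ethernet ARP replies count.
 * The table records the MAC last seen for each IP; a reply carrying a
 * different MAC is flagged and the new binding recorded, so a flip back
 * is flagged as well. */
enum arp_verdict arp_observe(struct arp_table *t, const uint8_t *frame, size_t len)
{
    if (len < 42 || rd16(frame + 12) != 0x0806)
        return ARP_IGNORED;
    const uint8_t *arp = frame + 14;
    if (rd16(arp) != 1 || rd16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return ARP_IGNORED;
    if (rd16(arp + 6) != 2)                 /* opcode 2 = reply */
        return ARP_IGNORED;
    const uint8_t *sha = arp + 8;           /* sender hardware address */
    uint32_t spa = rd32(arp + 14);          /* sender protocol address */

    /* the ARP sender MAC and the frame's source MAC should agree */
    if (memcmp(sha, frame + 6, 6) != 0)
        return ARP_INCONSISTENT;

    for (int i = 0; i < t->n; i++) {
        if (t->e[i].ip != spa)
            continue;
        if (memcmp(t->e[i].mac, sha, 6) == 0)
            return ARP_OK;
        memcpy(t->e[i].mac, sha, 6);
        return ARP_CHANGED;
    }
    if (t->n < MAX_ENTRIES) {
        t->e[t->n].ip = spa;
        memcpy(t->e[t->n].mac, sha, 6);
        t->n++;
    }
    return ARP_NEW;
}

/* Build a constructed ARP reply "spa is at sha", framed from eth_src to tha. */
static size_t make_arp_reply(uint8_t *f, const uint8_t eth_src[6], const uint8_t sha[6],
                             uint32_t spa, const uint8_t tha[6], uint32_t tpa)
{
    memset(f, 0, 42);
    memcpy(f, tha, 6);
    memcpy(f + 6, eth_src, 6);
    f[12] = 0x08; f[13] = 0x06;             /* EtherType ARP */
    uint8_t *a = f + 14;
    a[1] = 1;                               /* hardware type: Ethernet */
    a[2] = 0x08; a[3] = 0x00;               /* protocol type: IPv4 */
    a[4] = 6; a[5] = 4;                     /* address lengths */
    a[7] = 2;                               /* opcode: reply */
    memcpy(a + 8, sha, 6);
    memcpy(a + 18, tha, 6);
    for (int i = 0; i < 4; i++) {
        a[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
        a[24 + i] = (uint8_t)(tpa >> (24 - 8 * i));
    }
    return 42;
}

/* Replay a constructed sequence through a fresh table and return the verdict
 * for frame `step`: 0 and 1 are genuine gateway replies, 2 is another host
 * claiming the gateway's IP, 3 is a frame whose inner and outer MACs disagree. */
int arp_scenario_step(int step)
{
    static const uint8_t gw[6]    = {0x00, 0x60, 0x08, 0xc5, 0x93, 0x6b};
    static const uint8_t rogue[6] = {0x00, 0x0c, 0x29, 0x11, 0x22, 0x33};
    static const uint8_t host[6]  = {0x00, 0x50, 0x56, 0xaa, 0xbb, 0xcc};
    const uint32_t gw_ip = 0x0a000001, host_ip = 0x0a000015;  /* 10.0.0.1, 10.0.0.21 */
    struct arp_table t;
    uint8_t f[64];
    int verdict = ARP_IGNORED;

    memset(&t, 0, sizeof t);
    for (int i = 0; i <= step && i < 4; i++) {
        const uint8_t *outer = (i < 2) ? gw : rogue;
        const uint8_t *inner = (i == 3) ? gw : outer;
        size_t len = make_arp_reply(f, outer, inner, gw_ip, host, host_ip);
        verdict = arp_observe(&t, f, len);
    }
    return verdict;
}

int main(void)
{
    static const char *names[] = {"ignored", "new", "ok", "CHANGED", "INCONSISTENT"};
    for (int i = 0; i < 4; i++)
        printf("frame %d: %s\n", i, names[arp_scenario_step(i)]);
    return 0;
}
```

In practice the table needs ageing and a whitelist for hosts that legitimately move between MACs (failover pairs), and the alert should carry both MACs and the port the frame arrived on; the inconsistency check is cheap and catches careless forgeries outright.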
MAC Flooding
To serve its purpose, a switch must keep a table of all MAC (Ethernet) addresses of the hosts that appear on each port. If a large number of addresses appear on a single port, filling the address table on the switch, then the switch no longer has a record of which port the victim MAC address is connected to. This is the same situation as when a new machine first attaches to a switch, and the switch must learn where that address is. Until it learns which port it is on, the switch must send copies of frames for that MAC address to all switch ports, a practice known as flooding.
The dsniff sniffer includes a program named macof, which facilitates the
flooding of a switch with random MAC addresses to accomplish this:
macof floods the local network with random MAC addresses
(causing some switches to fail open in repeating mode, facilitating
sniffing). A straight C port of the original Perl Net::RawIP macof
program by Ian Vitek <ian.vitek@infosec.se>. —dsniff FAQ
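To see why a full address table turns a switch into a hub, and why a per-port address limit (port security) stops it, here is a small simulation. It is an added example written for this discussion, not macof or any vendor's switch code, and its table size, aging time and addresses are constructed: the toy switch learns source addresses, ages entries out after 300 seconds, stops learning when its eight-entry table is full, and optionally err-disables a port that presents more than a set number of addresses. It covers both the macof description earlier in the chapter and the MAC flooding section above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORTS     4
#define CAM_SIZE  8     /* constructed toy size; the text puts real tables near 4000 */
#define AGE_SECS  300   /* MAC aging time; 300 s is a common default */

enum { OUT_FLOOD = -1, OUT_DROP = -2 };

struct cam_entry { uint8_t mac[6]; int port; long seen; int used; };

struct toy_switch {
    struct cam_entry cam[CAM_SIZE];
    int max_per_port;       /* port-security limit per port; 0 = none */
    int shutdown[PORTS];    /* ports err-disabled after a violation */
    int floods;             /* unicast frames that went out every port */
};

static void sw_init(struct toy_switch *s, int max_per_port)
{
    memset(s, 0, sizeof *s);
    s->max_per_port = max_per_port;
}

static int cam_find(const struct toy_switch *s, const uint8_t mac[6])
{
    for (int i = 0; i < CAM_SIZE; i++)
        if (s->cam[i].used && memcmp(s->cam[i].mac, mac, 6) == 0)
            return i;
    return -1;
}

static int cam_count_port(const struct toy_switch *s, int port)
{
    int n = 0;
    for (int i = 0; i < CAM_SIZE; i++)
        if (s->cam[i].used && s->cam[i].port == port)
            n++;
    return n;
}

static void cam_age(struct toy_switch *s, long now)   /* expire idle entries */
{
    for (int i = 0; i < CAM_SIZE; i++)
        if (s->cam[i].used && now - s->cam[i].seen > AGE_SECS)
            s->cam[i].used = 0;
}

/* Learn a source address on a port. Returns -1 if port security rejects it. */
static int cam_learn(struct toy_switch *s, const uint8_t mac[6], int port, long now)
{
    int i = cam_find(s, mac);
    if (i >= 0) { s->cam[i].port = port; s->cam[i].seen = now; return 0; }
    if (s->max_per_port && cam_count_port(s, port) >= s->max_per_port) {
        s->shutdown[port] = 1;            /* too many addresses: err-disable */
        return -1;
    }
    for (i = 0; i < CAM_SIZE; i++)
        if (!s->cam[i].used) {
            memcpy(s->cam[i].mac, mac, 6);
            s->cam[i].port = port; s->cam[i].seen = now; s->cam[i].used = 1;
            return 0;
        }
    return 0;   /* table full: address not learned, frame still forwarded */
}

/* Switch one frame. Returns the egress port, OUT_FLOOD, or OUT_DROP. */
static int sw_frame(struct toy_switch *s, const uint8_t src[6],
                    const uint8_t dst[6], int in_port, long now)
{
    cam_age(s, now);
    if (s->shutdown[in_port] || cam_learn(s, src, in_port, now) < 0)
        return OUT_DROP;
    int i = cam_find(s, dst);
    if (i < 0) { s->floods++; return OUT_FLOOD; }   /* unknown destination */
    return s->cam[i].port;
}

/* Victim on port 1, server on port 2, flooding host on port 3 (constructed).
 * Returns how many frames of a four-frame victim/server exchange, started
 * after an idle period, had to be flooded to every port. */
int flood_scenario(int max_per_port)
{
    static const uint8_t victim[6] = {0x00, 0x60, 0x08, 0xc5, 0x93, 0x6b};
    static const uint8_t server[6] = {0x00, 0x50, 0x56, 0x10, 0x20, 0x30};
    struct toy_switch s;
    sw_init(&s, max_per_port);
    sw_frame(&s, victim, server, 1, 0);   /* the switch learns both hosts */
    sw_frame(&s, server, victim, 2, 0);
    /* one forged source address per second from port 3, past the aging time */
    for (long t = 1; t <= AGE_SECS + 25; t++) {
        uint8_t fake[6] = {0x02, 0, 0, 0, (uint8_t)(t >> 8), (uint8_t)t};
        sw_frame(&s, fake, server, 3, t);
    }
    /* the real hosts talk again after their own entries have aged out */
    long t0 = AGE_SECS + 30;
    int before = s.floods;
    sw_frame(&s, victim, server, 1, t0);
    sw_frame(&s, server, victim, 2, t0);
    sw_frame(&s, victim, server, 1, t0 + 1);
    sw_frame(&s, server, victim, 2, t0 + 1);
    return s.floods - before;
}

int main(void)
{
    printf("no port security: %d of 4 frames flooded\n", flood_scenario(0));
    printf("max 2 MACs/port:  %d of 4 frames flooded\n", flood_scenario(2));
    return 0;
}
```

Without a limit, the forged addresses occupy every slot, the real hosts cannot be relearned once their entries age out, and every frame of the new session is flooded, including to the flooding host's port. With a two-address limit the third forged address err-disables port 3; only the first frame of the session is flooded (the normal first-contact case) and the rest go to one port. Real switches vary in what they do when full (some evict, some hash into buckets), so the exact count differs, but the fail-open mechanism is the same.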
Routing Games
One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor. This may be possible by sending a fake route advertisement message via RIP, declaring yourself as the default gateway. If successful, all traffic will be routed through your host. Ensure that you have enabled IP forwarding, and that your default gateway is set to the real network gateway. All outbound traffic from the host will pass through your host, and onto the real network gateway. You may not receive return traffic, unless you also have the ability to modify the routing table on the default gateway to reroute all return traffic back to you.
Exploring Operating System APIs
Operating systems provide, or don’t provide, interfaces to their network link layer.
Let’s examine a variety of operating systems to determine how they interface to
their network link layer.
Linux
Linux provides an interface to the network link layer via its socket interface. This is one of the easiest of the interfaces provided by any operating system. The following program illustrates how simple this is. This program opens up the specified interface, sets promiscuous mode, and then proceeds to read Ethernet packets from the network. When a packet is read, the source and destination MAC addresses are printed, in addition to the packet type.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>
#include <net/ethernet.h>

int open_interface(char *name)
{
    struct sockaddr addr;
    struct ifreq ifr;
    int sockfd;

    /* open a socket and bind to the specified interface.
       SOCK_PACKET is the original Linux link-layer socket type; it is
       now obsolete (AF_PACKET/SOCK_RAW replaces it on current kernels),
       but it is what this program demonstrates. */
    sockfd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
    if (sockfd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sa_family = AF_INET;
    strncpy(addr.sa_data, name, sizeof(addr.sa_data));
    if (bind(sockfd, &addr, sizeof(addr)) != 0) {
        close(sockfd);
        return -1;
    }

    /* check to make sure this interface is ethernet, otherwise exit */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFHWADDR, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    if (ifr.ifr_hwaddr.sa_family != ARPHRD_ETHER) {
        close(sockfd);
        return -1;
    }

    /* now we set promiscuous mode */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    ifr.ifr_flags |= IFF_PROMISC;
    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    return sockfd;
}

/* read ethernet packets, printing source and destination addresses */
int read_loop(int sockfd)
{
    struct sockaddr from;          /* SOCK_PACKET fills this with the device name */
    unsigned char buf[1792];
    int size, c;
    socklen_t fromlen;
    struct ether_header *hdr;

    while (1) {
        /* read the next available packet */
        fromlen = sizeof(from);
        size = recvfrom(sockfd, buf, sizeof(buf), 0, &from, &fromlen);
        if (size < 0)
            return -1;
        if ((size_t)size < sizeof(struct ether_header))
            continue;
        hdr = (struct ether_header *)buf;

        /* print out ethernet header; the type field is in network byte order */
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_shost[c]);
        printf(" > ");
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_dhost[c]);
        printf(" type: 0x%04x\n", ntohs(hdr->ether_type));
    }
}

int main(int argc, char **argv)
{
    int sockfd;

    if (argc < 2) {
        fprintf(stderr, "Please specify an interface name\n");
        return -1;
    }
    if ((sockfd = open_interface(argv[1])) < 0) {
        fprintf(stderr, "Unable to open interface\n");
        return -1;
    }
    if (read_loop(sockfd) < 0) {
        fprintf(stderr, "Error reading packet\n");
        return -1;
    }
    return 0;
}
BSD
BSD-based operating systems such as OpenBSD, FreeBSD, NetBSD, and BSDI all
provide an interface to the link layer via a kernel-based driver called the Berkeley
Packet Filter (BPF). BPF possesses some very nice features that make it extremely
efficient at processing and filtering packets.
The BPF driver has an in-kernel filtering mechanism. This is composed of a built-in virtual machine, consisting of some very simple byte operations allowing for the examination of each packet via a small program loaded into the kernel by the user. Whenever a packet is received, the small program is run on the packet, evaluating it to determine whether it should be passed through to the user-land application. Expressions are compiled into simple bytecode within user-land, and then loaded into the driver via an ioctl() call.
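What the “small program loaded into the kernel” looks like is easiest to see by running one. The following is an added example, not code from the book, from libpcap or from any BSD kernel: a toy interpreter for seven classic BPF instructions, using the same opcode encoding and instruction layout (code, jt, jf, k) that the BSD bpf(4) driver and Linux socket filters accept, together with a hand-assembled filter for the expression ip and tcp and dst port 23, laid out the way tcpdump -d prints its compiled programs. The frames it runs over are constructed inline. Note the bounds check on every load: the real driver does the same, so a malformed packet can never make a filter read outside its buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One classic BPF instruction, laid out as struct bpf_insn / struct sock_filter. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The opcode subset this toy VM understands (classic BPF encoding). */
enum {
    LDH_ABS = 0x28,   /* A = half-word at [k]             */
    LDB_ABS = 0x30,   /* A = byte at [k]                  */
    LDH_IND = 0x48,   /* A = half-word at [X + k]         */
    LDX_MSH = 0xb1,   /* X = 4 * (byte at [k] & 0x0f)     */
    JEQ_K   = 0x15,   /* pc += (A == k) ? jt : jf         */
    JSET_K  = 0x45,   /* pc += (A & k)  ? jt : jf         */
    RET_K   = 0x06    /* return k (bytes to capture)      */
};

/* Run a filter over a packet. Returns 0 to discard, else bytes to keep. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case LDH_ABS: if (in->k + 2 > len) return 0;
                      A = (uint32_t)(pkt[in->k] << 8 | pkt[in->k + 1]); break;
        case LDB_ABS: if (in->k + 1 > len) return 0;
                      A = pkt[in->k]; break;
        case LDH_IND: if (X + in->k + 2 > len) return 0;
                      A = (uint32_t)(pkt[X + in->k] << 8 | pkt[X + in->k + 1]); break;
        case LDX_MSH: if (in->k + 1 > len) return 0;
                      X = (uint32_t)(pkt[in->k] & 0x0f) * 4; break;
        case JEQ_K:   pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K:  pc += (A & in->k) ? in->jt : in->jf; break;
        case RET_K:   return in->k;
        default:      return 0;     /* unknown opcode: reject, never guess */
        }
    }
    return 0;
}

/* Hand-assembled "ip and tcp and dst port 23". Jumps are relative to pc + 1. */
static const struct bpf_insn telnet_filter[] = {
    { LDH_ABS, 0, 0, 12     },   /* A = EtherType                          */
    { JEQ_K,   0, 8, 0x0800 },   /* not IPv4 -> reject                     */
    { LDB_ABS, 0, 0, 23     },   /* A = IP protocol                        */
    { JEQ_K,   0, 6, 6      },   /* not TCP -> reject                      */
    { LDH_ABS, 0, 0, 20     },   /* A = IP flags / fragment offset         */
    { JSET_K,  4, 0, 0x1fff },   /* later fragment carries no ports -> reject */
    { LDX_MSH, 0, 0, 14     },   /* X = IP header length                   */
    { LDH_IND, 0, 0, 16     },   /* A = TCP destination port (14 + X + 2)  */
    { JEQ_K,   0, 1, 23     },
    { RET_K,   0, 0, 262144 },   /* accept: capture up to 256 KiB          */
    { RET_K,   0, 0, 0      },   /* reject                                 */
};

/* Constructed Ethernet/IPv4/TCP frame, headers only, checksums left zero. */
static size_t build_tcp_frame(uint8_t *f, uint16_t dst_port, uint16_t frag_field)
{
    memset(f, 0, 54);
    f[12] = 0x08; f[13] = 0x00;                      /* EtherType IPv4 */
    f[14] = 0x45;                                    /* IPv4, IHL = 5 */
    f[16] = 0;    f[17] = 40;                        /* total length */
    f[20] = (uint8_t)(frag_field >> 8); f[21] = (uint8_t)frag_field;
    f[22] = 64;   f[23] = 6;                         /* TTL, protocol TCP */
    f[26] = 10; f[27] = 0; f[28] = 0; f[29] = 21;    /* 10.0.0.21 -> 10.0.0.1 */
    f[30] = 10; f[31] = 0; f[32] = 0; f[33] = 1;
    f[34] = 0x04; f[35] = 0xd2;                      /* source port 1234 */
    f[36] = (uint8_t)(dst_port >> 8); f[37] = (uint8_t)dst_port;
    f[46] = 0x50;                                    /* TCP data offset 5 */
    return 54;
}

/* Frames: 0 telnet, 1 http, 2 a non-first fragment of a telnet packet, 3 ARP. */
uint32_t filter_demo(int which)
{
    uint8_t f[64];
    size_t len;
    switch (which) {
    case 0:  len = build_tcp_frame(f, 23, 0x4000); break;   /* DF set, offset 0 */
    case 1:  len = build_tcp_frame(f, 80, 0x4000); break;
    case 2:  len = build_tcp_frame(f, 23, 0x0001); break;   /* fragment offset 1 */
    default: memset(f, 0, 42); f[12] = 0x08; f[13] = 0x06; len = 42; break;
    }
    return bpf_run(telnet_filter, sizeof telnet_filter / sizeof telnet_filter[0], f, len);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("frame %d: %s\n", i, filter_demo(i) ? "accept" : "reject");
    return 0;
}
```

The fragment check is the part people forget when writing filters by hand: a port test on a non-first IP fragment would read whatever bytes happen to follow the IP header, so the compiler rejects those fragments before it ever loads a port.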
libpcap
libpcap is not an operating system interface, but rather a portable cross-platform
library that greatly simplifies link layer network access on a variety of operating
systems. libpcap is a library originally developed at Lawrence Berkeley
Laboratories (LBL). Its goal is to abstract the link layer interface on various operating systems and create a simple standardized application program interface (API). This allows the creation of portable code, which can be written to use a single interface instead of multiple interfaces across many operating systems. This greatly simplifies the technique of writing a sniffer, when compared to the effort required to implement such code on multiple operating systems.
The original version available from LBL has been significantly enhanced since
its last official release. It has an open source license (the BSD license), and therefore
can also be used within commercial software, and allows unlimited modifications
and redistribution.
The original LBL version can be obtained from ftp://ftp.ee.lbl.gov/libpcap.tar.Z. The tcpdump.org guys, who have taken over development of TCPDump, have also adopted libpcap. More recent versions of libpcap can be found at www.tcpdump.org.
In comparison to the sniffer written for the Linux operating system, using its
native system interface, a sniffer written on Linux using libpcap is much simpler,
as seen here:
/* build with: cc sniff.c -lpcap */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <net/ethernet.h>
#include <pcap/pcap.h>

pcap_t *open_interface(char *name)
{
    pcap_t *pd;
    char ebuf[PCAP_ERRBUF_SIZE];

    /* use pcap call to open interface in promiscuous mode:
       1600-byte snapshot length, promiscuous = 1, 100 ms read timeout */
    pd = pcap_open_live(name, 1600, 1, 100, ebuf);
    if (!pd) {
        fprintf(stderr, "pcap_open_live: %s\n", ebuf);
        return NULL;
    }
    return pd;
}

int read_loop(pcap_t *pd)
{
    const unsigned char *ptr;
    int c;
    struct pcap_pkthdr h;
    const struct ether_header *hdr;

    while (1) {
        /* read the next available packet using libpcap. pcap_next()
           returns NULL when the read timeout expires with no packet
           (it cannot tell that apart from an error), so try again. */
        ptr = pcap_next(pd, &h);
        if (!ptr)
            continue;
        if (h.caplen < sizeof(struct ether_header))
            continue;
        hdr = (const struct ether_header *)ptr;

        /* print out ethernet header; the type field is in network byte order */
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_shost[c]);
        printf(" > ");
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_dhost[c]);
        printf(" type: 0x%04x\n", ntohs(hdr->ether_type));
    }
}

int main(int argc, char **argv)
{
    pcap_t *pd;

    if (argc < 2) {
        fprintf(stderr, "Please specify an interface name\n");
        return -1;
    }
    pd = open_interface(argv[1]);
    if (!pd) {
        fprintf(stderr, "Unable to open interface\n");
        return -1;
    }
    if (read_loop(pd) < 0) {
        fprintf(stderr, "Error reading packet\n");
        return -1;
    }
    return 0;
}
Windows
Unfortunately, Windows-based operating systems provide no functionality to access the network at the data link layer. We must obtain and install a third-party packet driver to obtain access to this level. Until recently, there have been no such drivers publicly available for which a license was not required. A BPF-like driver has now been written that supports even the BPF in-kernel filtering mechanism. A port of the libpcap library is also now available that, when combined with the driver, provides an interface as easy as its UNIX counterparts. The driver and libpcap port, as well as a Windows version of TCPDump, are all available from http://netgroup-serv.polito.it/windump.
Taking Protective Measures
So you probably think that all is lost and that there is nothing you can do to prevent
sniffing from occurring on your network, right? All is not lost, as you will
see in this section.
Providing Encryption
Fortunately, for the state of network security, encryption (used properly) is the
one silver bullet that will render a packet sniffer useless. Encrypted data, assuming
its encryption mechanism is valid, will thwart any attacker attempting to passively
monitor your network.
Many existing network protocols now have counterparts that rely on strong
encryption, and all-encompassing mechanisms such as IPSec provide this for all
protocols. Unfortunately, IPSec is not widely used on the Internet outside of
individual corporations.
Secure Shell (SSH)
Secure Shell is a cryptographically secure replacement for the standard Telnet,
rlogin, rsh, and rcp commands. It consists of both a client and server that use
public key cryptography to provide session encryption. It also provides the ability
to forward arbitrary ports over an encrypted connection, which comes in very
handy for the forwarding of X11 Windows and other connections.
SSH has received wide acceptance as the secure mechanism to access a
remote system interactively. SSH was conceived and initially developed by Finnish developer Tatu Ylonen. The original version of SSH turned into a commercial venture, and although the original version is still freely available, the license has become more restrictive. A public specification has been created, resulting in the development of a number of different versions of SSH-compliant client and server software that do not contain these restrictions (most significantly, those that restrict commercial use).
The original SSH, written by Tatu Ylonen, is available from ftp://ftp.cs.hut.fi/pub/ssh/. The new commercialized SSH can be purchased from SSH Communications Security (www.ssh.com), who have made the commercial version free to recognized universities.
A completely free version of SSH-compatible software, OpenSSH, developed
by the OpenBSD operating system project (as seen in Figure 10.8), can be
obtained from www.openssh.com.
Figure 10.8 The OpenSSH Project
Incidentally, the OpenBSD/OpenSSH team does a lot of good work for little
or no money. Figure 10.8 is available as a T-shirt, and proceeds go to help cover
expenses for the project. Check out the shirts, posters, and CD-ROMs that they
sell at www.openbsd.org/orders.html.
Secure Sockets Layers (SSL)
SSL provides authentication and encryption services. From a sniffing perspective, SSL is vulnerable to a man-in-the-middle attack (as described previously in the dsniff section). An attacker can set up a transparent proxy between you and the Web server. This transparent proxy can be configured to decrypt the SSL connection, sniff it, and then reencrypt it. When this happens, the user will be prompted with dialogs similar to Figure 10.9. The problem is that most users ignore the warnings and proceed anyway.
PGP and S/MIME
PGP and S/MIME are standards for encrypting e-mail. If used correctly, these
will prevent e-mail sniffers like dsniff and Carnivore from being able to interpret
intercepted e-mail.
In the United States, the FBI has designed a Trojan horse called Magic Lantern
that is designed to log keystrokes, hopefully capturing a user’s passphrase. Once
the FBI gets a passphrase, they can then decrypt the e-mail messages. In the
United Kingdom, users are required by law to give their encryption keys to law
enforcement when requested.
Figure 10.9 Incorrect SSL Certificate Alert
Switching
Network switches do make it more difficult for an attacker to monitor your network;
however, not by much. Switches sometimes are recommended as a solution
to the sniffing problem; however, their real purpose is to improve network performance,
not provide security. As explained in the section “Advanced Sniffing
Techniques,” any attacker with the right tools can still monitor a switched host if
they are on the same switch or segment as that system.
Employing Detection Techniques
But what if you can’t use encryption on your network for some reason? What do
you do then? If this is the case, then you must rely on detecting any network interface card (NIC) that may be operating in promiscuous mode, the mode a sniffer puts it into.
Local Detection
Many operating systems provide a mechanism to determine whether a network interface is running in promiscuous mode. This is usually represented in a type of status flag that is associated with each network interface and maintained in the kernel. This can be obtained by using the ifconfig command on UNIX-based systems.
The following example shows an interface on the Linux operating system when it isn’t in promiscuous mode:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1492448 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
Note that the attributes of this interface mention nothing about promiscuous mode. When the interface is placed into promiscuous mode, as shown next, the PROMISC keyword appears in the attributes section:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1492330 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
It is important to note that if an attacker has compromised the security of the host on which you run this command, he or she can easily affect this output. An important part of an attacker’s toolkit is a replacement ifconfig command that does not report interfaces in promiscuous mode.
Network Detection
There are a number of techniques, varying in their degree of accuracy, to detect whether a host is monitoring the network for all traffic. There is no guaranteed method to detect the presence of a network sniffer.
DNS Lookups
Most programs that are written to monitor the network perform reverse DNS
lookups when they produce output consisting of the source and destination hosts
involved in a network connection. In the process of performing this lookup, additional
network traffic is generated; mainly, the DNS query to look up the network
address. It is possible to monitor the network for hosts that are performing
a large number of address lookups alone; however, this may be coincidental, and
not lead to a sniffing host.
An easier way, which would result in 100 percent accuracy, would be to generate a false network connection from an address that has no business being on the local network. We would then monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host.
Latency
A second technique that can be used to detect a host that is monitoring the network is to detect latency variations in the host’s response to network traffic (i.e., ping). Although this technique can be prone to a number of error conditions (such as the host’s latency being affected by normal operation), it can assist in determining whether a host is monitoring the network. The method that can be used is to probe the host initially, and sample the response times. Next, a large amount of network traffic is generated, specifically crafted to interest a host that is monitoring the network for authentication information. Finally, the latency of the host is sampled again to determine whether it has changed significantly.
Driver Bugs
Sometimes an operating system driver bug can assist us in determining whether a
host is running in promiscuous mode. In one case, CORE-SDI, an Argentine
security research company, discovered a bug in a common Linux Ethernet driver.
They found that when the host was running in promiscuous mode, the operating
system failed to perform Ethernet address checks to ensure that the packet was
targeted toward one of its interfaces. Instead, this validation was performed at the
IP level, and the packet was accepted if it was destined to one of the host’s interfaces.
Normally, packets that did not correspond to the host’s Ethernet address would have been dropped at the hardware level; however, in promiscuous mode, this doesn’t happen. We could determine whether the host was in promiscuous mode by sending an ICMP ping packet to the host, with a valid IP address of the host, but an invalid Ethernet address. If the host responded to this ping request, it was determined to be running in promiscuous mode.
AntiSniff
AntiSniff is a tool written by a Boston-based group of grey-hat hackers known as the L0pht. They have combined several of the techniques just discussed into a tool that can serve to effectively detect whether a host is running in promiscuous mode. A 15-day trial version of this tool (for Windows-based systems) can be obtained from their Web site located at www.securitysoftwaretech.com/antisniff.
A UNIX version is available for free for noncommercial use. See the license
for the restrictions on using this version.
Remember that AntiSniff finds some sniffers, not all. Some sniffers are completely stealthy, whereas others have been patched to counteract AntiSniff.
Network Monitor
Network Monitor, available on Windows NT based systems, has the capability to
monitor who is actively running NetMon on your network. It also maintains a
history of who has NetMon installed on their system. It detects only other copies
of Network Monitor, so if the attacker is using another sniffer, then you must
detect it using one of the previous methods discussed. Most network-based intrusion
detection systems will also detect these instances of NetMon.
Summary
Sniffing is monitoring a network for useful information. Sniffing can be used to
steal authentication information (passwords), can be used to steal e-mail, monitor
Web usage, and generally discover everything a target is doing on a network.
Protocols that are useful to sniff for passwords include Telnet, POP3, IMAP,
HTTP, and NetBIOS.
There are many popular sniffing software packages. These include Ethereal,
Sniffer Pro, NetMon, AiroPeek, TCPDump, dsniff, and Ettercap. Some of these
are commercial, and some are available for free. For password monitoring, dsniff is
the most useful. It’s also one of the free ones. It also has modules for monitoring
e-mail and Web traffic. Carnivore is a specialized sniffer used by law enforcement
that has more filtering options than many others (and is not available to the general
public).
Traditionally, most local area networks sent traffic to all attached nodes.
Currently, many networks employ switches, which are network devices designed
to help improve performance. They can also hinder sniffing somewhat, since they
are designed to not send traffic to nodes that aren’t supposed to get it. There are
tricks that can be played to get around this problem, such as MAC flooding, ARP
spoofing, or route manipulation. These techniques are designed to give a sniffer
on a switched network an opportunity to monitor traffic again. MAC flooding
and route manipulation work by manipulating the network equipment itself.
ARP spoofing works by manipulating the ARP table of the machine that is to be
monitored. Some of the sniffing packages mentioned come with tools to accomplish
these tricks.
Each operating system comes with its own API for capturing network traffic,
except older versions of Windows. Free add-on driver software is available for
versions of Windows that don’t include the functionality. Writing a program to
capture network traffic can be done in a handful of lines in many cases, though
you will need the appropriate privileges in order to use it. However, actually
decoding the traffic your program captures will be much harder.
In general, encryption is the way to defend against sniffing. If done properly,
encrypted network traffic will defeat any sniffing attempts. However, many
encryption schemes rely on the end user to make intelligent choices regarding
the error messages they might see. This leaves a hole for MITM attacks, which
may cause an error, but the error is often ignored. The dsniff package includes
some tools for performing MITM (monkey-in-the-middle, in that case) attacks.
There are some ways that some sniffers can be detected, if they are running
on top of a general-purpose operating system. These include seeing if any DNS
queries happen for fake IP addresses, checking for responses to packets with the
wrong MAC address, and others. These will never be 100 percent reliable,
because it is possible to build a totally passive sniffer.
Solutions Fast Track
What Is Sniffing?
Sniffing is a network wiretap that passively monitors network traffic.
In classic operation, a sniffer attaches on the side of the network wire.
In modern operation, sniffers are installed on the target machine or as
gateways in order to intercept traffic.
What to Sniff?
The most common target for sniffers is cleartext authentication
information, such as the usernames and passwords found in such
protocols as Telnet, FTP, and HTTP.
The second most common targets are e-mail messages, HTTP input, or
Telnet sessions.
Popular Sniffing Software
There are many commercial and freeware sniffing products that are
intended to be used as network diagnostic tools, such as Ethereal,
Network Associate’s Sniffer Pro, NetMon, WildPackets’ AiroPeek, and
tcpdump. These products don’t have hacker features such as password
grabbing.
Examples of hacker sniffing tools are dsniff, Ettercap, Esniff, and Sniffit.
Rather than sniffing all traffic, these tools target passwords and cleartext
data.
Advanced Sniffing Techniques
It is harder to sniff on today’s networks than it was in the past, primarily
due to the use of switches. Older networks repeated data on all wires,
allowing anybody on the network to see all traffic. Switches prevent
others from seeing your traffic.
Switches can be attacked in various ways, such as flooding with MAC
addresses to force failure conditions, spoofing ARP packets, or spoofing
routing packets. These techniques confuse equipment into forwarding
network traffic to a nearby hacker running a sniffer.
Several sniffing packages allow attackers to interpose themselves as part
of a man-in-the-middle attack. An example is pretending to be an
HTTPS server; the victim encrypts traffic with the attacker’s key
thinking it is the trusted server’s key. This allows the attacker to see the
data before reencrypting with the real server’s key.
Exploring Operating System APIs
Sniffing is not a normal operating mode of an operating system. Special
APIs must be used to enable it.
The libpcap API is the most widely supported API across UNIX/
Windows platforms, and there are more specialized APIs for specific
platforms.
Taking Protective Measures
The most important defense against sniffers is encryption. Most protocols
support encryption of the authentication credentials (username, password)
and data. SSL and SSH are the two most important encryption standards.
Encryption does not work if it is not used properly. Users must choose
strong passwords and must be vigilant against man-in-the-middle attacks.
Replacing shared media hubs with switches will make sniffing harder,
but cannot be relied upon to make sniffing impossible.
Employing Detection Techniques
The most important measure is to monitor hosts themselves in order to
see if their interfaces have been placed in promiscuous mode. This
indicates not only that a sniffer is running, but that the box has been
compromised by a hacker.
Remotely detecting sniffers is not reliable. Remote detection relies upon
hosts behaving in certain ways, such as running slowly when the sniffer
is active, or sniffers who resolve IP addresses to names. Only some
sniffers will behave this way.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book,
are designed to both measure your understanding of the concepts presented in
this chapter and to assist you with real-life implementation of these concepts. To
have your questions about this chapter answered by the author, browse to
www.syngress.com/solutions and click on the “Ask the Author” form.
Q: Is network monitoring legal?
A: Although using sniffers for network diagnostics and management is legal, network
monitoring of employee activities by management has been highly
debated. Commercial tools exist for exactly this purpose. In most countries
(particularly the United States and United Kingdom), it is legal for employers
to monitor any activity that traverses their own networks, including all
employee activity.
Q: How can I detect a sniffer running on my network?
A: There is no 100 percent reliable method to detect a sniffer; however, utilities
are available to assist in this (AntiSniff).
Q: How can I protect myself from a sniffer?
A: Encryption, encryption, and encryption—this is the one true solution. Many
newer versions of network protocols also support enhancements that provide
secure authentication.
Q: Why can’t I get my tool to work under Windows?
A: Most of the sniffing tools described in this chapter were written on platforms
such as Linux. They can run under Windows, but you will need to install
UNIX-like features on Windows. You will usually need to install the
WinDump toolkit described earlier. You may need to install other utilities as
well, such as the Gnu environment.
Q: Can I use these tools on wireless networks?
A: Yes, but it is difficult without a lot of work. Sniffing is not supported by the
standard package you receive from your vendor. You need to search on the
Internet and find patches for your particular driver. You may also need to
download special utilities such as AirSnort that are designed to bypass the
poor encryption in today’s wireless networks. Luckily, most people don’t use
encryption, so this may not be necessary.
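The chapter's "Employing Detection Techniques" track says the most important measure is to check hosts themselves for interfaces in promiscuous mode. The following is an added example of that host-side check, not code from the book or from this post: it assumes a Linux host with iproute2, parses the output of `ip -d link show`, and goes one step beyond the text by reading the kernel's promiscuity counter as well as the PROMISC flag. The SAMPLE output is constructed for offline use.

```python
import re
import subprocess

# "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..." -> name and flag list
IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")
# with -d, iproute2 prints the kernel's promiscuity counter on the link/ line
PROMISC_RE = re.compile(r"\bpromiscuity\s+(\d+)")

def parse_ip_link(output: str) -> dict:
    """Map interface name -> {"flags": set of flag names, "promiscuity": int}."""
    result, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            flags = {f for f in m.group(2).split(",") if f}
            result[current] = {"flags": flags, "promiscuity": 0}
            continue
        m = PROMISC_RE.search(line)
        if m and current is not None:
            result[current]["promiscuity"] = int(m.group(1))
    return result

def promiscuous_interfaces(parsed: dict) -> list:
    """Interfaces promiscuous by either indicator.  PROMISC in the flag list
    only appears when the mode was set explicitly (ifconfig / ip link); a
    sniffer opening a packet socket just bumps the promiscuity counter, so
    the counter is what catches libpcap-style tools."""
    return sorted(name for name, info in parsed.items()
                  if "PROMISC" in info["flags"] or info["promiscuity"] > 0)

def check_live_host() -> list:
    """Run `ip -d link show` on this host (iproute2; no root needed to read)."""
    out = subprocess.run(["ip", "-d", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(parse_ip_link(out))

# Constructed sample: lo clean, eth0 sniffed via a packet socket, eth1 via ifconfig
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(parse_ip_link(SAMPLE)))  # ['eth0', 'eth1']
    print("this host:", check_live_host())
```

Run it periodically from a host-monitoring job and alert on any non-empty result; as the chapter notes, a positive here means more than a sniffer, it means the box itself is likely compromised.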