Chapter 15. Sniffers

Sniffers are devices that capture network packets. Their legitimate purpose is to analyze network traffic and identify potential areas of concern. For example, suppose that one segment of your network is performing poorly: packet delivery seems incredibly slow, or machines inexplicably lock up on a network boot. You can use a sniffer to determine the precise cause.

NOTE

The term sniffer is derived from a product, called the Sniffer, originally manufactured by Network General Corporation. As Network General dominated the market, this term became popular, and protocol analyzers have since then generally been referred to as such.

Sniffers vary greatly in functionality and design. Some analyze only one protocol, whereas others can analyze hundreds. As a general rule, most modern sniffers will analyze at least the following protocols:

  • Standard Ethernet

  • TCP/IP

  • NetBIOS

Proprietary sniffers are expensive (vendors often package them on special computers that are “optimized” for sniffing). Freeware sniffers, on the other hand, are cheap, but offer no support.

In this chapter, we’ll examine sniffers as both security risks and network administration tools.

Sniffers as Security Risks

Sniffers differ greatly from keystroke-capture programs. Key-capture programs save, or capture, keystrokes entered at a terminal. Sniffers, on the other hand, capture actual network packets. Sniffers do this by placing the network interface—an Ethernet adapter, for example—into promiscuous mode. Sniffers also differ in one key aspect from other attack methods—sniffers are passive, only listening to the network traffic.

A sniffer always functions in promiscuous mode. Normally, a system’s network card will only grab packets destined for that system. In promiscuous mode, however, instead of ignoring all other packets, the system captures every packet that it sees on the network. To further understand how promiscuous mode works, you must first understand how local area networks are designed.

Local Area Networks and Data Traffic

Local area networks (LANs) are small networks connected (generally) via Ethernet. Data is transmitted from one machine to another via cable.

Data travels along the cable in small units called frames. These frames are constructed in sections, and each section carries specialized information. For example, the first 12 bytes of an Ethernet frame carry both the destination and source MAC address. These values tell the network where the data came from and where it’s going. Other portions of an Ethernet frame carry actual user data, TCP/IP headers, IPX headers, and so forth.

Frames are packaged for transport by special software called a network driver. The frames are then passed from your machine to cable via your Network Interface Card (NIC). From there, they travel to their destination. At that point, the process is executed in reverse: The recipient machine’s NIC picks up the frames, tells the operating system that frames have arrived, and passes those frames on for processing.

Sniffers pose a security risk because of the way frames are transported and delivered. Let’s briefly look at that process.

Packet Transport and Delivery

Each workstation in a LAN has its own hardware address or Media Access Control (MAC) address. This address uniquely identifies that machine from all others on the network. (This is similar to the Internet address system.) When you send a message across the LAN, your packets are sent to all connected machines.

Under normal circumstances, all machines on the network can “hear” that traffic going by, but will only respond to data addressed specifically to them. In other words, Workstation A will not capture data intended for Workstation B. Instead, Workstation A will simply ignore that data.

If a workstation’s network interface is in promiscuous mode, however, it can capture all packets and frames on the network. A workstation configured in this way (and the software on it) is a sniffer.
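The frame layout and the normal-versus-promiscuous delivery rule described above, as an added example that is not from the book: it decodes the 14-byte Ethernet header (and the IPv4 addresses behind it), then shows what station A’s software sees with its interface in each mode. The station MACs, IP addresses and frames are constructed for the demonstration.

```python
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed station addresses (locally administered MACs, not real hardware).
A_MAC = bytes.fromhex("020000000001")
B_MAC = bytes.fromhex("020000000002")
C_MAC = bytes.fromhex("020000000003")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_header(src_ip: str, dst_ip: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def build_frame(dst: bytes, src: bytes, payload: bytes = b"", ethertype: int = ETHERTYPE_IPV4) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Bytes 0-5: destination MAC, 6-11: source MAC, 12-13: EtherType, rest: payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ip = frame[14:34]  # minimal IPv4 header right after the Ethernet header
        info["proto"] = ip[9]
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    return info


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Normal mode keeps only frames addressed to this station or to broadcast
    (multicast group filtering is omitted); promiscuous mode keeps every frame."""
    if promiscuous:
        return True
    dst = frame[0:6]
    return dst == own_mac or dst == BROADCAST


def captured(frames, own_mac: bytes, promiscuous: bool) -> list:
    """What a station's software gets to see, in each mode."""
    return [parse_ethernet(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]


def sample_frames() -> list:
    """Three constructed frames: C->B (a stand-in TCP segment to port 23),
    C->A, and an ARP broadcast from B."""
    seg = b"\x04\xd2\x00\x17" + b"\x00" * 16  # src port 1234, dst port 23, rest zeroed
    return [
        build_frame(B_MAC, C_MAC, ipv4_header("10.0.0.3", "10.0.0.2", 6, len(seg)) + seg),
        build_frame(A_MAC, C_MAC, ipv4_header("10.0.0.3", "10.0.0.1", 6, len(seg)) + seg),
        build_frame(BROADCAST, B_MAC, b"\x00" * 28, ETHERTYPE_ARP),
    ]


if __name__ == "__main__":
    for mode in (False, True):
        seen = captured(sample_frames(), A_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: station A sees {len(seen)} of 3 frames")
        for info in seen:
            print("  ", info)
```

In normal mode station A sees only its own frame and the broadcast; in promiscuous mode it also sees the C-to-B segment, which is exactly what a sniffer relies on.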

What Level of Risk Do Sniffers Represent?

Sniffers represent a high level of risk. Here’s why:

  • Sniffers can capture account names and passwords.

  • Sniffers can capture confidential or proprietary information.

  • Sniffers can be used to breach the security of neighboring networks, or to gain leveraged access.

In fact, the existence of an unauthorized sniffer on your network might indicate that your system is already compromised.

Has Anyone Actually Seen a Sniffer Attack?

Sniffer attacks are common, particularly on the Internet. A well-placed sniffer can capture not just a few passwords, but thousands. In 1994, for example, a massive sniffer attack was discovered, leading a naval research center to post the following advisory:

In February 1994, an unidentified person installed a network sniffer on numerous hosts and backbone elements collecting over 100,000 valid user names and passwords via the Internet and Milnet. Any computer host allowing FTP, Telnet or remote log in to the system should be considered at risk…All networked hosts running a Unix derivative operating system should check for the particular promiscuous device driver that allows the sniffer to be installed.

--Naval Computer and Telecommunications Area Master Station LANT advisory

The attack on Milnet was so serious that the issue was brought before the Subcommittee on Science, Space, and Technology at the U.S. House of Representatives. F. Lynn McNulty, Associate Director for Computer Security at the National Institute of Standards and Technology, gave this testimony:

The recent incident involved the discovery of “password sniffer” programs on hundreds of systems throughout the Internet…The serious impact of the recent incident should be recognized; log-in information (i.e., account numbers and passwords) for potentially thousands of host system user accounts appear to have been compromised. It is clear that this incident had a negative impact on the operational missions of some Government agencies. Moreover, this should be viewed as [an] ongoing incident, not an incident that has happened and been dealt with. Indeed, administrators of systems throughout the Internet were advised, in turn, to direct their users to change their passwords. This is, indeed, very significant, and we may be seeing its effects for some time to come. Not only is it difficult, if not impossible, to identify and notify every user whose log-in information might have been compromised, it is unlikely that everyone, even if notified, will change his or her passwords.

TIP

You can access McNulty’s full testimony at http://www-swiss.ai.mit.edu/6.805/articles/mcnulty-internet-security.txt.

The Department of Defense, in particular, has experienced numerous attacks and been victimized by sniffers on its networks. In one of the more interesting incidents, in February 1998, intruders installed sniffers on DoD and university systems, compromising numerous user accounts. This incident, referred to as Solar Sunrise by DoD officials, involved two teenagers from California and their mentor in Israel.

TIP

Numerous discussions on this incident can be found online, including http://www.sans.org/newlook/resources/IDFAQ/solar_sunrise.htm.

What Information Do Sniffers Capture?

Sniffers will capture all packets on the network, but in practice, an attacker has to be choosier. A sniffer attack is not as easy as it sounds. It requires some knowledge of networking. Simply setting up a sniffer and leaving it will lead to problems, because even a five-station network transmits thousands of packets an hour. Within a short time, a sniffer’s outfile could easily fill a hard disk drive to capacity (if you logged every packet).

To circumvent this problem, crackers generally sniff only the first 200–300 bytes of each packet. The username and password are contained within this portion, which is really all most crackers want. However, it is true that you could sniff all the packets on a given interface; if you have the storage media to handle that kind of volume, you would probably find some interesting things.

Authentication information is one of the most common targets for sniffer activity. In particular, information sent to ports 23 (Telnet), 80 (HTTP), and 21 (FTP) is valuable, because authentication information (such as usernames and passwords) is sent in clear text in these protocols. Port 513 (rlogin) is also useful when trust relationships don’t exist. (If a trust relationship does exist, then no username or password is required, but the system becomes a potential target for spoofing.)

TIP

The authentication information from encrypted connections is generally not vulnerable to sniffer attacks. By switching from an unencrypted protocol to an encrypted one, you can improve your security. For example, use SSL (Secure Socket Layer) to encrypt Web traffic, or SSH (Secure Shell) to encrypt remote shell sessions instead of using Telnet or rlogin. We’ll cover more on this subject later in the chapter.

Where Is One Likely to Find a Sniffer?

You are likely to find a sniffer almost anywhere. However, there are some strategic points that a cracker might favor. One of those points is anywhere adjacent to a machine or network that receives many passwords. This is especially true if the targeted machine is a gateway to the outside world. If so, the cracker will want to capture authentication procedures between your network and other networks. This could exponentially expand the cracker’s sphere of activity.

NOTE

I do not believe that, in practice, any sniffer can catch absolutely all traffic on a network. This is because, as the number of packets increases, the chance of lost packets is high. If you examine technical reports on sniffers, you will discover that at high speeds and in highly trafficked networks, a significant amount of data can be lost. (Commercial sniffers, which tend to have better designs, are far less likely to suffer packet loss.) This suggests that sniffers might be vulnerable to attacks themselves. In other words, just how many packets-per-second can a sniffer take before it fails in its fundamental mission? That is a subject worth investigating.

Security technology has evolved considerably. Some operating systems now employ encryption at the packet level, and therefore, even though a sniffer attack can yield valuable data, that data is encrypted. This presents an additional obstacle likely to be passed only by those with deeper knowledge of security, encryption, and networking. An example of this is the Windows NT/2000 authentication mechanism.

TIP

More information about Windows authentication can be found at http://www.windowsitlibrary.com/Content/617/06/toc.html.

Where Can I Get a Sniffer?

Sniffers come in two basic flavors: commercial and freeware. If you’re just learning about networking, I recommend getting a freeware sniffer. On the other hand, if you manage a large network, your company should purchase at least one commercial sniffer. They are invaluable when you’re trying to diagnose a network problem.

Commercial Sniffers

The sniffers in this section are commercial, but many of these companies offer demo versions. Prices range from $200 to $2,000.

Sniffer Technologies and Products from Network Associates

Network Associates has a whole line of Sniffer-related products, divided into three types. The first is the Distributed Environment line, whose units are permanently installed at fixed locations on the network. The second is the Portable line, whose units are designed to be carried to hotspots on the network for diagnostic purposes. Finally, there’s a Wireless product line for troubleshooting problems with wireless equipment. To give you an idea of how advanced the Sniffer line is, it can decode more than 450 different protocols. It can also handle many different types of network media and systems. One of the strengths of the Sniffer line has always been that it is a good real-time and historical reporting product at the same time. Of course, all this power means the units are fairly expensive.

Finisar-Systems Surveyor

Finisar-Systems LAN Analyzers are heavy-duty hardware/software solutions that support 10/100Mbps and gigabit Ethernet. The systems work with both Ethernet and token ring networks and offer real-time reporting. Surveyor operates on Windows. Finisar also offers a plug-in module for Surveyor, which provides Quality of Service analysis for factors important to voice-over-IP applications.

PacketView by Klos Technologies

PacketView is a DOS-based packet sniffer designed for use in Ethernet, token ring, and FDDI environments. It runs about $299. You can try before you buy by downloading a demo version located at www.klos.com/get.pvdemo.html.

Ranger Network Probe from Network Communications

Network Communications produces several network analyzers, including the Ranger Network Probe. The Ranger Network Probe is designed for use on WANs, and supports a large number of protocols.

LANWatch by Precision Guesswork

LANWatch is a software-based sniffer solution for Windows. It will monitor packets from the following protocols: TCP, UDP, IP, IPv6, NFS, NetWare, SNA, AppleTalk, VINES, ARP, NetBIOS, and some 50 others. LANWatch monitors traffic in real-time, and can display a wide range of usable statistics. A demo version is located at www.guesswork.com/demo.html.

EtherPeek and AiroPeek from WildPackets Inc.

EtherPeek and AiroPeek are available for Windows. EtherPeek is for Ethernet networks, and AiroPeek is for wireless. Both support all the major protocol suites.

NetMinder Ethernet by Neon Software

NetMinder Ethernet is a Macintosh-based protocol analyzer that can produce automatically-updated HTML output reports. Not only does it support Ethernet, it supports wireless as well. These reports are updated in real-time, allowing system administrators to access their latest network analysis statistics from anywhere in the world and from any platform. (Naturally, the application also provides real-time analysis in the standard GUI environment.) A demo version is available at http://www.neon.com/demos_goodies.html.

LinkView Classic Network Analyzer by Acterna

LinkView Classic Network Analyzer supports token ring, Ethernet, and fast Ethernet, but it’s designed chiefly for protocol analysis on internetworks. It therefore automatically segregates IP-reporting statistics from other protocol statistics. LinkView Classic runs on Windows. LinkView Classic is a software-only LAN analyzer that works with most third-party network cards.

ProConvert from WildPackets, Inc.

ProConvert is not a sniffer, but is instead a tool for integrating data from disparate sniffers. This allows data from different vendors’ formats to be converted into a single format, enabling the user to view packets on a platform separate from the one on which the packets were captured. ProConvert decodes (and provides universal translation between) 20 different sniffer file formats, including EtherPeek, Fireberd500, Internet Advisor LAN, LAN900, LANalyzer for Windows, LANWatch, Network Monitor, NetXRay, LinkView, and TCPDUMP formats. In other words, ProConvert is the Rosetta stone for sniffer logs. It can save you many, many hours of work.

LANdecoder32 by Triticom

LANdecoder32 is a popular sniffer for use on Windows. It has advanced reporting capabilities, and can be used to analyze frame content. Other features include remote monitoring (requiring RMON on the remote system), ASCII filtering (filter by string), and real-time reporting. Demonstration versions can be obtained by contacting Triticom.

Vericept

Vericept is an unusual sniffer product. Instead of being designed to troubleshoot your networks, it is designed to help you monitor your employees for policy violations.

Freely Available Sniffers

Many freeware and shareware sniffers are also available. These are perfect if you want to learn about network traffic without spending any money. Unfortunately, some are architecture-specific, and the majority are designed for Unix.

Snoop

Solaris ships with a packet sniffer called Snoop. It has very nice output formats compared to many of the Unix sniffers. To find out more, type man snoop on a Solaris system.

Esniff

Esniff is a standard, Unix-based sniffer. It was one of the first sniffers, and was originally released in Phrack Magazine (an online hacker zine). Esniff is a very small C program that requires a C compiler and IP include files. A modified version for Solaris 2.X called solsniffer.c also exists. Esniff is available at http://www.netsw.org/net/ip/audit/sniffer/esniff/.

TCPDUMP

TCPDUMP is one of the most popular tools for network diagnostics and analysis. TCPDUMP can be used to monitor and decode all IP, TCP, UDP, and ICMP headers. The user can vary the amount of the packet that is grabbed, but the default is 64 bytes. TCPDUMP was loosely based on Sun’s etherfind, and was designed to aid in ongoing research to improve TCP and Internet gateway performance. TCPDUMP is a Unix-based program, but a Windows version known as WINDUMP exists. TCPDUMP can be obtained at http://www.tcpdump.org/.

WINDUMP can be found at http://netgroup-serv.polito.it/windump/.

LinSniff

LinSniff is a password sniffer. To compile it, you need all the necessary network include files (tcp.h, ip.h, inet.h, if_ether.h, and so on) on a Linux system. It is available at http://www.pdaconsulting.com/Cracker%20Tools/linsniff.c.

Defeating Sniffer Attacks

Now that you understand how sniffers work and the dangers they pose, you are probably wondering how to defeat sniffer attacks. Get ready for some bad news: Defeating sniffer attacks is not easy. You can take two approaches:

  • Detect and eliminate sniffers

  • Shield your data from sniffers

Let’s briefly look at the pros and cons of each method.

Detecting and Eliminating Sniffers

Sniffers are extremely difficult to detect because they are passive programs. They don’t generate an audit trail, and unless their owner is very stupid, they use up no network resources. Some operating systems provide a mechanism to determine whether a network interface has been placed in promiscuous mode, which can aid greatly in determining if a sniffer is running on a specific host.

On a single machine, it is theoretically feasible to determine whether a sniffer has been installed. For example, you could rely on the MD5 algorithm (see Chapter 18, “Trojans,” for more on MD5), provided you have a decent database of original installation files (or a running database of installed files). If you intend to use MD5 and search by checksum, you should obtain md5check, an awk script that automates the process. md5check was originally distributed by CERT and works well for SunOS. md5check can be found at http://lvl.sourceforge.net/md5check.php. Another alternative is Tripwire (http://www.tripwire.org); see Chapter 21, “Unix,” for more on Tripwire.
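The two single-host checks described above (an interface flagged promiscuous, and installed files compared against a checksum baseline the way md5check and Tripwire do), as an added example that is neither the book’s code nor either tool. It assumes the Linux sysfs layout /sys/class/net/<interface>/flags with IFF_PROMISC = 0x100; the demo files are constructed temporaries, not real system binaries.

```python
import hashlib
import json
import os
import tempfile

IFF_PROMISC = 0x100  # bit value of the promiscuous flag in <linux/if.h> (assumed Linux)


def flags_promiscuous(flags_text: str) -> bool:
    """flags_text is the hex string read from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs: str = "/sys/class/net") -> list:
    """Names of interfaces currently flagged promiscuous (Linux sysfs layout assumed)."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                if flags_promiscuous(fh.read()):
                    found.append(name)
        except OSError:
            continue  # entries without a readable flags file
    return found


def file_md5(path: str) -> str:
    h = hashlib.md5()  # the book's algorithm; hashlib.sha256 is the stronger choice today
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Snapshot of path -> digest, taken while the system is known to be clean."""
    return {p: file_md5(p) for p in paths}


def save_baseline(baseline: dict, out_path: str) -> None:
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_path: str) -> dict:
    with open(in_path) as fh:
        return json.load(fh)


def verify_baseline(baseline: dict) -> dict:
    """Report files whose digest changed or that disappeared since the snapshot."""
    report = {"modified": [], "missing": [], "ok": 0}
    for path, digest in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif file_md5(path) != digest:
            report["modified"].append(path)
        else:
            report["ok"] += 1
    return report


def demo_tamper() -> dict:
    """Constructed demo: baseline two files, append bytes to one, verify."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ifconfig", "netstat")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"original binary contents of " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[0], "ab") as fh:
            fh.write(b"\x90 trojaned")
        return verify_baseline(baseline)


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
    print(demo_tamper())
```

Store the baseline somewhere the host cannot rewrite it (read-only media, or another machine), since an intruder who can replace ifconfig can just as easily update a checksum file left beside it.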

Certainly, searching by checksum on a single box is effective enough. However, finding a sniffer on a large network is difficult. The question of detecting sniffers on diverse architectures is a bitter debate in the security community. (You can see folks arguing this issue for weeks at a time without resolution.) However, there are several tools that can help—if you have the right architecture:

Detecting a sniffer in heterogeneous networks is more difficult—difficult, that is, without physically checking each machine. For example, suppose your network is made up exclusively of AIX systems. Suppose further that someone goes into an empty office, unplugs an RS/6000, and hooks up a PC laptop, which they use as a sniffer. This is difficult to detect unless you are using network topology maps (tools that red-flag any change in topology) and check them daily. Otherwise, the network appears just as it did, with no indication of trouble. After all, the PC has the same IP as the RS/6000 did. Unless you run daily scans, you would probably never detect the PC.

A more complicated situation occurs when intruders attach physical devices that sniff. (For example, they can splice themselves in at points not visible to the naked eye. I’ve seen offices that run their coax wire overhead, in the space above the ceiling. This allows anyone in an adjacent office to snag the wire and patch themselves in.) Other than physically checking each wire lead throughout the network, there is no easy way to identify a spliced connection. (Although, again, network topology mapping tools would warn that an extra IP had been added to your subnet. Unfortunately, however, most small businesses can’t afford such tools.)

At day’s end, however, proactive solutions are difficult and expensive. Instead, you should take more defensive measures. There are two chief defenses against sniffers:

  • Safe topology

  • Encrypted sessions

Let’s quickly cover both defenses.

Safe Topology

Sniffers can only capture data on their immediate network segment. This means that the tighter you compartmentalize your network, the less information a sniffer can gather. This used to be expensive, but switches have dropped in price so much that a low-end switch does not cost much more than a hub. There are three network interfaces that a sniffer cannot easily cross:

  • Switches

  • Routers

  • Bridges

You can create tighter network segments by strategically placing these devices on the network. You could possibly compartmentalize 20 workstations at a crack—this seems like a reasonable number. Once a month you could physically check each segment (and, also perhaps once a month, you could run MD5 checks on random segments). It should be noted that programs such as macof have been developed to flood switches in the hope that they would fail open. This would then eliminate the protection that switching might otherwise have provided.
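A detection check for the switch-flooding caveat just mentioned, as an added example that is not from the book or from macof: a flooded switch sees an abnormal number of distinct source MAC addresses per second, which is a simple thing to count in a capture taken on the segment. The frames and timestamps are constructed; the threshold of 100 distinct sources per second is an assumed value to tune for your own segment size.

```python
import struct
from collections import defaultdict


def distinct_sources_per_window(frames, window_seconds: float = 1.0) -> dict:
    """frames: iterable of (timestamp, raw_ethernet_frame).
    Groups the source MAC (frame bytes 6-11) of every frame by time window."""
    buckets = defaultdict(set)
    for ts, frame in frames:
        if len(frame) < 14:
            continue  # runt, not a decodable Ethernet header
        buckets[int(ts // window_seconds)].add(frame[6:12])
    return dict(buckets)


def flood_alerts(frames, threshold: int = 100, window_seconds: float = 1.0) -> list:
    """(window, distinct_source_count) for every window above the threshold. A healthy
    20-station segment never shows hundreds of new source addresses per second."""
    counts = distinct_sources_per_window(frames, window_seconds)
    return [(w, len(s)) for w, s in sorted(counts.items()) if len(s) > threshold]


def sample_capture() -> list:
    """Constructed capture: second 0 holds normal chatter from three stations;
    second 1 holds 500 frames whose source MACs are all different."""
    stations = [bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3)]
    frames = []
    for i in range(30):
        src = stations[i % 3]
        frames.append((i * 0.03, b"\xff" * 6 + src + b"\x08\x06" + b"\x00" * 28))
    for i in range(500):
        src = b"\x02\x00" + struct.pack("!I", i)  # 6-byte locally administered MAC
        frames.append((1.0 + i * 0.001, b"\xff" * 6 + src + b"\x08\x00" + b"\x00" * 46))
    return frames


if __name__ == "__main__":
    for window, count in flood_alerts(sample_capture()):
        print(f"second {window}: {count} distinct source MACs, switch CAM table under pressure")
```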

Encrypted Sessions

Encrypted sessions provide a different solution. Instead of worrying about data being sniffed, you simply scramble the data portion of the packet beyond recognition. The advantages to this approach are obvious: Even if an attacker sniffs data, it will be useless to him. However, the disadvantages are weighty. There are two chief problems with encryption. One is a technical problem, and the other is a human problem.

Technical issues include whether the encryption is strong enough, and whether it’s supported. For example, 40-bit encryption might be insufficient, and not all applications have integrated encryption support. Furthermore, cross-platform encryption solutions used to be rare and typically available only in specialized applications. Recently, cross-platform and generalized encryption services are becoming more common and will continue to do so.

Moreover, human users can resist using encryption. They might find it too troublesome. (For example, can you imagine forcing Macintosh users to use S/Key every time they logged in to the server? These folks are accustomed to ease-of-use, not generating one-time passwords for every new session.) Users might initially agree to such policies, but they rarely adhere to them.

In short, you must find a happy medium—applications that support strong, two-way encryption and also support some level of user-friendliness. That’s why I like Secure Shell.

Secure Shell (SSH) provides secure communications in an application environment like Telnet. SSH binds to port 22, and connections are negotiated using RSA. All subsequent traffic is encrypted using IDEA after authentication is complete. This is strong encryption, and is suitable for just about any nonsecret, nonclassified communication.

Secure Shell is a perfect example of an application that meets user and administrative standards.

Versions of SSH and OpenSSH (a free version of SSH) exist for just about all of the major operating systems. Check out Secure Shell at http://www.ssh.com/ or http://www.openssh.com.

Summary

Sniffers represent a significant security risk, mainly because they are not easily detected. You would benefit tremendously by learning how to use a sniffer, and understanding how others can employ them against you. The best defenses against sniffing are secure topology and strong encryption.

Further Reading on Sniffers

The following documents offer further information about sniffers and the threats they pose:
