CEG 499/699:
Internet Security


College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

Sniffers
 

Prabhaker Mateti
 
Abstract: Sniffing is passively eavesdropping on the network.  We introduce sniffing both as an investigating technique as well as a malicious activity.  Also discussed are a few methods of discovering that a host in your LAN is sniffing.  Sniffing forms the base on which TCP/IP exploits are built.
 
This work is supported in part by NSF DUE-9951380.
  04/24/01

Table of Contents

  1. Educational Objectives
  2. Sniffers
    1. Capabilities of Sniffers
    2. Promiscuous NIC
    3. Detection of Sniffers
    4. Prevention of Sniffing
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Become aware of a class of vulnerabilities known as sniffing.
  2. Learn how to setup and use a sniffer.
  3. Learn to configure and build tools widely available on the net.

Sniffers

A packet sniffer is a program that eavesdrops on the network traffic. Just as a telephone wiretap allows one to listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations.  Sniffing is the act by a machine S of making copies of a network packet sent by machine A intended to be received by machine B.  Once a copy is made, the sniffer program can do, time and resources permitting, an arbitrary computation on the copy such as displaying it nicely in a GUI window. 

A sniffer can be used for a good purpose: to audit your own network, and to demonstrate the insecurity of plaintext network protocols.  A sniffer machine can be discovered by other network tools.

In this lecture, we are considering sniffers where the sniffer program / machine S topologically sits between A and B.  Be aware that it is possible to route the messages between A and B to go past S when A and  B are on different subnets.

Capabilities of Sniffers

A sniffer program allows a user to watch all network traffic over any network interfaces connected to the host machine.  A sniffer program can watch TCP, IP, UDP, ICMP, ARP, RARP.  A sniffer also lets you watch port specific traffic for monitoring things like http, ftp, telnet, etc. traffic.  A sniffer can
  1. intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies.  This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time.
  2. determine the local gateway of an unknown network via passive sniffing.
  3. flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). 
  4. become a simple password sniffer by minimally parsing each application protocol, and saving the "interesting" bits.
  5. output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).
  6. send URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, "automagically").

Promiscuous NIC

A sniffer program makes the NIC on the machine S enter into a so-called promiscuous mode.  An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e.,  it ignores all frames whose destination MAC address does not match with its own.  Through the NICs driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.

The typical NICs used in workstations and PCs can be put into promiscuous mode quite easily.  In fact, on many NICs, it is possible to reprogram their MAC addresses.  Even if there are NICs that cannot enter into a promiscuous mode, network analyzing equipment deliberately and legitimately needs to observe all traffic, and hence be promiscuous.

Thus, the defense against is sniffing is not really prevention but providing security solutions so that even if large amounts of data is sniffed, not much can be made out of it.  This is the major reason behind one-time passwords and encryption.

Detection of Sniffers

To detect a sniffing device that only collects data and is quiet, does not respond to any of the information, nor generate any of its own traffic, requires physically checking all your Ethernet connections by walking around, and observing the output of ifconfig -a or equivalent.  But a malicious sniffer is often not quiet as it needs to send the data gathered out to its owner.

It is difficult to remotely check by sending a packet or a "proper" ping if a machine is sniffing.  The following techniques are useful to be included in security audit tools.  Note that these techniques are attempting to determine that an NIC on the suspect machine is or is not in promiscuous mode, and  if the suspected machine is on the same Ethernet segment as the detective node,  but will occasionally yield false alarms. The non-trusting assumption is that because it is in promiscuous mode, the machine must be running a sniffer.

The DNS Test  In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick  up on those connections and resolve the IP addresses of the  nonexistent hosts.   Some packet sniffers perform reverse DNS lookups for the packets it captures. When reverse DNS lookup occurs, a sniffer detection tool sniffs the lookup request to see if the target is the one  requesting  resolution of that nonexistent host.

The Ping Test This method relies on a problem in the target machine's kernel.  we can construct an ICMP echo request with the IP address of the machine suspected of hosting a sniffer but with a deliberately mismatched MAC address.  We send an ICMP echo packet to the target with the correct destination IP address, but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect.  But  in some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffer will grab this packet off the network as a legitimate packet  and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode.  Clever attackers are of course aware of this and can update their sniffers to filter out such packets as the NIC itself would have had it not been in promiscuous mode.

The ICMP Ping Latency Test  In this method, we ping the target and note the round trip time (RTT), from there. We create hundreds of fake TCP connections on our network segment at a lightning rate.  We expect the sniffer to be processing those packets at a rate where the target machine's network latency will increase. We then ping the  target once again, and compare the RTT this time to the first time.  After a series of tests and averages, we can conclude whether or  not a sniffer is indeed running on the target.

The ARP Test  We send out an ARP request to our target with all valid information except a bogus destination hardware address.  A machine that is not in promiscuous mode would never see the packet, since it wasn't destined to them, therefore it wouldn't reply. If a machine is in promiscuous mode,  the ARP request would be seen and the kernel would process it and  reply.  By the machine replying, we know it is in promiscuous mode.

Two tools are available that employ the above techniques: AntiSniff for NT, about $350, and Sentinel, open source, for Unices.  A program known as neped (neped-libnet.tar.gz) uses the ping test above.

Prevention of Sniffing

Use switches instead of hubs.  However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.

Use protocols that encrypt the packet payload.

Lab Experiment

All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 19 to 30.  No other WSU facilities are allowed. 

Objective: Run a sniffer program productively and evaluate its information gathering abilities.

A package named ethereal   is widely known.  It is installed as /usr/local/bin/ethereal in all the machines.  Verify that it is available.  Even though the GUI is intuitive enough to begin using immediately, please do read the man pages.  Also, read the FAQ listed in the References.

  1. Setup a network of at least three PCs, P0, P1, P2 with P1 as a router as in the first lab experiment.
  2. Run the ethereal program on P1.  Learn to use all the options of the program.
  3. Using the ethereal package, determine which of the above six capabilities (see Capabilities of Sniffers section) can be exercised.  Turn in a short description of what you learned.

Acknowledgements

References

  1. Christopher Klaus, The computer-security/ sniffers FAQ,  Jul 1997, http://www.faqs.org/faqs/ computer-security/sniffers/  Recommended Reading.
  2. NetSniffer is a small packet sniffer for Windows NT.  As of June 30, 2000, www.assert.ee/ says  "Due to technical reasons ASSERT homepage is not available."  (The one at netsniffer. virtualave.net/ for a subscription of $99 is an e-mail gatherer of visitors to a web page.)  Recommended download.
  3. Robert Graham, Sniffing (network wiretap, sniffer) FAQ, http://www.robertgraham.com/pubs/ sniffing-faq.html Recommended Reading.
  4. AntiSniff 1.021 for Windows NT 4.0, http://www.l0pht.com, $350 per licensed machine. Recommended visit.
  5. bind, Sentinel, Promiscuous detection tool, http://www.subterrain.net/projects/sentinel/  Open source. Recommended download.
  6. Ethereal FAQ
04/24/01 06:30:45 PM
Open Content Copyright © 2001 pmateti@cs.wright.edu