Sniffers

Prabhaker Mateti

Wright State University
Dayton, Ohio 45435-0001

Abstract: Sniffing is eavesdropping on the network.  It can be used for monitoring the "health" of the network as well as for capturing the passwords used in telnet, rlogin and ftp connections.  This article describes a couple of well-known sniffers and an experiment with one of them.  This experiment is a prerequisite to later experiments in TCP/IP exploits.

This article is part of Internet Security Lectures

Table of Contents

  1. Educational Objectives
  2. Sniffers
    1. Examples of Sniffers
    2. Capabilities of Sniffers
    3. Promiscuous NIC
    4. Detection of Sniffers
    5. Prevention of Sniffing
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Become aware of a class of vulnerabilities known as sniffing.
  2. Learn how to set up and use a sniffer.
  3. Learn to configure and build tools widely available on the net.

Sniffers

A packet sniffer is a program that eavesdrops on the network traffic. Just as a telephone wiretap lets one listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations.  Sniffing is the act by a machine S of making copies of a network packet sent by machine A and intended to be received by machine B.  Once a copy is made, the sniffer program can do, time and resources permitting, an arbitrary computation on the copy, such as displaying it nicely in a GUI window. A sniffer can be used for a good purpose: to audit your own network, and to demonstrate the insecurity of plaintext network protocols.  A sniffer machine can be discovered by other network tools.

In this lecture, we consider sniffers where the sniffer (program/machine) S sits between A and B in the network topology.  But be aware that it is possible to route the messages between A and B past S when A and B are on different subnets.

Sniffer activity occurs widely within organizations.

Examples of Sniffers

Below is a select list of example sniffers from the open source archives. Visit http://www.packetstormsecurity.org/ and search for "sniffers."  Many of these work on both Linux and Windows.

  1. tcpdump: The granddaddy of packet sniffers. This is included in many Linux distributions.
  2. wireshark/ethereal: Excellent GUI-based sniffer.  It can dissect many protocols.
  3. hunt: A well written sniffer with some attack tools included.
  4. ettercap:  Ettercap is a network sniffer for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters towards the server (emulating commands) or towards the client (emulating replies) while maintaining an established TCP connection.
  5. dsniff:  As an article puts it, "Dsniff is the Swiss army knife of privacy invasion". The package ships with a handful of nasties: urlsnarf, msgsnarf, mailsnarf, webspy, dsniff, etc.
  6. sniffit: Clever little packet sniffer with good filtering. We recommend its use in the experiment described below.

Capabilities of Sniffers

A sniffer program allows a user to watch all network traffic over any network interface connected to the host machine.  A sniffer program can watch TCP, IP, UDP, ICMP, ARP and RARP traffic.  A sniffer also lets you watch port-specific traffic, for monitoring http, ftp, telnet, etc.  A sniffer can

  1. intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies.  This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time for this capability.
  2. determine the local gateway of an unknown network via passive sniffing.
  3. flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).  This is no longer passive/silent sniffing.
  4. become a simple password sniffer by minimally parsing each application protocol, and saving the "interesting" pieces.
  5. output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with log analysis tools.
  6. send URLs sniffed from a client to local web browser for display, updated in real-time (that is, as the target surfs, the local browser surfs along).

After conducting the experiment below, you should think about how all the above can be accomplished.

Promiscuous NIC

A sniffer program makes the network interface card (NIC) on the machine S enter a so-called promiscuous mode.  An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e., it ignores all frames whose destination MAC address does not match its own (broadcast frames, and multicast frames it has subscribed to, are accepted as well).  Through the NIC's driver, a sniffer turns off this filter, putting the NIC into promiscuous mode.

The typical NICs used in workstations and PCs can be put into promiscuous mode quite easily.  In fact, on many NICs, it is possible to reprogram their MAC addresses.  Network analyzing equipment deliberately and legitimately needs to observe all traffic, and hence must be promiscuous.

Thus, the defense against sniffing is not really prevention but providing security solutions so that even if large amounts of data are sniffed, not much use can be made of them.  This is the major reason behind one-time passwords and encryption.

Detection of Sniffers

Detecting a sniffing device that only collects data and is quiet, i.e., neither responds to any of the information nor generates any traffic of its own, requires physically checking all your Ethernet connections by walking around and observing the output of ifconfig -a or equivalent on each machine (a promiscuous interface is flagged with the word PROMISC).  But a malicious sniffer is often not quiet, as it needs to send the gathered data out to its owner.
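The local PROMISC check described above can be automated. The following Python script is an added example, not part of this lecture or of any tool named in it: it parses ifconfig -a or ip link listings and kernel log messages, and evaluates the /sys/class/net/<interface>/flags and promiscuity values, to report which interfaces are promiscuous. The listings and log lines embedded in it are constructed samples.

```python
import re

IFF_PROMISC = 0x100  # IFF_PROMISC bit of the Linux interface flag word

def sysfs_promisc(flags_hex, promiscuity):
    # Inputs: contents of /sys/class/net/<if>/flags (hex) and /promiscuity (count).
    # The counter also covers promiscuous mode requested through packet sockets,
    # which the flag word may not reflect, so either indicator raises the alarm.
    return bool(int(flags_hex, 16) & IFF_PROMISC) or int(promiscuity) > 0

def promisc_interfaces(listing):
    # Handles old net-tools ifconfig (flags on an indented line below the name),
    # newer ifconfig ("eth0: flags=4419<UP,...>") and `ip link` ("2: eth0: <...>").
    promisc, current = set(), None
    for line in listing.splitlines():
        m = re.match(r"^(?:\d+:\s+)?([A-Za-z0-9@._-]+):?\s", line)
        if m and not line[:1].isspace():
            current = m.group(1)  # a new interface block starts here
        if current and re.search(r"\bPROMISC\b", line):
            promisc.add(current)
    return promisc

def promisc_from_kernel_log(lines):
    # Replays the kernel's "<if> entered/left promiscuous mode" messages in order
    # and returns the interfaces still promiscuous at the end of the log.
    state = set()
    for line in lines:
        m = re.search(r"(?:device\s+)?([\w.@-]+):?\s+(entered|left) promiscuous mode", line)
        if m:
            (state.add if m.group(2) == "entered" else state.discard)(m.group(1))
    return state

# Constructed sample inputs, not captured from a real host.
IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
"""
OLD_IFCONFIG = """eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""
KLOG = ["[   42.1] device eth0 entered promiscuous mode",
        "[   50.7] device eth1 entered promiscuous mode",
        "[   99.3] device eth0 left promiscuous mode"]

if __name__ == "__main__":
    print("listings:", sorted(promisc_interfaces(IP_LINK) | promisc_interfaces(OLD_IFCONFIG)))
    print("kernel log:", sorted(promisc_from_kernel_log(KLOG)))
```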

It is difficult to determine remotely, by sending a packet or a "proper" ping, whether a machine is sniffing.  The following techniques are useful for inclusion in security audit tools.  Note that these techniques attempt to determine whether a NIC on the suspect machine is in promiscuous mode, and they work only when the suspected machine is on the same Ethernet segment as the detecting node.  The techniques will occasionally yield false alarms. The non-trusting assumption is that because a NIC is in promiscuous mode, the machine must be running a sniffer.

The DNS Test: In this method, the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up on those connections and resolve the IP addresses of the nonexistent hosts.  Some packet sniffers perform reverse DNS lookups for the packets they capture. When such a reverse DNS lookup occurs, the sniffer detection tool sniffs the lookup request to see whether the target is the one requesting resolution of that nonexistent host.

The Ping Test: This method relies on a weakness in the target machine's kernel.  We construct an ICMP echo request addressed to the IP address of the machine suspected of hosting a sniffer, but with a deliberately mismatched MAC address.  That is, we send an ICMP echo packet to the target with the correct destination IP address but a bogus destination hardware address. Most systems will disregard this packet since its hardware address information is incorrect.  But on some Linux, NetBSD and NT systems, since the NIC is in promiscuous mode, the sniffing machine will accept this packet off the network as a legitimate packet and respond accordingly. If the target in question replies to our request, we know it is in promiscuous mode.  Clever attackers are of course aware of this and can update their sniffers to filter out such packets, as the NIC itself would have had it not been in promiscuous mode.

The ICMP Ping Latency Test: In this method, we first ping the target and note the round-trip time (RTT). We then create hundreds of fake TCP connections on our network segment at a lightning rate.  We expect the sniffer to be processing those packets at a rate at which the target machine's network latency will increase. We then ping the target once again and compare the RTT with the first measurement.  After a series of tests and averages, we can conclude whether or not a sniffer is indeed running on the target.

The ARP Test: We send out an ARP request to our target with all valid information except a bogus destination hardware address.  A machine that is not in promiscuous mode would never see the packet, since it was not destined for it, and therefore would not reply. If the machine is in promiscuous mode, the ARP request would be seen and the kernel would process it and reply.  When the machine replies, we know it is in promiscuous mode.
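As an added example, not taken from this lecture or from AntiSniff, the Python below builds the probe frames used by the Ping Test and the ARP Test above, a correct ICMP echo request or ARP request carried in an Ethernet frame whose destination MAC is bogus, and decides from a captured frame whether the target answered. Sending the frame and capturing replies needs a raw packet socket and root privileges, which this example leaves out; the MAC and IP addresses in it are constructed.

```python
import struct
import socket

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
# Constructed bogus destination MAC: no real NIC owns it, so a NIC that is
# still filtering on its own address drops the frame before the kernel sees it.
BOGUS_DST_MAC = bytes.fromhex("ffffffffff00")

def eth_header(dst, src, ethertype):
    return dst + src + struct.pack("!H", ethertype)

def inet_checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def arp_probe(src_mac, src_ip, target_ip):
    # ARP test: a valid "who-has target_ip" request whose Ethernet destination
    # is bogus; only a promiscuous host's kernel ever sees and answers it.
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1,
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth_header(BOGUS_DST_MAC, src_mac, ETH_P_ARP) + arp

def ping_probe(src_mac, src_ip, target_ip, ident=0x1234):
    # Ping test: ICMP echo request with correct IP addresses but the same bogus MAC.
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(target_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth_header(BOGUS_DST_MAC, src_mac, ETH_P_IP) + ip + icmp

def answered_probe(frame, target_ip):
    # True if frame is an ARP reply or ICMP echo reply sent by target_ip: the
    # target processed a frame its NIC should have filtered, so it is promiscuous.
    if len(frame) < 42:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_ARP:
        op, sender_ip = struct.unpack("!H", frame[20:22])[0], frame[28:32]
        return op == 2 and sender_ip == socket.inet_aton(target_ip)
    if ethertype == ETH_P_IP and frame[23] == 1:  # IP protocol 1 = ICMP
        ihl = (frame[14] & 0x0F) * 4
        return frame[14 + ihl] == 0 and frame[26:30] == socket.inet_aton(target_ip)
    return False
```

A reply that arrives despite the bogus MAC is the only signal; a target that stays silent may simply be a host whose sniffer filters such frames, as the Ping Test paragraph warns.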

Prevention of Sniffing

Use switches instead of hubs.  However, many commercial switches can be "overwhelmed" into behaving as though they are hubs.


Lab Experiment

All work should be carried out in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 19 to 30.  No other WSU facilities are allowed.

Objective: Run a sniffer program productively.

  1. Set up a network of at least three PCs, P0, P1, P2, with P1 as a router, as in the first lab experiment.
  2. Run the sniffer program on P1. You may use the simple sniffit, or any other sniffer mentioned above.
  3. Using the sniffer, determine which of the above six capabilities can be exercised.
  4. Include in the Lab Report a short description of what you learned.
  5. Log into P0, and "use" all the other three machines remotely (as in ssh, http, nfs, samba). Sniff while doing so. Include in the Lab Report selected portions of what you sniffed.

Building sniffit

A secondary objective: Download a tar ball and build it.

Here are the details of building it.
  1. A package named sniffit is widely known.  Download the sniffit.0.3.5.tar.gz file onto a removable media device on the PC you are working on.
  2. Untar the source code.  cd to the sniffit source directory.  Run ./configure, which creates a Makefile.
  3. Run make in the directory. The make will create an executable named sniffit.   This is the sniffer program.
  4. Learn to use all the options of the sniffit program.  Read the ReadMe.txt etc., and the manual pages: man 5 sniffit and man 8 sniffit. (These files are also located in the untarred tree.)

Acknowledgements

This work is supported in part by NSF DUE-9951380.


References

  1. Christopher Klaus, The computer-security/sniffers FAQ, Jul 1997, http://www.faqs.org/faqs/computer-security/sniffers/. Recommended Reading.
  2. Brecht Claerhout, sniffit, http://reptile.rug.ac.be/~coder/sniffit/sniffit.html (local copy: sniffit.0.3.5.tar.gz). Reference. Download the source for the lab.
  3. Robert Graham, Sniffing (network wiretap, sniffer) FAQ. Used to be at http://www.robertgraham.com/pubs/sniffing-faq.html. Search the web for a copy. Recommended Reading.
  4. AntiSniff. Used to be at http://www.l0pht.com, website now gone. "Antisniff Unix version - This is a command line only version that runs many of the same tests to determine if a sniffer is running on the local network that the Windows NT/98/95 GUI does." http://packetstormsecurity.nl/sniffers/antisniff/ Recommended download.
04/08/08 04:27:51 AM
Copyright © 2009 pmateti@wright.edu