Sniffing

Objectives
- Become aware of a class of vulnerabilities known as sniffing.
- Learn how to use a sniffer tool.

What is a packet sniffer?
Sniffing is eavesdropping on the network. A packet sniffer is a piece of software that captures all of the traffic flowing into and out of a computer attached to a network. Sniffers are available for several platforms in both commercial and open-source variants. Some of the simplest are quite easy to implement in C or Perl: they use a command-line interface and dump the captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options. Sniffers are also the engines of other programs: Intrusion Detection Systems (IDS) use a sniffer to match packets against a rule set designed to flag anything malicious or strange.

Uses of a packet sniffer
Sniffing programs come in two forms. Commercial packet sniffers are used to help maintain networks and to demonstrate the insecurity of plaintext network protocols, while underground packet sniffers are used by attackers to gain unauthorized access to remote hosts, for example by capturing the passwords sent in telnet, rlogin and ftp connections.

Sniffing methods
There are three sniffing methods. Some work only in non-switched networks (hubs, where every frame is repeated to every port), while others also work in switched networks. The methods are IP-based sniffing, MAC-based sniffing and ARP-based sniffing.

1. IP-based sniffing
This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and capturing all packets that match an IP address filter. Normally no IP filter is set, so every packet is captured. This method only works in non-switched networks, because a switch forwards a frame only to the port of its destination MAC address, so the frames of other hosts never reach our card.

2. MAC-based sniffing
This method works by putting the network card into promiscuous mode and capturing all packets that match a MAC address filter. Like IP-based sniffing, it depends on the frames of other hosts actually arriving at our port, so it too only works in non-switched networks.
3. ARP-based sniffing
This method works a little differently: it does not put the network card into promiscuous mode, and it does not need to, because the traffic is sent to us. This is possible because ARP is stateless and unauthenticated: a host updates its ARP cache from any reply it receives, whether or not it asked for one. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first poison the ARP cache of the two hosts you want to sniff, identifying yourself to each of them as the other host in the connection. Once the caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to each other they send it to us. We log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the way it works.

Promiscuous mode
A sniffer program makes the network interface card (NIC) of the sniffing machine S enter the so-called promiscuous mode. An Ethernet NIC is built with a "filter" that ignores all traffic that does not belong to it, i.e. it ignores all frames whose destination MAC address does not match its own (or the broadcast address). Through the NIC's driver, a sniffer turns this filter off, putting the NIC into promiscuous mode.

The defense against sniffing is not really prevention but security measures that make captured data useless: even if large amounts of data are sniffed, not much use can be made of them. This is the major reason behind one-time passwords and encryption.

Capabilities of sniffers
A sniffer program allows a user to watch all network traffic over any network interface connected to the host machine. It can decode TCP, IP, UDP, ICMP, ARP and RARP, and it lets you watch port-specific traffic, for monitoring HTTP, FTP, telnet and similar protocols.
A sniffer can also:
- intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding must be turned on ahead of time so that the intercepted packets are still delivered to their real destination and the connection does not break.
- determine the local gateway of an unknown network via passive sniffing.
- flood the local network with frames from random MAC addresses, causing some switches to fail open in repeating (hub) mode, which facilitates sniffing. This is no longer passive or silent sniffing.
- act as a simple password sniffer by minimally parsing each application protocol and saving the "interesting" pieces.
- output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with log analysis tools.
- send URLs sniffed from a client to a local web browser for display, updated in real time (as the target surfs, the local browser surfs along).

Examples of sniffers
1. tcpdump
2. wireshark (formerly ethereal)
3. hunt
4. ettercap: a network sniffer for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. It can inject characters towards the server (emulating commands) or towards the client (emulating replies) while maintaining an established TCP connection.
5. dsniff
6. sniffi

Detection of sniffers
1. The DNS test
In this method the detection tool itself is in promiscuous mode. We create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up those connections and resolve the IP addresses of the nonexistent hosts: some packet sniffers perform reverse DNS lookups for the packets they capture. When a reverse lookup occurs, the detection tool sniffs the lookup request to see whether the suspected host is the one asking to resolve the nonexistent address.

2. The ping test
This method relies on a problem in the target machine's kernel.
We construct an ICMP echo request for the machine suspected of hosting a sniffer with the correct destination IP address but a deliberately bogus destination hardware (MAC) address. Most systems will disregard this packet, because the NIC filter drops a frame whose hardware address is not its own. But on some Linux, NetBSD and NT systems with the NIC in promiscuous mode, the packet is passed up to the kernel as a legitimate packet and answered. If the target replies to our request, we know it is in promiscuous mode. Clever attackers are of course aware of this and can update their sniffers to filter out such packets in software, as the NIC itself would have done had it not been in promiscuous mode.

3. The ICMP ping latency test
We ping the target and note the round-trip time (RTT). We then create hundreds of fake TCP connections on our network segment at a very high rate, expecting a sniffer to be busy processing those packets so that the target machine's network latency increases. We ping the target once again and compare the RTT with the first measurement. After a series of tests and averages, we can conclude whether or not a sniffer is running on the target.

4. The ARP test
We send an ARP request to our target with all information valid except for a bogus destination hardware address. A machine that is not in promiscuous mode never sees the packet, since it was not destined to it, so it does not reply. A machine in promiscuous mode sees the ARP request, its kernel processes it and replies. The reply tells us it is in promiscuous mode.

Prevention of sniffing
Use switches instead of hubs. However, many commercial switches can be "overwhelmed" into behaving as though they were hubs (see the MAC flooding capability above), and ARP poisoning works through a switch anyway, so switching alone is not a defense: encrypt the traffic and use one-time passwords so that whatever is captured is of little use.
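The two ARP techniques above, the cache poisoning of ARP-based sniffing and the ARP test for detecting a promiscuous host, both come down to crafting an ARP frame whose fields do not agree in the normal way. The following is an added example, not code from these notes or from any of the tools listed: it builds and inspects the frames in memory only, adds the defensive check (an IP whose MAC suddenly changes) that an administrator would want, and models the NIC filter the ARP test relies on. Putting frames on the wire needs a raw socket and root and is deliberately left out; the bogus destination MAC and all addresses are values chosen for the example.

```python
"""ARP frames for cache poisoning and for the promiscuous-mode ARP test.
Added example, not from the notes; everything stays in memory."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II header followed by an ARP packet (IPv4 over Ethernet).
    The Ethernet destination is a separate argument from the ARP target
    MAC: they normally agree, and the ARP test relies on them not to."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode the fields of an ARP frame into a dict; None if not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }

def poison_pair(attacker_mac, ip_a, mac_a, ip_b, mac_b):
    """The two unsolicited replies that set up the man-in-the-middle: host A
    is told that ip_b lives at the attacker's MAC, host B the same for ip_a.
    Both hosts accept them because ARP keeps no state about what it asked."""
    to_a = build_arp(ARP_REPLY, attacker_mac, ip_b, mac_a, ip_a, eth_dst=mac_a)
    to_b = build_arp(ARP_REPLY, attacker_mac, ip_a, mac_b, ip_b, eth_dst=mac_b)
    return to_a, to_b

class ArpWatch:
    """Defensive side: remember the IP-to-MAC binding each ARP frame claims
    and report any IP whose MAC changes, the signature of cache poisoning."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        old = self.table.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            self.alerts.append((a["sender_ip"], old, a["sender_mac"]))
        self.table[a["sender_ip"]] = a["sender_mac"]

def arp_probe(our_mac, our_ip, suspect_ip, bogus_dst="ff:ff:ff:ff:ff:fe"):
    """The ARP test: a normal request for suspect_ip, except that the
    Ethernet destination is an address nobody owns (bogus_dst is a value
    chosen for this example). A non-promiscuous NIC drops it in hardware."""
    return build_arp(ARP_REQUEST, our_mac, our_ip, "00:00:00:00:00:00",
                     suspect_ip, eth_dst=bogus_dst)

def nic_delivers(frame, own_mac, promiscuous):
    """Model of the NIC address filter: own unicast MAC or broadcast pass;
    in promiscuous mode everything passes (multicast is ignored here)."""
    return promiscuous or mac_str(frame[0:6]) in (own_mac, BROADCAST)

def host_would_reply(frame, own_mac, own_ip, promiscuous):
    """Model of the kernel behaviour the test relies on: whatever the NIC
    hands up is processed on its ARP contents alone, so a request for our
    IP is answered even though the Ethernet destination was never ours."""
    if not nic_delivers(frame, own_mac, promiscuous):
        return False
    a = parse_arp(frame)
    return a is not None and a["op"] == ARP_REQUEST and a["target_ip"] == own_ip
```

Feeding a legitimate reply from host B to ArpWatch and then the first frame of poison_pair produces one alert naming B's IP, its real MAC and the attacker's MAC; that is exactly the check tools like arpwatch perform on a live interface. For the probe, host_would_reply is False for a normal host and True for a promiscuous one, while a plain broadcast request is answered in both cases. A sniffer that re-implements nic_delivers in software before handing frames to the kernel defeats the test, which is the caveat given above for the ping test.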
Lab experiment
Requirements: set up a network containing at least two machines (in the lab), or use software like VMware or Virtual PC to build a virtual lab (at home).

Procedure:
1. On PC1 start Wireshark (or another sniffing tool). From the Capture menu select Interfaces; a list of network interfaces (NICs) is shown. Select the interface connected to the network you want to sniff.
2. Click Start to begin sniffing. The tool captures every packet on the wire and analyzes it, as shown in Figures 1 and 2.
3. To sniff a specific machine, use the tool's filter options to restrict the captured packets to that machine's IP address.

What the tool shows depends on the packet captured and on the protocol that created it, and is laid out according to the OSI model. For an ARP packet only the lower layers (physical, data link, network) carry data, because ARP sits directly above the data link layer and has no transport or application payload, as shown in Figure 1. A DNS packet, by contrast, has data in all layers (physical, data link, network, transport and application), as shown in Figure 2.

Let us analyze a captured DNS packet; the result is displayed in the middle panel of Wireshark:
1. The first entry shows the frame (physical layer) data.
2. The second shows the data link layer: the MAC addresses of the sender and receiver when both are on the local network; otherwise the destination MAC is that of the gateway of the sniffed machine, as shown in Figure 3.
3. The third shows the network layer. The unit here is the packet: it contains the source and destination IP addresses, the IP version (IPv4 or IPv6), the header checksum and the other fields of this layer, as shown in Figure 3.
4. The next shows the transport layer (TCP or UDP): source and destination ports and other related information, as shown in Figure 4.
5. Last come the upper-layer protocols; the data here depends on the protocol that created the packet. In our example it is DNS (Domain Name System), as shown in Figure 4.
6. We can use a display filter to show only specific data, such as UDP packets only (filter udp), or ICMP echo requests and replies (filter icmp), as shown in Figure 5.
Figure 1 ARP packet example
Figure 2 DNS packet example
Figure 3 The figure illustrates a data link layer frame with source MAC address 00:19:d1:07:9b:18 and destination MAC 00:11:f5:88:cd:24, and a network layer packet with source IP address 192.168.1.3, destination IP 192.168.1.1, version 4 and header checksum 0x6e0c.
Figure 4 This figure illustrates the transport layer UDP data with source port 4348 and destination port 53, and the application layer data of the DNS query for the site www.effetech.com.
Figure 5 Using a specific filter
Wireshark can also be run from BackTrack Linux: Start > Backtrack > Privilege Escalation > Sniffers > Wireshark.
Figure 6 Running Wireshark from BackTrack
Other available sniffers such as dsniff can be used as well.
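To see what Wireshark's middle panel is doing in Figures 3 and 4, the following added example (not part of the notes, and not Wireshark's own code) dissects a DNS query frame layer by layer and verifies the IPv4 header checksum the way a sniffer does. The frame is constructed in memory with the MAC addresses, IP addresses, ports and query name from the figures; the IPv4 identification, TTL and DNS transaction ID are made up, so the computed checksum is not the 0x6e0c of the real capture although the same algorithm produces it. The dissector also stops after the Ethernet layer for an ARP frame, which is the "lower layers only" behaviour described for Figure 1.

```python
"""Ethernet / IPv4 / UDP / DNS dissection of a constructed DNS query.
Added example, not from the notes. All addresses come from Figures 3-4;
identification, TTL and transaction ID are made-up values."""
import struct

ETH_P_IP, IPPROTO_UDP, DNS_PORT = 0x0800, 17, 53

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header. A valid header,
    checksum field included, sums to 0xffff, so this returns 0 for it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off:], following compression pointers (RFC 1035
    4.1.4); returns the name and the offset just past it in the message."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3fff
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def build_dns_query(src_mac, dst_mac, src_ip, dst_ip, src_port, qname,
                    txid=0x1a2b, ident=0x1c46, ttl=64):
    """Standard query for an A record, wrapped in UDP, IPv4 and Ethernet II."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    dns += encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", src_port, DNS_PORT, 8 + len(dns), 0) + dns  # UDP csum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, ttl,
                     IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]         # fill checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + ip + udp

def dissect(frame):
    """One dict per layer present, stopping at the first protocol this
    dissector does not understand (for ARP that is right after Ethernet)."""
    layers = {"ethernet": {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
                           "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["ethernet"]["type"] != ETH_P_IP:
        return layers
    ip = frame[14:]
    vihl, _tos, total, ident, _frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0f) * 4
    layers["ip"] = {"version": vihl >> 4, "src": ip_str(src), "dst": ip_str(dst),
                    "id": ident, "ttl": ttl, "protocol": proto, "checksum": csum,
                    "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != IPPROTO_UDP:
        return layers
    udp = ip[ihl:total]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    layers["udp"] = {"src_port": sport, "dst_port": dport, "length": ulen}
    if DNS_PORT not in (sport, dport):
        return layers
    dns = udp[8:ulen]
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = decode_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    layers["dns"] = {"id": txid, "response": bool(flags & 0x8000), "questions": qd,
                     "qname": qname, "qtype": qtype, "qclass": qclass}
    return layers
```

Running dissect on build_dns_query("00:19:d1:07:9b:18", "00:11:f5:88:cd:24", "192.168.1.3", "192.168.1.1", 4348, "www.effetech.com") yields the same four-layer breakdown as Figures 3 and 4 (version 4, 192.168.1.3 to 192.168.1.1, UDP 4348 to 53, query for www.effetech.com) with checksum_ok True; flipping any byte of the IPv4 header makes checksum_ok False, which is the "Header checksum: incorrect" warning Wireshark shows on damaged or offloaded-checksum captures.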
Exercise: Install Wireshark on your PC and sniff for a few seconds, then analyze four different packets. For example, if you capture an ARP request, show that this packet carries data only in the lower three layers, give the source and destination IP and MAC addresses, and note anything else important that identifies the captured packet.