Sniffing
Michael Sonntag
Institute for Information Processing and Microprocessor Technology (FIM)
Johannes Kepler University Linz, Austria
sonntag@fim.uni-linz.ac.at
What is a "Sniffer"?
- Devices or programs which capture or copy data packets
  - Theory: a "receive-only" device
  - Practice: most software also sends, e.g. DNS lookups to resolve IP addresses
- The "sniffed" packets are then analyzed later on (= packet analysis)
  - I.e. you don't see (only) a bit/byte stream, but a TCP packet or an HTTP stream
- These are also called wiretap programs
  - In "old" times this was done for phones by attaching wires to the telephone lines
- Why would you use them?
  - Professional products: network management, finding problems, ...
    Will copy everything and can filter according to various expressions
  - Underground products: intrusions, hacking
    Will automatically filter out passwords
Sniffing, 2012
Threats to network traffic: Interruption
- Normal flow: the normal process of transmitting data from the information source to the information destination
- Interruption: the flow is cut off, nothing reaches the destination
  - E.g. failure of a switch/router, Denial of Service attack, ...
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Fabrication
- Normal flow: the normal process of transmitting data from the information source to the information destination
- Fabrication: an attacker injects packets of his own towards the destination
  - E.g. packet construction with a different source address than it should actually have
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Interception
- Normal flow: the normal process of transmitting data from the information source to the information destination
- Interception: a third party reads a copy of the data in transit; the flow itself is undisturbed
  - E.g. packet sniffer
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Modification
- Normal flow: the normal process of transmitting data from the information source to the information destination
- Modification: the data is altered on its way to the destination
  - E.g. content scanner, proxy
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Protocol analysis
Definitions:
- Protocol analysis is the process of capturing network traffic (with sniffing programs) and looking at it closely in order to figure out what is going on. [Graham_Sniff_2000]
- A protocol analyzer interprets the sniffed packets and decodes their fields (according to the protocols)
  - Renders interpreting the result of sniffing much easier (or even possible)!
Sniffer example: Wireshark
[Screenshot: Wireshark main window]
- Top pane: sniffed, copied and analyzed traffic (packet list)
- Middle pane: decoded single packet (on the different protocol levels)
- Bottom pane: full binary view of the single packet
Areas of use
- Automatic sifting of the traffic for cleartext passwords and usernames
- Copying the communication between certain entities (if in readable format)
  - Normally: persons. But may also be devices or programs
  - E.g. reverse engineering of protocols
- Error analysis to discover/analyze/solve network problems
  - E.g. too frequent topology changes (TCs) with STP (Spanning Tree Protocol)
- Performance analysis for locating bottlenecks
- Network Intrusion Detection to discover hacks/intruders
- Network traffic logging to generate logs a hacker cannot modify or delete
  - On a system with a read-only connection to the network; but: can the logger still be crashed (Ping of Death)?
Classification of sniffers
- Breadth of functionality
  - Universal sniffers (all / many protocols)
  - Protocol-specific sniffers (e.g. only IP, only FTP / WWW / ...)
- Depth of functionality
  - How detailed the data/packets are analyzed
  - Integrated specific functions, e.g. password sniffing
- Area of use
  - Standalone
  - Distributed (with central management/reporting/analysis system) or remote
- Detection/evasion measures
  - MAC filter in the sniffer software, ...
Broadcast networks
- Intranets / LANs are often broadcast networks
  - Because they employ Ethernet
- Broadcast means that every sender pushes its data into the network and hopes (relies on it) that only the intended recipient will read it
- Ethernet is a shared medium, i.e. from a logical view all clients are connected to a single medium (cable)
  - Ethernet is based on collision detection (CSMA/CD)
  - All segments connected by a hub build a SINGLE collision domain
- "But we use switches"
  - This is good, but doesn't prevent problems
  - You can still attack the switch so it acts like a hub (or other attacks)
Anatomy of an Ethernet frame
Field (size in bytes):
  Preamble (incl. Start Frame Delimiter)    8
  Destination address                       6
  Source address                            6
  Type/Length                               2
  Data (LLC/SNAP header, payload)           46-1500
  FCS                                       4
- Preamble: synchronization of clocks; also includes the "Start Frame Delimiter"
- Destination and source address are hardware addresses (= MAC addresses)
  - Example: 00-60-08-2C-C3-FE
- EtherType or length: indicates which protocol is encapsulated within (a length value means an LLC/SNAP header follows; a VLAN tag inserts 4 extra bytes before the real EtherType)
  - Note: many NICs strip the VLAN tag, so you can't see it; this depends also on the driver!
- Payload data
- FCS (Frame Check Sequence): CRC-32 for error checking
MAC addresses (1)
- MAC = Media Access Control
- 48-bit Ethernet MAC address
  - The first bit (the one transmitted first, i.e. the least significant bit of the first byte) marks unicast addresses (0) or multicast addresses (1)
  - If the second bit is 0, the next 22 bits identify the producer as OUI (= Organizationally Unique Identifier), who then manages the remaining 24 bits himself
- The uniqueness of these MAC addresses is essential for correct working in a LAN!
  - Note: outside of a LAN duplicates may exist, but can again produce problems
  - Many identifiers are created based on the assumption of MAC addresses being worldwide unique, e.g. GUIDs
- List of vendor / OUI codes: http://standards.ieee.org/develop/regauth/oui/
- Special (destination) MAC address:
  - Broadcast: FF-FF-FF-FF-FF-FF
MAC addresses (2)
- Identify your own MAC address:
  - Windows >= XP: ipconfig /all or netsh
  - Unix/Linux: ifconfig (or ip link)
- List the IP addresses in the local net which you are currently communicating with (via IP): arp -a
  - Note: "other" addresses might appear too, which "nearby" computers communicate with
- On switches and routers, e.g.: hp# show arp, hp# show mac
- MAC addresses should be unique, but with most modern hardware spoofing is possible quite easily
  - You cannot rely on them to be correct
  - Changes through software or by re-burning the EEPROM
Filtering in the protocol stack
- Each layer of the protocol stack filters out that part of the traffic not destined for this system
- Aim: get rid of unnecessary traffic as early as possible
- Goal: reduce the amount of work necessary
[Figure: protocol stack, each lower layer can discard]
  Application / Presentation / Session
  UDP/TCP (Transport)     -> discard
  IP (Network)            -> discard
  NIC driver (Data Link)  -> discard
  NIC (Physical)          -> discard
How can a sniffer just "listen in"?
- The Ethernet hardware contains a filter which normally drops any traffic not directed to this device (and not a broadcast): the MAC filter
- Promiscuous mode
  - The sniffer switches the hardware (network device) to promiscuous mode
  - This turns off the MAC filter and consequently all of the traffic is delivered to the upper layers and is potentially available (if not filtered there!)
  - If this is a shared medium, this is the complete traffic within a collision domain!
  - Note: the load will be much higher, as every packet must be handled!
- "But shared media don't exist any more"
  - Wrong: WLAN is a typical example!
Promiscuous mode
[Figure: NIC with MAC filter passes only filtered traffic up and discards the rest; NIC in promiscuous mode passes all traffic up and discards nothing]
- During normal operation the NIC drops (discards) traffic not for this system, based on MAC addresses
- In promiscuous mode this filter is switched off
  - All traffic will be passed on (up) and nothing is discarded
Components of a sniffer
- Hardware
- Capture driver (puts the NIC into promiscuous mode)
- Buffer
- Realtime analysis
- Decode
- Additional functionality:
  - Packet editing
  - (Re-)Transmission
- Specialty: don't send anything
[Figure: the capture driver taps the stack at the Physical/Data Link layers, below Network, Transport, Session, Presentation and Application]
Basic structure of a sniffer
[Figure: data flow through a sniffer]
  NIC (promiscuous mode)
  -> Network driver + capture driver
  -> Capture filter
  -> Capture buffer (realtime analysis works on the buffered packets)
  -> Packet decoder
  -> Display filter
  -> Display
- Border for distributed sniffing: capture on the remote probe, decoding and display on the central system
Places to sniff (1)
A hacker has the following options to listen in on the communication between two clients:
- Passive methods
  - The attacker must only "plug in" the sniffer and can immediately access all data
  - If you are one of the clients, this is always possible
    - Useless? No! Software might hide a lot of details which you might be interested in!
- Active methods
  - The attacker must actively do something because of the network architecture
    - E.g. switches; these do not broadcast all traffic
  - Disadvantage: he produces traffic, and this might be noticed!
- Local versus distributed sniffing
Places to sniff (2)
[Figure: Client - Intranet (L-1) - ISP router (L-3) - Internet - (L-3) - (L-2) Intranet - Client]
- Passive: sniff on the client; sniff in the LAN (hub); sniff at the ISP
- Active: route redirection (in the LAN and on the Internet path)
Sniffing in WLANs
- WLAN = Wireless LAN
- Danger: circumvention of the firewall
  - Just sniff from "outside" (e.g. the building)
  - Signal distance: approx. 100-300 m
  - But: with special antennas (e.g. parabolic antennas) reception from even longer distances becomes possible
- Countermeasures:
  - MAC filtering: only allowing the "known good" MAC addresses to connect
    - Why is this deficient on several levels? Think!
  - Encryption
    - Old: WEP = Wired Equivalent Privacy
    - IPsec: not integrated (manually possible; very good)!
    - Newer standards: 802.11i with WPA2 (TKIP, AES/CCMP, 802.1X, ...)
Defending against sniffers
- Encryption (SSL/TLS, VPNs, PGP, SSH, ...)
- Do not use broadcast networks, especially not WLANs
- Physical security for wires and equipment (switches)
  - To prevent hardware manipulation
- Making the collision domains smaller
  - Splitting on layer 2: switches for the local network
    - Will only help against "amateur hackers"
    - Several attacks are still possible, e.g. ARP spoofing or flooding the switch's MAC table so it will behave like a hub
    - VLANs help, but it depends on how the switch determines the port-to-VLAN assignment
  - Splitting on layer 3: using routers
    - And potentially also firewalls
Detecting sniffers
- Theoretically (solely passive sniffers) impossible, but
- Practically very often possible, because:
  - Sniffers cause traffic
    - Distributed/remote sniffers communicate with each other / with the server
      - And these are the ones hackers will use when installing them remotely
    - They use active methods (ARP spoofing, ...)
    - They perform reverse DNS lookups
  - Sniffer detectors employ active methods (decoys, ...)
  - Sniffers still suffer from bugs or peculiarities of their network stack
- The best method to detect sniffers is to use a sniffer!
  - Ping method, ARP method, DNS method, ...
- Note: local sniffers (on the same computer) can typically be detected easily!
Detecting sniffers: example setup
- Sending special traffic to the network where sniffing is suspected
- Computers sniffing are hopefully acting differently than all other computers
[Figure: LAN segment L-1 with three hosts: 192.168.0.1 (host running sniffer detection), 192.168.0.2 (suspected of sniffing), 192.168.0.3 (victim)]
Detection: Ping method
- Assumption: a client with the IP 192.168.0.2 and MAC 00-60-08-2C-C4-FE is under suspicion of employing a sniffer
  - We are on the same Ethernet segment
- We construct a special ping packet (ICMP Echo Request) with the following data:
  - IP: 192.168.0.2
  - A slightly modified MAC: 00-60-08-2C-C4-FD
- Theoretically nobody should answer this ping, as the MAC address in it does not exist
- But a client in promiscuous mode looks at the packet and will (often) answer it
  - Why? Not filtered based on MAC (-> sniffing!), and the IP address is correct -> answer
Detection: DNS method
- Create a packet with both a non-existing MAC and a non-existing IP address
- Send it out on the network where a sniffer is suspected to be running
- Any "normal" computer will ignore it, as it is not for it (-> wrong MAC)
  - The network should remain completely "silent"
- But a sniffer will inspect the packet and, hopefully, try to resolve the IP address in it to its hostname
  - This DNS request is noted and shows that a sniffer exists (and who it is)
- Disadvantage: will only work if the sniffer "cooperates", i.e. resolves IP addresses/names
  - If it is completely passive, i.e. really only listening, this won't work!
Detection: ARP test
- Prerequisite: in the same Ethernet segment (local network)
- Prepare an ARP request
  - (Almost) all systems react on receiving an ARP request
- Modify the destination of the ARP request in the layer 2 frame
  - Instead of the broadcast address FF-FF-FF-FF-FF-FF use e.g. FF-FF-FF-FF-FF-FE
- If a computer answers, the NIC is probably in promiscuous mode
  - This doesn't necessarily mean that a sniffer is present, but it is very likely!
  - Normal computers would not answer, as they only check for their own MAC address and the "real" broadcast address (all FFs)
- Other option: send to FF-00-00-00-00-00
  - Standard Windows NIC drivers (at least older ones) inspect only the first byte to find out whether a packet is a broadcast or not
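Added example (not part of the slides) covering the ping, DNS and ARP methods of the last three slides: a Python simulation of the NIC/driver MAC filter from the "Promiscuous mode" slide, and of how a normal host, a promiscuous host that resolves names, a purely passive sniffer and a host with the "first byte only" broadcast check of older drivers react to each probe. Hosts, addresses and probe frames are constructed for the example; nothing is sent on a real network, and the driver behaviours are modelled as the slides describe them, not taken from any particular product.

```python
"""Sniffer detection probes against a simulated NIC MAC filter (added example, constructed hosts)."""
from dataclasses import dataclass, field

BROADCAST = bytes([0xFF] * 6)


def parse_mac(text: str) -> bytes:
    """'00-60-08-2C-C4-FE' or '00:60:08:2c:c4:fe' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


@dataclass
class Host:
    name: str
    mac: bytes
    ip: str
    promiscuous: bool = False       # sniffer switched the MAC filter off
    driver: str = "strict"          # "firstbyte": older Windows drivers per the slide
    resolves_names: bool = False    # sniffer software doing reverse DNS lookups
    multicast_groups: set = field(default_factory=set)

    def nic_accepts(self, dst_mac: bytes) -> bool:
        """The hardware/driver MAC filter: does the frame reach the IP stack at all?"""
        if self.promiscuous:
            return True                                  # filter off: everything goes up
        if dst_mac == self.mac or dst_mac == BROADCAST:
            return True
        if self.driver == "firstbyte":
            return dst_mac[0] == 0xFF                    # sloppy broadcast check: FF-xx-xx-xx-xx-xx passes
        # strict: multicast only if the I/G bit is set AND the group was joined
        return bool(dst_mac[0] & 0x01) and dst_mac in self.multicast_groups

    def react(self, probe: dict) -> list:
        """Events a detector could observe on the wire for one probe frame."""
        events = []
        if not self.nic_accepts(probe["dst_mac"]):
            return events                                # dropped in hardware, upper layers never see it
        if self.resolves_names and "src_ip" in probe:
            events.append("dns-lookup:" + probe["src_ip"])   # DNS method
        if probe["kind"] == "icmp-echo" and probe["dst_ip"] == self.ip:
            events.append("echo-reply")                      # ping method: IP layer never checks the MAC
        if probe["kind"] == "arp-request" and probe["target_ip"] == self.ip:
            events.append("arp-reply")                       # ARP method
        return events


def detection_probes(target: Host, detector_ip: str = "192.168.0.1") -> dict:
    """The probes from the slides, keyed by name. All addresses are constructed."""
    slightly_wrong = target.mac[:-1] + bytes([target.mac[-1] ^ 0x01])   # e.g. ...-C4-FE -> ...-C4-FF
    return {
        # ping method: correct IP, MAC that exists nowhere on the segment
        "ping": {"kind": "icmp-echo", "dst_mac": slightly_wrong,
                 "dst_ip": target.ip, "src_ip": detector_ip},
        # DNS method: bogus MAC and bogus IP; watch DNS for a lookup of the bogus source
        "dns": {"kind": "icmp-echo", "dst_mac": parse_mac("02-00-00-00-00-01"),
                "dst_ip": "192.168.0.250", "src_ip": "10.99.99.99"},
        # ARP method: almost-broadcast destinations
        "arp-fffe": {"kind": "arp-request", "dst_mac": parse_mac("FF-FF-FF-FF-FF-FE"),
                     "target_ip": target.ip, "src_ip": detector_ip},
        "arp-ff00": {"kind": "arp-request", "dst_mac": parse_mac("FF-00-00-00-00-00"),
                     "target_ip": target.ip, "src_ip": detector_ip},
    }


def run_detection(target: Host) -> dict:
    """Map probe name -> observed events; an empty dict means the host looks clean."""
    results = {}
    for name, probe in detection_probes(target).items():
        events = target.react(probe)
        if events:
            results[name] = events
    return results


if __name__ == "__main__":
    suspect_mac = parse_mac("00-60-08-2C-C4-FE")
    for host in (Host("normal", suspect_mac, "192.168.0.2"),
                 Host("sniffer", suspect_mac, "192.168.0.2", promiscuous=True, resolves_names=True),
                 Host("passive", suspect_mac, "192.168.0.2", promiscuous=True),
                 Host("old-win", suspect_mac, "192.168.0.2", driver="firstbyte")):
        print(host.name, run_detection(host))
```

Note what the simulation makes explicit: the "old-win" host answers the ARP probes without running any sniffer (the slide's caveat that a positive ARP test is likely, not proof), and the purely passive sniffer never triggers the DNS probe but still answers the ping, because it is the IP stack, not the sniffer, that replies.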
But what to do in these cases?
- Dedicated wiretap hardware
- Switch with mirroring functionality ("monitoring port", etc.)
- There is no protocol bound to the sniffing interface
  - There will be no reaction at all to ARPs, pings, ...!
  - Better method required!
Detecting sniffers: AntiSniff
[Screenshot: AntiSniff result: no sniffer active]
http://packetstormsecurity.org/sniffers/antisniff/
Detecting sniffers: AntiSniff
[Screenshot: AntiSniff result: sniffer seems to be running! ARP test is positive]
http://packetstormsecurity.org/sniffers/antisniff/
"Endangered species (protocols)"
- You cannot say it too often: all these protocols transmit passwords (or important data) unencrypted!
  - Telnet, rlogin
  - HTTP (without TLS/SSL)
  - SNMP (community strings = passwords), DNS (unsecured data, very important for attackers)
  - SMTP, POP, IMAP
  - NNTP, FTP
- For most of these protocols secure alternatives already exist (TLS for HTTP, POP, IMAP and SMTP; PGP for the mail content; SSH instead of Telnet/rlogin; ...)
  - But you have to use them!
- Also: "External = HTTPS, Internal = HTTP". Is this a good policy?
  - An attacker might have a sniffer on the inside too
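Added example (not from the slides) for the "automatic sifting for cleartext passwords" use from the "Areas of use" slide and the protocols listed above: a Python credential sifter run over reassembled client-to-server TCP payloads. The payloads are constructed sample data, not captured traffic; the sifter handles FTP/POP3 USER and PASS (two separate commands that must be paired), IMAP LOGIN, HTTP Basic authentication and SMTP AUTH PLAIN, and shows that the base64 in the last two is encoding, not protection. The TLS sample demonstrates what the sniffer sees when the secure alternative is actually used.

```python
"""Cleartext credential sifter over constructed TCP payloads (added example)."""
import base64
import re

# (server port, client->server payload). Constructed for this example, not captured.
SAMPLES = [
    (21, b"USER alice\r\nPASS s3cret\r\nSYST\r\n"),
    (110, b"USER bob@example.org\r\nPASS hunter2\r\nSTAT\r\n"),
    (143, b"a001 LOGIN dave letmein2\r\na002 SELECT INBOX\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    (25, b"EHLO mail\r\nAUTH PLAIN AGNhcm9sAGxldG1laW4=\r\nMAIL FROM:<carol@example.org>\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # start of a TLS ClientHello: opaque
]

USER_RE = re.compile(r"USER (\S+)$", re.I)
PASS_RE = re.compile(r"PASS (\S+)$", re.I)
IMAP_LOGIN_RE = re.compile(r"\S+ LOGIN (\S+) (\S+)$", re.I)
BASIC_RE = re.compile(r"Authorization: Basic (\S+)$", re.I)
AUTH_PLAIN_RE = re.compile(r"AUTH PLAIN (\S+)$", re.I)


def sift(port: int, payload: bytes) -> list:
    """Return (protocol, username, password) tuples found in one client->server stream."""
    found = []
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return found                              # binary or encrypted: nothing readable
    pending_user = None                           # FTP/POP3 send USER and PASS as separate commands
    for line in lines:
        if port in (21, 110):
            m = USER_RE.match(line)
            if m:
                pending_user = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and pending_user:
                found.append(("ftp" if port == 21 else "pop3", pending_user, m.group(1)))
                pending_user = None
        elif port == 143:
            m = IMAP_LOGIN_RE.match(line)
            if m:
                found.append(("imap", m.group(1), m.group(2)))
        elif port == 80:
            m = BASIC_RE.match(line)
            if m:                                 # Basic auth = base64("user:password"), no secrecy
                user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
                found.append(("http-basic", user, pw))
        elif port == 25:
            m = AUTH_PLAIN_RE.match(line)
            if m:                                 # SASL PLAIN = base64(authzid NUL authcid NUL password)
                parts = base64.b64decode(m.group(1)).split(b"\x00")
                if len(parts) == 3:
                    found.append(("smtp-plain",
                                  parts[1].decode("utf-8", "replace"),
                                  parts[2].decode("utf-8", "replace")))
    return found


def harvest(samples) -> list:
    """Run the sifter over every stream; this is the 'underground product' feature from slide 2."""
    creds = []
    for port, payload in samples:
        creds.extend(sift(port, payload))
    return creds


if __name__ == "__main__":
    for proto, user, pw in harvest(SAMPLES):
        print(f"{proto:10s} {user}:{pw}")
```

On a real capture the same logic sits behind a TCP stream reassembler; the point of the example is how little work the "sifting" step needs once the protocol is cleartext, and that the TLS stream yields nothing.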
Summary
- Sniffing = interception = listening is a very dangerous technique
  - You can get a lot of information without having to hack a computer
  - Most of the techniques will not show up in any logs
- Therefore the following aspects are important:
  - Encryption is important against sniffing
    - Perhaps even locally: try to use secure protocols also within your local network!
  - Purely passive sniffing alone is very difficult (on switched networks), unless extended by active techniques
    - If someone can tamper with your glass fibre cables, you're out of luck anyway!
  - Investigate your equipment: switches often support various forms of protection
    - Port lockdown, static MAC assignments (-> management issues!), DHCP snooping, ...
  - Partition your network: routers, VLANs, ...
Thank you for your attention!
Michael Sonntag
Institute for Information Processing and Microprocessor Technology (FIM)
Johannes Kepler University Linz, Austria
sonntag@fim.uni-linz.ac.at