
Detection of network sniffers

Overview

A packet sniffer is a program or device that eavesdrops on network traffic and collects packet data. Sometimes this eavesdropping is carried out by the network administrator for beneficial purposes (such as intrusion detection, performance analysis, etc.). On the other hand, malicious intruders can install packet sniffers to retrieve clear-text local network usernames and passwords or other vital information transmitted over the network. Vulnerable protocols (with clear-text passwords) include telnet, pop3, imap, ftp, smtp-auth, and nntp. Sniffers work because Ethernet was designed to be shared. Most networks use broadcast technology: messages from one computer can be read by another computer on that network. In practice, computers ignore messages except those that were sent directly to them (or broadcast to all hosts on the network). However, a computer can be put into promiscuous mode and made to accept messages even if they are not intended for it; this is how a sniffer works.

People assume that computers attached to a switch are safe from sniffing, but that’s actually not the case. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a sniffer works

A computer connected to a LAN has two addresses. One is the MAC address, which uniquely identifies each node on a network and is stored on the network card; the Ethernet protocol uses the MAC address when building frames to transfer data. The other is the IP address, which is used by the applications. The data link layer (layer 2 of the OSI model) uses an Ethernet header with the MAC address of the destination machine. The network layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to MAC addresses as required by the data link protocol. Layer 3 first tries to look up the MAC address of the destination machine in a table called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address replies to the source machine with its MAC address. This MAC address is then added to the ARP cache of the source machine and used by the source machine in all of its communications with the destination machine.

There are two basic types of Ethernet environments: shared and switched. In a shared Ethernet environment, all hosts are connected to the same bus and compete with each other for bandwidth. In such an environment, packets destined for one machine are received by all other machines. All computers on the shared Ethernet network compare the destination MAC address of the frame with their own. If the two do not match, the frame is silently discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all traffic on the network. Sniffing in a shared Ethernet environment is passive and therefore difficult to detect.

In a switched environment, the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of the MAC address of each computer and the physical port on the switch to which that MAC address is connected. The switch is a smart device that forwards frames only to the port of the destination computer. As a result, simply putting a machine in promiscuous mode to collect packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed.

Although a switch is more secure than a hub, the following methods can be used to sniff on a switched network:

ARP spoofing — ARP is stateless, i.e., a host can send an ARP reply even if none has been requested, and the reply will be accepted. For example, one technique is to ARP-spoof the network gateway. The target host’s ARP cache will then have an incorrect entry for the gateway and is said to be poisoned. From this moment on, all traffic destined for the gateway will go through the sniffer machine. Another trick is to poison a host’s ARP cache by setting the gateway’s MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).

MAC flooding — Switches maintain a translation table that maps MAC addresses to physical ports on the switch. This allows them to forward frames only to the port of the intended host. The switch has a limited amount of memory for this table. MAC flooding exploits this limitation by bombarding the switch with bogus MAC addresses until the table can’t keep up. The switch then enters what is known as “fail-open mode,” at which point it begins to act as a hub by broadcasting frames to all machines on the network. Once that happens, sniffing can be done easily.

Sniffer detection

A sniffer is typically passive, just collecting data, and is especially difficult to detect when running in a shared Ethernet environment. However, it is easy to detect a sniffer when it is installed on a switched network. When installed on a computer, a sniffer generates a small amount of traffic, which allows it to be detected using the following types of techniques:

ping method — a ping request is sent to the IP address of the suspect machine but not to its MAC address. Ideally, no one should see this packet, as every Ethernet adapter will reject it because it doesn’t match its MAC address. But if the suspect machine is running a sniffer, it will respond, since it accepts all packets.
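As an added illustration (not code from the original article), here is the frame layout behind the ping method in Python: an ICMP echo request whose IP destination is the suspect but whose Ethernet destination is a bogus MAC, plus the check that decides whether a captured reply shows the host accepting frames not addressed to it. The addresses and the bogus MAC are hypothetical, and sending or capturing raw frames (which needs a privileged socket) is left out; note that a host that does not reply is not proven clean, since the probe can also be dropped in software.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def icmp_echo(icmp_type: int, ident: int) -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with the checksum filled in."""
    pkt = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1) + b"promisc-probe"
    return pkt[:2] + struct.pack("!H", checksum(pkt)) + pkt[4:]

def ipv4_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying ICMP (protocol 1), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 1, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

BOGUS_MAC = "00:11:22:33:44:55"  # hypothetical: a MAC that no NIC on the LAN owns

def ping_probe(src_mac: str, src_ip: str, suspect_ip: str, ident: int = 0x1234) -> bytes:
    """Echo request whose IP header names the suspect but whose Ethernet header names a
    bogus MAC: a NIC in normal mode drops it, only a promiscuous host passes it up."""
    icmp = icmp_echo(8, ident)
    return (mac_bytes(BOGUS_MAC) + mac_bytes(src_mac) + b"\x08\x00"
            + ipv4_header(src_ip, suspect_ip, len(icmp)) + icmp)

def is_echo_reply_from(frame: bytes, suspect_ip: str, ident: int = 0x1234) -> bool:
    """True if a captured frame is an ICMP echo reply from the suspect carrying our ident."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or frame[26:30] != ip_bytes(suspect_ip):
        return False
    icmp = frame[14 + ihl:]
    return icmp[0] == 0 and struct.unpack("!H", icmp[4:6])[0] == ident

def promiscuous_verdict(captured: list, suspect_ip: str, ident: int = 0x1234) -> bool:
    """A reply to a frame not addressed to the suspect's MAC means it accepts all frames."""
    return any(is_echo_reply_from(f, suspect_ip, ident) for f in captured)
```

The `ident` field ties replies to this probe so that unrelated echo replies from the suspect are not counted.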

ARP method — this method is based on the fact that all machines cache ARP replies (i.e., IP-to-MAC mappings). Here, we send a non-broadcast ARP so that only machines in promiscuous mode will cache our address. We then send a broadcast ping packet with our IP but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

on the local host — if a machine has been compromised, an attacker may have left a sniffer running. There are utilities that can be run to report whether the local machine’s network adapter has been set to promiscuous mode.

latency method — based on the assumption that most sniffers perform some type of analysis, which increases the load on that machine, so it will take longer to respond to a ping packet. This difference in response times can be used as an indicator of whether or not a machine is in promiscuous mode.

ARP watch — to prevent an ARP spoofer from impersonating the gateway, there are utilities that can be used to monitor a machine’s ARP cache and check whether any IP address is mapped to more than one MAC address or its mapping changes unexpectedly.
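The following is an added example, not a tool from the article: a minimal ARP-cache watcher in Python that compares two snapshots of `ip neigh show` output and raises the alerts the text describes (a known IP whose MAC changed, one MAC answering for several IPs, and the gateway mapped to the broadcast MAC). The snapshot lines and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: two successive `ip neigh show` snapshots (not real captures).
SNAPSHOTS = [
    ["192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE",
     "192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE"],
    ["192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:99 REACHABLE",   # gateway MAC changed
     "192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE",
     "192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:99 REACHABLE",  # same MAC as "gateway"
     "192.168.1.40 dev eth0 FAILED"],                             # no lladdr: skipped
]

def parse_neigh(lines):
    """Map IP -> MAC from `ip neigh show` lines; entries without an lladdr are skipped."""
    table = {}
    for line in lines:
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_alerts(previous, current, gateway_ip):
    """Compare two ARP-cache snapshots and report the signs of poisoning the text describes:
    a changed MAC for a known IP, one MAC answering for several IPs, gateway -> broadcast."""
    alerts = []
    for ip_addr, mac in current.items():
        old = previous.get(ip_addr)
        if old and old != mac:
            alerts.append(f"MAC changed for {ip_addr}: {old} -> {mac}")
    by_mac = defaultdict(list)
    for ip_addr, mac in current.items():
        by_mac[mac].append(ip_addr)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # a legitimately multi-homed host also trips this; treat as a lead
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    if current.get(gateway_ip) == "ff:ff:ff:ff:ff:ff":
        alerts.append(f"gateway {gateway_ip} is mapped to the broadcast MAC")
    return alerts

if __name__ == "__main__":
    prev, cur = parse_neigh(SNAPSHOTS[0]), parse_neigh(SNAPSHOTS[1])
    for alert in arp_alerts(prev, cur, "192.168.1.1"):
        print("ALERT:", alert)
```

Run periodically against fresh `ip neigh show` output, the first alert alone is the classic sign of the gateway spoofing described above.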

How to protect against sniffing

The best way to secure a network against sniffing is to use encryption. While this will not prevent the sniffers from working, it will ensure that the data collected by the sniffers cannot be interpreted. Also, in a switched network, ARP spoofing is likely to be used for sniffing purposes. The machine an attacker is most likely to spoof is the default gateway. To prevent this from happening, it is suggested that the gateway’s MAC address be permanently added to each host’s ARP cache as a static entry.

Additional suggestions include:

· Use SSH instead of telnet.

· Use HTTPS instead of HTTP (if the site supports it).

· If you’re concerned about email privacy, try a service like Hushmail (www.hushmail.com), which uses SSL to ensure data isn’t read in transit. Additionally, Pretty Good Privacy (www.gnupg.org) can be used to encrypt and sign emails to prevent others from reading them.

· Use a sniffer detector. For example, the software package PromiScan is considered the standard sniffing-node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application used to remotely monitor computers on local networks and locate network interfaces that are operating in promiscuous mode.
