Sniffers: Basics and Detection

Introduction

A sniffer is a program or a device that eavesdrops on network traffic by grabbing information travelling over a network. Sniffers are, basically, "data interception" technology. They work because Ethernet was built around a principle of sharing: on a shared segment, a frame sent to one computer is physically delivered to every computer on that segment. In normal operation every computer except the one the frame is addressed to ignores it. However, a computer can be made to accept frames that are not meant for it, and this is exactly what a sniffer does!

How A Sniffer Works

A computer connected to a LAN has two addresses. One is the MAC[1] address, which uniquely identifies each node on the network and is stored on the network card itself. It is the MAC address that the Ethernet protocol uses when building `frames' to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer uses an Ethernet header carrying the MAC address of the destination machine rather than its IP address, so before a host can send an IP packet it must map the destination IP address to the MAC address required by the Data Link protocol. It first looks the destination up in a table, usually called the ARP cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (an ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address is then added to the source machine's ARP cache and is used by the source machine in all its subsequent communications with the destination machine. Note that nothing in ARP authenticates the reply: a host believes whatever answer arrives, which is what the ARP spoofing technique described below relies on.

There are two basic types of Ethernet environments, and sniffers work slightly differently in each.

*      Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus (typically through a hub) and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus wants to talk to Cupid in such an environment, it sends a frame on the network with the destination MAC address of Cupid along with its own source MAC address. All the computers on the shared Ethernet compare the frame's destination MAC address with their own. If the two don't match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared Ethernet environment is totally passive (the sniffer need not send a single frame) and hence extremely difficult to detect.

*      Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table that maps each computer's MAC address to the physical port on the switch to which that MAC address is connected, and delivers frames destined for a particular machine to that port only. Unlike a hub, the switch does not repeat a unicast frame to all the machines on the network (it still floods broadcasts and frames for MAC addresses it has not yet learned, but ordinary traffic between two other hosts never reaches the sniffer's port). As a result, the process followed earlier, of putting the machine into promiscuous mode to gather packets, does not work on its own. Because of this, even many experienced systems administrators fall into the belief that switched networks are secure and cannot be sniffed. Though a switch is more secure than a hub, you can use the following methods to sniff on a switch:

*      ARP Spoofing: The arpspoof utility (part of the dsniff package listed below) sends forged ARP replies to the target, claiming that the gateway's IP address lives at our MAC address:

[root@tachyon dhar]# arpspoof -t 203.199.66.243 203.199.66.193
0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply \
               203.199.66.193 is-at 0:80:ad:7c:7:3a
0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply \
               203.199.66.193 is-at 0:80:ad:7c:7:3a

The -t flag specifies the target whose ARP cache we wish to poison, and the other argument is the IP address of the gateway we wish to impersonate. From now on all the data the target machine sends to the gateway passes through our machine, where it can be read before being forwarded on. Before you do this, it is essential to turn on IP forwarding on your machine. You can do this by giving the command:

[root@tachyon dhar]# echo 1 > /proc/sys/net/ipv4/ip_forward 
[root@tachyon dhar]# cat /proc/sys/net/ipv4/ip_forward
1
[root@tachyon dhar]#

If the cat command returns 1, IP forwarding has been enabled; if it returns 0, it has not (sysctl -w net.ipv4.ip_forward=1 does the same thing). It is important to enable IP forwarding, because otherwise every packet the target sends towards the gateway is silently dropped at our machine: the target loses its connectivity, which is a denial of service and a quick way to get noticed.

*      MAC Flooding: The macof utility (also from dsniff) floods the switch with frames carrying random source MAC addresses. The switch's MAC-to-port table has a fixed size; once it is full of bogus entries the switch can no longer keep track of the real hosts, and many switches then fall back to sending frames for unknown destinations out of every port, behaving like a hub. A sniffer in promiscuous mode on any port then sees the traffic again:

[root@tachyon dhar]# macof
77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 0.0.0.0.45702 > \
                0.0.0.0.11000: S 1847390231:1847390231(0) win 512
84:a4:d3:57:ef:8 12:56:52:42:dc:95 0.0.0.0.16630 >  \
                0.0.0.0.3031: S 1484147693:1484147693(0) win 512
88:f0:9:3f:18:89 d:86:53:53:d7:f8 0.0.0.0.15535 > \
                0.0.0.0.7466: S 293820390:293820390(0) win 512

Warning: This method degrades network service for everyone on the switch (the switch is being overloaded and is flooding every frame) and should not be run for a long interval of time.
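To make the difference between the shared and the switched case concrete, here is an added example (my own toy model, not code from the article or from dsniff) of a network card's destination-MAC filter and of a learning switch with a bounded MAC-to-port table. Host names, port numbers, the attacker's MAC and the table size are made up; the venus/cupid MACs are the ones that appear in the article's tcpdump output. It shows that promiscuous mode alone does not let a third port see unicast traffic, and that filling the table with random addresses, as macof does, makes the switch flood that traffic to the sniffer's port.

```python
"""Toy model of a NIC's address filter and of a learning switch whose
CAM table can be overflowed (constructed example, not the article's code)."""
from collections import OrderedDict, namedtuple
import random

Frame = namedtuple("Frame", "src dst payload")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def random_mac():
    """Random locally administered unicast MAC (first octet 0x02), as macof sends."""
    octets = [0x02] + [random.randrange(256) for _ in range(5)]
    return ":".join("%02x" % o for o in octets)


class Nic:
    """In normal mode a card keeps only frames addressed to it or to the
    broadcast address; in promiscuous mode it keeps everything it sees."""
    def __init__(self, mac, promiscuous=False):
        self.mac = mac
        self.promiscuous = promiscuous
        self.captured = []

    def receive(self, frame):
        if self.promiscuous or frame.dst in (self.mac, BROADCAST):
            self.captured.append(frame)
            return True
        return False


class Switch:
    """Learning switch with a bounded CAM table (MAC -> port).
    Simplification: when the table is full, the oldest entry is evicted.
    Real switches evict, stop learning, or rely on ageing, but the effect
    is the same once an attacker keeps the table full of bogus addresses:
    the legitimate entries disappear and their traffic gets flooded."""
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.cam = OrderedDict()

    def learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)          # refresh an existing entry
        elif len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)       # table full: evict the oldest
        self.cam[mac] = port

    def forward(self, frame, in_port):
        """Return the list of ports the frame is sent out of."""
        self.learn(frame.src, in_port)
        out = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # flood
        return [out]


def macof(switch, attacker_port, count):
    """Fill the CAM table with frames from random source MACs, as macof does."""
    for _ in range(count):
        switch.forward(Frame(random_mac(), random_mac(), b""), attacker_port)


def demo():
    venus, cupid = "52:54:05:f3:95:01", "00:80:ad:7c:07:3a"   # ports 1 and 2
    sniffer = Nic("02:00:00:00:00:99", promiscuous=True)       # attacker, port 3
    sw = Switch(ports=[1, 2, 3], cam_capacity=64)

    # Venus and Cupid exchange frames, so the switch learns both ports.
    sw.forward(Frame(venus, cupid, b"hello"), 1)
    sw.forward(Frame(cupid, venus, b"hi"), 2)
    secret = Frame(venus, cupid, b"secret")
    before = sw.forward(secret, 1)          # [2]: unicast, port 3 sees nothing

    macof(sw, attacker_port=3, count=1000)  # overflow the CAM table
    after = sw.forward(secret, 1)           # [2, 3]: flooded, port 3 included

    seen = sniffer.receive(secret) if 3 in after else False
    return before, after, seen


if __name__ == "__main__":
    print(demo())
```

Running demo() returns ([2], [2, 3], True): before the flood the frame goes only to Cupid's port, afterwards it is also delivered to the sniffer's port, and the promiscuous card keeps it. A card in normal mode on port 3 would still discard it, which is why both promiscuous mode and the flooding are needed.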

Detecting Sniffers

A sniffer is usually passive: it just collects data. Hence it becomes extremely difficult to detect sniffers, especially when they run on a shared Ethernet. Even so, a machine with a sniffer installed behaves slightly differently from a clean one, and sometimes generates a small amount of traffic of its own. Here is an overview of the detection methods:

  1. Ping Method: The trick used here is to send a ping (ICMP echo request) to the IP address of the suspect machine, but with a wrong destination MAC address in the Ethernet frame. Normally no host should see this packet, as each Ethernet adapter rejects it because the MAC address does not match its own. But if the suspect machine is running a sniffer, its card is in promiscuous mode and does not bother rejecting frames with a different destination MAC address; the IP stack sees its own IP address and answers. This is an old method and no longer reliable, since many stacks now drop such frames in software.
  2. ARP[2] Method: A machine caches ARP entries. So what we do is send a non-broadcast ARP request (addressed to a bogus MAC) carrying our own IP and MAC address. Only a machine in promiscuous mode sees it and caches our IP/MAC pair. Next we send a broadcast ping packet with our IP but a different source MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. Voila!
  3. On the Local Host: Often, after your machine has been compromised, attackers leave sniffers behind to compromise other machines. On the local machine run ifconfig. On a clean machine the output will be:

           eth0      Link encap:Ethernet  HWaddr 52:54:05:F3:95:01  
                     inet addr:203.199.66.243  Bcast:203.199.  ...
                     UP BROADCAST RUNNING MULTICAST  MTU:1500  ...

But on a machine running a sniffer the output will be like this:

eth0      Link encap:Ethernet  HWaddr 52:54:05:F3:95:01  
          inet addr:203.199.66.243  Bcast:203.199.  ...
          UP BROADCAST RUNNING PROMISC MULTICAST    ...

(Output slightly modified to fit screen.) The PROMISC flag is what to look for; on systems without ifconfig, `ip link show eth0' lists the same flag. Bear in mind that an intruder who has root can replace ifconfig with a version that hides the flag, so check with a binary you trust or from another host.

  4. Latency Method: This method is based on the assumption that most sniffers do some parsing. Very simply put, in this method a huge amount of data is sent on the network and the suspect machine is pinged before and during the data flooding. If the machine is in promiscuous mode, it will parse the data, increasing the load on it. Therefore it will take extra time to respond to the ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not. A point worth noting is that the packets may be delayed simply because of the load on the wire, resulting in false positives.
  5. ARP Watch: As described earlier, one method to sniff on a switched network is to ARP spoof the gateway. The arpwatch utility listens to the ARP traffic on the wire and keeps a database of IP/MAC pairings; when an IP address it knows suddenly shows up with a different MAC address (or keeps flipping between two), it reports the change, which can trigger alarms and lead to detection of the sniffer.
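The following added example (my own code, not the article's, arpspoof's or arpwatch's) ties the ARP description above, the arpspoof output and the ARP Watch method together. It builds and parses Ethernet/ARP frames with struct, models a host that records the sender pair of any reply delivered to it, and runs an arpwatch-style monitor over a constructed stream of frames that ends with the forged reply from the article ("203.199.66.193 is-at 0:80:ad:7c:7:3a", sent to 52:54:5:f3:95:1). The target, gateway and attacker IP addresses and the target/attacker MACs are the article's; the gateway's real MAC is made up.

```python
"""Build/parse ARP frames, poison a modelled host's cache, and detect the
change arpwatch-style (constructed example, not the article's code)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """14-byte Ethernet header + 28-byte ARP body for Ethernet/IPv4: 42 bytes,
    the length tcpdump printed in the article's arpspoof output. Requests go
    to the broadcast MAC, replies to the target's MAC unless told otherwise."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class Host:
    """A host's ARP cache: it records the sender MAC/IP pair of any ARP reply
    delivered to it, with no check that the sender is who it claims to be."""
    def __init__(self, mac, ip):
        self.mac, self.ip, self.cache = mac, ip, {}

    def receive(self, frame):
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY and a["eth_dst"] in (self.mac, BROADCAST):
            self.cache[a["sender_ip"]] = a["sender_mac"]


class ArpWatch:
    """Remembers the first MAC seen for each IP and reports later changes,
    in the spirit of arpwatch's 'changed ethernet address' report."""
    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        ip, mac = a["sender_ip"], a["sender_mac"]
        old = self.table.setdefault(ip, mac)
        if old == mac:
            return None
        self.alerts.append("changed ethernet address %s: was %s now %s" % (ip, old, mac))
        self.table[ip] = mac
        return self.alerts[-1]


def demo():
    target_ip, target_mac = "203.199.66.243", "52:54:05:f3:95:01"
    gw_ip, gw_mac = "203.199.66.193", "00:00:0c:11:22:33"     # gateway MAC is made up
    attacker_mac = "00:80:ad:7c:07:3a"
    target, watch = Host(target_mac, target_ip), ArpWatch()

    wire = [
        # normal resolution: the target asks for the gateway, the gateway answers
        build_arp(ARP_REQUEST, target_mac, target_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, target_mac, target_ip),
        # the forged reply from the article's arpspoof run
        build_arp(ARP_REPLY, attacker_mac, gw_ip, target_mac, target_ip),
    ]
    for frame in wire[:2]:
        target.receive(frame)
        watch.observe(frame)
    before = target.cache[gw_ip]            # the gateway's real MAC
    target.receive(wire[2])
    watch.observe(wire[2])
    return before, target.cache[gw_ip], watch.alerts   # cache now points at the attacker


if __name__ == "__main__":
    print(demo())
```

After the third frame the target's cache maps the gateway's IP to the attacker's MAC, so its traffic for the gateway now goes to the attacker; at the same moment the monitor raises a single "changed ethernet address" alert for 203.199.66.193. Real arpwatch also logs "flip flop" when an address keeps alternating, which is what you see while arpspoof and the real gateway both keep answering.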

Preventing Sniffing

The best way to secure yourself against sniffing is to use encryption. While this won't stop a sniffer from capturing your traffic, it will ensure that what the sniffer reads is unintelligible ciphertext rather than your passwords and data.

Switch to SSH in place of telnet, rlogin and ftp. SSH is fast becoming the de facto standard method of connecting to a Unix/Linux machine. For more information on SSH, check out http://www.ssh.fi. You might also want to check out the open-source implementation OpenSSH at http://www.openssh.org/

Sniffing Tools

Since I have been a Linux man throughout, I will list some of the commonly available sniffers for Linux.

  1. tcpdump: The granddaddy of packet sniffers. Ships by default on many Linux distros!
  2. sniffit: Robust packet sniffer with good filtering.
    Available at: http://sniffit.rug.ac.be/~coder/sniffit/sniffit.html
  3. ethereal: A free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk.
    Available at: http://www.ethereal.com/download.html
  4. hunt: According to Pavel Krauz, the main goal of the HUNT project is to develop a tool for exploiting well-known weaknesses in the TCP/IP protocol suite. Well, I think he comes pretty close to it.
    Available at: ftp://ftp.gncz.cz/pub/linux/hunt/hunt-1.5.tgz
  5. Ettercap: Ettercap is a sniffer specifically designed for switched LANs. It allows you to perform MITM attacks against SSH and SSL. It has password collectors for telnet, ftp, POP, rlogin, ssh1, icq, smb, mysql, http, NNTP, X11, napster, IRC, rip, bgp, socks 5, IMAP 4, VNC, LDAP, NFS etc.
    Available at: http://ettercap.sourceforge.net/
  6. dsniff: I won't say much about dsniff except point you to an article by Kurt Seifried titled ``The End of SSL and SSH''. As Mark Joseph Edwards puts it in an article, ``Dsniff is the Swiss army knife of privacy invasion''. The package ships with a handful of nasties: urlsnarf, msgsnarf, mailsnarf, webspy, dsniff, arpspoof, macof etc.
    Available at: http://monkey.org/~dugsong/dsniff/
  7. LCRZOEX: A network library for administrators that supports spoofing, sniffing, and client and server creation. Over 200 examples are included in the package.
    Available at: http://www.laurentconstantin.com/

Programs to Detect Sniffers

  1. AntiSniff: From L0pht Heavy Industries comes the program AntiSniff. It can monitor a network and detect whether a computer is in promiscuous mode, using probes of the kind described above.
    Get it: http://www.securitysoftwaretech.com/antisniff/download.html
  2. Neped: Detects network cards on the network that are in promiscuous mode by exploiting a flaw in the ARP handling of older Linux kernels (the ARP method above). Outdated.
    Get it: ftp://apostols.org/AposTools/snapshots/neped/neped.c
  3. ARP Watch: arpwatch keeps track of Ethernet/IP address pairings and reports changes. This is useful when you suspect you are being ARP-spoofed.
    Get it: ftp://ftp.ee.lbl.gov/arpwatch.tar.Z

References

  1. Antisniff Technical Details
    http://www.securitysoftwaretech.com/antisniff/tech-paper.html
  2. Robert Graham's Sniffing FAQ
    http://www.robertgraham.com/pubs/sniffing-faq.html
  3. Created by Sumit Dhar
    http://www.rootshell.be/~dhar/index.html


---

Footnotes

[1] MAC: Media Access Control

[2] ARP: Address Resolution Protocol