If authentication was successful, a NULL byte is returned by the server; otherwise, a value of 1 is returned in addition to an error string.

rlogin (Port 513)

The rlogin protocol provides much the same functionality as the Telnet protocol, combined with the authentication mechanism of the rexec protocol, with some exceptions. It supports trust relationships, which are specified via a file called rhosts in the user’s home directory. This file contains a listing of users, and the hosts on which they reside, who are allowed to log in to the specified account without a password. Authentication is performed, instead, by trusting that the user is who the remote rlogin client says he or she is. This authentication mechanism works only among UNIX systems, and is extremely flawed in many ways; therefore, it is not widely used on networks today. If a trust relationship does not exist, user and password information is still transmitted in plaintext over this protocol in a similar fashion to rexec:

■ An ASCII port number, specifying a port for the server to connect to, to send standard error information. This is a port on the client host that will be awaiting this connection. 0 is specified if this is not desired. This string is NULL terminated.
■ A NULL terminated client username, 16 characters long or less.
■ A NULL terminated server username, 16 characters long or less.
■ A NULL terminated string consisting of the terminal type and speed.

The server then returns a 0 byte to indicate it has received these. If authentication via the automatic trust mechanism fails, the connection is then passed onto the login program, at which point a login proceeds as it would have if the user had connected via the Telnet service.

X11 (Port 6000+)

The X11 Window system uses a “magic cookie” to perform authorization against clients attempting to connect to a server. A randomly generated 128-bit cookie is sent by X11 clients when connecting to the X Window server.
By sniffing this cookie, an attacker can use it to connect to the same X Window server. Normally, this cookie is stored in a file named .Xauthority within a user’s home directory. This cookie is passed to the X Window server by the xdm program at logon.

NFS File Handles

The Network File System (NFS) originally created by Sun Microsystems relies on what is known as an NFS file handle to grant access to a particular file or directory offered by a file server. By monitoring the network for NFS file handles, it is possible to obtain this handle, and use it yourself to obtain access to the resource. Unfortunately, the NFS protocol uses ONC-RPC (Open Network Computing-Remote Procedure Call) to perform its operations, which introduces more complexity than a plaintext authentication mechanism. This does not provide more security; however, it makes it difficult to provide example network traffic in this book.

264 Chapter 9 • Sniffing www.syngress.com 95_hack_prod_09 7/13/00 12:05 PM Page 264

The process by which a legitimate NFS client accesses a file system on a server is as follows:

■ The user issues a mount request, attempting to mount a remote file system.
■ The local operating system contacts an RPC service on the remote host called rpc.mountd, passing it the name of the file system it wishes to access.
■ The mountd program performs an access validation check to determine whether the request came from a privileged port on the client host, and whether the client host has been given permission to access the target host.
■ The mountd program sends a reply back to the client, including an NFS file handle that provides access to the root of the file system the user wishes to access.
■ The client program now contacts the NFS daemon (nfsd) on the target host, passes in the file handle, and obtains access to the resource.
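The rlogin connection request described in the rlogin section above, parsed field by field the way a detection engineer would when writing a decoder for cleartext logins. This is an added example, not code from the book; the sample request bytes, the usernames in them and the terminal string are constructed for the example.

```python
"""Parse an rlogin (TCP port 513) connection request as laid out in the text.

Added example, not code from the book. Every field the client sends before
the server's one-byte acknowledgement is plaintext, so anyone able to read the
segment sees both usernames. Sample request bytes are constructed.
"""
from dataclasses import dataclass

MAX_USERNAME = 16  # the text states usernames are 16 characters or less


@dataclass
class RloginRequest:
    stderr_port: int   # client-side port for a stderr connection, 0 if not wanted
    client_user: str   # who the client claims to be (what an rhosts trust relies on)
    server_user: str   # account requested on the server
    terminal: str      # terminal type and speed, e.g. "xterm/38400"


class RloginParseError(ValueError):
    pass


def parse_rlogin_request(payload: bytes) -> RloginRequest:
    """Split the four NUL-terminated fields of an rlogin connection request.

    Malformed input raises instead of being guessed at, which is what a
    decoder fed truncated or hostile payloads should do.
    """
    if not payload.endswith(b"\x00"):
        raise RloginParseError("request does not end with a NUL terminator")
    fields = payload[:-1].split(b"\x00")
    if len(fields) != 4:
        raise RloginParseError(f"expected 4 NUL-terminated fields, got {len(fields)}")
    port_str, client_user, server_user, terminal = (
        f.decode("ascii", "replace") for f in fields)
    if not port_str.isdigit():
        raise RloginParseError(f"stderr port is not numeric: {port_str!r}")
    port = int(port_str)
    if not 0 <= port <= 65535:
        raise RloginParseError(f"stderr port out of range: {port}")
    for label, name in (("client", client_user), ("server", server_user)):
        if len(name) > MAX_USERNAME:
            raise RloginParseError(f"{label} username longer than {MAX_USERNAME} characters")
    return RloginRequest(port, client_user, server_user, terminal)


def interpret_server_reply(first_byte: bytes) -> str:
    """The server answers the request with a single 0 byte to acknowledge it."""
    return "acknowledged" if first_byte == b"\x00" else "unexpected reply"


# Constructed sample: a client claiming to be 'alice' asking for the 'root'
# account from an xterm at 38400 baud, with no separate stderr connection.
SAMPLE_REQUEST = b"0\x00alice\x00root\x00xterm/38400\x00"

if __name__ == "__main__":
    req = parse_rlogin_request(SAMPLE_REQUEST)
    print(f"cleartext on the wire: client user={req.client_user!r} "
          f"server user={req.server_user!r} terminal={req.terminal!r} "
          f"stderr port={req.stderr_port}")
```

The decoder is deliberately strict: a request with fewer than four fields or an over-long username is rejected rather than partially decoded, because a monitoring tool that silently accepts malformed input is easy to blind.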
Windows NT Authentication

Windows operating systems support a number of different authentication types, each progressively more secure than the last. The use of weak Windows NT authentication mechanisms, as explained next, is one of the weakest links in Windows NT security. The authentication types supported are explained here:

■ Plaintext: Passwords are transmitted in the clear over the network.
■ Lan Manager (LM): Uses a weak challenge response mechanism where the server sends a challenge to the client, which it uses to encrypt the user’s password hash and send it back to the server. The server does the same, and compares the result to authenticate the user. The mechanism with which this hash is transformed before transmission is very weak, and the original hash can be sniffed from the network and cracked quite easily. In Windows NT 4, even though a stronger authentication mechanism is available (NTLM), the LM hash was still sent over the network along with the NTLM hash, which lowers the security to the security of the LM mechanism.
■ NT Lan Manager (NTLM) and NT Lan Manager v2 (NTLMv2): NTLM and NTLMv2 provide a much stronger challenge/response mechanism that has made it much more difficult to crack captured authentication requests. NTLMv2 was introduced with the release of Service Pack 4 for Windows NT 4.0. NTLMv2 should be used if possible; however, care must be taken to ensure that your clients can support the protocol. You may need to install additional software on the clients to allow them to use NTLMv2.

The development of these mechanisms occurred in a series of iterative steps, as weaknesses were found in each prior implementation (fortunately, the weaknesses became less significant with each improvement). Specialized sniffers exist that support only the capture of Windows NT authentication information.
A good example is one included with the L0phtCrack program (which is exclusively a Windows NT password cracker). The documentation that comes with L0phtCrack explains in great detail how Windows NT password hashes are created. L0phtCrack can be obtained at www.l0pht.com/l0phtcrack.

Other Network Traffic

Although the ports we just examined are the most common to be sniffed due to cleartext authentication information being passed, they are not the only ones that an attacker may find of interest. A sniffer may be used to capture interesting traffic on other ports as shown in this section.

SMTP (Port 25)

Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail on the Internet and internally in many organizations. E-mail has and always will be an attractive target for an attacker. An attacker’s goal may be to watch the network administrator to determine whether he has been discovered, or much more sinister activity. It is not hard to believe that in today’s competitive business environment, the goal can be to monitor the network for internal company information, such as merger and acquisition data, and partnership information. This can usually all be gleaned by reading e-mail that has been sent over the network. The dsniff sniffer, explained in more detail next, includes a program designed to capture e-mail messages from the network: “mailsnarf outputs e-mail messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail(1), pine(1), etc.).”

HTTP (Port 80)

HyperText Transfer Protocol (HTTP) is used to pass Web traffic. This traffic, usually destined for port 80, is more commonly monitored for statistics and network usage than for its content. While HTTP traffic can contain authentication information and credit card transactions, this type of information is more commonly encrypted via Secure Sockets Layer (SSL).
Commercial products are available to monitor this usage, for organizations that find it acceptable to track their users’ Web usage. The dsniff sniffer also includes a program designed specifically to capture URL requests from the network: “urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all Web servers), suitable for offline post-processing with your favorite Web log analysis tool (analog, wwwstat, etc.).”

Common Implementations

There have been many sniffer programs written throughout the history of network monitoring. We examine a few key programs here. Note that it is not our intention to provide a comprehensive list of sniffers, only some example implementations. We examine both commercial implementations, used for network diagnostics, and implementations written purely for capturing authentication information. More implementations can be found at your nearest security site, such as www.securityfocus.com/.

Network Associates Sniffer Pro

Sniffer Pro is a commercial product, the name itself being a trademark of Network Associates, Inc. The product may very well be where the hacker-derived name originated, as it existed long before targeted password capturing programs were available. The Sniffer Pro product from Network Associates provides an easy-to-use interface for capturing and viewing network traffic. One major benefit of commercial products is that they support a vast range of network protocols, and display the decoded protocol data in a very easy-to-read manner. Sniffer Pro runs in two primary modes: first, it captures network traffic, and second, it decodes and displays it. Figure 9.1 shows Sniffer Pro running in capture mode; network statistics and data are displayed in the dials shown.

Figure 9.1 Sniffer Pro in capture mode.
Once captured, data is decoded and displayed in an easy-to-read fashion. In Figure 9.2, we can see that Sniffer Pro has decoded the HTTP request for us. Inside, we can see some relevant variables being passed, “alias” and “pw.” For this Web application, those are the username and password.

NT Network Monitor

Windows NT server ships with network monitoring software called Network Monitor, or Netmon for short. This version of Netmon only captures traffic entering or leaving the server on which it is installed. However, there is a version of Netmon that captures all traffic. That version is available with Systems Management Server (SMS). Netmon provides some advantages over other commercial network analyzers, in that it has the ability to decode some proprietary Microsoft network traffic, which has no open specifications. A good example of this type of traffic is the many different MS-RPC services that communicate using named pipes over Windows NT networking. While Netmon does not decode all of these MS-RPC services, it does decode a significant portion, which would not otherwise be understood. Network Monitor’s operation is very similar to Sniffer Pro’s, as it provides both a capture (Figure 9.3) and a view (Figure 9.4) mechanism that offer the same functionality.

Figure 9.2 Sniffer Pro displaying captured data.

TCPDump

TCPDump is by far the most popular network diagnostic and analysis tool for UNIX-based operating systems. TCPDump monitors and decodes all IP, TCP, UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol) header data, in addition to some application layer data (mostly network infrastructure protocols). TCPDump was not written as an attacker’s tool, and is not designed to assist an attacker who wishes to monitor the network.
That being said, it does provide a good starting point for anyone intending to write a sniffer, and since its source code is free, it provides interesting reading.

Figure 9.3 Network Monitor in capture mode.

TCPDump can be obtained from www.tcpdump.org. Many modifications have been made to TCPDump in recent years to add support for a wide range of additional protocols.

Figure 9.4 Network Monitor in view mode.

dsniff

Dsniff is one of the most comprehensive sniffers available today. Dsniff is written purely to monitor the network for known authentication information. It does this very well, and has a wide range of functions to decode known protocol types. The current version of dsniff will decode authentication information for the following protocols:

AOL Instant Messenger
Citrix Winframe
CVS (Concurrent Versions System)
File Transfer Protocol (FTP)
HTTP
ICQ
IMAP
Internet Relay Chat (IRC)
Lightweight Directory Access Protocol (LDAP)
RPC mount requests
Napster
NNTP
Oracle SQL*Net
OSPF (Open Shortest Path First)
PC Anywhere
POP
PostgreSQL
Routing Information Protocol (RIP)
Remote Login (rlogin)
Windows NT plaintext
Network Associates Sniffer Pro (remote)
SNMP (Simple Network Management Protocol)
Socks
Telnet
X11
RPC yppasswd

Dsniff also includes utilities to monitor and save HTTP URLs, e-mail, and file transfers occurring on the network. Dsniff, written by Dug Song, is available on his Web site at www.monkey.org/~dugsong/dsniff.

Esniff.c

Esniff is probably one of the first sniffers that surfaced within the hacker underground. Written by a hacker named “rokstar,” it functioned only on Sun Microsystems’ SunOS (now outdated) operating systems. Esniff supports the Telnet, FTP, and rlogin protocols.
It provides basic functionality and does not support as comprehensive a list of protocols as those found in newer sniffers such as dsniff and sniffit. This sniffer was first publicly published in Phrack magazine, which can be obtained from: http://phrack.infonexus.com/search.phtml?view&article=p45-5

Sniffit

Sniffit is another sniffer that has been around for several years. It is available for several operating systems, including Linux, Solaris, SunOS, Irix, and FreeBSD. Sniffit has not been updated in a few years, but I have found it to be quite stable (even though the last release was classified as a beta). Brecht Claerhout, the author of Sniffit, has two versions available on his Web site: 0.3.5 (released in April 1997) and 0.3.7.beta (released in July 1998). I have had no problems compiling and using 0.3.7.beta, but if you encounter problems with 0.3.7.beta, then you can still fall back and use 0.3.5. Brecht’s Web site is located at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

One of the reasons I like (and use) Sniffit so much is that you can easily configure it to only log certain traffic, such as FTP and Telnet. This type of filtering is not unusual, as it is available in other sniffers, such as Sniffer Pro and Netmon to name only two. But when was the last time you saw either one of those sniffers covertly placed on a compromised system? Sniffit is small and easily configured to capture (and log) only traffic that you know carries useful information in the clear, such as usernames and passwords for certain protocols as shown in the following example:

[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login [jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password [5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER [afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS [smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login [hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password [98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login [whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password [9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login [douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password [11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password [9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password [jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER [custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS [Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.

As you can see, in just a matter of approximately 10 hours, I have collected usernames and passwords for nine different users for three FTP sites and five Telnet locations. One user, demrly, seems to have used the incorrect password when he or she tried to log in to 10.22.16.52 the first time, but I will keep this password handy because it may be a valid password at some other location.
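The same log read from the other side of the incident. When a responder finds a Sniffit log like the one above on a compromised host, the first question is which accounts on which services must be reset. The script below is an added example, not part of the book or of Sniffit: it pairs the USER/PASS (FTP) and login/password (Telnet) lines by client host and destination service, classifies the service from the destination port, and flags accounts seen with more than one password. The sample log is copied from the excerpt above; the service-by-port table covers only the two protocols in it.

```python
"""Triage a Sniffit credential log for incident response.

Added example, not from the book. Pairs username and password lines per
client host and destination service, then reports which accounts and hosts
need password resets. SAMPLE_LOG is the excerpt shown in the chapter.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)-"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<kind>USER|PASS|login|password) \[(?P<value>[^\]]*)\]$"
)
SERVICE_BY_PORT = {"21": "ftp", "23": "telnet"}  # the cleartext services in the excerpt


@dataclass
class Exposure:
    service: str
    host: str
    user: str
    first_seen: str
    passwords: Set[str] = field(default_factory=set)


def parse_sniffit_log(text: str) -> List[Exposure]:
    """Return one Exposure per (service, host, user) whose password was logged."""
    pending: Dict[Tuple[str, str, str], Tuple[str, str]] = {}  # flow -> (user, timestamp)
    exposures: Dict[Tuple[str, str, str], Exposure] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # session start/end markers and anything else
        service = SERVICE_BY_PORT.get(m["dport"], "tcp/" + m["dport"])
        # Key on client host and service rather than source port: the whitt
        # entry above logs the username and the password from different ports.
        flow = (m["src"], m["dst"], m["dport"])
        if m["kind"] in ("USER", "login"):
            pending[flow] = (m["value"], m["ts"])
            continue
        if flow not in pending:
            continue  # password with no preceding username from this client
        user, ts = pending.pop(flow)
        key = (service, m["dst"], user)
        exp = exposures.setdefault(key, Exposure(service, m["dst"], user, ts))
        exp.passwords.add(m["value"])
    return list(exposures.values())


def exposure_report(exposures: List[Exposure]) -> dict:
    """Summarise what must be reset and where."""
    hosts_by_service: Dict[str, Set[str]] = defaultdict(set)
    for e in exposures:
        hosts_by_service[e.service].add(e.host)
    return {
        "accounts_to_reset": sorted({e.user for e in exposures}),
        "hosts_by_service": {s: sorted(h) for s, h in hosts_by_service.items()},
        "multiple_passwords": sorted(e.user for e in exposures if len(e.passwords) > 1),
    }


SAMPLE_LOG = """\
[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login [jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password [5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER [afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS [smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login [hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password [98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login [whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password [9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login [douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password [11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password [9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password [jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER [custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS [Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.
"""

if __name__ == "__main__":
    for k, v in exposure_report(parse_sniffit_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

The report lists distinct destination hosts per service rather than sessions, which is the unit a reset campaign works in; the "multiple_passwords" entry is the demrly case the text points out, and is also the pattern to look for when one password is reused across several hosts.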
Advanced Sniffing Techniques

As technology has moved forward, attackers have had to create new methods to sniff network traffic. Let’s take a look at a couple of methods that attackers use to get around technology advancements.

Switch Tricks

Switches came into vogue a few years ago, and a lot of people think that if they have a switched network, that it is impossible for an attacker to successfully use a sniffer to capture any information from them. It’s time to burst their bubble, as you will see when we discuss methods of successfully sniffing on a switched network.

ARP Spoofing

When attempting to monitor traffic on a switched network, you will run into one serious problem: The switch will limit the traffic that is passed over your section of the network. Switches keep an internal list of the MAC addresses of hosts that are on each port. Traffic is sent to a port only if the destination host is recorded as being present on that port. It is possible to overwrite the ARP (Address Resolution Protocol) cache on many operating systems, which would allow you to associate your MAC address with the default gateway’s IP address. This would cause all outgoing traffic from the target host to be transmitted to you instead. You would need to ensure that you have manually added an ARP table entry for the real default gateway, to ensure that the traffic will be sent to the real target, and also ensure that you have IP forwarding enabled. It has been found that many cable modem networks are also vulnerable to this type of attack, since the cable modem network is essentially an Ethernet network, with cable modems acting as bridges. In short, there is no solution to this attack, and new generations of cable modem networks will use alternate mechanisms to connect a user to the network. The dsniff sniffer by Dug Song includes a program named “arpredirect” for exactly this purpose.
“arpredirect redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.”

ARP Flooding

To serve its purpose, a switch must keep a table of all MAC (Ethernet) addresses of the hosts that appear on each port. If a large number of addresses appear on a single port, filling the address table on the switch, some switches begin to send all traffic to the port. The dsniff sniffer includes a program named “macof” that facilitates the flooding of a switch with random MAC addresses to accomplish this: “macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <ian.vitek@infosec.se>.”

Routing Games

One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor. This may be possible by sending a fake route advertisement message via the Routing Information Protocol (RIP), declaring yourself as the default gateway. If [...]

[...]

For IT Professionals

Awareness and Education

The primary idea behind this chapter is to educate you on the types of traffic that traverse your networks, the simplicity with which it can be monitored, and steps that you can take to limit your exposure. The real solution is to ensure that you are aware of the traffic on your network, [...]
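What the ARP Spoofing and ARP Flooding techniques above look like to a monitor watching the same LAN, as an added example that is not from the book, dsniff or arpwatch. It keeps the last MAC seen answering for each IP and alerts when that binding changes (the arpredirect pattern), and it counts distinct source MACs inside a sliding time window and alerts when the count is far beyond what real hosts produce (the macof pattern). The ARP replies, the MAC addresses, the one-second window and the threshold of 50 are all constructed assumptions; a real feed would come from a switch SPAN port.

```python
"""Detect ARP gateway spoofing and ARP table flooding from a feed of ARP replies.

Added example, not from the book or dsniff. Models the monitoring side of the
two switch tricks in the text. The replies, MACs and thresholds are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    t: float         # seconds since the monitor started
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC it binds that IP to


class ArpMonitor:
    def __init__(self, flood_window: float = 1.0, flood_threshold: int = 50) -> None:
        self.ip_to_mac: Dict[str, str] = {}
        self.recent: Deque[Tuple[float, str]] = deque()  # (time, mac) inside the window
        self.flood_window = flood_window
        self.flood_threshold = flood_threshold
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        self._check_binding_change(r)
        self._check_flood(r)

    def _check_binding_change(self, r: ArpReply) -> None:
        known = self.ip_to_mac.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            self.alerts.append(
                f"ARP binding change: {r.sender_ip} moved from {known} to {r.sender_mac} at t={r.t}")
        self.ip_to_mac[r.sender_ip] = r.sender_mac

    def _check_flood(self, r: ArpReply) -> None:
        self.recent.append((r.t, r.sender_mac))
        while self.recent and r.t - self.recent[0][0] > self.flood_window:
            self.recent.popleft()  # drop replies that fell out of the window
        distinct = {mac for _, mac in self.recent}
        if len(distinct) >= self.flood_threshold:
            self.alerts.append(
                f"ARP flood: {len(distinct)} distinct source MACs within {self.flood_window}s at t={r.t}")
            self.recent.clear()  # one alert per burst, not one per frame


def constructed_feed() -> List[ArpReply]:
    """A quiet LAN, then a gateway takeover, then a MAC flood (all constructed)."""
    gateway, host = "02:00:00:00:00:01", "02:00:00:00:00:21"  # locally administered MACs
    feed = [
        ArpReply(0.0, "10.0.0.1", gateway),
        ArpReply(1.0, "10.0.0.21", host),
        ArpReply(2.0, "10.0.0.1", gateway),
        ArpReply(5.0, "10.0.0.1", "02:00:00:00:00:99"),  # another MAC now claims the gateway IP
    ]
    # 60 replies in about 0.3 s, each from a never-seen MAC: what a table-flooding tool produces
    feed += [ArpReply(10.0 + i * 0.005, f"10.0.0.{100 + i}", f"02:00:00:00:01:{i:02x}")
             for i in range(60)]
    return feed


def run_monitor(feed: Optional[List[ArpReply]] = None) -> List[str]:
    mon = ArpMonitor()
    for r in (feed if feed is not None else constructed_feed()):
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

A NIC replacement or a gateway failover also changes a binding, so in practice the first check is paired with an allowlist of known gateway MACs, and the flood threshold is tuned against the LAN's normal ARP rate before it is allowed to page anyone.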
[...] 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1492330 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300

It is important to note that if an attacker has compromised the security of the host on which you [...]

[...] 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1492448 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300

Note that the attributes of this interface mention nothing about promiscuous mode. When the interface [...]

[...] the protocol versions and the authentication mechanisms that your network infrastructure runs on.

[...] successful, all traffic will be routed through your host. Ensure that you have enabled IP forwarding, and that your default gateway is set to the real network gateway. All outbound traffic from the host will pass through your host, and onto the real network gateway. You may not receive return traffic, unless you [...]

[...] sniffing from occurring on your network, right? All is not lost, as you will see in this section.

Encryption

Fortunately, for the state of network security, encryption is the one silver bullet that will render a packet sniffer useless. Encrypted data, assuming its encryption mechanism is valid, will thwart any attacker attempting to passively monitor your network. Many existing network protocols now have [...]
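The two ifconfig listings above differ only in the PROMISC word on the flags line. The parser below is an added example, not from the book: it reads each interface block, in both the classic net-tools layout shown in the chapter and the newer "flags=NNNN<UP,...>" layout that current net-tools prints, and returns the interfaces that report PROMISC, so the check can be run across many hosts and diffed against a baseline. The sample listing is built from the lines in the chapter; the interface name eth0 and the lo block are assumptions, since the excerpt does not show them.

```python
"""Find interfaces in promiscuous mode from ifconfig output.

Added example, not from the book. Handles the classic net-tools layout shown in
the chapter and the newer "flags=NNNN<...>" layout. Sample output is constructed
from the chapter's lines; the names eth0 and lo are assumptions.
"""
import re
import subprocess
from typing import Dict, List

FLAGS_NEW = re.compile(r"flags=\d+<(?P<flags>[^>]*)>")


def parse_ifconfig(text: str) -> Dict[str, List[str]]:
    """Map each interface name to the flag words on its flags line."""
    flags: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A block starts at column 0 with the interface name ("eth0" or "eth0:").
            current = line.split()[0].rstrip(":")
            flags.setdefault(current, [])
        if current is None or not line.strip():
            continue
        m = FLAGS_NEW.search(line)
        if m:
            flags[current] = [f for f in m["flags"].split(",") if f]
        elif line.split()[0] in ("UP", "DOWN") or "MTU:" in line:
            # Classic layout: "UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1";
            # keep the bare keywords and drop key:value tokens such as MTU:1500.
            flags[current] = [w for w in line.split() if ":" not in w]
    return flags


def promiscuous_interfaces(text: str) -> List[str]:
    return sorted(name for name, words in parse_ifconfig(text).items() if "PROMISC" in words)


def check_local_host() -> List[str]:
    """Run ifconfig on this host and report promiscuous interfaces (needs net-tools)."""
    out = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True, check=False).stdout
    return promiscuous_interfaces(out)


SAMPLE_PROMISC = """\
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1492330 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""
SAMPLE_NEW_LAYOUT = (
    "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500\n"
    "        inet 10.0.0.21  netmask 255.255.255.0  broadcast 10.0.0.255\n"
)

if __name__ == "__main__":
    print("classic layout:", promiscuous_interfaces(SAMPLE_PROMISC))
    print("new layout:", promiscuous_interfaces(SAMPLE_NEW_LAYOUT))
```

Two caveats apply to any such check. As the text notes, a host whose security has already been compromised may report whatever the intruder wants it to, so the ifconfig binary and its output are only trustworthy when run from known-good media. And on current Linux kernels a capture opened through libpcap need not set the PROMISC flag that ifconfig displays; `ip -d link show` prints a separate promiscuity counter that does reflect it, so a host-based check should consult both.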
[...] www.openbsd.org/orders.html

Figure 9.5 The OpenSSH Project

Switching

Network switches do make it more difficult for an attacker to monitor your network; however, not by much. Switches are sometimes recommended as a solution to the sniffing problem; however, their real purpose is to improve network performance, not provide security. As explained in [...]

[...]
        {
            close(sockfd);
            return -1;
        }
        return sockfd;
    }

    /* read ethernet packets, printing source and destination addresses */
    int read_loop(sockfd)
    {
        struct sockaddr_in from;
        char buf[1792], *ptr;
        int size, fromlen, c;
        struct ether_header *hdr;

        while (1) {
            /* read the next available packet */
            size = recvfrom(sockfd, buf, [...]

[...]
    #include
    #include

    pcap_t *open_interface(char *name)
    {
        pcap_t *pd;
        char ebuf[PCAP_ERRBUF_SIZE];

        /* use pcap call to open interface in promiscuous mode */
        pd = pcap_open_live(name, 1600, 1, 100, ebuf);
        if (!pd)
            return NULL;
        return pd;
    }

    int read_loop(pcap_t [...]

[...] mode

Network Detection

There are a number of techniques, varying in their degree of accuracy, to detect whether a host is monitoring the network for all traffic. There is no guaranteed method to detect the presence of a network sniffer.

DNS Lookups

Most programs that are written to monitor the network perform reverse DNS [...]
[...] be to generate a false network connection from an address that has no business being on the local network. We would then monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host.

Latency

A second technique that can be used to detect a host that is monitoring the network is to detect latency variations in the host’s response to network traffic (i.e., ping). [...]