Hack Proofing Your Network, Second Edition, part 6
www.syngress.com 194_HPYN2e_10.qxd 2/15/02 10:59 AM Page 381
Sniffing • Chapter 10

Sniffit

Sniffit is another sniffer that has been around for several years. It is available for several operating systems, including Linux, Solaris, SunOS, Irix, and FreeBSD. Sniffit has not been updated in a few years, but I have found it to be quite stable (even though the last release was classified as a beta). Brecht Claerhout, the author of Sniffit, has two versions available on his Web site: 0.3.5 (released in April 1997) and 0.3.7.beta (released in July 1998). I have had no problems compiling and using 0.3.7.beta, but if you encounter problems with 0.3.7.beta, then you can still fall back and use 0.3.5. Brecht's Web site is located at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html.

One of the reasons I like (and use) Sniffit so much is that you can easily configure it to log only certain traffic, such as FTP and Telnet. This type of filtering is not unusual; it is available in other sniffers such as Sniffer Pro and NetMon. But when was the last time you saw either one of those sniffers covertly placed on a compromised system? Sniffit is small and easily configured to capture (and log) only traffic that you know carries useful information in the clear, such as usernames and passwords for certain protocols, as shown in the following example:

```text
[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login [jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password [5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER [afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS [smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login [hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password [98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login [whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password [9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login [douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password [11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password [9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password [jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER [custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS [Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.
```

As you can see, in just a matter of approximately 10 hours, I have collected usernames and passwords for nine different users for three FTP sites and five Telnet locations.
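Read from the defender's side, a log in this format is an inventory of where credentials still cross the wire unencrypted: which client hosts, which services, how often. The following Python script is an added example written for this edit, not code from the book or from Sniffit. It parses Sniffit-style lines (the sample lines, hosts and names are constructed to match the format shown above) and reports exposure per destination service so the FTP and Telnet servers involved can be moved to SSH or TLS; it deliberately discards every password value rather than storing it, because an audit only needs to know that a secret was sent, not what it was.

```python
import re
from collections import defaultdict

# Constructed sample in Sniffit's log format (made-up hosts and users, not the
# capture printed in the book).
SAMPLE_LOG = """\
[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [alice]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [s3cret]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [bob]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [hunter2]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.216.82.5.23: login [carol]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.216.82.5.23: password [pw]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.44.50.40.21: USER [alice]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.44.50.40.21: PASS [s3cret]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.
"""

# [timestamp] - src.sport-dst.dport: FIELD [value]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)-"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<field>\w+) \[(?P<value>[^\]]*)\]$"
)

SERVICES = {21: "ftp", 23: "telnet"}
USER_FIELDS = {"USER", "login"}       # FTP and Telnet username prompts
SECRET_FIELDS = {"PASS", "password"}  # FTP and Telnet password prompts


def parse_line(line):
    """Parse one log line into a dict, or return None for session markers
    and anything else that is not a captured field.  The value of a password
    field is never retained."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["service"] = SERVICES.get(rec["dport"], "tcp/%d" % rec["dport"])
    if rec["field"] in SECRET_FIELDS:
        rec["value"] = None
    return rec


def audit(log_text):
    """Summarise cleartext-credential exposure per (destination, service):
    which client hosts talked to it, which usernames were sent, and how many
    password lines were observed."""
    exposure = defaultdict(lambda: {"users": set(), "sources": set(), "secrets_seen": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = exposure[(rec["dst"], rec["service"])]
        entry["sources"].add(rec["src"])
        if rec["field"] in USER_FIELDS:
            entry["users"].add(rec["value"])
        elif rec["field"] in SECRET_FIELDS:
            entry["secrets_seen"] += 1
    # Sorted lists make the report deterministic and easy to diff over time.
    return {
        key: {"users": sorted(v["users"]), "sources": sorted(v["sources"]),
              "secrets_seen": v["secrets_seen"]}
        for key, v in exposure.items()
    }


def format_report(report):
    """Render the audit as one line per exposed service, without usernames."""
    lines = []
    for (dst, service), v in sorted(report.items()):
        lines.append("%s/%s: %d user(s) from %d client host(s), %d password(s) in the clear"
                     % (dst, service, len(v["users"]), len(v["sources"]), v["secrets_seen"]))
    return lines


if __name__ == "__main__":
    for line in format_report(audit(SAMPLE_LOG)):
        print(line)
```

Run against a real Sniffit log, the destinations that appear are the servers still accepting cleartext logins, and the sources are the clients still configured to use them; both lists are what an inventory of protocols to retire looks like.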
One user, demrly, seems to have used the incorrect password when he or she tried to log in to 10.22.16.52 the first time, but I will keep this password handy because it may be a valid password at some other location.

Carnivore

Carnivore is an Internet wiretap designed by the U.S. Federal Bureau of Investigation (FBI). It is designed with the special needs of law enforcement in mind. For example, some court orders might allow a pen-register monitoring of just the From/To e-mail addresses, whereas other court orders might allow a full capture of the e-mail. A summary of Carnivore's features can be seen within the configuration program, shown in Figure 10.7.

Figure 10.7 Carnivore Configuration Program

The features are:

■ Filter sets: The settings are saved in configuration files; the user can quickly change the monitoring by selecting a different filter set.
■ Network adapters: A system may have multiple network adapters; only one can be selected for sniffing at a time.
■ Archive file size: A limit can be set on how much data is captured; by default, it fills up the disk.
■ Total memory usage: Network traffic may come in bursts faster than it can be written to disk; memory is set aside to buffer the incoming data.
■ Fixed IP address: All traffic to/from a range of IP addresses can be filtered. For example, the suspect may have a fixed IP address of 1.2.3.4 assigned to their cable modem. The FBI might get a court order allowing them to sniff all of the suspect's traffic.
■ Protocols to capture: Typically, a court order will allow only specific traffic to be monitored, such as SMTP over TCP. In Pen mode, only the headers are captured.
■ Data text strings: This is the Echelon feature that looks for keywords in traffic. A court order must specify exactly what is to be monitored, such as an IP address or e-mail account. Such wide-open keyword searches are illegal in the United States. The FBI initially denied that Carnivore had this feature.
■ Ports: A list of TCP and UDP ports can be specified. For example, if the FBI has a court order allowing e-mail capture, they might specify the e-mail ports of 25, 110, and 143.
■ SMTP e-mail addresses: A typical scenario is where Carnivore monitors an ISP's e-mail server, discarding all e-mails except those of the suspects. An e-mail session is tracked until the suspect's e-mail address is seen, then all the packets that make up the e-mail are captured.
■ Dynamic IP addresses: When users dial up to the Internet, they are logged in via the RADIUS protocol, which then assigns them an IP address. Normally, the FBI will ask the ISP to reconfigure their RADIUS servers to always assign the same IP address to the suspect, and will then monitor all traffic to/from that IP address. (Note: if you are a dial-up user and suspect the FBI is after you, check to see if your IP address is the same every time you dial up.) Sometimes this isn't possible. Carnivore can be configured to monitor the RADIUS protocol and dynamically discover the new IP address assigned to the suspect. Monitoring begins when the IP address is assigned, and stops when it is unassigned.

The FBI developed Carnivore because utilities like dsniff do not meet the needs of law enforcement. When an e-mail is sent across the wire, it is broken down into multiple packets. A utility like mailsnarf (described earlier) will reassemble the e-mail back into its original form. This is bad because the suspect's defense attorneys will challenge its accuracy: Did a packet get dropped somewhere in the middle that changes the meaning of the e-mail? Did a packet from a different e-mail somehow get inserted into the message?
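Those two questions are exactly what a capture that keeps per-packet sequence numbers can answer: before trusting any reassembled message, a reviewer checks that the captured bytes form one contiguous run with nothing missing and nothing repeated. The Python below is an added example written for this edit, not Carnivore's or dsniff's code; the captured segments, their sequence numbers and the e-mail text are constructed, and 32-bit sequence-number wraparound is deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment from a single direction of a stream.
    seq is the sequence number of the first payload byte."""
    ts: float
    seq: int
    payload: bytes


# Constructed capture of one message being sent (made-up content): two
# segments in order, a segment that starts past the bytes seen so far
# (leaving a hole), and a retransmitted copy of the second segment.
SAMPLE_CAPTURE = [
    Segment(0.00, 1000, b"From: a@x\r\n"),
    Segment(0.01, 1011, b"To: b@y\r\n"),
    Segment(0.02, 1025, b"hello"),
    Segment(0.03, 1011, b"To: b@y\r\n"),
]


def audit_stream(segments):
    """Walk segments in sequence order and report every discontinuity as a
    (kind, start, end) tuple, kind being "gap", "duplicate" or "overlap".
    An empty list means the bytes form one contiguous, non-repeating run."""
    if not segments:
        return []
    findings = []
    # sorted() is stable, so segments with equal seq keep their arrival order
    ordered = sorted(segments, key=lambda s: s.seq)
    expected = ordered[0].seq
    for seg in ordered:
        end = seg.seq + len(seg.payload)
        if seg.seq > expected:
            findings.append(("gap", expected, seg.seq))          # bytes never seen
        elif seg.seq < expected:
            if end <= expected:
                findings.append(("duplicate", seg.seq, end))     # full retransmission
            else:
                findings.append(("overlap", seg.seq, expected))  # partial resend
        expected = max(expected, end)
    return findings


def reassemble(segments):
    """Rebuild the byte stream only when the capture is contiguous; otherwise
    return None so that the reviewer is sent back to the raw packets instead
    of being handed a message that silently papers over a hole."""
    if not segments or audit_stream(segments):
        return None
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


if __name__ == "__main__":
    for kind, start, end in audit_stream(SAMPLE_CAPTURE):
        print("%-9s seq %d..%d" % (kind, start, end))
    print("clean reassembly of first two segments:", reassemble(SAMPLE_CAPTURE[:2]))
```

A tool that reassembles first and audits never, as the passage says of mailsnarf, would return the concatenated payload for the sample capture and hide both the hole at 1020..1025 and the repeated segment; keeping the raw segments makes both visible.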
By capturing the raw packets rather than reassembling them, Carnivore maintains the original sequence numbers, ports, and timestamps. Any missing or extra packets are clearly visible, allowing the FBI to defend the accuracy of the system.

Another problem that the FBI faces is minimization of the sniffed data. When the FBI wiretaps your line, they must assign an agent to listen in. If somebody else uses your phone (like your spouse or kids), they are required to turn off the tape recorders. In much the same way, Carnivore is designed to avoid capturing anything that does not belong to the suspect. A typical example would be using Carnivore to monitor the activities of a dial-up user. Carnivore contains a module to monitor the RADIUS traffic that is used by most ISPs to authenticate the user and assign a dynamic IP address. This allows Carnivore to monitor only that user without intercepting any other traffic. A sample program containing many of the features of Carnivore can be found on the Web site for this book (www.syngress.com/solutions).

Additional Resources

There are some interesting locations that provide a more comprehensive list of available sniffer programs, some of which are listed here:

■ A list of network monitoring programs available from Underground Security Systems Research: www.ussrback.com/packetsniffers.htm.
■ A very good and very detailed overview of packet sniffers written by Robert Graham: www.robertgraham.com/pubs/sniffing-faq.html.

NOTE
A FAQ for Carnivore can be found at www.robertgraham.com/pubs/carnivore-faq.html.

Advanced Sniffing Techniques

As technology has moved forward, attackers have had to create new methods to sniff network traffic. The next sections take a look at a couple of methods that attackers use to get around technology advancements.
Man-in-the-Middle (MITM) Attacks

As we describe later, the most effective defense against sniffing is using encrypted protocols such as SSL and SSH. However, the latest dsniff and Ettercap packages contain techniques for fooling encryption.

The basic technique is known as a man-in-the-middle (MITM) attack. A good example of this is in the James Bond movie From Russia with Love. Bond is supposed to meet another agent in a train station. The evil agent from SPECTRE contacts the agent first, pretending to be Bond. In this manner, the evil agent gets the correct passphrase. The evil agent then pretends to be the agent that Bond is supposed to contact.

The same technique can be applied to encrypted protocols. An attacker sets up a server that answers requests from clients. For example, the server could answer a request for https://www.amazon.com. A user contacting this machine will falsely believe they have established an encrypted session to Amazon.com. At the same time, the attacker contacts the real Amazon.com and pretends to be the user. The attacker plays both roles, decrypting the incoming data from the user, then re-encrypting it for transmission to the original destination.

In theory, encryption protocols have defenses against this. A server claiming to be Amazon.com needs to prove that it is, indeed, Amazon.com. In practice, most users ignore this. MITM attacks have proven effective when used in the field.

Cracking

Tools like dsniff and Ettercap capture not only passwords, but also encrypted passwords. In theory, capturing the encrypted passwords is useless. However, people choose weak passwords, such as words from the dictionary. It takes only a few seconds for an attacker to run through a 100,000-word dictionary, comparing the encrypted form of each dictionary word against the encrypted password. If a match is found, then the attacker has discovered the password.
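The "proof" the MITM section above says a server must give, and that users ignore, is a certificate that chains to a trusted authority and names the host the client asked for; a relay in the middle cannot present one for www.amazon.com without Amazon's private key, so a client that actually enforces both checks refuses the session. The Python below is an added example written for this edit, not code from the book, dsniff or Ettercap. It implements the hostname-matching rule (subjectAltName DNS entries are authoritative, the commonName counts only when no DNS SAN exists, a wildcard stands for exactly one leftmost label) and builds a client context with verification on; the certificate description is constructed for example.com, and the pinned settings are what ssl.create_default_context() already gives, restated explicitly.

```python
import ssl


def _label_matches(pattern, label):
    """Match one DNS label against one certificate label.  A wildcard may
    only stand for a whole label (RFC 6125); partial wildcards such as
    "w*" are rejected."""
    if pattern == "*":
        return True
    if "*" in pattern:
        return False
    return pattern == label


def _dns_name_matches(cert_name, hostname):
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans a dot, and suffixes never match
    if "*" in ".".join(cert_labels[1:]):
        return False  # wildcard permitted in the leftmost label only
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def hostname_matches(cert, hostname):
    """Decide whether a certificate (dict shaped like the return value of
    ssl.SSLSocket.getpeercert()) is valid for hostname.  Any DNS entries in
    subjectAltName are authoritative and the subject commonName is ignored;
    the commonName is consulted only for legacy certificates without them."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False


def make_client_context():
    """A client context that makes the server prove its identity: chain
    verification against the system trust store plus hostname matching.
    Turning either off is what lets a relay answer for the real site."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx):
    """True when the context rejects unverified or misnamed servers."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed certificate description (example.com; not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.com", "a.b.example.com",
                 "www.example.com.attacker.invalid"):
        verdict = "OK" if hostname_matches(SAMPLE_CERT, host) else "REJECT"
        print("%-34s %s" % (host, verdict))
    print("client context hardened:", context_is_hardened(make_client_context()))
```

The last sample hostname is the classic trick of prefixing the expected name to an attacker-controlled domain; label-by-label comparison rejects it, whereas a naive substring check would accept it.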
Such password cracking programs already exist. Tools like dsniff and Ettercap simply output the encrypted passwords in a form that these tools can read.

Switch Tricks

Switches came into vogue a few years ago, and a lot of people think that if they have a switched network, it is impossible for an attacker to use a sniffer successfully to capture any information from them. It's time to burst their bubble, as you will see when we discuss methods of successfully sniffing on a switched network.

ARP Spoofing

When attempting to monitor traffic on a switched network, you will run into one serious problem: The switch will limit the traffic that is passed over your section of the network. Switches keep an internal list of the MAC addresses of hosts that are on each port. Traffic is sent to a port only if the destination host is recorded as being present on that port.

It is possible to overwrite the ARP cache on many operating systems, which would allow you to associate your MAC address with the default gateway's IP address. This would cause all outgoing traffic from the target host to be transmitted to you instead. You would need to ensure that you have manually added an ARP table entry for the real default gateway, to ensure that the traffic will be sent to the real target, and also to ensure that you have IP forwarding enabled.

It has been found that many cable modem networks are also vulnerable to this type of attack, since the cable modem network is essentially an Ethernet network, with cable modems acting as bridges. In short, there is no solution to this attack, and new generations of cable modem networks will use alternate mechanisms to connect a user to the network.

The dsniff sniffer by Dug Song includes a program named arpspoof (formerly arpredirect) for exactly this purpose.
    arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.
    —dsniff FAQ

MAC Flooding

To serve its purpose, a switch must keep a table of all MAC (Ethernet) addresses of the hosts that appear on each port. If a large number of addresses appear on a single port, filling the address table on the switch, then the switch no longer has a record of which port the victim MAC address is connected to. This is the same situation as when a new machine first attaches to a switch, and the switch must learn where that address is. Until it learns which port it is on, the switch must send copies of frames for that MAC address to all switch ports, a practice known as flooding.

The dsniff sniffer includes a program named macof, which facilitates the flooding of a switch with random MAC addresses to accomplish this:

    macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <ian.vitek@infosec.se>.
    —dsniff FAQ

Routing Games

One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor. This may be possible by sending a fake route advertisement message via RIP, declaring yourself as the default gateway. If successful, all traffic will be routed through your host. Ensure that you have enabled IP forwarding, and that your default gateway is set to the real network gateway. All outbound traffic from the host will pass through your host, and onto the real network gateway. You may not receive return traffic, unless you also have the ability to modify the routing table on the default gateway to reroute all return traffic back to you.
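Both switch tricks described above leave footprints that a passive monitor on the segment can look for: ARP spoofing shows up as a reply that rebinds an IP address (typically the default gateway's) to a MAC other than the one already known for it, and MAC flooding shows up as a single port suddenly carrying far more distinct source addresses than any host legitimately owns. The Python below is an added detection example written for this edit, not part of dsniff or of the book; the ARP replies, frames, port names and addresses it processes are constructed, and the window and threshold are assumptions to be tuned per network.

```python
from collections import defaultdict, deque


def detect_arp_rebinding(replies, static_bindings=None):
    """replies: iterable of (ts, ip, mac) taken from observed ARP replies.
    static_bindings: {ip: mac} entries the operator trusts, e.g. the gateway.
    Returns (ts, ip, known_mac, claimed_mac) for every reply that contradicts
    the binding already known for that IP.  The known binding is kept: a
    conflicting claim is reported, never learned."""
    known = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append((ts, ip, known[ip], mac))
    return alerts


def detect_mac_flood(frames, window_ms=1000, max_distinct=50):
    """frames: iterable of (ts_ms, port, src_mac) in time order, as a switch
    or a monitoring tap would see them.  A port whose number of distinct
    source MACs within window_ms exceeds max_distinct is reported once, with
    the count at the moment the threshold was crossed."""
    recent = defaultdict(deque)   # port -> deque of (ts_ms, src_mac)
    alerted = set()
    alerts = []
    for ts, port, mac in frames:
        q = recent[port]
        q.append((ts, mac.lower()))
        while q and ts - q[0][0] > window_ms:
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > max_distinct and port not in alerted:
            alerts.append((ts, port, distinct))
            alerted.add(port)
    return alerts


# Constructed observations (made-up addresses).  The gateway 10.0.0.1 is
# pinned to aa:bb:cc:00:00:01; the third reply claims it from another MAC.
GATEWAY = {"10.0.0.1": "aa:bb:cc:00:00:01"}
SAMPLE_ARP = [
    (100, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (200, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (300, "10.0.0.1", "de:ad:be:ef:00:01"),
    (400, "10.0.0.7", "AA:BB:CC:00:00:07"),   # same MAC, different case: fine
]

# Port Gi0/3 shows 60 distinct source MACs in 300 ms; Gi0/1 shows one host.
SAMPLE_FRAMES = [(i * 5, "Gi0/3", "02:00:00:00:%02x:%02x" % (i // 256, i % 256))
                 for i in range(60)]
SAMPLE_FRAMES += [(i * 5, "Gi0/1", "aa:bb:cc:00:00:07") for i in range(60)]
SAMPLE_FRAMES.sort(key=lambda f: f[0])


if __name__ == "__main__":
    for ts, ip, known, claimed in detect_arp_rebinding(SAMPLE_ARP, GATEWAY):
        print("t=%d ARP: %s is %s but a reply claims %s" % (ts, ip, known, claimed))
    for ts, port, n in detect_mac_flood(SAMPLE_FRAMES):
        print("t=%d MAC flood: %s saw %d distinct source MACs" % (ts, port, n))
```

On real equipment the same two signals are what static ARP entries for the gateway, dynamic ARP inspection and per-port MAC limits act on; the script shows what those features are keyed to, using nothing more than the traffic visible on the segment.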
Exploring Operating System APIs

Operating systems provide, or don't provide, interfaces to their network link layer. Let's examine a variety of operating systems to determine how they interface to their network link layer.

Linux

Linux provides an interface to the network link layer via its socket interface. This is one of the easiest of the interfaces provided by any operating system. The following program illustrates how simple this is. This program opens up the specified interface, sets promiscuous mode, and then proceeds to read Ethernet packets from the network. When a packet is read, the source and destination MAC addresses are printed, in addition to the packet type.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strncpy (not in the original listing) */
#include <unistd.h>      /* close */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>   /* ioctl */
#include <netinet/in.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>
#include <net/ethernet.h>

/* Open a packet socket bound to the named interface and put the interface
 * into promiscuous mode.  Returns the socket descriptor, or -1 on error.
 * SOCK_PACKET is the legacy interface the book describes; current kernels
 * still accept it but document PF_PACKET with SOCK_RAW as its replacement. */
int open_interface(char *name)
{
    struct sockaddr addr;
    struct ifreq ifr;
    int sockfd;

    /* open a socket and bind to the specified interface */
    sockfd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
    if (sockfd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sa_family = AF_INET;
    strncpy(addr.sa_data, name, sizeof(addr.sa_data));
    if (bind(sockfd, &addr, sizeof(addr)) != 0) {
        close(sockfd);
        return -1;
    }

    /* check to make sure this interface is ethernet, otherwise exit */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFHWADDR, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    if (ifr.ifr_hwaddr.sa_family != ARPHRD_ETHER) {
        close(sockfd);
        return -1;
    }

    /* now we set promiscuous mode */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    ifr.ifr_flags |= IFF_PROMISC;
    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    return sockfd;
}

/* read ethernet packets, printing source and destination addresses */
int read_loop(int sockfd)
{
    struct sockaddr from;
    socklen_t fromlen;
    char buf[1792];
    int size;
    struct ether_header *hdr;

    while (1) {
        /* read the next available packet */
        fromlen = sizeof(from);
        size = recvfrom(sockfd, buf, sizeof(buf), 0, &from, &fromlen);
        if (size < 0)
            return -1;
        /* The printed listing breaks off here; the rest of the loop is
         * reconstructed from the description above: print the source and
         * destination MAC addresses and the frame type. */
        if ((size_t)size < sizeof(struct ether_header))
            continue;   /* runt frame without a complete Ethernet header */
        hdr = (struct ether_header *)buf;
        printf("%02x:%02x:%02x:%02x:%02x:%02x -> "
               "%02x:%02x:%02x:%02x:%02x:%02x type 0x%04x\n",
               hdr->ether_shost[0], hdr->ether_shost[1], hdr->ether_shost[2],
               hdr->ether_shost[3], hdr->ether_shost[4], hdr->ether_shost[5],
               hdr->ether_dhost[0], hdr->ether_dhost[1], hdr->ether_dhost[2],
               hdr->ether_dhost[3], hdr->ether_dhost[4], hdr->ether_dhost[5],
               ntohs(hdr->ether_type));
    }
}

/* main() is not in the printed listing; it is added so the program runs as
 * described: "sniff <interface>" (requires root for the packet socket). */
int main(int argc, char *argv[])
{
    int sockfd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <interface>\n", argv[0]);
        return 1;
    }
    sockfd = open_interface(argv[1]);
    if (sockfd < 0) {
        perror("open_interface");
        return 1;
    }
    return read_loop(sockfd) < 0 ? 1 : 0;
}
```

[...]

... occurring on your network, right? All is not lost, as you will see in this section.

Providing Encryption

Fortunately, for the state of network security, encryption (used properly) is the one silver bullet that will render a packet sniffer useless. Encrypted data, assuming its encryption mechanism is valid, will thwart any attacker attempting to passively monitor your network. Many existing network protocols ...

[...]

AntiSniff

Network Monitor

Network Monitor, available on Windows NT based systems, has the capability to monitor who is actively running NetMon on your network. It also maintains a history of who has NetMon installed on their system. It detects only other copies of Network Monitor, so if the attacker is using another sniffer, then you must detect it using one of the previous methods discussed. Most network-based ...

[...]

... weaknesses, so make sure you've allotted ample time for lab research in your schedule. You'll find plenty of information watering holes on the Internet, but some of the typical "hacker hangouts" include:

■ Newsgroups such as alt.hackers.malicious, alt.2600, and alt.hacking
■ Internet Relay Chat (IRC) rooms dedicated to discussions on hacking

Also, astalavista.box.sk and securityfocus.com search engines ...
[...]

... whether a host is monitoring the network for all traffic. There is no guaranteed method to detect the presence of a network sniffer.

DNS Lookups

Most programs that are written to monitor the network perform reverse DNS lookups when they produce output consisting of the source and destination hosts involved in a network connection. In the process of performing this lookup, additional network traffic is generated; ...

[...]

HTTP

The second most common targets are e-mail messages, HTTP input, or Telnet sessions.

Popular Sniffing Software

There are many commercial and freeware sniffing products that are intended to be used as network diagnostic tools, such as Ethereal, Network Associates' Sniffer Pro, NetMon, WildPackets' AiroPeek, and tcpdump. These products don't have hacker features such as password grabbing. Examples of hacker ...

[...]

... up the network address. It is possible to monitor the network for hosts that are performing a large number of address lookups alone; however, this may be coincidental, and not lead to a sniffing host. An easier way, which would result in 100 percent accuracy, would be to generate a false network connection from an address that has no business being on the local network. We would then monitor the network ...

[...]

Switching

Network switches do make it more difficult for an attacker to monitor your network; however, not by much. Switches sometimes are recommended as a solution to the sniffing problem; however, their real purpose is to improve network performance, not provide security. As explained in the section "Advanced Sniffing Techniques," ...

[...]

Detection Techniques

But what if you can't use encryption on your network for some reason? What do you do then? If this is the case, then you must rely on detecting any network interface card (NIC) that may be operating in a manner that could be invoked by a sniffer.

Local Detection

Many operating systems provide a mechanism to determine whether a network interface is running in promiscuous mode. This is ...

[...]

Advanced Sniffing Techniques

It is harder to sniff on today's networks than it was in the past, primarily due to the use of switches. Older networks repeated data on all wires, allowing anybody on the network to see all traffic. Switches prevent others from seeing your traffic. Switches can be attacked in various ways, such as flooding with MAC addresses to force failure ...

[...]

... chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Is network monitoring legal?
A: Although using sniffers for network diagnostics and management is legal, network monitoring of employee activities by management has been highly debated ...
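The "Local Detection" fragment above refers to the operating system's own record of whether an interface is promiscuous. On Linux that record is the interface flag word, the same one the C program earlier in this excerpt modifies with SIOCSIFFLAGS: the kernel sets IFF_PROMISC (0x100) in it while any local process holds the interface in promiscuous mode, and the word is readable without privileges from /sys/class/net/<interface>/flags. The Python below is an added example written for this edit, not code from the book; the flag bit values are those of <linux/if.h>, and the sysfs snapshot it falls back on is constructed. As the section says, this is local detection only: a sniffer on another host leaves no trace here.

```python
import os

# Interface flag bits as defined in <linux/if.h>.
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x4: "DEBUG", 0x8: "LOOPBACK",
    0x10: "POINTOPOINT", 0x20: "NOTRAILERS", 0x40: "RUNNING", 0x80: "NOARP",
    0x100: "PROMISC", 0x200: "ALLMULTI", 0x400: "MASTER", 0x800: "SLAVE",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100


def decode_flags(text):
    """Turn the contents of /sys/class/net/<if>/flags (e.g. "0x1103\\n") into
    the set of flag names that are set."""
    value = int(text.strip(), 16)
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def promiscuous_interfaces(flag_map):
    """flag_map: {interface_name: flags_text}.  Returns the sorted names of
    interfaces whose PROMISC bit is set."""
    return sorted(name for name, text in flag_map.items()
                  if int(text.strip(), 16) & IFF_PROMISC)


def read_sysfs_flags(base="/sys/class/net"):
    """Collect the flags file of every interface under base.  Returns an
    empty dict where sysfs is unavailable; interfaces that vanish between
    listing and reading are skipped."""
    result = {}
    try:
        names = os.listdir(base)
    except OSError:
        return result
    for name in names:
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue
    return result


# Constructed sysfs snapshot: eth0 is promiscuous, eth1 and lo are not.
SAMPLE_FLAGS = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}


if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS   # sample only when sysfs is absent
    for name in sorted(live):
        print("%-8s %s" % (name, " ".join(sorted(decode_flags(live[name])))))
    print("promiscuous:", promiscuous_interfaces(live) or "none")
```

Run periodically from a host-monitoring job, a change of this list is the event worth alerting on; the kernel also logs "entered promiscuous mode" for the device, so the two sources can be cross-checked.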

Posted: 14/08/2014, 04:21