Sniffing • Chapter 10 377

TCPDump can be obtained from www.tcpdump.org. Many modifications have been made to TCPDump in recent years to add support for a wide range of additional protocols.

dsniff

dsniff is a sniffing toolkit provided by Dug Song. dsniff is available on his Web site at www.monkey.org/~dugsong/dsniff, or at a number of mirror sites. dsniff is most famous for its authentication (usernames, passwords) sniffing capabilities. The current version of dsniff will decode authentication information for the following protocols: AOL Instant Messenger, Citrix Winframe, Concurrent Versions System (CVS), FTP, HTTP, ICQ, IMAP, Internet Relay Chat (IRC), Lightweight Directory Access Protocol (LDAP), RPC mount requests, Napster, NNTP, Oracle SQL*Net, Open Shortest Path First (OSPF), PC Anywhere, POP, PostgreSQL, Routing Information Protocol (RIP), Remote Login (rlogin), Windows NT plaintext (SMB), Network Associates Sniffer Pro (remote), Simple Network Management Protocol (SNMP), Socks, Telnet, X11, and RPC yppasswd.

www.syngress.com

Notes from the Underground…

dsniff Used against the Author

The following sample output from dsniff was captured by Dug Song, who successfully captured my password at the CanSecWest 2001 security conference. It happened because Outlook automatically checks POP3 servers, even when you just open it to grab someone's contact information. I quickly changed the password, just in time—the remainder of dsniff output captures somebody else attempting to log on with that password, presumably another person using dsniff who had captured the password.
03/28/01 18:43:24 tcp 192.168.1.201.1035 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2

03/29/01 02:07:41 tcp 192.168.1.243.1837 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2

03/29/01 02:07:08 tcp 192.168.1.243.1836 -> 64.58.76.98.80 (http)
POST /config/login?84gteu3f1fmvt HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 147

.tries=1&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=863imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert_david_graham&passwd=Cerveza2

03/29/01 02:06:48 tcp 192.168.1.243.1835 -> 64.58.76.98.80 (http)
POST /config/login?15aeb5g14endr HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 146

.tries=&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=863imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert_david_graham&passwd=Cerveza2

03/31/01 17:07:38 tcp 192.168.1.243.1307 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2

With today's switched networks and encrypted protocols, password sniffing doesn't always work as well as we might hope. dsniff contains several redirect and man-in-the-middle (MITM) utilities to redirect the flow of traffic and decrypt sessions. The first utility is arpspoof (formerly known as arpredirect). Address Resolution Protocol (ARP) is used by hosts to find the local router's Media Access Control (MAC) address.
By spoofing ARP packets, you can convince other nearby computers that you are the router. Your machine has to forward them onto the legitimate router after receiving them, but in the meantime, the dsniff password sniffer has a chance to process the packets. This runs well not only on local switched networks, but also cable-modem networks. This tool isn't completely foolproof; you are essentially fighting with the router, trying to convince other machines of the local MAC address. As a result, traffic flows through your machine are sometimes intermittent. This technique is easily detected by network-based intrusion detection systems (IDSs). Even the Sniffer Pro (mentioned earlier) has an expert diagnostic mode that will flag these as "duplicate IP addresses" (i.e., multiple machines claiming to have the IP address of the router).

The dnsspoof utility is another way of redirecting traffic. In this case, it spoofs responses from the local Domain Name System (DNS) server. When you go to a Web site such as http://www.example.com, your machine sends out a request to your local DNS server asking for the IP address of www.example.com. This usually takes a while to resolve; dnsspoof quickly sends its own response faster. The victim will take the first response and ignore the second one. The spoofed response will contain a different IP address than the legitimate response, usually the IP address of the attacker's machine. The attacker will likely be using one of the other dsniff man-in-the-middle utilities.

The name man-in-the-middle comes from cryptography and describes the situation when somebody intercepts communications, alters them, and then forwards them. The dsniff utilities for these attacks are webmitm for HTTP traffic (including SSL) and sshmitm (for SSH).
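Two of the switch-level attacks this section describes (arpspoof's fight with the router above, and the macof MAC flood discussed further down) leave signatures a network monitor can catch: the gateway's IP address flapping between MAC addresses, and a single switch port suddenly introducing hundreds of never-seen source MACs. The Python below is an added example written for this page, not code from the book or from dsniff. The Ethernet II and ARP frame layouts are the real ones; every address, port name and timestamp in it is constructed test data.

```python
"""Switch-layer anomaly detection: ARP claimant flapping and MAC-address floods.

Added example, not from the book. Frame format is real (Ethernet II + ARP);
all MACs, IPs, switch port names and timestamps are constructed test data.
"""
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ip_to_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a raw Ethernet II + ARP reply frame (test data only)."""
    eth_hdr = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    return eth_hdr + arp_hdr + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, mac_to_str(frame[22:28]), ip_to_str(frame[28:32])


class ArpWatch:
    """Alert whenever the MAC claiming an IP changes. The 'fighting with the
    router' flapping described in the text shows up as repeated HIGH alerts."""

    def __init__(self, protected_ips=()):
        self.claimant = {}                  # ip -> MAC last seen claiming it
        self.protected = set(protected_ips)  # e.g. the default gateway
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_OP_REPLY:
            return
        _, mac, ip = parsed
        previous = self.claimant.get(ip)
        if previous is not None and previous != mac:
            level = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append(f"{level}: {ip} moved from {previous} to {mac}")
        self.claimant[ip] = mac


def mac_flood_alerts(frames, window_s=1.0, threshold=200):
    """frames: iterable of (timestamp, switch_port, src_mac), in time order.
    Alert once per port that introduces more than `threshold` never-seen
    source MACs inside a sliding window of window_s seconds."""
    seen = defaultdict(set)          # port -> MACs already learned
    first_seen = defaultdict(deque)  # port -> timestamps of new MACs in window
    alerted, alerts = set(), []
    for ts, port, mac in frames:
        if mac in seen[port]:
            continue
        seen[port].add(mac)
        q = first_seen[port]
        q.append(ts)
        while ts - q[0] > window_s:  # q is non-empty: ts itself was just appended
            q.popleft()
        if len(q) > threshold and port not in alerted:
            alerted.add(port)
            alerts.append((port, len(q)))
    return alerts


def demo_arp():
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 201])
    gw_mac = bytes.fromhex("00111122aabb")     # constructed gateway MAC
    host_mac = bytes.fromhex("0050560a0b0c")   # constructed workstation MAC
    rogue_mac = bytes.fromhex("deadbeef0001")  # constructed impersonator MAC
    frames = [
        build_arp_reply(gw_mac, gw_ip, host_mac, host_ip),     # real gateway answers
        build_arp_reply(host_mac, host_ip, gw_mac, gw_ip),     # ordinary host reply
        build_arp_reply(rogue_mac, gw_ip, host_mac, host_ip),  # gateway impersonation
        build_arp_reply(gw_mac, gw_ip, host_mac, host_ip),     # gateway reasserts itself
    ]
    watch = ArpWatch(protected_ips={"192.168.1.1"})
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


def demo_flood():
    # Ten legitimate hosts on port1 over a second, then 300 fresh MACs in 0.3 s on port7.
    frames = [(0.1 * i, "port1", f"00:50:56:00:00:{i:02x}") for i in range(10)]
    frames += [(1.0 + 0.001 * i, "port7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(300)]
    return mac_flood_alerts(sorted(frames))
```

A single claimant change can be a legitimate gateway replacement; a gateway that moves back and forth within minutes is the arpspoof signature, which is why ArpWatch alerts on every change rather than only on the first new MAC. For the flood case the real fix sits upstream of detection: cap the number of MAC addresses a switch will learn per access port, so the forwarding table cannot be overrun into fail-open mode.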
Normally, SSH and SSL are thought to be secure, encrypted protocols that cannot be sniffed. The way the MITM utilities work is that they present their own encryption keys to the SSL/SSH clients. This allows them to decrypt the traffic, sniff passwords, and then reencrypt with the original server keys. In theory, you can protect yourself against this by checking the validity of the server certificate, but in practice, nobody does this.

dsniff can sniff not only passwords, but also other cleartext traffic. The mailsnarf utility sniffs e-mails like the FBI's Carnivore, except it reassembles them into an mbox format that can be read by most mail readers. The msgsnarf utility sniffs messages from ICQ, IRC, Yahoo! Messenger, and AOL IM. The filesnarf utility sniffs files transferred via NFS (a popular fileserver protocol used on UNIX systems). The urlsnarf utility saves all the URLs it sees going across the wire. The webspy utility sends those URLs to a Netscape Web browser in real time—essentially allowing you to watch in real time what the victim sees on their Web browser.

The macof utility sends out a flood of MAC addresses. This is intended as another way of attacking Ethernet switches. Most switches have limited tables that can hold only 4000 MAC addresses. This is more than enough for normal networks—you would need 4000 machines attached to the switch before overloading these tables. When the switch overloads, it "fails open" and starts repeating every packet out every port, allowing everyone's traffic to be sniffed.

The tcpkill utility kills TCP connections. It can be used as a denial of service (DoS) attack. For example, you can configure it to kill every TCP connection your neighbor makes. It can also be integrated with tools like network-based IDSs to kill connections from hackers. The tcpnice utility is similar to tcpkill, but rather than killing connections, it slows them down.
For example, you could spoof ICMP Source Quenches from your neighbor's cable modems so that you can get a higher percentage of the bandwidth for your downloads.

Ettercap

Ettercap is a package similar to dsniff. It has many of the same capabilities, such as man-in-the-middle attacks against SSL and SSH and password sniffing. It also has additional features for man-in-the-middle attacks against normal TCP connections, such as inserting commands into the stream. Ettercap is written by Alberto Ornaghi and Marco Valleri and is available on the Web at http://ettercap.sourceforge.net.

Esniff.c

Esniff.c is probably one of the first sniffers that surfaced within the hacker underground. Written by a hacker named rokstar, it functioned only on Sun Microsystems' SunOS (now outdated) operating systems. Esniff.c supports the Telnet, FTP, and rlogin protocols. It provides basic functionality and does not support a comprehensive list of protocols such as those found in newer sniffers such as dsniff and sniffit. This sniffer was first publicly published in Phrack magazine, which can be obtained from www.phrack.org/show.php?p=45&a=5.

Sniffit

Sniffit is another sniffer that has been around for several years. It is available for several operating systems, including Linux, Solaris, SunOS, Irix, and FreeBSD. Sniffit has not been updated in a few years, but I have found it to be quite stable (even though the last release was classified as a beta). Brecht Claerhout, the author of Sniffit, has two versions available on his Web site: 0.3.5 (released in April 1997) and 0.3.7.beta (released in July 1998). I have had no problems compiling and using 0.3.7.beta, but if you encounter problems with 0.3.7.beta, then you can still fall back and use 0.3.5. Brecht's Web site is located at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html.
One of the reasons I like (and use) Sniffit so much is that you can easily configure it to log only certain traffic, such as FTP and Telnet. This type of filtering is not unusual; it is available in other sniffers such as Sniffer Pro and NetMon. But when was the last time you saw either one of those sniffers covertly placed on a compromised system? Sniffit is small and easily configured to capture (and log) only traffic that you know carries useful information in the clear, such as usernames and passwords for certain protocols, as shown in the following example:

[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login [jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password [5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER [afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS [smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login [hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password [98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login [whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password [9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login [douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password [11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password [9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password [jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER [custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS [Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.

As you can see, in just a matter of approximately 10 hours, I have collected usernames and passwords for nine different users for three FTP sites and five Telnet locations. One user, demrly, seems to have used the incorrect password when he or she tried to log in to 10.22.16.52 the first time, but I will keep this password handy because it may be a valid password at some other location.

Carnivore

Carnivore is an Internet wiretap designed by the U.S. Federal Bureau of Investigation (FBI). It is designed with the special needs of law enforcement in mind. For example, some court orders might allow a pen-register monitoring of just the From/To e-mail addresses, whereas other court orders might allow a full capture of the e-mail. A summary of Carnivore's features can be seen within the configuration program, shown in Figure 10.7. The features are:

■ Filter sets: The settings are saved in configuration files; the user can quickly change the monitoring by selecting a different filter set.
■ Network adapters: A system may have multiple network adapters; only one can be selected for sniffing at a time.
■ Archive file size: A limit can be set on how much data is captured; by default, it fills up the disk.
■ Total memory usage: Network traffic may come in bursts faster than it can be written to disk; memory is set aside to buffer the incoming data.
■ Fixed IP address: All traffic to/from a range of IP addresses can be filtered. For example, the suspect may have a fixed IP address of 1.2.3.4 assigned to their cable modem. The FBI might get a court order allowing them to sniff all of the suspect's traffic.
■ Protocols to capture: Typically, a court order will allow only specific traffic to be monitored, such as SMTP over TCP. In Pen mode, only the headers are captured.
■ Data text strings: This is the Echelon feature that looks for keywords in traffic. A court order must specify exactly what is to be monitored, such as an IP address or e-mail account. Such wide-open keyword searches are illegal in the United States. The FBI initially denied that Carnivore had this feature.
■ Ports: A list of TCP and UDP ports can be specified. For example, if the FBI has a court order allowing e-mail capture, they might specify the e-mail ports of 25, 110, and 143.
■ SMTP e-mail addresses: A typical scenario is where Carnivore monitors an ISP's e-mail server, discarding all e-mails except those of the suspects. An e-mail session is tracked until the suspect's e-mail address is seen, then all the packets that make up the e-mail are captured.
■ Dynamic IP addresses: When users dial up the Internet, they are logged in via the RADIUS protocol, which then assigns them an IP address. Normally, the FBI will ask the ISP to reconfigure their RADIUS servers to always assign the same IP address to the suspect, and will then monitor all traffic to/from that IP address. (Note: if you are a dial-up user and suspect the FBI is after you, check to see if your IP address is the same every time you dial up.) Sometimes this isn't possible. Carnivore can be configured to monitor the RADIUS protocol and dynamically discover the new IP address assigned to the suspect. Monitoring begins when the IP address is assigned, and stops when it is unassigned.

Figure 10.7 Carnivore Configuration Program
The FBI developed Carnivore because utilities like dsniff do not meet the needs of law enforcement. When an e-mail is sent across the wire, it is broken down into multiple packets. A utility like mailsnarf (described earlier) will reassemble the e-mail back into its original form. This is bad because the suspect's defense attorneys will challenge its accuracy: Did a packet get dropped somewhere in the middle that changes the meaning of the e-mail? Did a packet from a different e-mail somehow get inserted into the message? By capturing the raw packets rather than reassembling them, Carnivore maintains the original sequence numbers, ports, and timestamps. Any missing or extra packets are clearly visible, allowing the FBI to defend the accuracy of the system.

Another problem that the FBI faces is minimization of the sniffed data. When the FBI wiretaps your line, they must assign an agent to listen in. If somebody else uses your phone (like your spouse or kids), they are required to turn off the tape recorders. In much the same way, Carnivore is designed to avoid capturing anything that does not belong to the suspect. A typical example would be using Carnivore to monitor the activities of a dial-up user. Carnivore contains a module to monitor the RADIUS traffic that is used by most ISPs to authenticate the user and assign a dynamic IP address. This allows Carnivore to monitor only that user without intercepting any other traffic. A sample program containing many of the features of Carnivore can be found on the Web site for this book (www.syngress.com/solutions).

Additional Resources

There are some interesting locations that provide a more comprehensive list of available sniffer programs, some of which are listed here:

■ A list of network monitoring programs available from Underground Security Systems Research: www.ussrback.com/packetsniffers.htm.
■ A very good and very detailed overview of packet sniffers written by Robert Graham: www.robertgraham.com/pubs/sniffing-faq.html.

NOTE

A FAQ for Carnivore can be found at www.robertgraham.com/pubs/carnivore-faq.html.

Advanced Sniffing Techniques

As technology has moved forward, attackers have had to create new methods to sniff network traffic. The next sections take a look at a couple of methods that attackers use to get around technology advancements.

Man-in-the-Middle (MITM) Attacks

As we describe later, the most effective defense against sniffing is using encrypted protocols such as SSL and SSH. However, the latest dsniff and Ettercap packages contain techniques for fooling encryption.

The basic technique is known as a man-in-the-middle (MITM) attack. A good example of this is in the James Bond movie From Russia with Love. Bond is supposed to meet another agent in a train station. The evil agent from SPECTRE contacts the agent first, pretending to be Bond. In this manner, the evil agent gets the correct passphrase. The evil agent then pretends to be the agent that Bond is supposed to contact.

The same technique can be applied to encrypted protocols. An attacker sets up a server that answers requests from clients. For example, the server could answer a request for https://www.amazon.com. A user contacting this machine will falsely believe they have established an encrypted session to Amazon.com. At the same time, the attacker contacts the real Amazon.com and pretends to be the user. The attacker plays both roles, decrypting the incoming data from the user, then reencrypting it for transmission to the original destination.

In theory, encryption protocols have defenses against this. A server claiming to be Amazon.com needs to prove that it is, indeed, Amazon.com. In practice, most users ignore this. MITM attacks have proven effective when used in the field.
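The defense that both the dsniff discussion and this section say is ignored in practice is the client insisting that the presented key really belongs to the server it asked for. The Python below is an added example written for this page, not code from the book or from any of the tools it names. It puts the permissive TLS client settings that let a webmitm-style substitute key through beside the verifying settings, and adds an optional SHA-256 pin on the leaf certificate, the TLS equivalent of an SSH known_hosts entry. The hostname, port and pin given to connect_verified are assumptions; the contexts and fingerprint functions run offline.

```python
"""Client-side TLS verification: permissive vs verifying, plus leaf pinning.

Added example, not from the book. The ssl-module calls are the standard
library's; host, port and pin values passed to connect_verified are assumptions.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional, Tuple


def permissive_context() -> ssl.SSLContext:
    """Accepts any certificate from anyone. A MITM presenting its own key passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname matching."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the two settings that decide whether a substitute key is accepted."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate (the form browsers and tools display)."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the leaf fingerprint against a pinned value."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def connect_verified(host: str, port: int = 443, pinned_sha256: Optional[str] = None,
                     timeout: float = 5.0) -> Tuple[str, str]:
    """Open a TLS connection with full verification. If a pin is given, the leaf
    must also match it; a MITM's substitute certificate fails either check.
    Returns (negotiated TLS version, leaf fingerprint). Requires network access."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pinned_sha256 is not None and not fingerprint_matches(der, pinned_sha256):
                raise ssl.SSLCertVerificationError(
                    f"leaf certificate {cert_fingerprint(der)} does not match the pin")
            return tls.version(), cert_fingerprint(der)


if __name__ == "__main__":
    print("permissive:", context_summary(permissive_context()))
    print("verifying: ", context_summary(verifying_context()))
    # Live use (network required), hostname is an assumption:
    # print(connect_verified("www.example.com", 443))
```

Hostname checking is the part that actually defeats the attack the text describes: chain validation alone only proves the attacker holds some certificate, while check_hostname proves it was issued for the name the user typed. Pinning goes one step further and is worth it for a small number of high-value servers, at the cost of having to update the pin whenever the certificate is rotated.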
Cracking

Tools like dsniff and Ettercap capture not only passwords, but also encrypted passwords. In theory, capturing the encrypted passwords is useless. However, people choose weak passwords, such as words from the dictionary. It takes only a few seconds for an attacker to run through a 100,000-word dictionary, comparing the encrypted form of each dictionary word against the encrypted password. If a match is found, then the attacker has discovered the password. Such password cracking programs already exist. Tools like dsniff and Ettercap simply output the encrypted passwords in a form that these tools can read.

Switch Tricks

Switches came into vogue a few years ago, and a lot of people think that if they have a switched network, it is impossible for an attacker to use a sniffer successfully to capture any information from them. It's time to burst their bubble, as you will see when we discuss methods of successfully sniffing on a switched network.

ARP Spoofing

When attempting to monitor traffic on a switched network, you will run into one serious problem: The switch will limit the traffic that is passed over your section of the network. Switches keep an internal list of the MAC addresses of hosts

[...]

... sending a fake route advertisement message via RIP, declaring yourself as the default gateway. If successful, all traffic will be routed through your host. Ensure that you have enabled IP forwarding, and that your default gateway is set to the real network gateway. All outbound traffic from the host will pass through your host, and onto the real network gateway. You may not receive return traffic, unless you...

[...]

... occurring on your network, right?
All is not lost, as you will see in this section.

Providing Encryption

Fortunately, for the state of network security, encryption (used properly) is the one silver bullet that will render a packet sniffer useless. Encrypted data, assuming its encryption mechanism is valid, will thwart any attacker attempting to passively monitor your network. Many existing network protocols...

[...]

AntiSniff

Network Monitor

Network Monitor, available on Windows NT based systems, has the capability to monitor who is actively running NetMon on your network. It also maintains a history of who has NetMon installed on their system. It detects only other copies of Network Monitor, so if the attacker is using another sniffer, then you must detect it using one of the previous methods discussed. Most network-based...

[...]

... whether a host is monitoring the network for all traffic. There is no guaranteed method to detect the presence of a network sniffer.

DNS Lookups

Most programs that are written to monitor the network perform reverse DNS lookups when they produce output consisting of the source and destination hosts involved in a network connection. In the process of performing this lookup, additional network traffic is generated;...

[...]

... up the network address. It is possible to monitor the network for hosts that are performing a large number of address lookups alone; however, this may be coincidental, and not lead to a sniffing host. An easier way, which would result in 100 percent accuracy, would be to generate a false network connection from an address that has no business being on the local network. We would then monitor the network...
... forwarding enabled. It has been found that many cable modem networks are also vulnerable to this type of attack, since the cable modem network is essentially an Ethernet network, with cable modems acting as bridges. In short, there is no solution to this attack, and new generations of cable modem networks will use alternate mechanisms to connect a user to the network. The dsniff sniffer by Dug Song includes a...

[...]

... HTTP. The second most common targets are e-mail messages, HTTP input, or Telnet sessions.

Popular Sniffing Software

There are many commercial and freeware sniffing products that are intended to be used as network diagnostic tools, such as Ethereal, Network Associates' Sniffer Pro, NetMon, WildPackets' AiroPeek, and tcpdump. These products don't have hacker features such as password grabbing. Examples of hacker...

[...]

... sniffing host.

Latency

A second technique that can be used to detect a host that is monitoring the network is to detect latency variations in the host's response to network traffic (i.e., ping). Although this technique can be prone to a number of error conditions (such as the host's latency being affected by normal operation), it can assist in determining whether a host is monitoring the network. The method...

[...]

Switching

Network switches do make it more difficult for an attacker to monitor your network; however, not by much. Switches sometimes are recommended as a solution to the sniffing problem; however, their real purpose is to improve network performance, not provide security. As explained in the section "Advanced Sniffing Techniques,"...

[...]

Detection Techniques

But what if you can't use encryption on your network for some reason? What do you do then?
If this is the case, then you must rely on detecting any network interface card (NIC) that may be operating in a manner that could be invoked by a sniffer.

Local Detection

Many operating systems provide a mechanism to determine whether a network interface is running in promiscuous mode. This is [...]
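The "DNS Lookups" passage above describes a decoy: put traffic on the wire from an address that has no business being on the local network, then watch for any host that performs a reverse (PTR) lookup of that address, since only a machine that captured the packet has a reason to resolve it. The Python below is an added example written for this page, not code from the book. It parses the question section of DNS query messages and reports which source addresses asked for the canary's PTR record; the DNS wire format is the real one, while the canary address, host addresses and query names are constructed test data.

```python
"""Spot the reverse-DNS lookup that gives a passive sniffer away.

Added example, not from the book. DNS wire format is real; every address
and name below is constructed test data.
"""
import struct

QTYPE_A = 1
QTYPE_PTR = 12


def ptr_name(ip: str) -> str:
    """10.99.99.99 -> 99.99.99.10.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def encode_qname(qname: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split(".")) + b"\x00"


def decode_qname(msg: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointers never legitimately appear in a question name
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive DNS query with one question (test data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, QDCOUNT=1
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_questions(msg: bytes):
    """Return [(qname, qtype), ...] from a DNS message's question section."""
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_qname(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype))
    return questions


def find_canary_lookups(dns_packets, canary_ip: str):
    """dns_packets: iterable of (source_ip, dns_payload). Return the sources that
    asked for the canary's PTR record. Malformed payloads are skipped, never trusted."""
    target = ptr_name(canary_ip)
    hits = []
    for src, payload in dns_packets:
        try:
            questions = parse_questions(payload)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            continue
        if any(qtype == QTYPE_PTR and name == target for name, qtype in questions):
            hits.append(src)
    return hits


def demo():
    canary = "10.99.99.99"  # constructed: an address with no business on this LAN
    packets = [
        ("10.40.1.6", build_query("login.yahoo.com", QTYPE_A)),          # ordinary forward lookup
        ("10.40.1.99", build_query(ptr_name("10.40.1.6"), QTYPE_PTR)),   # ordinary reverse lookup
        ("10.40.2.133", build_query(ptr_name(canary), QTYPE_PTR)),       # could only have seen it by sniffing
        ("10.40.1.6", b"\x00\x01"),                                      # truncated junk, skipped
    ]
    return find_canary_lookups(packets, canary)
```

Run against a live capture, the same function takes the UDP payloads of packets to port 53 on the internal resolver; the canary must be an address that never appears in normal traffic, or ordinary logging and monitoring hosts will resolve it too and the 100 percent accuracy the text promises is lost.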