When I tell some of my coworkers that I'm sniffing the network, they have a tendency to look at me funny. A Sniffer (also know as a Network Analyzer) is a piece of software that can look at network traffic, decode it, and give meaningful data that a network administrator can use to diagnose problems on a network. Sniffers are also useful tools for deviant computer users since they can be used to pull plain text passwords off a network. A few popular general purpose Sniffers are NAI Sniffer (commercial), Ethereal (an Open Source GUI Sniffer for Linux, Windows and other platforms), TCPDump (Open Source command line Sniffer for *nix – any Unix like operating system like Linux or FreeBSD-) and its Windows version called WinDump.
First an explanation of some network basics is in order. Most Ethernet networks use to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud party, you may have to wait for quite a spell for your chance to get your words in during a lull in everybody else's conversation. All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as "promiscuous mode" it will look at all of the packets on the wires it is hooked to.
To cut down on the number of collisions and the possibility of sniffing data that does not belong to a node, most networks use switches. On a network, a hub is a passive device that sends all traffic it receives to all of its ports. A switch on the other hand looks at the MAC address of the nodes hooked to it and what ports they are on then tries to send packets only to the nodes they are intended for. A switch cuts back on the number of collisions on the network, increasing throughput. In theory, on a switched network a node can only see broadcast messages (meant for all computers on the LAN) and packets addresses to its MAC along with the occasional stray packet whose destination is not known. Even with switches in place a LAN can be sniffed using the mirrored port on some switches (put there so administrators can use a Sniffer to diagnose network problems), by confusing the switch into mirroring traffic to all ports or by a technique know as ARP poisoning (more on this later).
Sniffers have many legitimate uses that system administrators should be aware of. They can be used to find what computers on the network are causing problems such as using too much bandwidth, having the wrong network settings or running malware. I've personally found them useful in the past for finding hack attempts as they were happening by sniffing my own servers for inappropriate traffic. Every system admin would do well to learn about using sniffers to find network problems and I'd recommend starting with Ethereal since it's free, multiplatform and well supported (see the links section of this article of more information).
Sniffers can also be used by those trying to bypass security. Many popular application protocols pass logon credentials (username and password) in plain text or using weak encryption that's easy for a Sniffer to decode. Common examples of such insecure protocols are FTP, Telnet, POP3, SMTP, and HTTP Basic Authentication. In their place use encrypted protocols like SFTP, SSH (Secure Shell), and HTTPS (SSL) when possible. Protocols like FTP may be hard to switch away from because the clients for more secure protocols like SFTP are not as readily available. FTP clients come with every recent version of Windows (ftp.exe from the command line and Explorer from a GUI), but free clients that support SFTP like FileZilla and PSFTP can be downloaded. A few sniffers that have good password extraction abilities include Cain, Dsniff and Ettercap. All three are free or Open Source. Cain is for Windows only and Dsniff and Ettercap are mostly used in *nix environments but also have Windows versions available.
ARP Spoofing/ARP Poisoning
ARP stands for Address Resolution Protocol and it allows the network to translate IP addresses into MAC addresses. Basically, ARP works like this: When one host using IP on a LAN is trying to contact another it needs the MAC address of the host it is trying to contact. It first looks in its ARP cache (to see your ARP cache in Windows type in "arp –a" at the command line) to see if it already knows the MAC address, but if not, it broadcasts out an ARP request asking "Yo, who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query it will respond with its own MAC address and a conversation can begin using IP. In common bus networks like Ethernet using a hub or 801.11b all traffic can be seen by all hosts whose NICs (network interface card) are in promiscuous mode, but things are a bit different on switched networks. A switch looks at the data sent to it and tries to only forward packets to its intended recipient based on the MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go. There are ways around switches though. Using a program like Arpspoof (part of the Dsniff package), Ettercap or Cain we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.
Even with a switched network it's not hard for an attacker to use Dsniff or Ettercap from the Knoppix-STD boot CD to do some arpspoofing and redirect traffic through them for the purposes of sniffing. These tools can even parse out usernames and passwords automatically, making the attacker's job easy. If the attacker ARP Spoofs between the gateway and the FTP server he can sniff the traffic and extract user names and passwords as users are trying to get their data from offsite, and the same thing goes for SMTP and POP3. Even with SFTP, SSL, and SSH, passwords can still be sniffed with Ettercap because it has the ability to proxy those types of connections. The user might get a warning that the public key of the server they are trying to get to has changed or may not be valid, but how many of us just click past those kinds of messages without actually reading them?
The
image in figure 1 helps to illustrate how ARP Spoofing/ARP Poisoning works.
Basically, the attacker is telling Alan's box that he has the IP that
corresponds to Brian's box and vice versa. By doing this the attacker receives
all network traffic going between Alan and Brian. Once the attacker has ARP
Spoofed his way between two nodes he can sniff the connection with whatever tool
he likes (TCPDump, Ethereal, Ngrep, etc.) By ARP Spoofing between a computer and
the LAN's gateway an attacker can see all the traffic the computer is sending
out and receiving from the Internet. In this article I'm only giving the basics
of how these tools are used. Since Arpspoof from the Dsniff package is the
easiest to demonstrate I will use it in my examples.A quick demonstration of ARP Spoofing using Dsniff Tools
Let's start by using Dug Song's Arpspoof program that comes with his Dsniff package. I use the *nix version but if you look around you may be able to find a Win32 version. The easiest way to run Dsniff is to boot from a Knoppix-STD boot CD. The first thing you should do is make sure packet forwarding is turned on, otherwise our machine will drop all traffic between the hosts we are trying to sniff, causing a denial of service. Some of the tools I use do this automatically, but to be sure, you may want to do it yourself. Use the following commands, depending on operating system:
Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward
BSD:
sysctl -w net.inet.ip.forwarding=1
Now that your computer will forward the traffic you can start ARP Spoofing. Let's assume you want to sniff all traffic between a host and the gateway so you can see the traffic it's sending to the Internet. To get traffic in both directions you would use the following two commands:
arpspoof -t 192.168.1.1 192.168.1.2 & >/dev/null
arpspoof -t 192.168.1.2 192.168.1.1 & >/dev/null
The "& >/dev/nul" part is there to make it easier to run from one terminal, but you may want to omit it for debugging purposes. Now you can use any package you wish to sniff the connection. To start with I'd recommend using the Sniffer Dsniff that comes along with Arpspoof to sniff for plain text passwords. To start sniffing with Dsniff just drop out to a command shell and type:
dsniff
As Dsniff finds passwords and usernames it will print them to the screen. To look at all sorts of other traffic I would recommend TCPDump or Ethereal. When you are ready to stop ARP Spoofing issue the following command:
killall arpspoof
This should kill the two instances of Arpspoof started above.
Other Tools
There are two other packages I would like to mention in more detail. The first is Ettercap, the Swiss army knife of ARP Poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has a ncurses interface that some may find easier to use. The second is Cain, which Windows users will be much more comfortable with. It has some great functionality and a nice interface. I have a video tutorial on how to use it here: http://www.irongeek.com/i.php?page=videos/cain1
If you like pretty GUIs, Cain is the way to go. It does not have as many options as Ettercap, but it's still pretty cool and has some other Windows specific extras built in.
Mitigating Sniffing Attacks
There are quite a few ways to mitigate sniffing attacks.
1. Avoid using insecure protocols like Basic HTTP authentication and Telnet. As a matter of fact you should sniff your own network to see what passwords the tools listed above can pick up.
2. Look into using Static ARP tables between critical workstations and servers. They are more trouble to maintain but limit arpspoofing.
3. Run software like ARPWatch to detect changes in MAC addresses on your network that may point to Sniffers.
4. Try running tools like Sniffdet and Sentinel to detect network cards in promiscuous mode that may be running sniffing software.
5. Have outside laptops using Wi-Fi that come into your facility use a VPN to connect to the network.
6. Lockdown workstations so users can't install sniffing software or boot from a CD like Knoppix.
7. Keep public terminals on a separate LAN from the staff workstations and servers.
I hope you have found this article useful.
Further research:
Adrian's Security Website:
http://www.irongeek.com
ARPWatch
http://www-nrg.ee.lbl.gov/
Cain:
http://www.oxid.it/cain.html
Dsniff Package:
http://www.monkey.org/~dugsong/dsniff
Ethernet Networks:
http://en.wikipedia.org/wiki/Ethernet
Ethereal
http://www.ethereal.com/
Ethereal User's Guide
http://www.ethereal.com/distribution/docs/user-guide.pdf
Ettercap:
http://ettercap.sourceforge.net/
Knoppix-STD has most of the Linux security tools listed above all or one bootable CD:
http://www.knoppix-std.org/
Sentinel
http://www.packetfactory.net/Projects/sentinel/
Sniffdet
http://sniffdet.sourceforge.net/
TCPDump
http://www.tcpdump.org/
WinDump
http://windump.polito.it/