Chapter 14. Sniffers

Sniffers are programs that passively monitor and capture network traffic. Almost any laptop or PC can be turned into a sniffer by installing sniffer software, much of which is freely available on the Internet. The system running the sniffer should have a network interface card that can be used in promiscuous mode. Promiscuous mode enables the sniffer to view but not respond to network traffic, thereby making the sniffer essentially invisible on the network. Sniffers are very useful tools during penetration testing and network troubleshooting. We commonly use them to capture user names and passwords from FTP and telnet sessions. In addition, sniffers can be used to capture any network traffic that is not encrypted, such as e-mail, HTTP, and other clear text services.

Sniffers are generally able to intercept network traffic only on their local network segment. For instance, if a sniffer is located on a shared network that uses hubs, it can view all traffic on the entire network. If a sniffer is located on a switched network (one that uses switches rather than hubs), the sniffer can see only broadcast traffic and traffic directed to it. To sniff a switched network, the sniffer would have to be located on a switch port that mirrors the traffic of other ports, or be placed in a VLAN with the systems it is to monitor. New sniffer programs are emerging that can sniff switched networks; one such sniffer, dsniff by Dug Song, is described below. The belief that switched networks are safe from sniffers is no longer accurate.

It's hard to defend against sniffers. Later in this chapter we discuss a tool that can be used as a countermeasure to sniffers, called AntiSniff. AntiSniff attempts to detect network cards in promiscuous mode to identify potential sniffers. However, even the most advanced sniffer-detection programs have a hard time detecting a well-configured sniffer. The best defense is to encrypt all sensitive network traffic and use strong authentication services that encrypt the logon process.

Dsniff

URL: www.monkey.org/~dugsong/dsniff/

Client OS: UNIX

Target OS: TCP/IP networks

Price: Free

Description: Dsniff actually consists of a collection of tools for sniffing passwords, e-mail, and HTTP traffic. (The nomenclature is confusing because one of the tools, the password sniffer, is also called dsniff.) Dsniff's tools include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, mailsnarf, urlsnarf, and webspy. Dsniff is a very effective sniffer for both switched and shared networks. It can sniff across switched networks using arpredirect and macof, a utility that floods switches in an attempt to cause them to fail to an open state. In addition, Dsniff can be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, and Microsoft SQL.

Dsniff's ability to sniff across switches reinforces the need to encrypt all authentication processes. Dsniff uses arpredirect to capture network traffic intended for other systems. Dsniff spoofs ARP replies and tricks the sending system into thinking the sniffer is the intended recipient of the message. Dsniff then forwards the traffic to the true destination using IP forwarding. Dsniff's ability to sniff across switches is complicated by the fact that it can potentially cause a denial-of-service condition on the network being sniffed. Therefore, you must be careful when using this tool during penetration testing. If you intend to use arpredirect or macof, you should first test it in a nonproduction environment. In addition, arpredirect and macof are not totally passive and can therefore be detected.

Use: Dsniff can be installed on a UNIX or NT platform. You must enable IP forwarding on the system if you intend to use arpredirect. On Windows NT systems, you need to install a packet capture driver before using the tool. On UNIX systems you need to install three additional packages in order for the tool to work properly. The packet drivers and additional packages needed for the installation on your specific system can be found on Dsniff's Web site.

Dsniff, the individual utility, is the password sniffer portion of the tool. It automatically detects and captures the minimum amount of the protocol to gather interesting information. The tool looks for and recognizes passwords for a variety of systems and applications.

arpredirect is the tool that enables sniffing across switched network segments. arpredirect spoofs ARP replies, convincing the sending system that the sniffer is the intended recipient. arpredirect then forwards the packet to its intended host after having captured a copy of the packet. This is a major breakthrough in sniffing technology. Prior to the advent of this tool, sniffing on switched networks was virtually impossible unless you could obtain access to the actual switch device. However, if the network is very busy your system may have trouble keeping up with the flow of network traffic. If this happens you could cause a denial-of-service condition on the network.

macof is a tool that floods the network with frames carrying random MAC addresses in the hope of causing a switch to fail open into repeating (hub-like) mode. This would enable the sniffer to sniff across the switch. Be careful using this utility, since it could cause a denial-of-service condition on the target network or switch. Test the tool in a nonproduction environment before using it during an engagement.
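Both arpredirect and macof leave traces a monitoring host can see: an ARP reply that rebinds a known IP address to a new MAC, and a burst of frames from hundreds of never-before-seen source MACs. The following Python is an added example, not part of dsniff or of this chapter; the ARP replies and frames it inspects are constructed records (timestamp plus addresses), and the one-second window and 256-MAC threshold are assumed tuning values.

```python
"""Detection logic for the two noisy dsniff techniques described above:
arpredirect (ARP replies that rebind an IP to a new MAC) and macof
(floods of frames with random source MACs). Example code, not part of
dsniff; all sample records below are constructed for illustration."""
from collections import deque

# Constructed ARP reply records: (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.10.10.1", "00:00:0c:aa:bb:01"),   # gateway, legitimate
    (1.0, "10.10.10.5", "00:50:56:11:22:05"),
    (2.0, "10.10.10.1", "00:00:0c:aa:bb:01"),   # gateway again, same MAC
    (3.0, "10.10.10.1", "00:0c:29:de:ad:01"),   # gateway IP now claims a new MAC
    (4.0, "10.10.10.5", "00:50:56:11:22:05"),
]

def detect_arp_rebinding(replies):
    """Return (ts, ip, old_mac, new_mac) for every ARP reply whose sender
    IP was previously seen with a different MAC. A host rarely changes
    its MAC; a spoofer must announce a new one for an IP the segment
    already knows, which is exactly what arpredirect does."""
    seen, alerts = {}, []
    for ts, ip, mac in replies:
        prior = seen.get(ip)
        if prior is not None and prior != mac:
            alerts.append((ts, ip, prior, mac))
        seen[ip] = mac
    return alerts

def make_flood(start, n):
    """Constructed burst of n frames, one per millisecond, each with a
    distinct locally administered source MAC (stand-in for macof output)."""
    return [(start + i * 0.001, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff))
            for i in range(n)]

# Constructed frame records: (timestamp, source_mac); two normal hosts, then a flood.
SAMPLE_FRAMES = [(0.0, "00:00:0c:aa:bb:01"), (0.5, "00:50:56:11:22:05")] + make_flood(1.0, 600)

def detect_mac_flood(frames, window=1.0, threshold=256):
    """Alert (ts, distinct_count) when more than `threshold` distinct source
    MACs appear within any sliding window of `window` seconds. A small
    segment shows tens of MACs; macof produces thousands in seconds."""
    alerts, active = [], deque()   # active: frames inside the current window
    for ts, mac in frames:
        active.append((ts, mac))
        while active and active[0][0] < ts - window:
            active.popleft()
        distinct = len({m for _, m in active})
        if distinct > threshold:
            alerts.append((ts, distinct))
            active.clear()            # report once per burst, then re-arm
    return alerts

if __name__ == "__main__":
    print(detect_arp_rebinding(SAMPLE_ARP_REPLIES))
    print(detect_mac_flood(SAMPLE_FRAMES))
```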

tcpkill can be used to kill specific, in-progress TCP connections. tcpnice attempts to slow in-progress TCP network traffic. This is useful when trying to sniff fast networks where the sniffer would normally have a difficult time keeping up with the traffic.

filesnarf can be used to capture network file system traffic. mailsnarf enables you to capture e-mail traffic for later viewing. urlsnarf captures selected HTTP traffic that can be viewed via a Web browser. webspy enables you to surf along with the person whose traffic you are sniffing. The tool actually sends the sniffed URL traffic to your browser so you can view the HTTP traffic in real time.

Benefits: Dsniff is an excellent tool for sniffing passwords on a network and attempting to sniff on a switched network. The collection of utilities enables you to target passwords, e-mail, and HTTP traffic.

Cons: The documentation is very limited. Also, the packet drivers can be difficult to load if you are not familiar with them. Installing the additional packages and compiling the source code on UNIX can be difficult. Finally, the same functions that are designed to enable you to sniff across switches can cause denial-of-service conditions on the network.

Linsniff

URL: www.packetstormsecurity.org

Client OS: Linux

Target OS: TCP/IP networks

Price: Free

Description: Linsniff is the classic, easy-to-use Linux sniffer. Linsniff simply captures the first few bytes of each TCP connection to the ports for telnet, FTP, POP and IMAP Mail, and Rlogin. Captured information includes date, time, source IP address, destination IP address, destination port, and the first 256 bytes of captured data.

Use: Linsniff is a simple-to-use sniffer. Simply compile the program and run it from the command line.

Benefits: The tool is free and easy to use.

Cons: While the tool is easy to use, it does have limited functionality compared to some of the more advanced sniffers. Also, the documentation is minimal.

Tcpdump

URL: www.tcpdump.org

Client OS: Linux

Target OS: TCP/IP networks

Price: Free

Description: Tcpdump is a simple, easy-to-use sniffer that enables you to capture traffic on your network segment. If you prefer GUIs, you will be disappointed that Tcpdump offers only a command line interface. Using different options, you can configure Tcpdump to look for specific traffic.

Use: To install Tcpdump, you must first install the packet capture library, libpcap. Once this is installed, compile and install the Tcpdump source code. Tcpdump's syntax consists of the command tcpdump followed by the desired options and a filter expression. The following is a sample Tcpdump command:

# tcpdump -n -w output.file tcp or udp

This command directs Tcpdump to sniff all TCP and UDP traffic and write it to a file called output.file. You could just as easily specify a single port with an expression such as tcp port 21, or a range of ports. Using these options you can sniff for specific traffic that will most likely yield user names and passwords. These types of traffic include that on ports 21 (FTP), 23 (telnet), 25 (SMTP), 80 (HTTP), and others.

Benefits: Tcpdump is a simple, free sniffer. You can target it to look for specific types of traffic that should provide user names and passwords.

Cons: If you have never loaded a packet driver or compiled a program before, Tcpdump can be difficult to install. There is only a command line interface, which some users consider a benefit and others a con. Tcpdump captures only the raw network traffic; it may be difficult to reassemble the packets in order to view entire communications.

BUTTSniffer

URL: www.packetstormsecurity.com

Client OS: Windows NT

Target OS: TCP/IP networks

Price: Free

Description: BUTTSniffer is a Windows NT packet sniffer. BUTTSniffer currently supports only a command line version. BUTTSniffer's filters can be used to sniff specific ports or to capture all data on a segment.

Use: BUTTSniffer is easy to load. The tool must be configured and run from the command line. The following sample syntax enables you to capture all traffic on ports 1–2000 on the segment:

C:\>buttsniff -d <interface> output.file p 1-2000

To determine the interface number, you can issue the command:

C:\>buttsniff -l

This lists the available interfaces, and then you can enter the number of the interface you wish to use in place of <interface>.

BUTTSniffer can also be used in interactive mode to view the output as it is captured. However, we find it useful to use the tool in disk dump mode (-d) and configure it to capture traffic on specific ports or to specific IP addresses. To specify IP addresses to be included or excluded in the sniff, you have to use the file filter option. Using this option, a file is used to supply the filter rules BUTTSniffer will use to capture traffic. The syntax for this type of use is:

C:\>buttsniff -d <interface> output.file p filter.txt

The file filter.txt contains the filter rules. A + indicates that the tool should log that traffic, while a - indicates it should exclude the traffic identified. For example, a file containing the following syntax would sniff all telnets except those to or from IP address 10.10.10.10:

+23
-10.10.10.10
+ *.*.*.*

BUTTSniffer reviews and considers all the rules before deciding whether to log the traffic. A * acts as a wildcard in IP address filters.
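To make the rule semantics concrete, here is an added example (not BUTTSniffer's own parser, and not from this chapter) that reads the filter file shown above and decides whether a packet would be logged. Its precedence is an assumption drawn from the description: every rule is examined, a matching - rule always excludes the packet, and otherwise the packet must satisfy at least one + rule for each rule kind present (port, IP address); a port rule matches either end of the connection, and * matches any octet.

```python
"""Evaluator for the BUTTSniffer filter-file format described above
(+/- prefixed port or IP rules, '*' as an IP-octet wildcard). Example
code, not BUTTSniffer's own; the precedence rules are an assumption
drawn from the chapter's description, and FILTER_TEXT is the chapter's
sample file reproduced here."""
from dataclasses import dataclass

FILTER_TEXT = """\
+23
-10.10.10.10
+ *.*.*.*
"""

@dataclass
class Rule:
    include: bool      # True for '+', False for '-'
    kind: str          # "port" or "ip"
    value: str         # port number as text, or dotted IP pattern

def parse_filter(text):
    """Parse one rule per line; blank lines and lines without +/- are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in "+-":
            continue
        value = line[1:].strip()                 # tolerate "+ *.*.*.*"
        kind = "port" if value.isdigit() else "ip"
        rules.append(Rule(line[0] == "+", kind, value))
    return rules

def ip_matches(pattern, ip):
    """Octet-by-octet comparison; '*' matches any octet."""
    p_parts, ip_parts = pattern.split("."), ip.split(".")
    if len(p_parts) != 4 or len(ip_parts) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_parts, ip_parts))

def should_log(rules, src_ip, src_port, dst_ip, dst_port):
    """Apply every rule (the chapter notes all rules are considered before
    deciding) and return True if the packet would be written to the log."""
    port_rules = [r for r in rules if r.kind == "port"]
    ip_rules = [r for r in rules if r.kind == "ip"]
    ports = {str(src_port), str(dst_port)}
    def ip_hit(r):
        return ip_matches(r.value, src_ip) or ip_matches(r.value, dst_ip)
    # Any matching exclusion wins outright.
    if any(not r.include and ip_hit(r) for r in ip_rules):
        return False
    if any(not r.include and r.value in ports for r in port_rules):
        return False
    # Otherwise an inclusion of each kind present must match.
    port_ok = not port_rules or any(r.include and r.value in ports for r in port_rules)
    ip_ok = not ip_rules or any(r.include and ip_hit(r) for r in ip_rules)
    return port_ok and ip_ok

RULES = parse_filter(FILTER_TEXT)

if __name__ == "__main__":
    print(should_log(RULES, "10.10.10.20", 40000, "10.10.10.30", 23))   # telnet, logged
    print(should_log(RULES, "10.10.10.10", 40000, "10.10.10.30", 23))   # excluded host
```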

Benefits: BUTTSniffer is an effective, free sniffer for Windows NT. BUTTSniffer can be used to test networks for clear text services and to look for passwords during penetration testing.

Con: BUTTSniffer's command line access can be frustrating if you are used to a GUI.

SessionWall-3 (Now eTrust Intrusion Detection)

URL: www.ca.com

Client OS: Windows NT/9x

Target OS: IP networks

Price: Over $1,000

Description: SessionWall-3, shown in Figure 14-1, is a commercial sniffing tool and intrusion detection product from Abirnet. Abirnet was acquired by Computer Associates, and the product has been improved and is now sold as eTrust Intrusion Detection. Although the product is sold as an intrusion detection system, it also works well as a sniffing tool for testing a network. Using sniffing technology, SessionWall-3 records and displays HTTP, FTP, SMTP, POP, NNTP, and telnet traffic. The tool reassembles the network traffic into legible documents. For instance, you can gather an entire e-mail, HTTP session, or telnet session. telnet and FTP traffic tends to be the most useful, since user names and passwords are displayed in clear text and commonly enable you to gain administrator access to the target system.

Figure 14-1. SessionWall-3 Interface

Additionally, SessionWall-3 is particularly useful if you want to gain access to a mainframe or AS400 computer system. The telnet session with a mainframe often looks like binary traffic. SessionWall-3 can do on-the-fly translation from EBCDIC to ASCII if you right-click on the captured data. This makes AS400 and mainframe systems that use telnet vulnerable in a shared media environment. Without this translation capability, you would have to perform an extra step to read the EBCDIC traffic, such as running the captured file through "dd" on a UNIX system.

Use: SessionWall-3 is easy to install and use. First install the executable. By default SessionWall-3 will capture FTP, HTTP, telnet, and SMTP traffic. You can modify the default traffic SessionWall-3 captures through the Functions menu, Monitor/Block/Alert Rules. In the Monitor/Block/Alert window you can use Edit Rules to add rules that specify the type of traffic to be monitored, the source, the destination, and an action such as log or block. The upper left pane lists the captured sessions sorted by protocol. You can drill down to individual sessions to view the actual communications (and user names and passwords, if present). The same pane offers different views by selecting the Clients, Servers, or Rules tab. The bottom pane shows the statistics for the captured traffic. For penetration testing, you are usually concerned only with viewing the captured information, especially FTP, telnet, HTTP, and e-mail.

Benefits: SessionWall-3 is very easy to use. It reassembles the packets into complete sessions and transmissions, making them easy to follow and read. The rules are easy to configure to target specific traffic and servers.

Cons: SessionWall-3 is an expensive tool. In addition, if you do not target very specific traffic the log files will grow very quickly. Also, it can be difficult to view the raw packet or to extract a particular session for documentation or reporting purposes.

AntiSniff

URL: www.L0pht.com

Client OS: Windows NT

Target OS: TCP/IP networks

Description: AntiSniff is a tool used to combat unauthorized sniffers. As we discussed above, sniffers' network cards usually operate in promiscuous mode. AntiSniff uses several techniques to detect these network cards in promiscuous mode. AntiSniff operates on Windows NT and is an excellent tool for helping to secure networks. While AntiSniff is an excellent packet sniffer detection application, it is not foolproof. Detecting sniffers is a difficult task, and AntiSniff normally has to be deployed widely throughout a network to cover all critical network segments. In addition to using a packet sniffer detection application, organizations should follow other best practices to guard against sniffers. One of the most effective best practices for guarding against sniffers is to encrypt sensitive information as it travels across networks, even internally.

Use: AntiSniff uses three primary methods for detecting sniffers: network latency, DNS, and OS-specific tests. For network latency tests, AntiSniff sends a high volume of network traffic to a target system. If the system is operating in promiscuous mode it will attempt to capture each packet being sent. Under a high load of network traffic, the sniffer will experience performance degradation that will increase network latency. By calculating the changes in response time, AntiSniff may be able to detect a system being used as a sniffer.

Using the DNS method, AntiSniff sends a packet to a predetermined IP address. Many packet sniffers perform a reverse lookup on IP addresses they capture. AntiSniff capitalizes on this and looks for a sniffer performing the reverse lookup, thereby revealing itself.

For the OS-specific checks, AntiSniff sends the target system packets to which certain operating systems respond only when their network card is in promiscuous mode. For instance, for Windows NT systems AntiSniff sends a packet from MAC address FF:00:00:00:00:00 to the IP address of the suspected sniffer. A Windows NT system in promiscuous mode should respond to this packet, thereby revealing itself as a sniffer.
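The mechanism behind the MAC-address test is the network card's receive filter: a card that is not in promiscuous mode discards frames whose destination MAC is neither its own nor the broadcast address, so the echo request inside such a frame never reaches the IP stack, whereas a promiscuous card passes every frame up and the host answers. The following Python simulates that filter; it is an added example, not AntiSniff's code or the chapter's, and the frame layout (14-byte Ethernet header plus an opaque payload), the host MAC, and the probe MAC addresses used below are constructed values.

```python
"""Why the AntiSniff MAC test above works. Example code, not AntiSniff's;
the NIC model below is deliberately minimal (own MAC and broadcast only,
no multicast subscriptions) and all addresses and payloads are constructed."""
import struct

BROADCAST = b"\xff" * 6

def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))

def build_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

class Nic:
    def __init__(self, own_mac, promiscuous=False):
        self.own_mac = mac_bytes(own_mac)
        self.promiscuous = promiscuous
        self.delivered = []            # frames handed to the IP stack

    def accepts(self, dst):
        """Hardware receive filter. In promiscuous mode everything is accepted;
        otherwise only frames addressed to this card or to broadcast."""
        if self.promiscuous:
            return True
        return dst == self.own_mac or dst == BROADCAST

    def receive(self, frame):
        """Return the payload passed up to the IP layer, or None if filtered."""
        if len(frame) < 14 or not self.accepts(frame[:6]):
            return None
        self.delivered.append(frame)
        return frame[14:]

def echo_reply_sent(host_mac, promiscuous, probe_dst_mac):
    """Simulate one AntiSniff probe: an echo request for the host's IP carried
    in a frame whose destination MAC is probe_dst_mac. True means the host's
    IP stack would see the request and therefore answer it."""
    nic = Nic(host_mac, promiscuous)
    frame = build_frame(probe_dst_mac, "00:0c:29:aa:aa:aa", b"ICMP-ECHO-REQUEST")  # constructed
    return nic.receive(frame) is not None

if __name__ == "__main__":
    for promisc in (False, True):
        print("promiscuous=%s -> answers FF:00 probe: %s"
              % (promisc, echo_reply_sent("00:50:56:11:22:05", promisc, "ff:00:00:00:00:00")))
```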

AntiSniff cannot test across network segments. Therefore, AntiSniff is needed on each network segment you are trying to protect.

AntiSniff is easy to use. First, enter the IP address range you wish to test for sniffers in the Network Configuration tab shown in Figure 14-2. Next, use the Scanner Configuration tab (see Figure 14-3) to select which of the methods you wish to use for your scans. The DNS check box enables the scanner to perform the DNS test, trying to get a sniffer to perform a lookup on the fake IP address supplied by the scanner. The ARP test performs a specific test in an attempt to identify Windows hosts in promiscuous mode. Ether Ping is a check designed for finding Linux and NetBSD sniffers. The ICMP Time Delta, Echo, and Ping Drop tests are network latency tests. You can specify the number of packets to be used in the ICMP Time Delta test. The default value of 20 packets is intended to test a Class C address range in a reasonable amount of time. As you increase this value, you increase the accuracy of the test as well as the time it takes to complete. Decreasing the number of packets decreases the time the test takes but sacrifices accuracy. Similarly, the default values for the Echo and Ping Drop tests are 20 and 200 packets, respectively. These values assume you are testing a Class C network in a reasonable amount of time (a few hours). As you increase the number of packets, you increase both the time the scan takes and its accuracy; as you decrease the number of packets, the scan finishes more quickly but accuracy begins to decrease.

Figure 14-2. AntiSniff Network Configuration window

Figure 14-3. AntiSniff Scanner Configuration window

In addition, the Scanner Configuration tab offers options for scheduling the scans and writing the output to a file. You can use the scheduling option to perform regular scans of the network and to enable alarms. If a potential sniffer is detected, AntiSniff will alert you.

After the scan has completed, use the Reports tab to view the results. For all the tests except network latency, AntiSniff indicates a positive or negative response for a system running as a sniffer. The network latency tests display time responses, and you have to determine whether the changes in time response indicate a sniffer may be present.

Benefits: AntiSniff is an excellent tool for trying to detect packet sniffers on a network. The tool is easy to use and configure.

Cons: Packet sniffers can be operated very stealthily and remain undetected. Even though AntiSniff uses effective methods for testing for sniffers, it probably will not detect a well-configured sniffer. In addition, AntiSniff can drain resources on its host system and the network. The network latency tests can create significant network traffic, causing degradation in network performance. Also, many of the scans can take significant time to run, especially on slow systems and networks. Given the significant resource drain AntiSniff can place on networks and hosts, you should schedule it for periodic use during hours that will not affect production operations. While AntiSniff and other sniffer detection applications have significant shortcomings, the tool is a worthwhile addition to a security tool kit.
