Overview

A packet sniffer is a program or device that eavesdrops on network traffic and gathers data from packets. Sometimes such wiretaps are carried out by the network administrator for beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network or other vital information transmitted on the network. Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp. Sniffers work because ethernet was designed to be shared. Most networks use broadcast technology -- messages for one computer can be read by another computer on that network. In practice, computers ignore messages except those that were sent directly to them (or broadcast to all hosts on the network). However, computers can be placed in promiscuous mode and made to accept messages even if they are not meant for them -- this is how a sniffer works.

People assume that computers connected to a switch are safe from sniffing -- but this is not really so. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a Sniffer works

A computer connected to a LAN has two addresses -- one is the MAC address that uniquely identifies each node in a network and which is stored on the network card. The MAC address is used by the ethernet protocol when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses an ethernet header with the MAC address of the destination machine. The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. Layer 3 attempts to look up the MAC address of the destination machine in a table, called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address then gets added to the source machine's ARP cache. This MAC address is then used by the source machine in all its communications with the destination machine.

There are two basic types of ethernet environments -- shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame's destination MAC address with their own. If the two don't match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared ethernet environment is passive and, hence, difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer's MAC address and the physical port on the switch to which that MAC address is connected. The switch is an intelligent device which sends packets only to the destination computer. As a result, the process of putting a machine into promiscuous mode to gather packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed. Though a switch is more secure than a hub, the following methods can be used to sniff on a switch:

· ARP Spoofing -- ARP is stateless, that is, an ARP reply can be sent even if none has been asked for, and such a reply will be accepted. For example, one technique is to ARP-spoof the gateway of the network. The ARP cache of the targeted host will now have a wrong entry for the gateway and is said to be poisoned. From this point on, all the traffic destined for the gateway will pass through the sniffer machine. Another trick that can be used is to poison a host's ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).

· MAC Flooding -- Switches keep a translation table that maps MAC addresses to physical ports on the switch. This allows them to intelligently route packets from one host to another. The switch has a limited amount of memory for this work. MAC flooding makes use of this limitation to bombard a switch with fake MAC addresses until the switch can't keep up. The switch then enters into what is known as a "fail-open mode", at which point it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily.

Detecting Sniffers on the Network

A sniffer is usually passive -- it just collects data -- and is especially difficult to detect when running in a shared ethernet environment. However, it is easy to detect a sniffer when installed on a switched network. When installed on a computer a sniffer does generate some small amount of traffic -- which allows for its detection using the following types of techniques:

· Ping Method -- a ping request is sent with the IP address of the suspect machine but not its MAC address. Ideally, nobody should see this packet, as each ethernet adapter will reject it because it does not match its MAC address. But if the suspect machine is running a sniffer it will respond, since it accepts all packets.

· ARP Method -- this method relies on the fact that all machines cache ARP replies (i.e. IP-to-MAC mappings). Here, we send a non-broadcast ARP so only machines in promiscuous mode will cache our ARP address. Next, we send a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

· On Local Host -- if a machine has been compromised a hacker may have left a sniffer running. There are utility programs that can be run which report whether the local machine's network adapter has been set to promiscuous mode.

· Latency Method -- is based on the assumption that most sniffers do some kind of parsing, thereby increasing the load on that machine. Therefore it will take additional time to respond to a ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not.

· ARP Watch -- to prevent a hacker from ARP-spoofing the gateway there are utilities that can be used to monitor the ARP cache of a machine to see if there is a duplicate entry for a machine.

How To Protect Against Sniffing

The best way to secure a network against sniffing is to use encryption. While this won't prevent sniffers from functioning, it will ensure the data collected by sniffers is uninterpretable. Also, on a switched network, the chances are ARP spoofing will be used for sniffing purposes. The machine that the hacker will most likely ARP-spoof is the default gateway. To prevent this from happening it is suggested the MAC address of the gateway be permanently added to each host's ARP cache.

Additional suggestions include:

· Use SSH instead of telnet.

· Use HTTPS instead of HTTP (if the site supports it).

· If concerned about email privacy, try a service such as Hushmail ( which uses SSL to ensure that data is not read in transit. Also, Pretty Good Privacy ( can be used for encrypting and signing emails to prevent others from reading them.

· Employ a sniffer detector. For example, the software package PromiScan is considered the standard sniffing node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application package used to remotely monitor computers on local networks to locate network interfaces operating in promiscuous mode.
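The following is an added example, not code from the original article or from any tool it names, modelling why the Ping Method and the ARP Method from the detection section single out a promiscuous host. The hosts, MAC and IP addresses and probe frames are constructed; the only behaviour modelled is the network card's destination-MAC filter (which a promiscuous NIC switches off), the ARP cache that accepts any reply it sees, and where each host's echo reply is addressed.

```python
"""Model of the 'ping method' and 'ARP method' sniffer-detection probes.

Added example, not code from the original article. Hosts, addresses and
frames are constructed; only the NIC destination-MAC filter, the ARP
cache and the reply path are modelled.
"""
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "00:00:00:00:00:01"   # constructed: a MAC that belongs to nobody on the LAN


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    kind: str                 # "arp-reply", "icmp-echo" or "icmp-reply"
    sender_ip: str = ""       # ARP sender IP / ICMP source IP
    sender_mac: str = ""      # ARP sender hardware address
    target_ip: str = ""       # ICMP destination IP (unused when broadcast_ip)
    broadcast_ip: bool = False


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False
    arp_cache: dict = field(default_factory=dict)

    def nic_accepts(self, frame):
        """Hardware filter: frames for our MAC or the broadcast MAC pass.
        A promiscuous NIC hands every frame to the IP stack."""
        return self.promiscuous or frame.dst_mac in (self.mac, BROADCAST_MAC)

    def receive(self, frame):
        """Return the reply frame this host would emit, or None."""
        if not self.nic_accepts(frame):
            return None
        if frame.kind == "arp-reply":
            # ARP is stateless: any reply that reaches the stack is cached.
            self.arp_cache[frame.sender_ip] = frame.sender_mac
            return None
        if frame.kind == "icmp-echo" and (frame.broadcast_ip or frame.target_ip == self.ip):
            # The echo reply goes to whatever MAC the cache holds for the
            # source IP; with no entry the stack falls back to the frame's
            # source MAC (standing in for a fresh ARP resolution here).
            reply_to = self.arp_cache.get(frame.sender_ip, frame.src_mac)
            return Frame(dst_mac=reply_to, src_mac=self.mac, kind="icmp-reply",
                         sender_ip=self.ip, target_ip=frame.sender_ip)
        return None


def _responders(hosts, frame, prober_mac):
    """Names of hosts whose reply to `frame` actually reaches the prober."""
    names = []
    for h in hosts:
        reply = h.receive(frame)
        if reply is not None and reply.dst_mac == prober_mac:
            names.append(h.name)
    return sorted(names)


def ping_method(hosts, prober_mac, prober_ip, suspect_ip):
    """Echo request to the suspect's IP inside a frame addressed to a bogus
    MAC. A normal NIC drops it; only a promiscuous host answers."""
    probe = Frame(dst_mac=BOGUS_MAC, src_mac=prober_mac, kind="icmp-echo",
                  sender_ip=prober_ip, target_ip=suspect_ip)
    return _responders(hosts, probe, prober_mac)


def arp_method(hosts, prober_mac, prober_ip):
    """Step 1: a non-broadcast ARP reply (bogus dst MAC) advertising our real
    IP-to-MAC mapping, which only promiscuous hosts see and cache.
    Step 2: a broadcast ping from our IP with a different source MAC; only a
    host that cached the real MAC in step 1 addresses its reply to us."""
    seed = Frame(dst_mac=BOGUS_MAC, src_mac=prober_mac, kind="arp-reply",
                 sender_ip=prober_ip, sender_mac=prober_mac)
    for h in hosts:
        h.receive(seed)
    probe = Frame(dst_mac=BROADCAST_MAC, src_mac="00:00:00:00:00:02",
                  kind="icmp-echo", sender_ip=prober_ip, broadcast_ip=True)
    return _responders(hosts, probe, prober_mac)


def make_lab():
    """Constructed LAN: bob's NIC is in promiscuous mode, the others are not."""
    return [Host("alice", "02:00:00:00:00:0a", "10.0.0.10"),
            Host("bob", "02:00:00:00:00:14", "10.0.0.20", promiscuous=True),
            Host("carol", "02:00:00:00:00:1e", "10.0.0.30")]


if __name__ == "__main__":
    prober_mac, prober_ip = "02:00:00:00:00:01", "10.0.0.1"
    for h in make_lab():
        print(h.name, "ping method responders:", ping_method(make_lab(), prober_mac, prober_ip, h.ip))
    print("arp method responders:", arp_method(make_lab(), prober_mac, prober_ip))
```

Real stacks are less uniform than this model: Linux ignores broadcast echo requests by default, and the operating system applies its own software MAC filter on top of the hardware one, so which bogus destination MAC slips through differs per platform. That is why practical detectors try several probe variants rather than a single frame, and why a negative result does not prove a host is not sniffing.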
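The ARP Watch technique, and the recommendation to pin the gateway's MAC, both come down to noticing when the IP-to-MAC binding a host has learned stops matching what it learned before. This added example (not code from the article or from any named tool) is a small ARP watcher run over a constructed log of ARP replies; the line format "<seconds> reply <ip> is-at <mac>", the sample entries and the flood thresholds are assumptions for the example. It raises alerts for the three switched-network attacks the article describes: a changed binding for the gateway, a binding that points at the broadcast MAC, and a burst of never-seen MAC addresses that looks like MAC flooding.

```python
"""ARP watch over a constructed log of ARP replies.

Added example, not code from the original article or any named tool. The
line format and sample log are constructed; thresholds are assumptions.
"""
import re
from collections import deque

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LINE_RE = re.compile(r"^(\d+) reply (\S+) is-at ([0-9a-fA-F:]{17})$")


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises alerts."""

    def __init__(self, gateway_ip, flood_window=5, flood_threshold=20):
        self.gateway_ip = gateway_ip
        self.flood_window = flood_window        # seconds (assumed)
        self.flood_threshold = flood_threshold  # distinct new MACs per window (assumed)
        self.table = {}          # ip -> mac from the first reply seen
        self.seen_macs = set()
        self.new_mac_times = deque()
        self.flood_reported = False
        self.alerts = []         # (kind, timestamp, ip, detail)

    def feed(self, line):
        m = LINE_RE.match(line.strip())
        if not m:
            return                      # ignore lines we do not understand
        ts, ip, mac = int(m.group(1)), m.group(2), m.group(3).lower()

        # 1. Poisoning with the broadcast MAC: no legitimate host answers
        #    ARP with ff:ff:ff:ff:ff:ff as its hardware address.
        if mac == BROADCAST_MAC:
            self.alerts.append(("broadcast-mac", ts, ip, mac))

        # 2. A binding that changes, most seriously for the default gateway.
        prev = self.table.get(ip)
        if prev is None:
            self.table[ip] = mac
        elif prev != mac:
            kind = "gateway-changed" if ip == self.gateway_ip else "mapping-changed"
            self.alerts.append((kind, ts, ip, f"{prev}->{mac}"))
            self.table[ip] = mac        # keep following the current binding

        # 3. MAC flooding: a burst of never-before-seen source MACs.
        if mac != BROADCAST_MAC and mac not in self.seen_macs:
            self.seen_macs.add(mac)
            self.new_mac_times.append(ts)
            while self.new_mac_times and ts - self.new_mac_times[0] > self.flood_window:
                self.new_mac_times.popleft()
            if len(self.new_mac_times) >= self.flood_threshold and not self.flood_reported:
                self.flood_reported = True
                self.alerts.append(("mac-flood", ts, "*",
                                    f"{len(self.new_mac_times)} new MACs within {self.flood_window}s"))


def analyze(lines, gateway_ip):
    """Feed every log line to a fresh watcher and return its alerts."""
    watch = ArpWatch(gateway_ip)
    for line in lines:
        watch.feed(line)
    return watch.alerts


# Constructed sample: normal replies, then a gateway spoof, then a
# broadcast-MAC poison, then a flood of 25 fresh MACs in three seconds.
SAMPLE_LOG = [
    "1 reply 10.0.0.1 is-at 00:11:22:33:44:01",      # real gateway
    "2 reply 10.0.0.10 is-at 00:11:22:33:44:0a",
    "3 reply 10.0.0.20 is-at 00:11:22:33:44:14",
    "50 reply 10.0.0.1 is-at 00:11:22:33:44:14",     # gateway now "is" 10.0.0.20's MAC
    "60 reply 10.0.0.1 is-at ff:ff:ff:ff:ff:ff",     # broadcast-MAC poisoning
] + [f"{100 + i // 10} reply 10.0.0.{200 + i} is-at 02:ff:00:00:00:{i:02x}"
     for i in range(25)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "10.0.0.1"):
        print(*alert)
```

A watcher like this complements, rather than replaces, the static gateway entry the article recommends: the static entry stops the local host from being poisoned, while the watcher tells you that someone on the segment is trying. Flapping bindings also occur legitimately (DHCP reassignments, a replaced network card), so the alert is a prompt to investigate, not proof of an attack; the flood thresholds in particular need tuning to the size and churn of the segment being watched.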