Chapter 15

Chapter 15. Sniffers

IN THIS CHAPTER

·         Sniffers as Security Risks

·         What Level of Risk Do Sniffers Represent?

·         Has Anyone Actually Seen a Sniffer Attack?

·         What Information Do Sniffers Capture?

·         Where Is One Likely to Find a Sniffer?

·         Where Can I Get a Sniffer?

·         Defeating Sniffer Attacks

Sniffers are devices that capture network packets. Their legitimate purpose is to analyze network traffic and identify potential areas of concern. For example, suppose that one segment of your network is performing poorly: Packet delivery seems incredibly slow, or machines inex plicably lock up on a network boot. You can use a sniffer to determine the precise cause.

Note

The term sniffer is derived from a product, called the Sniffer, originally manufactured by Network General Corporation. As Network General dominated the market, this term became popular, and protocol analyzers have since then generally been referred to as such.

Sniffers vary greatly in functionality and design. Some analyze only one protocol, whereas others can analyze hundreds. As a general rule, most modern sniffers will analyze at least the following protocols:

·         Standard Ethernet

·         TCP/IP

·         IPX

·         DECNet

Proprietary sniffers are expensive ( vendors often package them on special computers that are "optimized" for sniffing). Freeware sniffers, on the other hand, are cheap but offer no support.

In this chapter, you examine sniffers as both security risks and network administration tools.

Sniffers as Security Risks

Sniffers differ greatly from keystroke-capture programs. Here's how: Key-capture programs save, or capture, keystrokes entered at a terminal. Sniffers, on the other hand, capture actual network packets. Sniffers do this by placing the network interface—an Ethernet adapter, for example—into promiscuous mode. Sniffers also differ in one key aspect from other attack methods —sniffers are passive, only listening to the network traffic.

A sniffer always functions in a promiscuous mode. Normally, a system's network card will only grab packets destined for that system. In promiscuous mode, however, instead of ignoring all other packets, the system captures every packet that it sees on the network. To further understand how promiscuous mode works, you must first understand how local area networks are designed.

Local Area Networks and Data Traffic

Local area networks (LANs) are small networks connected (generally) via Ethernet. Data is transmitted from one machine to another via cable. There are different types of cable, which transmit data at different speeds. The five most common types of network cable follow:

·         10BASE-2. (10Mbps) Coaxial Ethernet (thinwire) that, by default, transports data distances of up to 600 feet.

·         10BASE-5. (10Mbps) Coaxial Ethernet (thickwire) that, by default, transports data distances of up to 1,500 feet.

·         10BASE-F. (10Mbps) Fiber optic Ethernet.

·         10BASE-T. (10Mbps) Twisted pair Ethernet that, by default, transports data distances of up to 300 feet.

·         100BASE-T. (100Mbps) Fast Ethernet that, by default, transports data distances of up to 300 feet.

Data travels along the cable in small units called frames . These frames are constructed in sections, and each section carries specialized information. (For example, the first 12 bytes of an Ethernet frame carry both the destination and source address. These values tell the network where the data came from and where it's going. Other portions of an Ethernet frame carry actual user data, TCP/IP headers, IPX headers, and so forth.)

Frames are packaged for transport by special software called a network driver. The frames are then passed from your machine to cable via your Ethernet card. From there, they travel to their destination. At that point, the process is executed in reverse: The recipient machine's Ethernet card picks up the frames, tells the operating system that frames have arrived, and passes those frames on for processing.

Sniffers pose a security risk because of the way frames are transported and delivered. Let's briefly look at that process.

Packet Transport and Delivery

Each workstation in a LAN has its own hardware address or Media Access Control (MAC) address. This address uniquely identifies that machine from all others on the network. (This is similar to the Internet address system.) When you send a message across the LAN, your packets are sent to all connected machines.

Under normal circumstances, all machines on the network can "hear" that traffic going by, but will only respond to data addressed specifically to them. (In other words, Workstation A will not capture data intended for Workstation B. Instead, Workstation A will simply ignore that data.)

If a workstation's network interface is in promiscuous mode, however, it can capture all packets and frames on the network. A workstation configured in this way (and the software on it) is a sniffer.

What Level of Risk Do Sniffers Represent?

Sniffers represent a high level of risk. Here's why:

·         Sniffers can capture account names and passwords.

·         Sniffers can capture confidential or proprietary information.

·         Sniffers can be used to breach security of neighboring networks, or to gain leveraged access.

In fact, the existence of an unauthorized sniffer on your network might indicate that your system is already compromised.

Has Anyone Actually Seen a Sniffer Attack?

Sniffer attacks are common, particularly on the Internet. A well-placed sniffer can capture not just a few passwords, but thousands. In 1994, for example, a massive sniffer attack was discovered , leading a naval research center to post the following advisory:

In February 1994, an unidentified person installed a network sniffer on numerous hosts and backbone elements collecting over 100,000 valid user names and passwords via the Internet and Milnet. Any computer host allowing FTP, Telnet or remote log in to the system should be considered at risk…All networked hosts running a UNIX derivative operating system should check for the particular promiscuous device driver that allows the sniffer to be installed.

—Naval Computer and Telecommunications Area Master Station LANT advisory

You can access the Naval Computer and Telecommunications Area Master Station LANT advisory at http://www.chips.navy.mil/chips/archives/94_jul/file14.html .

The attack on Milnet was so serious that the issue was brought before the Subcommittee on Science, Space, and Technology at the U.S. House of Representatives. F. Lynn McNulty, Associate Director for Computer Security at the National Institute of Standards and Technology, gave this testimony:

The recent incident involved the discovery of "password sniffer" programs on hundreds of systems throughout the Internet… The serious impact of the recent incident should be recognized; log-in information (i.e., account numbers and passwords) for potentially thousands of host system user accounts appear to have been compromised. It is clear that this incident had a negative impact on the operational missions of some Government agencies. Moreover, this should be viewed as [an] ongoing incident, not an incident that has happened and been dealt with. Indeed, administrators of systems throughout the Internet were advised, in turn , to direct their users to change their passwords. This is, indeed, very significant, and we may be seeing its effects for some time to come. Not only is it difficult, if not impossible , to identify and notify every user whose log-in information might have been compromised, it is unlikely that everyone, even if notified, will change his or her passwords.

You can access McNulty's full testimony at http://www-swiss.ai.mit.edu/6.805/articles/mcnulty-internet-security.txt .

That attack is regarded as one of the worst in recorded history, but it was rivaled only months later. In the second incident (the attack was based at Rahul.net ), a sniffer ran for only 18 hours. During that time, hundreds of hosts were compromised. The following was reported by Sarah Gordon and I. Nedelchev in their article Sniffing in the Sun: History of a Disaster.

The list contained 268 sites, including hosts belonging to MIT, the U.S. Navy and Air Force, Sun Microsystems, IBM, NASA, CERFNet, and universities in Canada, Israel, the Netherlands, Taiwan and Belgium…

You can see the Gordon/Nedelchev article at http://www.command.co.uk/html/virus/sniffing.html .

Institutions and private companies are naturally reluctant to admit that their networks have been compromised, so sniffer attacks aren't usually publicly announced. There are some case studies on the Internet. Here are a couple well-known victims:

·         California State University at Stanislaus

·         A United States Army Missile Research Laboratory, White Sands Missile Range

For more information about the Stanislaus incident, visit http://yahi.csustan.edu/studnote.html .

For more information about the U.S. Army Missile Research Laboratory, White Sands Missile Range incident, see the GAO report at http://www.securitymanagement.com/library/000215.html .

The Department of Defense, in particular, has experienced numerous attacks and been the victim of sniffers on its networks. In one of the more interesting incidents, intruders installed sniffers on DoD systems, compromising numerous user accounts. This incident, which occurred in February 1998, is referred to as Solar Sunrise by DoD officials. The incident involved two teenagers from California and their mentor in Israel.

Numerous discussions on this incident can be found online including http://www.sans.org/newlook/resources/IDFAQ/solar_sunrise.htm .

What Information Do Sniffers Capture?

Sniffers will capture all packets on the network, but in practice, an attacker has to be choosier. A sniffer attack is not as easy as it sounds. It requires some knowledge of networking. Simply setting up a sniffer and leaving it will lead to problems because even a five-station network transmits thousands of packets an hour . Within a short time, a sniffer's outfile could easily fill a hard disk drive to capacity (if you logged every packet).

To circumvent this problem, crackers generally sniff only the first 200-300 bytes of each packet. The username and password are contained within this portion, which is really all most crackers want. However, it is true that you could sniff all the packets on a given interface; if you have the storage media to handle that kind of volume, you would probably find some interesting things.

Authentication information is one of the most common targets for sniffer activity. In particular, information sent to Ports 23 (Telnet) and 21 (FTP) are valuable because authentication information (like usernames and passwords) is sent in clear text in these protocols. Port 513 (rlogin) is also useful when trust relationships don't exist. (If a trust relationship does exist, then no username or password is required, but the system becomes a potential target for spoofing.)

Where Is One Likely to Find a Sniffer?

You are likely to find a sniffer almost anywhere. However, there are some strategic points that a cracker might favor. One of those points is anywhere adjacent to a machine or network that receives many passwords. This is especially true if the targeted machine is a gateway to the outside world. If so, the cracker will want to capture authentication procedures between your network and other networks. This could exponentially expand the cracker's sphere of activity.

Note

I do not believe that, in practice, any sniffer can catch absolutely all traffic on a network. This is because, as the number of packets increase, the chance of lost packets is high. If you examine technical reports on sniffers, you will discover that at high speeds and in highly trafficked networks, a more than negligible amount of data can be lost. (Commercial sniffers, which tend to have better design, are far less likely to suffer packet loss.) This suggests that sniffers might be vulnerable to attacks themselves . In other words, just how many packets-per-second can a sniffer take before it fails in its fundamental mission? That is a subject worth investigating.

Security technology has evolved considerably. Some operating systems now employ encryption at the packet level and therefore, even though a sniffer attack can yield valuable data, that data is encrypted. This presents an additional obstacle likely to be passed only by those with deeper knowledge of security, encryption, and networking. An example of this is the Windows NT/2000 authentication mechanism.

Where Can I Get a Sniffer?

Sniffers come in two basic flavors: commercial and freeware. If you're just learning about networking, I recommend getting a freeware sniffer. On the other hand, if you manage a large network, your company should purchase at least one commercial sniffer. They are invaluable when you're trying to diagnose a network problem.

Commercial Sniffers

The sniffers in this section are commercial, but many of these companies offer demo versions. Prices range from $200 to $2,000.

Sniffer Portable Analysis Solutions from Network Associates

Network Associates has produced several levels of network analysis tools including Sniffer Basic (formerly NetXRay by Cinco Networks), Sniffer Pro LAN, Sniffer Pro WAN, Sniffer High-Speed, and Sniffer Packet over SONET. These sniffers decode more than 240 LAN/WAN protocols, and Sniffer Pro High-Speed works with ATM and Gigabit Ethernet.

SnifferPro is a powerful tool providing visibility into the data network. It allows the user to perform a variety of functions including capturing network traffic, diagnosing network problems, and monitoring network activity in real-time. Figure 15.1 shows an example of a SnifferPro session in progress. The Expert window displays accumulated objects, symptoms, and diagnoses in the Expert Overview pane, while the Capture gauge shows the status of the capture in progress. The Capture function of this easily used and popular sniffer stores the actual packets from a network and decodes them, providing the user with detailed information about various network transactions. The Dashboard displays a network segment's packet rate, percentage of utilization, and error rate in real-time.

Figure 15.1. SnifferPro's real-time Expert and Capture gauge windows.

SnifferPro can collect data about conversations between network nodes in real-time. Figure 15.2 shows an example of this feature. A display of the network's traffic map depicting traffic patterns between network nodes can be seen, as well as traffic count statistics for node pairs.

Figure 15.2. SnifferPro's Traffic Map Matrix display.

Network Associates also offers a sniffer rental service, from which a client can receive a portable computer with the latest sniffer software loaded. Both weekly and monthly rentals are offered .

Network Associates, Inc.

Sniffer Technologies

3965 Freedom Circle

Santa Clara, CA 95054

Phone: 800-Sniffer

URL: http://www.networkassociates.com/

Shomiti Systems Surveyor, Explorer, and Century LAN Analyzers

Shomiti Systems LAN Analyzers are heavy-duty hardware/software solutions that support 10/100Mbps and gigabit Ethernet. The systems work with both Ethernet and token ring networks and offer real-time reporting. Surveyor operates on Windows 95/98/2K or NT. Shomiti also offers a plug-in module for Surveyor, which provides Quality of Service analysis for factors important to voice-over IP applications.

Shomiti Systems, Inc.

1800 Bering Drive

San Jose, CA 95112

Phone: 408-437-3940

Email: info @shomiti.com

URL: http://www.shomiti.com

PacketView by Klos Technologies

PacketView is a DOS-based packet sniffer designed for use in Ethernet, token ring, ARCNET, and FDDI environments. It runs about $300. You can try before you buy by downloading a demo version located at http://www.klos.com/get.pvdemo.html .

Klos Technologies, Inc.

12 Jewett

Cortland, NY 13045

Phone: 607-753-0568

Fax: 561-828-6397

Email: sales@klos.com

URL: http://www.klos.com/

Network Probe from Network Communications

Network Communications produces several network analyzers including the Ranger Network Probe and the 8000 Network Probe for both LANs and WANS. They can capture and analyze packets from the following protocols: AppleTalk, Banyan, DEC Net, Microsoft, IBM, NFS, Novell, SMB, Sun NFS, TCP/IP, Token Ring/LLC, X-WINDOWS, and XNS.

Network Communications Corporation

7601 Washington Avenue South

Edina, MN 55439

Phone: 952-946-8800

Fax: 952-946-8822

Email: sales@netcommcorp.com

URL: http://www.netcommcorp.com

LANWatch by Precision Guesswork

LANWatch is a software-based sniffer solution for both DOS (LANWatch 4.1) and Windows 95/98/2K/NT(LANWatch32) platforms. It will monitor packets from the following protocols: TCP, UDP, IP, IPv6, NFS, NetWare, SNA, AppleTalk, VINES, ARP, NetBIOS, and some 50 others. LANWatch monitors traffic in real-time and can display a wide range of usable statistics. A demo version is located at http://www.guesswork.com/demo.html .

Precision Guesswork

Five Central Street

Topsfield, MA 01983

Phone: 978-887-6570

Email: info@precision.guesswork.com

URL: http://www.guesswork.com

EtherPeek from WildPackets Inc. (formerly AG Group )

EtherPeek (4.0 is the latest version at the time of this writing) is available for both Windows and Macintosh platforms. EtherPeek supports major protocol suites including IP, IPv6, AppleTalk, NetWare, IPX/SPX, NetBIOS, DECnet, SMB, and OSI/TARP. It runs from $900 to $1,350, depending on the type of license you purchase.

WildPackets, Inc.

2540 Camino Diablo, Suite 200

Walnut Creek, CA 94596

Phone: 925-937-7900 or 800-466-2447

Email: info@wildpackets.com

URL: http://www.wildpackets.com/

NetMinder Ethernet by Neon Software

NetMinder Ethernet is a Macintosh-based protocol analyzer that can produce automatically updated HTML output reports. These reports are updated in real-time, allowing system administrators to access their latest network analysis statistics from anywhere in the world and from any platform. (Naturally, the application also provides real-time analysis in the standard GUI environment.) A demo version is available at http://www.neon.com/demos_goodies.html .

Neon Software

3685 Mt. Diablo Blvd., Suite 253

Lafayette, CA 94549

Phone: 800-334-NEON

Email: info@neon.com

URL: http://www.neon.com

DatagLANce Network Analyzer by IBM

DatagLANce is a network analyzer that IBM withdrew from its product line. DatagLANce was designed for both Ethernet and token ring networks, and, to my knowledge, is the only sniffer written expressly for OS/2. DatagLANce can analyze a wide range of protocols, including but not limited to NetBIOS, IBM LAN Manager, TCP/IP, NFS, IPX/SPX, DECnet, AppleTalk, and Banyan VINES. (DatagLANce can also output analysis data in many different formats.)

IBM

Product Numbers: 5622-441, 5622-442, 5622-443

LinkView Network Analyzers by Acterna

LinkView Network Analysers support token ring, Ethernet, and fast Ethernet but are designed chiefly for protocol analysis on internetworks. They therefore automatically segregate IP-reporting statistics from other protocol statistics. LinkView Classic runs on Windows 95/98, and Windows NT SP4. LinkView Classic is a software-only LAN analyzer that works with most third-party network cards. The Acterna Advanced Ethernet Adapter is a hardware exten sion for LinkView Classic that runs on Windows 95/98. The LinkView software is available at http://www.tinwald.com/sc_forms/linkview_classic_software.htmllv_classic_software.html .

Acterna, Inc.

1030 Swabia Court

Research Triangle Park, NC 27709

Phone: 800-346-6332

Email: linkview.info@wwgsolutions.com

URL: http://www.linkview.com

ProConvert from WildPackets, Inc. (formerly Net3 Group)

ProConvert is not a sniffer, but is instead a tool for integrating data from disparate sniffers. This allows data from different vendors'formats to be converted into a single format, allowing the user to view packets on a platform separate from the one on which the packets were captured. ProConvert decodes (and provides universal translation between) EtherPeek, Fireberd500, Internet Advisor LAN, LAN900, LANalyzer for Windows, LANWatch, Network Monitor, NetXRay, LinkView, and tcpdump formats. In other words, ProConvert is the Rosetta stone for sniffer logs. It can save you many, many hours of work.

WildPackets, Inc.

2540 Camino Diablo, Suite 200

Walnut Creek, CA 94596

Phone: 925-937-7900 or 800-466-2447

Email: info@wildpackets.com

URL: http://www.wildpackets.com/

LANdecoder32 by Triticom

LANdecoder32 is an extremely popular sniffer for use on Windows 95/98 or Windows NT/2000. It has advanced reporting capabilities and can be used to analyze frame content. Other features include remote monitoring (requiring RMON on the remote system), ASCII filtering (filter by string), and real-time reporting. Demonstration versions can be obtained by contacting Triticom.

Triticom

P.O. Box 46427

Eden Prairie, MN 55344

Phone: 952-829-8019

Email: info@triticom.com

URL: http://www.triticom.com/

LanExplorer Protocol Analyzer from Sunrise Telecom

LanExplorer Protocol Analyzer decodes all popular protocols, including TCP/IP, 802.3, 802.5, VLAN, Apple, Novell, and Microsoft as well as VoIP protocols including H323, H225, H245, RTP, and RTCP. LanExplorer runs on Windows 95/98/2K and NT and uses existing Ethernet, Fast Ethernet, token ring, or WAN network interface cards. A trial version can be obtained from http://www.intellimax.com/download.htm .

Sunrise Telecom, Inc.

22 Great Oaks Blvd

San Jose, CA 95119

Phone: 408-363-8000

Email: info@intellimax.com

URL: http://www.intellimax.com/

Freely Available Sniffers

There are also many freeware and shareware sniffers available. These are perfect if you want to learn about network traffic without spending any money. Unfortunately, some are architecture-specific, and the majority are designed for UNIX.

Esniff is a standard, generic UNIX-based sniffer. It was one of the first sniffers and was originally released in Phrack Magazine (an online hacker zine). Esniff is a very small C program that requires a C compiler and IP include files. A modified version for Solaris 2.X called solsniffer.c also exists. Esniff is available at the following locations:

http://rootshell.com/archive-j457nxiqi3gq59dv/199707/Esniff.c.html

http://www.chaostic.com/filez/exploites/Esniff.c

Gobbler (Tirza van Rijn)

Gobbler was an excellent early tool for those who wanted to learn about sniffers. It was designed to work on the MS-DOS platform, but ran in Windows 95.

An example of how Gobbler has been used as a tool for diagnosing network traffic jams can be found in a case study provided with the documentation. Here's a snippet of that paper:

A bridge was having problems in getting through its startup sequence using the bootp protocol. "The Gobbler" packet catcher was used to capture the packets to and from the bridge. The dump file viewer and protocol analyzer made it possible to follow the whole startup sequence and to track down the cause of the problem.

T.V. Rijn and J.V. Oorschot, The Gobbler, An Ethernet Troubleshooter/Protocol Analyzer. November 29, 1991. Delft University of Technology, Faculty of Electrical Engineering, the Netherlands.

Gobbler is no longer widely distributed or used, but it can be found at the following addresses:

http://packetstorm.securify.com/NT/audit/

http://agape.trilidun.org/hack/network-sniffers/

Ethload (Vyncke, et al.)

Ethload is a shareware packet sniffer/packet analyzer written in C for Ethernet and token ring networks. It runs well with any of the following interfaces:

·         Novell ODI

·         3Com/Microsoft Protocol Manager

·         PC/TCP/Clarkson/Crynwr

Further, it analyzes the following protocols:

·         TCP/IP

·         DECnet

·         OSI

·         XNS

·         NetWare

·         NetBEUI

Unfortunately, the source code is no longer available. The author explains:

After being flamed on some mailing lists for having put a sniffer source code in the public domain and as I understand their fears (even if a large bunch of other Ethernet sniffers are available everywhere), I have decided that the source code is not made available.

Ethload consists of more than 65,000 lines of C code. Two versions are available: You can either register your copy by sending in $200, or you can have an unregistered copy. The registered version has additional functions: more diligent support, printouts, periodic statistics gathered into a file, more buffers, and so on.

For a free sniffer executable on a DOS/Novell platform, Ethload is excellent.

Here are a few sites that offer Ethload:

http://www.ping.be/~pin01407/

http://www.computercraft.com/noprogs/ethld104.zip

ftp://ftp.simtel.net/pub/simtelnet/msdos/lan/ethld200.zip

TCPDUMP

TCPDUMP is one of the most popular tools for network diagnostics and analysis. TCPDUMP can be used to monitor and decode all IP, TCP, UDP, and ICMP headers. The user can vary the amount of the packet that is grabbed, but the default is 64 bytes. TCPDUMP was loosely based on Sun's etherfind and was designed to aid in ongoing research to improve TCP and Internet gateway performance. TCPDUMP is a UNIX-based program, but a Windows version now exists known as WINDUMP. TCPDUMP can be obtained at

http://www.tcpdump.org/

WINDUMP can be found at

http://netgroup-serv.polito.it/windump/

LinSniff

LinSniff is a password sniffer. To compile it, you need all necessary network include files ( tcp.h, ip.h, inet.h, if_ther.h, and so on) on a Linux system. It is available at

http://packetstorm.securify.com/Exploit_Code_Archive/linsniff.c

Sunsniff

Sunsniff is also designed specifically for the SunOS platform. It consists of 513 lines of C source, coded reportedly by crackers who want to remain anonymous. It works reasonably well on Sun, and is probably not easily portable to another flavor. This program is good for experimentation and can be found at

http://securax.org/l0t/prog/sniffers/sunsniff.c

linux_sniffer.c

This program's name pretty much says it all. It consists of 175 lines of C code, distributed primarily at cracker sites on the Net. This program is Linux-specific. It is another utility that is great for experimentation on a nice Sunday afternoon; it's a free and easy way to learn about packet traffic. linux_sniffer.c is available at

http://rootshell.com/archive-j457nxiqi3gq59dv/199707/linux_sniffer.c.html

Defeating Sniffer Attacks

Now that you understand how sniffers work and the dangers they pose, you are probably wondering how to defeat sniffer attacks. Get ready for some bad news: Defeating sniffer attacks is not easy. You can take two approaches:

·         Detect and eliminate sniffers

·         Shield your data from sniffers

Let's briefly look at the pros and cons of each method.

Detecting and Eliminating Sniffers

Sniffers are extremely difficult to detect because they are passive programs. They don't generate an audit trail, and unless their owner is very stupid (sniffing all traffic instead of the first X number of bytes-per-connection), they eat meager network resources. Some operating systems provide a mechanism to determine whether a network interface has been placed in promiscuous mode, which can aid greatly in determining if a sniffer is running on a specific host.

On a single machine, it is theoretically feasible to find a sniffer that has been installed. For example, you could rely on the MD5 algorithm (see Chapter 18, "Trojans," for more on MD5), providing you have a decent database of original installation files (or a running database of files installed). If you intend to use MD5 and search by checksum, you should obtain md5check, an AWK script that automates the process. md5check was originally distributed by CERT and works well for SunOS. md5check is located here:

http://wd.twbbs.org/ftp/security/md5check/

Certainly, searching by checksum on a single box is effective enough. However, finding a sniffer on a large network is difficult. The question of detecting sniffers on diverse architecture is a bitter debate in the security community. (You can see folks arguing this issue for weeks at a time without resolution.) However, there are at least four tools that can help—if you have the right architecture:

·         Snifftest. Written by "Beavis and Butthead," Snifftest will detect a sniffer on SunOS and Solaris. It is especially useful because it will detect a sniffer even if the network interface isn't in promiscuous mode. It works solely for SunOS, and requires a C compiler and all TCP/IP header files. It is located at http://rootshell.com/archive-j457nxiqi3gq59dv/199707/snifftest.c.html .

·         Nitwit. Nitwit runs as a NIT (Network Interface Tap) and can detect sniffers, even if the network interface is not in promiscuous mode. It is similar to Snifftest in that regard. Nitwit is available at http://www.megamine.com/utilities/unixsniffers.shtml .

·         Promisc. Written by blind@xmission.com , Promisc will detect sniffers on Linux. (There are some reports of this program working on SunOS, but these have not been verified .) Promisc is available at http://geek-girl.com/bugtraq/1997_3/0411.html .

·         cpm. cpm is an old favorite that can detect promiscuous mode on SunOS 4.x. (Again, you need a C compiler and the necessary include files.) cpm is available at ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/cpm/ .

Unfortunately, these tools only work on SunOS or Solaris. Detecting a sniffer in heterogeneous networks is more difficult—difficult, that is, without physically checking each machine. For example, suppose your network is made up exclusively of AIX systems. Suppose further that someone goes into an empty office, unplugs a RS/6000, and hooks up a PC laptop. They use this as a sniffer. This is difficult to detect unless you are using network topology maps (tools that red flag any change in topology) and check them daily. Otherwise , the network appears just as it did, with no indication of trouble. After all, the PC has the same IP as the RS/6000 did. Unless you run daily scans , you would probably never detect the PC.

A more recent tool that has been developed by the L0pht group of "grey-hat" hackers is called AntiSniff. AntiSniff gives network administrators the ability to remotely detect computers that are packet sniffing, regardless of the operating system. According to the developers, AntiSniff works by running several nonintrusive tests designed to determine whether or not a remote computer is listening in on all network communications. This tool can be obtained at

http://www.l0pht.com/antisniff/

A more complicated situation occurs when intruders attach physical devices that sniff. (For example, they can splice themselves in at points not visible to the naked eye. I've seen offices that run their coax wire overhead, in the space above the ceiling. This allows anyone in an adjacent office to snag the wire and patch themselves in.) Other than physically checking each wire lead throughout the network, there is no easy way to identify a spliced connection. (Although, again, network topology mapping tools would warn that an extra IP had been added to your subnet. Unfortunately, however, most small businesses can't afford such tools.)

At day's end, however, proactive solutions are difficult and expensive. Instead, you should take more defensive measures. There are two chief defenses against sniffers:

·         Safe topology

·         Encrypted sessions

Let's quickly cover both defenses.

Safe Topology

Sniffers can only capture data on the instant network segment. That means, the tighter you compartmentalize your network, the less information a sniffer can gather. Unfortunately, unless your firm is an ISP—or you have unlimited resources—this solution can get expensive. Compartmentalization requires expensive hardware. There are three network interfaces that a sniffer cannot easily cross:

·         Switches

·         Routers

·         Bridges

You can create tighter network segments by strategically placing these devices on the network. You could possibly compartmentalize 20 workstations at a crack—this seems like a reasonable number. Once a month, then, you could physically check each segment (and, perhaps once a month, you could run MD5 checks on random segments). It should be noted that programs such as macof have been developed to flood switches in the hope that they would fail open . This would then eliminate the protection that switching might otherwise have provided.

Note

Several "intelligent hub" systems are available that weigh in at lower prices than most routers. Some of these devices perform network segmentation. However, I would recommend aggressively quizzing the vendor about sniffing attacks. Some intelligent hub systems do not perform traditional segmentation and might therefore leave other segments vulnerable to attack.

Network segmentation is only practical in smaller networks. If you have more than 500 workstations split among more than 50 departments, full-scale segmentation is probably cost prohibitive. (Even if there's a budget for security, you aren't likely to convince administrative types that you need 50 hardware devices just to guard against a sniffer.) In that case, encrypted sessions are the better choice.

Encrypted Sessions

Encrypted sessions provide a different solution. Instead of worrying about data being sniffed, you simply scramble the data portion of the packet beyond recognition. The advantages to this approach are obvious: Even if an attacker sniffs data, it will be useless to him. However, the disadvantages are weighty.

There are two chief problems with encryption. One is a technical problem, and the other is a human problem.

Technical issues include whether the encryption is strong enough and whether it's supported. For example, 40-bit encryption might be insufficient, and not all applications have integrated encryption support. Furthermore, cross-platform encryption solutions are rare and typically available only in specialized applications.

Moreover, human users can resist using encryption. They might find it too troublesome . (For example, can you imagine forcing Macintosh users to use S/Key every time they logged in to the server? These folks are accustomed to ease-of-use, not generating one-time passwords for every new session.) Users might initially agree to such policies, but they rarely adhere to them.

In short, you must find a happy medium—applications that support strong, two-way encryption and also support some level of user-friendliness. That's why I like Secure Shell.

Secure Shell (SSH) provides secure communications in an application environment like Telnet. SSH binds to port 22 and connections are negotiated using RSA. All subsequent traffic is encrypted using IDEA after authentication is complete. This is strong encryption and is suitable for just about any nonsecret, nonclassified communication.

Secure Shell is a perfect example of an application that meets user and administrative standards.

Versions of SSH and OpenSSH (a free version of SSH) exist for Windows 95/98/NT/2K, Linux, and many different versions of UNIX. Check out Secure Shell at

http://www.ssh.org/

http://www.openssh.com

Summary

Sniffers represent a significant security risk, mainly because they are not easily detected . You would benefit tremendously by learning how to use a sniffer and understanding how others can employ them against you. The best defenses against sniffing are secure topology and strong encryption.