You Want Me to What?

Sniffing is one of the simplest of all data-harvesting techniques. And not only is it easy to do, but people forget about it. I was at DEFCON 7, and I saw people logging in to their root accounts over Telnet! This is not something a person should do, even on a trusted network, much less on a malicious network like those found at a security convention!

Now, bear in mind that I don't pretend to be an expert. Well, sometimes I do, but I'm not. I cannot decode Ethernet frames in my head, I cannot merely put a CAT-5 Ethernet cable in my mouth and immediately divine what sort of traffic is on the wire. (If those two disclaimers make zero sense, worry a bit. You should know something about how networks work before you get this far.) But I have done some Unix administration, and I've done some network administration, and I've done more than my fair share of sniffing.

In order to understand sniffing, we should talk very, very briefly about how sniffing works. If you're old enough, you may remember the party-line telephone. This was a system in which everyone's telephone shared a single physical connection: all phones were connected on the same shared wire. If Tom, Dick, Harry, and Sally all had phones in their homes, only one of them could be using it at a time (unless, of course, Tom was calling Dick or Harry was calling Sally). It had no method to prevent eavesdropping. When Tom placed a call to, say, Chicago, he could almost guarantee that someone else was listening in on it. When a call came in from the outside, all phones would ring, and potential recipients would listen for the distinctive pattern that was their ring. It might be two long rings followed by a short, or six shorts and two longs.

Nonswitched Ethernet networks (hubs, coax segments) function in the same way. Everyone is on the same shared bandwidth; when one computer has a message for another, everyone's phone rings. Now, there are lots of technical details for how this works, but they aren't fully germane to this discussion. So we'll leave it at this: Every Ethernet card normally ignores any frame not intended for it, which in practice means it keeps only frames whose destination MAC address is its own, the broadcast address (ff:ff:ff:ff:ff:ff), or a multicast group it has subscribed to, and silently drops the rest. So, even though Tom's, Dick's, Harry's, and Sally's computers all have the potential to see the network traffic for everybody, they'll just ignore it unless it concerns them. (On a switched network the switch itself only delivers a unicast frame to the port that owns the destination MAC, so a listening card there sees its own traffic plus broadcast and multicast unless the switch is told to mirror a port to it; that is a different problem from the one described here.)

In order to sniff, we run a bit of software that mildly alters the behavior of our network cards. Sniffing software puts one's network card into "promiscuous" mode, which tells the card to stop filtering on the destination address and hand every frame on the wire up to the host. On Linux this is the IFF_PROMISC interface flag; tools such as tcpdump set it for you when they open the interface, and `ip link show` reports it as PROMISC while it is on. This is rather like becoming the person who always picks up the receiver of the party-line phone.
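The receive filter just described, and what a promiscuous card sees that a normal one does not, as an added example that is not from the book. It constructs a handful of Ethernet/IPv4/TCP frames for an imaginary hub segment (Tom, Dick and Sally at 10.0.0.1 through 10.0.0.3 with made-up locally administered MACs; a Telnet login is among them), runs them through a software model of the card's filter in both modes, and decodes whatever gets through. The checksums in the constructed frames are zero because nothing here validates them, and real cards also check multicast against a subscribed list, which the model simplifies to "any multicast".

```python
"""Model of an Ethernet card's receive filter, normal versus promiscuous,
over constructed traffic. Example code, not from "Multitool Linux"."""
import socket
import struct

BROADCAST = b"\xff" * 6
# Constructed, locally administered (02:..) MACs for the party-line analogy.
TOM, DICK, SALLY = (bytes.fromhex(f"02000000000{i}") for i in (1, 2, 3))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II / IPv4 / TCP frame. Checksums are left zero:
    this demonstrates parsing, not a protocol stack."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp


def nic_accepts(frame, my_mac, promiscuous=False):
    """A non-promiscuous card keeps frames for its own unicast address, the
    broadcast address, or a multicast address (low bit of first octet set).
    Promiscuous mode keeps everything on the wire."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == my_mac or dst == BROADCAST or bool(dst[0] & 1)


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; None for anything that is not IPv4/TCP."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                           # protocol: 6 == TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
        "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
        "payload": tcp[data_off:],
    }


def sniff(frames, my_mac, promiscuous):
    """Everything the host sees: frames that pass the filter, decoded."""
    seen = []
    for frame in frames:
        if nic_accepts(frame, my_mac, promiscuous):
            pkt = parse_frame(frame)
            if pkt:
                seen.append(pkt)
    return seen


def telnet_client_bytes(packets):
    """Harvest what clients typed toward port 23; Telnet carries it in clear."""
    return b"".join(p["payload"] for p in packets if p["dst"].endswith(":23"))


# Constructed wire: Dick logs in as root to Sally's Telnet server while Tom
# (our machine) receives an unrelated SSH banner from Sally.
WIRE = [
    build_frame(SALLY, DICK, "10.0.0.2", "10.0.0.3", 40000, 23, b"root\r\n"),
    build_frame(DICK, SALLY, "10.0.0.3", "10.0.0.2", 23, 40000, b"Password: "),
    build_frame(SALLY, DICK, "10.0.0.2", "10.0.0.3", 40000, 23, b"hunter2\r\n"),
    build_frame(TOM, SALLY, "10.0.0.3", "10.0.0.1", 55555, 22, b"SSH-2.0-OpenSSH\r\n"),
]


def demo():
    """Returns (what a normal card on Tom's host sees, what a promiscuous one sees)."""
    return sniff(WIRE, TOM, promiscuous=False), sniff(WIRE, TOM, promiscuous=True)


if __name__ == "__main__":
    quiet, loud = demo()
    print("normal mode frames:", len(quiet), "promiscuous frames:", len(loud))
    print("harvested from Telnet:", telnet_client_bytes(loud))
```

In normal mode Tom's host decodes only the one frame addressed to it; in promiscuous mode it sees all four, and the two client-to-server Telnet payloads together spell out the root login. On a real Linux box the same harvesting is one command away, e.g. `tcpdump -i eth0 -A port 23`, which puts the interface into promiscuous mode for as long as it runs.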

Why would anyone put this capability into a networking protocol? Because all our modern networking protocols were designed by engineers, not by security freaks. The engineers decided that it would be really, really useful if they could use any machine to diagnose troubles. I've got a nickel that says they never really considered the security implications. IBM, according to a rumor I once heard, did consider the implications, and produced an Ethernet card incapable of going into promiscuous mode. I've never seen one, so it may be just a rumor. And when it comes down to it, it is useful to be able to use any machine to troubleshoot problems.

Sniffing is the act of (and I'm sure you're already way ahead of me) examining every packet on the wire. This is a passive data-harvesting technique: it doesn't put any additional traffic on the wire, so from elsewhere on the network it's rather hard to detect. (On the sniffing host itself it is not hidden at all: the Linux kernel logs "entered promiscuous mode" when the flag is set, and `ip link show` reports PROMISC while it stays on, which is worth checking on any machine you suspect.) It's incredibly easy to set up, and it gathers a ridiculous amount of useful information. I did an informal survey of a half-dozen Unix system administrators. They all said the same thing: They had found sniffers installed on every breached machine they had ever encountered. To believe that sniffing is uncommon is naive at best and career limiting at worst. In other words, if one of the machines on your network is compromised, you can rest assured that a sniffer has been installed on it.

Now that we know what sniffing is, and a little bit of how it works, we'll get into answering your question: How do I see what's going wrong on my network? We'll also tackle the other two uses of sniffers: offense and defense.

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257