3.1 Sniffing and Port Scanning


The first step in any successful attack is sniffing, used to see what type of traffic is being passed on a network and to look for things like passwords, credit card numbers, and so forth. Sniffing is the term generally used for traffic monitoring within a network, while port scanning is used to find out information about a remote network.

Both sniffing and port scanning have the same objective, to find system vulnerabilities, but they take different approaches. Sniffing is used by an attacker who is already on the network and wants to gather more information about it. Port scanning is used by someone who is interested in finding vulnerabilities on a system that is unknown to them.

There are many tools available for network sniffing. Two of the most common tools are Ethereal (www.ethereal.com/) and Snort (www.snort.org/). Both tools are relatively simple to use and are designed to help troubleshoot problems, but they can also be used to watch traffic.

NOTE

Always run programs like this on an isolated part of the network. While some of these programs are well known and have legitimate uses, others are specifically designed for launching attacks on other systems. It is possible there are Trojans within these programs that may wreak havoc on a network.


Figure 3.1 is an example of what a packet captured by Ethereal looks like. As you can see, information about the transaction is included in the top window, while the bottom window contains the contents of the actual packet. If the packet is not encrypted, it is possible to read the information within it. It is also possible to string packets together to monitor an entire transaction.

Figure 3.1. A captured packet displayed in Ethereal


A packet sniffer works by putting the network card into promiscuous mode so the network card listens for and processes all Address Resolution Protocol (ARP) requests on the network segment, not just ARP requests destined for that machine.

Obviously, for a packet sniffer to be effective it has to be attached to the network. A packet sniffer is used either by someone who has compromised a machine on a network, or by an internal attacker.

A packet sniffer is hard to detect because it operates passively. It simply collects information, rather than actively searching for data. Many network intrusion detection systems (NIDS) attempt to detect promiscuous mode by watching for certain behaviors, but these methods are not always effective.
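The network-side checks mentioned above have a host-side counterpart: on Linux, an interface that has been put into promiscuous mode carries the IFF_PROMISC flag in the flag word exposed under /sys/class/net/<iface>/flags. The following Python is an added example, not code from the book, showing how an administrator can audit a host for such interfaces. The sample flag values are constructed; the sysfs path and the IFF_* bit values are those of the Linux kernel headers.

```python
import os

# Bit values from <linux/if.h>; IFF_PROMISC is the one a sniffer sets.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000


def promiscuous_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flag word has IFF_PROMISC set.

    flags_by_iface maps an interface name to the hex string found in
    /sys/class/net/<iface>/flags (for example "0x1103").
    """
    found = []
    for iface, raw in flags_by_iface.items():
        try:
            flags = int(raw.strip(), 16)
        except ValueError:
            continue  # unreadable flag word: skip rather than guess
        if flags & IFF_PROMISC:
            found.append(iface)
    return sorted(found)


def read_linux_interface_flags(sysfs_root="/sys/class/net"):
    """Collect the raw flag word of every interface on a Linux host.

    Returns an empty mapping on systems without sysfs, so the audit
    degrades to "nothing found" instead of crashing.
    """
    flags = {}
    if not os.path.isdir(sysfs_root):
        return flags
    for iface in os.listdir(sysfs_root):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue  # virtual or vanished interface; ignore it
    return flags


# Constructed sample: eth1 has the promiscuous bit set, lo and eth0 do not.
SAMPLE_FLAGS = {
    "lo": "0x9",       # UP | LOOPBACK
    "eth0": "0x1003",  # UP | BROADCAST | MULTICAST
    "eth1": "0x1103",  # UP | BROADCAST | PROMISC | MULTICAST
}

if __name__ == "__main__":
    print("sample audit:", promiscuous_interfaces(SAMPLE_FLAGS))
    print("this host:", promiscuous_interfaces(read_linux_interface_flags()))
```

Running this from a periodic job and alerting on any non-empty result gives a simple check that complements a NIDS. Like the network-side methods the text describes, it is not conclusive: the flag is only visible on the host itself, and a sniffer running on a host the attacker fully controls can be hidden from a userland check like this one.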

3.1.1 Port Scanning

Prior to sniffing a network an attacker has to gain access. Attackers gain access by scanning devices on the network for vulnerabilities, then exploiting them. Port scanning can be either targeted or random. An attacker interested in a particular network will attempt to track down information about that network and scan it for vulnerabilities. Alternatively, attackers will put large netblocks into a port scanner and let it run for days, trying to find any machine that is available and able to be exploited. This highlights the difference between an attacker and a script kiddie.

NOTE

A knowledgeable attacker is looking for specific information; a script kiddie simply wants to destroy things.


A tool commonly used for port scanning is nmap (www.insecure.org/nmap/). It allows users to enter a range of IP addresses, choose the type of scan desired, and let the program run in the background. When it has completed its sweep it will produce a report showing, for each network device, the ports which responded:

    [root@test root]# nmap -sT www.datacenterwire.com

    Starting nmap V. 2.99RC2 ( www.insecure.org/nmap/ )
    Interesting ports on (66.150.201.102):
    (The 1589 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    81/tcp     open        hosts2-ns
    110/tcp    open        pop-3
    443/tcp    open        https
    587/tcp    open        submission
    3306/tcp   open        mysql
    5432/tcp   open        postgres
    10000/tcp  open        snet-sensor-mgmt

    Nmap run completed -- 1 IP address (1 host up) scanned in 48 seconds

Nmap can be configured to scan all TCP and User Datagram Protocol (UDP) ports, or just the ports that generally have services running on them. Using the information collected in the example, notice there were 12 out of 1,589 scanned ports responding on the server.
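The same report is useful from the defender's side: scanning your own hosts and comparing the result against the services that are supposed to be reachable turns a port list into an exposure review. The Python below is an added example, not code from the book, that parses nmap's classic text report into structured rows, counts the open ports, and lists any that fall outside an allowed baseline. The sample report is the one shown above, reflowed one entry per line; the allowed-port baseline is an assumption made for the example.

```python
import re
from collections import namedtuple

PortRow = namedtuple("PortRow", "port proto state service")

# Sample input: the nmap report from the chapter, one entry per line.
SAMPLE_REPORT = """\
Starting nmap V. 2.99RC2 ( www.insecure.org/nmap/ )
Interesting ports on (66.150.201.102):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
81/tcp     open        hosts2-ns
110/tcp    open        pop-3
443/tcp    open        https
587/tcp    open        submission
3306/tcp   open        mysql
5432/tcp   open        postgres
10000/tcp  open        snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 48 seconds
"""

# One "port/proto  state  service" row, e.g. "21/tcp  open  ftp".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# The summary line for ports nmap did not list individually.
NOT_SHOWN = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)"
)


def parse_nmap_report(text):
    """Return (rows, not_shown) where rows are PortRow tuples in report order
    and not_shown maps a state name to the count of unlisted ports in it."""
    rows = []
    not_shown = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append(PortRow(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = NOT_SHOWN.search(line)
        if m:
            not_shown[m.group(2)] = int(m.group(1))
    return rows, not_shown


def open_ports(rows):
    """Only the ports that actually responded."""
    return [r for r in rows if r.state == "open"]


def unexpected_exposure(rows, allowed):
    """Open ports whose (port, proto) pair is not in the allowed baseline."""
    return [r for r in open_ports(rows) if (r.port, r.proto) not in allowed]


# Assumed baseline for a public web and mail host; anything else needs a reason.
ALLOWED = {(22, "tcp"), (25, "tcp"), (53, "tcp"), (80, "tcp"), (443, "tcp"), (587, "tcp")}

if __name__ == "__main__":
    rows, not_shown = parse_nmap_report(SAMPLE_REPORT)
    print(f"{len(open_ports(rows))} open, {not_shown.get('closed', 0)} closed and not listed")
    for r in unexpected_exposure(rows, ALLOWED):
        print(f"review: {r.port}/{r.proto} ({r.service}) is reachable but not in the baseline")
```

On the sample report this flags six services, including the database listeners on 3306/tcp and 5432/tcp, which is exactly the kind of finding a periodic self-scan is meant to surface before an outsider does.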

Once the list of ports and host names has been compiled, the next step is to try to exploit weaknesses in the various server configurations. This involves knowing what the weaknesses of the different servers are and exploiting those weaknesses.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska