SNIFFERS OVERVIEW

Sniffers can listen for and record any raw data that passes through, over, or by a physical (hardware) network interface. They operate at a very low level (that is, as a kernel or OS-level application) so that they can communicate directly with the network interface in a language it understands. For example, a sniffer can tell an Ethernet network interface card (NIC) to send it a copy of every single Ethernet frame that arrives on the interface, regardless of what it is or where it's going.

The sniffer typically operates on the Data Link layer of the OSI model so it doesn't have to play by the rules of any higher-level protocols. It bypasses the filtering mechanisms (addresses, ports, messages, and so on) that the Ethernet drivers and TCP/IP stack use when interpreting data that arrives "on the wire." The sniffer grabs anything it can and stores the raw Ethernet frames for analysis.
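
An added illustration of the point above, written for this page (it is not the book's code): it decodes hand-built Ethernet frames the way a sniffer would and models the NIC's normal destination-address filter against promiscuous mode. The MAC and IP addresses, the telnet payload and the function names are all assumptions for the demo; a real sniffer obtains the frame bytes through libpcap or a raw socket, which is omitted here.

```python
import socket
import struct

ETHERTYPE_IPV4, BROADCAST = 0x0800, b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def nic_would_accept(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Normal NIC address filter: own unicast, broadcast, or multicast frames only.
    A sniffer turns on promiscuous mode so the NIC hands up every frame instead."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header; for IPv4 carrying TCP, also the addresses
    and ports. No checksums are verified: a sniffer stores whatever it sees."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        info["proto"] = frame[23]      # 6 = TCP, 17 = UDP, ...
        info["src_ip"] = socket.inet_ntoa(frame[26:30])
        info["dst_ip"] = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if info["proto"] == 6 and len(l4) >= 4:
            info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def sniff(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Decoded frames this host would see under the given NIC mode."""
    return [decode_frame(f) for f in frames if nic_would_accept(f, own_mac, promiscuous)]


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed frame for the demo (checksums left zero; not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


# Constructed samples (made-up addresses): a telnet login between two other hosts,
# which a normally filtering NIC on this host drops, and an ARP broadcast it keeps.
MAC_A, MAC_B, MAC_ME = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
SAMPLE_FRAMES = [
    build_tcp_frame(MAC_B, MAC_A, "10.0.0.5", "10.0.0.9", 40000, 23, b"login: alice\r\n"),
    BROADCAST + MAC_A + struct.pack("!H", 0x0806) + b"\x00" * 28,
]
```

With the filter on, only the broadcast reaches this host; in promiscuous mode the telnet segment addressed to another machine is decoded too, ports and all.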

As with many other security tools, sniffers have acquired a kind of mystical quality, albeit one that's not necessarily deserved. Everyone's heard of them and is aware of their power, but many people outside the network security community think that sniffers are black magic used only by hackers, thieves, and other hoodlums. Sniffers are just another useful tool for system and network administrators. The first sniffers were used to debug networks, not hack into them. While they can be used in the unauthorized capture of information and passwords, they can also diagnose network problems or pinpoint failures in an IP connection.

One reason sniffers pose less of a threat is that encrypted communications are more common, although not as ubiquitous as they could be. People who used to check their e-mail by telnetting into shell accounts, a session that travels as clear, unencrypted text for every intermediate router, hub, and switch to see, now take advantage of the encryption available through Secure Shell (SSH). Secure Sockets Layer (SSL) has become more prevalent as protection for users who log into web sites. Savvy administrators have replaced the less secure, clear-text communications of FTP with SSL, Secure Copy (SCP), or Secure FTP (SFTP). Other unencrypted services can be replaced by the point-to-point encryption of Virtual Private Networks (VPNs).

The bottom line is that sniffers exist and people will abuse them. It's no different from tapping someone's phone, bugging someone's room, or simply eavesdropping on the table next to you in a restaurant. If you have any concern for the confidentiality of your data, then don't transmit it over unencrypted channels. Yet there are still two caveats for sniffers:

  • Sniffers must be placed on the network local to either end of the communication or on an intermediary point, such as a router, through which the communication passes. It's much easier to sniff traffic in a shared computing environment like a coffee shop, school, or library than it is to target arbitrary cable modem or DSL users.

  • Current tools use encryption standards that make it extremely difficult to capture useful information. Be aware that programmers still make mistakes in the implementation of encryption, so even the latest algorithms may be inadvertently crippled.

Switched networks make it more difficult, but not impossible, for LAN users to sniff data from the network. Wireless networks, however, open up a whole new can of worms, as you'll see in Chapter 17. In this chapter we'll introduce several sniffers and point out their usefulness and some possible countermeasures.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175