
Switched networks lose their security advantage due to packet-capturing tool

By Stuart McClure & Joel Scambray

The art of "sniffing" network traffic, or capturing packets on the wire, has long been one of the most fruitful parts of any malicious hacker attack. The bad guys can read entire e-mail messages, gain passwords, and obtain complete access by simply running a network sniffer on a shared Ethernet or Token Ring network.

Of course, the rich man's countermeasure to this type of attack has always been encryption. But the poor man's countermeasure was always to move away from the traditional shared Ethernet to new network-switching technology. In the book we published recently, many of our packet-capture countermeasures involved recommending a switch to keep the sniffing hounds at bay. But all this has changed with the advent of dsniff by Dug Song at CITI, the Center for Information Technology Integration, a research lab at the University of Michigan.

Sniffing traffic allows an unauthorized computer user to view the traffic destined for someone else. In other words, by sending an e-mail message to a colleague at work, you could also be sending it to your cubicle neighbor, or to the whole company. The technique of sniffing traffic on a switched segment has been discussed in security circles for some time, but Dug has put the theory into practice. With little more than an ARP (address resolution protocol) redirect program and IP forwarding, an attacker can sniff every station on your switched network. The potential damage to your network from a sniffing attack of this nature can be nuclear. Few administrators know about this technology, and even fewer fight the menace. But don't take our word for it; check it out yourself.

Sniffing on a switch

Switching technology, by definition, switches packets from one destination to another without passing them by any of the other stations on a network, thereby reducing the risk of the packets being picked up. But arpredirect, the utility within the dsniff distribution, makes sniffing on a switched network easier than a DDoS (distributed denial of service) attack in February.

This is how it works: The attacker's system sends out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened.

You will need to use either the kernel-level IP forwarding in /proc/sys/net/ipv4/ip_forward or fragrouter on a Linux system to perform the packet forwarding. So by forging ARP replies for the default gateway of a network, all traffic destined for the default gateway will be sent to and then forwarded by the attack system. Once the traffic reaches that system, anything in it can be grabbed, including passwords for protocols such as SNMP, FTP, POP (post office protocol), HTTP, IRC (Internet Relay Chat), Telnet, and many others. In addition to the passwords, all cleartext e-mail is readable as well.

Bag o' goodies

Besides arpredirect, the dsniff distribution comes with its marquee tool: dsniff. The tool is a remarkable password sniffer and collects just about every cleartext and poorly encrypted password. These include all the usual suspects, plus NNTP (Network News Transfer Protocol), IMAP (Internet Message Access Protocol), LDAP, RIP (Routing Information Protocol), OSPF (Open Shortest Path First), NFS (Network File System), YP (Yellow Pages), Socks, X11, CVS (concurrent versions system), IRC, AIM (AOL instant messaging), ICQ, Napster, PostgreSQL, Meeting Maker, Citrix Independent Computing Architecture, Symantec pcAnywhere, NAI Sniffer, Microsoft Server Message Block, and Oracle SQLNet authorization information.

Mailsnarf is another tool for grabbing network data, but this utility reassembles and displays e-mail traffic in a legible manner, thus enabling you to read other users' e-mail in real time. And finally, Webspy is a great utility for watching what your users are doing on the network; it will refresh your browser with the Web pages being viewed on anyone's system.

Solutions

The only real solution to this type of attack is encryption. No matter how much packet sniffing is possible on your network, by using applications that encrypt the traffic, users can at least be moderately reassured that their information will be safe from prying eyes. The detection solution is to monitor ARP traffic on your network and detect when ARP entries are being changed. You can use a product such as arpwatch, by Craig Leres, at ftp://ftp.ee.lbl.gov/arpwatch.tar.Z. Of course, neither solution is all that great, and it makes you wonder how many years we will be dealing with this vulnerability.
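To make the detection approach concrete, here is an added example (not code from the article or from arpwatch) of an arpwatch-style monitor: it walks a stream of observed ARP replies, keeps an IP-to-MAC table, and flags the symptom of the attack described above, a known IP, above all the default gateway, suddenly being claimed by a different MAC. The gateway address and the ARP replies are constructed for illustration.

```python
from collections import namedtuple

# One observed ARP reply: (timestamp, sender IP, sender MAC). Constructed data.
ArpReply = namedtuple("ArpReply", "ts ip mac")

GATEWAY_IP = "10.0.0.1"   # assumed default gateway of the monitored LAN

def monitor_arp(replies, gateway_ip=GATEWAY_IP):
    """Walk ARP replies in order and return the alerts they produce.

    Alert kinds borrow arpwatch's vocabulary:
      new station      - IP seen for the first time
      changed ethernet - IP now claimed by a MAC different from the last one
      flip flop        - IP changed back to a MAC it used before
    Changes to the gateway's MAC are tagged GATEWAY, because that is the
    exact effect of arpredirect: every host believes the gateway moved.
    """
    table = {}     # ip -> MAC currently associated with it
    history = {}   # ip -> every MAC ever seen for it
    alerts = []
    for r in replies:
        seen = history.setdefault(r.ip, set())
        if r.ip not in table:
            alerts.append((r.ts, "new station", r.ip, r.mac))
        elif table[r.ip] != r.mac:
            kind = "flip flop" if r.mac in seen else "changed ethernet"
            if r.ip == gateway_ip:
                kind += " GATEWAY"
            alerts.append((r.ts, kind, r.ip, f"{table[r.ip]} -> {r.mac}"))
        table[r.ip] = r.mac
        seen.add(r.mac)
    return alerts

def gateway_alerts(alerts):
    """Only the alerts that concern the default gateway's MAC changing."""
    return [a for a in alerts if "GATEWAY" in a[1]]

# Constructed sample: the gateway answers normally, then a second MAC claims
# its IP, then the real gateway answers again (the flip flop arpwatch reports).
SAMPLE = [
    ArpReply(1, "10.0.0.1",  "00:11:22:33:44:01"),
    ArpReply(2, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(3, "10.0.0.1",  "00:11:22:33:44:01"),   # same MAC, no alert
    ArpReply(4, "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway "moved"
    ArpReply(5, "10.0.0.1",  "00:11:22:33:44:01"),   # real gateway is back
]
```

Running `monitor_arp(SAMPLE)` yields two "new station" alerts followed by a "changed ethernet GATEWAY" and a "flip flop GATEWAY" alert; in a real deployment the gateway-tagged alerts are the ones worth paging on.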
