Monday, February 16, 2009

What is Sniffer and how to detect sniffing in computer network

Sniffing is the electronic form of eavesdropping on the communications that computers transmit across networks. In early networks, the equipment that connected machines allowed every machine on the network to see the traffic of all others. These devices, repeaters and hubs, were very successful in connecting machines, but allowed an attacker easy access to all traffic on the because the attacker only needed to connect to one point to see the entire network’s traffic.

Sniffing is one of the most effective techniques in attacking a wireless network, whether it is mapping the network to gain information, to grab password, or to capture unencrypted data.

Sniffing is a powerful tool in the hands of a hacker. Sniffers usually act as network probes or snoops, examining network traffic but not intercepting or altering it.

How a Sniffer works?

Once a hacker has found possible networks to attack, one of their first tasks is to identify the target. Many organizations are nice enough to include their names or addresses in the network name.

The Sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode.

Once a NIC is promiscuous mode, a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card.

Data traveling along the network comes as frames, or packets, bursts of bits formatted to specific protocols. Because of this strict formatting, the sniffer peels away the layers of encapsulation and decodes the relevant information stored in the packet sent, including the identity of the source computer, that of the targeted computer, and every piece of information exchanged between the two computer.

Even if the network administrator has configured his equipment in such a way as to hide information, there are tools available that can determine this information. Utilizing any well known network sniffing tools, an attacker can easily monitor the unencrypted networks.

Protocols Vulnerable to Sniffing:

Telnet and Re-login: With sniffing, keystrokes of a user can be captured as they are typed, including the user’s username and password. Some tools can capture all text and dump it into a terminal emulator, which can reconstruct exactly what the end user is seeing. This can produce a real time viewer on the remote user’s screen.

HTTP: The default version of HTTP has many loop-holes . Basic authentication is used by many websites, which usually send passwords across the wire in the plain text. Many websites use a technique that prompts the user for a username and password that are sent across the network in the plain text. Data sent is in clear text.

SNMP: SNMP traffic that is SNMPv1 has no good security. SNMP passwords are sent in clear text across the networks.

NNTP: Passwords and data are sent in the clear text across the network.

POP: Passwords and data are sent in the clear text across the network.

FTP: Passwords and data are sent in the clear text across the network.

IMAP: Passwords and data are sent in the clear text across the network.

Passive Vs. Active Sniffing

Sniffers are a powerful piece of software. They have the capability to place the hosting system’s network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it.

Passive Sniffing

If you are on a hub, a lot of traffic can potentially be affected. Hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing.

Passive sniffing is performed when the user is on a hub. Because the user is on a hub, all traffic is sent to all ports. All the attacker must do is to start the sniffer and just wait for someone on the same collision domain to start sending or receiving data. Collision domain is a logical area of the network in which one or more data packets can collide with each other.

Passive sniffing worked well during the days that hubs were used. The problem is that there are few of these devices left. Most modern networks use switches. That is where active sniffing comes in.

Active Sniffing

When sniffing is performed on a switched network, it is known as active sniffing.

Active sniffing relies on injecting packets into the network that causes traffic. Active sniffing is required to bypass the segmentation that switches provided. Switches maintain their own ARP cache in a special type of memory known as Content Addressable Memory (CAM), keeping track of which host is connected to which port.

Sniffers operate at the Data Link layer of the OSI model. This means that they do not have to play by the same rules as applications and services that reside further up the stack. Sniffers can grab whatever they see on the wire and record it for later review. They allow the user to see all the data contained in the packet, even information that should remain hidden.

The terms active and passive sniffing has also been used to describe wireless network sniffing. They have analogous meaning. Passive wireless sniffing involves sending no packets, and monitoring the packets send by the others. Active sniffing involves sending out multiple network probes to identify APs.

Protecting Against Sniffing & Eavesdropping

Now wired networks upgrade from repeaters and hubs to switched environment. These switches would send only the traffic intended for a specific host over each individual port, making it to difficult to sniff the entire network’s traffic but unfortunately this is not an option for wireless networks due to the nature of wireless communications.

The only way to protect wireless users from attackers who might be sniffing is to utilize encrypted sessions wherever possible:

SSL for e-mail connection, SSH instead of Telnet, and Secure Copy (SCP) instead of File Transfer Protocol (FTP).

To protect a network from being discovered with sniffing tools, it is important to turn off any network identification broadcasts and if possible, close down the network to any unauthorized users.

Detecting a Sniffer

Sniffers are a major source of contemporary attacks. The “ifconfig” command is used to detect if a sniffer has been installed.

The “ifconfig” command displays the current configuration of your network interface. Most Ethernet adaptors are configured to accept only messages intended for them. An attacker must set a computer’s adaptor to “promiscuous mode,” in order to listen to (and record) everything on its segment of the Ethernet.

Antisniff, that scans networks to determine if any NICs are running in promiscuous mode. These detection tools should run regularly, since they act as an alarm of sorts, triggered by evidence of a sniffer.

Promqry 1.0, developed by Tim Rains at Microsoft can be used in identifying Sniffers. According to Tim Rains many network sniffer detection tools rely on bugs in the operating system and sniffer behavior for their discovery work. Promqry is different in that it can query systems to learn if any have a network interface operating in promiscuous mode, which as you know is a mode commonly use by network sniffing software. A command line version and a version with a GUI of Promqry 1.0 is available at Microsoft’s site.

No comments:

Post a Comment

You Have Successfully Posted the Message.