
In Search of a Sniffer

Security is a process, not a product! --Bruce Schneier

A sniffer is a program or device that eavesdrops on network traffic and grabs information traveling over the network. Sniffers are basically data interception programs. They work because Ethernet was built around a principle of sharing. Most networks use what is known as broadcast technology, meaning that every message transmitted by one computer on a network can be read by any other computer on that network. In practice, all the other computers, except the one for which the message is meant, will ignore that message. However, computers can be made to accept messages, even if they are not meant for them, by means of a sniffer.

How a Sniffer Works

Suppose the machine Venus wants to talk to the machine Cupid. Venus has the IP address 144.16.103.3, whereas Cupid has the IP address 144.16.103.2. When Venus sends a packet on the network, it includes the destination media access control (MAC) address and the source MAC address. All the computers on the network compare the frame's destination MAC address with their own MAC addresses. When the two don't match, the frame is discarded. The machine running the sniffer breaks this rule and does not discard the frame. Such a machine is said to be in promiscuous mode and can effectively listen to all the network traffic.

Detecting Sniffers

A sniffer is usually passive; it only collects data. Hence, it becomes extremely difficult to detect sniffers. When installed on a computer, a sniffer will generate some small amount of traffic, though, and is therefore detectable. Here is an overview of the detection methods:

Ping Method: The trick used here is to send a ping request with the IP address of the suspect machine but not its MAC address. Ideally, no machine should see this packet, as each Ethernet adaptor will reject it since it does not match its own MAC address. If the suspect machine is running a sniffer, it will respond, since it does not reject packets with a different destination MAC address. This is an old method and no longer reliable.

Address Resolution Protocol (ARP) Method: A machine caches ARPs, so what we do is send a non-broadcast ARP. A machine in promiscuous mode will cache your ARP address. Next, we send a broadcast ping packet with our IP address but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. Voilà!

On Local Host: Often, after
your machine has been compromised, hackers will leave sniffers on it in order to compromise other hosts. On a local machine, run ifconfig. On a clean machine, the output will be:

        eth0      Link encap:Ethernet  HWaddr 52:54:05:F3:95:01  
                  inet addr:203.199.66.243  Bcast:203.199.  ...
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  ...

But on a machine running a sniffer, the output shows the PROMISC flag:

        eth0      Link encap:Ethernet  HWaddr 52:54:05:F3:95:01  
                  inet addr:203.199.66.243  Bcast:203.199.  ...
                  UP BROADCAST RUNNING PROMISC MULTICAST    ...

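As an added example (my code, not the article's), here are two of the detection ideas above in working form: the local-host check, as a parser for the PROMISC flag in ifconfig or ip link output plus a direct read of the kernel's interface flags from sysfs (Linux only; the IFF_PROMISC bit value is the kernel's), and the core of the ARP method, as a builder for the non-broadcast ARP probe and a check of which probed hosts replied. Sending and capturing the frames needs a raw socket and is left out. The bogus destination address ff:ff:ff:ff:ff:fe, Cupid's MAC address and the sample ifconfig text are constructed for this example; the IP addresses and Venus's MAC come from the article.

```python
"""Sniffer-detection helpers: an added example, not code from the article.
Part 1, the local-host check: find PROMISC in ifconfig / 'ip link' output, or
read the kernel's interface flags from sysfs. Part 2, the core of the ARP
method: an ARP request whose Ethernet destination no host owns, so only a
promiscuous card passes it up, plus a check of which probed hosts answered.
Sending and capturing frames (AF_PACKET raw sockets) is left out."""
import ipaddress
import re
import struct
import textwrap
from pathlib import Path

IFF_PROMISC = 0x100   # Linux IFF_PROMISC bit as shown in /sys/class/net/<iface>/flags
ETH_P_ARP = 0x0806    # EtherType of ARP

# ---- Part 1: local-host check ----
def promisc_interfaces(output):
    """Names of interfaces whose record in ifconfig or 'ip link show' output
    carries PROMISC. Records start at column 0 and continuation lines are
    indented, which is how both tools lay out their output."""
    names = []
    for record in re.split(r"\n(?=\S)", textwrap.dedent(output).strip()):
        m = re.match(r"(?:\d+:\s*)?([A-Za-z0-9@._-]+)", record)  # 'eth0 ...' or '2: eth0: ...'
        if m and re.search(r"\bPROMISC\b", record):
            names.append(m.group(1))
    return names

def flags_are_promisc(flags_text):
    """Interpret the hex string stored in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def is_promisc_sysfs(iface, sysfs_root="/sys/class/net"):
    """Linux only: ask the kernel instead of a userland tool a rootkit may have replaced."""
    return flags_are_promisc(Path(sysfs_root, iface, "flags").read_text())

# ---- Part 2: ARP probe ----
def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_frame(src_mac, src_ip, target_ip, dst_mac,
                    target_mac="00:00:00:00:00:00", op=1):
    """Raw Ethernet II + ARP frame, 42 bytes. op 1 = request, op 2 = reply."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw Ethernet, proto IPv4, hlen 6, plen 4
    arp += mac_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def build_arp_probe(src_mac, src_ip, target_ip, bogus_dst="ff:ff:ff:ff:ff:fe"):
    """An ordinary 'who-has target_ip' request except for its Ethernet destination:
    not broadcast and owned by no adaptor (bogus_dst is this example's choice).
    A card in normal mode drops it in hardware; a promiscuous card passes it up
    and the stack may answer. Which address draws an answer depends on the
    target's network stack, so silence does not prove a host is clean."""
    return build_arp_frame(src_mac, src_ip, target_ip, dst_mac=bogus_dst)

def parse_arp_reply(frame):
    """(sender_mac, sender_ip) if the frame is an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32]))

def suspects(probed_ips, captured_frames):
    """Probed hosts that replied saw a frame not addressed to them: flag them."""
    answered = {r[1] for r in map(parse_arp_reply, captured_frames) if r}
    return sorted(ip for ip in probed_ips if ip in answered)

# Constructed demonstration data: IPs are the article's Venus and Cupid, Venus's
# MAC is the one in the article's ifconfig output, Cupid's MAC is made up.
VENUS_MAC, VENUS_IP = "52:54:05:f3:95:01", "144.16.103.3"
CUPID_MAC, CUPID_IP = "52:54:05:f3:95:02", "144.16.103.2"
PROBE = build_arp_probe(VENUS_MAC, VENUS_IP, CUPID_IP)
# What a promiscuous Cupid would send back; a clean Cupid never sees the probe.
CUPID_REPLY = build_arp_frame(CUPID_MAC, CUPID_IP, VENUS_IP, dst_mac=VENUS_MAC,
                              target_mac=VENUS_MAC, op=2)
# Constructed ifconfig output (documentation address range) with one promiscuous card.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 52:54:05:F3:95:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    print("PROMISC interfaces:", promisc_interfaces(SAMPLE_IFCONFIG))   # ['eth0']
    print("suspects:", suspects([CUPID_IP], [CUPID_REPLY, PROBE]))       # ['144.16.103.2']
```

Reading /sys/class/net/<iface>/flags matters because a sniffer left behind by an intruder usually comes with a replaced ifconfig that omits PROMISC; the kernel's own record, and the "entered promiscuous mode" line it writes to the kernel log, are harder to hide. As with the ping method, a probed host that stays silent is not proof of a clean card, since whether the stack answers a frame carrying a foreign destination address depends on the operating system.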
(The ifconfig output above is slightly modified to fit the screen.)

Latency Method: This method is based on the assumption that most sniffers do some parsing. Simply put, a huge amount of data is sent on the network, and the suspect machine is pinged before and during the data flooding. If the machine is in promiscuous mode, it will parse the data, increasing the load on it. It will therefore take extra time to respond to the ping packet. This difference in response times can be used as an indicator of whether or not a machine is in promiscuous mode. A point worth noting is that the packets may be delayed because of the load on the wire, resulting in false positives.

Preventing Sniffing

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

Switch to SSH. SSH is fast becoming the de facto standard method of connecting to a UNIX/Linux machine. For more information on SSH, check out www.ssh.fi/. You might also want to check out the open-source implementation, OpenSSH, at www.openssh.org/.

Sniffing Tools

Since I have been a Linux man for years, I will list some of
the commonly available sniffers for Linux.

tcpdump: The granddaddy of packet sniffers. Ships by default on many Linux distributions.

sniffit: Robust packet sniffer with good filtering. Available at the sniffit web site.

ethereal: A free network protocol analyzer for UNIX and Windows. It allows you to examine data from a live network or from a capture file on disk. Available at the ethereal web site.

hunt: According to Pavel Krauz, the main goal of the HUNT project is to develop tools for exploiting well-known weaknesses in the TCP/IP protocol suite. With hunt, I think he comes pretty close to that goal. Available by FTP.

dsniff: I won't say much about dsniff except to point to an article by Kurt Seifried titled "The End of SSL and SSH". As Mark Joseph Edwards puts it in the article, "Dsniff is the Swiss army knife of privacy invasion." The package ships with a handful of nasties: urlsnarf, msgsnarf, mailsnarf, webspy, dsniff, etc.

Programs to Detect Sniffers

Anti Sniff: From L0pht Heavy Industries comes the new program, Anti Sniff. It has the ability to monitor a network and detect if a computer is in promiscuous mode. Available from www.securitysoftwaretech.com.

Neped: It detects network cards on the network that are in promiscuous mode by exploiting a flaw in the ARP protocol, as implemented on Linux machines. Outdated. Available by FTP.

References

Antisniff Technical Details: http://www.securitysoftwaretech.com/antisniff/tech-paper.html

Robert Graham's Sniffing FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html

Sumit Dhar is the Manager, Business Development and Products, for Design Expo Networks. He can be reached at dhar@dexponet.com.
