SwitchSniff

For those who think switched Ethernet environments are sniff-proof, the author offers this warning.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.-- Sun Tzu in The Art of War

While I was at university, I once discussed the topic of sniffers with an experienced network administrator. He casually mentioned that he was not bothered by sniffers, as all his machines were connected to switches. This was someone who was paranoid about security and read almost all security newsgroups religiously, but he was living in complete ignorance about the threat to his network. Unfortunately, he is not alone as many experienced systems and network administrators feel switches are immune to being sniffed. Switches may be difficult to sniff, but they are certainly not immune.

Networking Basics

A computer connected to the LAN has two addresses. One is the MAC (media access control) address that uniquely identifies each node in a network and is stored on the network card itself. Each network card has a unique MAC address. It is the MAC address that gets used by the Ethernet protocol while building `frames' to transfer data to and from a machine. The other address is the IP address, which is used by applications.

The Ethernet header uses the MAC address of the destination machine and not the IP address. It is the job of the network layer to map a particular IP address to the corresponding MAC address, as required by the Data Link Protocol. It does this by initially looking up the MAC address of the destination machine in a table, usually called the ARP cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address (ARP reply). This MAC address is added to the source machines ARP cache, and it is then used by the source machine in all its communications with the destination machine.

Ethernet Environments

Two basic types of Ethernets environments exist, and how sniffers work in each of them is different.

  • Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network.

  • Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a Switched Ethernet. The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result of this, most network administrators assume that sniffers don't work in a Switched Environment.

Methods to Sniff on a Switch

As mentioned earlier, a switch is certainly more secure than a hub when it comes to sniffing, but it is certainly not immune. The following methods are used to sniff the traffic on a switch:

  1. ARP Spoofing: We have explained earlier how ARP is used to obtain the MAC address of the destination machine with which we wish to communicate. The ARP is stateless, you can send a ARP reply, even if one has not been asked for and such a reply will be accepted. Ideally, when you want to sniff the traffic originating from a machine, you need to ARP spoof the gateway of the network. The ARP cache of that machine will now have a wrong entry for the gateway and is said to be "poisoned". This way all the traffic from that machine destined for the gateway will pass through your machine. Another trick that can be used is to poison a hosts ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF(also known as the broadcast MAC). There are various utilities available for ARP spoofing. An excellent tool for this is the arpspoof utility that comes with the dsniff suite. Using arpspoof to poison the ARP cache of a machine is accomplished by giving the command:

    [root@tachyon dhar]# arpspoof -t 203.199.66.243 203.199.66.193
    0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply 203.199.66.193 is-at 0:80:ad:7c:7:3a
    0:80:ad:7c:7:3a 52:54:5:f3:95:1 0806 42: arp reply 203.199.66.193 is-at 0:80:ad:7c:7:3a
    

    The -t flag specifies the target whose ARP cache we wish to poison, and the other argument is the IP address of the gateway that we wish to spoof. Now all the data destined for the gateway from the target machine will have to pass through our machine. Before you ARP spoof the gateway, however, it is essential to turn on IP Forwarding for your machine. This can be done by giving the command:

    [root@tachyon dhar]# echo 1 > /proc/sys/net/ipv4/ip_forward 
    [root@tachyon dhar]# cat /proc/sys/net/ipv4/ip_forward
    1
    [root@tachyon dhar]#
    

    If the cat command returns a value of 1, then IP Forwarding has been enabled; if it returns 0, it means IP Forwarding has not been enabled.

  2. MAC Flooding: Switches keep a translation table that maps various MAC addresses to the physical ports on the switch. As a result of this, a switch can intelligently route packets from one host to another, but it has a limited memory for this work. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch can't keep up. The switch then enters into what is known as a `failopen mode', wherein it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily. MAC flooding can be performed by using macof, a utility which comes with dsniff suite.

    [root@tachyon dhar]# macof
    77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 0.0.0.0.45702 > 0.0.0.0.11000: S 1847390231:1847390231(0) win 512
    84:a4:d3:57:ef:8 12:56:52:42:dc:95 0.0.0.0.16630 > 0.0.0.0.3031: S 1484147693:1484147693(0) win 512
    88:f0:9:3f:18:89 d:86:53:53:d7:f8 0.0.0.0.15535 > 0.0.0.0.7466: S 293820390:293820390(0) win 512
    

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

SwitchSnarf

Ekrem's picture

Switchsnarf is windows based helper apllication, you can sniff a computer switched network with switchsnarf.

Re: SwitchSniff

Anonymous's picture

There are some good uses for this too. Example, if you wanted to find out who is using all your bandwidth, but your not a sysadmin. You can use ettercap to poison the ARP cache of your default route, which will also enable you to span multiple switches, then use something like etherape to see what's going on.

Some switched will crash and burn, so be carefull where you try this.

Has anyone tried to use this technique to for a good purpose. Example, an IDS, IP accounting, etc where you don't have control of the switch to setup a mirror port?

Re: SwitchSniff

Anonymous's picture

If a switch is sent into 'failopen mode' will the computers connected to the switch be forced to compete for bandwith like they would on a hub?

Re: SwitchSniff

Anonymous's picture

Yes, That would sort of happen automatically.

In half-duplex mode: This competing is defined by the NIC listening for traffic before it sends traffic. If it's connected to a switch, the switch only sends stuff to it, so the NIC is competing with the switch only instead of all the other computers. When the switch goes into 'hub' mode, the sending NIC, now has a bunch of traffic to dodge before it can send it's packet.

In full-duplex mode (just a guess): There is not collision detection, the NIC sends and receives at the same time, the overloaded switch would still send everything to everyone, but the sending would not interrupt the receiving and vice versa. I have heard of some switches that revert to half-duplex when overloaded.

Re: SwitchSniff

Anonymous's picture

Once a switch goes into a failopen mode, it behaves exactly like a hub. Computers connected to it will then have to compete for bandwidth like in case of a hub. In fact though it is not mentioned in the article, suspicious administrators should often look for such signs in a Network...

Dhar

Re: SwitchSniff

Anonymous's picture

Most switches will fail open when fully staturated as well. Meaning it will act like a hub when the traffic is at or over 100%.

Re: SwitchSniff

Anonymous's picture

There are Ethernets that don't use IP, so it is not true that every computer has an IP address.

kinsella@ITCarlow.ie

ARP vs Datalink

Anonymous's picture

It's not Data Link who maps IP addresses to MACs, baby. Different layer. Otherwise, useful article. thanx.

Re: ARP vs Datalink

Anonymous's picture

looks like layer 2 to me. does not the LLC sublayer provide access for upper layer protocols ( layer 3) to the MAC sublayer?

Re: ARP vs Datalink

Anonymous's picture

just out of curiosity... is it the Network layer (L3) then?

Read these books.

Anonymous's picture

@Book{stevens94:_tcp_ip_illus_vol1,
author = {W. Richard Stevens},
title = {TCP/IP Illustrated, Volume 1: The Protocols},
publisher = {Addison-Wesley},
year = 1994,
series = {Addison-Wesley Professional Computing Series}
}

@Book{tanenbaum96:_comput_networ,
author = {Andrew S. Tanenbaum},
editor = {Noreen Regina},
title = {Computer Networks},
publisher = {Prentice Hall PTR},
year = 1996,
edition = {Third}
}

Re: SwitchSniff

Anonymous's picture

A switch can be configured (with good planning) to stop both of these sniffing methods. However, there are always tradeoffs with this type of configuration, ex. more administration work.

Re: SwitchSniff

Anonymous's picture

out of interest: how?

Re: SwitchSniff

Anonymous's picture

you could do it by manually adding the ARP entries into the switch

Re: SwitchSniff

Anonymous's picture

This of course assumes you are using managed switches, which cost many times more than unmanaged ones. I think you can still achieve good security results by using reservations for dhcp leases(better organization too), adding static entries in arp tables to places like file servers, DNS, and gateways, and using monitoring tools like arp watch. It isn't as effective as locking down things at the hardware level managed switch, but it should be enough for most environments and a hell of a lot cheaper if you don't require the added functionality the managed switch allows you...

Re: SwitchSniff

Anonymous's picture

Please break up your long <pre> lines. They force a ridiculous width for the text. Maybe, then I'll read the article.

Re: SwitchSniff

Anonymous's picture

get used to it ! mr anonymous !

this is a very good article so I don't really mind the minor formatting problem .

Re: SwitchSniff

Anonymous's picture

The reason the lines are long is because I wanted to preserve the look and feel of what you would get on the screen when you gave that command.

Wondering if there is a way to preserve that look and feel, without making it feel kludgy. If there is a better way, kindly let me know. I will incorporate it into my next article.

Dhar

Re: SwitchSniff

Anonymous's picture

Get rid of the tables. They're killing me. Try to print your page from Netscape, and you'll see what I mean. I had to paste the html into an editor and fix it just to print to. Validate your code against the W3C validator to see the things you need to fix.

Re: SwitchSniff

TrickyRick's picture

Well the opening quote from The Art of War was kind of wide in Netscape 6.2 and Mozilla but in Konqueror everything is wraped.

Why is nearly everyone including Dhar an AC?

Re: SwitchSniff

Anonymous's picture

AOL.

Oh - for the person who said "just move the bar", you've got to do that for EVERY SNGLE LINE!!!!

I'm blowed if I'm going to try to read an article where I'm scrolling left AND right on every single damn line!

Sorry, but it ain't worth the hassle (and knowing my browser, it won't print properly, either :-(

Cheers,

Wol

Re: SwitchSniff

Anonymous's picture

pretty tough to move the bar over half an inch isn't it!

give me a break

Re: SwitchSniff

Anonymous's picture

Unfortunately, arpwatch isn't all that useful on networks that make use of DHCP. People who turn their computers off at night may have their IP addresses change the next day or over the weekend. My boss runs arpwatch where I work, and we just get flooded with reports of changing addresses because of this..

Re: SwitchSniff

Anonymous's picture

So stop using fully dynamic leases. Change the existing leases into reservations. Dump the current MAC-IP table, do a little text editing and re-use it as the reservation table.

Leave 'enough' addresses, perhaps in a different group, for the inevitable additions.

The upside here is you can put these pseudo-static reserved IP addresses into DNS as well.

If you don't have enough free IP addresses then re-engineer your network. Put 'em behind a Firewall or NAT router.

The number of people that don't know how to use DHCP is astounding.

Re: SwitchSniff

Anonymous's picture

By making them all reservations you are, effectively, returning to static ips. Why bother?

With Dynamic DNS you can put a fully dynamic lease into DNS automatically. You don't need to go to reservations.

Why to bother.

Anonymous's picture

Becuase it puts all IP admin in one central place.

Re: SwitchSniff

Anonymous's picture

We set our IP lease time to 4 days. That way, unless someone is on vacation, the lease is is renewed and the IP remains the same, no matter how much the machine is turned on and off. This is so stable and dependable that we have older machines that have had the same IP address since DHCP was put in place (I can count on "old .94" to be surfing porn at work, for example).

Re: SwitchSniff

Anonymous's picture

You can also mantain a table of fixed MAC IP relationships in the DHCP server for known computers. It's more work :-( but you will know when a new box enter the network :-). And arpwatch will work :-)

Re: SwitchSniff

Anonymous's picture

Set your lease time longer. Most dhcp clients request the same lease address they already had (pump, dhcpcd, win98, nt, etc) so as long as the lease is valid it can be renewed.

If you are low on addresses, your dhcp server should just use the oldest lease that's not in use (ISC dhcpd)

Mike Fedyk

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState