Sniffers Torn Apart By Ankit Fadia
ankit@bol.net.in
Sniffers are the most dreaded nightmare of system administrators. A compromised system is bad enough, but a compromised system with a sniffer installed on it, stealing company secrets and important passwords is as bad as it gets. In this manual we will discuss just how sniffers work and how to detect them and a lot more related information.
Sniffers were originally developed by programmers around the world to be used as a tool for debugging network problems. In simple words, what they do is capture, interpret and save for analysis all the packets being sent across the network. Think of sniffers as recorders that capture or record all the packets being sent over a network. The system administrators later analyze these captured packets to find out as to what exactly is happening in the network or what kind of data is exactly being sent to and fro across the network, hence allowing them to debug or troubleshoot networking problems.
Sniffers capture the data being sent across the network in a very raw form, so in effect one is examining the packets traversing in the rawest form and using the information gathered by the analysis to detect or troubleshoot networking problems.
There are different types of sniffers available, however the most common type of sniffer is the Ethernet-based sniffer. In the next paragraph we will discuss just how such sniffers work.
An Ethernet-based sniffer works in cahoots with the Network Interface Card or the NIC. What this means is that such sniffers with the help of the NIC capture absolutely all the packets within the range of the listening system. Please note that the listening system is the system where the Ethernet-based sniffer has been installed.
Normally, a Network Card throws away any packets, which are not specifically directed to the listening system. However, in case of Ethernet-based Sniffers, the Network Interface cards are set to a special state called the promiscuous mode to ensure that it receives all the packets within listening range of the listening system. What this means is that it ensures that the NIC receives even those packets, which are not directed specifically to the listening system, but infact receives all the packets going across the wire.
After the NIC has been set to promiscuous mode, the sniffer software installed on the listening system can capture or record all the packets that travel across the local Ethernet segment. However, one thing to note is that such sniffers will not be able to capture packets traversing beyond routers, switches, segmenting devices etc.
*********************
HACKING TRUTH: The
following is the output shown by a popular sniffer. The user ID is ankit and the
password is ankit too.
$&& #’$ANSI"!ankit
ankit
cd /software
ls
The point to notice is that sniffers capture all the packets being sent across the network. That means that it captures everything from the login password to the shell command being typed out.
********************
There are a number of sniffers available, however, the most popular is tcpdump.
So how do I detect sniffers? Well, sniffers have a number of tell tales that you need to watch out for. The following are some of the various signs on the target system that tell you that a sniffer is at work:
1.) NIC is working in promiscuous Mode: there is a utility called ‘cpm’ which can detect a NIC working in promiscuous mode.
2.) Certain Sniffers are also visible in the list of Running Processes.
3.) Most Sniffers would create a long log file. One has to watch out for log files in hidden directories.
The above techniques work for host based sniffer detection. However, in case of Network-based sniffer detection one has to make use of a tool called ‘AntiSniff’, which was developed by L0phtCrack.
However if you are looking for more permanent solutions against Sniffers, then the following section may just be what you are looking for.
The following are the more permanent Anti-Sniffers Measures:
a.) Switching to Switched Networks: In case of a Switched Network, only the packets meant for that particular host reach the NIC. This limits the damages caused by a sniffer.
b.) Use of Encryption Technologies like SSH, IP Security Protocol etc.
This brings us to the end of our ‘Quick Manual’ on Sniffers. Hope you like it and till next time goodbye.