2008 Batch-I
Module VII
Sniffers
Scenario
Definition
Objectives of sniffing
Passive Sniffing
Active Sniffing
Different types of Sniffing tools
Countermeasures
Summary
Module Flow
Passive Sniffing
Diagram (hub-based LAN): the data sent across the LAN will be sent to each system on the LAN, so the attacker's machine attached to the hub receives it as well. The example traffic is email text.
Active Sniffing
Diagram (switched LAN): the switch looks at the MAC addresses associated with each frame, sending data only to the required connection.
http://ntsecurity.nu/toolbox/etherflood/
Step 3: Attacker forwards the traffic to the Router (192.168.1.25)
Countermeasures
Small Network
• Use of static IP addresses and static ARP tables, which prevent hackers from adding spoofed ARP entries for machines in the network
Large Networks
• Network switch "Port Security" features should be enabled
• Use of Arpwatch to monitor Ethernet activity
http://www.redhat.com/swr/i386/arpwatch-2.1a11-1.i386.html
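As an added example (not part of the original module, and not Arpwatch's own code), the following Python sketch does what the Arpwatch countermeasure above describes: it tracks IP-to-MAC pairings from ARP replies and raises an event when a pairing changes, flips back, or contradicts a static entry. The ARP replies are constructed sample data; the router address 192.168.1.25 is taken from the module's ARP diagram.

```python
"""Arpwatch-style ARP monitor (added example, not from the module or Arpwatch).

Keeps an IP -> MAC table from observed ARP replies and reports a new station,
a changed Ethernet address (the symptom of a spoofed ARP entry) and a "flip
flop", where the mapping bounces back to an address seen before. Static
entries, the module's small-network countermeasure, are checked first.
"""
from dataclasses import dataclass, field

# Constructed sample of observed ARP replies: (timestamp, sender IP, sender MAC).
# 192.168.1.25 is the router address from the module's diagram; the MACs are
# made up. At t=4 a second station claims the router's IP.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.25", "00:11:22:33:44:55"),
    (2, "192.168.1.10", "00:aa:bb:cc:dd:01"),
    (3, "192.168.1.25", "00:11:22:33:44:55"),
    (4, "192.168.1.25", "DE:AD:BE:EF:00:01"),
    (5, "192.168.1.25", "00:11:22:33:44:55"),
]

@dataclass
class ArpTable:
    current: dict = field(default_factory=dict)   # ip -> mac currently believed
    previous: dict = field(default_factory=dict)  # ip -> mac before the last change
    static: dict = field(default_factory=dict)    # ip -> mac pinned by the operator

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return an event string, or None if nothing changed."""
        mac = mac.lower()
        pinned = self.static.get(ip)
        if pinned and mac != pinned:
            return f"{ts} static entry violated {ip} {mac} (expected {pinned})"
        known = self.current.get(ip)
        if known is None:
            self.current[ip] = mac
            return f"{ts} new station {ip} {mac}"
        if known == mac:
            return None
        # The mapping changed. Bouncing back to the address seen before the
        # last change is what arpwatch reports as a flip flop.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = known
        self.current[ip] = mac
        return f"{ts} {kind} {ip} {mac} (was {known})"

def monitor(replies, static=None):
    """Run every reply through the table and return the list of events."""
    table = ArpTable(static={ip: m.lower() for ip, m in (static or {}).items()})
    return [e for e in (table.observe(*r) for r in replies) if e]
```

Pinning the router with a static entry (the small-network countermeasure) turns the t=4 change into a static-entry violation and suppresses the later flip flop, since the table never accepts the spoofed address.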
Tools For Sniffing
• Ethereal
• pf
• Dsniff
• IPTraf
• Sniffit
• Etherape
• Netfilter
• Aldebaran
• Network Probe
• Hunt
• MaaTec Network Analyzer
• NGSSniff
• Ntop
Tools For Sniffing
• Snort
• Macof, MailSnarf, URLSnarf, WebSpy
• Windump
• Etherpeek
• Ettercap
• SMAC
• Mac Changer
• Iris
• NetIntercept
• WinDNSSpoof
Ethereal
Ethereal is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. The user can interactively browse the captured data, viewing summary and detailed information of each packet captured.
Ntop
Ntop is a network traffic probe that shows network usage. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status.
EtherApe
EtherApe is a graphical network monitor for UNIX. Featuring link layer, IP and TCP modes, it displays network activity graphically. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
MaaTec Network Analyzer
MaaTec Network Analyzer is a tool that is used for capturing, saving and analyzing network traffic.
Features:
• Real-time network traffic statistics.
• Scheduled network traffic reports.
• Online view of incoming packets.
• Multiple data color options.
Tool: Snort
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console. Packet logger mode logs the packets to disk. Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Macof, MailSnarf, URLSnarf, WebSpy
Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing.
Mailsnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network.
urlsnarf is a tool for monitoring Web traffic.
Webspy allows the user to see all the webpages visited by the victim.
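The "Port Security" countermeasure from the earlier slide is what stops a Macof flood from making a switch fail open; as an added example (not from the module, dsniff or any switch vendor), this Python code applies a per-port limit on learned source MACs to constructed sample frames and reports which port would have been shut down, and at which frame.

```python
"""Port-security check against a Macof-style MAC flood (added example; not from
the module, dsniff or any switch vendor).

Macof works by making the switch learn far more source MACs than its CAM table
holds. A port-security limit on learned MACs per port catches this early; the
function below applies that rule to a list of observed frames.
"""
from collections import defaultdict

# Constructed frames: (switch port, source MAC). Port fa0/1 carries two normal
# stations; port fa0/7 sources hundreds of random-looking MACs, as a host
# running a flooder would. Port names and MACs are made up.
SAMPLE_FRAMES = (
    [("fa0/1", "00:aa:bb:cc:dd:01")] * 5
    + [("fa0/1", "00:aa:bb:cc:dd:02")] * 3
    + [("fa0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)]
)

def port_security(frames, max_macs=2):
    """Return (learned MACs per port, first violating frame number per port).

    A port violates when it has sourced more than max_macs distinct addresses;
    a real switch would err-disable the port or drop the frame at that point.
    """
    learned = defaultdict(set)
    violations = {}
    for n, (port, mac) in enumerate(frames, start=1):
        learned[port].add(mac.lower())
        if len(learned[port]) > max_macs and port not in violations:
            violations[port] = n
    return {p: len(m) for p, m in learned.items()}, violations
```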
Tool: Windump
It allows the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee that is surfing the web during work hours.
NetIntercept
A sniffing tool that studies external break-in attempts, watches for misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as e-mail headers, web sites, and file names.
WinDNSSpoof
TCPDump
• A widely used network diagnosis and analysis tool for UNIX-based OSs.
• Used to trace network problems, detect ping attacks, and monitor network activities.
• Monitors and decodes application-layer data.
Network Monitor
• Network-monitoring software that is part of Windows NT Server.
• Latest versions capture all data traffic.
• Maintains the history of each network connection.
• Provides high-speed filtering capabilities.
• Captures network traffic and converts it to a readable format.
Gobbler, ETHLOAD
Gobbler
• MS-DOS based sniffer
• Used to gain knowledge about network traffic
• Used remotely over a network
• Runs from a single workstation, analyzing only the local packets
ETHLOAD
• Freeware packet sniffer written in C
• Executes on MS-DOS and Novell platforms
• Cannot be used to sniff rlogin and Telnet sessions
Esniff, Sunsniff, Linux Sniffer, Sniffer Pro
Esniff
• Written in C by a hacker called “rokstar”
• Used to sniff packets on OSs developed by Sun Microsystems
• Coded to capture the initial bytes, which include the username and password
Sunsniff
• Written in C, specifically for Sun Microsystems OS
Linux_sniffer
• A Linux-specific sniffer written in C for experimenting with network traffic.
Sniffer Pro
• Trademark of Network Associates Inc.
• Easy-to-use interface for capturing and viewing network traffic.
Scenario
Sam found out that he was working in a shared Ethernet network segment, so a sniffer could be launched from any machine in the LAN. Sam ran a sniffer and at the end of the day he studied the captured data. Sam could not believe it!
1. He was actually able to read e-mails
2. Read passwords off the wire in clear text
3. Read files
4. Read financial transactions and credit card numbers
Sam decided to share the information with Dave the next day. How do you think Dave will react to this? Was Sam guilty of espionage?
Countermeasures