
NMCSP

2008 Batch-I

Module VII
Sniffers
Scenario

Dave works as an Engineer in the IT support department of a multinational banking company. Sam, a graduate in Computer Engineering, has recently been recruited by the bank as a Trainee to work under Dave. Sam knows about packet sniffers and has seen their malicious use. Sam wants to sniff the network to demonstrate its vulnerabilities to Dave.

1. What information does Sam need to install a sniffing program?
2. How can Sam find out if there are any sniffing detectors in the network?
3. Can Sam sniff from a remote network?
4. Can he install a sniffer on Dave's machine?
5. Can he obtain credit card information by sniffing?
6. Is Sam's action ethical?
Module Objectives

 Definition
 Objectives of sniffing
 Passive Sniffing
 Active Sniffing
 Different types of Sniffing tools
 Countermeasures
 Summary
Module Flow

 Definition of Sniffing
 Passive Sniffing
 Active Sniffing
 ARP Poisoning
 Sniffing Tools
 Countermeasures

Definition: Sniffing

A sniffer is a program or device that captures the traffic passing over a particular network and extracts vital information from it. Sniffing is basically a "data interception" technique: the sniffer does not need to be a party to the connection it reads.

The objective of sniffing is to grab:
• Passwords (e-mail, web, SMB, FTP, SQL, Telnet). Each of these protocols, in its unencrypted form, carries the credentials in clear text on the wire.
• E-mail text
• Files in transfer (e-mail, FTP, SMB)
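The following added example (not code from the module or from any tool it lists) shows what "grabbing passwords" means in practice: a dsniff-style credential harvester run over constructed clear-text FTP, POP3 and HTTP Basic-auth payloads, plus a TLS stream to show that encryption leaves the same sniffer with nothing. The host names, user names and passwords are invented for the example.

```python
"""Added example (not part of the original module): a dsniff-style credential
harvester run over constructed clear-text application payloads. It shows why
unencrypted FTP, POP3 and HTTP Basic authentication are the first things a
sniffer goes after, and why the same sniffer gets nothing from a TLS stream.
All payloads below are constructed for this example."""
import base64
import re

# (protocol, reassembled TCP payload) as a passive sniffer on a hub would see
# it. Constructed data; the hosts and credentials are invented.
SAMPLE_STREAMS = [
    ("ftp", b"220 ftp.example.test ready\r\nUSER alice\r\n331 Password required\r\n"
            b"PASS s3cret\r\n230 Login OK\r\n"),
    ("pop3", b"+OK POP3 ready\r\nUSER bob@example.test\r\n+OK\r\nPASS hunter2\r\n+OK Logged in\r\n"),
    ("http", b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
             b"Authorization: Basic Y2Fyb2w6UEBzc3cwcmQ=\r\n\r\n"),
    # First bytes of a TLS ClientHello: whatever credentials follow are encrypted.
    ("https", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

# FTP and POP3 send the user name and password as separate clear-text commands.
USER_PASS_RE = re.compile(rb"^USER (\S+)\r?$.*?^PASS (\S+)\r?$", re.M | re.S)
# HTTP Basic auth is only base64-encoded "user:password", not encryption.
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)


def extract_credentials(proto, payload):
    """Return a list of (proto, user, password) tuples found in one stream."""
    found = []
    if proto in ("ftp", "pop3"):
        for user, password in USER_PASS_RE.findall(payload):
            found.append((proto, user.decode(), password.decode()))
    elif proto == "http":
        for token in BASIC_RE.findall(payload):
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                continue
            user, sep, password = decoded.partition(b":")
            if sep:
                found.append((proto, user.decode(errors="replace"),
                              password.decode(errors="replace")))
    # Anything else (TLS, SSH) is opaque to a sniffer: nothing to extract.
    return found


def harvest_credentials(streams=SAMPLE_STREAMS):
    """Run every stream through the extractor; this is what Sam's end-of-day
    review of a capture on a shared segment would produce."""
    creds = []
    for proto, payload in streams:
        creds.extend(extract_credentials(proto, payload))
    return creds


if __name__ == "__main__":
    for proto, user, password in harvest_credentials():
        print(f"{proto:5} {user} / {password}")
```

Telnet is omitted because it sends one keystroke per packet, so a real harvester has to reassemble the TCP stream first; the principle is the same. Note that the HTTP case needs no cracking at all: base64 is an encoding, not encryption.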
Passive Sniffing

[Diagram: LAN with a hub; attacker connected to one hub port]

On a hub-based LAN, every frame sent across the LAN is repeated out of every port, so it reaches each system on the segment. The attacker only has to put a network card into promiscuous mode and capture; nothing is injected into the network, which is why this is called passive sniffing.
Active Sniffing

[Diagram: LAN with a switch; attacker connected to one switch port]

A switch looks at the MAC address of each frame and forwards it only to the port where the destination is connected, so the attacker's port normally sees no traffic belonging to other hosts. To sniff a switched network the attacker has to act: he tries to poison the switch (or the hosts' ARP caches) by sending frames with bogus MAC addresses, hence the name active sniffing.
EtherFlood

http://ntsecurity.nu/toolbox/etherflood/

 EtherFlood floods a switched network with Ethernet frames carrying random source hardware addresses.
 A switch learns which MAC address lives behind which port from the source address of the frames it sees, and stores that in a table of limited size. The flood fills the table with bogus entries, and the entries for the real hosts are pushed out.
 The effect on some switches is that they start sending traffic for these now-unknown destinations out on all ports, so that the attacker is able to sniff all traffic on the network. The flood has to be kept up, because the real hosts re-learn themselves with their next frame.
ARP Poisoning

ARP resolves an IP address to the MAC (hardware) address of the interface that the data has to be sent to. ARP has no authentication: a host accepts a reply without having asked for it, so ARP packets can be forged to make other hosts send their data to the attacker's machine(s). An attacker exploits this (ARP poisoning) to intercept the traffic between two machines on the network, typically a host and its gateway.

This is distinct from MAC flooding: flooding a switch's MAC table with frames carrying spoofed source addresses overloads the switch so that it falls back to "hub" mode and repeats traffic on every port, which the attacker can then sniff. Poisoning targets the ARP caches of the hosts and works even when the switch is behaving correctly.
ARP Poisoning

[Diagram: Victim 192.168.1.21, Attacker (MAC ATTACKERS_MAC), Router 192.168.1.25]

Step 1: The attacker sends the victim a forged ARP reply claiming that the router's IP address, 192.168.1.25, is at ATTACKERS_MAC. To intercept both directions he sends the router a matching reply claiming that 192.168.1.21 is at ATTACKERS_MAC.

Step 2: The victim's Internet traffic is forwarded to the attacker's system, because in the victim's ARP cache the router's address is now associated with the attacker's MAC.

Step 3: The attacker forwards the traffic on to the real router at 192.168.1.25 (and the router's replies back to the victim), so the connection keeps working and the victim notices nothing.
Countermeasures

 Small networks
• Use static IP addresses and static ARP tables. A static ARP entry is never overwritten by a received reply, which prevents attackers from adding spoofed entries for machines in the network.
 Large networks
• Enable the network switch's "port security" features, which limit the MAC addresses a port may learn.
• Use arpwatch to monitor Ethernet activity and report when the MAC address associated with an IP address changes.
http://www.redhat.com/swr/i386/arpwatch-2.1a11-1.i386.html
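The following added example (not code from the module, from arpwatch or from any tool listed later) ties the poisoning diagram above to the two countermeasures on this slide. It builds the forged ARP reply of Step 1 as raw bytes in the Ethernet + ARP layout of RFC 826, shows a plain ARP cache accepting it and a cache with a static entry for the gateway ignoring it, and runs an arpwatch-style monitor that flags the changed address. The IP addresses are the ones in the diagram; the MAC addresses are assumed.

```python
"""Added example (not part of the original module): forged ARP reply from
Step 1 of the poisoning diagram as raw bytes, a naive versus a static ARP
cache receiving it, and an arpwatch-style monitor flagging the change.
IPs are from the diagram; MAC addresses are assumed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
VICTIM_IP, VICTIM_MAC = "192.168.1.21", "00:0c:29:aa:bb:21"      # assumed MAC
ROUTER_IP, ROUTER_MAC = "192.168.1.25", "00:50:56:ee:ff:25"      # assumed MAC
ATTACKER_MAC = "00:0c:29:de:ad:01"                               # "ATTACKERS_MAC"


def mac2b(mac):
    return bytes.fromhex(mac.replace(":", ""))


def b2mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply: 'sender_ip is at sender_mac'."""
    eth = struct.pack("!6s6sH", mac2b(target_mac), mac2b(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REPLY,          # Ethernet/IPv4, op=reply
                      mac2b(sender_mac), socket.inet_aton(sender_ip),
                      mac2b(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_src": b2mac(src), "sha": b2mac(sha),
            "spa": socket.inet_ntoa(spa), "tha": b2mac(tha),
            "tpa": socket.inet_ntoa(tpa)}


class ArpCache:
    """Host ARP cache. A plain cache trusts every reply (the weakness that
    ARP poisoning exploits); entries listed in `static` are never overwritten."""
    def __init__(self, static=None):
        self.static = dict(static or {})
        self.entries = dict(self.static)

    def update(self, frame):
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY and a["spa"] not in self.static:
            self.entries[a["spa"]] = a["sha"]

    def lookup(self, ip):
        return self.entries.get(ip)


class ArpWatch:
    """arpwatch-style monitor: remembers the first MAC seen for each IP and
    reports any later reply that disagrees with it."""
    def __init__(self):
        self.seen = {}
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return
        if a["sha"] != a["eth_src"]:       # ARP payload disagrees with frame header
            self.alerts.append(("sender mac mismatch", a["spa"], a["eth_src"], a["sha"]))
        known = self.seen.setdefault(a["spa"], a["sha"])
        if known != a["sha"]:
            self.alerts.append(("changed ethernet address", a["spa"], known, a["sha"]))


def arp_poison_demo():
    """Returns (naive cache view of the router, static cache view, alerts)."""
    legit = build_arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp_reply(ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)  # Step 1

    naive, hardened = ArpCache(), ArpCache(static={ROUTER_IP: ROUTER_MAC})
    watch = ArpWatch()
    for frame in (legit, poison):
        naive.update(frame)
        hardened.update(frame)
        watch.observe(frame)
    # Step 2: the naive host now sends Internet-bound frames to ATTACKER_MAC.
    return naive.lookup(ROUTER_IP), hardened.lookup(ROUTER_IP), watch.alerts


if __name__ == "__main__":
    print(arp_poison_demo())
```

A real attacker repeats the poison reply every few seconds, because a host's cache entry otherwise times out and a genuine reply from the router restores it; that repetition is also what makes the attack easy for arpwatch to spot. The static-entry cache corresponds to the "small network" countermeasure above: on a real host the same effect is obtained with a permanent ARP entry for the gateway.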
Tools For Sniffing

 Ethereal
 Dsniff
 Sniffit
 Netfilter
 Aldebaran
 Network Probe
 Hunt
 MaaTec Network Analyzer
 NGSSniff
 Ntop
 pf
 IPTraf
 Etherape
Tools For Sniffing
 Snort
 Macof, MailSnarf, URLSnarf, WebSpy
 Windump
 Etherpeek
 Ettercap
 SMAC
 Mac Changer
 Iris
 NetIntercept
 WinDNSSpoof
Ethereal

Ethereal (since renamed Wireshark) is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. The user can interactively browse the captured data, viewing summary and detailed information for each captured packet.
Features

 Data can be intercepted "off the wire" from a live network connection, or read from a capture file.
 Can read capture files written by tcpdump.
 Command line switches to the editcap program enable editing or conversion of capture files.
 A display filter refines which captured data is shown.

Dsniff

Dsniff is a collection of tools for network auditing and penetration testing. arpspoof, dnsspoof and macof facilitate the interception of network traffic that is normally unavailable to an attacker (on a switched network). sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by taking advantage of the weak bindings in ad-hoc PKI, i.e. users who accept an unknown host key or certificate.
Sniffit

 Sniffit is a packet sniffer for TCP, UDP and ICMP packets.
 It provides detailed technical information about the packets and their contents in different formats.
 By default it handles Ethernet and PPP devices, but it can easily be forced to use other devices.
Aldebaran

 Aldebaran is an advanced Linux sniffer/network analyzer.
 It supports sending captured data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in HTML, capture rules, colored output, and much more.
Hunt

 Hunt is used to watch TCP connections, intrude into them, or reset them.
 It is meant to be used on an Ethernet segment, and has active mechanisms (ARP spoofing) to sniff switched connections.
 Features:
• Watching, spoofing, detecting, hijacking and resetting connections
• A MAC discovery daemon for collecting MAC addresses, and a sniff daemon for logging TCP traffic with the ability to search for a particular string
NGSSniff

 NGSSniff is a network packet capture and analysis program for Windows.
 Packet capture is done either through Windows sockets raw IP, which needs no additional driver, or through the Microsoft Network Monitor drivers.
 It can sort captured packets and display them in real time.
Ntop

 Ntop is a network traffic probe that shows network usage.
 In interactive mode, it displays the network status on the user's terminal.
 In web mode, it acts as a web server, producing an HTML view of the network status.
pf

 pf is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. It is a packet filter rather than a sniffer, but it sits in the same place in the stack and logs the traffic it sees.
 It is also capable of normalizing and conditioning TCP/IP traffic, providing bandwidth control, and packet prioritization.
IPTraf

 IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and reports various pieces of information about the IP traffic currently being monitored.
 IPTraf can be used to monitor the load on an IP network, the types of network services most in use, the progress of TCP connections, and more.
Etherape

EtherApe is a graphical network monitor for UNIX. Featuring link layer, IP and TCP modes, it displays network activity graphically. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
Features

 Network traffic is displayed graphically. The more "talkative" a node is, the bigger its representation.
 The user may select the level of the protocol stack to concentrate on.
 The user may look at traffic within the network, end-to-end IP, or even port-to-port TCP.
 Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file.
 The data display can be refined using a network filter.
Netfilter

 Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.
 Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register callback functions that are called every time a network packet traverses one of those hooks.

Features
 Stateful packet filtering (connection tracking)
 Many network address translation schemes
 Flexible and extensible infrastructure
 Large numbers of additional features, available as patches

Screenshot: Netfilter
Network Probe

 This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network.
 All traffic is monitored in real time.
 All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces.
MaaTec Network Analyzer

MaaTec Network Analyzer is a tool for capturing, saving and analyzing network traffic.
Features:
• Real-time network traffic statistics
• Scheduled network traffic reports
• Online view of incoming packets
• Multiple data color options
Tool: Snort

There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.
• Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console.
• Packet logger mode logs the packets to disk.
• Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Macof, MailSnarf, URLSnarf, WebSpy

• macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing.
• mailsnarf captures and outputs SMTP mail traffic sniffed on the network.
• urlsnarf is a tool for monitoring web traffic (it logs the requested URLs).
• webspy allows the user to see all the web pages visited by the victim.
Tool: Windump

 WinDump is the Windows port of tcpdump, the most widely used network sniffer/analyzer for UNIX.
Tool: Etherpeek

EtherPeek is an Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding and displaying packet data, it discovers protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, unreachable devices, etc.
SMAC

SMAC is a MAC address modifying utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information for the available network adapters on one screen. The built-in logging capability allows the tracking of MAC address modification activities.
MAC Changer

 MAC Changer is a Linux utility for setting a specific MAC address on a network interface.
 It lets the user set the MAC address randomly, set a MAC from another vendor, or set another MAC from the same vendor.
 The user can also set a MAC of the same kind (e.g. a wireless card).
 It offers a vendor MAC list (more than 6200 entries) to choose from.
Ettercap

A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP-poisoning-based sniffing, etc.
Iris

Iris reconstructs network traffic into a format that is simple to use and understand. It can show the web page of any employee who is surfing the web during work hours.
NetIntercept

A sniffing tool that studies external break-in attempts, watches for misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as e-mail headers, web sites, and file names.
WinDNSSpoof

 This tool is a simple DNS ID spoofer for Windows 9x/2K.
 In order to use it you must be able to sniff the traffic of the computer being attacked (the spoofed answer must carry the transaction ID of the victim's query).
 Usage: wds -h
Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
TCPDump, Network Monitor

 TCPDump
• A widely used network diagnosis and analysis tool for UNIX-based OSs.
• Used to trace network problems, detect ping attacks, and monitor network activity.
• Monitors and decodes application layer data.
 Network Monitor
• Network-monitoring software that is part of Windows NT Server.
• The latest versions capture all data traffic.
• Maintains the history of each network connection.
• Provides high-speed filtering capabilities.
• Captures network traffic and converts it to a readable format.
Gobbler, ETHLOAD

 Gobbler
• MS-DOS based sniffer
• Used to gain knowledge about network traffic
• Can be used remotely over a network
• Runs from a single workstation, analyzing only the local packets
 ETHLOAD
• Freeware packet sniffer written in C
• Runs on MS-DOS and Novell platforms
• Cannot be used to sniff rlogin and Telnet sessions
Esniff, Sunsniff, Linux Sniffer, Sniffer Pro

 Esniff
• Written in C by a hacker called "rokstar"
• Used to sniff packets on operating systems developed by Sun Microsystems
• Coded to capture the initial bytes of each session, which include the username and password
 Sunsniff
• Written in C, specifically for Sun Microsystems operating systems
 Linux_sniffer
• A Linux-specific sniffer written in C for experimenting with network traffic
 Sniffer Pro
• Trademark of Network Associates Inc.
• Easy-to-use interface for capturing and viewing network traffic
Scenario

Sam found out that he was working on a shared Ethernet network segment, so a sniffer could be launched from any machine on the LAN. Sam ran a sniffer and at the end of the day studied the captured data. Sam could not believe it:

1. He was able to read e-mails.
2. He read passwords off the wire in clear text.
3. He read files in transfer.
4. He read financial transactions and credit card numbers.

Sam decided to share the information with Dave the next day. How do you think Dave will react to this? Was Sam guilty of espionage?
Countermeasures

 Restrict physical access to the network media so that a packet sniffer cannot be installed.
 The best protection against sniffing is encryption. It will not prevent a sniffer from functioning, but it ensures that what the sniffer reads is incomprehensible.
 ARP spoofing is used to sniff a switched network, and the attacker will typically try to spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache (a static entry), which a forged reply cannot overwrite.
Countermeasures (contd.)

 Replace clear-text protocols such as Telnet, rlogin and FTP with SSH.
 There are various tools to detect a sniffer in a network. They are as follows:
• arpwatch
• Promiscan
• AntiSniff
• Prodetect
Summary

 Sniffing allows the capture of vital information from network traffic. It can be done over a hub (passive) or a switch (active).
 Passwords, e-mail, files, etc. can be captured by means of sniffing.
 MAC flooding can be used to push a switch into "hub" mode, and ARP poisoning can redirect a host's traffic through the attacker; either way the attacker can then sniff traffic on a switched network.
 Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, NGSSniff, etc. are some of the most popular sniffing tools.
 The best protection against sniffing is encryption, together with applying the latest patches and other lockdown techniques to the systems.
