Friday, April 22, 2011

Sniffers - An Introduction : Network Sniffers - 2

Sniffers - An Introduction


  • Sniffers monitor network data.

  • A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.

  • Sniffers usually act as network probes or "snoops" -- examining network traffic but not intercepting or altering it.

  • Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols and at lower levels such as the Ethernet frame.
A sniffer is a piece of software that captures the traffic on a network. They are available for several platforms in both commercial and open-source variations. Some of simplest packages use a command line interface and dump captured data to the screen, while sophisticated ones use GUI, graph traffic statistics, track multiple sessions and offer several configuration options.
Sniffers are also the engines for other programs. Network Intrusion Detection Systems (NIDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis. It is to be noted that sniffers do not intercept or alter the data it captures.
The most common way of networking computers is through Ethernet. The Ethernet protocol works by broadcasting packets to all hosts on the network, with the packet header containing the MAC address of the machine that is meant to receive the packet. All others are supposed to ignore it. A NIC (Network Interface Card, also known as Ethernet card) that is accepting all packets, regardless of the intended machine is said to be in promiscuous mode. A sniffer is a program that sets the desired NIC into promiscuous mode.
A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network. This is what is known as a passive attack because the attacker does not directly interface with any machine which the attacker may be trying to compromise.
Before we can explore how some sniffing tools are used by attackers towards malicious ends, let us examine what enables the tool to work. However, on a LAN, several PCs share a common connection to the Internet. The devices that come into play here include hubs, switches and routers among others.
A switch performs the layer 2 or Data-Link layer function. That is, it simply looks at each packet or data unit and determines from a physical address (the "MAC address") which device a data unit is intended for and switches it out toward that device. A hub is a place of convergence where data arrives from one or more directions and is forwarded out in one or more other directions. The distinction seems to be that the hub is the place where data comes together and the switch is what determines how and where data is forwarded from the place where data comes together.
If the network is not switched, the traffic destined for any machine on a segment is broadcast to every machine on that segment. This means that a computer actually sees the data traveling to and from each of its neighbors, but ignores it, unless otherwise instructed.
The sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, (a status that requires administrative or root privileges) a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card. A sniffer can therefore peel away the layers of encapsulation and decode the relevant information stored within. This includes information such as source computer, destination computer, targeted port number, payload etc - in short, every piece of information exchanged between two computers.
Security Concern

  • Users of computer networks unwittingly disclose sensitive information about themselves through the use of insecure software, and protocols.

  • Standard implementations of widely adopted protocols such as Windows file sharing (CIFS/SMB), telnet, POP3, HTTP and FTP transmit login passwords in clear text, exposing an extremely large segment of the internet population to sniffing-related attacks.

A packet sniffer is nefariously known for its ability to "sniff" plain text passwords. On a normal LAN there are thousands of packets being conversed by numerous machines every minute. Therefore, anything transmitted in plaintext, such as passwords, web pages, database queries and messaging over the network will be vulnerable to sniffing.
A sniffer can easily be customized to capture specific traffic like telnet sessions or e-mail. Once network traffic has been captured, an attacker can swiftly extract sensitive information such as logins, passwords and the text of messages to extend their attack. The disturbing part of the entire process is that users may remain clueless about the leakage of information until they are visibly compromised. This is because sniffers cause no damage or disturbance to a network environment.
Data is transmitted in the binary form over the network. Packet sniffers capture binary data passing through the network, and most of them decode this data into a human readable form. Another feature supported by popular sniffers is protocol analysis. This makes it even easier for attackers, as they can target specific protocols in accordance with their intent.
On most sniffers there is a varying degree of the analysis that takes place. This may be simple analysis involving just breaking down the information packet. Others are more complex involving detailed information contained in the packet (i.e., highlights a password for a service). We will explore some sniffers in this module and see the functionality offered by them.
It must be borne in mind that sniffer have beneficial applications as well. In fact, majority of them were designed for legitimate purposes. However, like double edged swords, the end sought by their means lies in the mind of the user.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.