To illustrate how a packet sniffer works, first one must understand how a network hub (as used in this example) works.

When network traffic is sent from upstream to a host attached to the hub, the hub re-transmits this data to all hosts on the hub. By default, the NIC in a computer is not set to promiscuous mode, in other words, unless the traffic is addressed to (a) broadcast or (b) specifically its address, it ignores it.

At this point, the packet sniffer can operate in one of two modes, it can sniff only the traffic addressed to it, or it can enter promiscuous mode and sniff all traffic recieved.

Since the most common use of packet sniffers is on college networks, the obvious choice is to tell your packet sniffer of choice to enable promiscuous mode. At this point, you are now recieving a massive list of all network traffic generated by everyone on your hub.

At most dorms, this is a good 10+ people on a single network hub, which enables the person running the sniffer to gather POP and IMAP passwords (generally unencrypted), as well as monitor AIM/IRC conversations, keep track of what websites everyone browses, etc.

And the packet sniffer is nice enough to sort by which IP address each packet comes from, and filter based on protocol.

This only covers the negative aspects of packet sniffers, however, and they have many legitimate reasons such as testing to see if a NIC is functioning properly, to ensure that workers in an office aren't cruising porn sites on company time, etc.

Introduction

A Packet Sniffer is a legitimate network administration tool, which can be extremely powerful in the wrong hands. The beauty, from the cracker's point of view, is that the sniffer is passive - that means that no systems need to be broken to run it, and it is not possible to detect it running. (Haha, as if... see later)

It not only allows you to view what people are looking at on the internet, but also internal protocols such as people's connections to a mail server, secure shared directories and so on.

How it works

A network typically consists of computer equipment, hubs and routers. When a message leaves a computer, destined for another, the first place it hits is usually a hub. The hub will broadcast the message to all of its other ports, and so on through the network.

A router will take messages and only forward them to the appropriate ports - thereby lowering traffic on individual parts of a local network. There may be a subnet per floor in a large building, with all machines on each floor connected by hubs.

Each machines on each subnet will receive all messages destined for any machine on that subnet. They then check the destination address, and if it is the correct destination it will pass it on to the software layer for appropriate use.

It is easily possible (given administrator/root privileges on a machine) to ask the network card to report all traffic, not just that destined for the current machine. You will then be capable of watching and decoding any traffic on your router spar - possibly your whole company, maybe a floor of your building, maybe just the room you're in.

Application

Packet Sniffers come in various levels of complexity. Some will simply log or save all data with little decoding. Others will decode several protocols and log various items separately.

To the newbie cracker, this is a magical device. Set it running on a network and you'll end up with a few log files. One will contain everyone's passwords as they check their POP3 mail. Another will contain all outgoing mail. And so on.

To the white hat and system administrator, the tool is useful for determining which services and protocols are unencrypted; giving important information for prioritizing work.

To the black hat, it is a source of passwords, private data and so on. For example, imagine that someone uses their cash card PIN as their logon password. Free money!

I once performed a password log for research purposes, and discovered, in a sample of 18 passwords:

  • 6 unchanged from the day they were handed out - these were generated very simply, including the surname of the user.
  • 3 dictionary words - a brute-force cracker can obtain these quickly.
  • 1 possible cash-card PIN - this is very bad protection of privacy.
  • 2 over-shoulder passwords - these would be easily remembered if you stood behind the user, and watched them type.
  • 6 mostly-sound passwords - mixtures of characers, numerals, symbols etc.

Detection

The novice sniffer may think they are undetectable because they are not compromising any systems in order to sniff. This is not the case. Two classic detection methods are now presented:

1. A blabbing NIC. Before sniffing is possible, the network interface card must be put into promiscuous mode. Several NICs will warn the network when this occurs. A vigilant sysadmin will spot it. To avoid getting caught, a potential cracker should check the MAC address of the machine they want to run the sniffer on; then get hold of the same card (using its vendor ID to identify it), and check if it's the blabbing sort.

2. A ping detection. Since the kernel of the sniffing machine is seeing all packets, not just the ones destined for it, a ping can be sent to a suspect machine. Given the correct IP address, but wrong MAC address, this should normally be filtered in the NIC. While in promiscuous mode, the packet will get through, and the sniffing machine will acknowledge the ping. Oops!

To guard against packet sniffing on your network use switches and routers instead of hubs - switches only forward packets to the ethernet address it's addressed to, so it can't be sniffed by a third-party. An entry level switch is only slightly more expensive than a hub, and will give a slight performance increase as well

If you're stuck with a poorly designed/cheaply implemented network, (as you might find in university halls of residence, the greatest risk is from packet sniffing by people on your local segment- they know the most about you, and can use sniffed information to their advantage most readily1. Your best defense against this kind of thing is to use strong encryption for everything you do:

Encrypt your email: Modern email programs can use SSL/TLS when communicating with the server, preventing a sniffed session from yielding any passwords or emails. To protect against packet sniffing further down the line, interception by rogue admins, police, the FBI, aliens, etc. , the actual message has to be encrypted. Programs like PGP and GPG make this process user-friendly.

Safety when web browsing: Don't use any passwords that you use anywhere else to access a website, and think carefully before submitting personal information2. Most browser/server combinations send passwords and data completely unencrypted, unless they're using SLL (recognisable by a padlock icon, and https:// in the location bar)

SSH: SSH is your friend. If you have a shell account that allows SSH port forwarding, use it instead of a direct connection for any servers you use regularly, for example the web proxy3, NNTP(newsgroups), email, and FTP (If you must use it).4 Finally, to transfer files from your shell account to your desktop, use SZ/RZ over SSH instead of FTP.

Unsafe applications: Don't use protocols that pass plain-text passwords. These include, but are not limited to, FTP, telnet, SMTP, POP3, windows SMB filesharing protocol, unix NFS filesharing protocol, and just about any others that were designed in the eighties. If you absolutely have to use these, do it over an SSH port forward, or use a version that incorperates TLS.

1 - Not to mention that everyone's data goes through the main switch or internet gateway, so if the admins wanted to sniff you, there's not a lot you could do about it.

2 - Even if the session isn't sniffed, how do you know the webmaster can be trusted?

3 - On most networks, outgoing web traffic is transparently redirected through their web proxy anyway, so talking to it directly over an encrypted link gives security at no loss of speed.

4 - In theory, at least, the admins are probably more trustworthy and professional than your roommate is...

Log in or registerto write something here or to contact authors.