Introduction

A packet sniffer is a legitimate network administration tool which can be extremely powerful in the wrong hands. The beauty, from the cracker's point of view, is that the sniffer is passive: no systems need to be broken into to run it (beyond the one machine it runs on), and since it transmits nothing it appears impossible to detect. (Haha, as if... see Detection below.)

It lets you see not only what people are looking at on the internet, but also internal traffic: people's connections to the mail server, their access to shared directories (however carefully the permissions on those are set, the data crosses the wire in the clear), and so on.

How it works

A network typically consists of computer equipment, hubs and routers. When a message leaves a computer, destined for another, the first place it hits is usually a hub. The hub repeats the message out of every one of its other ports, and any hubs beyond it do the same, so the message reaches every machine on that part of the network. (A switch, by contrast, learns which hardware address sits on which port and repeats a message only to the port it is for; on a switched segment a sniffer sees little beyond broadcasts and its own traffic unless it is given a mirror port.)

A router takes messages and forwards them only to the appropriate port - thereby lowering traffic on individual parts of a local network. There may be a subnet per floor in a large building, with all machines on each floor connected by hubs.

Every machine on such a subnet therefore receives every message sent to any machine on that subnet. The network card checks the destination (hardware, or MAC) address and, only if the message is addressed to that card or to the broadcast address, passes it up to the operating system for appropriate use; everything else is silently discarded by the card itself.

Given administrator/root privileges on a machine, it is easy to ask the network card to report all traffic, not just that destined for the current machine; this is called promiscuous mode. You can then watch and decode any traffic on your segment - the part of the network behind your router: possibly your whole company, maybe a floor of your building, maybe just the room you're in.

Application

Packet Sniffers come in various levels of complexity. Some will simply log or save all data with little decoding. Others will decode several protocols and log various items separately.

To the newbie cracker, this is a magical device. Set it running on a network and you'll end up with a few log files. One will contain everyone's passwords, because POP3 sends the username and password in the clear (the USER and PASS commands) every time they check their mail. Another will contain all outgoing mail, since SMTP is just as plaintext. And so on.
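To make the two points above concrete (the card's address filter from "How it works", and the POP3 log file just described), here is an added example in Python; it is not code from the original article. It models the destination-address filter a network card applies with and without promiscuous mode, then decodes the frames that get through just far enough to pull USER and PASS commands out of a POP3 login. All frames, addresses and the password are constructed inside the file; nothing touches a real network.

```python
# Added example, not from the original article.  Models the NIC's
# destination-MAC filter (normal vs promiscuous) and decodes the frames that
# get through far enough to harvest POP3 USER/PASS commands.  All frames,
# addresses and credentials below are constructed for the example.
import socket
import struct

ETH_P_IP = 0x0800
BROADCAST = b"\xff" * 6
POP3_PORT = 110


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def nic_accepts(frame, my_mac, promiscuous):
    """The filter a NIC applies in hardware before the kernel sees a frame:
    keep unicast to our own address, broadcast and multicast (low bit of the
    first byte set); drop everything else.  Promiscuous mode bypasses it."""
    dst = frame[:6]
    return bool(promiscuous or dst == my_mac or dst == BROADCAST or dst[0] & 1)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame for the sample traffic.  Checksums are left
    zero: a sniffer decodes frames, it does not need to verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp + payload


def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers; return
    (src_ip, dst_ip, sport, dport, payload) or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[data_offset:]


def harvest_pop3(frames, my_mac, promiscuous):
    """Run each frame past the NIC filter, then pull USER/PASS out of traffic
    going *to* the POP3 port.  Returns (client_ip, server_ip, command, arg)."""
    found = []
    for frame in frames:
        if not nic_accepts(frame, my_mac, promiscuous):
            continue
        pkt = decode_tcp(frame)
        if pkt is None or pkt[3] != POP3_PORT:
            continue
        src_ip, dst_ip, _, _, payload = pkt
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                found.append((src_ip, dst_ip, cmd.upper(), arg))
    return found


# Constructed sample: alice's workstation logs in to the mail server over a
# hub; "our" machine is a third host on the same hub with its own address.
MAIL_MAC, MAIL_IP = "02:00:00:00:00:10", "10.0.0.10"
ALICE_MAC, ALICE_IP = "02:00:00:00:00:21", "10.0.0.21"
OUR_MAC = mac_bytes("02:00:00:00:00:99")

SAMPLE_FRAMES = [
    build_tcp_frame(ALICE_MAC, MAIL_MAC, ALICE_IP, MAIL_IP, 40001, 110, b"USER alice\r\n"),
    build_tcp_frame(MAIL_MAC, ALICE_MAC, MAIL_IP, ALICE_IP, 110, 40001, b"+OK\r\n"),
    build_tcp_frame(ALICE_MAC, MAIL_MAC, ALICE_IP, MAIL_IP, 40001, 110, b"PASS hunter2\r\n"),
    build_tcp_frame(ALICE_MAC, "02:00:00:00:00:30", ALICE_IP, "10.0.0.30", 40002, 80,
                    b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("normal NIC:     ", harvest_pop3(SAMPLE_FRAMES, OUR_MAC, promiscuous=False))
    print("promiscuous NIC:", harvest_pop3(SAMPLE_FRAMES, OUR_MAC, promiscuous=True))
```

With the card in normal mode the third machine's filter drops every frame (none is addressed to it) and the log stays empty; in promiscuous mode the same frames yield alice's username and password. A real sniffer replaces the constructed list with frames read from a raw socket or pcap, but the decoding is the same.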

To the white hat and system administrator, the tool is useful for determining which services and protocols are still unencrypted, which is important information for prioritising work.

To the black hat, it is a source of passwords, private data and so on. For example, imagine that someone uses their cash card PIN as their logon password. Free money!

I once performed a password log for research purposes, and discovered, in a sample of 18 passwords:

  • 6 unchanged from the day they were handed out - these were generated very simply, including the surname of the user.
  • 3 dictionary words - a brute-force cracker can obtain these quickly.
  • 1 possible cash-card PIN - this is very bad protection of privacy.
  • 2 over-shoulder passwords - these would be easily remembered if you stood behind the user, and watched them type.
  • 6 mostly-sound passwords - mixtures of characters, numerals, symbols etc.

Detection

The novice sniffer may think they are undetectable because they are not compromising any systems in order to sniff. This is not the case. Two classic detection methods are now presented:

1. A blabbing NIC. Before sniffing is possible, the network interface card must be put into promiscuous mode. Several NICs will warn when this occurs, and the operating system generally records the change as well: Linux, for example, writes "device eth0 entered promiscuous mode" to the kernel log and shows the PROMISC flag on the interface for as long as the mode is on. A vigilant sysadmin who watches logs and interface flags will spot it. To avoid getting caught, a potential cracker would check the MAC address of the machine they want to run the sniffer on, identify the card from the vendor part of that address (the first three bytes), get hold of the same card, and check whether it is the blabbing sort.

2. A ping detection. Since the kernel of the sniffing machine is seeing all packets, not just the ones destined for it, a ping can be sent to a suspect machine with the correct IP address but a deliberately wrong MAC address. A card in normal mode filters the frame out in hardware, and the machine stays silent. In promiscuous mode the frame gets through to the kernel, and if the IP stack does not itself check the hardware address, the sniffing machine replies to the ping. Oops! Whether it does depends on the target's operating system: Linux, for one, tags a frame whose destination MAC is not its own as PACKET_OTHERHOST and drops it at IP input even in promiscuous mode, so silence is not proof of innocence, while a reply is a very strong sign of guilt.
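Both checks, as an added example in Python for a Linux host (this is not code from the original article). The local half reads the interface's PROMISC flag from sysfs and scans kernel-log lines for the promiscuous-mode message; the remote half hand-builds an ICMP echo request with the suspect's correct IP address but a deliberately wrong Ethernet destination and sends it on a raw socket, then waits for a reply. The kernel log lines are constructed here, the interface name and addresses on the command line are placeholders, and the chosen bogus MAC is an assumption (any unicast address that is not the target's will do). Sending needs root.

```python
# Added example, not from the original article: both detection checks for a
# Linux host.  Local side: the interface's PROMISC flag from sysfs and the
# kernel-log line written on the change.  Remote side: an ICMP echo request
# with the suspect's correct IP address but a deliberately wrong Ethernet
# destination, sent raw (root needed).  Kernel log lines below are
# constructed; the interface name and addresses are placeholders.
import re
import socket
import struct
import sys

IFF_PROMISC = 0x100                       # linux/if.h
ETH_P_IP = 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Locally administered unicast address that belongs to nobody on the segment
# (chosen for the example; any MAC that is not the target's and not broadcast
# or multicast will do).
BOGUS_MAC = bytes.fromhex("0200deadbeef")

PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def interface_promiscuous(iface):
    """Check 1a, run on the suspect host itself: is IFF_PROMISC set right now?"""
    with open(f"/sys/class/net/{iface}/flags") as f:
        return bool(int(f.read().strip(), 16) & IFF_PROMISC)


def promisc_events(log_lines):
    """Check 1b: scan kernel log lines for promiscuous-mode transitions.
    Returns a list of (interface, 'entered' | 'left')."""
    events = []
    for line in log_lines:
        m = PROMISC_LOG.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src_mac, dst_mac, src_ip, dst_ip, ident=0x5E1F, seq=1):
    """Check 2: Ethernet/IPv4/ICMP echo request.  dst_ip is the suspect's real
    address; dst_mac is wrong on purpose, so only a card that is not filtering
    on destination MAC will pass it up.  Checksums are valid so a kernel that
    does receive it has no other reason to drop it."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + b"sniff?"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + icmp


def interface_mac(iface):
    """Our own card's address, from sysfs."""
    with open(f"/sys/class/net/{iface}/address") as f:
        return bytes.fromhex(f.read().strip().replace(":", ""))


def send_probe_and_wait(iface, frame, suspect_ip, timeout=2.0):
    """Send the raw frame and wait for an ICMP echo reply from suspect_ip.
    A reply means the suspect's kernel processed a frame its NIC should have
    dropped.  Needs CAP_NET_RAW (root) and Linux AF_PACKET."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(frame)
        try:
            while True:
                ip = s.recv(65535)[14:]
                ihl = (ip[0] & 0x0F) * 4
                if (ip[9] == 1 and socket.inet_ntoa(ip[12:16]) == suspect_ip
                        and ip[ihl] == ICMP_ECHO_REPLY):
                    return True
        except socket.timeout:
            return False


# Constructed kernel log extract (the shape `dmesg` shows on a Linux host).
SAMPLE_KERNEL_LOG = [
    "[  812.104] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex",
    "[  845.330] device eth0 entered promiscuous mode",
    "[ 2903.771] device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    # usage: probe.py <iface> <our-ip> <suspect-ip>   (placeholders; run as root)
    iface, our_ip, suspect_ip = sys.argv[1:4]
    print("promiscuous-mode log events:", promisc_events(SAMPLE_KERNEL_LOG))
    print("local PROMISC flag on", iface, ":", interface_promiscuous(iface))
    probe = build_probe(interface_mac(iface), BOGUS_MAC, our_ip, suspect_ip)
    print("echo reply from", suspect_ip, "to a mis-addressed frame:",
          send_probe_and_wait(iface, probe, suspect_ip))
```

Run the local checks on the machine you suspect (or feed it that machine's logs); run the probe from any other host on the same hub segment, since a router in between would rewrite the Ethernet destination and defeat the point of the test. A False from the probe says nothing on its own, for the reason given above.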