HIR Issue 8: Packet Sniffing Techniques For The Novice User
by Axon
Ahh, the wonderful world of packet sniffing. You may or may not have done this before...
"Sniffing" is the process of putting your computer's network card into what's called "promiscuous mode". It will read all packets that it sees (whereas normally it only reads the packets that have its address on it). After the card is placed in this mode, a sniffer will track packets (usually parsing the useful data out of the packet and writing it to a log file onto the hard disk). This is a really good way of doing a few things on a network:
- Gathering traffic information, looking for LAN stations that are abusing bandwidth.
- Actually looking at the data inside the packets to see what files people are downloading with FTP, watching telnet sessions, and even watching their usernames and passwords.
- Getting a general idea of where most of the packets are coming from and going to, as a troubleshooting measure.
There are sniffing programs for almost every platform. My favorite platform is linux, as it is already my Operating System of choice, and there are quite a few really easy to use sniffers for it. These include: tcpdump, sniffit, iptraf, and linsniffer. Those are what I use the most. My favorite floppy-linux distribution, Trinux, comes with sniffit, iptraf, and linsniffer. Almost every "big" linux distro (Red Hat, Debian, Caldera, etc) comes with tcpdump, although you might have to select a special option to have it installed automatically.
Tcpdump is probably the hardest of the three to learn how to use. It mostly dumps raw tcp packets out to standard output (or wherever you redirect it to). It has other options, too, but overall, it's difficult to use for the beginner. I'll focus more on the other two.
Linsniffer is quite possibly the most evil of the sniffers I've mentioned. All it does is get passwords. It looks for http passwords, telnet passwords, ftp passwords, and mail passwords. It does a pretty good job, but really lacks an "ethical" use. You can get linsniffer (or any of these sniffers) wherever you can find linux software (places like sunsite, which is now metalab.unc.edu). All you do is run "linsniffer" as root. It will not display any output. Everything it finds will be placed in a file called "tcp.log" in the directory you were in when you started linsniffer.
Sniffit is extremely cute. It's harder to find passwords with it, but if your goal has nothing to do with you finding passwords, and more to do with watching who is connected to what, and maybe even watching the actual connection, this is for you. With Sniffit, I have many times been successful in watching the exact telnet screen of people that are on my segment. You can redirect the sniffed output to another virtual console, and that console becomes the telnet screen of the person whom you are sniffing. You see what they type, what they get back, you watch them read their e-mail with pine, as if their ghost was sitting there using your screen.
Iptraf isn't really a "sniffer" by industry terms, but it still uses promiscuous mode to operate, therefore I call it a "sniffer". Iptraf will break down the traffic stream into chunks for you, so you can see exactly what kind of packets are being exchanged, how big they are, and where they are coming from and going to. This program is not good for looking at the actual data inside the packet, but it's great for finding out who is hogging the bandwidth, and what they're hogging it with.
As far as sniffing on other platforms... For Windows 95 and 98, there is also a plugin for the ever-famous back-orifice program that does sniffing, called "Butt Sniffer". There is also a non-plugin version that just runs in an MS-DOS window under Windows 95/98. This is probably the best Windows 9x sniffer I've seen, and it's worth looking into. It's available through www.cultdeadcow.com under the backorifice page somewhere. Shoutouts to the author, Mudge (who kicked ass at DefCon) =]
------------------
So, if it's so easy to just watch what's going on on the local network, there must be loads of people doing it, right? Well, the paranoid would say so, but in actuality, there probably isn't a whole lot of it going on. I'm not saying that there isn't ANY. So if there's even the possibility that it's there, how would one stay protected from the evils of sniffing?
Well, the apostols (a Spanish hacking group, if memory serves correctly) have a few really good products (one being QueSO, a remote tcp/ip fingerprinter for detecting what OS is being run on a remote machine), but the one we focus on here is "NEtwork Promiscuous Ethernet Detector" (or "neped"). It only runs on UNIX/Linux, that I know of (it's not directly compilable on Windows, but I'm not much of a programmer, so it might be easy to do). I wrote a small shell script that uses neped as a core to take action when promiscuous mode is detected.
sniffdetect.sh is configurable and can run a shell script or a program once as soon as sniffing is detected, and will run another program or script as soon as it sees the sniffing has stopped. It can be used to stop services on your system, e-mail an administrator, page someone, or even to shut down the machine (although I don't know why you would want to do such a thing). I set it up to blast the IP and MAC address of the sniffing machine to my pager, and to tell me that sniffing has ceased when it stops detecting the running sniffers (I wrote some paging software that sends out alpha pages to me from the command line to do this). In theory, it's very possible to make something that will launch a counter-attack/Denial of Service against the sniffing machine, but I'm not really a believer in that method. Here's my shell script.
sniffdetect.sh:
------------begin-------------------------------------------------------
#!/bin/sh
## Cheap-ass promiscuous mode watcher/action-taker
## Written by axon
##
## Requires "NEtwork Promiscuous Ethernet Detector" (neped.c)
## ftp://apostols.org/AposTools/snapshots/neped/neped.c
##
## This program must be run as root, or neped must be set-uid root.
##
#########################################################################
##
## Config Options!
##
######
# Command or shell script that's run when a promisc. mode card is found.
# This might shut down a service, or e-mail an administrator. Up to you.
# (you must write a promisc.sh script or change this variable)
promisccmd="promisc.sh"
# Command or shell script that's run when promisc. mode ceases.
# This might page an administrator or restart a service.
# (you must write a nopromisc.sh script or change this variable)
nopromisccmd="nopromisc.sh"
# Interface to watch, and seconds to wait between neped runs
# (neped probes the whole segment every time, so don't run it back to back).
iface="eth0"
interval=30
# neped returns 8 lines when nothing is found; every host it flags
# adds a line marked "*>".
baseline=8
# Scratch file for one neped report, so we only run neped once per check.
tmp=`mktemp` || exit 1
trap 'rm -f "$tmp"' EXIT
while true
do
    # Wait until promisc. mode is detected
    while true
    do
        neped $iface > "$tmp"
        lines=`wc -l < "$tmp"`              # number of lines returned by neped
        if [ "$lines" -gt $baseline ]; then
            grep '\*>' "$tmp" >> promisc.log # append the flagged hosts to promisc.log
            $promisccmd                      # run the command of your choice
            break
        fi
        sleep $interval
    done
    # Wait until promisc. mode ceases
    while true
    do
        lines=`neped $iface | wc -l`        # number of lines returned by neped
        if [ "$lines" -eq $baseline ]; then
            $nopromisccmd                    # run the command of your choice
            break
        fi
        sleep $interval
    done
done
----------------end sniffdetect.sh------------------------------------------
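The same start/stop logic as sniffdetect.sh, as an added Python example (not from the original article): it keys on the "*>" lines the script greps for instead of counting lines, fires the callbacks once per flagged host for each transition, and spaces out polls. The IP/MAC layout of neped's "*>" line and the sample report are assumptions constructed here, so adjust the pattern to the neped build you run.

```python
import re
import subprocess
import time

# neped flags a host it believes is sniffing with a line starting "*>" (what sniffdetect.sh
# greps for); the IP/MAC layout assumed on that line is this example's guess, not neped's spec.
FLAGGED = re.compile(r"^\*>.*?(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")

SAMPLE_REPORT = (  # constructed sample of one neped report, not real output
    "> My IP Addr: 192.168.1.1\n> Scanning ....\n"
    "*> Host 192.168.1.5, 00:50:56:C0:00:08 **** Promiscuous mode detected !!!\n> End.\n")

def flagged_hosts(report):
    """Return {ip: mac} for every host flagged in one neped report."""
    matches = (FLAGGED.match(line) for line in report.splitlines())
    return {m.group(1): m.group(2).lower() for m in matches if m}

def transitions(previous, current):
    """Hosts that started sniffing since the last poll, and hosts that stopped."""
    return set(current) - set(previous), set(previous) - set(current)

def run_neped(iface):
    """One real poll; neped must be on PATH and this script must run as root."""
    return subprocess.run(["neped", iface], capture_output=True, text=True).stdout

def watch(iface, on_start, on_stop, interval=30, poll=run_neped, rounds=None):
    """Edge-triggered loop: each callback fires once per host per transition."""
    previous, n = {}, 0
    while rounds is None or n < rounds:
        current = flagged_hosts(poll(iface))
        started, stopped = transitions(previous, current)
        for ip in sorted(started):
            on_start(ip, current[ip])
        for ip in sorted(stopped):
            on_stop(ip, previous[ip])
        previous, n = current, n + 1
        if rounds is None or n < rounds:
            time.sleep(interval)  # space out polls; neped itself probes the segment
    return previous

def demo():
    """Replay three polls (sniffer seen twice, then gone) and collect the events."""
    polls = iter([SAMPLE_REPORT, SAMPLE_REPORT, "> Scanning ....\n> End.\n"])
    events = []
    watch("eth0", lambda ip, mac: events.append(("start", ip, mac)),
          lambda ip, mac: events.append(("stop", ip, mac)), interval=0,
          poll=lambda _: next(polls), rounds=3)
    return events
```

Wire your pager or service-stop command into on_start/on_stop and drop the poll/rounds arguments to run it for real against an interface.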
I hope that this gives you the edge that you need. This was in no way a very elaborate "sniffing how-to". You can go anywhere to get that sort of information. This was focused more on how it works, and what tools are used to do it, and how to protect yourself from the world of packet sniffers.