Lecture 7. Sniffers

What is a sniffer?

A sniffer is any device, whether software or hardware, that grabs information traveling along a network. That network could be running any protocol: Ethernet, TCP/IP, IPX, or others (or any combination of these). The purpose of the sniffer is to place the Ethernet adapter into promiscuous mode and by doing so, to capture all network traffic.

---

NOTE: Promiscuous mode refers to that mode where workstations on a network listen to all traffic, not simply their own. In other words, Non-promiscuous mode is where a workstation only listens to traffic routed to its own address. In promiscuous mode, the workstation listens to all traffic, no matter what address this traffic was intended for. 

---

A sniffer can be a combination of both hardware and software. The software might be a general network analyzer enabled with heavy debugging options, or it might be a real sniffer.

A sniffer must be located within the same network block (or net of trust) as the network it is intended to sniff. With relatively few exceptions, that sniffer could be placed anywhere within that block.
 

Sniffers are a significant threat

• They can capture passwords.
• They can capture confidential or proprietary information.
• They can be used to breach security of neighboring networks.
In fact, the existence of a sniffer in itself shows a high level of compromise. In fact, if a sniffer has been placed on your network (by folks other than those authorized to undertake such an action), your network is already compromised. A sniffer attack is characterized as a second-level attack. The cracker has already worked his or her way into your network and now seeks to further compromise the system. To do so, he must begin by capturing all the user IDs and passwords. For that reason (and for the information a sniffer gathers), a sniffer represents an extremely high level of risk.

However, sniffers can catch more than simply user IDs and passwords; they can capture sensitive financial data (credit-card numbers), confidential information (e-mail), and proprietary information. Depending on the resources available to the cracker, a sniffer is capable of capturing nearly all traffic on a network.
 

Where Do Sniffers Come From and Why Do They Exist?

Sniffers are designed as devices that can diagnose network problems and monitor network activities. Sniffers were designed by those aiding network engineers (and not for the purpose of compromising networks).

Sniffers

1. Gobbler (Tirza van Rijn) for MS-DOS and Win 95

2. snoop from Sun
   • requires super-user status
   • sample output
   • sample output (selected portion)

     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1030 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1030 [1] 2977\r\ncs:/user/f
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1030 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 \r\n\r\nUNIX(r) System V
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 c
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 c
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 a
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 a
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 l
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 l
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 v
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 v
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 i
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 i
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 n
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 n
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 Password: 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 T
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 i
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 g
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 e
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 r
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 7
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 =
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 $
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 Last login: Mon Aug 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 cs:/user/faculty/cal
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 l
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 l
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 s
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 s
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188  
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188  
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 -
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 -
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 l
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 l
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 \303\321 112\r\ndrwxr-xr-x  
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 drwxr-xr-x   3 calvi
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 cs:/user/faculty/cal
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 p
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 p
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 a
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 a
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 s
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 s
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 s
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 s
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 w
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 w
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 d
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 d
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 passwd:  Changing pa
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 T
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 i
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 g
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 e
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 r
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 7
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 =
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 $
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
               cs -> pc_rhee.sookmyung.ac.kr TELNET R port=1188 
     pc_rhee.sookmyung.ac.kr -> cs           TELNET C port=1188 
     

3. sniffit for UNIX
   • requires super-user status
   • sample output

     cs# ls
     
     203.252.195.1.110-203.252.195.191.1297  
     203.252.195.1.20-203.252.195.2.1034     
     203.252.195.1.20-203.252.195.2.1035     
     203.252.195.1.21-203.252.195.2.1033     
     203.252.195.1.23-203.252.195.2.1032     
     203.252.195.1.23-203.252.195.65.1030    
     203.252.195.191.1297-203.252.195.1.110
     203.252.195.2.1032-203.252.195.1.23
     203.252.195.2.1033-203.252.195.1.21
     203.252.195.2.1034-203.252.195.1.20
     203.252.195.2.1035-203.252.195.1.20
     203.252.195.65.1030-203.252.195.1.23
     
     cs# more 2*
     
     ::::::::::::::
     203.252.195.1.110-203.252.195.191.1297
     ::::::::::::::
     +OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at cs starting.
     +OK Password required for hrshin.
     +OK hrshin has 0 message(s) (0 octets).
     +OK 0 0
     +OK Pop server at cs signing off.
     
     ::::::::::::::
     203.252.195.191.1297-203.252.195.1.110
     ::::::::::::::
     USER hrshin
     PASS shr1234
     STAT
     QUIT
     
     
     ::::::::::::::
     203.252.195.1.21-203.252.195.2.1033
     ::::::::::::::
     220 cs FTP server (UNIX(r) System V Release 4.0) ready.
     331 Password required for rhee.
     230 User rhee logged in.
     200 PORT command successful.
     150 ASCII data connection for /bin/ls (203.252.195.2,1034) (0 bytes).
     226 ASCII Transfer complete.
     200 PORT command successful.
     150 ASCII data connection for certcc-msg (203.252.195.2,1035) (764 bytes).
     
     ::::::::::::::
     203.252.195.2.1033-203.252.195.1.21
     ::::::::::::::
     USER rhee
     PASS Quick297
     PORT 203,252,195,2,4,10
     LIST
     PORT 203,252,195,2,4,11
     RETR certcc-msg
     QUIT
     
     ::::::::::::::
     203.252.195.1.20-203.252.195.2.1035
     ::::::::::::::
     ¼ö°íÇϽʴϴÙ. 
     Àú´Â ¼÷¸í¿©´ë Àü»êÇаú ½Ã½ºÅÛ°ü¸®ÀÚÀÔ´Ï´Ù.
     À¥ºê¶ó¿ìÀú »ó¿¡¼­ ¿Â¶óÀÎ ½ÃÅ¥¾î ´ÚÅÍ º¸¾È Á¡°ËÀ» ¿äûÇÏ¿´À¸³ª
     °è¼Ó ¾Æ·¡¿Í °°Àº ¸Þ½ÃÁö¸¸ ¶ß¸é¼­ Á¡°ËÀ» °ÅºÎ´çÇÏ°í ÀÖ½À´Ï´Ù.
     IP Addressµµ Á¤È®È÷ ÀÔ·ÂÇÏ¿´°í, ½Ã½ºÅÛ Äֿܼ¡¼­ ³×Æ®½ºÄÉÀÌÇÁ¸¦
     »ç¿ëÇÏ¿© ½ÅûÇÏ¿´½À´Ï´Ù. Âü°í·Î, ½Ã½ºÅÛÀº Solaris 2.5.1ÀÔ´Ï´Ù.
     ÁüÀ۵Ǵ ÀÌÀ¯¸¦ ¾Ë·ÁÁÖ¼ÌÀ¸¸é ÇÕ´Ï´Ù.
     
     >       Á¤º¸ °ËÁõ ¿À·ù
     
     >       »ç¿ëÀÚ¿¡ ÀÇÇØ Á¦°øµÈ ½Ã½ºÅÛ Á¤º¸¸¦ °ËÁõÇÑ °á°ú ºÎÀûÀýÇÑ °ÍÀ¸·Î
      >      ÆǸíµÇ¾ú½À´Ï´Ù. ¿Â¶óÀÎ ½ÃÅ¥¾î ´ÚÅÍ´Â ¼­ºñ½º¸¦ Á¦°øÇÏÁö ¾Ê±â·Î
      >      °áÁ¤ÇÏ¿´½À´Ï´Ù.
     
     >       ¸¸¾à Á¡°ËÇÏ°íÀÚ ÇÏ´Â ½Ã½ºÅÛ¿¡¼­ ½ÅûÀ» ÇÏÁö ¾ÊÀ¸¸é Á¤º¸ °ËÁõ¿À·ù°¡
      >                                    ¹ß»ýÇÏ¿© Á¡°ËÇÒ ¼ö ¾ø½À´Ï´Ù.
     >
      >      Á¡°ËÀ» °è¼ÓÇÏ·Á¸é Ãë¼Ò ´ÜÃ߸¦ ´­·¯ ÁֽʽÿÀ. Á¡°ËÀ» Ãë¼ÒÇÏ¸é º»
      >      ¼­ºñ½ºÀÇ Ã³À½ È­¸éÀ¸·Î µ¹¾Æ°¡°Ô µË´Ï´Ù.
     

How Do I Detect a Sniffer on My Network?

To detect a sniffing device that only collects data and does not respond to any of the information, requires physically checking all your ethernet connections by walking around and checking the ethernet connections individually.

It is also impossible to remotely check by sending a packet or ping if a machine is sniffing.

Sniffers are largely passive applications and generate nothing. In other words, they leave no trace on the system.

One way to detect a sniffer is to search all current processes being run. This isn't entirely reliable, of course, but you can at least determine whether a process is being run from your machine.

Some utilities can identify whether your system has been thrown into promiscuous mode. These can at least detect whether a running sniffer would even work under your current configuration. Nitwit.c is one such utility.
For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a command

     "ifconfig -a"

that will tell you information about all the interfaces and if they are in promiscuous mode.
 

What Can I Do to Foil a Sniffer?

1. Encryption

   There are several packages out there that allow encryption between connections therefore an intruder could capture the data, but could not decypher it to make any use of it.

   A product called Secure Shell, or SSH is one of them. SSH is a protocol that provides secure communications in an application environment such as Telnet.

   One-time password such as S/Key might be used to protect passwords.

2. Active hubs (or called switching hubs)

   Active hubs send to each system only packets intended for it rendering promiscuous sniffing useless. This is only effective for 10-Base T.

3. Compartmentalization

   The generally accepted way to defeat sniffer attacks is to employ safe topology. Here are the rules:

   • Network blocks should only trust other network blocks if there is a reason.
   • The network blocks should be designed around the trust relationships between your staff and not your hardware needs.

• Some traffics are safe from sniffer attacks:
   
  • data transmission from keyboard to the workstation
  • data transmission between the host amd the terminals connected via serial interface