Monday 5 November 2007

Sniffers

When I tell some of my co-workers that I’m sniffing the network, they have a tendency to look at me funny. A Sniffer (also known as a Network Analyzer) is a piece of software that can look at network traffic, decode it, and give meaningful data that a network administrator can use to diagnose problems on a network. Sniffers are also useful tools for deviant computer users since they can be used to pull plain text passwords off a network.

First an explanation of some network basics is in order. Most Ethernet networks used to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud party: you may have to wait for quite a spell for your chance to get your words in during a lull in everybody else’s conversation. All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as “promiscuous mode” it will look at all of the packets on the wires it is hooked to.
To cut down on the number of collisions and the possibility of sniffing data that does not belong to a node, most networks use switches. On a network, a hub is a passive device that sends all traffic it receives to all of its ports. A switch, on the other hand, looks at the MAC addresses of the nodes hooked to it and what ports they are on, then tries to send packets only to the nodes they are intended for. A switch cuts back on the number of collisions on the network, increasing throughput. In theory, on a switched network a node can only see broadcast messages (meant for all computers on the LAN) and packets addressed to its MAC, along with the occasional stray packet whose destination is not known. Even with switches in place a LAN can be sniffed using the mirrored port on some switches (put there so administrators can use a Sniffer to diagnose network problems), by confusing the switch into mirroring traffic to all ports, or by a technique known as ARP poisoning.
Sniffers can also be used by those trying to bypass security. Many popular application protocols pass logon credentials (username and password) in plain text or using weak encryption that’s easy for a Sniffer to decode. Common examples of such insecure protocols are FTP, Telnet, POP3, SMTP, and HTTP Basic Authentication. In their place use encrypted protocols like SFTP, SSH (Secure Shell), and HTTPS (SSL) when possible. Protocols like FTP may be hard to switch away from because the clients for more secure protocols like SFTP are not as readily available. FTP clients come with every recent version of Windows (ftp.exe from the command line and Explorer from a GUI), but free clients that support SFTP like FileZilla and PSFTP can be downloaded. A few sniffers that have good password extraction abilities include Cain, Dsniff and Ettercap. All three are free or Open Source. Cain is for Windows only and Dsniff and Ettercap are mostly used in *nix environments but also have Windows versions available.
ARP stands for Address Resolution Protocol and it allows the network to translate IP addresses into MAC addresses. Basically, ARP works like this: When one host using IP on a LAN is trying to contact another, it needs the MAC address of the host it is trying to contact. It first looks in its ARP cache (to see your ARP cache in Windows type in “arp -a” at the command line) to see if it already knows the MAC address, but if not, it broadcasts out an ARP request asking “Yo, who has this IP address I’m looking for?” If the host that has that IP address hears the ARP query it will respond with its own MAC address and a conversation can begin using IP. In common bus networks like Ethernet using a hub or 802.11b, all traffic can be seen by all hosts whose NICs (network interface cards) are in promiscuous mode, but things are a bit different on switched networks. A switch looks at the data sent to it and tries to only forward packets to the intended recipient based on the MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go. There are ways around switches though. Using a program like Arpspoof (part of the Dsniff package), Ettercap or Cain we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.
Even with a switched network it’s not hard for an attacker to use Dsniff or Ettercap from the BackTrack boot CD to do some ARP spoofing and redirect traffic through them for the purposes of sniffing. These tools can even parse out usernames and passwords automatically, making the attacker’s job easy. If the attacker ARP spoofs between the gateway and the FTP server he can sniff the traffic and extract usernames and passwords as users are trying to get their data from offsite, and the same thing goes for SMTP and POP3. Even with SFTP, SSL, and SSH, passwords can still be sniffed with Ettercap because it has the ability to proxy those types of connections. The user might get a warning that the public key of the server they are trying to get to has changed or may not be valid, but how many of us just click past those kinds of messages without actually reading them?
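The two paragraphs above describe what ARP looks like on the wire and how a poisoner abuses it. The defender’s side of that is an ARP watcher: keep your own copy of the IP-to-MAC table (the same thing “arp -a” shows you) and raise an alert whenever a reply tries to change it. The Python below is an added example written for this post, not code from Dsniff, Ettercap or Cain. It builds a few Ethernet/ARP frames from constructed, made-up MAC and IP addresses (the “gateway” 192.168.1.1, a client 192.168.1.10 and an attacker MAC de:ad:be:ef:00:01 are all assumed values), parses them with the standard 28-byte ARP layout, and flags the three things a poisoning run produces: an IP whose MAC suddenly changes, an ARP sender MAC that does not match the Ethernet source, and one MAC answering for more than one IP.

```python
import socket
import struct

# Ethernet header: destination MAC, source MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
# ARP packet for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Build a raw Ethernet frame carrying one ARP request or reply (constructed test data)."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Track IP -> MAC bindings from observed ARP traffic and flag changes that look like poisoning."""

    def __init__(self, known=None):
        self.table = dict(known or {})   # seeded like a trusted arp -a cache
        self.alerts = []
        self._multi_reported = set()

    def observe(self, arp):
        if arp is None:
            return
        ip, mac = arp["spa"], arp["sha"]
        # A forged reply often carries a sender MAC that the Ethernet header contradicts.
        if arp["eth_src"] != mac:
            self.alerts.append(f"{ip}: ARP sender MAC {mac} differs from Ethernet source {arp['eth_src']}")
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac
        elif old != mac:
            self.alerts.append(f"{ip}: MAC changed from {old} to {mac} (possible ARP poisoning)")
            self.table[ip] = mac
        # One MAC claiming several IPs (typically the gateway and a victim) is the man-in-the-middle shape.
        ips = tuple(sorted(i for i, m in self.table.items() if m == mac))
        if len(ips) > 1 and (mac, ips) not in self._multi_reported:
            self._multi_reported.add((mac, ips))
            self.alerts.append(f"{mac}: claims {len(ips)} IPs {ips}")


def run_demo():
    """Feed a constructed capture through the watcher and return its alerts."""
    gw_mac, client_mac, attacker_mac = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:01"
    watch = ArpWatch({"192.168.1.1": gw_mac, "192.168.1.10": client_mac})
    frames = [
        build_arp_frame(ARP_REQUEST, "00:11:22:33:44:20", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp_frame(ARP_REPLY, gw_mac, "192.168.1.1", client_mac, "192.168.1.10"),        # legitimate
        build_arp_frame(ARP_REPLY, attacker_mac, "192.168.1.1", client_mac, "192.168.1.10"),  # poisons client
        build_arp_frame(ARP_REPLY, attacker_mac, "192.168.1.10", gw_mac, "192.168.1.1"),      # poisons gateway
    ]
    for frame in frames:
        watch.observe(parse_arp_frame(frame))
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In production you would feed `observe()` from a raw socket or a pcap reader instead of `build_arp_frame()`, and seed the table from a known-good “arp -a” dump taken when the network was quiet. The watcher also records sender bindings from requests, not just replies, because a poisoner can push a false binding with either opcode.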