Module VII Sniffers
Dave works as an engineer in the IT support department of a multinational banking company. Sam, a graduate in Computer Engineering, has recently been recruited by the bank as a trainee to work under Dave. Sam knew about packet sniffers and had seen their malicious use.
Sam wanted to sniff the network to show the vulnerabilities to Dave.
1. What information does Sam need to install a sniffing program?
2. How can Sam find out if there are any sniffing detectors in the network?
3. Can Sam sniff from a remote network?
4. Can he install a sniffer in Dave's machine?
5. Can he gain credit card information by sniffing?
6. Is Sam's action ethical?
Definition
Objectives of sniffing
Passive Sniffing
Active Sniffing
Different types of Sniffing tools
Countermeasures
Summary
Definition Of Sniffing
A sniffer is a program or device that captures vital information from the network traffic specific to a particular network.
Sniffing is basically a
The objective of sniffing is to grab:
1. Passwords (e-mail, web, SMB, ftp, SQL, telnet)
2. E-mail text
3. Files in transfer (e-mail, ftp, SMB)
Passive sniffing (hub-based LAN): the data sent across the LAN is sent to each system on the LAN.
Active sniffing (switched LAN): the switch looks at the MAC address associated with each frame and sends data only to the required connection.
Attacker: tries to poison the switch by sending bogus MAC addresses.
EtherFlood floods a switched network with Ethernet frames carrying random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports, so that the attacker is able to sniff all traffic on the network.
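The fail-open behaviour described above, and the switch "Port Security" countermeasure listed later in this module, as an added Python simulation that is not part of the original module: a toy learning switch with a fixed-size MAC table, an attacker port spraying constructed random source MACs, and the egress of a later server-to-victim frame with and without a per-port MAC limit. All port numbers, MAC addresses, the table size and the frame counts are constructed assumptions.

```python
import random
from collections import defaultdict

class Switch:
    """Toy learning switch. A frame to an unknown destination MAC is flooded out every other
    port. Once the MAC table is full no new source can be learned, so traffic to hosts that were
    never learned keeps flooding (the repeating/"hub" mode the text describes). With
    `port_limit` set, a port presenting more source MACs than allowed is shut down, which is what
    a switch's port-security feature does."""
    def __init__(self, ports, capacity, port_limit=None):
        self.ports, self.capacity, self.port_limit = list(ports), capacity, port_limit
        self.cam, self.port_macs, self.disabled = {}, defaultdict(set), set()

    def forward(self, in_port, src, dst):
        """Return the egress ports for one frame ([] if the ingress port is err-disabled)."""
        if in_port in self.disabled:
            return []
        if src not in self.cam:
            if self.port_limit is not None and len(self.port_macs[in_port]) >= self.port_limit:
                self.disabled.add(in_port)        # port-security violation: drop and shut the port
                return []
            if len(self.cam) < self.capacity:     # table full: the source stays unlearned
                self.cam[src] = in_port
                self.port_macs[in_port].add(src)
        out = self.cam.get(dst)
        return [out] if out is not None else [p for p in self.ports if p != in_port]

def mac_flood_demo(port_limit=None, seed=1):
    """Attacker on port 3 sprays frames with random source MACs (constructed with a seeded RNG,
    macof/EtherFlood style); afterwards the server on port 1 sends a frame to the victim on
    port 2. Returns that frame's egress ports and whether port 3 ended up err-disabled."""
    rnd = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], capacity=1024, port_limit=port_limit)
    victim, server = "00:11:22:33:44:0a", "00:11:22:33:44:01"   # constructed addresses
    for _ in range(2000):
        fake_src = ":".join(f"{rnd.randrange(256):02x}" for _ in range(6))
        sw.forward(3, fake_src, "ff:ff:ff:ff:ff:ff")
    sw.forward(2, victim, server)      # the victim speaks, but the table is already full
    egress = sw.forward(1, server, victim)
    return egress, 3 in sw.disabled
```

Without a limit the server-to-victim frame leaves on ports 2 and 3, so the attacker's port receives it; with `port_limit=2` port 3 is shut after its third source MAC and the frame goes only to port 2.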
ARP resolves IP addresses to the MAC (hardware) address of the interface used to send data. ARP packets can be forged to send data to the attacker's machine(s).
An attacker can exploit ARP poisoning to intercept network traffic between two machines in the network. MAC flooding a switch's ARP table with spoofed ARP replies allows an attacker to overload the switch and then packet sniff the network while the switch is in "hub" mode.
Step 1: Attacker says that his IP is 192.168.1.21 and his MAC address is (say) ATTACKERS_MAC.
Step 2: Victim's Internet traffic is forwarded to the attacker's system, as its MAC address is now associated with the router.
Step 3: Attacker forwards the traffic to the router.
Countermeasures:
Use static IP addresses and static ARP tables, which prevent hackers from adding spoofed ARP entries for machines in the network.
Enable the "Port Security" features of the network switch.
Use Arpwatch to monitor Ethernet activity.
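An added example, not from the original module, of what the Arpwatch and static-ARP-table countermeasures above amount to in code: a parser for Ethernet/ARP frames and a monitor that learns IP-to-MAC bindings from the wire and reports when a binding changes, refusing to overwrite bindings pinned as static. The MAC addresses in the constructed sample capture are assumptions; the router IP 192.168.1.21 is the one from the steps above, and ATTACKER_MAC stands in for the ATTACKERS_MAC placeholder.

```python
import struct

# Ethernet II header and ARP packet (RFC 826) wire formats.
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s):  return bytes(int(x) for x in s.split("."))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_str(b):    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    # Broadcast ARP frame; used here only to construct the sample capture below.
    eth = ETH.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(sha), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                          mac_bytes(tha), ip_bytes(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

class ArpMonitor:
    """Learn IP->MAC bindings from ARP traffic and report changes, as Arpwatch does.
    Bindings passed as `static` are pinned: the wire can never overwrite them."""
    def __init__(self, static=None):
        self.table, self.static, self.alerts = dict(static or {}), set(static or {}), []

    def observe(self, frame):
        # Feed one frame; returns (ip, expected_mac, observed_mac) when a binding changes.
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # not ARP, or an ARP probe with no binding
            return None
        _op, sha, spa, _tpa = parsed
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha                    # first sighting: learn it
        elif known != sha:                           # changed: forged reply or a real NIC swap
            self.alerts.append((spa, known, sha))
            if spa not in self.static:
                self.table[spa] = sha
            return self.alerts[-1]
        return None

# Constructed sample capture: the router answers the victim, then a second host (ATTACKER_MAC,
# a placeholder) claims the router's IP 192.168.1.21 with its own MAC.
ROUTER_MAC, ATTACKER_MAC, VICTIM_MAC = "00:11:22:33:44:01", "00:de:ad:be:ef:99", "00:11:22:33:44:0a"
SAMPLE = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.21"),
    build_arp(ARP_REPLY, ROUTER_MAC, "192.168.1.21", VICTIM_MAC, "192.168.1.10"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.21", VICTIM_MAC, "192.168.1.10"),
]
```

Feeding SAMPLE to a plain ArpMonitor yields one alert for 192.168.1.21 and the table follows the forged reply; with the router binding passed as `static` the alert is still raised but the pinned entry is kept.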
Tools For Sniffing
Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, NGSSniff, Ntop, pf, IPTraf, Etherape, Netfilter, Network Probe, MaaTec Network Analyzer, Snort, Macof, MailSnarf, URLSnarf, WebSpy, Windump, Etherpeek, Ettercap, SMAC, Mac Changer, Iris, NetIntercept, WinDNSSpoof
Ethereal is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. The user can interactively browse the captured data, viewing summary and detailed information for each captured packet.
Data can be intercepted "off the wire" from a live network connection, or read from a capture file.
It can read capture files from tcpdump. Command line switches to the editcap program enable editing or conversion of the capture files.
Display filters enable refinement of the data.
Dsniff is a collection of tools for network auditing and penetration testing. ARPSPOOF, DNSSPOOF, and MACOF facilitate the interception of network traffic that is normally unavailable to an attacker. SSHMITM and WEBMITM implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by taking advantage of the weak bindings in ad-hoc PKI.
Sniffit is a packet sniffer for TCP/UDP/ICMP packets. It provides detailed technical information about the packets and packet contents in different formats.
By default it can handle Ethernet and PPP devices, but can be easily forced into using other devices.
Aldebaran is an advanced Linux sniffer/network analyzer.
It supports sending data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in html, capture rules, colored output, and much more.
Hunt is used to watch TCP connections, intrude into them, or reset them.
It is meant to be used on an Ethernet segment, and has active mechanisms to sniff switched connections.
Features:
It can be used for watching, spoofing, detecting, hijacking, and resetting connections.
MAC discovery daemon for collecting MAC addresses.
Sniff daemon for logging TCP traffic, with the ability to search for a particular string.
NGSSniff is a network packet capture and analysis program.
Packet capture is done via Windows sockets raw IP or via Microsoft Network Monitor drivers.
It can carry out packet sorting and does not require installed drivers to run.
It carries out real time packet viewing.
Ntop is a network traffic probe that shows network usage. In interactive mode, it displays the network status on the user's terminal. In web mode, it acts as a web server, creating an HTML dump of the network status.
pf is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation.
It is also capable of normalizing and conditioning TCP/IP traffic, providing bandwidth control and packet prioritization.
IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the currently monitored IP traffic. IPTraf can be used to monitor the load on an IP network, the types of network services that are most in use, the proceedings of TCP connections, and more.
Etherape is a graphical network monitor for UNIX. Featuring link layer, IP and TCP modes, it displays network activity graphically. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
Network traffic is displayed graphically: the more "talkative" a node is, the bigger its representation. The user may select the level of the protocol stack to concentrate on, looking at traffic within the network, end-to-end IP, or even port-to-port TCP. Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file. The data display can be refined using a network filter.
Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling. Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register callback functions that are called every time a network packet traverses one of those hooks.
Features:
Stateful packet filtering (connection tracking)
Many network address translation schemes
Flexible and extensible infrastructure
Large numbers of additional features, available as patches
Network Probe is a network monitor and protocol analyzer that gives the user an instant picture of the traffic situation on the target network. All traffic is monitored in real time. All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces.
MaaTec Network Analyzer
MaaTec Network Analyzer is a tool that is used for capturing, saving and analyzing network traffic.
Features:
Real-time network traffic statistics.
Scheduled network traffic reports.
Online view of incoming packets.
Multiple data color options.
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console. Packet logger mode logs the packets to disk. Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Macof, MailSnarf, URLSnarf, WebSpy
Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing. MailSnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network. URLSnarf is a tool for monitoring web traffic. WebSpy allows the user to see all the web pages visited by the victim.
WinDump is the port to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX.
Etherpeek is an Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding and displaying packet data, it discovers protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, unreachable devices, etc.
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters in one screen. The built-in logging capability allows the tracking of MAC address modification activities.
MAC Changer is a Linux utility for setting a specific MAC address on a network interface. It enables the user to set a random MAC address, a MAC from another vendor, or another MAC from the same vendor. The user can also set a MAC of the same kind (e.g. wireless card). It offers a vendor MAC list (more than 6200 items) to choose from.
Ettercap is a tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP poisoning based sniffing, etc.
Iris allows the reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is surfing the web during work hours.
NetIntercept is a sniffing tool that studies external break-in attempts, watches for misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, searches traffic by criteria such as e-mail headers, web sites, and file names, etc.
WinDNSSpoof is a simple DNS ID spoofer for Windows 9x/2K.
In order to use it you must be able to sniff the traffic of the computer being attacked.
Usage: wds -h
Example: wds -n www.microsoft.com -i 22.214.171.124 -g 00-00-39-5c-45-3b
TCPDump, Network Monitor
TCPDump is a widely used network diagnosis and analysis tool for UNIX-based OSs. It is used to trace network problems, detect ping attacks, and monitor network activity. It monitors and decodes application layer data.
Network Monitor is network-monitoring software that is part of Windows NT Server. The latest versions capture all data traffic. It maintains the history of each network connection, provides high-speed filtering capabilities, and captures network traffic and converts it to a readable format.
An MS-DOS based sniffer: used to gain knowledge about network traffic; used remotely over a network; runs from a single workstation, analyzing only the local packets.
A freeware packet sniffer written in C: executes on MS-DOS and Novell platforms; cannot be used to sniff rlogin and Telnet sessions.
Esniff, Sunsniff, Linux Sniffer, Sniffer Pro
Esniff: written in C by a hacker called "rokstar". Used to sniff packets on OSs developed by Sun Microsystems. Coded to capture the initial bytes, which include the username and password.
Sunsniff: written in C, specifically for the Sun Microsystems OS.
Linux Sniffer: a Linux-specific sniffer written in C for experimenting with network traffic.
Sniffer Pro: trademark of Network Associates Inc. Easy-to-use interface for capturing and viewing network traffic.
Sam found out that he was working in a shared Ethernet network segment, so a sniffer could be launched from any machine in the LAN. Sam ran a sniffer and at the end of the day he studied the captured data. Sam could not believe it!!!
He was actually able to:
1. Read e-mails
2. Read passwords off the wire in clear text
3. Read files
4. Read financial transactions and credit card numbers
Sam decided to share the information with Dave the next day. How do you think Dave will react to this? Was Sam guilty of espionage?
Restriction of physical access to network media to ensure that a packet sniffer cannot be installed.
The best way to be secured against sniffing is to use encryption. It will not prevent a sniffer from functioning, but it will ensure that what a sniffer reads is incomprehensible.
ARP Spoofing is used to sniff a switched network. So the attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache.
Change the network to SSH.
There are various tools to detect a sniffer in a network. They are as follows:
ARP Watch
Promiscan
Antisniff
Prodetect
Sniffing allows the capture of vital information from network traffic. It can be done over a hub or a switch (passive or active sniffing). Passwords, e-mail, files, etc. can be captured by means of sniffing. ARP poisoning can be used to change the switch mode of the network to hub mode and subsequently carry out packet sniffing. Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, NGSSniff, etc. are some of the most popular sniffing tools. The best ways to be secured against sniffing are to use encryption, apply the latest patches, and apply other lockdown techniques to the systems.