Sniffin' the Ether

I. Introduction

I am writting this primer on sniffers for the Attrition Newbie Track. I hope that this will be a good resource about sniffers for beginners as well as being a complete enough reference for someone who has more experience on the subject. Enjoy!

II. What is a Sniffer?

A sniffer is a program that puts a NIC (Network Interface Card), also known as an Ethernet card, (one of the necessary pieces of hardware to physically connect computers together) into what is known as promiscuous mode. Once the network card is set to this mode, it will give the sniffer program the ability to capture packets being transmitted over the network. (A quick note: packets are transmitted over the network until they reach their target host. A sniffer takes advantage of this and captures ALL packets as they are being transmitted). Some sniffers go about different ways of capturing packets and this will be described later on in the article.

                      friend           bad              dest 
                       comp            guy              comp
                        |               |                 |
     your comp    -----------------------------------------
                  > > > ^ > > > > > > > ^ > > > > > > > > ^
A standard packet will travel from "your comp" through the network. Each computer on the network will receive that packet. Starting with "friend comp", followed by "bad guy" and ending up at "dest comp." Each machine is supposed to ignore the packet if it is not destined for the IP address assigned to that computer. However, a sniffer program bends that etiquette and accepts ANY packet it receives. A sniffer is also known as a network analyzer. There is no real difference between a network analyzer or a sniffer but security companies and the Federal government like this name because it sounds more legitimate and less threatening. The original term for capturing all packets on a netowrk was called 'Sniffing the Ether' which sounded like something bad to people not familiar to computers and ethernet. 'Ether' was a technology term used to describe the land of packets, made up of cables and network cards and should not be confused with the chemical ethyl oxide.

III. What Type of an Attack is it?

A sniffer being used on a network to snoop passwords and anything else is considered to be a passive attack. A passive attack is one that doesn't directly intrude onto a foreign network or computer. Using a sniffer as an example, one is set up in hopes of catching desired information including logins and passwords. On the other hand, an active attack directly interfaces with a remote machine. Remote buffer overflows, network floods and other similiar attacks fall under the category of an active attack . By nature, passive attacks are not meant to be discovered by the person(s) being attacked. At no point should they have indication of your activity. This makes sniffers just as serious as any active attack.

IV. What a Sniffer is Good For

With the aid of a sniffer, you can get information that has been broadcast over the network including passwords, emails, confidental documents, and any other unencrypted traffic. In essence, the sniffer acts as a primary logging program for all machines on the network. By capturing all packets, the sniffer also helps paint a picture of the network it is operating on. This allows for the creation of an accurate map of the network and the machines that are on them. Another popular method widely used to break into secure machines is to break into a machine either directly or in-directly trusted by the target machine. Trust within the scope of a network is that some machines are setup to "trust" other computers to share resources. Therefore if you are able to gain access to a trusted box, you can abuse that trust and use it as a springboard into the rest of the network. By sniffing traffic on hosts close to the target machine, the liklihood of gaining the vital information needed are increased.

V. Different Types of Sniffers

Most of the more popular sniffers only monitor one connection at a time. The reason for this is to make the sniffer harder to detect due to smaller logs and less use of CPU power. A small number of sniffers monitor all connections. Often times, looking at the CPU load and file system are the only ways to detect such sniffers. Intruders are often quick to backdoor systems so that normal utilities like ps and ifconfig will not provide reliable output. If you notice your CPU load is higher than normal, or that every day you lose one more meg of disk space that can't be explained, it may point to the presence of a sniffer. This type is easier to spot because their logs will be much larger, they will eat up much more CPU, but in return it will log much more. On large networks, these sniffers may generate up to ten megabyte logs a day if set to log all interactive traffic. Sniffers designed to monitor interactive traffic as well as mail may grow even faster. Sniffers also have different methods of logging. Some sniffers will only record the first X (X being a certain number) bytes of a packet to capture a login/password. The other method will capture the entire session, which would make it into a key logger. Some of the more versatile sniffers will support both methods. These will vary depending on the intruder and the desired end result.

VI. Sniffer Construction

If you are interested in more details on how a sniffer works, there is an excellent two-part paper by Chad Renfro. He details the basic elements of programming a sniffer which requires a working knowledge of the C programming language. If you understand Renfro's article well, you should advance on to studying the source code of sniffers (such as esniff.c).

VII. Popular Sniffers

There are sniffers that are considered to be primarily 'hacker' tools while the rest of them are considered to be system administration tools. The following is a brief list of popular sniffers:

Sniffit: This is a very good sniffer. It was written by Brecht Clearhout. This is one of the first sniffers you should use to get you used to them. This sniffer also only saves the first 400 bytes of a packet by default but you can program it to capture the whole sesson and have it act as a password logger.

Snort: At the time of this writting, Snort 1.2.1 was released. This is another good sniffer because it is updated more often than Sniffit as well as having a plethora of options and cross-platform portability. Get it!

TCP Dump: This is a famous sniffer. It comes with a few *nix distros and is considered to be a more professional administrative tool. You might remember that Tsutomu Shimomura had a 'modified' version of this sniffer (well actually it was Berkeley Packet Filter (BPF) but there is not much difference) on his box at home so that when he was hacked by Kevin Mitnik the logs were sent off-site. He later wrote a paper on the attack with some of the logs to help illustrate the attack.

ADMsniff: The well-known, highly-skilled hacker group ADM put out a nice sniffer so be sure to check it out - anything they do is definitely worth a look.

Linsniffer: This is another well-known sniffer designed for the Linux platform.

Esniff: This too is a well known sniffer.

Sunsniff: It is as its name implies- made to work on SunOS. Perhaps one of the more widely known sniffers, this one was created almost a decade ago.

Solsniffer: This is a Solaris sniffer. This is just a modification of Sunsniff designed to compile cleanly on the Solaris platform. Some of the better sniffers out there like Snort have the ability to work on multiple platforms. I could go on for much longer but I pointed out a few to give you a start. You should go to a good security site and download all of the sniffers you can find.

VIII. Detection & Prevention

If you are in charge of a network's security, you are going to need to check if someone has installed a sniffer somewhere on the network that is not supposed to be there. The first way to do this is to get a small C program called promisc.c. When compiled, it will search your local machine for any NICs in promiscuous mode (which was briefly discussed at the beginning of this text). The C program, neped.c, will do remote checking for any sniffing activity however it will compile on Linux only. To search by hand, issue the command 'ifconfig -a' if you are on a *nix. Look for any of your network interfaces bearing the PROMISC flag. The L0pht has put out a very good piece of ware called AntiSniff. So far, it is still in beta and runs on Win9* but was made with NT in mind. The L0pht is planning to release an open source command-line version for Linux. But if you want a Linux program now that will do the same type of searching, check out neped.c. These tools are designed to remotely detect sniffers on other hosts within the same subnet. While not foolproof, they are excellent tools and often quite reliable. For the prevention of unauthorized sniffing, you should use strong cryptography, (you should be using strong crypto no matter what!), so even if someone does sniff you, you are not at much risk from this form of attack. When you originally designed your LAN, you should of had security in mind anyway. I am not going to go into secure LAN and segmentation design because it is another text all together however these are a couple of mehods to help you out. You should search the net and various security sites (as well as using you brain) to help better the security of your network.

VIV. Making Sniffers Hard to Detect

There is a method to help make it more diffcult to detect a sniffer on a network. Have the sniffer put a NIC card into promiscuous mode but assign the card the address of 0.0.0.0. This will allow the sniffer to monitor traffic but to not be detected. But there is still the issue of messages and alerts which will be handed off from the card the sniffer is on to another card to finish being delivered. The second card has a regular address but is not in promiscuous mode so it will be very hard for someone to detect this type of setup.

X. How to Beat Sniffers

I am not going to get into this because Horizon put out an awesome article in Phrack issue 54 (file 10) so go and study it. His paper outlines many methods and tricks for beating sniffers.

XI. Resources

The Security Focus Web site has a great collection of sniffers while Phrack.com has Horizon's article. Robert Graham put out the Sniffing (network wiretap, sniffer) FAQ. Shimomur.txt is the text mentioned above that Shimomura wrote detailing an attack using some sniffer logs to illustrate. L0pht.com are the makers of Antisniff -its a great free program to detect illegal sniffers on your network.

XII. In Closing

I hope that I have done a good enough educating some of you newbies reading this as well as making a decent point-of-reference for the more experienced that may stumble upon this.

Written by: Alaric (alaric@attrition.org)
Editing by: Jericho & Mcintyre
HTMLized by: Mcintyre

Copyright 1999, Alaric