The Mighty Sniffer

One of the most important tools in a security professional’s arsenal is the mighty ‘sniffer’. Its power is never underestimated, never undervalued. A sniffer is many things to many people. In the right hands it is invaluable, allowing for the analysis of complex traffic passing over the network, in the wrong hands it can be a destructive force, allowing for the capture of confidential or sensitive data as it flows on the wire.

A sniffer, sometimes called protocol or network analysers, is essentially hardware or software that can intercept or log traffic as it passes over the network. It will then decode that data traffic and present it in a easily understandable format, always in accordance with the particular protocol’s specifications. A sniffer is the ultimate network ‘wire-tap’ offering an insight into the black-art of computer conversations

The most common type of network is the Ethernet network. Ethernet was built on the principal that all computers on the same network will share the same ‘wire’. As a result, it is potentially possible that any one computer on the network could see all of the traffic on that network, regardless of whether that traffic was destined for it or not. To overcome this possibility, all Ethernet hardware (your network card) is programmed with a ‘filter’ that instructs it to ignore packets that do not its own MAC address. This has the effect of a single computer only receiving data that has been addressed directly to it, or to the whole network, like broadcast packets.

With sniffing, we essentially turn off or disable the filter, forcing the card into what has been aptly named ‘promiscuous mode’. When a network card is operating in promiscuous mode, as long as the traffic is on the same wire, it will see it. And there in lies its power. The sniffing software then translates the captured packets into something more easily understood and displays it in the usual array of fancy ways, depending on the particular software in use.

Sniffers have a wide range of uses. Fault analysis and performance analysis are the two most obvious ways that the purchase of a commercial grade sniffer can be justified. Network intrusion detection is another benefit, in that devices running in promiscuous mode can monitor the network for unusual patterns of traffic, and create alerts or take action as appropriate. More sinister uses are the automatic sifting of clear text passwords from the network, or clear text protocols such as SMTP (email) or HTTP (web). In fact, encrypted passwords can be captured, and cracked offline at a later stage.

SMTP email is notoriously insecure, but despite repeated warnings many people persist in using email as a means to distribute confidential documents or information. A short sharp wake up call may be to demonstrate, through the use of a sniffer, exactly just how easy it is for an unauthorised individual to capture SMTP email from a network.

Many of the more technically adept among you, will surely argue that with the advent of switched networks, sniffing, or at least unauthorised sniffing, have become a thing of the past. Not so. While a switch can provide a good defence against the causual sniffer, it is important to remember that a switch creates a ‘broadcast domain’ providing an attacker the ability to spoof ARP packets and thus gain access to all of the traffic on the wire.

One of the best known exploits is to use “router redirection”. ARP queries contain the correct IP-to-MAC mapping for the sender. In order to reduce ARP traffic, and traffic in general on the network, computers cache the information that they read from the query broadcasts. A malicious attacker could redirect nearby machines to forward traffic through it by sending out regular ARP packets containing the router’s IP address mapped to its own MAC address. All the machines on the local wire will believe the hacker is the router, and therefore pass their traffic through him/her. Simple, but effective. A more aggressive, but equally effective strategy, would be to DoS a target victim and force it off the network, then begin using its IP address. If you picked your victim carefully the rewards could be high!!

Defending against the rouge sniffer is never easy. As previously mentioned, a switched network will keep the casual sniffer at bay, but the more determined will overcome that obstacle. The most robust method of protection is to enforce the used of encrypted protocols. Replace Telnet with SSH, introduce SSL where possible, use only encrypted email like PGP or S/MIME. Use two-factor or biometric authentication. Unfortunately, due to the nature of Ethernet, sniffing and sniffers will be here for some time to come.

There are a large number of sniffing tools available, many for free. The highly regarded and very free packet capture tool Ethereal is a great place to start, but there are many more. A recent and comprehensive list can be found here.