Sniffing

Sniffing is the use of a network interface to receive data not intended for the machine in which the interface resides. A variety of types of machines need to have this capability. A token-ring bridge, for example, typically has two network interfaces that normally receive all packets traveling on the media on one interface and retransmit some, but not all, of these packets on the other interface. Another example of a device that incorporates sniffing is one typically marketed as a “network analyzer.” A network analyzer helps network administrators diagnose a
variety of obscure problems that may not be visible on any one particular host. These problems can involve unusual interactions between more than just one or two machines and sometimes involve a variety of protocols interacting in strange ways.
Devices that incorporate sniffing are useful and necessary. However, their very existence implies that a malicious person could use such a device or modify an existing machine to snoop on network traffic. Sniffing programs could be used to gather passwords, read inter-machine
e-mail, and examine client-server database records in transit. Besides these high-level data, lowlevel information might be used to mount an active attack on data in another computer
system.

Sniffing: How It Is Done
In a shared media network, such as Ethernet, all network interfaces on a network segment have access to all of the data that travels on the media. Each network interface has a hardware-layer address that should differ from all hardware-layer addresses of all other network interfaces on the network. Each network also has at least one broadcast address that corresponds not to an individual network interface, but to the set of all network interfaces. Normally, a network interface will only respond to a data frame carrying either its own hardware-layer address in the frame’s destination field or the “broadcast address” in the destination field. It responds to these frames by generating a hardware interrupt to the CPU. This interrupt gets the attention of the operating system, and passes the data in the frame to the operating system for further processing.

Note The term “broadcast address” is somewhat misleading. When the sender wants to
get the attention of the operating systems of all hosts on the network, he or she uses the “broadcast address.” Most network interfaces are capable of being put into a
“promiscuous mode.” In promiscuous mode, network interfaces generate a hardware
interrupt to the CPU for every frame they encounter, not just the ones with
their own address or the “broadcast address.” The term “shared media” indicates to
the reader that such networks broadcast all frames—the frames travel on all the
physical media that make up the network.
At times, you may hear network administrators talk about their networking trouble spots— when they observe failures in a localized area. They will say a particular area of the Ethernet is
busier than other areas of the Ethernet where there are no problems. All of the packets travel through all parts of the Ethernet segment. Interconnection devices that do not pass all the frames from one side of the device to the other form the boundaries of a segment. Bridges,switches, and routers divide segments from each other, but low-level devices that operate on one bit at a time, such as repeaters and hubs, do not divide segments from each other. If only low-level devices separate two parts of the network, both are part of a single segment. All frames traveling in one part of the segment also travel in the other part.
The broadcast nature of shared media networks affects network performance and reliability so
greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot problems. A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment. In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts
are the destination of most of the traffic. You can also examine data traveling between a particular pair of hosts and categorize it by protocol and store it for later analysis offline. With a sufficiently powerful CPU, you can also do the analysis in real time.Most commercial network sniffers are rather expensive, costing thousands of dollars. When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software. The only item that differentiates a sniffer from an ordinary computer is software. It is also easy to download shareware and freeware sniffing software from the Internet or various bulletin board systems.
The ease of access to sniffing software is great for network administrators because this type of software helps them become better network troubleshooters. However, the availability of this software also means that malicious computer users with access to a network can capture all the data flowing through the network. The sniffer can capture all the data for a short period of time or selected portions of the data for a fairly long period of time. Eventually, the malicious user will run out of space to store the data—the network I use often has 1000 packets per second flowing on it. Just capturing the first 64 bytes of data from each packet fills up my
system’s local disk space within the hour.

Note Esniff.c is a simple 300-line C language program that works on SunOS 4.x. When
run by the root user on a Sun workstation, Esniff captures the first 300 bytes of each TCP/IP connection on the local network. It is quite effective at capturing all
usernames and passwords entered by users for telnet, rlogin, and FTP.TCPDump 3.0.2 is a common, more sophisticated, and more portable Unix sniffing program written by Van Jacobson, a famous developer of high-quality TCP/IP
software. It uses the libpcap library for portably interfacing with promiscuous mode
network interfaces. The most recent version is available via anonymous FTP to ftp.ee.lbl.gov.
NetMan contains a more sophisticated, portable Unix sniffer in several programs in
its network management suite. The latest version of NetMan is available via anonymous FTP to ftp.cs.curtin.edu.au in the directory /pub/netman.
EthDump is a sniffer that runs under DOS and can be obtained via anonymous FTP
from ftp.eu.germany.net in the directory /pub/networking/inet/ethernet/.
On some Unix systems, TCPDump comes bundled with the vendor OS. When
run by an ordinary, unprivileged user, it does not put the network interface into
promiscuous mode. With this command available, a user can only see data being
sent to the Unix host, but is not limited to seeing data sent to processes owned by
the user. Systems administrators concerned about sniffing should remove user
execution privileges from this program.
Sniffing: How It Threatens Security
Sniffing data from the network leads to loss of privacy of several kinds of information that
should be private for a computer network to be secure. These kinds of information include the
following:
n Passwords
n Financial account numbers
n Private data
n Low-level protocol information

The following subsections are intended to provide examples of these kinds.
Warning


Sniffing Passwords
Perhaps the most common loss of computer privacy is the loss of passwords. Typical users type
a password at least once a day. Data is often thought of as secure because access to it requires a
password. Users usually are very careful about guarding their password by not sharing it with
anyone and not writing it down anywhere.
Passwords are used not only to authenticate users for access to the files they keep in their
private accounts but other passwords are often employed within multilevel secure database
systems. When the user types any of these passwords, the system does not echo them to the
computer screen to ensure that no one will see them. After jealously guarding these passwords
and having the computer system reinforce the notion that they are private, a setup that sends
each character in a password across the network is extremely easy for any Ethernet sniffer to
see. End users do not realize just how easily these passwords can be found by someone using a
simple and common piece of software.

Sniffing Financial Account Numbers
Most users are uneasy about sending financial account numbers, such as credit card numbers
and checking account numbers, over the Internet. This apprehension may be partly because of
the carelessness most retailers display when tearing up or returning carbons of credit card
receipts. The privacy of each user’s credit card numbers is important. Although the Internet is
by no means bulletproof, the most likely location for the loss of privacy to occur is at the
endpoints of the transmission. Presumably, businesses making electronic transactions are as
fastidious about security as those that make paper transactions, so the highest risk probably
comes from the same local network in which the users are typing passwords.
However, much larger potential losses exist for businesses that conduct electronic funds
transfer or electronic document interchange over a computer network. These transactions
involve the transmission of account numbers that a sniffer could pick up; the thief could then
transfer funds into his or her own account or order goods paid for by a corporate account.
Most credit card fraud of this kind involves only a few thousand dollars per incident.

Sniffing Private Data
Loss of privacy is also common in e-mail transactions. Many e-mail messages have been
publicized without the permission of the sender or receiver. Remember the Iran-Contra affair
in which President Reagan’s secretary of defense, Caspar Weinberger, was convicted. A crucial
piece of evidence was backup tapes of PROFS e-mail on a National Security Agency computer.
The e-mail was not intercepted in transit, but in a typical networked system, it could have
been. It is not at all uncommon for e-mail to contain confidential business information or
personal information. Even routine memos can be embarrassing when they fall into the wrong
hands.

Sniffing Low-Level Protocol Information
Information network protocols send between computers includes hardware addresses of local
network interfaces, the IP addresses of remote network interfaces, IP routing information, and
sequence numbers assigned to bytes on a TCP connection. Knowledge of any of this information
can be misused by someone interested in attacking the security of machines on the
network. See the second part of this chapter for more information on how these data can pose
risks for the security of a network. A sniffer can obtain any of these data. After an attacker has
this kind of information, he or she is in a position to turn a passive attack into an active attack
with even greater potential for damage.