Detecting Network Sniffers

Detecting Network Sniffers

Overview

A packet sniffer is a program or device that eavesdrops on network traffic and gathers data from packets. Sometimes such wiretaps are carried out by the network administrator for beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network or other vital information transmitted on the network. Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp. Sniffers work because ethernet was designed to be shared. Most networks use broadcast technology — messages for one computer can be read by another computer on that network. In practice, computers ignore messages except those that were sent directly to them (or broadcast to all hosts on the network). However, computers can be placed in promiscuous mode and made to accept messages even if they are not meant for them — this is how a Sniffer works.

People assume that computers connected to a switch are safe from sniffing — but this is not really so. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a Sniffer works

A computer connected to a LAN has 2 addresses — one is the MAC address that uniquely identifies each node in a network and which is stored on the network card. The MAC address is used by the ethernet protocol when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses an ethernet header with the MAC address of the destination machine. The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. Layer 3 attempts to look-up the MAC address of the destination machine in a table, called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address then gets added to the source machines ARP Cache. This MAC address is then used by the source machine in all its communications with the destination machine.

There are two basic types of ethernet environments — shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame’s destination MAC address with their own. If the two don’t match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared ethernet environment is passive and, hence, difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer’s MAC address and the physical port on the switch to which that MAC address is connected. The switch is an intelligent device which sends packets only to the destination computer. As a result, the process of putting a machine into promiscuous mode to gather packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed.

Though a switch is more secure than a hub, you can use the following methods to sniff on a switch:

· ARP Spoofing — The ARP is stateless, that is, you can send an ARP reply even if none has not been asked for, and such a reply will be accepted. For example, one technique is to ARP Spoof the gateway of the network. The ARP cache of the targeted host will now have a wrong entry for the gateway and is said to be Poisoned. From this point on, all the traffic destined for the gateway will pass through the sniffer machine. Another trick that can be used is to poison a host’s ARP cache by setting the gateway’s MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).

· MAC Flooding — Switches keep a translation table that maps MAC addresses to physical ports on the switch. This allows them to intelligently route packets from one host to another. The switch has a limited amount of memory for this work. MAC flooding makes use of this limitation to bombard a switch with fake MAC addresses until the switch can’t keep up. The switch then enters into what is known as a `failopen mode’, at which point it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily.

Detecting Sniffers on the Network

A sniffer is usually passive — it just collects data — and is especially difficult to detect when running in a shared Ethernet environment. However, it is easy to detect a sniffer when installed on a switched network. When installed on a computer a sniffer does generate some small amount of traffic — which allows for its detection using the following types of techniques:

· Ping Method — a ping request is sent with the IP address of the suspect machine but not its MAC address. Ideally, nobody should see this packet as each ethernet adapter will reject it as it does not match its MAC address. But if the suspect machine is running a sniffer it will respond since it accepts all packets.

· ARP Method — this method relies on the fact all machines cache ARPs (i.e. MAC addresses). Here, we send a non-broadcast ARP so only machines in promiscuous mode will cache our ARP address. Next, we send a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

· On Local Host — if a machine has been compromised a hacker may have left a sniffer running. There are utility programs that can be run which report whether the local machine’s network adapter has been set to promiscuous mode.

· Latency Method — is based on the assumption most sniffers do some kind of parsing, thereby increasing the load on that machine. Therefore it will take additional time to respond to a ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not.

· ARP Watch — to prevent a hacker from ARP spoofing the gateway there are utilities that can be used to monitor the ARP cache of a machine to see if there is duplication for a machine.

How To Protect Against Sniffing

The best way to secure a network against sniffing is to use encryption. While this won’t prevent sniffers from functioning, it will ensure the data collected by sniffers is un-interpretable. Also, on a switched network, the chances are ARP spoofing will be used for sniffing purposes. The machine that the hacker will most likely ARP-spoof is the default gateway. To prevent this from happening it is suggested the MAC address of the gateway be permanently added to each host’s ARP cache.

Additional suggestions include:

· Use SSH instead of telnet.

· Use HTTPS instead of HTTP (if the site supports it).

· If concerned about email privacy, try a service such as Hushmail (www.hushmail.com), which uses SSL to ensure that data is not read in transit. Also, Pretty Good Privacy (www.gnupg.org) can be used for encrypting and signing emails to prevent others from reading them.

· Employ a sniffer detector. For example, the software package PromiScan is considered the standard sniffing node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application package used to remotely monitor computers on local networks to locate network interfaces operating in a promiscuous mode.

Related Posts