8.1 Sniffers, identify types of sniffing, and understand active and passive sniffing Exam Focus: Sniffers, identify types of sniffing, and understand active and passive sniffing. Objective includes:

Understand lawful intercept and wiretapping Understand sniffing and protocols vulnerable to it. Identify types of sniffing. Understand active and passive sniffing.

  Lawful intercept As authorized by judicial or administrative order, lawful intercept allows a Law Enforcement Agency (LEA) to perform electronic surveillance on a target. Wiretaps on the traditional telecommunications and Internet services in voice, data, and multiservice networks are used to perform the surveillance. The LEA provides a request for a wiretap to the target's service provider. The target's service provider intercepts data communication to and from the individual. The service provider determines the edge router that handles the target's traffic by using the target's IP address or session. The service provider then intercepts the target's traffic as it passes via the router and forwards a copy of the intercepted traffic to the LEA without the target's knowledge.  Benefits of lawful intercept The following are the benefits of lawful intercept:

It permits multiple LEAs to run a lawful intercept on the same target without each other's knowledge.

It hides information regarding lawful intercepts from all but the most privileged users. It supports wiretaps in both the input and output direction. It does not affect the subscriber's services on the router. It supports wiretaps of the individual subscribers who share a single physical interface. It provides two secure interfaces. One interface is for setting up the wiretap and the other

one is for sending the intercepted traffic to the LEA.

  Network components used for lawful intercept The following are network components used for lawful intercept:

Internet Access point (IAP): Provides information for the lawful intercept. Mediation device: Manages most of the processing for the lawful intercept. Collection function: Stores and processes the traffic that is intercepted by the service

provider.

  Wiretapping

Wiretapping is the process used to monitor telephone and Internet conversations by third party. Attackers connect a listening device to the circuit that carries information between two phones or hosts on the Internet. The listening device may be hardware, software, or a combination of both hardware and software. The following are the types of wiretapping:

Passive wiretapping: It is used to monitor and record the traffic. Active wiretapping: It is used to monitor, record, and alter the traffic.

  Sniffers A sniffer is a software tool that is used to capture any network traffic. A sniffer changes the NIC of the LAN card into promiscuous mode due to which the NIC begins to record the incoming and outgoing data traffic across the network. A sniffer attack is a passive attack because the attacker does not directly connect with the target host. Most of the time, this attack is used to grab logins and passwords from network traffic. Tools such as Ethereal, Snort, Windump, EtherPeek, and Dsniff are some good examples of sniffers. These tools provide many facilities to users, such as graphical user interface, traffic statistics graph, and multiple sessions tracking. Sniffers work at the Data Link layer of the OSI model. They do not stick to the same rules as applications and services that are further up the stack. If one layer of the OSI model is hacked, communications are compromised without the other layers being aware of the problem.

  Examples of sniffers The following are examples of sniffers:

Dsniff: Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.

Ethereal: Ethereal is a network protocol analyzer that is used in the UNIX and Windows operating systems. It can read and analyze data from various network resources such as Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback

interfaces. It has many features, such as the ability to display filter languages and view the reconstructed stream of a TCP session.

EtherPeek: EtherPeek is an Ethernet network traffic and protocol analyzer that is used to capture and analyze network data traffic. It has the following features:

o It has Internet attack plug-ins that are used to test for various attacks such as Land, Rip Trace, Tear Drop, Jolt, Pimp, Oversize IP, and WinNuke attacks.

o It has a Napster plug-in that pinpoints Napster traffic on the network.o It has sound notification, which allows a user to assign sounds to important

network events.

  Wireless sniffers The following are some wireless sniffers:

Kismet: Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet can be used for the following tasks:

o To identify networks by passively collecting packets o To detect standard named networks o To detect masked networks o To detect the presence of non-beaconing networks via data traffic

AiroPeek: AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all high level protocols, such as TCP/IP, NetBEUI, and IPX. It can be used to perform the following tasks:

o Site surveys o Security assessments o Channel scanning o Real time and post capture WEP decryptions o Client troubleshooting o WLAN monitoring o Remote WLAN analysis o Application layer protocol analysis

AirSnort: AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. It operates by passively monitoring transmissions. AirSnort uses Ciphertext Only Attack to decrypt WEP keys. It captures approximately 5 to 10 million packets and guesses the encryption password in a single second.

  Types of sniffing The following are the types of sniffing:

Passive sniffing: It implies sniffing via a hub. The traffic is sent to all ports on a hub. In passive sniffing, no packets are sent and packets sent by others are monitored. Multiple network probes are sent out to identify APs in passive sniffing.

Active sniffing: In active sniffing, sniffing is carried out on a switched network. Active sniffing relies on injecting packets (ARP) into the network. This creates traffic. MAC flooding, MAC duplicating, DHCP starvation, and ARP spoofing are active sniffing techniques. MAC flooding is difficult to sniff. MAC duplication is easy to detect.

  Working of a sniffer A sniffer turns the NIC of a system to the promiscuous mode to listen to all data transmitted on its segments. The sniffer decodes the information encapsulated in the data packet to constantly read all information entering the computer via the NIC.  Sniffing threats An attacker sniffs the network to steal the following sensitive information:

Email traffic Web traffic Chat sessions FTP passwords Router configuration DNS traffic Syslog traffic Telnet passwords

Packet information within a given subnet can only be captured by a packet sniffer. Any laptop can usually be plugged into the network and the network can be accessed. Switch ports of many enterprises are open. The attacker can capture and analyze all the network traffic by placing a packet sniffer on a network in promiscuous mode.  Protocols vulnerable to sniffing The following protocols are vulnerable to sniffing:

Telnet and Rlogin HTTP SMTP NNTP POP FTP IMAP

  Hacking the network using sniffers The following steps are taken by an attacker for hacking the network using sniffers:

1. Connect the laptop to a switch port.2. Run discovery tools in order to learn about the network topology.3. Identify the victim's machine in order to target the attack.

4. Use ARP spoofing techniques to poison the victim machine. The traffic destined for the victim's machine is redirected to the attacker.

5. Extract passwords and sensitive data from the redirected traffic.

  Hardware protocol analyzer A hardware protocol analyzer is an equipment that captures signals without changing the traffic in a cable segment. It can be used for monitoring network usage and identifying malicious network traffic that is generated due to hacking software installed in the network. It captures a data packet, decodes, and analyzes its content based on specific predetermined rules.  SPAN port The SPAN port is configured in order to receive a copy of every packet that passes via a switch.

  8.2 Understand Address Resolution Protocol (ARP), and the process of ARP spoofing Exam Focus: Understand Address Resolution Protocol (ARP), and the process of ARP spoofing. Objective includes:

Understand Address Resolution Protocol (ARP). Understanding the process of ARP spoofing. Understand ARP poisoning.

  Address Resolution Protocol (ARP) Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC). The ARP cache is used to maintain a correlation between a MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions. ARP is limited to physical network systems that support broadcast packets.

The Address Resolution Protocol uses a simple message format that contains one address

resolution request or response. The size of the ARP message depends on the upper layer and lower layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper layer protocol is running on. The message header specifies these types, as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts.  Address Resolution Protocol (ARP) spoofing Address Resolution Protocol (ARP) spoofing is also known as ARP poisoning or ARP Poison Routing (APR). It is a technique used to attack an Ethernet wired or wireless network. ARP spoofing may permit an attacker to perform the following actions:

Sniff data frames on a local area network (LAN). Modify the traffic Stop the traffic altogether

The attack can only be used on networks that actually use ARP and do not use another method of address resolution. Sending fake ARP messages to an Ethernet LAN is the principle of ARP spoofing. Generally, the motive is to link the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic that is meant for that IP address will be mistakenly sent to the attacker instead. The attacker can forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it. ARP spoofing attacks can be run from a compromised host or from an attacker's machine that is connected directly to the target Ethernet segment. Arpspoof (part of the DSniff suite of tools), Cain and Abel, and Ettercap are the tools that can be used to carry out ARP poisoning attacks. DHCP Snooping Binding table and Dynamic ARP Inspection should be used to defend against ARP poisoning. WinArpAttacker, and Ufasoft Snif are also ARP poisoning tools. Ufasoft Snif is an automated ARP poisoning tool. It sniffs passwords and email messages on the network. It also works on Wi-Fi networks.  ARP spoofing attack ARP packets can be forged in order to send data to the attacker's machine. In ARP spoofing, a large number of forged ARP requests and reply packets are constructed to overload a switch. A target computer's ARP cache is flooded with forged entries by attackers. This is also referred to as poisoning. After the ARP table is flooded with spoofed ARP replies, a switch is set in forwarding mode and attackers can sniff all the network packets.

An ARP request is broadcasted using user B's IP address and user A waits for user B to respond with a MAC address when user A starts a session with user B in the same Layer 2 broadcast domain. A malicious user eavesdrops on this unprotected Layer 2 broadcast domain. The malicious user can respond to broadcast the ARP request and use user B's MAC address to reply to user A.  Threats of ARP poisoning

An attacker can divert all communications between two machines by using fake ARP messages to exchange traffic through his/her computer. The following are threats of ARP poisoning:

Denial of Service (DoS) attack Data interception VoIP call tapping Stealing passwords Manipulating data

  ARP Watch ARP watch can be used to monitor the ARP cache of a machine to see if there is duplication for a system. If there is duplication or the system is in the promiscuous mode, arpwatch can trigger alarms and lead to detection of sniffers.  8.3 Understand MAC duplicating Exam Focus: Understand MAC duplicating. Objective includes:

MAC duplicating attack VLAN hoping attack

  MAC duplicating attack In a MAC duplicating attack, the attacker confuses the switch and the switch begins to think that two ports have the same MAC address. To perform a MAC duplicating attack, the attacker changes the MAC address on the sniffer to one that is the same in another system on the local subnet. This differs from ARP spoofing because, in ARP spoofing, the attacker confuses the host by poisoning its ARP cache. SMAC is a MAC spoofing tool. DHCP Snooping Binding table, Dynamic ARP Inspection, and IP Source Guard are used to defend against MAC spoofing.

Suppose, there is a legitimate user whose MAC address is A:B:C:D:E, and a switch that permits access to the network if the MAC address is A:B:C:D:E. The attacker sniffs the network for MAC addresses of the currently associated users and then attacks other users associated to the same switch port by using that MAC address.  Spoofing attack threats The following are MAC spoofing threats:

The network can be accessed by an attacker if MACs are used for network access. Someone's identity already on the network can be overtaken by an attacker.

The following are IP spoofing threats:

Ping of death ICMP unreachable SYN flood

Trusted IP addresses can be spoofed

  DHCP servers DHCP servers maintain TCP/IP configuration information in a database. The TCP/IP configuration information may include valid TCP/IP configuration parameters, valid IP addresses, and duration of the lease provided by the server. It delivers address configuration to DHCP-enabled clients in the form of a lease offer. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPDECLINE, DHCPRELEASE, and DHCPINFORM are DHCP request/ reply messages.

An attacker broadcasts a discovery request for the entire DHCP and attempts to lease all the DHCP addresses present in the DHCP scope.

A rogue DHCP server is set by attackers in the network. It provides DHCP addresses to the user.

An attacker can send incorrect TCP/IP settings by running a rogue DHCP server. The following are the potential problems with incorrect information:

Wrong Default Gateway: Attacker is the gateway. Wrong DNS server: Attacker is DNS server. Wrong IP address: Denial of service with incorrect IP.

  Gobbler Gobbler is a DHCP starvation attack tool. Port security should be enabled to defend against DHCP starvation attack. DHCP snooping should be enabled to defend against DHCP rogue server attack.

  VLAN hoping attack VLAN hopping (Virtual LAN Hopping) is a computer security exploit, which is a method of attacking a network by passing traffic to a port that is generally not accessible. It is a method of attacking networked resources on a VLAN. VLAN hopping attacks are generally performed in the Dynamic Trunking Protocol (DTP) and the encapsulation protocol (802.1q or ISL). There are two primary methods of VLAN hopping:

1. Switch spoofing: In a switch spoofing attack, the attacker attempts to place a network switch for auto-trunking and emulates either ISL or 802.1q signaling together with the Dynamic Trunk Protocol (DTP) signaling. If the attacker becomes successful, he can see the traffic for all VLANs.

2. Double tagging: In a double tagging attack, the attacker tries to send two VLAN tags with the transmitted data, one tag for the victim switch and the other for the attacking switch. The victim switch accepts the data frames as the incoming data, and then the target switch forwards these data frames to the destination based on the VLAN identifier in the second 802.1q header.

  Protection from MAC duplication and VLAN hoping There are various methods to protect again these attacks. Some of these methods are applicable to both the non-switched and switched environments.

IP filtering: By enabling IP filtering on the switch, a network administrator directly specifies which traffic is allowed to flow to and from each port.

Port security: By enabling port security, a network administrator can avoid the MAC flood and MAC spoofing attacks.

Routing security: Routing should only be performed by the designated routers.

  Role of port security in MAC attacks Port security is required to limit MAC flooding. It locks down ports and sends an SNMP trap. It restricts the MAC addresses that can connect through a particular port of the switch. This feature permits a specific MAC address or a range of MAC addresses to be specified for a particular port.  8.4 Learn ethereal capture and display filters Exam Focus: Learn ethereal capture and display filters. Objective includes:

Ethereal Wireshark Wireshark filters

  Ethereal

Ethereal is a network protocol analyzer that is used in the UNIX and Windows operating systems. It can read and analyze data from various network resources such as Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces. It has many features, such as the ability to display filter languages and view the reconstructed stream of a TCP session.  Wireshark Wireshark is a free packet sniffer computer application. It is used for the following purposes:

Network troubleshooting Network analysis Software and communications protocol development Education

Although wireshark is very similar to tcpdump, it has a graphical front-end, and more information sorting and filtering options. By putting the network interface into promiscuous mode, wireshark permits a user to view all traffic being passed over the network. Wireshark captures packets using pcap to only capture the packets on the networks supported by pcap. It has the following features:

Capturing data "from the wire" from a live network connection or reading from a file that records the already-captured packets

Reading live data that can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback

Browsing captured network data through a GUI, or through the terminal (command-line) version of the utility, tshark

Programmatically editing captured files or converting captured files through command-line switches to the "editcap" program

Refining data display using a display filter Creating plugins for dissecting new protocols

  Wireshark filters The following are Wireshark filters:

tcp.flags.reset=1: It displays all TCP resets. http.request: It displays all HTTP GET requests. tcp contains traffic: It displays all packets that include the word 'traffic'. udp contains 33.27.58: It sets a filter for the HEX values of 0x33 0x27 0x58 at any

offset. tcp.analysis.retransmission: It displays all retransmissions in the trace.

  Few important filters of ethereal The following are the important filters of ethereal:

ip.dst eq www.eccouncil.org: This command sets the filter to capture only packets destined for the web server http://www.eccouncil.org/.

ip.src == 192.168.1.1: This command sets the filter to capture only packets coming from the host 192.168.1.1.

eth.dst eq ff:ff:ff:ff:ff:ff: This command sets the filter to capture only Layer 2 broadcast packets.

host 172.18.5.4: This sets the filter to capture only traffic to or from IP address 172.18.5.4.

net 192.168.0.0/24: This command sets the filter to capture traffic to or from a range of IP addresses.

port 80: This command sets the filter to capture traffic to destination port 80 (HTTP). port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420: This command sets the

filter to capture HTTP GET requests. The filter looks for the bytes "G", "E", "T", and " " (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length.

  8.5 Understand MAC flooding, understand DNS spoofing techniques, and DNS spoofing countermeasures Exam Focus: Understand MAC flooding, understand DNS spoofing techniques, DNS spoofing countermeasures. Objective includes:

Understand MAC flooding. Understand DNS spoofing techniques. Identify sniffing countermeasures.

  MAC flooding MAC flooding is a technique employed to compromise the security of network switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally. Yersinia is a MAC flooding tool.

  MAC address/ CAM table All Content Addressable Memory (CAM) tables hold a fixed size. It includes information such as MAC address that is available on physical ports with their associated VLAN parameters.

Working of CAM:

An additional ARP request will flood every port on a switch once the CAM table on the switch is full. This will basically turn the switch into a hub. The CAM tables of adjacent switches will also be filled by this attack.

  Macof Macof is a tool of the dsniff tool set, and it is used to flood the local network with random MAC addresses. It causes some switches to fail open in repeating mode, and facilitates sniffing. It generates random MAC addresses exhausting the switch's memory and is capable of generating 155,000 MAC entries on a switch per minute. Due to this effect, most of the switches revert to act like a hub.  Cache poisoning Cache poisoning is also known as DNS cache poisoning. When a DNS server cannot answer the query within its cache, the DNS server forwards the query to another DNS server on behalf of the client. If the query passed to the other DNS server holds incorrect information, then cache poisoning can occur. Malicious cache poisoning is also known as DNS spoofing.  DNS spoofing DNS spoofing is a MITM attack that is used to supply false DNS information to the users when they attempt to browse. For example, if there is a website www.bankofamerica.com residing at the IP address XXX.XX.XX.XX, the users of the website can be sent to a fake www.bankofamerica.com residing at IP address YYY.YY.YY.YY, which an attacker has created in order to steal online banking credentials.  DNS poisoning DNS poisoning tricks a DNS server and makes it believe that it has received authentic information, but in reality it has not. DNS poisoning leads to substitution of a false Internet provider address at the domain name service level. At the domain name service level, web addresses are converted into numeric Internet provider address. The following are DNS poisoning techniques:

Intranet DNS spoofing: A user must be connected to the local area network (LAN) and be able to sniff packets for Intranet DNS spoofing. Intranet DNS spoofing operates well against switches with ARP poisoning.

Internet DNS poisoning: In Internet DNS poisoning, an attacker infects a machine of a user with a Trojan and changes the user's DNS IP address with that of the attacker.

DNS cache poisoning: In DNS cache poisoning, records are changed or added in the resolver cache of a DNS. An IP address of a fake website established by an attacker is returned by a DNS query for a domain. The server will cache the incorrect entries locally

and serve them to users making the same request if the server cannot validate that DNS responses have arrived from an authoritative resource.

Proxy Server DNS poisoning: Attackers send a Trojan to a user's machine that changes the user's proxy server settings in Internet Explorer to that of the attackers.

  Defend against DNS poisoning The following actions are taken to defend against DNS poisoning:

All DNS queries should be resolved to a local DNS server. DNS requests should be blocked from going to external servers. DNSSEC should be implemented. A DNS resolver should be configured to use a new random source port from its available

range for each outgoing query. The firewall should be configured to restrict external DNS lookup. DNS recursing service, either full or partial, to authorized users should be restricted. DNS Non-Existent Domain (NXDOMAIN) Rate Limiting should be used.

  Sniffing prevention techniques The following are sniffing prevention techniques:

Using PGM and S/MIME Using Virtual Private Networks (VPNs) Using Secure Shell (SSH) Using IP Security (IPSec) Using One-time passwords (OTP) Using SSL/TLS protocol

  Defend against sniffing The following actions are taken to defend against sniffing:

The physical access to the network media should be restricted so that it can be ensured that a packet sniffer cannot be installed.

Encryption should be used so that confidential information can be protected. The MAC address of the gateway should be permanently added to the ARP cache. Static IP addresses and static ARP tables should be used so that attackers can be

prevented from adding the spoofed ARP entries for machines in the network. Network identification broadcasts should be turned off and the network should be

protected from being discovered with sniffing tools if it is possible to restrict the network to authorized users.

IPv6 protocol should be used instead of IPv4. Encrypted sessions (SSH instead of Telent, Secure Copy (SCP) instead of FTP, and SSL

for email connection) should be used for protecting wireless network users against sniffing attacks.

  Countermeasures against DNS spoofing Due to the attacks being mostly passive by nature, DNS spoofing is difficult to defend. However, the following steps can be taken as countermeasures against the DNS spoofing attacks:

Secure internal machines - Since DNS spoofing is performed via network, if the internal network devices are secure, then there are very few chances of internal servers to be compromised.

Don't rely on DNS for secure systems. Use IDS - A network administrator should install an intrusion detection system to give

alarms on ARP cache poisoning and DNS spoofing. Use DNSSEC to secure DNS records.

  8.6 Know various sniffing tools, identify sniffing detection and defensive techniques Exam Focus: Know various sniffing tools, and identify sniffing detection and defensive techniques. Objective includes:

Know various sniffing tools. Identify sniffing detection and defensive techniques.

  Sniffing tools The following are sniffing tools:

EtherDetect Packet Sniffer Ettercap dsniff Windump CACE Pilot EffeTech HTTP Sniffer SmartSniff Ntop EtherApe Network Probe Maa Tec Network Monitor Snort Alchemy Network Monitor Colasoft MSN Monitor CommView Sniff'em NetResident Kismet IE HTTP Analyzer AIM Sniffer MiniStumbler

Netstumbler PacketMon Packet Sniffer EtherScan Analyzer NaDetector PRTG Network Monitor Microsoft Network Monitor Sniff-O-Matic NetworkMiner Network Security Toolkit Jitbit Network Sniffer Atelier Web Ports Traffic Analyzer (AWPTA)

The following are some important sniffing tools:

Tcpdump: It is a powerful command line interface packet sniffer. It runs on Linux and Windows.

Ace: It is a password sniffing tool. Ace Password Sniffer can be used to monitor and capture passwords via FTP, POP3, HTTP, SMTP, Telnet, and webmail passwords.

Capsa Network Analyzer: It is a packet sniffing tool. It is used to capture all data transmitted over the network. It delivers a wide range of analysis statistics in an intuitive and graphical manner.

OmniPeek sniffer: It displays a Google Map in the OmniPeek capture window. In the Google Map, OmniPeek sniffer shows the location of all the public IP addresses of captured packets. OmniPeek sniffer is a great way used to monitor the network in real time. It is used to show locations in the world from where the traffic is coming.

Observer: It delivers a comprehensive drill-down into network traffic. It provides back-in-time analysis, reporting, trending, alarms, application tools, and route monitoring capabilities.

Big-Mother: It is an eavesdropping program. It captures and analyzes communication traffic over a home network by using a switch sniffer. It has the following features:

o It logs in real time URL visits, email, chats, games, FTP, and data flows.o It takes webpage snapshots, duplicates email and FTP copies, records MSN

messenger content, and gives statistical reports.

  EtherApe EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. Network traffic is displayed using a graphical interface. Each node represents a specific host. Links represent connections to hosts. Nodes and links are color coded to represent different protocols forming the various types of traffic on the network. Individual nodes and their connecting links grow and shrink in size with increase and decrease in network traffic. EtherApe supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices.  Dsniff

Dsniff is a set of tools used for sniffing passwords, e-mail, and HTTP traffic. Dsniff tools include the following:

dsniff arpredirect macof tcpkill tcpnice filesnarf mailsnarf

Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools to switch across switched networks. It can also be used to capture authentication information for the following:

FTP Telnet SMTP HTTP POP NNTP IMAP

  EtherPeek EtherPeek is an Ethernet network traffic and protocol analyzer that is used to capture and analyze network data traffic. It has the following features:

It has Internet attack plug-ins that are used to test for various attacks such as Land, Rip Trace, Tear Drop, Jolt, Pimp, Oversize IP, and WinNuke attacks.

It has a Napster plug-in that pinpoints Napster traffic on the network. It includes a sound notification, which allows a user to assign sounds to important

network events.

  Mailsnarf Mailsnarf is a tool that captures and outputs SMTP mail traffic sniffed on the network. Once the attacker gets access to the target subnet, he can use mailsnarf to capture mail traffic that passes through the network subnet or Ethernet switch. Mailsnarf reassembles and displays e-mail traffic in a proper format; hence, the attacker can easily read other users' e-mail.  Webspy Webspy is a tool that allows the network administrator to see all the Web pages visited by an attacker. For example, let the IP address of the attacker be 222.222.222.222, running the Webspy 222.222.222.222 command intercepts all HTTP traffic to and from the IP addresses 222.222.222.222 and passes it off to a local browser. However, Webspy does not follow targets

over SSL connection. Besides this, it does not reveal information entered into form fields (like passwords).  Form Scalpel Form Scalpel is a hacking tool that is used to assess the resilience of Web sites to various forms of attacks. It supports HTTP/HTTPS, Proxy servers, Cookies, Java/javascript/vbscript/XML pages and forms. It also provides detailed analysis of certificates as well as real-time manipulation of HTML data.  Hping Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time. Like most tools used in computer security, hping is useful to both system administrators and crackers (or script kiddies).  Discovery tools The following are discovery tools:

NetworkView: It is a network and discovery management tool for Windows. It uses DNS, SNMP, ports, NetBIOS, and WMI to discover TCP/IP notes and routes.

Dude sniffer: It scans all devices within the specified subnets and draws a detailed layout map.

  Sniffers detection techniques The following are sniffers detection techniques:

Ping method: In this method, a ping request is sent with the IP address of the suspect machine but not its MAC address. Hence, this packet should not be used, as each Ethernet Adapter will reject it as it does not match its MAC address. However, if the system is in the promiscuous mode, it will respond as it does not bother rejecting packets with a different Destination MAC address.

ARP2 method: This method is based on the concept that a system in the promiscuous mode will be in the promiscuous mode and it will cache ARP address. In the next step, we send a broadcast ping packet with our IP, but a different MAC address. Only a system in promiscuous mode will have the correct MAC address from the sniffed ARP frame. So, the system in promiscuous mode will be able to respond to the broadcasted ping request.

Latency method: This method is on the assumption that most sniffers do some parsing. If the system is in promiscuous mode, it will parse the data. This will increase the load on it and it will take extra time to respond to the ping packet.

ARP Watch: It can be used to monitor the ARP cache of a machine to see if there is duplication for a system. If there is duplication or the system is in the promiscuous mode, arpwatch can trigger alarms and lead to detection of sniffers.

Promiscuous mode: It permits a network device to intercept and read every packet that enters in its entirety. Machines that are running in the promiscuous mode are checked. PromqryUI and PromiScan are promiscuous detection tools. It is a security tool from Microsoft. It detects network interfaces running in promiscuous mode.

IDS: It can be used to alert administrators regarding suspicious activities. It is run and checked if the MAC address of specific machines has changed.

Network tools: Network tools such as HP Performance Insight can be run in order to monitor the network for strange packets. Network tools are useful to collect, consolidate, centralize, and analyze traffic data across different network resources and technology.

  Countermeasures against sniffer attacks It is quite difficult to overcome sniffer attacks. However, the following steps can be taken as countermeasures against such attacks:

Use encrypted protocols for all communication. Segment the network to limit the spread of information. Use switches instead of hubs since they switch communications, which means that

information is delivered only to the predefined host. Use a sniffer detector that checks whether an NIC is in promiscuous mode or not. For wireless networks, reduce the range of the network so that it can cover only the

necessary surface area.

  MAC flooding MAC flooding is a technique employed to compromise the security of network switches.  Chapter Summary In this chapter, we learned about sniffers, types of sniffers, ARP spoofing, MAC duplicating, and ethereal capture and display filters. In this chapter, we discussed MAC flooding, DNS spoofing techniques, and DNS spoofing countermeasures. This chapter focused on various sniffing tools and sniffing detection and defensive techniques.Glossary  ARP watch ARP watch can be used to monitor the ARP cache of a machine to see if there is duplication for a system.  DNS poisoning DNS poisoning tricks a DNS server into believing that it has received authentic information, but in reality it has not.  DNS spoofing DNS spoofing is a MITM attack that is used to supply false DNS information to the users when they attempt to browse. 

Dsniff Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic.  Ethereal Ethereal is a network protocol analyzer that is used in the UNIX and Windows operating systems.  Macof Macof is a tool of the dsniff tool set and it is used to flood the local network with random MAC addresses.  Sniffer A sniffer is a software tool that is used to capture any network traffic. The sniffer changes the NIC of the LAN card into promiscuous mode due to which the NIC begins to record the incoming and outgoing data traffic across the network.  VLAN hopping VLAN hopping (Virtual LAN Hopping) is a computer security exploit, which is a method of attacking a network by passing traffic to a port that is generally not accessible.  Wireshark Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education.