Sniffing
Michael Sonntag, Institute for Information processing and microprocessor technology (FIM), Johannes Kepler University Linz, Austria, michael.sonntag@jku.at
What is a "Sniffer"?
Devices or programs which capture or copy data packets.
Theory: a "receive-only" device. Practice: most software does send something, e.g. DNS lookups to resolve the IP addresses it decodes.
The "sniffed" packets are then analyzed later on (= packet analysis), i.e. you don't see (only) a bit/byte stream, but a TCP packet or an HTTP stream.
These are also called wiretap programs: in "old" times this was done for phones by attaching wires to the telephone lines.
Why would you use them?
Professional products: network management, finding problems, ... They copy everything and can filter according to various expressions.
Underground products: intrusions, hacking. They automatically filter out passwords.
Threats to network traffic: Interruption
Diagram: Normal Flow (Information Source to Information Destination, the normal process of transmitting data) versus Interruption (the flow from source to destination is cut off).
E.g. failure of a switch/router, Denial of Service attack, ...
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Fabrication
Diagram: Normal Flow (Information Source to Information Destination, the normal process of transmitting data) versus Fabrication (a third party injects data that appears to come from the source).
E.g. packet construction with a different source address than it actually should have.
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Interception
Diagram: Normal Flow (Information Source to Information Destination, the normal process of transmitting data) versus Interception (a third party reads the data while it flows from source to destination).
E.g. packet sniffer.
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Threats to network traffic: Modification
Diagram: Normal Flow (Information Source to Information Destination, the normal process of transmitting data) versus Modification (a third party changes the data on its way from source to destination).
E.g. content scanner, proxy.
Source: Copeland J., Computer Network Security, 2000, http://www.csc.gatech.edu/~copeland/8813/slides
Protocol analysis
Definitions: Protocol Analysis is the process of capturing network traffic (with sniffing programs) and looking at it closely in order to figure out what is going on.
A protocol analyzer interprets the sniffed packets and their fields (according to the protocols).
This renders interpreting the result of sniffing much easier (or even possible)!
Sniffer example: Wireshark
Screenshot: the list of sniffed, copied and analyzed traffic; the decoded single packet (on the different protocol levels); the full binary view of the single packet.
Areas of use
Automatic sifting of the traffic for cleartext passwords and usernames.
Copying the communication between certain entities (if in readable format). Normally persons, but these may also be devices or programs, e.g. for reverse engineering of protocols.
Error analysis to discover/analyze/solve network problems, e.g. too frequent topology changes (TCs) with STP (Spanning Tree Protocol).
Performance analysis for locating bottlenecks.
Network Intrusion Detection to discover hacks/intruders.
Network Traffic Logging to generate logs a hacker cannot modify or delete: on a system with a read-only connection to the network; but what about crashing it (Ping of Death)?
Classification of sniffers
Breadth of functionality: universal sniffers (all / many protocols) versus protocol-specific sniffers (e.g. only IP, only FTP / WWW / ...).
Depth of functionality: how detailed the data/packets are analyzed; integrated specific functions, e.g. password sniffing.
Area of use: standalone; distributed (with central management/reporting/analysis system); remote.
Detection/evasion measures: MAC filter in the sniffer software, ...
Broadcast networks
Intranets / LANs are often broadcast networks, because they employ Ethernet.
Broadcast means that every sender pushes its data into the network and hopes (relies on) that only the intended recipient will read it.
Ethernet is a shared medium, i.e. from a logical view all clients are connected to a single medium (cable).
Ethernet is based on collision detection (CSMA/CD). All segments connected by a hub build a SINGLE collision domain.
"But we use switches": this is good, but doesn't prevent problems. You can still attack the switch so it acts like a hub (or use other attacks). Result: a broadcast network again!
Anatomy of an Ethernet frame
Field layout (size in bytes):
  preamble (8) | destination address (6) | source address (6) | type/length (2) | [LLC | SNAP] data (46-1500) | FCS (4)
Preamble: synchronization of clocks; also includes the "Start Frame Delimiter".
Destination and source address are hardware addresses (= MAC addresses). Example: 00-60-08-2C-C3-FE
EtherType or length: indicates which protocol is encapsulated within (LLC/SNAP/VLAN tag). Note: many NICs strip the VLAN tag, so you can't see it; this also depends on the driver!
Payload data.
FCS (Frame Check Sequence): CRC for error checking.
MAC addresses (1)
MAC = Media Access Control. 48 bit Ethernet MAC address.
The first bit marks unicast addresses (0) resp. multicast addresses (1).
If the second bit is 0, the next 22 bits identify the producer as OUI (= Organisationally Unique Identifier), who then manages the next 24 bits himself.
The uniqueness of these MAC addresses is essential for correct working in a LAN!
Note: outside of a LAN duplicates may exist, but can again produce problems: many identifiers are created based on the assumption of MAC addresses being worldwide unique, e.g. GUIDs.
List of vendor / OUI codes: http://standards.ieee.org/develop/regauth/oui/
Special (destination) MAC address: broadcast = FF-FF-FF-FF-FF-FF
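The frame layout and the MAC address bit rules from the last two slides, worked through in code. This is an added example, not code from the slides: it assembles a constructed frame (the slide's example source MAC, an 802.1Q tag with a made-up VLAN id, an ARP payload), then parses it back, distinguishing an EtherType from an 802.3 length, extracting the VLAN tag when present, and verifying the FCS with CRC-32.

```python
import struct
import zlib

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag, inserted after the source address
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)

def classify_mac(mac):
    """Apply the I/G and U/L bit rules from the slide; returns (kind, OUI or None)."""
    if mac == b"\xff" * 6:
        return "broadcast", None
    kind = "multicast" if mac[0] & 0x01 else "unicast"    # first transmitted bit (LSB of byte 0)
    if mac[0] & 0x02:                                    # second bit set: locally administered
        return kind + " (locally administered, no OUI)", None
    return kind, mac_str(mac[:3])                        # the 22 OUI bits sit in the first 3 bytes

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble a frame with optional 802.1Q tag, minimum-size padding and a trailing FCS."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    body = hdr + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, 60 - len(body))             # 64-byte minimum includes the 4-byte FCS
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # FCS is sent LSB first

def parse_frame(frame):
    """Split a frame into its fields and verify the FCS; raises ValueError on a bad CRC."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("FCS mismatch")
    dst, src = body[:6], body[6:12]
    (tl,) = struct.unpack("!H", body[12:14])
    offset, vlan = 14, None
    if tl == ETHERTYPE_VLAN:                               # tag present: TCI, then the real type
        tci, tl = struct.unpack("!HH", body[14:18])
        vlan, offset = tci & 0x0FFF, 18
    # Values <= 1500 are an 802.3 length (LLC/SNAP follows); larger values name the protocol.
    length, ethertype = (tl, None) if tl <= 1500 else (None, tl)
    return {"dst": mac_str(dst), "src": mac_str(src), "dst_kind": classify_mac(dst)[0],
            "vlan": vlan, "ethertype": ethertype, "length": length, "payload": body[offset:]}

# Constructed sample: ARP request from the slide's example MAC, tagged with (made-up) VLAN 10.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("0060082CC3FE"), ETHERTYPE_ARP,
                     bytes.fromhex("0001080006040001"), vlan=10)

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```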
MAC addresses (2)
Identify your own MAC address: Windows >= XP: ipconfig /all or netsh; Unix/Linux: ifconfig
List the IP addresses in the local net which you are currently communicating with (via IP): arp -a
Note: "other" addresses might appear too, which "nearby" computers communicate with.
On switches, routers: hp# show arp, hp# show mac
MAC addresses should be unique, but with most modern hardware spoofing is possible quite easily: you cannot rely on them to be correct. Changes are possible through software or by re-burning the EEPROM.
Filtering in the protocol stack
Each layer of the protocol stack filters out that part of the traffic not destined for this system.
Aim: get rid of unnecessary traffic as early as possible. Goal: reduce the amount of work necessary.
Diagram: Application / Presentation / Session / UDP/TCP (Transport) / IP (Network) / NIC Driver (Data Link) / NIC (Physical); the four lower layers (NIC, driver, IP, UDP/TCP) each discard traffic not for this system.
Sniffing, 2012
How can a sniffer just "listen in"?
The Ethernet hardware contains a filter which normally drops any traffic not directed to this device (and not a broadcast): the MAC filter.
Promiscuous mode: the sniffer switches the hardware (network device) to promiscuous mode. This turns off the MAC filter, and consequently all of the traffic is delivered to the upper layers and is potentially available, if not filtered there!
If this is a shared medium, this is the complete traffic within a collision domain!
Note: the load will be much higher, as every packet must be handled!
"But shared mediums don't exist any more": wrong, WLAN is a typical example!
Promiscuous mode
Diagram: NIC (MAC filter) passes on filtered traffic and discards the rest; NIC (promiscuous mode) passes on all traffic and discards nothing.
During normal operation the NIC drops (discards) traffic not for this system based on MAC addresses.
In promiscuous mode this filter is switched off: all traffic will be passed on (up) and nothing is discarded.
Components of a sniffer
Hardware, capture driver, buffer, realtime analysis, decode.
Additional functionality: packet editing, (re-)transmission. Specialty: don't send anything.
The capture driver puts the NIC into promiscuous mode.
Diagram: the components mapped onto the layers Application / Presentation / Session / Transport / Network / Data Link / Physical.
Basic structure of a sniffer
Diagram: NIC (promiscuous mode) -> network driver + capture driver -> capture filter -> capture buffer -> realtime analysis / packet decoder -> display filter -> display. The border for distributed sniffing separates the capturing part from the analysis/display part.
Places to sniff (1)
A hacker has the following options to listen in on the communication between two clients:
Passive methods: the attacker must only "plug in" the sniffer and can immediately access all data. If you are one of the clients, this is always possible. Useless? No! The software might hide a lot of details which you might be interested in!
Active methods: the attacker must actively do something because of the network architecture, e.g. switches; these do not broadcast all traffic. Disadvantage: he produces traffic, and this might be noticed!
Local versus distributed sniffing.
Places to sniff (2)
Diagram: Client - Intranet - ISP router - Internet - ISP - Intranet - Client (links labelled L-1, L-2, L-3). Passive: sniff on the client, sniff in the LAN (hub), sniff at the ISP. Active: route redirection (in the Internet and in the intranet).
Sniffing in WLANs
WLAN = Wireless LAN. Danger: circumvention of the firewall, just sniff from "outside" (e.g. the building).
Signal distance: approx. 100 to 300 m. But with special antennas (e.g. parabolic antennas) reception from even longer distances becomes possible.
Countermeasures:
MAC filtering: allow only the "known good" MAC addresses to connect. Why is this deficient on several levels? Think!
Encryption. Old: WEP = Wired Equivalent Privacy. IPSec: not integrated (manually possible, very good, but complex)! Newer standards: 802.11i with WPA-2 (TKIP, AES, 802.1x, ...)
Defending against sniffers
Encryption (SSL, VPNs, PGP, SSH, ...)
Do not use broadcast networks, especially not WLANs.
Physical security for wires and equipment (switches), to prevent hardware manipulation.
Making the collision domains smaller:
Splitting on layer 2: switches for the local network. This will only help against "amateur hackers"; several attacks are still possible, e.g. ARP spoofing or flooding the switch so it will behave like a hub. VLANs help, but it depends on how the switch finds out the port-to-VLAN assignment.
Splitting on layer 3: using routers, and potentially also firewalls.
Detecting sniffers
Theoretically (for solely passive sniffers) impossible, but practically very often possible, because:
Sniffers cause traffic: distributed/remote sniffers communicate with each other/the server, and these are the ones hackers will use when installing them remotely; they use active methods (ARP spoofing, ...); they perform reverse DNS lookups.
Sniffer detectors employ active methods (decoys, ...).
Sniffers still suffer from bugs or peculiarities of their network stack.
The best method to detect sniffers is to use a sniffer!
Ping method, ARP method, DNS method, ...
Note: local sniffers (on the same computer) can typically be detected easily!
Example: Detecting sniffers
Sending special traffic to the network where sniffing is suspected: computers that are sniffing are hopefully acting differently than all other computers.
Diagram: host running the sniffer detection (192.168.0.1), host suspicious of sniffing (192.168.0.2) and victim (192.168.0.3) on one segment (L-1).
Detection: Ping method
Assumption: a client with the IP 192.168.0.2 and MAC 00-60-08-2C-C4-FE is under suspicion of employing a sniffer, and we are on the same Ethernet segment.
We construct a special ping packet (ICMP Echo Request) with the following data: IP 192.168.0.2, but a slightly modified MAC 00-60-08-2C-C4-FD.
Theoretically nobody should answer this ping, as the MAC address in it does not exist. But a client in promiscuous mode looks at the packet and will (often) answer it.
Why? It is not filtered based on the MAC (-> sniffing!), and the IP address is correct, so an answer is sent.
Detection: DNS method
Create a packet with both a non-existing MAC and a non-existing IP address and send it out on the network where a sniffer is suspected to be running.
Any "normal" computer will ignore it, as it is not addressed to it (wrong MAC): the network should remain completely "silent".
But a sniffer will inspect the packet and, hopefully, try to resolve the IP address in it to its hostname. This DNS request is noted and shows that a sniffer exists (and who it is).
Disadvantage: this will only work if the sniffer "cooperates", i.e. resolves IP addresses/names. If it is completely passive, i.e. really only listening, this won't work!
Detection: ARP test
Prerequisite: in the same Ethernet segment (local network).
Prepare an ARP request: (almost) all systems react on receiving an ARP request.
Modify the destination of the ARP request in the layer 2 frame: instead of the broadcast address FF-FF-FF-FF-FF-FF use e.g. FF-FF-FF-FF-FF-FE.
If a computer answers, the NIC is probably in promiscuous mode. This doesn't necessarily mean that a sniffer is present, but it is very likely!
Normal computers would not answer, as they only check for their own MAC address and the "real" broadcast address (all FFs).
Other option: send to FF:00:00:00:00:00. Standard Windows NIC drivers (at least older ones) inspect only the first byte to find out whether a packet is a broadcast or not.
But what to do in cases like these?
There is no protocol bound to the sniffing interface, so there will be no reaction at all to ARPs, pings, ...! A better method is required:
Dedicated wiretap hardware.
Switch with mirroring functionality ("monitoring port", etc.).
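The MAC filter from the promiscuous-mode slides and the three detection probes (ping with altered MAC, ARP to FF-FF-FF-FF-FF-FE, ARP to FF-00-00-00-00-00) together, as an added offline model that is not part of the slides: a NIC object decides at layer 2 whether a frame is passed up, and a probe only gets answered when the frame passes, the IP/ARP layer accepts it, and a protocol stack is bound at all. The last case reproduces why a pure wiretap interface (this slide) stays silent however it is probed; the suspect MAC is the one from the ping slide, the "sloppy driver" flag is an assumption modelling the first-byte-only broadcast check.

```python
from dataclasses import dataclass

BROADCAST = bytes.fromhex("FFFFFFFFFFFF")

@dataclass
class Nic:
    mac: bytes
    promiscuous: bool = False      # MAC filter switched off
    first_byte_only: bool = False  # assumed model of a driver that checks only byte 0 for "broadcast"
    stack_bound: bool = True       # False = wiretap interface with no protocol bound to it

    def hw_accepts(self, dst):
        """Layer-2 decision: does the NIC hand this frame up to the driver at all?"""
        if self.promiscuous:
            return True                     # nothing is discarded
        if dst == self.mac:
            return True
        if self.first_byte_only:
            return dst[0] == 0xFF           # FF-00-00-00-00-00 slips through here
        return dst == BROADCAST             # multicast subscriptions omitted for brevity

    def would_answer(self, dst, upper_layer_match):
        """A reply needs: frame passes the MAC filter, IP/ARP layer agrees, and a stack is bound."""
        return self.hw_accepts(dst) and upper_layer_match and self.stack_bound

SUSPECT_MAC = bytes.fromhex("0060082CC4FE")   # the suspect from the ping-method slide

# (probe name, destination MAC in the frame, does the IP/ARP layer consider it addressed to the host?)
PROBES = [
    ("ping, MAC altered to 00-60-08-2C-C4-FD", bytes.fromhex("0060082CC4FD"), True),
    ("ARP to FF-FF-FF-FF-FF-FE", bytes.fromhex("FFFFFFFFFFFE"), True),
    ("ARP to FF-00-00-00-00-00", bytes.fromhex("FF0000000000"), True),
    ("control: real broadcast ARP", BROADCAST, True),
]

def detect(nic):
    """Names of the probes this NIC would answer; anything beyond the control row is suspicious."""
    return [name for name, dst, match in PROBES if nic.would_answer(dst, match)]

def verdict(nic):
    """What the detecting host can conclude from the answers alone."""
    answered = detect(nic)
    if "control: real broadcast ARP" not in answered:
        return "silent: no reaction even to a real ARP, tap or unbound interface"
    return "likely promiscuous" if len(answered) > 1 else "normal"

if __name__ == "__main__":
    for label, nic in [("normal", Nic(SUSPECT_MAC)), ("sniffer", Nic(SUSPECT_MAC, promiscuous=True)),
                       ("tap", Nic(SUSPECT_MAC, promiscuous=True, stack_bound=False))]:
        print(label, verdict(nic), detect(nic))
```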
Physical wiretaps
http://www.netoptics.com/sites/default/files/pubtpcu3zdu-1%20install.pdf
http://www.netoptics.com/products/network-taps/gig-zero-delay-tap
http://passthrough.fwnotify.net/download/461090/http://www.netoptics.com/sites/default/files/pdf/datasheet/slim-tap-datasheet.pdf
Detecting sniffers: AntiSniff
Screenshot: no sniffer active. http://packetstormsecurity.org/sniffers/antisniff/
Detecting sniffers: AntiSniff
Screenshot: a sniffer seems to be running, the ARP test is positive. http://packetstormsecurity.org/sniffers/antisniff/
"Endangered species (protocols)"
You cannot tell it too often: all these protocols transmit passwords (or important data) unencrypted!
Telnet, rlogin; HTTP (without TLS/SSL); SNMP (passwords); DNS (unsecured data, very important for attackers); SMTP, POP, IMAP; NNTP, FTP.
For most of these protocols secure alternatives already exist (TLS for HTTP, PGP with POP/IMAP/SMTP, ...), but you have to use them!
Also: "external = HTTPS, internal = HTTP". Is this a good policy? An attacker might have a sniffer on the inside too.
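An added example (not from the slides) of the defender's side of this list: an audit that walks over captured application payloads and reports where credentials cross the LAN in the clear, so the "internal = HTTP" policy can be checked against reality. The flows are constructed samples; the port-to-protocol table and the credential patterns are assumptions that cover FTP/POP3 PASS lines, HTTP Basic authorization and an SNMP community string, and every secret is replaced by its length before it is reported.

```python
import re

# Constructed sample of captured payloads: (destination port, first bytes of the stream).
SAMPLE_FLOWS = [
    (21, b"USER alice\r\nPASS s3cret\r\n"),
    (110, b"USER bob\r\nPASS hunter2\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    (23, b"\xff\xfd\x18login: root\r\n"),
    (161, b"\x30\x26\x02\x01\x01\x04\x06public\xa0\x19"),   # SNMP v2c get with community "public"
    (443, b"\x16\x03\x01\x00\xc1\x01\x00\x00"),             # TLS ClientHello: nothing readable
]

# Ports of the plaintext protocols named on the slide (assumed standard assignments).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
                   119: "NNTP", 143: "IMAP", 161: "SNMP", 513: "rlogin"}

# Each pattern captures exactly one secret in group 1; the secret itself is never kept.
CREDENTIAL_PATTERNS = [
    (re.compile(rb"^PASS (\S+)", re.M), "password"),
    (re.compile(rb"Authorization: Basic (\S+)", re.M), "HTTP Basic credentials"),
    # SNMP: SEQUENCE, version INTEGER, then the OCTET STRING community (printable in practice).
    (re.compile(rb"^\x30.\x02\x01.\x04.([\x20-\x7e]{1,32})", re.S), "SNMP community string"),
]

def redact(secret):
    return f"<{len(secret)}-char secret redacted>"

def audit(flows):
    """Return (port, protocol, issue) for every flow on a plaintext protocol; secrets are redacted."""
    findings = []
    for port, data in flows:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None:
            continue                                   # e.g. 443: encrypted, nothing to see
        issue = "plaintext protocol (content readable by any sniffer)"
        for pattern, label in CREDENTIAL_PATTERNS:
            m = pattern.search(data)
            if m:
                issue = f"{label}: {redact(m.group(1))}"
                break
        findings.append((port, proto, issue))
    return findings

def exposed_protocols(flows):
    """Sorted set of protocol names that were seen carrying credentials in the clear."""
    return sorted({proto for _, proto, issue in audit(flows) if "redacted" in issue})

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```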
Summary
Sniffing = interception = listening is a very dangerous technique: you can get a lot of information without having to hack a computer, and most of the techniques will not show up in any logs.
Therefore the following aspects are important:
Encryption is important against sniffing, perhaps even locally: try to use secure protocols also within your local network!
Sniffing alone is very difficult unless extended by active techniques. If someone can tamper with your glass fibre cables, you're out of luck anyway!
Investigate your equipment: switches often support various forms of protection (lockdown, static assignments (-> management issues!), DNS snooping, ...)
Partition your network: routers, VLANs, ...
Thank you for your attention!