Still under construction, version 0.3, last update 2003/01/30
What is Sniffing?
Sniffing is a technique for collecting all data (more precisely, a copy of it) on the wire to which
a network interface is connected, even though the data may not be addressed to that interface.
This is done by putting the network interface into promiscuous mode. In this mode the MAC filter of
the network interface is switched off, so it accepts all frames on the wire. Between network
segments, hosts are normally reached by IP address, but within one network segment computers find
their counterparts by MAC address. Packets arriving through the router of your network segment also
reach their recipient by MAC address (after ARP requests from the router and, hopefully, replies).
Setting your network interface to promiscuous mode does not mean that your computer responds to all
requests travelling over the wire; it still responds only to requests directed to it.
What is sniffing good for?
The technique of network sniffing can be used in several ways:
- Network sniffing is a useful tool for network administrators, helping them to debug
network services and the like. Well-known programs are tcpdump and ethereal.
- Network Intrusion Detection Systems use sniffing to collect data on the wire for further analysis
against known attack signatures (snort, shadow etc.).
- Hackers can use this technique to find out usernames and passwords for services that transmit
this information in clear text, using tools like ngrep, ethereal, tcpdump etc.
How to sniff in a switched network
It has to be mentioned that passive sniffing is only possible in non-switched networks, like
old-fashioned ones with BNC cabling or hubs. In modern networks switches are used, which forward
packets 1 to 1 rather than 1 to n. Routers, switches and similar devices are, however, a good place
for capturing data: good switches offer monitor ports, which can be configured to receive a copy of
all data travelling through the network. One problem with these active network components is that
they ship with default passwords and insecure services enabled, and administrators tend to leave
those insecure services enabled. If they do change the passwords for these devices, weak passwords
are common.
Another possibility for sniffing in switched networks is to use a program like arpspoof
(formerly known as arpredirect). This only works within the same network segment. If a computer
in the network tries to obtain the MAC address of the router, you can convince it that you are the
router it is looking for, provided you respond faster than the router. The other computer will then
use you as its router/gateway, and you will intercept all network traffic from this computer. But you
also have to forward all traffic to the real router. IDSs are able to detect such techniques. But who
is using an IDS?
MAC flooding is another technique. A switch keeps a table of MAC addresses for every port, and the
storage space for that table is limited. If a switch is told more MAC addresses for a port than it can
store, it will no longer know all mappings between MAC and IP addresses. For IP addresses where it has
no MAC address stored, it sends the packets for that destination out over all ports until it has
learned the port the destination computer is attached to. The sniffer package dsniff contains a
program called macof that is able to do MAC flooding.
You can also try to alter routing tables. This can guarantee that all traffic travels through
your computer. You can try to send false routing messages via RIP, defining your computer as the
default gateway. You then have to forward the traffic to the real default gateway, so all traffic is
redirected through your computer. If you are not also able to manipulate the routing table of the real
default gateway, you will not see the traffic coming back.
Another tool is dnsspoof. It spoofs the responses of DNS servers. If a computer wants to visit a
website by its FQDN (Fully Qualified Domain Name), it asks a DNS server for the IP address of the
computer with that name. dnsspoof watches for this request and tries to send an answer back to the
asking computer faster than the DNS server. Naturally, it responds with an IP address under its own
control, and so it receives the traffic.
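As an added example (not from the original page or from the dsniff tools), here is the kind of detection logic an IDS can run against the arpspoof and macof techniques described above. It works on constructed ARP records; all MAC and IP values are made up.

```python
from collections import deque

# Added example, not from the original page: detection logic for the arpspoof
# and macof techniques described above, run over constructed ARP records.
# Each record is (seconds, opcode, sender_mac, sender_ip); opcode 1 = request,
# 2 = reply. In practice the records would come from a capture on the switch's
# monitor port. All MAC and IP values below are made up.

def detect_arp_anomalies(records, flood_threshold=50, window=1.0):
    """Return alert strings for two symptoms: an IP whose MAC changes in ARP
    replies (a gateway being taken over) and a burst of never-before-seen
    source MACs within `window` seconds (a switch's table being flooded)."""
    alerts = []
    ip_to_mac = {}          # last MAC that claimed each IP in a reply
    seen_macs = set()
    recent = deque()        # (time, mac) of first sightings inside the window
    for t, opcode, mac, ip in records:
        if opcode == 2:     # only replies poison neighbour caches
            known = ip_to_mac.get(ip)
            if known is not None and known != mac:
                alerts.append(f"{t:.1f}s: {ip} moved from {known} to {mac}")
            ip_to_mac[ip] = mac
        if mac not in seen_macs:
            seen_macs.add(mac)
            recent.append((t, mac))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= flood_threshold:
            alerts.append(f"{t:.1f}s: {len(recent)} new source MACs within {window}s")
            recent.clear()
    return alerts

# Constructed sample: the real gateway answers, a second host later claims the
# gateway's IP, then 60 fresh MACs show up within 0.6 seconds.
SAMPLE_RECORDS = [
    (0.0, 2, "00:40:05:a4:79:32", "10.0.0.1"),
    (0.2, 1, "00:40:05:a4:79:32", "10.0.0.1"),   # the real gateway asking for a host
    (5.0, 2, "00:0c:29:aa:bb:cc", "10.0.0.1"),   # arpspoof-style claim of the gateway
] + [(10.0 + i * 0.01, 1, f"02:00:00:00:00:{i:02x}", f"10.0.7.{i}") for i in range(60)]

if __name__ == "__main__":
    for line in detect_arp_anomalies(SAMPLE_RECORDS):
        print(line)
```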
How to detect someone sniffing on the wire?
There are several ways to check whether someone has set a network interface to promiscuous mode.
The simplest way is to go to the computer that is suspected of sniffing and check locally
(e.g. a simple ifconfig can do the job). There are other techniques that also require some kind
of access (blinking hub lights, SNMP, high load etc.). But here I want to present some remote techniques.
Ping method:
- The machine suspected of running the packet filter has the IP address 10.0.0.1
and an Ethernet address of 00-40-05-A4-32.
- You are on the same Ethernet segment as the suspect.
- You change the MAC address slightly (such as 00-40-05-A4-79-33).
- You transmit an ICMP echo request (ping) with the suspect's IP address and this new MAC address.
- Remember that nobody should see this packet, because as the frame goes down the wire, each
Ethernet adapter compares the destination MAC address with its own MAC address. If none matches, it
ignores the frame.
- If you see a response, then the suspect was not running the MAC address filter on the card
(the card must be in promiscuous mode!) and is hence sniffing on the wire.
- Because this technique is well known, hackers might work with virtual MAC addresses, which is
possible under Windows, where MAC filtering is implemented in the drivers.
- Note that this technique also works in switched networks (but there sniffing does not work, except
on the monitor port of the switch).
The ping method can be enhanced in a number of ways:
- Any protocol that generates a response can be used, such as a TCP connection request or a UDP
protocol such as port 7 (echo).
- Any protocol that might generate an error on the target machine might be used. For example, bad
IP header values might be used to generate an ICMP error.
- Sometimes a broadcast (255.255.255.255, or a directed one like 10.1.1.255) needs to be used in
order to bypass software IP address filtering. This runs into another problem: many machines do not
respond to broadcast requests.
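An added example (not part of the original page) that builds the probe frame for the ping method above in Python: an ICMP echo request to the suspect's IP address, carried in an Ethernet frame whose destination MAC is deliberately not the suspect's. The MAC and IP values are constructed, and sending the frame assumes Linux with raw-socket privileges.

```python
import socket
import struct

# Added example (not from the original page): builds the "ping method" probe.
# The Ethernet destination MAC is deliberately wrong for the suspect, so only an
# interface in promiscuous mode passes the frame up to the IP stack and answers.

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    """Accepts 00-40-05-A4-79-33 or 00:40:05:a4:79:33 notation."""
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))

def build_probe(src_mac, bogus_dst_mac, src_ip, suspect_ip, ident=0x1234, seq=1):
    """Ethernet/IPv4/ICMP echo request addressed to suspect_ip, but placed in a
    frame whose destination MAC does not belong to the suspect's card."""
    payload = b"promisc-probe"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(suspect_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]     # checksum at offset 10
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + icmp

def send_probe(iface: str, frame: bytes) -> int:
    """Linux only; needs CAP_NET_RAW. An ICMP echo reply from the suspect
    (watch for it with tcpdump) means the frame passed its MAC filter."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)

if __name__ == "__main__":
    # Constructed addresses: our own MAC/IP, a MAC close to but not the
    # suspect's, and the suspect's IP.
    probe = build_probe("00-11-22-33-44-55", "00-40-05-A4-79-33", "10.0.0.2", "10.0.0.1")
    print(len(probe), "byte probe frame:", probe.hex())
```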
ARP method:
- If you send an ARP request to a non-broadcast address (ARP requests are normally sent via
broadcast), a machine that answers an ARP for its IP address must be in promiscuous mode.
- A variation of this technique takes advantage of the fact that machines cache ARPs.
Each ARP contains the complete information of both the sender and the desired target.
In other words, when I send out a single ARP to the broadcast address, I include
my own IP-to-Ethernet address mapping, and everyone else on the wire remembers this information
for the next few minutes. Therefore, you could send out a non-broadcast ARP (who-has), then a
broadcast ping. Anybody who responds to your ping without ARPing you could have gotten the MAC
address from a sniffed ARP frame. To make sure, you should use a different source MAC address
in the ping.
DNS method:
- Some sniffing programs do a DNS lookup to resolve the IP addresses they see. You have to put the
detector into promiscuous mode itself, send out IP datagrams to bad addresses (addresses that are
known not to exist) and wait for DNS lookups of those addresses.
Source-route method:
- You first have to create a ping packet and put a loose source route into it to force it through
another machine on the same segment. This machine should have routing disabled, so that it will
not in fact forward it to the target.
- If you get a response, then it is likely the target sniffed the packet off the wire.
- In the response, double-check the TTL field to find out whether it came back due to sniffing
rather than being routed directly.
Decoy method:
- Just send a plain-text password for a service over the wire and wait to see whether someone uses it.
One tool that tries to implement some of these detection techniques is sentinel.