Detecting Network Sniffers
A packet sniffer is a program or device that eavesdrops on network traffic and gathers
data from packets. Sometimes such wiretaps are carried out by the network administrator for
beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand,
malicious intruders may install packet sniffers in order to retrieve clear-text usernames and
passwords from the local network or other vital information transmitted on the network.
Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth
and nntp. Sniffers work because ethernet was designed to be shared. Most networks use
broadcast technology - messages for one computer can be read by another computer on that
network. In practice, computers ignore messages except those that were sent directly to them
(or broadcast to all hosts on the network). However, computers can be placed in promiscuous
mode and made to accept messages even if they are not meant for them - this is how a Sniffer works.
People assume that computers connected to a switch are safe from sniffing - but this
is not really so. Computers connected to switches are just as vulnerable to sniffers as those
connected to a hub.
How a Sniffer works
A computer connected to a LAN has 2 addresses - one is the MAC address that uniquely
identifies each node in a network and which is stored on the network card. The MAC address
is used by the ethernet protocol when building frames to transfer data. The other is the IP
address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses
an ethernet header with the MAC address of the destination machine.
The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network
addresses to the MAC address as required by the Data Link Protocol. Layer 3 attempts to
look-up the MAC address of the destination machine in a table, called the ARP cache. If no
MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request
packet (ARP request) to all machines on the network. The machine with that IP address
responds to the source machine with its MAC address. This MAC address then gets added
to the source machines ARP Cache. This MAC address is then used by the source machine
in all its communications with the destination machine.
There are two basic types of ethernet environments - shared and switched. In a shared
ethernet environment all hosts are connected to the same bus and compete with one another for
bandwidth. In such an environment packets meant for one machine are received by all the other
machines. All the computers on the shared ethernet compare the frame's destination MAC address
with their own. If the two don't match, the frame is quietly discarded. A machine running a
sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into
promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in
a shared ethernet environment is passive and, hence, difficult to detect.
In a switched environment the hosts are connected to a switch instead of a hub. The switch
maintains a table that keeps track of each computer's MAC address and the physical port on
the switch to which that MAC address is connected. The switch is an intelligent device which
sends packets only to the destination computer. As a result, the process of putting a machine
into promiscuous mode to gather packets does not work. However, this does not mean that switched
networks are secure and cannot be sniffed.
Though a switch is more secure than a hub, you can use the following methods to sniff on a switch:
• ARP Spoofing - The ARP is stateless, that is, you can send an ARP reply
even if none has not been asked for, and such a reply will be accepted. For example, one technique
is to ARP Spoof the gateway of the network. The ARP cache of the targeted host will now have
a wrong entry for the gateway and is said to be Poisoned. From this point on, all the traffic
destined for the gateway will pass through the sniffer machine.
Another trick that can be used is to poison a host's ARP cache by setting the gateway's
MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).