Transcript Detecting Sniffers

Detecting Sniffers
By
Christopher Hawes
&
Farzaneh Naghibi
Outline
•Introduction
•What is a sniffer
•How a sniffer works
•Defeating sniffers
•Detecting sniffers
•Avoiding sniffers
•Fooling antisniffer tools
Sniffer
•A sniffer is a hardware or a software which
grabs information traveling over a network
•Computer networks are shared communication
channels
•Computers can receive information that was
intended for other machines
•They check if the message is meant for them
•If so, receive it; if not, ignore it
•A sniffer breaks the rule and receives all
information, even the information is not meant
for it
How a sniffer works
• Two types of addresses
- MAC (Media Access Control)
• Uniquely identifies the nodes on a network
- IP address
• Used by applications
Ethernet protocol
•Ethernet protocol: sending information to all the
machines on the same network
•OSI protocol
–Uses MAC when building frames to transfer
•Network Layer
–Maps IP addresses to the MAC addresses in a table
–ARP(Address Resolution Protocol)Cache
–Required by the Data Link
•Data Link Layer
–Uses an Ethernet header with the MAC address of
the dest. machine
Ethernet protocol(cont.)
•Data Link Layer
–Looks up the MAC address of the dest. machine in
the ARP (Address Resolution Protocol) cache
–If no entry is found for the IP address, ARP
broadcasts a request packet called ARP request to
all machines on the Network
–The machine with that mapping address will
responds to the source machine by sending its
MAC address
–MAC address gets added to the ARP cache
of the source machine
–Used for all communications with the destination machine
Ethernet Environments
•Shared Ethernet
•Switched Ethernet
Shared Ethernet
•All hosts are connected via a universal bus
•Compete for the bandwidth
•Uses a hub
–Broadcasts a message to all computers
•All machines can receive messages
•Example:
–Computer1 desires to establish a connection with
computer2, packets are sent to all with the Mac
address of computer2
–All computers receive the frame
–Compare the destination MAC address with their own
MAC address
–If don't match, ignore the packet
Shared Ethernet(cont.)
If computer1 desires to establish a connection with computer2 by sending a packet on the
network with the destination MAC address of computer2 along with its own source MAC address,
all computers on the shared Ethernet receive the frame and compare the destination MAC address
with their own MAC address. If the two don't match, the frame is quietly discarded.
Switched Ethernet
•Uses Switches
–Maintains each computers MAC address with the
physical port the form of a table
–Packets destined for a particular machine are
delivered correspondingly
–Intelligent device
•send packets to the particular computer which they are
intended
•no broadcast over the entire network
–Delivers packets destined for a particular machine
correspondingly
Switched Ethernet(cont.)
When a message is sent from computer1 to computer2, those systems are the only two
that are involved. The switch uses its table to compare the MAC address of the package to
the existing MAC addresses in the table. The packet is passed to its corresponding MAC
addresses port and not to any other computers
Switched Ethernet(cont.)
•Example
–When a message is sent from computer1 to
computer2, those systems are the only two that
are involved. The switch uses its table to compare
the MAC address of the package to the existing
MAC addresses in the table. The packet is passed
to its corresponding MAC addresses port and not to
any other computers
How a sniffer Works
•Shared Ethernet
–When a packet is sent, each machine checks to
see if it is theirs
–If the packet was theirs, it is accepted, if not the
packet is ignored
–When the sniffer is in place this rule is broken
–All frames are accepted by the machine running
the sniffer
How a sniffer Works(cont.)
•Sniffers look at only the first 200 to 300
bytes of each packet
–It gets oversaturated, if grabs all packets
•A machine that is able to grab all packets,
is into promiscuous mode
–Machine accepts anything and everything
that comes its way
•In Shared Ethernet, sniffers are very
difficult to detect
–The entire process is passive in that, the
sniffer leaves no trail
Conceptual image of how sniffers
work on a Shared Ethernet
Switched Ethernet
•Switched environment seems to be safe
–Packets are distributed to only computers that they
are meant for
–Putting a machine into promiscuous mode is not
a good idea
•Vulnerable to sniffer attacks
•Several methods
–ARP Spoofing
–MAC Flooding
ARP Spoofing
•ARP: A table, used by the Network Access
Layer for mapping IP addresses to MAC
addresses
–If no entry is found for the IP, ARP request is
transferred across the network
–The machine with the correct address responds to
the request
–Sends its MAC
–The Mac gets added to the ARP table
ARP Spoofing(cont.)
•Problem
–When the source computer is waiting for a
response after the ARP request, it accepts any
MAC number
–Nothing can stop the wrong machine from
sending its MAC to the source computer
–This means that if a computer sends its MAC
to the source the ARP cache will have the wrong
entry for the gateway
ARP Spoofing(cont.)
•Another attack
–Returning the MAC FF:FF:FF:FF:FF:FF
–Known as the broadcast MAC
–Switch acts as a hub
–Will broadcast any further messages to all
machines on the network
–Anytime the wrong MAC is returned and stored
in the ARP Cache the cache is said to have been
poisoned
Example of a poisoned ARPCache
MAC Flooding
•Switch Ethernet maintains a translation table which
maps MAC addresses to physical ports
•Requires memory
•Switch has a very limited amount of memory
•Bombards the switch with fake MAC addresses to
the point that the switch can no longer keep up
•Switch enters into failopen mode
•Acts as a hub by once again broadcasting the packets to
all machines on the network
Example of a switched Ethernet in failopen
state
Defeating sniffers
•Two different approaches
•Detecting and Eliminating
•Shielding data
•Detection of sniffers is a very difficult
•Sniffers don’t leave a trail
•Sniffers are usually passive programs which simply
sample small network resources
•Testing for sniffers
•Five methods to detect them
•More powerful measures must be taken On broader
networks
•More powerful programs are used
Defeating sniffers
•Snifftest for one example will detect a sniffer on a
SunOS and Solaris system regardless of whether of not
the interface is in promiscuous mode
•A similar program called is Nitwit will also work well.
Detection Methods
•Sniffers are very difficult to detect
•In both Shared Ethernet and Switched Ethernet
•Sniffers simply collect data
•In the Switched Ethernet sniffers are somewhat easier
to detect
•They generate a small amount of traffic (parsing)
•time delay that is noticable
•Five common methods of detecting sniffers
•Ping Method
•Address Resolution Protocol (ARP) Method
•On Local Host
•Latency Method
•ARP Watch
Ping Method
•Uses the fact that if a ping request is sent
with an IP address rather than a MAC address
it should not be seen by anyone on the
network since the MAC address will not find a
match
•Each Ethernet Adapter will reject the request
•If there is a sniffer on the machine of the IP
used there will be a response because this
machine doesn’t reject packets with a MAC
address of other destinations.
•An old method, no longer considered reliable.
ARP Method
•Machines automatically cache ARPs
•A non-broadcast ARP is sent out, a machine in
promiscuous mode will cache this ARP
•Once this has been done a broadcast ping packet is
sent which has the IP of the Machine that is being
used, but a MAC address that is not correct for this
machine
•The only machine that is able to respond is one
that has the correct MAC address that was sniffed
from the first ARP that was sent out
On Local Host
•Once a hacker has penetrated a system it is often
the case that they will leave sniffers behind to
compromise other machines they may be interested
in
•To detect a sniffer on a machine the ifconfig
maintenance command is used
•Running ifconfig allows one to view the network
interface parameters
•If no sniffer is running on the system than the
output of the command should be as follows
•If a sniffer is present the out put will then be
different
Output of ifconfig
Clean system output
[root@sushma root]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:05:F3:95:01
inet addr:203.199.66.243 Bcast:203.199. …
UP BROADCAST RUNNING MULTICAST MTU:1500 ...
Infected system output
[root@sushma root]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:05:F3:95:01
inet addr:203.199.66.243 Bcast:203.199. …
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 ...
Latency Method
•This method applies to sniffers that do some parsing
•A very large amount of data is sent on the network flooding it.
Meanwhile a computer which is suspected to be running a sniffer
has been pinged before and during this flooding stage
•The machine will parse the data if it is in promiscuous mode,
therefore having an increased load on it
•Extra time is needed for this increased load so it will take longer to
respond to the ping packet
•The difference in the response times of the suspected machine and
other machines indicates that the suspected machine may be in
promiscuous mode. This method sometimes fingers a system
falsely due to the delay incurred by packets caused by the heavy
load on the line.
ARP Watch
•When a sniffer is suspected on a switched network
a utility called arpwatch is available
•Using this utility allows one to monitor the ARP
cache of a machine to look for duplication for a
machine
•If this is so, alarms may be triggered which can
lead to the detection of sniffers
•One draw back is that networks may trigger many
false alarms if the network is implementing DHCP
Avoiding Sniffers
•The best defence may not be the detection methods,
but more so the Prevention methods
•There are many measures that can be taken to ensure
that your system is not vulnerable to sniffers
•One simple fix to assure the security of a network is to
lock the network
•Locking the network refers to removing the
administrative privileges from all users. This limits the
accessibility to the network and the machine settings.
Avoiding Sniffers
•Five common ways to snuff out the sniffer
•Active Hubs
•Encryption
•Kerberos
•One Time Password Technology
•Non-promiscuous Interfaces
Active hubs
•These hubs like switches send packets to
machines only if they are intended for that
machine
•Eliminate the ability for sniffers to use the
promiscuous mode as a method of collecting
data because the data never goes to a
machine in promiscuous mode unless the data
is intended for that machine
Encryption
•One of the best methods when protecting an Ethernet
from sniffers is implementing Encrypted Sessions
•Takes the data and scrambles it beyond interpretation
•The security of this method does not keep the intruding
sniffer from accessing the packets but it focuses on
rendering the packets useless to the intruder
•There is one difficulty with this approach; that is some
encryptions method may not sufficiently protect the data
•Also there may be some applications that do not have
encryption support integrated in with them
Kerberos
•This method is actually another encryption
method but this package focuses on the
encryption of account information that is being
traversed over the network
•There are some well known drawbacks of this
technique
•One being that all account information is held
on a single host. If this host were to be
accessed by an intruder the entire network
would be vulnerable to attack
•This methods intent is to prevent any intruders
from accessing what a user does after s/he has
logged on
One Time password Technology
•Renders sniffing account information practically useless
•The remote host in use already knows a password
which will not be transmitted over insecure channels.
•When a user connects s/he will receive a challenge
•The user must then plug his/her password and the
challenge received into an algorithm
•A response is generated that should be the same if the
password is the same on both sides
•Removes the need to transfer passwords over the
network
•The same challenge is never used twice
Non-promiscuous Interfaces
•Based on the device that is used over the network
•Some Ethernet cards do not have the ability to be in
promiscuous mode
•This disables any chance of sniffing occurring on an
interface such as this
Fooling AntiSniffing tools
•Some sniffer protection tools will suffice when it
comes to dealing with the most common sniffing tools
•Not perfect
•Since 1999 methods have been suggested that
permit Anti-Sniff tools to be fooled, and therefore
making the sniffers undetectable
•Custom made sniffers have the ability to listen for
incoming traffic on a line and the ability to be totally
passive
•While most sniffer attacks derive from legitimate
systems residing on the network that make use of
standard sniffing tools and not custom made sniffers,
there is the ability of hiding even the standard tools
from AntiSniff
Fooling AntiSniffing tools
•Methods used to hide sniffing tools from AntiSniffer
•A modified kernel or IP stack that works properly but also
drops any incoming packets into a Ethernet address though the
packets are not intended for this address
•If the sniffer is set to not do DNS lookups. Note that most
sniffers have this option
•If the sniffer knows to stop sniffing once the network traffic is
greater than a particular rate
•There are sniffers that implement these tactics to fool
the AntiSniffer and other Anti-sniffing devices
•known as the Anti-AntiSniffer
Conclusions
•Very effective means for Hackers to take advantage
of a network.
•Passiveness makes sniffers very difficult to detect,
•Used to capture information long before any
suspicion of the existence of a sniffer arises.
•Availability
•Detection methods are not foolproof, can often be
tricked as fast as new techniques for detecting
sniffers come about, it’s not long before there are
methods that fool them.
Conclusions cont
•Main intent is sharing of information among
computers but there may be a need for a new
architecture that is mindful of sniffers.
•Non-promiscuous Ethernet cards could be
specifically designed for network use.
•One time only password technology
•Don’t get sniffed!!