Understanding, Threats, and Defense Mechanisms (2024)

Introduction

This post explores packet sniffers, which are a useful tool and a potential threat. It provides detailed information about packet sniffers, software used as packet sniffers, how sniffers work, types of sniffing, protocols vulnerable to sniffing, Wireshark filters, threats of Address Resolution Protocol (ARP) poisoning, span ports, and how to defend against packet sniffing.

What are packet sniffers?

A sniffer is a piece of software that captures network traffic and performs network analysis, traffic analysis, protocol analysis, sniffing, packet analysis, and so on. A packet sniffer is essentially a tool that aids in monitoring network traffic and troubleshooting a network. It works by capturing and analyzing packets of data that flow through a network. In some cases, a packet sniffer might be a dedicated hardware device.

Sniffers capture, decode, and analyze network traffic and answer questions such as the following:

  • Why is the network slow?
  • What is the network traffic pattern?
  • How is the traffic being shared between nodes?

Network analyzer

A network analyzer is a combination of hardware and software tools that can detect, decode, and manipulate traffic on the network. Network administrators use network analyzers to troubleshoot networking issues, but many hackers use them to gather vital information.

Uses include:

  • Passive sniffing (detection) - Difficult to detect
  • Active sniffing (attack)

Common network analyzers

The following list contains some common analyzers:

- Wireshark
- Ettercap
- Dsniff
- Tcpdump
- EtherPeek
- Cain and Abel

How a sniffer works

Data travels through a network in the form of packets. Packet-switched networks break down the data to transmit into several packets. They then reassemble these packets after all the data packets reach their intended destination.

When you install a packet sniffer in the network, the sniffer intercepts the network traffic and captures the raw data packets. Subsequently, the packet sniffing software analyzes the captured data packets and presents the results to the network administrators in a user-friendly format so that they can interpret the data.


Types of sniffing

There are two types of sniffing: passive and active.

Network administrators use passive sniffing on a hub, which the network uses to send traffic to all of its ports. Passive sniffing only monitors packets sent by others and does not insert any additional data packets into the network traffic.

Attackers use active sniffing to steal data from others. In a network that uses hubs to connect systems, all hosts on the network can see all the traffic, and therefore, an attacker can easily capture data packets.

What is Wireshark?

Formerly known as Ethereal, Wireshark is an open-source program with many free features that provides the following functionality:

  • Helps you to decode over 750 protocols.
  • Is compatible with many other sniffers.
  • Has plenty of online resources available.
  • Supports both the command-line and GUI interfaces.
  • Offers the TShark command-line interface, which has the following three components:
      • Editcap: Reads captured packets from an input file, and reads and writes the same capture file formats that Wireshark supports.
      • Mergecap: Combines multiple saved capture files into a single output file.
      • Text2pcap: Reads an ASCII hex dump and writes the data it describes into a pcap or pcapng capture file. Text2pcap can read hex dumps containing multiple packets and build a capture file of multiple packets.

Protocols vulnerable to sniffing

The following protocols are vulnerable to sniffing:

  • HTTP
  • Telnet
  • rlogin
  • POP
  • IMAP
  • SMTP and NNTP
  • FTP
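To make concrete what "capturing and decoding" in the section on how a sniffer works actually involves, and why the protocols listed above are exposed, here is an added example in Python. It is not part of the original article: it dissects a raw Ethernet/IPv4/TCP frame into header fields the way a sniffer's protocol decoder does, then reports any packet carrying data to one of the listed cleartext ports, which is the audit a defender runs to find where credentials still travel unencrypted. The sample frames are constructed inline (the hosts 10.0.0.1 and 10.0.0.2 come from the article's examples; the MAC addresses and the port-to-protocol table are assumptions), and checksums are left at zero because nothing here validates them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default ports of the cleartext protocols listed in the article (IANA assignments).
CLEARTEXT_PORTS = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
    119: "NNTP", 143: "IMAP", 513: "rlogin",
}


@dataclass
class Packet:
    """Fields a sniffer extracts from one frame; None where a layer is absent."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame: bytes) -> Packet:
    """Dissect Ethernet II -> IPv4 -> TCP/UDP headers from raw bytes."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = Packet(src_mac=_mac(src), dst_mac=_mac(dst))
    if ethertype != 0x0800:            # only IPv4 is dissected in this example
        pkt.payload = frame[14:]
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    pkt.proto = ip[9]
    pkt.src_ip = ".".join(str(b) for b in ip[12:16])
    pkt.dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if pkt.proto == 6:                 # TCP: data offset is the high nibble of byte 12
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[(l4[12] >> 4) * 4:]
    elif pkt.proto == 17:              # UDP: fixed 8-byte header
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[8:]
    else:
        pkt.payload = l4
    return pkt


def cleartext_exposure(packets: List[Packet]) -> List[Tuple[str, str, str, str]]:
    """Report (protocol, src_ip, dst_ip, data) for packets sending data to a cleartext port."""
    findings = []
    for p in packets:
        name = CLEARTEXT_PORTS.get(p.dst_port)
        if name and p.payload:
            findings.append((name, p.src_ip, p.dst_ip,
                             p.payload.decode("ascii", "replace").strip()))
    return findings


def build_tcp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame as sample input (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


# Constructed sample traffic from host 10.0.0.2 to 10.0.0.1 (MAC addresses are made up).
SAMPLE_FRAMES = [
    build_tcp_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.2", "10.0.0.1",
                    40000, 23, b"alice\r\n"),                    # Telnet username
    build_tcp_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.2", "10.0.0.1",
                    40001, 21, b"USER alice\r\n"),               # FTP login command
    build_tcp_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.2", "10.0.0.1",
                    40002, 443, b"\x16\x03\x01\x00\x05hello"),   # TLS-like bytes, not flagged
]


def run_report() -> List[Tuple[str, str, str, str]]:
    """Decode the sample frames and list the cleartext exposures found."""
    return cleartext_exposure([decode_frame(f) for f in SAMPLE_FRAMES])


if __name__ == "__main__":
    for proto, src, dst, data in run_report():
        print(f"{proto}: {src} -> {dst}: {data!r}")
```

The port table is only a first approximation: services run on non-default ports and a real audit would also look at the payload (the `USER` and `PASS` commands of FTP, the `Authorization:` header of HTTP). What the example shows is that once a frame is captured, the username is in the payload bytes in the clear; no decoding beyond header arithmetic is needed to read it.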

Users of network analyzers

The following roles use network analyzers:

  • System administrators
      • Understand system problems and performance
  • Malicious individuals (intruders)
      • Capture cleartext data
      • Passively collect data on vulnerable protocols such as FTP, POP3, IMAP, SMTP, rlogin, HTTP, and so on
      • Capture VoIP data
      • Map the target network
      • Discover traffic patterns
      • Actively break into the network (backdoor techniques)

Filters

You can use filters to analyze captured data.


Sometimes, you can observe and record traffic traveling on a network, which might contain valuable information such as the following:

  • Usernames and passwords
      • Encrypted
      • Unencrypted
  • Email, web requests (and replies), data files, and so on

Wireshark

Wireshark is a very popular network analyzer tool, which network administrators use to capture packets traversing a network. Administrators mostly use it to identify network problems, but hackers also use it to decode secure information.

The following image shows a Wireshark screen:

[Image: Wireshark capture screen]

Example – An nmap port scan:

  • Target host (10.0.0.1): Start Wireshark.
  • Source host (10.0.0.2, the attacker's computer): Perform a TCP connect scan: `nmap -sT <target host>`
  • View the results.

Example – A web connection:

  • Target host (10.0.0.1): Start Wireshark.
  • Source host (10.0.0.2): Open a web browser and type any website name.
  • View the results.

Example – An FTP connection:

  • Target host (10.0.0.1): Start Wireshark.
  • Source host (10.0.0.2): Use the ftp client: `ftp <target host>`
  • View the results.
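The first example above has the capture side watch a TCP connect scan arrive. What an administrator sees in that capture is a burst of SYNs from one source to many ports of one host, and that is also the signal a monitoring script keys on. The following added example, which is not part of the original article, runs such a detector over a constructed list of SYN records of the kind a capture tool exports (the hosts 10.0.0.1 and 10.0.0.2 come from the article; the other addresses, ports and timings are made up). It generalizes the single example in the text to any source and target pair by counting distinct destination ports inside a sliding time window.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# One record per TCP SYN seen in a capture: (src_ip, dst_ip, dst_port, seconds).
SynRecord = Tuple[str, str, int, float]

# Constructed sample, not a real capture: 10.0.0.2 sweeps eleven ports on 10.0.0.1 in a
# fifth of a second, 10.0.0.5 makes three ordinary HTTPS connections, and 10.0.0.7
# touches five ports spread over a minute (below the threshold used below).
SAMPLE_SYNS: List[SynRecord] = (
    [("10.0.0.2", "10.0.0.1", port, 0.02 * i)
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389, 8080])]
    + [("10.0.0.5", "10.0.0.1", 443, t) for t in (0.5, 1.2, 3.9)]
    + [("10.0.0.7", "10.0.0.1", port, 12.0 * i)
       for i, port in enumerate([22, 80, 443, 8080, 3306])]
)


def detect_connect_scans(records: List[SynRecord], port_threshold: int = 10,
                         window: float = 5.0) -> List[Dict]:
    """Flag a source that sends SYNs to at least port_threshold distinct ports on one
    host within any span of `window` seconds. Returns one alert per (src, dst) pair."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for src, dst, port, t in records:
        by_pair[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()                    # sliding window needs time order
        in_window: Counter = Counter()   # distinct ports currently inside the window
        left = 0
        for t, port in events:
            in_window[port] += 1
            while t - events[left][0] > window:   # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(in_window),
                               "first_seen": events[left][0], "last_seen": t})
                break                    # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_connect_scans(SAMPLE_SYNS):
        print(f"scan: {a['src']} -> {a['dst']}, {a['distinct_ports']} ports "
              f"between t={a['first_seen']:.2f}s and t={a['last_seen']:.2f}s")
```

A connect scan completes the three-way handshake before closing each connection, so the capture also shows the SYN/ACK, ACK and the close for every open port; the detector ignores those and uses only the SYNs, which is why it would flag a half-open (`-sS`) scan just the same. The threshold and window are tuning knobs: a slow scan that spreads its probes over minutes, like the 10.0.0.7 source in the sample, slips under a five-second window.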

Man-in-the-middle

The man-in-the-middle is a common attack tactic. In a switched environment, a host receives only the following:

  • Traffic destined for itself
  • Broadcast traffic

The host cannot see traffic between other hosts. The man-in-the-middle attack enables an attacker to insert themselves as an (undetected) intermediary between communicating hosts.

What is ARP poisoning?

Address Resolution Protocol (ARP) poisoning is when an attacker sends falsified ARP messages over a local area network (LAN) to link the attacker's MAC address with the IP address of a legitimate computer or server on the network. After the attacker's media access control (MAC) address is linked to an authentic IP address, the attacker can receive any messages directed to the legitimate MAC address. As a result, the attacker can intercept, modify, or block communications to the legitimate MAC address.

Attackers look for the following opportunities to use ARP poisoning:

  • Sensitive, unencrypted communications - Web requests or replies, email, FTP, or HTTP
  • Weakly-encrypted communications - Old versions of SSH or RDC

ARP poisoning countermeasures

Dynamic ARP inspection in Cisco systems helps to prevent man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies to other ports in the same VLAN. Dynamic ARP inspection intercepts all ARP requests and all replies on untrusted ports. Each intercepted packet is verified for a valid IP-to-MAC binding via DHCP snooping. Denied ARP packets are either dropped or logged by the switch for auditing when ARP poisoning attacks are stopped. Incoming ARP packets on the trusted ports are not inspected. Dynamic ARP inspection can also rate-limit ARP requests from client ports to minimize port scanning mechanisms.
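The two sections above describe the same ARP reply from two sides: the host whose cache it poisons, and the switch that could refuse to relay it. The following added example in Python, which is not part of the original article and is not Cisco's implementation, models both checks over constructed ARP frames: a host-side watcher that learns IP-to-MAC pairs from replies and reports when a known IP is claimed by a different MAC, and a simplified switch-side Dynamic ARP inspection that passes trusted ports, rate-limits untrusted ones, and drops and logs any reply that disagrees with the DHCP snooping binding table. The hosts 10.0.0.1 and 10.0.0.2 come from the article; the MAC addresses, port names, binding table and the spoofed test reply are made up for the scenario.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (opcode, sender_mac, sender_ip, target_mac, target_ip)
ArpFields = Tuple[int, str, str, str, str]


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet frame carrying an ARP reply (opcode 2) as sample input."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return _mac_bytes(target_mac) + _mac_bytes(sender_mac) + b"\x08\x06" + arp


def parse_arp(frame: bytes) -> Optional[ArpFields]:
    """Dissect an ARP frame; returns None for any other EtherType."""
    if frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return (op, ":".join(f"{x:02x}" for x in smac), ".".join(str(x) for x in sip),
            ":".join(f"{x:02x}" for x in tmac), ".".join(str(x) for x in tip))


class ArpWatch:
    """Host-side passive monitor: learns IP -> MAC from ARP replies and reports any IP
    that is later claimed by a different MAC, the symptom of the poisoning described above."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp[0] != 2:
            return None
        _, smac, sip, _, _ = arp
        known = self.table.setdefault(sip, smac)   # the first sighting is kept as the baseline
        if known != smac:
            return f"ALERT: {sip} was {known}, now claimed by {smac}"
        return None


class DynamicArpInspection:
    """Switch-side model of the DAI behaviour described above (an assumed simplification):
    trusted ports pass uninspected; on untrusted ports ARP is rate-limited per second and
    must match the DHCP snooping binding table, otherwise it is dropped and logged."""

    def __init__(self, bindings: Dict[str, str], trusted_ports: List[str], rate_limit: int = 15) -> None:
        self.bindings = bindings                     # ip -> mac learned by DHCP snooping
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit                 # ARP packets per second per untrusted port
        self._per_second: Dict[Tuple[str, int], int] = defaultdict(int)
        self.log: List[Tuple[float, str, str]] = []

    def inspect(self, port: str, frame: bytes, t: float) -> str:
        """Return 'forward' or 'drop' for one frame arriving on `port` at time `t`."""
        arp = parse_arp(frame)
        if arp is None or port in self.trusted:
            return "forward"
        key = (port, int(t))
        self._per_second[key] += 1
        if self._per_second[key] > self.rate_limit:
            self.log.append((t, port, "rate limit exceeded"))
            return "drop"
        _, smac, sip, _, _ = arp
        if self.bindings.get(sip) != smac:
            self.log.append((t, port, f"invalid binding {sip} -> {smac}"))
            return "drop"
        return "forward"


# Constructed scenario: gateway 10.0.0.1 on trusted port Gi0/1, host 10.0.0.2 on Gi0/2,
# and a reply on Gi0/3 that claims the gateway's IP with a MAC not in the binding table.
BINDINGS = {"10.0.0.1": "02:00:00:00:00:01", "10.0.0.2": "02:00:00:00:00:02"}
SCENARIO = [
    ("Gi0/1", build_arp_reply("02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:02", "10.0.0.2"), 0.0),
    ("Gi0/2", build_arp_reply("02:00:00:00:00:02", "10.0.0.2", "02:00:00:00:00:01", "10.0.0.1"), 0.1),
    ("Gi0/3", build_arp_reply("02:00:00:00:00:99", "10.0.0.1", "02:00:00:00:00:02", "10.0.0.2"), 0.2),
]


def run_scenario() -> Tuple[List[str], List[Optional[str]]]:
    """Apply both checks to the scenario; returns (switch verdicts, host alerts)."""
    dai = DynamicArpInspection(BINDINGS, ["Gi0/1"])
    watch = ArpWatch()
    verdicts = [dai.inspect(port, frame, t) for port, frame, t in SCENARIO]
    alerts = [watch.observe(frame) for _, frame, _ in SCENARIO]
    return verdicts, alerts


if __name__ == "__main__":
    print(run_scenario())
```

The watcher only ever sees the spoofed reply if the switch forwarded it, which is the point of placing the check in the switch; the host-side watcher is the fallback for networks without DAI. Both checks depend on an accurate baseline: the watcher trusts the first reply it sees, and DAI trusts whatever DHCP snooping recorded, so a statically addressed host that never went through DHCP needs a manual binding or its legitimate ARP traffic will be dropped.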

How to defend against sniffing

Use the following techniques and best practices to protect yourself from sniffing attacks:

  • Restrict the physical access to the network media to ensure that a packet sniffer cannot be installed.
  • Use encryption to protect confidential information.
  • Permanently add the MAC address of the gateway to the ARP cache.
  • Use static IP addresses and static ARP tables to prevent attackers from adding spoofed ARP entries for their machines to the network.
  • Turn off network identification broadcasts, and if possible, restrict the network to authorized users in order to protect the network from being discovered with sniffing tools.
  • Use IPv6 instead of IPv4.
  • Use encrypted sessions such as Secure Shell (`ssh`) instead of Telnet.
  • Use Secure Copy (`scp`) instead of a file transfer protocol (`ftp`).
  • Use Secure Sockets Layer (SSL) for email connections.

Conclusion

These days, many attacks happen through packet sniffing. Packet sniffers are placed in cyber cafes and on open wifi in restaurants, hotels, and public places. You can protect your data with a little caution. You should never use open wifi and should stop using open text protocols like ftp, http, IMAP, Telnet, and SNMP v1 and v2. You must install SSL certificates on your websites, use Secure File Transfer Protocol (`sftp`) instead of `ftp`, and use SSH instead of telnet. You should use SNMP v3 and opt for the strongest encryption.

Author: Saturnina Altenwerth DVM
