Sunday, November 10, 2019

Packet Sniffing

Sniffing

In short, packet sniffing is the method used to see all kinds of information as it passes over the network it is linked to. But how does a packet sniffer work? A packet sniffer is a piece of software or hardware capable of monitoring all network traffic. It is able to capture all incoming and outgoing traffic, for example clear-text passwords, user names and other private or sensitive details.

Packet sniffing is a form of wire-tap applied to computer networks instead of phone networks. It came into vogue with Ethernet, which is known as a "shared medium" network. This means that traffic on a segment passes by all hosts attached to that segment. Ethernet hardware contained a filter that prevented the host machine from actually seeing any traffic other than that belonging to the host. Sniffing programs turn off the filter, and thus see everyone's traffic.

In the scheme of things, a computer usually only examines a packet of data that corresponds to the computer's address, but with a packet sniffer you are able to set the network interface to 'promiscuous mode'. In this case it examines ALL available information passing through it. As the data passes through the system it is copied and stored in memory or on a hard drive. The copies can then be studied and the information analyzed. The captured information is decoded from raw digital form into a human-readable format that permits users of the protocol analyzer to easily review the exchanged information.

As soon as you connect to the internet, you 'sign on' to a network that is under the watch of your ISP. This network can communicate with other networks and in short forms the basis of the internet. If a packet sniffer is located at a server owned by your ISP, it has the potential to gain access to:

* The web sites visited.
* What is searched for on the site.
* Your e-mail recipients.
* The contents of your mail.
* Any files you download.
* A list of your audio, video and telephony options.
* A list of visitors to your website.

Switched vs. Non-Switched

In a non-switched network environment packet sniffing is an easy thing to do. This is because network traffic is sent to a hub, which broadcasts it to everyone. Switched networks are completely different in the way they operate. Switches work by sending traffic to the destination host only. This happens because switches have CAM tables. These tables store information like MAC addresses, switch ports, and VLAN information [1].

Before sending traffic from one host to another on the same local area network, the host's ARP cache is first checked. The ARP cache is a table that stores both Layer 2 (MAC) addresses and Layer 3 (IP) addresses of hosts on the local network. If the destination host isn't in the ARP cache, the source host sends a broadcast ARP request looking for the host. When the host replies, the traffic can be sent to it. The traffic goes from the source host to the switch, and then directly to the destination host. This description shows that traffic isn't broadcast out to every host, but only to the destination host; therefore it's harder to sniff traffic.

Passive vs. Active Sniffing

Sniffers are a powerful piece of software. They have the capability to place the hosting system's network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it.

Passive Sniffing

If you are on a hub, a lot of traffic can potentially be affected. Hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing. Because the user is on a hub, all traffic is sent to all ports. All the attacker must do is start the sniffer and wait for someone on the same collision domain to start sending or receiving data. A collision domain is a logical area of the network in which one or more data packets can collide with each other.
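To make the hub versus switch description concrete, here is an added Python model (not code from the original post) of a hub that repeats every frame and a switch with a CAM table, including the broadcast ARP request and unicast reply that precede a data frame. The port numbers, MAC and IP addresses are constructed sample values; calling sniffer_sees(Switch) and sniffer_sees(Hub) returns what a passive listener on the third port gets to see in each case.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """CAM-table model: learn each frame's source MAC on its ingress port, then
    send known unicast destinations to that one port; flood everything else."""
    def __init__(self, ports):
        self.ports, self.cam, self.seen = list(ports), {}, defaultdict(list)
    def forward(self, in_port, frame):
        self.cam[frame["src"]] = in_port            # learn MAC -> port
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.cam:
            outs = [self.cam[dst]]
        else:
            outs = [p for p in self.ports if p != in_port]
        for p in outs:
            self.seen[p].append(frame)              # frames that reach each port
        return outs

class Hub(Switch):
    """A hub has no CAM table: every frame is repeated out of every other port."""
    def forward(self, in_port, frame):
        outs = [p for p in self.ports if p != in_port]
        for p in outs:
            self.seen[p].append(frame)
        return outs

def send(device, hosts, src, dst_ip):
    """src sends a data frame to dst_ip: broadcast ARP request and unicast reply
    first if the destination is not in src's ARP cache, then the unicast data."""
    port_of = {h["mac"]: p for p, h in hosts.items()}
    if dst_ip not in src["arp"]:
        device.forward(port_of[src["mac"]], {"src": src["mac"], "dst": BROADCAST,
                                             "kind": "arp-request", "target_ip": dst_ip})
        for p, h in hosts.items():
            if h["ip"] == dst_ip:                   # only the owner of the IP answers
                device.forward(p, {"src": h["mac"], "dst": src["mac"], "kind": "arp-reply"})
                src["arp"][dst_ip] = h["mac"]
    return device.forward(port_of[src["mac"]],
                          {"src": src["mac"], "dst": src["arp"][dst_ip], "kind": "data"})

def sniffer_sees(device_cls):
    """Constructed wiring: hosts A and B on ports 1 and 2, a sniffer on port 3.
    A sends one message to B; return the kinds of frame that reach port 3."""
    hosts = {1: {"mac": "02:00:00:00:00:0a", "ip": "10.0.0.1", "arp": {}},
             2: {"mac": "02:00:00:00:00:0b", "ip": "10.0.0.2", "arp": {}},
             3: {"mac": "02:00:00:00:00:0c", "ip": "10.0.0.3", "arp": {}}}
    device = device_cls([1, 2, 3])
    send(device, hosts, hosts[1], "10.0.0.2")
    return [f["kind"] for f in device.seen[3]]
```

On the hub the third port receives all three frames; on the switch it receives only the ARP broadcast, because the reply and the data frame are forwarded to the learned ports alone.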
Passive sniffing worked well during the days that hubs were used. The problem is that there are few of these devices left. Most modern networks use switches. That is where active sniffing comes in.

Active Sniffing

When sniffing is performed on a switched network, it is known as active sniffing. Active sniffing relies on injecting packets into the network to cause traffic. Active sniffing is required to bypass the segmentation that switches provide. Switches maintain their own ARP cache in a special type of memory known as Content Addressable Memory (CAM), keeping track of which host is connected to which port.

Sniffers operate at the Data Link layer of the OSI model. This means that they do not have to play by the same rules as applications and services that reside further up the stack. Sniffers can grab whatever they see on the wire and record it for later review. They allow the user to see all the data contained in the packet, even information that should remain hidden.

The terms active and passive sniffing have also been used to describe wireless network sniffing, with an analogous meaning. Passive wireless sniffing involves sending no packets and monitoring the packets sent by others. Active sniffing involves sending out multiple network probes to identify APs.

How Does a Packet Sniffer Work?

A packet sniffer works by viewing every packet sent in the network. This includes packets not intended for itself. How does it do this? Three types of sniffing methods are used. Methods may work in non-switched networks or in switched networks. These methods are:

IP-based sniffing

IP-based sniffing works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter; it is the original type of packet sniffing. The IP address filtering isn't switched on, so the sniffing program is able to capture all the packets. This method will only function in non-switched networks.
MAC-based sniffing

MAC-based sniffing works by putting the network card into promiscuous mode and sniffing all packets that match the MAC address filter.

ARP-based sniffing

ARP-based sniffing doesn't put the network card into promiscuous mode, because ARP packets are sent to its administrators. This is because the ARP protocol is stateless. This means that sniffing can be done on a switched network.

Once a hacker has found possible networks to attack, one of their first tasks is to identify the target. Many organizations are nice enough to include their names or addresses in the network name.

The sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to it. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is in promiscuous mode, a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card. Data traveling along the network comes as frames, or packets: bursts of bits formatted to specific protocols. Because of this strict formatting, the sniffer peels away the layers of encapsulation and decodes the relevant information stored in the packet sent, including the identity of the source computer, that of the targeted computer, and every piece of information exchanged between the two computers. Even if the network administrator has configured his equipment in such a way as to hide information, there are tools available that can determine this information. Utilizing any well-known network sniffing tool, an attacker can easily monitor unencrypted networks.
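As an added illustration (not code from the original post), the following Python models the mechanism just described: a few constructed Ethernet frames on a shared segment, the adapter's normal destination-address filter versus promiscuous mode, and a decoder that peels the Ethernet header off to read the IPv4 or ARP addresses beneath it. All MAC and IP addresses are constructed sample values, and the frames are built with the standard library only.

```python
import struct

# Constructed sample values (not from the page): the capturing host's own MAC.
OWN_MAC = bytes.fromhex("0242ac110002")
BROADCAST = b"\xff" * 6
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(map(int, s.split(".")))

def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6):
    """Constructed Ethernet+IPv4 frame: 20-byte header, no options, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_IPV4) + ip

def arp_frame(src_mac, sender_ip, target_ip, op=1):
    """Constructed broadcast ARP request (op=1) or reply (op=2)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, src_mac,
                      ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return struct.pack("!6s6sH", BROADCAST, src_mac, ETH_ARP) + arp

def nic_accepts(frame, promiscuous):
    """The adapter's hardware filter: pass only frames for our own MAC, broadcast
    or multicast (low bit of first octet set). Promiscuous mode switches it off."""
    dst = frame[:6]
    return promiscuous or dst == OWN_MAC or dst == BROADCAST or bool(dst[0] & 1)

def decode(frame):
    """Peel the Ethernet header, then the IPv4 or ARP header beneath it."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out, body = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}, frame[14:]
    if ethertype == ETH_IPV4:
        out.update(proto="ipv4", l4=body[9], src_ip=ip_str(body[12:16]),
                   dst_ip=ip_str(body[16:20]))
    elif ethertype == ETH_ARP:
        op = struct.unpack("!H", body[6:8])[0]
        out.update(proto="arp", op="request" if op == 1 else "reply",
                   sender_ip=ip_str(body[14:18]), target_ip=ip_str(body[24:28]))
    return out

# Constructed traffic: a frame for us, an ARP broadcast, unicast between two other hosts.
HOST_A, HOST_B = bytes.fromhex("0242ac110003"), bytes.fromhex("0242ac110004")
SEGMENT = [ipv4_frame(OWN_MAC, HOST_A, "10.0.0.3", "10.0.0.2"),
           arp_frame(HOST_A, "10.0.0.3", "10.0.0.4"),
           ipv4_frame(HOST_B, HOST_A, "10.0.0.3", "10.0.0.4")]

def capture(frames, promiscuous):
    return [decode(f) for f in frames if nic_accepts(f, promiscuous)]
```

capture(SEGMENT, False) returns only the frame addressed to this host and the ARP broadcast, while capture(SEGMENT, True) also returns the unicast frame exchanged between the two other hosts.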
Modes

On wired broadcast and wireless LANs, to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in monitor mode.

Who Uses a Packet Sniffer?

Packet sniffers are often used by ISPs as a diagnostic tool for their back-up systems, so it is in fact a well-utilized form of technology. Packet sniffing is also sometimes used to investigate the habits and actions of criminals, for example in the FBI's Carnivore system. As I am sure you will appreciate from the above, packet sniffers can be a useful, relatively harmless tool or a potentially dangerous invasion of privacy. Packet sniffers are a perfect example of how technology may be used to help or to harm.
USES

The versatility of packet sniffers means they can be used to:

* Analyze network problems
* Detect network intrusion attempts
* Detect network misuse by internal and external users
* Document regulatory compliance through logging all perimeter and endpoint traffic
* Gain information for effecting a network intrusion
* Isolate exploited systems
* Monitor WAN bandwidth utilization
* Monitor network usage (including internal and external users and systems)
* Monitor data-in-motion
* Monitor WAN and endpoint security status
* Gather and report network statistics
* Filter suspect content from network traffic
* Serve as primary data source for day-to-day network monitoring and management
* Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use)
* Reverse engineer proprietary protocols used over the network
* Debug client/server communications
* Debug network protocol implementations
* Verify adds, moves and changes
* Verify internal control system effectiveness (firewalls, access control, Web filter, Spam filter, proxy)

DEFENSE

Detection

Protection

Conclusion

Having looked at what they are, why they work and how they are used, it is easy to view sniffers as both dangerous threats and powerful tools. Every user should understand they are vulnerable to these types of attacks and that their best defense lies in encryption. Administrators and professionals need to know that these programs are superb diagnostic utilities that can, unfortunately, be used with malicious intent on any network.
