-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=- -= Intro to Packet Sniffers: What They Are and Why to use Them =- -= By Grifter =- -= grifter@staticdischarge.com =- -= http://www.2600slc.org =- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= § What is Packet Sniffing? The best way I can think of to describe packet sniffing is that it is basically a computer wire tap. When someone is sniffing a network, they are reading the packets that are traveling across a network. Everything you do online sends packets of information over phone lines or cables and through or past other machines on it's way to its destination. The computers between you and the destination can read the information that you send as it passes by; packet sniffers make this possible. Each packet contains a block of data ranging in size from 512 bytes to 4k, and a header block that will contain the information about the packet like its destination and origin addresses. The data part of the packet contains the information being sent on the network, like e-mail, web pages, logins and passwords, e-commerce information including credit card numbers, and all kinds of other goodies. Under normal circumstances network cards will check the packet to see if it's for them and if it's not they'll ignore it and let it pass on to the next machine. In the case of internet routing, the machines will check the packet's final destination and choose where to pass the packet onto next. However, ethernet cards typically have a "promiscuous-mode" option, which will turn off the filter and cause them to look at all packets as they go by. Setting your NIC to promiscuous mode is what packet sniffing programs take advantage of to do their dirty work. Firewalls can't prevent packet sniffing, and Virtual Private Networks and Encryption can't do anything either, except maybe make the attackers job a little more difficult. 
Keep in mind that many passwords are sent over the net unencrypted, and in some cases even when they are not sent in the clear this won't foil a packet sniffer intent on breaking into a system. If the login protocol always sends the same transformed (hashed or encrypted) value for a given password, an intruder who captures a login sequence has no need to recover the password at all: replaying the captured value gets them in. Only protocols that tie each login to a fresh server challenge or session key, so that the captured response is worthless next time, close that hole, and even then a captured challenge and response can be attacked offline if the password is weak.

§ What should you use?

There are a ridiculous number of packet sniffers out there, and it's basically up to you to decide which one you want to use and what works best for you. Personally I like "EtherPeek" by WildPackets. It's offered in versions for Windows and Macs, and has good features like web monitoring and analysis. The only problem is that it's going to cost you, but you can always try out the trial version. If you're looking for something free, or something you might already have, try these:

tcpdump

tcpdump is a free network packet analysis tool. Its advantage is that it is entirely command-line based, so it runs nicely in a remote telnet session (or, better, an ssh session, since a telnet session is itself sniffable). It needs only the kernel's packet capture interface and the libpcap library it is built on; link it statically and the binary is self-contained, so it can be copied to a remote machine and run without installing special device drivers or other software. The fact that it's free and open doesn't hurt either: a packet trace saved with -w is written in the portable libpcap format, so if you send it to a friend on a different platform, once your friend builds tcpdump for his machine he can read your trace.

netmon

Microsoft includes a packet-tracing tool called Network Monitor (a.k.a. netmon) on the Windows NT Server CD-ROM and on the Systems Management Server (SMS) CD-ROM. It's made up of two parts, an agent and the actual tool, and both have to be installed for it to work; to capture on a Windows NT 4.0 Workstation, for example, you install the Network Monitor agent and tools on that workstation. The catch with netmon is that it is a GUI program, so unlike tcpdump it can't be driven from a telnet window. There are two distinct versions of netmon, neither of which is freely available like tcpdump.
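The replay problem described above, as an added example that is not part of the original article: two toy login schemes side by side. In the first the client always sends the same hashed form of the password, so the bytes a sniffer captures are as good as the password itself; in the second the server issues a random challenge and the client answers with an HMAC over it, so the captured answer is only valid once. The user name, password, server store and function names are all assumptions made for the example.

```python
# Added example (not from the original article): why a sniffed "encrypted"
# password can often be replayed.  Two toy login schemes are compared; the
# user, password and server database are constructed for the example.
import hashlib
import hmac
import os

PASSWORD_DB = {"alice": "hunter2"}          # constructed server-side store


# Scheme 1: the client always sends the same fixed transform of the password.
# The wire never carries "hunter2", but the digest is as good as the password.
def client_login_static(user: str, password: str) -> tuple:
    return user, hashlib.sha256(password.encode()).hexdigest()

def server_check_static(user: str, digest: str) -> bool:
    expected = hashlib.sha256(PASSWORD_DB[user].encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


# Scheme 2: challenge-response.  The server issues a fresh random challenge
# and the client answers with an HMAC over it keyed by the password, so a
# captured response is only valid for the challenge it was computed for.
def server_challenge() -> bytes:
    return os.urandom(16)

def client_login_cr(user: str, password: str, challenge: bytes) -> tuple:
    return user, hmac.new(password.encode(), challenge, "sha256").hexdigest()

def server_check_cr(user: str, challenge: bytes, response: str) -> bool:
    expected = hmac.new(PASSWORD_DB[user].encode(), challenge, "sha256").hexdigest()
    return hmac.compare_digest(expected, response)


def replay_captured_static() -> bool:
    """Attacker sniffs one login under scheme 1 and re-sends the same bytes."""
    user, digest = client_login_static("alice", "hunter2")   # seen on the wire
    return server_check_static(user, digest)                 # accepted: True

def replay_captured_cr() -> bool:
    """Same attack against scheme 2: the server issues a new challenge for the
    attacker's session, so the captured response no longer matches."""
    user, response = client_login_cr("alice", "hunter2", server_challenge())  # sniffed
    return server_check_cr(user, server_challenge(), response)                 # False


if __name__ == "__main__":
    print("replay against static digest accepted:", replay_captured_static())
    print("replay against challenge-response accepted:", replay_captured_cr())
```

Note that the second scheme only defeats the straight replay. A sniffer that captures both the challenge and the response can still guess passwords offline until the HMAC matches, which is why weak passwords remain a problem even over challenge-response logins and why an encrypted channel is the better answer.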
The version included with the Windows NT 4.0 Server CD-ROM only captures packets sent to and from the local machine. The version included with the SMS CD-ROM can put the network interface into promiscuous mode, so all packets on the shared media can be seen. Both versions can also be run locally on Windows NT Workstations and on Windows 9x clients as long as the Network Monitor agent has been installed.

§ How to Sniff

Most packet sniffers will set your NIC to promiscuous mode when you select it and start a session. If there is network traffic you should start to see results right away. The actual task of capturing is easy and shouldn't take long to figure out, so I won't go into detail on it. Translating the captured data into something you can understand is the tricky part. I recommend a solid knowledge of networking and TCP/IP, and that you aren't scared of hex.

The capture software will normally write the packets to a capture file on the machine (tcpdump's -w switch saves the raw packets in libpcap format, which is binary, not text), so you can come back and read the file later to see what you've got. The software can be set to log only certain traffic, for instance packets containing the string "password" or anything that looks like e-mail. This keeps the size of your log file down and lessens the chance that someone will notice the sniffer, since a full capture of a busy segment fills a disk quickly. But it does mean you're relying on the program to find the good stuff, so you run the risk of missing something you would have liked. Note that tcpdump's own filter language selects on header fields (hosts, ports, protocols) and fixed byte offsets rather than searching the payload for strings; matching on content is a job for the analysis tool or for a separate pass over the saved capture.

That should cover the basics: now you know what packet sniffing is, what programs to use, and that it doesn't take a genius to get started. There are other types of sniffing, like looking specifically for logins and credit card numbers, but that goes beyond the scope of my ethics, so you'll have to look somewhere else if that's what you're interested in. I hope this taught you something; if nothing else, it was fun to write.
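To make the earlier description of a packet (header block with addresses, data block with the goodies), the card's address filter versus promiscuous mode, and the "log only certain contents" idea concrete, here is an added example that is not part of the original article and not any real sniffer's code: a minimal sniffer back end that parses raw Ethernet/IPv4/TCP frames, applies the NIC's destination-MAC check with promiscuous mode on or off, keeps only frames whose payload looks like a login line, and writes a capture file in the libpcap format that tcpdump -w produces and tcpdump -r reads. All frames, MAC addresses, IP addresses and function names are constructed for the example; nothing is captured from a live interface.

```python
# Added example (not from the original article): the inside of a sniffer.
# It parses raw Ethernet/IPv4/TCP frames, applies the card's address filter
# with promiscuous mode on or off, flags plaintext login lines, and writes a
# libpcap-format capture file (the format tcpdump -w produces).  Every frame,
# MAC and IP address below is constructed for the example; nothing is captured.
import struct
from typing import Callable, Optional

ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes) -> Optional[dict]:
    """Split one Ethernet frame into header fields and the TCP payload."""
    if len(frame) < ETH_HDR.size:
        return None
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ihl < 20 or total_len < ihl + 20 or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "src": ".".join(map(str, ip[12:16])) + f":{sport}",
        "dst": ".".join(map(str, ip[16:20])) + f":{dport}",
        "payload": tcp[data_off:],
    }


def nic_accepts(frame: bytes, my_mac: bytes, promiscuous: bool) -> bool:
    """The card's own filter: normally only frames for this MAC (or broadcast)
    reach the host; promiscuous mode switches the check off.  Multicast is
    ignored here for brevity."""
    return promiscuous or frame[:6] in (my_mac, BROADCAST)


def looks_like_login(payload: bytes) -> bool:
    """Content filter: FTP and POP3 send credentials as USER/PASS lines."""
    return payload.upper().startswith((b"USER ", b"PASS "))


def sniff(frames, my_mac: bytes, promiscuous: bool,
          log_filter: Optional[Callable[[bytes], bool]] = None) -> list:
    """Return the parsed packets a sniffer running on my_mac would keep."""
    kept = []
    for frame in frames:
        if not nic_accepts(frame, my_mac, promiscuous):
            continue
        pkt = parse_frame(frame)
        if pkt and (log_filter is None or log_filter(pkt["payload"])):
            kept.append(pkt)
    return kept


def write_pcap(frames) -> bytes:
    """Serialise frames in libpcap format: a 24-byte global header (magic,
    version 2.4, zone, sigfigs, snaplen, linktype 1 = Ethernet), then one
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(f), len(f)) + f
    return out


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp


# Constructed sample segment: A is the sniffing host, B logs in to a POP3 server on C.
MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000" + x) for x in "123")
SAMPLE_FRAMES = [
    build_frame(MAC_C, MAC_B, "10.0.0.2", "10.0.0.3", 40000, 110, b"USER alice\r\n"),
    build_frame(MAC_C, MAC_B, "10.0.0.2", "10.0.0.3", 40000, 110, b"PASS hunter2\r\n"),
    build_frame(MAC_B, MAC_C, "10.0.0.3", "10.0.0.2", 110, 40000, b"+OK Logged in.\r\n"),
    build_frame(MAC_A, MAC_B, "10.0.0.2", "10.0.0.1", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(len(sniff(SAMPLE_FRAMES, MAC_A, False)), "frame(s) seen without promiscuous mode")
    for pkt in sniff(SAMPLE_FRAMES, MAC_A, True, looks_like_login):
        print(pkt["src"], "->", pkt["dst"], pkt["payload"].rstrip().decode())
    with open("sample.pcap", "wb") as fh:          # readable with: tcpdump -r sample.pcap
        fh.write(write_pcap(SAMPLE_FRAMES))
```

Without promiscuous mode the host only sees the one frame addressed to its own MAC (the HTTP request); with it on, the POP3 login of another machine on the segment is visible, and the content filter reduces the capture to just the USER and PASS lines. The pcap writer is the same layout tcpdump uses, so the saved file can be opened with tcpdump -r or any other libpcap-based tool on another platform, which is the portability point made for tcpdump above.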
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=- © 2600SLC.ORG 2001 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-