Aug 31, 2009

Packet Sniffing - "protocol decoding and surveillance"


Packet Sniffing is a fascinating subject. It wears both hats, the good and the evil. It's used by many (including myself) to detect network faults etc...but the same technology allows someone to "sniff" out passwords for your mail account or even your internet account. Now you understand why securing/encrypting your data is so important.

When a file is "deleted" what actually happens? Your operating system removes the reference to that file on the file system. This reference had details such as where on the disk the file was. Whilst marked and available as free space the old data didn't move, its just not seen on the file system but physically exisits on the disk. The entire file remains on the disk until another data is created over the physical area, and even then it may be possible to recover data by studying the magnetic fields on the platter surface.

What's a packet sniffer?

When you make contact with the Internet, data isn't sent in one continuous stream of data; this would be impractical and it would limit the performance of the Internet network. To keep the performance of the Internet as high as possible, the data is cut in slices. Such a slice of data (either inbound or outbound) is called "a packet". Now, you can't see atoms with your naked eye can you? No, I thought so. Sending information on a network means sending "packets" of data. Think of them like the atoms. A lot of packets will create the final information you will see on your screen, be it website or email. To "see" the atoms you would need a special device, some kind of electron microscope, to be able to see the "packets" you've sent or received... you also need a special device. This is a special type of monitoring program called... a packet sniffer. By using a packet sniffer you're able to see any bit of information entering or leaving your computer... even those you normally wouldn't see!

A packet sniffer can be considered as a sort of wire tap device. A device that can "plug" into computer networks and eavesdrops on the network traffic. Just as a telephone wiretap allows the CIA to listen to conversations, the same concept follows a packet sniffer in the sense that it allows someone to listen in on computer conversations.

How packet sniffers work

Packet sniffers capture "binary" data passing through the network, most if not all decent sniffers "decode" this data into a human readable form. To make it even easier (for humans) another step occurs known as "protocol analysis". There is a varying degree of the analysis that takes place, some are simple, just breaking down the "packet" information. Others are more complex giving "detailed" information about what it sees on the packet (i.e., highlights a password for a service).

One very important (and very simple) point to understand is that the sniffer has to be on the same "wire" on which the data is travelling to. In short the "probing" device that "captures" the data has to be on the same wire. The data can then be relayed to a decoding computer on a different network.

Situation: Bob and John are engaged in a internet chat session. You are in a city far apart from where the two men reside. Bob and John are talking top secret details on a cocaine deal. You (the law abiding citizen) decide to sniff their chat session (from your location) to help the feds bust Bob and John.

The simple answer is you CAN'T do that as you don't have access to the path that the data travels from! Of course if you are a good hacker (or well Cracker) then you could install a Trojan on Bob or John's computer and run a sniffer from their system, thus the sniffer it self is on the same wire.

When packet sniffing will work and won't work

Basically to successfully sniff you have to be on a LAN that is connected with a hub and not a switch. Computers can be physically connected in many ways. If they are connected using a Hub then here is what happens. If there were 4 computers (A, B, C & D) and A wanted to send something to D then it goes through the hub. But the hub doesn't know where D is. So the hub "re-transmits" what A sent to all other computers. Computers B and C should ignore this data since the packet says it's for D. Computer D will obviously accept the data.

You can probably see the security issue here, since other computers nearly have direct access to data that's not meant for them. A packet sniffer can put your network card into promiscuous mode. In this mode the data not meant for that computer will silently pass through the system and thus allows for the packet sniffer to log data!

When computers are connected via a switch and not a hub then things are different. A switch actually knows which computers are connected to it. The switch also knows where the computers are. So when A sends something to D the data goes to the switch and it will send it directly to D without passing by B or C. So you cannot sniff data by installing a sniffer on computer B or C. Thus when functioning as intended a switch provides good sniffer protection!

Switches WON'T prevent sniffing - they make it harder

There is a super important point to understand with sniffing and "switches". Whilst switches appear to protect against sniffers THERE ARE WAYS to "trick" the switch which can enable you to start sniffing. You can flood the switch with ARP requests which will cause the switch to start behaving like a hub, or you can trick the switch to redirect traffic to the sniffer system.

How do I prevent my data being sniffed?

Many services on the internet send data in the plain text. By default POP mail, SMTP (for sending mail) send data in clear text. The same applies for FTP, Telnet and News clients. ICQ, MSN and AOL Instant messengers send passwords again in clear text. In fact most services send passwords this way.

Ways to secure yourself

   1. When logging into to mail services check to see if your mail client supports encrypted login's. The server has to  support this setting too, so check with them.
   2. Even if you login securely (above) any e-mail you send is still in clear text, anyone on the path that the mail travels through can technically read it. Use Encryption to encrypt the message. PGP ( is the popular application for this
   3. When shopping on-line make sure the store has a "secure" connection for submitting credit card details. Generally SSL 128bit encryption is the standard.
   4. Telnet sends password and normal data in plain text. If your server supports SSH then use this instead of Telnet since the connection is encrypted.

If possible use a Switch rather than a HUB on a LAN. This provides extremely efficient protection in practice (more work required to successfully sniff). This method is a frontline defence but it shouldn't be a method fully relied upon.

It's near impossible to detect that a packet sniffer is sniffing a connection. This is a passive act, the data is "logged" but unaltered. There are some methods of determining a packet sniffer, however they cannot conclude 100% what they found. A major clue that that sniffing MAY be taking place is the fact that many DNS lookup's are taking place. (i.e., the sniffer is attempting to convert IP addresses to host names) however this is only an indication for there may be other reasons as to why this may occur.

Another, stronger method of detecting if a packet sniffer is operating is to send an ARP request to the device in question to determine if it's in promiscuous mode. A packet which is not destined for your computer will be stopped at the hardware level if promiscuous mode is not on. The "device" in most cases is the network card of the computer running the sniffer.

No comments:

Post a Comment