I have put together a FAQ (Frequently Asked Questions) file about Sniffers. I tried covering all topics related to sniffers and mentioned some companies that provide products for solutions for sniffer attacks. Unfortunately, I have not evaluated any of the products except for using Skey, but I would appreciate it if you have had the chance to play with the product, please send me a small review and Ill stick it under the companies product. I would like unbiased reviews, good and bad. Mostly, what features did you like and what were missing. Also, I am sure I may have missed a few companies that offer similiar solutions and if you know of any of them, please email me. I would like feedback on this, Thank you. This Sniffer FAQ will hopefully give administrators a clear understanding of sniffing problems and hopefully possible solutions to follow up with. Sniffers is one of the main causes of mass break-ins on the Internet today. This FAQ will be broken down into: What a sniffer is and how it works Where are sniffers available How to detect if a machine is being sniffed Stopping sniffing attacks: Active hubs Encryption Kerberos One-time password technology Non-promiscuous interfaces ------------------------------------------------------------------------ What a sniffer is and how it works Unlike telephone circuits, computer networks are shared communication channels. It is simply too expensive to dedicate local loops to the switch (hub) for each pair of communicating computers. Sharing means that computers can receive information that was intended for other machines. To capture the information going over the network is called sniffing. Most popular way of connecting computers is through ethernet. Ethernet protocal works by sending packet information to all the hosts on the same circuit. The packet header contains the proper address of the destination machine. Only the machine with the matching address is suppose to accept the packet. A machine that is accepting all packets, no matter what the packet header says, is said to be in promiscuous mode. Because account and password information is passed along ethernet in clear-text, it is not hard for an intruder to put a machine into promiscuous mode and by sniffing, compromise all the machines on the net. ------------------------------------------------------------------------ Where are sniffers available Sniffing is one of the most popular forms of attacks used by hackers. One special sniffer, called Esniff.c, is very small, designed to work on Sunos, and only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It was published in Phrack, one of the most widely read freely available underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log. You may want to run Esniff.c on an authorized network to quickly see how effective it is in compromising local machines. Other sniffers that are widely available which are intended to debug network problems are: Etherfind on SunOs4.1.x Snoop on Solaris 2.x Tcpdump 2.0 uses bpf for a multitude of platforms. Gobbler for IBM DOS Machines Commercial Sniffers are available at: Network General. ------------------------------------------------------------------------ How to detect a sniffer running. To detect a sniffing device that only collects data and does not respond to any of the information, requires physically checking all your ethernet connections. It is also impossible to remotely check by sending a packet or ping if a machine is sniffing. A sniffer running on a machine puts the interface into promiscuous mode, which accepts all the packets. On some Unix boxes, it is possible to detect a promiscuous interface. For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a command "ifconfig -a" that will tell you information about all the interfaces and if they are in promiscuous mode. Intruders often replace commands such as ifconfig to avoid detection. Make sure you verify its checksum. There is a program called cpm available on ftp.cert.org:/pub/tools/cpm that only works on Sunos and is suppose to check the interface for promiscuous flag. Ultrix can possibly detect someone running a sniffer by using the commands pfstat and pfconfig. pfconfig allows you to set who can run a sniffer pfstat shows you if the interface is in promiscuous mode. These commands only work if sniffing is enabled by linking it into the kernel. by default, the sniffer is not linked into the kernel. Most other Unix systems, such as Irix, Solaris, SCO, etc, do not have any flags indication whether they are in promiscuous mode or not, therefore an intruder could be sniffing your whole network and there is no way to detect it. Often a sniffer log becomes so large that the file space is all used up. On a high volume network, a sniffer will create a large load on the machine. These sometimes trigger enough alarms that the administrator will discover a sniffer. I highly suggest using lsof (LiSt Open Files) available from coast.cs.purdue.edu:/pub/Purdue/lsof for finding log files. There is no commands I know of to detect a promiscuous IBM PC compatible machine, but they atleast usually do not allow command execution unless from the console, therefore remote intruders can not turn a PC machine into a sniffer without inside assistance. ------------------------------------------------------------------------ Stopping sniffing attacks Active hubs send to each system only packets intended for it rendering promiscuous sniffing useless. This is only effective for 10-Base T. The following vendors have available active hubs: 3Com HP ------------------------------------------------------------------------ Encryption There are several packages out there that allow encryption between connections therefore an intruder could capture the data, but could not decypher it to make any use of it. Some packages available are: deslogin is one package available at ftp coast.cs.purdue.edu:/pub/tools/unix/deslogin . swIPe is another package available at ftp.csua.berkeley.edu:/pub/cypherpunks/swIPe/ ------------------------------------------------------------------------ Kerberos Kerberos is another package that encrypts account information going over the network. Some of its draw backs are that all the account information is held on one host and if that machine is compromised, the whole network is vulnerable. It is has been reported a major difficulty to set up. It does not stop an intruder from capturing what you did after you logged in. ------------------------------------------------------------------------ One time password technology S/key and other one time password technology makes sniffing account information almost useless. S/key concept is having your remote host already know a password that is not going to go over insecure channels and when you connect, you get a challenge. You take the challenge information and password and plug it into an algorithm which generates the response that should get the same answer if the password is the same on the both sides. Therefore the password never goes over the network, nor is the same challenge used twice. Unlike SecureID or SNK, with S/key you do not share a secret with the host. S/key is available on ftp:thumper.bellcore.com:/pub/nmh/skey Other one time password technology is card systems where each user gets a card that generates numbers that allow access to their account. Without the card, it is improbable to guess the numbers. The following are companies that offer solutions that are provide better password authenication (ie, handheld password devices): Secure Net Key (SNK) Digital Pathways, Inc. 201 Ravendale Dr. Mountainview, Ca. 94043-5216 USA Phone: 415-964-0707 Fax: (415) 961-7487 Secure ID Security Dynamics, One Alewife Center Cambridge, MA 02140-2312 USA Phone: 617-547-7820 Fax: (617) 354-8836 Secure ID uses time slots as authenication rather than challenge/response. WatchWord and WatchWord II Racal-Guardata 480 Spring Park Place Herndon, VA 22070 703-471-0892 1-800-521-6261 ext 217 SafeWord Enigma Logic, Inc. 2151 Salvio #301 Concord, CA 94520 510-827-5707 Fax: (510)827-2593 Secure Computing Corporation: 2675 Long Lake Road Roseville, MN 55113 Tel: (612) 628-2700 Fax: (612) 628-2701 debernar@sctc.com ------------------------------------------------------------------------ Non-promiscuous Interfaces You can try to make sure that most IBM DOS compatible machines have interfaces that will not allow sniffing. Here is a list of cards that do not support promiscuous mode: Test the interface for promiscuous mode by using the Gobbler. If you find a interface that does do promiscuous mode and it is listed here, please e-mail cklaus@iss.net so I can remove it ASAP. 3Com 3C501 EtherLink 3Com 3C507 EtherLink 16 3Com 3C507 EtherLink 16 TP IBM Token-Ring Network PC Adapter IBM Token-Ring Network PC Adapter II (short card) IBM Token-Ring Network PC Adapter II (long card) IBM Token-Ring Network 16/4 Adapter IBM Token-Ring Network PC Adapter/A IBM Token-Ring Network 16/4 Adapter/A IBM Token-Ring Network 16/4 Busmaster Server Adapter/A Microdyne (Excelan) EXOS 205 Microdyne (Excelan) EXOS 205T Microdyne (Excelan) EXOS 205T/16 Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16 Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32 Compaq 32-bit DualSpeed Token-Ring Controller Novell/Eagle NE3200 Novell/Eagle NE2000 AMD Am2110-SM AT Ethernet 7998 AMD Am1500T/2 PCnet-ISA AMD Am1500T PCnet-ISA HP 27247B EtherTwist Adapter Card/16 TP Plus HP 27252A EtherTwist Adapter Card/16 TP Plus HP J2405A EtherTwist PC LAN Adapter NC/16 TP IBM LAN Adapter for Ethernet IBM LAN Adapter for Ethernet TP IBM LAN Adapter for Ethernet CX Intel EtherExpress 16 Intel EtherExpress 16TP Intel EtherExpress 16C Intel EtherExpress FlashC Intel EtherExpress 16 MCA Intel EtherExpress 16 MCA TP ------------------------------------------------------------------------ Acknowledgements I would like to thank the following people for the contribution to this FAQ that has helped to update and shape it: Padgett Peterson (padgett@tccslr.dnet.mmc.com) Steven Bellovin (smb@research.att.com) Wietse Venema (wietse@wzv.win.tue.nl) ------------------------------------------------------------------------ Copyright This paper is Copyright (c) 1994, 1995 by Christopher Klaus of Internet Security Systems, Inc. Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium (ie magazines, books, etc) excluding electronic medium, please ask the author for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Address of Author Please send suggestions, updates, and comments to: Christopher Klaus <cklaus@iss.net> of Internet Security Systems, Inc. <iss@iss.net> -- Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc. Computer Security Consulting 2000 Miller Court West, Norcross, GA 30071