Ethereal Packet Sniffing (Syngress)
What is Network Analysis and Sniffing?
-
- Network analysis is the capture and decoding of network data.
- Network analyzers can be hardware or software, and are available both free and commercially.
- Network analyzer interfaces usually have three panes: summary (one line per packet), detail (the decoded protocol tree), and data (the raw bytes in hex and ASCII).
- The five parts of a network analyzer are: hardware, capture driver, buffer, real-time analysis, and decode.
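To make the "decode" stage and the three panes concrete, here is a small decoder written for this summary; it is an added example, not code from the book or from Ethereal itself. It builds one constructed Ethernet/IPv4/TCP frame (not a real capture), decodes it into a detail tree, verifies the IP header checksum, and renders the summary line and hex/ASCII data pane. The port numbers, addresses and MAC addresses are assumptions chosen for the example.

```python
import struct

ETH_IPV4, IP_TCP, IP_UDP = 0x0800, 6, 17
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """The 'decode' stage: Ethernet II -> IPv4 -> TCP/UDP, returned as a detail tree."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    detail = {"eth": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != ETH_IPV4:
        return detail
    ver_ihl, _tos, total, _id, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    # Re-summing the received header with its checksum field included must give zero.
    detail["ip"] = {"src": ip_str(s), "dst": ip_str(d), "ttl": ttl, "proto": proto,
                    "len": total, "csum_ok": ip_checksum(frame[14:14 + ihl]) == 0}
    l4 = frame[14 + ihl:14 + total]  # slice by IP total length so Ethernet padding is ignored
    if proto == IP_TCP:
        sport, dport, seq, ack, off, flags, win, _c, _u = struct.unpack("!HHIIBBHHH", l4[:20])
        doff = (off >> 4) * 4
        detail["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
                         "flags": [n for bit, n in TCP_FLAGS if flags & bit], "payload": l4[doff:]}
    elif proto == IP_UDP:
        sport, dport, ulen, _c = struct.unpack("!HHHH", l4[:8])
        detail["udp"] = {"sport": sport, "dport": dport, "payload": l4[8:ulen]}
    return detail


def summary_line(detail: dict) -> str:
    """The one-line 'summary' pane entry for a decoded frame."""
    ip = detail.get("ip")
    if ip is None:
        return f"{detail['eth']['src']} -> {detail['eth']['dst']} ethertype 0x{detail['eth']['type']:04x}"
    if "tcp" in detail:
        t = detail["tcp"]
        return f"{ip['src']} -> {ip['dst']} TCP {t['sport']} -> {t['dport']} [{','.join(t['flags'])}]"
    if "udp" in detail:
        u = detail["udp"]
        return f"{ip['src']} -> {ip['dst']} UDP {u['sport']} -> {u['dport']} len={len(u['payload'])}"
    return f"{ip['src']} -> {ip['dst']} IP proto {ip['proto']}"


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """The 'data' pane: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): TCP SYN 192.168.1.10:40000 -> 10.0.0.5:80."""
    eth = bytes.fromhex("005056000001" "001122334455") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IP_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    frame = eth + ip + tcp
    return frame + b"\x00" * max(0, 60 - len(frame))  # pad to the Ethernet minimum, as a NIC would


if __name__ == "__main__":
    frame = build_sample_frame()
    decoded = decode_frame(frame)
    print(summary_line(decoded))
    print(decoded)
    print("\n".join(hexdump(frame)))
```

The decoder slices the layer-4 data by the IP total length rather than the frame length, which is why the Ethernet padding does not show up as TCP payload; forgetting that is a common bug in home-grown decoders.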
Who Uses Network Analysis?
- Administrators use network analysis for troubleshooting network problems, analyzing network performance, and intrusion detection.
- When intruders use sniffers, it is considered a passive attack: the sniffer only listens and transmits nothing, which is what makes it hard to detect.
- Intruders use sniffers mostly to capture user names and passwords, collect confidential data, and map the network.
- Sniffers are a common component of a rootkit.
- Intruders also use sniffers to control backdoor programs.
How Does it Work?
- Ethernet is a shared medium; frames are addressed with MAC (hardware) addresses.
- The OSI model has seven layers and is the standard reference model for network communication.
- Hubs repeat every frame to all hosts on the segment, creating a single shared collision domain, so any host on the segment can sniff all of the traffic.
- Switches have one collision domain per port and keep an address table of the MAC addresses associated with each port, so a unicast frame is delivered only to the port that owns the destination address.
- Port mirroring (often called SPAN) is a switch feature that copies traffic from one or more ports to a monitoring port; it is how you sniff legitimately on a switched network.
- Switches make sniffing more difficult; however, the segmentation a switch provides can be overcome by a number of methods, allowing traffic destined for other computers to be sniffed.
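The difference between a hub, a switch, and a mirrored switch port is easiest to see by replaying the same traffic through a model of each. The following simulation is an added example for this summary, not code from the book; the hosts, MAC addresses and port numbers are constructed. It also models one of the well-known methods for getting a switch to behave like a hub, exhausting its finite address table so that it can no longer learn real addresses and has to flood.

```python
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""

    def __init__(self, n_ports: int):
        self.n_ports = n_ports

    def forward(self, in_port: int, src: str, dst: str) -> set[int]:
        return {p for p in range(self.n_ports) if p != in_port}


class Switch:
    """A learning switch with an address (CAM) table and an optional mirror port."""

    def __init__(self, n_ports: int, mirror_port: Optional[int] = None, table_size: Optional[int] = None):
        self.n_ports = n_ports
        self.table: dict[str, int] = {}      # MAC address -> port that last sent from it
        self.mirror_port = mirror_port       # receives a copy of every frame (port mirroring)
        self.table_size = table_size         # None = unlimited; real CAM tables are finite

    def forward(self, in_port: int, src: str, dst: str) -> set[int]:
        # Learn: record the source MAC on the ingress port, unless the table is full.
        if src in self.table or self.table_size is None or len(self.table) < self.table_size:
            self.table[src] = in_port
        # Deliver: known unicast goes to one port; broadcast and unknown destinations flood.
        if dst != BROADCAST and dst in self.table:
            out = {self.table[dst]}
        else:
            out = {p for p in range(self.n_ports) if p != in_port}
        out.discard(in_port)
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)
        return out


def sniffer_sees(device, sniffer_port: int, frames: list[tuple[int, str, str]]) -> list[tuple[str, str]]:
    """Replay (in_port, src, dst) frames and return those delivered to the sniffer's port."""
    return [(src, dst) for in_port, src, dst in frames if sniffer_port in device.forward(in_port, src, dst)]


# Constructed traffic: host A on port 0 talks to host B on port 1; a sniffer listens on port 2.
A, B, SNIFFER_PORT = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 2
TRAFFIC = [(0, A, B), (1, B, A), (0, A, B), (0, A, BROADCAST)]


def exhaust_table(sw: Switch, from_port: int) -> None:
    """Model of address-table exhaustion: send frames from bogus source MACs until the
    table is full, so the switch can no longer learn the real hosts and floods instead."""
    i = 0
    while sw.table_size is not None and len(sw.table) < sw.table_size:
        sw.forward(from_port, f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}", BROADCAST)
        i += 1


def demo() -> dict[str, int]:
    """How many of the four frames reach the sniffer under each topology."""
    flooded = Switch(3, table_size=2)
    exhaust_table(flooded, SNIFFER_PORT)
    return {
        "hub": len(sniffer_sees(Hub(3), SNIFFER_PORT, TRAFFIC)),
        "switch": len(sniffer_sees(Switch(3), SNIFFER_PORT, TRAFFIC)),
        "switch_mirrored": len(sniffer_sees(Switch(3, mirror_port=SNIFFER_PORT), SNIFFER_PORT, TRAFFIC)),
        "switch_table_full": len(sniffer_sees(flooded, SNIFFER_PORT, TRAFFIC)),
    }


if __name__ == "__main__":
    for topology, n in demo().items():
        print(f"{topology:18s} sniffer on port {SNIFFER_PORT} received {n}/{len(TRAFFIC)} frames")
```

On the plain switch the sniffer only receives the first frame (B's port is not yet learned, so it floods) and the broadcast; once both hosts are in the table, the A-B conversation never touches port 2. The mirror port and the exhausted table both bring the count back to all four, for opposite reasons: one is the administrator's feature, the other is the attacker's abuse of a finite table.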
Detecting Sniffers
- Sometimes sniffers can be detected on local systems by looking for the promiscuous mode flag on a network interface.
- Several tools are available that attempt to detect promiscuous mode, locally or across the network, using various methods.
- Carefully monitoring your hosts, hub and switch ports, and DNS reverse lookups (a sniffer that resolves the addresses it captures produces a telltale burst of reverse lookups) can assist in detecting sniffers.
- Honeypots are a good method of detecting intruders on your network who attempt to use compromised passwords.
- Newer sniffers are smart enough to hide themselves from traditional detection techniques, for example by hiding the promiscuous flag from the tools that check for it, so a negative result is not proof that no sniffer is present.
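The local check for the promiscuous flag, as an added example for this summary rather than code from the book: on Linux the flag is the IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags, and it also appears as PROMISC in the flag list printed by `ip link`. The sample `ip -o link` output below is constructed, not captured from a real host.

```python
import re
from pathlib import Path
from typing import Optional

IFF_PROMISC = 0x100  # bit from <linux/if.h>; set when the NIC accepts frames for any MAC

# Constructed sample of `ip -o link` output (not from a real host): eth0 is in promiscuous mode.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\n"
)

# "2: eth0: <FLAGS...>" or "5: veth0@if6: <FLAGS...>"
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>", re.M)


def promisc_from_flags_hex(flags_text: str) -> bool:
    """Interpret /sys/class/net/<iface>/flags, which holds the interface flags as hex (e.g. '0x1103')."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_ifaces_from_ip_link(output: str) -> list[str]:
    """Parse `ip -o link` text and return the interfaces whose flag list contains PROMISC."""
    return [m["name"] for m in LINK_RE.finditer(output) if "PROMISC" in m["flags"].split(",")]


def scan_sysfs(root: str = "/sys/class/net") -> Optional[dict[str, bool]]:
    """Read every interface's flags from sysfs; None when sysfs is unavailable (non-Linux host)."""
    base = Path(root)
    if not base.is_dir():
        return None
    result = {}
    for iface in base.iterdir():
        flags_file = iface / "flags"
        if flags_file.is_file():
            result[iface.name] = promisc_from_flags_hex(flags_file.read_text())
    return result


if __name__ == "__main__":
    print("promiscuous in sample `ip -o link` output:", promisc_ifaces_from_ip_link(SAMPLE_IP_LINK))
    live = scan_sysfs()
    if live is None:
        print("no sysfs on this host; run on Linux to check live interfaces")
    else:
        for name, promisc in sorted(live.items()):
            print(f"{name:10s} {'PROMISC' if promisc else 'normal'}")
```

Treat a clean result with caution: this check reads what the kernel reports, and a kernel-level rootkit can hide the flag from sysfs and from `ip link` alike, which is exactly the evasion the last bullet above describes.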
Protecting Against Sniffers
- Switches offer some, but limited, protection against sniffers.
- Encryption is the best method of protecting your data from sniffers: a sniffer can still capture the traffic, but cannot read it.
- SSH, SSL/TLS, and IPsec all encrypt traffic in transit and are commonly used to build VPNs; they operate at different layers of the OSI model (SSH at the application layer, SSL/TLS just above the transport layer, IPsec at the network layer).
- IPsec tunnel mode protects the original source and destination addresses by encapsulating the entire original IP packet, header included, inside an ESP payload behind a new outer IP header; a sniffer on the path sees only the addresses of the tunnel endpoints.
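What tunnel mode hides and what it still exposes is clearest with the bytes in hand. The following is an added example for this summary, not code from the book or a real IPsec implementation: it wraps an inner IPv4 packet in an ESP header and trailer, encrypts and authenticates it, and prepends an outer IPv4 header with the gateway addresses. HMAC-SHA256 in counter mode stands in for the AES cipher a real security association would use, the IP checksum is left at zero because only the addresses matter here, and the key, SPI and addresses are constructed.

```python
import hashlib
import hmac
import struct

IP_PROTO_ESP, NEXT_HEADER_IPV4 = 50, 4
ICV_LEN = 12  # truncated integrity check value, as ESP does with HMAC


def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero because this example only looks at addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def parse_ipv4(pkt: bytes) -> dict:
    """What a sniffer on the path can read from the outermost header."""
    ver_ihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "proto": proto,
            "ihl": (ver_ihl & 0x0F) * 4, "len": total}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for the AES cipher a real ESP SA would use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and integrity keys derived from the one shared secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"auth", hashlib.sha256).digest())


def esp_tunnel_encapsulate(inner: bytes, key: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Wrap a whole IP packet (header included) in ESP, then behind a new outer IPv4 header."""
    enc_key, auth_key = subkeys(key)
    pad_len = (-(len(inner) + 2)) % 4                            # ESP trailer pads to a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    nonce = struct.pack("!II", spi, seq)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    esp = struct.pack("!II", spi, seq) + ciphertext                # SPI, sequence number, encrypted payload
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(gw_src, gw_dst, IP_PROTO_ESP, len(esp) + ICV_LEN) + esp + icv


def esp_tunnel_decapsulate(pkt: bytes, key: bytes) -> bytes:
    """Verify the ICV, decrypt, strip the trailer and return the original inner packet."""
    enc_key, auth_key = subkeys(key)
    outer = parse_ipv4(pkt)
    if outer["proto"] != IP_PROTO_ESP:
        raise ValueError("not an ESP packet")
    esp, icv = pkt[outer["ihl"]:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP integrity check failed")  # verify before decrypting
    plaintext = bytes(c ^ k for c, k in zip(esp[8:], keystream(enc_key, esp[:8], len(esp) - 8)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - 2 - pad_len]


# Constructed example: a packet between two private hosts, carried between two VPN gateways.
KEY = b"constructed-shared-secret-for-the-example"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, 5) + b"hello"
TUNNELED = esp_tunnel_encapsulate(INNER, KEY, spi=0x1001, seq=1, gw_src="203.0.113.1", gw_dst="198.51.100.2")

if __name__ == "__main__":
    print("inner packet:  ", parse_ipv4(INNER))
    print("sniffer sees:  ", parse_ipv4(TUNNELED))
    print("gateway recovers inner:", esp_tunnel_decapsulate(TUNNELED, KEY) == INNER)
```

The outer header still tells a sniffer that the two gateways are exchanging ESP (protocol 50), and the SPI and packet sizes are visible too; what it no longer reveals is which internal hosts are talking or what they are saying. Note that the integrity check runs before decryption, so a modified packet is rejected without ever being decrypted.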
Network Analysis and Policy
- Make sure you have permission before using a sniffer on a network that is not your own.
- Read the appropriate use policies of your ISP before using a sniffer.
- If you are hired to assess a computer network and plan to use a sniffer, make sure a non-disclosure agreement is in place, because you may have access to confidential data.
- One-time passwords render captured passwords useless, since each password is valid for a single login.
- E-mail should be protected in transit and in storage with some form of encryption.