The LINUX.COM Article Archive
Originally Published: Sunday, 4 June 2000 | Author: Kapil Sharma
Published to: enchance_articles_security/Advanced Security Articles
Who's Sniffing Your Network?
A sniffer is any device, software or hardware, which grabs information traveling on a network. In this article, Kapil Sharma discusses how sniffers are used and the pros and cons of using a sniffer.
A sniffer is any device, software or hardware, which grabs information traveling on a network. A sniffer works by placing the network interface (Ethernet adapter) into promiscuous mode, and by doing so capturing all network traffic on the segment. Promiscuous mode is the mode in which an interface accepts every frame it sees on the wire, not only the frames addressed to its own station.
linsniffer: linsniffer is a simple sniffer whose main purpose is to capture usernames and passwords. The output of linsniffer is excellent for stealing passwords and logging general activity, but not suitable for more detailed analysis.
linux_sniffer: linux_sniffer provides a slightly more detailed view. linux_sniffer is easy to use and provides a more detailed output.
hunt: hunt is one of my favourites. It is suitable for when you need less raw output and more easy-to-read information. Hunt also offers the following features: (1) it allows you to specify particular connections you are interested in, rather than having to watch and log everything; (2) it detects already-established connections; (3) it offers spoofing tools; and (4) it offers active session hijacking.
sniffit: sniffit is for folks who need just a little more. It allows you wide latitude to monitor multiple hosts, on different ports, for different packets. It's really a nice tool.
Risks of Using Sniffers
Sniffers represent a high level of risk because: they can capture passwords; they can capture confidential or proprietary information; and they can be used to breach the security of neighboring networks, or to gain leveraged access.
Defending Against Sniffer Attacks
As we have seen, sniffer attacks are difficult to detect and thwart because sniffers are passive programs. They don't generate an evidence trail (logs), and when used properly, they don't use a lot of disk and memory resources.
To hunt down a sniffer, you must ascertain whether any network interfaces on your network are in promiscuous mode. For this, try ifconfig or ifstatus.
ifconfig: You can quickly detect an interface in promiscuous mode on your local host by using ifconfig, a tool for configuring network interface parameters. To run ifconfig, issue the ifconfig command at a prompt; an interface in promiscuous mode shows PROMISC in its flags line.
ifstatus: ifstatus checks all network interfaces on the system and reports any that are in debug or promiscuous mode.
ifconfig and ifstatus are fine for detecting sniffers on your local host. But on a large network you need a tool to detect sniffers across a subnet. One of them is NEPED. NEPED can detect sniffer activity on a subnet. NEPED has a limitation: it can only work with Linux kernels before 2.0.36.
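The local check described above, as an added example that is not part of the original article: a POSIX sh script that does what a human does when reading ifconfig output, namely look for the PROMISC flag. find_promisc parses interface listings read on stdin (the classic net-tools ifconfig layout, the newer "flags=...<...>" ifconfig layout, and "ip -o link" one-liners), and check_sysfs reads the kernel's flag word for each interface under /sys/class/net and tests IFF_PROMISC (0x100, the value from the kernel's if.h header). The two sample listings are constructed for the example, not captured from a real host, and the script does not parse ifstatus output.

```shell
#!/bin/sh
# Added example (not from the original article): find interfaces in promiscuous mode.

# find_promisc reads an interface listing on stdin and prints the name of every
# interface whose flags contain PROMISC. It understands three layouts:
#   eth0      Link encap:Ethernet ...            (old net-tools ifconfig, flags on next line)
#   eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>   (newer ifconfig)
#   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> ...    (ip -o link)
find_promisc() {
    awk '
        # A line starting at column 0 with a name opens an ifconfig block.
        /^[A-Za-z][A-Za-z0-9@._-]*:?[ \t]/ { cur = $1; sub(/:$/, "", cur) }
        # "ip -o link" lines start with an index; the name is the second field.
        /^[0-9]+:[ \t]/                    { cur = $2; sub(/:$/, "", cur) }
        # Report each interface once when a PROMISC flag token appears.
        /(^|[ \t<,])PROMISC([ \t>,]|$)/    { if (cur != "" && !seen[cur]++) print cur }
    '
}

# check_sysfs reads the kernel flag word for every interface under /sys/class/net
# and tests IFF_PROMISC (0x100, from the kernel header include/uapi/linux/if.h).
# It prints the names with the bit set and prints nothing on hosts without sysfs.
check_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        [ -n "$flags" ] || continue
        if [ $(( flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Constructed sample listings (not captured from a real host).
IP_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

echo "promiscuous (ip -o link sample):    $(printf '%s\n' "$IP_SAMPLE" | find_promisc)"
echo "promiscuous (ifconfig sample):      $(printf '%s\n' "$IFCONFIG_SAMPLE" | find_promisc)"
echo "promiscuous (this host, via sysfs): $(check_sysfs | tr '\n' ' ')"
```

On a live host, source the script and pipe real output into it (for example `ip -o link | find_promisc`), or rely on check_sysfs, which needs no parsing at all. Both checks trust the kernel's own report of the interface flags, so, like ifconfig and ifstatus, they only answer the question for the host they run on; a sniffer on a neighbouring machine still needs a subnet-wide tool of the kind the article goes on to describe.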
Security Measures against Sniffers
Choose "good" passwords and change them frequently. Always use encryption; encrypted sessions generally reduce your risk. Even if an attacker sniffs the data, it will be useless to him. For example, always use ssh as an alternative to Telnet.
Sniffers represent a significant security risk, mainly because they are not easily detected. Lastly, the best defences against sniffing are a secure topology and strong encryption.
Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years.