Brief Introduction to Sniffer

Source: Internet
Author: User

BKJIA recommendation: Sniffer security technology, from beginner to expert

Understanding the concept and principles of a Sniffer is the foundation of Sniffer security technology. How should a beginner approach this subject? The sections below introduce it step by step.

1. What is Sniffer?

In general, a Sniffer program puts the NIC (network interface card, such as an Ethernet card) into a state called promiscuous mode. Once the NIC is in this mode, the Sniffer can receive every packet transmitted on the network segment. Normally a NIC only accepts packets addressed to its own address, that is, packets sent to the local host. For a Sniffer to receive traffic in this way, the system must support a packet-capture facility such as BPF (on Linux, SOCK_PACKET). The network hardware and the TCP/IP stack do not ordinarily accept or send packets unrelated to the local machine, so to bypass the standard TCP/IP stack the NIC has to be switched into the promiscuous mode just mentioned. Activating it generally requires kernel support for the bpfilter pseudo-device, and the Sniffer must be run as root, which is why a Sniffer has to be installed by root. A user who only has a local (non-root) account cannot run the Sniffer and therefore cannot use it to obtain the root password.

With a Sniffer in this mode, one can analyse all kinds of packets and map out the network structure and the machines on it. Because it receives every packet on the same segment, a Sniffer can capture passwords, e-mail, confidential documents and any other unencrypted information. This is why sniffing has become a common way for intruders to extend a compromise and take control of further hosts.

2. How likely is each medium to be monitored?

Ethernet: very likely. Ethernet is a broadcast medium, and most packet sniffing on the Internet is done by packet-capture programs running on a computer that shares an Ethernet segment with other computers, a gateway or a router.

FDDI and Token Ring: also fairly likely. Although a token-ring network is not a broadcast network, a packet circulating around the ring passes, on average, through half of the machines on the network. The high transmission rate, however, makes sniffing harder.

Telephone lines: moderately likely. A line can be tapped by telephone-company employees or by anyone with physical access to it, and traffic on microwave links can be intercepted as well. In practice a high-speed modem is much harder to eavesdrop on than a low-speed one, because a high-speed modem uses many more frequencies.

IP over cable TV channels (RF-modulated): fairly likely. The RF modem uses one TV channel for the uplink and another for the downlink. Nothing on these lines is encrypted, so anyone with physical access to the TV cable can intercept the traffic.

Microwave and radio: very likely. Radio is a broadcast medium, and anyone with a suitable receiver can intercept what is transmitted.

At present most Sniffers only capture packets at connection set-up. If a Sniffer accepted every packet, its log would grow enormous and it would consume a great deal of CPU time; consequently a machine that is unusually busy, with CPU and bandwidth being used for no apparent reason, may be suspected of running a Sniffer. When something looks abnormal, a few simple checks should be tried first.

Although the ps and netstat commands can be used to inspect processes and connections, an intruder who has replaced ps or netstat cannot be found this way; only a few shell commands are needed to modify ps so that it filters out the name of the sniffing program.
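An added example, not code from the page: one defence against a replaced ps is to bypass it. On Linux the kernel exposes every live process as a numeric directory under /proc, so a listing taken there can be compared with what ps reports; a PID present in /proc but absent from the ps output deserves a look at /proc/<pid>/exe. The ps invocation and the constructed sample data in demo_hidden_count are assumptions of this example, not anything the page specifies.

```c
/* Added example (not from the page): cross-check /proc against ps output so
 * that a ps binary modified to hide a sniffer is caught by the kernel's own
 * process list. Linux only for /proc; the helpers are portable C. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>

#define MAX_PIDS 65536

/* Parse text where each line starts with a PID (output of `ps -e -o pid=`).
 * Lines that do not start with a digit are ignored. Returns the PID count. */
int parse_pid_list(const char *text, int *out, int max) {
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (isdigit((unsigned char)*p)) out[n++] = (int)strtol(p, NULL, 10);
        while (*p && *p != '\n') p++;
        if (*p == '\n') p++;
    }
    return n;
}

/* Copy into out[] every value of a[] that does not occur in b[]. */
int pids_missing(const int *a, int na, const int *b, int nb, int *out, int max) {
    int i, j, n = 0;
    for (i = 0; i < na && n < max; i++) {
        for (j = 0; j < nb; j++) if (a[i] == b[j]) break;
        if (j == nb) out[n++] = a[i];
    }
    return n;
}

/* Numeric directory names under /proc are live PIDs. Returns count or -1. */
int list_proc_pids(int *out, int max) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && n < max) {
        const char *s = e->d_name;
        while (isdigit((unsigned char)*s)) s++;
        if (*s == '\0' && s != e->d_name) out[n++] = atoi(e->d_name);
    }
    closedir(d);
    return n;
}

/* Self-contained run on constructed data: /proc shows five PIDs, the
 * (hypothetical, tampered) ps output omits two of them. Returns 2. */
int demo_hidden_count(void) {
    const int from_proc[] = { 1, 42, 1337, 2000, 2001 };   /* constructed */
    const char *ps_text = "  1\n 42\n 2000\n";            /* constructed */
    int from_ps[8], hidden[8];
    int nps = parse_pid_list(ps_text, from_ps, 8);
    return pids_missing(from_proc, 5, from_ps, nps, hidden, 8);
}

int main(void) {
    static int proc_pids[MAX_PIDS], ps_pids[MAX_PIDS], hidden[MAX_PIDS];
    static char text[MAX_PIDS * 8];
    size_t got = 0, r;
    int nproc, nps, nhidden, i;
    FILE *ps;
    /* /proc is read before ps runs, so ps itself never shows up as "hidden";
     * a process that exits in between is a benign false positive to re-check. */
    nproc = list_proc_pids(proc_pids, MAX_PIDS);
    if (nproc < 0) { perror("/proc"); return 1; }
    ps = popen("ps -e -o pid=", "r");
    if (!ps) { perror("popen"); return 1; }
    while (got < sizeof text - 1 && (r = fread(text + got, 1, sizeof text - 1 - got, ps)) > 0) got += r;
    text[got] = '\0';
    pclose(ps);
    nps = parse_pid_list(text, ps_pids, MAX_PIDS);
    nhidden = pids_missing(proc_pids, nproc, ps_pids, nps, hidden, MAX_PIDS);
    for (i = 0; i < nhidden; i++)
        printf("PID %d is in /proc but not in ps output: inspect /proc/%d/exe\n", hidden[i], hidden[i]);
    printf("%d processes in /proc, %d reported by ps, %d unexplained\n", nproc, nps, nhidden);
    return nhidden ? 2 : 0;
}
```

The comparison only helps against a user-space replacement of ps; a kernel-level rootkit that filters /proc itself hides from both views, which is one reason the remote checks in the next section are worth having.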

3. The following two methods of detecting a Sniffer are simple in principle but harder to carry out:

1. PING the suspect machine with its correct IP address but a wrong physical (MAC) address. A machine running a sniffer replies, whereas a normal machine does not, because a normal NIC discards frames addressed to the wrong physical address while a NIC in promiscuous mode accepts them; if the IP stack does not double-check the address, the machine answers. The method depends on the system's IP stack and may not work on every system.

2. Flood the network with packets addressed to non-existent physical addresses. A machine running a sniffer has to process all of them, so its performance degrades, which can be measured by comparing its ICMP echo delay before and after. This method is more difficult than the first.
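Method 1 as an added example in C (not neped.c or any program from the page): a frame whose IP header is correctly addressed to the suspect host but whose Ethernet destination MAC is deliberately wrong. Frame construction and reply parsing are portable and can be checked on their own; sending uses Linux AF_PACKET raw sockets and requires root. The interface and the two IP addresses are taken from the command line; the bogus MAC 00:11:22:33:44:55 is a constructed value.

```c
/* Added example (not neped.c or any program from the page): the "wrong MAC"
 * probe of method 1 above. The IP header targets the suspect correctly, but
 * the Ethernet destination MAC is bogus. A NIC in normal mode discards such a
 * frame; a host in promiscuous mode may pass it to the IP stack and answer.
 * Sending needs Linux AF_PACKET and root. Bogus MAC: constructed value. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <sys/socket.h>
#include <sys/time.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <net/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif

#define PROBE_LEN (14 + 20 + 8)   /* Ethernet + IPv4 header + ICMP echo */

/* RFC 1071 checksum as the big-endian result read as a number (store with
 * htons() or high byte first). Re-summing a header that holds its checksum gives 0. */
uint16_t inet_checksum(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill buf (at least PROBE_LEN bytes); returns the frame length. */
size_t build_probe_frame(uint8_t *buf, const uint8_t bogus_dst_mac[6],
                         const uint8_t src_mac[6], uint32_t src_ip_be,
                         uint32_t dst_ip_be, uint16_t ident) {
    struct ip iph;
    uint8_t icmp[8] = { ICMP_ECHO, 0, 0, 0, (uint8_t)(ident >> 8), (uint8_t)ident, 0, 1 };
    uint16_t c;
    memcpy(buf, bogus_dst_mac, 6);            /* NOT the target's real MAC */
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    memset(&iph, 0, sizeof iph);              /* ip_sum stays 0 while summing */
    iph.ip_v = 4; iph.ip_hl = 5; iph.ip_ttl = 64; iph.ip_p = IPPROTO_ICMP;
    iph.ip_len = htons(20 + 8); iph.ip_id = htons(ident);
    iph.ip_src.s_addr = src_ip_be;
    iph.ip_dst.s_addr = dst_ip_be;            /* the suspect's correct IP */
    iph.ip_sum = htons(inet_checksum(&iph, 20));
    memcpy(buf + 14, &iph, 20);
    c = inet_checksum(icmp, 8);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    memcpy(buf + 34, icmp, 8);
    return PROBE_LEN;
}

/* Is pkt (an IPv4 packet as read from a SOCK_RAW/IPPROTO_ICMP socket) an
 * ICMP echo reply from expected_src_be that carries our identifier? */
int is_echo_reply_from(const uint8_t *pkt, size_t len,
                       uint32_t expected_src_be, uint16_t ident) {
    size_t ihl; uint32_t src;
    if (len < 28 || (pkt[0] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < ihl + 8 || pkt[9] != IPPROTO_ICMP) return 0;
    memcpy(&src, pkt + 12, 4);
    return src == expected_src_be && pkt[ihl] == ICMP_ECHOREPLY && pkt[ihl + 1] == 0 &&
           (uint16_t)((pkt[ihl + 4] << 8) | pkt[ihl + 5]) == ident;
}

#ifdef __linux__
/* Usage: sudo ./probe eth0 <my-ip> <suspect-ip> */
int main(int argc, char **argv) {
    uint8_t frame[PROBE_LEN], pkt[1500];
    const uint8_t bogus_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };  /* constructed */
    struct ifreq ifr; struct sockaddr_ll sll; struct timeval tv = { 2, 0 };
    uint16_t ident = (uint16_t)getpid(); int raw, icmp_fd; ssize_t n;
    if (argc != 4) { fprintf(stderr, "usage: %s iface my-ip suspect-ip\n", argv[0]); return 2; }
    raw = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    icmp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (raw < 0 || icmp_fd < 0) { perror("socket (root needed)"); return 1; }
    memset(&ifr, 0, sizeof ifr); strncpy(ifr.ifr_name, argv[1], IFNAMSIZ - 1);
    if (ioctl(raw, SIOCGIFHWADDR, &ifr) < 0) { perror("SIOCGIFHWADDR"); return 1; }
    build_probe_frame(frame, bogus_mac, (const uint8_t *)ifr.ifr_hwaddr.sa_data,
                      inet_addr(argv[2]), inet_addr(argv[3]), ident);
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET; sll.sll_ifindex = (int)if_nametoindex(argv[1]);
    sll.sll_halen = 6; memcpy(sll.sll_addr, bogus_mac, 6);
    setsockopt(icmp_fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (sendto(raw, frame, PROBE_LEN, 0, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("sendto"); return 1; }
    /* Only a host that accepted a frame not addressed to its MAC can reply. */
    while ((n = recv(icmp_fd, pkt, sizeof pkt, 0)) > 0)
        if (is_echo_reply_from(pkt, (size_t)n, inet_addr(argv[3]), ident)) {
            printf("%s answered a frame sent to a bogus MAC: likely promiscuous\n", argv[3]);
            return 0;
        }
    printf("no reply from %s in 2s (normal mode, or its IP stack checks the MAC)\n", argv[3]);
    return 0;
}
#endif
```

A reply means the host accepted a frame that was not addressed to its NIC, which is exactly the condition the text describes. No reply is not proof of innocence: as the text warns, some IP stacks check the hardware address again, and a sniffer listening on a separate interface with no IP address never answers at all.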

4. Some popular Sniffer

◆ SNIFFIT: a relatively simple Sniffer written by Brecht Claerhout, and the first one you should try. By default it captures only the first 400 bytes of each packet, which is enough for a login session.

◆ SNORT: this Sniffer offers many options and is highly portable. It can log connection information, which is useful for tracking network activity.

◆ TCPDUMP: a very well-known Sniffer that also ships with FreeBSD, and is regarded by many UNIX experts as a professional network management tool. Tsutomu Shimomura used his own modified version of TCPDUMP to log Kevin Mitnick's attack on his system, and later worked with the FBI to catch Mitnick. He then wrote an article based on those logs describing the attack: "How Mitnick hacked Tsutomu Shimomura with an IP sequence attack".

See http://www.attrition.org/security/newbie/security/Sniffer/shimomur.txt for details.

◆ ADMsniff: a Sniffer written by the well-known ADM hacker group.

◆ LinSniffer: a Sniffer designed specifically for the Linux platform.

◆ ESniffer: another well-known Sniffer program.

◆ Sunsniff: the Sniffer used on SunOS; it appeared about ten years ago.

◆ SolSniffer: a Sniffer for Solaris, essentially SunSniff modified so that it compiles on the Solaris platform.

These programs have been collected and can be downloaded from:

Http://www.attrition.org/security/newbie/security/Sniffer/

5. Some popular Sniffer detection programs:

◆ Http://www.attrition.org/security/newbie/security/Sniffer/promisc.c

A very small C program. Once compiled, it finds any NIC on the local machine that is in promiscuous mode.

◆ Http://www.attrition.org/security/newbie/security/Sniffer/neped.c

A program for remotely checking for sniffing activity. Unfortunately it only compiles on Linux. Of course, you can also simply run ifconfig -a to check whether your UNIX machine shows the PROMISC flag.
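As an added example (not promisc.c, neped.c or any program from the page), here is the local check that promisc.c and ifconfig -a perform and that section 1 explains: the kernel records promiscuous mode as the IFF_PROMISC bit in the interface flags, which can be read with the SIOCGIFFLAGS ioctl on Linux and the BSDs. Interface names are enumerated with getifaddrs; nothing here requires root.

```c
/* Added example (not promisc.c or any program from the page): the local check
 * that promisc.c and `ifconfig -a` perform. The kernel keeps promiscuous mode
 * as the IFF_PROMISC bit of the interface flags; read it with SIOCGIFFLAGS.
 * Linux and BSD; reading the flags does not need root. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/socket.h>

#define MAX_IFACES 64

/* Pure bit test, kept separate so it can be checked on constructed flag words. */
int flags_are_promisc(unsigned int flags) {
    return (flags & IFF_PROMISC) ? 1 : 0;
}

/* Ask the kernel for one interface's flags.
 * Returns 1 = promiscuous, 0 = normal, -1 = no such interface or error. */
int iface_is_promisc(const char *name) {
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) { close(fd); return -1; }
    close(fd);
    return flags_are_promisc((unsigned short)ifr.ifr_flags);
}

/* Enumerate interfaces (getifaddrs returns one entry per address, so names
 * are de-duplicated), check each, and copy the promiscuous ones into found[].
 * Returns the number found, or -1 if enumeration failed. */
int find_promisc_ifaces(char found[][IFNAMSIZ], int max) {
    struct ifaddrs *list, *p;
    char seen[MAX_IFACES][IFNAMSIZ];
    int nseen = 0, nfound = 0, i;
    if (getifaddrs(&list) != 0) return -1;
    for (p = list; p && nseen < MAX_IFACES; p = p->ifa_next) {
        if (!p->ifa_name) continue;
        for (i = 0; i < nseen; i++)
            if (strcmp(seen[i], p->ifa_name) == 0) break;
        if (i < nseen) continue;                     /* already checked */
        strncpy(seen[nseen], p->ifa_name, IFNAMSIZ - 1);
        seen[nseen][IFNAMSIZ - 1] = '\0';
        if (iface_is_promisc(seen[nseen]) == 1 && nfound < max) {
            strcpy(found[nfound], seen[nseen]);
            nfound++;
        }
        nseen++;
    }
    freeifaddrs(list);
    return nfound;
}

int main(void) {
    char promisc[MAX_IFACES][IFNAMSIZ];
    int n = find_promisc_ifaces(promisc, MAX_IFACES), i;
    if (n < 0) { perror("getifaddrs"); return 1; }
    if (n == 0) { puts("no interface in promiscuous mode"); return 0; }
    for (i = 0; i < n; i++)
        printf("%s: PROMISC is set (a sniffer or a legitimate capture is running)\n", promisc[i]);
    return 0;
}
```

A hit is a lead, not a verdict: tcpdump, Snort or a bridged VPN interface set the same flag, so the next step is to identify the process that owns the capture socket. And just as a replaced ps hides a process, a replaced ifconfig or a kernel-level rootkit can hide this bit, which is why the remote checks of section 3 are still worth running.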

◆ Http://www.l0pht.com/antisniff/

A good anti-Sniffer program written by L0pht. L0pht also intends to publish a source-code version for Linux.

Note, however, that if a machine has two NICs, with the sniffing card given the IP address 0.0.0.0 and the other card left in normal mode, the presence of the Sniffer is hard to detect.

6. Some Sniffer resources:

Http://www.securityfocus.com/

Here you can find many articles about Sniffer programs, including Phrack 54, file 10, an excellent article that explains many methods and techniques for dealing with Sniffers.

◆ Http://www.attrition.org/security/newbie/security/Sniffer/shimomur.txt

An article by Shimomura: "How Mitnick hacked Tsutomu Shimomura with an IP sequence attack".

Http://www.l0pht.com/

Here you can download AntiSniff, which is indeed a good tool.

This concludes the introduction to the concept and application of Sniffers. I hope it helps you understand and learn Sniffer technology.
