Concepts of network listening and the principles of Ethernet listeners

Source: Internet
Author: User

A network listening tool is a management tool provided to administrators. It monitors the network status, the data flow, and the information transmitted over the network.
However, network listening tools are also common tools for hackers. When information is transmitted in plain text on the network, a network listener can be used for attacks. Once the network interface is set to listening mode, it can continuously intercept information transmitted on the Internet.

Network listening can be carried out at any location on the Internet, such as a host in the LAN, a gateway, or a modem in a remote network. What hackers most often intercept is user passwords.

  

What is a network listener?

Network listening is a common method for hackers. After successfully logging on to a host on the network and obtaining superuser permissions on it, an intruder often wants to expand that foothold and tries to log on to, or gain control of, other hosts on the network. Network listening is the simplest and most effective method for this, and it can easily obtain information that is hard to obtain by other means.

On a network, the most effective places to run a listener are gateways, routers, firewalls and similar devices, which are usually operated by the network administrator. The most convenient place is any host on an Ethernet network that accesses the Internet. This is what most hackers do.

  

Why is listening possible on Ethernet?

Listening to information transmitted over telephone lines and over radio and microwave channels is easy to understand, but people often do not understand why a LAN can be listened to. Some even ask: can I listen to information that is not in the same CIDR block? The following describes the principles of listening over Ethernet. In a ring network, the principle is similar.

It is rare for a person who performs network attacks to break through gateways, routers, and firewalls. On these devices, the security administrator can install equipment to monitor the network, or use dedicated devices running specialized listening software, and prevent unauthorized access. However, hackers can sneak into a computer that nobody is watching and quietly run a listener there. Listening consumes a lot of CPU resources, so a listener on a computer that is already busy can be detected immediately by the administrator, because the computer's response becomes surprisingly slow.

For a connected computer, the most convenient thing is to listen on Ethernet. It only takes installing listening software; the operator can then sit next to the machine and view the captured information.

The Ethernet protocol works by sending packets to all connected hosts. The header contains the address of the host that should receive the data packet, so normally only the host whose address matches the destination address in the packet receives it. However, when a host is in listening mode, it receives the packet regardless of the target physical address.

There are many such LANs on the Internet, in which several or even dozens of hosts are connected by a single cable or a hub. From the point of view of the upper protocol layers or of the user, when two hosts in the same network communicate, the source host sends packets carrying the IP address of the destination host to the gateway. However, such packets cannot be sent directly from the top of the protocol stack. A packet to be sent must be handed from the IP layer of TCP/IP down to the network interface, that is, the data link layer.

Network interfaces cannot recognize IP addresses. At the network interface, a packet carrying an IP address from the IP layer has one more piece of information added to it: the header of the Ethernet frame. In the frame header, two fields hold the physical addresses of the source host and the target host, which are the only addresses network interfaces can identify. Each is a 48-bit address. The 48-bit address corresponds to the IP address; that is to say, every IP address must correspond to a physical address. A gateway host connects to multiple networks, so it has multiple IP addresses at the same time, one in each network. Frames sent outside the LAN carry the physical address of the gateway.

In Ethernet, frames carrying physical addresses are transmitted from the network interface, that is, from the NIC, onto the physical line. If the LAN is built from thick or thin cable, the digital signal travels along the cable and reaches every host on the line. When a hub is used, the outgoing signal is sent to the hub, and the hub repeats the signal on every line connected to it. Therefore, the digital signals transmitted on the physical lines also reach every host connected to the hub.

When a digital signal reaches the network interface of a host, the network interface normally reads the data frame and checks it. If the data frame carries the interface's own physical address, or if the physical address is a broadcast address, the data frame is handed over to the upper-layer protocol software, that is, the IP layer software. Otherwise, the frame is discarded. This check is performed for every data frame that arrives at the network interface. However, when the host is working in listening mode, all data frames are handed over to the upper-layer protocol software for processing.
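The receive check described above can be modelled in a few lines. This is an added example, not code from the original article: the `nic` structure, the function names, the three hosts and their addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define ETH_HDR_LEN 14                  /* target(6) + source(6) + type(2) */

struct nic { uint8_t mac[MAC_LEN]; int listening; };

static const uint8_t BROADCAST[MAC_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* 1 = hand frame to the IP layer, 0 = discard, -1 = too short to parse. */
int nic_receive(const struct nic *nic, const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return -1;
    if (nic->listening)
        return 1;                       /* address check is skipped */
    const uint8_t *target = frame;      /* first field of the header */
    return memcmp(target, nic->mac, MAC_LEN) == 0 ||
           memcmp(target, BROADCAST, MAC_LEN) == 0;
}

/* Constructed scenario: hosts A, B, C on one hub; A sends one IPv4 frame. */
size_t hub_delivery_count(int c_listening, int to_broadcast)
{
    struct nic hosts[3] = {
        {{0x02, 0, 0, 0, 0, 0x0a}, 0},            /* A, the sender */
        {{0x02, 0, 0, 0, 0, 0x0b}, 0},            /* B, the intended target */
        {{0x02, 0, 0, 0, 0, 0x0c}, c_listening},  /* C, a third host */
    };
    uint8_t frame[ETH_HDR_LEN + 4] = {0};
    memcpy(frame, to_broadcast ? BROADCAST : hosts[1].mac, MAC_LEN);
    memcpy(frame + MAC_LEN, hosts[0].mac, MAC_LEN);
    frame[12] = 0x08; frame[13] = 0x00;           /* EtherType: IPv4 */

    size_t accepted = 0;
    for (size_t i = 1; i < 3; i++)                /* hub repeats to B and C */
        if (nic_receive(&hosts[i], frame, sizeof frame) == 1)
            accepted++;
    return accepted;
}

int main(void)
{
    printf("normal: %zu, C listening: %zu, broadcast: %zu\n",
           hub_delivery_count(0, 0), hub_delivery_count(1, 0),
           hub_delivery_count(0, 1));
    return 0;
}
```

The same frame reaches B and C in every case; only the check inside each interface decides how many hosts pass it upward.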

By analogy, a big room is like a shared channel, and everyone in it is like a host. What people say is a packet of information, which spreads everywhere in the big room. When we speak to someone, everyone can hear it. However, only the person whose name was called responds to and processes these words. Whether the other people who heard the words are listening in on the conversation is something one can only guess.

When hosts connected to the same cable or hub are logically divided into several subnets (using different masks, IP addresses, and gateways), a host in listening mode can also receive packets sent to hosts that are not in the same subnet as itself. That is to say, all information transmitted over the same physical channel can be received.

Many people may ask: can I listen to information transmitted by computers in different network segments? The answer is no. A computer can only listen to packets that pass through its own network interfaces. Otherwise, it would be possible to monitor the entire Internet, which would be a terrible situation.

To make a host work in listening mode, an I/O control command must be sent to the network interface to set it to listening mode. In UNIX systems, sending these commands requires superuser permissions. This restriction means that ordinary users cannot perform network listening on UNIX systems; listening is possible only once superuser permission has been obtained. Windows 95, however, has no such restriction: it is enough to run this type of listening software. In addition, this type of software running on a microcomputer is easy to operate and has a strong ability to monitor information.
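Because listening mode is a state of the interface, an administrator can check for it. The sketch below is an added example, not part of the original article; it assumes a Linux host, where the flag word of each interface is readable as hexadecimal text at `/sys/class/net/<iface>/flags` and bit 0x100 (`IFF_PROMISC`) marks listening (promiscuous) mode. The function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define FLAG_PROMISC 0x100UL   /* value of IFF_PROMISC on Linux */

/* Parse the hexadecimal flag word: 1 = listening, 0 = not, -1 = unparsable. */
int flags_show_listening(const char *text)
{
    char *end;
    errno = 0;
    unsigned long flags = strtoul(text, &end, 16);
    if (errno != 0 || end == text)
        return -1;
    return (flags & FLAG_PROMISC) != 0;
}

/* Read <root>/<iface>/flags; root is /sys/class/net on a real system. */
int iface_is_listening(const char *root, const char *iface)
{
    char path[512], buf[32];
    int n = snprintf(path, sizeof path, "%s/%s/flags", root, iface);
    if (n < 0 || n >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? flags_show_listening(line) : -1;
}

/* Usage: pass interface names as arguments, e.g. ./check eth0 */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = iface_is_listening("/sys/class/net", argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "LISTENING MODE" : r == 0 ? "normal" : "unreadable");
    }
    return 0;
}
```

An interface reported in listening mode is not proof of intrusion, since administrators' own capture tools set the same flag, but an unexpected one is worth investigating.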

Currently, most computer networks use shared communication channels. From the above discussion, we know that communication channel sharing means that a computer may receive information sent to another computer.

  

In addition, it should be noted that most of the protocols used on the Internet were designed very early, and the implementation of many protocols assumes a very friendly environment, based on full trust between the communicating parties. As a result, network security is still very fragile today. In a common network environment, all user information, packet headers, and password information are transmitted in plain text on the Internet. It is therefore not very difficult for a hacker or an attacker to obtain user information by listening on the network. Anyone with preliminary knowledge of networks and the TCP/IP protocols can easily extract the information of interest from what the listener captures.

Network listeners often have to store a large amount of information and organize what they collect. As a result, machines that are listening are slow to respond to user requests.

First of all, network listening software consumes a lot of processor time while it runs. If the content of each packet were analyzed in detail at that moment, many packets would not be received in time and would be missed. Therefore, network listening software usually stores the captured packets in files and analyzes them later.

Second, the data packets on a network are very complex. Even when two hosts send and receive packets continuously, packets from many other interactions are mixed into the listening results. Listening software that groups the packets of the same TCP session together is already doing quite well. Sorting out a user's detailed information requires a great deal of protocol-specific analysis of the packets. Given how many protocols are in use on the network, such listening software would be very large.

In fact, it is not difficult to find such information. It is easy to extract useful information one by one based on certain rules.

 
