Network monitoring principle (LAN data eavesdropping)

In the network, when the information is propagated, the tool can be used to set the network interface in the listening mode, the network can be
The information that is being transmitted in the message is intercepted or captured to attack. Network monitoring can be implemented in any location mode in the network.
The application. Hackers generally use network monitoring to intercept user passwords. For example, when someone occupies a mainframe, he will
Again want to extend the gains to the host of the whole LAN dialect, listening is often their choice of shortcut. A lot of times I'm in all kinds of Ann
The whole forum to see some novice enthusiasts, after they think that if they occupy a host, then want to enter its intranet should be very
Simple. In fact, it is not easy to enter a host and then want to transfer to its internal network of other machines is not an easier thing. Because
For you in addition to get their password and there is the absolute path they share, of course, the end of this path must be a write
Permission to do this. At this point, the listener on the host that is already under control will have a big effect. But it's a bother.
Need to be patient and resilient.

The principle of █ network monitoring

Ethernet (Ethernet, which is a popular LAN technology invented by Xerox, it contains all the computers
All connected to a cable on which each computer needs a hardware called the interface board to connect to the Ethernet) protocol works
Is the packets that will be sent to all the hosts that are connected together. Include the correct address of the host that should receive the packet in the packet header,
Because only the host that is consistent with the destination address in the packet can receive the packet, but when the host is working in listening mode
Regardless of the destination physical address in the packet, the host will be able to receive it. Many local area networks have more than 10 or even hundreds of host computers.
is connected by a cable, a hub, at the top of the protocol, or in the user's view, when two hosts in the same network
When communicating, the source host sends the packet that writes the destination host address directly to the destination host, or when a host in the network
When the external host communicates, the source host sends packets that are written to the destination host IP address to the gateway. But such packets are not allowed in the protocol
The upper layer of the stack is sent directly, and the packets to be sent must be handed over to the network interface from the IP level of the TCP/IP protocol, that is, the data
Link layer. The network interface does not recognize the IP address. Packets with IP addresses from the IP layer on the network interface are added in part to
The information of the too-Zhen's head. In the header, there are two domains for which only the network interface can be recognized by the source host and the destination host physically
This is a 48-bit address, this 48-bit address is corresponding to the IP address, in other words, an IP address will also correspond to a
A physical address. For a host that is a gateway, because it is connected to more than one network, it also has a number of IP addresses, in each
Network, it has one. The physical address of the gateway is the one that is sent to the outside of the network.

The physical address of the Ethernet is filled in from the network interface, that is, from the NIC sent out to transfer to the physical line.
If a local area network is connected by a coarse or thin network, the digital signal transmits the signal on the cable to reach every
Console host. When the hub is used, the signal sent out arrives at the hub, which is then sent to each of the hubs connected to the hub.
A line. The digital signals that are transmitted on the physical line can also reach each host connected to the hub. When the digital signal
When the network interface of a host is reached, the network interface in normal state checks the read data, if the data is carried in the physical
The address is its own or the physical address is the broadcast address, then the data will be sent to the IP layer software. For each network interface that arrives at the
The data is going to be the process. But when the host is working in listening mode, all data will be sent to the upper protocol.
Software processing.

When a host connected to the same cable or hub is logically divided into subnets, then if a host is
Listening mode, it will also be able to receive a primary that is sent to the same subnet as itself (using a different mask, IP address, and gateway)
All information transmitted on the same physical channel can be received.

On UNIX systems, when a user with super-privilege wants to enter the listening mode for the host they control, only
The Interface (network interface) sends the I/O control command so that the host can be set up as a listening mode. And in the WINDOWS9X system
It is possible to run the monitoring tool directly, regardless of whether the user has permission.

When listening to the network, it is often necessary to keep a large amount of information (also contains a lot of spam), and will be a large number of information collected
, so that the machine being monitored can respond slowly to requests from other users. While the listener is running, it needs to
To consume a lot of processor time, if at this time in the detailed analysis of the contents of the package, many packets will be too late to receive the leak
Go. So the listener will often store the received packets in the file for later analysis. The data packets that are heard by the analysis Monitor are
It's a headache. Because the packets in the network are very complex. Data packets are sent and received continuously between the two hosts,
The result is bound to add some other host interaction packets. A listener that organizes packets of the same TCP session together is quite
Easy, if you also expect to organize the user details, you need to do a lot of analysis of the package according to the protocol. On the internet so
Many of the protocols, running into the case of this listener will be very large oh.

Now the protocols used in the network are designed earlier, and many of the protocols are implemented based on a very friendly, communication
The basis of full trust on both sides. In the normal network environment, the user's information including the password is in clear text in the way of transmission on the Internet,
Therefore, network monitoring to obtain user information is not a difficult task, as long as the knowledge of the initial TCP/IP protocol can be
Easily listen to the information you want. Some time ago, Chinese-American china-babble had proposed to extend the monitoring of the road from the LAN to the wide
Domain network, but the idea was soon denied. If that's the case, I think the internet will chaos. And in fact now in
Some user information can also be monitored and intercepted in the WAN. It's just not obvious enough. Across the internet, it's even more tiny.
Foot the road.

Here are some of the system's famous listeners, you can try it yourself.

Windows9x/nt NetXRay Http://semxa.kstar.com/hacking/netxray.zip

Decunix/linux Tcpdump Http://semxa.kstar.com/hacking/management.zip

Solaris Nfswatch Http://semxa.kstar.com/hacking/nfswatch.zip

SunOS Etherfind Http://semxa.kstar.com/hacking/etherfind012.zip

The method of █ detecting network monitoring

Network monitoring has been described in the above. It is designed for system administrators to manage the network, monitor network status and data flow
Of But because it has the function of intercepting network data, it is also one of the tactics that hackers are accustomed to.

The General detection Network monitoring method is carried out by:

? network monitoring really, it's hard to find out. When the host running the listener is passive during the listening process
Receives information transmitted over Ethernet, it does not exchange information with other hosts, and it cannot modify packets that are transmitted over the network.
This shows that the detection of network monitoring is a more troublesome thing.

In general, it can be detected by PS-EF or Ps-aux. But most people who implement a listener will have to modify the PS command
To prevent it from being ps-ef. Modifying PS requires only a few shells to filter out the listener name and OK. One can start the listening process
The order of the people is definitely not a dish even this does not understand the person, unless he is lazy.

mentioned above. When running the listener, the host response will generally be affected by the change will be slow, so it has been proposed to pass
The rate at which the response is to be monitored. If that's true, I think the world is really going to be a mess.
You'll find countless listeners running in the section. Oh.

If you suspect that a certain machine in the net is implementing a listening program, what's the suspicion? It depends on your own), you can use
The correct IP address and the wrong physical address to ping it so that the running listener will respond. This is because normal
The machine generally does not receive the error of the physical address of the ping information. But the machine that is listening is ready to be received, if its ipstack
If you do not reverse the check again, you will respond. However, this method is ineffective for many systems because it relies on the ipstack of the system.

The other is to send a large number of non-existent physical address packets, and listeners often will be processing these packets, so that
Will cause the performance of the machine to degrade, you can use Icmpechodelay to judge and compare it. You can also search through all the hosts in the network
Run on the program, but it is difficult to imagine, because this is not only a large workload, but also can not fully check
Processes on all hosts. However, if an administrator does this, there is a great need to determine whether a process is
Boot from the administrator machine.

In Unix, a manifest that includes all processes can be produced through the Ps–aun or PS–AUGX command: The owner of the process and these
Process consumes processor time and memory, and so on. These are output on stdout in the form of a standard table. If a process is running,
Then it will be listed in this list. But many hackers in the running of the listener is not polite to the PS or other running
The program is modified into a trojanhorse program because he can do it completely. If that's the case, then there's no way.
As a result. But doing so will somehow still make a difference. It's easy to get the current process on UNIX and windowsnt.
List. But DOS, windows9x seems to be difficult to do oh, specifically I have not tested it is unclear.

There is also a way to rely on enough luck in this way. Because most of the eavesdropping programs that hackers use are free to get online
, he is not a professional listener. So as the administrator used to search the listener can also be detected. Using UNIX can write a search like this
Gadget, otherwise it would be exhausting. Oh.

There's a tool called Ifstatus that runs under UNIX, which can identify if the network interface is in a debug state or
into the tins. If the network interface is running in such a mode, it is likely that it is being attacked by a listener. Ifstatus A
The output is not generated when it detects that the network interface is in listening mode. Administrators can
Set the cron parameter of the system to run Ifstatus regularly, and if there is a good cron process, you can send the output it generates with mail
To the person performing the cron task, to implement a ****/usr/local/etc/ifstatus line of parameters that can be added to the crontab directory.
If that doesn't work, you can also use a scripting program to 00****/usr/local/etc/run-ifstatus under Crontab.

To resist the monitoring actually depends on which aspect. In general, listening is just a bit more sensitive to user password information (no boring
It's a waste of time for hackers to listen to chat messages between two machines. So the user information and password information are encrypted
is absolutely necessary. Prevent it from being heard in clear text transmission. In modern networks, SSH, a secure communication in the application environment
Protocol) Communication Protocol has been in use, SSH uses a port of 22, which excludes the communication on the unsecured channel information, is
The possibility of listening is used by the RAS algorithm, and all transmissions are encrypted with idea technology at the end of the authorization process. But SSH is not
Completely safe. At least now we can be so bold to comment.

█ 's famous sniffer monitoring tool

Sniffer is famous, because it is doing well in many ways, it can hear (even listen, see) online transmission
All information about the loss. Sniffer can be either hardware or software. Used primarily to receive information that is transmitted over the network. Network is available
Run under a variety of protocols, including Ethernet Ethernet, TCP/IP, ZPX, and so on, can also be centralized protocol of the federated system.

Sniffer is a very dangerous thing, it can intercept the password, you can intercept the secret or the private channel within the
Information, intercept to credit card number, economic data, e-mail and so on. More can be used to attack the network that is adjacent to oneself.

Sniffer can be used in any kind of platform. And now using sniffer can not be found, this is enough to the net
The most serious challenge of the security of the network.

In sniffer, there is also "enthusiastic person" wrote its plugin, called Tod Killer, can be the TCP connection completely cut off.
In short sniffer should arouse people's attention, otherwise security will never do the best.

Network monitoring principle (LAN data eavesdropping)