Basic Principles of Sniffing

Source: Internet
Author: User

1. Preface

SNIFF is really an old topic. Using SNIFF on the Internet to obtain sensitive information is nothing new, and there are many successful cases. So what is SNIFF? SNIFF is a sniffer, a bug: it works quietly at the bottom of the network and records all your secrets. Have you seen Will Smith in "Enemy of the State"? SNIFF is like the exquisite bugs in that film, hard to defend against.

SNIFF can be software or hardware. Software SNIFF is naturally divided by platform, such as WINDOWS and UNIX; hardware SNIFF is called a network analyzer. Whether hardware or software, the goal is the same: to obtain the various kinds of information transmitted over the network. This article only covers software SNIFF.

When you sit at home comfortably, enjoy the convenience of the Internet, receive your EMAIL and buy the things you like, do you ever think about what happens to the letter your friend sent you, or to your credit card number, once they have been turned into one packet after another and sent across the Internet? Have you ever thought about these packets flowing into other machines along the way? Your worries are not unfounded, because SNIFF can turn them into real danger. It is as if someone were hiding behind you, peeking over your shoulder...

2. Basic network knowledge

Does "basic network knowledge" sound beside the point? It may seem to have nothing to do with the SNIFF we are going to talk about, but we still need to cover it. If the foundation is not laid well, how can we put up a building?! If you are not very clear about networking, it is best to calm down and read this carefully; you need to know that this is the foundation of the foundation. Here I only give a simple explanation, so that nobody gets lost later; for details you had better find a book yourself.

(1) TCP/IP architecture

The Open Systems Interconnection (OSI) model divides the network into seven layers, each implementing different functions. The seven layers are: the application layer, presentation layer, session layer, transport layer, network layer, data link layer and physical layer. The TCP/IP architecture also follows the seven-layer standard, but it compresses some OSI functions and merges the presentation layer and session layer into the application layer, so the TCP/IP we actually deal with has only five layers. The layered structure of the network determines the protocol distribution and function implementation at each layer, and in turn determines which network devices work at each layer. In fact, many successful systems are based on the OSI model, such as frame relay, ATM and ISDN.

TCP/IP network architecture (Figure 1)

------------------------------------------
| SMTP  | DNS  | HTTP  | FTP   | TELNET  |  Application Layer
------------------------------------------
|        TCP        |         UDP        |  Transport Layer
------------------------------------------
|    IP    |  ICMP   |   ARP   |  RARP   |  Network Layer
------------------------------------------
| IEEE 802 Ethernet, SLIP/PPP, PDN, etc. |  Data Link Layer
------------------------------------------
| NIC, cable, twisted pair, etc.         |  Physical Layer
------------------------------------------

From the figure above, we can see that the first layer, the physical layer, and the second layer, the data link layer, are the basis of TCP/IP. TCP/IP itself does not care much about the lower layers, because the network device driver on the data link layer isolates the upper-layer protocols from the actual physical interface. The network device driver is located in the Media Access Control (MAC) sub-layer.

(2) devices on the network

Repeater: the main function of a repeater is to terminate the signal of one network segment and regenerate it on another segment. In a word, it is simply an amplifier, and it works at the physical layer.

Bridge: a bridge uses MAC physical addresses to implement its relay function. It can be used to separate network segments or to connect heterogeneous networks, and it works at the data link layer.

Router: a router uses network layer addresses (IP, X.121, E.164, etc.) and is mainly responsible for routing packets. It can also handle work at the physical layer and data link layer.

Gateway: a gateway mainly works at layer 4 or above and implements convergence and protocol conversion. However, the word gateway is often used to describe any network interconnection device.

(3) TCP/IP and Ethernet

Ethernet and TCP/IP can be said to complement each other; the two are almost inseparable. Ethernet provides the physical connection on the first and second layers, while TCP/IP works on the layers above it. TCP/IP uses 32-bit IP addresses, while Ethernet uses 48-bit MAC addresses, and ARP and RARP are used to convert between the two. The relationship between them can be seen clearly in the TCP/IP model diagram above.

Ethernet makes wide use of Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Carrier sense means that every station on the Ethernet has equal rights: when it wants to transmit its own data, it first listens to whether the channel is idle. If it is idle, it transmits; if the channel is busy, it waits for the channel to become idle. Collision detection exists for the case where two stations both find the network unused at the same moment and start sending at once. Ethernet uses a broadcast mechanism: every workstation connected to the network can see the data transmitted over it.

To deepen your understanding, look at the figure below: a typical client-server exchange over Ethernet using the TCP/IP protocol.

User process       FTP client <--------------------------> FTP server       Application Layer
                       |                                       |
Protocol stack        TCP     <-------------------------->    TCP           Transport Layer
in the kernel          |                                       |
                       IP     <-------------------------->     IP           Network Layer
                       |                                       |
Ethernet driver     Ethernet  <-------------------------->  Ethernet        Data Link Layer
                     driver                                  driver
                       |                                       |
                       +---------------------------------------+
                                       Ethernet

Is all this starting to feel tedious? Believe me, this is the foundation of the foundation, and it can be said to be very simple. Even a few hundred words on the material above would not be too much, in my opinion. Okay, let's go on to the next section, the principle of SNIFF.

3. Principle of SNIFF

You must know that all communication over Ethernet is broadcast; that is to say, every network interface in the same network segment can access all the data transmitted on the physical medium. Each network interface has a unique hardware address, the MAC address of the NIC. Most systems use a 48-bit address to represent each device on the network; in general the MAC address on every network adapter is different, because each manufacturer obtains a block of addresses and assigns one to each adapter it makes. ARP and RARP are used to convert between hardware addresses and IP addresses.

Under normal circumstances, a network interface should only respond to the following two kinds of data frame:

1. Data frames whose destination matches its own hardware address.
2. Data frames sent to all machines (broadcast frames).

In an actual system, data is sent and received by the network adapter. When a frame arrives, the firmware on the adapter reads the destination MAC address of the data frame and, according to the receiving mode set by the NIC driver on the computer, decides whether to receive it. If the frame is to be received, the adapter raises an interrupt to notify the CPU; if not, the frame is discarded. So a frame that a network card should not receive is cut off at the card, and the computer never knows about it at all. When the CPU gets the interrupt, the operating system calls the driver's interrupt handler, at the address registered by the NIC driver, to receive the data. After the driver receives the data, it passes it up to the kernel for the operating system to process. In general, a NIC has four receiving modes:

Broadcast mode: in this mode the NIC receives broadcast frames on the network.
Multicast mode: a NIC set to this mode receives multicast data.
Direct mode: in this mode only the NIC that is the frame's destination receives the data.
Promiscuous mode: in this mode the network adapter receives all data passing through it, regardless of whether the data is addressed to it.

Now let's sum up. First, we know that data on Ethernet is transmitted by broadcast, that is to say, every physical signal passes our machine. Second, a network card can be placed in promiscuous mode, and a card working in that mode receives all the data passing through it, regardless of whether the destination address is actually its own. This is the basic principle of SNIFF: make the NIC receive everything that it can receive.

[Figure: machines A, B and C connected to a HUB, which reaches the external network through a router]

Let's take a simple example. Machines A, B and C are connected to a HUB, and the HUB reaches the external network through a router. This is a very simple and common situation: in an office building, for example, the several machines in my network department are connected through a hub, the same goes for the development department and the marketing department, and the hubs of the departments are connected through routers. Back to our example: it is worth noting that machines A, B and C are connected by an ordinary HUB, not a SWITCH or a ROUTER; the SWITCH and ROUTER cases are much more complicated.

Suppose the administrator on machine A uses the FTP command to log on remotely to machine C in order to maintain it. The data flow in the network connected by the HUB is as follows. First, the FTP password the administrator on machine A types to log on to machine C is packaged in turn by the FTP protocol at the application layer, the TCP protocol at the transport layer, the IP protocol at the network layer and the Ethernet driver at the data link layer, and finally handed to the physical layer, our network cable. The data frame then arrives at the HUB, which broadcasts it to every port. Machine B receives the frame broadcast by the HUB and checks whether the destination address in the frame matches its own; since it was not sent to B, B discards the frame and ignores it. Machine C also receives the frame, finds after comparison that it is addressed to itself, and then analyzes and processes it.

In the simple example above, what if the administrator on machine B is curious and wants to know the FTP password used to log on to machine C? It is easy: he just needs to place the network adapter on his machine in promiscuous mode and analyze the data frames it receives to find the password information they contain.
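To make the four receiving modes and the HUB example concrete, here is an added Python model that is not from the original article: it parses the 14-byte Ethernet header, applies each receiving mode the way the NIC firmware described above does, and replays the frame from machine A to machine C as the HUB repeats it to every port. The MAC addresses and the payload are constructed placeholders.

```python
import struct

# Constructed addresses for the three machines on the HUB (not real hardware).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")
BROADCAST = bytes.fromhex("ffffffffffff")

def parse_ethernet_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype

def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Ethernet header followed by the (constructed) upper-layer payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def is_multicast(mac: bytes) -> bool:
    # The least-significant bit of the first octet marks a group address;
    # the all-ones broadcast address is the special case of that.
    return bool(mac[0] & 0x01)

def nic_accepts(frame: bytes, own_mac: bytes, mode: str) -> bool:
    """Model of the NIC's decision to hand a frame to the driver in each mode."""
    dst, _, _ = parse_ethernet_header(frame)
    if mode == "promiscuous":   # everything on the wire is handed up
        return True
    if dst == own_mac:          # a frame addressed to us is accepted in every mode
        return True
    if mode == "direct":        # only frames addressed to this NIC
        return False
    if mode == "broadcast":
        return dst == BROADCAST
    if mode == "multicast":
        return is_multicast(dst)
    raise ValueError(f"unknown receiving mode: {mode}")

def hub_delivery(frame: bytes, nics: dict) -> dict:
    """A HUB repeats the frame to every port; each NIC then filters by its mode."""
    return {name: nic_accepts(frame, mac, mode) for name, (mac, mode) in nics.items()}

if __name__ == "__main__":
    # Machine A logs on to machine C; B's adapter has been put in promiscuous mode.
    frame = build_frame(MAC_C, MAC_A, b"constructed FTP session data")
    print(hub_delivery(frame, {"A": (MAC_A, "direct"), "B": (MAC_B, "promiscuous"),
                               "C": (MAC_C, "direct")}))
```

On a Linux host the quickest check for an adapter left in this mode is the PROMISC flag shown by `ip link`, which is the first thing to look for when auditing machines on a shared segment.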

4. Make your own SNIFF

In the previous section we learned how SNIFF works.
