Learn more about sniffer

With the increasing popularity of Internet and e-commerce, the security of the Internet has been paid more and more attention. Sniffer and Forward play an important role in Internet security risks. This article will introduce Sniffer and how to block sniffer.

Most hackers only detect and take control of hosts on the Intranet. Only those "ambitious" hackers Install Trojan Horse and Backdoor programs and clear records to control the entire network. They often use the method of installing sniffer.

On the Intranet, the most effective way for hackers to quickly obtain a large number of accounts (including user names and passwords) is to use the "sniffer" program. This method requires that the host running the Sniffer program and the monitored host must be in the same Ethernet segment. Therefore, running sniffer on the external host is ineffective. Moreover, you must use the sniffer program as the root user to listen to data streams in the Ethernet segment.

Hackers will use various methods to gain control of the system and leave a backdoor for further intrusion to ensure that sniffer can be executed. On the Solaris 2. x platform, the sniffer program is usually installed in the/usr/bin or/dev directory. Hackers also cleverly modify the time to make the sniffer program seem to be installed with other system programs at the same time.

Most "ethernet sniffer" programs run in the background and output the results to a record file. Hackers often modify ps programs, making it difficult for system administrators to find sniffer programs.

The "ethernet sniffer" Program sets the network interface of the system to the hybrid mode. In this way, it can listen to all data packets flowing through the same Ethernet network segment, regardless of whether the receiver or sender is a host running sniffer. The program stores user names, passwords, and data that hackers are interested in into log files. The hacker will wait for a period of time-for example, a week later, and then return to download the record file.

1. What is sniffer?

Unlike telephone circuits, computer networks share communication channels. Sharing means that the computer can receive information sent to other computers. The data captured in the network is called sniffing ).

Ethernet is now the most widely used computer connection method. The Ethernet protocol sends packet information to all hosts in the same loop. The data packet header contains the correct address of the target host. Generally, only the host with this address will accept this data package. If a host can receive all data packets and ignore the packet header content, this mode is usually called the "hybrid" mode.

In a common network environment, account and password information are transmitted in plaintext over Ethernet. Once an attacker obtains the root permission of a host, and put it in a hybrid mode to eavesdrop network data, which may intrude into all computers in the network.

Ii. Working Principles of sniffer

Generally, all network interfaces in the same network segment have the ability to access all data transmitted on physical media, and each network interface should have a hardware address, this hardware address is different from the hardware address of other network interfaces in the network. At the same time, each network must have at least one broadcast address. (Representing all interface addresses). Under normal circumstances, a valid network interface should only respond to the following two data frames:

1. The target area of the frame has a hardware address that matches the local network interface.
2. The target area of the frame has a "broadcast address ".

When the above two data packets are received, nc generates a hardware interruption through the cpu. This interruption can attract the attention of the operating system, and then transmit the data contained in the frame to the system for further processing.

Sniffer is a software that can set the local nc status to promiscuous. When the nc is in this "hybrid" mode, the nc has "broadcast address ", it generates a hardware interruption for each frame that is encountered to remind the operating system to process each packet that flows through the physical media. (The vast majority of nc servers can be set to the promiscuous mode)

It can be seen that sniffer works at the bottom layer of the network environment. It intercepts all the data being transmitted over the network and can analyze the data in real time through corresponding software processing, then, the network status and overall layout are analyzed. It is worth noting that sniffer is extremely quiet and is a negative security attack.

Generally, the content that sniffer cares about can be divided into the following categories:

1. Password:
I think this is the reason for the vast majority of illegal use of sniffer. sniffer can record the userid and passwd transmitted in plaintext. even if you use encrypted data during network transmission, the data recorded by sniffer may cause intruders to eat meat strings at home and find a way to calculate your algorithm.

2. Financial Account:
Many users can safely use their credit card or cash account online. However, sniffer can easily intercept user names, passwords, credit card numbers, end dates, accounts, and pin sent online.

3. Peek at confidential or sensitive information data:
By intercepting data packets, intruders can easily record sensitive information transmitted between others, or simply intercept the entire email session process.

4. snoop on low-level protocol information:
This is a terrible thing. I think, through the underlying information protocol record, for example, record the network interface address, remote network interface ip address, ip route information, and the byte sequential number of tcp connections between two hosts. This information is taken into account by an illegal hacker and will pose great harm to network security. Generally, someone uses sniffer to collect this information for only one reason: he is conducting a fraud, (generally, IP address fraud requires you to insert the byte sequence number of the tcp connection accurately, which will be pointed out in future articles.) If someone is very concerned about this issue, so sniffer is just a prelude to him, and there will be more problems in the future. (For advanced hacker, I think this is the only reason to use sniffer ).

3. Where can I get sniffer?

Sniffer is one of the most common intrusion methods for hackers. You can run sniffer In the allowed network to learn how it effectively threatens the security of local machines.

Sniffer can be hardware or software. Currently, Sniffer is the most widely used software, and most hackers use Sniffer.

The following are some sniffer tools that are also widely used to debug network faults:

Commercial sniffer:

1 Network General.
Network General has developed a variety of products. The most important thing is the Expert Sniffer, which can not only be sniff, but also send/receive data packets through a high-performance specialized system to help diagnose faults. Another enhancement product, "Distrbuted SnifferSystem", can use UNIX workstations as the sniffer console and distribute snifferagents (proxies) to remote hosts.

2 Microsofts Net Monitor
For some commercial sites, multiple protocols such as NetBEUI, IPX/SPX, TCP/IP, 802.3, and SNA may be required at the same time. At this time, it is difficult to find a sniffer to solve network problems, because many sniffer often treat some correct protocol packets as error packets. Microsoft's Net Monitor (previously called Bloodhound) can solve this problem. It correctly differentiates unique data packets such as Netware control packets and NTNetBios name service broadcast. (Etherfind will only identify these packets as broadcast packets of Type 0000 .) This tool runs on MS Windows. It can even monitor network statistics and session information by MAC address (or host name. You can simply click a session to get the output of the tcpdump standard. You only need to click the host to be monitored in a dialog box.

Free Software sniffer

1 Sniffit is developed by Lawrence Berkeley Lab and runs on Solaris, SGI, Linux, and other platforms. You can select the source, target address, or address set, as well as the listening port, protocol, and network interface. By default, this SNIFFER only accepts the first 400 bytes of information packets, which is exactly the same for a login session process.

2 SNORT: This SNIFFER has many options for you to use and is highly portable. It can record some connection information to track some network activities.

3 TCPDUMP: This SNIFFER is very famous. linux and FREEBSD are also built on the system. It is considered a professional network management tool by many UNIX experts, I remember that in the past, TsutomuShimomura (which should be called a sub-village invasion) used his modified TCPDUMP version to record records of KEVINMITNICK's attack on his system, and then cooperated with the FBI to capture KEVINMITNICK, later he wrote an article: using these LOG records to describe the attack, How Mitnick hacked Tsutomu Shimomura with an IP sequence attack
(Http://www.attrition.org/securit... iffer/shimomur.txt)

4 ADMsniff: This is a SNIFFER program written by the well-known ADM hacker group.

5 linsniffer: This is a specially designed SNIFFER on a LINUX platform.

6 Esniffer: this is also a famous SNIFFER program.

7 Solsniffer: This is a solarjavasiffer. It mainly modifies SunSniff to facilitate compilation on the Solair platform.

8 Ethereal is a graphical Sniffer Based on GTK +.

9 Gobbler (for MS-DOS & Win95), Netman, NitWit, Ethload... and so on.

Iv. install and use sniffer

I mainly use sniffit as an example to describe the applications in nt and linux respectively.

[1] install sniffit in linux:

Software Installation

1. Use tarzvfxsniffit. *. tgz to decompress the downloaded sniffit. *. tgz.
Go to the target folder you want. if the version is 0.3.7, you will see a directory named sniffit.0.3.7.

2. cd sniffit.0.3.7

3../configure & make, as long as no unexpected error information appears on the terminal during this process, you can get a binary sniffit file even if the compilation is successful.

4. makeclean clears unwanted garbage ......

Usage

1. The parameter has the following command options:
-V: display version information
-T let the program listen to data packets destined for an IP address
-S allows the program to listen to IP data packets from an IP address. You can use the @ wildcard
-T199.145 .@
-I: The window is displayed. You can view the machines connected to your network.
-I extended interaction mode, ignoring all other options, much more powerful than-I ......
-C run the program using the script
-F force the program to use the network Hard Disk
-N: false data packets are displayed. Packets that use ARP, RARP, or other IP addresses are also displayed.
-N indicates the option when only plugin is run to invalidate other options.

In-