Sniffer principle:
Today, when people speak of hacker attacks, they generally mean active attacks on a system, such as exploiting vulnerabilities or guessing system passwords. However, there is another kind of attack that is passive, very harmful, and often ignored: the sniffing attack, carried out with a sniffer.
A sniffer is a threatening passive attack tool. It monitors the network status, the data flow, and the information transmitted over the network. Whenever information is transmitted in plain text, a network listener can be used to attack it: by setting the network interface to listening mode, the attacker captures the information continuously flowing over the network. Hackers often use it to intercept user passwords. It is said that a router on a backbone network was compromised by hackers and a large number of user passwords were sniffed. This article describes in detail the principles and applications of sniffers.
I. Sniffer Principle
1. Network Technology and Equipment Overview
Before introducing the concept of the sniffer, we must first introduce some basic concepts of LAN devices.
Data is transmitted on the network in small units called frames. Frames are composed of several parts, and different parts perform different functions. A frame is assembled by a specific piece of software called the network driver, then sent through the network card and over the network cable to the target machine, where the reverse process is executed. The Ethernet card of the receiver captures these frames, tells the operating system that a frame has arrived, and then stores it. It is in this process of transmission and receipt that the sniffer creates security issues.
Each workstation on a LAN has its hardware address, which uniquely represents a machine on the Network (similar to an Internet address system ). When a user sends a packet, the packet is sent to all available machines on the LAN.
In general, all machines on the network can "listen" to the traffic passing by, but they do not respond to packets that do not belong to them (in other words, workstation A does not capture data belonging to workstation B, but simply ignores it). If the network interface of a workstation is in promiscuous mode (the concept of promiscuous mode is explained later), it can capture all the packets and frames on the network.
2. Network Monitoring Principles
A sniffer program is a tool that uses this Ethernet characteristic by setting the network adapter (NIC, usually an Ethernet card) to promiscuous mode. Once the card is in this mode, it can receive every packet transmitted over the network segment.
Normally, a card only receives packets addressed to its own address, that is, packets sent to the local host. For a sniffer to receive and process traffic in this way, the system must support BPF; on Linux, the system must support packet sockets. In general, network hardware and TCP/IP stacks do not support receiving or sending packets unrelated to the local computer, so to bypass the standard TCP/IP stack the NIC must be set to the promiscuous mode just mentioned. Usually, activating this requires kernel support for the bpfilter pseudo-device and root permission to run the program. Therefore, a sniffer must be installed and run as root; a user who only has an ordinary local account cannot run the sniffer without the root password.
In sniffer mode, you can analyze all kinds of packets and describe the network structure and the machines in use. Because it receives every packet transmitted on the same network segment, it is possible to capture passwords, all sorts of information, secret documents, and any other unencrypted data. This has become a common method used by hackers to expand their foothold and seize control of other hosts.
3. Sniffer Classification
Sniffers come in two types: software and hardware. Software sniffers include NetXRay, PacketBoy, and Net Monitor. Their advantages are that they are inexpensive, easy to learn and use, and easy to exchange; the disadvantage is that they cannot capture all of the traffic on the network, so in some cases you cannot really understand network faults and running conditions. A hardware sniffer is usually called a protocol analyzer; these are generally commercial products and expensive.
In fact, the sniffers discussed in this article are software. They capture packets, open them, view the contents, and obtain passwords. A sniffer can only capture packets within one physical network segment. That is to say, there must be no router or other device that blocks broadcast packets between you and the listening target. This is very important. Therefore, dial-up Internet users cannot use a sniffer to intercept other people's communications.
4. Purpose of network listening
When a hacker has successfully compromised a host, obtained root permission, and wants to use this host to attack other hosts on the same network segment, he installs sniffer software on the host to listen to the packets transmitted on the Ethernet device and find the packets of interest. If a qualifying packet is found, it is stored in a log file. The conditions are usually set to match packets containing the words "username" or "password", since such packets usually contain the passwords hackers are interested in. Once a hacker intercepts the password of a host, he immediately logs in to that host.
If the sniffer runs on a router or a host with a routing function, it can monitor a large amount of data, because all incoming and outgoing packets must pass through the router.
Sniffing is a second-level attack. That is to say, only after attackers have already entered the target system can they use a sniffer to obtain more information.
In addition to passwords and user names, a sniffer can obtain much more, such as other important information and financial information sent online. A sniffer can obtain almost any packet sent on the network.
Sniffing is a complex attack method; generally only experienced hackers are able to use it. For a newbie on the network, even if he successfully compiles and runs a sniffer on a host, he generally obtains no useful information, because the traffic on the network is usually quite large. It is very difficult to receive all the packets without selection and then find the required information; in addition, listening for a long time may fill up the hard disk of the machine that stores the sniffer output.
5. A simple sniffer program
The following is a very simple C program that completes the basic listening function. The text inside /* */ is commentary for this article.

/* Header files containing the system calls and network functions */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* IP and TCP packet header structures */
struct ip {
    unsigned int ip_length:4;        /* length of the IP header, in 32-bit words */
    unsigned int ip_version:4;       /* IP version, 4 for IPv4 */
    unsigned char ip_tos;            /* type of service */
    unsigned short ip_total_length;  /* total length of the IP datagram */
    unsigned short ip_id;            /* identification */
    unsigned short ip_flags;         /* flags and fragment offset */
    unsigned char ip_ttl;            /* time to live of the IP packet */
    unsigned char ip_protocol;       /* upper-layer protocol */
    unsigned short ip_cksum;         /* IP header checksum */
    unsigned int ip_source;          /* source IP address */
    unsigned int ip_dest;            /* destination IP address */
};

struct tcp {
    unsigned short tcp_source_port;  /* TCP source port */
    unsigned short tcp_dest_port;    /* TCP destination port */
    unsigned int tcp_seqno;          /* TCP sequence number */
    unsigned int tcp_ackno;          /* next sequence number the sender expects */
    unsigned int tcp_res1:4,         /* reserved bits; the following are header length and TCP flags */
                 tcp_hlen:4,
                 tcp_fin:1,
                 tcp_syn:1,
                 tcp_rst:1,
                 tcp_psh:1,
                 tcp_ack:1,
                 tcp_urg:1,
                 tcp_res2:2;
    unsigned short tcp_winsize;      /* maximum number of bytes that can be received */
    unsigned short tcp_cksum;        /* TCP checksum */
    unsigned short tcp_urgent;       /* urgent pointer */
};

/* Main function */
int main(void)
{
    int sock, bytes_received;
    socklen_t fromlen;
    char buffer[65535];
    struct sockaddr_in from;         /* socket address structure */
    struct ip *ip;                   /* IP and TCP header pointers */
    struct tcp *tcp;

    /* Create the socket. The first parameter is the address family: the Internet family.
       The second is the socket type: SOCK_RAW bypasses the transport layer and delivers
       IP-layer packets directly, which requires root permission.
       The third is the protocol: IPPROTO_TCP selects TCP segments. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    while (1) {                      /* endless loop, continuously receiving network data */
        fromlen = sizeof from;
        /* Receive data from the raw socket. recvfrom() expects a sockaddr,
           so the sockaddr_in is cast to that type. */
        bytes_received = recvfrom(sock, buffer, sizeof buffer, 0,
                                  (struct sockaddr *)&from, &fromlen);
        if (bytes_received < (int)sizeof(struct ip)) {
            if (bytes_received < 0)
                perror("recvfrom");
            continue;                /* error or too short to hold an IP header */
        }
        printf("\nBytes received: %5d\n", bytes_received);     /* number of bytes received */
        printf("Source address: %s\n", inet_ntoa(from.sin_addr)); /* source address */

        ip = (struct ip *)buffer;    /* overlay the predefined structure on the data for easy viewing */
        printf("IP header length: %d\n", ip->ip_length);        /* IP header length in 32-bit words */
        printf("Protocol: %d\n", ip->ip_protocol);              /* 6 is TCP, 17 is UDP */

        /* ip_length counts 32-bit words, so it is multiplied by 4 to get the
           byte offset of the TCP header */
        tcp = (struct tcp *)(buffer + (4 * ip->ip_length));
        printf("Source port: %d\n", ntohs(tcp->tcp_source_port)); /* source port */
        printf("Dest port: %d\n", ntohs(tcp->tcp_dest_port));     /* destination port */
    }
    close(sock);
    return 0;
}
The C program above is the simplest example illustrating the sniffer's receiving principle; it only implements the receiving function. Before running it, the network card must also be put into promiscuous mode manually, with the following command run as root:
ifconfig eth0 promisc
This assumes eth0 is your Ethernet interface. Then run the compiled program to view the received packets.
Although this program is simple, it illustrates the basic principle of a sniffer: first set the network card to promiscuous mode, then receive data directly at the IP layer.
Of course, the function of this program is too limited. It only displays simple information such as source address, destination address, source port, and destination port, which is of no use to hackers; they need information such as passwords, which some freely available sniffer programs can extract.
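The program above overlays a bit-field struct on the received buffer and multiplies the header length field by 4 to find the TCP header. Whether that overlay works depends on the compiler's bit-field ordering and on the packet being well formed. The following added example, not from the article, parses the same IPv4 and TCP fields byte by byte from a packet buffer, so it is independent of endianness and padding, and it checks the version, the IHL (which must be at least 5 words) and the total length against the bytes actually received before trusting the offset. The sample packet bytes are constructed inline by a helper, not captured traffic.

```c
/* Added example (not the article's code): portable IPv4/TCP header parsing
   with length validation. Sample packets are constructed by build_sample(). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct pkt_info {
    unsigned version;      /* IP version */
    unsigned ihl_words;    /* IP header length in 32-bit words */
    unsigned protocol;     /* 6 = TCP, 17 = UDP */
    uint32_t src, dst;     /* addresses in host byte order */
    unsigned sport, dport; /* TCP ports in host byte order */
    unsigned syn, ack;     /* selected TCP flags */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success (TCP fields filled), 1 for a valid non-TCP packet
   (IP fields only), and a negative value for malformed input. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, struct pkt_info *out)
{
    if (len < 20) return -1;                       /* shorter than a minimal IP header */
    unsigned version = buf[0] >> 4;
    unsigned ihl = buf[0] & 0x0f;
    if (version != 4) return -2;
    if (ihl < 5) return -3;                        /* IHL below 5 words is invalid */
    size_t iphdr = (size_t)ihl * 4;                /* IHL counts 32-bit words, so * 4 */
    unsigned total = rd16(buf + 2);
    if (total < iphdr || total > len) return -4;   /* length field disagrees with the data */
    out->version = version;
    out->ihl_words = ihl;
    out->protocol = buf[9];
    out->src = rd32(buf + 12);
    out->dst = rd32(buf + 16);
    if (out->protocol != 6) return 1;              /* not TCP */
    if (total - iphdr < 20) return -5;             /* truncated TCP header */
    const uint8_t *t = buf + iphdr;                /* TCP header starts after the IP options */
    out->sport = rd16(t);
    out->dport = rd16(t + 2);
    out->syn = (t[13] >> 1) & 1;
    out->ack = (t[13] >> 4) & 1;
    return 0;
}

/* Constructed sample: IPv4 header with opt_words option words (all zero),
   then a 20-byte TCP SYN from 10.0.0.1:50000 to 10.0.0.2:443. Returns the
   packet length written to buf (buf must hold at least 80 bytes). */
size_t build_sample(uint8_t *buf, unsigned opt_words)
{
    unsigned ihl = 5 + opt_words;
    size_t total = ihl * 4 + 20;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl);                /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;                       /* total length */
    buf[8] = 64;                                   /* TTL */
    buf[9] = 6;                                    /* protocol TCP */
    uint32_t src = 0x0a000001u, dst = 0x0a000002u; /* 10.0.0.1 -> 10.0.0.2 */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *t = buf + ihl * 4;
    t[0] = 0xC3; t[1] = 0x50;                      /* source port 50000 */
    t[2] = 0x01; t[3] = 0xBB;                      /* destination port 443 */
    t[12] = 0x50;                                  /* data offset 5 words */
    t[13] = 0x02;                                  /* SYN flag */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    struct pkt_info info;
    size_t n = build_sample(buf, 1);               /* one option word, so IHL = 6 */
    if (parse_ipv4_tcp(buf, n, &info) != 0) {
        printf("malformed packet\n");
        return 1;
    }
    printf("IPv4 IHL=%u proto=%u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u syn=%u ack=%u\n",
           info.ihl_words, info.protocol,
           info.src >> 24, (info.src >> 16) & 255, (info.src >> 8) & 255, info.src & 255,
           info.sport,
           info.dst >> 24, (info.dst >> 16) & 255, (info.dst >> 8) & 255, info.dst & 255,
           info.dport, info.syn, info.ack);
    return 0;
}
```

The same validation applies to the article's program: a raw socket delivers whatever is on the wire, so a packet whose IHL or total length does not match the bytes received must be rejected before the TCP pointer is computed, otherwise the program reads beyond the data it actually has.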
Meaning and working principle of sniffer:
1. Meaning of Sniffer
Sniffers have almost as long a history as the Internet. Sniffing is a common method for collecting useful data, which can be user accounts and passwords or confidential commercial data. With the increasing popularity of the Internet and e-commerce, Internet security receives more and more attention, and the sniffer, which plays an important role in Internet security risks, is getting more and more attention too. So today I want to introduce the sniffer and how to block it.
Most intruders only probe and take control of hosts on the intranet. Only the "ambitious" ones install Trojan horses and backdoors, clear the logs, and try to control the entire network, and they often do this by installing a sniffer.
On an intranet, the most effective way for hackers to quickly obtain a large number of accounts (user names and passwords) is a "sniffer" program. This method requires that the host running the sniffer and the monitored hosts be on the same Ethernet segment, so running a sniffer on an external host is ineffective. Moreover, the sniffer must run as root to listen to the data streams on the Ethernet segment. When talking about Ethernet sniffers, we must talk about Ethernet sniffing.
So what is Ethernet sniffer?
Ethernet sniffing means listening to the packets transmitted on an Ethernet device in order to discover packets of interest. If a qualifying packet is found, it is stored in a log file. The conditions are usually set to match packets containing the words "username" or "password".
It works by putting the network interface into promiscuous mode.
Promiscuous mode means that a device on the network listens to all the data transmitted on the bus, not just its own. From the basic introduction to the working principle of Ethernet in Chapter 2, you know that when a device sends data to a target, it is broadcast over the Ethernet. Every device connected to the Ethernet bus receives the data all the time, but it only passes its own data up to the applications on the computer.
Using this, you can set a computer's network connection to accept all data on the Ethernet bus, which is how a sniffer is implemented.
A sniffer is usually run on a router or a host with a routing function, because in that position it can monitor a large amount of data. Sniffing is a second-level attack: generally, the attacker has already entered the target system and then uses the sniffer to obtain more information.
In addition to passwords and user names, a sniffer can obtain much more, such as other important information and financial information sent online; it can get almost any packet transmitted over the Ethernet. Hackers use various methods to gain control of the system and leave a backdoor for further intrusion, to ensure that the sniffer keeps running. On the Solaris 2.x platform, the sniffer program is usually installed in the /usr/bin or /dev directory. Hackers also cleverly modify the timestamps so that the sniffer program appears to have been installed at the same time as other system programs.
Most Ethernet sniffer programs run in the background and write their results to a log file. Hackers often modify the ps program, making it difficult for system administrators to find the sniffer process.
The Ethernet sniffer program sets the system's network interface to promiscuous mode. In this way it can listen to every packet flowing through the same Ethernet segment, regardless of whether the host running the sniffer is the sender or the receiver. The program stores user names, passwords, and other data the hacker is interested in into a log file. The hacker then waits for a period of time, for example a week, and returns to download the log file.
Having said all this, how should a sniffer be described?
Unlike telephone circuits, computer networks share a communication channel. Sharing means that a computer can receive information sent to other computers. Capturing data from the network in this way is called sniffing.
Ethernet is now the most widely used computer connection method. The Ethernet protocol sends packets to all hosts on the same segment. The packet header contains the address of the intended target host, and normally only the host with that address accepts the packet. If a host accepts all packets regardless of the address in the header, it is said to be in "promiscuous" mode.
In a common network environment, account and password information is transmitted in plaintext over the Ethernet. Once an intruder obtains root permission on one of the hosts and puts it into promiscuous mode to eavesdrop on network data, he may be able to intrude into every computer on the network.
In a word, a sniffer is a tool that hackers use for eavesdropping.
II. Working Principles of the Sniffer
Generally, all network interfaces on the same network segment have the ability to access all data transmitted on the physical medium, and each network interface has a hardware address that differs from the hardware address of every other network interface on the network. At the same time, each network has at least one broadcast address, representing all interface addresses. Under normal circumstances, a network interface should respond to only the following two kinds of data frames:
1. Frames whose destination field carries a hardware address matching the local network interface.
2. Frames whose destination field carries the "broadcast address".
When either of these frames is received, the NIC raises a hardware interrupt to the CPU. This interrupt gets the operating system's attention, which then takes the data contained in the frame for further processing.
A sniffer is software that can set the local NIC to the promiscuous state. When the NIC is in this "promiscuous" mode, it behaves as if it had the "broadcast address": it generates a hardware interrupt for every frame it encounters, prompting the operating system to process every packet that flows through the physical medium. (The vast majority of NICs can be set to promiscuous mode.)
It can be seen that the sniffer works at the lowest layer of the network environment. It intercepts all the data being transmitted on the network and, with the corresponding software, can analyze the data in real time and then analyze the network status and overall layout. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.
Generally, the content that sniffer cares about can be divided into the following categories:
1. Passwords
I think this is the reason for the vast majority of illegal uses of a sniffer: it can record user IDs and passwords transmitted in plaintext. Even if the data is encrypted during transmission, the data recorded by the sniffer may let the intruder take it home, chew on it at leisure, and find a way to work out your algorithm.
2. Financial accounts
Many users feel safe using their credit card or cash account online. However, a sniffer can easily intercept user names, passwords, credit card numbers, expiry dates, account numbers, and PINs sent online.
3. Peeking at confidential or sensitive data
By intercepting data packets, intruders can easily record sensitive information exchanged between others, or simply intercept an entire e-mail session.
4. Snooping on low-level protocol information
This is a terrible thing. I think that recording low-level protocol information, for example network interface addresses, remote network interface IP addresses, IP routing information, and the byte sequence numbers of TCP connections between two hosts, gives an illegal hacker information that poses great harm to network security. Generally, there is only one reason someone collects this information with a sniffer: he is preparing a spoofing attack (IP spoofing generally requires inserting the byte sequence number of a TCP connection accurately, which will be covered in a later article). If someone is very interested in this issue, then the sniffer is only a prelude for him, and there will be many more problems to come. (For an advanced hacker, I think this is the only reason to use a sniffer.)
III. Working Environment of the Sniffer
A sniffer is a device that can capture network packets. The proper use of a sniffer is to analyze network traffic in order to identify potential problems in the network. For example, if a certain part of the network is not running well and messages are sent slowly, but we do not know where the problem is, we can use a sniffer to pinpoint it.
Sniffers differ greatly in function and design. Some can only analyze one protocol, while others may be able to analyze several hundred. In general, most sniffing devices can analyze at least the following protocols:
1. Standard Ethernet
2. TCP/IP
3. IPX
4. DECnet
A sniffer is usually a combination of hardware and software. Dedicated sniffers are very expensive. On the other hand, although a free sniffer costs nothing, it comes with no support.
A sniffer is different from a general keystroke capture program. A keystroke capture program captures the key values typed on the terminal, while the sniffer captures real network packets. The sniffer achieves this by attaching to a network interface, for example by setting the Ethernet card to promiscuous mode. (To understand how promiscuous mode works, we first explain how a LAN works.)
Data is transmitted on the network in small units called frames. Frames are composed of several parts, and different parts perform different functions. (For example, the first 12 bytes of an Ethernet frame store the source and destination addresses. These bytes tell the network the source and destination of the data. Other parts of the Ethernet frame store the actual user data, TCP/IP headers, IPX headers, and so on.)
The frame is formed by a specific piece of software called the network driver and then sent onto the network cable through the network adapter. At the target machine, the opposite process is executed. The Ethernet card of the receiver captures these frames, notifies the operating system of their arrival, and then stores them. It is in this process of transmission and receipt that the sniffer causes security problems.
Each workstation on a LAN has its hardware address. These addresses uniquely represent the machines on the network (similar to the Internet addressing system). When a user sends a packet, the packet is sent to all available machines on the LAN.
In general, all machines on the network can "listen" to the traffic passing by, but they do not respond to messages that do not belong to them (in other words, workstation A does not capture data belonging to workstation B, but simply ignores it).
If a network interface on a workstation is in promiscuous mode, it can capture all the packets and frames on the network. A workstation configured in this mode (including its software) is a sniffer.
Possible hazards of the sniffer:
1. the sniffer can capture passwords.
2. Ability to capture private or confidential information
3. It can be used to endanger the security of network neighbors or to obtain higher-level access permissions.
In fact, if there is an unauthorized sniffer on your network, you should consider your systems exposed to others. (You can try the sniffing function of tianxing2.)
Generally, only the first 200 to 300 bytes of each packet are sniffed. The user name and password are contained in this part, which is the real part of concern. One can also sniff all packets on a given interface; with enough storage and processing capacity, some very interesting things will turn up......
Simply placing a sniffer anywhere does not achieve much. Placing the sniffer near the attacked machine or network captures many passwords. A better way is to put the sniffer on the gateway, where the authentication exchanges between this network and other networks can be captured. This multiplies the attack's scope.
3. Who will use sniffers?
Maybe everyone knows who will use sniffer, but not everyone who uses it is a good web player, because many sniffer users are dummies now, OICQ sniffer is the most widely used. I think those friends who like to check the IP address should remember it. Well, I have used it all, but now I certainly don't need it!
Of course, system administrators use sniffers to analyze network traffic and find out where a problem is occurring on the network. A security administrator can place multiple sniffers across the network to form an intrusion alarm system. The sniffer is a good tool for system administrators, but it is also a tool frequently used by hackers. Hackers install sniffers to obtain user names and accounts, credit card numbers, personal information, and other data, which can cause great harm to you or your company if it gets into the wrong hands. Once they have this information, hackers use the passwords to attack other Internet sites or even resell the credit card numbers.
Network listening technology:
When information is transmitted on a network, a tool that sets the network interface to listening mode can intercept or capture the information in transit and use it to launch attacks. Network listening can be implemented at any position in the network. Hackers generally use network listening to intercept user passwords. For example, when someone has taken over a host and wants to extend that result to the whole LAN the host belongs to, listening is usually the shortcut he chooses. Many times I have seen beginners on various security forums who think that once they have taken one host it is very easy to get into the intranet. In fact, it is not easy to enter one host and then move to another machine on its internal network, because besides obtaining their passwords you also need a path to the other machines, and of course that path must end with write permission. At this point, running a listener on the controlled host has a great effect. However, it is a difficult task, and it requires patience and adaptability from the attacker.
Listener principles
Ethernet, a popular LAN technology invented by Xerox, consists of a cable to which all computers are connected; each computer needs a piece of hardware called an interface board (network card) to connect to the Ethernet. The protocol works by sending packets to all connected hosts. The packet header contains the address of the host that should receive the packet, and only the host whose address matches the destination address in the packet accepts it. However, when a host is working in listening mode, it accepts the packet no matter what destination physical address it carries. Many LANs with dozens or even hundreds of hosts are connected by a single cable and a hub. From the point of view of the protocol implementer or the user, when two hosts in the same network communicate, the source host sends packets carrying the destination host's address directly to the target host; when a host communicates with an external host, the source host sends packets carrying the destination IP address to the gateway. But such packets cannot be sent directly from the top layer of the protocol stack: a packet to be sent must be passed from the IP layer of TCP/IP to the network interface, that is, the data link layer. Network interfaces do not recognize IP addresses, so the network interface adds an Ethernet frame header to the IP-layer packet. In that frame header there are two fields, the physical addresses of the source host and of the destination host, which are the only addresses the network interface recognizes. This is a 48-bit address corresponding to the IP address; in other words, each IP address also corresponds to a physical address. A gateway host, because it connects to several networks, has several IP addresses, one on each network, and the physical address of the gateway is the one that frames leaving the network are addressed to.
In Ethernet, the frame carrying the physical address is sent from the network interface, that is, from the NIC, onto the physical line. If the LAN is built from thick or thin coaxial cable, the digital signal transmitted over the cable reaches every host on the line. When a hub is used, the outgoing signal is sent to the hub, and the hub sends it to every line connected to it, so the signal on the physical line reaches every host connected to the hub. When the digital signal reaches the network interface of a host, the interface under normal conditions checks the frame it reads: if the physical address carried in the frame is its own address or the broadcast address, the frame is handed to the IP-layer software. This check is performed for every frame that reaches the network interface. However, when the host is in listening mode, all frames are handed to the upper-layer protocol software for processing.
When hosts connected to the same cable or hub are logically divided into several subnets, a host in listening mode can also receive packets sent to hosts that are not on its own subnet (with different masks, IP addresses, and gateways); all information transmitted over the same physical channel can be received.
On UNIX systems, a user with superuser permission who wants to put a host under his control into listening mode only needs to send an I/O control command to the network interface to set the host to listening mode. On Windows 9x, a monitoring tool can be run directly, regardless of whether the user has the permission or not.
When listening on a network, a large amount of information (including a lot of junk) usually has to be saved, and the collected information has to be organized in bulk; this slows the response of the monitored machine to requests from other users. At the same time, the listener consumes a lot of processing time when running. If the contents of packets are analyzed in detail at that time, many packets are missed and never received. So in many cases the listener stores the packets in a file and waits for further analysis. Analyzing the captured packets is a headache, because the packets on the network are very complex. When packets are sent and received continuously between two hosts, interactive packets from other sessions are mixed into the listening results. It is not easy for the listener to sort the packets of the same TCP session together. To reconstruct a user's details, the packets must be analyzed extensively according to their protocols, and with so many protocols on the Internet, the listener would become very large.
The protocols used on the network were designed earlier, and many of them are implemented on the very friendly basis that the communicating parties fully trust each other. In a general network environment, user information, including passwords, is transmitted over the Internet in plain text. Therefore, obtaining user information through network monitoring is not a difficult task: with only a preliminary knowledge of TCP/IP, you can easily listen for the information you want. Some time ago, the Chinese American China-babble proposed extending listening from the LAN to the wide area network, but this idea was quickly rejected. If it were possible, I think the network would be a mess. In fact, some user information can be monitored and intercepted on a WAN, but it is not very significant, and on the entire Internet even less so.
The following are some famous listening programs in the system. You can try them yourself.
Windows9x/NT netxray http://semxa.kstar.com/hacking/netxray.zip
Dec Unix/Linux tcpdump http://semxa.kstar.com/hacking/management.zip
Solaris nfswatch http://semxa.kstar.com/hacking/nfswatch.zip
SunOS etherfind http://semxa.kstar.com/hacking/etherfind012.zip
Measure the test taker's knowledge about how to detect a network listener.
The network listener described above was designed to let system administrators manage the network and monitor its status and data flow. Because it can intercept network data, however, it is also one of the hacker's common tools.
In general, the following methods can be used to detect a network listener:
► Network listening is genuinely hard to detect. A host running a listener only passively receives the frames that pass over the Ethernet; it does not exchange information with other hosts and does not modify the packets in transit. That is what makes detecting a listener troublesome.
In general you can check with ps -ef or ps -aux. However, most listeners ship with a modified ps to defeat exactly this check: all it takes is a small shell wrapper that filters the listener's name out of the output. Anyone capable of starting a listener is unlikely to have overlooked this, unless they are lazy.
As noted above, a running listener generally makes the host slower to respond, so some people suggest judging whether a host is listening by its response rate. If that were reliable the world would be in chaos: response time varies for so many reasons that, over any period, countless hosts would look as if they were running listeners.
If you suspect that a computer on the network is running a listener, you can ping it with its correct IP address but a wrong physical (MAC) address. A normal machine does not receive a ping frame addressed to the wrong physical address, but a machine in listening mode does, and if its IP stack performs no further check on the destination hardware address it will reply. This method does not work on many systems, however, because it depends on the behaviour of the system's IP stack.
Another approach is to send a large number of packets to non-existent physical addresses. A listener typically processes all of them, which degrades the machine's performance; you can measure this by comparing ICMP echo delays before and during the flood. You could also search for the programs running on every host in the network, but the difficulty is obvious: not only is it a large amount of work, it is also impossible to check the processes on all hosts at the same moment. If the administrator does this anyway, it must at least be established whether a suspect process was started from the administrator's own machine.
In UNIX, you can use the PS-Aun or PS-augx command to generate a list of all processes: the owner of the process and the time and memory occupied by these processes.
These are output as standard tables on stdout. If a process is running, it will be listed in this list. However, many hackers will politely modify ps or other running programs into Trojan Horse programs when running the listeners, because they can do this completely. If this is the case, the above method will not produce any results. However, to a certain extent, this is still useful. On UNIX and Windows NT, you can easily get the list of current processes. However, DOS,
Windows 9x seems to be difficult to implement. I don't know if I have tested it.
Another method relies on luck. Most of the listening programs hackers use are obtained free online rather than being professional products, so as administrator you can search the hosts for the known listener binaries. Write such a search tool under Unix; otherwise the search will be exhausting.
Under UNIX there is a tool called ifstatus that reports whether a network interface is in debug or promiscuous mode; an interface in that mode is very likely being used by a listener. ifstatus normally produces no output and prints something only when it finds an interface in listening mode. The administrator can schedule it with the system's cron so that it runs regularly; a properly working cron mails any output to the owner of the job, so the administrator is notified only when there is a hit. To do this, add a crontab line that runs /usr/local/etc/ifstatus.
You can also run a wrapper script from crontab, for example at minute 0 of every hour: 00 * * * * /usr/local/etc/run-ifstatus
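On Linux the same check can be done without ifstatus, because the kernel exposes each interface's flags in /sys/class/net/<iface>/flags as a hex number and sets IFF_PROMISC (0x100) while the interface is in promiscuous mode. The script below is an added example, not part of the original article or of ifstatus; the sysfs path and the decision to skip the loopback interface are assumptions made here. Like ifstatus it prints nothing unless it finds something, so it fits the cron-mails-on-output pattern described above.

```python
"""Report Linux interfaces whose IFF_PROMISC flag is set (promiscuous mode).
Exit status 1 when any are found, 0 otherwise, so it also works as a probe."""
import os
import sys

IFF_PROMISC = 0x100   # from <linux/if.h>

def is_promiscuous(flags_hex):
    """flags_hex is the text of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the sorted names of interfaces currently in promiscuous mode.
    The loopback interface is skipped (assumption: a sniffer on lo is of no
    interest for detecting network listening)."""
    hits = []
    try:
        names = sorted(os.listdir(sysfs_root))
    except FileNotFoundError:
        return hits          # not Linux, or sysfs not mounted
    for name in names:
        if name == "lo":
            continue
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as f:
                if is_promiscuous(f.read()):
                    hits.append(name)
        except OSError:
            pass             # interface vanished between listdir() and open()
    return hits

if __name__ == "__main__":
    found = promiscuous_interfaces()
    for name in found:
        print(f"{name}: PROMISC set (interface is in listening mode)")
    sys.exit(1 if found else 0)
```

The same limitation as with ps applies: a kernel-level rootkit can clear or hide the flag, and a sniffer attached to an interface that receives all traffic anyway (a hub port or a switch mirror port) need not set it. Treat a hit as strong evidence and a miss as inconclusive.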
What is needed to defend against listening? Generally a listener is only interested in user password information (no hacker, however bored, wastes time listening to the chat between two machines). User and password information must therefore be encrypted so that it is never transmitted in plain text. Modern networks use the SSH protocol (Secure Shell, which provides secure communication at the application layer). SSH uses port 22 and is designed for communication over channels that are not assumed to be safe from listening: it uses the RSA algorithm for authentication, and once authentication completes all traffic is encrypted with IDEA. SSH is not completely secure, however; at least for now that much can be said.
The famous listening tool: sniffer
Sniffer is well known because it performs well in many respects and can listen to (even hear and see) everything transmitted on the network. A sniffer can be hardware or software; its main job is to receive the information transmitted over the network. It can work under a variety of protocols, including Ethernet, TCP/IP, IPX and so on, or a combination of them.
A sniffer is a very dangerous thing. It can intercept passwords, information that was meant to be secret or confined to a dedicated channel, credit card numbers, financial data, e-mail and so on. It can also be used to attack adjacent networks.
A sniffer can be used on almost any platform, and it is impossible to prevent its use entirely, which makes it one of the most serious challenges to network security.
An "enthusiast" has also written a plug-in for sniffer, a connection killer, that can cut a TCP connection completely. In short, sniffers deserve attention; otherwise security will never be at its best.
Sniffer (sniffer)-Overview
Sniffing is a common way of collecting useful data, whether user accounts and passwords or confidential business data. A sniffer can be a device that captures network packets. ISS defines a sniffer as a tool that uses a computer's network interface to intercept packets destined for other computers.
The legitimate use of a sniffer is mainly to analyze network traffic and identify potential problems. For example, if part of the network is performing badly and messages are slow to get through, but we do not know where the problem lies, a sniffer lets us pinpoint it. On a well-run network the sniffer matters to the system administrator, who can use it to diagnose many otherwise invisible, fuzzy problems: abnormal communication between two or more computers, sometimes involving several protocols. With a sniffer the administrator can easily determine which protocol accounts for what share of the traffic, which host generates most of it, which host is the most frequent destination, how many packets are sent and when, and the interval between packets exchanged by hosts. This information is valuable for identifying network problems and managing the network.
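The summary the administrator wants from a capture (traffic per protocol, top talkers, top destinations, inter-packet intervals per host pair) is a few counters over the packet records. This is an added example rather than output of any real sniffer; the records are constructed for the example and the record layout is an assumption.

```python
"""Traffic summary over captured packet records, the diagnostic view a
legitimate sniffer user is after."""
from collections import Counter, defaultdict

# Constructed sample: (timestamp_seconds, src_ip, dst_ip, protocol, length_bytes)
RECORDS = [
    (0.00, "10.0.0.5", "10.0.0.9", "TCP", 74),
    (0.02, "10.0.0.9", "10.0.0.5", "TCP", 66),
    (0.05, "10.0.0.7", "10.0.0.9", "UDP", 120),
    (0.40, "10.0.0.5", "10.0.0.9", "TCP", 1514),
    (0.41, "10.0.0.5", "10.0.0.9", "TCP", 1514),
    (0.90, "10.0.0.7", "10.0.0.9", "UDP", 120),
    (1.20, "10.0.0.6", "10.0.0.255", "UDP", 92),
]

def bytes_per_protocol(records):
    """Which protocol accounts for what share of the traffic (in bytes)."""
    counts = Counter()
    for _, _, _, proto, length in records:
        counts[proto] += length
    return dict(counts)

def top_sources(records, n=3):
    """Hosts generating the most traffic, by bytes sent."""
    counts = Counter()
    for _, src, _, _, length in records:
        counts[src] += length
    return counts.most_common(n)

def top_destinations(records, n=3):
    """Most frequent destinations, by packet count."""
    counts = Counter()
    for _, _, dst, _, _ in records:
        counts[dst] += 1
    return counts.most_common(n)

def mean_interval(records):
    """Mean gap in seconds between consecutive packets from src to dst, for
    every (src, dst) pair that sent more than one packet."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in sorted(records):
        times[(src, dst)].append(ts)
    return {pair: round(sum(b - a for a, b in zip(t, t[1:])) / (len(t) - 1), 3)
            for pair, t in times.items() if len(t) > 1}

if __name__ == "__main__":
    print("bytes per protocol:", bytes_per_protocol(RECORDS))
    print("top sources:", top_sources(RECORDS))
    print("top destinations:", top_destinations(RECORDS))
    print("mean interval per pair:", mean_interval(RECORDS))
```

A long mean interval between two hosts that should be busy, or one host dominating the byte count, is the kind of symptom that points the administrator at the right part of the network.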
A sniffer differs from a keystroke capture program: the keystroke logger captures the key values typed at the terminal, while the sniffer captures real network packets.
To understand how a sniffer works, we first briefly introduce how the hub and the NIC work.
Prerequisites
How the hub works
Because many networks such as Ethernet (typically intranets built around a shared hub) are bus-based, they are physically broadcast media: when one machine sends data to another, the shared hub receives it first and then repeats it out of every other port (every port except the one it arrived on). The NICs of all machines on the segment under the shared hub therefore receive the data.
A switching hub (switch) runs firmware that remembers the MAC address seen on each port, so a frame is sent only to the port where its destination MAC lives rather than to every port; under a switch only the NIC of the intended recipient receives the data. Broadcast frames are of course still sent to all ports. Clearly, while two machines exchange data through a shared hub, the other machines' ports are tied up too, so a shared hub allows only one pair of machines on the segment to communicate at a time. With a switch, a transfer between two machines does not occupy the other ports, so other pairs can transmit at the same time. This is the difference between a shared hub and a switch: on a shared hub only one machine can transmit at a time and every machine receives the data, whereas on a switch, apart from broadcasts, several machines can transmit simultaneously and each conversation stays private.
How NICs work
Now the network adapter. The NIC receives the transmitted data; its firmware first reads the destination MAC address in the frame header and, according to the receive mode set by the NIC driver on the computer, decides whether to accept the frame. If it is accepted, the NIC raises an interrupt to the CPU; otherwise the frame is discarded. The NIC does this filtering because the computer itself does not know which data it should receive. When the CPU gets the interrupt, the operating system calls the driver at the interrupt-handler address registered by the NIC driver to receive the data, and the driver places the data in a buffer for the operating system to process.
How LAN works
Data travels on the network in small units called frames. A frame is made up of several parts with different functions (for example, the first 12 bytes of an Ethernet frame hold the destination and source hardware addresses, which tell the network where the data is going and where it came from; the rest of the frame carries the actual user data together with the TCP/IP or IPX headers).
The frame is assembled by a specific network driver, sent through the NIC onto the network cable, and the reverse process is performed at the target machine's end. The receiver's Ethernet card captures the frames, notifies the operating system that they have arrived, and stores them. It is during this transmission and reception that the sniffer creates its security problem.
In general, every network interface on the same LAN segment has access to all data transmitted on the physical medium. Each interface has a hardware address that differs from those of the other interfaces on the network, and each network has at least one broadcast address (representing all interfaces). Under normal circumstances, a network interface responds only to two kinds of frame:
1. Frames whose destination field holds a hardware address matching the local interface.
2. Frames whose destination field holds the broadcast address.
When either kind of frame is received, the NIC raises a hardware interrupt that gets the operating system's attention, and the data contained in the frame is passed to the system for further processing.
When a user sends a message through a shared hub, it reaches every available machine on the LAN. All machines on the network can "hear" the traffic passing by, but they do not respond to messages that are not theirs (in other words, workstation A does not capture data belonging to workstation B; it simply ignores it).
If a machine's network interface is in promiscuous mode (meaning the NIC accepts every frame it sees; more on this below), it can capture every packet and frame on the network. A machine configured this way, together with its software, is a sniffer.
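The receive rules above, and the detection trick from the earlier section (an echo request with the correct IP address but a wrong destination MAC), come down to one filter on the first six bytes of the frame. The code below is an added example, not from the original article: it builds Ethernet II frames with `struct`, applies the normal-mode and promiscuous-mode filters, and shows what each host on a shared hub actually passes up to its operating system. All MAC addresses, hosts and payloads are made up for the example.

```python
"""NIC receive filter over constructed Ethernet frames: normal mode keeps own
unicast plus broadcast, promiscuous mode keeps everything."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst, src, ethertype, payload):
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte type."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def parse_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}

def nic_accepts(frame, own_mac, promiscuous=False):
    """The two rules from the text: own unicast address or broadcast.
    Promiscuous mode disables the check and passes every frame up."""
    if promiscuous:
        return True
    dst = parse_frame(frame)["dst"]
    return dst == own_mac or dst == BROADCAST

HOSTS = {"A": mac("00:11:22:33:44:aa"),
         "B": mac("00:11:22:33:44:bb"),
         "C": mac("00:11:22:33:44:cc")}   # C is the would-be sniffer

# Constructed traffic on a shared hub: A and B talk, plus one ARP broadcast.
FRAMES = [
    build_frame(HOSTS["B"], HOSTS["A"], ETH_P_IP, b"USER alice"),
    build_frame(HOSTS["A"], HOSTS["B"], ETH_P_IP, b"331 password?"),
    build_frame(BROADCAST, HOSTS["A"], ETH_P_ARP, b"who-has 10.0.0.9"),
]

def what_each_host_sees(frames, promiscuous_hosts=()):
    """On a hub every NIC sees every frame; return what each one passes up."""
    seen = {name: [] for name in HOSTS}
    for frame in frames:
        for name, addr in HOSTS.items():
            if nic_accepts(frame, addr, promiscuous=name in promiscuous_hosts):
                seen[name].append(parse_frame(frame)["payload"])
    return seen

def bogus_mac_probe_reaches_stack(target_promiscuous):
    """Detection trick from the text: an echo request carrying the target's
    correct IP address but a wrong destination MAC. A normal NIC drops it;
    a promiscuous NIC hands it to the IP stack, which may then reply."""
    bogus = mac("00:de:ad:be:ef:00")
    probe = build_frame(bogus, HOSTS["C"], ETH_P_IP, b"ICMP echo request to B's IP")
    return nic_accepts(probe, HOSTS["B"], promiscuous=target_promiscuous)

if __name__ == "__main__":
    print("normal:", what_each_host_sees(FRAMES))
    print("C promiscuous:", what_each_host_sees(FRAMES, promiscuous_hosts=("C",)))
    print("probe reaches stack:", bogus_mac_probe_reaches_stack(False),
          bogus_mac_probe_reaches_stack(True))
```

Whether the probed host actually answers the bogus-MAC echo request depends on its IP stack, as the text says; the filter only decides whether the stack gets to see it.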
Sniffer
Sniffer Principle
With the hub and NIC principles covered, we can turn to the sniffer. First, a sniffer can only capture packets whose physical signal actually reaches its interface. As long as the NIC is told to accept every packet it receives (promiscuous mode; every device on the segment hears what is on the bus, not just its own data), a host on a shared hub receives every packet on the segment. Under a switch, however, it receives only broadcasts in addition to its own packets.
To receive other machines' packets under a switch, you have to make the switch deliver them to your port. The switch learns the MAC address belonging to a port by recording the source MAC of frames arriving on it, much like the ARP table that maps a machine's IP address to its MAC: it maintains a table of physical ports (the sockets the network cables plug into; every "hub port" mentioned below means such a socket) against MAC addresses. This table can be fooled. Send a frame whose source MAC is the MAC of the machine whose traffic you want, and the switch binds that MAC to the port your cable is plugged into, so frames for that MAC are delivered to your socket and your NIC can sniff them. Note that the port/MAC table refreshes dynamically like an ARP table: as soon as the real machine sends a frame, the switch re-learns its real port, so the two of you are competing, and this method only works for listening to a few packets.
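The switch's port/MAC table and the race described above can be modelled in a few lines. This is an added example, not from the original article; the learning-switch model, port numbers, addresses and frames are all constructed here, and a real switch's table also ages entries out, which the model omits.

```python
"""Learning switch model: a forged source MAC rebinds the victim's address to
the attacker's port until the victim transmits again."""

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

HOST_A, HOST_B, ATTACKER = (mac("00:00:00:00:00:0a"),
                            mac("00:00:00:00:00:0b"),
                            mac("00:00:00:00:00:0c"))

class Switch:
    """Remembers on which port each source MAC was last seen."""
    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))
        self.table = {}                       # MAC -> port

    def receive(self, in_port, dst, src, payload):
        """Learn src on in_port, then return the ports the frame goes out of."""
        self.table[src] = in_port             # learn, or overwrite an older binding
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:   # broadcast or unknown unicast: flood
            return [p for p in self.ports if p != in_port]
        return [out]

def mac_spoof_scenario():
    """Ports that receive A's three frames to B: before the spoof, after the
    attacker forges B's source MAC, and after B transmits again."""
    sw = Switch(4)                            # A on port 1, B on port 2, attacker on port 3
    sw.receive(2, HOST_A, HOST_B, b"hello from B")       # switch learns B on port 2
    sw.receive(1, HOST_B, HOST_A, b"hello from A")       # switch learns A on port 1
    delivered = []
    delivered.append(sw.receive(1, HOST_B, HOST_A, b"A->B #1"))   # to port 2 (B)
    sw.receive(3, HOST_A, HOST_B, b"forged: src=B")      # attacker forges B's source MAC
    delivered.append(sw.receive(1, HOST_B, HOST_A, b"A->B #2"))   # to port 3 (attacker)
    sw.receive(2, HOST_A, HOST_B, b"B speaks again")     # real B re-learned on port 2
    delivered.append(sw.receive(1, HOST_B, HOST_A, b"A->B #3"))   # back to port 2
    return delivered

if __name__ == "__main__":
    print(mac_spoof_scenario())   # ports for A->B #1, #2, #3
```

Because the frame that carries the forged source address is itself delivered normally (here it reaches A), and because B reclaims its port with its very next frame, the attacker captures only the frames A sends in the gap, which is the text's point that this works for a few packets at a time.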
On an IP-based intranet you can use ARP to spoof other machines so that their traffic is sent to yours. To avoid disrupting the communication between the two parties, spoof both of them, have their traffic sent to your machine, and forward it on from there, which makes your machine a man-in-the-middle; this uses ARP
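What the attacker sends in that ARP spoof, and why it works, can be shown on the wire. This is an added example rather than code from the original article: it packs an ARP reply into an Ethernet frame with `struct` and applies it to a model of a host whose ARP cache accepts unsolicited replies (the weakness the technique relies on). All addresses are constructed, and the forwarding step that keeps the two victims talking is not modelled.

```python
"""ARP reply on the wire and its effect on an ARP cache that trusts
unsolicited replies: after poisoning both sides, each resolves the other's
IP to the attacker's MAC."""
import struct
import ipaddress

ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying the ARP reply 'sender_ip is at sender_mac'."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": smac, "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": tmac, "target_ip": str(ipaddress.IPv4Address(tip))}

class Host:
    def __init__(self, hw, ip):
        self.hw, self.ip, self.arp_cache = hw, ip, {}

    def receive_arp(self, frame):
        p = parse_arp(frame)
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            # Weakness: cached without checking that a request was ever sent
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]

    def next_hop(self, ip):
        """MAC this host would put in the destination field for ip."""
        return self.arp_cache.get(ip)

A_MAC, B_MAC, X_MAC = (mac("00:00:00:00:00:0a"),
                       mac("00:00:00:00:00:0b"),
                       mac("00:00:00:00:00:0c"))   # X is the attacker
A_IP, B_IP = "10.0.0.5", "10.0.0.9"

def arp_mitm_scenario():
    """Return (A's MAC for B, B's MAC for A) before and after the poisoning."""
    a, b = Host(A_MAC, A_IP), Host(B_MAC, B_IP)
    a.receive_arp(build_arp_reply(B_MAC, B_IP, A_MAC, A_IP))   # legitimate state
    b.receive_arp(build_arp_reply(A_MAC, A_IP, B_MAC, B_IP))
    before = (a.next_hop(B_IP), b.next_hop(A_IP))
    a.receive_arp(build_arp_reply(X_MAC, B_IP, A_MAC, A_IP))   # "B is at X", sent to A
    b.receive_arp(build_arp_reply(X_MAC, A_IP, B_MAC, B_IP))   # "A is at X", sent to B
    after = (a.next_hop(B_IP), b.next_hop(A_IP))
    return before, after

if __name__ == "__main__":
    print(arp_mitm_scenario())
```

Once both caches point at X, every frame A and B address to each other arrives at X's NIC, and X must forward them (IP forwarding enabled on the attacker) for the two victims not to notice. Cache entries expire, so the forged replies have to be repeated. On the defensive side, static ARP entries for critical hosts and a switch feature that validates ARP against known IP/MAC bindings remove the unsolicited-reply weakness the model depends on.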