Network listening attacks: packet capture and protocol analysis

Source: Internet
Author: User

When information is transmitted over a network, an attacker can use tools to put a network interface into listening mode and intercept or capture the traffic passing through it. Network listening can be carried out from any position on the network. Attackers generally use it to capture user passwords. For example, once someone has compromised a host and wants to extend that foothold to the whole LAN the host sits on, listening is usually the shortcut they choose. Many times I have seen beginners on security forums who think that once they have taken over one host, getting into the intranet behind it is easy. In fact, moving from one compromised host to another machine on its internal network is not easy: besides the passwords, you also need the absolute path of a share, and one that grants write permission. Running a listener on the controlled host at this point can produce great results, but it is hard work and requires patience and adaptability on the attacker's part.

Listener principles

Ethernet, the popular LAN technology invented at Xerox, consists of a shared cable to which all the computers are attached; each computer needs a piece of hardware called an interface board (a network interface card) to connect to it. The protocol works by sending every frame to all connected hosts. The frame header carries the address of the host that should receive it, and normally only the host whose own address matches that destination address accepts the frame. A host working in listening mode, however, accepts every frame regardless of its destination physical address. Many LANs with dozens or even hundreds of hosts are connected by a single cable and a hub. From the point of view of the protocol implementer or the user, when two hosts on the same network communicate, the source host sends packets addressed directly to the destination host; when a host communicates with a host outside the network, the source host sends packets carrying the destination IP address to the gateway. Such packets cannot be sent straight from the top of the protocol stack: a packet must travel from the IP layer of TCP/IP down to the network interface, that is, the data link layer. The network interface does not understand IP addresses, so the IP-layer packet is wrapped in an Ethernet header. That header contains two fields that only the network interface recognises: the physical (MAC) address of the source host and of the destination host. These are 48-bit addresses, and on the local segment each IP address corresponds to one physical address. A gateway host, because it connects several networks, has several IP addresses, each with its own physical address; packets bound for other networks carry the gateway's physical address as their destination, and the gateway relays them onward.

In Ethernet the frame carrying the physical address is sent from the network interface, that is, from the NIC onto the physical line. If the LAN is wired with thick or thin coaxial cable, the signal transmitted on the cable reaches every host on the line. When a hub is used, the outgoing signal goes to the hub, and the hub repeats it to every line connected to it, so again the signal on the physical medium reaches every host attached to the hub. When the signal reaches a host's network interface, the interface normally inspects the frame it has read: if the destination physical address in the frame is its own address, or the broadcast address, the frame is handed up to the IP layer software. This check is performed for every frame that reaches the interface. When the host is working in listening mode, however, every frame is handed to the upper-layer protocol software for processing. (On a switched LAN the switch forwards each unicast frame only to the port that leads to its destination address, so a host that merely listens there sees broadcast traffic and its own, not the whole segment.)

When hosts connected to the same cable or hub are logically divided into several subnets, a host in listening mode can still receive packets sent to a host that is not in its own subnet. Different masks, IP addresses and gateways make no difference: everything transmitted over the same physical channel can be received.

On UNIX systems, a user with superuser privileges who wants to put a host under his control into listening mode only needs to send an I/O control command (an ioctl) to the network interface to switch it into that mode. On Windows 9x, a monitoring tool can simply be run, regardless of the user's privileges.
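The frame format and the acceptance rule described above, as an added example that is not part of the original article. It parses constructed Ethernet frames, applies the normal-mode rule (own address or broadcast only) beside the listening-mode rule (everything on the wire), and shows how a Linux host is switched into listening mode from an AF_PACKET socket. The MAC addresses and frame contents are made up for the demonstration; the promiscuous-mode function is Linux-specific and needs root.

```python
# Added example (not from the original article): how an Ethernet frame carries
# the 48-bit physical addresses, and the acceptance rule a NIC applies in
# normal versus listening (promiscuous) mode. Frame bytes below are constructed.
import socket
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw frame into destination MAC, source MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """The filter the interface applies before handing a frame to the IP layer.

    Normal mode: only frames for our own address or the broadcast address.
    Listening mode: everything on the wire is passed up.
    """
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    return dst == own_mac or dst == BROADCAST_MAC


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def enable_promiscuous(ifname: str) -> socket.socket:
    """Linux only, needs root: the "I/O control command" of the text, done here
    through the PACKET_ADD_MEMBERSHIP option of an AF_PACKET socket. The kernel
    drops the interface out of promiscuous mode again when the socket is closed."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((ifname, 0))
    ifindex = socket.if_nametoindex(ifname)
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("iHH8s", ifindex, socket.PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return sock


# Constructed traffic on one shared segment: hosts A, B and C; we are host C.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
MAC_C = bytes.fromhex("ccddeeff0011")

SEGMENT = [
    build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, b"A->B unicast"),
    build_frame(MAC_C, MAC_A, ETHERTYPE_IPV4, b"A->C unicast"),
    build_frame(BROADCAST_MAC, MAC_B, ETHERTYPE_ARP, b"who-has broadcast"),
]


def frames_seen(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Payloads that reach the IP layer of the host with the given MAC."""
    return [parse_ethernet(f)["payload"] for f in frames
            if nic_accepts(f, own_mac, promiscuous)]


if __name__ == "__main__":
    print("normal mode:   ", frames_seen(SEGMENT, MAC_C, False))
    print("listening mode:", frames_seen(SEGMENT, MAC_C, True))
```

In normal mode host C receives only the frame addressed to it and the broadcast; in listening mode the A-to-B unicast frame is handed up as well, which is exactly what a password sniffer relies on.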

When listening to a network you usually need to save a large amount of information (much of it junk) and then sort through the collected data in bulk, which slows the monitored machine's response to requests from other users. At the same time the listener itself consumes a lot of processing time. If the contents of each packet are analysed in detail while capturing, many packets will be missed before they can be received, so the listener usually stores packets in a file and analyses them later. Analysing the captured packets is a headache, because traffic on a network is very complex. While packets are being sent and received continuously between two hosts, the interactive packets of other conversations are mixed into the capture, and it is not easy for the listener to gather the packets of one TCP session together. To extract a user's details you must do a great deal of analysis of the packets according to each protocol, and with so many protocols in use on the Internet, a listener that handles them all becomes very large.

The protocols used on the network were designed a long time ago, and many of them were implemented on a very friendly basis: the communicating parties fully trust each other. In a typical network environment, user information, including passwords, is transmitted in plain text. Network listening to obtain user information is therefore not a difficult task: with only a preliminary knowledge of TCP/IP you can easily capture the information you want. Some time ago the Chinese-American China-babble proposed extending listening from the LAN to the wide area network, but this idea was quickly rejected; if it worked, I think the network would be in chaos. In fact, some user information can be monitored and intercepted on a WAN, but it is not as obvious, and across the whole Internet it is even less so.
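The two difficulties just described, gathering the packets of one TCP session out of interleaved traffic (previous paragraph) and pulling a plaintext password out of the result (this paragraph), as one added example that is not part of the original article. It parses raw IPv4/TCP packets, groups them by connection regardless of direction, orders each direction by sequence number, drops a retransmitted duplicate, and then scans the client side of each stream for an FTP USER/PASS pair. The packets are constructed for the demonstration and carry no checksums; a real capture would also have to handle overlapping segments and sequence-number wraparound.

```python
# Added example (not from the original article): what a listener has to do with a
# pile of captured packets before a plaintext password falls out of it. Input is
# constructed: raw IPv4/TCP packets (no Ethernet header) from two interleaved
# sessions, one of them an FTP login, including one retransmitted segment.
import socket
import struct
from collections import defaultdict


def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, dst_ip, sport, dport, seq, flags, payload), or None if not TCP."""
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                       # protocol 6 = TCP
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return src, dst, sport, dport, seq, off_flags & 0x1FF, tcp[data_off:]


def session_key(src, dst, sport, dport):
    """Same key for both directions so a whole conversation groups together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def reassemble(packets) -> dict:
    """Group packets by session and direction, order each direction by sequence
    number and concatenate payloads. Returns {session_key: {(ip, port): bytes}}."""
    streams = defaultdict(lambda: defaultdict(list))
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, _flags, payload = parsed
        if payload:
            streams[session_key(src, dst, sport, dport)][(src, sport)].append((seq, payload))
    result = {}
    for key, dirs in streams.items():
        result[key] = {}
        for direction, chunks in dirs.items():
            chunks.sort(key=lambda c: c[0])
            seen, out = set(), []
            for seq, payload in chunks:      # a retransmit repeats a seq: keep one copy
                if seq not in seen:
                    seen.add(seq)
                    out.append(payload)
            result[key][direction] = b"".join(out)
    return result


def extract_ftp_logins(streams: dict) -> list:
    """Scan every direction of every stream for FTP USER/PASS lines sent in clear."""
    found = []
    for dirs in streams.values():
        for (ip, _port), data in dirs.items():
            user = password = None
            for line in data.split(b"\r\n"):
                if line.upper().startswith(b"USER "):
                    user = line[5:].decode(errors="replace")
                elif line.upper().startswith(b"PASS "):
                    password = line[5:].decode(errors="replace")
            if user and password:
                found.append((ip, user, password))
    return found


def make_packet(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Minimal IPv4+TCP builder (checksums left zero) for the constructed capture."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


CAPTURE = [
    make_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1000, b"USER alice\r\n"),
    make_packet("10.0.0.7", "10.0.0.9", 40002, 80, 5000, b"GET / HTTP/1.0\r\n\r\n"),
    make_packet("10.0.0.9", "10.0.0.5", 21, 40001, 2000, b"331 Password required\r\n"),
    make_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1000, b"USER alice\r\n"),   # retransmit
    make_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1012, b"PASS s3cret\r\n"),
]

if __name__ == "__main__":
    for ip, user, pw in extract_ftp_logins(reassemble(CAPTURE)):
        print(f"{ip}: user={user} pass={pw}")
```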

The following are some well-known listening programs for various systems. You can try them yourself.

Windows 9x/NT    netxray
DEC Unix/Linux   tcpdump
Solaris          nfswatch
SunOS            etherfind


How to detect a network listener

The network listeners described in the preceding section were designed for system administrators to manage networks and monitor network status and data flows. But because they can intercept network data, they are also one of the common tricks of hackers.

Generally, the following methods can be used to detect network listeners:

Network listening is genuinely hard to detect. While the host running the listener is only passively receiving the information transmitted over the Ethernet, it exchanges no information with other hosts and does not modify the packets transmitted on the network. This is what makes detecting network listeners troublesome.

In general, you can use ps -ef or ps -aux to look for the listener. However, most listener authors modify the ps command to defeat a ps -ef check; modifying ps so that it filters out the listener's name takes only a few lines of shell. Anyone capable of starting a listener certainly knows this much, unless he is lazy.

As mentioned above, a running listener generally affects the host and makes it respond slowly, so some people propose deciding whether a host is listening from its response speed. If that were reliable, I think the world would be in chaos: I cannot say there are not countless listening programs running at any given time. Haha.

If you suspect that a computer on the network is running a listener, how can the question be settled? You can ping it with the correct IP address but a wrong physical address, and a host running a listener will respond. A normal machine does not accept a ping frame sent to a wrong physical address, but a listening machine receives it, and if its IP stack does no further checking of the link-layer address it will reply. However, this method does not work on many systems, because it depends on the behaviour of the system's IP stack.

Another method is to send a large number of packets addressed to non-existent physical addresses onto the network. A listener will often process all of them, and the resulting drop in the machine's performance can be judged by comparing ICMP echo delays before and during the flood. You can also search for the programs running on every host in the network, but the difficulty of that is easy to imagine: it is not only a large workload, but the processes on all hosts cannot be checked at exactly the same time. Still, if an administrator does this, each process found must be checked to see whether it was started by the administrator.

On UNIX, ps -aux or ps -augx produces a list of all processes, with their owners and the time and memory each occupies, printed as a table on stdout. If a listener is running, it appears in this list. However, many hackers will politely replace ps or other utilities with Trojan-horse versions when they install a listener, since they are perfectly able to do so, and in that case the method yields nothing. To a certain extent it is still useful. On UNIX and Windows NT the current process list is easy to obtain; on DOS and Windows 9x it seems harder. I have not tested them yet.

Another way relies on luck. Most of the listening programs used by hackers are obtained free of charge online and are not professional tools, so as administrator you can search the system for known listeners. Write such a search tool as a UNIX script; otherwise it is exhausting. Haha.

There is a UNIX tool called ifstatus that identifies whether a network interface is in debug or promiscuous mode. If an interface is running in that mode, it is probably being used by a listener. ifstatus normally produces no output; it only prints something when it finds an interface in listening mode. The administrator can have cron run ifstatus regularly. With a good cron, the output is mailed to the owner of the cron job; to set this up, add a crontab entry such as

    0 0 * * * /usr/local/etc/ifstatus

If that is not suitable, a wrapper script can be run from crontab instead:

    00 * * * * /usr/local/etc/run-ifstatus
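An ifstatus-style check for a cron job, as an added example that is not from the original article and not the ifstatus program itself. It addresses the two points above: it reads the interface flags the Linux kernel reports in /sys/class/net/<if>/flags rather than trusting ps, and it lists the open raw-capture (AF_PACKET) sockets from /proc/net/packet and maps them back to their owning processes through /proc/<pid>/fd, which a trojaned ps cannot hide. It prints nothing when nothing is found, so cron mails its output only on a hit. The paths and flag value are Linux facts; the sample /proc/net/packet text is constructed for the offline demonstration.

```python
# Added example (not from the original article): an ifstatus-style cron check for
# Linux that does not rely on ps. Sysfs paths and IFF_PROMISC are kernel facts;
# SAMPLE_PROC_NET_PACKET is constructed in the kernel's /proc/net/packet layout.
import os
import re

IFF_PROMISC = 0x100               # from <linux/if.h>
SYSFS_NET = "/sys/class/net"

# Constructed sample: one tcpdump-like socket bound to interface index 2,
# protocol 0x0003 (ETH_P_ALL, every frame), owned by uid 0.
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      123456
"""


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net: str = SYSFS_NET) -> list:
    """Names of interfaces whose flags file has IFF_PROMISC set."""
    found = []
    if not os.path.isdir(sysfs_net):
        return found
    for ifname in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, ifname, "flags")) as fh:
                flags = int(fh.read().strip(), 16)     # kernel writes e.g. 0x1103
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(ifname)
    return found


def parse_proc_net_packet(text: str) -> list:
    """One entry per AF_PACKET socket; the inode is the last column."""
    sockets = []
    for line in text.splitlines()[1:]:             # first line is the column header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({"proto": int(cols[3], 16), "ifindex": int(cols[4]),
                        "uid": int(cols[7]), "inode": int(cols[8])})
    return sockets


def socket_owners(inodes, proc: str = "/proc") -> dict:
    """Map socket inodes to the pids holding them by reading /proc/<pid>/fd links,
    which does not go through ps, so a trojaned ps does not hide the process."""
    wanted = {int(i) for i in inodes}
    owners = {}
    link_re = re.compile(r"socket:\[(\d+)\]")
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                            # not our process, or it exited
            continue
        for fd in fds:
            try:
                m = link_re.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def report(promisc_ifaces, sockets, owners) -> list:
    """Lines to print (and so to be mailed by cron); empty when nothing is found."""
    lines = [f"interface {n} is in promiscuous (listening) mode" for n in promisc_ifaces]
    for s in sockets:
        lines.append(f"AF_PACKET socket inode {s['inode']} uid {s['uid']} ifindex "
                     f"{s['ifindex']} proto 0x{s['proto']:04x} pids {owners.get(s['inode'], [])}")
    return lines


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            socks = parse_proc_net_packet(fh.read())
    except OSError:
        socks = []
    for line in report(promiscuous_interfaces(), socks,
                       socket_owners([s["inode"] for s in socks])):
        print(line)
```

Run it from crontab the same way as ifstatus; an interface flagged promiscuous without a matching AF_PACKET socket in the list is worth a closer look, since the capture may be happening in a process the script is not privileged to inspect.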

Defending against listening

Generally, listeners are only interested in user password information (no hacker is so bored as to waste time listening to chat between two machines). It is therefore necessary to encrypt user information and password information so that they are not transmitted in plain text where they can be captured. Modern networks already use the SSH communication protocol (a protocol that provides secure communication in the application environment). SSH uses port 22; it rules out listening on communications over insecure channels by encrypting them: the RSA algorithm is used for authentication, and once authentication is complete all traffic is encrypted with the IDEA cipher. However, SSH is not completely secure; at least that much can be said boldly today.

The well-known listening tool: Sniffer

Sniffer is well known because it performs well in many respects and can listen to (even hear and see) everything transmitted on the network. Sniffer can be hardware or software. It is mainly used to receive information transmitted over a network, which may run any of a variety of protocols, including Ethernet, TCP/IP, IPX and so on, or a combination of protocols.

Sniffer is a very dangerous thing. It can capture passwords, intercept information that was meant to be secret or confined to a dedicated channel, and intercept credit card numbers, financial data, e-mail and so on. It can also be used to attack neighbouring networks.

Sniffer can be used on any platform, and the fact that its use cannot be prevented is the most serious challenge to network security.

Among Sniffer's users there is also an "enthusiast" who wrote a plugin for it, called the top-line killer, which can cut a TCP connection outright. In short, Sniffer deserves people's attention; otherwise security will never be at its best.
