Prevent Network sniffing

Author: free pig

The most common security threats come from the inside, and these threats are often fatal: their destructiveness far exceeds that of external threats. Network sniffing is a simple technique but a serious threat to ordinary security defences, and many attackers use a sniffer to penetrate a network.

The threat a sniffer poses to information security comes from its passive, non-intrusive nature: this makes sniffing highly concealed and often makes leaks of network information hard to discover. This article analyses the principles of network sniffing, walks through some examples, proposes countermeasures and shares practical experience.

1. Principle of a sniffer attack

A sniffer is a technique that uses a computer's network interface to intercept packets destined for other computers. It works at the bottom layer of the network and records everything transmitted over it. A sniffer can help the network administrator find network vulnerabilities and measure network performance, and by analysing traffic it can identify potential problems in the network.

How easy a network is to listen on depends on the transmission medium. Ethernet is generally the easiest, because it is a broadcast network. FDDI token ring is also exposed: although it is not a broadcast network, a frame carrying the token passes through, on average, half the stations on the ring. Microwave and wireless networks are likewise easy to monitor, because radio is itself a broadcast medium and signals scattered through the air can be intercepted readily. Most sniffers can analyse at least the following protocols and media:

Standard Ethernet

TCP/IP

IPX

Decnet

FDDI Token

Microwave and wireless networks.

In practice a sniffer can be software or hardware. A software sniffer is cheap and easy to use; its drawback is that it often cannot capture all the data transmitted on the network (fragments, for example), so it may not give a complete picture of network faults and operating conditions. A hardware sniffer is usually called a protocol analyser; its strength is precisely where the software sniffer is weak, but it is expensive. Today most sniffers in use are software.

The sniffer captures real network packets. It does this by putting a network interface into a special state, for example setting the Ethernet card to promiscuous mode. Data travels on the network in units called frames. A frame is assembled by the network driver software and then sent onto the cable through the network card; at the receiving end the reverse happens: the receiver's Ethernet card captures the frame, notifies the operating system that it has arrived, and the operating system stores it.

In this send-and-receive process every workstation on the LAN has its own hardware address, which uniquely identifies the machine on the network. When a user sends a packet on a shared-medium LAN, the frame reaches every machine on the segment. In general every machine on the network can "hear" the traffic passing by, but ignores frames that are not addressed to it. If a workstation's network interface is in promiscuous mode, it captures every packet and frame on the segment; a workstation configured this way, together with its software, is a sniffer. This is the root of the security problems a sniffer causes.

An intruder who wants to sniff needs a foothold on which to run the sniffer. An external intruder obtains one by compromising an Internet-facing server or by sending a Trojan to an internal workstation and then installing the sniffer there; an insider can choose the location directly, for instance by attaching a physical sniffing device at some point on the network that is not easily spotted by eye. Short of manually inspecting every segment of cable there is no easy way to find such a connection (though a network topology mapping tool can detect the additional IP address).

Possible hazards of the sniffer:

The sniffer can capture passwords;

Ability to capture private or confidential information;

It can be used to endanger neighbouring hosts on the network or to obtain higher access privileges;

It reveals the network structure for use in penetration.

2. Sniffer attack example

Sniffers for Linux and UNIX environments include tcpdump, Nmap, linsniffer, hunt and sniffit. linsniffer is a simple and practical sniffer whose main feature, at which it excels, is capturing user names and passwords. Note: the network header files (tcp.h, ip.h, inet.h, if_ether.h) needed to compile it must be present on the Linux system. Although the tool is easy to use, linsniffer needs a complete set of IP header files, including those usually kept in /usr/include/net and /usr/include/netinet, so make sure the PATH variable contains /usr/include before compiling.

After obtaining the software, go to the src directory and compile linsniffer with: $ cc linsniffer.c -o linsniffer

To run linsniffer, enter: $ linsniffer

On startup linsniffer creates an empty file, tcp.log, in which it stores the sniffing results.

For example, create a user named "goodcjh" on a Linux server with the password "fad". Then log on to the Linux server as that user from the host cjh and perform some ordinary user operations. The following is an FTP session:

cjh$ ftp www.red.net
Connected to www.red.net.
220 www.red.net FTP server (Wed Aug 19 02:55:52 MST 2002) ready.
Name (www.red.net:root): goodcjh
331 Password required for goodcjh.
Password:
230 User goodcjh logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 goodcjh  goodcjh      1024 May 20 .
drwxr-xr-x   6 root                  1024 May 20 ..
-rw-r--r--   1 goodcjh  goodcjh        96 May 20 .bash_history
-rw-r--r--   1 goodcjh  goodcjh        49 Nov 25  2002 .bash_logout
-rw-r--r--   1 goodcjh  goodcjh       913 Nov 24  2002 .bashrc
-rw-r--r--   1 goodcjh  goodcjh       650 Nov 24  2002 .cshrc
-rw-r--r--   1 goodcjh  goodcjh       111 Nov  3  2002 .inputrc
-rwxr-xr-x   1 goodcjh  goodcjh       186 Sep  1  2002 .kshrc
-rw-r--r--   1 goodcjh  goodcjh       392 Jan  7  2002 .login
-rw-r--r--   1 goodcjh  goodcjh        51 Nov 25  2002 .logout
-rw-r--r--   1 goodcjh  goodcjh       341 Oct 13  2002 .profile
-rwxr-xr-x   1 goodcjh  goodcjh       182 Sep  1  2002 .profile.ksh
drwxr-xr-x   2 goodcjh  goodcjh      1024 May 14 .seyon
drwxr-xr-x   3 goodcjh  goodcjh      1024 May 14 lg
226 Transfer complete.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 goodcjh  goodcjh      1024 May 20 .
drwxr-xr-x   6 root                  1024 May 20 ..
-rw-r--r--   1 goodcjh  goodcjh        96 May 20 .bash_history
-rw-r--r--   1 goodcjh  goodcjh        49 Nov 25  2002 .bash_logout
-rw-r--r--   1 goodcjh  goodcjh       913 Nov 24  2002 .bashrc
-rw-r--r--   1 goodcjh  goodcjh       650 Nov 24  2002 .cshrc
-rw-r--r--   1 goodcjh  goodcjh       111 Nov  3  2002 .inputrc
-rwxr-xr-x   1 goodcjh  goodcjh       186 Sep  1  2002 .kshrc
-rw-r--r--   1 goodcjh  goodcjh       392 Jan  7  2002 .login
-rw-r--r--   1 goodcjh  goodcjh        51 Nov 25  2002 .logout
-rw-r--r--   1 goodcjh  goodcjh       341 Oct 13  2002 .profile
-rwxr-xr-x   1 goodcjh  goodcjh       182 Sep  1  2002 .profile.ksh
drwxr-xr-x   2 goodcjh  goodcjh      1024 May 14 .seyon
drwxr-xr-x   3 goodcjh  goodcjh      1024 May 14 lg
226 Transfer complete.
ftp> ls -F
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 goodcjh  goodcjh      1024 May 20 ./
drwxr-xr-x   6 root                  1024 May 20 ../
-rw-r--r--   1 goodcjh  goodcjh        96 May 20 .bash_history
-rw-r--r--   1 goodcjh  goodcjh        49 Nov 25  2002 .bash_logout
-rw-r--r--   1 goodcjh  goodcjh       913 Nov 24  2002 .bashrc
-rw-r--r--   1 goodcjh  goodcjh       650 Nov 24  2002 .cshrc
-rw-r--r--   1 goodcjh  goodcjh       111 Nov  3  2002 .inputrc
-rwxr-xr-x   1 goodcjh  goodcjh       186 Sep  1  2002 .kshrc*
-rw-r--r--   1 goodcjh  goodcjh       392 Jan  7  2002 .login
-rw-r--r--   1 goodcjh  goodcjh        51 Nov 25  2002 .logout
-rw-r--r--   1 goodcjh  goodcjh       341 Oct 13  2002 .profile
-rwxr-xr-x   1 goodcjh  goodcjh       182 Sep  1  2002 .profile.ksh*
drwxr-xr-x   2 goodcjh  goodcjh      1024 May 14 .seyon/
drwxr-xr-x   3 goodcjh  goodcjh      1024 May 14 lg/
226 Transfer complete.
ftp> cd lg
250 CWD command successful.
ftp> ls -F
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 8
drwxr-xr-x   3 goodcjh  goodcjh      1024 May 14 ./
drwxrwxr-x   4 goodcjh  goodcjh      1024 May 20 ../
-rw-r--r--   1 goodcjh  goodcjh        70 Aug 22  2002 lg3_colors
-rw-r--r--   1 goodcjh  goodcjh       629 Aug 22  2002 lg3_prefs
-rw-r--r--   1 goodcjh  goodcjh       728 Aug 22  2002 lg3_soundpref
-rw-r--r--   1 goodcjh  goodcjh      2024 Aug 22  2002 lg3_startup
drwxr-xr-x   2 goodcjh  goodcjh      1024 May 14 lg_layouts/
226 Transfer complete.
ftp> cd lg_layouts
250 CWD command successful.

The above is a typical user session. Now let us look at the sniffing result recorded by linsniffer:

cjh => www.red.net [21]
USER goodcjh
PASS fad
SYST
PORT 4,192
LIST -al
PORT 4,193
LIST
PORT 4,194
LIST -F
CWD lg
PORT 4,195
LIST -F

The output is easy to read. First it records the FTP connection from the host cjh to the Linux host www.red.net: cjh => www.red.net [21]. Then linsniffer captured goodcjh's user name and password. Finally it records every command goodcjh issued:

SYST
PORT 4,192
LIST -al
PORT 4,193
LIST
PORT 4,194
LIST -F
CWD lg
PORT 4,195
LIST -F

As this shows, linsniffer's output is very concise, well suited to eavesdropping on passwords and recording routine activity, but not to more complex analysis.

A sniffer can help network administrators find vulnerabilities and measure performance, but it is a double-edged sword and can do great harm. Sniffer attacks are very common; a good sniffer can capture thousands of passwords. One of the largest sniffer attacks was discovered in 1994 and was considered the most damaging: many hosts reachable via FTP, telnet or rlogin were compromised. In this incident (the attacker was on rahul.net) the sniffer ran for only 18 hours, during which several hundred hosts were exposed. "The victims included 268 sites, including MIT, the US Navy and Air Force, Sun, IBM, NASA, and hosts in Canada and Belgium ......"

3. Security protection against sniffers

1. Detecting the sniffer

One way to detect a sniffer is to look for network cards in promiscuous mode. Because a sniffer must put the card of the compromised host into promiscuous mode, a tool that detects cards in that mode, such as AntiSniff, can find it. The software can be downloaded from http://www.l0pht.com/antisniff/ and comes with detailed instructions.
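A host-side counterpart to the AntiSniff check above: this added example (not AntiSniff and not from the article) reports interfaces in promiscuous mode on a Linux host, first by parsing `ip -o link` flag lists and then by testing the IFF_PROMISC bit (0x100) in /sys/class/net/<if>/flags; the `ip -o link` sample is constructed.

```shell
#!/bin/sh
# Added example: find interfaces in promiscuous mode on the local host.
# Assumes a Linux host; the sample `ip -o link` output below is constructed.

# Constructed sample of `ip -o link show`: only eth1 carries the PROMISC flag.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# Print the name of every interface whose flag list contains PROMISC.
# Field 2 is "name:" (or "name@ifN:" for virtual links), field 3 the flags.
promisc_from_link_output() {
    printf '%s\n' "$1" | awk '$3 ~ /[<,]PROMISC[,>]/ {
        sub(/:$/, "", $2); sub(/@.*/, "", $2); print $2 }'
}

# Succeed when the hex flags word from /sys/class/net/<if>/flags has
# IFF_PROMISC (0x100) set: 0x1103 -> promiscuous, 0x1003 -> not.
flags_promisc() {
    [ -n "$1" ] || return 1
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Live check against sysfs. Prints nothing when no interface is promiscuous
# (or when not on Linux, since the glob then matches nothing readable).
scan_sysfs_promisc() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        ifname=${f#/sys/class/net/}
        ifname=${ifname%/flags}
        if flags_promisc "$(cat "$f")"; then
            printf '%s\n' "$ifname"
        fi
    done
}

echo "promiscuous in sample output: $(promisc_from_link_output "$SAMPLE_IP_LINK")"
echo "promiscuous on this host: $(scan_sysfs_promisc | tr '\n' ' ')"
```

This only finds sniffers on hosts you can log in to; a passive tap or a switch mirror port leaves no trace on any workstation, which is why the article also turns to physical checks such as the TDR.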

Two empirical signs that your network is being sniffed:

A very high packet loss rate: network management software shows how packets are being delivered, and the simplest tool is the ping command, which reports what percentage of packets were dropped. If the network structure is normal yet 20%-30% of packets are lost and traffic cannot flow smoothly to its destination, someone may be listening, because the sniffer is intercepting packets.

Abnormal bandwidth use: some bandwidth controllers show the current distribution of network bandwidth in real time. If one machine occupies a large share of the bandwidth for a long time, that machine may be listening. Changes in network throughput can also be watched.

On SunOS and other BSD UNIX systems, lsof (which lists open files) can be used to detect a sniffer. lsof was not designed to counter sniffing, but a sniffer opens an output file and writes what it intercepts into it, so that file keeps growing. If lsof shows a file whose size grows continuously, we can suspect the system is being sniffed, because most sniffers write the intercepted TCP/IP data into their own output file. Here you can use ifconfig le0 to check the interface, then:

# /usr/sbin/lsof > test

# vi test   (or grep for the open port number)

and watch for files whose size keeps changing.

Note: if you are sure someone has attached a sniffer to your network, there are verification tools. One is the time domain reflectometer (TDR), which measures the propagation of electromagnetic waves and their variation. Connecting a TDR to the network can detect unauthorised devices tapping network data. However, many small and medium-sized companies do not have such an expensive instrument.

2. Hide the data so that the sniffer cannot read it

Sniffers are hard to detect because they are passive programs. A sophisticated attacker can easily cover their tracks by tampering with log files, leaving no trail to audit. Fully active solutions are hard to find, but we can adopt several passive defences:

Secure topology;

Session encryption;

Replace dynamic with static ARP or IP-MAC tables.

Secure topology:

A sniffer can only capture data on its own network segment, so the finer the segmentation, the less a sniffer can collect. Unless your company is an ISP or has relatively unrestricted resources, though, this is costly: segmentation requires expensive hardware. Three kinds of device stop a sniffer at the boundary: switches, routers and bridges, and they can be used flexibly to segment the network.

Most older internal networks connect workstations through hubs, which means traffic is broadcast to every workstation, exactly what a sniffer needs; an ordinary sniffer only captures what reaches it, so the goal is to stop data flooding the segment. As switch prices fall, replacing hubs with switches has become feasible and necessary: a switch prevents a workstation from receiving traffic not meant for it. Segment the network further, for example with VLANs on the switch, to isolate unnecessary traffic. About 20 workstations per group is a reasonable size. Then inspect each segment manually every month (or pick a segment at random each month and check it with MD5). Segmentation suits small and medium networks only: for 500 workstations spread across more than 50 departments, full segmentation is very expensive.

Session Encryption:

Session encryption offers another approach: rather than worrying about whether data is sniffed, make the data useless to the sniffer. The advantage is obvious: even if the attacker captures the data, it does him no good. S/Key, like other one-time password schemes, makes eavesdropped account information meaningless. The principle of S/Key is that the remote host already holds a secret password (which is never transmitted over the insecure network); when the user connects, the host sends a "challenge", and the user runs the challenge and the password through an algorithm to produce the correct "response" (provided both sides hold the right password). Authentication thus never transmits the password over the network, and the same challenge/response pair never appears twice. S/Key can be obtained from ftp://thumper.bellcore.com/pub/nmh/skey. Its drawback is that all account information sits on one host: if that host is compromised, the whole network's security is compromised, and configuring it is not simple. Kerberos includes a stream-encrypting rlogind and telnetd, which prevent an intruder from capturing the user's session after login. Encryption faces two main problems: technical and human.

The technical question is whether the encryption is strong enough: 64-bit encryption, for example, may not suffice, and not all applications integrate encryption. Cross-platform encryption solutions are also rare and usually confined to specialised applications. The human problem is that some users dislike encryption because it is too much trouble: they may start using it but rarely keep it up. In short, we must find a happy medium: strong applications that are also user friendly. Secure Shell, secure copy and IPv6 can all secure information in transit. Traditional network services such as SMTP, HTTP, FTP, POP3 and telnet are inherently insecure because they send passwords and data in plain text, which a sniffer intercepts easily. SSH stands for Secure Shell. With SSH all transmitted data is encrypted, so the "intermediate server" (man-in-the-middle) attack becomes impossible, and DNS and IP spoofing are prevented as well. A further benefit is that the data is compressed, which speeds up transfer. SSH has many functions: it can replace telnet and provide a secure "channel" for FTP, POP and even PPP. SSH listens on port 22; its connections are encrypted using RSA-negotiated keys, and after authentication all subsequent traffic is encrypted with IDEA. The ssh program logs on to a remote host over the network and executes commands. The SSH encrypted tunnel protects only the data in transit, so ordinary sniffing tools cannot read what was sent; it provides strong authentication for secure communication over insecure networks, and is therefore a way to prevent sniffing.
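To make the S/Key idea above concrete, here is an added example (not from the article, and not the real S/Key algorithm, which uses MD4/MD5 with 64-bit folding) of a hash-chain one-time password: the server stores only the next expected value, each login reveals a value usable once, and a captured response cannot be replayed. It uses SHA-256 and assumes sha256sum or shasum is installed; the secret is constructed.

```shell
#!/bin/sh
# Added example: a hash-chain one-time password in the spirit of S/Key.
# Not the real S/Key algorithm; SHA-256 stands in for its MD4/MD5 folding.

sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# otp_value SECRET N: hash the secret N times. The client holds the secret;
# the server stores only the N-th value and never sees the secret itself.
otp_value() {
    otp_v=$1
    otp_i=0
    while [ "$otp_i" -lt "$2" ]; do
        otp_v=$(sha256_hex "$otp_v")
        otp_i=$((otp_i + 1))
    done
    printf '%s\n' "$otp_v"
}

# otp_verify STORED RESPONSE: accept RESPONSE only if hashing it once gives
# the stored value. On success the server must store RESPONSE and decrement
# its counter, so that same response is worthless to an eavesdropper later.
otp_verify() {
    [ "$(sha256_hex "$2")" = "$1" ]
}

# Demo enrolment with a constructed secret and a chain of length 4.
secret='constructed-demo-secret'
server_n=4
server_stored=$(otp_value "$secret" "$server_n")

login() {
    [ "$server_n" -gt 0 ] || { echo "login $1: chain exhausted, re-enrol"; return 1; }
    challenge=$((server_n - 1))                   # server sends the sequence number
    response=$(otp_value "$secret" "$challenge")  # computed on the client side
    if otp_verify "$server_stored" "$response"; then
        server_stored=$response
        server_n=$challenge
        echo "login $1: accepted (seq $challenge)"
    else
        echo "login $1: rejected"
    fi
}

login 1
login 2
# Replaying the last accepted response fails: H(response) != response.
if otp_verify "$server_stored" "$server_stored"; then
    echo "replay accepted (bug)"
else
    echo "replay of captured response rejected"
fi
```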

Replace dynamic ARP or IP-MAC tables with static ones:

This measure mainly guards against sniffing that penetrates a switched network. Techniques such as ARP spoofing let an intruder sniff even on a switched network, so network administrators need a thorough understanding of the various spoofing methods. ARP spoofing, for example, is commonly used in sniffing to alter the dynamic ARP cache. Setting static ARP entries on important hosts and workstations (on Windows 2000, with the arp command) and static IP-MAC tables on the switch prevents spoofing-based sniffing.
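The static-table measure above can be backed by a check that the live ARP cache still matches the pinned entries. This added example (not from the article) compares a constructed Linux `ip neigh` table with a constructed IP-to-MAC baseline, reports any host whose MAC changed, and shows how the baseline would be pinned as permanent entries; the pinning function needs root and is not run.

```shell
#!/bin/sh
# Added example: detect ARP-cache entries that drift from a pinned baseline,
# the symptom ARP spoofing produces. Assumes Linux `ip neigh` output;
# both inputs below are constructed samples.

# Baseline of addresses that must never change (gateway, servers): "IP MAC".
BASELINE='192.168.1.1 00:11:22:33:44:55
192.168.1.10 00:11:22:33:44:aa'

# Constructed `ip neigh show` output: the gateway now resolves to a new MAC.
CURRENT_NEIGH='192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:aa STALE
192.168.1.50 dev eth0 FAILED'

# arp_mismatches BASELINE NEIGH_TABLE: print "IP expected-MAC observed-MAC"
# for every baseline host whose current lladdr differs from the pinned one.
arp_mismatches() {
    printf '%s\n' "$2" | awk -v base="$1" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                if (kv[1] != "") want[kv[1]] = tolower(kv[2])
            }
        }
        /lladdr/ {
            mac = ""
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (($1 in want) && want[$1] != mac) print $1, want[$1], mac
        }'
}

# pin_static_arp BASELINE IFACE: install the baseline as permanent entries so
# dynamic ARP replies cannot overwrite them (Linux; on Windows the equivalent
# is "arp -s IP MAC"). Needs root, so it is only defined here, not called.
pin_static_arp() {
    printf '%s\n' "$1" | while read -r addr mac; do
        [ -n "$addr" ] && ip neigh replace "$addr" lladdr "$mac" dev "$2" nud permanent
    done
}

# For a live check, use: arp_mismatches "$BASELINE" "$(ip neigh show)"
echo "entries that changed (IP expected observed):"
arp_mismatches "$BASELINE" "$CURRENT_NEIGH"
```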

In addition to these three points, we must also protect key areas, meaning the places where a sniffer would be placed. Intruders usually put a sniffer where data converges, such as gateways, switches and routers, in order to capture more. These areas therefore deserve extra protection against sniffing.

4. Anti-sniffing application cases

1. Install SSH in Linux

Download the latest SSH2 package from www.ssh.com. It is best to download the source package and compile it yourself:

# tar -zxvf ssh2-2.4.0.tar.gz
# cd ssh2-2.4.0
# ./configure
# make
# make install

This installs the server package and the client software together, so the client package does not need to be installed separately. The installer places the SSH2 package under /usr/local/bin and /usr/local/sbin.

2. Configuration

The SSH configuration files live under /etc/ssh2, including sshd2's host public and private keys, hostkey and hostkey.pub. These two files are normally generated automatically during installation; you can regenerate them with the following commands (the ssh2_config file usually needs no changes):

# rm /etc/ssh2/hostkey*
# ssh-keygen2 -P /etc/ssh2/hostkey

3. Start the SSH server

On Unix/Linux the server program is installed in /usr/local/sbin. Start it as follows:

# sshd

# ps x

To avoid starting it by hand after every reboot, add the line /usr/local/sbin/sshd to rc.local.

4. Use SSH

Once SSH is installed we can easily obtain a shell on a remote server. For example, suppose I run:

# ssh cjh@red.forge.net

First the system prompts for a password; after I enter it, I have a shell on the remote machine. From here on an SSH session looks like a Telnet session, except that ssh encrypts all data between me and the server. If you know rsh and its options you will quickly be able to use ssh, which is designed to work the same way; in general any program that can use rsh as its transport can use ssh instead (rsync, for example). The secure copy command scp is just as easy to use, with syntax like that of cp. For example, to copy the file my.php to the server cjh.org, run:

# scp my.php cjh@cjh.org:/usr/local/apache/htdocs/

At this point we see the password prompt (just as with ssh). Then my.php in the local current directory is copied to /usr/local/apache/htdocs/ on cjh.org, logging in as cjh. In use it is no different from telnet. With the SSH client, uploading a file no longer means opening a separate FTP window, authenticating again and then uploading as before: the scp tool that comes with the SSH client copies the file to the remote server directly.

scp is the most convenient and useful command in SSH. If you are asked to transfer files directly between two servers, scp alone solves the problem completely. Run the following as root on one server:

# scp servername:/home/ftp/pub/file1 ./

This transfers the file /home/ftp/pub/file1 from the other server directly into the current directory of this machine.

Beyond technology, management is especially important to network security. It is absolutely necessary to forbid the use of any sniffer tool on the network by anyone other than the network administrators, including senior management. This clearly limits the deliberate use of sniffers from individual workstations.

For network administrators it is even more important to build security awareness and to know your users: the more familiar administrators are with their users and the users' working habits, the faster they can spot unusual events, and unusual events often mean a security problem. Check the key devices in your network regularly, such as servers, switches and routers, ideally with professional tools such as the TDR introduced earlier. The network administrator also provides security services to users: regular security mailings to users help build their awareness. Management awareness is another important factor. If the users' management does not impose strong security requirements, the system administrator cannot achieve much alone; it is best for management to establish a set of security standards everyone must follow, and if the system administrator then builds his or her own security rules on that basis, security is strengthened. Management helps reinforce user awareness and makes clear that information is a valuable asset. The system administrator should make security measures as simple as possible for users and provide tools that improve security. Network administrators should keep the "pain level" reasonable (the pain level being the resistance users put up against security restrictions), considering the problem not only technically but also from the user's point of view. For example, can a Macintosh user be expected to use S/Key at every login? The more users understand security, the more secure the network.

Summary

Sniffers are widely used in network maintenance and management. A sniffer works like passive sonar: it silently receives traffic from the network, and by analysing the data the network administrator gains a deep understanding of the network's current state and can identify its weak points. Today, with growing attention to network security, we must not only use sniffers correctly but also guard against the danger of sniffers, which cause serious harm mainly because they are hard to discover. For an enterprise with strict security requirements, building a security management system alongside the technical defences is equally important.

Sniffing is not a cutting-edge technique but a basic topic in the security field. Studying it does not require much low-level knowledge and there is nothing mysterious about it; in fact some network management software and network testers use sniffing. Yet many software vendors have never become familiar with it. Ignoring this basic fact is unwise; understanding and mastering it is the key. That is also the author's motivation for writing.
