



 ____________________________________________________________________
 
[10:. - [ Sniffing and spoofing explained ]              [psyops] :. ]
                                              [psyops@phault.org] :. ]
 ____________________________________________________________________







  Introduction.

 Sniffing and spoofing are security threats that target the
lower layers of the networking infrastructure supporting
applications that use the Internet. Users do not interact
directly with these lower layers and are typically
completely unaware that they exist. Without a deliberate
consideration of these threats, it is impossible to build
effective security into the higher levels.

 Sniffing is a passive security attack in which a machine
separate from the intended destination reads data on a
network. The term "sniffing" comes from the notion of
"sniffing the ether" in an Ethernet network and is a bad
pun on the two meanings of the word "ether."
Passive security attacks are those that do not alter the
normal flow of data on a communication link or inject data
into the link.

 Spoofing is an active security attack in which one machine
on the network masquerades as a different machine. As an
active attack, it disrupts the normal flow of data and may
involve injecting data into the communications link between
other machines. This masquerade aims to fool other machines
on the network into accepting the impostor as an original,
either to lure the other machines into sending it data or
to allow it to alter data. The meaning of 'spoof' here is
not 'a lighthearted parody,' but rather 'a deception intended
to trick one into accepting as genuine something that is
fake.' Such deception can have grave consequences because
notions of trust are central to many networking systems.
Although sniffing may seem innocuous (depending on just how sensitive
and confidential you consider the information on your network),
some network security attacks use sniffing as a prelude to
spoofing. Sniffing gathers sufficient information to make
the deception believable.

  Sniffing.

 Sniffing is the use of a network interface to receive data
not intended for the machine in which the interface resides.
A variety of machines need to have this capability.
A token-ring bridge, for example, typically has two network
interfaces; it normally receives all packets travelling on
the media on one interface and retransmits some, but not all,
of these packets on the other interface. Another example of
a device that incorporates sniffing is one typically marketed
as a 'network analyzer.' A network analyzer helps network
administrators diagnose a variety of obscure problems that
may not be visible on any one particular host. These problems
can involve unusual interactions between more than just one
or two machines and sometimes involve a variety of protocols
interacting in strange ways.

 Devices that incorporate sniffing are useful and necessary.
However, their very existence implies that a malicious person
could use such a device or modify an existing machine to
snoop on network traffic. Sniffing programs can be used to
gather passwords, read inter-machine e-mail, and examine
client-server database records in transit. Besides this
high-level data, low-level protocol information might be used
to mount an active attack on data in another computer system.

  Sniffing: How It Is Done.

 In a shared media network, such as Ethernet, all network
interfaces on a network segment have access to all the data
that travels on the media. Each network interface has a
hardware-layer address that should differ from the hardware-layer
addresses of all other network interfaces on the network. Each
network also has at least one broadcast address that corresponds
not to an individual network interface, but to the set of all
network interfaces. Normally, a network interface will only
respond to a data frame carrying either its own hardware-layer
address or the broadcast address in the frame's destination
field. It responds to these frames by generating a hardware
interrupt to the CPU. This interrupt gets the attention of the
operating system, which reads the data in the frame for further
processing. Frames addressed to any other interface are silently
dropped by the hardware and never reach the operating system.

 At times, you may hear network administrators talk about their
network trouble spots, places where they observe failures in a
localized area. They will say a particular area of the Ethernet
is busier than other areas of the Ethernet where there are no
problems. In fact, all of the packets travel through all parts
of the Ethernet segment. Interconnection devices that do not pass
all the frames from one side of the device to the other form the
boundaries of a segment. Bridges, switches, and routers divide
segments from each other: a bridge or switch forwards a unicast
frame only toward the port where it has learned the destination
address lives (broadcasts still cross it), and a router accepts
only frames addressed to its own interface, re-sending the IP
packets inside them in fresh frames on the other side. Low-level
devices that operate on one bit at a time, such as repeaters and
hubs, do not divide segments from each other. If only low-level
devices separate two parts of the network, both are part of a
single segment, and all frames travelling in one part of the
segment also travel in the other part.

 The broadcast nature of shared media networks affects network
performance and reliability so greatly that networking professionals
use a network analyzer, or sniffer, to troubleshoot problems.
A sniffer puts a network interface in promiscuous mode, which
disables the hardware address filter so that the interface passes
up every frame on the segment and the sniffer can monitor each
data packet.
In the hands of an experienced system administrator, a sniffer
is an invaluable aid in determining why a network is behaving
(or misbehaving) the way it is. With an analyzer, you can determine
how much of the traffic is due to which network protocols, which
hosts are the source of most of the traffic, and which hosts are
the destination of most of the traffic. You can also examine data
travelling between a particular pair of hosts and categorize it by
protocol and store it for later analysis offline. With a sufficiently
powerful CPU, you can also do the analysis in real time.

 Most commercial network sniffers are rather expensive, costing
thousands of dollars. When you examine these closely, you notice
that they are nothing more than a portable computer with an Ethernet
card and some special software. The only item that differentiates
a sniffer from an ordinary computer is software. It is also easy to
download shareware and freeware sniffing software from the Internet
or various bulletin board systems.

 The ease of access to sniffing software is great for network
administrators because this type of software helps them become better
network troubleshooters. However, the availability of this software
also means that malicious computer users with access to a network
can capture all the data flowing through the network. The sniffer
can capture all the data for a short period of time or selected
portions of the data for a fairly long period of time. Eventually,
the malicious user will run out of space to store the data---the
network I use often has 1000 packets per second flowing on it.
Just capturing the first 64 bytes of data from each packet fills
up my system's local disk space within an hour.

  Sniffing Passwords.

 Perhaps the most common loss of computer privacy is the loss of
passwords. Typically users type a password at least once a day.
Data is often thought of as secure because access to it requires
a password. Users usually are very careful about guarding their
password by not sharing it with anyone and not writing it down
anywhere.

 Passwords are used not only to authenticate users for access to
the files they keep in their private accounts; other passwords
are often employed within multilevel secure database systems.
When the user types any of these passwords, the system does not
echo them to the screen, to ensure that no one will see them.
After users have jealously guarded these passwords and had the
computer system reinforce the notion that they are private, a
login session that sends each character of the password across
the network in the clear is extremely easy for any Ethernet
sniffer to read. End users do not realize just how easily these
passwords can be found by someone using a simple and common
piece of software.

  Sniffing Financial Account Numbers.

 Most users are uneasy about sending financial account numbers,
such as credit card numbers and checking account numbers, over
the Internet. This apprehension may be partly because of the
carelessness most retailers display when tearing up or returning
carbons of credit card receipts. The privacy of each user's credit
card numbers is important. Although the Internet is by no means
bulletproof, the most likely location for the loss of privacy
to occur is at the endpoints of the transmission. Presumably,
businesses making electronic transactions are as fastidious about
security as those that make paper transactions, so the highest
risk probably comes from the same local network on which the
users type the numbers, just as with passwords.

 However, much larger potential losses exist for businesses that
conduct electronic funds transfer or electronic document interchange
over a computer network. These transactions involve the transmission
of account numbers that a sniffer could pick up; the thief could
then transfer funds into his or her own account or order goods
paid for by a corporate account. Most consumer credit card fraud,
by contrast, involves only a few thousand dollars per incident.

  Sniffing Private Data.

 Loss of privacy is also common in e-mail transactions. Many e-mail
messages have been publicized without the permission of the sender
or receiver. Remember the Iran-Contra affair, in which President
Reagan's secretary of defense, Caspar Weinberger, was indicted.
A crucial piece of evidence was backup tapes of PROFS e-mail on
a National Security Council computer. The e-mail was not intercepted
in transit, but in a typical networked system, it could have been.
It is not at all uncommon for e-mail to contain confidential business
information or personal information. Even routine memos can be
embarrassing when they fall into the wrong hands.

  Sniffing Low-Level Protocol Information.

 The information that network protocols send between computers
includes the hardware addresses of local network interfaces, the
IP addresses of remote network interfaces, IP routing information,
and the sequence numbers assigned to bytes on a TCP connection.
Any of this information can be misused by someone interested in
attacking the security of machines on the network, and a sniffer
can obtain all of it. After an attacker has this kind of
information, he or she is in a position to turn a passive attack
into an active attack with even greater potential for damage.

  Protocol Sniffing: A Case Study.

 At one point in time, all user access to computing facilities in the
organization under study (the university at which the author is
employed) was done via terminals. It was not practical to hardwire
each terminal to a host, and users needed to use more than one host.
To solve these two problems, Central Computing used a switch (an AT&T
ISN switch) between the terminals and the hosts. The terminals
connected to the switch so that the user had a choice of hosts. When
the user chose a host, the switch connected the terminal to the chosen
host via a very real, physical connection. The switch had several
thousand ports and was, in theory, capable of setting up connections
between any pair of ports. In practice, however, some ports attached
to terminals and other ports attached to hosts.

 To make the system more flexible, the central computing facility was
changed to a new system that uses a set of (DEC 550) Ethernet terminal
servers with ports connected to the switch, rather than the old
system, which used a fixed number of switch ports connected to each
host. The new terminal servers are on an Ethernet segment with the
hosts in the central machine room.

 Offices have a cable running from a wallplate to a wiring closet
punchdown block. The punchdown block has cables running to
multiplexers, which in turn connect to the switch. The multiplexers
serve to decrease the number of cables that need to be long. With this
arrangement, sniffing and other forms of security problems are not an
issue. No two offices share any media.
The switch mediates all interaction between computers, isolating the
flow of data from the physical location of the end users.

 Rather than using simple terminals, however, most computer users have
a computer on their desktop that they use in addition to the Central
Computing computers. The switch services these computers as well as
simple terminals. The number of computer users, however, has grown
rapidly over the past decade and the switch is no longer adequate.
Terminal ports are in short supply, host ports are in even shorter
supply, and the switch does not supply particularly high-speed
connections.

 To phase out the switch, Central Computing installed an Ethernet hub
in the basement of each building next to the punchdown block used to
support both the switch multiplexer and the telephone lines. The hubs
in the basement connect to the central facility using fiber-optic
cables to prevent signal degradation over long distances. Hubs also
were placed in the wiring closets on each floor of each building that
connected to the basement hub. Now the cables leading to the
wallplates in the offices are being moved from the punchdown block
that leads to the multiplexer to a punchdown block that leads to one
of these hubs. The new wiring scheme neatly parallels the old and was
changed relatively inexpensively.

 Although the new wiring scheme neatly parallels the old, the data
travelling on the new wiring scheme does not neatly parallel its
previous path. From a logical standpoint, it can get to the same
places, but the data can and does go to many other places as well.
Under this scheme, any office can sniff all the data flowing to
Central Computing from all of the other offices in the building.
Different departments are located in the same building; they
compete for resources allocated by the upper managers who supervise
them, and those managers and middle management are located in the
same building too. A fair amount of potential exists for employees
to want to know what other people are sending in e-mail messages,
storing in personnel files, and storing in project planning files.

 In addition to nosiness and competition, the variety of people
sharing the same physical media in the new wiring scheme could easily
misuse the network. Since all occupants of a building share a single
set of Ethernet hubs, they broadcast all of their network traffic to
every network interface in the entire building. Any sensitive
information that they transmit is no longer limited to a direct path
between the user's machine and the final destination; anyone in the
building can intercept the information with a sniffer. Careful
planning of a network installation, or a redesign of an existing
network, should include security considerations (as well as
performance issues) to avoid the risks inherent in shared-media
networking.

 The network in the case study fails miserably in the prevention of
sniffing. Any computer in a building is capable of sniffing the
network traffic to or from any other computer in the building.
Replacing the hubs with switches would confine each office's unicast
traffic to its own port, although broadcast frames would still reach
every office.
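
 To make the segment rule concrete, here is an added example (not code
from the original article) that models the wiring described above using
the rule from the section on how sniffing is done: hosts, repeaters and
hubs extend a segment, while bridges, switches and routers end one. The
topology is a constructed approximation of the building in the case
study (offices on floor hubs, floor hubs on a basement hub, basement hub
uplinked by fiber to a switch in the central machine room), and the
device and host names are assumptions.

```python
"""Which hosts share a shared-media segment, and so can sniff each other.

Added example; the topology is a constructed approximation of the
article's case study and the device names are assumptions.
"""
from collections import defaultdict

HUB_LIKE = {"hub", "repeater"}                # repeat every bit to every port
SEGMENTING = {"bridge", "switch", "router"}   # forward selectively, end a segment


def segments(devices, links):
    """devices: {name: kind}, kind is "host" or a member of HUB_LIKE/SEGMENTING.
    links: cable pairs (a, b). Returns {host: frozenset of hosts whose frames
    it sees}, i.e. the shared-media segment each host sits on."""
    parent = {name: name for name in devices}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in links:
        # A cable ending at a bridge/switch/router port terminates the segment
        # there; a cable into a hub, repeater or host merely extends it.
        if devices[a] in SEGMENTING or devices[b] in SEGMENTING:
            continue
        parent[find(a)] = find(b)

    members = defaultdict(set)
    for name, kind in devices.items():
        if kind == "host":
            members[find(name)].add(name)
    return {host: frozenset(group) for group in members.values() for host in group}


def can_sniff(devices, links, observer, sender):
    """True when a promiscuous interface on `observer` sees every frame that
    `sender` transmits. False only means unicast traffic is hidden: switches
    and bridges still flood broadcasts and frames to unlearned addresses."""
    return observer != sender and sender in segments(devices, links)[observer]


def case_study_topology(closet_device="hub"):
    """The building wiring from the case study (constructed approximation).
    closet_device="hub" is what was installed; "switch" is the alternative."""
    devices = {
        "office-101": "host", "office-102": "host", "office-201": "host",
        "closet-1": closet_device, "closet-2": closet_device,
        "basement": closet_device,
        "central-switch": "switch", "mail-server": "host",
    }
    links = [
        ("office-101", "closet-1"), ("office-102", "closet-1"),
        ("office-201", "closet-2"),
        ("closet-1", "basement"), ("closet-2", "basement"),
        ("basement", "central-switch"),      # fiber uplink to the machine room
        ("mail-server", "central-switch"),
    ]
    return devices, links


if __name__ == "__main__":
    for closet in ("hub", "switch"):
        devices, links = case_study_topology(closet)
        seg = segments(devices, links)
        print(f"{closet}s in the closets: office-101 shares a segment with "
              f"{sorted(seg['office-101'])}; can it sniff office-201? "
              f"{can_sniff(devices, links, 'office-101', 'office-201')}")
```

 With hubs in the closets every office in the building lands in one
segment and can_sniff is true for any pair of offices, which is the
failure the case study describes; the mail server behind the central
switch is not visible as a sender, but everything the offices send to
it is. Swapping the closet devices for switches puts each office on a
segment of its own. The model covers unicast only: a switch still
floods broadcasts and frames for addresses it has not yet learned, so
a False from can_sniff means "hidden", not "safe".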

  Feedback would be nice.















