Bugtraq mailing list archives

Sniffer FAQ


From: cklaus () iss net (Christopher Klaus)
Date: Thu, 9 Feb 1995 18:39:48 +1494730 (PST)


I have put together a FAQ (Frequently Asked Questions) file about Sniffers.

I tried covering all topics related to sniffers and mentioned some
companies that provide products for solutions for sniffer attacks.

Unfortunately, I have not evaluated any of the products except for using
S/key, but if you have had the chance to play with a product, please send
me a small review and I'll stick it under the company's product. I would
like unbiased reviews, good and bad: mostly, what features did you like and
what were missing.

Also, I am sure I may have missed a few companies that offer similar
solutions, and if you know of any of them, please email me.

I would like feedback on this. Thank you.


This Sniffer FAQ will hopefully give administrators a clear understanding of
sniffing problems and of possible solutions to follow up with. Sniffing is
one of the main causes of mass break-ins on the Internet today.

This FAQ will be broken down into:

      What a sniffer is and how it works
      Where are sniffers available
      How to detect if a machine is being sniffed
      Stopping sniffing attacks:
           Active hubs
           Encryption
           Kerberos
           One-time password technology
           Non-promiscuous interfaces

    ------------------------------------------------------------------------


What a sniffer is and how it works

Unlike telephone circuits, computer networks are shared communication channels.
It is simply too expensive to dedicate local loops to the switch (hub) for each
pair of communicating computers. Sharing means that computers can receive
information that was intended for other machines. Capturing the information
going over the network is called sniffing.

The most popular way of connecting computers is through Ethernet. The Ethernet
protocol works by sending each packet to all the hosts on the same circuit. The
packet header contains the address of the destination machine, and only the
machine with the matching address is supposed to accept the packet. A machine
that accepts all packets, no matter what the packet header says, is said to be
in promiscuous mode.

Because account and password information is passed along Ethernet in
clear text, it is not hard for an intruder to put a machine into promiscuous
mode and, by sniffing, compromise all the machines on the net.
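To make the address-matching rule concrete, here is an added Python example (not part of the FAQ) that builds a few constructed Ethernet frames and shows which of them an interface delivers to the host in normal mode versus promiscuous mode. The MAC addresses, the frame payloads and the helper names (`build_frame`, `accepted_frames`, `payloads_seen_by`) are assumptions made for this illustration.

```python
"""Which frames does a host see?  Added example, not from the FAQ.

Constructed frames on a shared Ethernet segment: a normal interface keeps
only frames addressed to its own MAC or to broadcast; an interface in
promiscuous mode keeps every frame, including the clear-text logins of
other machines that the FAQ warns about.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes) -> bytes:
    # 14-byte Ethernet II header: dst MAC, src MAC, EtherType (0x0800 = IPv4),
    # followed by the payload.  Header fields are big-endian (network order).
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", 0x0800) + payload


def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def accepted_frames(frames, own_mac: str, promiscuous: bool = False) -> list:
    """Frames the network interface hands up to the host.

    Without promiscuous mode the hardware address filter discards anything
    not addressed to own_mac or to the broadcast address.
    """
    delivered = []
    for frame in frames:
        parsed = parse_frame(frame)
        if promiscuous or parsed["dst"] in (own_mac, BROADCAST):
            delivered.append(parsed)
    return delivered


# Constructed sample traffic (locally administered MACs, made-up payloads).
MAC_A, MAC_B, MAC_C, MAC_D = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                              "02:00:00:00:00:0c", "02:00:00:00:00:0d")
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, b"login: alice"),           # A -> B
    build_frame(MAC_D, MAC_C, b"Password: example-pw"),   # C -> D, not for B
    build_frame(BROADCAST, MAC_C, b"who-has 192.0.2.1"),  # broadcast, seen by all
]


def payloads_seen_by(own_mac: str, promiscuous: bool = False) -> list:
    return [f["payload"] for f in accepted_frames(SAMPLE_FRAMES, own_mac, promiscuous)]


if __name__ == "__main__":
    print("host B, normal mode:     ", payloads_seen_by(MAC_B))
    print("host B, promiscuous mode:", payloads_seen_by(MAC_B, promiscuous=True))
```

Host B in normal mode sees its own login frame and the broadcast; in promiscuous mode it also sees the password frame exchanged between C and D, which is exactly the exposure the clear-text protocols in the next sections create.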

    ------------------------------------------------------------------------


Where are sniffers available

Sniffing is one of the most popular forms of attacks used by hackers. One
special sniffer, called Esniff.c, is very small, designed to work on SunOS, and
only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It
was published in Phrack, one of the most widely read freely available
underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c
is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log.

You may want to run Esniff.c on an authorized network to quickly see how
effective it is in compromising local machines.

Other sniffers that are widely available which are intended to debug network
problems are:

      Etherfind on SunOS 4.1.x
      Snoop on Solaris 2.x
      Tcpdump 2.0, which uses bpf, for a multitude of platforms
      Gobbler for IBM DOS machines

Commercial Sniffers are available at:

      Network General.

    ------------------------------------------------------------------------


How to detect a sniffer running.

Detecting a sniffing device that only collects data and does not respond to any
of the information requires physically checking all your ethernet connections.

It is also impossible to check remotely, by sending a packet or a ping, whether
a machine is sniffing.

A sniffer running on a machine puts the interface into promiscuous mode, which
accepts all the packets. On some Unix boxes, it is possible to detect a
promiscuous interface.

For SunOS, NetBSD, and possibly other BSD-derived Unix systems, there is a
command

     "ifconfig -a"

that will tell you information about all the interfaces, including whether they
are in promiscuous mode. Intruders often replace commands such as ifconfig to
avoid detection. Make sure you verify its checksum.
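As an added example (not part of the FAQ), the following Python checks `ifconfig -a` output for the PROMISC flag in the SunOS/BSD `flags=<...>` style and, because intruders replace ifconfig, compares the binary's digest against a known-good value before trusting its output. The sample output is constructed, the helper names (`promiscuous_interfaces`, `binary_is_trusted`, `check_live_host`) are my own, and the known-good digest is a placeholder you would record from clean install media.

```python
"""Spot interfaces in promiscuous mode from "ifconfig -a" output.

Added example, not from the FAQ.  The sample output below is constructed in
the SunOS/BSD "flags=<...>" style; substitute the real output of
"ifconfig -a" on the host you are checking.
"""
import hashlib
import re
import subprocess

# Constructed sample: le0 has been put into promiscuous mode.
SAMPLE_IFCONFIG = """\
lo0: flags=49<UP,LOOPBACK,RUNNING> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
le1: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING> mtu 1500
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255
"""

# "name: flags=<number><FLAG,FLAG,...>"; the numeric value is ignored, the
# comma-separated flag names are what we inspect.
IFACE_LINE = re.compile(r"^(\S+):\s+flags=\w+<([^>]*)>")


def promiscuous_interfaces(ifconfig_output: str) -> list:
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in ifconfig_output.splitlines():
        match = IFACE_LINE.match(line)
        if match and "PROMISC" in match.group(2).split(","):
            found.append(match.group(1))
    return found


def binary_is_trusted(contents: bytes, known_good_sha256: str) -> bool:
    """Compare a binary against a digest recorded from clean media.

    A trojaned ifconfig will print whatever the intruder likes, so the
    digest must match before its output means anything.
    """
    return hashlib.sha256(contents).hexdigest() == known_good_sha256


def check_live_host(ifconfig_path: str, known_good_sha256: str) -> list:
    """Run the real ifconfig only after its digest checks out.

    Raises RuntimeError if the binary does not match the recorded digest.
    """
    with open(ifconfig_path, "rb") as fh:
        if not binary_is_trusted(fh.read(), known_good_sha256):
            raise RuntimeError(f"{ifconfig_path} does not match the known-good digest")
    output = subprocess.run([ifconfig_path, "-a"], capture_output=True,
                            text=True, check=True).stdout
    return promiscuous_interfaces(output)


if __name__ == "__main__":
    print("promiscuous in sample:", promiscuous_interfaces(SAMPLE_IFCONFIG))
    # For a real host: record the digest of ifconfig from install media, then
    # check_live_host("/sbin/ifconfig", "<known-good sha256 placeholder>")
```

The same `flags=<...>` layout is printed by current BSD and net-tools ifconfig, so the parser is not limited to SunOS output; the digest check is only as good as the reference value, which must come from media the intruder could not have touched.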

There is a program called cpm, available on ftp.cert.org:/pub/tools/cpm, that
only works on SunOS and is supposed to check the interface for the promiscuous
flag.

Ultrix can possibly detect someone running a sniffer by using the commands
pfstat and pfconfig:

      pfconfig allows you to set who can run a sniffer.
      pfstat shows you if the interface is in promiscuous mode.

These commands only work if packet-filter support has been linked into the
kernel; by default, it is not. Most other Unix systems, such as Irix, Solaris,
SCO, etc., do not have any flag indicating whether they are in promiscuous mode
or not, therefore an intruder could be sniffing your whole network and there is
no way to detect it.

Often a sniffer log becomes so large that the file space is all used up. On a
high volume network, a sniffer will create a large load on the machine. These
sometimes trigger enough alarms that the administrator will discover a sniffer.
I highly suggest using lsof (LiSt Open Files) available from
coast.cs.purdue.edu:/pub/Purdue/lsof for finding log files.

There are no commands I know of to detect a promiscuous IBM PC compatible
machine, but such machines at least usually do not allow command execution
unless from the console, therefore remote intruders cannot turn a PC into a
sniffer without inside assistance.

    ------------------------------------------------------------------------


Stopping sniffing attacks

Active hubs send to each system only the packets intended for it, rendering
promiscuous sniffing useless. This is only effective for 10Base-T.

The following vendors have available active hubs:

      3Com
      HP

    ------------------------------------------------------------------------


Encryption

There are several packages out there that allow encryption between connections,
so that an intruder could capture the data but could not decipher it to make
any use of it.

Some packages available are:

      deslogin, available at coast.cs.purdue.edu:/pub/tools/unix/deslogin
      swIPe, available at ftp.csua.berkeley.edu:/pub/cypherpunks/swIPe/

    ------------------------------------------------------------------------


Kerberos

Kerberos is another package that encrypts account information going over the
network. Some of its drawbacks are that all the account information is held on
one host, and if that machine is compromised, the whole network is vulnerable.
It has been reported to be a major difficulty to set up. It does not stop an
intruder from capturing what you did after you logged in.

    ------------------------------------------------------------------------


One time password technology

S/key and other one-time password technology makes sniffing account information
almost useless. The S/key concept is that your remote host already knows a
password that is never going to go over insecure channels, and when you connect,
you get a challenge. You take the challenge information and the password and
plug them into an algorithm which generates the response; both sides get the
same answer if the password is the same on both sides. Therefore the password
never goes over the network, nor is the same challenge used twice. Unlike
SecureID or SNK, with S/key you do not share a secret with the host. S/key is
available on thumper.bellcore.com:/pub/nmh/skey
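Here is an added Python example (not from the FAQ or from the S/key distribution) of the challenge/response idea just described: the server keeps only the top of a hash chain, the client derives each response from the pass-phrase and the challenge, the server verifies with one more hash and then moves the chain down, so a sniffed response is useless for replay and the same challenge is never issued twice. Real S/key uses MD4 folded to 64 bits; truncated SHA-256 is an assumption here so the example runs with the standard library, and the pass-phrase, seed and names (`SkeyServer`, `enroll`, `client_answer`, `demo`) are made up.

```python
"""S/key-style one-time password exchange.  Added example, not from the FAQ.

The pass-phrase is shared only at enrollment, out of band.  The server keeps
the N-th iterate of a one-way function over (pass-phrase + seed).  Each login
the server sends the challenge (sequence number, seed); the client answers
with the (N-1)-th iterate; the server checks one_way(response) == stored
value, then stores the response and decrements the counter.
"""
import hashlib


def one_way(data: bytes) -> bytes:
    # Real S/key uses MD4 folded to 64 bits; SHA-256 truncated to 8 bytes is
    # an assumption used here so the example runs with the standard library.
    return hashlib.sha256(data).digest()[:8]


def iterate(pass_phrase: str, seed: str, count: int) -> bytes:
    """Apply one_way `count` more times after hashing (pass-phrase + seed)."""
    value = one_way((pass_phrase + seed).encode())
    for _ in range(count):
        value = one_way(value)
    return value


class SkeyServer:
    """Holds only the current top of the hash chain, never the pass-phrase."""

    def __init__(self, seed: str, sequence: int, top_of_chain: bytes):
        self.seed = seed
        self.sequence = sequence       # logins remaining before re-enrollment
        self.expected = top_of_chain   # equals iterate(pass_phrase, seed, sequence)

    def challenge(self) -> tuple:
        # Sent in the clear: a sniffer learns only a counter and the seed.
        return (self.sequence - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 0:
            return False               # chain exhausted; user must re-enroll
        if one_way(response) != self.expected:
            return False
        # Accept, then move the chain down so this response cannot be replayed.
        self.expected = response
        self.sequence -= 1
        return True


def enroll(pass_phrase: str, seed: str, sequence: int) -> SkeyServer:
    """Done once, over a trusted channel: the server never sees the pass-phrase again."""
    return SkeyServer(seed, sequence, iterate(pass_phrase, seed, sequence))


def client_answer(pass_phrase: str, challenge: tuple) -> bytes:
    """What the user's calculator computes from the pass-phrase and the challenge."""
    sequence, seed = challenge
    return iterate(pass_phrase, seed, sequence)


def demo() -> tuple:
    """Constructed walk-through: first login, replay, wrong pass-phrase, second login."""
    server = enroll("correct horse battery", "ab12345", 5)
    first_challenge = server.challenge()
    sniffed = client_answer("correct horse battery", first_challenge)
    first_login = server.verify(sniffed)
    replay = server.verify(sniffed)                     # sniffed response reused
    second_challenge = server.challenge()
    guess = server.verify(client_answer("wrong phrase", second_challenge))
    second_login = server.verify(client_answer("correct horse battery", second_challenge))
    return (first_login, replay, first_challenge != second_challenge, guess, second_login)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False, True)
```

Nothing that crosses the wire (the challenge and the response) lets a listener compute the next response, because that would require inverting `one_way`; the chain's only weakness is that it is finite, which is why the server refuses once the sequence reaches zero.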

Other one-time password technology is card systems, where each user gets a card
that generates numbers that allow access to their account. Without the card,
guessing the numbers is improbable.

The following companies offer solutions that provide better password
authentication (i.e., handheld password devices):


Secure Net Key (SNK)

Digital Pathways, Inc.
201 Ravendale Dr.
Mountain View, CA 94043-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487


Secure ID

Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312 USA
Phone: 617-547-7820
Fax: (617) 354-8836

Secure ID uses time slots for authentication rather than challenge/response.


WatchWord and WatchWord II

Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892
1-800-521-6261 ext 217


SafeWord

Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707 Fax: (510)827-2593


Secure Computing Corporation:

2675 Long Lake Road
Roseville, MN 55113
Tel: (612) 628-2700
Fax: (612) 628-2701
debernar () sctc com

    ------------------------------------------------------------------------


Non-promiscuous Interfaces

You can try to make sure that most IBM DOS compatible machines have interfaces
that will not allow sniffing. Below is a list of cards that do not support
promiscuous mode.

Test the interface for promiscuous mode by using Gobbler. If you find an
interface that does do promiscuous mode and it is listed here, please e-mail
cklaus () iss net so I can remove it ASAP.

     3Com 3C501 EtherLink
     3Com 3C507 EtherLink 16
     3Com 3C507 EtherLink 16 TP
     IBM Token-Ring Network PC Adapter
     IBM Token-Ring Network PC Adapter II (short card)
     IBM Token-Ring Network PC Adapter II (long card)
     IBM Token-Ring Network 16/4 Adapter
     IBM Token-Ring Network PC Adapter/A
     IBM Token-Ring Network 16/4 Adapter/A
     IBM Token-Ring Network 16/4 Busmaster Server Adapter/A
     Microdyne (Excelan) EXOS 205
     Microdyne (Excelan) EXOS 205T
     Microdyne (Excelan) EXOS 205T/16
     Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8
     Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8
     Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16
     Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32
     Compaq 32-bit DualSpeed Token-Ring Controller
     Novell/Eagle NE3200
     Novell/Eagle NE2000
     AMD Am2110-SM AT Ethernet 7998
     AMD Am1500T/2 PCnet-ISA
     AMD Am1500T PCnet-ISA
     HP 27247B EtherTwist Adapter Card/16 TP Plus
     HP 27252A EtherTwist Adapter Card/16 TP Plus
     HP J2405A EtherTwist PC LAN Adapter NC/16 TP
     IBM LAN Adapter for Ethernet
     IBM LAN Adapter for Ethernet TP
     IBM LAN Adapter for Ethernet CX
     Intel EtherExpress 16
     Intel EtherExpress 16TP
     Intel EtherExpress 16C
     Intel EtherExpress FlashC
     Intel EtherExpress 16 MCA
     Intel EtherExpress 16 MCA TP

    ------------------------------------------------------------------------


Acknowledgements

I would like to thank the following people for their contributions to this FAQ,
which have helped to update and shape it:

      Padgett Peterson (padgett () tccslr dnet mmc com)
      Steven Bellovin (smb () research att com)
      Wietse Venema (wietse () wzv win tue nl)

    ------------------------------------------------------------------------


Copyright

This paper is Copyright (c) 1994, 1995
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may
distribute, transfer, or spread this paper electronically. You may not pretend
that you wrote it. This copyright notice must be maintained in any copy made.
If you wish to reprint the whole or any part of this paper in any other medium
(i.e., magazines, books, etc.) excluding electronic media, please ask the author
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <cklaus () iss net> of Internet Security Systems, Inc.
<iss () iss net>

-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.         Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
