The art of "sniffing" network traffic, or capturing packets on the wire, has long been one of the most fruitful parts of any malicious hacker attack. The bad guys can read entire e-mail messages, gain passwords, and obtain complete access by simply running a network sniffer on a shared Ethernet or Token Ring network.
Of course, the rich man's countermeasure to this type of attack has always been encryption. But the poor man's countermeasure was always to move away from the traditional shared Ethernet to new network-switching technology. In a book we published recently, many of our packet-capture countermeasures involved recommending a switch to keep the sniffing hounds at bay. But all this has changed with the advent of dsniff (naughty.monkey.org/~dugsong//dsniff/) by Dug Song at CITI, the Center for Information Technology Integration, a research lab at the University of Michigan.
Sniffing traffic allows an unauthorised computer user to view the traffic destined to someone else. In other words, by sending an e-mail message to a colleague at work, you could also be sending it to your cubicle neighbour, or the whole company, as well. The technique of sniffing traffic on a switched segment has been discussed in security circles for some time, but Dug has put the theory into practice. With little more than an address resolution protocol (ARP) redirect program and IP forwarding, an attacker can sniff every station on your switched network. The potential damage to your network from a sniffing attack of this nature can be nuclear. Few administrators know about this technology, and even fewer fight the menace. But don't take our word for it; check it out yourself.
Sniffing on a switch
Switching technology, by definition, switches packets from one destination to another without passing them by any of the other stations on a network, thereby reducing the risk of the packets being picked up. But arpredirect, the utility within the dsniff distribution, makes sniffing on a switched network easier than a distributed denial of service (DDoS) attack in February.
This is how it works: the attacker's system sends out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened.
You will need to use either the kernel-level IP forwarding in /proc/sys/net/ipv4/ip_forward or fragrouter on a Linux system to perform the packet forwarding. So by forging ARP replies for the default gateway of a network, all traffic destined for the default gateway will be sent to and then forwarded by the attack system. Once received at your system, you can grab anything you desire, including passwords for protocols such as SNMP, FTP, post office protocol (POP), HTTP, Internet Relay Chat (IRC), Telnet, and many others. In addition to the passwords, you can read all cleartext e-mail as well.
Bag o' goodies
Besides arpredirect, the dsniff distribution comes with its marquee tool: dsniff. The tool is a remarkable password sniffer and collects just about every cleartext and poorly encrypted password. These include all the usual suspects, plus NNTP (Network News Transfer Protocol), IMAP (Internet Message Access Protocol), LDAP, RIP (Routing Information Protocol), OSPF (Open Shortest Path First), NFS (Network File System), YP (Yellow Pages), Socks, X11, CVS (concurrent versions system), IRC, AIM (America Online instant messaging), ICQ, Napster, PostgreSQL, Meeting Maker, Citrix Independent Computing Architecture, Symantec pcAnywhere, NAI Sniffer, Microsoft Server Message Block, and Oracle SQLNet authorization information.
Mailsnarf is another tool for grabbing network data, but this utility reassembles and displays e-mail traffic in a legible manner, thus enabling you to read other users' e-mail in real time. And finally, Webspy is a great utility for watching what your users are doing on the network; it will refresh your browser with the Web pages being viewed on anyone's system.
The only real solution to this type of attack is encryption. No matter how much packet sniffing is allowed on your network, by using applications that encrypt the traffic, users can at least be moderately reassured that their information will be safe from prying eyes. The detection solution is to monitor ARP traffic on your network and detect when ARP entries are being changed. You can use a product such as arpwatch, by Craig Leres at ftp://ftp.ee.lbl.gov/arpwatch.tar.Z. Of course, neither solution is all that great, and it makes you wonder how many years we will be dealing with this vulnerability. It all depends on what security blanket you hug.
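As an added illustration of the detection approach just described (this is not code from the column, nor from arpwatch itself), the following Python script applies arpwatch's idea to a constructed sequence of ARP replies: it keeps a table of which MAC address each IP last answered with and raises an alert when a binding changes, when it reverts to an earlier MAC (arpwatch calls this a "flip flop"), and when one MAC starts answering for more than one IP, which is exactly what a station impersonating the default gateway looks like on the wire. All addresses are constructed from the documentation ranges (192.0.2.0/24 and 00:00:5e:00:53:xx); the record layout and the function name are assumptions of this example.

```python
from collections import namedtuple

# Constructed ARP reply records in arrival order (sequence number, sender
# protocol address, sender hardware address). Illustrative values only,
# not captured traffic.
ArpReply = namedtuple("ArpReply", "seq sender_ip sender_mac")

SAMPLE_REPLIES = [
    ArpReply(1, "192.0.2.1",  "00:00:5e:00:53:01"),  # the real default gateway
    ArpReply(2, "192.0.2.10", "00:00:5e:00:53:10"),  # a workstation
    ArpReply(3, "192.0.2.20", "00:00:5e:00:53:20"),  # a second host
    ArpReply(4, "192.0.2.1",  "00:00:5e:00:53:20"),  # gateway IP now answered by host 20's MAC
    ArpReply(5, "192.0.2.1",  "00:00:5e:00:53:20"),  # same binding repeated: no new alert
    ArpReply(6, "192.0.2.1",  "00:00:5e:00:53:01"),  # binding reverts: a "flip flop"
]


def monitor_arp(replies, gateway_ip=None):
    """Track IP->MAC bindings seen in ARP replies and return a list of alerts.

    Alert kinds follow arpwatch's vocabulary: "new station" the first time an
    IP is seen, "changed ethernet address" when an IP's MAC changes, "flip flop"
    when it changes back to a MAC previously seen for that IP, and
    "duplicate mac" when one MAC claims a second IP. Changes involving the
    gateway's IP are prefixed with "gateway " so they can be prioritised.
    """
    current = {}      # ip -> MAC it last answered with
    history = {}      # ip -> every MAC it has ever answered with
    mac_to_ips = {}   # mac -> every IP it has claimed
    alerts = []

    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        seen = history.setdefault(ip, set())
        old = current.get(ip)

        if old is None:
            alerts.append((r.seq, "new station", ip, mac))
        elif old != mac:
            kind = "flip flop" if mac in seen else "changed ethernet address"
            if ip == gateway_ip:
                kind = "gateway " + kind
            alerts.append((r.seq, kind, ip, f"{old} -> {mac}"))

        seen.add(mac)
        current[ip] = mac

        # One hardware address answering for several IPs is the signature of
        # a station inserting itself in front of the gateway.
        ips = mac_to_ips.setdefault(mac, set())
        if ips and ip not in ips:
            alerts.append((r.seq, "duplicate mac", mac, ", ".join(sorted(ips | {ip}))))
        ips.add(ip)

    return alerts


if __name__ == "__main__":
    for seq, kind, subject, detail in monitor_arp(SAMPLE_REPLIES, gateway_ip="192.0.2.1"):
        print(f"reply {seq}: {kind:32s} {subject:20s} {detail}")
```

On the constructed input, replies 1 to 3 only register new stations; reply 4 produces both a "gateway changed ethernet address" alert and a "duplicate mac" alert for the MAC that now answers for two IPs, reply 5 is silent because nothing changed, and reply 6 is reported as a gateway "flip flop". To feed a live segment rather than the sample list, the same function can be driven from ARP replies pulled off the wire by any capture library, which is what arpwatch does with libpcap.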
Stuart McClure is president/CTO and Joel Scambray is a managing principal at security consultant Foundstone (www.foundstone.com), formerly Rampart Security Group