Sniffers Power Point


1

Eastern Michigan University


Asad Khailany , Eastern Michigan University
Dmitri Bagatelia , Eastern Michigan University
Wafa Khorsheed , Eastern Michigan University
Do You Want to become a Hacker?
- Now you can get an MS degree specializing in hacking techniques from a university in Paris, France.
- Do not miss this golden opportunity!
- Soon you will see your institution also offers a degree in hacking techniques.

2
ABSTRACT
- Computers on a network normally only listen to communications destined for them.
- However, when they enter promiscuous mode they can listen to all communications, whether or not those communications are destined for them.
- Computers are put into promiscuous mode by installing software packages known as packet sniffers.

3
ABSTRACT
- Sniffers are among the best tools hackers have for attacking computers.
- Network administrators use sniffers for network troubleshooting and security analysis. Many sniffing and anti-sniff packages are available on the Internet for download.
- This paper discusses sniffing and anti-sniffing, their advantages and disadvantages, and presents some recommendations to make network systems and their data more secure.

4
INTRODUCTION
- For a computer to be able to listen to all communications on the network, it must be in a multi-partner mode. Such a mode is known as promiscuous mode.
- Packet sniffers put computers into promiscuous mode.
- Attackers love packet sniffers.
- Sniffers are valuable tools that network administrators need to do network troubleshooting, to perform network security analysis and to measure the performance of a network system.

5
INTRODUCTION - 2
- Sniffers are used by law enforcement agencies to monitor network systems.
- Anti-sniff packages are available to determine whether or not a suspected remote computer is listening in to all communications on the network.
- Several methods utilized by anti-sniff packages to identify suspected computers on the network are discussed in this paper.

6
What are sniffing packages used for?
Sniffing packages are used for network traffic analysis to:
1. Identify the type of network application used.
2. Identify the hosts using the network.
3. Identify the bottlenecks.
4. Capture data used for troubleshooting network applications.
5. Create network traffic logs.

7
More usages of sniffing packages
- Gathering private data such as passwords, credit card information, email messages, etc.
- Establishing connections with senders while using the authentication provided by the receiver.
- Modifying data and resending it to recipients.

8
SNIFFERS AND NETWORK ARCHITECTURES
- Sniffing is possible because most network architectures use a shared medium and protocols that presume only the intended computer receives and reads the message.

9
Case: Ethernet architecture
[Diagram: Computer A, Computer B, Computer C and Computer D attached to one shared line; a message travels from Computer A to Computer C.]
Computer A sends a message to Computer C. Since all computers share the same line, Computers B and D can listen to the message if they are in promiscuous (multi-partner) mode. In this case the message was not changed, but privacy was compromised, since the data was copied even though it was not modified.

10
Case: Routed network
A routed protocol means that a sent message might be handled by several hosts.
Any of those hosts can copy the message, or change the message and forward it to other hosts. The final recipient of the message will never know that the message was modified. Thus the security risk taken with a routed protocol is much greater than with the Ethernet architecture.

11
DIFFERENT METHODS FOR DETECTING ACTIVE SNIFFERS
- Theoretically it is impossible to detect sniffers if they only listen without sending anything, i.e. if they are in passive mode.
- Practically, there are some methods that can be used to identify suspected computers that are trying to listen to messages not intended for them.
- Some popular methods to identify suspected computers are:

12
1. PING METHOD.
A computer is uniquely identified on the network by the serial number of its network interface card. This hardware address is called the MAC (Media Access Control) address.
A sniffer always turns off the MAC filter on its host device, so that it can receive all messages, whether or not they are intended for that device.

13
1. PING METHOD.
How to identify suspected computers?
Send a message to the suspected device using a wrong MAC address and the correct IP address. The device should not respond if its MAC address filter is on, but if it runs in promiscuous mode it will respond to the message. Thus a computer that is listening is identified.
New problems to be solved:
The newer sniffer devices/programs have built-in filters which prevent such responses.

14
2. ARP: Address Resolution Protocol METHOD.
ARP is a TCP/IP protocol that maps an IP address into a physical address.
The ARP method uses ARP packets.
On a network, when a computer sends an ARP request to the broadcast address, all computers that see the request send an ARP answer with their IP-to-MAC address mapping.
How are suspected computers identified?
If such a request is sent to a regular non-broadcast address, there should not be any reply. If a reply is received, that computer is a suspected sniffer device.
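The ping and ARP methods above rely on the same mechanism: a frame whose destination MAC belongs to nobody is discarded by a normal network card, but a card with its MAC filter off hands it to the IP stack, which then answers because the IP address is correct. The following simulation is an added example written for this page (not code from the authors or from any anti-sniff product); the Ethernet header layout is real, but the ECHO/WHO-HAS text payloads, the host class and the probe MAC addresses are constructed stand-ins for real ICMP and ARP packets.

```python
import struct
from dataclasses import dataclass

BROADCAST = b"\xff" * 6
ETH_IP, ETH_ARP = 0x0800, 0x0806     # EtherType values for IPv4 and ARP

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

@dataclass
class Host:
    mac: bytes
    ip: str
    promiscuous: bool = False        # True once a sniffer has turned the MAC filter off

    def nic_accepts(self, dst_mac: bytes) -> bool:
        # Hardware MAC filter: only frames for our own MAC or for broadcast
        # get through, unless the card is promiscuous and takes everything.
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def handle_frame(self, frame: bytes):
        """Return the reply this host would send for a frame, or None if it stays silent."""
        dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if not self.nic_accepts(dst):
            return None              # dropped by the card; the IP stack never sees it
        kind, target_ip = frame[14:].decode().split(" ", 1)
        if target_ip != self.ip:
            return None              # addressed to someone else's IP; the stack ignores it
        if ethertype == ETH_IP and kind == "ECHO":
            return f"ECHO-REPLY from {self.ip}"
        if ethertype == ETH_ARP and kind == "WHO-HAS":
            return f"ARP-REPLY {self.ip} is-at {self.mac.hex(':')}"
        return None

def frame(dst: bytes, src: bytes, ethertype: int, payload: str) -> bytes:
    """Build a 14-byte Ethernet header followed by a toy text payload (constructed)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload.encode()

PROBER = mac_bytes("02:00:00:00:00:01")     # the anti-sniff host (constructed)
BOGUS_MAC = mac_bytes("02:de:ad:be:ef:00")  # a MAC that belongs to nobody on the segment

def ping_probe(target: Host):
    """Ping method: correct IP, wrong MAC. Only a promiscuous host answers."""
    return target.handle_frame(frame(BOGUS_MAC, PROBER, ETH_IP, f"ECHO {target.ip}"))

def arp_probe(target: Host):
    """ARP method: an ARP request sent to a non-broadcast MAC instead of ff:ff:ff:ff:ff:ff."""
    return target.handle_frame(frame(BOGUS_MAC, PROBER, ETH_ARP, f"WHO-HAS {target.ip}"))
```

As the slide notes, a host whose software re-checks the destination MAC before answering stays silent in both modes, so a silent host is not proof that no sniffer is present.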

15
3. DNS METHOD.
The DNS method works on the assumption that many attackers use IP addresses to find DNS names. Most sniffer programs have a feature to do a reverse DNS lookup using an IP to get the hostname.
How are suspected computers identified?
An anti-sniff package places itself in promiscuous mode and sends a message to a fictitious host such as charge BankC.com. The addresses of all computers that issue a reverse lookup request referencing the fictitious host are flagged as suspected computers.
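The DNS method needs a decoder for the reverse lookups the anti-sniff host captures: a sniffer that resolves the decoy address sends a PTR query for the in-addr.arpa name of that address. The code below is an added example for this page, not code from the authors or from the AntiSniff package; it decodes a raw DNS query (uncompressed question name, as queries normally are), recovers the IP being looked up, and flags every client that asked about the decoy address. The decoy address 192.0.2.3, the client addresses and the captured messages are constructed sample data.

```python
import struct

QTYPE_PTR = 12

def decode_name(msg: bytes, off: int):
    """Decode an uncompressed DNS name starting at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def ptr_query_ip(msg: bytes):
    """If msg is a DNS query for an in-addr.arpa PTR record, return the IPv4 address looked up."""
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:        # QR bit set means a response, not a query
        return None
    name, off = decode_name(msg, 12)          # question section starts after the 12-byte header
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    if qtype != QTYPE_PTR or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))         # 3.2.0.192.in-addr.arpa -> 192.0.2.3

def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: the reverse-lookup query a resolver sends for ip."""
    name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", QTYPE_PTR, 1)

def flag_reverse_lookups(decoy_ips, captured_queries):
    """Return the client IPs that reverse-resolved a decoy address nobody should know about."""
    decoys = set(decoy_ips)
    return {src for src, msg in captured_queries if ptr_query_ip(msg) in decoys}

# Constructed capture: (source IP of the DNS client, raw DNS message it sent)
CAPTURED = [
    ("10.0.0.5", build_ptr_query("192.0.2.3")),   # looks up the decoy host: suspect
    ("10.0.0.7", build_ptr_query("10.0.0.1")),    # ordinary lookup of a real host
    ("10.0.0.9", build_ptr_query("192.0.2.3")),   # also suspect
]
```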

16
4. SOURCE-ROUTE METHOD
The IP header has a loose source routing option.
Routers ignore the destination IP address and instead forward the message to the next IP in the source-route option.
How to identify suspected computers?
Turn off packet routing on a specific computer, so that the packet should be dropped at that computer. A computer that sniffs messages will nevertheless respond to a packet that was dropped at the computer where routing was turned off.
For instance, you send a message from computer A to computer B, but you route it through computer C first. If you turn off packet routing on computer C, then the packet should be dropped. Thus, if computer B responds to a message that was dropped at C, it means computer B sniffed the message.

17
5. DECOY METHOD.
This method sets up a "victim" computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions, and then watches for any hacker who tries to use that dummy account to log in to the remote server.
How to identify suspected computers?
Set up a "victim" computer that repeatedly runs a script to log in to a remote server using a dummy account with no real permissions.
Any hacker who gets such login information will try to log in to the remote server.
Any login attempt not originating from the "victim" computer indicates that someone was sniffing on your network and stole that account information.
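The detection half of the decoy method is a check over the remote server's login records: every use of the dummy account from any source other than the scripted "victim" host is an alert, whether or not the login succeeded. The following is an added example written for this page (not the authors' code); the log line format, the account name decoy-svc and all addresses are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed sample of the remote server's auth log. Assumed line format:
# "<timestamp> login user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 login user=decoy-svc src=10.0.0.20 result=ok
2024-03-01T08:05:01 login user=decoy-svc src=10.0.0.20 result=ok
2024-03-01T08:07:42 login user=alice src=10.0.0.31 result=ok
2024-03-01T08:09:13 login user=decoy-svc src=10.0.0.77 result=fail
2024-03-01T08:09:20 login user=decoy-svc src=10.0.0.77 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def decoy_alerts(lines: Iterable[str], decoy_user: str, victim_ip: str):
    """Return (timestamp, src_ip, result) for every use of the decoy account that
    did not come from the scripted "victim" host. Success or failure does not
    matter: nobody else should even know the account name exists."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != decoy_user:
            continue                      # malformed line or a real user's login
        if m["src"] != victim_ip:
            alerts.append((m["ts"], m["src"], m["result"]))
    return alerts
```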

18
6. OTHER METHODS.
There are many more methods that can be used to detect sniffing activities.
None works 100% of the time, because hackers already know them and try to work around those detection methods.
One of the best software packages that uses all the above methods to find sniffing activities is the AntiSniff package (http://www.securitysoftwaretech.com/antisniff/).

19
Protocols targeted for sniffing by hackers
Protocols that transmit data in plain text format make it easy for hackers to get what they want. Some of the protocols targeted for sniffing are:
1. telnet
2. rlogin (user sessions and passwords)
3. HTTP (passwords, web-based emails)
4. Simple Network Management Protocol (passwords)
5. Network News Transfer Protocol (passwords)
6. Post Office Protocol (passwords, emails)
7. File Transfer Protocol (passwords)
8. Internet Message Access Protocol (passwords, emails).

20
METHODS TO ENFORCE NETWORK SECURITY
Switched network
- Use of a switched network eliminates the use of a shared wire. The switch knows the location of every device on the network and sends data directly to the intended recipient without transmitting the message all over the network.
The diagram in the next slide compares two networks of computers, one interconnected by a hub and the other interconnected by a switch.

21
Switch And Hub Networks
[Diagram: on the left, Computers A, B and C attached to a hub; on the right, Computers A, B and C attached to a switch. The "Message to Computer C" labels show the hub repeating the message on every port while the switch delivers it only to Computer C.]
Hubs send communications to all connected computers.
A switch, on the other hand, remembers which computer is connected to which port on the switch, and thus forwards a message only to one computer.

22
Data encryption method:
- This is one of the oldest security routines used to enforce security.
- Many software algorithms and software packages are available to encrypt data.
- You can encrypt your messages before sending them, e.g. PGP (Pretty Good Privacy) is used to encrypt email messages.
- You can choose a secure protocol with built-in encryption schemes, e.g. SSH (Secure Shell) instead of telnet or rlogin.

23
Some disadvantages of encrypting over plain text messages
- Encrypting increases the message size as well as the response time, since the message has to be not only encrypted on one end but also decrypted by the recipient on the other end.
- It might not be a reasonable solution for some setups that require very fast response times.

24
Some important usages of sniffing methods:
Sniffing methods can be used for:
- Network management.
- Traffic analysis, which can identify who is using what network resource in what way. For instance, you can identify the users who use most of your bandwidth, then find out whether they use it for a legitimate purpose or not.
- Because most network applications use fixed port numbers, you can filter traffic and identify the software that is being used.
- Maximizing network performance.

25
More usages of sniffing methods:
- Not all packet capturing is intended to compromise security. For instance, while programming a network application, programmers might want to see the network traffic that the local computer generates, so that troubleshooting of the application can go much faster.
- It is also possible to use a sniffer to create a log of all network traffic that can serve as evidence in case security is compromised on some other system on the network. Those logs can be used to track down the intruders and to support legal action to bring those hackers to justice.

26
CONCLUSION
- The security threat that sniffers pose can be minimized using a combination of switched networks and encryption.
- Sniffers can sometimes be detected using sniffing detection software.
- Network professionals have used sniffers for a long time to manage networks, identify problems and monitor the usage of network resources.
- Hackers utilize sniffing packages to attack networked computers and steal information.
- It may be impossible to make sure that no one uses sniffing packages against you, but it is important to make sure that unauthorized people cannot get useful information.

27
REFERENCES.
1. Web Server Security & Maintenance, by Eric Larson & Bruan
2. http://lin.fsid.cvut.cz/~kra/index.html
3. http://www.eeye.com/
4. http://neworder.box.sk/
5. http://www.securitysoftwaretech.com/
6. http://www.winsniffer.com/
7. http://www.snifferpro.co.uk/
8. http://stein.cshl.org/~lstein/talks/WWW6/sniffer/
9. http://www.atstake.com/
10. http://www.swrtec.de/clinux/
11. http://stein.cshl.org/~lstein/talks/WWW6/sniffer/
