Posts Tagged ‘Ethernet Protocol’

Detecting Network Sniffers

January 29th, 2010



Overview

A packet sniffer is a program or device that eavesdrops on network traffic and gathers data from packets. Sometimes such wiretaps are carried out by the network administrator for beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network or other vital information transmitted on the network. Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp. Sniffers work because ethernet was designed to be shared. Most networks use broadcast technology — messages for one computer can be read by another computer on that network. In practice, computers ignore messages except those that were sent directly to them (or broadcast to all hosts on the network). However, computers can be placed in promiscuous mode and made to accept messages even if they are not meant for them — this is how a Sniffer works.

People assume that computers connected to a switch are safe from sniffing — but this is not really so. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a Sniffer works

A computer connected to a LAN has 2 addresses — one is the MAC address that uniquely identifies each node in a network and which is stored on the network card. The MAC address is used by the ethernet protocol when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses an ethernet header with the MAC address of the destination machine. The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. Layer 3 attempts to look up the MAC address of the destination machine in a table, called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address then gets added to the source machine’s ARP cache. This MAC address is then used by the source machine in all its communications with the destination machine.

There are two basic types of ethernet environments — shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame’s destination MAC address with their own. If the two don’t match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared ethernet environment is passive and, hence, difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer’s MAC address and the physical port on the switch to which that MAC address is connected. The switch is an intelligent device which sends packets only to the destination computer. As a result, the process of putting a machine into promiscuous mode to gather packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed.

Though a switch is more secure than a hub, you can use the following methods to sniff on a switch:
· ARP Spoofing — The ARP is stateless, that is, you can send an ARP reply even if none has been asked for, and such a reply will be accepted. For example, one technique is to ARP Spoof the gateway of the network. The ARP cache of the targeted host will now have a wrong entry for the gateway and is said to be poisoned. From this point on, all the traffic destined for the gateway will pass through the sniffer machine. Another trick that can be used is to poison a host’s ARP cache by setting the gateway’s MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).
· MAC Flooding — Switches keep a translation table that maps MAC addresses to physical ports on the switch. This allows them to intelligently route packets from one host to another. The switch has a limited amount of memory for this work. MAC flooding makes use of this limitation to bombard a switch with fake MAC addresses until the switch can’t keep up. The switch then enters into what is known as ‘failopen mode’, at which point it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily.

Detecting Sniffers on the Network

A sniffer is usually passive — it just collects data — and is especially difficult to detect when running in a shared Ethernet environment. However, it is easy to detect a sniffer when installed on a switched network. When installed on a computer a sniffer does generate some small amount of traffic — which allows for its detection using the following types of techniques:
· Ping Method — a ping request is sent with the IP address of the suspect machine but not its MAC address. Ideally, nobody should see this packet as each ethernet adapter will reject it as it does not match its MAC address. But if the suspect machine is running a sniffer it will respond since it accepts all packets.
· ARP Method — this method relies on the fact that all machines cache ARP entries (i.e. IP-to-MAC mappings). Here, we send a non-broadcast ARP so only machines in promiscuous mode will cache our MAC address. Next, we send a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.
· On Local Host — if a machine has been compromised a hacker may have left a sniffer running. There are utility programs that can be run which report whether the local machine’s network adapter has been set to promiscuous mode.
· Latency Method — is based on the assumption that most sniffers do some kind of parsing, thereby increasing the load on that machine. Therefore the machine will take additional time to respond to a ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not.
· ARP Watch — to prevent a hacker from ARP spoofing the gateway there are utilities that can be used to monitor the ARP cache of a machine to see if there is a duplicate entry for a machine.
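The ping and ARP methods above both rest on one frame: an ARP request for the suspect’s IP carried in an Ethernet frame whose destination MAC is neither the suspect’s own address nor the broadcast address. A card in normal mode filters such a frame out; a card in promiscuous mode passes it up, and if the host’s IP stack then answers, the reply marks that host as a suspect. The following Python is an added example, not code from the original article: it builds that probe frame and parses the replies. The probe destination ff:ff:ff:ff:ff:fe and the host addresses are constructed values, and the reply frame is built locally only so the parser can be exercised offline; actually putting the probe on the wire would need a raw link-layer socket and administrator rights, which this example does not do.

```python
import struct

ETHERTYPE_ARP = 0x0806
# Constructed probe destination (assumed value, not from the article): looks like a
# unicast address but belongs to no real card, so only a promiscuous host accepts it.
PROBE_DST_MAC = "ff:ff:ff:ff:ff:fe"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' and return the 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4: {ip!r}")
    return bytes(octets)


def build_arp_probe(src_mac: str, src_ip: str, target_ip: str,
                    dst_mac: str = PROBE_DST_MAC) -> bytes:
    """Ethernet II frame (14 bytes) + ARP request (28 bytes) for target_ip.

    The Ethernet destination is the bogus probe MAC rather than ff:ff:ff:ff:ff:ff,
    so a card that honours its own address filter never delivers the request.
    """
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)    # Ethernet, IPv4, hlen 6, plen 4, REQUEST
    arp += mac_to_bytes(src_mac) + ip_to_bytes(src_ip)  # sender hardware / protocol address
    arp += b"\x00" * 6 + ip_to_bytes(target_ip)         # target MAC unknown, target IP asked for
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):  # 2 = REPLY
        return None
    return bytes_to_mac(frame[22:28]), ".".join(str(b) for b in frame[28:32])


def suspects_from_replies(frames) -> set:
    """IPs that answered a probe no card in normal mode should have accepted."""
    found = set()
    for f in frames:
        parsed = parse_arp_reply(f)
        if parsed:
            found.add(parsed[1])
    return found


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip) -> bytes:
    """Constructed reply frame, used here only to exercise the parser offline."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_to_bytes(src_mac) + ip_to_bytes(src_ip) + mac_to_bytes(dst_mac) + ip_to_bytes(dst_ip)
    return eth + arp


if __name__ == "__main__":
    # Constructed sample: the detector at 192.168.0.117 probes 192.168.0.112.
    probe = build_arp_probe("00:90:4b:f1:6e:4a", "192.168.0.117", "192.168.0.112")
    print(len(probe), "bytes, destination", bytes_to_mac(probe[:6]))
    # Sending needs a raw link-layer socket (AF_PACKET on Linux) and root; replies read
    # from that socket are what suspects_from_replies() expects. Simulated here:
    reply = build_arp_reply("00:0c:76:93:94:b2", "192.168.0.112", "00:90:4b:f1:6e:4a", "192.168.0.117")
    print("suspects:", suspects_from_replies([reply]))
```

Whether a host answers a request delivered this way depends on its operating system and driver, so the result is an indicator to follow up on (for example with an on-host check of the adapter’s mode), not proof on its own.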

How To Protect Against Sniffing

The best way to secure a network against sniffing is to use encryption. While this won’t prevent sniffers from functioning, it will ensure the data collected by sniffers is uninterpretable. Also, on a switched network, the chances are that ARP spoofing will be used for sniffing purposes. The machine that the hacker will most likely ARP-spoof is the default gateway. To prevent this from happening it is suggested the MAC address of the gateway be permanently added to each host’s ARP cache.

Additional suggestions include:
· Use SSH instead of telnet.
· Use HTTPS instead of HTTP (if the site supports it).
· If concerned about email privacy, try a service such as Hushmail (www.hushmail.com), which uses SSL to ensure that data is not read in transit. Also, Pretty Good Privacy (www.gnupg.org) can be used for encrypting and signing emails to prevent others from reading them.
· Employ a sniffer detector. For example, the software package PromiScan is considered the standard sniffing node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application package used to remotely monitor computers on local networks to locate network interfaces operating in a promiscuous mode.

By: Steve Leytus

Choosing the Right Wireless Network Components

December 12th, 2009



The most important step in building a wireless network is selecting the right components. Before you set out for the electronics store in search of the parts and pieces you need, you may want to review my previous articles about planning your network and what standards there are to choose from.

Typically, you are only searching for three types of equipment if you are establishing a wireless network for your personal computers to share files, share devices (such as a printer) and establish a connection between your home or office and the outside world (Internet access). You may need several of one or more of these but your selection really comes down to deciding upon these three things.

Network Interface Adapter

The protocol (simply the language standard of a communication method) used in connectivity between computers and printers on a network in your home or at your office is known as Ethernet. What is confusing is that this is the language standard, but it is not the method by which the components communicate. Therefore, there must be some intermediary device that can translate between these internal component communications and the Ethernet protocol. These devices are known simply as a network interface adapter. You probably know this by another name. Commonly referred to as a network interface card (NIC), this device is installed in or attached to your computer and provides the connectivity to the Ethernet network. A desktop PC’s NIC is usually a card that is installed inside the case and inserted into one of the slots on your system’s motherboard. More and more, this functionality is being built into the motherboard of desktop PCs and is usually an integral component on portable PCs.

Access Point

A wireless access point, also known as a base station, is a device that provides a translation and handles protocol conversion from the wired side of your inbound Internet connection (usually a DSL or Cable Modem) and the wireless side of your network. This is a must in order to create a wireless network.

Sometimes, the access point may be an installed component of a DSL or Cable modem and/or router putting all of these components in one, easy to install and manage device. Having these components bundled can provide a better value as it will be more cost effective when combined with functions of other components that you have decided to include in your wireless network:

Hub or Switch – A hub is a device that provides a physical connection for wired PCs in a network. A switch is sometimes referred to as an intelligent hub that adds traffic management capability.

Router – A device that allows multiple computers to share a single Internet connection. As mentioned, some routers include a built-in broadband modem and wireless access in one device.

Wireless Network Interface Adapter

This device is similar to a NIC but provides wireless functionality. More and more computers are being built with this device already included as the popularity of wireless networks continues to grow.

By: Jeff Runyon

Finding Your MAC Address On Wired And Wireless Network Cards

December 2nd, 2009



The Answer To The Media Access Control Question

Over the past few weeks I have received quite a few e-mails about Ethernet cards, both wired and wireless, and more specifically, about Media Access Control (MAC) addresses. I think the main reason I’ve received so many questions about Ethernet cards and MAC addresses is people trying to secure their home wireless networks and their desire to use MAC address filtering. This type of filtering in wireless networks can be configured to allow or deny specific computers to use or attach to the wireless network, based on the MAC address.

My first thought was to write an article just about MAC addresses and wireless Ethernet. After thinking about it I decided to expand on this and go over some specific information about Ethernet cards and communication.

Different Ways Of Finding Your MAC Address And More

There are several ways of finding your Ethernet and communications protocol information. Many Ethernet card manufacturers have proprietary software that can reveal this information, but they work differently depending on the manufacturer. So we will use the Windows 2000 and XP “ipconfig” utility since this is available in the majority of Windows Operating Systems.

First, go to “start” -> “run” and type “cmd” without the quotes. Then hit the enter key. At the command line type “ipconfig /all”, again without the quotes. Actually, just typing ipconfig without the /all will work but will only provide you with abbreviated information regarding your network cards. An example of what you might see by typing the “ipconfig /all” command is below, with a comment on each item following it:


Output Of The “ipconfig /all” Command

Windows IP Configuration

Host Name . . . . . . . . . . . . : Home Computer

This is the name of your computer, typically defined during the windows installation. However, it can be changed after installation.

Primary Dns Suffix . . . . . . . : domain.com

If your computer participates in a network such as a Microsoft Windows domain this item may contain the name of the domain.

Node Type . . . . . . . . . . . . : Unknown

The Node Type may say Unknown, or peer-to-peer, or in some cases “hybrid”. It is a setting that has to do with the Windows Internet Name Service (WINS) used in certain types of Windows domain networks.

IP Routing Enabled. . . . . . . . : No

This setting determines if Windows XP or 2000 will function as an IP router. If you have two or more network cards you can set up your system to act as a router, forwarding communications requests from one network to another. Windows 2000 can be configured to do this in a pretty straightforward fashion; Windows XP will need a registry modification.

WINS Proxy Enabled. . . . . . . . : No

WINS Proxy is another setting that is related to the “Node Type” we discussed earlier. It is normally not a required setting in a home or small office network, or newer types of Microsoft Windows domains.

Ethernet adapter Wireless Network Connection 2:

If you have multiple Ethernet (network) cards in your system, as I do in this laptop, you will have multiple listings. This one happens to be the second Ethernet card, an internal wireless Ethernet card.

Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN

This is the description of the Ethernet card, usually the Name / Manufacturer and type of Ethernet card. In this case, it is a Broadcom wireless Ethernet card built into my laptop.

Physical Address. . . . . . . . . : 00-90-4B-F1-6E-4A

And here we have the MAC address. The MAC address is a 48-bit hexadecimal code and is supposed to be a totally unique address. It is 48 bits because each of the six two-character hexadecimal groups represents 8 bits. Hexadecimal digits range over 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. There are 6 groups, hence 6*8=48 bits. The first 3 groups identify the manufacturer of the card and the remaining groups are used to create a unique number. Theoretically there should never be a card with the same MAC address on a local network. However, there are a few exceptions. There are software tools that allow you to change this code. In fact, this is a step some hackers take to attack other systems on a local network. I say local network because MAC addresses are not routable between network segments. By spoofing this address, you can impersonate another machine on the local network. Traffic that was bound for the intended target can be redirected to the hacker’s machine. This is also the address you would use to populate the MAC address, or physical address, table when setting up your wireless access point to support MAC address filtering.
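As an added example (not code from the original article), the Python below takes a MAC address in any of the usual spellings and breaks it into the pieces just described: six octets of 8 bits, the three-octet manufacturer prefix (the OUI), and the three vendor-assigned octets. It also reads the two flag bits in the first octet that a defender looking at an ARP table or a filter list cares about: the multicast (group) bit, which is set on the broadcast address, and the locally-administered bit, which is set on addresses assigned by software rather than burned in by the manufacturer. Finally it shows the comparison a MAC filter has to make, normalizing both sides first, because “00-90-4B-F1-6E-4A” in an access point’s list and “00:90:4b:f1:6e:4a” reported by a host are the same card. The sample addresses are the article’s and constructed ones.

```python
HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; accepts 00-90-4B-F1-6E-4A, 00:90:4b:f1:6e:4a or 0090.4bf1.6e4a."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac(mac: str) -> dict:
    """Split a MAC into the fields the article describes plus the two flag bits of octet 1."""
    canonical = normalize_mac(mac)
    octets = bytes.fromhex(canonical.replace(":", ""))   # six octets, 8 bits each
    first = octets[0]
    return {
        "bits": len(octets) * 8,                      # 6 * 8 = 48
        "oui": canonical[:8],                          # first three octets: the manufacturer
        "device": canonical[9:],                       # last three octets: vendor-assigned serial
        "multicast": bool(first & 0x01),               # I/G bit: group address (ff:ff:ff:ff:ff:ff is one)
        "locally_administered": bool(first & 0x02),    # U/L bit: set by software, not burned in
    }


def allowed_by_filter(mac: str, allow_list) -> bool:
    """The check a MAC filter performs; normalizing both sides avoids case/separator mismatches."""
    return normalize_mac(mac) in {normalize_mac(m) for m in allow_list}


if __name__ == "__main__":
    print(parse_mac("00-90-4B-F1-6E-4A"))
    # Constructed allow list: the article's laptop card plus one made-up address.
    allow = ["00-90-4b-f1-6e-4a", "00-0c-76-93-94-b2"]
    print(allowed_by_filter("00:90:4B:F1:6E:4A", allow), allowed_by_filter("02:00:00:00:00:01", allow))
```

A locally-administered bit that is set is not proof of spoofing (some tools copy a victim’s burned-in address unchanged, which keeps the bit clear), but an address with that bit set claiming a well-known vendor OUI is worth a second look.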

DHCP Enabled. . . . . . . . . . . : Yes

DHCP, or the Dynamic Host Configuration Protocol, if enabled, means your computer’s IP address is being provided by a DHCP server on your network. The DHCP server could be your wireless access point, cable/dsl router, cable modem, or a server on your network. Also, if a DHCP server is not enabled on your network, your computer’s Operating System will auto-generate a random IP address within a certain predefined range. This means you could network a group of systems together without having to manually assign the IP settings.

IP Address. . . . . . . . . . . . : 192.168.0.117

This parameter provides you with your current IP address. The address listed above is what is called a “private” address. There are certain classes of IP addresses that have been set aside for private use. This means for your internal, local, or private network at home or office. These addresses are not, or should not be, routable on the Internet. The Internet routes what are called “valid” IP addresses. Your cable/dsl router or cable modem has a valid IP address assigned to its “external” network interface. The external interface may be your phone line or cable TV cable.

Subnet Mask . . . . . . . . . . . : 255.255.255.0

The Subnet Mask is a special number, or in some sense, filter, that breaks down your IP address, in this case private IP address, into certain groups. IP addresses and Subnet Masks can be a complicated matter and would take an entire article to go over.

Default Gateway . . . . . . . . . : 192.168.0.254

The default gateway, the IP address listed above, is the IP address of the device that will route your request, such as when you try to browse a website, to the Internet. It is a bit more complicated than that though, as gateways or routers can route traffic to various different networks, even other private networks. At your home or small office, this gateway most likely is your cable/dsl modem or router.

DHCP Server . . . . . . . . . . . : 192.168.0.49

The DHCP server, remember we talked a little about this above, is the device that assigns your computer an IP address and other information. DHCP servers can assign all kinds of information such as: Default Gateway, Domain Name Servers (DNS), IP address, Subnet Mask, Time Server, and much more.

DNS Servers . . . . . . . . . . . : 192.168.0.49, 64.105.197.58

DNS Servers are internal or external servers that resolve Fully Qualified Domain Names (FQDN), such as http://www.defendingthenet.com , to IP addresses. This is done because computers don’t actually transmit your requests using the domain name; they use the IP address assigned to the FQDN. For most home or small office users, the primary DNS server is the IP address of your cable/dsl router. Your cable/dsl router then queries an external DNS server on the Internet to perform the actual resolution of the FQDN to IP address. The address 192.168.0.49 is an internal private device on my network whereas 64.105.197.58 is an external public Internet DNS server and is present just in case my router has trouble performing the DNS resolution tasks.

Lease Obtained. . . . . . . . . . : Sunday, March 19, 2006 6:38:16 PM

This information tells you when your computer received its IP address and other information from a DHCP server. You will notice it says “Lease Obtained”; that is because most DHCP servers only lease the IP address to you from a pool of available addresses. For instance, your pool may be 192.168.1.1 through 192.168.1.50. So your DHCP server has 50 IP addresses to choose from when assigning your computer its IP address.

Lease Expires . . . . . . . . . . : Wednesday, March 29, 2006 9:38:16 PM

When the lease on the IP address assigned by the DHCP server expires, the server will attempt to lease you the same or another IP address. This function can typically be changed on the DHCP server. For instance, on some fully functional DHCP servers, you can configure the lease to never expire, or to expire within 1 day, and so on.
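Everything commented on above comes from one command, so an added example of reading it programmatically follows (Python written for this page, not the article author’s). It parses the “ipconfig /all” layout into a dictionary per adapter, then runs the checks the commentary implies: derive the network from the IP address and subnet mask, confirm the address is in private space, confirm the default gateway actually sits inside that subnet (a gateway outside it cannot be reached), and separate internal from external DNS servers. The sample text is constructed in the layout Windows prints, filled with the values from the article; the two DNS servers are placed on a continuation line as ipconfig prints them, and the parser also accepts the comma-separated form the article shows.

```python
import ipaddress
import re

# Constructed sample in the layout Windows prints for "ipconfig /all", with the article's values.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Home Computer
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 2:

   Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
   Physical Address. . . . . . . . . : 00-90-4B-F1-6E-4A
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DHCP Server . . . . . . . . . . . : 192.168.0.49
   DNS Servers . . . . . . . . . . . : 192.168.0.49
                                       64.105.197.58
   Lease Obtained. . . . . . . . . . : Sunday, March 19, 2006 6:38:16 PM
   Lease Expires . . . . . . . . . . : Wednesday, March 29, 2006 9:38:16 PM
"""

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):\s*$")          # "Ethernet adapter ...:"
KEY_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)[ .]*: ?(?P<val>.*)$")
CONT_RE = re.compile(r"^\s{30,}(?P<val>\S.*)$")                      # extra value under previous key


def parse_ipconfig(text: str) -> dict:
    """Return {'global': {key: value}, 'adapters': {adapter name: {key: value}}}."""
    result = {"global": {}, "adapters": {}}
    section, last_key = result["global"], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            section = result["adapters"].setdefault(m.group("name"), {})
            last_key = None
            continue
        m = CONT_RE.match(line)
        if m and last_key:                       # second DNS server etc. joins the previous value
            section[last_key] += ", " + m.group("val").strip()
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            section[last_key] = m.group("val").strip()
    return result


def adapter_summary(adapter: dict) -> dict:
    """The sanity checks worth running on one adapter's values."""
    iface = ipaddress.ip_interface(f"{adapter['IP Address']}/{adapter['Subnet Mask']}")
    gateway = ipaddress.ip_address(adapter["Default Gateway"])
    dns = [s.strip() for s in adapter.get("DNS Servers", "").split(",") if s.strip()]
    return {
        "mac": adapter["Physical Address"],
        "network": str(iface.network),                  # mask applied to the address
        "broadcast": str(iface.network.broadcast_address),
        "private": iface.ip.is_private,                 # reserved space, not routed on the Internet
        "gateway_on_link": gateway in iface.network,    # a gateway outside the subnet is unreachable
        "dhcp": adapter.get("DHCP Enabled", "No").lower() == "yes",
        "dns": dns,
        "external_dns": [d for d in dns if not ipaddress.ip_address(d).is_private],
    }


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, adapter in cfg["adapters"].items():
        print(name, adapter_summary(adapter))
```

On a live machine, replace SAMPLE_IPCONFIG with the output of `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`; the rest of the code is unchanged.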

Why Are MAC Addresses So Important And How Do They Work

Jumping back to MAC addresses for just a bit: you may think that IP addresses are the most important thing when it comes to network communication. The reality is, MAC addresses are very important because without them computers would not be able to communicate over Ethernet networks. When a computer wants to speak with another computer on a local network, it will make a broadcast request, or ask a question, of who owns a particular IP address. For instance, your computer may say “Who is 192.168.0.254”. Using the information above, my default gateway is 192.168.0.254 and will answer “I am “00-90-4B-F1-6E-4A” 192.168.0.254”. It sends back its MAC address. That MAC address then goes into what is called an Address Resolution Protocol (ARP) table on your computer. You can see this information by going to the command prompt like you did above and typing “arp -a”. You will get information like the following:

Internet Address      Physical Address      Type
192.168.0.49          00-12-17-5c-a2-27     dynamic
192.168.0.109         00-12-17-5c-a2-27     dynamic
192.168.0.112         00-0c-76-93-94-b2     dynamic
192.168.0.254         00-0e-2e-2e-15-61     dynamic
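The table above is exactly what the “ARP Watch” technique in the sniffer-detection article earlier on this page examines, so here is an added example (Python written for this page, not either author’s code) that serves both passages: it parses “arp -a” output, reports any MAC address that appears under more than one IP, checks that the default gateway still shows the MAC recorded for it, and diffs a later snapshot of the table against a baseline. The sample is constructed in the layout Windows prints, using the entries from the table above; note that in that very table one MAC is listed for two IPs, which is the kind of duplication a watch flags (it may be one device with two addresses, but it is the thing to go and verify).

```python
import re

# Constructed sample in the layout Windows "arp -a" prints, using the article's entries.
SAMPLE_ARP = """\
Interface: 192.168.0.117 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.49          00-12-17-5c-a2-27     dynamic
  192.168.0.109         00-12-17-5c-a2-27     dynamic
  192.168.0.112         00-0c-76-93-94-b2     dynamic
  192.168.0.254         00-0e-2e-2e-15-61     dynamic
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+(?P<type>\w+)\s*$")


def normalize_mac(mac: str) -> str:
    """Lowercase colon form so Windows (00-0e-...) and Unix (00:0e:...) spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map each IP in the cache to (mac, type); the Interface and header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group("ip")] = (normalize_mac(m.group("mac")), m.group("type"))
    return table


def shared_macs(table: dict) -> dict:
    """MACs listed under more than one IP: the duplication an ARP watch looks for."""
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_matches(table: dict, gateway_ip: str, pinned_mac: str) -> bool:
    """True if the cache still shows the gateway at the MAC recorded for it."""
    entry = table.get(gateway_ip)
    return entry is not None and entry[0] == normalize_mac(pinned_mac)


def changed_entries(baseline: dict, current: dict) -> list:
    """(ip, old_mac, new_mac) for every IP whose MAC differs from the baseline snapshot."""
    return [(ip, baseline[ip][0], current[ip][0])
            for ip in sorted(baseline)
            if ip in current and current[ip][0] != baseline[ip][0]]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    print("shared MACs:", shared_macs(table))
    print("gateway as recorded:", gateway_matches(table, "192.168.0.254", "00-0e-2e-2e-15-61"))
    # Pinning the gateway, as the sniffer article recommends, is on Windows:
    #   arp -s 192.168.0.254 00-0e-2e-2e-15-61
    # after which the entry is listed as "static" rather than "dynamic".
```

Run periodically, feeding each run’s output to changed_entries() against the previous one; a gateway entry that changes MAC between two runs is the signature of the gateway spoofing described in the first article.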

How A Hacker Can Use MAC Addresses In An Attack

You will notice the IP addresses and to the right of them the MAC addresses. Without this information, without the MAC address, you would not be reading this article right now. MAC addresses are not routable like IP addresses. They work on your local or private network. However, devices on the Internet perform the same tasks. Routers and switches maintain a list of their peer devices’ MAC addresses, just like your computers and devices on your home or office network. I mentioned above that MAC addresses can be changed in order to redirect requests. For instance, if I were on your office network and you had an internal web server that took personal information as input, I could tell your computer to go to my laptop for the web site by broadcasting my MAC address tied to the real web server’s IP address. I would do this when your computer asked “Who is the “Real Web Server””. I could set up a fake web server that looks just like the real thing, and start collecting information the real web server would normally collect. You can see how dangerous this can be.

Conclusion

There are several other easy ways you can find your MAC address, but they can be a little confusing if you have more than one internal network card. Most external USB or PCMCIA wired and wireless Ethernet cards have their MAC address printed on them. In cases where the wired or wireless network card is inside your computer, such as in laptops, the MAC address is sometimes printed on the bottom of the laptop. Even desktop system cards that are inserted in PCI slots have the MAC address printed on the Ethernet card.

You may reprint or publish this article free of charge as long as the bylines are included.

Original URL (The Web version of the article)

http://www.defendingthenet.com/NewsLetters/FindingYourMACAddressOnWiredAndWirelessNetworkCards.htm

By: Darren Miller