Posts Tagged ‘Osi Model’

Detecting Network Sniffers

January 29th, 2010



Overview

A packet sniffer is a program or device that eavesdrops on network traffic and captures the contents of packets. Sometimes such wiretaps are carried out by the network administrator for legitimate purposes (intrusion detection, performance analysis and so on). Malicious intruders, on the other hand, install packet sniffers to harvest clear-text usernames and passwords, or other sensitive data, from the local network. Protocols that carry credentials in clear text include telnet, POP3, IMAP, FTP, SMTP AUTH (the PLAIN and LOGIN mechanisms merely base64-encode the password) and NNTP. Sniffers work because Ethernet was designed as a shared medium: on a hub, a frame sent to one computer reaches every computer on the segment. Normally a network card discards frames that are not addressed to its own MAC address (or to the broadcast address). A card can, however, be placed in promiscuous mode, in which it accepts every frame it sees and passes it up to the operating system. This is how a sniffer works.

People assume that computers connected to a switch are safe from sniffing, but this is not really so. A switch defeats the passive form of the attack, yet with a little active effort (ARP spoofing or MAC flooding, described below) a host on a switched segment can be sniffed as well.

How a Sniffer works

A computer connected to a LAN has two addresses. One is the MAC address, which uniquely identifies each node on the network and is stored on the network card; the Ethernet protocol uses it when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) prepends an Ethernet header carrying the MAC address of the destination machine. Mapping an IP address to the MAC address the Data Link protocol needs is the job of the Address Resolution Protocol (ARP), which sits between the Network Layer (layer 3) and the Data Link Layer. The sender first looks the destination's MAC address up in a table called the ARP cache. If no entry is found for the IP address, ARP broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address, which is added to the source machine's ARP cache and used in all further communication with the destination machine. Nothing in this exchange is authenticated: the sender trusts whatever answer arrives.

There are two basic types of ethernet environments — shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame’s destination MAC address with their own. If the two don’t match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared ethernet environment is passive and, hence, difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer's MAC address and the physical port on the switch to which that MAC address is connected. The switch forwards a unicast frame only to the port where the destination MAC address was learned (broadcasts, and frames to a MAC address it has not yet learned, are still sent out every port). As a result, simply putting a machine into promiscuous mode no longer lets it see other hosts' traffic. However, this does not mean that switched networks are secure and cannot be sniffed.

Though a switch is more secure than a hub, the following methods can be used to sniff on a switched network:
· ARP Spoofing: ARP is stateless, that is, a host accepts an ARP reply even if it never asked for one, and overwrites its cache with whatever the reply says. One technique is to ARP-spoof the gateway: the attacker sends replies claiming that the gateway's IP address belongs to the attacker's MAC address. The ARP cache of the targeted host now holds a wrong entry for the gateway and is said to be poisoned. From this point on, all the traffic the host sends to the gateway goes to the sniffer machine instead, which typically forwards it on to the real gateway so that the victim notices nothing. Another trick is to poison a host's ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (the broadcast MAC), so that the host's traffic to the gateway is delivered to every port and every host on the segment can read it.
· MAC Flooding: switches keep a translation table that maps MAC addresses to physical ports on the switch, which allows them to forward frames from one host to another intelligently. The switch has a limited amount of memory for this table. MAC flooding makes use of this limitation by bombarding the switch with frames carrying made-up source MAC addresses until the table is full and the switch can no longer learn (or retain) the real ones. The switch then enters what is known as `failopen mode', at which point it acts as a hub and sends frames for unknown destinations to all the machines on the network. Once that happens sniffing can be performed easily.
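As an added illustration (this is not code from the original article), the following Python models the two attacks above at the byte and table level: it builds the unsolicited ARP reply an attacker sends, shows a victim's ARP cache accepting it (and a static entry refusing it), and shows a size-limited switch table losing its legitimate entries under a flood. The addresses, the hypothetical helper names and the switch's oldest-entry eviction policy are assumptions made for the example.

```python
import struct
from collections import OrderedDict

# All addresses are constructed for this example (RFC 5737 / RFC 7042 documentation ranges).
ETH_P_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(raw): return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """42-byte Ethernet II frame carrying an ARP reply (RFC 826 layout). Nothing in it
    refers to a prior request, which is what lets an unsolicited reply poison a cache."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return (opcode, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class NaiveArpCache:
    """The stateless behaviour described above: any reply overwrites the cache, asked for
    or not. Static entries (the mitigation suggested later in the article) are never overwritten."""

    def __init__(self):
        self.table = {}      # ip -> mac
        self.static = set()

    def add_static(self, ip, mac):
        self.table[ip] = mac
        self.static.add(ip)

    def process(self, frame):
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY and parsed[2] not in self.static:
            self.table[parsed[2]] = parsed[1]


class Switch:
    """Switch with a size-limited MAC table. This model evicts the oldest entry when full (an
    assumption; some switches instead stop learning until entries age out, with the same effect):
    legitimate entries vanish under a flood, and frames to an unknown MAC go out every port."""

    def __init__(self, capacity, ports):
        self.capacity = capacity
        self.cam = OrderedDict()  # mac -> port
        self.ports = set(ports)

    def receive(self, ingress, src_mac, dst_mac):
        """Learn the source MAC, then return the set of egress ports for the frame."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
        else:
            if len(self.cam) >= self.capacity:
                self.cam.popitem(last=False)
            self.cam[src_mac] = ingress
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return self.ports - {ingress}  # unknown destination: flood, as a hub would


def arp_poison_demo():
    """Gateway MAC as the victim sees it after one spoofed reply: (dynamic cache, static entry)."""
    gateway_ip, gateway_mac = "192.0.2.1", "00:00:5e:00:53:01"
    victim_ip, victim_mac = "192.0.2.10", "00:00:5e:00:53:0a"
    attacker_mac = "00:00:5e:00:53:99"
    spoofed = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    dynamic = NaiveArpCache()
    dynamic.process(build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip))  # genuine
    dynamic.process(spoofed)
    pinned = NaiveArpCache()
    pinned.add_static(gateway_ip, gateway_mac)
    pinned.process(spoofed)
    return dynamic.table[gateway_ip], pinned.table[gateway_ip]


def mac_flood_demo(capacity=8, fake_frames=50):
    """Egress ports for host B's unicast to host A: (before, after) the attacker on port 3 floods."""
    sw = Switch(capacity, ports={1, 2, 3})
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    sw.receive(1, host_a, host_b)
    sw.receive(2, host_b, host_a)
    before = sw.receive(2, host_b, host_a)
    for i in range(fake_frames):  # frames with made-up source MACs, as a flooding tool sends
        sw.receive(3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), host_a)
    after = sw.receive(2, host_b, host_a)
    return before, after
```

arp_poison_demo() returns the attacker's MAC for the dynamic cache and the genuine gateway MAC for the pinned one; mac_flood_demo() returns {1} before the flood and {1, 3} after it, the extra port 3 being the attacker's. Putting real frames on the wire would need a raw socket (AF_PACKET on Linux) and root; the byte layouts here are the ones such a tool sends.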

Detecting Sniffers on the Network

A sniffer is usually passive: it only collects data, and on a shared Ethernet segment it is especially difficult to detect. On a switched network the attacker has to generate traffic (spoofed ARP replies or a flood of fake MAC addresses) to see anything at all, and that traffic can be spotted. Even a purely passive sniffer, once installed on a computer, makes the host behave slightly differently, which is what the following techniques exploit:
· Ping Method: an ICMP echo request is addressed at layer 3 to the suspect machine's IP address but at layer 2 to a MAC address that is not the suspect's. Ordinarily nobody should see this packet, since each Ethernet adapter rejects it because the destination MAC does not match its own. A machine running a sniffer, however, accepts every frame, and its IP stack will answer the ping.
· ARP Method: relies on the fact that all machines cache the sender address from ARP frames they process. First we send an ARP packet to a non-broadcast destination MAC, so only machines in promiscuous mode will see it and cache our IP-to-MAC mapping. Next we send a broadcast ping with our IP address but a different source MAC. Only a machine that learned our real MAC from the sniffed ARP frame can reply to us.
· On Local Host: if a machine has been compromised a hacker may have left a sniffer running. There are utilities that report whether the local machine's network adapter has been set to promiscuous mode (on Linux, ip link or ifconfig show a PROMISC flag on the interface), bearing in mind that a rootkit may hide it.
· Latency Method: based on the assumption that most sniffers do some kind of parsing, which increases the load on that machine, so it takes longer to respond to a ping packet. The difference in response times is used as an indicator of whether a machine is in promiscuous mode. This is the least reliable method, since load from any other cause produces the same signal.
· ARP Watch: to detect a hacker ARP-spoofing the gateway, utilities such as arpwatch record the IP-to-MAC mapping of every host seen on the segment and raise an alert when the MAC address for an IP address changes, or when one MAC address starts answering for more than one IP address.
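As an added example (not part of the original article), the following Python covers two of the techniques above: it builds the probe frame for the Ping Method, and it implements an ARP Watch over a constructed sample of ARP replies. The addresses, the bogus destination MAC, the helper names and the sample replies are all assumptions made for the example.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_promisc_probe(src_mac, src_ip, suspect_ip, bogus_dst_mac="00:00:5e:00:53:ff", ident=0x1234):
    """ICMP echo request addressed at layer 3 to the suspect but at layer 2 to a MAC that is not
    the suspect's (bogus_dst_mac is an arbitrary constructed value). A normal NIC drops the
    frame; a promiscuous host hands it to its IP stack, which answers. Sending it needs a raw
    socket; this only builds the bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"promisc-probe"   # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                       ip_bytes(src_ip), ip_bytes(suspect_ip))             # proto 1 = ICMP
    ipv4 = ipv4[:10] + struct.pack("!H", checksum(ipv4)) + ipv4[12:]
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ipv4 + icmp


class ArpWatch:
    """Records the MAC seen for each IP and flags the signs of poisoning described above:
    an IP whose MAC changes, one MAC answering for two IPs, and a host claiming the broadcast
    MAC. Changes to a protected address (the default gateway) are rated CRITICAL."""

    def __init__(self, protected=()):
        self.ip_to_mac = {}
        self.mac_to_ips = {}
        self.protected = set(protected)

    def observe(self, ts, sender_ip, sender_mac):
        alerts = []
        if sender_mac == BROADCAST_MAC:
            alerts.append(f"{ts} {sender_ip} claims the broadcast MAC")
        old = self.ip_to_mac.get(sender_ip)
        if old is not None and old != sender_mac:
            level = "CRITICAL" if sender_ip in self.protected else "warning"
            alerts.append(f"{ts} {level}: {sender_ip} changed {old} -> {sender_mac}")
        self.ip_to_mac[sender_ip] = sender_mac
        others = self.mac_to_ips.setdefault(sender_mac, set()) - {sender_ip}
        if others:
            alerts.append(f"{ts} {sender_mac} also answers for {sorted(others)}")
        self.mac_to_ips[sender_mac].add(sender_ip)
        return alerts


# Constructed sample: (time, sender IP, sender MAC) fields taken from ARP replies seen on the wire.
SAMPLE_REPLIES = [
    ("10:00:01", "192.0.2.1",  "00:00:5e:00:53:01"),   # the real gateway
    ("10:00:02", "192.0.2.10", "00:00:5e:00:53:0a"),
    ("10:00:03", "192.0.2.20", "00:00:5e:00:53:14"),
    ("10:00:15", "192.0.2.1",  "00:00:5e:00:53:14"),   # host .20's MAC now claims the gateway IP
    ("10:00:16", "192.0.2.1",  BROADCAST_MAC),          # broadcast-MAC variant of the attack
]


def run_arpwatch(replies, gateway="192.0.2.1"):
    """Feed the replies through the watcher and return every alert raised, in order."""
    watch = ArpWatch(protected=[gateway])
    return [alert for reply in replies for alert in watch.observe(*reply)]
```

On the sample, run_arpwatch raises nothing for the first three replies and four alerts for the last two: a CRITICAL change of the gateway's MAC, a note that the new MAC also answers for 192.0.2.20, the broadcast-MAC claim, and a second CRITICAL change. The probe builder sets the IPv4 and ICMP checksum fields so that re-summing each header yields zero, which is the standard way to check them.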

How To Protect Against Sniffing

The best way to secure a network against sniffing is to use encryption. It will not stop sniffers from running, but it ensures that the data they collect is unreadable. On a switched network the chances are that ARP spoofing will be used for sniffing, and the machine the hacker will most likely ARP-spoof is the default gateway. To prevent this, add the gateway's MAC address to each host's ARP cache as a static entry (arp -s on most systems), which unsolicited replies cannot overwrite. This is practical only on small networks; larger ones enforce the same thing on the switch with dynamic ARP inspection, and monitor with an ARP watch utility as described above.

Additional suggestions include:
· Use SSH instead of telnet.
· Use HTTPS instead of HTTP (if the site supports it).
· If concerned about email privacy, try a service such as Hushmail (www.hushmail.com), which uses SSL so that data cannot be read in transit between you and the service. Also, GnuPG (www.gnupg.org), a free implementation of the OpenPGP standard behind Pretty Good Privacy, can be used for encrypting and signing emails so that only the intended recipient can read them, wherever they are stored or relayed.
· Employ a sniffer detector. For example, the software package PromiScan is considered the standard sniffing node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application package used to remotely monitor computers on local networks to locate network interfaces operating in a promiscuous mode.

By: Steve Leytus

Network+ Exam Tutorial: Network Interface Cards (NICs)

December 25th, 2009



Part of the challenge of passing the Network+ exam is learning about all the different types of hardware a network requires. Today we’ll take a look at a vital part of network connectivity, the Network Interface Card (NIC, pronounced “nick”).

The NIC is the device, or card, that gives the host a physical connection to the network. The NIC is generally an internal device, but one that can be removed and replaced with a different NIC. For exam purposes NICs are classified as Physical layer devices working at Layer 1 of the OSI model, though the MAC address burned into the card belongs to the Data Link layer (Layer 2), so you will also see them described as Layer 1/Layer 2 devices.

Most issues involving NICs occur before the device is even added to the network – because the purchaser didn’t do their research. All NICs are not created equal. Some are for Ethernet networks, some for Token Ring, and speed capabilities vary as well. Don’t assume a given vendor’s NIC is going to fit your device and give you the results you want. A quick visit to the vendor’s website and a few minutes looking up NIC specifications can save you a lot of trouble later on.

One more NIC warning – take your time when you’re installing a new NIC. Make sure the device is off, and make sure you’re properly grounded by connecting the grounding strap to your wrist. Otherwise, you can send static electricity into places on the host where it’s only going to cause damage.

Your new NIC should also come with directions on how to download the drivers for that NIC. Drivers sound like something physical, but they’re not. Drivers are simply software files that are needed on the host in order for the NIC to work correctly. Vendors used to include drivers on CDs with their NICs, but the trend now is to include instructions on where to download the drivers from the vendor website.

That does lend itself to an occasional Catch-22: “If I don’t have this device on the Net yet, how can I download the drivers?” If the host has no network connectivity, you may need to download the drivers to a host that does, copy the files to CD, and then install the drivers from CD.

You’ll see two different lights on a typical NIC, one green and one amber. Depending on whether the host has network connectivity or not, the lights will be solid, flashing, or out. Sometimes flashing is good, sometimes it’s not! Here’s a guide to the colors you’ll see on a NIC:

A solid green light indicates connectivity is present. This link light is generally either green or off. Green is good, off is not! That light should stay a solid green. If you see it flashing green, that's a sign of intermittent connectivity, which is a fancy way of saying "one minute the PC is on the network, the next minute it's not". Most likely, either the NIC or the cable connected to the NIC is going bad. With the link light, flashing is not desirable. Check the card's documentation before panicking, though: many NICs have a separate activity LED that is supposed to flicker with traffic, and some blink the link LED itself to show activity.

Flashing amber lights indicate collisions. You'll see this flash occasionally even on a healthy half-duplex network, but you don't want to see it flash so often that it looks like a solid amber light! Collisions cannot occur on a full-duplex link, so on a modern switched port a steady amber light usually means something else, such as link speed; again, the card's documentation is the authority.

If you have an Internet connection at home, you can see these lights in action for yourself. The green and amber lights will be right next to where the cable from your modem connects to your PC.

On occasion, you’ll have a PC that loses connectivity to the network. I advise you to always start network troubleshooting at the Physical layer of the OSI model, and that means checking both the NIC and the cable connected to it. I personally would swap the cable out first, since they seem to go bad more often than NICs, but that’s up to you. If you swap NICs and you still can’t get the PC on the network, try putting a new cable in.

By: Chris Bryant