                                 HiR 8
-]]])))}}}>>> Packet Sniffing Techniques For The Novice User <<<{{{((([[[-
                                 by Axon

Ahh, the wonderful world of packet sniffing.  You may or may not have done
this before...

"Sniffing" is the process of putting your computer's network card into
what's called "promiscuous mode".  In that mode it reads every packet it
sees (whereas normally it only reads the packets addressed to it).  After
the card is placed in this mode, a sniffer will track packets (usually
parsing the useful data out of each packet and writing it to a log file
on the hard disk).  This is a really good way of doing a few things on a
network:

	o Gathering traffic information, looking for LAN stations that are
	  abusing bandwidth.

	o Actually looking at the data inside the packets to see what
	  files people are downloading with FTP, watching telnet sessions,
	  and even watching their usernames and passwords.

	o Getting a general idea of where most of the packets are coming
	  from and going to, as a troubleshooting measure.

There are sniffing programs for almost every platform.  My favorite
platform is Linux, as it is already my operating system of choice, and
there are quite a few really easy to use sniffers for it.  These include:
tcpdump, sniffit, iptraf, and linsniffer.  Those are what I use the most.
My favorite floppy-Linux distribution, Trinux, comes with sniffit, iptraf,
and linsniffer.  Almost every "big" Linux distro (Red Hat, Debian,
Caldera, etc.) comes with tcpdump, although you might have to select a
special option to have it installed automatically.

Tcpdump is probably the hardest of the three to learn how to use.  It
mostly dumps raw TCP packets out to standard output (or wherever you
redirect it to).  It has other options, too, but overall, it's difficult
for a beginner to use.  I'll focus more on the other two.

Linsniffer is quite possibly the most evil of the sniffers I've mentioned.
All it does is get passwords.  It looks for HTTP passwords, telnet
passwords, FTP passwords, and mail passwords.  It does a pretty good job,
but really lacks an "ethical" use.  You can get linsniffer (or any of
these sniffers) wherever you can find Linux software (places like sunsite,
which is now metalab.unc.edu).  All you do is run "linsniffer" as root.
It will not display any output.  Everything it finds will be placed in a
file called "tcp.log" in the directory you were in when you started
linsniffer.

Sniffit is extremely cute.  It's harder to find passwords with it, but if
your goal has nothing to do with finding passwords, and more to do with
watching who is connected to what, and maybe even watching the actual
connection, this is for you.  With Sniffit, I have many times been
successful in watching the exact telnet screen of people that are on my
segment.  You can redirect the sniffed output to another virtual console,
and that console becomes the telnet screen of the person whom you are
sniffing.  You see what they type, what they get back, you watch them read
their e-mail with pine, as if their ghost was sitting there using your
screen.

Iptraf isn't really a "sniffer" by industry terms, but it still uses
promiscuous mode to operate; therefore I call it a "sniffer".  Iptraf will
break down the traffic stream into chunks for you, so you can see exactly
what kind of packets are being exchanged, how big they are, and where they
are coming from and going to.  This program is not good for looking at
the actual data inside the packet, but it's great for finding out who is
hogging the bandwidth, and what they're hogging it with.

As far as sniffing on other platforms goes... For Windows 95 and 98 there
is also a plugin for the ever-famous Back Orifice program that does
sniffing, called "Butt Sniffer".  There is also a non-plugin version that
just runs in an MS-DOS window under Windows 95/98.  This is probably the
best Windows 9x sniffer I've seen, and it's worth looking into.  It's
available through www.cultdeadcow.com under the Back Orifice page
somewhere.  Shoutouts to the author, Mudge (who kicked ass at DefCon) =]
 
------------------------------------------------------------------------------

So, if it's so easy to just watch what's going on on the local network,
there must be loads of people doing it, right?  Well, the paranoid would
say so, but in actuality, there probably isn't a whole lot of it going on.
I'm not saying that there isn't ANY.  So if there's even the possibility
that it's there, how would one stay protected from the evils of
sniffing?

Well, the apostols (a Spanish hacking group, if memory serves correctly)
have a few really good products (one being QueSO, a remote TCP/IP
fingerprinter for detecting what OS a remote machine is running), but the
one we focus on here is "NEtwork Promiscuous Ethernet Detector" (or
"neped").  It only runs on UNIX/Linux (that I know of; it's not directly
compilable on Windows, but I'm not much of a programmer, and it might be
easy to do).  I wrote a small shell script that uses neped as a core to
take action when promiscuous mode is detected.

sniffdetect.sh is configurable and can run a shell script or a program
once as soon as sniffing is detected, and will run another program or
script as soon as it sees the sniffing has stopped.  It can be used to
stop services on your system, e-mail an administrator, page someone, or
even to shut down the machine (although I don't know why you would want
to do such a thing).  I set it up to blast the IP and MAC address of the
sniffing machine to my pager, and to tell me that sniffing has ceased when
it stops detecting the running sniffers (I wrote some paging software
that sends out alpha pages to me from the command line to do this).  In
theory, it's very possible to make something that will launch a
counter-attack/Denial of Service against the sniffing machine, but I'm not
really a believer in that method.  Here's my shell script.

sniffdetect.sh:
-------------begin-------------------------------------------------------
#!/bin/sh
## Cheap-ass promiscuous mode watcher/action-taker
## Written by axon 
##
## Requires "NEtwork Promiscuous Ethernet Detector" (neped.c)
## ftp://apostols.org/AposTools/snapshots/neped/neped.c
##
## This program must be run as root, or neped must be set-uid root.
##
#########################################################################
##
## Config Options!
##
######
iface="eth0"            # Interface that neped probes.

                        # Command or shell script that's run when promisc.
promisccmd="promisc.sh" # mode card is found.  This might shut down a
                        # service, or e-mail an administrator.  Up to you.
                        # (you must write a promisc.sh script or change
                        # this variable)

                                # Command or shell script that's run when
nopromisccmd="nopromisc.sh"     # promisc. mode ceases.  This might page
                                # an administrator or restart a service.
                                # (you must write a nopromisc.sh script or
                                # change this variable)

interval=10                     # Seconds between neped runs, so the loop
                                # doesn't flood the segment with probes or
                                # eat the CPU.

while true
do
  while true                    # Wait for promisc. mode to show up.
  do
                                # Counts number of lines that are returned
    neped=`neped $iface | wc -l` # by neped.  The script assumes neped
                                # prints 8 lines when nothing is found and
                                # one more per sniffing host; adjust the
                                # number if your version differs.

    if [ "$neped" -gt 8 ];then  # Promisc. mode detected:
      neped $iface | grep "*>" >> promisc.log  # log the sniffing host(s),
      $promisccmd               # run the command of your choice,
      break                     # and go wait for it to stop.
    fi
    sleep $interval
  done

  while true                    # Wait for promisc. mode to cease.
  do
    neped=`neped $iface | wc -l`
    if [ "$neped" -le 8 ];then  # Back to the bare neped output:
      $nopromisccmd             # run the "ceased" command of your choice
      break                     # and go back to watching.
    fi
    sleep $interval
  done
done
----------------end sniffdetect.sh------------------------------------------
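neped, and sniffdetect.sh on top of it, looks for promiscuous cards from
across the wire.  A complementary check for the machines you administer
yourself is to read each interface's own flags: on Linux the kernel
exposes them as a hex word in /sys/class/net/<if>/flags (the IFF_PROMISC
bit is 0x100), and "ip -o link" prints the same flags by name.  The
following is an added example, not Axon's code and not part of neped; the
"ip -o link" output it parses is constructed sample text, and the
live_check function assumes an iproute2 "ip" binary is installed.

```shell
#!/bin/sh
# Added example: audit a host's own interfaces for promiscuous mode.
# Not part of the original article or of neped.
# Linux writes each interface's flags word as hex to /sys/class/net/<if>/flags;
# IFF_PROMISC is 0x100.  "ip -o link" prints the same flags by name, e.g.
# <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>.

# flags_promisc HEXWORD: succeed (exit 0) if IFF_PROMISC is set in HEXWORD,
# which has the form the kernel writes, such as 0x1103.
flags_promisc() {
    flags=$(printf '%d' "$1" 2>/dev/null) || return 2
    [ $(( flags & 256 )) -ne 0 ]
}

# promisc_ifaces: read "ip -o link" output on stdin and print the names of
# the interfaces whose flag list contains PROMISC, one per line.
promisc_ifaces() {
    # Field 1 is the index ("2:"), field 2 the name ("eth0:"), field 3 the
    # angle-bracketed flag list.  Strip the trailing colon from the name.
    awk '$3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# sysfs_promisc_ifaces: the same audit straight from /sys, for a box
# without iproute2.  Prints every interface with IFF_PROMISC set.
sysfs_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flags_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# live_check: run the ip-based audit on this machine (needs iproute2's ip).
live_check() {
    command -v ip >/dev/null 2>&1 || { echo "ip not found" >&2; return 2; }
    ip -o link | promisc_ifaces
}

# Constructed sample of "ip -o link" output: lo and eth1 are normal, eth0
# has been put in promiscuous mode (a sniffer is running on it).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# check_sample: run the parser over the constructed sample; prints "eth0".
check_sample() {
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
}

check_sample
```

A card in promiscuous mode on somebody else's host never shows up in your
own flags, which is why neped probes the whole segment; this check is for
auditing the boxes you run.  Also remember that a bridge port, or a
legitimate monitor such as iptraf described above, sets PROMISC too, so a
hit is a reason to ask who turned it on and why, not proof of a sniffer.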

I hope that this gives you the edge that you need.  This was in no way a
very elaborate "sniffing how-to".  You can go anywhere to get that sort of
information.  This was focused more on how it works, and what tools are
used to do it, and how to protect yourself from the world of packet
sniffers.

