Network Monitoring and Packet Sniffing Tools
Network monitoring or packet sniffing tools are like many other infosec tools. They can be used for good or evil, it all depends on the intent of the user!
I cannot imagine how you could claim to do LAN troubleshooting without capturing packets at times. At the same time, protocols that move sensitive data as cleartext are commonly used (POP and IMAP with the user's account name and password, and FTP and even TELNET are still used a surprising amount), and the bad guy could easily capture user authentication information (login and password) or other sensitive data (complete contents of shared files, copies of every print job submitted, and so on).
So, you have to use these to maintain your networks, and you need to realize that the bad guys could use these against you.
There are various categories of network monitoring tools:
Packetstorm has a wonderful archive of network monitoring tools.
UNIX / Linux / BSD / MacOS X LAN Monitoring Tools
DOS/Windows LAN Monitoring Tools
arpspoof, which uses ARP trickery to confuse hosts about the mappings between IP and MAC addresses. The attacker can use arpspoof to have all datagrams between specified pairs of hosts sent to a sniffing host. The sniffer grabs copies and possibly modifies contents before sending the frames back through the switch to the legitimate hardware addresses. Get the dsniff toolkit from monkey.org or packetstormsecurity.com.
webspy, for example) understand application-layer protocols and make it easy to capture and analyze FTP logins and passwords, web traffic, mail, etc.
Dsniff is a great tool for password capture. You must understand that your attackers all know this and will use it if possible.
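ARP poisoning of the kind arpspoof performs leaves a visible trace on the segment: the same IP address is announced by two different hardware addresses. The following detector is an added example (not part of this page or the dsniff project); it parses raw Ethernet/ARP frames and reports every IP claimed by more than one MAC. The frames, addresses and MACs are constructed sample input.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return bytes(map(int, a.split(".")))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet + ARP reply frame (used here only to construct
    test input; on a real network these come from a capture)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, opcode
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def find_arp_conflicts(frames):
    """Map each IP seen in ARP replies to the MACs that claimed it, and return
    only the IPs with more than one claimant. A second MAC for an address that
    was already announced is the signature of poisoning (or of a duplicate
    address, which also deserves a look)."""
    seen = defaultdict(list)           # ip -> MACs in first-seen order
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

# Constructed traffic: the gateway 10.0.0.1 is first announced by its real MAC,
# then a second station starts claiming the same IP, as arpspoof does.
GATEWAY, VICTIM, SNIFFER = "00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:99"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY, "10.0.0.1", VICTIM, "10.0.0.20"),
    build_arp_reply(VICTIM, "10.0.0.20", GATEWAY, "10.0.0.1"),
    build_arp_reply(SNIFFER, "10.0.0.1", VICTIM, "10.0.0.20"),
    build_arp_reply(SNIFFER, "10.0.0.1", VICTIM, "10.0.0.20"),
]
```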
Wikipedia has a very useful introduction to wireless networking and the security issues.
Note that wireless monitoring tools can be extremely dependent on chipset. Make sure that your planned software and WLAN card will get along!
The Trifinite Group has information on wireless security, including RFIDiot and other RFID security tools and information at trifinite.org.
Also see the COMSEC section of another page of mine for details on how GSM encryption can be broken. Really. It can. GSM salesmen don't want you to know this, but it's true.
Here's my page on setting up WPA2 / 802.11i wireless security.
Optical fiber can be tapped without splicing. You can read the data by removing some of the sheath and gently bending the fiber in a bend coupler. You can supposedly buy them for a few hundred US dollars; check eBay.
There are claims that optical taps have been found on police networks in the Netherlands and Germany, and the FBI investigated one discovered on Verizon's network in the US.
For more see:
Interactive keyboard use can be "eavesdropped" by means you might not expect.
Consider the relative difficulty or ease of touch-typing different character sequences on a standard QWERTY keyboard: F-J would be very fast (home key on left hand then home key on right hand, easy and fast) while 2-X would be very slow (extreme reaches for the same finger, awkward and slow).
So, a good typist may have a high aggregate rate of characters per minute, but the inter-character spacings are going to vary. A given two-character or longer sequence is not always going to be exactly the same, but over time the distribution is going to be fairly distinctive.
Measure the inter-character times and you have the data needed for bigram analysis. You won't recover 100% of the cleartext, but with adequate data and quality typing of large blocks of text, you will recover some.
So how can you measure the inter-character times?
Like so much of information theory, this isn't entirely new. A Morse code operator might be recognized by a distinctive "fist" or slight imperfection in their keying cadence.
Then there are more "movie-style" threats. Jan-Michael Frahm of the University of North Carolina at Chapel Hill is the head of the 3D Computer Vision Group there. His group has developed their iSpy system, which can identify text typed on touchscreens from video footage of the screen itself or of its reflection in windows or even in sunglasses. Their paper is available here. Their system was described in New Scientist, 29 October 2011, pp 22-23.
They say that they can use video from an ordinary mobile phone up to 3 meters away, but a digital SLR camera shooting HD video could read screens up to 60 meters away. Their approach takes advantage of the fact that the targeted platforms magnify the virtual keys. It isn't perfect, but they recover over 90% of what is typed on these ever more prevalent interfaces.
For suggestions on spotting sniffer attacks, see the discussion in an older CERT advisory. One method would be to send out an Ethernet frame to a MAC destination address that is not in use on your network. Inside that frame is an IP datagram to which a typical host would reply. The NIC would normally have filtered out (that is, ignored or dropped) that frame because it was sent to some other unicast MAC address. But since its chipset is in promiscuous mode, the filtering is turned off and the IP datagram is passed to the operating system. The operating system then replies, and now you know that host has its interface in promiscuous mode. The sniffer detection relies on tricking the host with a promiscuous interface into reporting itself.
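The probe just described, as an added example (not from the page or the CERT advisory): it builds the Ethernet frame with a destination MAC nobody owns around a correctly addressed ICMP echo request, and classifies a captured frame as a reply to that probe. The MACs, IP addresses and the probe identifier are constructed; the bogus destination MAC is an assumption and should be one you have confirmed is unused on your segment.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
PROBE_ID = 0x4242   # constructed identifier so replies can be matched to our probe

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return bytes(map(int, a.split(".")))

def build_probe(src_mac, src_ip, target_ip, bogus_mac="00:00:00:00:00:01"):
    """Ethernet frame to a MAC nobody owns, carrying an ICMP echo request whose
    IP header is correctly addressed to target_ip. Only a host whose NIC has
    stopped filtering on destination MAC will see, and answer, this datagram."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, PROBE_ID, 1) + b"probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                      _ip(src_ip), _ip(target_ip))
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    return _mac(bogus_mac) + _mac(src_mac) + b"\x08\x00" + iph + icmp

def reply_flags_promiscuous(frame, target_ip):
    """True if the captured frame is an ICMP echo reply to our probe coming
    from target_ip, i.e. that host answered a frame its NIC should have dropped."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":        # not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or frame[26:30] != _ip(target_ip):     # not ICMP / wrong source
        return False
    icmp = frame[14 + ihl:]
    return (len(icmp) >= 8 and icmp[0] == ICMP_ECHO_REPLY
            and struct.unpack("!H", icmp[4:6])[0] == PROBE_ID)

# Constructed reply: suspect host 10.0.0.5 answering the probe sent from 10.0.0.9.
SAMPLE_REPLY = (_mac("aa:bb:cc:dd:ee:09") + _mac("aa:bb:cc:dd:ee:05") + b"\x08\x00"
                + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 33, 7, 0, 64, 1, 0,
                              _ip("10.0.0.5"), _ip("10.0.0.9"))
                + struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, PROBE_ID, 1) + b"probe")
```

To run it against a real segment, send the frame from a raw link-layer socket (on Linux, `socket.AF_PACKET` bound to the interface, which needs root) and pass every frame captured in the next few seconds through `reply_flags_promiscuous`. A host that answers has its interface listening to traffic not addressed to it.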
To detect network interfaces in promiscuous mode: