Network security - Common sniffers and countermeasures


Hackers can install sniffers on a system and capture data. To learn how sniffers work and how one can protect against this attack, read this detailed article.

It is a misconception that an internal IP address can only be reached or spoofed from within its own network segment. Poorly configured firewalls and routers can pass all traffic, and packets carrying source-routing information can travel by improbable paths, letting an attacker impersonate any system in your network and place himself on the path of even cryptographically protected connections, where he can at least intercept and disrupt them. As security threats grow, so must awareness of them. This article deals with some basic sniffers and countermeasures that everyone should know about.

Hackers install sniffers on a system to capture data as it passes across the network. A sniffer also lets the hacker harvest usernames and passwords for every other system that talks on the same segment, which makes it one of the most commonly used tools for gaining access to further systems. It hides on the compromised host as a harmless-looking program. Once a system has been compromised, the attacker typically uses automated scripts to revisit it and retrieve the sniffer's log files.

How sniffers work


To understand how sniffers work, it is necessary to understand how data is passed across the network. Between systems on a Local Area Network (LAN), data travels in frames, and each frame carries a destination MAC address. MAC addresses are assigned to Network Interface Cards (NICs) and other network devices by their manufacturers. A NIC normally accepts a frame only if the destination MAC address is its own (or a broadcast or multicast address); it then passes the frame up to the protocol stack for further processing and silently drops everything else.

A sniffer captures data by putting the NIC into promiscuous mode, in which the NIC passes every frame it sees up to the host regardless of the destination address. The hacker can then pick out whatever information he wants. Many protocols, among them FTP, HTTP (basic authentication) and telnet, send usernames and passwords over the network in cleartext, so it is easy for a hacker to collect your passwords and then read or alter confidential data.
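The following is an added example, not code from the article or from any of the tools it names. It models the two behaviours just described in pure Python: the NIC's normal destination-address filter versus promiscuous mode, and the parsing of Ethernet/IPv4/TCP frames to pull cleartext credentials out of FTP and HTTP basic-authentication traffic. The frames, MAC addresses, IP addresses and credentials are constructed for the example; the sniffing host is deliberately not a party to the conversation, so in normal mode it sees nothing and in promiscuous mode it sees everything.

```python
"""Toy sniffer: NIC address filtering, Ethernet/IPv4/TCP parsing and
cleartext credential harvesting (added example, not from the article)."""
import base64
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ip_checksum(hdr):
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying `payload` (sample data only).
    The TCP checksum is left at zero; the parser below does not verify it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload

def nic_accepts(frame, own_mac, promiscuous):
    """Model the NIC's hardware filter: a normal NIC keeps only frames sent to its own
    address, the broadcast address or a multicast group (low bit of first octet set).
    In promiscuous mode every frame on the wire is passed up to the host."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == mac(own_mac) or dst == BROADCAST or bool(dst[0] & 1)

def parse_tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
            sport, dport, tcp[data_off:])

def extract_credentials(dport, payload):
    """Cleartext credentials in FTP (port 21) and HTTP Basic auth (port 80)."""
    found = []
    for line in payload.decode("latin-1").splitlines():
        if dport == 21 and line.startswith(("USER ", "PASS ")):
            found.append(("ftp", line.strip()))
        elif dport == 80 and line.lower().startswith("authorization: basic "):
            found.append(("http-basic", base64.b64decode(line.split()[-1]).decode("latin-1")))
    return found

def sniff(frames, own_mac, promiscuous):
    """What a sniffer running on the host with `own_mac` harvests from `frames`."""
    harvested = []
    for frame in frames:
        if not nic_accepts(frame, own_mac, promiscuous):
            continue
        parsed = parse_tcp_payload(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = parsed
        for kind, cred in extract_credentials(dport, payload):
            harvested.append((src_ip, dst_ip, kind, cred))
    return harvested

# Constructed sample traffic on a hub segment. The sniffing host is
# 00:0c:29:00:00:01; the credentials travel between two *other* hosts.
SNIFFER_MAC = "00:0c:29:00:00:01"
SAMPLE_FRAMES = [
    build_frame("00:0c:29:00:00:02", "00:0c:29:00:00:03", "10.0.0.2", "10.0.0.3",
                40001, 21, b"USER alice\r\n"),
    build_frame("00:0c:29:00:00:02", "00:0c:29:00:00:03", "10.0.0.2", "10.0.0.3",
                40001, 21, b"PASS s3cret\r\n"),
    build_frame("00:0c:29:00:00:02", "00:0c:29:00:00:03", "10.0.0.2", "10.0.0.3",
                40002, 80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    print("normal mode     :", sniff(SAMPLE_FRAMES, SNIFFER_MAC, promiscuous=False))
    print("promiscuous mode:", sniff(SAMPLE_FRAMES, SNIFFER_MAC, promiscuous=True))
```

On a real Linux host the capture side of this would be an AF_PACKET raw socket with the interface switched to promiscuous mode, which needs root; the parsing and credential-matching logic is the same. Note that the HTTP credential is not encrypted in any sense, only base64-encoded, which is why basic authentication over plain HTTP counts as cleartext.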

Common sniffers


Network administrators and hackers have written many sniffers to date. Network administrators use them to debug network problems; hackers use them to capture data. Some of the common sniffers are described below.

Tcpdump

Tcpdump is a very simple sniffer that examines and captures network traffic and can store the capture for later review. By default it prints only the headers, not the data portion of each packet, but even header-level decoding leaks a great deal: it decodes NFS requests and displays the file handles, and with a stolen file handle an attacker can access a file without the filesystem ever being mounted. Tcpdump has served as the foundation of many intrusion-detection systems, such as Shadow.

Hunt

Developed by the Hunt Project, this sniffer captures usernames and passwords and can also hijack established connections. It is a far more sophisticated tool than Tcpdump and, used carelessly, can disrupt an entire network segment.

Linux-Sniff

Unlike the other sniffers here, Linux-Sniff is a plain and ordinary tool. It is not complex and reports only as much as is needed to harvest HTTP basic authentication, FTP and telnet sessions.

Ethereal

Ethereal (maintained today under the name Wireshark) is an excellent network-debugging sniffer. It grabs every packet on the wire and accepts the same capture-filter syntax as Tcpdump, so the user can concentrate on a particular port, host or protocol combination at a time. Because it dissects a great many protocols it can reconstruct the conversation between two hosts and pull usernames and passwords out of almost anything, including IMAP/POP connections and telnet sessions.

How to protect against a sniffer attack


The first line of defence is not to get a sniffer installed on your system in the first place: install only software from trusted sources and verify it before running it. If a sniffer does get in, the countermeasures below limit what it can see. They will not guarantee that an attacker gains no foothold, but they go a long way towards keeping him from complete access to your systems.

Use switched networks in place of hubs

In a switched environment, a unicast frame is forwarded only to the port where its destination MAC address lives; with a hub, every frame is repeated to every system on the segment. Note, however, that switching is not a complete answer: some sniffers defeat it, typically by sending forged ARP replies so that traffic for another host is delivered to the attacker's port, or by flooding the switch's address table until it falls back to repeating frames to every port.

Hard-code the MAC address (static ARP entries)

This may sound like a tedious solution, but because some sniffers work on switched networks it becomes essential. If each host carries a static ARP entry for its gateway and the servers it talks to, a forged ARP reply cannot overwrite those bindings. The price is maintenance: the static table on every system must be updated each time you replace an Ethernet card or add a new host.
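As an added example (not from the article, and not any particular operating system's ARP code), the block below shows in Python what a static IP-to-MAC table buys you on a switched network. It decodes constructed ARP reply frames, refuses to let a reply overwrite a pinned entry, and raises an alert when a reply contradicts the table. The addresses and the attacking host are made up for the example; the pinned table stands in for `arp -s` entries or an /etc/ethers file.

```python
"""Static ARP table as a defence against switched-network sniffing: refuse cache
updates for pinned hosts and flag forged replies (added example, not from the article)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Hard-coded IP-to-MAC bindings, the equivalent of `arp -s` entries or an
# /etc/ethers file. Addresses are constructed for this example.
STATIC_ARP = {
    "10.0.0.1": "00:0c:29:aa:00:01",   # default gateway
    "10.0.0.3": "00:0c:29:aa:00:03",   # file server
}

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP 'is-at' reply frame (sample data only)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sender_mac), bytes(map(int, sender_ip.split("."))),
                      mac(target_mac), bytes(map(int, target_ip.split("."))))
    return mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Decode an ARP frame into its fields, or return None for other ethertypes."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": fmt_mac(sha), "spa": ".".join(map(str, spa)),
            "tha": fmt_mac(tha), "tpa": ".".join(map(str, tpa)),
            "eth_src": fmt_mac(frame[6:12])}

def check_arp(frame, static):
    """Alerts for an ARP reply that contradicts the static table or its own Ethernet header."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REPLY:
        return []
    alerts = []
    pinned = static.get(arp["spa"])
    if pinned is not None and pinned != arp["sha"]:
        alerts.append("%s claimed at %s, static table says %s" % (arp["spa"], arp["sha"], pinned))
    if arp["sha"] != arp["eth_src"]:
        alerts.append("ARP sender %s differs from Ethernet source %s" % (arp["sha"], arp["eth_src"]))
    return alerts

def update_cache(cache, frame, static):
    """Apply one ARP reply to a host's cache. Pinned entries are never overwritten,
    which is exactly what hard-coding the MAC address buys you. Returns True if
    the cache changed."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REPLY or arp["spa"] in static:
        return False
    cache[arp["spa"]] = arp["sha"]
    return True

def audit(frames, static):
    """Run every frame through the detector and a cache seeded from the static table."""
    cache = dict(static)
    alerts = []
    for frame in frames:
        alerts.extend(check_arp(frame, static))
        update_cache(cache, frame, static)
    return cache, alerts

# Constructed traffic: a genuine reply from the gateway, then an attacker at
# 00:0c:29:bb:ad:01 claiming the gateway's IP (the classic ARP spoofing move),
# then a legitimate reply from a host that is not pinned.
VICTIM_MAC = "00:0c:29:aa:00:02"
SAMPLE_ARP = [
    build_arp_reply("00:0c:29:aa:00:01", "10.0.0.1", VICTIM_MAC, "10.0.0.2"),
    build_arp_reply("00:0c:29:bb:ad:01", "10.0.0.1", VICTIM_MAC, "10.0.0.2"),
    build_arp_reply("00:0c:29:aa:00:09", "10.0.0.9", VICTIM_MAC, "10.0.0.2"),
]

if __name__ == "__main__":
    cache, alerts = audit(SAMPLE_ARP, STATIC_ARP)
    print(cache)
    for alert in alerts:
        print("ALERT:", alert)
```

The second check, comparing the ARP sender address with the Ethernet source address, catches the cruder spoofing tools; the first check is the one that matters, since a carefully built forged reply is internally consistent and only the static table gives it away.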

Encrypt the data

This is the best way to protect usernames, passwords and any other sensitive data. If the data is encrypted, only the authorized sender and the authorized receiver can read it; a sniffer on the path sees only ciphertext.

Encrypt the protocol

A hacker may succeed in redirecting an encrypted TCP session, but he cannot read the data flowing through it. Nor can he inject commands when the stream itself is encrypted and integrity-protected: any attempt to insert data fails the integrity check and the server terminates the connection immediately. This cuts both ways, since an outsider who can reach the stream can therefore break your connection and interrupt the data flow. Still, I would say that an interrupted connection is far better than one whose contents are captured by someone.
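The following added example (not from the article, and not any real protocol implementation) puts both encryption points together in Python: a cleartext command stream, in which a sniffer reads everything and an injected command simply executes, beside an authenticated encrypted stream, in which the sniffer sees only ciphertext and a forged or replayed record fails its integrity check and terminates the session. The record layout, the use of HMAC-SHA256 in counter mode as the keystream generator and the encrypt-then-MAC framing with sequence numbers are my choices for a standard-library-only illustration; the shared key and the commands are constructed. Use TLS or SSH for real traffic; this block exists to show why injection fails and why the only thing left to an attacker is denial of service.

```python
"""Authenticated encryption on a command stream: an on-path attacker sees only
ciphertext, and any forged or replayed record is rejected and ends the session.
Added example, not from the article. Stdlib-only illustration (HMAC-SHA256 in
counter mode as keystream, encrypt-then-MAC records with sequence numbers);
use TLS or SSH in practice."""
import hashlib
import hmac
import struct

TAG_LEN = 32
HDR = struct.Struct("!QH")      # sequence number, ciphertext length

class SecureChannel:
    """One direction of an encrypted stream; both ends hold the same master key
    (in practice agreed via a key exchange, with one key per direction)."""

    def __init__(self, master_key):
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.send_seq = 0
        self.recv_seq = 0
        self.alive = True

    def _keystream(self, seq, n):
        out, block = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, struct.pack("!QQ", seq, block), hashlib.sha256).digest()
            block += 1
        return out[:n]

    def seal(self, plaintext):
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(seq, len(plaintext))))
        header = HDR.pack(seq, len(ct))
        return header + ct + hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()

    def open(self, record):
        """Verify and decrypt one record; any failure kills the connection for good."""
        if not self.alive:
            raise ConnectionError("connection already terminated")
        header, ct, tag = record[:HDR.size], record[HDR.size:-TAG_LEN], record[-TAG_LEN:]
        seq, length = HDR.unpack(header)
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if seq != self.recv_seq or length != len(ct) or not hmac.compare_digest(tag, expected):
            self.alive = False
            raise ConnectionError("integrity failure at record %d: connection terminated" % self.recv_seq)
        self.recv_seq += 1
        return bytes(c ^ k for c, k in zip(ct, self._keystream(seq, len(ct))))

def cleartext_session(commands, injected):
    """Unprotected stream: the sniffer reads everything and the injected command runs.
    Returns (what crossed the wire, what the server executed)."""
    wire = list(commands) + [injected]
    return wire, wire

def encrypted_session(master_key, commands, injected, replay=False):
    """Protected stream with an on-path attacker who appends a forged record
    (or replays an earlier one). Returns (wire, executed, termination reason)."""
    client, server = SecureChannel(master_key), SecureChannel(master_key)
    wire = [client.seal(c) for c in commands]
    if replay:
        wire.append(wire[0])
    else:  # attacker forges header + payload but cannot compute the tag
        wire.append(HDR.pack(len(commands), len(injected)) + injected + b"\x00" * TAG_LEN)
    executed, reason = [], None
    for record in wire:
        try:
            executed.append(server.open(record))
        except ConnectionError as exc:
            reason = str(exc)
            break
    return wire, executed, reason

def leaks_plaintext(wire, commands):
    """True if any command is visible verbatim in what crossed the wire."""
    return any(cmd in record for cmd in commands for record in wire)

# Constructed secret and traffic for the example.
MASTER_KEY = hashlib.sha256(b"constructed shared secret for this example").digest()
COMMANDS = [b"USER alice", b"PASS s3cret", b"LIST /srv"]
INJECTED = b"DELETE /srv/*"

if __name__ == "__main__":
    wire, executed = cleartext_session(COMMANDS, INJECTED)
    print("cleartext executed:", executed)
    wire, executed, reason = encrypted_session(MASTER_KEY, COMMANDS, INJECTED)
    print("encrypted executed:", executed, "|", reason)
```

The sequence number in every record is what turns "cannot forge" into "cannot replay" as well: a captured record is only valid at the position it was originally sent, so re-sending it later trips the same check and closes the session.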


