Sniff attack and traceroute


  • Sniff attack and traceroute

    If your network connection is being sniffed (Arp poisoning) in a LAN by a culprit (who is in your LAN too), all your network packets will go through the culprit's computer before reaching their actual destination. Thus I was wondering if the network command 'traceroute' can determine whether your network connections are being sniffed? If not, is there a method to find out?

    Furthermore, as my network packets have to be forwarded to their actual destination when passing through the culprit's computer, is it possible that your network will slow down a little (i.e. a web page takes a longer time to load) when your connections are being sniffed (Arp poisoning)?

    Lastly, as I'm still new to networking, I apologise if any of the information above is misleading.

  • #2
    Sniffing packets is a bit different than ARP poisoning. Sniffers usually only capture packets that are sent through the network. Sniffing packets will place the computer's NIC in promiscuous mode. If you're trying to discover a sniffer in your network, and you use a Unix based system, use the command ifconfig -a and look for PROMISC. If your system is Windows based you can use a tool like promiscdetect.

    http://www.ntsecurity.nu/toolbox/promiscdetect/
    Last edited by Clp727; June 25, 2005, 17:28.



    • #3
      Originally posted by 0oOOo0
      If your network connection is being sniffed (Arp poisoning) in a LAN by a culprit (who is in your LAN too), all your network packets will go through the culprit's computer before reaching their actual destination. Thus I was wondering if the network command 'traceroute' can determine whether your network connections are being sniffed? If not, is there a method to find out?
      Poisoning of a target's arp cache to convince the target host to build ethernet frames with a destination address of the "sniffing host", so the switch passes those frames to the "sniffing host", which then re-packages the layer2 payload for the router to pass them on, is not sniffing in the conventional sense; it is a non-passive (active) attack to allow for MiM processing. Such an attack would need to be applied to the logical next hop (like a router or host on the same subnet) in order to have both halves of any session.

      If the packets are only forwarded on layer2 (802.* for those that match) then traceroute would not show the intermediate host, because "routing" happens at layer3 (IP) and "traceroute" (for the most part) operates at layer3/4. The arp information is primarily for frame manufacturing, i.e. knowing what destination MAC address to include in the Layer2 header.

      Assuming something about how the sniffing host works, the intermediate sniffing host is not actually an IP-based "hop" as far as Layer 3/4 is concerned, as it is not an IP address in the path of traffic; it is only a layer 2 host in the path. (Imagine a switch that does store and forward, where it sends a frame only after it has received the complete frame. This switch would also not appear as a "hop" from traceroute for similar reasons.)

      Furthermore, as my network packets have to be forwarded to its actual destination when passing through the culprit's computer, is it possible that your network will slow down a little
      Any delay would likely be very, very small and similar to a burdened etherswitch.



      • #4
        Good idea, thinking about stuff like this, in this kinda way I think is what makes people a hacker. For being new to networking, you're already ahead of the game on many people that think they know about networking....

        The tool that is the most popular among 'arp poisoners' I think is ettercap. Cain for windows and Dsniff also support arp spoofing, as do I'm sure a few other tools.
        In the older versions, there was an option in the 'curses interface where you can check for other 'poisoners' ... This would send out a very noisy arp storm, and if a MAC (layer2 address) responds twice, it lets you know.
        As TheCotMan said excellently, your new spoofed gateway will slow you down...
        It also will NOT show up on a traceroute...
        If he is spoofing more than one machine's gateway, or even the entire switch.. then all of the traffic will go through him, thus things will be quite slower.
        The danger of ARP poisoning is VERY HIGH... this is a 'mitm' (Man-in-the-middle) situation and if the end user is not very technical and/or the attacker is very resourceful, they can sniff all your traffic, they can present you with fake certs and then sniff your HTTPS traffic, she/he can even sniff your SSHv1 traffic. He/She can inject data into your outgoing or incoming frames, and they can drop whatever they want. He/She is in control. Ettercap has large support for filters, that is where the real scary shit starts....

        Some cisco routers I believe will protect from arp poisoning, snort will give you alerts, but a vast majority of networks are quite vulnerable to this attack. If you run windows, even if you statically assign a gateway, you can still be victimized. If you run *nix and have enough permission, you can set your route statically, and thus be protected from ARP poisoning (but not much else, esp if they have control of the switch, physical access, etc).

        I am thinking of a community college near where I live that uses SSNs for computer lab logins... this college also allows you to bring your laptop in for special occasions. (I can't think it's that rare...)
        The SSN box (program written in VB) sends the number in plaintext form to a central Database, and gets a reply (that contains other student information and the name of the student). This is horrible, and even in the name of security and personal information disclosure, they won't change the system. (I already used a diff. number as my student ID, and I recommend anyone else that can switch to something else do so...)
        ARP poisoning is very effective for an attacker, and can be hard to protect against.
        The only constant in the universe is change itself
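A passive version of the duplicate-MAC check mentioned above, written here as an added example (not ettercap's code, and not from anyone in the thread): it parses ARP reply frames from constructed sample bytes and flags an IP whose claimed MAC changes, or a frame whose Ethernet source differs from the ARP sender field. All addresses and frames are constructed for the demo; a real deployment would feed it frames captured from the wire.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_ARP = b"\x08\x06"   # EtherType for ARP
ARP_REPLY = 2           # ARP opcode 2 = reply


def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed Ethernet+ARP reply frame used only as sample input."""
    eth = target_mac + sender_mac + ETH_ARP                    # dst, src, type
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)    # eth/IPv4/6/4/op
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (opcode, eth_src_mac, arp_sender_mac, arp_sender_ip), or None
    if the frame is not a well-formed Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    eth_src = frame[6:12].hex(":")
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, eth_src, sender_mac, sender_ip


class ArpWatcher:
    """Tracks IP -> MAC bindings seen in ARP replies and reports conflicts.
    A legitimate DHCP reassignment or NIC swap also changes a binding, so an
    alert is a lead to verify against the switch's MAC table, not proof."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        parsed = parse_arp(frame)
        if parsed is None:
            return alerts
        op, eth_src, mac, ip = parsed
        if op != ARP_REPLY:
            return alerts                       # requests carry no claim
        if eth_src != mac:
            alerts.append(f"Ethernet src {eth_src} != ARP sender {mac} for {ip}")
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"ARP conflict: {ip} was {known}, now claimed by {mac}")
        return alerts
```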



        • #5
          Sniffing packets is a bit different than ARP poisoning. Sniffers usually only capture packets that are sent through the network. Sniffing packets will place the computer's NIC in promiscuous mode. If you're trying to discover a sniffer in your network, and you use a Unix based system, use the command ifconfig -a and look for PROMISC. If your system is Windows based you can use a tool like promiscdetect.

          http://www.ntsecurity.nu/toolbox/promiscdetect/

          Straight forward answer with a nice link there, thanks


          Poisoning of a target's arp cache to convince the target host to build ethernet frames with a destination address of the "sniffing host", so the switch passes those frames to the "sniffing host", which then re-packages the layer2 payload for the router to pass them on, is not sniffing in the conventional sense; it is a non-passive (active) attack to allow for MiM processing. Such an attack would need to be applied to the logical next hop (like a router or host on the same subnet) in order to have both halves of any session.

          If the packets are only forwarded on layer2 (802.* for those that match) then traceroute would not show the intermediate host, because "routing" happens at layer3 (IP) and "traceroute" (for the most part) operates at layer3/4. The arp information is primarily for frame manufacturing, i.e. knowing what destination MAC address to include in the Layer2 header.

          Assuming something about how the sniffing host works, the intermediate sniffing host is not actually an IP-based "hop" as far as Layer 3/4 is concerned, as it is not an IP address in the path of traffic; it is only a layer 2 host in the path. (Imagine a switch that does store and forward, where it sends a frame only after it has received the complete frame. This switch would also not appear as a "hop" from traceroute for similar reasons.)

          Very informative, that's 11 out of 10 rating, thanks for your time TheCotMan.


          Good idea, thinking about stuff like this, in this kinda way I think is what makes people a hacker. For being new to networking, you're already ahead of the game on many people that think they know about networking....

          The tool that is the most popular among 'arp poisoners' I think is ettercap. Cain for windows and Dsniff also support arp spoofing, as do I'm sure a few other tools.
          In the older versions, there was an option in the 'curses interface where you can check for other 'poisoners' ... This would send out a very noisy arp storm, and if a MAC (layer2 address) responds twice, it lets you know.
          As TheCotMan said excellently, your new spoofed gateway will slow you down...
          It also will NOT show up on a traceroute...
          If he is spoofing more than one machine's gateway, or even the entire switch.. then all of the traffic will go through him, thus things will be quite slower.
          The danger of ARP poisoning is VERY HIGH... this is a 'mitm' (Man-in-the-middle) situation and if the end user is not very technical and/or the attacker is very resourceful, they can sniff all your traffic, they can present you with fake certs and then sniff your HTTPS traffic, she/he can even sniff your SSHv1 traffic. He/She can inject data into your outgoing or incoming frames, and they can drop whatever they want. He/She is in control. Ettercap has large support for filters, that is where the real scary shit starts....

          Some cisco routers I believe will protect from arp poisoning, snort will give you alerts, but a vast majority of networks are quite vulnerable to this attack. If you run windows, even if you statically assign a gateway, you can still be victimized. If you run *nix and have enough permission, you can set your route statically, and thus be protected from ARP poisoning (but not much else, esp if they have control of the switch, physical access, etc).

          I am thinking of a community college near where I live that uses SSNs for computer lab logins... this college also allows you to bring your laptop in for special occasions. (I can't think it's that rare...)
          The SSN box (program written in VB) sends the number in plaintext form to a central Database, and gets a reply (that contains other student information and the name of the student). This is horrible, and even in the name of security and personal information disclosure, they won't change the system. (I already used a diff. number as my student ID, and I recommend anyone else that can switch to something else do so...)
          ARP poisoning is very effective for an attacker, and can be hard to protect against.

          My gosh, Defcon is just great



          • #6
            It's funny. When people can ask intelligent questions without any attitude, we can be downright helpful. Almost too helpful; I started to reply to this thread several times and both times found that everyone else gave you the same advice I was going to.

            I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



            • #7
              Originally posted by Clp727
              If you're trying to discover a sniffer in your network, and you use a Unix based system, use the command ifconfig -a and look for PROMISC.
              From what I've known so far, if you see PROMISC after typing the command ifconfig -a, it only tells you that you have a sniffer running on YOUR SYSTEM, not on any other computers on your network (I thought it was, earlier). Unless you're the administrator of the network, having access to the root account on every computer in your network, then it's possible to check which computer in the network may be running a sniffer.

              Please let me know if there's any misconception, thanks.



              • #8
                Originally posted by 0oOOo0
                From what I've known so far, if you see PROMISC after typing the command ifconfig -a, it only tells you that you have a sniffer running on YOUR SYSTEM, not on any other computers on your network (I thought it was, earlier). Unless you're the administrator of the network, having access to the root account on every computer in your network, then it's possible to check which computer in the network may be running a sniffer.

                Please let me know if there's any misconception, thanks.
                Nope, you are correct. This just informs you that your local interface is running in promiscuous mode, thus accepting all packets coming to it on the wire, not just the ones intended for it. This also will NOT work on a network switch, unless ARP poisoning has occurred already.
                But there's plenty of hubs out there... (what a great idea that was, (hubs))
                The only constant in the universe is change itself



                • #9
                  Originally posted by 0oOOo0
                  From what I've known so far, if you see PROMISC after typing the command ifconfig -a, it only tells you that you have a sniffer running on YOUR SYSTEM, not on any other computers on your network (I thought it was, earlier). Unless you're the administrator of the network, having access to the root account on every computer in your network, then it's possible to check which computer in the network may be running a sniffer.

                  Please let me know if there's any misconception, thanks.
                  OK. Here is where I can get tedious and be a PITA (Pain in the Ass):

                  Just because you see "PROMISC" does not mean that you have a sniffer on your machine.
                  Just because you *don't* see "PROMISC" does not mean you do not have a sniffer on your machine.

                  I believe that if you chose to install the netatalk suite of Apple Filesharing tools that support EtherTalk/AppleTalk in addition to TCP/IP for Apple Filesharing, you may still see "PROMISC" on your interface because of what netatalk needs (or needed) to do with network traffic to make EtherTalk/AppleTalk work over ethernet WRT FileSharing and PrinterSharing.

                  You can use "ifconfig" to enable "PROMISC" even if you do not have a sniffer running on the box.

                  A common theme for rootkits that include sniffers is to alter the content ifconfig provides through altering PATH/making-a-wrapper/system-trojan/*, or provide an ifconfig that is modified to not show "PROMISC" even when it really has it.

                  There are also other methods to sniff on a machine even without the interface configured to show "PROMISC" when you run ifconfig.

                  This does not mean seeing "PROMISC" when running ifconfig is useless, but it is something that should not be equated to, "there is a sniffer here," and more importantly, not seeing "PROMISC" should not be equated to "There must NOT be a sniffer here."

                  There are tools that claim to be able to detect sniffers on networks, but IMO, the advantage to not being detected when using passive sniffing techniques favors the attacker. Active sniffing attacks are another story.
