Sniffing: The Nastiest, Sneakiest Security Problem

Updated: August 20, 2012

Network administrators use packet sniffers to diagnose network problems, but the technology can also provide a launchpad for insidious network incursions.

A packet sniffer is a software program or a hardware device that monitors the data traversing a network. Legitimate uses include troubleshooting network issues and testing firewalls. On the other hand, packet sniffers may be used to pull off targeted attacks.

In a common scenario, a packet sniffer is used to capture usernames and passwords, which can be used for further network exploits. Other bits of sensitive information may be captured as well.

Bad News

But packet sniffers may also be employed in concert with other malware tools.

"The use of packet sniffers as part of attacks has grown quite a bit over the past couple of years," said Kevin Prince, chief security officer at Perimeter eSecurity, a security SaaS (software as a service) provider based in Milford, Conn.

For example, an attacker can use a packet sniffer to make a backdoor program harder to detect.

"Traditionally, an attacker would load a backdoor program that allows them to control a system," Prince said. "However, the ports — or access points — to these devices can be detected with a port scanner or other similar system. Some attackers will use a packet sniffer in conjunction with a backdoor program so that those ports are always closed until the packet sniffer sees a particular sequence of traffic, and then it will launch the backdoor program to accept the attacker's connection."

This combination of tools provides "a very sneaky way for an attacker to keep a compromised system from being noticed," Prince said.

Combined attacks may take other forms. David Lawson, director of risk-management practice at Acumen Solutions Inc., said intruders may commence packet sniffing after deploying rootkits. He called that action the "first thing a hacker does after putting the remote control software on" a machine.

The SANS Institute, a Bethesda, Md.-based organization that provides security certification and training, published a paper suggesting that packet-sniffer exploits are relatively easy to achieve in nonswitched networks. Yet even organizations that have migrated from hubs to switches may still be subject to attack. A switch forwards each frame only to the port of the device it is addressed to, but man-in-the-middle attacks make eavesdropping possible in switched environments, the report noted.

ARP (Address Resolution Protocol) spoofing is among the common man-in-the-middle techniques, according to the SANS Institute.

Packet sniffers may be commercially available, but a number of popular tools are freely available on the Internet. Stephen Northcutt, president of the SANS Institute, said Wireshark (formerly Ethereal) is now "pretty much the tool of choice in freeware sniffing."

The SANS Institute's paper, meanwhile, pointed to dsniff as a tool for eavesdropping on usernames and passwords. But Northcutt noted that, since the paper's publication, many people use Cain for "ARP trickery" instead of dsniff.

Packet-Sniffing Protection

A packet sniffer may be installed by a malicious insider. As for external attacks, a common means of deployment is malware that is loaded when a user accesses a compromised Web site, Prince noted. Originally, email was used to try to lure users to an infected Web site. Other methods followed, such as chat and instant messaging, he added.

"We now see more sophisticated attacks including cross site scripting (XSS) attacks that redirect users or present links for users to simply click in what the user believes is a secure Web site," Prince said.

In order for a packet sniffer to work, the NIC (network interface card) must be configured in promiscuous mode.

"In this mode, the network card simply listens and records all of the traffic that passes on the network," Prince explained. "The normal operation of a workstation or server should not include the network card being in promiscuous mode."

So, detecting a packet sniffer becomes a matter of finding out if a network interface card is operating in promiscuous mode.

"Each operating system has a fairly simple method of determining if the NIC is in this mode, but that requires sitting down at each computer," Prince said.

Another method involves sending specially crafted ARP requests to each system and looking at the response types, he noted, adding that this approach usually takes a skilled network engineer to perform.
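On Linux, the per-host check Prince describes comes down to reading the interface flags: the kernel exposes them in `/sys/class/net/<iface>/flags` as a hex value, and `ip link show` prints the same state as a `PROMISC` token inside the angle-bracket flag list. The following is an added example, not code from the article; it checks both sources, so it can be run on a host or fed captured `ip link` output from elsewhere. The `IFF_PROMISC` bit value is the standard Linux constant; the sample `ip link` lines are constructed for the example.

```python
import os
import re

# Linux interface flag bit for promiscuous mode (from <linux/if.h>).
IFF_PROMISC = 0x100

# Matches the flag list in "ip link show" output, e.g.
#   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<iface>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")


def is_promisc(flags_value):
    """Return True if the numeric interface flags have the promiscuous bit set."""
    return bool(flags_value & IFF_PROMISC)


def parse_sysfs_flags(text):
    """Parse the contents of /sys/class/net/<iface>/flags (e.g. '0x1103\\n')."""
    return int(text.strip(), 16)


def promisc_from_ip_link(output):
    """Return the names of interfaces whose 'ip link show' flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("iface"))
    return found


def promisc_from_sysfs(sysfs_root="/sys/class/net"):
    """Return the names of interfaces in promiscuous mode according to sysfs.

    Returns an empty list on systems without /sys/class/net (non-Linux).
    """
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if is_promisc(parse_sysfs_flags(fh.read())):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return found


# Constructed "ip link show" output for the example; eth1 is the anomaly.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""


if __name__ == "__main__":
    print("sample ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this host (sysfs):", promisc_from_sysfs())
```

Because promiscuous mode on a workstation or server is abnormal, as Prince notes, an empty result is the expected baseline; the check is cheap enough to schedule and alert on from a configuration-management or monitoring agent rather than visiting each machine.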

The SANS Institute's paper, however, cites encryption as the most viable form of packet-sniffing protection. Encryption technologies such as IPsec and SSL VPN let organizations continue to use plain-text protocols, since IPsec encapsulates all data and encrypts it for network transport, according to the SANS Institute.
