Sniffing: The Nastiest, Sneakiest Security Problem

Updated: April 30, 2009

Network administrators use packet sniffers to diagnose network problems, but the technology can also provide a launchpad for insidious network incursions.

A packet sniffer is a software program or a hardware device that monitors the data traversing a network. Legitimate uses include troubleshooting network issues and testing firewalls. On the other hand, packet sniffers may be used to pull off targeted attacks.

In a common scenario, a packet sniffer is used to capture usernames and passwords, which can be used for further network exploits. Other bits of sensitive information may be captured as well.

Bad News

But packet sniffers may also be employed in concert with other malware tools.

"The use of packet sniffers as part of attacks has grown quite a bit over the past couple of years," said Kevin Prince, chief security officer at Perimeter eSecurity, a security SaaS (software as a service) provider based in Milford, Conn.

For example, an attacker can use a packet sniffer to make a backdoor program harder to detect.

"Traditionally, an attacker would load a backdoor program that allows them to control a system," Prince said. "However, the ports — or access points — to these devices can be detected with a port scanner or other similar system. Some attackers will use a packet sniffer in conjunction with a backdoor program so that those ports are always closed until the packet sniffer sees a particular sequence of traffic, and then it will launch the backdoor program to accept the attacker's connection."

This combination of tools provides "a very sneaky way for an attacker to keep a compromised system from being noticed," Prince said.

Combined attacks may take other forms. David Lawson, director of risk-management practice at Acumen Solutions Inc., said intruders may commence packet sniffing after deploying rootkits. He called that action the "first thing a hacker does after putting the remote control software on" a machine.

The SANS Institute, a Bethesda, Md.-based organization that provides security certification and training, published a paper suggesting that packet-sniffer exploits are relatively easy to achieve in nonswitched networks. Yet even organizations that have migrated from hubs to switches may still be subject to attack. Switches forward network traffic only to the port of the device it is intended for, but man-in-the-middle attacks make eavesdropping possible in switched environments, the report noted.

ARP (Address Resolution Protocol) spoofing is among the common man-in-the-middle techniques, according to the SANS Institute.
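From the defender's side, ARP spoofing in a switched network leaves a visible trace: the same IP address is suddenly answered for by a second MAC address, and the two claims often alternate while the attacker keeps re-poisoning caches. The following is an added example (not code from the article, SANS, or any tool it names) of an arpwatch-style detector. It assumes a monitor on the segment has already extracted the sender fields of ARP replies; the records, the `10.0.0.0/24` addresses and the MACs are constructed for illustration.

```python
"""ARP spoofing detector in the style of arpwatch (added example; not from the article).

Assumption: an ARP monitor on the segment has already extracted the sender
fields of ARP replies. Here those are constructed (timestamp, sender_ip,
sender_mac) records; in practice they would come from a capture tool.
"""
from collections import defaultdict

# Constructed sample. The gateway 10.0.0.1 legitimately answers from
# aa:bb:cc:00:00:01; from t=30 a second host starts claiming the gateway's
# IP with its own MAC, and the two then alternate (the "flapping" that
# cache poisoning produces while the attacker keeps re-sending replies).
SAMPLE_ARP_REPLIES = [
    (0,  "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (5,  "10.0.0.20", "aa:bb:cc:00:00:20"),
    (10, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (30, "10.0.0.1",  "aa:bb:cc:00:00:99"),
    (31, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (32, "10.0.0.1",  "aa:bb:cc:00:00:99"),
]

# Assumed trusted mapping for hosts whose MAC should never change (the gateway).
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return one alert per ARP reply that contradicts the current IP->MAC table.

    Entries in `trusted` are pinned: a contradicting claim is flagged as high
    severity and the pinned MAC is kept, so every spoofed reply is reported.
    Untrusted entries are learned on first sight and updated on change, so a
    MAC flip and the legitimate host's flip back both produce alerts.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = dict(trusted)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        current = table.get(ip)
        if current is None:
            table[ip] = mac  # first sighting: learn it
        elif current != mac:
            alerts.append({
                "time": ts, "ip": ip, "expected_mac": current, "seen_mac": mac,
                "severity": "high" if ip in trusted else "medium",
            })
            if ip not in trusted:
                table[ip] = mac
    return alerts


def contended_ips(replies):
    """IPs claimed by more than one MAC within the window: a cheap first-pass signal."""
    macs_by_ip = defaultdict(set)
    for _, ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    return sorted(ip for ip, macs in macs_by_ip.items() if len(macs) > 1)


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED):
        print(alert)
    print("contended:", contended_ips(SAMPLE_ARP_REPLIES))
```

Pinning the gateway and other critical hosts is what makes the detector useful in practice: without a trusted table it still sees the flip, but it also alerts on the legitimate host's reply, and on a busy segment the medium-severity noise is easy to tune out. Switch-side features such as dynamic ARP inspection address the same problem at the port.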

Packet sniffers may be commercially available, but a number of popular tools are freely available on the Internet. Stephen Northcutt, president of the SANS Institute, said Wireshark (formerly Ethereal) is now "pretty much the tool of choice in freeware sniffing."

The SANS Institute's paper, meanwhile, pointed to dsniff as a tool for eavesdropping on usernames and passwords. But Northcutt noted that, since the paper's publication, many people use Cain for "ARP trickery" instead of dsniff.

Packet-Sniffing Protection

A packet sniffer may be installed by a malicious insider. As for external attacks, a common means of deployment is malware that is loaded when a user accesses a compromised Web site, Prince noted. Originally, email was used to try to lure users to an infected Web site. Other methods followed, such as chat and instant messaging, he added.

"We now see more sophisticated attacks including cross-site scripting (XSS) attacks that redirect users or present links for users to simply click in what the user believes is a secure Web site," Prince said.

In order for a packet sniffer to work, the NIC (network interface card) must be configured in promiscuous mode.

"In this mode, the network card simply listens and records all of the traffic that passes on the network," Prince explained. "The normal operation of a workstation or server should not include the network card being in promiscuous mode."

So, detecting a packet sniffer becomes a matter of finding out if a network interface card is operating in promiscuous mode.

"Each operating system has a fairly simple method of determining if the NIC is in this mode, but that requires sitting down at each computer," Prince said.

Another method involves sending specially crafted ARP requests to each system and looking at the response types, he noted, adding that this approach usually takes a skilled network engineer to perform.
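The per-host check Prince describes is straightforward to script, and the Linux instance is shown below as an added example (not code from the article or from any vendor it quotes). It reads two signals the kernel actually exposes: the IFF_PROMISC bit (0x100) in `/sys/class/net/<iface>/flags` and the kernel log message `device <iface> entered promiscuous mode`. The parsing is separated from the file reads so it can run on constructed input; the interface names, flag values and log lines in the sample are constructed. The ARP-probe method from the paragraph above is not implemented here, since it needs raw-socket access and a live segment.

```python
"""Promiscuous-mode check for Linux hosts (added example; not from the article).

Two signals the kernel exposes are used: the IFF_PROMISC bit (0x100) in
/sys/class/net/<iface>/flags, and the kernel log message
"device <iface> entered promiscuous mode". Parsing is separated from the
file reads so the logic can be exercised on constructed input without root.
"""
import glob
import os
import re

IFF_PROMISC = 0x100  # interface flag bit, from <linux/if.h>


def is_promisc(flags_text):
    """Parse the hex string the sysfs flags file returns, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Given {iface: flags_text}, return the interfaces with IFF_PROMISC set."""
    return sorted(iface for iface, text in flags_by_iface.items() if is_promisc(text))


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Collect the flags file of every interface on a live Linux host."""
    result = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(path) as fh:
                result[os.path.basename(os.path.dirname(path))] = fh.read()
        except OSError:
            pass  # interface vanished or is unreadable; skip it
    return result


KMSG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_kernel_log(lines):
    """Replay 'entered'/'left' messages; return interfaces still in promiscuous mode."""
    state = {}
    for line in lines:
        m = KMSG_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "entered"
    return sorted(iface for iface, on in state.items() if on)


# Constructed sample inputs (same formats as the real sysfs file and kernel log).
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}
SAMPLE_KMSG = [
    "[  12.345678] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex",
    "[ 301.112233] device eth0 entered promiscuous mode",
    "[ 302.000000] device eth1 entered promiscuous mode",
    "[ 310.555555] device eth1 left promiscuous mode",
]

if __name__ == "__main__":
    live = read_sysfs_flags() if os.path.isdir("/sys/class/net") else SAMPLE_FLAGS
    print("promiscuous (sysfs):", promiscuous_interfaces(live))
    print("promiscuous (kernel log sample):", promisc_from_kernel_log(SAMPLE_KMSG))
```

Run from a configuration-management or endpoint agent, the same script turns the "sit down at each computer" check into a fleet-wide one. Checking the sysfs file rather than only `ifconfig` output matters: when a capture program enables promiscuity through a packet socket, the flags file and the kernel log record it, whereas `ifconfig` does not necessarily display PROMISC. Legitimate monitoring hosts, bridges and virtualization hosts run interfaces in promiscuous mode by design, so the result needs an allow list before it becomes an alert.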

The SANS Institute's paper, however, cites encryption as the most viable form of packet-sniffing protection. Encryption technologies such as IPsec and SSL VPN let organizations continue to use plain-text protocols, since IPsec encapsulates all data and encrypts it for network transport, according to the SANS Institute.
