This entry continues where Sniffing Networks Part 1 left off. If you didn’t read it, as long as you understand how switches work and why we have MAC addresses, you’ll be able to understand this entry.

The physical wire may talk in MAC addresses, but when’s the last time you typed a MAC address into a browser location bar? (You haven’t, except by accident, and certainly not expecting to get anywhere with it.) Computers talk in IP addresses, not MAC addresses, so how does the switch know which port to send a packet out of when it’s only given the IP address? The answer is the Address Resolution Protocol, or ARP. ARP maintains another table, the ARP table (or ARP cache), that lives in each router (and computer) and maps IP addresses to MAC addresses. Not only does each switch and router have an ARP table, each computer does as well (a system can have multiple interfaces, each with its own entries). You can look at your ARP table by typing arp -a in most operating systems. Below, I’ve included screenshots of arp -a in OS X (on a fairly large network), and Windows (on a “private” VMware network).

[Screenshot: OSX ARP table]

[Screenshot: Windows ARP]

As you can see, the information is presented differently on each system, but the fundamental information is the same: an IP address to MAC address mapping. The OSX screenshot has a lot of “ghost” entries because the network is more dynamic: the 192.168.0.0 network is the wireless interface (en2), and I had used the machine to provide “Internet sharing” over both of the Ethernet ports to a system that hadn’t yet had wireless configured on it. The “ghost” entries, the ones marked (incomplete), are laptops that come and go on the network (and they just happen to be off at the moment). Once I reboot this machine, that table will be fairly empty. It will very quickly fill up with the gateway and DNS entries, since those are accessed almost immediately. And if it’s a Windows network, it’ll start talking to all of the other machines and fill up pretty quickly. What does this mean for sniffing? This table is exactly what ARP spoofing manipulates.

In order for all of these tables to be built, ARP and RARP (Reverse ARP) packets are being sent over the network. When a machine needs to talk to another IP address, it has to find out what the MAC address is, so it broadcasts an ARP request saying “who has IP address X?”. Someone (hopefully the legitimate machine) replies “I have it”, along with its MAC address. If the machine is on another network, the router that knows how to get to that network will say “I have it” in place of that machine. The asking machine then dutifully stores that answer for future use, so it can be polite and not shout to the network again. Some machines send what’s called a gratuitous ARP when they boot, to let everyone else know they’re there; this happens a lot when a machine boots up, so that any stale MAC addresses for that IP are flushed out of the caches of the other machines on the network.

It’s the gratuitous ARP that sniffers take advantage of. They send out an unsolicited message that says, “Look! Here I am! This is my IP and MAC address.” All the other machines dutifully update their ARP tables and start sending packets destined for that IP address to the attacker’s sniffer instead. You can see where this leads.
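To make the “who has” / “I have it” exchange concrete, here is an added example (not code from the original post) that decodes raw Ethernet+ARP frames into the fields the two paragraphs above talk about and labels each one as a request, a reply, or a gratuitous announcement (sender IP equal to target IP). The three sample frames are constructed in memory for the demo, nothing is sent, and the addresses in them are made up. Note what the decoder cannot do: a gratuitous reply from a machine that just booted and one sent by a sniffer look identical on the wire, which is why detection has to track state over time rather than inspect single packets.

```python
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_from_str(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def ip_from_str(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))


@dataclass
class ArpRecord:
    opcode: int
    sender_mac: str   # "I have it": the MAC being advertised for sender_ip
    sender_ip: str
    target_mac: str
    target_ip: str    # "who has": the IP being asked about (in a request)
    eth_src: str
    eth_dst: str

    @property
    def kind(self) -> str:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        gratuitous = self.sender_ip == self.target_ip
        if self.opcode == ARP_REQUEST:
            return "gratuitous-request" if gratuitous else "request"
        if self.opcode == ARP_REPLY:
            return "gratuitous-reply" if gratuitous else "reply"
        return f"opcode-{self.opcode}"


def parse_arp_frame(frame: bytes) -> ArpRecord:
    """Decode one Ethernet frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpRecord(oper, mac_to_str(sha), ip_to_str(spa), mac_to_str(tha), ip_to_str(tpa),
                     mac_to_str(src), mac_to_str(dst))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Constructed sample frames for the demo only; requests are broadcast, replies go to the asker."""
    eth_dst = eth_dst or ("ff:ff:ff:ff:ff:ff" if opcode == ARP_REQUEST else target_mac)
    eth = ETH_HDR.pack(mac_from_str(eth_dst), mac_from_str(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode, mac_from_str(sender_mac), ip_from_str(sender_ip),
                       mac_from_str(target_mac), ip_from_str(target_ip))
    return eth + arp


# Constructed exchange: a host asks for the gateway, the gateway answers, and a
# third machine announces itself with a gratuitous reply when it boots.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:1c:b3:09:4a:2f", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
    build_arp_frame(ARP_REPLY,   "00:50:56:c0:00:08", "192.168.0.1",  "00:1c:b3:09:4a:2f", "192.168.0.10"),
    build_arp_frame(ARP_REPLY,   "00:1e:c2:07:08:09", "192.168.0.25", "ff:ff:ff:ff:ff:ff", "192.168.0.25"),
]


def classify_frames(frames) -> list:
    return [parse_arp_frame(f).kind for f in frames]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        r = parse_arp_frame(f)
        print(f"{r.kind:17} {r.sender_ip} is-at {r.sender_mac} (target {r.target_ip})")
```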

How do you detect ARP spoofing? Watching the ARP table for changes is a start. Both arpwatch for Unix and XArp v2 for Windows will notify you when an ARP table entry changes. However, there are legitimate uses for ARP spoofing. You know when you go to a hotel and you’re redirected to a login/payment page? That’s likely using ARP spoofing. So your watcher would notify you, and it’d be a false alarm. ARP spoofing is also used in high availability computing so that one machine can “take over” for another when needed.
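The arp -a output shown earlier differs between OS X and Windows but carries the same IP-to-MAC mapping, and the paragraph above says the detection starting point is watching that mapping for changes. The following added example (not the original post’s code, and not arpwatch or XArp) parses both output layouts into one normalized table and diffs two snapshots, with an allow-list of MAC pairs that are permitted to swap (the high-availability case mentioned above) so those changes are reported as expected rather than as alarms. All snapshots and addresses are constructed for the demo.

```python
import re

# One regex covers both layouts: an IPv4 address followed, later on the same
# line, by a MAC in either colon (OS X/Unix) or dash (Windows) notation.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>\b[0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5}\b)",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """OS X prints 0:1c:b3:9:4a:2f, Windows 00-1c-b3-09-4a-2f; make them comparable."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def parse_arp_a(text: str) -> dict:
    """Return {ip: mac} from `arp -a` output. Lines without a MAC, such as OS X's
    '(incomplete)' ghosts and Windows' 'Interface:' headers, are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table


def diff_tables(before: dict, after: dict, allowed=None) -> list:
    """Report every IP whose MAC changed between two snapshots.

    `allowed` maps an IP to the set of MACs that may legitimately claim it
    (e.g. an HA pair); a flip inside that set is 'expected', anything else is
    an ALERT. Entries that appear or disappear are normal churn and ignored."""
    allowed = allowed or {}
    findings = []
    for ip, new_mac in after.items():
        old_mac = before.get(ip)
        if old_mac is None or old_mac == new_mac:
            continue
        expected = {old_mac, new_mac} <= allowed.get(ip, set())
        findings.append((ip, old_mac, new_mac, "expected" if expected else "ALERT"))
    return findings


# Constructed snapshots in OS X `arp -a` layout, taken a few minutes apart.
OSX_BEFORE = """\
? (192.168.0.1) at 0:50:56:c0:0:8 on en2 ifscope [ethernet]
? (192.168.0.2) at 0:11:22:33:44:1 on en2 ifscope [ethernet]
? (192.168.0.10) at 0:1c:b3:9:4a:2f on en2 ifscope [ethernet]
? (192.168.0.25) at (incomplete) on en2 ifscope [ethernet]
"""
OSX_AFTER = """\
? (192.168.0.1) at 0:c:29:aa:bb:cc on en2 ifscope [ethernet]
? (192.168.0.2) at 0:11:22:33:44:2 on en2 ifscope [ethernet]
? (192.168.0.10) at 0:1c:b3:9:4a:2f on en2 ifscope [ethernet]
? (192.168.0.25) at 0:1e:c2:7:8:9 on en2 ifscope [ethernet]
"""
# Constructed snapshot in Windows `arp -a` layout, to show the same parser handles it.
WINDOWS_SAMPLE = """\
Interface: 192.168.132.1 --- 0x3
  Internet Address      Physical Address      Type
  192.168.132.254       00-50-56-f0-9a-1b     dynamic
  192.168.132.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Assumed HA pair: either of these MACs may own 192.168.0.2 at any time.
HA_PAIRS = {"192.168.0.2": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def run_demo() -> list:
    return diff_tables(parse_arp_a(OSX_BEFORE), parse_arp_a(OSX_AFTER), HA_PAIRS)


if __name__ == "__main__":
    for ip, old, new, verdict in run_demo():
        print(f"{verdict:8} {ip}: {old} -> {new}")
```

The gateway’s change from one MAC to an entirely different vendor prefix is the case that deserves a look; the 192.168.0.2 flip is inside its allowed pair and would otherwise have been the kind of false alarm the paragraph above warns about.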

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

This entry was posted on Thursday, March 5th, 2009 at 5:50 am by Laura Raderman and is filed under Technology & Tool Thursday.


A sniffer, also referred to as a network analyzer, is a piece of software that captures network traffic, decodes it, and presents the packet information so that a network administrator can use it to diagnose problems on the network. But because these tools are so powerful, they also give leverage to those of the black hat world by allowing them to pull plain text information off the network as well (usernames, passwords, unencrypted emails, instant message chat, etc.).

Some of the more “legitimate” uses for a sniffer fall to the network administrators. They can be used to probe the network for bandwidth usage, helping pinpoint which individual machines may be running malware or simply have wrong network settings. Sniffers are also a practical defense, helping find intrusion attempts by detecting inappropriate traffic. If you’re ever going to be in a role where you need to ensure your network is protected, you would do well to learn how to use a sniffer. I recommend Wireshark (formerly known as Ethereal); it’s free (as in beer) and well supported with great documentation. Other alternatives are NAI Sniffer (commercial), TCPDump (*nix), WinDump (Win32), Cain & Abel, Dsniff, and Ettercap (the last three are more specialized for password extraction but can still be used to test your applications or network protocols).

Sniffers can also be used to bypass security. Many application protocols pass credentials in plain text or use weak encryption that is easy for a sniffer to decode. Common examples of insecure protocols are FTP, Telnet, POP3, SMTP, and HTTP Basic Authentication. Their secured/encrypted counterparts should be used instead: SFTP, SSH, HTTPS (SSL).

One of the most common hacks, other than password sniffing, that sniffers are used for is probably ARP Spoofing / ARP Poisoning. ARP (Address Resolution Protocol) lets hosts on the network translate IP addresses into MAC addresses. Essentially, when one host using IP on the LAN is trying to contact another, it needs the MAC address of the host it is trying to contact. It first looks in its ARP cache to see if it already knows the MAC address. Otherwise, it sends out an ARP request (asking who has the IP).

To view your ARP cache:
  • Windows command line: "arp -a"
  • Linux command line: "ip neigh show"

In shared-medium networks like a wired hub or 802.11b wireless, all traffic can be seen by any host whose NIC is in promiscuous mode, but not on a switched network. A switch looks at the frames sent to it and forwards each one only to the intended recipient, based on the destination MAC. This helps secure the network by only sending packets where they need to go. Of course, I wouldn’t mention this if there weren’t some sort of way around it. Programs like Arpspoof (part of the Dsniff package), Ettercap, or Cain & Abel can fool the network into thinking that your machine has the IP it is looking for, so that the other hosts’ traffic is funneled through you.

So, even with a switched network, it’s not too difficult for an attacker to simply boot up their BackTrack CD, do some ARP spoofing with Dsniff or Ettercap, and redirect traffic through them for the purpose of sniffing.

[Diagram: ARP Spoofing]

So how can one help ensure their network doesn’t fall to these attacks?

  • Avoid using insecure protocols like Basic HTTP Authentication and Telnet. Make it a practice to sniff your own network to see what information is being passed and ensure you’re not already sending sensitive information across the network.
  • If you do have to use an insecure protocol, tunnel it through a secure channel (SSH, SSL, etc.).
  • Look into using static ARP tables between critical workstations and servers. Although a pain to maintain, they do limit the chances of ARP spoofing.
  • Run software like ARPWatch to detect changes in MAC addresses on the network.
  • Try running tools that can detect if a NIC is in promiscuous mode, which could be a sign of sniffing (Sniffdet and Sentinel are common tools).
  • All mobile or guest access points should use a VPN to connect to the network.
  • Better yet, keep public terminals on a separate LAN from workstations and servers.
  • Lock down workstations so that users can’t install sniffing software or boot from live CDs (BackTrack, Knoppix, etc.).
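The ARPWatch item above, and the description of traffic being funneled through a spoofing host, both come down to the same detection idea: keep state across ARP packets instead of judging each one alone. The following added example (my own illustration, not ARPWatch’s code or anything from the original post) watches a stream of already-decoded ARP packets and raises three kinds of findings: a reply that no recent request asked for, an IP whose MAC binding changes, and one MAC that claims both the gateway and another host, which is what a machine sitting in the middle of a victim’s traffic looks like. The packet stream, the addresses, and the 2-second reply window are all constructed or assumed for the demo.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
REPLY_WINDOW = 2.0   # seconds a reply may lag the request it answers (assumed value)


class ArpStreamMonitor:
    """Stateful checks over a stream of ARP packets, in the spirit of ARPWatch."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings = {}                # ip -> mac last seen claiming it
        self.pending = {}                 # ip being asked for -> time of the latest request
        self.claims = defaultdict(set)    # mac -> every ip it has claimed
        self.reported = set()             # macs already flagged for the gateway+host pattern
        self.findings = []                # (time, level, message)

    def observe(self, t: float, opcode: int, sender_mac: str, sender_ip: str, target_ip: str):
        if opcode == ARP_REQUEST:
            self.pending[target_ip] = t
        elif opcode == ARP_REPLY:
            asked_at = self.pending.pop(sender_ip, None)
            if asked_at is None or t - asked_at > REPLY_WINDOW:
                # A gratuitous announcement (sender == target) is normal at boot;
                # a reply nobody asked for that is aimed at another host is not.
                level = "info" if sender_ip == target_ip else "warn"
                self.findings.append((t, level, f"unsolicited reply: {sender_ip} is-at {sender_mac}"))
        if sender_ip != "0.0.0.0":        # DHCP probes carry no usable sender binding
            self._learn(t, sender_ip, sender_mac)

    def _learn(self, t: float, ip: str, mac: str):
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.findings.append((t, "ALERT", f"{ip} changed from {old} to {mac}"))
        self.bindings[ip] = mac
        self.claims[mac].add(ip)
        hosts = self.claims[mac] - {self.gateway_ip}
        if self.gateway_ip in self.claims[mac] and hosts and mac not in self.reported:
            self.reported.add(mac)
            self.findings.append((t, "ALERT",
                                  f"{mac} claims the gateway {self.gateway_ip} and host(s) {sorted(hosts)}"))


# Constructed packet stream: (time, opcode, sender_mac, sender_ip, target_ip).
# A host resolves the gateway normally, then a third MAC starts answering for
# both the gateway and the host, and later a new machine announces itself.
SAMPLE_STREAM = [
    (0.0,  ARP_REQUEST, "00:1c:b3:09:4a:2f", "192.168.0.10", "192.168.0.1"),
    (0.1,  ARP_REPLY,   "00:50:56:c0:00:08", "192.168.0.1",  "192.168.0.10"),
    (5.0,  ARP_REPLY,   "00:0c:29:aa:bb:cc", "192.168.0.1",  "192.168.0.10"),
    (5.1,  ARP_REPLY,   "00:0c:29:aa:bb:cc", "192.168.0.10", "192.168.0.1"),
    (30.0, ARP_REPLY,   "00:1e:c2:07:08:09", "192.168.0.25", "192.168.0.25"),
]


def run_demo() -> list:
    mon = ArpStreamMonitor(gateway_ip="192.168.0.1")
    for pkt in SAMPLE_STREAM:
        mon.observe(*pkt)
    return mon.findings


if __name__ == "__main__":
    for t, level, msg in run_demo():
        print(f"t={t:5.1f} {level:5} {msg}")
```

The last packet shows the false-alarm problem from the other direction: a machine announcing itself at boot is reported at “info” level only, because its binding is new rather than changed, while the gateway flip and the single MAC claiming both ends of a conversation are the findings worth paging someone for.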


This entry was posted on Thursday, December 18th, 2008 at 2:00 am by Tim Donaworth and is filed under Technology & Tool Thursday.