Some Sniffer information http://www.chinaunix.net Author: robbery flower Yung Posted: 2002-12-10 18:23:47
I will see some of my friends who know what I know. Sniffer FAQ (FAQ) Release Date: 2000-1-15 Content: --------------------------------- ----------------------------------------------- by backend < Backend@ndionline.org> http://www.nsfocus.com/ This article is a Snifer FAQ released a few years ago. Although the techniques involved inside may be relatively old, they can still be used as entry-level documents. I hope that this SNIFFER FAQ can help administrators have a clearer understanding of the online monitoring and solution. Sniffer has become one of the most common host intrusion on the Internet today. In the Green Alliance Network Security Monthly, I will also introduce Sniffer, Sniffer's King -nti-Sniffer and Anti-Snifer of Anti-Sniffer, Anti Anti-Sniffer. If you are interested in this, please contact me if you have any good information or suggestions. FAQ catalog: * What is Sniffer and its working principle * Where can you get Sniffer * How to monitor the host is eavesdropping (Sniffe) * blocks Sniffer O active hub o encryption O Kerberos O primary password technology O non-mixed mode network interface equipment --- -------------------------------------------------- -------------------------- What is Sniffer and its working principle Unlike telephone circuits, computer networks are shared communication channels. Switches / hubs supporting each pair of communication computer exclusive channels are still too expensive. Sharing means that the computer can receive information sent to other computers. The data information captured in the network is called Sniffing. Ethernet is the most widely used computer networking mode. The Ethernet protocol is to send packet information to all hosts on the same time. The data clamp contains the correct address of the target host. Under normal circumstances, only hosts with this address will accept this packet. If a host can receive all packets without rating the data cladding content, this method is often referred to as a "mixed" mode. Since the account and password information are transmitted in the Ethernet in a normal network environment, once the intruder gets the ROOT permission of one of the hosts, and placing it in a mixed mode to eavegance network data, it is possible to invade All computers in the network. -------------------------------------------------- ---------------- What can get Sniffer Sniffer is one of the most common intrusion methods of hackers. For example, esniff.c is a small tool that runs in the Sunos platform, capturing the first 300-byte content of all Telnet, FTP, and RLOING sessions. This procedure developed by Phrack has become one of the most widely used tools in hackers. You can run Esniff.c in the allowed network to understand how it effectively endangers local machine security. Here are some Sniffer tools that are also widely used to debug network failures: * Etherfind on sunos * Snoop on Solaris 2.x and sunos * Tcpdump * Packetman, Interman, Etherman, loadman commercial SNIFFER: * NetWork general. NetWork general has developed more Products.
The most important thing is Expert Sniffer, but it is not only SNIFF, but also can send / receive data packets through high-performance specialized systems to help diagnose faults. There is also an enhanced product "Distrbute Sniffer System" to bring the UNIX workstation as the Sniffer console, and distribute the Sniffer Agents to the remote host. * Microsoft's Net Monitor For certain commercial sites, you may need to run multiple protocols --NetBeui, IPX / SPX, TCP / IP, 802.3, and SNA. It is difficult to find a Sniffer to help solve the network problem because many SNIFFERs tend to packet some correct protocol data to an error packet. Microsoft's NET Monitor (used for BloodHound) can solve this problem. It is able to correctly distinguish unique packets such as NetWare control packets, NT NetBIOS name service broadcasts. (EtherFind onlys these data packets identifies the broadcast packets of the type 0000.) This tool runs on the MS Windows platform. It can even perform network statistics and session information monitoring by MAC address (or hostname). Simply click on a session to get the output of the TCPDUMP standard. Filter settings are also the most simpler, as long as you click on the host you need to monitor in a dialog box. -------------------------------------------------- ------------------ How to monitor the host is eating (Snifed) To monitor only the data that only acquires data without responding to any information, you need to carefully check all physical connections on Ethernet one by one. . It is impossible to send packets or ping remotely to check if the computer is eavesdropping. Sniffer on a host will place the network interface as a mixed mode to receive all packets. For some UNIX systems, the network interface of the mixed mode is monitored. Although Sniffer can be run in non-mixed mode, this will only capture the opportunity. Intruders may also capture sessions in programs such as SH, Telnet, Rlogin, In.Telnetd, and record user operations into other files. These may be easily discovered by monitoring TTY and KMEM. Only Sniffing in mixed mode can capture all sessions in the Ethernet, and other modes can only capture this opportunity. For SunOS, NetBSD, and other BSD UNIX systems, as follows: "ifconfig -a" displays all network interface information and whether it is in mixed mode. Dec OSF / 1 and IRIX are required to specify the device.
To find what network interface in the system, you can run the following command: # netstat -r routing tables Internet: Destination Gateway Flags Refs Use interface default ISS.NET UG 1 24949 Le0 localhost localhost UH 2 83 LOCALHOST UH 2 83 LO0 then check each network with the following command Interface: #ifconfig le0 le0: flags = 8863 inet 127.0.0.1 Netmask 0xffffff00 Broadcast 255.0.0.1 Intruder often replaces ifconfig, etc., so that you must check the check value of the command program. At ftp.cert.org:/pub/tools/, the CPM program (SunOS platform) can check if the interface has a mixed mode tag. For Ultrix systems, use the pfstat and pfconfig commands, it is also possible to monitor whether there is a SNIFFER run. Pfconfig Specifies who has permission to run Sniffer. PFSTAT Displays if the network interface is in a mixed mode. These commands are only valid when Sniffer is linked to the kernel. In the default, Sniffer is not link with the kernel. Most UNIX systems, such as IRIX, Solaris, SCO, etc., there is no tag to indicate whether it is in a mixed mode, so intruders can eavesdrop the entire network and cannot monitor it. Usually a Sniffer record file will quickly increase and fill the file space. In a large network, SNIFFER significantly aggravates the machine load. These warning messages are often able to help administrators find Sniffer. It is recommended to search for programs and record files for accessing packet devices such as SunOS / dev / nit) using the LSOF program. -------------------------------------------------- ---------------- Block the Sniffer active hub only sends a packet to the target address host, so that the mixed mode Sniffer failed. It applies only to 10BASE-T Ethernet. (Note: This is now disappearing in the computer market.) Only two manufacturers have produced active hub: * 3COM * HP As the switch costs and prices have decreased significantly, the switch has become very effective to make Sniffer failure. equipment. At present, the most common switches are forwarded according to the packet target address in the third layer (network layers), and the broadcast mode of the hub is not taken, so that the Sniffer has lost the land. -------------------------------------------------- ---------------- Encryption There are currently many packages available to encrypt connections, so that the intruder even if the data is captured, but cannot decrypt the data and lose the meaning of eavesdropping. The following is some of the previously used software packages * deESLogin coast.cs.purdue.edu:/pub/tools/unix/dEslogin. * Swipe ftp.csua.berkeley.edu:/pub/cypunks/swipe/ NetLock ---- -------------------------------------------------- ----------- Kerberos Kerberos is a software package for the access information in the encrypted network.
Its disadvantage is that all account information is stored in a host. If the host is invaded, it will endanger the entire network security. Also configure it is not a simple thing. Kerberos includes streaming rlogind and stream encryption Telnetd, which prevents the invader from being operated by the user after the login is completed. Kerberos FAQ can be obtained from the FTP site rtfm.mit.edu: /pub/usnet/comp.protocols/kerberos/kerberos_users__frequently_asked_questions_1.11 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------- Like other disposable communication technologies, Key and other disposable communication make the eavesdropping account information loses meaning. The principle of S / Key is that the remote host has got a password (this password will not be transmitted in an unsafe network), and when the user is connected, a "challenge" message is obtained, the user will pass this information and password The algorithm operation produces the correct "response" information (if the communication between the communication is correct). This verification method does not need to transfer passwords in the network, and the same "challenge / response" will not appear twice. S / KEY can get from the following URL: ftp: //thumper.bellcore.com/pub/nmh/skey has a one-time password technology is an ID card system. Each authorized user has an ID card that generates digital numbers for accessing their respective accounts. If you don't have this ID card, it is impossible to guess this digital number.
The following is a company information providing such solutions: Secure Net Key (SNK) Digital Pathway, Inc.201 Ravendale Dr. MountainView, CA.97703-5216 USAPHONE: 415-964-0707 Fax: (415) 961-7487Secure Idsecurity Dynamics , One Alewife CenterCambridge, MA 02140-2312USA Phone: 617-547-7820Fax: (617) 354-8836Secure ID uses time slots as authenication rather than challenge / response.ArKey and OneTime PassManagement AnalyticsPO Box 1480Hudson, OH 44236Email: fc @ all. netTel: US 216-686-0090 Fax: US 216-686-0092WatchWord and watchWord IIRacal-Guardata480 Spring Park PlaceHerndon, VA 22070703-471-08921-800-521-6261 ext 217CRYPTOCardArnold Consulting, Inc.2530 Targhee Street, Madison , Wisconsin53711-5491 USAPhone: 608-278-7700 Fax: 608-278-7701Email: Stephen.L.Arnold@Arnold.ComCRYPTOCard is a modern, SecureID-sized, SNK-compatible device.SafeWordEnigma Logic, Inc.2151 Salvio # 301Concord, CA 94520510-827-5707 Fax: (510) 827-2593for Information About enigma ftp to: ftp.netcom.com in Directory / Pub / Sa / SafewordSecure Computing Corporation: 2675 LON G Lake Roadroseville, Mn 55113TEL: (612) 628-2700FAX: (612) 628-2701Debernar@sctc.com -------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------- Non-mixed mode network interface equipment, most IBM DOS Both the compatible machine network card does not support mixed mode, so you cannot perform SNIFFING. But DOS has exited the computer network stage. For network interface devices in the current computer market, please query the supplier is a non-mixed mode device (ie, no mixed mode).
<< Finished >> ---------------------------------- Data Source: Internet Security Systems, Inc. ------------------------------------- Linux environment hacker common sniffer analysis release Date: 2001- 8-23 Content: --------------------------------------------- ----------------------------------- author: <> source: http: //Linuxaid.com.cn -------------------------------------------------- ----------------------------- Overview This article provides a detailed analysis of several sniffeners that hackers in the Linux environment. These sniffers are often cultivated in the victim server after the invader is completed. These sniffers have different characteristics, and some are simply used to capture user names and passwords, and some are very powerful to record all network data streams. This article will be analyzed in the following sieves: * Linsniffer * LinuxSnifer * hunt * Sniffitlinsnifferlinsniffer is a simple and practical sniffer. Its main features are used to capture username and password, which is very good in this regard. Author: Mike Edulla conditions: C header files and IP configuration file: None Location: http://agape.trilidun.org/hack/network-sniffers/linsnifferc Security History: None Notes: Easy to use. However, LNSniffe needs full IP header files, including headers that are often stored in / usr / include / net, and / usr / include / netinet, make sure the PATH variable contains / usr / include. Use the following command to compile lnsniffer: $ cc linsniffer.c -o linsniffer To run Linsniffer, use the following command: $ linsnifer starts later Linsniffer to create an empty file: tcp.log to store sniff results. In the test I created a user named Hapless, the password is Unaaware. Then use the user to log in to the Linux server and make some common user operations.
Here is an FTP process: GNS $ ftp 192.168.0.2connected to 192.168.0.2.220 Linux.test.net FTP Server WED AUG 19 02:55:52 mst 199 Ready.Name (192.168.0.2: ROOT): hapless331 Password required for hapless.Password: 230 User hapless logged in.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls -al200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls.total 14drwxrwxr- X 4 Hapless Hapless 1024 May 20 19:35 .drwxr-xr-x 6 Root Root 1024 May 20 19:28 ..- RW-RW-R - 1 Hapless Hapless 96 May 20 19:56 .bash_history-rw-r --R - 1 hapless hapless 49 Nov 25 1997.bash_logout-rw-r - r - 1 hapless hapless 913 NOV 24 1997.bashrc-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc -rw-r - r - r - 1 hapless hapless 111 NOV 3 1997.Nputrc-rwxr-xr-x 1 hapless hapless 186 Sep1 1998 .Kshrc-rw-r - r - 1 hapless hapless 392 Jan 7 1998. Login-rw-r - r - 1 hapless hapless 51 NOV 25 1997.logout-rw-r - r - 1 hapless hapless 341 oct 13 1997.profile-rwxr-xr-x 1 hapless hapless 182 Sep 1 1998 .pro File.kshdrwxr-xr-x 2 hapless hapless 1024 May 14 12:16 .seyondrwxr-xr-x 3 hapless hapless 1024 May 14 12:15 lg226 Transfer completion.ftp>
LS200 Port Command Successful.150 Opening Ascii Mode Data Connection for /bin/ls.total 14drwxrwxr-x 4 Shanghai: 324 May 20 19:35 .drwxr-XR-x 6 Root Root 1024 May 20 19:28 ..- rw- RW-r - 1 Hapless Hapless 96 May 20 19:56.bash_history-rw-r - r - r - 1 hapless hapless 49 nov 25 1997.bash_logout-rw-r - r - 1 hapless hapless 913 Nov 24 1997 .bashrc-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc-rw-r - r - 1 hapless hapless 111 NOV 3 1997 .inputess-rwxr-xr-x 1 hapless hapless 186 Sep 1 1998.Kshrc-rw-r - r - 1 hapless hapless 392 Jan 7 1998.login-rw-r - r - 1 hapless hapless 51 NOV 25 1997.logout-rw-r - r - 1 hapless Hapless 341 Oct 13 1997.profile-rwxr-xr-x 1 hapless hapless 182 Sep 1 1998 .profile.kshdrwr-xr-x 2 hapless hapless 1024 May 14 12:16 .seyondrwxr-xr-x 3 hapless hapless 1024 May 14 12 : 15 LG226 Transfer Commmand Successful.150 Opening Ascii Mode Data Connection for /bin/ls.total 14drwxrwr-x 4 Hapless Hapless 1024 May 20 19:35 ./drwxr-xr-x 6 root roo T 1024 May 20 19:28 ../rw-rw-r - 1 hapless hapless 96 May 20 19:56 .bash_history-rw-r - r - rw - 1 hapless hapless 49 nov 25 1997.bash_logout-rw-r --R - 1 Hapless Hapless 913 Nov 24 1997.bashrc-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc-rw-r - r - 1 hapless hapless 111 NOV 3 1997.inputrc -RWXR-XR-X 1 Hapless Hapless 186 Sep 1 1998.Kshrc * -rw-r - r - 1 hapless hapless 392 Jan 7 1998.login-rw-r - r - 1 hapless hapless 51 nov 25 1997 .logout-rw-r - r - 1 hapless hapless 341 Oct 13 1997.profile-rwxr-xr-x 1 hapless hapless 182 Sep 1 1998.profile.ksh * drwxr-xr-x 2 hapless hapless 1024 May 14 12 : 16.seyon / drwxr-xr-x 3 Hapless Hapless 1024 May 14 12:15 LG / 226 Transfer Complete.ftp> CD LG250 CWD Command Successful.FTP>
LS -F200 Port Command Successful.150 Opening Ascii Mode Data Connection for /bin/ls.total 8DRWXR-XR-X 3 Shanghai Plum 4024 May 14 12:15 ./drwxrwr-x 4 hapless hapless 1024 May 20 19:35 .. / rw-r - r - 1 hapless hapless 70 aug 22 1998 LG3_COLORS-RW-R - R - 1 hapless hapless 629 aug 22 1998 LG3_PREFS-RW-R - R - 1 hapless hapless 728 aug 22 1998 lg3_soundPref-rw-r -. r-- 1 hapless hapless 2024 Aug 22 1998 lg3_startupdrwxr-xr-x 2 hapless hapless 1024 May 14 12:15 lg_layouts / 226 Transfer complete.ftp> cd lg_layouts250 CWD command successful this is a typical User operation process. Now let's take a look at the sniffing results generated by Linsnifer: GNSS => Linux.test.net [21] User ShanghaiSsPass UnsareStport 172, 16, 0, 1, 4, 192List -Alport 172, 16, 0, 1, 4, 193listport 172, 16 0, 1, 4, 194List -FCWD LGPORT 172, 16, 0, 1, 4, 195LIST -F output content is intuitive. First it records this is an FTP connection from GNSS to Linux host: gnss => Linux.test.net [21] Then, Linsniffer captures the Hapless username and password. User haplesspass unaaware, LINSNIFFER records each command used by hapless: SYSTPORT 172, 16, 0, 1, 4, 192List -Alport 172, 16, 0, 1, 4, 193Listport 172, 16, 0, 1, 4, 194List -FCWD LGPORT 172, 16, 0, 1, 4, 195LIST -F output results are very short and very suitable for eavesdropping passwords and recording common activities. However, it is not suitable for more complex analysis. At this time you may need Linux_snife. Linux_snifferlinux_sniffer provides relatively more complex probing results. Author: loq requirements: C header files and IP configuration file: No Download Location: http://www.ryanspc.com/sniffers/linux_sniffer.c Security History: None Note: linux_sniffer easy to use, but requires a complete IP header .
Use the following command to compile linux_sniffer: $ cc linux_sniffer.c -o linuxsniff Here is a telnet session, and was linux_sniffer record: GNSS 2 # telnet 192.168.0.1Connected to 192.168.0.1.login: haplesspassword: [hapless @ linux2 hapless] $ W19: 55: 29 Up 58 min, 4 Uses, Load average: 0.00, 0.00, 0.00User Tty from login @ iDLE JCPU PCPU WHATROOT TTY1 7:44 PM 27.00S 0.17S 0.06s -bashroot Tty2 7:46 PM 1:56 0.24S 0.01s LinuxsniffRoot TTY3 7:44 PM 10:43 0.17S 0.07S -Bashhapless TTYP0 GNSS 7:55 PM 1.00S 0.26S 0.04s W [hapless @ Linux2 Shanghai Whoroot TTY1 May 20 19: 440 TTY2 May 20 19: 46Root Tty3 May 20 19: 44Hapless TTYP0 May 20 19:55 (GNSS) [hapless @ Linux2 hapless] $ finger -llin: root name: rootdirectory: / root shell: / bin / bashon since thu May 20 19:44 (PDT) on TTY1 35 Seconds Idleon Since Thu May 20 19:46 (PDT) on TTY2 2 Minutes 4 Seconds Idleon Since The May 20 19:44 (PDT) on TTY3 10 Minutes 51 Seconds Idleno Mail.no Plan.login: Hapless Name: Caldera OpenLinux UserDirectory: / home / hapless shell: / bin / Bashon Since Thu May 20 19:55 (PDT) ON TT YP0 from gnssno mail.no plan. A typical login process: user login, detect which users are logging in, etc. Linux_sniffer records additional address data, but some important data is recorded.
First it recorded: Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 ff fc 27 -. 'Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 ff fa 1f 00 50 00 28 FF - F0 .... P. (. Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168. 0.2 [23] 0000 FF FA 20 00 33 38 34 30 - 30 2C 33 38 34 30 30 Ff ..38400, 38400.0010 F0 FA 23 00 47 4E 53 - 53 3A 30 2E 30 FF F0 FF ... #. GNSS: 0.0 ... 0020 FA 18 00 49 52 49 53 2D - 41 4E 53 49 2D 4E 45 54 ... Iris-ANSI-NET0030 FF F0 -.. Ethproto: 080008: 00: 07: 3E: DB -> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 ff fc 01 - ... Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 FF FD 01 - ... Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Subsequently, Linux_sniffer recorded the login process, with black body below: Ethproto: 080008: 00: 69: 07: 3E: DB- > 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 68 - HethPROTO: 08 0008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 61 - AethProto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 70 - Pethproto: 080008: 00: 69: 07: 3E: DB -> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168. 0.2 [23] 0000 6C - LetHPROTO: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008 : 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] ->
192.168.0.2 [23] 0000 65 - EethProto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 73 - Sethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 73 - Sethproto: 080008: 00: 69: 07: 3E: DB-> 00: EH: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 0d 00 - .. etproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23 ] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 75 - UethProto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 6E - NethPROTO: 080008: 00: 69: 07: 3E: DB -> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 61 - AethProto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29 : 19 : 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 77 - Wethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 61 - AethProto: 080008: 00: 69: 07: 3E: DB -> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168. 0.2 [23] 0000 72 - Rethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 65 EethProto: 080008: 00: 69: 07: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Finally, Linux_sniffer recorded all commands: Ethproto : 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E : db-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] ->
192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 77 - Wethproto: 080008: 00: 69: 07: 3E : db-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 0d 00 - .. etproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168 .0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 77 - WethProto: 080008: 00: 69: 07: EH: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 68 - HethPROTO: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.16 8.0.2 [23] 0000 6F - OethProto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto : 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 0d 00 - .. etproto: 080008: 00 : 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: EH: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 66 - FethPROTO: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] ->
192.168.0.2 [23] 0000 69 - IethPROTO: 080008: 00: 69: 07: 3E: DB -> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto : 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 6E - NethPROTO: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 67 - gethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 65 - Eethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Ethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 72 - Rethproto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] can be seen, Linux_sniffer provides relatively more Detailed content. Hunthunt is another option in which you need to read the resulting room. It has an intuitive command tracking and session registration function. Author: Pavel Krauz conditions: C, IP header, Linux 2.0.35 , LinuxThreads support of GlibC 2.0.7 configuration file: None Location: http: //www.cri.cz/kra/index.html Security History: None Notes : The author provides a binary release with dynamic links and static connections. Hunt is released in Tar.GZ format, the file name is hunt-1_3bin.tgz.
First, you need to decompress: $ TAR XVFZ hunt-1_3bin.tgz The hunt is uncompressed to the newly created directory hunt-1.3 species, including the following: -rw-r - r - 1 206 Users 1616 APR 2 03:54 Changes-rw-r - r - 1 206 users 17983 OCT 25 1998 COPYING-RW-R - R - R - 1 206 USERS 312 JAN 16 04:54 Install-RW-R - R - 1 206 Users 727 Feb 21 11:22 Makefile-RW-R - R - 1 206 Users 27373 Feb 15 12:44 Readme-RW-R - R - R - 1 206 USERS 167 DEC 4 14:29 TODO-RW-R - R - 1 206 User $ 5067 Feb 13 04:23 AddPolicy.c-rw-r - r - 1 206 Users 7141 Feb 21 23:44 Arphijack.c-rw-r - r - 1 206 Users 25029 APR 2 03:26 Arpspoof.cdrwxr-xr-x 2 206 User $ 1024 APR 9 02:03 C-RW-R - R - 1 206 User 7857 NOV 9 1998 Hijack.c-RW-R - R - 1 206 User 5066 DEC 2 12:55 hostup.c-rwxr-xr-x 1 206 Users 84572 APR 9 02:03 hunt-rw-r - r - 1 206 Users 24435 APR 2 03:26 hunt.c-rw -r - r - 1 206 Users 16342 Mar 30 01:56 hunt.h-rwxr-xr-x 1 206 User $ 316040 APR 9 02:03 hunt_static-rw-r - r - 1 root root 265 May 20 22:22 huntdir.txt-rw-r - r - 1 root root 2517 May 20 22:19 huntlog.txt-rw-r - r - 1 206 Users 6249 Feb 21 11:21 MacDisc.c-rw -r - r - 1 20 6 User $ 12105 Feb 21 11:35 Main.c-rw-r - r - 1 206 User $ 12000 Feb 6 02:27 Menu.c-RW-R - R - 1 206 Users 7432 Apr 2 03:53 NET.C-RW-R - R - 1 206 User $ 5799 Feb 11 04:21 Options.c-rw-r - r - 1 206 User $ 11986 Feb 14 04:59 Resolv.c-rw-r- -r - 1 206 User $ 1948 OCT 25 1998 RST.C-RW-R - R - 1 206 Uses 9545 Mar 30 01:48 RSTD.C-RW-R - R - 1 206 User $ 21590 APR 2 03:58 Sniff.c-rw-r - r - 1 206 users 14466 Feb 21 12:04 Synchijack.c-rw-r - r - 1 206 users 2692 Feb 19 00:10 Tap.c-rw -r - r - 1 206 Users 4078 Feb 15 05:31 Timer.c-rw-r - r - 1 206 User 2023 OCT 25 1998 TTY.C-RW-R - R - R - 1 206 Users 7871 Feb 11 02:58 Util.c Static binary publishing is hunt_static, recommended using this version, because sometimes some libraries can be lacking from the source code.
Use the following command to execute hunt: $ hunt_static run hunt: You will surprise that hunt is CURSE based on CURSE, so there is a very friendly interactive interface. After starting, the menu is as follows: --- Main Menu --- Rcvpkt 0, Free / Alloc 63/64 ------ L / W / R) List / Watch / Reset Connectionsu) Host Up Testsa ARP / SIMPLE Hijack (Avoids Ack Storm If ARP Used) S) SIMPLE Hijackd) DAEMONS RST / ARP / SNIFF / MACO) OptionsX) Exit *> In the entire example, I will log in to Linux.test.net from GNSS. Test.
GNSS 3% telnet 192.168.0.2Trying 192.168.0.2 ... Connected to 192.168.0.2.Escape character is '^]' Caldera OpenLinux (TM) Version 1.3Copyright 1996-1998 Caldera Systems, Inc.login:. [Hapless @ linux "$ finger rootlogin: root name: rootdirectory: / root shell: / bin / Bashon Since Thu May 20 21:57 (PDT) ON TTY1 1 Minute Idleon Since Thu May 20 22:02 (PDT) ON TTY2 7 Minutes 19 Seconds Idleon Since Thu May 20 21:59 (PDT) on TTY3 15 Seconds Idleno Mail.No Plan. [Hapless @ Linux Shanghai $ Last Rootroot Tty2 THU May 20 22:02 STILL Logged INROOT TTY3 THU May 20 21:59 Still Logged INROOT TTY1 THU May 20 21:57 Still Logged INROOT TTY2 THU May 20 19:46 - Down (00:26) Root Tty1 Thu May 20 19:44 - 20:12 (00:27) Root TTY3 THU May 20 19:44 Down (00:2Root Tty3 Thu May 20 19:42 - 19:44 (00:01) Root TTY1 Thu May 20 19:41 - 19:42 (00:00) Root Tty3 Thu May 20 19:28 - 19:41 (00:12) Root TTY2 THU May 20 19:11 - 19:42 (00:31) root tty1 Thu May 20 19:07 - 19:40 (00:32) root tty1 thu May 20 18:57 - 19: 07 (00:09 Root TTY1 MON May 17 22:32 - Down (00:29) Finally inspected the / etc / passwd, there is HUNT to sniff in the whole process: --- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------ l / w / r) list / watch / reset connectionsu) Host Up testsa) ARP / SIMPLE HIJACK (Avoids Ack Storm if ARP Used) S) SIMPLE HIJACKD) DAEMONS RST / ARP / SNIFF / Maco) Option *> W0) 192.168.0.1 [1049] -> 192.168.0.2 [23] Choose Conn> 0dump [S] RC / [D] ST / [B] OTH [B]> B NOTE: Top The input (black font portion) indicates the hunt to record the No. 0 connection and output the source and destination information.
The hunt will display all activities of the Hapless to the Terminal screen: 22: 18: 43 Up 21 min, 4 Uses, Load average: 0.00, 0.01, 0.00trl-c to breakhhaappliancessword: unaWare [hapless @ linux2 hapless] $ CCLLEEAARR [ Hapless @ Linux2 hapless] $ WWHHOOROOT TTY1 MAY 20 21: 57ww22: 18: 43 Up 21 min, 4 Uses, Load Average: 0.00, 0.01, 0.00 [hapless @ Linux2 hapless] $ mmoorree // Eettcc // ppaasssswwddroot: 0: 0 : root: / root: / bin / bashbin: 1: 1: bin: / bin: daemon: 2: 2: daem: / sbin: adm: 3: 4: ADM: / var / adm: lp: 4: 7: LP: / var / spool / lpd: Sync: 5: 0: Sync: / sbin: 6: 11: Shutdown: / sbin: / sbin / shutdownhalt: 7: 0: Halt: / sbin: / sbin / Haltmail: 8: 12: Mail: / VAR / Spool / Mail: News: 9: 13: News: / var / spool / news: uucp: 10: 14: uucp: / var / spool / uucp: Operator: 11: 0perator: / root: Games: 12: 100: Games: / usr / games: Gopher: 13: 30: Gopher: / usr / lib / gopher-data: ftp: 14: 50: ftp user: / home / ftp: man : 15: 15: Manuals Owner: /: Majordom: 16: 16: Majordomo: /: / bin / falsepostgres: 17: 17ostgres User: / Home / Postgres: / bin / Bashnobody: NoPody: /: 65534: NoBody: /: 65534: No / Falseanon: 100: 100: anonymous: / home / Anon: / bin / Bashhapless: 500: 500: Caldera O Penlinux User: / HOME / Shanghai Hapless: / bash [hapless @ Linux2 hapless] $ OK can see, the output of Hunt is very straightforward, easy to read. However, Hunt also provides the following tools: allowing you to specify any of interests of interest, not all things. Allow any one of the connections, not just the connection just starting with SYN. IT Offers Spoofing Tools. Provides events to hijack. Its unique features and easy-to-use interfaces make it a very good choice for Linux entry. SniffitsniffIT is for those who need more information. Author: Brecht Claerhout conditions: C, IP header profile: See discussion of history behind security: None Note: sniffit very powerful, but easy to learn to use. $ TAR XVFZ SNIFFIT_0_3_7.TAR.GZ $. / Configure (Configuration Command Whether it meets the requirements) $ make (Compile Source Code) SNIFFIT (Spriki Binary Code) Now you can use Sniffit (Sniffit Configuration We finally discuss).
Syntax: Sniffit [-xdabvnn] [-P proto] [-A char] [-r | -r) Recordfile] [-l sniflen] [-l logparam] [-f snifdevice] [-d TTY] [-M plugin] [(-t target-ip | -s source-ip | (-i | -i) | -c config-file] sniffit is a TCP / IP / ICMP protocol data report listener, It can give a very detailed technical information (SEQ, ACK, TTL, Windows, ....) and a variety of different formats (HEX or plain text) Sniffit (HEX or plain text) Sniffit (HEX or plain text) Sniffit, which is aware of these protocol datagrams. Ethernet and PPP devices can be handled. However, you can also use it on other devices (see REDME.FIRST and SN_CONFIG.H). Sniffit can make it easy to configure the access data newspaper. And the configuration file allows very certainly Specifies the datagram that needs to be processed. Sniffit also has an interactive interface. Option: -v Display version information -T destination address only processes the data of the destination address "target address", and '-S' '-c' '-V 'Option is not compatible - Source Address only processes data for sending addresses as "source address", and' -t '' '' '' option is not compatible - C configible files to define package filter rules in the configuration file And -t '' '' '' -V 'is not compatible - RF Record the output to "File" (and' -V 'is not compatible) -N Turn the IP datagram check, so that the forged data is also You can display the extended information of -X printing TCP datagram to standard output (SEQ, ACK, FLAGS, etc.), often use to track spoofing, package loss and other network debug test tasks. And '-i' ' '' -V 'is not compatible - DO output to the default file, the general file name is a combination of the address of the source, such as: 192.168.0.232.1120-192.168.0.231.80-a Output ASCII code format, unprintable characters Use "." To indicate that the protocol type, IP, TCP, ICMP, UDP, etc. of the data that need to be processed, IP, TCP, ICMP, UDP, etc. The-P port only processes the number of destination ports "port". according to. -l Sniflen In normal mode, the sum of the recorded data (default is 300 bytes), and the front SNIFLEN byte each time the connection is recorded.
-F device Specifies that the data of a device such as Eth0, Eth1 and other -D TTY are output to the specified TTY: • To listen to the access to 192.168.0.231 to 192.168.0.231 access WWW request data: [ Root @ LiX / TMP] # / usr / sbin / sniffit -p 80 -p tcp -s 192.168.0.233 -d ttyp1 packet ID (from_ip.port-to_ip.port): 192.168.0.233.1060-192.168.0.231.8045 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7 04 24 00 00 00 00 00 00 00 00 02 20 00 67 19 00 00 02 04 05 B4 Note: 192.168.0.231 is a Running Linux server? If you want to direct the output to a file, [Root @ link / tmp] # / usr / sbin / sniffit -p 80 -p tcp -s 192.168.0.233 -r / tmp / wwwlog? If you want to view From 192.168.0.231 to the 192.168.0.225 WWW page data, and store the data in a file / TMP / WWWLOG: [Root @ link / tmp] # / usr / sbin / sniffit -p tcp -t 192.168.0.225 - R / TMP / WWWLOG Note: Do not connect to 231 on 225, such as Telnet otherwise returning to mix. • If you want to view ICMP data from 192.168.0.231 from 192.168.0.233, and display it on the console: [Root @ link / tmp] # / usr / sbin / sniffit -p ICMP -T 192.168.0.233 -d TTYP1SNIFFIT supports configuration files, which can provide more powerful sniffing control through profiles. The profile format contains five different fields, which are as follows: Field 1-select or deselect. Indicates that the Sniffit captures the data specified by the rear condition or does not capture. Field 2-from, to, or Both. H Indicates Sniffit to capture data from, sent to or two-way specified hosts. Field 3-Host, Port, or MHOST. Specify one or more target hosts. MHOST can be used to specify multiple hosts, such as 192.168.0. Field 4-Hostname, Port Number, or Multiple-Host list. Field 5-port number. For example: Select from host 192.168.0.1select from host 192.168.0.1 80Select Both Port 23Sniffit will capture all information from the Telnet and WWW from both hosts. Select Both MHOSTS 100.100.12.deselect Both Port 80Select Both Host 100.100.12.2sniffT will capture 100.100.12. * Relevant WWW data except WWW, but display 100.100.12.2 WWW data [Post Reply] [View CU Forum original post 】【shut down】
Flower compliance Reply to: 2002-12-10 18:26:33 This article is very classic! Using ARP packet detection Network node in mixed mode Release Date: 2001-11-1 Content: ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------------- This article is only for Windows implementation version 1.0 Original: kelvin king-pang Tsang Chinese version translation: nixe0n (translated from English) Summary 1. Introduction 2. Network sniffing principle 3. Detect the basic Concept 4. Basics 1). Hardware Filter 2) .arp Mechanism 5. Detect Nodes in Mixed Mode 6. Software Filter 1) .Linux 2) .micro $ OFT Windows7. Mixed mode detection 8. Check all network nodes 9 Abnormal case 1). 3COM network card 3) .Windows Y2K packet capture drive module summary In a local area network, security issues should be noticed. When plain text data is transmitted on the network, any network users will easily steal this information. Sniffing is called Sniffing on the network. By sniffing the network, a user can obtain access to the top secret document, spying to anyone's privacy. There are many freely distributed sniffer software on the Internet to achieve the above purposes. Although the network sniffing is very easy, but there is no good way to detect this malicious behavior. This article will explain the detection mechanism used by Promiscan (a software that can effectively detect the network sniffer). In order to intercept all the packets on the network, the sniffer must be set to a mixed mode (ProMiscuous mode). Next, the NIC can accept all the packets on the network and send it to the system kernel. Address Resolution Protocol, ARP request message to query the resolution of the hardware address to the IP address. We will use this type of group to check if the network is set to a mixed mode (Promiscuous Mode). The reason why the ARP request group use is because it applies to all Ethernet-based IPv4 protocols. Under the proping mode, the NIC does not block the destination address is not his own group, but is full, and transfer it to the system kernel. Then, the system core will return a message containing the error message. Based on this mechanism, we can assume that some ARP request packets are sent to each node on the network. No network cards in a mixed mode will block these packets, but if some nodes respond, it means that the NIC is in a mixed mode. under. These nodes in which these mixed modes may run the sniffer program. This can successfully detect the sniffer program running on the network. 1. Introduction In the LAN, sniffing behavior has become a huge threat to network security. Smelling through the network, some malicious users can easily steal the top secret documents and anyone's privacy. To achieve the above objectives, malicious users can download from the network and safe to their own computer. However, there is no good way to detect the sniffer program on the network. This article discusses the use of address resolution protocol packets to effectively detect office networks and sniffer procedures on campus online. 2. The principle of network sniffing is usually connected using Ethernet. The information transmitted by the IP (IPv4) protocol transmitted on the Ethernet cable is explicitly transmitted unless encrypted the encryption program. When a person sends information to the network, he wants to only receive this information only if a particular user can receive it. However, very unfortunately, the work mechanism of Ethernet provides non-verified users to steal these data. When the Ethernet is transmitted, the packet is sent to each network node, and the node that matches the destination address will receive these packets, and other network nodes are only simple to discard. Receive or discard these packets are controlled by Ethernet card.
When receiving the packet, the NIC will filter out the destination address is your packet reception, not the single collection. Some of this article We will refer to this filtering of the NICs to hardware filtration (Hardware filter). But this is just in normal cases, the sniffer uses another way of working, which sets its own NIC to receive all network packets, regardless of whether the destination address of the group is yourself. This network card mode is called a mixed mode. 3. Detecting the basic concept of the mixed mode In the network, the sniffer receives all packets without sending any illegal packets. It does not hinder the flow of network data, so it is difficult to detect it. However, the state is in promiscuous mode (promiscuous mode) network card and it is clear that in the normal mode under different. In mixed mode, the group text that should be filtered out of the hardware will enter the system's kernel. Whether to respond to this group full dependence and kernel. Let's take an example in the real world to illustrate how we detect methods in mixed mode network nodes. Imagine a meeting in a conference room. Some person places the ear in the conference room to eavesdrop (sniff ^ _ ^). When she (still a woman, the original text is like this, when she is eavesdropped (sniff), she will hold breathing and quietly listen to all the speeches in the conference room. However, if someone in the conference room suddenly called the name of the eavesdropper: "XX Mrs.", she may promise "唉". This sounds a bit funny, but it can be used in the detection of network sniffing behavior. The network is a network sniffing node receives all packets of the network, so its kernel may make an error response to some of the packets that are hardware filtered. According to this principle, we can detect the sniff behavior of the network by checking the response of the ARP packet. 4. Basics 1). Hardware Filter First, we have not started from the promiscuous mode and normal mode. The Ethernet address is 6 bytes, and the manufacturer is allocated to each network card in the world, so there is no network card with the same address. All communications on Ethernet are based on this hardware address. However, the NIC can be set to different filtration mode to receive different types of packets. Below is the filter mode of the Ethernet card: Unicast: NIC receives all destination addresses are their own group Broadcast: Receive all broadcast packets, the destination address of the Ethernet broadcast packet is fffffffffff. This broadcast packet can reach all nodes on the network. Multicast: The receiving destination address is a packet for the specified multicast group address. The network card only receives the group that has been registered in the multi-entry list. All Multicast: Receives all multi-governance submitted broadcast packets. Promiscuous: Does not check the destination address at all, receive all the packets on the network. Figure -1 depicts the hardware filter in normal conditions and in a mixed mode. Typically, the hardware filter of the NIC is set to receive a packet for unicast, broadcast (Broadcast), broadcast (Broadcast), multicast address 1. The filter only receives the packet of the destination address, the broadcast address (FF FF FF FF), and the multi-entry address 1 (01 00 5E 00 00 01). 2) .arp mechanism Use the IP network connected to the Ethernet to rely on Ethernet for transmission. Only the IP address is used, the message cannot be sent. Therefore, a mechanism is required on Ethernet to provide a conversion between IP addresses and hardware addresses. This mechanism is the address resolution protocol. ARP is a network layer, and the IP is in the same layer of the OSI model. The address resolution on IP network is continuously carried out, so ARP packets are more suitable for detecting network nodes in a hybrid mode (Promiscuous Mode).
In the example below, we will tell how the use of ARP packets analyze the IP address: for example: a PC (X) Ethernet address on the network is 192.168.1.1 is 00-00-00-00-00 -01, this PC (X) needs to send a message to the PC (Y) of another IP address from 192.168.1.10 on the network. Before sending, X first issues an ARP request packet to query the Ethernet address corresponding to the 192.168.1.10. The destination address of the query package is set to FF-FF-FF-FF-FF-FF (broadcast), so that all nodes on the local network can receive this package. After receiving, each node checks the IP address of this ARP package and whether the IP address of this unit matches. If you do different, you ignore this ARP package; if you match (Y), you will send an answer to the x. X After receiving the response, the IP / hardware address of the cache Y is. Then X can send the actual data to Y. 5. Testing the node in a mixed mode says that the filtered state of the message is the difference between the mixed mode state and the normal network node. When the network card is set to a mixed mode, the file that is filtered will enter the system's kernel. With this mechanism, we can detect nodes in a mixed mode on the network: We construct an ARP query package, its destination address is not a broadcast address, then send this ARP query package to each node on the network, and finally respond through each node To determine if it is in a mixed mode. Let's discuss the operation of the entire ARP request / response. First, an ARP query package is generated to resolve the hardware address of 192.168.1.10. In order for all nodes on the network to receive this query package, set the destination address of this package to the broadcast address. In theory, only the IP address of 192.168.1.10 can respond to this query package. Further imagine that if we set the destination address (Ethernet address) of this query package to another address, how will it be the original broadcast address? For example: What happens to the destination address of the query package to 00-00-00-00-00-01? The Ethernet card of the network node in normal mode will think that this query package is sent to other hosts, and its hardware filter will refuse to receive this package; however, if this network node (192.168.1.10) Ethernet card is in mixed mode (Promiscuous Under the Mode, even if the Ethernet address does not match, the hardware filter does not perform any filtration, so that this query package can enter the system's kernel. Because the IP address of this node is the same as the Query IP address, its kernel will think that the ARP query package arrives and should make a response. However, we are surprised that this kernel in the mixed mode node does not answer the ARPR query package. This unexpected results indicate that this package is filtered by the system core. Here we call this as a software filter. Further, we can detect a network node in which a mixed mode is detected by distinguishing a different feature of the hardware filter and software filters. Hardware filters typically block all invalid packets (these packets obviously do not enter the system kernel), so they can generally pass through the software filter through the hardware filter, which is not much discussed. Now that we need to be constructed to be blocked by the hardware filter, but can pass through the software filters. If this message is sent to each network node, the network node in normal mode will not respond; and the node in the mixed mode will respond. 6. Software filter software filter depends on how the system kernel software filter is necessary to understand how the system kernel software filter works. Linux is an open source system system, so we can get its software filtering mechanism. But for Micro $ OFT Windows, we only guess by experience. 1) .Linux In the LINUX Ethernet drive module, the group is classified by hardware addresses. Broadcasting package FF FF FF FF FF FF Multi-point Packet All packets have a group logo set, not including broadcast packets. The TO_US group destination address and the same packets as this network card.
OtherHost packets all destination addresses and local network cards different packets. Now, we assume that all packets with group logo are broadcast packets. The destination address of the Ethernet multi-entry packet corresponding to the IP network is 01-00-5e-xx-xx-xx, and the multi-entry packet cannot be classified by the check group flag. This assumption is not wrong because 01-00-5e-xx-xx-xx is an IP-based multi-cast address, but the NIC hardware addresses are also used for other high-level protocols. Below, let's take a look at the code of the ARP module. IF (in_dev == null || ARP-> AR_HLN! = dev-> addr_len '' dev-> flags & imp_noarp || SKB-> PKT_TYPE == packet_otherhost || SKB-> PKT_TYPE == Packet_loopback || ARP-> Ar_pln ! = 4) goto out; the Linux kernel's ARP module rejects all OtherHost types. Next, the ARP module will process the broadcast, multi-cast, and the TO_US type grouping. Table 1 Integrated hardware filters and software filters Filtering processes for various ARP packets, 1 Description: HW (Hardware), SW (Software), Res. (Response), GR (Group). Next, we will describe the packet of this six hardware address: to_US NIC In normal mode, all addresses of all addresses can be smin up by thin filters and software filters. Therefore, the ARP module responds to whether the network card is in a mixed mode (Promiscuous mode). OtherHost When the NIC is in normal mode, OtherHost will reject all the addresses of OtherHost. Even if the NIC is in a mixed mode, this group cannot pass software filters, so this ARP request will not receive a response. Broardcast In normal mode, the Broardcast group can also be able to pass hardware and software filters, so it cannot be used for detection of network node mixed mode. Multicast In normal mode, if the packet's hardware address is not registered in the multi-input address list, the NIC will refuse to receive; however, if the network card is in a mixed mode, this group will unimpeded through the hardware filter and software filter. . Therefore, this type of packet can be used to detect the network node in the mixed mode. Group bit This type of group is neither a Brodcast type or a multicast type, but its hardware address is set (the first one of the first-character sequence of Ethernet address) is set: 01-00-00-00 -00-00. In normal mode, the NIC refuses to receive such grouping; however, in mixed mode, this type of packet can pass through the hardware filter. In the Linux kernel, this type of grouping is classified as multifunction packets, and can pass through the software filter. Therefore, this type of packet can also be used for hybrid mode detection. 2). Micro $ OFT WindowsWindows system is not an open source system, so it cannot be analyzed from the source code to analyze its software filtering behavior. I have to test by experiments. In the experiment, we use the following hardware addresses: FF-FF-FF-FF-FF-FF broadcast addresses all network nodes receive this packet. The usual ARP query package uses this address. The FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FE is a pseudo-broadcast address, which is lost. This address is used to check if the software filter checks all address bits, whether to answer.
FF-FF-00-00-00-00-00 16-bit Broadcast Address FF-FF-00-00-00-00 Only the top 16 bits and real broadcast addresses are the same. If the filter function only tests the first word of the broadcast address, this address can be classified into the broadcast address. FF-00-00-00-00-00 8 Bit Broadcast Address This address is only the top 8 bit and broadcast addresses. If the filter function only checks the first byte of the broadcast address, it can also enter the broadcast address class. 01-00-00-00-00-00 Multi-cast mark Setting address This address is only multi-entry marking bit (the first-sequence low sequence bit of the Ethernet address) is set, used to check if the filter function is also Like Linux as a multi-cast address. 01-00-5e-00-00-00 Multi-cast address 0 is not commonly used, so we use this address as a multi-cast address that is not registered in the network card multi-input address list. Under normal circumstances, the hardware filter should refuse to receive this group. However, if the software filter cannot check all of the address bits, this type of packet may be classified to a multi-cast address. Therefore, if the network card is in a mixed mode, the kernel will respond. 01-00-5e-00-00-01 Multi-cast address 1 All network nodes on the LAN should receive multi-cast address 1 type grouping. In other words, the hardware filter allows this type of packet by default. However, you can not support multi-entry mode because the NIC does not support multi-entry mode. Therefore, this type of packet can be used to check if the host supports multi-cast address. Even if the result: Test results for these seven types of addresses are shown in Table 2. Test is for Windows85 / 98 / ME / 2000 and Linux. If you do not, the NIC is in normal mode, the kernel will respond to the grouping of all addresses and multi-cast address 1. However, when the network card is in a mixed mode, the test results of each operating system are not the same. Windows95 / 98 / me will respond to groups of 31,16,8 bits. Therefore, we can think that the software filter for the Window9x Series operating system only determines whether the packet address is a broadcast address by detecting one bit. The Windows 2000 responds to groups of addresses of 31,16 bits. Therefore, we can think of the 8 bits of the Windowsy2k check the address to determine if the packet address is a broadcast address. The Linux kernel responds to all seven addresses of addresses. 7. Mixed mode Detection We can use this test results for the detection of the local area network in the mixed mode node. The following is a specific detection process: 1). We need to detect whether the host of the IP address A is in a mixed mode. First we need to construct an ARP packet and follows the format of an Ethernet frame: ARP packet: the destination Ethernet address 000000000000 (Note 1) The sender Ethernet address 001122334455 (Note 2) The high-level protocol type 08 00 (IP) Hardware Type 00 01 (Ethernet) Hardware Address Length 06 (Ethernet Address Length) IP Address Length 04 Sender IP Address Native IP Address The IP address of the IP address is detected by the host IP address ARP operation code 00 01 (ARP Request 01, ARP Answer 02) Ethernet Frame: Protocol Type 08 06 (ARP) Sender's Hardware Equipment Native Ethernet Card Address Target Hardware Address FF FF FF FF FE Description 1: At this time, ARP want to query Ethernet Address, all fill in 0 or 1 can be. Description 2: Replace with your Ethernet address. 2) After the packet construct is completed, we can send it to the network. 3). Now we need to wait for the response of the target host. If the target host is in a normal state, this packet will be blocked; but if we are in a mixed mode, we will receive a response. 8. Check all network nodes as long as the detection method described in Section 7, we may detect all network nodes in mixed mode. However, in some cases, this detection method will be invalidated. 9. Abnormal circumstances, there are some cases that cannot be used to perform mixed mode detection.
These abnormalities include: 1). Some old network cards do not support multi-entry list, such as: 3com EtherLinkiii. The packet does not check the software filter, 2) .3com network card is installed at the Linux host 3C905 network card, which is set to receive all multi-entry packets by default. Therefore, we cannot distinguish between mixed modes and multi-point mode. The reason for this abnormality is that the Linux drive module of this network card does not support multi-entry list, and the NIC will receive all multi-point packets. Note: Linux installer uses 3C59x.o as the drive module of this network card. If the drive module is changed to 3C905X.O, this issue can be solved. 3) .Windows Y2K Packet Capture Driver Module When the Windowsy2k packet capture drive module is dynamically loaded, an exception is also generated. WinPCap2.1 (2.01) and SMS are two dynamic load packet capture drive modules for Windowsy2k. There are some special reactions when they are installed into the Windowsy2k system. Even if the NIC is not in a mixed mode, the address is 16 packets for the pseudo-broadcast address (the sniffer using the two drive modules will not be accurate). That is, even if the sniffer is not running, it can be detected. It may be that Micro $ OFT is intentionally to facilitate the detection of mixed mode. Network listening attack technology In the network, when the information is propagated, you can use the tool to set the network interface in the listening mode, you can intercept or capture the information in the network, thereby attacking. Network monitors can be implemented in any of the locations in the network. Hackers are generally using network listening to intercept user passwords. For example, after someone occupied a host, then he wants to expand the results to this host's entire LAN, monitoring is often the shortcut they choose. Many times I saw some beginners in various security forums, and if they think that if they occupy a host, they want to enter its internal networks should be very simple. In fact, it is not an easy thing to enter a host and other machines who want to turn into its internal network. Because you have to get their passwords, it is the absolute path they share. Of course, the end of this path must be written. At this time, there will be a lot of logging programs on the host that have been controlled. But it is a matter of feminine, but also needs to have sufficient patience and strain ability. ■ The principle of online monitoring Ethernet (Ethernet, is a comparative popular local area network technology invented by Xerox, which contains a cable connected to it, each computer needs a hardware called an interface board. Can connect to the Ethernet) Agreement is the way to send the data to which you want to send to all hosts connected together. In the header including the correct address of the host that should receive the packet, because the host that is consistent with the target address in the packet can receive the packet, but when the host works in the listening mode, the target physics in the data package What is the address is, the host will be available. There are more than a dozen of the local domain, and even the hundred hosts are connected by a cable, and a hub is connected. In the high-level or user of the protocol, when the two hosts in the same network, the source host will write The packet of the host address of the target directs the host, or when a host in the network communicates with the host, the source host will write the data package of the host IP address of the destination to the gateway. However, this packet does not send it directly to the high level of the protocol stack, and the packet to be sent must be handed over to the network interface from the IP layer of the TCP / IP protocol, which is the data link layer. The network interface does not recognize the IP address. In the network interface, the packet with IP addresses has increased by the IP address to the information of the superhigh head. In the head, there are two domains for the source host and destination host of only network interfaces. This is a 48-bit address. This 48-bit address corresponds to the IP address. In other words, An IP address will also correspond to a physical address.
For hosts as a gateway, since it connects multiple networks, it also has many IP addresses, which have one in each network. It is the physical address of the gateway. In the Ethernet, the Ethernet is filled in the network interface, that is, from the network card to transmit it to the physics. If the local area network is connected by a rough net or a thin network, the digital signal is transmitted on the cable to reach each host on the line. When the hub is used, the transmitted signal reaches the hub, and the hub is then forwarded to each line connected to the hub. Thus, the digital signal transmitted on the physical line can also reach each host connected to the hub. When the digital signal reaches a host's network interface, the network interface checks for the read data in the normal state. If the physical address carried in the data is your own or physical address is a broadcast address, then the data will be handed over Give IP layer software. This process is performed for each data that reaches the network interface. However, when the host works in listening mode, all data will be handed over to the upper protocol software processing. When the host connected to the same cable or hub is logically divided into several subnets, then if there is a host in a listening mode, it will also receive the swivel and yourself not in the same subnet (using different Mask, IP Address, and Gateway) Packets, all information transmitted on the same physical channel can be received. On the UNIX system, when you have super-permissions, you can send an I / O control command to the Interface (Network Interface) to send the I / O control command to the Interface (Network Interface), you can set the host to monitor mode. In the Windows9x system, you will be able to be implemented by directing the monitoring tools by the user if the user has permission. When online monitoring, a large amount of information is often saved (also contains a lot of spam), and will make a lot of information on the collected information, which will make the requested machine to respond slowly for other users. At the same time, the listener needs to consume a lot of processor time when running, and if the content in detail in detail this time, many packets will not be received and received. So listening programs often put the monitoring package in the file waiting later. Analysis of the listening packet is a very headache. Because the data packets in the network are very complicated. Continuously transmit and receive packets between the two hosts, which must add some of the data packets interacting with other hosts in the results of the listening. The listener will be quite difficult to organize the package of the same TCP session. If you still expect to organize the detailed information to organize a lot of analysis according to the protocol. On the Internet on the Internet, this listener will be very big if it runs up. The protocol used in the network is designed earlier, and many of the implementations of the agreement are based on a very friendly and communicative basis. Under the usual network environment, the user's information includes passwords to be transmitted online in a clear manner, so network listening to obtain user information is not a difficult thing, as long as the preliminary TCP / IP protocol knowledge is It can be easily listened to the information you want. I have proposed the Word Logo to extend from the LAN from the LAN, but this idea is so sincerely. If this is the case, I want the network to make the world a big chaos. And in fact now can also listen to and intercepted some user information in a wide area network. Just is not obvious enough. It is more insignificant in the entire Internet. Here are some famous listeners in the system, you can try it yourself.
Windows9x / NT NetXRay http://semxa.kstar.com/hacking/netxray.zipDEC Unix / Linux Tcpdump http://semxa.kstar.com/hacking/management.zipSolaris Nfswatch http://semxa.kstar.com/hacking /nfswatch.zipsunos etherfind http://semxa.kstar.com/hacking/etherfind012.zip ■ Detecting network listening method network monitors have explained in the above. It is designed for system administrators to manage networks, monitor network status, and data flow. But because it has the ability to intercept the network data, it is also one of the tricks used to hackers. Generally detecting the method of network listening is made by: "AMP; # 9658; network surveying is true, it is difficult to discover. When the host runs the listener, only passive reception in the Ethernet in the process of listening. The information transmitted, it does not exchange information with other hosts, and cannot be modified in the network. This shows that the detection of network monitors is more troublesome. Under normal circumstances can be passed by PS-EF or PS -AUX detects. But most people who implement the listener will prevent the PS-EF by modifying the PS command. Modifying PS only requires a few shells to filter the name of the listener. It is OK. One can start listening The procedure of the program is absolutely not a person who doesn't understand any food. Unless he is lazy. It is mentioned above. When the listener is running, the host response will generally be slow, so some people mention Come out to determine whether it is listened by the rate of response. If this is true, I think the world will really be big, say that you will find countless listeners in a time period, huh, if you suspect it Inside, a Taiwanese machine is implementing a listener (how to doubt? It depends on yourself), you can use the correct IP address and the wrong physical address to ping it, so that the listener will respond. This is because normal machines generally do not receive ping information of the wrong physical address. But the machine is being able to receive, if its IP Stack is no longer in reverse inspections, but this method is a lot The system is no effect because it relies on the system's IP Stack. The other is to send a large number of physical addresses that do not exist to the Internet, and the listener often processes these packets, which will cause the machine performance to decline. You can use ICMP echo delay to judge and compare it. You can also use the program running on all hosts in the network, but this is difficult to know, because this is not only a big workload, but not completely At the same time, check the process on all hosts. But if the administrator will make a lot of necessity, it is to determine if there is a process started from the administrator machine. Can pass PS -AUN or PS in UNIX The -AugX command generates a list of all processes: the host and memory of the genus and these processes. These are output on Stdout in the form of a standard table. If a process is running, then it will be column In this list. But many hackers will modify the PS or other running programs to the Trojan Horse program when running the listener, because he can do this completely. If it is true, then There will be no results. But doing this to a certain extent. It is easy to get the list of current processes on UNIX and Windows NT. But DOS, WIN Dows9x seems to be difficult to do, the specific is not that I have not tested it. There is also a way, this way is sufficiently luck. Because the listeners used in hackers are mostly free online, he is not professional listening. So as administrators used to search for listening programs can also be detected. Using Unix can write such a search for a small tool, otherwise, you have to be exhausted. Ha ha. There is a tool called ifstatus running under UNIX, which can identify if the network interface is in debug state or under the listening.
If the network interface is running this mode, it is likely that it is being attacked by the listener. Ifstatus generally does not generate any output, when it detects that the interface of the network is in listening mode, it will only return to the output. Administrators can set the system's cron parameter to run ifstatus regularly. If there is a good cron process, you can send it to people it generated to people who are executing the cron task. To achieve additional **************** / usr / local / etc / ifstatus a line of parameters. If you don't work, you can also use a script to under Crontab 00 **** / usr / local / etc / run-ifstatus. Sign in to monitor which aspect is actually seen. In general, the monitor is only a more sensitive to the user password information (there is no boring hacker to listen to chat information between the two machines). Therefore, it is entirely necessary to encrypt user information and password information. Prevent it from being listened by the plain text transmission. In modern network, SSH (a protocol for providing confidential communication in an application environment) The communication protocol has been taken along lines, and the port used by SSH is 22, which excludes information that communicates on unsuppiness channels, the possibility of listening Using the RAS algorithm, after the end of the license process, all transmissions are encrypted with IDEA technology. But SSH is not fully safe. At least now we can comment so bold. █ Famous Sniffer monitor tool Sniffer is famous, is to do very well in many ways, it can monitor all information (even listening, see) online transfer. Sniffer can be hardware or software. Mainly used to receive information transmitted on the network. The network can run under various protocols, including Ethernet Ethernet, TCP / IP, ZPX, etc., or the joint system of centralized protocols. Sniffer is a very dangerous thing, it can intercept the password, which can be intercepted to be secret or dedicated channels, intercepting the credit card number, economic data, e-mail, and more. More can be used to attack the network coming. SNIFFER can be used in any platform. Now use Sniffer, it is impossible to find that this is enough to be the most serious challenge for network security. In Sniffer, there is also a "enthusiastic person" written its Plugin, called TOD killer, which can complete the connection of TCP. In short, Sniffer should attract people's attention, otherwise security will never do it. If you just want to use it, you can find a Sniffer program tool that has passed my Chinese by I http://semxa.kstar.com/hacking/sniffer260.zip. Iricyan Reply to: 2002-12-10 23:47:25 Thank you, I will save it first, I have not touched it for Sniffer! This should be a good article, it is essential!
Torrent Reply to: 2002-12-11 16:50:32 Good, no mistakes.
づ ★ SL A God of War Reply to: 2003-04-03 23: 23: 37sniffer is really good, especially for Ether, I think it is more than the kind of this kind of 我 我 是 目 目 器 大 大 有 就 就 就 就 就 就When I am advertising, huh, huh!
WDYWDY Reply to: 2003-04-03 23: 00: 22LinUX I haven't used it, but I tried it under WidNows, but I haven't gotten it, these articles are right. Thank you
HeikeAngel Reply to: 2003-05-01 20:42:21 If I'm IRIS, I like it. . DSNIFF is not bad, but it is Linux
