Some information about Sniffer

This article is a SNIFFER FAQ released a few years ago. Although the techniques involved inside may be relatively old, they can still be used as entry-level documents. I hope that this SNIFFER FAQ can help administrators have a clearer understanding of the online monitoring and solution. Sniffer has become one of the most common host intrusion on the Internet today.

 In the Green Alliance Network Security Monthly, I will also introduce Sniffer, Sniffer's King -nti-Sniffer and Anti-Sniffer's NTI-SNIFFER. And Anti-Sniffer. If you are interested in this, please contact me if you have any good information or suggestions.

FAQ directory:

* What is SNIFFER and its working principle

* Where can I get SNIFFER?

* How to monitor the host is eavesdropping (Snifed)

*   Block Sniffer

             

  encryption

Keberos

              

  non-mixed mode network interface equipment

-------------------------------------------------- -----------------------------

What is SNIFFER and its working principle

 Unlike telephone circuits, computer networks are shared communication channels. Switches / hubs supporting each pair of communication computer exclusive channels are still too expensive. Sharing means that the computer can receive information sent to other computers. The data information captured in the network is called Sniffing.

 Ethernet is the most widely used computer networking mode. The Ethernet protocol is to send packet information to all hosts on the same time. The data clamp contains the correct address of the target host. Under normal circumstances, only hosts with this address will accept this packet. If a host can receive all packets without rating the data cladding content, this method is often referred to as a "mixed" mode.

 Since the account and password information is transmitted in the Ethernet in a normal network environment, once the intruder gets the ROOT permission of one of the hosts, and places it in a mixed mode to eavegance network data, it is possible All computers in the intrusion network.

-------------------------------------------------- -----------------

Where can I get SNIFFER?

The Sniffer is one of the most common intrusion methods of hackers. For example, esniff.c is a small tool that runs in the Sunos platform, capturing the first 300-byte content of all Telnet, FTP, and RLOING sessions. This procedure developed by Phrack has become one of the most widely used tools in hackers.

 You can run Esniff.c in the allowed network to understand how it effectively endangers local machine security.

 The following is some Sniffer tools that are also widely used to debug network failures:

                                                                                                    #

                                                                                                             

* TCPDUMP

                                                          

  commercial SNIFFER:

                    

  NetWork general has developed a variety of products. The most important thing is Expert Sniffer,

  it is not only SNIFF, but also can send / receive / receive through high performance specialized systems.

According to the package, help diagnose faults. There is also an enhanced product "DistrButed Sniffer

                                          Sniffer

                         .

*                           Net monitor

  For some business sites, you may need to run multiple protocols - Netbeui,

IPX / SPX, TCP / IP, 802.3 and SNA, etc. It is difficult to find a Sniffer help, because many SNIFFERs often make certain correct agreement data

  became an error packet. Microsoft's Net Monitor (called Bloodhound)

  can solve this problem. It can correctly distinguish between NetWare control packets, NT

  Netbios Name Service Broadcasting and other unique packets. (Etherfind will only put these numbers

According to the package logo as the type 0000 broadcast data package. ) This tool runs in MS Windows

  platform. It can even press MAC address (or host name) to make network statistics and sessions

Information monitoring. Simply click on a session to get the output of the TCPDUMP standard.

  filter settings are also the most simple, as long as you click on a dialog box to monitor

  host.

-------------------------------------------------- ------------------

How to monitor the host is eavesdropping (Sniffe)

 To monitor only data without responding to any information, you need to carefully check all physical connections on Ethernet one by one.

 It is impossible to send packets or ping remotely to check if the computer is eavesdropping.

 The SNIFFER on a host will place the network interface as a mixed mode to receive all packets. For some UNIX systems, the network interface of the mixed mode is monitored. Although Sniffer can be run in non-mixed mode, this will only capture the opportunity. Intruders may also capture sessions in programs such as SH, Telnet, Rlogin, In.Telnetd, and record user operations into other files. These may be easily discovered by monitoring TTY and KMEM. Only Sniffing in mixed mode can capture all sessions in the Ethernet, and other modes can only capture this opportunity.

 For SunOS, NetBSD and other BSD UNIX systems, as follows:

"Ifconfig -a"

 All network interface information and whether it is in mixing mode. Dec OSF / 1 and IRIX are required to specify the device. To find what network interface is there in the system, you can run as follows:

# tat -r

Routing Tables

INTERNET:

 DestinationGatewayFlags Refs UseInterface

                                                         24949

                                  

 Then check each network interface by the following command:

# Ifconfig le0

LE0: flags = 8863

@Et 127.0.0.1 Netmask 0xfffffffff00 Broadcast 255.0.0.1

 Intruder often replaces ifconfig commands to avoid inspections, so they must check the verification value of the command program.

 The CPM program (SunOS platform) in ftp.cert.org:/pub/tools/ can check if the interface has a mixed mode tag.

 For the ULTRIX system, using the PFSTAT and PFCONFIG commands may also monitor whether there is a Sniffer run.

Pfconfig Specifies who has permission to run Sniffer.

Pfstat Displays whether the network interface is in a mixed mode.

 These commands are only valid when Sniffer is linked to the kernel. In the default, Sniffer is not link with the kernel. Most UNIX systems, such as IRIX, Solaris, SCO, etc., there is no tag to indicate whether it is in a mixed mode, so intruders can eavesdrop the entire network and cannot monitor it.  Usually a Sniffer record file will quickly increase and fill the file space. In a large network, SNIFFER significantly aggravates the machine load. These warning messages are often able to help administrators find Sniffer. It is recommended to search for programs and record files for accessing packet devices such as SunOS / dev / nit.

-------------------------------------------------- ----------------

Block Sniffer

 Active hub only sends a packet to the target address host, so that the mixed mode Sniffer failed. It applies only to 10BASE-T Ethernet. (Note: This is now disappearing in the computer market.)

 Only two manufacturers have produced active hubs:

*   3com

*    

As the cost and price of the switch have decreased significantly, the switch has become a very effective device that makes the Sniffer failure. At present, the most common switches are forwarded according to the packet target address in the third layer (network layers), and the broadcast mode of the hub is not taken, so that the Sniffer has lost the land.

-------------------------------------------------- ----------------

encryption

 At present, there are many packages available to encrypt connections, so that the invaders will decrypt the data even if they capture data, but they cannot decrypt data.

 The following is some of the previously used packages

* DESLOGIN

Coast.cs.purdue.edu: / pub / Tools / Unix / Deslogin.

* Swipe

  ftp.csua.berkeley.edu:/pub/cypherpunks/swipe/

* Netlock

-------------------------------------------------- ---------------

Kerberos

                                 . Its disadvantage is that all account information is stored in a host. If the host is invaded, it will endanger the entire network security. Also configure it is not a simple thing. Kerberos includes streaming rlogind and stream encryption Telnetd, which prevents the invader from being operated by the user after the login is completed.

Keerberos FAQ can be obtained from the FTP site RTFM.mit.edu:

/pub/Usenet/comp.protocols/kerberos/kerberos_users__frequently_asked_questions_1.11

-------------------------------------------------- ----------------

One-time communication

Like other disposable communication techniques,                                                                                               ? The principle of S / Key is that the remote host has got a password (this password will not be transmitted in an unsafe network), and when the user is connected, a "challenge" message is obtained, the user will pass this information and password The algorithm operation produces the correct "response" information (if the communication between the communication is correct). This verification method does not need to transfer passwords in the network, and the same "challenge / response" will not appear twice. S / KEY can be obtained from the following URL: ftp: //thumper.bellcore.com/pub/nmh/skey

 There is also a disposable communication technology is an ID card system. Each authorized user has an ID card that generates digital numbers for accessing their respective accounts. If you don't have this ID card, it is impossible to guess this digital number.   The following is a company information provided such solutions:

Secure Net Key (SNK)

Digital Pathways, Inc.

201 Ravendale Dr. MountainView, CA.

97703-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487

Secure ID

Security Dynamics,

One Alewife Center

Cambridge, MA 02140-2312

USA Phone: 617-547-7820

Fax: (617) 354-8836

Secure ID Uses Time Slots as Autainication Rather Than Challenge / Response.

Arkey and onetime pass

Management Analytics, MANAGEMENT Analytics

PO Box 1480

Hudson, OH 44236

Email: fc@all.net

Tel: US 216-686-0090 Fax: US 216-686-0092

WatchWord and Watchword II

Racal-Guardata

480 Spring Park Place

Herndon, VA 22070

703-471-0892

1-800-521-6261 EXT 217

Cryptocard

Arnold Consulting, Inc.

2530 Targhee Street, Madison, Wisconsin

53711-5491 u.s.a.

Phone: 608-278-7700 fax: 608-278-7701

Email: stephen.l.arnold@arnold.com

Cryptocard Is A Modern, SecureID-Size, SNK-Compatible Device.

Safeword

Enigma logic, Inc.

2151 Salvio # 301

CONCORD, CA 94520

510-827-5707 Fax: (510 )827-2593

For information about enigma ftp to: ftp.netcom.com in Directory

/ PUB / SA / SAFEWORD

Secure Computing Corporation:

2675 Long Lake Road

Roseville, Mn 55113

Tel: (612) 628-2700

Fax: (612) 628-2701

DeBernar@sctc.com

-------------------------------------------------- ----------------

Non-mixed mode network interface equipment

 Over, most IBM DOS compatible machine network cards do not support mixed mode, so I cannot perform SNIFFING. But DOS has exited the computer network stage. For network interface devices in the current computer market, please query the supplier is a non-mixed mode device (ie, no mixed mode).

<< Finished >>

------------------------------------

source:

Internet Security Systems, Inc.

------------------------------------

Analysis of common senseless sniffer in Linux environment

Release Date: 2001-8-23

content:

-------------------------------------------------- ------------------------------ author: <>

Source: http://linuxaid.com.cn

-------------------------------------------------- ------------------------------

Overview

 This article performs a detailed analysis of several sniffers that hackers in the Linux environment, which are often cultivated in the victim server after the invader is completed. These sniffers have different characteristics, and some are simply used to capture user names and passwords, and some are very powerful to record all network data streams. This article will analyze the following number of snifiers:

* Linsniffer

 

* Linuxsniffer

* hunt

* Sniffit

linsniffer

Linsniffer is a simple and practical sniffer. Its main features are used to capture username and password, which is very good in this regard.

Author: Mike Edulla

Conditions: C and IP header files

Profile: no

Location: http://agape.trilidun.org/hack/neetwork-sniffers/linsnifferc

Safety history: no

Note: It is easy to use. However, LNSniffe needs full IP header files, including headers that are often stored in / usr / include / net, and / usr / include / netinet, make sure the PATH variable contains / usr / include.

Use the following command to compile LNSniffer:

$ cc linsniffer.c -o linsniffer

To run Linsniffer, use the following command:

$ linsniffer

LinSniffer will create an empty file: tcp.log to store sniff results.

In the test I created a user named Hapless, the password is Unaaware. Then use the user to log in to the Linux server and make some common user operations. The following is a FTP process:

GNSS $ FTP 192.168.0.2

Connected to 192.168.0.2.

220 Linux.test.net FTP Server WED AUG 19 02:55:52 MST 1998).

Name (192.168.0.2 :root): hapless

331 Password Required for hapless.

PASSWORD:

230 USER HAPLESS LOGGED IN.

Remote System Type IS UNIX.

Using binary model to transfer files.

FTP> LS -AL

200 Port Command Successful.

150 opening ascii mode data connection for / bin / ls.

Total 14

Drwxrwxr-x 4 hapless hapless 1024 may 20 19:35.

DRWXR-XR-X 6 root root 1024 May 20 19:28 ..

-rw-rw-r - 1 hapless hapless 96 May 20 19:56 .bash_history

-rw-r - r - 1 hapless hapless 49 NOV 25 1997.bash_logout

-rw-r - r - 1 hapless hapless 913 NOV 24 1997.bashrc

-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc

-rw-r - r - 1 hapless hapless 111 NOV 3 1997.INPUTRC-RWXR-XR-X 1 Hapless Hapless 186 Sep 1 1998.Kshrc

-rw-r - r - 1 hapless hapless 392 jan 7 1998 .login

-rw-r - r - 1 hapless hapless 51 nov 25 1997.logout

-rw-r - r - 1 hapless hapless 341 oct 13 1997 .profile

-RWXR-XR-X 1 hapless hapless 182 Sep 1 1998 .profile.ksh

DRWXR-XR-X 2 Hapless Hapless 1024 May 14 12:16 .seyon

DRWXR-XR-X 3 Hapless Hapless 1024 May 14 12:15 LG

226 Transfer Complete.

FTP> LS

200 Port Command Successful.

150 opening ascii mode data connection for / bin / ls.

Total 14

Drwxrwxr-x 4 hapless hapless 1024 may 20 19:35.

DRWXR-XR-X 6 root root 1024 May 20 19:28 ..

-rw-rw-r - 1 hapless hapless 96 May 20 19:56 .bash_history

-rw-r - r - 1 hapless hapless 49 NOV 25 1997.bash_logout

-rw-r - r - 1 hapless hapless 913 NOV 24 1997.bashrc

-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc

-rw-r - r - 1 hapless hapless 111 NOV 3 1997.INPUTRC

-RWXR-XR-x 1 hapless hapless 186 Sep 1 1998.Kshrc

-rw-r - r - 1 hapless hapless 392 jan 7 1998 .login

-rw-r - r - 1 hapless hapless 51 nov 25 1997.logout

-rw-r - r - 1 hapless hapless 341 oct 13 1997 .profile

-RWXR-XR-X 1 hapless hapless 182 Sep 1 1998 .profile.ksh

DRWXR-XR-X 2 Hapless Hapless 1024 May 14 12:16 .seyon

DRWXR-XR-X 3 Hapless Hapless 1024 May 14 12:15 LG

226 Transfer Complete.

FTP> LS -F

200 Port Command Successful.

150 opening ascii mode data connection for / bin / ls.

Total 14

DRWXRWXR-X 4 hapless hapless 1024 may 20 19:35 ./

DRWXR-XR-X 6 root root 1024 May 20 19:28 .:/rw-rw-r - 1 hapless hapless 96 May 20 19:56 .bash_history

-rw-r - r - 1 hapless hapless 49 NOV 25 1997.bash_logout

-rw-r - r - 1 hapless hapless 913 NOV 24 1997.bashrc

-rw-r - r - 1 hapless hapless 650 NOV 24 1997 .cshrc-rw-r - r - 1 hapless hapless 111 NOV 3 1997.inputrc

-RWXR-XR-X 1 hapless hapless 186 Sep 1 1998.Kshrc *

-rw-r - r - 1 hapless hapless 392 jan 7 1998 .login

-rw-r - r - 1 hapless hapless 51 nov 25 1997.logout

-rw-r - r - 1 hapless hapless 341 oct 13 1997 .profile

-RWXR-XR-X 1 hapless hapless 182 Sep 1 1998 .profile.ksh *

DRWXR-XR-X 2 Hapless Hapless 1024 May 14 12:16 .seyon /

DRWXR-XR-X 3 Hapless Hapless 1024 May 14 12:15 LG /

226 Transfer Complete.

FTP> CD LG

250 CWD Command Successful.

FTP> LS -F

200 Port Command Successful.

150 opening ascii mode data connection for / bin / ls.

Total 8

DRWXR-XR-X 3 Hapless Hapless 1024 May 14 12:15 ./

Drwxrwxr-x 4 hapless hapless 1024 May 20 19:35 ../rw-r--r - 1 hapless hapless 70 aug 22 1998 lg3_colors

-rw-r - r - 1 hapless hapless 629 aug 22 1998 LG3_PREFS

-rw-r - r - 1 hapless hapless 728 aug 22 1998 LG3_SOUNDPREF

-rw-r - r - 1 hapless hapless 2024 AUG 22 1998 LG3_Startup

DRWXR-XR-X 2 Hapless Hapless 1024 May 14 12:15 LG_Layouts /

226 Transfer Complete.

FTP> CD LG_LAYOUTS

250 CWD Command Successful.

This is a typical user operation process. Now let's take a look at the sniffing results generated by linsniffer:

GNSS => Linux.test.net [21]

User hapless

Pass unaaware

Syst

Port 172, 16, 0, 1, 4,192

List -al

Port 172, 16, 0, 1, 4, 193

List

Port 172, 16, 0, 1, 4,194

List -f

CWD LG

Port 172, 16, 0, 1, 4,195

List -f

The content of the output is very intuitive. First it records this is an FTP connection from GNSS to Linux host:

GNSS => Linux.test.net [21]

Then, Linsniffer captures the Hapless username and password.

User hapless

Pass unaaware

Finally, Linsniffer records each command used by hapless:

Syst

Port 172, 16, 0, 1, 4,192

List -al

Port 172, 16, 0, 1, 4, 193

List

Port 172, 16, 0, 1, 4,194

List -f

CWD LG

Port 172, 16, 0, 1, 4,195

List -f

The output results are very short and very suitable for eavesdropping passwords and recording common activities. However, it is not suitable for more complex analysis. At this time you may need Linux_snife. Linux_sniffer

Linux_sniffer provides relatively more complex probing results.

Author: loq

Requirements: C and IP header files

Profile: no

Download Location: http://www.ryanspc.com/sniffrs/linux_sniffer.c.

Safety history: no

Note: Linux_sniffer is easy to use, but it needs a full IP header file.

Compile Linux_sniffer using the following command:

$ cc linux_sniffer.c -o linuxsniff

Here is a Telnet session process, and is also recorded by Linux_sniffer:

GNSS 2 # telnet 192.168.0.1

Connected to 192.168.0.1.

Login: hapless

PASSWORD:

[hapless @ linux2 hapless] $ w

19:55:29 Up 58 min, 4 Uses, Load average: 0.00, 0.00, 0.00

User Tty from login @ idle jcpu pcpu what

Root TTY1 7:44 PM 27.00S 0.17S 0.06s -bash

Root TTY2 7:46 PM 1:56 0.24S 0.01s Linuxsniff

Root TTY3 7:44 PM 10:43 0.17S 0.07s -bash

Hapless TTYP0 GNSS 7:55 PM 1.00S 0.26S 0.04S W

[hapless @ linux2 hapless] $ WHO

Root TTY1 May 20 19:44

Root Tty2 May 20 19:46

Root Tty3 May 20 19:44

Hapless TTYP0 May 20 19:55 (GNSS)

[hapless @ linux2 hapless] $ finger -l

Login: root name: root

Directory: / root shell: / bin / bash

On Since Thu May 20 19:44 (PDT) on TTY1 35 SECONDS IDLE

On Since Thu May 20 19:46 (PDT) on TTY2 2 Minutes 4 SECONDS IDLE

On Since Thu May 20 19:44 (PDT) on TTY3 10 Minutes 51 Seconds Idle

No Mail.

NO PLAN.

Login: Hapless Name: Caldera OpenLinux User

Directory: / home / hapless shell: / bin / bash

ON Since Thu May 20 19:55 (PDT) on TTYP0 from GNSS

No Mail.

NO PLAN.

Also this is a typical login process: user login, detect which users are logged in, etc. Linux_sniffer records additional address data, but some important data is recorded. First it records the connection:

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 FF FC 27 - .. '

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 FF FA 1F 00 50 00 28 ff - f0 .... p. (.. Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 FF FA 20 00 33 38 34 30 - 30 2C 33 38 34 30 30 FF ... 38400, 38400.

0010 F0 FF FA 23 00 47 4e 53 - 53 3A 30 2E 30 FF F0 FF ... #. GNSS: 0.0 ...

0020 FA 18 00 49 52 49 53 2D - 41 4E 53 49 2D 4E 45 54 ... Iris-ANSI-NET

0030 ff f0 - ..

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 ff fc 01- ...

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 ff fd 01 - ...

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Subsequently, Linux_sniffer recorded the login process, the following uses a black body:

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 68 - h

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 61 - a

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 70 - P

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 6C - L

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 65 - E

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 73 - S

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 73 - S

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 0D 00 -..

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 75 - U

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 6e - n

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 61 - a

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 77 - W

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 61 - a

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 72 - R

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 65 - E

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Finally, Linux_sniffer records all the commands:

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 77 - W

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 0D 00 -..

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 77 - W

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 68 - h

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 6F - O

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 0D 00 -..

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 66 - f

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23] 0000 69 - I

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 6e - n

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 67 - g

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 65 - E

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

0000 72 - R

Eth

Proto: 080008: 00: 69: 07: 3E: DB-> 00: E0: 29: 19: 4A: 68 192.168.0.1 [1239] -> 192.168.0.2 [23]

It can be seen that Linux_sniffer provides relatively more detailed content.

hunt

Hunt is another option in which you need to read the resulting room. It has an intuitive command tracking and session registration function.

Author: Pavel Krauz

Conditions: C, IP head, Linux 2.0.35 , support LinuXThreads GLIBC 2.0.7

Profile: no

Location: http://www.cri.cz/kra/index.html

Safety history: no

Note: The author provides a binary release with dynamic links and static connections.

Hunt is released in Tar.GZ format, the file name is hunt-1_3bin.tgz. First, you need to decompress:

$ tar xvfz hunt-1_3bin.tgz

The hunt is uncompressed to the newly created directory hunt-1.3, including the following:

-rw-r - r - 1 206 Users 1616 Apr 2 03:54 Changes

-rw-r - r - 1 206 Users 17983 OCT 25 1998 COPYING

-rw-r - r - 1 206 Users 312 Jan 16 04:54 INSTALL

-rw-r - r - 1 206 Users 727 Feb 21 11:22 makefile

-rw-r - r - 1 206 Users 27373 Feb 15 12:44 Readme

-rw-r - r - 1 206 Users 167 DEC 4 14:29 Todo

-rw-r - r - 1 206 Users 5067 Feb 13 04:23 AddPolicy.c

-rw-r - r - r - 1 206 Users 7141 Feb 21 23:44 arphijack.c-rw-r - r - R - 1 206 Users 25029 Apr 2 03:26 arpspoof.c.c

DRWXR-XR-X 2 206 User $ 1024 APR 9 02:03 C

-rw-r - r - 1 206 Users 7857 NOV 91998 hijack.c

-rw-r - r - 1 206 User $ 5066 DEC 2 12:55 hostup.c

-RWXR-XR-x 1 206 Users 84572 APR 9 02:03 hunt

-rw-r - r - 1 206 Users 24435 APR 2 03:26 hunt.c

-rw-r - r - 1 206 User $ 16342 Mar 30 01:56 hunt.h

-RWXR-XR-X 1 206 Users 316040 APR 9 02:03 hunt_static

-rw-r - r - 1 root root 265 May 20 22:22 Huntdir.txt

-rw-r - r - 1 root root 2517 May 20 22:19 hunTlog.txt

-rw-r - r - 1 206 Users 6249 Feb 21 11:21 Macdisc.c

-rw-r - r - 1 206 Users 12105 Feb 21 11:35 main.c

-rw-r - r - 1 206 User $ 12000 Feb 6 02:27 menu.c

-rw-r - r - 1 206 Users 7432 APR 2 03:53 Net.c

-rw-r - r - 1 206 User $ 5799 Feb 11 04:21 options.c

-rw-r - r - 1 206 Users 11986 Feb 14 04:59 Resolv.c

-rw-r - r - 1 206 User $ 1948 OCT 25 1998 RST.C

-rw-r - r - 1 206 User $ 9545 Mar 30 01:48 RSTD.C

-rw-r - r - 1 206 User $ 21590 APR 2 03:58 Sniff.c

-rw-r - r - 1 206 Uses 14466 Feb 21 12:04 Synchijack.c

-rw-r - r - 1 206 Users 2692 Feb 19 00:10 Tap.c

-rw-r - r - 1 206 Users 4078 Feb 15 05:31 Timer.c

-rw-r - r - 1 206 User 2023 OCT 25 1998 TTY.C

-rw-r - r - 1 206 users 7871 Feb 11 02:58 Util.c

The static binary is published for hunt_static, and it is recommended to use this version because it is sometimes compiled from the source code that may have an error in some libraries. Use the following command to perform hunt:

$ hunt_static

Running hunt You will surprise that hunt is CURSE based on CURSE, so there is a very friendly interactive interface. The menu is started as follows:

--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------

L / W / R) List / Watch / Reset Connections

u) Host Up Tests

a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)

s) Simple Hijack

d) daem RST / ARP / SNIFF / MAC

o) Options

x) EXIT

*>

In the entire example, I will log in to Linux.test.net from GNSS.

GNSS 3% Telnet 192.168.0.2

Trying 192.168.0.2 ... Connected to 192.168.0.2.

Escape Character is '^]'.

Caldera OpenLinux (TM)

Version 1.3

Copyright 1996-1998 Caldera Systems, Inc.

Login:

[hapless @ linux hapless] $ finger root

Login: root name: root

Directory: / root shell: / bin / bash

ON Since Thu May 20 21:57 (PDT) on TTY1 1 Minute Idle

ON Since Thu May 20 22:02 (PDT) on TTY2 7 Minutes 19 Seconds Idle

On Since Thu May 20 21:59 (PDT) on TTY3 15 Seconds Idle

No Mail.

NO PLAN.

[hapless @ linux hapless] $ last root

Root tty2 thu may 20 22:02 still logged in

Root Tty3 Thu May 20 21:59 Still Logged in

Root Tty1 Thu May 20 21:57 STILL Logged in

Root TTY2 THU May 20 19:46 - Down (00:26)

Root Tty1 Thu May 20 19:44 - 20:12 (00:27)

Root Tty3 THU May 20 19:44 - Down (00:28)

Root Tty3 Thu May 20 19:42 - 19:44 (00:01)

Root TTY1 Thu May 20 19:41 - 19:42 (00:00)

Root tty328 - 19:41 (00:12)

Root Tty2 Thu May 20 19:11 - 19:42 (00:31)

Root TTY1 Thu May 20 19:07 - 19:40 (00:32)

Root TTY1 Thu May 20 18:57 - 19:07 (00:09)

Root TTY1 MON May 17 22:32 - Down (00:29)

Finally, the / etc / passwd is checked, and Hunt's sniffing is running throughout the process:

--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------

L / W / R) List / Watch / Reset Connections

u) Host Up Tests

a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)

s) Simple Hijack

d) daem RST / ARP / SNIFF / MAC

o) Options

x) EXIT

*> w

0) 192.168.0.1 [1049] -> 192.168.0.2 [23]

Choose Conn> 0

Dump [S] RC / [D] ST / [B] OTH [B]> B

Note: The above input (black font portion) indicates the hunt to record the No. 0 connection, and output the source and the purpose information.

The hunt will display all activities of the Hapless to the terminal screen:

22:18:43 Up 21 min, 4 Uses, Load Average: 0.00, 0.01, 0.00

TRL-C to BREAK

HhaAppLleessssss

Password: unaware

[hapless @ linux2 hapless] $ CCLLEEAARR

[hapless @ Linux2 hapless] $ wWhooot TTY1 May 20 21:57

WW

22:18:43 Up 21 min, 4 Uses, Load Average: 0.00, 0.01, 0.00

[hapless @ linux2 hapless] $ mmoorree // Eettcc // ppaasssswwdd

Root: x: 0: 0: root: / root: / bin / bash

BIN: X: 1: 1: bin: / bin:

Daemon: x: 2: 2: daem: / sbin:

ADM: X: 3: 4: ADM: / VAR / ADM:

LP: x: 4: 7: lp: / var / spool / lpd:

Sync: x: 5: 0: sync: / sbin: / bin / sync

Shutdown: x: 6: 11: Shutdown: / sbin: / sbin / shutdown

Halt: x: 7: 0: Halt: / sbin: / sbin / halt

Mail: x: 8: 12: Mail: / var / spool / mail:

News: x: 9: 13: News: / var / spool / news:

UUCP: X: 10: 14: UUCP: / VAR / SPOOL / UUCP:

Operator: x: 11: 0: Operator: / root:

Games: x: 12: 100: Games: / usr / games:

Gopher: x: 13: 30: Gopher: / usr / lib / gopher-data:

FTP: X: 14: 50: FTP User: / Home / FTP:

MAN: x: 15: 15: Manuals Owner: /:

Majordom: x: 16: 16: Majordomo: /: / bin / false

Postgres: x: 17: 17: Postgres User: / Home / Postgres: / bin / BASH

NoBody: x: 65534: 65534: NoBody: /: / bin / false

Anon: x: 100: 100: anonymous: / home / anon: / bin / bash

Hapless: x: 500: 500: Caldera OpenLinux User: / Home / ShanghaiS: / Bash

[hapless @ linux2 hapless] $

It can be seen that the output of Hunt is very straightforward, easy to read. However, Hunt also provides the following tools:

Allows to specify any of an interested connection instead of recording all things.

Allow any one of the connections, not just the connection just starting with SYN. IT Offers Spoofing Tools.

Provide events to hijack.

Its unique features and easy-to-use interfaces make it a very good choice for Linux entry.

Sniffit

Sniffit is for those who need more information needed.

Author: Brecht Claerhout

Conditions: C, IP header file

Profile: See the discussion later

Safety history: no

Note: The Sniffit function is very powerful, but it is not easy to learn.

$ TAR XVFZ Sniffit_0_3_7.tar.gz

$. / configure (configuration command will detect if the system meets the requirements)

$ Make (Compilation Source)

Strip sniffit (size of the binary code)

You can now use Sniffit (Sniffit Configuration Let's finally discussed).

grammar:

Sniffit [-xdabvnn] [-P proto] [-a char] [-p port]

[(- r | -r) Recordfile] [-l sniflen] [-l logparam] [-f

                          (-t target-ip | -s

  Source-IP | (-i | -i) | -c config-file] Sniffit is a TCP / IP / ICMP protocol data report to listen, which gives these protocols Data News Very detailed technical information (SEQ, ACK, TTL, Windows, ....) and various different formats (HEX or plain text) of the data report (HEX or plain text)

Sniffit default can handle Ethernet and PPP devices. However, you can also be used on other devices (see README.FIRST and SN_CONFIG.H). Sniffit can make a convenient configuration implementation to filter access. The configuration file allows very certain to specify a data report that needs to be processed. Sniffit also has an interactive interface.

Option:

-v display version information

-T target address

 Only the data of the destination address is "target address", and the '-S' '' '' option is not compatible.

-S source address

 Only the data that the send address is "source address", and the '-t' '' '' '"option is not compatible.

-c configuration file

  Define the pack filter rules in the configuration file, and -t '' -s' '-V' is not compatible

-R file

 Record the output results into "file" (not compatible with '-V')

-n Turns off the IP datagram to make the forged data can also be displayed.

-x Print TCP Data Report Extended Information to Standard Output (SEQ, ACK, FLAGS, etc.), often used to track spoofing, package loss and other network debug test tasks. And '-i' 'I' '- v 'is not compatible

-d output into the default file, the general file name is a combination of the address of the source, such as: 192.168.0.232.1120-192.168.0.231.80

-A  Output ASCII code format, unprintable characters "."

-P protocol

  specified the protocol type, IP, TCP, ICMP, UDP, etc. that need to be processed.

-P port

  only processed data for the destination port "port.

-L Sniflen

  In normal mode, the sum of the recorded data (default is 300 bytes), and the front SNIFLEN bytes of each connection is recorded.

-F Device

 Specify the data of a device such as Eth0, Eth1, etc.

-D Tty

 All record information is output to the specified TTY

Example:

• To listen to the 192.168.0.233 to 192.168.0.231 access WWW request data:

[Root @ link / tmp] # / usr / sbin / sniffit -p 80 -p tcp -s 192.168.0.233 -d TTYP1

Packet ID (from_ip.port-to_ip.port): 192.168.0.233.1060-192.168.0.231.80

45 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7 04 24 00 50 00 4E

89 2A 00 00 00 00 00 02 20 00 67 19 00 00 02 04 05 B4

Note: 192.168.0.231 is a server running Linux

• If you want to orient the output to a file, then

[root @ LiX / TMP] # / usr / sbin / sniffit -p 80 -p TCP -S 192.168.0.233 -r / tmp / wwwlog

• If you want to view WWW page data from 192.168.0.225, stored data in a file / TMP / WWWLOG:

[root @ link / tmp] # / usr / sbin / sniffit -p tcp -t 192.168.0.0.225 -r / tmp / wwwlog Note: Do not open on the 225 to 231 connection, such as telnet otherwise returning to mix together.

• If you want to view the ICMP data from 192.168.0.231 from 192.168.0.231, and display it on the console:

[Root @ link / tmp] # / usr / sbin / sniffit -p ICMP -T 192.168.0.233 -d TTYP1

Sniffit supports configuration files, providing more powerful sniffing controls through profiles. The configuration file format contains five different fields, the meaning is as follows:

Field 1-select or deselect. Indicates that the Sniffit captures the data specified by the rear condition or does not capture.

Field 2-from, to, or Both. H Indicates Sniffit to capture data from, sent to or two-way specified hosts.

Field 3-Host, Port, or MHOST. Specify one or more target hosts. MHOST can be used to specify multiple hosts, such as 192.168.0.

Field 4-Hostname, Port Number, or Multiple-Host list.

Field 5-port number.

E.g:

SELECT from host 192.168.0.1

Select from host 192.168.0.1 80

SELECT Both Port 23

Sniffit will capture all information from the Telnet and WWW from both hosts.

SELECT Both MHOSTS 100.100.12.

Deselectr Both Port 80

Select Both Host 100.100.12.2

Sniffit will capture 100.100.12. * Relevant WWW data that except WWW, but display 100.100.12.2 WWW data

-------------------------------------------------- ------------------------------

This article related comments:

This article has three related comments as follows: (click here to post a comment)

Flower hobby Posted: 2002/12/10 06:26 PM

This is very classic!

Use ARP packet to detect network nodes in mixed mode

Release Date: 2001-11-1

content:

-------------------------------------------------- ------------------------------

This article only has the implementation of for Windows: (

Version 1.0

Original: Daiji Sanai

English translation: kelvin king-pang tsang

Chinese translation: nixe0n (translated from English)

Summary

1 Introduction

2. The principle of network sniffing

3. Detect the basic concept of mixed mode

4. Foundation

1). Hardware filter

2) .arp mechanism

5. Detect nodes in mixed mode

6. Software filter

1) .linux

2) .micro $ OFT Windows

7. Mixed mode detection

8. Check all network nodes

9. Abnormal situation

1). Old NIC

2) .3com network card

3) .windows Y2K packet capture drive module

Summary

In a local area network, security issues should be paid attention to. When plain text data is transmitted on the network, any network users will easily steal this information. Sniffing is called Sniffing on the network. By sniffing the network, a user can obtain access to the top secret document, spying to anyone's privacy. There are many freely distributed sniffer software on the Internet to achieve the above purposes. Although the network sniffing is very easy, but there is no good way to detect this malicious behavior. This article will explain the detection mechanism used by Promiscan (a software that can effectively detect the network sniffer). In order to intercept all the packets on the network, the sniffer must be set to a mixed mode (ProMiscuous mode). Next, the NIC can accept all the packets on the network and send it to the system kernel. Address Resolution Protocol, ARP request message to query the resolution of the hardware address to the IP address. We will use this type of group to check if the network is set to a mixed mode (Promiscuous Mode). The reason why the ARP request group use is because it applies to all Ethernet-based IPv4 protocols. Under the proping mode, the NIC does not block the destination address is not his own group, but is full, and transfer it to the system kernel. Then, the system core will return a message containing the error message. Based on this mechanism, we can assume that some ARP request packets are sent to each node on the network. No network cards in a mixed mode will block these packets, but if some nodes respond, it means that the NIC is in a mixed mode. under. These nodes in which these mixed modes may run the sniffer program. This can successfully detect the sniffer program running on the network. 1 Introduction

In the LAN, sniffing behavior has become a huge threat to network security. Smelling through the network, some malicious users can easily steal the top secret documents and anyone's privacy. To achieve the above objectives, malicious users can download from the network and safe to their own computer. However, there is no good way to detect the sniffer program on the network. This article discusses the use of address resolution protocol packets to effectively detect office networks and sniffer procedures on campus online.

2. The principle of network sniffing

LAN usually uses Ethernet to connect. The information transmitted by the IP (IPv4) protocol transmitted on the Ethernet cable is explicitly transmitted unless encrypted the encryption program. When a person sends information to the network, he wants to only receive this information only if a particular user can receive it. However, very unfortunately, the work mechanism of Ethernet provides non-verified users to steal these data. When the Ethernet is transmitted, the packet is sent to each network node, and the node that matches the destination address will receive these packets, and other network nodes are only simple to discard. Receive or discard these packets are controlled by Ethernet card. When receiving the packet, the NIC will filter out the destination address is your packet reception, not the single collection. Some of this article We will refer to this filtering of the NICs to hardware filtration (Hardware filter). But this is just in normal cases, the sniffer uses another way of working, which sets its own NIC to receive all network packets, regardless of whether the destination address of the group is yourself. This network card mode is called a mixed mode.

3. Detect the basic concept of mixed mode

In the network, the sniffer receives all packets without sending any illegal packets. It does not hinder the flow of network data, so it is difficult to detect it. However, the state is in promiscuous mode (promiscuous mode) network card and it is clear that in the normal mode under different. In mixed mode, the group text that should be filtered out of the hardware will enter the system's kernel. Whether to respond to this group full dependence and kernel.

Let's take an example in the real world to illustrate how we detect methods in mixed mode network nodes. Imagine a meeting in a conference room. Some person places the ear in the conference room to eavesdrop (sniff ^ _ ^). When she (still a woman, the original: P), when she is eavesdropped (sniff), she will hold breathing and quietly listen to all the speeches in the conference room. However, if someone in the conference room suddenly called the name of the eavesdropper: "XX Mrs.", she may promise "唉". This sounds a bit funny, but it can be used in the detection of network sniffing behavior. The network is a network sniffing node receives all packets of the network, so its kernel may make an error response to some of the packets that are hardware filtered. According to this principle, we can detect the sniff behavior of the network by checking the response of the ARP packet. 4. Foundation

1). Hardware filter

First, we don't have the same starting from the promiscuous mode. The Ethernet address is 6 bytes, and the manufacturer is allocated to each network card in the world, so there is no network card with the same address. All communications on Ethernet are based on this hardware address. However, the NIC can be set to different filtration mode to receive different types of packets. Below is the filter mode of the Ethernet card:

Unicast: NIC receives all destination addresses is your own group

Broadcast: Receives all broadcast packets, the destination address of the Ethernet broadcast packet is fffffffffff. This broadcast packet can reach all nodes on the network.

Multicast: The receiving destination address is a packet for the specified multicast group address. The network card only receives the group that has been registered in the multi-entry list.

All Multicast: Receives all multi-governance submitted broadcast packets.

Promiscuous: Does not check the destination address at all, receive all the packets on the network.

Figure -1 depicts the hardware filter in normal conditions and in a mixed mode. Typically, the hardware filter of the NIC is set to receive a packet for unicast, broadcast (Broadcast), broadcast (Broadcast), multicast address 1. The filter only receives the packet of the destination address, the broadcast address (FF FF FF FF), and the multi-entry address 1 (01 00 5E 00 00 01).

2) .arp mechanism

The IP network connected to the Ethernet needs to rely on Ethernet to transmit. Only the IP address is used, the message cannot be sent. Therefore, a mechanism is required on Ethernet to provide a conversion between IP addresses and hardware addresses. This mechanism is the address analysis protocol (Address Resolution Protocol). ARP is a network layer, and the IP is in the same layer of the OSI model. The address resolution on IP network is continuously carried out, so ARP packets are more suitable for detecting network nodes in a hybrid mode (Promiscuous mode).

In the following example, we will tell how the use of ARP packets analyze the IP address:

For example: PC (X) Ethernet address on the network is 192.168.1.1 is 00-00-00-00-00-01, this PC (X) needs to be another IP address to another IP address to 192.168 .1.10 PC (Y) sends a message. Before sending, X first issues an ARP request packet to query the Ethernet address corresponding to the 192.168.1.10. The destination address of the query package is set to FF-FF-FF-FF-FF-FF (broadcast), so that all nodes on the local network can receive this package. After receiving, each node checks the IP address of this ARP package and whether the IP address of this unit matches. If you do different, you ignore this ARP package; if you match (Y), you will send an answer to the x. X After receiving the response, the IP / hardware address of the cache Y is. Then X can send the actual data to Y.

5. Detect nodes in mixed mode

Hereinafter, the filtered state of the packet is the difference between mixed mode status and normal network node. When the network card is set to a mixed mode, the file that is filtered will enter the system's kernel. With this mechanism, we can detect nodes in a mixed mode on the network: We construct an ARP query package, its destination address is not a broadcast address, then send this ARP query package to each node on the network, and finally respond through each node To determine if it is in a mixed mode. Let's discuss the operation of the entire ARP request / response. First, an ARP query package is generated to resolve the hardware address of 192.168.1.10. In order for all nodes on the network to receive this query package, set the destination address of this package to the broadcast address. In theory, only the IP address of 192.168.1.10 can respond to this query package.

Further imagine that if we set the destination address (Ethernet address) of this query package to another address, how will it be the original broadcast address? For example: What happens to the destination address of the query package to 00-00-00-00-00-01? The Ethernet card of the network node in normal mode will think that this query package is sent to other hosts, and its hardware filter will refuse to receive this package; however, if this network node (192.168.1.10) Ethernet card is in mixed mode (Promiscuous Under the Mode, even if the Ethernet address does not match, the hardware filter does not perform any filtration, so that this query package can enter the system's kernel. Because the IP address of this node is the same as the Query IP address, its kernel will think that the ARP query package arrives and should make a response. However, we are surprised that this kernel in the mixed mode node does not answer the ARPR query package. This unexpected results indicate that this package is filtered by the system core. Here we call this as a software filter.

Further, we can detect a network node in which a mixed mode is detected by distinguishing a different feature of the hardware filter and software filters. Hardware filters typically block all invalid packets (these packets obviously do not enter the system kernel), so they can generally pass through the software filter through the hardware filter, which is not much discussed. Now that we need to be constructed to be blocked by the hardware filter, but can pass through the software filters. If this message is sent to each network node, the network node in normal mode will not respond; and the node in the mixed mode will respond.

6. Software filter

The software filter depends on how the operating system is, it is necessary to understand how the system kernel software filter works. Linux is an open source system system, so we can get its software filtering mechanism. But for Micro $ OFT Windows, we only guess the experience :(.

1) .linux

In Linux's Ethernet drive module, the packet is classified by hardware addresses.

Broadcaster

  inff ff ff ff

Multi-point packet

 All packets have a set of group logo, which does not include broadcast packets.

TO_US group

 The destination address and the same packets as this network card.

OtherHost group

All destination addresses and local network cards different groups.

Now, we assume that all packets with group logo are broadcast packets. The destination address of the Ethernet multi-entry packet corresponding to the IP network is 01-00-5e-xx-xx-xx, and the multi-entry packet cannot be classified by the check group flag. This assumption is not wrong because 01-00-5e-xx-xx-xx is an IP-based multi-cast address, but the NIC hardware addresses are also used for other high-level protocols.

Below, let's take a look at the code of the ARP module.

IF (in_dev == null ||

ARP-> Ar_hln! = dev-> addr_len ''

Dev-> flags & iff_noarp ||

SKB-> pkt_type == packet_otherhost || SKB-> PKT_TYPE == Packet_loopback ||

ARP-> Ar_PLN! = 4)

Goto Out;

The ARP module of the Linux kernel rejects all OtherHost types. Next, the ARP module will process the broadcast, multi-cast, and the TO_US type grouping. Table 1 Integrated hardware filters and software filters Filtering processes for various ARP packets, 1 Description: HW (Hardware), SW (Software), Res. (Response), GR (Group).

Next, we will describe the packet of this six hardware address:

TO_US

 NIC In normal mode, all addresses of all addresses can be able to filter with software filters. Therefore, the ARP module responds to whether the network card is in a mixed mode (Promiscuous mode).

Otherhost

 When the network card is in normal mode, all addresses are groups of OtherHost. Even if the NIC is in a mixed mode, this group cannot pass software filters, so this ARP request will not receive a response.

Broardcast

 In normal mode, the Broardcast group can also pass hardware and software filters, so it cannot be used for detection of network node mixing mode.

Multicast

 In normal mode, if the hardware address of the group is not registered in the multi-entry address list, the NIC will refuse to receive; however, if the network card is in a mixed mode, this group will open the hardware filter and software filter. . Therefore, this type of packet can be used to detect the network node in the mixed mode.

GROUP bit

 This type of group is neither a brodcast type or a multicast type, but the group of hardware addresses (the first one of the first-character sequence of Ethernet address) is set: 01-00-00-00 00-00. In normal mode, the NIC refuses to receive such grouping; however, in mixed mode, this type of packet can pass through the hardware filter. In the Linux kernel, this type of grouping is classified as multifunction packets, and can pass through the software filter. Therefore, this type of packet can also be used for hybrid mode detection.

2) .micro $ OFT Windows

The Windows system is not an open source system, so its software filtering behavior cannot be analyzed from the source code. I have to test by experiments. In the experiment, we used the following hardware addresses:

FF-FF-FF-FF-FF-FF Broadcast Address

 All network nodes receive this grouping. The usual ARP query package uses this address.

FF-FF-FF-FF-FF-FE pseudo-demand address

                                                                                                     This address is used to check if the software filter checks all address bits, whether to answer.

FF-FF-00-00-00-00-00 16-bit Broadcast Address

  FF-FF-00-00-00-00 is only the same as the top 16 and the real broadcast address. If the filter function only tests the first word of the broadcast address, this address can be classified into the broadcast address.

FF-00-00-00-00-00 8-bit Broadcast Address

 This address only has the same top 8 and broadcast addresses. If the filter function only checks the first byte of the broadcast address, it can also be classified into the broadcast address class.

01-00-00-00-00 More gong marker set address

 This address only has a multi-entry marking bit (the first-sequence low sequence bit of the Ethernet address) is set, and it is used to check if the filter function is also like Linux as a multi-cast address.

01-00-5e-00-00-00 More in the address 0

 Multi-point address 0 is not common, so we use this address as a multi-cast address that is not registered in the NIC multi-cast address list. Under normal circumstances, the hardware filter should refuse to receive this group. However, if the software filter cannot check all of the address bits, this type of packet may be classified to a multi-cast address. Therefore, if the network card is in a mixed mode, the kernel will respond. 01-00-5e-00-00-01 multi-cast address 1

 All network nodes on the LAN should receive a multi-cast address 1 type group. In other words, the hardware filter allows this type of packet by default. However, you can not support multi-entry mode because the NIC does not support multi-entry mode. Therefore, this type of packet can be used to check if the host supports multi-cast address.

Even if the result:

Test results for these seven types of addresses are shown in Table 2. Test is for Windows85 / 98 / ME / 2000 and Linux. If you do not, the NIC is in normal mode, the kernel will respond to the grouping of all addresses and multi-cast address 1.

However, when the network card is in a mixed mode, the test results of each operating system are not the same. Windows95 / 98 / me will respond to groups of 31,16,8 bits. Therefore, we can think that the software filter for the Window9x Series operating system only determines whether the packet address is a broadcast address by detecting one bit.

The Windows 2000 responds to groups of addresses of 31,16 bits. Therefore, we can think of the 8 bits of the Windowsy2k check the address to determine if the packet address is a broadcast address.

The Linux kernel responds to all seven addresses of addresses.

7. Mixed mode detection

We can use this test results for the detection of the LAN in the mixed mode node. The following is a specific test process:

1). We need to detect whether the host of the IP address A is in a mixed mode. We first need to construct an ARP packet and an Ethernet frame in the following format:

ARP group:

 Objective to Ethernet Address 00 00 00 00 00 (Description 1)

 Send Ethernet address 00 11 22 33 44 55 (Description 2)

 High-level protocol type 08 00 (IP)

 Hardware type 00 01 (Ethernet)

 Hardware address length 06 (Ethernet address length)

IP address length 04

 Send side's IP address native IP address

 Target IP address is detected by the host's IP address

 ARP operation code 00 01 (ARP request 01, ARP answer 02)

Ethernet frame:

 Type 08 06 (ARP)

 Sender's hardware address native Ethernet card address

 Target hardware address FF FF FF FF FE

Note 1: The Ethernet address to be queried at this time is all possible to fill in 0 or 1.

Description 2: Replace with your Ethernet address.

2) After the packet construct is completed, we can send it to the network.

3). Now we need to wait for the response of the target host. If the target host is in a normal state, this packet will be blocked; but if we are in a mixed mode, we will receive a response.

8. Check all network nodes

We may detect all network nodes in hybrid mode as long as you sequentially use the detection method described in Section VI. However, in some cases, this detection method will be invalidated.

9. Abnormal situation

It is said that there is some case that cannot be used to detect hybrid mode. These exceptions include:

1). Old NIC

Some old network cards do not support multi-entry list, for example: 3com Etherlinkiii. The packet does not pass the hardware filter, enter the software filter,

2) .3com network card

The 3COM 3C905 network card installed in the Linux host is set to receive all multi-entry packets by default. Therefore, we cannot distinguish between mixed modes and multi-point mode. The reason for this abnormality is that the Linux drive module of this network card does not support multi-entry list, and the NIC will receive all multi-point packets. Note: Linux installer uses 3C59x.o as the drive module of this network card. If the drive module is changed to 3C905X.O, this issue can be solved. 3) .windows Y2K packet capture drive module

When the Windowsy2k packet capture drive module is dynamically loaded, an exception is generated. WinPCap2.1 (2.01) and SMS are two dynamic load packet capture drive modules for Windowsy2k. There are some special reactions when they are installed into the Windowsy2k system. Even if the NIC is not in a mixed mode, the address is 16 packets for the pseudo-broadcast address (the sniffer using the two drive modules will not be accurate). That is, even if the sniffer is not running, it can be detected. It may be that Micro $ OFT is intentionally to facilitate the detection of mixed mode.

Network listening attack technology

In the network, when the information is propagated, the tool can be utilized, and the network interface is set in the listening mode, and the network can be accepted or captured in the network, thereby attacking. Network monitors can be implemented in any of the locations in the network. Hackers are generally using network listening to intercept user passwords. For example, after someone occupied a host, then he wants to expand the results to this host's entire LAN, monitoring is often the shortcut they choose. Many times I saw some beginners in various security forums, and if they think that if they occupy a host, they want to enter its internal networks should be very simple. In fact, it is not an easy thing to enter a host and other machines who want to turn into its internal network. Because you have to get their passwords, it is the absolute path they share. Of course, the end of this path must be written. At this time, there will be a lot of logging programs on the host that have been controlled. But it is a matter of feminine, but also needs to have sufficient patience and strain ability.

■ Principle of network listening

Ethernet (Ethernet, is a comparative popular local area network technology invented by Xerox, which contains a cable connected to it, each computer needs a hardware called an interface board to connect to Ethernet. The mode of operation of the protocol is to send all the hosts connected to the data package to be sent. In the header including the correct address of the host that should receive the packet, because the host that is consistent with the target address in the packet can receive the packet, but when the host works in the listening mode, the target physics in the data package What is the address is, the host will be available. There are more than a dozen of the local domain, and even the hundred hosts are connected by a cable, and a hub is connected. In the high-level or user of the protocol, when the two hosts in the same network, the source host will write The packet of the host address of the target directs the host, or when a host in the network communicates with the host, the source host will write the data package of the host IP address of the destination to the gateway. However, this packet does not send it directly to the high level of the protocol stack, and the packet to be sent must be handed over to the network interface from the IP layer of the TCP / IP protocol, which is the data link layer. The network interface does not recognize the IP address. In the network interface, the packet with IP addresses has increased by the IP address to the information of the superhigh head. In the head, there are two domains for the source host and destination host of only network interfaces. This is a 48-bit address. This 48-bit address corresponds to the IP address. In other words, An IP address will also correspond to a physical address. For hosts as a gateway, since it connects multiple networks, it also has many IP addresses, which have one in each network. It is the physical address of the gateway.

In the Ethernet, the Ethernet is filled in the network interface, that is, from the network card to transmit it to the physics. If the local area network is connected by a rough net or a thin network, the digital signal is transmitted on the cable to reach each host on the line. When the hub is used, the transmitted signal reaches the hub, and the hub is then forwarded to each line connected to the hub. Thus, the digital signal transmitted on the physical line can also reach each host connected to the hub. When the digital signal reaches a host's network interface, the network interface checks for the read data in the normal state. If the physical address carried in the data is your own or physical address is a broadcast address, then the data will be handed over Give IP layer software. This process is performed for each data that reaches the network interface. However, when the host works in listening mode, all data will be handed over to the upper protocol software processing. When the host connected to the same cable or hub is logically divided into several subnets, then if there is a host in a listening mode, it will also receive the swivel and yourself not in the same subnet (using different Mask, IP Address, and Gateway) Packets, all information transmitted on the same physical channel can be received.

On the UNIX system, when you have super-permissions, you can send an I / O control command to the Interface (Network Interface) to send the I / O control command to the Interface (Network Interface), you can set the host to monitor mode. In the Windows9x system, you will be able to be implemented by directing the monitoring tools by the user if the user has permission.

When online monitoring, a large amount of information is often saved (also contains a lot of spam), and will make a lot of information on the collected information, which will make the requested machine to respond slowly for other users. At the same time, the listener needs to consume a lot of processor time when running, and if the content in detail in detail this time, many packets will not be received and received. So listening programs often put the monitoring package in the file waiting later. Analysis of the listening packet is a very headache. Because the data packets in the network are very complicated. Continuously transmit and receive packets between the two hosts, which must add some of the data packets interacting with other hosts in the results of the listening. The listener will be quite difficult to organize the package of the same TCP session. If you still expect to organize the detailed information to organize a lot of analysis according to the protocol. On the Internet on the Internet, this listener will be very big if it runs up.

The protocol used in the network is designed earlier, and many of the implementations of the agreement are based on a very friendly and communicative basis. Under the usual network environment, the user's information includes passwords to be transmitted online in a clear manner, so network listening to obtain user information is not a difficult thing, as long as the preliminary TCP / IP protocol knowledge is It can be easily listened to the information you want. I have proposed the Word Logo to extend from the LAN from the LAN, but this idea is so sincerely. If this is the case, I want the network to make the world a big chaos. And in fact now can also listen to and intercepted some user information in a wide area network. Just is not obvious enough. It is more insignificant in the entire Internet.

Here are some famous listeners in the system, you can try it yourself.

Windows9x / Nt Netxray http://semxa.kstar.com/hacking/netxray.zip

Dec unix / linux tcpdump http://semxa.kstar.com/hacking/management.zip

Solaris nfswatch http://semxa.kstar.com/hacking/nfswatch.zip

Sunos Etherfind http://semxa.kstar.com/hacking/etherfind012.zip

■ Detecting network listening method

Network monitors have explained in the above. It is designed for system administrators to manage networks, monitor network status, and data flow. But because it has the ability to intercept the network data, it is also one of the tricks used to hackers. Generally detecting the method of network listening is carried out by:

"amp; # 9658; network surveying is true, it is difficult to discover. When the host runs the listener, only the information transmitted in the Ethernet in the process of listening, it will not follow other hosts. If you exchange information, you cannot modify the packets transmitted in the network. This shows that the detection of network listening is a more troublesome thing.

In general, it can be detected by PS-EF or PS-AUX. However, most people who implement the listener will prevent PS-EF by modifying the PS command. Modifying PS only requires several shells to filter the name of the listener. It is OK. One person who can start the listener is definitely not a person who doesn't understand this dish, unless he is lazy.

It is mentioned above. When the listener is running, the host response will generally be slow, so it is also proposed to judge whether it is listened by the rate of response. If this is true, I think the world is really chaotic, saying that there will be countless listeners will run in a time period. Ha ha.

If you are suspected of having a monitoring program in the network (how to doubt? It depends on yourself), you can use the correct IP address and the wrong physical address to ping it, so that the listener is running. Will respond. This is because normal machines generally do not receive ping information for errors. But the machine is being listening can be received. If its IP Stack is no longer inspected, it will respond. However, this method is no effect on many systems because it relies on the IP Stack of the system.

The other is to send a large number of physical addresses that do not exist online, while listening programs often process these packages, which will cause the machine performance to decline, you can use ICMP Echo delay to determine and compare it. You can also search for programs running on all hosts in the network, but this is difficult to know, because this is not only a big workload, but also can't completely check the process on all hosts. But if the administrator will make a lot of necessity, it is to determine if there is a process started from the administrator machine.

In UNIX, you can generate a list of all processes in the UNIX: The host and memory of the proceedings of the process and these processes are occupied. These are output on STDOUT in the form of a standard table. If a process is running, it will be listed in this list. However, many hackers will modify PS or other running programs to the Trojan Horse program when running the listener, because he can do this. If this is the case, the above method will not have a result. But doing this to a certain extent therefore. It is easy to get the list of current processes on UNIX and Windows NT. But DOS, windows9x seems to be difficult to do, is it particularly known that I have not tested it.

There is also a way, this way is sufficiently luck. Because the listeners used in hackers are mostly free online, he is not professional listening. So as administrators used to search for listening programs can also be detected. Using Unix can write such a search for a small tool, otherwise, you have to be exhausted. Ha ha.

There is a tool called ifstatus running under UNIX, which can identify if the network interface is in debug state or under the listening. If the network interface is running this mode, it is likely that it is being attacked by the listener. Ifstatus generally does not generate any output, when it detects that the interface of the network is in listening mode, it will only return to the output. Administrators can set the system's cron parameter to run ifstatus regularly. If there is a good cron process, you can send it to people it generated to people who are executing the cron task. To achieve additional **************** / usr / local / etc / ifstatus a line of parameters. If you don't work, you can also use a script to under Crontab 00 **** / usr / local / etc / run-ifstatus. Sign in to monitor which aspect is actually seen. In general, the monitor is only a more sensitive to the user password information (there is no boring hacker to listen to chat information between the two machines). Therefore, it is entirely necessary to encrypt user information and password information. Prevent it from being listened by the plain text transmission. In modern network, SSH (a protocol for providing confidential communication in an application environment) The communication protocol has been taken along lines, and the port used by SSH is 22, which excludes information that communicates on unsuppiness channels, the possibility of listening Using the RAS algorithm, after the end of the license process, all transmissions are encrypted with IDEA technology. But SSH is not fully safe. At least now we can comment so bold.

█ famous Sniffer monitoring tool

The reason why Sniffer is famous, is done well in many ways, it can monitor all the information (even listening, see) online transfer. Sniffer can be hardware or software. Mainly used to receive information transmitted on the network. The network can run under various protocols, including Ethernet Ethernet, TCP / IP, ZPX, etc., or the joint system of centralized protocols.

Sniffer is a very dangerous thing, it can intercept the password, which can be intercepted to be secret or dedicated channels, intercepting the credit card number, economic data, e-mail, and more. More can be used to attack the network coming.

SNIFFER can be used in any platform. Now use Sniffer, it is impossible to find that this is enough to be the most serious challenge for network security.

In Sniffer, there is also a "enthusiastic person" written its Plugin, called TOD killer, which can complete the connection of TCP. In short, Sniffer should attract people's attention, otherwise security will never do it.

If you just want to use it, you can find a Sniffer program tool that has passed my Chinese by I http://semxa.kstar.com/hacking/sniffer260.zip.