Basic principle of sniffing ZZ
http://www.chinaitlab.com/www/news/Article_show.asp?id=2296
Http://www.cert.org.cn/articles/tabloid/common/2003072116217.shtml
Basic principle of sniffing
Source: Reprinted 2003-07-21
I. Introduction
Sniff is an old topic. About Sniff on the Internet is not new, there is no new case, no more successful cases, then what is the SNIFF? Sniff is the sniffing device, that is, the sniffier, Sniff quietly works on the bottom of the network, and records all your secrets. Have you seen the "National Enemy" of Wills Misth? Sniff is like a delicate dripping device, so that you can't prevent it.
SNIFF can be software, or it can be hardware. Since the software is to be a platform, there is Windows, unxi, etc., hardware SNIFF is called network analyzer, anyway, no matter the hardware software, the target is only one, that is, it is Various information transmitted on the network. This article only describes the SNIFF of the software.
When you are comfortable to sit at home, enjoy the convenience of your network to you, charge your email, when you buy your favorite items, you will think of your friend to give you a letter, your credit card account becomes Another information package is not transferred on the network. Have you ever brought into other people's machines through the network? Your concerns are not unreasonable, because Sniff can make your worries become truthful. It's like a person hiding in your side behind you. . . . . .
Two-network basics
"Network Basics", is it a bit a bit? Although it sounds like this and what we have to talk about, there is nothing to talk, but it is still to say, Wanzhang high rise, if you don't play, how to cover the building? ! If you are not very clear about the network, it is best to calm down, you know, this is the foundation foundation. Here I just simply say, if you are confused, it is best to yourself. Go to find a book.
(1) TCP / IP architecture
The Open System Interconnect (OSI) model divides the network into a seven-layer model, which is used to achieve different functions on each layer. These seven layers are: application layers, representations, session layers, transport layers, network layers, data. Link layer and physical layer. The TCP / IP system also follows this seven-layer standard, but only compresses in some OSI functions, combining the representation layer and the session layer into the application layer, so the TCP / IP we deal is only 5 floors. However, the hierarchical structure on the network determines the distribution and functional implementation of the protocols on each layer, thereby determining the use of network equipment on each layer. In fact, many successful systems are based on OSI models, such as frame relays, ATM, ISDN, etc.
TCP / IP network architecture (part)
-----------------------------------
| SMTP | DNS | HTTP | FTP | TELNET | Application
-----------------------------------
| TCP | UDP | Transportation
-----------------------------------
| IP | ICMP | ARP RARP | Network Layer
---------------------------------------------------------------------------------------------------------------------------------------
| IEEE 802 Ethernet SLIP / PPP PDN ETC | Data Link Layer
-----------------------------------
| NIC cable twisted pair ETC | Physical layer
-----------------------------------
From the above figure, we can see that the first layer of physical layer and the second layer data link layer is the foundation of TCP / IP, and the TCP / IP itself is not very concerned about the low level because the network is in the data link layer. The device driver isolates the upper protocol and the actual physical interface. The network device driver is located in the Media Access Layer (MAC).
(2) Equipment on the network
Repeater: The main function of the repeater is to end the signal of a network segment and regenerate this signal in another network segment, in a sentence, is simple to enlarge, working on the physical layer.
Bridge: Bridge uses MAC physical address implementation relay feature, which can be used to separate the network segment or connect to part of the xenographic network, working on the data link layer.
Router: Router uses a network layer address (IP, X.121, E.164, etc.), mainly responsible for the routing of packets, and can handle work on the physical layer and data link layer.
Network Off: Mainly working in the fourth layer of the network, mainly achieve convergence function and protocol conversion, but many times the gateway is used to describe any network interconnect device.
(3) TCP / IP and Ethernet
Ethernet and TCP / IP can be said to be in each other, it can be said that the relationship between the two is almost unparalleled, Ethernet provides a physical connection in a two-layer, while TCP / IP works on the upper layer, using 32-bit IP address, Ethernet uses 48-bit MAC addresses, and both ARP and RARP protocols are used to transform. From the model map of our TCP / IP, you can clearly see the relationships of both.
Carrier monitor / conflict detection (CSMA / CD) technology is generally used in Ethernet, so-called carrier monitoring is that each site in Ethernet has the same right. When transmitting your own data, first listen to the channel. Free, if you are idle, transfer your own data, if the channel is occupied, wait for the channel to idle. Conflict detection is to prevent two sites from simultaneously monitoring the network without being used. Ethernet adopts a broadcast mechanism, all workstations that are connected to the network can see data delivered on the network.
In order to deepen your understanding, let's take a look at the picture below, a typical customer and server in Ethernet
Communication for TCP / IP protocols.
User Process FTP Customer <-------------------------> FTP server application layer
| | |
TCP <-----------------------------------------------------------------------------------> TCP Transportation
| | |
Protocol in the kernel IP <-------------------------> IP network layer
| | |
Ethernet driver <-----------------------> Ethernet driver data link layer
────── - -----------------------------
Ethernet
I have so much, some people are annoying? I believe me, this is the foundation foundation, it can be said to be very simple, if needed, take out a hundred thousand words, I don't think too much, ok, let us enter the next The principle of SNIFF.
Three SNIFF principle
To know that all communications are broadcast in Ethernet, that is, all network interfaces that usually in the same network segment can access all data transmitted on physical media, and each network interface has a unique Hardware address, this hardware address is also the MAC address of the NIC. Most systems use 48-bit addresses, this address is used to represent each device in the network, which generally said that the MFC address on each network card is different, each A network card manufacturer gets an address and then assigns an address of each network card produced by this address. Use the ARP and RARP protocols between hardware addresses and IP addresses. In normal case, a network interface should only respond to such two data frames:
1. Data frames matching your hardware address.
2. Broadcast data frames for all machines.
In an actual system, the transmission and reception of the data is completed by the NIC. The NIC receives the transferred data. The single-chip of the network card receives the destination MAC address of the data frame, according to the reception mode set by the network card driver on the computer. It is determined that the reception is not received after receiving the interrupt signal to notify the CPU, and it is considered that the received data network card is cut off, so the computer does not know. The CPU obtains the interrupt signal generation interrupt, and the operating system receives data according to the network card interrupt program address of the network card, and the driver receives the data and puts the signal stack to make the operating system processing. And for the network card, there are generally four reception modes:
Broadcasting method: The NIC can receive broadcast information in the network.
Multicast mode: The network card set in this mode can receive multicast data.
Direct mode: In this mode, only the destination network card can receive the data.
Mixed mode: The network card in this mode can receive everything through it, regardless of whether the data is transmitted.
Ok, now we summarize it. First, we know that in the broadcast mode based on broadcasting data in the Ethernet, that is, all physical signals have to pass my machine, once again, the network card can be placed in a mode called Mixed mode, the NIC working in this mode can receive everything through it, regardless of the actual destination address of the data. This is actually the basic principle of our SNIFF work: Let the NIC receive everything he can receive.
(Figure 1)
Let's take a simple example. As shown in the figure, the machines A, B, C are connected to the hub HUB, and the hub HUB accesses the external network via the router Router. This is a very simple and common situation. For example, in the company building, several machines in my network office are connected through the hub, while the network, the development department, the market department is also the same, several departments The hub is connected via a router. Still returning to our map, it is worth noting that machines A, B, C use a normal HUB connection, not using Switch, nor using Router, using Switch and Router more complicated more.
We assume that the administrators on the machine A In order to maintain the machine C, we use an FTP command to remotely log in to the machine C, then the data direction process in this network connected to the HUB is like this. First, the FTP password of the login machine C input on the machine A, the Wizard, the transfer layer TCP protocol, the network layer IP protocol, the Ethernet driver on the data link layer, finally sent Go to the physical layer, on our cable. Next, the data frame is sent to the HUB, and now, it is now broadcast from the data frame issued by the machine A, and the machine B receives the data frames sent by the HUB broadcast, and checks if the address in the data frame and its own address. Matching, finding that this data frame is discarded after you want to turn itself, and you will not pay attention to it. The machine C has also received data frames and found that they were discovered after comparison, and then he analyzes this data frame.
In this simple example, the administrator on the machine B is very curious, he really wants to know what is the FTP password to log in to the machine C? Then he is going to do very simple, just need to put the network card on his machine in a mixed mode, and analyze the received data frames to find password information contained in the data frame.
Four make a self
In the previous section, we already know how the basic principles of Sniff are things. This section we came to do your own Sniff, after all, using the program code to talk more than anything, it is easy to deepen understanding.
Looking back, I think about the principles we have to say, there are a few things we have to do:
1. Place the network card in a mixed mode.
2. Capture the packet.
3. Analyze the packet.
Note: The following source code takes to Chad Renfro << Basic Packet-SnifferConstruction from THE
GROUND UP >> One article
/ *******************************
1. # include
2. # include
3. # include
4. # include
5. # include
6. # include
7. # include
8. # include
9. # include "Headers.h"
#define interface "eth0"
/ * Prototype Area * /
10.int Open_RAW_SOCKET (VOID);
11.int Set_Promisc (Char * Interface, INTSOCK);
12.int main () {
13.int Sock, Bytes_Recieved, fromlen
14.Char Buffer [65535];
15. Struct sockaddr_in from;
16.Struct IP * IP;
17.Struct TCP * TCP;
18. Sock = Open_RAW_SOCKET ();
19. SET_PROMISC (Interface, SOCK);
20. While (1)
twenty two. {
23. from Fromlen = SizeOf from
24. Bytes_Recieved = Recvfrom (Sock, Buffer, Sizeofbuffer, 0, (Struct SockAddr
*) & from, & fromlen;
25. Printf ("/ nbytes received ::% 5d / n", bytes_recieved;
26. Printf ("Source Address :::% S / N", inet_ntoa (from.sin_addr));
27. IP = (struct ip *) buffer;
/ * See IF this is a tcp packet * / 28. IF (ip-> ip_protocol == 6) {
29. Printf ("IP Header Length ::% D / N", IP-> ip_length;
30. Printf ("Protocol :::% D / N", IP-> ip_protocol;
31. TCP = (struct TCP *) (Buffer (4 * ip-> ip_length);
32. Printf ("Source Port ::% D / N", NTOHS (TCP-> TCP_SOURCE_PORT));
33. Printf ("dest port ::% D / N", NTOHS (TCP-> TCP_DEST_PORT));
34.}
35.}
36.}
37.int Open_RAW_SOCKET () {
38. int SOCK;
39. IF ((SOCK = Socket (AF_INET, SOCK_RAW, IPPROTO_TCP) <0) {
/ * THE SOCKET WAS NOT CREATED PROPERLY AND MUST DIE * /
40. PERROR ("The Raw Socket Was Not Created);
41. EXIT (0);
42.}
43. Return (SOCK);
44.}
45.int Set_Promisc (Char * Interface, Int Sock) {
46. struct ifReq IFR;
47. Strncpy (ifr.ifr_name, interface, strnlen (interface) 1);
48. IF ((IOCK, Siocgifflags, & IFR) == -1)) {
/ * Could NOT Retrieve Flags for the interface * /
49. PERROR ("Could Not Retrive Flags for the Interface);
50. EXIT (0);
51.}
52. Printf ("THE Interface IS: ::% S / N", Interface);
53. PERROR ("Retrieved Flags from Interface SuccessFully);
54. IFR.IFR_FLAGS | = IFF_Promisc;
55. IF (IOCK, Siocsifflags, & IFR) == -1) {
/ * Could Not set the flags on the interface * /
56. PERROR ("Could Not Set The Promisc Flag:");
57. EXIT (0);
58.}
59. Printf ("Setting interface :::% s ::: prop", interface;
60. Return (0);
61.}
/ ************************************************************ ********* /
There is a very detailed annotation in this program, but I think there is still necessary to say, first of all, Chain 10 - IPE
n_raw_socket (void); is our custom function, the specific content is as follows:
37.int Open_RAW_SOCKET () {
38. int SOCK;
39. IF ((SOCK = Socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) <0) {/ * THEN THE SOCKET WAS NOT CREATED PROPERLY AND MUST DIE * /
40. PERROR ("The Raw Socket Was Not Created);
41. EXIT (0);
42.}
43. Return (SOCK);
44.}
RESILIN IF ((Sock = Socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) <0) {
Here we call the Socket function, enabling an original set of interfaces to receive the TCP / IP packet.
Next, Char * Interface, INTSOCK, this is also our custom function, the purpose is to put the network card in mixed mode, the specific content is as follows:
45.int Set_Promisc (Char * Interface, Int Sock) {
46. struct ifReq IFR;
47. Strncpy (ifr.ifr_name, interface, strnlen (interface) 1);
48. IF ((IOCK, Siocgifflags, & IFR) == -1)) {
/ * Could NOT Retrieve Flags for the interface * /
49. PERROR ("Could Not Retrive Flags for the Interface);
50. EXIT (0);
51.}
52. Printf ("THE Interface IS: ::% S / N", Interface);
53. PERROR ("Retrieved Flags from Interface SuccessFully);
54. IFR.IFR_FLAGS | = IFF_Promisc;
55. IF (IOCK, Siocsifflags, & IFR) == -1) {
/ * Could Not set the flags on the interface * /
56. PERROR ("Could Not Set The Promisc Flag:");
57. EXIT (0);
58.}
59. Printf ("Setting interface :::% s ::: prop", interface;
60. Return (0);
61.}
First, Struct IFREQ IFR; set an IFRREG structure IFR, followed by StrNcpy (IFR.IFR_NAME, Interface, Strnlen 1); Interface "Eth0", let us look down, IOCTL (Sock, Siocgifflags, & IFR), Siocgifflags request indicates that you need to get the interface sign, now you have to go to Chapter 54, and set him into mixed mode after we succeeded after the interface sign. IFR.IFR_FLAGS | = IFF_Promisc; IOCTL (Sock, Siocsifflags, & I FR). OK, now what we said is complete -------- put the network card in a mixed mode.
Now enter the second step, capture the packet. From the 20th line, we entered a dead cycle, while (1), on the 24th line, Recvfrom (Sock, Buffer, Sizeof Buffer, 0, (Struct Sockaddr *) & from, & fromlen, this function is to do. Receive data, Ice put the received data into the buffer. It is so simple that we have completed the task we have to capture the packet. In the third step, analyze the packet. 27 lines, IP = (struct IP *) Buffer, allowing us of the IP structure in the header file corresponding to the received data, then determined whether the TCP protocol, IF (IP-> ip_ protocol) is used in the network layer == 6) If the answer is that the TCP packet starts from the entire IP / TCP package buffer (4 * ip-> ip_length) address, 31 lines TCP = (struct TCP *) (Buffer (4 * IP- > ip_length)), then the corresponding structure outputs the information you want.
/******************************************************************************************************** ***** /
/ * structure of an ip header * /
Struct ip {
Unsigned int ip_length: 4; / * Little-endian * /
Unsigned int ip_version: 4;
Unsigned char ip_tos;
UNSIGNED SHORT IP_TOTAL_LENGTH;
UNSIGNED SHORT IP_ID;
UNSIGNED SHORT IP_FLAGS;
UNSIGNED CHAR IP_TTL;
UNSIGNED Char ip_protocol;
UNSIGNED SHORT IP_CKSUM;
Unsigned int ip_source; unsigned int ip_dest;
}
/ * Structure of a tcp header * /
Struct tcp {
UNSIGNED SHORT TCP_SOURCE_PORT;
UNSIGNED SHORT TCP_DEST_PORT;
Unsigned int TCP_SEQNO;
Unsigned int TCP_ACKNO;
Unsigned int TCP_RES1: 4, / * Little-endian * /
TCP_HLEN: 4,
TCP_FIN: 1,
TCP_SYN: 1,
TCP_RST: 1,
TCP_PSH: 1,
TCP_ACK: 1,
TCP_URG: 1,
TCP_RES2: 2;
UNSIGNED SHORT TCP_WINSIZE;
UNSIGNED SHORT TCP_CKSUM;
UNSIGNED SHORT TCP_URGENT;
}
/ *************************************************** ******** /
From the above analysis we can clearly realize that knowing a SNIFF requires a detailed understanding of the TCP / IP protocol, otherwise you can't find the information you need. With the foundation of the above, you can do it yourself to be a Sniff you need.
Five common SNIFF
Few causes will let you do your own Sniff, unless you want to know his principle, or some other special reasons, such as intercepting some special packets in a particular environment. Let's take a look at some SNIFFs that are often used on the network.
(1) In the Windows environment
In the Windows environment, it is of course a famous NetXray and SnifferPro. In fact, many people use him to analyze him in a Windows environment, but I think few people are stupid to install a graphical interface on other people's machines. Unless he is very familiar with the administrator ........ Netxray is not said, anyway, the things under Windows are Click, Click, Click, very convenient users. (2) UNUX environment
The SNIFF in the unux environment can be said to be a hundred flowers, and one is a big one, such as Sniffit, Snoop, Tcpdump, DSNIFF, etc., they all have a benefit is to release source code, let you study, of course, Free :)
Sniffit
Sniffit can run on platforms such as Solaris, SGI, and Linux, a free network listener software developed by Lawrenceberkeley Laborative Lab. Recently Sniffit0.3.7 also launched NT versions and also supports Windows2000.
Instructions:
-v display version information
-A The result of the listener is output in the form of ASCII.
-A When recording, all non-printable characters are replaced
-b is equivalent to using parameters - T & -S.
-d will listen to the resulting content displayed in a hexadecimal mode in the current terminal
-p records connected to the package, 0 is all ports. The default is 0.
-P protocol Select the protocol to check, default to TCP. Possible options have IP, TCP, ICMP, UDP, and their combination.
-s Specifies the SNIFFER to check the data packet sent from the transmitted. -t Specifies the data packet sent by the SNIFFER check.
-i enters interactive mode
-l Setting the data package size, Default is 300 bytes
Note: The parameters can be used to represent an IP range, such as -t 192.168. @ -T and -s only apply to TCP / UDP packets, and interprets ICMP and IP. However, if only the -p parameter is selected, only for TCP and UDP packets.
for example:
#nsniffit -a -p 21 -t xxx.xxx.xxx.xxx
Listen to the information of the 21-port (FTP) that flows to the machine xxx.xxx.xxx.xxx, and displays ASCII
#Sniffit -d -p 23 -B xxx.xxx.xxx.xxx
Monitor all the information of the 23-port (Telnet) that flows out or flows into the machine xxx.xxx.xxx.xxx, and displays 16
You can find SNIFFIT here
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
2. Snoop
Snoop is installed in Solaris by default, a program for displaying network traffic, but Sniff is a double-edged sword, since the administrator can use him to monitor your own network, of course, an evil intruder can also use him Sniff I am interested in. It is worth mentioning that SNOOP is found to have a buffer overflow vulnerability, which is remotely entered into the system with an invader to run Snoop (usually root). This is the outline, and you will hit it.
Instructions:
[-a] # listen to Packets on Audio
[-D device] # settable to le ?, ie ?, bf ?, tr?
[-s snake] # Truncate Packets
[-c count] # qitAfter country packets
[-P] # Turn Off Promiscuous Mode
[-D] # Report Dropped Packets
[-S] # Report packet size [-i file] # ied previously captured packets
[-o file] # Capture Packets in File
[-n file] # loading addr-to-name Table from file
[-N] # Create Addr-to-Name Table
[-t r | a | d] # Time: Relative, Absolute or delta
[-v] # verbose packet display
[-V] # Show All summary Lines
[-P first [, last]] # Select packet (s) to display
[-x offset [, length]] # hx dump from offset for length
[-C] # Print Packet Filter Code
E.g:
#Snoop -o Saved a b
Listen to the conversation of machines A and B and store the content in file Saved
3. TCPDUMP
TCPDMP is also a very famous network listener software. FreeBSD also comes with the system, is a professional network management tool that is considered a professional network by many UNIX masters.
Instructions:
TCPDUMP uses a command line method, its command format is:
TCPDUMP [-ADeflnnopqstvx] [-C quantity] [-f file name] [-i network interface] [-r file name] [
-S Snaplen] [-t type] [-w file name] [expression]
1. TCPDUMP Option Introduction
-A converts network addresses and broadcast addresses into names;
-d will give the code of the matching packet to the assembly format that people understand;
-dd gives the code of the matching packet to the format of the C language block;
-ddd gives the code of the matching packet in decimal form;
-e Prints the head information of the data link layer in the output line;
-f Prints the external Internet address in the form of a number;
-L makes the standard output become buffered in form;
-n does not convert network addresses into names;
-t does not print a timestamp in each line output;
-v output a slightly detailed information, such as information of TTL and service types in the IP packet;
-VV output detailed message information;
-c After receiving the number of specified packets, TCPDUMP will stop;
-F reads expressions from the specified file to ignore other expressions;
-i Specifies the network interface of the listener;
-r Reads the package from the specified file (these packages are typically generated by the -w option);
-W Directly write the package into the file and does not analyze and print it;
-T will be listened to the package directly to the specified type of message, and the common types are RPC and SNMP.
2. TCPDUMP expression introduction
Expression is a regular expression, TCPDUMP uses it as a filtering message, if a message meets the conditions of expression, this message will be captured. If no condition is given, all the packets on the network will be intercepted.
In the expression, the following types of keywords are generally regarding the type of keyword, including Host, Net, Port, such as Host 210.27.48.2, indicating that 210.27.48.2 is a host, NET 202.0.0.0 indicated 202.0.0.0 is a network address, Port 23 indicates that the port number is 23. If there is no specified type, the default type is host. The second is to determine the keywords in the transfer direction, mainly including SRC, DST, DST OR SRC, DSTAND SRC, which indicate the direction of transmission. For example, SRC 210.27.48.2 indicating that the IP package is 210.27. 48.2, DST NET 202.0.0.0 The network address indicated by 202.0.0.0. If there is no point in the direction, the default is the src ORDST keyword.
The third is the keywords of the protocol, mainly including FDDI, IP, ARP, RARP, TCP, UDP, and other types. FDDI indicates a specific network protocol on the FDDI (Distributed Optical Data Interface Network), in fact it is "Ether" alias, FDDI and Ether have similar source address and destination address, so you can put the FDDI protocol Ether's package for processing and analysis. The other keywords are the contents of the protocols of the listener. If no protocol is specified, TCPDUMP will listen to all protocols.
In addition to these three types of keywords, other important keywords are as follows: Gateway, Broadcast, Less, Greater, there are three logical operations, take non-operative is `NOT` `!`, With the operation is `and` `&&`; or operation is `or`,` || `.
Example usage:
#tcpdump host aaa.bbb.ccc.ddd
Conversiting the IP address for a machine for aaa.bbb.ccc.ddd
#tcpdump tcp port 23 host aaa.bbb.ccc.ddd
A call to the 23-port of the IP address is a machine of aaa.bbb.ccc.ddd
4. DSNIFF
The reason why DSNIFF is to talk about because he is more than just a SNIFF, in his entire suite package, contains many other useful tools, such as Arpspoof, DNSSPOOF, MACOF, TCPKILL, etc., Sniff's means more diverse and complication. DSNIFF is developed by dugsong you can find this tool on his home page. At present, DSNIFF supports OpenBSD (I386), Redhat Linux (I386), and Solaris (SPARC). And in FreeBSD, Debian Linux, Slackware Linux, AIX, and HP-UX can also be operated very well. But DSNIFF requires several other third-party software for support, they are, BerkeleyDB, OpenSSL, LibPCAP, Libnet, Libnids. If you are allowed, you'd better read the source code of DSNIFF personally, you can
Http://naughty.monkey.org/~ DUGSONG / Found DSNIFF.
Six in-depth SNIFF
The function of simple SNIFF is always limited, so in most cases, SNIFF tends to combine with other means, SNIFF and SPOOF have been combined with other technical means to harm the network. The harm is huge. Simple SNIFF has lacks a leg, it is unable to play a big role. For example, in the example of the Sniff Principles, I repeatedly emphasized that there is a normal HUB to connect, if we Instead of HUB in Figure 1 instead, that case is more complicated, as shown in Figure 2: Figure (2)
In Figure 2, our machines A, B, C are connected to Switch, while Switch accesses external networks via router ROUTER. Let's first understand the working principle of Switch:
The HUB in our map is simply simply transmits the received signals through all ports (in the mouth of the signal), and the Switch in Figure II can check each received packet, and Treat a corresponding processing for the packet. The physical address of all nodes on each network segment is saved in Switch, only the necessary network traffic is passed through Switch. For example, after the Switch receives a packet, check the send and recipient addresses included in the packet according to your own network address table. If the recipient is located in the sender network segment, the packet will be discarded by Switch and cannot be transferred to other network segments by the switch; if the recipient and sender are in two different network segments, the packet will be forwarded by Switch Go to the target network segment. In this way, through the filtering and forwarding of the switches, the network broadcast storm can be effectively avoided, and the occurrence of misleading and oligible packages can be effectively avoided. By the way, the price of Switch and Hub is now in a few, so HUB is gradually being replaced by the network switch.
Now returning to our example, just like the figure in Figure 2, we assume that the administrator on the machine A In order to maintain the machine C, use an FTP command to remotely log in to the machine C, then here, data It is this: First, the FTP password entered by the administrator in the machine A enters the apparatus FTP protocol, the transport layer TCP protocol, the network layer IP protocol, the Ethernet driver on the data link layer layer 1 layer The parcel, finally sent to the physical layer, on our network cable. Next, the data frame is sent to the Switch, and Switch checks the destination address in the data frame, and knows that he should send this data frame to the machine C in his own network address table, so that the machine C receives When I arrived from A, I found that he was sent to himself, so analyzing processing.
OK, now the administrator of the administrator on our machine B can only be deeply buried in the heart, because the packet has not passed him at all, even if he set his own network card into mixed mode, it is powerless.
After understanding the principles in a Switch environment, we combine some means to try Sniff, yes, we can do this, there are many means to let the administrator B meet his curiosity, I will ask a few The way, of course, only some of them.
1 ARP SPOOF
In an internal network based on IP communication, we can use the ARP SPOOF's means to understand what is arpspoof. You must understand what is ARP and RARP protocol, what is a MAC address, what is IP address. The ARP protocol is an address conversion protocol, and RARP is called a reverse address conversion protocol, and they are responsible for mutual conversion of IP addresses and MAC addresses.
The fundamental principle of ARP SPOOF is because the computer maintains an ARP cache, and this ARP cache is constantly updated with the computer constant ARP request and receives ARP response, the purpose of the ARP cache is to put the machine. The IP address and MAC address are mapped to each other. You can use the ARP command to view your own ARP cache. Now I want to work in the data link layer, and he forwards the packet he receives according to the MAC address, and the ARP cache maintained by the calculator is dynamic ... What do you think of? In order to deepen understanding, now give us a machine, machine A: IP address is 10.0.0.1, the MAC address is 20-53-52-43-00-01, machine B: IP address is 10.0.0.2, MAC address For 20-53-52-43-00-02, the machine C: IP address is 10.0.0.3, the MAC address is 20-53-52-43-00-03. The administrator on the machine B is a smart guy. He issued an ARP Reply to the machine A (the agreement does not specify must wait for the ARP Request to send ArpReply, and there is no provision must send ARP Request to receive arpreply), where The destination IP address is 10.0.0.1, the destination MAC address is 20-53-52-43-00-01, and the source IP address is 10.0.0.3, the source MAC address is 20-53-52-43-00-02, good Now, the machine A updated his ARP cache and believed that the MAC address of the IP address 10.0.3 was 20-53-52-43-00-02. When the administrator on the machine A issues an FTP command - ftp10.0.0.3, the packet is sent to Switch, Switch View the destination address in the packet, found that the MAC is 20-53-52-43-00-00-00-00-00-00-00-00-00-00- 02, then he issued the data package to the machine B. Imagine what should I do if I don't want to affect communication between A and C? You can deceive them both to a man-in-middle.
Of course, in the actual operation you need to take some other things, such as some operating systems, in the active sending ARP request package to update the corresponding ARP portal, and the like.
2. Mac flooding
Only we have mentioned that Switch can determine the MAC address in the packet to determine the MAC address he should send the packet to that port is based on the address table maintained by himself. This address table may be dynamic or static. This depends on the Switch manufacturer and Switch model. For some Switch, he maintains a dynamic address table and the size of the address table. There is a ceiling, such as 3COMSUPERSTACK SWITCH 3300 (3C16981 Hardware V.1 Softwarev.2.10) is such a Switch, we can "overflow" the address table for Switch maintenance by sending a large number of errors, so that he becomes Broadcast mode to achieve the purpose of communicating between the SNIFF machine A and the machine C.
3. Fake the Mac Address
Forging MAC addresses are also a common way, but this is based on Switch in your network, which is actually updated dynamically, this is actually similar to the ARP SPOOF we mentioned above, but now you want Switch to believe in you, Instead, I want the machine A to believe you. Because Switch is dynamically updated its address table, what you have to do is telling Switch: hi, I am machine C. Substance, you only need to send a fake packet to Switch, where the source MAC address corresponds to the MAC address of the machine C, and now Switch will correct the machine C and your port. However, there is a problem, and now the machine c will also say: Hi, Switch Boss, I am machine C! What should you do now? Cut, still use it! Let him say that you can't say it, DOS is still other, just let you ... 4. ICMP Router Advertisements
This is mainly caused by the defects of the ICMP Router Discovery Protocol (IRDP). In Windows 95, 98, 2000, and Sunos, Solaris2.6 and other systems, the IRDP protocol is used, and the SunOS system is only used in certain specific cases. The agreement, and Windows95, Windows95B, Windows98, Windows98se, and Windows 2000 are all default use IRDP protocols. The main content of the IRDP protocol is to tell people who is the router, imagine, a HACK uses IRDP to claim how bad is the situation of the router! All the machines who believe in Hack put all their data to the machine controlled by HACK .........
5. ICMP Redirect
The so-called ICMP redirection means that the machine tells the machine to send his packet to another, ICMP redirection is usually used in such an occasion, assuming that both A and B are located in the same physical network segment, respectively. The logical subsidiary, and the A and B do not know this. Only the router knows that when the data sent to b arrives at the router, the router will send a ICMP redirect package to a, tell A: Hi, don't send data Give me transferred, you can send it directly to B. Imagine that a HACK can use this, so that the data sent to B has passed by him.
The methods mentioned above are only some of them. In order to cooperate with SNIFF more efficient, there are many other methods, in fact, the purpose of Sniff is that only one is, it is to capture, from the concept of capturing, All the techniques used in order to capture the information packets on the network can be classified into SNIFF, and the simple SNIFF is not efficient. Can you still think of? Attacking routers, placing SNIFF on the router ..., implanting Sniff ..., etc. in the system kernel.
Seven how to prevent SNIFF
Preventing the most effective means of Sniff is a reasonable network segment and uses switches and bridges in the network. In the ideal case, each machine has its own network segment, of course, this will make your network construction fee Add a lot, so you can try to make mutual trust machines belong to the same network segment, so that they don't have to worry about the existence of SNIFF. And hardware barriers are performed between the network segments. You can also use encrypted technology to encrypt your sensitive data or passwords you transfer in your network, your bank account, business secret, etc. You can use SSH and other encryption methods. In order to prevent ARP spoof, you can use a permanent ARP cache entry, anyway, the attacking means and principles above you have also seen it, you think about what to do. However, there must be a spear, and the usual security awareness is the most important. (Note: The following is the article of L0PHT Antisniff Technical Documentation for Antisniff to take the back Backend translation.
When you do a layer protection, you still doubt what is Sniff on your network? The L0PHT team has released a software Antisniff to detect SNIFF. Of course, this software is not free :), the AntiSniff tool is used to detect whether there is a machine in the LAN in which Antisniff Version1.x is designed to run in the Ethernet's Windows system Provide an easy-to-use graphical user interface, and AntiSniffVersion1.x is mainly working in a local network segment in a non-exchange environment. If you run in a switched environment, you will be big. AntiSniff Ver 2.0 will not only be in the local network segment, but also work through the router and switches.
◆ Operating system class special test
Linux kernel test
The old version of the Linux kernel has a strange feature that can be used to determine if the machine is in a mixed mode. In normal conditions, the NIC will filter and discard those target addresses are not packets of this machine MAC address or Ethernet broadcast address. If the target address of the packet is the local Ethernet address or broadcast address, it will be processed to the kernel because it considers that the Ethernet data frame contains the correct IP address of this unit or the network broadcast address. If the network card is in a mixed mode, each packet is passed to the operating system for analysis or processing. Many versions of the Linux kernel only check the IP address in the packet to determine if it is stored in the IP stack. In order to use this, Antisniff constructs a packet that is invalid Ethernet address and IP address is valid. For Linux systems that use these kernel versions and in a mixed mode, they receive and store them in the corresponding stack since only check the IP address. These systems returns a response package (if they are in a mixed mode) or ignore (if not in a mixed mode), if it is not in a mixed mode), it exposes its operating mode. This test is very effective when the IP address in the forged Ethernet data frame is set to the network broadcast address. AntiSniff users can modify the forged Ethernet, the default is 66: 66: 66: 66: 66: 66.
NetBSD
Many NetBSD kernels have the same characteristics as the above Linux kernel, but the IP address in the forged Ethernet data frame must be set to the broadcast address.
Windows 95/98 / NT
According to the understanding of the network driver header file, you can know that when in a mixed mode, Microsoft's operating system checks the Ethernet address of each package. If you match the Ethernet address of the NIC, the data package as the target IP address is the local package is processed in the corresponding stack. One of the points that can be utilized is the analysis of the Ethernet broadcasted package. In normal case, for example, the machine is operated in non-mixed mode, the NIC only transmits those target Ethernets to match or to the Ethernet broadcast address (FF: FF: FF: FF: FF). If the machine is in mixed mode, the network driver will still check the Ethernet address of each packet, but check if the head 8 bit address is 0xFF when the broadcast package is a broadcast package. Therefore, in order to return the response information in a hybrid mode, the Antisniff constructs the Ethernet address of ff: 00: 00: 00: 00: 00: 00: 00 and contains a correct target IP address, and when Microsoft's operating system receives this packet When the subtle difference of the network driver is checked (if in a mixed mode) or discarding this packet (if it is in a non-mixed mode). It should be noted that this check is related to the network driver used. Microsoft default network drivers have above, most manufacturers have inherited these features in order to maintain compatibility. However, some NIC will check the headed 8 digits of the Ethernet address in its hardware layer, so it may always return to the positive value regardless of what the system is true. For this type of network card and driver, please visit the Antisniff Ver1.x web site.
◆ DNS test
The reason for performing DNS test is that the network data collection tools used by many attackers are reverse DNS parsing for IP addresses because they want to find more valuable hosts based on domain names. For example, joepc1.foo.bar is often the attractive attraction of attackers is not as good as payroll.foo.bar. At this point these tools are changed by passive network tools to active network tools. The machine that does not listen to network communication will not try to reverse the IP address in the packet. In order to use this, Antisniff Ver1.x makes itself in mixed mode, send a false target IP address to the network, and then listens to whether or not the machine sends the reverse DNS query for the false target IP address. Forging the Ethernet address of the packet, check the target, the false target IP address can be customized by the user.
◆ Network and host response time test
This test has proven to be the most effective. It can find a machine in a mixed mode in the network regardless of what its operating system is. Warning that this test will produce huge network communication traffic in a short period of time. The reason for performing this test is to provide a certain hardware underlayer filtering mechanism not in a network card in the mixed mode. That is to say, the data packet of the target address is non-local (except broadcast addresses) will be discarded by the firmware of the NIC. In this case, suddenly increase, but the target address is not the local network communication traffic on the operating system. It will only be small. The machine in mixed mode lacks filtration in this type of underlying, and suddenly increases, but the target address is not a local network communication traffic that has a more obvious impact on the machine (different operating system / kernel / user mode will have different) . These changes can be monitored through the network communication flow tool.
According to the above points, AntiSniff Ver 1.x first uses the ICMPecho request and response to calculate the response time base reference and average value of the machine. After obtaining this data, a large number of forged packets are sent immediately to the local network. At the same time, the test packet is sent again to determine the change value of the average response time. The amount of response time variation of the machine of the non-mixed mode will be small, and the amount of response time of the mixed mode of the machine usually has 1-4 orders of magnitude. In order to deal with the most commonly used tools for attackers and intruders, Antisniff has three network saturation tests: SixTysix, Tcpsyn, and Threeway.
* SixTysix test constructed packet data is all 0x66. These packets are not received by the machine of the non-mixed mode while facilitating recording and capture using common network listening / analysis tools such as TCPDUMP and SNOOP.
* TCPSYN Test Construction Packet contains a valid TCP header and IP header, while the SYN bit of the TCP flag is set.
* Threeway test The principles taken are basically the same as TCPSYN, but more complex. In this test, the two actually existing machines have set up a complete TCP tripartite handshake communication. It can better deceive those hackers. Antisniff Ver 1.x can be found in the test method of the mixed mode machine by the above three packet tests, which is best performed periodically and compared to the previous data. Response Time Test The first running data can also be used to analyze a large network performance when flooding and non-flooding status, and help engineers adjust network performance. Once you are confident that the local network has been running in normal (no machines that are not allowed to be in a mixed mode), you should set the Antisniff tool periodically run. Just find that a certain amount of machine performance (response time) is changed, it is generally determined that it is in a mixed mode. This approach does not need to compare performance data between two independent systems, and only the data different from the same machine can determine if the machine is in a mixed mode.
Eight ends
This article is designed to describe the basic principles of SNIFF, which is to make you not only understand what is SNIFF, but to understand the fundamental principle of SNIFF operation, the article refers to a lot of information, involving direct reference. I am very grateful to them. I would like to thank W.Richhard.stevens, although it has passed away, but the TCP / IP three volumes left are really benefiting everyone. Many places in the article are also to make the old man pointing to the fascination. Finally, I would like to thank the Nestlé coffee, let me write this article, huh, huh, thank you.
