From : Brian Jones                                   06 Mar 98
Subj : Ethernet Sniffers Debunked, err Explained
------------------------------------------------------------------------

From: Brian Jones <balif@dada.darkriMUNGEdge.com>

Sorry, couldn't resist on the subject line. Here's a message I wrote a while back for the mailing list of the group I've been in for a while. Unlike some member, err, Members of this group, I type my own words and don't copy from existing texts. Well okay, I copied from an existing text, but it was MY OWN text. (chuckle)

Ethernet Sniffers Explained

This is a very basic, overly simplified explanation of how Ethernet and Ethernet sniffing work. There are many books detailing the network layer protocols and all the good stuff. Read them if you are interested.

~=-/wire/----------------------------------------------------------=~
           |                      |                      |
       computer a             computer b             computer c
      192.168.1.1            192.168.1.2            192.168.1.3

Ethernet is known as a "broadcast" method of networking. Everything is done on a common wire, and all the computers are connected to it. Every packet put on the wire is heard by every machine on it, and only the machine the packet is addressed to does something with it. This is different from other, older networks such as Token Ring, where the computers are connected in a large ring and a special frame called a token is passed from computer to computer; a computer that wants to send waits until it holds the token, then puts its data on the ring.

When an Ethernet card wants to send out a packet of information, it "listens" to see if the line is currently in use, and once the line is idle it sends its packet. The packet has a from address, say 192.168.1.1, and a to address, say 192.168.1.3. It is broadcast out onto the Ethernet, and all the computers receive it. In this example, 192.168.1.2 would receive the packet; its Ethernet card would say "Hmm.. nope, not for me" and dump it. (Strictly, the card decides using the 48-bit hardware address in the Ethernet header, not the IP address, and it also keeps frames sent to the broadcast address; the IP addresses are used here to keep the picture simple.)
However, 192.168.1.3 would say "Hey, that's me" and keep the packet, most likely passing it up to an application or program for use.

Since the computers all broadcast on the same wire, something interesting can happen. If two cards want to send at the same time, both look at the wire, see it is unused, and send at once, a "packet collision" occurs. The cards detect this, and all cards ignore the corrupted packet. The sending cards each wait a random amount of time, then try again. The timing rules built into modern Ethernet cards (listen before sending, detect the collision, back off for a random interval that grows with each repeated collision) keep collisions from swamping the wire. Cards send so fast that several dozen collisions could happen and you'd never notice. After all, most cards are 10 or 100 Mbps, and a minimum-size frame takes only about 50 microseconds to send at 10 Mbps, about 5 at 100 Mbps.

Now that you know how Ethernet broadcasts packets to all the computers, you can understand how sniffing works. An Ethernet sniffer is a program, run by root, that does something special to the Ethernet card: it puts it in a mode called "promiscuous" mode. Simplified, this means that instead of having the card dump every packet it "hears" that is not addressed to it, the card passes all of them up to be examined by the sniffer.

Scenario: 192.168.1.1 is the box we hacked, and we are running a sniffer on it. 192.168.1.2 is some guy's machine on the same network. 192.168.1.3 is the guy's friend's machine.

The friend on .3 wants to log in to his buddy's machine on .2, so he telnets over. Telnet opens the socket and connects to the machine. Behind the scenes, the kernel, the Ethernet drivers, and the Ethernet cards do their magic. 192.168.1.3 broadcasts over the Ethernet "Hey, I want to connect to 192.168.1.2 on port 23 using TCP". .2 grabs the packets addressed to it and passes them up to the system, which knows what's going on and starts sending the appropriate data over the wire, basically saying "Okay .3, let's do this", and the connection happens. This is INCREDIBLY simplified. Meanwhile..
our sniffer on .1, which has been casually watching the Ethernet, notices this and perks up. It dumps to the log file "192.168.1.3 -> 192.168.1.2 23", which means .3 connected to .2's telnet port. (Different sniffers will produce different output.)

The friend types in his login name and then his password. This gets broadcast over the Ethernet, where it's picked up by .2, which most likely will verify that the password is right and then let him in to his shell. Our sniffer on .1 says "yay!" and records the login and password, which are UNENCRYPTED and sent in PLAINTEXT over the Ethernet. The sniffer can be set up to log the entire connection, or just wait for logins and passwords to come by, or log the first 500 bytes of each connection, whatever we want. We come back a day later, examine the log, and have the password.

(Simplified) A host on the Internet most likely has its net connection attached to a router. The router will often be called a "gateway"; an example of a router is a Cisco. The router puts packets coming in from the net onto the Ethernet, to be picked up by the machines they are addressed to, and picks up packets sent by local machines to remote machines and sends them over the Internet connection, be it a T1 or an ISDN line. The servers are set to have their default gateway be the address of the router. If we set up a sniffer on one of those machines, we can monitor all traffic coming from the outside to inside machines, from inside machines to the outside Internet, or from inside machines to other inside machines. We can capture FTP passwords, POP passwords, telnet login passwords, anything we want to monitor.

That, very simply described, is Ethernet sniffing. It's not some magical program you run on your modem to sniff a remote ISP and get all sorts of "k-rad stuff". It works because Ethernet broadcasts everything over a single wire, and a sniffer only hears what crosses the wire its own card is plugged into.
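Here is the scenario above as working code. This is an added example, not code from the original message: a toy sniffer that decodes Ethernet/IPv4/TCP frames from raw bytes, emulates the card's "is this for me?" filter with and without promiscuous mode, and logs the .3 -> .2 telnet connection plus the plaintext login. The frames, the hardware addresses, the login "bob" and the password "hunter2" are all constructed for the example; the telnet traffic is simplified to bare lines with no option negotiation.

```python
# Toy Ethernet sniffer: decode Ethernet/IPv4/TCP frames from raw bytes, emulate
# the card's destination-address filter, and log a telnet login. Added example
# with constructed traffic; not code from the original post.
import struct
from collections import namedtuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TELNET_PORT = 23
BROADCAST_MAC = b"\xff" * 6
TCP_SYN, TCP_ACK = 0x02, 0x10

Frame = namedtuple("Frame", "dst_mac src_mac src_ip dst_ip src_port dst_port tcp_flags payload")

def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Assemble a minimal Ethernet II + IPv4 + TCP frame (checksums left zero,
    which is fine for constructed sample traffic that never touches a real card)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp

def parse_frame(raw):
    """Decode Ethernet -> IPv4 -> TCP; anything else (or truncated input) yields None."""
    if len(raw) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ethertype != ETHERTYPE_IPV4 or ip[9] != PROTO_TCP:
        return None
    if total_len > len(ip) or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return Frame(dst_mac, src_mac, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                 sport, dport, tcp[13], bytes(tcp[data_off:]))

def nic_accepts(frame, my_mac, promiscuous):
    """The card's hardware filter: keep frames for my MAC or the broadcast MAC,
    drop the rest, unless promiscuous mode has been switched on."""
    return promiscuous or frame.dst_mac in (my_mac, BROADCAST_MAC)

class Sniffer:
    def __init__(self, my_mac, promiscuous):
        self.my_mac, self.promiscuous = my_mac, promiscuous
        self.log = []       # connection lines such as "192.168.1.3 -> 192.168.1.2 23"
        self.streams = {}   # (src_ip, sport, dst_ip, dport) -> bytes typed by the client

    def feed(self, raw):
        f = parse_frame(raw)
        if f is None or not nic_accepts(f, self.my_mac, self.promiscuous):
            return          # the card dropped it; the sniffer never sees it
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if f.dst_port == TELNET_PORT and f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK:
            self.log.append(f"{f.src_ip} -> {f.dst_ip} {f.dst_port}")
            self.streams[key] = bytearray()        # start recording the client side
        if key in self.streams and f.payload:
            self.streams[key] += f.payload

    def credentials(self):
        """First two client lines of each telnet session: login, then password.
        Real telnet also carries option-negotiation bytes; this toy assumes none."""
        found = []
        for (src_ip, _, dst_ip, _), data in self.streams.items():
            lines = data.decode("ascii", "replace").split("\r\n")
            if len(lines) >= 2:
                found.append((src_ip, dst_ip, lines[0], lines[1]))
        return found

# Constructed hardware addresses for computers a, b, c (192.168.1.1 / .2 / .3).
MAC_A, MAC_B, MAC_C = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))

def run_scenario(promiscuous):
    """.3 telnets to .2 while our sniffer sits on .1; returns (log, credentials)."""
    sniffer = Sniffer(MAC_A, promiscuous)
    wire = [  # constructed: handshake, then the login name and password typed by .3
        build_frame(MAC_B, MAC_C, "192.168.1.3", "192.168.1.2", 1025, 23, TCP_SYN),
        build_frame(MAC_C, MAC_B, "192.168.1.2", "192.168.1.3", 23, 1025, TCP_SYN | TCP_ACK),
        build_frame(MAC_B, MAC_C, "192.168.1.3", "192.168.1.2", 1025, 23, TCP_ACK),
        build_frame(MAC_B, MAC_C, "192.168.1.3", "192.168.1.2", 1025, 23, TCP_ACK, b"bob\r\n"),
        build_frame(MAC_B, MAC_C, "192.168.1.3", "192.168.1.2", 1025, 23, TCP_ACK, b"hunter2\r\n"),
    ]
    for raw in wire:
        sniffer.feed(raw)
    return sniffer.log, sniffer.credentials()

if __name__ == "__main__":
    print(run_scenario(promiscuous=False))   # the card for .1 drops every frame: ([], [])
    print(run_scenario(promiscuous=True))    # logs the connection and the plaintext login
```

With promiscuous=False nothing is logged, because none of the frames carry .1's hardware address and nic_accepts() throws them away before the sniffer ever looks at them; with promiscuous=True the same frames yield the log line and the (bob, hunter2) pair. On a real Linux box the raw frames come from a socket opened as root with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)), each recv() result being one frame to hand to Sniffer.feed(), and the card is put into promiscuous mode with "ip link set dev eth0 promisc on".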
To stop Ethernet sniffing, people:

1: Use encryption programs like ssh (secure shell) to encrypt transfers, so the login and password never cross the wire in plaintext.

2: Segment a large Ethernet (like a university). Instead of one big wire, it's broken down into groups of machines, reducing the impact of a sniffer set up somewhere. The segments are joined by switches (switching hubs), which forward a frame only to the port where its destination hardware address lives, so a promiscuous card on one port does not see the other ports' traffic. (This reduces the exposure rather than eliminating it: an attacker who can overflow the switch's address table or spoof ARP replies can still pull other machines' traffic past their port.)

3: Various forms of encryption in the Ethernet drivers, or even hardware-based encryption.

If you've read anything about cable modems, you know they are all on a common wire based on geographic area. Your entire neighborhood, or city, could be on the same wire. That means anyone down the block, street, or road from you with another cable modem can sniff your connection. Think your neighbors are stupid? It's not too hard for their 14-year-old kid to find some "eleet windowz sn1ffer" and run it. All the more reason to encrypt your connections.

Feel free to make any additions or corrections.
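Since the whole trick rests on a card being switched into promiscuous mode, the check a practitioner wants on a box they administer is whether any card is in that mode right now. The following is an added example (not from the original message, and it goes a little beyond it into detection) for a Linux host: it reads the interface flags word from sysfs and replays kernel log lines. The sysfs path, the IFF_PROMISC bit value and the two log-line spellings are the ones Linux uses; the sample log lines are constructed.

```python
# Added example: spot a card that someone has switched into promiscuous mode on
# a Linux host you administer. Checks the sysfs interface flags and kernel log
# lines; not code from the original post.
import os
import re

IFF_PROMISC = 0x100   # IFF_PROMISC from <linux/if.h>

def is_promisc(flags):
    """True if the IFF_PROMISC bit is set in an interface's flags word."""
    return bool(flags & IFF_PROMISC)

def promisc_interfaces(sysfs_root="/sys/class/net"):
    """Names of interfaces whose /sys/class/net/<if>/flags has IFF_PROMISC set
    (e.g. the file reads 0x1103 instead of the usual 0x1003 for an up interface)."""
    if not os.path.isdir(sysfs_root):
        return []
    found = []
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if is_promisc(flags):
            found.append(name)
    return found

# The kernel logs every transition. Older kernels print
# "device eth0 entered promiscuous mode", newer ones "eth0: entered promiscuous mode".
PROMISC_RE = re.compile(r"(?:device (\S+)|(\S+):) (entered|left) promiscuous mode")

def promisc_from_log(log_lines):
    """Replay dmesg/syslog lines; return the set of interfaces still promiscuous."""
    active = set()
    for line in log_lines:
        m = PROMISC_RE.search(line)
        if not m:
            continue
        iface = m.group(1) or m.group(2)
        if m.group(3) == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return active

# Constructed sample log: a sniffer started on eth0 and stayed; eth1 was only
# briefly promiscuous (a tcpdump run that was started and stopped).
SAMPLE_DMESG = [
    "[   12.345678] device eth0 entered promiscuous mode",
    "[ 4000.000001] eth1: entered promiscuous mode",
    "[ 4001.500000] eth1: left promiscuous mode",
]

if __name__ == "__main__":
    print("from log:  ", sorted(promisc_from_log(SAMPLE_DMESG)))   # ['eth0']
    print("from sysfs:", promisc_interfaces())
```

The sysfs check answers "is any card promiscuous right now", the log replay answers "was one ever flipped, and is it still". Both only see what the kernel reports; a sniffer that captures through a dedicated tap port or a card with its own firmware-level capture will not show up here, which is why the real fix remains the first item in the list above, encrypting the session so a captured copy is useless.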