Fog Creek Software
Discussion Board




How common are sniffers, anyway?

Every security protocol will explicitly forbid sending authentication data in the clear. SSL, SFTP, SSH - all manner of methods are established to protect data streams.

But I'm curious - how often does this happen? How many documented cases of "cracking via sniffing" over the internet are there?

I'm not saying it's not a risk, and I'd never advise anything but secure protocols; I'm just wondering.

Philo

Philo
Sunday, February 01, 2004

How common are sniffers?

Pretty common in shopping malls and, I'd wager, grade schools.  Parents really need to teach their kids earlier how to blow their noses.

veal
Sunday, February 01, 2004

Seriously though... sniffers are pretty damn common here in the US.  The federal government has them installed at all the major ISPs and on the major backbones.

In fact, some poor analyst somewhere is probably evaluating this post right now, after some Bayesian filter flagged it as suspicious.  Hi, whoever you are.  Keep up the good work.  :-)

veal
Sunday, February 01, 2004

"In fact, some poor analyst somewhere is probably evaluating this post right now, after some Bayesian filter flagged it as suspicious."

At least the tinfoil hat keeps him from reading your thoughts though, right.  ;)

Joe Blandy
Sunday, February 01, 2004

The recent Debian compromise started with a sniffed password.

Matt Conrad
Sunday, February 01, 2004

A server at the same colo facility as my company's was compromised, and a sniffer was installed there. The hosting company is no longer in business.

Mike Swieton
Sunday, February 01, 2004

One can mitigate the effects of network sniffers with the use of decent switching technology, e.g. if you make each port its own VLAN.

That doesn't make it impossible for the sniffer to operate; something similar to 'overflow the switch' to revert it to default 'hub' operation, or ARP cache poisoning, will (possibly) circumvent this, but it makes it a bit harder.

Anon
Sunday, February 01, 2004

I sniff and log the wire all the time at home.  Keeping an eye on who is surfing what and when.  I can watch the IM chat in real-time if I like.

At work, we sniff the wire as a matter of routine - we do networked hardware products and often analyze the round trip response time of packets as we attempt to understand performance issues.

A "sniffer" is nothing more than ethereal, an ethernet hub and physical access to the last router or switch.

hoser
Sunday, February 01, 2004

Hoser - I know that, but it's the "physical access" part that makes me think that's why it's not that common; not that people aren't bothering, but that they simply can't get to where they need to be to do it.

Philo

Philo
Sunday, February 01, 2004

Ahh... secure by lucky happenstance.

veal
Sunday, February 01, 2004

If all you have is a switch, then the only traffic you should be able to sniff will be your own and broadcasts right?

Is there a way to get around this?

I'm asking because I was using ethereal in my office and I couldn't see anything but that.

Wayne
Sunday, February 01, 2004

Yes, at least that's the theory. If someone manages to hijack your router/end point and gets it to log all packets (no doubt some routers do this for diagnostic purposes, I really don't know, though) then it's game over man, f'ing game over !! [leading space added for extra effect ;-)]

In theory you can poison the arp caches of other hosts on the switch, i.e. tell them to associate the IP address of the router with your Ethernet MAC address (this assumes an Ethernet) and log packets on their way through, before forwarding them on to the real router. This is basically a man-in-the-middle attack and a similar effect could be achieved one level up the protocol stack (in the OSI model) by using an ICMP redirect. In that case, you'd only get IP traffic, though.

At a very (and I do mean very) basic level, a switch is just a hub with a lookup table mapping port number -> IP address. It is, in theory, possible to overflow the lookup table and make the switch revert to a hub-like operation. There's probably some info about this in some issue of phrack, though I imagine it depends very much on the switch manufacturer.

More advanced switches allow the administrator to dedicate a port or a group of ports to be a VLAN.

As an aside, there are some interesting ways to detect sniffers on the network. Try and ping an IP address that doesn't exist on the network and if a sniffer is running it will probably send out an ARP request for the Ethernet address. This is more a side-effect of the Ethernet card being in promiscuous mode than a software sniffer running.

I believe the l0pht wrote a utility to detect sniffers that used the round trip time of ping under heavy network load, the idea being that if a machine is logging loads of packets it would take it longer to respond, I think.

Anon
Sunday, February 01, 2004
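The ARP cache poisoning described in the post above is exactly what an arpwatch-style monitor on the defender's side looks for: an IP address, above all the default gateway's, that suddenly answers from a different MAC, and a MAC that is already bound to another host on the segment. The following is an added example and not code from the original thread; the record format ("<ts> <ip> is-at <mac>"), the gateway address 192.168.1.1 and every MAC address are constructed sample data for illustration, and `parse_record`, `watch` and `analyze` are names chosen here.

```python
"""Minimal arpwatch-style monitor: flag IP->MAC bindings that change.

Added example. The ARP records below are constructed, not captured from
a real network, and the one-line text format is an assumption.
"""
from dataclasses import dataclass

# Constructed sample of ARP replies seen on one segment. Record 3 shows the
# gateway IP suddenly answering from the MAC that also owns 192.168.1.20;
# record 4 shows the real gateway re-asserting itself (a "flip-flop").
SAMPLE_ARP = """\
0 192.168.1.1 is-at 00:11:22:33:44:55
1 192.168.1.20 is-at aa:bb:cc:dd:ee:01
5 192.168.1.1 is-at aa:bb:cc:dd:ee:01
9 192.168.1.1 is-at 00:11:22:33:44:55
""".splitlines()


@dataclass
class ArpReply:
    ts: int      # seconds since start of capture (constructed)
    ip: str      # sender protocol address: who claims to own this IP
    mac: str     # sender hardware address


def parse_record(line):
    """Parse the assumed "<ts> <ip> is-at <mac>" record format."""
    ts, ip, keyword, mac = line.split()
    if keyword != "is-at":
        raise ValueError(f"unexpected record: {line!r}")
    return ArpReply(int(ts), ip, mac.lower())


def watch(records, gateway_ip):
    """Return one alert per observed change of an IP's MAC binding."""
    bindings = {}   # ip -> MAC currently bound to it
    history = {}    # ip -> every MAC ever seen for it
    alerts = []
    for rec in records:
        current = bindings.get(rec.ip)
        if current is None:
            bindings[rec.ip] = rec.mac
            history.setdefault(rec.ip, set()).add(rec.mac)
            continue
        if current == rec.mac:
            continue
        # A binding returning to a MAC seen before is the classic sign of
        # the real host and a spoofer fighting over the same address.
        kind = "flip-flop" if rec.mac in history[rec.ip] else "changed"
        # The man-in-the-middle signature: the new MAC is already bound to
        # some other IP on the segment (the spoofing host's own address).
        also_claims = sorted(ip for ip, mac in bindings.items()
                             if mac == rec.mac and ip != rec.ip)
        alerts.append({
            "ts": rec.ts,
            "ip": rec.ip,
            "kind": kind,
            "old_mac": current,
            "new_mac": rec.mac,
            "severity": "HIGH" if rec.ip == gateway_ip else "MEDIUM",
            "mac_also_claims": also_claims,
        })
        bindings[rec.ip] = rec.mac
        history[rec.ip].add(rec.mac)
    return alerts


def analyze(lines, gateway_ip="192.168.1.1"):
    """Parse text records and run the monitor over them."""
    return watch((parse_record(l) for l in lines if l.strip()), gateway_ip)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP):
        print(f"[{alert['severity']}] t={alert['ts']}s {alert['ip']} {alert['kind']}: "
              f"{alert['old_mac']} -> {alert['new_mac']} "
              f"(new MAC also claims {alert['mac_also_claims'] or 'nothing else'})")
```

Run against the sample it reports two HIGH alerts for the gateway: the change at t=5 (with the note that the new MAC also claims 192.168.1.20) and the flip-flop back at t=9. In practice the records would come from a host on the segment that listens for ARP replies, and the gateway binding would be pinned so that any change pages someone rather than just being logged.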

Many switches can designate one (or more) of their ports as "span ports", which get _every_ packet that arrives at the switch (except when their buffer overflows, etc.).

If your switch doesn't have a span port, you can try to force it into hub mode by ARP poisoning and similar techniques, or connect an ethernet "tap", which is a passive device that goes in the middle of an ethernet cable, and connects to two ethernet ports, through which you can sniff the ingoing and outgoing communication respectively.

Sniffers are common;
Keyboard loggers are _much_ more common, and -- from a hacker's point of view -- much more useful. Who cares about encryption when you can tap into the data before it's encrypted?

Ori Berger
Sunday, February 01, 2004

It depends on who you're concerned with sniffing your conversations. The government probably (echelon/carnivore anyone?), AOL probably, your corporate firewall probably, your wife, maybe.

Hackers? I dunno.

Why, afraid Bill Gates is reading your lovey-dovey AOL messages? And what are you doing on AIM anyway,  you should be on MSN messenger!

www.MarkTAW.com
Sunday, February 01, 2004

No, it's just that at various points in time, due to various lapses, I've had SMTP servers hijacked and FTP servers tagged. In both cases it's happened when I allowed relaying or anonymous FTP "just for a little while" - I think it generally takes hours.

But due to client requirements, I've sent usernames/ passwords in cleartext for years and never been hacked. That doesn't make it good practice or advisable, but knowing that you generally need either physical access to a switch or malignant code on the machine, it makes me wonder how often cleartext passwords are actually grabbed.

And now that I think of it, I've been "reprimanded" several times for using standard FTP, but nobody ever says a word about allowing anonymous FTP access...

Philo

Philo
Sunday, February 01, 2004

I've always personally thought the anxiety over sniffing was a silly one, but am gradually giving it more credence.

I'm still highly skeptical of anyone who tells me that I'm at risk from my home DSL or dial-up connection.  Is someone really going to install a sniffer at my ISP?  Well, the FBI, sure.  (google on Carnivore).  But I doubt anyone else.  And my online banking service told me there's never (i.e. NEVER) been a case of someone using a sniffed credit card for a false transaction.  They're probably telling the truth.

But what has me now worried are the following trends. 

(1) Corporations monitoring Internet access by their employees  (one of my clients, for example)

(2) People who sit in Internet cafes and grab wireless packets.  (a guess, but a likely one) and

(3) There's documented cases of people installing keyboard loggers at public internet sites like Kinkos.

(c.f. http://www.theregister.co.uk/content/55/31832.html )

So, it's worth being careful.  Especially on a public internet terminal or over a wireless link.

Voice of Rationality
Sunday, February 01, 2004

I'm more concerned about the impact than about the likelihood. Imagine that someone sniffs just one password from just one user just one time. What's the worst he can do?

Remember, most attacks are "leapfrog" attacks, where the attacker uses a small amount of access to get just a little more access and gradually pry his way deeper into the system until he can root the box. You have to trace this chain very carefully, and if the user can get to a shell at all you can reasonably assume that he can eventually get root.

That's why nobody worries about anonymous FTP: you can't ordinarily get a shell there. But if you pass a system password in the clear to log into the FTP server, the attacker *can* generally use that to get a shell, and that usually leads to root if he knows what he's doing.

Caliban Tiresias Darklock
Monday, February 02, 2004

I remember a story about Best Buy sending credit card information over wireless networks within the store, someone with a sniffer in the parking lot could grab the traffic easy.

Internet traffic is great enough that I doubt there's someone sniffing MY traffic, but plenty of places make nice and easy targets.

Also, you don't know if the person you send info to is on a wireless network in an office building where someone has planted a sniffer, or decides to check their email from Starbucks.

www.MarkTAW.com
Monday, February 02, 2004

Common in
a) Public WiFi
b) Educational networks (University and college)
c) Cable modem environments (Usually you can get packets from everyone else on your segment)
d) Hacked colo and office machines (Although this tends to be targeted)

Basically inside your LAN it's fairly unlikely, although given where you're working at the moment Philo this may not be true.

Peter Ibbotson
Monday, February 02, 2004

> c) Cable modem environments (Usually you can get
> packets from everyone else on your segment)

Hmm. That sucks. Almost makes me glad I'm on DSL.

> d) Hacked colo and office machines (Although this tends
> to be targeted)

Reminds me of another story about HP printers that had mini servers built in that could be used to launch attacks on the network because nobody ever bothered to harden their printer.

www.MarkTAW.com
Monday, February 02, 2004

Sniffing wireless networks is a pretty common thing these days...

SG
Monday, February 02, 2004

Sniffing wireless networks is no worse than sniffing actual internet traffic from the same user, no?

m
Monday, February 02, 2004

While not exactly sniffers, I have seen key chain WiFi HotSpot detectors for sale at Staples recently. For those outside US, Staples is an office supplies store. Now I feel much better knowing every kid in the neighborhood runs around the streets hacking networks with a key chain and a PDA.

coresi
Monday, February 02, 2004

"Is someone really going to install a sniffer at my ISP?  Well, the FBI, sure.  (google on Carnivore).  But I doubt anyone else. "
----------------------
Well, I think that the ISP employees would be prime candidates.  You're basically gambling that every single employee at your ISP, past present and future, is trustworthy.

Network admins loooooooove to snoop, in my experience.  Not necessarily for "evil" reasons, but they love to do it. 

John Rose
Monday, February 02, 2004

The WiFi HotSpot detector that coresi mentioned got me curious.  Here's a link for anyone else interested: http://www.kensignton.com/html/3720.html

Steve H
Monday, February 02, 2004

According to reviews, the Kensington wifi sniffers are crap.

I kinda view it as meeting in the middle.  Prevent the damage that sniffers can do to accidental unencrypted transmissions by going to switched and otherwise hard-to-sniff connectivity (switched ethernet is good for reasons other than security, of course) and then prevent the damage that sniffers can do by encrypting transmissions.  We were moving towards unsniffable perfection with switched ethernet, then Wifi came along. ;)

Flamebait Sr.
Monday, February 02, 2004

AFAIK, the Kensington product isn't capable of sniffing packets, per se.  It (supposedly) detects WiFi signals, but you can't hook it up to a notebook or PDA.  And, like Flamebait says, every review says it's crap.

On the other hand, there's a legitimate danger with war drivers who scope out neighborhoods with WiFi-enabled laptops.  Where I live (a dense neighborhood in San Francisco) there's usually even one or two open WiFi gateways within range of my apartment.

Robert Jacobson
Monday, February 02, 2004

Sniffers are used.  Keyloggers are preferred, but sniffers can be used as well.

If there wasn't such an insistence on encrypted protocols, sniffers would be much, much more common.

I knew a student at my university that had sniffers that did nothing but collect passwords and store them in a large text file.  Later, if he wanted access to someone's account, he'd brute force it starting with his ActualPasswords.txt file as the starting point.  He said he could get into 60% of the accounts he tried with this method (just from the sniffed passwords and substitutions where the password included the machine name).

Richard P
Monday, February 02, 2004

Sniffing wireless networks is habit-forming.

gluesniffer
Monday, February 02, 2004

"Network admins loooooooove to snoop, in my experience.  Not necessarily for "evil" reasons, but they love to do it. "

This has been my experience as well. They get all huffypuffy over it when you call them on it, but it is clear from their "anecdotes" in the pub that some of these guys have voyeur habits.

Just me (Sir to you)
Tuesday, February 03, 2004

That's great, because any time I have a controversial conversation at work, I'm sure to say HI to the guy who watches the network. It's actually a running joke between me and some of my friends.

The problem is, in this day and age, it's like your boss will get a customized printout as well.

www.MarkTAW.com
Tuesday, February 03, 2004

>like likely.

Oy, my typing is going downhill today.

www.MarkTAW.com
Tuesday, February 03, 2004
