嗅探器的基础知识与检测翻译.doc

《嗅探器的基础知识与检测翻译.doc》由会员分享，可在线阅读，更多相关《嗅探器的基础知识与检测翻译.doc（20页珍藏版）》请在咨信网上搜索。

1、SJ0201-2016版 本科毕业论文（设计） 英 文 翻 译 嗅探器的基础知识与检测学 院xxx 姓 名xxx专 业xxx班 级xxx学 号xxxSniffers Basics and DetectionPrefaceThis is the first version of my article titled “Sniffers Basics and Detection”. I have tried to explain in a very simple way what Sniffers are, how they work, methods of detecting sniffers,

2、various sniffing tools and finally how to protect against sniffers.The reason I wrote this document was the fact when I started trying out sniffers, there was not a single document that covered this topic comprehensively.This article is a work in progress. I keep adding material as and when requeste

3、d by users. I am planning to add another section on using the various sniffing tools that are mentioned in this article.I would love to hear from you, specifically if you want more details to be added to this document. Are there any doubts/queries of yours that this article didnt clear up? Do you wa

4、nt more information on a particular topic? If yes, please mail me. I would love to hear from you and help you if possible. Your comments, suggestions and criticisms about this article are welcome. And finally, this article is dedicated to my good friend GVS Karthik (Nange as we used to call him in I

5、IT).Sniffers: Basics and Detection“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

6、” IntroductionA sniffer is a program or a device that eavesdrops on the network traffic by grabbing information traveling over a network. Sniffers basically are Data Interception technology. They work because the Ethernet was built around a principle of sharing. Most networks use broadcast technolog

7、y wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant, will ignore that message. However,computers can be made to accept messages even if they are not meant for them. This is done by mea

8、ns of a Sniffer! Many people assume computers connected to a switch are safe. Nothing could be further from the truth. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. This article seeks to explore the topic of sniffers, how they work, detecting and pro

9、tecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.How A Sniffer WorksA computer connected to the LAN has two addresses. One is the MAC (Media Access Control) address that uniquely identifies each node in a ne

10、twork and is stored on the network card itself. It is the MAC address that gets used by the Ethernet protocol while building “frames” to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer uses an Ethernet header with the MAC address o

11、f the destination machine rather than the IP Address. The Network Layer is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. It initially looks up the MAC address of the destination machine in a table, usually called the ARP (Address Resolution Pr

12、otocol) cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address. This MAC address then gets added to the source machines

13、 ARP Cache. The source machine in all its communications with the destination machine then uses this MAC address. There are two basic types of Ethernet environments and how sniffers work in both these cases is slightly different. Shared Ethernet: In a shared Ethernet environment, all hosts are conne

14、cted to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus(Comp 1) wants to talk to Cupid (Comp 2) in such an environment, it sends a packet on the network with the destinatio

15、n MAC address of Cupid along with its own source MAC address. All the computers on the shared Ethernet (Comp 3 and Comp 4) compare frames destination MAC address with their own. If the two dont match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames

16、. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network.Sniffing in a Shared Ethernet environment is totally passive and hence extremely difficult to detect.Figure 1: A Shared Ethernet Network Packets from Comp 1, meant for Comp 2

17、are received by both Comp 3 and Comp 4. But under normal circumstances they reject the packets as the MAC address in the packet does not match their MAC address. But if either of these computers is put in promiscuous mode, they can capture the entire communication between Comp 1 and Comp2 Switched E

18、thernet: An Ethernet environment in which the hosts are connected to switch instead of a hub is called a Switched Ethernet. The switch maintains a table keeping track of each computers MAC address and the physical port on the switch to which that MAC address is connected and delivers packets destine

19、d for a particular machine correspondingly. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast it to all the machines on the network, as in the previous case. This results in better utilization of the available bandwidth and improved security.

20、 Hence the process followed earlier, of putting the machine into promiscuous mode, to gather packets does not work. As a result of this, even many experienced Systems Administrators fall into the belief that switched networks are totally secure and immune to sniffing. Sadly, this is not really true.

21、Figure 2: A Switched NetworkIn a switched network, packets from Comp 1 meant for Comp 2 are not received by other terminals connected to the switch. Even if the Comp 3 and Comp 4 are in promiscuous mode, they will yet not be able to see the traffic between Comp 1 and Comp 2.Though a switch is more s

22、ecure than a hub, the following methods can still be used to sniff on a switch:1ARP Spoofing: We have explained earlier how ARP is used to obtain the MAC address of the destination machine with which we wish to communicate. The ARP is stateless, you can send an ARP reply even if one has not been ask

23、ed for and such a reply will be accepted. Ideally when you want to sniff the traffic originating from machine Venus, you can ARP Spoof the gateway of the network. The ARP cache of Venus will now have a wrong entry for the gateway and is said to be poisoned. This way all the traffic destined for the

24、gateway will pass through your machine. Another trick that can be used is to poison a hosts ARP cache by setting the gateways MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC). An excellent tool for this is the arpspoof utility that comes with the dsniff suite. Using arpspoof to poi

25、son the ARP cache of a machine is accomplished by giving the command:Figure 3: the command 1The -t flag specifies the target whose ARP cache we wish to poison and the other argument is the IP address of the gateway that we wish to spoof. So now all the data destined for the gateway from the target m

26、achine will have to pass through our machine. Before you do this, it is essential you to turn on IP Forwarding on your machine. You can do this by giving the command:Figure 4: the command 2If the cat command returns a value of 1, then IP Forwarding has been enabled but if it returns 0, it means IP F

27、orwarding has not been enabled. It is important to enable IP Forwarding or else the network will die.Note: This way you can sniff the traffic from the target machine to the gateway, but not the traffic from the gateway to the target machine. In order to do that, you will need to poison the ARP cache

28、 of the gateway too. Given the importance of the gateway machines, quite a few administrators often install programs like arp-watch to detect such malicious activities. Hence trying to poison the gateway might be risky.2MAC Flooding: Switches keep a translation table that maps various MAC addresses

29、to the physical ports on the switch. As a result of this it can intelligently route packets from one host to another. The switch has a limited memory for this work. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses till the switch cant keep up. The switch then e

30、nters into what is known as a “failopen mode” wherein it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily. MAC flooding can be performed by using macof, a utility that comes with dsniff suite.Figure 5: the command 3

31、Warning: This method might lead to degeneration of the network services and should not be run for a long interval of time.The cases we discussed so far, involve usage of sniffers by malicious unauthorized users. If you are the LAN administrator and need to set up a sniffer for some legitimate activi

32、ty, you can connect the NIC of the sniffing machine to the SPAN port of the switch. As the SPAN port mirrors all the traffic flowing across the switch, you dont need to perform activities like ARP spoofing or MAC Flooding to get the packets destined for other machines.Detecting Sniffers:A sniffer is

33、 usually passive, it just collects data. Hence it becomes extremely difficult to detect sniffers, especially when running on a Shared Ethernet. But it is slightly easier when the sniffer is functioning on a Switched Ethernet network segment. When installed on a computer, a sniffer does generate some

34、 small amount of traffic. Here is an overview of the detection methods: Ping Method: The trick used here is to send a ping request with the IP address of the suspect machine but not its MAC address. Ideally nobody should see this packet as each Ethernet Adapter will reject it as it does not match it

35、s MAC address. But if the suspect machine is running a sniffer it will respond, as it does not bother rejecting packets with a different Destination MAC address. This is an old method and not reliable any longer. ARP Method: A machine caches ARPs. So what we do is send a non-broadcast ARP. A machine

36、 in promiscuous mode will cache your ARP address. Next we send a broadcast ping packet with our IP, but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. Voila! On Local Host: Often after your ma

37、chine has been compromised, hackers will leave sniffers, to compromise other machines. On a local machine run ifconfig. On a clean machine the output will be:Figure 6: the command 4But on a machine running a sniffer the output will be slightly different. Specifically check the last line wherein it m

38、entions “RUNNING PROMISC”. That means the machine is in promiscuous mode and probably a sniffer is running on it. Figure 7：the command 5The output of the ifconfig command has been slightly modified to fit screen Latency Method: This method is based on the assumption that most sniffers do some parsin

39、g. Very simply put, in this method, If the machine is in promiscuous mode, it will parse the data, increasing the load on it. Therefore it will take extra time to respond to the ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or

40、not. A point worth noting is that the packets may be delayed because of the load on the wire, resulting in false positives. ARP Watch: As described earlier, one method to sniff on a switched network is to ARP spoof the gateway. A utility called arpwatch can be used to monitor the ARP cache of a mach

41、ine to see if there is duplication for a machine. If there is, it could trigger alarms and lead to detection of sniffers. Unfortunately on network implementing DHCP, this could trigger many false alarms. A simple change that can be made is the increase the DHCP lease time. This way even after your u

42、sers come back after the weekend break, they will get the same IP address as before and the chance of a false alarm is greatly reduced. Using IDS: Certain Intrusion Detection Systems, monitor for ARP Spoofing on the network. The Open Source IDS Snort for instance has an arp-spoof preprocessor that a

43、llows it to record packets on the network with spoofed ARP addresses. Typically it compares the IP/MAC pairing it is given in the snort.conf file, against the pairing in the packet flowing across the network. Whenever there is a mismatch, it generates an alert. To be honest, it is not easy to detect

44、 sniffers. 9嗅探器的基础知识与检测前言这是我的一篇题为“关于基础与检测”的第一个版本。我试图以一种非常简单的方式解释嗅探器是什么，它们是如何工作的，检测嗅探器的方法，各种嗅探工具以及最后如何防范嗅探器。我写这个文件的原因是当我开始尝试嗅探，没有一个全面地阐述过这一议题单个文档。本文是一项正在进行的工作。我一直在添加材料，当用户要求时。我打算再添加上一节使用本文中提到的各种嗅探工具。我很想听到你的建议，特别是如果你想让更多的细节被添加到本文档中。是否有任何疑问/疑问，这篇文章不清楚？你想了解更多关于某个特定主题的信息吗？如果是，请给我发邮件。如果可能的话，我很愿意听你的话，帮助你。欢

45、迎您的意见，建议和批评这篇文章。最后，这篇文章是献给我的好朋友GVS Karthik（南葛我们过去在IIT称呼他）。嗅探器：基础与检测“如果你认识敌人，了解你自己，你不必担心一百场战斗的结果。如果你认识自己，而不是敌人，因为每一次的胜利，你也会遭受失败。如果你既不知道敌人，也不知道你自己，你就会屈服于每一场战役。”简介嗅探器是一个程序或一个设备，监听网络上的流量通过抓住传输在网络上的信息。嗅探器本质上是“数据拦截技术。他们工作，是因为以太网是建立在一个共享的原则。大多数网络使用广播技术，其中一台计算机上的消息可以通过另一台计算机在网络上读取。在实践中，除了有意义的消息，所有的其他计算机将忽略该

46、消息。然而，即使不是他们的消息，计算机也可以接受信息。这是由一个嗅探手段完成的！许多人认为连接到一个交换机的计算机是安全的。没有什么可以能远离真相。连接到交换机和连接到集线器的计算机一样容易受到攻击。本文旨在探讨嗅探器的话题，他们是如何工作的，检测和保护你的资产，反对这些程序的恶意使用。最后，我们将讨论一些常用的嗅探器。嗅探器的工作原理：连接到局域网的计算机有两个地址。一种是媒体访问控制（媒体访问控制）地址，唯一标识网络中的每个节点，并存储在网络卡本身。MAC地址由以太网所使用的协议，同时构建“帧”从一台机器传输数据。另一种则是应用程序的地址。数据链路层使用一个以太网头部和目标机器的MAC地址

47、，而不是IP地址。网络层负责将网络地址映射到数据链路协议所要求的MAC地址。它最初是在一个表中的目标机器的MAC地址，通常称为ARP（地址解析协议）缓存。如果没有发现条目为IP地址，地址解析（ARP请求广播请求包）网络上所有的机器。该地址的机器与它的MAC地址的源程序响应。这个MAC地址然后添加到源主机的ARP缓存。源主机在所有与目的地主机的通信，然后使用这个MAC地址。有两种基本类型的以太网环境，嗅探器在这两种情况下，工作稍有不同。共享以太网：在一个共享的以太网环境中，所有主机都连接到同一总线，并与另一个带宽竞争。在这样的环境中，一台机器的数据包被所有其他机器接收。因此，当机器Venus（C

48、omp 1）想跟Cupid（Comp 2）在这样的环境中，它将与目的MAC地址的Cupid随着自身的源MAC地址的网络数据包。在共享式以太网的所有计算机（Comp 3和COMP 4）比较帧的目的MAC地址与自己的MAC地址，如果两者不相匹配，则该帧被悄悄丢弃。一台机器上运行一个嗅探器打破这个规则并接受所有帧。换句话说该机器已经进入混杂模式能有效地监听网络上的所有流量。在一个共享的以太网环境嗅探是完全被动的，因此很难检测。图1：共享以太网从COMP 1发出的数据包，目的指向COMP 2， COMP 3和COMP 4也是被动接受的。但在正常情况下，他们拒绝的数据包的MAC地址不匹配他们的MAC地址。但如果这些电脑放在混杂模式，它能捕捉Comp 1和Comp2之间的整个通信交换式以太网：一个以太网环境，主机与主机相连通过交换机，而不是一个集线器被称为交换式以太网。该交换机包含一个表保持跟踪每个计算机的MAC地址和交换机上的物理端口，该MAC地址是发送数据包到特定的机器并连接。该交换机是一个智能设备，发送数据包到特定的计算机，并没有广播到所有机器上的网络，