| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
Switched networks lose their security advantage due to packet-capturing tool THE ART OF "sniffing" network traffic, or capturing packets on the wire, has long been one of the most fruitful parts of any malicious hacker attack. The bad guys can read entire e-mail messages, gain passwords, and obtain complete access by simply running a network sniffer on a shared Ethernet or Token Ring network.
Sniffing traffic allows an unauthorized computer user to view the traffic destined to someone else. In other words, by sending an e-mail message to a colleague at work, you could also be sending it to your cubicle neighbor -- or the whole company -- as well. The technique of sniffing traffic on a switched segment has been discussed in security circles for some time, but Dug has put the theory into practice. With little more than an ARP (address resolution protocol) redirect program and IP forwarding, an attacker can sniff every station on your switched network. The potential damage to your network from a sniffing attack of this nature can be nuclear. Few administrators know about this technology, and even fewer fight the menace. But don't take our word for it, check it out yourself. Sniffing on a switch Switching technology, by definition, switches packets from one destination to another without passing them by any of the other stations on a network, thereby reducing the risk of the packets being picked up. But arpredirect, the utility within the dsniff distribution, makes sniffing on a switched network easier than a DDoS (distributed denial of service) attack in February. This is how it works: The attacker's system sends out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened. You will need to use either the kernel-level IP forwarding in /proc/sys/net/ipv4/ip _forward or fragrouter on a Linux system to perform the packet forwarding. So by forging ARP replies for the default gateway of a network, all traffic destined for the default gateway will be sent to and then forwarded by the attack system. Once received at your system, you can grab anything you desire, including passwords such as SNMP, FTP, POP (post office protocol), HTTP, IRC (Internet Relay Chat), Telnet, and many others. In addition to the passwords, you can read all cleartext e-mail as well. Bag o' goodies Besides arpredirect, the dsniff distribution comes with its marquee tool: dsniff. The tool is a remarkable password sniffer and collects just about every cleartext and poorly encrypted password. These include all the usual suspects, plus NNTP (Network News Transfer Protocol), IMAP (Internet Message Access Protocol), LDAP, RIP (Routing Information Protocol), OSPF (Open Shortest Path First), NFS (Network File System), YP (Yellow Pages), Socks, X11, CVS (concurrent versions system), IRC, AIM (AOL instant messaging), ICQ, Napster, PostgreSQL, Meeting Maker, Citrix Independent Computing Architecture, Symantec pcAnywhere, NAI Sniffer, Microsoft Server Message Block, and Oracle SQLNet authorization information. Mailsnarf is another tool for grabbing network data, but this utility reassembles and displays e-mail traffic in a legible manner, thus enabling you to read other users' e-mail in real time. And finally, Webspy is a great utility for watching what your users are doing on the network; it will refresh your browser with the Web pages being viewed on anyone's system. Solutions The only real solution to this type of attack is encryption. No matter how much packet sniffing is allowed on your network, by using applications that encrypt the traffic, users can at least be moderately reassured that their information will be safe from prying eyes. The detection solution is to monitor ARP traffic on your network and detect when ARP entries are being changed. You can use a product such as arpwatch, by Craig Leres at ftp://ftp.ee.lbl.gov/arpwatch.tar.Z. Of course neither solution is all that great and makes you wonder how many years we will be dealing with this vulnerability. What security blanket do you hug? Let us know at security_watch@infoworld.com. Stuart McClure is president/CTO and Joel Scambray is a managing principal at security consultant Foundstone ( www.foundstone.com ), formerly Rampart Security Group.  RELATED SUBJECTS  SecurityMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
