Intro to Network Sniffers
In the last section, I mentioned in my "real life" example that my cracker was using a sniffer to monitor network traffic and collect usernames and passwords. Since I did not go into much detail then, I'll try to clarify what I meant by sniffing. Simply put, a sniffer is a tool that lets you monitor packets as they "fly" across your network interface. You could simply monitor your machine's own traffic, but sniffers use promiscuous mode to scan all packets bound for your network.
Allow me to demonstrate.
If I run the command ifconfig eth0 on my machine, I get the following output:
eth0 Link encap:Ethernet HWaddr 00:C0:4F:E3:C1:8F inet addr:192.168.22.2 Bcast:192.168.22.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:49448 errors:0 dropped:0 overruns:0 frame:0 TX packets:33859 errors:0 dropped:0 overruns:0 carrier:0 collisions:6 txqueuelen:100 Interrupt:10 Base address:0x300
Now let's open up a couple of terminal or xterm windows. In one window, we'll start a sniffer program. The one I'm using is called sniffit, and I will start it in interactive mode:
# sniffit -i
In the second window, rerun the ifconfig command and look for the differences. I'll focus on the important line here:
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
Notice the addition of the word PROMISC in this line, short for "promiscuous mode." What that means is that your network interface is indiscriminate as to what network traffic is listening for. Normally, your system is capturing only information bound for your IP address. If you put your network interface in promiscuous mode, it will receive all packets on the network.
sniffit is a light, curses-based program that will work in a regular terminal window (see Figure 1). I obtained my copy from my Linux vendor's contrib ftp site. You can also visit the Web site directly at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html. One of the cool things about this package is that, if you hit Return on one of the open sockets in the interactive list, you can watch the plain-text traffic going to and from the user's process. Yes, you can actually see what they are typing. (This almost begs a future column on secure shell, doesn't it?)
Figure 1 Running sniffit.
Another similar product is netwatch. This is also a network-monitoring tool that shows you what connections are alive on your network. You can get netwatch from the application home page at http://www.slctech.org/~mackay/netwatch.html or various other sources.
Now, if you are busy collecting commands to run as part of your system administration toolkit, you could do worse than to check for interfaces running in promiscuous mode. Simply run the ifconfig command and grep for PROMISC, like this:
ifconfig | grep PROMISC
By now, if I've made you so scared of loading anything new on your system, but you would still like to try out a sniffer and see what happens, you're in luck. When you installed your Linux system, you probably also installed a little package called tcpdump. While not as flashy as the other two sniffers I mentioned, this little program will do the same thing. If you've ever wondered what goes on across your network, you'll find this enlightening. Here's how to do it. From the command line, type the following:
In a few seconds, you should start seeing packets coming from and going to your system. Here's some output from my system. I told tcpdump to watch for traffic coming to and from http://www.linuxjournal.com. Notice the -l flag. That is to tell tcpdump to show me the output I was busy capturing to a file for later perusal.
# tcpdump host http://www.linuxjournal.com -l | tee /tmp/tcpdump.out
This is what the output looked like when I clicked on the Web site address:
16:41:49.101002 www2.linuxjournal.com.www > [ccc] marcel.somedomain.com.1432: F 2303148464:2303148464(0) ack 1998428290 win 16352 16:41:49.101206 marcel.somedomain.com.1432 > [ccc] www2.linuxjournal.com.www: . ack 1 win 32120 (DF) 16:41:50.001024 www2.linuxjournal.com.www > [ccc] marcel.somedomain.com.1429: F 1805282316:1805282316(0) ack 1988937134 win 16352 16:41:50.001215 marcel.somedomain.com.1429 > [ccc] www2.linuxjournal.com.www: . ack 1 win 32120 (DF) 16:41:50.840998 www2.linuxjournal.com.www > [ccc] marcel.somedomain.com.1431: F 1539885010:1539885010(0) ack 1997163524 win 16352 16:41:50.841198 marcel.somedomain.com.1431 > [ccc] www2.linuxjournal.com.www: . ack 1 win 32120 (DF) 16:41:51.494356 marcel.somedomain.com.1429 > [ccc] www2.linuxjournal.com.www: P 1:335(334) ack 1 win 32120 (DF) 16:41:51.497003 marcel.somedomain.com.1433 > [ccc] www2.linuxjournal.com.www: S 2019129753:2019129753(0) win 32120 (DF) 16:41:51.671023 www2.linuxjournal.com.www > [ccc] marcel.somedomain.com.1429: R
There are many sniffer programs available. Some are stripped-down packages that simply keep track of logins and passwords from any telnet or ftp session. Your cracker may use a modified ps to hide the presence of the sniffer as it logs away the hours. It may also have a perfectly innocent name in the process table, even if your ps is fine.
Enough with the sniffers and on to other things. If your system has been cracked, you should consider reporting the incident to the CERT Coordination Center, run by Carnegie Mellon University. The CERT Web site has extensive security information and "alerts" describing security issues or software weaknesses. One thing you can and should do is subscribe to the CERT advisories.
Before wrapping up, this final note: To the handful of people whose saying, "What if the cracker changes rpm or md5sum?", you now have an understanding of how tricky this whole security business is. My answer to this would be, immediately after installing your system and before you hook up to the Internet, get md5sums of md5sum and rpm, print out the results, and store them for future reference.