
Chapter 14. Sniffers

Sniffers are programs that passively monitor and capture network traffic. Almost any laptop or PC can be turned into a sniffer by installing sniffer software, much of which is freely available on the Internet. The system running the sniffer should have a network interface card that can be used in promiscuous mode. Promiscuous mode enables the sniffer to view but not respond to network traffic, thereby making the sniffer essentially invisible on the network. Sniffers are very useful tools during penetration testing and network troubleshooting. We commonly use them to capture user names and passwords from FTP and telnet sessions. In addition, sniffers can be used to capture any network traffic that is not encrypted, such as e-mail, HTTP, and other clear text services.

Sniffers are generally able to intercept network traffic only on their local network segment. For instance, if a sniffer is located on a shared network that uses hubs, it can view all traffic on the entire network. If a sniffer is located on a switched network (one that uses switches rather than hubs), the sniffer can see only broadcast traffic and traffic directed to it. To sniff a switched network, the sniffer would have to be located on a switch port that mirrors the traffic going to other ports, or be placed in a VLAN with the systems it would monitor. New sniffer programs are emerging that can sniff switched networks; one such sniffer, dsniff by Dug Song, is described below. The assumption that switched networks are safe from sniffers no longer holds.

It's hard to defend against sniffers. Later in this chapter we discuss a tool that can be used as a countermeasure to sniffers, called AntiSniff. AntiSniff attempts to detect network cards in promiscuous mode to identify potential sniffers. However, even the most advanced sniffer-detection programs have a hard time detecting a well-configured sniffer. The best defense is to encrypt all sensitive network traffic and use strong authentication services that encrypt the logon process.
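The promiscuous-mode flag discussed above can also be audited locally on hosts you administer. The following is an added example, not code from the book and not how AntiSniff works (AntiSniff probes other machines over the network); it assumes a Linux host that exposes interface flags under `/sys/class/net`, and the function names are hypothetical.

```python
"""Local audit: list Linux interfaces whose flag word has IFF_PROMISC set."""
import os
import sys

IFF_UP = 0x1         # from <linux/if.h>
IFF_PROMISC = 0x100  # from <linux/if.h>


def read_flags(iface_dir):
    """Return the interface flag word from sysfs, or None if unreadable."""
    try:
        with open(os.path.join(iface_dir, "flags")) as fh:
            return int(fh.read().strip(), 16)  # file holds hex, e.g. 0x1103
    except (OSError, ValueError):
        return None


def audit_promiscuous(sysfs_root="/sys/class/net"):
    """Map interface name -> {"up": bool, "promiscuous": bool}.

    sysfs_root is a parameter (an assumption of this example) so the check
    can run against a copied or constructed tree as well as the live system.
    """
    report = {}
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return report
    for name in names:
        flags = read_flags(os.path.join(sysfs_root, name))
        if flags is None:
            continue  # not an interface directory (e.g. bonding_masters)
        report[name] = {"up": bool(flags & IFF_UP),
                        "promiscuous": bool(flags & IFF_PROMISC)}
    return report


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the sorted names of interfaces with IFF_PROMISC set."""
    return [n for n, s in audit_promiscuous(sysfs_root).items()
            if s["promiscuous"]]


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    for name in hits:
        print(f"{name}: promiscuous mode enabled")
    sys.exit(1 if hits else 0)  # non-zero exit lets a cron job or monitor alert
```

This check covers only the host it runs on; a sniffer on another machine on the segment is outside its view.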
