How to Detect Sniffing?
It is not easy to detect a sniffer on the network, as sniffers only capture data. A sniffer leaves no trace, since it does not transmit data. Some sniffers can be identified by manually inspecting the Ethernet wire. Sometimes the machine doing the sniffing is in promiscuous mode, although that is not always true. An investigator can use the reverse DNS lookup method to detect nonstandalone sniffers.
The following are the steps involved in detecting sniffing:
- Check to see if any machines on the network are running in promiscuous mode.
- Run arpwatch and check if the MAC addresses of any machines have changed.
- Run network tools such as HP OpenView and IBM Tivoli network health check tools to monitor the network for strange packets.
- Check if the network interface is in promiscuous mode by using the tools CPM, Chkrootkit, Sentinel, and Sniffdet.
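As an added illustration of the first and last checklist items (not code from the original page or from any of the tools it names), this Python script reads the per-interface flags Linux exposes under /sys/class/net and scans kernel log lines for the "entered/left promiscuous mode" transitions the kernel records; the log lines are constructed samples and IFF_PROMISC = 0x100 is the Linux definition of that flag bit.

```python
import glob
import os
import re

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit, as exposed in /sys/class/net/<iface>/flags

def flags_are_promisc(flags_text):
    """Parse the hex flags word Linux exposes per interface and test the bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promisc_interfaces(sysfs_root="/sys/class/net"):
    """Names of local interfaces currently in promiscuous mode (Linux only)."""
    found = []
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(path) as fh:
                if flags_are_promisc(fh.read()):
                    found.append(os.path.basename(os.path.dirname(path)))
        except OSError:
            continue  # interface vanished between listing and reading
    return sorted(found)

# The kernel logs each transition, so a capture tool that already exited still leaves a trace.
_PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")

def promisc_events(log_lines):
    """Extract (interface, 'entered'|'left') pairs from kernel/syslog lines."""
    events = []
    for line in log_lines:
        m = _PROMISC_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events

def still_promisc(log_lines):
    """Interfaces whose most recent logged transition was 'entered'."""
    state = {}
    for iface, change in promisc_events(log_lines):
        state[iface] = (change == "entered")
    return sorted(iface for iface, on in state.items() if on)

# Constructed sample log lines, not taken from a real host.
SAMPLE_LOG = [
    "Mar  3 10:01:12 host kernel: device eth0 entered promiscuous mode",
    "Mar  3 10:07:44 host kernel: device eth0 left promiscuous mode",
    "Mar  3 11:15:09 host kernel: device eth1 entered promiscuous mode",
]

if __name__ == "__main__":
    print("promiscuous now (sysfs):", promisc_interfaces())
    print("promiscuous per log   :", still_promisc(SAMPLE_LOG))
```

The sysfs check only sees the interface state at the moment it runs; the log scan catches a capture tool that has already finished.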
The following sections describe some methods for detecting sniffers.
Machines on an Ethernet network usually run the TCP protocol, which responds to requests. Each computer on an Ethernet network has two addresses, namely the IP address and the MAC address. When data is sent across the network, every computer in that network segment sees the header of the data packet. A machine accepts a data packet if the header's destination address matches its own; otherwise it drops the packet.
A sniffer can be detected by sending a data packet to the IP address of the machine, but not to its network adapter. For example, assume that a computer with MAC address 00-32-08-A4-64-21 and IP address 10.0.0.4 has a sniffer. An investigator could change the MAC address of the suspect computer in the router table to 00-32-08-A4-64-24, and send a ping with the IP address and the modified MAC address.
A normal system does not respond to the ping, since the MAC does not match. But the system with the sniffer responds, because it has grabbed the data packet carrying the modified MAC address. Such a system has probably disabled MAC address filtering on its network card and can be identified as hosting a sniffer.
ARP Method
The ARP method uses a program called Neped to detect a sniffer on the LAN. The ARP packets are transmitted with a nonbroadcast IP address. This is done to identify systems in promiscuous mode.
A system that responds to the nonbroadcast IP address request is suspected of running a sniffer. The ARP method can identify sniffers in a network where the computers cache the broadcast information in the ARP packets for a preset time period. The ARP packet header consists of the IP and MAC addresses of both the sending and receiving computers. The IP address to MAC address mapping is also included in the header of the ARP broadcast packets.
In such a network, if a nonbroadcast ARP packet is sent, all the systems through which the packet traverses, including the sniffer, if present, cache the information. If a broadcast ping is then sent to the systems in the network, all the systems except the one to which the nonbroadcast ping was sent should respond. If no response is received from a computer that was not the intended recipient of the nonbroadcast ping, that computer hosts a sniffer.
For example, consider a scenario in which a nonbroadcast ARP packet is sent from computer A to B. Computer C has a sniffer on it, and it sniffs the nonbroadcast ARP packet. When a broadcast ping request is sent, both B and C do not reply. So computer C is running a sniffer.
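The following Python is an added example, not Neped's code or anything from the original page: it builds the ARP probe frame for the variant of this method that addresses the request to an Ethernet destination MAC no card owns (assumed here to be ff:ff:ff:ff:ff:fe), and classifies a reply. A card filtering in hardware never sees the frame; a host in promiscuous mode passes it up the stack, which answers the ARP request and thereby exposes itself. Actually transmitting needs a raw socket and root, which is left out; all addresses are constructed values.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Assumed probe address: not broadcast and owned by no card, so only a
# promiscuous host ever sees it and answers.
FAKE_BCAST = "ff:ff:ff:ff:ff:fe"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(oper, dst_mac, src_mac, src_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body, 42 bytes in total."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)          # htype, ptype, hlen, plen, oper
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)         # sender hardware/protocol address
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)   # target hardware/protocol address
    return eth + arp

def build_probe(src_mac, src_ip, target_ip):
    """'Who has target_ip?' addressed to the bogus MAC instead of broadcast."""
    return build_arp(ARP_REQUEST, FAKE_BCAST, src_mac, src_ip, "00:00:00:00:00:00", target_ip)

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "oper": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }

def suspect_from_reply(probe_target_ip, frame):
    """MAC of a host that answered the bogus-MAC probe (its card accepted a
    frame it should have ignored); None for anything else."""
    arp = parse_arp(frame)
    if arp and arp["oper"] == ARP_REPLY and arp["sender_ip"] == probe_target_ip:
        return arp["sender_mac"]
    return None

if __name__ == "__main__":
    probe = build_probe("00:11:22:33:44:55", "10.0.0.2", "10.0.0.4")
    # Constructed reply from the suspect 10.0.0.4, as a promiscuous host would send it.
    reply = build_arp(ARP_REPLY, "00:11:22:33:44:55", "00:32:08:a4:64:21",
                      "10.0.0.4", "00:11:22:33:44:55", "10.0.0.2")
    print(len(probe), "byte probe; suspect:", suspect_from_reply("10.0.0.4", reply))
```

Some operating systems apply their own software filter to frames with unusual destination addresses, so a negative result does not prove the host is clean.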
Source-Route Method
To detect a sniffer, the source-route method employs a technique known as the loose-source route. The loose-source route consists of IP-source mapping in the IP header of the data packets being sent over the network. It lists the path that the packets traverse to reach the destination machine, as the IP addresses of the machines in that order. If a machine with an IP address in the loose-source route fails, the packet cannot reach the destination.
Consider the following example:
The loose-source route is 192.168.0.12 to 192.168.0.15 to 192.168.0.17 to 192.168.0.23, where 192.168.0.12 is the source IP address and 192.168.0.23 is the destination IP address. Computer A's IP address is 192.168.0.12, computer B's IP address is 192.168.0.15, computer C's IP address is 192.168.0.17, and computer D's IP address is 192.168.0.23. The packet is supposed to reach the destination, D, through B and C.
If an investigator disables computer C and computer D still receives the packet, it is likely that computer D is running a sniffer.
However, certain situations exist where computer C forwards data packets to computer D. There is a method to identify whether computer D in this case is the sniffer, if it is suspected. This method uses time to live (TTL).
During packet transfer between computers A through D, the TTL is decremented by one at each hop. If the TTL on computer A is 25, it is decremented to 24 when the packet reaches B. When it reaches C, the TTL is decremented to 23. If computer D receives the packet from C, the TTL is decremented to 22. However, if computer D has sniffed the packet as received by computer B, the TTL is decremented to 23 from 24. This indicates that computer D is running a sniffer program.
Decoy Method
The decoy method works by deliberately exposing credentials that a sniffer would capture. A client and a server are installed on either side of the network. The server is configured with dummy user accounts that have no privileges. The client runs a script that connects to the server, and the account information is transferred in plain text through POP, Telnet, or IMAP. An attacker sniffing the Ethernet wire can capture the account information, and any later attempt to log in with those dummy accounts reveals that a sniffer captured them.
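An added example of the server-side half of the decoy method (not code from the original page): it scans constructed login records for any use of a decoy account from a source other than the scripted client. It goes one step beyond the text by giving each decoy account its own path, so the account that gets reused tells you which segment the sniffer sat on. The record format, account names and addresses are all assumptions.

```python
import re
from datetime import datetime

# Constructed decoy accounts. Each one is only ever sent by the scripted
# client over one path, so whichever one is reused localizes the sniffer.
DECOYS = {
    "decoy-pop": {"client": "10.0.0.20", "path": "POP3 across switch A"},
    "decoy-telnet": {"client": "10.0.0.20", "path": "Telnet across switch B"},
}

# Constructed server login records; the format is assumed, not a real daemon's.
SAMPLE_LOG = [
    "2024-03-03T10:01:12 login user=decoy-pop src=10.0.0.20 proto=pop3 result=ok",
    "2024-03-03T10:01:40 login user=alice src=10.0.0.31 proto=imap result=ok",
    "2024-03-03T10:09:05 login user=decoy-pop src=10.0.0.9 proto=pop3 result=ok",
    "2024-03-03T10:12:51 login user=decoy-telnet src=10.0.0.20 proto=telnet result=ok",
]

_LINE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) proto=(\S+) result=(\S+)$")

def parse_login(line):
    """One record as a dict, or None for lines that are not login records."""
    m = _LINE.match(line)
    if not m:
        return None
    ts, user, src, proto, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "src": src, "proto": proto, "result": result}

def decoy_alerts(lines, decoys=DECOYS):
    """A decoy account used from anywhere but the scripted client means the
    credentials were read off the wire; failed attempts count just the same."""
    alerts = []
    for line in lines:
        rec = parse_login(line)
        if not rec or rec["user"] not in decoys:
            continue
        decoy = decoys[rec["user"]]
        if rec["src"] != decoy["client"]:
            alerts.append({"time": rec["time"], "user": rec["user"],
                           "src": rec["src"], "path": decoy["path"]})
    return alerts

if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_LOG):
        print(a["time"], a["user"], "reused from", a["src"], "-> sniffer on", a["path"])
```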
Reverse DNS Method
Some sniffers do reverse DNS lookups, thus increasing network traffic. This increase in network traffic can be an indication of the presence of a sniffer on the network. The computers generating this traffic are in promiscuous mode. Reverse DNS lookup can be carried out either remotely or locally.
The organization’s DNS server has to be monitored to identify incoming reverse DNS lookups. The method of sending ICMP requests to a nonexistent IP address can be used to monitor reverse DNS lookups. The computer performing the reverse DNS lookup would respond to the ping, thus identifying it as hosting a sniffer.
For local reverse DNS lookups, the detector should be configured in promiscuous mode. An investigator can send an ICMP request to a nonexistent IP address and view the response. If a response is received, the responding machine can be identified as performing reverse DNS lookups.
Latency Method
In the latency method, excess data packets are sent over a network that is suspected of hosting a sniffer. The logic is to overload the sniffer's memory with excessive packets so that it no longer captures useful information until it discards the already captured data.
The excess traffic does not affect the machines in nonpromiscuous mode. An investigator can ping the computers on the network before and after the network is flooded. By calculating the response time of the various computers, the investigator can determine what system the excessive load affects. A computer running a sniffer is affected by the higher load and has a longer response time. The disadvantage of this method is that the Ethernet wire is loaded, leading to false positives and false negatives.
TDR (Time-Domain Reflectometers)
A TDR works like radar. It sends a pulse down the wire. It then graphs the responses to the pulse. An investigator can look at the graph and identify any variations from the expected response. The investigator analyzes these variations to detect devices that are stealthily connected to the wire. This method can identify hardware sniffers on the Ethernet wire.
There are also tools that investigators can use to detect sniffers on the network.
arpwatch monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via e-mail.
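An added example (not arpwatch's own code) of the pairing database and change reports described above, run over constructed ARP observations. The report names "new station", "changed ethernet address" and "flip flop" follow arpwatch's terminology; a check for one MAC claiming several IP addresses, the signature of the gateway spoofing discussed further down, is added on top.

```python
from collections import defaultdict

# Constructed (ip, mac) observations, in the order a detector would see them.
SAMPLE_OBSERVATIONS = [
    ("10.0.0.1", "00:aa:bb:cc:dd:01"),   # gateway
    ("10.0.0.4", "00:32:08:a4:64:21"),
    ("10.0.0.1", "00:aa:bb:cc:dd:01"),
    ("10.0.0.1", "00:32:08:a4:64:21"),   # gateway IP now claimed by 10.0.0.4's MAC
    ("10.0.0.1", "00:aa:bb:cc:dd:01"),   # and back again: a flip flop
]

class PairingWatch:
    """Ethernet/IP pairing database with arpwatch-style change reports."""
    def __init__(self):
        self.db = {}                      # ip -> MAC currently claiming it
        self.history = defaultdict(set)   # ip -> every MAC ever seen for it

    def observe(self, ip, mac):
        """Record one observation; return a report tuple or None if unchanged."""
        mac = mac.lower()
        prev = self.db.get(ip)
        seen_before = mac in self.history[ip]
        self.db[ip] = mac
        self.history[ip].add(mac)
        if prev is None:
            return ("new station", ip, mac, None)
        if prev == mac:
            return None
        kind = "flip flop" if seen_before else "changed ethernet address"
        return (kind, ip, mac, prev)

    def shared_macs(self):
        """MACs currently paired with more than one IP (a spoofing signal)."""
        by_mac = defaultdict(list)
        for ip, mac in self.db.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def run(observations):
    """Feed observations through a fresh watcher and collect its reports."""
    watch = PairingWatch()
    return [r for r in (watch.observe(ip, mac) for ip, mac in observations) if r]

if __name__ == "__main__":
    for report in run(SAMPLE_OBSERVATIONS):
        print(*report)
```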
AntiSniff is a tool designed to detect hosts on an Ethernet/IP network segment that promiscuously gather data. Designed to work on a nonswitched network, AntiSniff performs different types of tests to determine whether a host is in promiscuous mode. The following are the three types of tests:
- DNS tests
- Operating-system-specific tests
- Network and machine latency tests
proDETECT is a tool that uses ARP packet analyzing techniques to detect network adapters that are in promiscuous mode. Security administrators can use this tool to detect sniffers on a LAN. Administrators can schedule proDETECT to scan at regular intervals. It also has some advanced reporting capabilities, such as SMTP reporting.
PromiScan is a sniffing detection tool. It works by detecting promiscuous applications starting and ending. PromiScan remotely monitors computers on local networks to locate network interfaces operating in promiscuous mode that illegally accept all packets. The tool alerts administrators when it detects possible sniffing activity.
Encryption is the best way to be secured against sniffing. It will not prevent a sniffer from functioning, but whatever data the sniffer reads will be incomprehensible. The sniffer will not be able to decrypt the encrypted data.
ARP spoofing can be used to sniff networks, and an attacker may try to ARP-spoof the gateway. To prevent this, an administrator can permanently add the MAC address of the gateway to the ARP cache. This can be done by placing the MAC address of the gateway and other important machines in the /etc/ethers file. Employees should not telnet to firewalls, routers, sensitive servers, or Public Key Infrastructure (PKI) systems, because it becomes easy for an attacker to intercept their passwords. For sensitive networks, static ARP tables should be used on the end systems.
Another way to prevent a network from being sniffed is to move the network's remote sessions from cleartext protocols such as Telnet to SSH.