Chapter 10 - Sniffing

Sniffing is a technique by which an attacker can compromise the security of a network in a passive manner. A sniffer, in network security circles, is a program or tool that passively monitors a computer network for key information that the attacker is interested in. In most cases, this information is authentication information which can be used to gain access to a system or resource. Sniffers are included with most rootkits.

There are two techniques for sniffing: old-school and new-school. In the old days, computers were connected via a shared medium. Network cards filtered traffic in the hardware so that the attached computer would see only its own traffic. Sniffing software disables this filter, putting the card into what is known as promiscuous mode. The software is specially tuned to deal with the flood of traffic, and then either analyzes it or captures it.

These days computers are connected by switches. Rather than distributing network traffic to all ends of the network, switches filter traffic at the hub. This prevents the computer from seeing anybody else's traffic, even when it puts the adapter into promiscuous mode. Attackers must either actively attack the switch/router fabric in order to redirect traffic flows or content themselves with monitoring only the traffic flowing through the box they have compromised.

When network traffic enters the machine, it is first handled by the Ethernet driver. The driver then passes the traffic to the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which will in turn pass it to applications. Sniffing software connects directly to the Ethernet driver and takes a copy of the traffic before the stack sees it. UNIX provides a more open set of interfaces for doing this, whereas Windows systems have provided few tools for this.
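The defender's counterpart to the promiscuous-mode step described above is to check whether any interface on a host has been switched into that mode. The following is an added example, not code from the chapter: it reads the per-interface flags word that the Linux kernel exposes under /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100, as defined in the kernel's if.h). The interface names and flag values in SAMPLE are constructed for the demonstration; the sysfs path is the real kernel interface, but if it is absent (non-Linux host) the code falls back to the constructed sample.

```python
import os
from typing import Dict

# Interface flag bits from the Linux kernel header include/uapi/linux/if.h
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100      # set when the card has been put into promiscuous mode
IFF_MULTICAST = 0x1000


def parse_flags(text: str) -> int:
    """/sys/class/net/<iface>/flags holds one hex word, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in the interface flags word."""
    return bool(flags & IFF_PROMISC)


def audit_interfaces(flag_files: Dict[str, str]) -> Dict[str, bool]:
    """Map interface name -> promiscuous? from {name: contents of its flags file}."""
    return {name: is_promiscuous(parse_flags(body)) for name, body in flag_files.items()}


def read_sysfs_flags(base: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the raw flags files for every interface; empty dict if sysfs is absent."""
    result: Dict[str, str] = {}
    if not os.path.isdir(base):
        return result
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name, "flags")
        try:
            with open(path) as fh:
                result[name] = fh.read()
        except OSError:
            continue                 # virtual entries without a flags file, permission issues
    return result


# Constructed sample (not captured from a real host):
#   eth0: UP|BROADCAST|MULTICAST            -> normal
#   eth1: UP|BROADCAST|PROMISC|MULTICAST    -> sniffer-style promiscuous mode
#   lo:   UP|LOOPBACK                       -> normal
SAMPLE = {
    "eth0": "0x1003\n",
    "eth1": "0x1103\n",
    "lo": "0x9\n",
}

if __name__ == "__main__":
    live = read_sysfs_flags()
    source = "live sysfs" if live else "constructed sample"
    for iface, promisc in audit_interfaces(live or SAMPLE).items():
        state = "PROMISCUOUS" if promisc else "normal"
        print(f"[{source}] {iface}: {state}")
```

Two caveats follow directly from the chapter's own points. First, on a switched network the flag only tells you that this host's card is listening to everything the switch delivers to it, which is mostly its own traffic; it says nothing about whether an attacker has redirected other flows to it. Second, because sniffers ship with rootkits, a compromised kernel can lie about the flag, so this check is a cheap first signal rather than proof of a clean host.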