Subject: The power of the sniffer snoop!
Date: Sun, 17 Jun 2001 12:02:13 +0900
Content-Location: http://www.enteract.com/~lspitz/snoop.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>The power of the sniffer snoop!</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="MSHTML 5.00.3018.900" name=GENERATOR>
<META name=description content="Published article on how to leverage the network sniffer snoop. Article includes examples of command syntax and traffic analysis. Snoop is a powerful tool standard with the Solaris operating system."></HEAD>
<BODY><I><FONT face="Helvetica-Narrow,Arial Narrow"><FONT size=+1>A passive approach to your network security</FONT></FONT></I> <BR><B><FONT face="Helvetica-Narrow,Arial Narrow"><FONT size=+4>The Secrets of Snoop</FONT></FONT></B> <BR><B><FONT face="Palatino,Book Antiqua"><FONT size=-1><A href="mailto:lance@honeynet.org?Subject=The Secrets of Snoop">Lance Spitzner</A></FONT></FONT></B>
<P><B>Sniffers have exploded in popularity over the past several years, from Network General's Netxray and Microsoft's Network Monitor to public domain tools such as Etherman and Curry Sniffer. These tools are used for many purposes, including network troubleshooting, traffic analysis and node discovery. We will be covering one of the most common, yet effective, sniffers: snoop. Of all the sniffers, this is the one standby you always have access to on Solaris. The purpose of this article is to demonstrate how to leverage snoop, with examples focusing on network security.</B> <BR>&nbsp;
<P><B><FONT face="Helvetica-Narrow,Arial Narrow"><FONT size=+2>What is snoop?</FONT></FONT></B>
<P>Snoop is an executable binary that puts your system's network interface in promiscuous mode. In promiscuous mode the interface hands up every frame it sees on the wire, not just the ones addressed to it, so snoop captures all the packets on your network segment, either displayed in real time or written to a capture file. What makes snoop so powerful is the detail of information it provides and the flexibility of the tool.
<P>In the first half of this article we will focus on snoop commands: how to get the information we want. In the second half we will focus on analyzing network traffic with real-world examples, concentrating on security. The examples will be IP, but snoop can be used to capture and analyze other network protocols as well, such as DECnet and AppleTalk. For packet analysis I will be using the standard 7-layer OSI model (see Figure A at the end of this article for a refresher). <BR>&nbsp;
<P><B><FONT face="Helvetica-Narrow,Arial Narrow"><FONT size=+2>How to Use Snoop</FONT></FONT></B>
<P>The first thing you have to decide is whether you want to watch the data in real time or capture packets to a snoop capture file. Most of the time you will capture the data to a file. In real-time mode the data flies across your screen too fast to read; its only real benefit is to give you a quick feel for what traffic is moving on your network. To do some serious analysis, capture your network traffic to a file so you can take your time. Either way, snoop opens the network interface directly, so it must be run as root (hence the # prompt below); by default it listens on the first non-loopback interface, and -d <I>interface</I> selects another.
<P>To capture data to a file, the command is <BR><FONT face="Courier New,Courier"><FONT size=-1># snoop -o <I>filename</I></FONT></FONT>
<P>This saves the raw packets in binary form to <I>filename</I> (the snoop capture file format, documented in RFC 1761). To see data in real time, omit "-o <I>filename</I>"; otherwise all command syntax is the same for snoop.
<P>Next we need to determine how many packets to capture. If no count is given, snoop will continue to gather packets until you press Ctrl-C or run out of disk. To set the count, use -c:
<P><FONT face="Courier New,Courier"><FONT size=-1># snoop -o <I>filename</I> -c 1000</FONT></FONT>
<P>How long this takes depends on the traffic on the segment; on a typical 10 Mbps network, 1000 packets take about 60 seconds.
<P>Next, we want to determine what level of detail we need. Snoop output comes in three flavors: summary (the default), verbose summary (-V) and verbose (-v). Summary gives us the least information: one line per packet with the source, destination and only the highest protocol layer snoop can decode (layer 5, 6 or 7). Below is a single packet in summary mode. This is the 27th packet captured; it shows a Telnet connection between squirrel and my school account, and 0.01743 is the time, in seconds, between packet 26 and packet 27.
<P><FONT face="Courier New,Courier"><FONT size=-1>27   0.01743 squirrel -&gt; ICARUS.CC.UIC.EDU TELNET C port=45330</FONT></FONT>
<P>Verbose summary (-V) gives us every layer of the OSI model that snoop decodes (layers 2, 3, 4 and 5, 6 or 7), but in summarized fashion, one line for each layer. Below we see packet 27 again. Notice it gives us layer 2 (ETHER), layer 3 (IP), layer 4 (TCP) and layer 7 (TELNET). Note how it also gives the Syn flag and the Seq (sequence number). There is no Ack (acknowledgement number), so this is the first packet of the three-way handshake, the client's SYN that opens this Telnet session.
<PRE>
27   0.01743 squirrel -&gt; ICARUS.CC.UIC.EDU ETHER Type=0800 (IP), size = 58 bytes
27   0.01743 squirrel -&gt; ICARUS.CC.UIC.EDU IP  D=128.248.121.53 S=208.194.41.20 LEN=44, ID=6082
27   0.01743 squirrel -&gt; ICARUS.CC.UIC.EDU TCP D=23 S=45330 Syn Seq=678057692 Len=0 Win=8760
27   0.01743 squirrel -&gt; ICARUS.CC.UIC.EDU TELNET C port=45330
</PRE>
<P>Verbose (-v) gives us all the gory details of each packet, down to the individual bits of every header. Below is packet 27 in verbose mode. Here we see the layer 2 (Ethernet), layer 3 (IP) and layer 4 (TCP) headers in detail, followed by the empty Telnet payload. See <A href="http://info.internet.isi.edu/in-notes/rfc/files/rfc894.txt">RFC 894</A> (Ethernet), <A href="http://info.internet.isi.edu/in-notes/rfc/files/rfc791.txt">791</A> (IP) and <A href="http://info.internet.isi.edu/in-notes/rfc/files/rfc793.txt">793</A> (TCP) for the specific header definitions. A few things worth checking against the listing: the 58-byte frame is the 14-byte Ethernet header plus the 44-byte IP total length; IP flags 0x4 is the Don't Fragment bit; TCP flags 0x02 is SYN alone; and the 24-byte TCP data offset is the 20-byte header plus the 4-byte maximum segment size option, which leaves no data in this packet (44 - 20 - 24 = 0).
<PRE>
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 27 arrived at 10:40:36.07
ETHER: Packet size = 58 bytes
ETHER: Destination = 8:0:20:8d:fc:d2, Sun
ETHER: Source      = 8:0:20:c:df:aa, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 44 bytes
IP:   Identification = 6082
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 7005
IP:   Source address = 208.194.41.20, squirrel
IP:   Destination address = 128.248.121.53, ICARUS.CC.UIC.EDU
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 45330
TCP:  Destination port = 23 (TELNET)
TCP:  Sequence number = 678057692
TCP:  Acknowledgement number = 0
TCP:  Data offset = 24 bytes
TCP:  Flags = 0x02
TCP:        ..0. .... = No urgent pointer
TCP:        ...0 .... = No acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..1. = Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x517a
TCP:  Urgent pointer = 0
TCP:  Options: (4 bytes)
TCP:    - Maximum segment size = 1460 bytes
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:
</PRE>
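<P>To make the listing concrete, here is an added example (not code from the article) that rebuilds packet 27 byte for byte from the field values above, recomputes the IP and TCP checksums, and writes the frame to a minimal snoop capture file of the kind "-o" produces and "-i" reads back, in the format documented in RFC 1761. The frame contents are the ones in the verbose listing; the capture timestamp and the record padding are assumptions about a file the article never shows. Both recomputed checksums come out to 7005 and 0x517a, exactly the values snoop printed, which is a handy way to confirm you have the header layouts right.

```python
"""Packet 27 from the verbose listing, rebuilt byte for byte and round-tripped
through a minimal RFC 1761 snoop capture file (the format 'snoop -o' writes).
Added example, not code from the article.  Header field values come from the
verbose listing; the capture timestamp is an assumption."""
import socket
import struct

SNOOP_MAGIC = b"snoop\0\0\0"             # RFC 1761 file header: magic, version, datalink
SNOOP_VERSION = 2
DLT_ETHERNET = 4
RECORD_HDR = struct.Struct("!IIIIII")    # orig len, incl len, record len, drops, secs, usecs


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, used by both the IP and the TCP header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(addr: str) -> bytes:
    return bytes(int(octet, 16) for octet in addr.split(":"))


def build_packet27() -> bytes:
    """Ethernet + IP + TCP SYN exactly as the -v listing describes it (58 bytes)."""
    ether = mac("8:0:20:8d:fc:d2") + mac("8:0:20:c:df:aa") + b"\x08\x00"
    src = socket.inet_aton("208.194.41.20")        # squirrel
    dst = socket.inet_aton("128.248.121.53")       # ICARUS.CC.UIC.EDU
    # version/IHL, TOS, total length, ID, flags 0x4 (DF) + offset 0, TTL, proto, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 6082, 0x4000, 255, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    mss_option = b"\x02\x04\x05\xb4"               # kind 2, length 4, MSS 1460
    # sport, dport, seq, ack, data offset 6 words (24 bytes), flags SYN, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", 45330, 23, 678057692, 0, 6 << 4, 0x02, 8760, 0, 0)
    tcp += mss_option
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    return ether + ip + tcp


def write_snoop(records) -> bytes:
    """Serialize (secs, usecs, frame) tuples into an RFC 1761 capture file."""
    out = bytearray(SNOOP_MAGIC + struct.pack("!II", SNOOP_VERSION, DLT_ETHERNET))
    for secs, usecs, frame in records:
        pad = -len(frame) % 4                      # records are padded to 4-byte multiples
        out += RECORD_HDR.pack(len(frame), len(frame), RECORD_HDR.size + len(frame) + pad,
                               0, secs, usecs)
        out += frame + b"\0" * pad
    return bytes(out)


def read_snoop(blob: bytes):
    """Yield (timestamp, frame) from a capture file; this is what 'snoop -i' parses."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, dlt = struct.unpack("!II", blob[8:16])
    if version != SNOOP_VERSION or dlt != DLT_ETHERNET:
        raise ValueError("unsupported snoop version %d / datalink %d" % (version, dlt))
    off = 16
    while off + RECORD_HDR.size <= len(blob):
        _orig, incl, rec_len, _drops, secs, usecs = RECORD_HDR.unpack_from(blob, off)
        start = off + RECORD_HDR.size
        yield secs + usecs / 1e6, blob[start:start + incl]
        off += rec_len


def summarize(frame: bytes) -> dict:
    """Decode the fields snoop prints on its -V lines for an Ethernet/IP/TCP frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto, ip_cksum = struct.unpack("!HHHBBH", frame[16:26])
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport, seq, ack = struct.unpack("!HHII", frame[t:t + 12])
    data_off, tcp_flags = (frame[t + 12] >> 4) * 4, frame[t + 13]
    window, tcp_cksum = struct.unpack("!HH", frame[t + 14:t + 18])
    return dict(ethertype=ethertype, size=len(frame), src=src, dst=dst, ip_len=total_len,
                ip_id=ident, df=bool(flags_frag & 0x4000), ttl=ttl, proto=proto,
                ip_cksum=ip_cksum, sport=sport, dport=dport, seq=seq, ack=ack,
                syn=bool(tcp_flags & 0x02), window=window, tcp_cksum=tcp_cksum,
                payload=len(frame) - t - data_off)


def roundtrip_packet27() -> dict:
    """Write packet 27 to an in-memory capture file, read it back and summarize it."""
    capture = write_snoop([(960000000, 70000, build_packet27())])  # timestamp assumed
    records = list(read_snoop(capture))
    _ts, frame = records[0]
    return summarize(frame)


if __name__ == "__main__":
    s = roundtrip_packet27()
    print("%(src)s -> %(dst)s TCP D=%(dport)d S=%(sport)d %(flag)s Seq=%(seq)d "
          "Len=%(payload)d Win=%(window)d" % dict(s, flag="Syn" if s["syn"] else ""))
    print("IP checksum %04x, TCP checksum %04x" % (s["ip_cksum"], s["tcp_cksum"]))
```

Run as a script it prints a -V style TCP line followed by the two checksums. The same RFC 1071 sum serves both headers; the only difference is the pseudo-header (addresses, protocol and length) that TCP prepends, which is why a TCP checksum cannot be verified without looking at the IP header around it.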
<P>No one level of detail is "better" than another; it depends on what type of information you are looking for. Keep in mind, however, that snoop can be resource intensive. In verbose mode snoop may overwhelm the system, forcing it to drop packets depending on your network traffic. In some cases you may have to use a dedicated server for snoop, depending on the verbosity level and the number of packets gathered. The detail flags only control what is displayed: when you write to a file with -o, snoop stores the complete packets and shows just a running count, so the level you name at capture time costs nothing and you choose the display level when you read the file back. For example, to capture 1000 packets to a file (the -V is harmless here but changes nothing about what is stored):
<P><FONT face="Courier New,Courier"><FONT size=-1># snoop -V -o <I>filename</I> -c 1000</FONT></FONT>
<P>To read a capture file, use -i <I>filename</I>. Because the file holds the whole packets, you can read it in summary, verbose summary or verbose mode regardless of how it was captured. I recommend you scan through the capture file in summary mode, identify which packets are interesting, then view specific packets in verbose mode. To look at specific packets, use -p <I>first</I>,<I>last</I>; a single number selects one packet, and numbering starts at 1. Below is an example of looking at packets 10 through 32, and then packet 56 on its own, in verbose mode.
<P><FONT face="Courier New,Courier"><FONT size=-1>snoop -i <I>filename</I> -v -p 10,32<BR>snoop -i <I>filename</I> -v -p 56</FONT></FONT>
<P>Now let's leverage the true power of snoop. Snoop has a filter language that lets us focus on the type of packets we capture, be it by source, destination, protocol layer and so on. Here we will cover some of the most commonly used primitives; for the complete grammar, be sure to read the snoop(1M) man page.
<P>First, we can select which systems will be snooped, by MAC address (layer 2) or by IP address or host name (layer 3). This limits what packets are captured at the interface, which also keeps the capturing host from being overwhelmed. A bare address or host name matches packets either to or from that node. If there are several, combine them with "and" or "or". You can narrow the expression further with the qualifier "from" or "to", which matches only the source or only the destination address; "!" or "not" performs a logical NOT; and the expression "net" matches all packets belonging to a specific network. As in most filter languages, "and" binds tighter than "or", so when you mix the two, group with parentheses, quoted so that the shell leaves them alone. The command below captures all packets coming from zeus, all packets going to 8:0:20:f1:b3:51, and all packets on the network 192.168.3.0 except those involving 192.168.3.58. Note that the host name zeus must be resolvable, whether through /etc/hosts or DNS.
<P><FONT face="Courier New,Courier"><FONT size=-1># snoop -o <I>filename</I> from zeus or to 8:0:20:f1:b3:51 or '(' net 192.168.3.0 and not 192.168.3.58 ')'</FONT></FONT>
<P>Just as we can qualify specific hosts or networks at layer 2 or 3, we can limit the packets captured at layers 4, 5, 6 and 7. At layer 4 we can qualify "tcp", "udp" or "icmp" (strictly, RFC 792 makes ICMP a layer 3 protocol, but I have placed it here to reflect snoop's man page). For layers 5, 6 and 7 use the qualifiers "port" and "rpc", which take numbers or the names listed in /etc/services and /etc/rpc. The command below captures all DNS or NFS packets; because "rpc nfs" selects by RPC program number rather than by port, it catches NFS whatever port the server happens to use.
<P><FONT face="Courier New,Courier"><FONT size=-1># snoop -o <I>filename</I> -V port domain or rpc nfs</FONT></FONT>
<P><B><FONT face="Helvetica-Narrow,Arial Narrow"><FONT size=+2>Snoop and Security</FONT></FONT></B>
<P>Now that we have covered the flexibility of snoop, let's apply it to your network security. With snoop you silently sit on the network and capture data. Unlike active measures, such as network discovery using ICMP, snoop transmits nothing and so does not alert anyone to its presence. This allows you to analyze the security of your network without notifying anyone. Snoop can also run over a long period of time, whereas active measures sample a single point in time: if a server is down for several minutes while you are pinging the network, you will miss it, but snoop will pick up such servers as long as they eventually send or receive traffic.
<P>Snoop does two critical things for security: it tells you who is on your network, and what they are doing. First identify what your security concern is, then configure snoop to find that information.
<P>Often, a security concern is having a node or gateway on your network that you do not know about. This node could be an innocent dial-up server, or a gateway a hacker set up. I know of a company where an unknown Internet connection was recently identified with a sniffer. Active measures tell you who is on the network only if the machine is on when you probe. But what if a node is on only at night, or has been configured not to send ICMP echo replies? Using the qualifiers we covered above, snoop can record every address that talks on your network over days or weeks, and with a Perl or shell script you can parse that output, compare the addresses against your inventory, and identify unknown nodes.
<P>Another security issue is what is going on on your network. You may be concerned about specific websites or downloads; perhaps you are concerned that users are downloading the latest hacker attacks. You can snoop your network looking for FTP downloads from known sites. I know of a recent incident where an employee was identified doing this during a routine network analysis.
<P>Perhaps you have several critical servers that have been hit with denial of service attacks, such as land.c or ping of death. To spot land.c, look for packets whose source and destination address (and port) are the same; snoop's filter language has no "source equals destination" primitive, so capture the traffic to the servers concerned and let a script compare the two fields. For ping of death, look for ICMP packets with extremely large lengths; because no single Ethernet frame carries more than 1500 bytes, an oversized ping arrives as a train of fragments sharing one IP identification number, and only the first fragment is decoded as ICMP in snoop's summary.
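<P>As an added example (not code from the article), the script below applies three of the checks just described to snoop -V output: unknown nodes on the local networks, land.c-style packets whose source equals their destination, and oversized ICMP. The sample output is constructed: packet 27 is copied from the listing earlier in the article, and packets 28 to 30 are invented to trigger each check. The local networks, the host inventory and the 1024-byte ICMP threshold are assumptions to be replaced with your own. It reads the addresses from the IP line of each packet rather than the host names snoop resolves, so a node that sets up reverse DNS for itself cannot hide.

```python
"""Unknown local nodes, land.c packets and oversized ICMP found in 'snoop -V'
output.  Added example, not code from the article: the sample lines are
constructed (packet 27 copied from the article, 28-30 invented) and the
networks, inventory and size threshold are assumptions."""
import re
from ipaddress import ip_address, ip_network

SAMPLE_SNOOP_V = """\
27   0.01743 squirrel -> ICARUS.CC.UIC.EDU ETHER Type=0800 (IP), size = 58 bytes
27   0.01743 squirrel -> ICARUS.CC.UIC.EDU IP  D=128.248.121.53 S=208.194.41.20 LEN=44, ID=6082
27   0.01743 squirrel -> ICARUS.CC.UIC.EDU TCP D=23 S=45330 Syn Seq=678057692 Len=0 Win=8760
27   0.01743 squirrel -> ICARUS.CC.UIC.EDU TELNET C port=45330
28   0.00412 10.1.1.5 -> 10.1.1.5 ETHER Type=0800 (IP), size = 60 bytes
28   0.00412 10.1.1.5 -> 10.1.1.5 IP  D=10.1.1.5 S=10.1.1.5 LEN=40, ID=1
28   0.00412 10.1.1.5 -> 10.1.1.5 TCP D=139 S=139 Syn Seq=1 Len=0 Win=512
29   0.00098 10.1.1.9 -> fileserver ETHER Type=0800 (IP), size = 1514 bytes
29   0.00098 10.1.1.9 -> fileserver IP  D=10.1.1.20 S=10.1.1.9 LEN=1500, ID=7
29   0.00098 10.1.1.9 -> fileserver ICMP Echo request (ID: 1 Sequence number: 0)
30   0.00200 squirrel -> 192.168.3.200 ETHER Type=0800 (IP), size = 74 bytes
30   0.00200 squirrel -> 192.168.3.200 IP  D=192.168.3.200 S=208.194.41.20 LEN=60, ID=44
30   0.00200 squirrel -> 192.168.3.200 UDP D=53 S=33445 LEN=40
30   0.00200 squirrel -> 192.168.3.200 DNS C www.example.com. Internet Addr ?
"""

# "<num> <delta> <src> -> <dst> <LAYER> <rest>" is common to every -V line.
LINE_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*(.*)$")
IP_RE = re.compile(r"D=(\S+)\s+S=(\S+)\s+LEN=(\d+)")


def parse_snoop_v(text):
    """Group the one-line-per-layer -V output back into one record per packet."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, layer, rest = int(m.group(1)), m.group(2), m.group(3)
        pkt = packets.setdefault(num, {"num": num, "layers": []})
        pkt["layers"].append(layer)
        if layer == "IP":
            ipm = IP_RE.search(rest)
            if ipm:
                pkt["dst"], pkt["src"] = ipm.group(1), ipm.group(2)
                pkt["length"] = int(ipm.group(3))
    return [packets[n] for n in sorted(packets)]


def is_local(addr, local_nets):
    try:
        return any(ip_address(addr) in net for net in local_nets)
    except ValueError:          # a name rather than an address: not ours to judge
        return False


def unknown_local_nodes(packets, local_nets, inventory):
    """Addresses inside our own networks that the inventory does not list."""
    seen = {a for p in packets for a in (p.get("src"), p.get("dst"))
            if a and is_local(a, local_nets)}
    return sorted(seen - set(inventory), key=ip_address)


def land_packets(packets):
    """land.c sends a SYN whose source address (and port) equals its destination."""
    return [p["num"] for p in packets if p.get("src") and p["src"] == p["dst"]]


def oversized_icmp(packets, threshold=1024):
    """Ping of death.  A normal ping is under 100 bytes; on Ethernet the attack
    arrives as fragments, and only the first (at the 1500-byte MTU) decodes as ICMP."""
    return [p["num"] for p in packets
            if "ICMP" in p["layers"] and p.get("length", 0) > threshold]


def report(text=SAMPLE_SNOOP_V):
    packets = parse_snoop_v(text)
    local_nets = [ip_network("10.1.1.0/24"), ip_network("192.168.3.0/24")]  # assumed
    inventory = {"10.1.1.9", "10.1.1.20"}                                    # assumed
    return {"unknown": unknown_local_nodes(packets, local_nets, inventory),
            "land": land_packets(packets),
            "big_icmp": oversized_icmp(packets)}


if __name__ == "__main__":
    for check, hits in report().items():
        print("%-9s %s" % (check + ":", hits))
```

In practice you would feed it the output of snoop -i <I>filename</I> -V over a capture taken at the router segment; the per-packet record keeps every decoded layer, so adding a check for, say, FTP retrievals from a watch list is a matter of one more function over the same parsed list.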
<P>So far we have discussed what snoop can do; now we will cover what snoop cannot do. Snoop only records packets that cross the interface it is listening on. On a shared segment (a hub) that is every packet in the collision domain, but a switch forwards each Ethernet frame only to the port that owns its destination MAC (layer 2) address. In a switched environment snoop, like most sniffers, therefore sees only the traffic to and from its own host plus broadcasts and multicasts, unless the switch is configured to mirror other ports to the one snoop is on.
<P>Where you snoop is just as important as what you snoop. If you want to monitor all the traffic between your network and the Internet, place your sniffer on the Internet router segment, the choke point every such packet must cross. There you are capturing all Internet traffic and are no longer limited to a single collision domain.
<P>This limitation of sniffers can also be used to your advantage. A common tactic of hackers is to compromise a system and install a sniffer on it. Once compromised, the system picks up the user names and passwords of everyone sharing its segment. Several months ago, the SANS Institute was compromised by this same method. A prime target for this are systems on your DMZ, the network segment between your Internet router and firewall. Companies often place poorly secured systems outside the firewall, such as web servers, and once compromised these systems make excellent platforms for capturing user names and passwords. To protect your network, place these systems behind a switch. If compromised, they are still isolated in their own collision domain, which limits what a sniffer on them can see (note: if possible, hard-code the MAC address allowed on each switch port). Keep in mind that a switch raises the bar rather than closing the door: an attacker who can overflow the switch's address table or spoof ARP replies can still pull other ports' traffic to his own, so treat switching as one layer of defense and keep moving logins to protocols that encrypt credentials.
<P>Snoop is an extremely powerful and flexible tool. Its uses are as varied as its qualifiers. The ideas and concepts covered in this article are only an introduction to its capabilities.
<P><B><FONT face=Helvetica,Arial>Figure A</FONT></B> <BR><I><FONT face=Helvetica,Arial>OSI 7 Layer Model</FONT></I> <BR><I><FONT face=Helvetica,Arial>The OSI model (Open Systems Interconnection model) was developed in the late 1970s by the International Organization for Standardization (ISO). The seven-layer model is an international standard that allows systems to communicate with each other as if they were the same system. Each layer has a specific purpose, independent of the others. A packet starts at the application layer, works its way down the stack, and is then sent to the other system. The other system receives the packet at the physical layer and passes it back up the stack. Not all layers, specifically 5 and 6, need be used.</FONT></I>
<P><B><FONT face="Palatino,Book Antiqua"><FONT size=-1>Layer 7 Application (SMTP, TELNET)</FONT></FONT></B> <BR><I>Defines the network applications.</I>
<P><B>Layer 6 Presentation (Encryption)</B> <BR><I>Data translation (format of the data)</I>
<P><B>Layer 5 Session</B> <BR><I>Establishes, maintains, and disconnects a communications link between two stations on a network</I>
<P><B>Layer 4 Transport (TCP, UDP)</B> <BR><I>Provides for end-to-end transmission of data</I>
<P><B>Layer 3 Network (IP, IPX, AppleTalk)</B> <BR><I>Controls forwarding of packets between stations.</I>
<P><B>Layer 2 Data Link (Ethernet, Token Ring)</B> <BR><I>Physical addressing, synchronizes transmission and handles frame-level error control and recovery</I>
<P><B>Layer 1 Physical (UTP, Fiber)</B> <BR><I>Method used to transmit data (media, voltage, etc)</I> <BR>&nbsp;
<P><B><I><FONT face="Helvetica-Narrow,Arial Narrow">Author's bio</FONT></I></B>
<BR><I>Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an <A href="http://www.enteract.com/~lspitz/officer.html">Officer in the Rapid Deployment Force,</A> where he blew up things of a different nature. You can reach him at <A href="mailto:lance@honeynet.org">lance@honeynet.org</A>.</I>
<BR>&nbsp; <BR>&nbsp; <BR>&nbsp;
<CENTER>
<TABLE border=5>
  <TBODY>
  <TR>
    <TD><I><FONT face=Braggadocio><FONT color=#800000><FONT size=+2><A href="http://www.enteract.com/~lspitz/pubs.html">Whitepapers / Publications</A></FONT></FONT></FONT></I></TD></TR></TBODY></TABLE></CENTER></BODY></HTML>

