Packet sniffing is a form of wire-tap applied to computer networks instead of phone networks. It came into vogue with Ethernet, which is known as a "shared medium" network. This means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic.
Today's networks are increasingly employing "switch" technology, preventing this technique from being as successful as in the past. It is still useful, though, as it is becoming increasingly easy to install remote sniffing programs on servers and routers, through which a lot of traffic flows.
Today's networks may already contain built-in sniffing modules. Most hubs support the RMON standard, which allows the intruder to sniff remotely using SNMP, which has weak authentication. Many corporations employ Network Associates "Distributed Sniffer Servers", which are set up with easy-to-guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed, which again allows for remote sniffing.
Packet sniffing is difficult to detect, but it can be done. The difficulty of the solution means that in practice, it is rarely done.
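One routine host-side check an administrator can run is whether any interface has been placed in promiscuous mode, the state a sniffing program needs in order to turn off the card's address filter. The following is an added example, not code from the original page: it reads the IFF_PROMISC bit from Linux's /sys/class/net and also parses the PROMISC flag out of `ip -o link show` output; the sysfs path is assumed to be the standard one and the `ip` output embedded below is a constructed sample.

```python
import os
import re

# Linux interface flag bit for promiscuous mode (net/if.h: IFF_PROMISC)
IFF_PROMISC = 0x100


def is_promiscuous(flags_hex: str) -> bool:
    """Return True if a hex flags value (as read from
    /sys/class/net/<iface>/flags) has the IFF_PROMISC bit set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces_sysfs(root: str = "/sys/class/net") -> list:
    """List interfaces whose sysfs flags show promiscuous mode.
    Returns an empty list if the sysfs tree is unavailable (assumed path)."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as f:
                if is_promiscuous(f.read()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable
    return found


# Matches lines such as "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 ..."
_IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promiscuous_interfaces_iplink(output: str) -> list:
    """Parse `ip -o link show` output and return interfaces flagged PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


# Constructed sample of `ip -o link show` output: eth1 is in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

if __name__ == "__main__":
    print("sysfs:", promiscuous_interfaces_sysfs())
    print("sample ip link:", promiscuous_interfaces_iplink(SAMPLE_IP_LINK))
```

A PROMISC flag is a prompt to investigate rather than proof of a sniffer: bridges and monitoring tools set it legitimately, and a kernel-level sniffer can hide it, which is part of why detection is rarely done in practice.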
The popularity of packet sniffing stems from the fact that it sees everything. Typical items sniffed include:
- SMTP, POP, IMAP traffic
  - Allows the intruder to read the actual e-mail.
- POP, IMAP, HTTP Basic, Telnet authentication
  - Reads passwords off the wire in clear-text.
- SMB, NFS, FTP traffic
  - Reads files off the wire.
- SQL database
  - Reads financial transactions and credit card numbers.
Not only can sniffing read information that helps break into a system, it is an intrusion by itself because it reads the very files the intruder is interested in.
This technique can be combined with active transmission for even more effective attacks.
- IP spoofing
  - When the sniffing program is on a segment between two communicating end points, the intruder can impersonate one end in order to hijack the connection. This is often combined with a denial of service (DoS) attack against the forged address so that it does not interfere anymore.
- raw transmit
  - Allows abnormal traffic to be generated, such as TCP SYN floods, overlapped fragments, illegal fragments, and TCP fingerprinting. The best attack is severe fragmentation, which fragments the TCP header in order to prevent firewalls from filtering by port number.
Packet sniffing tools are usually written by hackers. There are many extensions for pulling desired data off the network. The most popular are password sniffing programs.
- Internet Hacking For Dummies - Wired news article, featuring sniffing
- Argentine Hacker Pleads Guilty - The bell has tolled for Julio Cesar Ardita, the Argentine hacker who was traced with a court-ordered computer network "wiretap" (the first ever of its kind) after his activities were detected in 1995.