
Saturday, July 14, 2007

Sniffer - best tools to get passwords

An Introduction.

A sniffer is a program that sets the desired NIC (Network Interface Card, also known as an Ethernet card) into promiscuous mode.

The most common way of networking computers is through Ethernet. The Ethernet protocol works by broadcasting packets to all hosts on the network, with the packet header containing the address of the machine that is meant to receive the packet. All others are supposed to ignore it. A NIC that is accepting all packets, regardless of the intended machine, is said to be in promiscuous mode. A sniffer is also often called a "network analyzer", mostly by companies that don't want their products (sniffers) to be called, and considered, "hack tools". Despite the different name, it is the same thing.

A sniffer attack is commonly used to grab logins and passwords that are travelling around on the network. This is what is known as a passive attack, because the attacker doesn't directly interact with any machine he/she may be trying to compromise.

NOTE: Ethernet was built around a "shared" principle: all machines on a local network share the same wire. This implies that all machines are able to "see" all the traffic on the same wire. Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does this by ignoring all frames whose destination MAC address doesn't match its own. A wiretap program turns off this filter, putting the Ethernet hardware into "promiscuous mode". E.g. CyNoS^M can see all the traffic between {SisQo^M} and his girlfriend, as long as they are on the same Ethernet wire.

Things to remember.

Some things to remember when working with sniffers:

  • Generally, you'll only need to capture the first few bytes if you are trying to get logins/passwords, as this is usually where that information is located.
  • If you are capturing the entire session (depending on how busy the network is) a lot of hard disk space will be used up.
  • If you are monitoring more than one connection (some sniffers monitor all, some just one) a lot of hard disk space will be used up, as well as a lot of RAM.
  • If you are using a lot of RAM/hard disk space, you'll probably get noticed. Thus, it may be a good idea to replace some utilities such as ps and ifconfig, so that you'll not be noticed.

Where to find sniffers.

Windows:

  1. PASniffer: here (you can find it in the "Others" section too)
  2. Ethereal: ftp://ethereal.zing.org/pub/ethereal/win32/
  3. WinDump: http://netgroup-serv.polito.it/windump/
  4. Network Associates Sniffer: http://www.nai.com/mktg/survey.asp?type=d&code=2483
  5. Analyzer: http://netgroup-serv.polito.it/analyzer/
  6. EtherDetect (packet sniffer): http://www.etherdetect.com/download.htm
  7. HttpDetect (http sniffer): http://www.effetech.com/download/
  8. PassDetect (passwords sniffer): http://www.effetech.com/download/

Macintosh:

  1. EtherPeek: http://www.aggroup.com/

Unix:

  1. TcpDump: http://www.tcpdump.org/
  2. Ethereal: http://ethereal.zing.org/
  3. Sniffit: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
  4. Karpski: http://niteowl.userfriendly.net/linux/RPM/karpski.html
  5. SuperSniffer: http://www.mobis.com/~ajax/projects/

DOS:

  1. Gobbler and Beholder: http://nmrc.org/files/msdos/gobbler.zip

Protection against sniffing.

  • Use switched networks: on a switched network, only the packets meant for a particular host reach its NIC. This limits the damage a sniffer can do.
  • Use encryption technologies:
      1. SSH
      2. IP Security Protocol (IPsec)
      3. SMB/CIFS: In the Windows/SAMBA environment, make sure that you have the older LanManager authentication turned off. This requires SAMBA v2 or later, WinNT SP3 or later, and so on.
      4. Kerberos v5: Both Windows 2000 and UNIX provide support for Kerberos authentication. This is one of the strongest generic mechanisms available. ftp://aeneas.mit.edu/pub/kerberos/doc/KERBEROS.FAQ
      5. Smart cards: There are numerous smart card implementations around providing one-time passwords. These are often used when connecting remotely, either dial-in or VPN across the Internet.
      6. Stanford SRP (Secure Remote Password): enhancements to Telnet and FTP for UNIX and Windows. http://srp.stanford.edu/srp/
  • Other tools (for detecting sniffers on your network):
      1. AntiSniff: http://www.l0pht.com/antisniff/
      2. CPM (Check Promiscuous Mode): ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/
      3. Sentinel: http://www.packetfactory.net/Projects/sentinel/
      4. Neped: http://www.apostols.org/projectz/neped/
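As an added example (not from the original post, and not the code of CPM or any other tool listed above), the following Python script does on Linux what a local "check promiscuous mode" tool does: it reads each interface's flags word from sysfs and tests the IFF_PROMISC bit (0x100, as defined in linux/if.h), which the kernel sets whenever a capture program has put the card into promiscuous mode. Reading sysfs directly instead of calling ifconfig matters given the note above about attackers replacing ps and ifconfig, although a kernel-level rootkit could still hide the flag. The sysfs-like tree built in demo() is constructed for offline use; its interface names and flag values are made up.

```python
"""Added example: check Linux interfaces for promiscuous mode via sysfs.

Each /sys/class/net/<iface>/flags file holds the interface's net_device
flags as a hex word. IFF_PROMISC (0x100, from <linux/if.h>) is set whenever
something, e.g. a packet-capture tool, has put the card into promiscuous mode.
"""
import tempfile
from pathlib import Path

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # receive all frames, not just those addressed to this MAC


def parse_flags(text: str) -> int:
    """Parse the contents of a sysfs 'flags' file, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in the flags word."""
    return bool(flags & IFF_PROMISC)


def scan_interfaces(sysfs_root: str = "/sys/class/net") -> dict:
    """Return {interface_name: flags} for every interface under sysfs_root.

    Returns an empty dict on systems without sysfs (non-Linux), so the
    caller can tell 'nothing found' apart from 'could not check'.
    """
    root = Path(sysfs_root)
    results = {}
    if not root.is_dir():
        return results
    for iface in sorted(root.iterdir()):
        try:
            results[iface.name] = parse_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue  # entries without a readable flags file are skipped
    return results


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of interfaces that are up and in promiscuous mode."""
    return sorted(
        name for name, flags in scan_interfaces(sysfs_root).items()
        if flags & IFF_UP and is_promiscuous(flags)
    )


def build_fake_sysfs(base: str, flags_by_iface: dict) -> str:
    """Write a constructed sysfs-like tree (for offline demonstration only)."""
    for name, flags in flags_by_iface.items():
        d = Path(base) / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text(f"0x{flags:x}\n")
    return base


def demo() -> list:
    """Run the check against a constructed tree; names and flags are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp, {
            "lo":   0x49,    # UP | LOOPBACK | RUNNING
            "eth0": 0x1003,  # UP | BROADCAST | MULTICAST: a normal interface
            "eth1": 0x1103,  # same, plus PROMISC: something is capturing here
            "eth2": 0x1102,  # PROMISC bit set, but the interface is down
        })
        return promiscuous_interfaces(tmp)


if __name__ == "__main__":
    print("constructed tree:", demo())  # ['eth1']
    print("this host:", promiscuous_interfaces() or "none (or no sysfs)")
```

Run it on a Linux host while a capture tool is active on an interface and that interface appears in the output; run it on the constructed tree and only eth1 is reported, because eth2 has the bit set but is down. Remote detectors such as AntiSniff or Neped work differently, by probing hosts over the network rather than reading local kernel state.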
