ch12.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 12 -- Sniffers</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch11/ch11.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch13/ch13.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">12</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Sniffers</FONT></H1>
</CENTER>
<P>A <I>sniffer</I> is any device, whether software or hardware, that grabs information
traveling along a network. That network could be running any protocol: Ethernet,
TCP/IP, IPX, or others (or any combination of these). The purpose of the sniffer
to place the network interface--in this case, the Ethernet adapter--into promiscuous
mode and by doing so, to capture all network traffic.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><I><B> </B>Promiscuous</I> <I>mode</I> refers
	to that mode where all workstations on a network listen to all traffic, not simply
	their own. In other words, non-promiscuous mode is where a workstation only listens
	to traffic route it its own address. In promiscuous mode, the workstation listens
	to all traffic, no matter what address this traffic was intended for. 
<HR>


</BLOCKQUOTE>

<P>When one discusses sniffers, one is not discussing <I>key capture utilities</I>,
which grab keystrokes and nothing more. Essentially, a key capture utility is the
software equivalent of peering over someone's shoulder. This peering might or might
not reveal important information. True, it might capture passwords typed into the
console of the local terminal, but what about other terminals? In contrast, sniffers
capture network traffic. This network traffic (irrespective of what protocol is running)
is composed of <I>packets</I> (these might be IP datagrams or Ethernet packets).
These are exchanged between machines at a very low level of the operating-system
network interface. However, these also carry vital data, sometimes very sensitive
data. Sniffers are designed to capture and archive that data for later inspection.
<H2><FONT COLOR="#000077"><B>About Ethernet</B></FONT></H2>
<P>As I have discussed, Ethernet was created at Xerox's Palo Alto Research Center.
(Sometimes referred to as <I>PARC Place.</I>) You might remember an RFC document
that I presented earlier in this book: It was posted over a Christmas holiday and
discussed the issue of hackers gaining access to a network that would soon become
the Internet. The author of that RFC was Bob Metcalfe, who, along with David Boggs
(both at PARC), invented Ethernet.</P>
<P>In 1976, these two gentlemen presented to the computing communities a document
titled <I>Ethernet: Distributed Packet Switching for Local Computer Networks</I>.
The ideas set forth in that paper revolutionized business-based computing. Prior
to the birth of Ethernet, most large networks were strung to mainframe computers
(in even earlier years, most systems were based on computer time sharing).</P>
<P>Today, Ethernet is probably the most popular way to network machines. A group
of machines within an office that are linked via Ethernet might be referred to as
a <I>local area network </I>(LAN). These machines are strung together with high-speed
cable that transfers information as quickly (or sometimes much more quickly) than
most hard drives.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>You might remember that in Chapter
	6, &quot;A Brief Primer on TCP/IP,&quot; I noted that one element of TCP/IP networking
	was the full-duplex transmission path, which allows information to travel in both
	directions at one time, a common situation in TCP/IP that is especially vital to
	the error-reporting process during a transmission (a typical example might be during
	a FTP transfer). Ethernet does not truly support full-duplex transmission and therefore,
	although Ethernet interfaces are advertised as being capable of extremely high-speed
	transmission, you can expect only perhaps 50-75 percent of the actual advertised
	speed when using Ethernet on a high-traffic network. If you were to employ a packet
	sniffer, you would see that while a card is receiving a heavy transmission of data
	from some card elsewhere on the network, it cannot also send data out with any great
	reliability. That represents an interesting security issue of sorts. For example,
	can an Ethernet card answer an ARP request while being bombarded with data? If not,
	couldn't a cracker temporarily conduct an ARP spoofing session under such circumstances?
	At any rate, there are switching products that can remedy this limitation. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>The Composition of an Ethernet Network</B></FONT></H3>
<P>The composition of a network is complex. First, in order for each machine to be
part of a network, it must have both software and hardware designed to traffic Ethernet
packets. The four minimal components necessary are illustrated in Figure 12.1.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>Figure 12.1.</B></A><B><BR>
</B><I>The minimum requirements for a single workstation.</I></P>
<P>The software can either come with the operating system (Novell NetWare, UNIX,
Windows NT, Windows 95), or it can be a third-party product added later (LANtastic).
At a minimum, the software needed is as follows:

<UL>
	<LI>Ethernet packet driver<BR>
	<BR>
	
	<LI>Network adapter driver
</UL>

<P>The network adapter driver commonly comes with the network adapter or Ethernet
card. It is typically provided by the manufacturer of the card but might also be
included in a total package. This is not always true. It is primarily the IBM-compatible
architecture that requires an Ethernet card. Most workstations (and most Macintoshes)
have on-board Ethernet support. This means that the Ethernet card is already hard-wired
to the motherboard. I believe that IBM-based RS/6000 machines might be one of the
few real exceptions to this. A good example would be an IBM Powerstation 320H.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Most operating systems now come
	with boot drivers for various Ethernet cards. Linux certainly does, as does Windows
	95 and Windows NT. Chances are, unless you have a very strange, off-beat Ethernet
	card, you may never need the manufacturer's driver. 
<HR>


</BLOCKQUOTE>

<P>The packet driver negotiates packets back and forth. The network adapter driver
is used to bind the Ethernet protocol to the Ethernet card. The card transmits these
packets from the workstation and into wire. This wire may be one of several kinds.
Some Ethernet cable transmits packets at 10MB/sec, others at 100MB/sec.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>TCP/IP can be bound to most Ethernet
	cards as quickly as IPX or other network protocols. 
<HR>


</BLOCKQUOTE>

<P>So you have a machine running Ethernet software (for both packet and card). The
machine is a classic workstation, equipped with an Ethernet card that connects to
a cable. But where does the data that travels down that cable lead? The answer depends
on the network needs of the organization.</P>
<P>In general, there will be a least several other workstations and a network hub
(see Figure 12.2). The workstations may be deposited throughout a building, with
the wire strung through the walls.</P>
<P><A NAME="02"></A><A HREF="02.htm"><B>Figure 12.2.</B></A><B><BR>
</B><I>Basic network setting.</I></P>
<P>Figure 12.2 shows a very simple network setting. Thousands of businesses nationwide
have such a setting, using any of a dozen different networked operating systems.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In many network settings, you can
	take the hub out of the picture altogether. There are plenty of Novell NetWare networks
	that have simply a file server or a closed-circuit cabling scheme, precisely like
	the setup in Figure 12.2. Hubs are used for many things, including enhancement of
	security, as you will see later. But if you have no fear of allowing indiscriminate,
	network-wide broadcasts, a hub might not be necessary. 
<HR>


</BLOCKQUOTE>

<P>Note the line in Figure 12.2 that represents information flow. On networks without
hubs, the data doesn't point in any particular direction. Instead, it travels in
<I>all</I> directions. A typical example of this is at the moment a message needs
to be sent. Each network node or workstation is an interface. When a message needs
to be sent, a request is forwarded to all interfaces, looking for the intended recipient.
This request is sent in the form of a general broadcast.</P>
<P>This broadcast issues a message to all interfaces, saying: &quot;Hey! Which one
of you is this data destined for? Will the real recipient please stand up?&quot;
All interfaces receive this message, but only one (the one for which the message
is intended) actually replies. In this respect, then, there is no established flow
of information until the recipient is known. As you might expect, because this broadcast
is global on the network, all machines hear it. Those that are not intended recipients
of the data hear the broadcast but ignore it. The request packet dies at such workstations
because there is no reply.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>This all broadcast scenario only
	occurs in network blocks, or segments. In other words, bar hard-wiring by hub (where
	all machines are strung to a hub), the information will be broadcast between all
	machines within that network segment. As you will see, the topology of such segments
	can greatly enhance or debilitate your network security, at least with respect to
	sniffers. In general, however, all machines are sent this request. 
<HR>


</BLOCKQUOTE>

<P>The workstation that <I>is</I> the intended recipient responds, forwarding its
hardware address. The information is then sent down the wire (in packets) from the
issuing workstation to the recipient. You might imagine that in this scenario (and
from the instant that the recipient is known), all other workstations ignore the
data being sent between the bona-fide sender and recipient. This is true; they do.
However, they do not necessarily <I>have</I> <I>to</I> ignore this data, and if they
don't, they can still hear it. In other words, any information traveling through
the network is always &quot;hear-able&quot; by all interfaces within a segment (barring
installation of controls to prevent it).</P>
<P>A sniffer is nothing more than hardware or software that hears (and does not ignore)
all packets sent across the wire. In this respect, every machine and every router
is a sniffer (or at least, each of these devices <I>could</I> be a sniffer). This
information is then stored on some media and archived for later viewing.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>To use your machine as a sniffer,
	you will need either special software (a promiscuous driver for the Ethernet card)
	or a version of networking software that allows promiscuous mode. <BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Think of the network as a dynamic
	atmosphere, such as a river. In that river, packets flow freely along the path of
	least resistance. A sniffer is an entity that sticks its hand into the river and
	filters the water through its fingers. 
<HR>


</BLOCKQUOTE>

<P>A sniffer can be (and usually is) a combination of both hardware and software.
The software might be a general network analyzer enabled with heavy debugging options,
or it might be a real sniffer.</P>
<P>A sniffer must be located within the same network block (or net of trust) as the
network it is intended to sniff. With relatively few exceptions, that sniffer could
be placed anywhere within that block (see Figure 12.3).</P>
<P><A NAME="03"></A><A HREF="03.htm"><B>Figure 12.3.</B></A><B><BR>
</B><I>Possible placements for sniffers.</I></P>
<P>Notice that one of the positions I have marked as a sniffer is located in the
void (along the network wire instead of within a workstation). This is possible,
though unlikely. Certain tools designed for network-traffic analysis can be spliced
into the cable itself. These tools are quite expensive and not something that the
average cracker would employ (however, I thought I should mention them).