ch12.htm

Maximum Security (First Edition) 网络安全 英文版

<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>There are also devices
	that are referred to as cable sniffers, which are used to diagnose problems along
	network cable. One such product is called the <I>Cable Sniffer</I> by Macally. It
	can be used to sniff cable problems on AppleTalk networks. Their page is located
	at <A HREF="http://www.macally.com/"><TT>http://www.macally.com/</TT></A>. 
<HR>


</BLOCKQUOTE>

<P>Sniffers are a significant threat because of the following:

<UL>
	<LI>They can capture passwords.<BR>
	<BR>
	
	<LI>They can capture confidential or proprietary information.<BR>
	<BR>
	
	<LI>They can be used to breach security of neighboring networks.
</UL>

<H2><FONT COLOR="#000077"><B>Where Is One Likely to Find a Sniffer?</B></FONT></H2>
<P>You are likely to find a sniffer almost anywhere. However, there are some strategic
points that a cracker might favor. One of those points is anywhere adjacent to a
machine or network that receives many passwords. This is especially so if the targeted
machine is the gateway of a network, or a path of data going to or coming from the
outside world. If your network goes out to the Internet (and that's really what I'm
getting at here), the cracker will want to capture authentication procedures between
your network and other networks. This could exponentially expand the cracker's sphere
of activity.
<H2><FONT COLOR="#000077"><B>What Level of Risk Do Sniffers Represent?</B></FONT></H2>
<P>Sniffers represent a high level of risk. In fact, the existence of a sniffer in
itself shows a high level of compromise. In fact, if a sniffer has been placed on
your network (by folks other than those authorized to undertake such an action),
your network is already compromised. That is, taking the case study out of the LAN
and into the Internet, if your Internet-enabled network has a sniffer, someone has
breached your network security. One scenario is that he or she has come from the
outside and placed a monitoring device on your network. The other scenario is that
one of your own is up to no good. Either way, the situation is grave.</P>
<P>Security analysts characterize a sniffer attack as a second-level attack. The
cracker has already worked his or her way into your network and now seeks to further
compromise the system. To do so, he must begin by capturing all the user IDs and
passwords. For that reason (and for the information a sniffer gathers), a sniffer
represents an extremely high level of risk.</P>
<P>However, sniffers can catch more than simply user IDs and passwords; they can
capture sensitive financial data (credit-card numbers), confidential information
(e-mail), and proprietary information. Depending on the resources available to the
cracker, a sniffer is capable of capturing nearly all traffic on a network.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>I do not believe that, in practice,
	any sniffer can catch absolutely all traffic on a network. This is because as the
	number of packets increases, the chances of lost packets is high. If you examine
	technical reports on sniffers, you will discover that at high speeds and in highly
	trafficked networks, a more-than negligible amount of data can be lost. This suggests
	that sniffers employed by the good guys might be vulnerable to attacks themselves.
	In other words, just how many packets per second can a sniffer take before it starts
	to fail in its fundamental mission? That is a subject probably worth investigating.</P>
	<P>Security technology has evolved considerably. Some operating systems now employ
	encryption at the packet level, and, therefore, even though a sniffer attack can
	yield valuable data, that data is encrypted. This presents an additional obstacle
	likely to be passed only by those with deeper knowledge of security, encryption,
	and networking. 
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Where Do Sniffers Come From and Why Do They Exist?</B></FONT></H2>
<P>Sniffers are designed as devices that can diagnose a network connection. You will
remember that in Chapter 9, &quot;Scanners,&quot; I referred to a UNIX command called
<TT>traceroute</TT>. <TT>traceroute</TT> examines the route between two points and
is used to determine whether problems exist along that route (for example, if one
of the machines a&#218; g that route has died).</P>
<P>Tools such as <TT>traceroute</TT> are sniffers of sorts. However, a hard-core
sniffer is designed to examine the packet traffic at a very deep level. Again, this--like
the scanner--has a perfectly legitimate purpose. Sniffers were designed by those
aiding network engineers (and not for the purpose of compromising networks).</P>
<P>Some companies produce entire suites of sniffer applications designed to diagnose
network problems. The leading company in this industry is Network General Corporation
(NGC), which offers a wide variety of sniffer products, including

<UL>
	<LI>The Sniffer Network Analyzer (I should mention that the term <I>The Sniffer</I>
	is a registered trademark of NGC)<BR>
	<BR>
	
	<LI>A wide area network (WAN) Sniffer<BR>
	<BR>
	
	<LI>Network General Reporter
</UL>

<H2><FONT COLOR="#000077"><B>On What Platforms Will a Sniffer Run?</B></FONT></H2>
<P>Sniffers now exist for every network platform, but even if they did not, they
would still be a threat to you. Here is why: Sniffers sniff packets, not machines.
Unless your network is entirely homogenous, a sniffer could exist there. As I pointed
out, a sniffer need be only on a single node of a network (or at a gateway) to sniff
traffic. This is because of the manner in which Ethernet broadcasts occur. Because
the traffic is broadcasted to all nodes on a network segment, any platform that you
have will do. Also, more sniffers for different operating systems emerge every few
months; because source is now available for a wide variety of systems, it seems likely
that trend will continue. Eventually, you will see the ultimate sniffer written for
Windows 95 with some sort of VB front end. You can bet on it.
<H2><FONT COLOR="#000077"><B>Has Anyone Actually Seen a Sniffer Attack?</B></FONT></H2>
<P>There have been many sniffer attacks executed over the Internet; these attacks
were disparate in terms of target and scope. Consider this security advisement update:

<DL>
	<DD>In February 1994, an unidentified person installed a network sniffer on numerous
	hosts and backbone elements collecting over 100,000 valid user names and passwords
	via the Internet and Milnet. Any computer host allowing FTP, Telnet or remote log
	in to the system should be considered at risk...All networked hosts running a UNIX
	derivative operating system should check for the particular promiscuous device driver
	that allows the sniffer to be installed.<FONT SIZE="1"><SUP>1</SUP></FONT>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT SIZE="1"><SUP>1</SUP></FONT>Naval Computer &amp; Telecommunications Area Master
	Station LANT advisory. 
<HR>


</BLOCKQUOTE>


<DL>
	<DD>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can access the Naval
	Computer &amp; Telecommunications Area Master Station LANT advisory at <A HREF="http://www.chips.navy.mil/chips/archives/94_jul/file14.html"><TT>http://www.chips.navy.mil/chips/archives/94_jul/file14.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Naturally, institutions and private companies are reluctant to state what level
of compromise might have occurred. But, there are many such victims:

<UL>
	<LI>California State University at Stanislaus<BR>
	<BR>
	
	<LI>A United States Army missile research laboratory<BR>
	<BR>
	
	<LI>White Sands Missile Range
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For more information
	about the Stanislaus incident, visit <A HREF="http://yahi.csustan.edu/studnote.html"><TT>http://yahi.csustan.edu/studnote.html</TT></A>.</P>
	<P>For more information about the U.S. Army missile research lab and White Sands
	Missile Range incidents, see the GAO report at <A HREF="http://www.securitymanagement. com/library/000215.html"><TT>http://www.securitymanagement.
	com/library/000215.html</TT></A>. 
<HR>


</BLOCKQUOTE>

<P>Universities seem to be consistent targets, mainly because of the sheer volume
of usernames and passwords that can be gleaned from such an attack. This also translates
into bigger and more complex networks. Network administration in a university is
quite a job, even if crackers aren't prowling around. How many times have you fingered
an account at a university only to find that the target was discharged or graduated
a year or more before? Two days before writing this chapter, I encountered exactly
that situation. Except that the individual had been gone 18 months. Even so, his
account was still active!
<H2><FONT COLOR="#000077"><B>What Information Is Most Commonly Gotten from a Sniffer?</B></FONT></H2>
<P>A sniffer attack is not as easy as you might think. It requires some knowledge
of networking before a cracker can effectively launch one. Simply setting up a sniffer
and leaving it will lead to problems because even a five-station network transmits
thousands of packets an hour. Within a short time, the outfile of a sniffer could
easily fill a hard disk drive to capacity (if you logged every packet).</P>
<P>To circumvent this problem, crackers typically sniff only the first 200-300 bytes
of each packet. Contained within this portion is the username and password, which
is really all most crackers want. However, it is true that you could sniff all the
packets on a given interface; if you have the storage media to handle that kind of
volume, you would probably find some interesting things.
<H2><FONT COLOR="#000077"><B>Where Does One Get a Sniffer?</B></FONT></H2>
<P>There are many sniffers available on many platforms. As you might expect, the
majority of these are commercial. Commercial sniffing applications are a good idea
if you have a real need to diagnose your network (or catch a cracker). They are probably
a poor idea if you simply want to learn about networking.
<H3><FONT COLOR="#000077"><B>Gobbler (Tirza van Rijn)</B></FONT></H3>
<P>Gobbler, shown in Figure 12.4, is probably the best sniffer for someone wanting
to learn a bit about network traffic. It was designed to work on the MS-DOS platform
but can be run in Windows 95.</P>
<P><A NAME="04"></A><A HREF="04.htm"><B>Figure 12.4.</B></A><B><BR>
</B><I>Gobbler's opening screen.</I></P>
<P>Operation of Gobbler might seem a little confusing at first. There are no menus
in the traditional sense (that is, the menus are not immediately apparent when you
start the application); the application just pops up, as shown in Figure 12.4. (The
menus are there; it is just that Gobbler is not the most user-friendly application.)
Depending on what package you get, you may or may not receive documentation. If you
do, it will be a PostScript document titled <TT>Paper.gs</TT>. Of the four locations
where I have found Gobbler, only one has the document. It is the first of the addresses
that follow.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Gobbler is no longer
	widely distributed; these links are quite remote. Expect some download time. Gobbler
	can be found at

	<UL>
	<LI><A HREF="http://www.cse.rmit.edu.au/~rdssc/courses/ds738/watt/other/gobbler.zip"><TT>http://www.cse.rmit.edu.au/~rdssc/courses/ds738/watt/other/gobbler.zip</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://cosmos.ipc.chiba-u.ac.jp/~simizu/ftp.ipc.chiba-u.ac.jp/.0/network/noctools/sniffer/gobbler.zip"><TT>http://cosmos.ipc.chiba-u.ac.jp/~simizu/ftp.ipc.chiba-u.ac.jp/.0/network/noctools/sniffer/gobbler.zip</TT></A><BR>
	<BR>
	
	<LI><A HREF="ftp://ftp.mzt.hr/pub/tools/pc/sniffers/gobbler/gobbler.zip"><TT>ftp://ftp.mzt.hr/pub/tools/pc/sniffers/gobbler/gobbler.zip</TT></A><BR>
	<BR>
	
	<LI><A HREF="ftp://ftp.tordata.se/www/hokum/gobbler.zip"><TT>ftp://ftp.tordata.se/www/hokum/gobbler.zip</TT></A>
	</UL>

	<P>
<HR>


</BLOCKQUOTE>

<P>Press the F1 key after booting the application to view a legend that provides
information about the program's functions (see Figure 12.5).</P>
<P><A NAME="05"></A><A HREF="05.htm"><B>Figure 12.5.</B></A><B><BR>
</B><I>Gobbler's function and navigation help screen.</I></P>
<P>Gobbler runs on any PC running DOS, Windows, Windows 95, and perhaps NT. It can
be run from a single workstation, analyzing only local packets, or it can be used
remotely over a network (this is an especially useful function).</P>
<P>Contained within the program are some fairly complex functions for packet filtering
as well as an event-triggered mechanism (that is, one can specify a particular type
of packet that must be encountered before the deep logging process starts or stops).
Perhaps most importantly, Gobbler allows you to view both the source and destination
addresses for each packet without further effort (these are printed to the screen
in a very convenient manner).</P>
<P>The program allows you to view the recording process as it happens. This is a
vital element of its usefulness. As noted in one of the case studies presented with
the application: