ch12.htm

Maximum Security (First Edition) 网络安全 英文版

<DL>
	<DD>A bridge was having problems in getting through its startup sequence using the
	<TT>bootp</TT> protocol. `The Gobbler' packet catcher was used to capture the packets
	to and from the bridge. The dump file viewer and protocol analyzer made it possible
	to follow the whole startup sequence and to track down the cause of the problem.<FONT
	SIZE="1"><SUP>1</SUP></FONT>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT SIZE="1"><SUP>1</SUP></FONT>T.V. Rijn and J.V. Oorschot, <I>The Gobbler, An
	Ethernet Troubleshooter/Protocol Analyzer.</I> November 29, 1991. Delft University
	of Technology, Faculty of Electrical Engineering, the Netherlands. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>ETHLOAD (Vyncke, Vyncke, Blondiau, Ghys, Timmermans,
Hotterbeex, Khronis, and Keunen)</B></FONT></H3>
<P>A freeware packet sniffer written in C for Ethernet and token ring networks, ETHLOAD
runs well atop or in conjunction with any of the following interfaces:

<UL>
	<LI>Novell ODI
	<LI>3Com/Microsoft Protocol Manager
	<LI>PC/TCP/Clarkson/Crynwr
</UL>

<P>Further, it analyzes the following protocols:

<UL>
	<LI>TCP/IP
	<LI>DECnet
	<LI>OSI
	<LI>XNS
	<LI>NetWare
	<LI>NetBEUI
</UL>

<P>One thing that is not available in the standard distribution is the source code.
This is unfortunate because some time ago, the source was available. However, as
the authors explain:

<DL>
	<DD>After being flamed on some mailing lists for having put a sniffer source code
	in the public domain and as I understand their fears (even if a large bunch of other
	Ethernet sniffers are available everywhere), I have decided that the source code
	is not made available.
</DL>

<P>What is interesting is that the program did have the capability to sniff rlogin
and Telnet sessions, though only with a special key that had to be obtained from
the author. As one might expect, even when this key was available, the author restricted
its access to those who could provide some form of official certification.</P>
<P>For a free sniffer executable on a DOS/Novell platform, ETHLOAD is probably the
most comprehensive currently available (this is certainly so for the PC platforms).
It is also more easily found than others (<TT>altavista.digital.com</TT> returns
approximately one hundred instances of the file name, and more than half of those
sites have the product).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Here are a few sites
	that offer ETHLOAD:

	<UL>
	<LI><A HREF="ftp://oak.oakland.edu/SimTel/msdos/lan/ethld104.zip"><TT>ftp://oak.oakland.edu/SimTel/msdos/lan/ethld104.zip</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://www.med.ucalgary.ca:70/1/ftp/dos/regular"><TT>http://www.med.ucalgary.ca:70/1/ftp/dos/regular</TT></A><BR>
	<BR>
	
	<LI><A HREF="ftp://ftp.vuw.ac.nz/simtel/msdos/lan/ethld104.zip"><TT>ftp://ftp.vuw.ac.nz/simtel/msdos/lan/ethld104.zip</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://www.apricot.co.uk/ftp/bbs/atsbbs/allfiles.htm"><TT>http://www.apricot.co.uk/ftp/bbs/atsbbs/allfiles.htm</TT></A>
	</UL>

	<P>
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Netman (Schulze, Benko, and Farrell)</B></FONT></H3>
<P>Netman is a little different from ETHLOAD in that you can obtain the source, although
the process is more complex than &quot;ask and ye shall receive.&quot; It involves
money ($500 for educational institutions, $1,000 for private firms), and the development
team makes it clear that that source is not to be used for commercial purposes.</P>
<P>The team at Curtin University has developed a whole suite of applications in the
Netman project:

<UL>
	<LI>Interman
	<LI>Etherman
	<LI>Packetman
	<LI>Geotraceman
	<LI>Loadman
	<LI>Analyser
</UL>

<P>Etherman is of main interest in tracing Ethernet activity. It is important to
note that this tool is no ordinary ASCII-to-outfile packet sniffer. As the authors
explain in <I>Homebrew Network Monitoring: A Prelude to Network Management</I>, Etherman
takes a whole new approach that is completely distinct from its counterparts:

<DL>
	<DD>In this project, we attempt to extend the goals of these by visualizing network
	data. This has been achieved by applying a graphical model to a collection of continuously
	updating network statistics.
</DL>

<P>True to their claims, these individuals created an extraordinary tool. The program
presents a black screen on which addresses, traffic, and interfaces are all represented
as points within the network (connection points or flows of data between these are
represented in red). This accurate graphical model is altered as traffic varies.</P>
<P>The entire suite of applications constitutes a formidable arsenal for network
analysis and management. In the hands of a cracker, this suite could prove quite
a weapon. However, the main features of the Etherman program, at least, run in X.
It is extremely unlikely that a cracker would be running X apps on your network without
your knowledge. If this <I>is</I> going on, you better wake up and mind your network;
your problems are deeper than a sniffer.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The Netman project, papers,
	and all binaries for these programs are located at <A HREF="http://www.cs.curtin.edu.au/~netman/"><TT>http://www.cs.curtin.edu.au/~netman/</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The Netman suite of applications
	was reportedly coded on the Sun and DEC platforms (SPARC and Decstation 5000, respectively).
	Information about porting is scarce, but this much is certain: This application runs
	only on UNIX platforms. Moreover, remember when I suggested that some sniffers might
	lose data on high-speed, high-volume networks? Packetman is apparently one such application,
	although the problem is reportedly limited to the SunOS platform. This application
	is probably the most functional sniffer suite for the UNIX platform (if not in terms
	of superb functionality, at least in design). 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Esniff.c (the Posse)</B></FONT></H3>
<P>Esniff.c is a sniffer program that is always distributed in source form (C language),
designed primarily to sniff packet traffic on the SunOS platform. It is probably
the most popular among crackers. It is already coded to capture only the beginning
portion of each packet (and thereby capture user login IDs and passwords).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Esniff.c is available
	at many locations, including

	<UL>
	<LI><A HREF="ftp://ftp.infonexus.com"><TT>ftp.infonexus.com</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://pokey.nswc.navy.mil/Docs/Progs/ensnif.txt"><TT>http://pokey.nswc.navy.mil/Docs/Progs/ensnif.txt</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/"><TT>http://www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/</TT></A>
	</UL>

	<P>
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Sunsniff (Author Unknown)</B></FONT></H3>
<P>Sunsniff is also designed specifically for the SunOS platform. It consists of
513 lines of C source, coded reportedly by crackers who wish to remain anonymous.
It works reasonably well on Sun, and is probably not easily portable to another flavor.
This program is good for experimentation.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Sunsniff is available
	at

	<UL>
	<LI><A HREF="http://www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/"><TT>www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://mygale.mygale.org/08/datskewl/elite/"><TT>http://mygale.mygale.org/08/datskewl/elite/</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://hacked-inhabitants.com/warez/SUNSNIFF.C"><TT>http://hacked-inhabitants.com/warez/SUNSNIFF.C</TT></A>
	</UL>

	<P>
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>linux_sniffer.c (Author Unknown)</B></FONT></H3>
<P>This program's name pretty much says it all. It consists of 175 lines of C code,
distributed primarily at cracker sites on the Net. This program is Linux specific.
It is another utility that is great for experimentation on a nice Sunday afternoon;
it's a free and easy way to learn about packet traffic.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>linux_sniffer.c is available
	at

	<UL>
	<LI><A HREF="http://www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/"><TT>www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://mygale.mygale.org/08/datskewl/elite/"><TT>http://mygale.mygale.org/08/datskewl/elite/</TT></A><BR>
	<BR>
	
	<LI><A HREF="http://www.hacked-inhabitants.com/warez/"><TT>http://www.hacked-inhabitants.com/warez/</TT></A>
	</UL>

	<P>
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Nitwit.c (Author Unknown)</B></FONT></H3>
<P>This C source (159 lines, excluding comments) is distributed primarily at cracker
sites. When compiled, it runs as a NIT (Network Interface Tap) sniffer. It is yet
another SunOS-only utility. The authors anonymously claim that the utility is:

<DL>
	<DD>...better than CERT's `cpm' because the sniffer can be reading in normal (non
	promiscuous) mode from <TT>/dev/nit</TT> and nittie.c will sense this.
</DL>

<P>I would closely examine the source before employing this utility. This utility
emerged from the back alleys of the Net.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Nitwit.c can be found
	at <A HREF="http://www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/nitwit.c"><TT>www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/nitwit.c</TT></A>.
	
<HR>


</BLOCKQUOTE>