
Sniffing

Network sniffing, or packet sniffing, is the process of monitoring a network in an attempt to gather information that may be useful in an attack. With the proper tools a hacker can monitor the network packets to obtain passwords or IP addresses. Many vendors manufacture hardware and software for legitimate purposes that can be abused by hackers. The only comforting fact about these products is that hackers usually can't afford them. They can, however, steal them. There are also common utilities and programs, such as tcpmon, tcpdump, or gobbler, that can be downloaded from hacker sites. Network Associates' Sniffer Pro is an example of a commercially available product.

Password sniffing is a particular threat for users who log into Unix systems over a network. Telnet or rlogin is usually employed when logging onto a Unix system over a network, and neither Telnet nor rlogin encrypts passwords. As a result, when a user enters his or her password, it is transmitted in the clear, meaning anyone monitoring the network can read it. In contrast, both Novell and Windows NT workstations encrypt passwords for transmission.

There are many tools available to reduce the risk of packet sniffing. Sometimes even simple traffic analysis can provide useful information. Being able to identify the systems that have the most activity can be of great value. Employing network switches instead of traditional hubs is another method to reduce the risk of network sniffing.

There are also tools available that purport to detect unauthorized packet sniffers on a network. One example, AntiSniff, is available from L0pht Heavy Industries on its Web site, http://www.l0pht.com. Typically, these products detect the characteristics of a network interface card (NIC) configured for promiscuous mode, the mode used to sniff packets on a network. However, these systems can be countered by simply cutting the send wire on the NIC's cable. By doing so the NIC cannot send packets onto the network, so the sniffer detection programs will not be able to detect the NIC configured for promiscuous mode.

Web Site Defacement

Every week some organization's Web site is defaced by hackers, who post some message protesting something or other. Web site defacements are usually achieved by exploiting some incorrect configuration or known vulnerability of the Web server software, or by exploiting some other protocol-based vulnerability of the server's operating system.

An organization's best defense against Web site defacement is to maintain the most recent versions of its Web server software and the server's operating system. Also, an organization should ensure that its Web administrator is properly trained to install and maintain the software. Some organizations have taken more creative approaches to ensuring the integrity of their Web sites by deploying network cache servers that update the Web servers. The cache server mirrors a particular Web site and periodically refreshes the Web server with the original image of the system. If the Web site is defaced by a hacker, the cache server will overwrite the hackers' changes when it pushes the Web site refresh out to the Web server.
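The periodic refresh described above, written out as an added example (not code from the original page): a Python script that compares the served web root against a golden copy by file hash, reports the files a defacement modified, removed or planted, and pushes the golden image back. The directory layout and the constructed two-page site are assumptions for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_defaced(golden: Path, served: Path) -> list:
    """Relative paths whose served copy differs from the golden image.

    Covers files modified on the web server, files removed from it,
    and files the attacker added that have no golden counterpart.
    """
    golden_files = {str(p.relative_to(golden)) for p in golden.rglob("*") if p.is_file()}
    served_files = {str(p.relative_to(served)) for p in served.rglob("*") if p.is_file()}
    changed = []
    for rel in sorted(golden_files | served_files):
        g, s = golden / rel, served / rel
        if not g.exists() or not s.exists() or _digest(g) != _digest(s):
            changed.append(rel)
    return changed


def refresh(golden: Path, served: Path) -> list:
    """Overwrite the web root with the golden image, like the cache server refresh."""
    changed = find_defaced(golden, served)
    for rel in changed:
        g, s = golden / rel, served / rel
        if g.exists():
            s.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(g, s)        # restore modified or deleted page
        else:
            s.unlink()                # planted file: golden image has no copy
    return changed


def demo() -> dict:
    """Constructed scenario: one page defaced, one file planted, then refreshed."""
    root = Path(tempfile.mkdtemp())
    golden, served = root / "golden", root / "htdocs"
    for d in (golden, served):
        (d / "img").mkdir(parents=True)
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "img" / "logo.txt").write_text("logo")
    (served / "index.html").write_text("<h1>defaced</h1>")   # attacker rewrote the page
    (served / "owned.html").write_text("planted")            # attacker added a file
    restored = refresh(golden, served)
    after = find_defaced(golden, served)
    shutil.rmtree(root)
    return {"restored": restored, "after": after}
```

In practice the golden copy lives on a separate host the web server cannot write to, otherwise a defacement of the mirror would be pushed out just as faithfully.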
