I Love The Smell Of Packets In The Morning...
Paul M. Hirsch paul@voltagenoir.org - 01/2006
Have you ever wondered why Internet banking sites and the
checkout areas of online shops use SSL "Secured Web"
access? Have you ever wondered why people say it is a bad
idea to send sensitive information in email? Have you ever
wondered how the creepy guy at the Starbucks was able to
spy on every Instant Message you sent to your friend while
using your laptop there? The prime answer: "packet
sniffing". While it may be interesting to discuss what
network data smells like (peach cobbler, if I am not
mistaken...), "packet sniffing" (or "sniffing" for short)
means listening in on data on a network. Much like a
wiretap listens in on a phone conversation, sniffing allows
a 3rd party to eavesdrop on a communication without the
other parties' knowledge.
I'll stick to plain old "passive" sniffing here, ignoring
all the advanced tricks. At the end I'll include brief
information on some defenses such as encryption that are
commonly used to thwart packet sniffing. First though, a
description of the most common kind of these mysterious
"packets" everyone seems to be trying to smell: TCP/IP
packets.
"I have a packet for Mr. 64.233.167.104..."
The Internet and almost all modern computer networks speak a
language called "TCP/IP". TCP/IP consists of a set of
packet based network protocols, which means that data being
sent from one computer to another is broken down into small
chunks called "packets" and then sent over the network one
by one. Each packet is like a snail mail letter. It has a
"From" address and a "To" address. (No postage, though.)
Instead of nice names like "1600 Pennsylvania Ave.,
Washington, DC", in TCP/IP "IP addresses" are used. IP
addresses consist of a series of four numbers (each between
0 and 255) separated by dots. 10.10.10.10 is a valid IP
address, as is 1.23.65.127. On the other hand,
20016.-10.43..5 is not a valid IP address.
Most TCP/IP packets are the TCP or UDP type, which also
have "ports". A port is like an "attention of" line on an
envelope. It specifies a specific entity at an address that
should be given the packet. Port numbers run from 0 through
65535. When used, each packet has not only a source (from)
and destination (to) address, but also a source port and
destination port. Some ports have been agreed on for
specific services. For example, "HTTP" which is used for
normal web traffic, uses TCP port 80. (You have probably seen
"HTTP" in URLs you use in your web browser, like
http://www.google.com.) A packet from Mr. Joe B. Low to a
Google web server may have a source IP of 128.14.35.102, a
source port of 14034, a destination IP of 64.233.167.104
(one of Google's many webserver IPs), and a destination
port of 80. (Note that the source port is generally
irrelevant and randomly selected by the sending user's
computer. The destination server's port is the significant
part.)
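The envelope rules above (four numbers between 0 and 255, a port between 0 and 65535, and a "From" and "To" pair on every packet) are simple enough to check in a few lines. The following Python is an added example and not part of the original article; it validates the addresses and ports quoted in the text and builds a conversation key that comes out the same for a packet and for its reply, which is handy when grouping packets into conversations later. The endpoint strings it parses are constructed from the Joe B. Low example.

```python
# Added example (not from the article): check the pieces of a TCP/IP
# "envelope" and key a conversation so both directions match.

def is_valid_ipv4(text: str) -> bool:
    """True if text is exactly four decimal numbers 0-255 joined by dots."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        # rejects empty pieces ("43..5"), signs ("-10") and non-digits
        if not part.isdigit():
            return False
        if int(part) > 255:          # catches "20016"
            return False
    return True

def is_valid_port(port: int) -> bool:
    """Ports are 16-bit: 0 through 65535."""
    return 0 <= port <= 65535

def parse_endpoint(text: str) -> tuple:
    """Parse "ip:port" into (ip, port); raise ValueError if either part is bad."""
    ip, sep, port_text = text.rpartition(":")
    if not sep or not is_valid_ipv4(ip) or not port_text.isdigit():
        raise ValueError(f"bad endpoint: {text!r}")
    port = int(port_text)
    if not is_valid_port(port):
        raise ValueError(f"port out of range: {port}")
    return ip, port

def conversation_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple:
    """Order the two endpoints so a request and its reply share one key.

    The source port is random and the destination port is the well-known
    one, so we cannot rely on which side is "first"; sorting the two
    (ip, port) pairs gives a stable key regardless of direction.
    """
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

if __name__ == "__main__":
    # Constructed endpoints from the article's Joe B. Low -> Google example.
    joe = parse_endpoint("128.14.35.102:14034")
    google = parse_endpoint("64.233.167.104:80")
    request = conversation_key(*joe, *google)
    reply = conversation_key(*google, *joe)
    print("same conversation:", request == reply)
    print("20016.-10.43..5 valid?", is_valid_ipv4("20016.-10.43..5"))
```

The parser deliberately refuses anything `str.isdigit()` does not accept, so a stray minus sign or an empty octet is rejected before `int()` ever sees it.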
What use is an envelope with nothing in it? Packets often
carry a "payload" of data. This is like the note,
correspondence, or anthrax found inside a typical envelope.
Generally, the payload is what the nefarious sniffer is
looking for. We will explore that a bit later.
Hot Packets, Fresh From The Wire
Most computer traffic passes over wires of one sort or another.
Regardless of the type of wired network (Ethernet, DSL,
etc.), in order for someone to sniff packets from one
machine to another on a wired network, a sniffer must have
a direct connection to the wired network at some point
between the target machine and the destination(s) they want
to see traffic for. For a home DSL Internet user this could
be the user's PC itself, a machine at their Internet
Service Provider (ISP), or a device tapped into the phone
lines outside of the house. For someone on a corporate
Local Area Network (LAN) this could be another workstation
on the same floor or a machine in the company's core
network. No matter how the sniffer is attached and placed,
if it is listening to a wire transmitting data belonging to
their target(s), it can capture packets to and from the
target(s).
[Figure 1 - Sniffing Packets Off The Wire]
Figure 1 depicts a user with a PC connected to the
Internet. The user is currently browsing two web sites. One
is a site you may read your email from,
www.hotmail.com, and the
other is a fictitious shopping site called
www.garbagestore.com. There is a packet sniffer monitoring
the user's link to the Internet, and displaying the content
of each packet as it passes by. (From the screen on the
packet sniffer, it looks like garbagestore.com is not using
SSL and Mr. User just sent his credit card info over the
Internet. Uh oh!)
Many computers and other devices now use wireless networks to communicate. These include
WiFi (802.11), cellular, and Bluetooth. Whatever the
technology, these all use packets to send and receive data.
Unlike wired networks, anyone within signal range of a
wireless network can potentially sniff all traffic passing
over the wireless network. With the use of antennas and
amplifiers, even a short range wireless network can be
monitored from a distance. For example, Bluetooth has a
supposed range of 32 feet, but with a custom antenna can be
intercepted from over a mile away. Without the use of
additional security features, many wireless networks can be
sniffed with ease.
Point: Packet Sniffing Is Pure Evil
What kind of evil can packet sniffing be used for? Oh, nothing. Just:
- Stealing login information - With a stolen user name
and password, Mr. Hacker can log into sites or
applications as you.
- Stealing personal or financial information - Identity
theft. Stolen credit card or bank account numbers. Your
secret recipe for blackberry jam you just sent to your
trusted friend. Without proper protection, all that and
more can be easily stolen.
- Spying - Your Instant Messaging chats, emails, Voice
Over IP, and what web sites you went to and what you saw.
All these and more can be snooped into, often with custom
tools that make reading the data simple.
Counterpoint: Packet Sniffing Is Super!
At this point you may be thinking "Wow. Sniffing should be made a
Class A Felony..." However, sniffing, like so many
techniques used by computer criminals, is also an
indispensable tool for all sorts of legitimate uses.
Examples:
- Troubleshooting - Why can't one computer talk to
another? Sniffing often answers that question within
seconds.
- Security monitoring - Intrusion Detection/Prevention
Systems (IDS/IPS) sniffers can watch for attacks from
hackers and notify administrators or take defensive
action.
- Learning - One of the best ways for people working
with computer networks to learn about how they work is to
use a sniffer to see for themselves.
- Spying - Sometimes there are legitimate uses to
spying. (No, I will not dive into a discussion of the
FISA process or the recent revelations about NSA
spying.)
Sniffing In Action: Be Amazed As I Spy On My
Conversation With AOL ShoppingBuddy
An article on packet sniffing without at least one example is incomplete
(and boring). I decided to spy on an Instant Messaging
conversation. To ensure that both parties would not have
their rights violated, I chose myself as party A, and a
"bot" (automated chat program) as party B. I started by
firing up a packet sniffing program on my workstation and
having it capture packets on TCP port 5190, which is a port
used by AOL Instant Messenger. Then I started a
conversation with my good friend, "ShoppingBuddy". First
the raw output for one packet:
10:35:37.623189 10.66.66.77.38804 > 205.188.8.80.5190: P
0000: 4500 008c 6d51 4000 4006 aa7f 0a42 424d E...mQ@.@.ª..BBM
0010: cdbc 0850 9794 1446 7db7 3cda 4873 692e ü.P...F}·<ÚHsi.
0020: 5018 4000 ebeb 0000 2a02 0023 005e 0004 P.@.ëë..*..#.^..
0030: 0006 0000 0000 002c a6e7 943d 3283 0039 .......,¦ç.=2..9
0040: 0001 0d53 686f 7070 696e 6742 7564 6479 ...ShoppingBuddy
0050: 0002 0034 0501 0004 0101 0102 0101 0028 ...4...........(
0060: 0000 0000 596f 2079 6f20 796f 2120 2057 ....Yo yo yo! W
0070: 6861 7420 6973 2075 7020 5368 6f70 7069 hat is up Shoppi
0080: 6e67 2044 7564 653f 0003 0000 ng Dude?....
Pretty ugly, no? A few things to look for in the first
line:
- 10:35:37.623189 - The time the packet was
received. (37.623189 represents the seconds including the
fraction of a second.)
- 10.66.66.77 - The source IP address of the
packet. (My local PC's IP)
- 38804 - The source port of the packet.
- 205.188.8.80 - The destination IP address of
the packet. (An AOL AIM server)
- 5190 - The destination port of the packet. (On
the AOL AIM server)
Enough of this garbled garbage. Here is the output of
the sniffing program after some filtering and formatting to
show only the source and destination information and the
interesting data inside:
10.66.66.77:38804-205.188.8.80:5190 Yo yo yo! What is up Shopping Dude?.
205.188.8.80:5190-10.66.66.77:38804 Welcome. Now you can search for products with
AOLShopping. Type main to get started.
10.66.66.77:38804-205.188.8.80:5190 That is cool, yo, but what if I want to just
shoot the bull with you?.
205.188.8.80:5190-10.66.66.77:38804 Cool. Also check out alerts!
10.66.66.77:38804-205.188.8.80:5190 Alerts? That doesn't sound very cool, yo.
205.188.8.80:5190-10.66.66.77:38804 Opt-in to get receive alerts from Shopping bot
. Do you want to opt-in? Y = Yes N = No
10.66.66.77:38804-205.188.8.80:5190 Dude, you used to be the shinizzle. Now you
are all like "opt-in" and "opt-out" What
happened, yo?.
205.188.8.80:5190-10.66.66.77:38804 Hmm, you have to select either option --
Yes or No -- it's not that hard!
10.66.66.77:38804-205.188.8.80:5190 "It's not that hard!" Oh, thanks. If I wanted
to be talked down to I would have IMed
SuperSmartBuddy instead. Yo, peace out.
Whatever man.
Examine the IP addresses and ports. Notice how they are reversed
for messages from "ShoppingBuddy", as if it were a series of
letters sent back and forth between us? (I don't think these
messages are worth postage.)
There are specialized programs to interpret all sorts of
network services, but at their core, they start with the
raw packets.
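To show what "starting with the raw packets" means in practice, here is an added example (my code, not from the article or from any AIM tool) that takes the hex dump printed above, pulls apart the IP and TCP headers to recover the source and destination addresses, ports and flags listed under the first line, and then decodes the chat text the same way the filtered display does. The hex columns are the article's own bytes, pasted without the ASCII column; the AIM decoding rests on my assumption that the client used the OSCAR protocol (a 6-byte FLAP frame carrying a 10-byte SNAC header, with the message in TLV 0x0002 as a type 0x01 fragment), which the article does not state.

```python
import struct
from ipaddress import IPv4Address

# The hex dump from the article (ASCII column dropped so every token is hex).
HEX_DUMP = """
0000: 4500 008c 6d51 4000 4006 aa7f 0a42 424d
0010: cdbc 0850 9794 1446 7db7 3cda 4873 692e
0020: 5018 4000 ebeb 0000 2a02 0023 005e 0004
0030: 0006 0000 0000 002c a6e7 943d 3283 0039
0040: 0001 0d53 686f 7070 696e 6742 7564 6479
0050: 0002 0034 0501 0004 0101 0102 0101 0028
0060: 0000 0000 596f 2079 6f20 796f 2120 2057
0070: 6861 7420 6973 2075 7020 5368 6f70 7069
0080: 6e67 2044 7564 653f 0003 0000
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines back into the packet's raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers; return the envelope fields and payload."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes
    if proto != 6:
        raise ValueError("not TCP")
    (sport, dport, _seq, _ack, off_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4     # TCP header length in bytes
    bits = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A")]
    flags = "".join(name for bit, name in bits if off_flags & bit)
    return {
        "src": str(IPv4Address(src)), "sport": sport,
        "dst": str(IPv4Address(dst)), "dport": dport,
        "ttl": ttl, "flags": flags,
        "payload": packet[ihl + data_off:total_len],
    }

def extract_aim_message(payload: bytes) -> tuple:
    """Return (screen name, text) from an AIM outgoing message.
    Assumed framing (mine, not from the article): FLAP -> SNAC 0x0004/0x0006
    -> cookie(8) channel(2) name(1+n) -> TLVs; TLV 0x0002 holds fragments,
    fragment 0x01 is charset(4) + message text."""
    if payload[0] != 0x2A:
        raise ValueError("missing FLAP start byte")
    channel, _seq, length = struct.unpack("!BHH", payload[1:6])
    body = payload[6:6 + length]
    if channel != 2:
        raise ValueError("not a SNAC data frame")
    family, subtype, _flags, _reqid = struct.unpack("!HHHI", body[:10])
    if (family, subtype) != (0x0004, 0x0006):
        raise ValueError("not an outgoing ICBM")
    pos = 10 + 8 + 2
    name_len = body[pos]
    screen_name = body[pos + 1:pos + 1 + name_len].decode("ascii")
    pos += 1 + name_len
    while pos + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + tlv_len]
        pos += 4 + tlv_len
        if tlv_type != 0x0002:
            continue
        fpos = 0
        while fpos + 4 <= len(value):
            frag_id, _ver, frag_len = struct.unpack("!BBH", value[fpos:fpos + 4])
            frag = value[fpos + 4:fpos + 4 + frag_len]
            fpos += 4 + frag_len
            if frag_id == 0x01:
                return screen_name, frag[4:].decode("ascii")
    raise ValueError("no message fragment found")

def summarize(dump: str) -> str:
    """Produce the one-line 'src:port-dst:port text' view used in the article."""
    pkt = parse_ipv4_tcp(hexdump_to_bytes(dump))
    who, text = extract_aim_message(pkt["payload"])
    return f'{pkt["src"]}:{pkt["sport"]}-{pkt["dst"]}:{pkt["dport"]} to {who}: {text}'

if __name__ == "__main__":
    print(summarize(HEX_DUMP))
```

The "P" in the first line of the raw dump is the PSH flag; `parse_ipv4_tcp` reports it alongside ACK as "PA", which is what the 0x5018 at offset 0x20 encodes. Everything after the 40 header bytes is the payload, and only the last step knows anything about AIM.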
(Note - The chronic use of the word "yo" in the examples
above does not represent my actual use of the word in
normal conversation, yo.)
Stop Sniffing My Packets!
There are numerous ways to protect against packet sniffing and make any data that
is intercepted unusable. Here are some general precautions
to help reduce the risk:
- Use Encryption - Only use encrypted
communication to send or receive sensitive information.
SSL Secured web sites (denoted by the HTTPS in the URL
and the locked security icon in the web browser), S/MIME
or PGP email encryption, IPSEC Virtual Private Networks,
and other encryption systems will make the data a sniffer
captures nearly unusable.
- Pay Attention To SSL Secured Sites - Do not
use an online shopping checkout system or online banking
system that does not use SSL security. Also, if your web
browser complains that a security certificate is invalid,
pay attention. Stop using the offending site unless you
know the warning is not applicable.
- Don't Trust Untrustworthy Networks - Public
wireless networks (municipal, coffee shop, etc.), hotel
Internet access, and campus networks are examples of
networks that cannot be trusted. Extra care should be
taken when using these types of networks.
- Remember That Someone May Be Watching -
Paranoid? Perhaps. Remember that, just like in the real
world, what you do and say can be monitored in the
virtual world. In fact, it is almost always easier to
monitor your online activities than it is to monitor your
real world activities.
- Keep Your Patches, AntiVirus, and AntiSpyware Up
To Date - Lots of nasties are floating around the
Internet trying to install a sniffer on your computer.
Don't let them!
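The legitimate "security monitoring" use from the Counterpoint section can enforce the first two precautions above: a monitor on your own network can watch for checkout-style form posts that travel in the clear, the Figure 1 situation, and raise an alert while an SSL session shows nothing readable at all. The Python below is an added example of my own, not from the article; the two sample flows are constructed (the card number is the well-known 4111... test value, and the port 443 payload is a few bytes shaped like a TLS handshake record), and the alert masks the number so the monitor itself does not become a place where card data is stored.

```python
import re

# Constructed sample flows modelled on Figure 1: one plaintext checkout,
# one SSL/TLS session to a webmail site. Not real captures.
SAMPLE_FLOWS = [
    {"dst": "www.garbagestore.com", "dport": 80,
     "payload": (b"POST /checkout HTTP/1.1\r\nHost: www.garbagestore.com\r\n\r\n"
                 b"name=Mr+User&card=4111111111111111&exp=12/09")},
    {"dst": "www.hotmail.com", "dport": 443,
     # TLS record header (handshake, version 3.1) followed by opaque bytes
     "payload": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01\x9f\x42\x11"},
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ")
CARD_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to cut down false alarms on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(number: str) -> str:
    """Keep only the first six and last four digits in any alert."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]

def is_plaintext_http(payload: bytes) -> bool:
    """Encrypted sessions never start with a readable HTTP method line."""
    return payload.startswith(HTTP_METHODS)

def find_cleartext_cards(flows) -> list:
    """Return (destination, port, masked number) for card-like values sent
    in an unencrypted HTTP request. TLS flows are skipped: their payload is
    ciphertext and there is nothing for a sniffer, or for us, to read."""
    alerts = []
    for flow in flows:
        if not is_plaintext_http(flow["payload"]):
            continue
        for match in CARD_RE.finditer(flow["payload"]):
            number = match.group(1).decode("ascii")
            if luhn_ok(number):
                alerts.append((flow["dst"], flow["dport"], mask(number)))
    return alerts

if __name__ == "__main__":
    for dst, port, masked in find_cleartext_cards(SAMPLE_FLOWS):
        print(f"ALERT: card {masked} sent in the clear to {dst}:{port}")
```

Deciding "encrypted or not" by looking at the payload rather than trusting the port is deliberate: a site can serve plaintext on 443 or SSL on an odd port, and a monitor that only checks port numbers will miss both.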
That wraps up my introduction to packet sniffing. I
hope you learned something. I also hope you read the word
"packet" enough. Heck, I used it in almost every section
heading! Packet packet packet!