Read the following in detail; it may well make your head spin ~ haha
Sniffers are almost as old as the Internet. Sniffing is a common way of collecting useful data, such as users' account numbers and passwords, confidential business data and so on. With the growing popularity of the Internet and e-commerce, people pay more and more attention to Internet security. The sniffer, which plays an important role in Internet security risks, has attracted more and more attention, so today I want to introduce the sniffer and how to stop it.
Most hackers only want to probe the hosts on an intranet and gain control of them. Only the more "ambitious" ones install Trojan horses and backdoor programs and clear their traces in order to control the whole network, and it is usually these who install sniffers.
On an intranet, the most effective way for a hacker to obtain a large number of accounts (user names and passwords) is to use a "sniffer" program. This method requires that the host running the sniffer and the monitored hosts be on the same Ethernet segment, so running a sniffer on a host outside the segment is useless. In addition, the sniffer must run as root in order to listen to the data flow on the Ethernet segment. When we talk about sniffers, we must talk about Ethernet sniffing.
So what is an Ethernet sniffer?
Ethernet sniffing means intercepting the packets transmitted on an Ethernet device and finding the packets of interest. A packet that meets the conditions is saved to a log file.
The conditions are usually set to match packets containing a "user name" or "password". To do this, the network interface is put into promiscuous mode.
Promiscuous mode means that a device listens to all the data transmitted on the bus, not just the data addressed to it. From the basic introduction to how Ethernet works in the second chapter, we know that when a device wants to send data to a target, it broadcasts it on the Ethernet. Every device connected to the Ethernet bus receives the data all the time, but normally passes only the data addressed to itself up to the applications on that computer.
With this feature, you can set your computer's network interface to accept all the data on the Ethernet bus, and so realize sniffing.
A sniffer generally runs on a router or on a host with router functions, so that a large amount of data can be monitored. Sniffing is a secondary attack: usually the attacker has already entered the target system and then uses a sniffer to get more information.
A sniffer can obtain not only passwords and user names but also other information, such as important or financial information transmitted over the network. It can capture almost any packet transmitted on the Ethernet. Hackers use various methods to gain control of the system and leave a backdoor for re-entry, thus ensuring that the sniffer keeps running. On the Solaris 2.x platform, the sniffer program is usually installed in the /usr/bin or /dev directory. Hackers will also cleverly modify the timestamps so that the sniffer program appears to have been installed at the same time as the other system programs.
Most Ethernet sniffer programs run in the background and write their results to a log file. Hackers often modify the ps program, making it difficult for system administrators to find the running sniffer.
The Ethernet sniffer sets the system's network interface to promiscuous mode. In this way it can listen to all the packets flowing through the same Ethernet segment, regardless of whether the host running the sniffer is their receiver or sender. The program stores the user names, passwords and other data the hacker is interested in into a log file. The hacker waits a while, say a week, and then comes back to download the recorded files.
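As an added example (not part of the original article), here is the defender-side check that follows from the paragraph above: since a sniffer must put the interface into promiscuous mode, and a tampered ps hides the process but not the interface flag, the interface flags are the place to look. The sample `ip -o link show` output and the /sys/class/net flag values below are constructed; IFF_PROMISC = 0x100 is the Linux interface-flag bit from <linux/if.h>.

```python
"""Report network interfaces that are in promiscuous mode.

Added example, not from the original article. Two sources are checked:
the flag list printed by `ip -o link show` and the hex word stored in
/sys/class/net/<iface>/flags. IFF_PROMISC (0x100) is the Linux flag bit
from <linux/if.h>. All sample data below is constructed.
"""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # interface passes every frame on the medium up to the OS

# Constructed `ip -o link show` output: one interface per line, flags inside <...>.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN "
    "mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 00:90:27:58:af:1a brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 08:00:20:79:5b:46 brd ff:ff:ff:ff:ff:ff\n"
)

# Constructed contents of /sys/class/net/<iface>/flags for the same interfaces.
# 0x1103 = IFF_UP | IFF_BROADCAST | IFF_PROMISC | IFF_MULTICAST; 0x1003 lacks PROMISC.
SAMPLE_SYSFS_FLAGS: Dict[str, str] = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}

# Matches "2: eth0: <BROADCAST,...>" and also "4: veth1@if3: <...>".
LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> List[str]:
    """Return the interface names whose flag list contains PROMISC."""
    names = []
    for line in output.splitlines():
        match = LINK_LINE.match(line)
        if match and "PROMISC" in match.group("flags").split(","):
            names.append(match.group("name"))
    return names


def promisc_from_sysfs(flags_by_iface: Dict[str, str]) -> List[str]:
    """Return the interface names whose flags word has the IFF_PROMISC bit set."""
    return [name for name, hexval in flags_by_iface.items() if int(hexval, 16) & IFF_PROMISC]


def read_live_sysfs_flags() -> Dict[str, str]:
    """Read the real /sys/class/net/*/flags on a Linux host (empty dict elsewhere)."""
    result: Dict[str, str] = {}
    base = "/sys/class/net"
    if not os.path.isdir(base):
        return result
    for name in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                result[name] = fh.read().strip()
        except OSError:
            continue
    return result


if __name__ == "__main__":
    print("PROMISC via ip link (sample):", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("PROMISC via sysfs (sample):  ", promisc_from_sysfs(SAMPLE_SYSFS_FLAGS))
    print("PROMISC on this host:        ", promisc_from_sysfs(read_live_sysfs_flags()))
```

A hit only tells you that something on the host is capturing: tcpdump and legitimate monitoring tools set the same flag, so correlate it with the process list and with recently written log files. An intruder with root can also clear the flag from inside the kernel, so this check is a first look from the host, not proof of absence.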
Having said that, in what plain words can a sniffer be described?
Computer networks differ from telephone circuits: computer networks share their communication channels. Sharing means that one computer can receive information sent to other computers. Capturing the data transmitted in a network is called eavesdropping.
Ethernet is the most widely used computer networking method. The Ethernet protocol sends packets to all hosts on the same segment. The packet header contains the address of the intended destination host, and normally only the host with that address accepts the packet. A host that receives all packets regardless of the address in the header is said to be in "promiscuous" mode.
Because in an ordinary network environment account numbers and passwords are transmitted in clear text on the Ethernet, once an intruder obtains root authority on one of the hosts and puts it into promiscuous mode to eavesdrop on network data, he may be able to invade every computer on the network.
In a word, sniffer is a tool for hacking and eavesdropping.
Second, the working principle of sniffer
Generally speaking, all network interfaces on the same network segment have the ability to access all data transmitted on the physical medium, and each network interface has a hardware address that differs from those of the other network interfaces on the network. At the same time, each network has at least one broadcast address (representing all interface addresses). Under normal circumstances, a legitimate network interface should respond only to two kinds of data frames:
1. Frames whose destination field contains a hardware address matching the local network interface.
2. Frames whose destination field contains the "broadcast address".
On receiving a frame of either kind, the network interface card (NIC) raises a hardware interrupt to the CPU, which gets the operating system's attention, and the data contained in the frame is passed to the system for further processing.
A sniffer is software that sets the local NIC to the promiscuous state. When the NIC is in this "promiscuous" mode, it behaves as if it had a "broadcast address": it raises a hardware interrupt for every frame it encounters, prompting the operating system to handle every packet flowing through the physical medium. (Most NICs can enter promiscuous mode.)
It can be seen that the sniffer works at the very bottom of the network environment and intercepts all the data being transmitted on the network. With suitable software processing, the content of this data can be analyzed in real time, and from it the state and overall layout of the network. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.
Generally speaking, what sniffers are used to look for can be divided into the following categories:
1. Passwords
I think this is the reason most illegal sniffers are used. A sniffer can record userids and passwords transmitted in clear text. Even if you encrypt data during network transmission, the data recorded by a sniffer may let an intruder try to crack your algorithm while eating kebabs at home.
2. Financial account numbers
Many users are comfortable using their credit cards or cash accounts online, but a sniffer can easily intercept the user's name, password, credit card number, expiration date, account number and the PIN transmitted online.
3. Peeking at confidential or sensitive information and data
By intercepting packets, intruders can easily record the transmission of sensitive information between others, or simply intercept an entire email conversation.
4. Spying on low-level protocol information
This is a terrible thing, I think: recording the underlying protocol information, such as the network interface addresses of two hosts, the remote network interface's IP address, IP routing information and the byte sequence numbers of TCP connections. If this information falls into the hands of an illegal intruder, it will do great harm to network security. Usually someone uses a sniffer to collect this information for only one reason: he is preparing a spoofing attack (IP address spoofing usually requires you to insert the byte sequence number of the TCP connection accurately, which will be pointed out in a later article). If someone cares about this problem, the sniffer is just a prelude for him, and the problems will be much bigger later on. For advanced hackers, I think this is the only reason to use a sniffer.
2. The working environment of the sniffer
A sniffer is a device that can capture network messages. The legitimate use of sniffers is to analyze network traffic in order to find potential problems in the network. For example, a certain network is not running well and messages are sent slowly, and we don't know where the problem lies; a sniffer can then be used to diagnose the problem accurately.
Sniffers differ a great deal in function and design. Some can analyze only one protocol, others may analyze hundreds. Generally speaking, most sniffers can analyze at least the following protocols:
1. Standard Ethernet
2.TCP/IP
3. IPX (Internetwork Packet eXchange)
4. DECnet
Sniffers are usually a combination of software and hardware. Dedicated sniffers are very expensive; free sniffers cost little but come with little support.
A sniffer is different from a keyboard capture program. A keyboard capture program captures the key values typed on a terminal, while a sniffer captures real network messages. The sniffer does this through the network interface card, for example by setting the Ethernet card to promiscuous mode. To understand promiscuous mode, first consider how a LAN works.
Data is transmitted on the network in small units called frames. A frame consists of several parts, and different parts perform different functions. (For example, the first 12 bytes of an Ethernet frame hold the source and destination addresses, which tell where the data came from and where it is going. The other parts of the Ethernet frame hold the actual user data, the TCP/IP header or IPX header, and so on.)
A frame is assembled by special software called the network driver and then sent onto the network wire through the network card. It travels over the cable to the destination machine, where the opposite process takes place: the Ethernet card of the receiving machine captures the frame, tells the operating system of its arrival, and then stores it. It is in this process of transmission and reception that the sniffer causes security problems.
Each workstation on the LAN has its own hardware address. These addresses uniquely identify the machines on the network (similar to the Internet address system). When a user sends a message, it is sent to all the machines on the LAN.
Under normal circumstances, all machines on the network can "hear" the passing traffic, but they do not respond to messages that do not belong to them (in other words, workstation A does not capture data belonging to workstation B; it simply ignores it).
If a workstation's network interface is in promiscuous mode, it can capture all messages and frames on the network. A workstation configured in this way (including its software) is a sniffer.
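The following is an added example, not code from the original article, that puts the two acceptance rules from the "working principle" section and the frame layout from the paragraphs above into a runnable model: a few Ethernet frames are constructed in memory with `struct` (no real interface is touched), and the same segment is filtered once as a NIC in normal mode and once in promiscuous mode. The hosts, IP addresses and payloads are constructed; the MAC addresses reuse the values that appear later in the article's tcpdump output. Only the two cases the text names (own unicast address, broadcast) are modelled for normal mode.

```python
"""Model of which Ethernet frames a NIC hands up to the operating system.

Added example, not from the original article. Frames are built in memory
with struct; nothing is sent or captured on a real interface. In normal
mode a NIC accepts frames addressed to its own hardware address or to the
broadcast address; in promiscuous mode it accepts every frame.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH,ACK) with zero checksums; enough for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 8760, 0, 0)
    total_len = 20 + len(tcp) + len(data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return ip + tcp + data


def build_frame(dst_mac: str, src_mac: str, ethertype: int, body: bytes) -> bytes:
    """Ethernet II header: 6 bytes destination, 6 bytes source, 2 bytes type."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + body


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str]
    dst_ip: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, for IPv4/TCP, the addresses, ports and data."""
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    body = raw[14:]
    src_ip = dst_ip = sport = dport = None
    payload = body
    if ethertype == ETH_P_IP and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4                     # IPv4 header length in bytes
        src_ip, dst_ip = ip_text(body[12:16]), ip_text(body[16:20])
        payload = body[ihl:]
        if body[9] == 6 and len(payload) >= 20:        # protocol 6 = TCP
            sport, dport = struct.unpack("!HH", payload[0:4])
            data_offset = (payload[12] >> 4) * 4
            payload = payload[data_offset:]
    return Frame(mac_text(dst), mac_text(src), ethertype, src_ip, dst_ip, sport, dport, payload)


def nic_accepts(raw: bytes, local_mac: str, promiscuous: bool) -> bool:
    """Normal mode: own unicast address or broadcast only. Promiscuous: everything."""
    if promiscuous:
        return True
    return mac_text(raw[0:6]) in (mac_text(mac_bytes(local_mac)), BROADCAST_MAC)


def capture(segment: List[bytes], local_mac: str, promiscuous: bool) -> List[Frame]:
    """What the operating system on `local_mac` gets to see of the segment's traffic."""
    return [parse_frame(f) for f in segment if nic_accepts(f, local_mac, promiscuous)]


# Constructed hosts sharing one segment (MACs taken from the article's tcpdump output).
H219_MAC, H219_IP = "08:00:20:79:5b:46", "210.27.48.1"
ICE_MAC, ICE_IP = "00:90:27:58:af:1a", "210.27.48.2"
SNIFFER_MAC, SNIFFER_IP = "00:90:27:12:10:66", "210.27.48.3"

SEGMENT: List[bytes] = [
    # telnet traffic between two other hosts, carrying a constructed cleartext login prompt
    build_frame(ICE_MAC, H219_MAC, ETH_P_IP,
                build_tcp_segment(H219_IP, ICE_IP, 33357, 23, b"login: alice\r\n")),
    # ARP request: broadcast, so every NIC on the segment passes it up
    build_frame(BROADCAST_MAC, H219_MAC, ETH_P_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    # ordinary traffic addressed to the third host itself
    build_frame(SNIFFER_MAC, ICE_MAC, ETH_P_IP,
                build_tcp_segment(ICE_IP, SNIFFER_IP, 40000, 80, b"GET / HTTP/1.0\r\n")),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = capture(SEGMENT, SNIFFER_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} of {len(SEGMENT)} frames reach the OS")
        for fr in seen:
            print(f"  {fr.src_mac} -> {fr.dst_mac} type=0x{fr.ethertype:04x} "
                  f"{fr.src_ip}:{fr.sport} -> {fr.dst_ip}:{fr.dport} data={fr.payload!r}")
```

In normal mode the third host sees only the ARP broadcast and the frame addressed to it; in promiscuous mode the telnet frame between the other two hosts, including its cleartext payload, is delivered as well. That difference is the whole reason the article's remedies (encrypted protocols, watching for promiscuous interfaces) matter.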
Possible hazards caused by sniffers:
1. The sniffer can capture the password.
2. Be able to capture private or confidential information.
3. It can be used to endanger the security of network neighbours or to gain a higher level of access.
In fact, if there is an unauthorized sniffer on your network, it means that your system has already been exposed to others. (You can try the sniffing function of Skywalker 2.)
Usually only the first 200 to 300 bytes of each message are sniffed. The user name and password are contained in this part, which is what we really care about. One can also sniff all messages on a given interface; given enough space for storage and processing, other very interesting things will turn up...
Simply placing a sniffer anywhere is useless. Placed near the attacked machine or network, it will capture many passwords. An even better place is the gateway, where the authentication traffic between this network and other networks can be captured, which multiplies the range that can be attacked.
3. Who can use a sniffer?
Maybe everyone knows who uses sniffers, but not everyone who uses a sniffer is a network expert, because many sniffers have become foolproof now, and the oicq sniffer has been the most used one recently. Those friends who like to look up their friends' IPs will remember it. Hehe, I used it too, but of course I don't need it now!
Of course, system administrators use sniffers to analyze the network's information flow and find out where the problem lies. A security administrator can use several sniffers at the same time, spread across the network, to form an intrusion alarm system. The sniffer is a very good tool for system administrators, but it is also a tool often used by hackers. Hackers install sniffers to obtain user names and accounts, credit card numbers, personal information and other data. If this develops badly, it will do great harm to you or your company. With this information, hackers use the passwords to attack other sites and even resell the credit card numbers.
3. How is the sniffer implemented on the network?
Before discussing this, we should also talk about Ethernet communication. Generally speaking, all network interfaces on the same network segment have the ability to access all data transmitted on the medium, and each network interface has a hardware address that differs from those of the other network interfaces on the network. At the same time, each network has at least one broadcast address. Under normal circumstances, a legitimate network interface should respond only to two kinds of data frames:
1. Frames whose destination field contains a hardware address matching the local network interface.
2. Frames whose destination field contains the "broadcast address".
On receiving a frame of either kind, the network card raises a hardware interrupt to the CPU. The interrupt gets the operating system's attention, and the data contained in the frame is passed to the system for further processing. A sniffer is software that sets the local network card to promiscuous mode. When the network card is in promiscuous mode, it behaves as if it had a "broadcast address" and raises a hardware interrupt for every frame it encounters, prompting the operating system to process every packet. (Most network cards can be set to promiscuous mode.)
It can be seen that the sniffer works at the very bottom of the network environment and intercepts all the data being transmitted on the network. With suitable software processing, the content of this data can be analyzed in real time, and from it the state and overall layout of the network. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.
4. Where can I get a sniffer?
The sniffers we are talking about are mainly used under unix systems; those oicq sniffers are beyond our discussion.
Sniffing is one of the intrusion methods hackers use most. You can run a sniffer on a network you are authorized to monitor to learn how effectively it can compromise the security of the local machines.
A sniffer can be hardware or software. At present software sniffers are the most diverse and widely used, and most hackers use them.
Here are some sniffer tools that are also widely used to debug network faults:
(1) Commercial sniffers:
1. Network General
Network General has developed a variety of products. The most important is the Expert Sniffer, which can not only sniff but also send and receive packets through a high-performance dedicated system to help diagnose faults. Another enhanced product, the Distributed Sniffer System, can use UNIX workstations as sniffer consoles and distribute sniffer agents to remote hosts.
2. Microsoft's Network Monitor
For some commercial sites it may be necessary to run several protocols at the same time: NetBEUI, IPX/SPX, TCP/IP, 802.3 and SNA. In that case it is hard to find a sniffer that helps solve network problems, because many sniffers treat some valid protocol packets as errors. Microsoft's Network Monitor (formerly called Bloodhound) solves this problem. It correctly distinguishes NetWare control packets, NT NetBIOS name service broadcasts and other special packets. (etherfind only recognizes these packets as broadcast packets of type 0000.) This tool runs on the MS Windows platform. It can even monitor network statistics and session information by MAC address (or host name). Just click on a session to get output in the standard tcpdump format. Setting a filter is also very simple: just click on the host to be monitored in a dialog box.
(2) Free sniffers:
1. sniff: developed by Lawrence Berkeley Lab, it runs on Solaris, SGI and Linux platforms. You can choose source and destination addresses or address sets, and also the listening port, protocol and network interface. By default this sniffer accepts only the first 400 bytes of each packet, which is just right for a login session.
2. Snort: this sniffer has many options and is portable. It can record connection information to track network activity.
3. TCPDUMP: this sniffer is very famous; Linux and FreeBSD even ship it with the system. Many UNIX experts consider it a professional network management tool. I remember that Tsutomu Shimomura recorded Kevin Mitnick's attack on his system with his modified version of TCPDUMP. Later he cooperated with the FBI and caught Kevin Mitnick, and he wrote an article using these logs to describe the attack: how Mitnick hacked Tsutomu Shimomura with an IP sequence attack.
(/~lspitz/snoop.html
(4) Sniffer tools under Linux
For sniffing under Linux, I recommend tcpdump.
[1]. Installing tcpdump
Installing tcpdump under linux is very simple, and there are generally two ways: installing from an rpm package, or installing from the source program.
1. Installing from the rpm package
This is the simplest installation method. The rpm package contains the compiled software in binary form and can be installed directly with the rpm command; nothing needs to be modified. Log in as the superuser and use the following command:
# rpm -ivh tcpdump-3_4a5.rpm
In this way tcpdump is installed in your linux system. How about that? It's simple.
2. Installing from the source program
Since installing the rpm package is so simple, why use the more complicated source installation? In fact, one of the biggest attractions of linux is that the source of much of its software is available, and people can modify the source programs to meet their special needs. Therefore, I especially recommend that friends adopt the source installation method.
The first step is to get the source program. To install from source, we must first obtain the tcpdump source distribution. It comes in two forms: a tar compressed package (tcpdump-3_4a5.tar.Z) and an rpm source package (tcpdump-3_4a5.src.rpm). The contents of the two forms are the same; the only difference is the packaging. The tar package can be unpacked with the following command:
# tar xvfz tcpdump-3_4a5.tar.Z
The rpm source package can be installed with the following command:
# rpm -ivh tcpdump-3_4a5.src.rpm
In this way, the source code of tcpdump is extracted into the /usr/src/redhat/SOURCES directory.
The second step is to prepare for compiling the source program.
Before compiling the source program, make sure that the library libpcap, which tcpdump needs, has been installed. Similarly, you should have a standard C compiler; under linux this is generally gcc. In the tcpdump source directory there is a file Makefile.in, from which the configure command automatically generates the Makefile. In Makefile.in you can modify the macro definitions of BINDEST and MANDEST according to your system configuration. The default values are:
BINDEST = @sbindir@
MANDEST = @mandir@
The first macro gives the path where the tcpdump binary is installed, and the second the path of the tcpdump man page. You can modify them to suit the system.
The third step is to compile the source program.
Run the configure script in the source directory; it reads the required properties from the system and automatically generates the Makefile from Makefile.in. Use the make command to compile the tcpdump source according to the rules in the Makefile, and make install to install the compiled tcpdump binary.
To sum up:
# tar xvfz tcpdump-3_4a5.tar.Z
# vi Makefile.in
# ./configure
# make
# make install
[2]. Using tcpdump
tcpdump is a command-line tool; its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
[-i interface] [-r file] [-s snaplen]
[-T type] [-w file] [expression]
1. tcpdump options
-a convert network addresses and broadcast addresses into names;
-d print the code of the matching packets in a human-readable assembler-like format;
-dd print the code of the matching packets as a C program fragment;
-ddd print the code of the matching packets in decimal form;
-e print the data link layer header on each output line;
-f print foreign Internet addresses numerically;
-l make standard output line-buffered;
-n do not convert network addresses into names;
-t do not print a timestamp on each output line;
-v output slightly more detailed information, such as the ttl and type-of-service fields that an ip packet can carry;
-vv output fully detailed message information;
-c stop after receiving the specified number of packets;
-F read the expression from the specified file and ignore expressions given elsewhere;
-i specify the network interface to listen on;
-r read packets from the specified file (generally produced with the -w option);
-w write packets directly to the file without analyzing and printing them;
-T interpret the captured messages directly as the specified type; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
2. tcpdump expressions
The expression is the filter condition tcpdump uses to select messages. If a message satisfies the expression, it is captured; if no expression is given, all packets on the network are captured.
There are usually several kinds of keywords in an expression. The first kind specifies a type, mainly host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, and net 202.0.0.0 means that 202.0.0.0 is a network address. If no type is specified, the default type is host.
The second kind specifies the direction of transmission, mainly src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means that the source address in the ip packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, it defaults to src or dst.
The third kind is protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi denotes the specific network protocol on FDDI (Fiber Distributed Data Interface), but it is actually an alias for "ether": fddi and ether have similar source and destination addresses, so FDDI protocol packets can be processed and analyzed like ether packets. The other keywords denote the protocol of the monitored packets. If no protocol is specified, tcpdump listens for packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operations: negation is 'not' or '!', and is 'and' or '&&', and or is 'or' or '||'.
These keywords can be combined to form a powerful combination condition to meet people's needs. Here are a few examples to illustrate.
(1) Capture all packets sent and received by host 210.27.48.1:
# tcpdump host 210.27.48.1
(2) To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (when using parentheses on the command line,
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
(3) To get the ip packets exchanged between host 210.27.48.1 and all hosts except 210.27.48.2, use the following command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To get the telnet packets received or sent by host 210.27.48.1, use the following command:
# tcpdump tcp port 23 and host 210.27.48.1
3. tcpdump output
Below we introduce the output of several typical tcpdump commands.
(1) Data link layer header information
Use the command: # tcpdump -e host ice
ice is a linux host whose MAC address is 0:90:27:58:af:1a.
h219 is a SUN workstation whose MAC address is 8:0:20:79:5b:46. The output of the command is as follows:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time, 847509 is the ID number, eth0 indicates the network interface on which the packet was seen, 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet comes from source host h219, and 0:90:27:58:af:1a is the MAC address of host ice, indicating that the destination of the packet is ice. h219.33357 > ice.telnet means that the packet is sent from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 indicates an acknowledgement of the packet with sequence number 22535. win 8760 indicates that the send window size is 8760.
(2) tcpdump output of ARP messages
Use the command: # tcpdump arp
The output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0 > indicates that the packet was sent from this host, arp indicates an ARP request packet, and who-has route tell ice indicates that host ice is requesting the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ice.
(3) Output of TCP packets
The general output of TCP packets captured by tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst: from the source address to the destination address; flags is the flag information in the TCP packet: S (SYN), F (FIN), P (PUSH), R (RST) or "." (no flags set); data-seqno is the sequence number of the data in the packet; ack is the next expected sequence number; window is the window size of the receive buffer; urgent indicates whether there is an urgent pointer in the packet; options are the TCP options.
(4) Output of UDP packets
The general output of UDP packets captured by tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple. The output line above shows a UDP packet sent from port1 of host route to port2 of host ice; the type is udp and the packet length is length. That concludes the introduction to installing and using tcpdump; I hope it helps everyone. To use the sniffer tool tcpdump skillfully under Linux, you need to build up experience in practice and give full play to its power.
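As an added example, not from the original article, the following parses TCP output lines in the layout just described (src > dst: flags data-seqno ack window urgent options) and puts the result to a defender's use: listing connections opened to services that carry credentials in the clear, and counting connection attempts per source host. The regular expression and helpers are mine, the sample lines are constructed to follow that layout (with the tcpdump 3.x style S, P and "." flag letters) rather than taken from a real capture, and the set of services treated as cleartext is an assumption for the demonstration.

```python
"""Parse classic tcpdump TCP output lines:

    src > dst: flags data-seqno ack window urgent options

Added example, not from the original article. SAMPLE_LINES is constructed
to follow that layout; CLEARTEXT_SERVICES is an assumed list of services
that send credentials unencrypted.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample capture: a telnet session, an ssh connection attempt and one UDP line.
SAMPLE_LINES: List[str] = [
    "21:50:12.847509 h219.33357 > ice.telnet: S 1234567:1234567(0) win 8760 <mss 1460> (DF)",
    "21:50:12.848001 ice.telnet > h219.33357: S 7654321:7654321(0) ack 1234568 win 8760 <mss 1460> (DF)",
    "21:50:12.848500 h219.33357 > ice.telnet: . ack 1 win 8760 (DF)",
    "21:50:13.100000 h219.33357 > ice.telnet: P 1:7(6) ack 1 win 8760 (DF)",
    "21:50:13.100400 ice.telnet > h219.33357: P 1:13(12) ack 7 win 8760 (DF)",
    "21:50:30.000000 h219.40001 > ice.ssh: S 111:111(0) win 8760 <mss 1460> (DF)",
    "21:50:31.000000 route.1234 > ice.53: udp 40",
]

# timestamp, "src.port > dst.port:", flag letters, optional seq:end(len), optional ack, optional win
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>[\w-]+):\s+"
    r"(?P<flags>[SFPR.]+)\s*"
    r"(?:(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?\s*"
    r"(?:ack\s+(?P<ack>\d+))?\s*"
    r"(?:win\s+(?P<win>\d+))?"
)

# Assumption for the demo: services whose logins travel in clear text.
CLEARTEXT_SERVICES = {"telnet", "23", "ftp", "21", "pop3", "110"}


def parse_tcp_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one TCP line, or None for non-TCP lines (arp, udp, ...)."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"], "src": g["src"], "sport": g["sport"],
        "dst": g["dst"], "dport": g["dport"], "flags": g["flags"],
        "seq": int(g["seq"]) if g["seq"] else None,
        "len": int(g["len"]) if g["len"] else 0,
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
    }


def is_initial_syn(p: Dict[str, object]) -> bool:
    """A SYN without an ack opens a connection; the SYN/ACK reply carries an ack."""
    return "S" in str(p["flags"]) and p["ack"] is None


def cleartext_sessions(lines: List[str]) -> Set[Tuple[str, str, str]]:
    """(src, dst, service) for every connection opened to a cleartext service."""
    found: Set[Tuple[str, str, str]] = set()
    for line in lines:
        p = parse_tcp_line(line)
        if p and is_initial_syn(p) and p["dport"] in CLEARTEXT_SERVICES:
            found.add((str(p["src"]), str(p["dst"]), str(p["dport"])))
    return found


def syn_counts(lines: List[str]) -> Counter:
    """Connection attempts per source host; a sudden spike is worth a look."""
    counts: Counter = Counter()
    for line in lines:
        p = parse_tcp_line(line)
        if p and is_initial_syn(p):
            counts[str(p["src"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tcp_line(line))
    print("cleartext logins:", sorted(cleartext_sessions(SAMPLE_LINES)))
    print("SYNs per source:", dict(syn_counts(SAMPLE_LINES)))
```

Run over a real tcpdump log (one line per packet, no -v), the cleartext list tells you which hosts still use the very protocols the article says a sniffer is after, which is the list to migrate to ssh or another encrypted service first.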
(5) Sniffers on the Windows platform
I recommend NetXRay and Sniffer Pro. Everyone must have used them; here is a brief introduction.
Instructions for using NetXRay
Hosts 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4 form a local area network connected through a shared hub.
5.5.5.5 is a host with port 8080.
Start capturing,