The Scent of a Password
networknewz.com


03.05.01
Only a few years ago, the threat of a hacker being able to actually intrude and affect a network was much less likely than today. Now, with so many companies utilizing an internet presence, and so many home and small office networks using always-on connections, hackers have literally millions of targets. As a demonstration of some of the free tools available to hackers and the complexity of such tools, I conducted a small experiment. I spent less than ten minutes searching the internet before finding a powerful and potentially malicious tool. Please read on and, as always, if you have any questions or suggestions for topics for articles, let me know.

Jay Fougere
NetworkNewz Editor

Before we get started, I would like to say that today's article deals with some sensitive security issues. In light of that, let me issue a warning. The purpose of this article is for the education of Network Engineers and System Administrators and is not meant to be a guide for any illegal use. Before you install and run this type of software, be sure that you have the proper authorization to do so.

Now that we have gotten that out of the way, let's see how easy it is for a hacker to "sniff" packets on your network and what those packets can reveal. This is just an overview and does not discuss encryption; many sources on the internet cover different facets of this topic and will even provide encryption algorithms, etc. This discussion will focus on plain text information found in the header of a network packet; however, one can imagine the vulnerabilities that could be exposed by a hacker with knowledge of encryption technologies.

First of all, what is a packet sniffer? A packet sniffer is a combination of software and a network card (NIC) utilizing a special driver. The result of this combination is the ability to read information contained within all network packets traversing a local subnet. The program that I am going to discuss is free and easy to use. That is why you should be concerned. Anyone with limited network knowledge and access to your network can utilize these tools to effectively strip network packets of potentially sensitive data while remaining undetected, unless you have installed software somewhere on the network aimed at detecting such intrusions. Software is also available that will hide promiscuous sniffers from sniffer-detecting software.

Another interesting point to keep in mind is that oftentimes a hacker will install this type of software on a machine on your network that has already been compromised by a program such as Back Orifice. This way he can scan your local subnet from afar by using your own machine(s) against you. Once a series of packets (or a "capture") has been captured, the intruder can then send the capture to himself via email or a free "X-drive" on the internet. Once the hacker has the capture, he can then utilize decryption technologies to translate encrypted information on his own system. Once the hacker has one Administrator or Root password, your entire network has been compromised.

I understand that Network Monitor, which is packaged with Windows 2000, can reveal much the same information as the scanner I found. My argument is that few people have access to Network Monitor while anyone with an internet connection has access to the scanner program. Also, I found this program to be easier to use than Network Monitor.

The first thing that we need to do is obtain the software and the packet driver. The packet driver is a specialized network driver that will let your NIC operate in promiscuous mode. Promiscuous mode is a mode in which the network card will listen to all network traffic on a subnet and has the ability to "capture" all packets traversing that subnet. The program that I will be discussing is called analyzer.exe, was written by Piero Viano, and can be found here. While you are there, do not forget to pick up your packet driver. Most of the documentation on the program is written in Italian; however, it is intuitive enough that documentation should not be necessary.


Once you have downloaded the driver and the software you will need to install the packet driver. The procedure outlined is for Windows 2000 but should be similar on other versions of Windows.

  1. Unzip the driver to a directory that you can find later.
  2. Right-click "My Network Places" or "Network Neighborhood" and select properties.
  3. Right-click Local Area Connection (on the network card associated with the subnet that you will want to be "sniffing" on, if you have more than one card in your machine) and select properties.
  4. On the Local Area Connection dialog box press Install.
  5. On the Select Network Component Type dialog box select protocol and then press add.
  6. On the Select Network Protocol dialog box select "have disk" and browse to your packet driver. Press OK on all dialog boxes/windows.

That's it, you have installed the packet driver. Now you will need to reboot. If you have more than one NIC, you can repeat the above process as many times as is necessary. Once you have rebooted, simply run the self-extracting executable (analyzer.exe) which will install the program folder to c:\program files\analyzer by default. Please note that the executable does not show up on your start menu. You will have to go to the folder (in program files) and run the program from there. You could also make a shortcut to the executable on your desktop.

Next, simply run the executable (which is, coincidentally, named analyzer.exe but is not the same as the one that you downloaded). You will be prompted to pick a network adapter (if you have more than one, be sure to pick the one that you installed the packet driver on and that is in the subnet you want to observe) and then you are ready to capture. If you can, set up a small test network (two machines is enough). Try different types of communications between machines and then go back and look at the captures that you have obtained. You will be amazed at the information that is passed around the network in plain text. Usernames, machine names, shares; all are visible as plain text in the headers of packets. Here in the office, while experimenting on a very small subnet (5 machines), one of my fellow employees was accessing his personal website. The URL and all usernames and passwords that he used were plainly visible in the headers of some packets. Pretty scary, huh?

Before I start a panic, let me point out some limitations of these types of programs. Primarily, they only work on the subnet on which they are physically located. This means that if you are behind any type of firewall, the invading sniffer will have to be installed on a machine on your subnet; not impossible, but difficult to do. Also, the sniffer is passive. You cannot direct it to sniff packets on another subnet. What this means is that a hacker cannot listen to the entire internet or to your entire network if your network is routed. He can only capture packets on the segment to which he is directly connected.

By doing this type of surveillance yourself, you can determine which encryption technologies you should be using with which services on your network. Any sensitive data should be passed using the strongest authentication and encryption technologies that are practical. Services that cannot be made secure should be replaced with those that can. Remember, it is very easy for a hacker to infiltrate and observe your network. This is information warfare - you will need knowledge of the strengths and weaknesses of the enemy's weapons in order to remain unscathed and to ultimately remain secure.
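
The audit described above, as an added example that is not part of the original article: a Python script that scans TCP payloads captured on your own test network and reports which servers and ports accept credentials in plain text, without printing the credentials themselves. The sample payloads, addresses and pattern list are constructed for illustration, and the FTP and POP3 patterns go beyond the web login the article mentions.

```python
import re
from collections import Counter

# Patterns that mark a credential sent in the clear. Only the kind of exposure
# is reported; the captured secret is never stored or printed.
CLEARTEXT_AUTH = [
    ("HTTP Basic auth", re.compile(rb"^Authorization:\s*Basic\s+\S+", re.I | re.M)),
    ("HTTP form password", re.compile(rb"(?:^|[&\r\n])(?:pass(?:word|wd)?|pwd)=[^&\s]+", re.I)),
    ("FTP/POP3 PASS command", re.compile(rb"^PASS\s+\S+", re.I | re.M)),
]

def looks_like_tls(payload: bytes) -> bool:
    """TLS records start with a content type (20-23) and major version 3."""
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3

def audit(segments):
    """segments: iterable of (server_ip, server_port, tcp_payload_bytes).
    Returns {(server_ip, server_port, finding): number_of_segments}."""
    findings = Counter()
    for server, port, payload in segments:
        if looks_like_tls(payload):
            continue  # encrypted session: nothing readable to a sniffer
        for label, pattern in CLEARTEXT_AUTH:
            if pattern.search(payload):
                findings[(server, port, label)] += 1
    return dict(findings)

# Constructed client-to-server payloads (not real traffic).
SAMPLE = [
    ("192.0.2.10", 21, b"USER alice\r\n"),
    ("192.0.2.10", 21, b"PASS example-secret\r\n"),
    ("192.0.2.20", 80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic ZGVtbzpkZW1v\r\n\r\n"),
    ("192.0.2.20", 80, b"POST /login HTTP/1.0\r\nContent-Length: 27\r\n\r\nuser=bob&password=example\r\n"),
    ("192.0.2.30", 110, b"PASS example-secret\r\n"),
    ("192.0.2.40", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b"),
    ("192.0.2.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for (server, port, label), n in sorted(audit(SAMPLE).items()):
        print(f"{server}:{port}  {label}  ({n} segment(s))")
```

Each server and port in the result is a service to move to an encrypted equivalent or to replace.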

Good luck, and remember to be ethical in your use of this information.

 ©2001 iEntry Inc. All Rights Reserved