Detecting sniffers with ARP: catching the ghost that steals corporate secrets



On a LAN, a sniffer is a serious threat: a malicious user can read confidential documents and personal data. Sniffer software is freely downloadable from the Internet and easy to install on a PC, yet so far there is no good way to tell which PC has a sniffer installed. This article discusses the use of ARP packets to detect malicious users sniffing on company and school LANs.

Promiscuous mode: the back door sniffers use to steal information

LANs are usually built on Ethernet. IPv4 over Ethernet transmits data in the clear unless encryption software is used. When a user sends information onto the network, he expects only the intended recipient to receive it. Unfortunately, Ethernet lets unauthorized users eavesdrop on that information.

In Ethernet, a frame is delivered to every node on the segment; some nodes accept it and others simply discard it. Whether a frame is accepted or discarded is controlled by the network card. Even though it is attached to the Ethernet, a NIC does not accept every frame on the LAN; rather, it filters out frames that are not meant for it. In this article we call this filter the NIC's hardware filter. A sniffer puts the NIC into a special mode in which it accepts every incoming frame, regardless of whether the frame's destination address is its own. This mode is called promiscuous mode.

A sniffer only receives frames; it does not send illegitimate ones. It therefore does not disturb normal network operation, and this malicious behaviour is hard to detect. Even so, promiscuous mode differs clearly from normal mode: frames that should have been filtered out are allowed to reach the kernel. Whether the kernel responds to them depends on the operating system.

The fatal weakness of the sniffer

Let us illustrate the promiscuous mode test with a real-world analogy. Suppose a meeting is in progress in a room, and an eavesdropper presses his ear to the wall outside. While he listens he holds his breath and quietly follows every conversation in the room. But if someone inside calls out his name, "MR. **?", the eavesdropper may sometimes answer "YES!" The analogy seems absurd, but it is exactly what is used to detect sniffing on a network. Because a sniffer receives every frame, including those not addressed to it, the NIC may incorrectly respond to a frame that should have been filtered out. Our promiscuous mode test is therefore based on the following: send an ARP request to every node on the network and check whether an ARP response comes back.

To explain the principle, we start with the difference between promiscuous mode and normal mode. Every NIC has a 6-byte Ethernet hardware address, assigned by the manufacturer; each address is unique, so in theory no two NICs share a hardware address. Ethernet exchanges information on the basis of these hardware addresses. To receive different kinds of frames, the NIC provides several filtering mechanisms, listed below:

Unicast (UNICAST)

Receives every frame whose destination address equals the NIC's own hardware address.

Broadcast (BROADCAST)

Receives every broadcast frame. A broadcast frame has the destination address FFFFFFFFFFFF. This mode exists so that frames meant for every node on the network can be received.

Multicast (MULTICAST)

Receives frames addressed to multicast groups that have been registered in advance. Only frames for pre-registered groups are accepted by the card.

All multicast (ALL MULTICAST)

Receives every multicast frame. This mode is associated with the upper-layer protocol; it accepts every frame whose multicast (group) bit is set to 1.

Promiscuous (PROMISCUOUS)

Receives every frame, regardless of its destination address.

The figure shows how the hardware filter operates in normal mode and in promiscuous mode. Typically the NIC's hardware filter is set to unicast, broadcast and one multicast group: the card accepts only frames whose destination is its own hardware address, the broadcast address (FF:FF:FF:FF:FF:FF) or multicast address 1 (01:00:5E:00:00:01).

Using ARP packets to identify nodes in promiscuous mode

As stated above, a NIC in promiscuous mode filters frames differently from one in normal mode: frames that would otherwise have been dropped are allowed to reach the kernel. Using this, we build a new mechanism for detecting promiscuous nodes: construct an ARP request whose destination address is not the broadcast address, send it to every node on the network, and if any node responds, that node is working in promiscuous mode.

First, a brief look at how a normal ARP request and response work. To resolve 192.168.1.10, an ARP request packet is generated. Its destination address is the broadcast address, so every node on the network receives it. In principle, only the node whose IP address matches responds.

What happens, however, if the destination address of the ARP request is set to a non-broadcast address, for example 00-00-00-00-00-01? When the NIC is in normal mode, the frame is treated as a "TO OTHERHOST" frame and is rejected by the hardware filter. If the NIC is in promiscuous mode, it performs no filtering, so the frame is allowed to reach the kernel. One would expect the kernel to treat it as an ARP request for the PC's own IP address and respond to it. Curiously, the kernel does not in fact respond (see below). This surprising result shows that the kernel has a filtering mechanism of its own, since the frame was evidently filtered inside the kernel. We call this filtering the software filter.

Promiscuous mode detection is thus achieved by exploiting the difference between the hardware filter and the software filter. The hardware filter usually blocks frames not meant for the host, and a frame that passes the hardware filter normally passes the software filter as well. What we want is a frame that the hardware filter rejects but the software filter lets through. When such a frame is sent, a NIC in normal mode does not respond, while a NIC in promiscuous mode does.

Cracking the sniffer: the software filter

The software filter is implemented in the operating system kernel, so to understand it one must understand how the kernel works. Linux is open source, so its software filtering mechanism can be read directly. Windows source code is not open, so its software filter can only be inferred from experiments.

1) LINUX

The Ethernet module in Linux divides frames into the following categories according to destination address:

BROADCAST PACKETS:

FF:FF:FF:FF:FF:FF

MULTICAST PACKETS:

Frames other than broadcast frames whose group bit is set.

TO_US PACKETS:

Frames whose destination address equals the NIC's hardware address.

OTHERHOST PACKETS:

Frames whose destination address differs from the NIC's hardware address.

Here we assume that a frame whose group bit is set to 1 is a MULTICAST packet. The Ethernet address corresponding to an IP multicast packet is 01-00-5E-**-**-**, so one might think that MULTICAST packets should not be distinguished by the group bit alone. In fact the assumption is correct, because 01-00-5E-**-**-** is specific to IP networks, whereas the NIC's hardware address can also be used by other upper-layer protocols.

Next, the Linux ARP module. The ARP module rejects all OTHERHOST packets and responds to BROADCAST, MULTICAST and TO_US packets. A response therefore depends on both the hardware filter and the software filter. The table below shows what the hardware filter and the software filter do with six different kinds of destination address sent to the NIC:

                          GR BIT   NORMAL MODE                    PROMISCUOUS MODE
                                   HW FILTER  SW FILTER  RES      HW FILTER  SW FILTER  RES
TO_US                     OFF      PASS       PASS       Y        PASS       PASS       Y
OTHERHOST                 OFF      REJECT     -          N        PASS       REJECT     N
BROADCAST                 ON       PASS       PASS       Y        PASS       PASS       Y
MULTICAST (IN THE LIST)   ON       PASS       PASS       Y        PASS       PASS       Y
MULTICAST (NOT IN LIST)   ON       REJECT     -          N        PASS       PASS       Y
GROUP                     ON       REJECT     -          N        PASS       PASS       Y

TO_US PACKETS:

In normal mode, all TO_US packets pass the hardware filter and also the software filter, and the ARP module responds to them, whether or not the NIC is in promiscuous mode.

OTHERHOST PACKETS:

In normal mode, the NIC rejects OTHERHOST packets. Even in promiscuous mode, the software filter rejects this kind of packet, so the ARP request is not answered.

BROADCAST PACKETS:

In normal mode, BROADCAST packets pass both the hardware filter and the software filter, so the packet is answered whatever mode the NIC is in.

MULTICAST PACKETS:

In normal mode, packets whose group address is not in the pre-registered list are rejected. In promiscuous mode, however, such a packet passes the hardware filter, and because the software filter does not reject it either, a response is generated. The NIC therefore produces different results in the two modes.

GROUP BIT PACKETS:

A packet that is neither BROADCAST nor MULTICAST but has the group bit set. In normal mode the NIC rejects such a packet; in promiscuous mode it is passed, and because the software filter treats it as a multicast packet, it passes the software filter too. A packet with the group bit set to 1 can therefore be used to detect promiscuous mode.

2) WINDOWS

Windows is not an open-source operating system, so we cannot analyze its software filter from the source code. Instead, the software filter can only be tested experimentally. The following seven addresses were used for Windows:

FF-FF-FF-FF-FF-FF BROADCAST ADDRESS:

Every node receives this kind of packet and responds to it. Normal ARP requests use this address.

FF-FF-FF-FF-FF-FE FAKE BROADCAST ADDRESS:

A fake broadcast address whose last bit is 0. It is used to check whether the software filter inspects every bit of the address; if it does not, the host responds to this packet.

FF-FF-00-00-00-00 FAKE BROADCAST 16 BITS:

A fake broadcast address in which only the first 16 bits are set. It may be taken for a broadcast address, and a host responds to it if its filtering mechanism checks only the first 16 bits.

FF-00-00-00-00-00 FAKE BROADCAST 8 BITS:

A fake broadcast address in which only the first 8 bits are set. It may be taken for a broadcast address, and a host responds to it if its filtering mechanism checks only the first 8 bits.

01-00-00-00-00-00 GROUP BIT ADDRESS:

An address with only the group bit (bit 1 of the first byte) set, used to check whether it is taken for a multicast address.

01-00-5E-00-00-00 MULTICAST ADDRESS 0:

MULTICAST ADDRESS 0 is not normally used, so we treat it as a group address that is not in the registered list. The hardware filter rejects these packets. The software filter, however, mistakes the packet for a multicast packet because it does not check all the bits. So when the NIC is in promiscuous mode, the kernel responds to this packet.

01-00-5E-00-00-01 MULTICAST ADDRESS 1:

MULTICAST ADDRESS 1 represents all hosts on the LAN subnet, so by default the hardware filter passes this kind of packet. One possibility remains, however: if the NIC does not support multicast mode, the host does not respond to this packet. This packet can therefore be used to check whether the host supports multicast addresses.

Conclusion: different systems behave differently

HW ADDR              WINDOWS 9x/ME      WINDOWS 2K/NT4     LINUX 2.2/2.4
                     NORMAL   PROMIS    NORMAL   PROMIS    NORMAL   PROMIS
FF:FF:FF:FF:FF:FF    RES      RES       RES      RES       RES      RES
FF:FF:FF:FF:FF:FE    -        RES       -        RES       -        RES
FF:FF:00:00:00:00    -        RES       -        RES       -        RES
FF:00:00:00:00:00    -        RES       -        -         -        RES
01:00:00:00:00:00    -        -         -        -         -        RES
01:00:5E:00:00:00    -        -         -        -         -        RES
01:00:5E:00:00:01    RES      RES       RES      RES       RES      RES

The table above lists the experimental results for the seven addresses.

These results were obtained on Windows 95, 98, ME and 2000 and on Linux. As mentioned above, with the NIC in normal mode every kernel responds to the BROADCAST ADDRESS and to MULTICAST ADDRESS 1.

When the NIC is in promiscuous mode, however, the result depends on the operating system. Windows 95, 98 and ME respond to FAKE BROADCAST 31, 16 and 8 BITS. We can therefore conclude that the Windows 9x software filter checks at most the first 8 bits to decide whether an address is the broadcast address.

Windows 2000 responds to FAKE BROADCAST 31 and 16 BITS, so its software filter checks at most the first 16 bits to decide whether an address is the broadcast address.

Linux responds to all seven addresses. In other words, once the NIC is in promiscuous mode, Linux responds to all seven packets.

These results show that an ARP packet can determine whether a node is in promiscuous mode, whether the operating system is Windows or Linux, so a LAN can be checked with this simple method. The test procedure is as follows:
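The two tables above (the Linux hardware/software filter table and the per-system response table) can be condensed into a small two-stage model. This is an added example, not code from the article; the NIC address, the registered multicast list and the OS labels are assumptions, and the per-OS software filter rules are the ones the text infers from its measurements.

```python
"""Model of the hardware and software filters described above (added example)."""

# Constructed values for a stand-alone run (not from the article).
NIC_MAC = bytes.fromhex("001122334455")           # the probed host's own hardware address
BROADCAST = b"\xff" * 6
MULTICAST_LIST = {bytes.fromhex("01005e000001")}   # multicast address 1 is registered by default

def hw_filter_passes(dst: bytes, promiscuous: bool) -> bool:
    """Hardware filter: unicast to us, the exact broadcast address, or a registered
    multicast group. In promiscuous mode the NIC passes every frame to the kernel."""
    if promiscuous:
        return True
    return dst == NIC_MAC or dst == BROADCAST or dst in MULTICAST_LIST

def sw_filter_passes(dst: bytes, os_name: str) -> bool:
    """Software filter: does the kernel's ARP module answer a frame that reached it?
    The per-OS rules are the ones the article infers from its result table."""
    if dst == NIC_MAC or dst in MULTICAST_LIST:
        return True                       # TO_US and registered multicast are always answered
    if os_name == "linux":
        return bool(dst[0] & 0x01)        # group bit set -> treated as multicast/broadcast
    if os_name == "windows9x":
        return dst[0] == 0xFF             # only the first 8 bits compared with the broadcast address
    if os_name == "windows2k":
        return dst[:2] == b"\xff\xff"     # only the first 16 bits compared
    raise ValueError(f"unknown OS model: {os_name}")

def arp_reply_expected(dst_hex: str, os_name: str, promiscuous: bool) -> bool:
    """A reply comes back only if the frame passes both filters."""
    dst = bytes.fromhex(dst_hex.replace(":", ""))
    return hw_filter_passes(dst, promiscuous) and sw_filter_passes(dst, os_name)

PROBES = ["ff:ff:ff:ff:ff:ff", "ff:ff:ff:ff:ff:fe", "ff:ff:00:00:00:00", "ff:00:00:00:00:00",
          "01:00:00:00:00:00", "01:00:5e:00:00:00", "01:00:5e:00:00:01"]
SYSTEMS = ("windows9x", "windows2k", "linux")

def result_table() -> dict:
    """Rebuild the response table: {address: {os: (normal, promiscuous)}}."""
    return {p: {o: (arp_reply_expected(p, o, False), arp_reply_expected(p, o, True))
                for o in SYSTEMS} for p in PROBES}

if __name__ == "__main__":
    for addr, row in result_table().items():
        cells = ["RES" if r else "-" for o in SYSTEMS for r in row[o]]
        print(addr.upper(), *cells)
```

Running it reproduces the RES / - pattern of the table row by row; an address that flips from - to RES between the two modes is the one that exposes a promiscuous host on that system.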

1) To check whether a machine with the IP protocol loaded is in promiscuous mode, we build an ARP packet:

Ethernet address of destination                    FF:FF:FF:FF:FF:FE
Ethernet address of sender                         <NIC's device address>
Protocol type (ARP = 0806)                         0806
Hardware address space (Ethernet = 01)             0001
Protocol address space (IPv4 = 0800)               0800
Byte length of hardware address                    06
Byte length of protocol address                    04
Opcode (ARP request = 01, ARP reply = 02)          0001
Hardware address of sender of this packet          <NIC's device address>
Protocol address of sender of this packet          <sender's IP address>
Hardware address of target of this packet          00:00:00:00:00:00
Protocol address of target of this packet          <address to be checked>

2) Once the packet is built, we send it onto the LAN.

3) Normally this packet is rejected by the hardware filter. But if the machine is in promiscuous mode, it responds to the packet. If we receive a response, the machine is in promiscuous mode.

To test the whole LAN for promiscuous mode, the test described above can be run against each machine on the LAN in turn. Machines that cannot receive the ARP packet cannot be tested with this method.
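The probe frame from step 1 and the check in step 3, as an added example that is not part of the article: it lays out the Ethernet and ARP fields byte by byte and recognises a reply from the probed address. The MAC and IP values are constructed; sending and receiving on a real interface (for example with a raw AF_PACKET socket on Linux) is left to the reader.

```python
"""Build the ff:ff:ff:ff:ff:fe ARP probe and check a reply to it (added example)."""
import struct

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_probe(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP request whose destination is the fake
    broadcast address ff:ff:ff:ff:ff:fe, field by field as in the table above."""
    eth = bytes.fromhex("fffffffffffe") + sender_mac + b"\x08\x06"   # dst, src, type 0x0806
    arp = struct.pack("!HHBBH", 0x0001, 0x0800, 6, 4, 0x0001)         # Ethernet, IPv4, 6, 4, request
    arp += sender_mac + ip_to_bytes(sender_ip)                       # sender hardware/protocol address
    arp += b"\x00" * 6 + ip_to_bytes(target_ip)                      # target hardware unknown, target IP
    return eth + arp                                                 # 14 + 28 = 42 bytes

def is_probe_reply(frame: bytes, target_ip: str) -> bool:
    """True if frame is an ARP reply sent by the probed IP. A normal-mode NIC never
    sees the probe, so a reply means the host's NIC is in promiscuous mode."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, opcode) != (1, 0x0800, 6, 4, 2):
        return False
    return frame[28:32] == ip_to_bytes(target_ip)                    # sender IP of the reply

# Constructed sample values for a stand-alone run (not from the article).
PROBER_MAC = bytes.fromhex("001122334455")
PROBED_MAC = bytes.fromhex("66778899aabb")
PROBE = build_probe(PROBER_MAC, "192.168.1.5", "192.168.1.10")
# A constructed reply as a promiscuous host would send it: unicast back to the prober.
SAMPLE_REPLY = (PROBER_MAC + PROBED_MAC + b"\x08\x06"
                + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
                + PROBED_MAC + ip_to_bytes("192.168.1.10")
                + PROBER_MAC + ip_to_bytes("192.168.1.5"))

if __name__ == "__main__":
    print("probe:", PROBE.hex())
    print("192.168.1.10 promiscuous:", is_probe_reply(SAMPLE_REPLY, "192.168.1.10"))
```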