
I am sure most of you have heard the term "packet sniffer".
My question is, do you know what they are and how they can help/hinder
you? In this article I would like to introduce three of the most
powerful packet sniffers available. The most attractive feature
of all of these sniffers is that they are free. You read that right.
They are 100% free. They are also available for a variety of platforms.
I am sure you already know what I am going to say next. These
are tools that hackers use every day. Make sure that you have
permission to be using these tools. You can be arrested, fined,
and even imprisoned for using these tools where you shouldn't
be using them.
I do not condone the use of these tools for any purpose other
than to educate yourself and to establish and test security on
your own network. In other words, use your head and don't do anything
that will get you in trouble. 'Nuff said.
Now, get a fresh cup of coffee, lock the office door, and let's
do some sniffing! Read on, download, and enjoy!
Best Wishes,
Jay

A packet sniffer is probably best known for its ability to "sniff"
plain text passwords. Be aware that this is not the only use for
packet sniffers. Packet sniffers can also be used for many types
of network analysis including traffic analysis and dropped packet
analysis. Excellent documentation can be found at the Ethereal and
Analyzer home pages (see below). Also, there are techniques to detect
a machine that is sniffing packets on your network; go here to find
out more:
http://networking.earthweb.com/
A packet sniffer is rarely the only tool used for an attack, and
the reason is simple: a sniffer only sees frames that reach its own
network interface. On a shared segment (one connected through a hub
rather than a switch or bridge, where every port shares a single
collision domain) each frame is repeated out of every port, so a
sniffer with its NIC in promiscuous mode sees all of the traffic on
that segment. Once a switch or bridge is in the path, it learns which
port each MAC address sits behind and forwards unicast frames only to
that port, so the sniffer is left with broadcast and multicast traffic
plus whatever is addressed to the sniffing machine itself. Seeing
anything more on a switched network takes an extra step, such as the
ARP spoofing tools that ship with dsniff (see below).
In other words, let's say that you have a network segment that
is part of a larger subnet. All of the machines in this segment
are connected to a hub (rather than a switch), and all of the other
segments of this subnet are configured in the same manner. Now
assume all of these separate network segments are connected to each
other via a switch (see my cheesy diagram below). A packet sniffer
running on segment A will not see any traffic from segments B or C
except for broadcast traffic or traffic aimed directly at the machine
running the sniffer. If instead all of the segments were connected to
each other through a hub (rather than a switch), a packet sniffer on
segment A would see the traffic in segments B and C as well.
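The visibility rule above, together with the plaintext-password sniffing mentioned at the start, as an added Python example (this is not code from the article or from any of the tools reviewed below). It decodes constructed Ethernet/IPv4/TCP frames, applies the hub-versus-switch rule to decide which frames reach the sniffer's NIC, and pulls FTP USER/PASS lines out of the ones it can see. The hosts A, B and C, their MAC and IP addresses and the frames themselves are made up for the example, and checksums are left zero because nothing is ever sent on a wire.

```python
import struct

# Constructed Ethernet II / IPv4 / TCP frames stand in for a live capture.
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
TCP = struct.Struct("!HHIIHHHH")       # 20-byte header, no options
BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal frame as sample input. Checksums stay zero because
    this is fed to the decoder below, never sent on a wire."""
    tcp = TCP.pack(sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    total = IPV4.size + len(tcp) + len(payload)
    ip = IPV4.pack(0x45, 0, total, 0, 0x4000, 64, 6, 0,
                   ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp + payload

def build_arp_broadcast(src_mac):
    """An ARP request is broadcast, so every switch port forwards it."""
    return ETH.pack(BROADCAST, src_mac, 0x0806) + b"\x00" * 28

def decode(frame):
    """Peel Ethernet -> IPv4 -> TCP. Non-IPv4 or non-TCP frames come back with
    only the fields that exist at their layer."""
    dst_mac, src_mac, ethertype = ETH.unpack_from(frame, 0)
    pkt = {"dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ETH.size + IPV4.size:
        return pkt
    ver_ihl, _, total, _, _, _, proto, _, sip, dip = IPV4.unpack_from(frame, ETH.size)
    pkt.update(src_ip=ip_str(sip), dst_ip=ip_str(dip), proto=proto)
    if proto != 6:
        return pkt
    off = ETH.size + (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, flags, _, _, _ = TCP.unpack_from(frame, off)
    data_off = (flags >> 12) * 4
    pkt.update(sport=sport, dport=dport, seq=seq,
               payload=frame[off + data_off:ETH.size + total])
    return pkt

def reaches_sniffer(frame, topology, sniffer_mac):
    """A hub repeats every frame out every port, so a promiscuous NIC sees all
    of them. A switch forwards unicast only to the port where it learned the
    destination MAC, leaving the sniffer broadcast, multicast and its own."""
    dst = frame[:6]
    if topology == "hub":
        return True
    return dst == BROADCAST or bool(dst[0] & 1) or dst == sniffer_mac

def sniff_ftp_logins(frames, topology, sniffer_mac):
    """Pull USER/PASS lines out of the FTP control traffic (TCP/21) the sniffer
    can actually see: the classic plaintext-password case."""
    found = []
    for frame in frames:
        if not reaches_sniffer(frame, topology, sniffer_mac):
            continue
        pkt = decode(frame)
        if pkt.get("dport") != 21:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                found.append((pkt["src_ip"], line.decode("ascii", "replace")))
    return found

# Constructed segment: sniffer A, victim workstation B and FTP server C.
# MACs use the locally administered 02: prefix; all addresses are made up.
A, B, C = (bytes.fromhex(m) for m in ("02000000000a", "02000000000b", "02000000000c"))
SAMPLE_FRAMES = [
    build_arp_broadcast(B),
    build_tcp_frame(B, C, "192.0.2.20", "192.0.2.30", 40000, 21, b"USER bob\r\n"),
    build_tcp_frame(B, C, "192.0.2.20", "192.0.2.30", 40000, 21, b"PASS hunter2\r\n"),
    build_tcp_frame(C, A, "192.0.2.30", "192.0.2.10", 80, 50000, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    for topo in ("hub", "switch"):
        seen = sum(reaches_sniffer(f, topo, A) for f in SAMPLE_FRAMES)
        print(f"{topo}: {seen} of {len(SAMPLE_FRAMES)} frames seen,",
              "logins:", sniff_ftp_logins(SAMPLE_FRAMES, topo, A))
```

Run it and the hub case yields both FTP lines while the switch case yields none: on the switch the sniffer still sees B's ARP broadcast and the HTTP reply addressed to its own MAC, which is exactly the broadcast traffic and traffic aimed at the sniffing machine that is left over once a switch is in the path.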

There are generally only two ways that a sniffer can be used against
you. The first is when your physical security has been compromised,
that is, when a rogue machine can physically connect to your network
(someone walks in with a laptop and plugs into your network). I have
an interesting point in regard to this involving wireless LAN technology.
Someone sitting in the parking lot with a laptop and a wireless NIC can
connect to your network the same as if he had walked through the front
door and plugged directly into your hub. That is why I always
recommend using password encryption, especially with wireless
networks. Chances are, anyone who comes up against encrypted passwords
on your network will just move on to the next network.
The second method usually involves a Trojan horse. The two
that I am most aware of are known as Back Orifice and Netbus.
These are programs that can be easily hidden on your machine
and can give the attacker more control of your keyboard and
mouse than you have. (The concept is very similar to VNC
from AT&T Labs; check out this article: http://www.networknewz.com/2001/0702.html)
I am more familiar with Back Orifice than Netbus, so I will
use it as an example. The attack is usually deployed by someone
who has discreetly attached the Back Orifice server (which is
tiny) to some executable and then mailed it to the victim. A
plugin known as "Butt Trumpet" is usually used in
conjunction with the Back Orifice Trojan: it sends the attacker
an email (to his anonymous free email account) when the server
has been installed. Once the attacker knows that the victim's
machine has been compromised, he can send another email to the
machine with a packet sniffer attached, and no one will be there
to stop him from installing and using it, provided the attacker
is in the least bit discreet.
By the way, Back Orifice hides all of the installation files
after it has been installed so that it is very difficult to
detect. If you suspect that you have a machine that is infected
with Back Orifice, you will need to download software over the
internet that can check to see if your machine is infected.
If it is in fact infected, you will have to download more software
to remove it.
To learn more about Back Orifice and Netbus detection and removal,
go here:
http://www.kehm.de/henrik/trojan/eng_index.html
To find out more than you probably need to know about Back Orifice,
go here:
www.cultdeadcow.com/
Now, on to the software. The three programs listed below are free
and are released under either the GNU General Public License (GPL), available here:
http://www.gnu.org/
or under a BSD-style license (in the case of Analyzer), available here:
netgroup-serv.polito.it/
==> Ethereal 0.8.18 Freeware GPL license
Homepage: http://www.ethereal.com
Windows (6.05 Mb)
Linux/Unix/BSD source (1.8 Mb)
Mac OS X (1.35 Mb)
Ethereal is available as binaries for almost any platform that
you can imagine: http://www.ethereal.com/download.html
Ethereal is a free network protocol analyzer for Unix and Windows.
It allows you to examine data from a live network or from a capture
file on disk. You can interactively browse the capture data, viewing
summary and detail information for each packet. Ethereal has several
powerful features, including a rich display filter language and
the ability to view the reconstructed stream of a TCP session.
Recent versions of Ethereal have included many enhancements to
the interface. Under the "Display" menu, you can now
jump to a particular frame, find a frame in the list, and match
a frame's component. The filter entry box now sports a popup list,
similar to many web browsers. The TCP stream window can display
the client and server data in different colors.
For excellent documentation on Ethereal go here:
http://www.ns.aus.com/
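Ethereal's reconstructed TCP stream view rests on reassembly: ordering the captured segments by sequence number and discarding whatever retransmissions repeat. The Python below is an added example of that step, not Ethereal's code. It reassembles one direction of a constructed HTTP request whose sequence numbers wrap around 2^32, records any gap where a segment was never captured, and then decodes the Basic Authorization header it finds in the rebuilt stream. The initial sequence number, the segments and the credentials are made up for the example.

```python
import base64

SEQ_MOD = 1 << 32

def rel_offset(seq, isn):
    """Offset of a segment's first byte from the start of the data stream.
    Data begins at isn+1 (the SYN consumes one sequence number); the modulo
    handles the 32-bit wrap-around."""
    return (seq - (isn + 1)) % SEQ_MOD

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs as they
    were captured: out of order, with retransmissions and partial overlaps.
    Returns (stream_bytes, gaps); a gap is a (start, end) offset range no
    captured segment covered, filled with NUL bytes so later data stays aligned."""
    stream = bytearray()
    gaps = []
    for seq, data in sorted(segments, key=lambda s: rel_offset(s[0], isn)):
        start = rel_offset(seq, isn)
        end = start + len(data)
        have = len(stream)
        if end <= have:
            continue                      # pure retransmission: nothing new
        if start > have:
            gaps.append((have, start))    # a segment was lost or not captured
            stream.extend(b"\x00" * (start - have))
            have = start
        stream.extend(data[have - start:])   # skip the part we already hold
    return bytes(stream), gaps

def basic_auth_credentials(stream):
    """Decode an HTTP Basic Authorization header found in a reassembled stream.
    Basic auth is base64, not encryption, so this is the plaintext-password
    problem in a thin disguise."""
    for line in stream.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            return base64.b64decode(token).decode("utf-8", "replace")
    return None

# Constructed capture of the client->server direction. The ISN sits just below
# 2**32 so the sequence numbers wrap mid-request; the segments are listed in
# the order a sniffer might have seen them, including a retransmit and an
# overlap. Credentials are made up.
ISN = 0xFFFFFFFA
SAMPLE_SEGMENTS = [
    (0x00000010, b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"),   # offset 21
    (0xFFFFFFFB, b"GET /"),                                       # offset 0
    (0x00000000, b"login HTTP/1.0\r\nAuth"),                      # offset 5, overlaps next
    (0xFFFFFFFB, b"GET /"),                                       # retransmission
    (0x00000000, b"login HTTP/1.0\r\n"),                          # retransmission
]

if __name__ == "__main__":
    stream, gaps = reassemble(SAMPLE_SEGMENTS, ISN)
    print(stream.decode("ascii", "replace"))
    print("gaps:", gaps, "credentials:", basic_auth_credentials(stream))
```

The gap bookkeeping is what an analyst needs when a capture drops frames: the stream stays readable after the hole instead of silently shifting, and the gap list says exactly how many bytes are missing and where.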
==> dsniff 2.3 Freeware GPL license
Homepage: http://www.monkey.org/~dugsong/dsniff/
Linux/Unix/BSD source (132 Kb)
http://www.monkey.org/
Windows port (older version, 1.8) (287 Kb)
http://www.datanerds.net/
dsniff is a collection of tools for network auditing and penetration
testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and
webspy passively monitor a network for interesting data (passwords,
e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate
the interception of network traffic normally unavailable to an
attacker (e.g, due to layer-2 switching). sshmitm and webmitm
implement active monkey-in-the-middle attacks against redirected
SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
These tools were written with honest intentions - to audit the
author's network, and to demonstrate the insecurity of most network
application protocols. Please do not abuse this software.
FAQ is here:
www.monkey.org/
Additional Windows info:
http://www.datanerds.net/
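arpspoof works by sending forged ARP replies so that a victim's traffic for the gateway is delivered to the attacker's MAC instead, which is what makes otherwise switched traffic available to a sniffer. The Python below is an added example of spotting that from the defender's side; it is not part of dsniff or any tool on this page. It decodes constructed ARP frames and flags replies nobody asked for, sender hardware addresses that disagree with the frame's source MAC, and an IP whose MAC suddenly changes. The hosts, addresses and frames are made up, and on a real network the table of known IP-to-MAC bindings is assumed to be seeded from something trustworthy such as DHCP leases rather than learned from the wire.

```python
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
REQUEST, REPLY = 1, 2
BROADCAST = b"\xff" * 6

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Constructed ARP frame for the sample capture; eth_dst defaults to target_mac."""
    body = ARP.pack(1, 0x0800, 6, 4, oper, sender_mac, ip_bytes(sender_ip),
                    target_mac, ip_bytes(target_ip))
    return ETH.pack(eth_dst or target_mac, sender_mac, ETHERTYPE_ARP) + body

def detect_arp_spoofing(frames, known=None):
    """Walk captured frames and flag the signs of ARP cache poisoning: a reply
    nobody asked for, a sender address that disagrees with the frame's source
    MAC, and an IP that 'moves' to a different MAC. `known` seeds the IP->MAC
    table (assumed to come from DHCP leases or an inventory); without it the
    first claim for each IP is trusted, which an attacker who speaks first
    can exploit, so seed it on a real network."""
    table = dict(known or {})
    pending = set()          # (target_ip, requester_ip) requests awaiting a reply
    alerts = []
    for frame in frames:
        _, eth_src, ethertype = ETH.unpack_from(frame, 0)
        if ethertype != ETHERTYPE_ARP:
            continue
        _, _, _, _, oper, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)
        sender_ip, sender_mac, target_ip = ip_str(spa), mac_str(sha), ip_str(tpa)
        if sha != eth_src:
            alerts.append(f"{sender_ip}: ARP sender {sender_mac} != frame source {mac_str(eth_src)}")
        if oper == REQUEST:
            pending.add((target_ip, sender_ip))
        elif oper == REPLY:
            if (sender_ip, target_ip) in pending:
                pending.discard((sender_ip, target_ip))
            else:
                alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}, sent to {target_ip}")
        previous = table.setdefault(sender_ip, sender_mac)
        if previous != sender_mac:
            alerts.append(f"{sender_ip} moved from {previous} to {sender_mac}")
            table[sender_ip] = sender_mac
    return alerts

# Constructed sample: gateway G, victim V and attacker X on one segment. The
# addresses are made up. X sends the kind of forged reply that redirects V's
# traffic for the gateway to X.
G, V, X = (bytes.fromhex(m) for m in ("020000000001", "02000000000b", "02000000000c"))
GW_IP, V_IP = "192.0.2.1", "192.0.2.20"
SAMPLE_FRAMES = [
    build_arp(REQUEST, V, V_IP, b"\x00" * 6, GW_IP, eth_dst=BROADCAST),  # who-has gateway?
    build_arp(REPLY, G, GW_IP, V, V_IP),                                  # genuine answer
    build_arp(REPLY, X, GW_IP, V, V_IP),                                  # forged: gateway is-at X
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

Treat a hit from the "moved" rule as a lead rather than proof: a replaced NIC or a router failover pair also changes the MAC behind an IP. The unsolicited-reply rule is the sharper one, since a host that never asked has no reason to receive an answer.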
==> Analyzer 2.1 Freeware BSD style license
Homepage:
http://netgroup-serv.polito.it/analyzer/
Windows (2.04 Mb)
http://netgroup-serv.polito.it
NOTE: Requires WinPcap (679 Kb) available here:
http://www.netgroup.polito.it/
Analyzer is a fully configurable network analyzer program for the
Win32 environment. Analyzer is able to capture packets on all
platforms (and link-layer technologies) supported by WinPcap.
This program is currently being developed at Politecnico di Torino;
main contributors include Loris Degioanni, Paolo Politano, Fulvio
Risso and Piero Viano, and it is released under a BSD-style license.
This work has been partially sponsored by Microsoft Research.
WARNING: Analyzer is a tool that is still under development.
Please be patient when you use it.
NOTE: Install WinPcap before analyzer. It is the packet driver
that Analyzer relies on for operation.
For more security related information and downloads check out
these sites:
http://www.wiretapped.net/
http://softload.narod.ru/
http://neworder.box.sk/
http://www.antionline.com/
We at the Editorial Team would like to thank all our readers
for reading NetworkNewz. We hope you find this information useful.
Also, questions, suggestions and comments are always welcome.
Sincerely,
Jay Fougere
NetworkNewz Editor