Think You're Safe from Sniffing?

Do you use Ethernet switches to help protect network traffic from prying eyes? For a long time, switches have been a tactic against snoops. A switched network separates traffic so that a user on one segment can't easily sniff traffic on another segment. To sniff traffic on a switched network, a user must either place a sniffer on the actual target segment or get machines on the target segment to send traffic through your network segment or your system. Instructing a remote machine to forward packets your way used to be difficult; you had to somehow change the remote host's gateway. Not an easy task, unless you have a copy of arpredirect.

Arpredirect is an Address Resolution Protocol (ARP) poisoning tool. The tool can instruct a remote system to change its gateway address by sending the host the appropriate ARP packets. For example, an intruder can use arpredirect to instruct a remote host to forward all packets to the intruder's IP address. The intruder can analyze or save the packets, then forward them to their final destination without the remote user's knowledge.

Dug Song originally developed the arpredirect tool in December 1999. The tool is part of his dsniff package, which is available at Song's Web site. I had forgotten about arpredirect until I recently read an article by Stuart McClure and Joel Shambray in a competing publication. The two men point out that we need to be aware of arpredirect and the entire dsniff package because it can be dangerous in the wrong hands.

In a nutshell, dsniff is the Swiss army knife of privacy invasion. The package ships with a handful of powerful tools, including urlsnarf, webspy, mailsnarf, and the dsniff tool. Urlsnarf grabs every URL that passes across the wire and stores it for later examination. Webspy can grab URLs off the wire and open the URL in your local browser window so you can follow along and view what a remote user is seeing on his or her Web browser. Mailsnarf is just as nasty as webspy—it can sniff SMTP-related packets off the wire and reassemble entire email messages into a common format that popular mail clients can read. The dsniff tool is one of the most powerful password grabbers I've seen. It can snag passwords off the wire from many different protocols, including FTP, Telnet, Web, POP3, IMAP, LDAP, Citrix ICA, pcAnywhere, SMB, Oracle SQL*Net, and numerous others.

Even though the tools found in the dsniff package are written for UNIX platforms, you still need to be aware that these tools exist because they could be used against your Windows-based networks. Song's package is incredibly powerful, whether used with good or bad intent. The tools point out a well-known problem with networks in general: malicious users can easily sniff clear text from packets to glean sensitive data. Although blocking ARP redirects and monitoring ARP traffic and tables can help protect against tools like arpredirect, those tactics are certainly not cure-alls. They help prevent packets from becoming misdirected, but most data still travels in clear text over your networks, which means localized intruders can glean sensitive data with packet-sniffing tools. To better protect your data, you must encrypt it at some level before sending it out on the wire, and you must use sniffer-detecting tools to help stop the snoops.

The decision about which tactics to use for data protection depends on your data and your organization, so I can't give you much more advice on the matter. Just be aware that ARP poisoning and data sniffing are real problems that you need to guard against. Until next time, have a great week.