Tactics to Discover “Passive” Monitoring Devices

The Problem at Hand

Local ether segments behave like party-line phone systems. With hosts A through H on one segment:
- A talks to B: C, D, E, F, G and H can listen in
- A talks to H: B, C, D, E, F and G can listen in
- and so on for every pair
Without encryption there are no secrets.

How Systems Know What to Listen To

Network Interface Card decision flow:
1. Read a frame from the network.
2. Is the destination ether address my MAC address (or a broadcast/multicast address I listen to)?
   - yes: make a copy of the frame and hand it to the OS stack
   - no: discard it

Systems are courteous largely for performance: hardware filtering at the NIC hands up only the frames the system is supposed to receive. Promiscuous mode tells the NIC that all frames should be handed to the OS stack, not just the ones whose destination MAC address matches.

Ether and IP Headers

Ether header: destination address (6 bytes), source address (6 bytes), type (2 bytes).
IP header: version, header length, TOS, total length (bytes), identification, flags, fragment offset, TTL, protocol, checksum, source IP address, destination IP address.

The 4 layers of the TCP/IP protocol suite:
- Application: Telnet, SMTP, etc.
- Transport: TCP, UDP
- Network: IP, ICMP
- Link: device driver, interface card

The Disconnect

OSI layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.

DNS Method: Definition

The Domain Name System maps IP addresses to names and vice versa. DNS allows hierarchical grouping of domains, and it is a necessity for human convenience.

% telnet foo.bar.baz
Trying …
Connected to foo.bar.baz.

Q: Who is foo.bar.baz?
A: foo.bar.baz is … (follow up by initiating a TCP connection to port 23)

DNS Method 1: Sniffing the Sniffer

- Spoofed packets, between fictitious systems, are sent out on the local network.
- The network is sniffed for reverse DNS lookups of the addresses in the spoofed packets.
- Any system asking about the fictitious systems is in promiscuous mode.

(Diagram: Src > Dst traffic flows between Bogus System 1 and Bogus System 2; the Sniffer asks "Who is …?")

DNS Method 2: Queries to a DNS Server

- The DNS server responsible for the spoofed addresses is under our control.
- Spoofed packets with addresses handled by that DNS server are sent out on the local network.
- Any request the DNS server receives for the spoofed machines comes from a machine in promiscuous mode.

(Diagram: Bogus System 1 and Bogus System 2 exchange traffic on the local net; the Sniffer's reverse lookup, "Who is …?", travels through the router to our DNS server on another network.)

DNS Method: Pros and Cons

Pros
- Can work across multiple networks
- Names of machines are very telling, so many malicious sniffers will do the reverse lookups
- Does not saturate the local network
- High reliability: minimal false positives

Cons
- Sniffing systems do not have to perform reverse lookups
- Sniffing systems can do batch reverse lookups later on; this defeats method 1 but not method 2
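Both DNS methods come down to the same check: did anyone ask for the reverse (PTR) record of an address that exists only in our spoofed packets? The following Python is an added example, not code from the presentation. It builds DNS query messages with struct so it runs offline, parses the question section, turns an in-addr.arpa name back into an address and reports every querier that asked about a decoy. In method 1 the (querier, message) pairs would come from sniffing the local wire; in method 2 from the DNS server we control. The decoy addresses, querier addresses and the sample queries are constructed assumptions.

```python
"""Detector for the DNS method: which hosts asked for PTR records of our decoy addresses?"""
import struct

QTYPE_A, QTYPE_PTR = 1, 12

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(qname, qtype, txid):
    """Constructed DNS query message: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def reverse_name(ip):
    """'10.0.0.200' -> '200.0.0.10.in-addr.arpa', the name a resolver asks for on a reverse lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def decode_name(msg, offset):
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_question(msg):
    """Return (qname, qtype) for a DNS query, or None if msg is a response or carries no question."""
    _txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000 or qdcount == 0:
        return None
    qname, offset = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, offset)
    return qname, qtype

def ptr_target(qname):
    """Invert reverse_name: '200.0.0.10.in-addr.arpa' -> '10.0.0.200'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))

def find_curious_resolvers(observed, decoys):
    """observed: (querier_ip, dns_query_bytes) pairs, sniffed off the local wire (method 1)
    or received by the DNS server we control (method 2). Returns {querier: {decoy ips asked about}}."""
    suspects = {}
    for querier, msg in observed:
        question = parse_question(msg)
        if question is None or question[1] != QTYPE_PTR:
            continue
        target = ptr_target(question[0])
        if target in decoys:
            suspects.setdefault(querier, set()).add(target)
    return suspects

# Constructed sample. The decoy addresses must belong to no real host, or legitimate reverse
# lookups (and the batch lookups the cons slide warns about) will produce hits too.
DECOYS = {"10.0.0.200", "10.0.0.201"}   # bogus systems named in our spoofed packets (assumed)
OBSERVED = [
    ("10.0.0.2", build_query(reverse_name("10.0.0.200"), QTYPE_PTR, 0x1001)),  # who is the bogus host?
    ("10.0.0.2", build_query(reverse_name("10.0.0.201"), QTYPE_PTR, 0x1002)),
    ("10.0.0.3", build_query(reverse_name("10.0.0.1"), QTYPE_PTR, 0x2001)),    # lookup of a real host
    ("10.0.0.3", build_query("foo.bar.baz", QTYPE_A, 0x2002)),                 # ordinary forward lookup
]

if __name__ == "__main__":
    for host, asked in find_curious_resolvers(OBSERVED, DECOYS).items():
        print(f"{host} asked for the names of decoy addresses {sorted(asked)}: promiscuous")
```

For method 2 the same function runs over the query log of the controlled DNS server, which is why a sniffer that defers its lookups still gets caught there.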

Ether Tricks: Definition

Ether tricks work by intentionally mis-mapping layer 2 and layer 3 addresses: a frame carries the target's correct IP address but a destination ether address that is not the target's (08:00:20:10:22:e… != 66:66:66:66:…). A NIC that is filtering in hardware never hands such a frame up; a stack that answers it must be seeing everything on the wire.

Ether Tricks 1: Linux Classic

When in promiscuous mode the NIC does not filter on the ether address; the kernel must filter the ether address on its own.

Case 1: ICMP echo request with the correct ether address and the correct IP address
-> ICMP echo reply. Normal behaviour in non-promiscuous mode.

Case 2: ICMP echo request with an incorrect ether address and the correct IP address
-> No response, because the NIC did not pass the frame to the stack. Normal behaviour in non-promiscuous mode.

Case 3: ICMP echo request with an incorrect ether address and the correct IP address, older Linux in promiscuous mode
-> ICMP echo reply. The NIC had to pass all traffic to the OS, and the OS forgot to check the MAC address and only looked at the IP address.

Ether Tricks 2: BSD Style Problems

ICMP echo request with an incorrect ether address and the broadcast IP address, older BSD in promiscuous mode
-> ICMP echo reply. The NIC had to pass all traffic to the OS, and the OS forgot to check the MAC address and only looked at the IP address (broadcast took a different code path).

Ether Tricks 3: Microsoft Shortcut

The ether address is 6 bytes, and that is what the NIC filters on. Many MS software drivers, when in promiscuous mode, compare only the first 4 bytes (one word).

ff:ff:ff:ff:00:00 | IP | ICMP echo request
is treated as equivalent to ff:ff:ff:ff:ff:ff on many promiscuous NT systems, so it gets a reply.
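The three ether tricks reduce to one experiment: send echo requests whose layer-2 and layer-3 addresses disagree and see which are answered. The following Python is an added example, not code from the presentation. It builds the probe frames with struct (checksums left zero; nothing is put on a wire) and models the hardware filter together with the kernel filter of each behaviour the slides describe: old Linux (IP only), old BSD (broadcast IP skips the MAC check), NT drivers (4-byte MAC compare) and a strict stack that checks both layers. The target and prober addresses are assumed, and the behaviour models are the slides' characterisations of those older systems, not claims about current ones.

```python
"""Ether tricks: which mis-addressed echo requests does a host answer, given its NIC mode and stack?"""
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst
ICMP_HDR = struct.Struct("!BBHHH")           # type, code, checksum, id, seq
ETHERTYPE_IPV4, PROTO_ICMP, ICMP_ECHO_REQUEST = 0x0800, 1, 8
BROADCAST_MAC = b"\xff" * 6

def parse_mac(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_ip(text):
    return bytes(int(octet) for octet in text.split("."))

def build_echo_request(dst_mac, src_mac, src_ip, dst_ip):
    """Ethernet + IPv4 + ICMP echo request. Checksums stay zero: these frames never leave this process."""
    icmp = ICMP_HDR.pack(ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"probe"
    iphdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(icmp), 1, 0, 64,
                          PROTO_ICMP, 0, parse_ip(src_ip), parse_ip(dst_ip))
    return ETH_HDR.pack(parse_mac(dst_mac), parse_mac(src_mac), ETHERTYPE_IPV4) + iphdr + icmp

def parse_echo_request(frame):
    """Return (dst_mac, dst_ip) if the frame is an IPv4 ICMP echo request, else None."""
    dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    fields = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    if fields[6] != PROTO_ICMP:
        return None
    ihl = (fields[0] & 0x0F) * 4
    if frame[ETH_HDR.size + ihl] != ICMP_ECHO_REQUEST:
        return None
    return dst_mac, fields[9]

@dataclass
class Host:
    mac: bytes
    ip: bytes
    bcast_ip: bytes
    promisc: bool
    stack: str   # behaviour model from the slides: "strict", "old_linux", "old_bsd", "old_nt"

def nic_passes(host, dst_mac):
    """Hardware filter: own MAC or broadcast. Promiscuous mode hands everything up."""
    return host.promisc or dst_mac in (host.mac, BROADCAST_MAC)

def stack_accepts(host, dst_mac, dst_ip):
    """Software filter in the kernel, per the behaviour the slides attribute to each OS."""
    ip_ok = dst_ip in (host.ip, host.bcast_ip)
    mac_ok = dst_mac in (host.mac, BROADCAST_MAC)
    if host.stack == "strict":       # checks both layers, so immune to these tricks
        return mac_ok and ip_ok
    if host.stack == "old_linux":    # looked only at the IP address
        return ip_ok
    if host.stack == "old_bsd":      # broadcast IP took a path that skipped the MAC check
        return ip_ok and (mac_ok or dst_ip == host.bcast_ip)
    if host.stack == "old_nt":       # compared only the first 4 bytes of the MAC
        return ip_ok and dst_mac[:4] in (host.mac[:4], BROADCAST_MAC[:4])
    raise ValueError(host.stack)

def replies(host, frame):
    parsed = parse_echo_request(frame)
    if parsed is None:
        return False
    dst_mac, dst_ip = parsed
    return nic_passes(host, dst_mac) and stack_accepts(host, dst_mac, dst_ip)

# Constructed probe set; target, prober and broadcast addresses are assumptions.
TARGET_MAC, TARGET_IP, BCAST_IP = "08:00:20:ac:22:16", "10.0.0.2", "10.0.0.255"
PROBER_MAC, PROBER_IP = "08:00:20:ac:1e:e2", "10.0.0.1"
PROBES = {
    "control":     build_echo_request(TARGET_MAC, PROBER_MAC, PROBER_IP, TARGET_IP),          # correct MAC + IP
    "linux_trick": build_echo_request("66:66:66:66:66:66", PROBER_MAC, PROBER_IP, TARGET_IP),  # bogus MAC, correct IP
    "bsd_trick":   build_echo_request("66:66:66:66:66:66", PROBER_MAC, PROBER_IP, BCAST_IP),   # bogus MAC, broadcast IP
    "nt_trick":    build_echo_request("ff:ff:ff:ff:00:00", PROBER_MAC, PROBER_IP, TARGET_IP),  # 4-byte broadcast prefix
}

def run_probes(host):
    return {name: replies(host, frame) for name, frame in PROBES.items()}

def verdict(results):
    """A reply to any probe the NIC would have dropped in hardware means the NIC is promiscuous."""
    if not results["control"]:
        return "host unreachable: probes meaningless"
    hits = [name for name, answered in results.items() if answered and name != "control"]
    return "promiscuous (" + ", ".join(hits) + ")" if hits else "no evidence of promiscuous mode"

def make_host(promisc, stack):
    return Host(parse_mac(TARGET_MAC), parse_ip(TARGET_IP), parse_ip(BCAST_IP), promisc, stack)

if __name__ == "__main__":
    for promisc, stack in [(False, "strict"), (True, "old_linux"), (True, "old_bsd"), (True, "old_nt"), (True, "strict")]:
        print(f"promisc={promisc!s:5} stack={stack:9} -> {verdict(run_probes(make_host(promisc, stack)))}")
```

The last row of the output is the cons slide in miniature: a promiscuous host whose kernel does check the destination MAC answers only the control probe, so these tricks give no signal against it. Always send the control probe first; an unanswered trick probe is meaningless if the host does not answer a correctly addressed one either.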

Ether Tricks: Pros and Cons

Pros
- High reliability, low false positives

Cons
- Limited to the local ether segment
- Dependent upon particular OS/kernel "nuances"

Machine Latency: Defined

Hardware filtering
- Discards frames not addressed to the correct MAC address
- Handled by on-card logic
- Minimal impact on system performance, as there are few interrupts
- Kernel is not called in to process unless really needed
- Match criteria: own MAC, broadcast, multicast

Software filtering
- All frames must be copied and handed over to the OS
- On-card logic bypassed
- Severe impact on system performance due to the maximum number of interrupts
- Kernel must process every frame
- Malicious sniffing often happens in user space, and the context switch from kernel to user space is expensive

Machine Latency: Example

Three hosts on one segment:
A – ether 08:00:20:ac:1e:e2, IP …
B – ether 08:00:20:ac:22:16, IP …
C – ether 08:00:20:ac:23:e4, IP …

Step 1, baseline (A pings B and C with correct ether and IP addresses):
1 – ICMP echo request, Ether Src 08:00:20:ac:1e:e2, Ether Dst 08:00:20:ac:23:e4 (to C): latency 2 ms
2 – ICMP echo request, Ether Src 08:00:20:ac:1e:e2, Ether Dst 08:00:20:ac:22:16 (to B): latency 3 ms

Step 2, under load (A floods the segment with frames addressed to nobody):
3 – ICMP echo requests, Ether Src 66:66:66:66:66:67, Ether Dst 66:66:66:66:66:66 (bogus addresses, no physical presence)
1 – ICMP echo request to C, as above: latency 4 ms
2 – ICMP echo request to B, as above: latency 300 ms

C's NIC discards the bogus frames in hardware, so C barely notices the flood. B's latency rising a hundredfold shows its stack is processing every frame on the wire: B is in promiscuous mode.

Machine Latency: Methods for Increasing End-Node Processing

- Fake an entire three-way handshake
- Fake connections to well-known sniffed ports
- Use "legitimate" ether addresses that still have no physical presence
- Fake huge numbers of sessions
- Fake huge numbers of SYN-received states
The trick is to make the sniffing application process as much as possible in user space.
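Generating the load is only half of the latency method; the other half is deciding, from the round-trip times, which host actually slowed down because of it rather than because the flood congested the segment for everyone. The following Python is an added example, not code from the presentation. It takes RTT samples measured before and during the flood, compares each host's rise against the segment-wide median rise, and flags the outlier. The sample figures are constructed around the slide's numbers (B 3 ms to 300 ms, C 2 ms to 4 ms) plus an assumed third host D, and the thresholds are assumptions that have to be tuned for the network and the hosts' normal load.

```python
"""Latency-delta check: did one host slow down far more than its neighbours when the segment was flooded?"""
from statistics import median

def latency_deltas(baseline, loaded):
    """baseline / loaded: {host: [rtt_ms, ...]} from correctly addressed probes before and during
    the flood. Returns {host: (median_before, median_during)} for hosts present in both."""
    return {h: (median(baseline[h]), median(loaded[h])) for h in baseline if h in loaded}

def suspect_sniffers(baseline, loaded, min_ratio=10.0, min_increase_ms=50.0):
    """Flag hosts whose RTT rose much more than the segment as a whole did.

    The flood congests the wire for everyone, so a rise shared by all hosts is noise;
    the signal is one host whose stack (and user-space sniffer) is working on every frame.
    min_ratio and min_increase_ms are assumed thresholds, not measured constants."""
    deltas = latency_deltas(baseline, loaded)
    ratios = {h: after / before for h, (before, after) in deltas.items() if before > 0}
    if len(ratios) < 3:
        raise ValueError("need at least three hosts to estimate the segment-wide rise")
    segment_ratio = median(ratios.values())
    return sorted(
        h for h, r in ratios.items()
        if r >= min_ratio                                    # large relative slowdown
        and r >= 3 * segment_ratio                           # well beyond what the segment as a whole saw
        and deltas[h][1] - deltas[h][0] >= min_increase_ms   # and not just jitter on a tiny baseline
    )

# Constructed samples (milliseconds), modelled on the slide's figures plus an assumed host D.
BASELINE = {"B": [3, 3, 4, 3, 3], "C": [2, 2, 3, 2, 2], "D": [2, 3, 2, 2, 3]}
LOADED   = {"B": [280, 300, 310, 295, 300], "C": [4, 4, 5, 4, 4], "D": [5, 4, 5, 5, 4]}

if __name__ == "__main__":
    for host, (before, after) in latency_deltas(BASELINE, LOADED).items():
        print(f"{host}: {before} ms -> {after} ms")
    print("suspect:", suspect_sniffers(BASELINE, LOADED))
```

Run the baseline probes several times over a quiet period first; the slide's pro about "watching deltas for a particular machine over time" only holds if the baseline itself is stable.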

Machine Latency: Pros and Cons

Pros
- Cross platform
- Often crashes sniffing programs
- Confined to the local segment
- High accuracy when watching deltas for a particular machine over time

Cons
- Limited to the local ether segment
- Assumptions must be made about a system's response under load
- Assumptions must be made about network and regular machine load
- Network congestion

Spotting the Curious

- Create fictitious connections to a real machine
- Use a 'trap' account for those connections
- Watch and log on the legitimate machine for anyone attempting to log on with the 'trap' account
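The trap account only ever appears in the bait sessions, so any other attempt to use it means someone captured those sessions off the wire. The following Python is an added example, not code from the presentation: it scans the legitimate machine's authentication log for the trap user and reports every attempt that did not originate from the hosts generating the bait. The log lines are constructed in the well-known OpenSSH format as the assumed log source (the bait sessions themselves would use whatever cleartext protocol makes the credential sniffable); the host names, addresses, user and times are assumptions.

```python
"""Trap-account check: who used a credential that only ever travelled over the wire in our bait sessions?"""
import re

# OpenSSH-style sshd line; the constructed samples below follow this format.
AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def trap_account_attempts(lines, trap_user, bait_sources):
    """Return (timestamp, source, result) for every login attempt as trap_user that did not come
    from one of the hosts we use to generate the bait sessions.

    Our own bait logins land in the same log, so bait_sources must be allowlisted; without that the
    detector reports itself. Anything left is a host that learned the account by watching the wire."""
    hits = []
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m or m["user"] != trap_user or m["src"] in bait_sources:
            continue
        hits.append((m["ts"], m["src"], m["result"]))
    return hits

# Constructed log lines; names, addresses and times are assumptions.
TRAP_USER = "backup-ro"
BAIT_SOURCES = {"10.0.0.1"}
LOG_LINES = [
    "Mar  3 09:00:01 srv sshd[4101]: Accepted password for backup-ro from 10.0.0.1 port 51022 ssh2",  # our bait session
    "Mar  3 09:00:05 srv sshd[4102]: Accepted publickey for alice from 10.0.0.7 port 51023 ssh2",
    "Mar  3 11:42:19 srv sshd[4310]: Failed password for backup-ro from 10.0.0.2 port 40311 ssh2",   # someone else knows the name
    "Mar  3 11:42:24 srv sshd[4310]: Accepted password for backup-ro from 10.0.0.2 port 40311 ssh2", # and the password
    "Mar  3 11:43:00 srv sshd[4311]: Failed password for invalid user admin from 10.0.0.9 port 40400 ssh2",
]

if __name__ == "__main__":
    for ts, src, result in trap_account_attempts(LOG_LINES, TRAP_USER, BAIT_SOURCES):
        print(f"{ts}: {result} login as {TRAP_USER} from {src}; this credential only ever crossed the wire")
```

A failed attempt is as telling as a successful one here: the attacker already had to know the account name, and that name existed nowhere but in the bait traffic.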