
Pen tester tools: sniffers and working with packets. Network traffic analyzers: what a sniffer is and how it works

The idea of writing this material was born, as is usually the case, thanks to questions from readers and other acquaintances about technologies for intercepting and analyzing network traffic. These questions fall roughly into three categories: whether it is possible, in principle, to intercept and decode data moving over the network; how, and with what software, this can be done; and a third group that reflects some confusion in terminology. In particular, it happens that a person knows the essence of the technology but does not know what it is called, so when the conversation turns to, say, a sniffer, he looks down and answers that he does not know what that is. Isn't it time to dot the i's on this issue, which is important for beginners and advanced networkers alike? Let's get started...

First, let's understand a little terminology.

The word sniffer (literally, "one who sniffs" or "sniffs things out") in its most general sense means a kind of listening device embedded in a network to intercept the data transmitted over it. In a narrower sense, a sniffer is software that interacts with a network interface (it is often said to "sit" on the interface) in order to intercept traffic. The word came from a registered trademark of Network Associates, referring to the product "Sniffer(r) Network Analyzer", but it later suffered the same fate as PC, xerox and kleenex: sniffer has become a common noun denoting the whole class of similar products.

In some literature and documentation, as well as in electronic dictionaries such as Lingvo, the term sniffer (network sniffer) is equated with concepts such as "network traffic analyzer", "packet analyzer", "protocol analyzer" and "network analyzer". However, let me disagree slightly with this approach.

Still, it would be more logical to say that sniffing is a set of measures for intercepting traffic, and that a specific product can implement the following stages:

Packet capturing. At this stage we obtain a kind of raw (machine-readable) data dump, usually split into pieces along frame (packet) boundaries. What we do with it next is our own business. But since we usually start the sniffer for some reason, we are interested in getting a result in human-readable form, for which we use

Packet decoding, or protocol analysis. This is, in effect, the process of "raking through" our dump. For example, suppose we had raw material like this.

As you may have noticed, such a dump consists of three columns: the offset of each line, the data in hexadecimal, and its ASCII equivalent. The packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending with two consecutive CRLFs (0D 0A 0D 0A), and then the actual application-layer data, in our case web traffic.

Sometimes this representation is enough to obtain the necessary information, but it is still more convenient for the packet to be decoded and analyzed at all levels of the protocol stack. It’s really nice to get a picture like this, isn’t it?

ETHER: Destination address: 0000BA5EBA11
ETHER: Source address: 00A0C9B05EBD
ETHER: Frame Length: 1514 (0x05EA)
ETHER: Ethernet Type: 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 127 (0x7F)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xC26D
IP: Source Address = 10.0.0.2
IP: Destination Address = 10.0.1.201
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x0775
TCP: Sequence Number = 97517760 (0x5D000C0)
TCP: Acknowledgment Number = 78544373 (0x4AE7DF5)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgment field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 28793 (0x7079)
TCP: Checksum = 0x8F27
TCP: Urgent Pointer = 0 (0x0)
HTTP: Response (to client using port 1909)
HTTP: Protocol Version = HTTP/1.1
HTTP: Status Code = OK
HTTP: Reason = OK
....
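To make the header walk concrete, here is an added example (not code from the article) that decodes a frame laid out exactly as described above into the same fields as the listing, verifying the IP and TCP checksums on the way. The frame bytes are constructed for the demo, reusing the listing's addresses, ports and sequence numbers.

```python
"""Decode a raw Ethernet/IPv4/TCP/HTTP frame into the fields of the listing above.

Added example, not code from the article. The frame is constructed here (MACs,
IPs, ports and sequence numbers copy the listing's values); it is not a real capture."""
import struct
from typing import Any, Dict


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Walk the stack: 14-byte Ethernet, IPv4 (IHL*4 bytes), TCP (data offset*4), then HTTP."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, Any] = {"ether": {"dst": dst_mac.hex().upper(), "src": src_mac.hex().upper(), "type": ethertype}}
    if ethertype != 0x0800:
        return out                      # not IPv4: nothing more this decoder understands
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {
        "version": ver_ihl >> 4, "header_length": ihl, "tos": tos,
        "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
        "checksum": ip_csum, "checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    if proto != 6 or len(ip) < ihl + 20 or total_len < ihl + 20:
        return out
    tcp = ip[ihl:total_len]             # header plus payload; shorter than total_len if the capture was truncated
    sport, dport, seq, ack, off_res, flags, window, tcp_csum, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))   # TCP checksum also covers this pseudo-header
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": doff,
        "flags": [n for i, n in enumerate(names) if flags & (1 << i)],
        "window": window, "checksum": tcp_csum,
        "checksum_ok": inet_checksum(pseudo + tcp) == 0, "urgent_pointer": urg,
    }
    payload = tcp[doff:]
    if payload.startswith(b"HTTP/"):
        head, sep, body = payload.partition(b"\r\n\r\n")    # headers end at the double CRLF (0D 0A 0D 0A)
        parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
        out["http"] = {"version": parts[0], "status": parts[1] if len(parts) > 1 else "",
                       "reason": parts[2] if len(parts) > 2 else "",
                       "headers_complete": bool(sep), "body": body}
    return out


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed HTTP response frame with valid IP and TCP checksums (demo input only)."""
    src_ip, dst_ip = bytes([10, 0, 0, 2]), bytes([10, 0, 1, 201])
    eth = bytes.fromhex("0000BA5EBA11") + bytes.fromhex("00A0C9B05EBD") + b"\x08\x00"
    # sport 80, dport 1909 (0x0775), seq/ack from the listing, data offset 5 words, flags ACK, window 28793
    tcp = struct.pack("!HHIIBBHHH", 80, 1909, 97517760, 78544373, 5 << 4, 0x10, 28793, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 7652, 0x4000, 127, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload
```

Decoding a copy cut to 68 bytes (the `-s` default discussed later) shows why a short snaplen hides the application layer: the HTTP header never completes.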

In addition to the above, other "features" can be implemented, such as viewing packets in real time, filtering by a given criterion, and various kinds of traffic statistics (the number of errors, intensity, etc.).

types of sniffers and sniffing

Everything described in this section is, naturally, somewhat arbitrary, since nobody has yet written an official "theory of sniffing". We'll have to come up with a classification on the fly ;)

So, according to “location” (if this term is applicable here), the sniffer can work:

On the router (gateway)

In this situation you can intercept the traffic passing through the interfaces of this gateway, for example from your local network to another network and in the opposite direction. Accordingly, if a sniffer is installed on an Internet provider's router, the traffic of its users can be monitored, and so on...

At the end node of the network

For Ethernet there are two main possible ways of listening in. Classic, non-switched Ethernet assumes that every network interface, in principle, "hears" all traffic on its segment. However, in the normal mode of operation the network card, after reading the first 48 bits of the frame header, compares its own MAC address with the destination address given in the frame. If the address is someone else's, the station "modestly covers its ears", that is, it stops reading the frame. Thus, in normal mode you can intercept and analyze only your own traffic. To intercept the packets of all stations on a segment, you need to switch your network card into so-called promiscuous mode, in which it "shamelessly" keeps reading packets not addressed to it. Almost all sniffer implementations can switch the card into promiscuous mode.

Note: switched Ethernet creates a situation where even switching the card into promiscuous mode makes listening to traffic not intended for your station almost impossible. However, there is a technique for organizing such eavesdropping anyway, via so-called ARP spoofing. The essence is this: the switch forms a so-called "broadcast domain", and a host running a sniffer can, by forging ARP messages, pretend to be, for example, the border router (by constantly sending out ARP messages in which the router's network address is mapped to the MAC address of the listening station). As a result, the neighbours' traffic is forcibly redirected towards the "spy".
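The same ARP traffic also lets a sniffer notice this trick from the defender's side. As an added example (not from the article), the check below keeps an IP-to-MAC table the way arpwatch-style tools do and flags an IP whose MAC changes or a reply nobody asked for. The ARP frames and all addresses are constructed for the demo.

```python
"""Spot ARP spoofing symptoms in captured ARP frames (added example, not from the article).

Constructed demo traffic: station 10.0.0.10 asks for the gateway 10.0.0.1, the
real gateway answers, then another station claims 10.0.0.1 is at its own MAC.
All MACs and IPs are made up."""
import struct
from typing import Dict, List, Set, Tuple

ETHERTYPE_ARP = 0x0806
REQUEST, REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Tuple[int, str, str, str, str]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) of an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed Ethernet/ARP frame (demo input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = mac(tha) if op == REPLY else b"\xff" * 6      # requests are broadcast
    return (eth_dst + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


class ArpWatch:
    """Keeps an IP->MAC table the way arpwatch-style tools do and records two symptoms
    of the trick described above: an IP whose MAC changes, and a reply nobody asked for."""

    def __init__(self, trusted: Dict[str, str]) -> None:
        self.table: Dict[str, str] = dict(trusted)   # ip -> mac, seeded from the admin's records
        self.pending: Set[str] = set()                # IPs with an outstanding request
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        op, sha, spa, tha, tpa = parse_arp(frame)
        if op == REQUEST:
            self.pending.add(tpa)
        elif op == REPLY:
            if spa in self.pending:
                self.pending.discard(spa)
            else:
                self.alerts.append(f"unsolicited reply: {spa} is-at {sha}")
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha                     # first sighting: learn it
        elif known != sha:
            # report, but keep the trusted mapping rather than overwriting it
            self.alerts.append(f"{spa} changed from {known} to {sha}")


def demo() -> List[str]:
    """Run the watcher over the constructed frames and return its alerts."""
    watch = ArpWatch({"10.0.0.1": "00:11:22:33:44:01"})
    frames = [
        build_arp(REQUEST, "00:11:22:33:44:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp(REPLY, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"),
        build_arp(REPLY, "00:11:22:33:44:66", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"),
    ]
    for f in frames:
        watch.observe(f)
    return watch.alerts
```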

Otherwise, sniffers may differ from each other mainly in functionality, such as:

Supported physical interfaces and link layer protocols;

Decoding quality and number of “recognizable” protocols;

User interface and ease of display;

Additional features: statistics, real-time viewing, generating or modifying packets and more...

When choosing a sniffer (as, indeed, any other software) it makes sense to be guided by the following: from what exists for your OS, pick either something that exactly matches your task (this makes sense if you are planning a one-off job or will constantly perform the same operation) or the most sophisticated solution, in case you feel a sniffer will be useful to you but don't yet know in which situation :) And situations can be different...

why do we need a sniffer?

Traditionally the idea of sniffing has lived in two forms: legal and illegal use. Typically the word "sniffer" is used more often in the illegal sphere and "network analyzer" in the legal one. Let's start with legal use ;)

Troubleshooting (finding problems and bottlenecks in the network). In advanced mode, when the sniffer works on a non-switched segment or on a gateway, we can get an almost complete picture of what is happening in our network: traffic intensity by time, by workstation and by protocol, and the number of errors of various kinds. In addition, in both modes we can sort out more specific problems, when, say, a particular station cannot establish some kind of interaction over the network even though the network outwardly looks perfectly functional. A sniffer is especially useful when network software is poorly documented or uses its own proprietary (undocumented), often suspicious, technologies (protocols).

For example: ICQ, Europe Online. By suspicious technologies or software I mean situations where you suspect a program contains a backdoor or other undocumented functionality. For example, there were rumours that the client part of the famous cDc Back Orifice was itself a Trojan horse and sent some information to the owners, the software's authors. Listening in on the BO client's traffic showed that the rumours were untrue.

A sniffer is no less useful for debugging your own software. I will never forget the moment when a proxy server refused to establish a connection because my GET request ended in \n\n instead of the required \r\n\r\n. Only examining the packets sent by a "legitimate" browser and comparing them with those sent by my "upstart" script pointed me to the annoying mistake. Very, very often in everyday admin practice I have to deal with analysis at the TCP/UDP level.

Education. You can drive yourself into a half-faint memorizing the packet header formats of various protocols and the ways they interact (say, the TCP three-way handshake, DNS, how applications like traceroute work), but this knowledge will stay dead until you try to "touch it with your hands", either by writing a program yourself or... by looking into a sniffer! Try, after reading the documentation for an unfamiliar or poorly understood protocol, to simulate an exchange, capture the packets and analyze them; I assure you, everything will become extremely clear, and, what is more, this knowledge will be far more real and will stay in your head for a long time. In the case of closed technologies, a sniffer may be almost the only means of studying them.

Network traffic logging. One can argue at length about the legality and ethics of administrators logging user traffic for later review, but the fact remains that many organizations include this in their security policies. My personal opinion is that the owner calls the shots: if a company provides its employees with equipment and connections to local and global networks, it has the right to demand proper use of those resources. The second important reason for logging traffic is detecting unauthorized access attempts and other hostile activity, DoS attacks for example. With such logs the administrator can know with 100% certainty what is going on in his domain.

Now let's talk about the illegal side of sniffing. Well, first of all there is the banal

Eavesdropping. With a correctly placed sniffer you can spy on those near and far: enemies, friends, spouses ;) You may be interested in the following questions: why does a person use the network, what web resources does he visit, what data does he transmit, with whom and about what does he communicate? May the state security services forgive me, but the notorious SORM, the legality of which in the form of total traffic logging is a big question, I put in this section for now, although it could have ended up in the last paragraph of "legal sniffing" ;)

More mercenary eavesdropping. However, a significant part of the "hacker" community does not trade its talents for spying on unfaithful spouses and other everyday matters. Most often an attacker is interested in material that helps advance the difficult business of breaking into other people's systems and networks. As you might have guessed, this mainly means intercepting usernames and passwords that travel over the network unencrypted (in plain text). In particular this applies to passwords for telnet, POP, IMAP, NNTP, IRC, web applications that do not use encryption, SNMP v1 community strings, and so on.

implementation

Now, having more or less dealt with the theory, let's return to sinful earth and talk about specific sniffer implementations for various platforms. There is a lot of such software, and the differences in functionality and price (especially the latter) are colossal. Robert Graham, author of the "Sniffing (network wiretap, sniffer) FAQ", recommends trying the following products:

Network Associates Sniffer (for Windows)
http://www.nai.com/mktg/survey.asp?type=d&code=2483

WinNT Server
Microsoft's WinNT Server comes with a built-in program called "Network Monitor". Go to the Network control panel, select "Services", click "Add..." and choose "Network Monitor Tools and Agent". Once installed, the program is available in the Start menu under "Administrative Tools".

BlackICE is actually an intrusion detection system (IDS), but one of its functions is writing raw packet dumps in a form that protocol analyzers can decode. One caveat: the program only sees traffic passing through the local interfaces of the host it runs on, that is, it is non-promiscuous.

This program, on the contrary, can only analyze packets recorded by a sniffer like BlackICE Pro.

Free protocol analyzer.

Naturally this list is far from complete; you can go to any search engine or software download site and find something else. Moreover, the review does not mention what is, in my opinion, the most outstanding product of this kind for Win32: NetXRay, now renamed Sniffer Basic. We'll talk about it a little later.

snort
A libpcap-based sniffer with advanced filtering capabilities.

Again, the list is far from complete; you can look elsewhere. The thing is that in the *NIX community it is not customary to spread oneself thin: there are time-tested, constantly improving leading products, and most people prefer them without even trying to look for an alternative. The undisputed leaders here are tcpdump and sniffit.

Tcpdump & WinDump

(by Ghost//Necrosoft)

As mentioned above, tcpdump is the most commonly used sniffer on *nix systems; you will find it in any recent distribution of whichever OS you use. The best way to describe tcpdump is simply to list all its command-line options: that gives you both a list of its capabilities and a direct guide to action, all in one.

WinDump is a port of TcpDump from *nix systems, performs the same functions and has the same syntax as TcpDump, but has a couple of additional command line options, which will be discussed below.

A short note on using tcpdump under various systems. Under SunOS with nit or bpf devices: to run tcpdump you must have read access to /dev/nit or /dev/bpf*. Under Solaris with dlpi: you must be able to access pseudo-network devices such as /dev/le. Under HP-UX with dlpi: you must be root, or tcpdump must be installed setuid root. Under IRIX with snoop, and under Linux: requirements similar to HP-UX. Under Ultrix and Digital UNIX: only the superuser has access to promiscuous-mode operation, but with pfconfig(8) permission to run tcpdump can be granted. Under BSD: you must have access to /dev/bpf*. Under Win32: you must install the NDIS packet capture driver.

Now let's look at the command line options in detail.

tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]. WinDump-specific options: [ -D ] [ -B size ].

-a Convert network and broadcast addresses to names.

-c count Exit after processing count packets.

-d Dump the compiled packet-matching code in a human-readable form.

-dd Dump the packet-matching code as a C program fragment.

-ddd Dump the packet-matching code as decimal numbers.

-e Print the link-level header on each output line.

-f Print remote host addresses numerically, without converting them to names.

-F file Use file as input for the filter expression (any additional expression given on the command line is ignored).

-i interface Listen on interface. If it is not specified, tcpdump searches the system interface list for the lowest-numbered configured, active interface (excluding loopback). On Windows, interface is the name of the network adapter or its number (which you can find out by running WinDump -D).

-l Make stdout line-buffered. Useful for constructs such as "tcpdump -l | tee dat" or "tcpdump -l > dat & tail -f dat".

-n Don't convert addresses (host addresses, port numbers, etc.) to names.

-N Don't print the domain qualification of host names, i.e. with this flag tcpdump prints "nic" instead of "nic.ddn.mil".

-O Don't run the packet-matching code optimizer. This option is useful if you want to examine the matching code yourself.

-p Don't put the network interface into promiscuous mode.

-q Quick (quiet) output: information is printed in abbreviated form.

-r file Read packets from file (which is created with the -w option). To read from standard input, use "-" as file.

-s snaplen Capture snaplen bytes of data from each packet (in SunOS's NIT the minimum is 96). 68 bytes is enough for the IP, ICMP, TCP and UDP protocols, but cuts off information from higher-level protocols, say DNS and NFS packets.

-T type Force packets selected by expression to be interpreted as type. The following types are currently known: rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool) and wb (distributed White Board).

-S Print absolute rather than relative TCP sequence numbers.

-t Don't print a timestamp on each line.

-tt Print an unformatted timestamp on each line.

-v Verbose output: for example, the time to live and type of service of IP packets.

-vv Even more verbose output: for example, additional fields of NFS reply packets.

-w file Write the raw packets to file, which you can decode later with the -r option. To write to standard output, use "-" as file.

-x Print each packet (without its header) in hexadecimal. At most snaplen bytes are printed.

Additional WinDump options:

-B size Set the driver buffer size in kilobytes. The default buffer size is 1 megabyte. If some packets are lost during capture, try increasing the buffer size. If you have a PPP connection or 10 Mbit Ethernet, the buffer size can be cut in half or to a third.

-D Print the list of network devices present on your system. Each line has the form: number (the device's number in the system), name (its name), followed by a description of the device. You can then use this data to work with any of the system's network interfaces currently available, selecting the device with the -i option: "WinDump -i name" or "WinDump -i number".

expression is the expression that specifies the packet filtering criterion. If expression is absent, all packets are printed; otherwise only the packets matching expression are printed.

expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. There are three kinds of qualifiers:

type qualifiers say what kind of thing the id refers to. Possible types are host, net and port, i.e. "host foo", "net 128.3", "port 20". If no type qualifier is given, host is assumed.

dir qualifiers specify the transfer direction. Possible values are src, dst, src or dst and src and dst, i.e. "src foo", "dst net 128.3", "src or dst port ftp-data". If no dir qualifier is given, src or dst is assumed. For "null" link layers (ppp or slip) the inbound and outbound qualifiers can be used to indicate the desired direction.

proto qualifiers restrict the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp, i.e. "ether src foo", "arp net 128.3", "tcp port 21". If no proto qualifier is given, there is no filtering by protocol. ("fddi" is actually an alias for "ether", since in most cases FDDI packets contain Ethernet-like source and destination addresses and often contain Ethernet packet types. FDDI headers also contain other fields that are not in the filter list.)

In addition to the above, there are some special primitive keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. More on these a little later.

More complex filter expressions are built by combining primitives with the words and, or and not, for example "host foo and not port ftp and not port ftp-data". To save typing, identical qualifier lists can be omitted: "tcp dst port ftp or ftp-data or domain" is the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain".

The following expressions are allowed:

dst host host True if the IP destination field of the packet is host, which may be either an address or a host name.

src host host True if the IP source field of the packet is host.

host host True if either the IP source or the IP destination of the packet is host. Any of the above host expressions can be prefixed with ip, arp or rarp, as in: ip host host, which is equivalent to ether proto \ip and host host. If host is a name with several IP addresses, each address is checked for a match.

ether dst ehost True if the Ethernet destination address is ehost. ehost may be either a name from /etc/ethers or a number (see ethers(3N)).

ether src ehost True if the Ethernet source address is ehost.

ether host ehost True if either the Ethernet source or destination address is ehost.

gateway host True if the packet used host as a gateway, i.e. the Ethernet source or destination address was host but neither the IP source nor the IP destination was host. host is a name that must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is ether host ehost and not host host, which can be used with either names or numbers for host / ehost.)

dst net net True if the IP destination address of the packet has a network number of net. net may be either a name from /etc/networks or a network number.

src net net True if the IP source address of the packet has a network number of net.

net net True if either the IP source or destination address of the packet has a network number of net.

net net mask mask True if the IP address matches net with the given netmask. May be qualified with src or dst.

net net/len True if the IP address matches net with a netmask len bits wide (CIDR notation). May be qualified with src or dst.

dst port port True if the packet is ip/tcp or ip/udp and has a destination port value of port. port can be a number or a name from /etc/services (see tcp(4P) and udp(4P)). If a name is used for two or more ports, both the port number and the protocol are checked. If a number or an ambiguous name is used, only the port number is checked (e.g. dst port 513 prints both tcp/login and udp/who traffic, and port domain prints both tcp/domain and udp/domain).

src port port True if the packet has a source port value of port.

port port True if either the source or the destination port of the packet is port. Any of the above port expressions can be prefixed with tcp or udp, for example tcp src port port, which matches only tcp packets whose source port is port.

less length True if the packet has a length less than or equal to length; equivalent to len <= length.

greater length True if the packet has a length greater than or equal to length; equivalent to len >= length.

ip proto protocol True if the packet is an IP packet of protocol type protocol. protocol can be a number or one of the names icmp, igrp, udp, nd or tcp.

ether broadcast True if the packet is an Ethernet broadcast packet. The ether keyword is optional.

ip broadcast True if the packet is an IP broadcast packet.

ether multicast True if the packet is an Ethernet multicast packet. The ether keyword is optional. This is shorthand for "ether[0] & 1 != 0".

ip multicast True if the packet is an IP multicast packet.

ether proto protocol True if the packet is of Ethernet type protocol. protocol can be a number or one of the names ip, arp or rarp.

decnet src host True if the DECNET source address is host, which may be an address of the form "10.123" or a DECNET host name (DECNET host names are supported only on Ultrix systems).

decnet dst host True if the DECNET destination address is host.

decnet host host True if either the DECNET source or destination address is host.

proto [ expr : size ]

proto is one of ether, fddi, ip, arp, rarp, tcp, udp or icmp and indicates the protocol layer for the index operation. The byte offset, relative to the start of that protocol's header, is given by expr. size is optional and indicates the number of bytes of interest at that offset; it can be 1, 2 or 4 and defaults to 1.

Examples of using tcpdump

To print all packets arriving at or departing from sundown: tcpdump host sundown

To print traffic between helios and either hot or ace: tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios: tcpdump ip host ace and not helios

To print all traffic between the local machine and hosts at Berkeley: tcpdump net ucb-ether

To print all ftp traffic through the gateway snup: tcpdump "gateway snup and (port ftp or ftp-data)"

To print traffic that does not belong to machines on the local network (if your machine is a gateway to another network, this is the traffic merely passing through it): tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host: tcpdump "tcp[13] & 3 != 0 and not src and dst net localnet"

To print IP packets longer than 576 bytes sent through the gateway snup: tcpdump "gateway snup and ip[2:2] > 576"

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast: tcpdump "ether[0] & 1 = 0 and ip[16] >= 224"

To print all ICMP packets that are not echo requests/replies (i.e. not ping packets): tcpdump "icmp[0] != 8 and icmp[0] != 0"
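The byte-offset filters above, evaluated in Python as an added example (not from the article or from tcpdump): proto_bytes implements proto[expr:size] with tcpdump's header positions (ether at 0, ip at 14, tcp/udp/icmp right after the IP header), and the four predicates are hand translations of the last four filters, not a BPF compiler. The frames are constructed for the demo and all addresses are made up.

```python
"""Evaluate tcpdump-style proto[expr:size] byte tests over raw frames.

Added example, not from the article or tcpdump. Sample frames are constructed
below with zero checksums (the filters never read them); addresses are made up."""
import struct
from typing import Dict, Optional

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def proto_bytes(frame: bytes, proto: str, offset: int, size: int = 1) -> Optional[int]:
    """proto[offset:size] as a big-endian integer, or None when the frame does not carry
    that protocol or the bytes lie beyond the capture (tcpdump then simply does not match)."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if proto == "ether":
        start = 0
    else:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # ip/tcp/udp/icmp need an IPv4 packet
            return None
        if proto == "ip":
            start = 14
        elif proto in PROTO_NUM:
            if frame[23] != PROTO_NUM[proto]:                  # IP protocol field at IP offset 9
                return None
            start = 14 + (frame[14] & 0x0F) * 4                # skip the IP header (IHL words)
        else:
            raise ValueError("unknown protocol " + proto)
    chunk = frame[start + offset:start + offset + size]
    if len(chunk) < size:                                      # truncated capture (small -s)
        return None
    return int.from_bytes(chunk, "big")


# The article's filter examples, written out as predicates.
def syn_or_fin(frame: bytes) -> bool:            # tcp[13] & 3 != 0
    v = proto_bytes(frame, "tcp", 13)
    return v is not None and v & 3 != 0


def longer_than_576(frame: bytes) -> bool:       # ip[2:2] > 576
    v = proto_bytes(frame, "ip", 2, 2)
    return v is not None and v > 576


def ip_bcast_not_ether(frame: bytes) -> bool:    # ether[0] & 1 = 0 and ip[16] >= 224
    e, d = proto_bytes(frame, "ether", 0), proto_bytes(frame, "ip", 16)
    return e is not None and d is not None and e & 1 == 0 and d >= 224


def icmp_not_ping(frame: bytes) -> bool:         # icmp[0] != 8 and icmp[0] != 0
    t = proto_bytes(frame, "icmp", 0)
    return t is not None and t not in (8, 0)


UNICAST_MAC, MCAST_MAC = bytes.fromhex("0000ba5eba11"), bytes.fromhex("01005e0000fb")
DST_IP, MDNS_IP = bytes([10, 0, 1, 201]), bytes([224, 0, 0, 251])


def make_frame(dst_mac: bytes, proto: int, dst_ip: bytes, l4: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame around an L4 payload (demo input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 2]), dst_ip)
    return dst_mac + bytes.fromhex("00a0c9b05ebd") + b"\x08\x00" + ip + l4


def sample_frames() -> Dict[str, bytes]:
    tcp_syn = struct.pack("!HHIIBBHHH", 1909, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)   # tcp[13] = SYN
    tcp_ack = struct.pack("!HHIIBBHHH", 1909, 80, 2, 1, 0x50, 0x10, 8192, 0, 0)   # tcp[13] = ACK
    udp = struct.pack("!HHHH", 5353, 5353, 8, 0)
    return {
        "syn": make_frame(UNICAST_MAC, 6, DST_IP, tcp_syn),
        "ack": make_frame(UNICAST_MAC, 6, DST_IP, tcp_ack),
        "big": make_frame(UNICAST_MAC, 6, DST_IP, tcp_ack + b"x" * 600),              # 640-byte IP datagram
        "echo": make_frame(UNICAST_MAC, 1, DST_IP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # ICMP echo request
        "unreach": make_frame(UNICAST_MAC, 1, DST_IP, struct.pack("!BBHI", 3, 1, 0, 0)),   # ICMP unreachable
        "mdns_unicast_mac": make_frame(UNICAST_MAC, 17, MDNS_IP, udp),               # multicast IP, unicast MAC
        "mdns_mcast_mac": make_frame(MCAST_MAC, 17, MDNS_IP, udp),
    }
```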

by Alice D. Saemon

The one I love...

A long, long time ago... NetXRay was the first sniffer that came to my attention. Back then, in 1997, this English-language program made a splash among Windows-oriented networkers. Years have passed, but the old version of NetXRay (3.0.1) is still in service, in daily use on my workstation. Today the product has been renamed Sniffer Basic and some new features have been added, but the core functionality has remained unchanged since 3.0.1. This is the first reason why NetXRay 3.0.1 is described in this newspaper. The second reason... (glancing at the anti-piracy police) is that the product is very expensive (1643 pounds sterling) and the trial restrictions are very severe. So, let's get started.

The package consists of a set of different functions and can truly be called a network analyzer rather than a sniffer. All capabilities (modules) are grouped in the "Tools" menu, where the various settings are also located. Let's start with those. You can select the adapter on which the current probe runs. The adapter must support the NDIS 3.0/3.1 standard.

Attention, bug! If you "set" NetXRay on an adapter it considers "wrong", or capture packets it cannot decode at the link/network level (for example exploit traffic that sends crookedly fragmented packets), the program freezes dead at the decoding (protocol analysis) stage.

You can simultaneously test on several interfaces, for which multiple versions of the program (probes) are created. You can copy all the settings of any existing probe to a new probe.

In the options you can configure the following: the appearance of the desktop, standard port numbers for various protocols (3 options; very useful when network applications run on non-standard ports), the response to the occurrence of some event, threshold values for various types of statistics, etc.

Well, now let's move on to the functional modules of the package.


capture (packet capture)

The heart of NetXRay, in fact, is what in the popular understanding is a sniffer. Therefore, I will allow myself to describe it in as much detail as possible.

When this module is activated, a small window with a "dashboard" and a couple of buttons appears. All actions available in this window are duplicated in the Capture menu. And here is what we can do: start capturing packets, stop, stop and view the contents of the buffer, or simply view the contents of the buffer, provided capture has been stopped. Here we can also fine-tune the filters:

By addresses of the sender and recipient. To facilitate this task, there is an address book and a certain set of preset addresses, for example “Any”.

According to templates. If you need to catch packets containing some specific data anywhere in the packet, you can write a clever template. Moreover, what is especially nice is that you can construct templates in any representation convenient for you: binary, hexadecimal, ASCII and EBCDIC.

By protocols known to the program. These are:

network: AppleTalk, AppleTalk ARP, APOLLO, DECNET, IP, IP ARP, IPX, LAT, NetBEUI, OSI, SNA, VINES, VINES Loopback, VINES Echo, XNS

higher in the IP stack: transport, service and routing - ICMP, IGMP, GGP, EGP, IGP, ISO-TP4, HELLO, IP-VINES, IGRP, OSPF, TCP, UDP; application level - FTP, REXEC, RLOGIN, RSH, PRINTER, SMTP, TELNET, DNS(TCP), GOPHER, HTTP, POP, SUNRPC(TCP), NNTP, NETBIOS, X-WINDOW, DNS(UDP), BOOTP, TFTP, SUNRPC(UDP), SNMP, SNMPTRAP, BIFF, WHO, SYSLOG, RIP, GDP, NFS.

higher in the IPX stack: NCP, SAP, NRIP, NBIOS, DIAGNOSTIC, SERIALIZATION, NMPI, NLSP, NSNMP, NSNMPTRAP, SPX.

As you can see, it’s not so little, I would say - even excessive for real life.

Attention! The protocol filter has a slightly strange interface: if no checkbox within one level is checked, all packets of that level and everything above it (below it, if you look at the user interface ;) are captured. Thus, if you haven't ticked a single box, absolutely everything is captured. Naturally, unknown application-level protocols are also captured in this case, but are not decoded into readable form, which is natural since they are unknown :))

In addition, you can adjust the buffer size or specify the file where to send the packet capture results.

Filter settings can be recorded in a so-called profile, assigned a name and subsequently selected from the list.

After capturing the required number of packets, when viewing is activated we land in the so-called "results window", which by default is named XRay1, XRay2 and so on, according to the number of current buffers. You can see such a window in the screenshot: at the top is the list of packets with a brief "annotation", in the middle the decoded data (well, as much as it could decode ;) and at the bottom the raw packet. Conveniently, when you click on a field of interest in the decoded section, the corresponding place in the raw packet is highlighted, so you can check the quality of the protocol analyzer ;)

The user interface of the "results window" has its advantages (any of the filters discussed above can be applied to the displayed buffer; any packet or the whole buffer can be sent to the network with one mouse click, or a number of packets copied to a separate buffer; the decoded data is displayed very nicely, even with some nesting for fields of little interest to the average user) as well as obvious disadvantages (you cannot delete a couple of packets from the buffer, and the clipboard does not work, that is, the results cannot, for example, be copied and saved as text).

In addition to storing packets in a buffer or file for later decoding, it is also possible to view traffic in real time.

True, a) visually it looks terrible, and b) this option is turned on in such an illogical place that even an old NetXRay user like me forgets where this tick is. The tick lives in Tools | Options..., General tab, Realtime Display checkbox, and not in the Capture settings, where it would be logical to look for it ;-/

In addition, the "results window" contains tabs with statistical data on the captured session, but we will not dwell on them.


packet generator

This is a truly wonderful thing: you can "draft" absolutely any packet from scratch and send it to the network. The interface consists of the main window and the so-called packet designer, divided into two sections - Configure and Decode.

In the first, we have a portrait of a standard dump (see the theoretical part of the article), filled with zeros. We begin to enter hexadecimal numbers there, and in the Decode section, which looks exactly like the decoded packet in the "results window" of Capture, an analysis of our packet appears.

But in this case we can not only look at the decoded packet, but also make changes by clicking on the desired field. True, values are changed only in hexadecimal form in any case, and the input fields are striking in their inconvenience :( There are several options for generating and sending packets: send the current packet, send the current buffer, write a packet from scratch, or send an edited version of a packet you captured.

Interface note: if the "send current packet" option is called from the Capture "results window", the packet is sent immediately without invoking the packet constructor, although it remains in the current "send buffer" and can be adjusted there later.

If "send current packet" is called from the Packet Generator window, the packet designer is invoked automatically. Be careful!

In the packet designer's Decode section, the program gives you some hints; in particular, it calculates a new checksum when you modify the packet (it could also make the appropriate changes itself, lazy thing ;). However, AI differs from the human mind in that it cannot think properly. So when, for example, you change the recipient's IP address, think about whether you should also change its MAC address ;)

Packets can be sent in different modes: one click - one packet, a specified number of packets, or in a loop. This way you can generate traffic. In general, you can find a lot of uses for the packet generator; it is up to your imagination and ingenuity.
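The checksum hint above is worth seeing in bytes. Here is an added example (not NetXRay code) that builds an IPv4 header with Python's struct module, computes the RFC 791 header checksum, and shows that editing the destination address, as you would in the packet designer, leaves a stale checksum behind until it is recomputed; all addresses and field values are constructed. The Ethernet FCS is recomputed by the network card on transmit, but nothing recomputes a stale destination MAC for you, which is the point of the remark above.

```python
import struct
from ipaddress import IPv4Address

HDR_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words
    of the header, with the checksum field (bytes 10-11) treated as zero."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        if i == 10:                      # the checksum field itself
            continue
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return a copy of the header with a freshly computed checksum."""
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int = 17,
                      ttl: int = 64, ident: int = 0, flags_frag: int = 0x4000) -> bytes:
    """Constructed header, like the zero-filled template in the Configure
    pane after the fields are typed in. Default protocol 17 is UDP."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, total_len, ident, flags_frag, ttl, proto,
                      0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return with_checksum(hdr)


def checksum_valid(header: bytes) -> bool:
    """What the Decode pane checks: does the stored checksum match the bytes?"""
    return struct.unpack("!H", header[10:12])[0] == ipv4_checksum(header)


def set_destination(header: bytes, dst: str, fix_checksum: bool = True) -> bytes:
    """Edit the destination address as the packet designer lets you do.
    With fix_checksum=False the edit leaves the old checksum behind, which
    is what happens if you change the field and ignore the hint."""
    patched = header[:16] + IPv4Address(dst).packed
    return with_checksum(patched) if fix_checksum else patched


def decode_ipv4_header(header: bytes) -> dict:
    """A minimal Decode pane: named fields plus a checksum verdict."""
    (vihl, tos, tlen, ident, ff, ttl, proto,
     csum, src, dst) = struct.unpack(HDR_FMT, header[:20])
    return {
        "version": vihl >> 4, "ihl_bytes": (vihl & 0xF) * 4, "tos": tos,
        "total_length": tlen, "id": ident,
        "flags": ff >> 13, "frag_offset": ff & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": f"0x{csum:04x}",
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": checksum_valid(header),
    }


if __name__ == "__main__":
    # constructed values: a UDP datagram header of 115 bytes total length
    hdr = build_ipv4_header("192.168.0.1", "192.168.0.199", total_len=0x73)
    print(hdr.hex(" "))
    print(decode_ipv4_header(hdr))
    stale = set_destination(hdr, "192.168.0.200", fix_checksum=False)
    print("edited dst, checksum not recomputed:", checksum_valid(stale))
    print("edited dst, checksum recomputed:",
          checksum_valid(set_destination(hdr, "192.168.0.200")))
```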

all sorts of things

In addition to the above, the program contains a lot of other bells and whistles, useful and not so useful (depending on whom you ask ;). Briefly about them:

Dashboard. Network load statistics, or more precisely for the part of the network that is visible to you: number of packets, bytes, errors of all types, utilization calculation. This feature has always puzzled me, because I have never seen error messages in my life - well, it can't be that there aren't any! ;)

Host Table. Collects various information about hosts visible to the sniffer and their activity (without full packet capture and analysis).

Matrix. Almost the same as Host Table, but presented in a slightly different format.

History. Draws graphs and diagrams of network behavior over a certain period of time.

Protocol Distribution. As the name suggests, it keeps statistics on the use of various protocols.

Statistics. Statistics on utilization and frame sizes.

Alarm log. A log of events you define.

Well, that's all in a nutshell (wow, some "nutshell" it turned out to be %-()). Download it and test it to your heart's content - for your own joy and to spite your enemies :)

conclusion

Well, the tale of sniffers is over for today. Those who listened (read to the end) - well done; I hope you got answers to most of your questions. For the sake of fairness, I note that not ALL issues were considered within this article. At least two big topics were left out: the internal structure of sniffers, including methods and approaches to writing such software, and ways to counter sniffing.

As for the first, here is what I think: the topic is interesting and requires separate material, but it will be intended mainly for programmers. We'll figure something out about this. As for the second question, the answer is basically the same: encryption, encryption and encryption again, which is obvious. There are, of course, methods for recognizing the presence of a sniffer on a network and even countering it, but they are quite specialized and not very effective.

Many users do not realize that when they fill in a login and password while registering or logging in to a closed Internet resource and press ENTER, this data can easily be intercepted. Very often it is transmitted over the network in unprotected form. Therefore, if the site you are trying to log in to uses the HTTP protocol, it is very easy to capture this traffic, analyze it with Wireshark and then, using special filters and programs, find and decrypt the password.

The best place to intercept passwords is the core of the network, where the traffic of all users to closed resources (for example, mail) passes, or in front of the router to the Internet, where registrations on external resources go through. We set up a mirror and we are ready to feel like a hacker.

Step 1. Install and launch Wireshark to capture traffic

Sometimes it is enough to select only the interface through which we plan to capture traffic and click the Start button. In our case we are capturing over a wireless network.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

We open the browser and try to log in to some resource using a username and password. Once the authorization process is complete and the site has opened, we stop capturing traffic in Wireshark. Next, we open the protocol analyzer and see a large number of packets. This is where most IT professionals give up, because they don't know what to do next. But we know what we are interested in: the specific packets containing POST data, which is generated on our local machine when a form is filled out on screen and sent to a remote server when we click the "Login" or "Authorization" button in the browser.

We enter a special filter in the window to display the captured packets: http.request.method == "POST"

And instead of thousands of packets we see only one, with the data we are looking for.

Step 3. Find the user's login and password

Quickly right-click and select Follow TCP Stream from the menu.


After this, text appears in a new window that restores the contents of the page in code. Let's find the fields "password" and "user", which correspond to the password and username. In some cases both fields will be easily readable and not even encrypted, but if we are trying to capture traffic when accessing very well-known resources such as Mail.ru, Facebook, VKontakte, etc., then the password will be encrypted:

HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Thus, in our case:

Username: networkguru

Password:

Step 4. Determine the encoding type to decrypt the password

For example, go to the website http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the identification window. I was given a list of encoding protocols in order of priority:

Step 5. Decrypting the user password

At this stage we can use the hashcat utility:

~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

At the output we received a decrypted password: simplepassword

Thus, with the help of Wireshark we can not only solve problems in the operation of applications and services, but also try ourselves as a hacker, intercepting the passwords that users enter in web forms. You can also find out passwords to users' mailboxes using simple display filters:

  • POP protocol; the filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
  • IMAP protocol; the filter will be: imap.request contains "login"
  • SMTP protocol; you will need to enter the following filter: smtp.req.command == "AUTH"

and, for a hashed password, more serious utilities for breaking the encoding.
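The display filters above locate credentials; the defender's use of the same observation is to find the clients that still authenticate in the clear, so the service can be moved to TLS and the stragglers fixed. The following added example (not from the article and not a Wireshark feature) applies the same POP3/IMAP/SMTP rules, plus the HTTP form POST case from the steps above, to a constructed capture written one client line per row as "<server port> <text>", and reports protocol, mechanism and a redacted user name, never the password.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample, not a real capture: client-to-server lines only,
# "<server port> <text>". Port 993 is IMAP over TLS, so its payload is
# opaque to a sniffer and must not be reported.
SAMPLE_CAPTURE = """\
110 USER alice@example.test
110 PASS hunter2
143 a001 LOGIN bob@example.test secret123
587 EHLO laptop.example.test
587 AUTH PLAIN AGJvYgBzZWNyZXQxMjM=
80 POST /login.php HTTP/1.1
80 user=carol&password=letmein
993 <TLS application data>
"""


@dataclass(frozen=True)
class Finding:
    port: int
    protocol: str
    mechanism: str
    user: str          # redacted: first character of the local part only


def redact(user: str) -> str:
    """Keep enough to identify the account owner, nothing more."""
    if user in ("", "?"):
        return "?"
    local, at, domain = user.partition("@")
    return local[:1] + "***" + at + domain


def user_from_auth_plain(blob: str) -> str:
    """SASL PLAIN is base64(authzid NUL authcid NUL password); return authcid."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
        return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "?"
    except (binascii.Error, ValueError):
        return "?"


POP3_USER = re.compile(r"^USER\s+(\S+)$", re.I)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+$", re.I)
SMTP_AUTH = re.compile(r"^AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?$", re.I)
HTTP_FORM = re.compile(r"(^|&)password=", re.I)
IMPLICIT_TLS_PORTS = {443, 465, 993, 995}   # nothing readable on these


def find_cleartext_auth(capture: str) -> list[Finding]:
    """Report every cleartext authentication attempt in the capture."""
    findings: list[Finding] = []
    for raw in capture.splitlines():
        port_text, _, text = raw.partition(" ")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in IMPLICIT_TLS_PORTS:
            continue
        if port == 110 and (m := POP3_USER.match(text)):
            findings.append(Finding(port, "POP3", "USER/PASS", redact(m[1])))
        elif port == 143 and (m := IMAP_LOGIN.match(text)):
            findings.append(Finding(port, "IMAP", "LOGIN", redact(m[1])))
        elif port in (25, 587) and (m := SMTP_AUTH.match(text)):
            mech = m[1].upper()
            # AUTH LOGIN sends the user name on a later line; not decoded here
            user = user_from_auth_plain(m[2]) if mech == "PLAIN" and m[2] else "?"
            findings.append(Finding(port, "SMTP", "AUTH " + mech, redact(user)))
        elif port == 80 and HTTP_FORM.search(text):
            params = parse_qs(text)
            user = (params.get("user") or params.get("login") or ["?"])[0]
            findings.append(Finding(port, "HTTP", "form POST", redact(user)))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_CAPTURE):
        print(f"port {f.port:<4} {f.protocol:<5} {f.mechanism:<10} user={f.user}")
```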

Step 6: What if the traffic is encrypted and uses HTTPS?

There are several options to answer this question.

Option 1. Connect when the connection between the user and the server is being re-established and capture traffic at the moment the connection is set up (SSL Handshake). When a connection is established, the session key can be intercepted.

Option 2. You can decrypt HTTPS traffic using the session key log file written by Firefox or Chrome. To do this, the browser must be configured to write these encryption keys to a log file (Firefox-based example), and you need to obtain that log file. Essentially, you need to steal the session key file from another user's hard drive (which is illegal). Then capture the traffic and use the resulting keys to decrypt it.

Clarification. We're talking about the web browser of the person whose password someone is trying to steal. If we mean decrypting our own HTTPS traffic and want to practice, then this strategy will work. If you are trying to decrypt the HTTPS traffic of other users without access to their computers, this will not work - that is what encryption and privacy are for.

After obtaining the keys according to option 1 or 2, you need to register them in Wireshark:

  1. Go to the menu Edit - Preferences - Protocols - SSL.
  2. Set the flag "Reassemble SSL records spanning multiple TCP segments".
  3. Next to "RSA keys list", click Edit.
  4. Fill in all the fields and enter the path to the file with the key.

Wireshark can decrypt packets that are protected using the RSA key exchange. If the DHE/ECDHE, FS or ECC algorithms are used, the sniffer will not help us.

Option 3. Gain access to the web server that the user is using and obtain the key. But this is an even more difficult task. In corporate networks, for the purpose of debugging applications or content filtering, this option is implemented on a legal basis, but not for the purpose of intercepting user passwords.


A sniffer is another name for a traffic analyzer: a program or hardware device that intercepts and then analyzes network traffic. Nowadays these programs have a completely legal justification and are therefore widely used on the Internet, but they can be used both for good and for harm.

The history of their origin goes back to the 90s, when hackers using such software could easily capture a user’s login and password, which at that time were very weakly encrypted.

The word sniffer comes from the English "to sniff". The principle of operation is that the program registers and analyzes the information packets transmitted by the machines on the network. For the information reading to be effective, it must be located close to the main PC.

Programmers use such applications for traffic analysis; hackers on the network pursue other goals: they hunt for passwords or other information they need.

Types of traffic analyzers

Sniffers vary in type: they can be online applets or applications installed directly on a computer, which in turn are divided into hardware and software-hardware.

Most often they are used to intercept passwords; in this case the application gains access to the codes of encrypted information. This can cause enormous inconvenience to the user, since there are often cases when the same password is set for several programs or sites, which ultimately leads to the loss of access to necessary resources.

There is a type of sniffing that is used to intercept a snapshot of RAM, since it is difficult to read the information constantly without using up processor power. Such a spy can be detected by monitoring the maximum load on the PC during operation.

Another type of program works with a large data transmission channel, and the pest can generate up to 10 megabytes of logs every day.

How it works

Analyzers work only with TCP/IP protocols; such programs require a wired connection, for example routers that distribute the Internet. Data is transferred in separate packets, which are reassembled into a single whole when they reach their final destination. Sniffers are also capable of intercepting packets at any stage of transmission and obtaining valuable information along with them, in the form of unprotected passwords. In any case, with the help of decryption programs it is possible to obtain the key even to a protected password.

The easiest way to use Wi-Fi sniffers is in networks with weak protection: in cafes, public places, etc.

Providers use these programs to track unauthorized access to external system addresses.

How to protect yourself from sniffers

To understand that someone has penetrated the local network, first of all you should pay attention to the packet transfer speed; if it is significantly lower than stated, this should alert you. You can monitor your computer's performance using the Task Manager. You can use special utilities, but they most often conflict with the Windows firewall, so it is better to turn it off for a while.

For system administrators, checking for and hunting down traffic analyzers on the local network is a necessary undertaking. To detect malicious applications, you can use well-known network antiviruses such as Doctor Web or Kaspersky Anti-Virus, which can detect pests both on remote hosts and directly within the local network.

In addition to special applications that are simply installed on your computer, you can use more complex passwords and cryptographic systems. Cryptographic systems work directly with the information, encrypting it and using an electronic signature.

Application overview and main features

CommView

CommView decodes packets of transmitted information and displays statistics of the protocols used in the form of diagrams. The traffic sniffer allows you to analyze IP packets, including only those that are needed. This sniffer for Windows works with well-known protocols: HTTP, HTTPS, DHCP, DDNH, DIAG, POP3, TCP, WAP, etc. CommView works with Ethernet modems, Wi-Fi and others. Packets are captured over an established connection using the "Current IP connections" tab, where you can create address aliases.

The "Packets" tab displays information about them, and they can be copied to the clipboard.

"Log files" allows you to view packets in NFC format.

The "Rules" tab. Here you can set the conditions for packet interception. Sections of this tab: IP addresses, MAC addresses, Ports, Process, Formulas and Individual parameters.

"Warning": provides for setting up notifications on the local network and operates using the "Add" button. Here you can set conditions and event types:

  • "Packets per second" - when the network load level is exceeded.
  • "Bytes per second" - when the data transmission rate is exceeded.
  • "Unknown address", i.e. detection of unauthorized connections.

The "View" tab - traffic statistics are reflected here.

CommView is compatible with Windows 98, 2000, XP, 2003. An Ethernet adapter is required to use the application.

Advantages: user-friendly interface in Russian, supports common types of network adapters, statistics are visualized. The only downside is the high price.

Spynet

Spynet performs the functions of decoding packets and intercepting them. With its help you can recreate the pages that the user visited. It consists of 2 programs: CaptureNet and PipeNet. It is convenient to use on a local network. CaptureNet scans data packets, and the second program monitors the process.

The interface is quite simple:

  • Modify Filter button - setting up filters.
  • Layer 2,3 buttons - select the layer: Layer 2 - Frame/IP protocols; Layer 3 - TCP.
  • Pattern Matching button - searches for packets with the specified parameters.
  • IP Addresses button - allows you to scan the necessary IP addresses that transmit information of interest (options 1-2, 2-1, 2=1; in the latter case, all traffic).
  • Ports button, i.e. selection of ports.

To intercept data, you run Capture Start, i.e. the data interception process starts. The file with the saved information is written only after the Stop command, i.e. when capture is terminated.

The advantage of Spynet is the ability to decode web pages the user has visited. The program can also be downloaded for free, although it is quite difficult to find. The disadvantages include a small feature set on Windows. Works in Windows XP and Vista.

BUTTSniffer

BUTTSniffer analyzes network packets directly. The principle of operation is the interception of transmitted data, as well as the ability to automatically save it to a medium, which is very convenient. This program is launched from the command line. There are also filter options. The program consists of BUTTSniff.exe and BUTTSniff.dll.

Significant disadvantages of BUTTSniffer include unstable operation and frequent crashes, even bringing down the OS (blue screen of death).

In addition to these sniffer programs, there are many other equally well-known ones: WinDump, dsniff, NatasX, NetXRay, CooperSniffer, LanExplorer, Net Analyzer.

There are also online sniffers, which, in addition to obtaining the victim's IP address, change the attacker's IP address directly. That is, the hacker first registers under an IP address and sends to the victim's computer a picture that needs to be downloaded or an email that just needs to be opened. After this, the hacker receives all the necessary data.

It is worth recalling that interfering with the data of someone else's computer is a criminal offense.

When an ordinary user hears the term "sniffer", he immediately wonders what it is and why it is needed.

We will try to explain everything in simple language.

However, this article will be intended not only for novice users, but also for.

Definition

A sniffer is a traffic analyzer. Traffic, in turn, is all the information that passes through computer networks.

This analyzer looks at what information is being transmitted. To do this, it must intercept it. In fact, this is an illegal thing, because in this way people often gain access to other people's data.

This can be compared to a train robbery - a classic plot of most Westerns.

You are transferring some information to another user. It is carried by a “train”, that is, a network channel.

The outlaws from Bloody Joe's gang intercept the train and rob it completely. In our case the information goes further, that is, attackers do not steal it in the literal sense of the word.

But let's say that this information is passwords, personal notes, photographs and the like.

Attackers can simply copy and photograph all this. This way they will have access to sensitive data that you would like to keep hidden.

Yes, you will still have all this information; it will reach you.

But you will know that complete strangers know the same things. And in the 21st century, information is valued most of all!

In our case exactly this principle is used. Certain people stop the traffic, read the data from it and send it on.

True, in the case of sniffers everything is not always so scary. They are used not only to gain unauthorized access to data, but also to analyze the traffic itself. This is an important part of the work of system administrators and simply administrators of various resources. The applications are worth discussing in more detail, but before that we will touch on how these same sniffers work.

Principle of operation

In practice, sniffers can be portable devices that are literally attached to a cable and read the data passing through it.

In some cases it is simply a set of instructions, that is, code that must be entered in a certain sequence in a certain programming environment.

In more detail, traffic can be intercepted by such devices in one of the following ways:

1. By installing hubs instead of switches. In principle, listening on a network interface can be done in other ways, but all of them are ineffective.

2. By connecting a literal sniffer at a point where the channel is broken. This is exactly what was discussed above: a small device is installed that reads everything that moves along the channel.

3. Installing a traffic branch. This branch is routed to some other device, possibly decrypted, and sent on to the user.

4. An attack whose goal is to completely redirect traffic to the sniffer. Of course, after the information reaches the reading device, it is again sent to the end user for whom it was originally intended. In its purest form!

5. By analyzing the electromagnetic radiation that arises from traffic movement. This is the most complex and rarely used method.

Here is an approximate diagram of how the second method works.

True, it shows the reader simply connected to the cable.

In fact, doing it this way is almost impossible.

The fact is that the end user will still notice that there is a break in the channel at some point.

The very principle of operation of a regular sniffer is based on the fact that within one segment packets are sent to all connected machines. Quite a stupid method, but so far there is no alternative! Between segments, data is transmitted using switches. This is where the possibility of intercepting information using one of the above methods appears.

Actually, this is what is called cyber attacks and hacking!

By the way, if you install these same switches correctly, you can completely protect the segment from all kinds of cyber attacks.

There are other methods of protection, which we will talk about at the very end.

Helpful information:

Pay attention to the program. It is used to analyze network traffic and parse data packets, for which the pcap library is used. This significantly narrows the number of packets available for parsing, since only those packets that are supported by this library can be parsed.

Application

Of course, first of all this concept has the application discussed above, that is, hacker attacks and the illegal acquisition of user data.

But besides this, sniffers are also used in other areas, specifically in the work of system administrators.

In particular, such devices or programs help to perform the following tasks:

As you can see, the devices or programs we are considering can greatly facilitate the work of system administrators and other people who use networks. And that's all of us.

Now let's move on to the most interesting part - a review of sniffer programs.

We found out above that they can be made in the form of physical devices, but in most cases special programs are used.

Let's study them.

Sniffer programs

Here is a list of the most popular such programs:

CommView. The program is paid, like all the others on our list. One minimum license costs $300. But the software has rich functionality. The first thing worth noting is the ability to set rules yourself. For example, you can make sure that (these protocols) are completely ignored. It is also noteworthy that the program allows you to view details and a log of all sent packets. There is a regular version and a Wi-Fi version.

SpyNet. This is, in fact, the Trojan that we are all so tired of. But it can also be used for the noble purposes we talked about above. The program intercepts and that are in the traffic. There are many unusual features. For example, you can recreate the pages on the Internet that the "victim" visited. It is noteworthy that this software is free, but it is quite difficult to find.

BUTTSniffer. This is a sniffer in its purest form, which helps analyze network packets rather than intercept other people's passwords and browser history. At least that's what its author thought. In fact, his creation is used for you know what. This is a regular console program that works from the command line. To get started, two files are downloaded and launched. "Captured" packets are saved on your hard drive, which is very convenient.

There are many other sniffer programs. For example, fsniff, WinDump, dsniff, NatasX, NetXRay, CooperSniffer, LanExplorer, Net Analyzer and many others are known. Choose any! But, in fairness, it is worth noting that the best is CommView.

So, we have looked at what sniffers are, how they work and what they are like.

Now let's move from the place of a hacker or system administrator to the place of an ordinary user.

We are well aware that our data can be stolen. What to do to prevent this from happening? here). It works extremely simply: it scans the network for all kinds of spies and reports if any are detected. This is the simplest and most understandable principle that allows you to protect yourself from cyber attacks.

3. Use PromiScan. In its properties and the tasks it performs, this program is very similar to AntiSniff for Windows, so choose one of the two. There are also many download links on the Internet (here is one of them). This is an innovative program that allows you to remotely monitor computers connected to the same network. The principle of its operation is to identify nodes that should not be on the network. Actually, these are most likely sniffers. The program identifies them and signals this with an eloquent message. Very convenient!

4. Use cryptography, and if deployed, a public key cryptographic system. This is a special encryption or electronic signature system. Its "trick" is that the key is public and everyone can see it, but it is impossible to change the data, since this would have to be done on all computers on the network at the same time. An excellent method, like a decoy for a thief. In you can read about blockchain, where exactly such a system is used.

5. Do not download suspicious programs, do not visit suspicious sites, and so on. Every modern user knows this, and yet this is the main way for Trojans and other nasty things to get into your operating system. So be very responsible when using the Internet in general!
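AntiSniff and PromiScan, mentioned in the list above, look for hosts whose network card is in promiscuous mode, which is how a software sniffer sees traffic addressed to other machines. This added example (not part of the article and not any of those tools) shows the local version of that check on Linux: it reads the IFF_PROMISC bit from /sys/class/net/<iface>/flags and replays the kernel's "entered/left promiscuous mode" messages; the sysfs tree and log lines it scans are constructed. Remote detection, as PromiScan does it, is not covered, and a sniffer that only captures the host's own traffic does not need promiscuous mode at all.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Flag bits from <linux/if.h>; /sys/class/net/<iface>/flags holds them in hex.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def is_promiscuous(flags_text: str) -> bool:
    """Decode the sysfs 'flags' value (e.g. '0x1103') and test IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_sysfs(sysfs_net: str = "/sys/class/net") -> dict[str, bool]:
    """Return {interface: promiscuous?} for every interface under sysfs_net.
    Unreadable or malformed entries are skipped rather than reported."""
    result: dict[str, bool] = {}
    root = Path(sysfs_net)
    if not root.is_dir():
        return result
    for iface in sorted(root.iterdir()):
        try:
            result[iface.name] = is_promiscuous((iface / "flags").read_text())
        except (OSError, ValueError):
            continue
    return result


# The kernel logs these transitions; they show up in dmesg and the journal.
KLOG_LINE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_kernel_log(lines) -> set[str]:
    """Replay entered/left messages in order and return the interfaces
    that are still in promiscuous mode at the end of the log."""
    current: set[str] = set()
    for line in lines:
        m = KLOG_LINE.search(line)
        if not m:
            continue
        if m[2] == "entered":
            current.add(m[1])
        else:
            current.discard(m[1])
    return current


# Constructed kernel log excerpt for the offline demonstration.
SAMPLE_KLOG = [
    "[  120.113] device eth0 entered promiscuous mode",
    "[  121.874] device eth0 left promiscuous mode",
    "[  300.001] device wlan0 entered promiscuous mode",
    "[  300.002] unrelated message",
]


def demo_fake_sysfs() -> dict[str, bool]:
    """Build a constructed sysfs-like tree in a temp dir and scan it.
    eth0 is UP|BROADCAST|MULTICAST|PROMISC, wlan0 the same without PROMISC,
    lo is UP|LOOPBACK, and 'broken' has no flags file at all."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, flags in (("lo", "0x9"), ("eth0", "0x1103"), ("wlan0", "0x1003")):
            d = Path(tmp) / name
            d.mkdir()
            (d / "flags").write_text(flags + "\n")
        (Path(tmp) / "broken").mkdir()
        return scan_sysfs(tmp)


if __name__ == "__main__":
    for name, promisc in scan_sysfs().items():       # the real host, if Linux
        print(f"{name}: {'PROMISC' if promisc else 'ok'}")
    print("constructed sysfs:", demo_fake_sysfs())
    print("still promiscuous per kernel log:", promisc_from_kernel_log(SAMPLE_KLOG))
```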

If you have any more questions, ask them in the comments below.

We hope we were able to explain everything in simple and understandable language.

Each member of the ][ team has their own preferences regarding software and utilities for pen testing. After conferring, we found that the choices vary so much that it is possible to put together a real gentleman's set of proven programs. So we decided. In order not to make a hodgepodge, we divided the entire list into topics, and this time we'll touch on utilities for sniffing and manipulating packets. Use them to your heart's content.

Wireshark

Netcat

If we talk about data interception, Network Miner will pull from the air (or from a pre-prepared dump in PCAP format) files, certificates, images and other media, as well as passwords and other authorization information. A useful feature is searching for those sections of data that contain keywords (for example, a user login).

Scapy

Website: www.secdev.org/projects/scapy

A must-have for any hacker, it is a powerful tool for interactive packet manipulation. Receive and decode packets of the most diverse protocols, answer a request, inject a modified packet or one you created yourself - everything is easy! With its help you can perform a whole range of classic tasks such as scanning, traceroute, attacks and network infrastructure discovery. In one bottle we get a replacement for such popular utilities as hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc. At the same time, Scapy lets you perform any task, even the most specific one that no other developer's existing tool could ever do. Instead of writing a whole mountain of lines in C to, for example, generate a malformed packet and fuzz some daemon, it is enough to throw in a couple of lines of code using Scapy! The program has no graphical interface; interactivity is achieved through the Python interpreter. Once you get the hang of it, it won't cost you anything to create malformed packets, inject the necessary 802.11 frames, combine different approaches in attacks (say, ARP cache poisoning and VLAN hopping), etc. The developers themselves insist that Scapy's capabilities be used in other projects. By connecting it as a module, it is easy to create a utility for various types of local network research, vulnerability searching, Wi-Fi injection, automatic execution of specific tasks, etc.

packeth

Website:
Platform: *nix, there is a port for Windows

An interesting development that allows, on the one hand, generating any Ethernet packet and, on the other hand, sending sequences of packets in order to check bandwidth. Unlike other similar tools, packeth has a graphical interface, allowing you to build packets in the simplest form. And that is not all. The creation and sending of packet sequences is especially well worked out. You can set delays between sends, send packets at maximum speed to test the throughput of a section of the network (yup, this is where they will file) and, what's even more interesting, dynamically change parameters in packets (for example, the IP or MAC address).
