by Colm Murphy - Technical Director of Espion
- Tuesday, 9 January 2007.
One of the best known exploits is "router redirection". ARP queries contain the correct IP-to-MAC mapping for the sender, and to reduce ARP traffic (and traffic on the network in general) computers cache the mappings they read from these broadcasts. A malicious attacker could redirect nearby machines to forward traffic through it by sending out regular ARP packets containing the router's IP address mapped to its own MAC address. All the machines on the local wire will believe the hacker is the router, and therefore pass their traffic through him/her. Simple, but effective. A more aggressive, but equally effective, strategy would be to DoS a target victim and force it off the network, then begin using its IP address. If you picked your victim carefully, the rewards could be high!
Defending against the rogue sniffer is never easy. As previously mentioned, a switched network will keep the casual sniffer at bay, but the more determined will overcome that obstacle. The most robust method of protection is to enforce the use of encrypted protocols: replace Telnet with SSH, introduce SSL where possible, and encrypt email with PGP or S/MIME. Use two-factor or biometric authentication. Unfortunately, due to the nature of Ethernet, sniffing and sniffers will be here for some time to come.
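Encryption limits what a sniffer can read, but the router-redirection trick above can also be spotted on the wire: a poisoner has to keep advertising the gateway's IP with its own MAC, so an ARP reply that contradicts an already-learned mapping is a strong signal. The following arpwatch-style detector is an added example, not code from the article; the ArpReply/ArpWatch names and all addresses are constructed for illustration.

```python
"""Flag ARP replies that claim an IP already learned with a different MAC.
Mappings for the default gateway are treated as highest severity, since a
change there is the router-redirection pattern. Sample data is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # the IP the sender claims to own
    sender_mac: str  # the MAC it asks everyone on the wire to cache for it


@dataclass
class ArpWatch:
    gateway_ips: frozenset                      # mappings that must never move
    known: dict = field(default_factory=dict)   # ip -> first MAC learned
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpReply) -> Optional[str]:
        """Learn a new mapping silently; alert when a known IP changes MAC."""
        mac = pkt.sender_mac.lower()            # normalise case before comparing
        first = self.known.setdefault(pkt.sender_ip, mac)
        if first == mac:
            return None
        severity = "GATEWAY" if pkt.sender_ip in self.gateway_ips else "HOST"
        alert = f"{severity} {pkt.sender_ip} changed {first} -> {mac}"
        self.alerts.append(alert)               # one alert per conflicting reply
        return alert


# Constructed capture: 192.168.1.1 is the real gateway at 00:11:22:33:44:55;
# the last two replies advertise a different MAC for that IP (poisoning).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:01"),   # same MAC, upper case
]


def run(replies, gateways=("192.168.1.1",)):
    """Feed replies through a watcher and return the alerts it raised."""
    watch = ArpWatch(gateway_ips=frozenset(gateways))
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for line in run(SAMPLE_REPLIES):
        print(line)
```

Repeated alerts for the same IP are expected: the poisoner must keep re-sending to stay ahead of the real router's replies, so the alert rate itself indicates active poisoning rather than a one-off NIC swap.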
There are a large number of sniffing tools available, many of them free. The highly regarded and free packet capture tool Ethereal is a great place to start, but there are many more. A recent and comprehensive list can be found here.