I. Who is peeking at my blog?
Inspector Xiao Jie grew up keeping a diary and kept the habit after she started work: no matter how busy or tired she is, every night before bed she writes down the day's events, such as problems at work, her mood, ideas, and things about colleagues and superiors. Xiao Jie uses a blog service provided by a website, and likes its quiet, simple text interface; when there is no work to do or she is in a bad mood, she goes online to reread the entries she wrote earlier.
One day Xiao Jie came to the office as usual but found the atmosphere different: her colleagues' smiles were unnatural, and several female colleagues were pointing and whispering behind her back, falling silent whenever she looked over. She had to strain to overhear, and indistinctly caught a sentence: "...she even wrote down that someone still owes her 50, this person really..." Xiao Jie's face instantly went white as a sheet: wasn't that the content of one of her diary entries?
Who exactly has been peeking at Xiao Jie's diary? You are on a LAN; is it really safe? Xiao Jie does not know that on the campus LAN a pair of ears has been quietly recording everything her computer sends and receives...
These "ears" are called network sniffing, or network listening (monitoring). It is not a recently emerged technology, nor is it used only in the underground: as an aid for network administrators to monitor the data transmitted on the network and to troubleshoot network failures it plays an irreplaceable role, which is why administrators have favored it and it has developed steadily. So-called listening means inserting, by technical means, a device that can receive and record the communication between two computers, and thereby obtaining a record of the data exchanged between the two sides. Generally the listening device must not cause abnormal behavior or an interrupted connection between the two communicating parties; that is, the listener may not take part in any communication behavior and merely "passively" records the communication data without tampering with it. Once the listener violates this requirement, the behavior is no longer "listening" but "hijacking".
Having read the description of "listening" above, someone might be eager to try: I have a network connection, a brain, and a network sniffer tool, so can't I record the account passwords of a premium movie site, or even of the Ministry of Defence website? This is not impossible, but the premise is that you are able to attach a listening device to the gateway or routing device of the server hosting that site; with just your own home computer it cannot be done. This is the weakness of "listening": the listening device must have a direct link to the physical transmission medium of the monitored device, or the data packets must pass through it on their route, i.e. there must be a logical third-party connection. This condition is met only in the following cases:
1. The listener and the communicating parties are on the same physical network, such as a local area network.
2. There is a route or interface between the listener and the communicating parties, such as a gateway shared by both sides or a routing device that carries the connection between them.
So it is not possible to sniff the Ministry of Defence website's data directly with your own home computer; you see only the packets on your own segment. Those who fear that a distant intruder is listening to their home Internet access can breathe easier: apart from the case where your machine is infected with a Trojan, the intruder would have to control your gateway device, which requires advanced intrusion skills, and will an intruder with such superior skills bother with an ordinary home user's computer?
Admittedly, "listening" does cause losses to communication. A typical example is the 1994 US network eavesdropping incident, in which an unknown person installed network monitoring software on many hosts and backbone network devices and used it against the US Internet backbone and military networks to steal more than 100,000 valid usernames and passwords, causing significant losses. It was only after that event that "listening" technology moved from the underground into the open.
Next, let us gain a deeper understanding of today's most common form of network monitoring.
II. The "ears" active in the local area network
For the reasons given above, sniffing technology cannot easily be used on public network devices except by an intruder who installs it there, since for a network administrator setting up monitoring on a routing device is a simple matter. So today the most common sniffing does not happen on the Internet but on local area networks large and small, because a LAN obviously meets the condition that listening requires: the listener and the communicating parties are on the same physical network.
For listening to occur there must be at least two computers in communication, and what is listened to is the data being transmitted, which requires the eavesdropper itself to be on the communicating network. LAN communication is based on the Ethernet model, which includes the physical devices for data transmission such as network cards, hubs and switches, and also the logical software side: network protocols and operating system support such as NIC drivers, the TCP/IP protocol, the NetBIOS protocol, and the underlying protocols for multiple addressing. With these in place a computer can complete the communication process.
So how do LAN computers communicate? Computer systems transmit data strictly according to the IEEE 802.3 LAN protocol standard and also according to TCP/IP and the 7-layer OSI model, so data is packaged layer by layer from top to bottom, each layer adding its own header and address, until the physical layer turns it into electrical signals and sends it out; the other computer restores the data by the reverse operation. This raises a question: addressing.
In a LAN, computers find each other not by IP address but by the network card's MAC address, also called the Ethernet address, a globally unique identification number burned in during manufacture. According to the protocol specification, when a computer wants to locate another computer, it must broadcast the target computer's IP onto the physical network via the ARP protocol (Address Resolution Protocol); a "broadcast" is a transmission mode in which any computer can receive the data. Each computer receiving it checks whether the information is meant for it, and if so returns a response containing its own address. This step is called "ARP addressing". When the source computer receives a valid response it learns the target computer's MAC address and stores the result in the system's address cache, so the next data transmission does not need another broadcast; the address cache is refreshed and rebuilt periodically to avoid stale and wrong data. The currently active ARP table can be viewed with the arp -a command.
Back to the packaging of data into a bit stream in the bottom two layers, where a critical section is called the "Data Link Layer". Data forms an IP datagram at the network layer and is then passed down to the Data Link Layer, which divides the IP datagram into data frames, adds an Ethernet header, and passes them down to be sent. The Ethernet header contains the local and the target device's MAC address; that is, sending a data frame at the link layer relies on the Ethernet address rather than the IP address. The NIC driver does not care about the destination address of the IP packet; it needs only the MAC address, which is obtained through the ARP addressing mentioned earlier. Simply put, the final transmission destination of data in a LAN is the other side's network card MAC address rather than its IP address; in the LAN the IP address only helps the system find the MAC address.
And it is precisely this addressing structure that ultimately makes listening possible.
So what about monitoring on the Internet, and how is it performed? The Internet does not use MAC address addressing, so a situation like listening inside a LAN cannot occur; in fact, monitoring on the Internet works because data must pass through routing gateways and the routing device is rigged, which is outside the scope of this discussion.
A so-called "shared" LAN (hub-based LAN) refers to the conventional Ethernet structure of the early days that used a hub as the network connection device. In this structure all machines share the same transmission line; the hub has no concept of ports, and its transmission method is "broadcasting": whatever data the hub receives it simply transmits to every device connected to it. For example, if one machine sends a packet saying "I want to talk to Xiao Jie", every device connected to the hub receives it, but only the computer named "Xiao Jie" processes the packet, and the other computers "calmly" discard it. So in a shared Ethernet there is actually no privacy of data; the network card merely ignores, like a "gentleman", the "gossip" that does not concern it. Unfortunately, the network card was designed with an "operating mode" option, and it is this characteristic that leads to a nightmare.
Every network card basically has the following operating modes: Unicast, Broadcast, Multicast and Promiscuous. Normally the operating system sets the card to Broadcast mode. In Broadcast mode the card can receive all kinds of broadcast frames (for example ARP addressing), and otherwise ignores packets whose destination address is not its own MAC address, i.e. it receives only packets sent to itself plus broadcast and multicast packets; this is the card's normal working mode. If a card is set to Unicast or Multicast mode the LAN may behave abnormally, because these two modes restrict the types of packet it receives. And Promiscuous mode is the root of evil: in promiscuous mode the NIC performs no check on the destination MAC address of packets and receives them all, so whatever data passes by, the card receives it, and listening starts here.
Normally the card's working mode is set by the operating system and is not exposed for the user to select, which limits the average user's ability to listen. But once the Sniffer family had developed to a certain point, sniffers gained the power to set the NIC operating mode, and pointed it at Promiscuous: any user who ticks the corresponding option turns his machine into a pair of ears that can record data transmitted by any machine on the LAN. Because of the shared LAN's characteristics, everyone can receive the data, resulting in indefensible information leakage.
But in the end this listening mode was basically wiped out. What means did people use? Quite simply, the LAN structure was upgraded to a "switched LAN".
But as the saying goes, however high the Way, the Devil is higher still: a few years later, listening made a comeback.
The "switched" LAN, as opposed to the "shared" LAN, replaces the hub with a switch as the network connection device. The switch is cleverer than a hub in that each computer connected to it is independent: the switch introduces the concept of a "port", each network line interface existing as an independent port, and it builds an address table storing the MAC address of each connected computer. Apart from broadcast and multicast packets, the switch in general does not send packets in the broadcast fashion of a shared LAN, so even if your NIC is set to promiscuous mode it receives no data sent to other computers, because the switch identifies the destination address of the data and forwards it only to the port matching that address in the table; it never wanders into someone else's house.
This improvement quickly stifled the traditional LAN monitoring tools, but history tends to prove that people are hard to defeat...
(1). Attacking the switch: MAC flooding
Nobody knows who first discovered this attack mode. Perhaps someone vented their anger at the switch for breaking the sniffer, or perhaps an astute researcher wondered what happens when a switch's processor receives more information than it can withstand and experimented. Whatever the explanation, the attack is a reality: a MAC flooding attack sends the switch a large number of IP packets containing false MAC and IP addresses, so that the switch cannot handle so much information and the device malfunctions, entering the so-called "failure" mode. In this mode the switch's processor can no longer properly analyze packets and query the configured address table, and the switch degrades into an ordinary hub, sending data to all ports without selection; this behavior is called "flooding", and the attacker can then sniff the desired data.
However, this method floods the network with large amounts of junk packets, which is not good for the listener either, so MAC flooding is used relatively rarely; moreover, a switch designed with port protection may forcibly shut down all ports when overloaded, causing a network outage. So today people prefer spoofing attacks that use the Address Resolution Protocol, ARP.
(2). The nightmare that ARP brings
Recalling the LAN addressing mode described earlier, we already know that two computers complete their communication by MAC address regardless of IP address, that the target computer's MAC address is obtained by ARP broadcast, and that the acquired address is stored in the MAC address table and updated periodically. While an entry is present the computer does not broadcast for address information to obtain the target MAC address, and this gives an intruder an opening.
When a computer wants to send data to another computer, it first queries its ARP address table by IP address; if there is no MAC information for the target computer, it triggers ARP broadcast addressing until the target computer returns a packet with its own address. Once the target computer's MAC information exists in the address table, the computer directly uses that address as the Ethernet destination in the Data Link Layer header and sends the data. To avoid keeping erroneous data in the MAC address table, the system empties the table after a specified period and re-broadcasts to obtain the address list, and a new ARP broadcast may unconditionally overwrite the existing MAC address table.
Suppose two computers A and B on the LAN are communicating, and computer C wants, in the role of eavesdropper, to obtain the communication data of the two. It must find a way to insert itself into the data line between the two computers, and in a switched network computer C must become an intermediate device so that the data passes through it. To achieve this goal, computer C starts to forge false ARP packets.
ARP address packets come in two kinds: the ARP query packet, which the source machine uses to broadcast addressing information, and the ARP reply packet, with which the target machine responds to the source machine with its MAC address. In the eavesdropping case, if computer C wants to eavesdrop on computer A's communication, it fakes an ARP reply packet whose IP address is computer B's and whose MAC address is computer C's, and sends it to computer A, so that computer A's MAC address table is wrongly updated to map computer B's IP to computer C's MAC address. As a result, the MAC address the system obtains for that IP is computer C's, and the data is sent to computer C, which has listening capability. But this means the original target, computer B, receives no data, so computer C, having taken the role of fake receiver, must also act as a forwarder, passing the data sent by computer A on to computer B so that the two machines communicate normally. Thus computer C forms a communication link with computers A and B, and to A and B computer C is always a transparent presence; they do not know that computer C is overhearing the transmitted data. As long as computer C forges its false ARP reply packet in time whenever computer A re-sends an ARP query, it can maintain this communication link and obtain a continuous data record without causing any communication abnormality for the listened-to parties.
The behavior computer C initiates in order to monitor the data communication of computers A and B is called "ARP spoofing" (ARP Spoofing) or "ARP attack". In a real environment, ARP spoofing usually sniffs computer B's data as well as computer A's: as long as computer C sends computer A ARP reply packets disguised as computer B, and sends computer B ARP reply packets disguised as computer A, it can insert itself into the communication link between the two as a two-way proxy.
III. Containing the "ears": LAN monitoring defense
Knowing how LAN monitoring is implemented, it is not hard to reconstruct how the contents of Inspector Xiao Jie's diary from the opening came to be seen by others: although the office network is a switched LAN, the eavesdropper used an ARP spoofing tool to tamper with the MAC address table on Xiao Jie's machine, so that the data her machine sent actually took a detour through the eavesdropper's machine before really going out. From then on, whenever Xiao Jie logged in to any web form that used a cleartext password, the URL, username and password she entered were recorded by the sniffing software; the eavesdropper only had to log in to the website with that password to sweep up all the privacy Xiao Jie had written in her diary.
So the consequences of the information leakage caused by network monitoring are very serious, ranging from privacy leakage to theft of bank passwords and of documents transmitted over the network, leading to immeasurable economic loss. How to effectively prevent LAN monitoring has therefore always been a worry for administrators.
Due to the limitations of the shared LAN (the hub does not select a specific port, so the data flowing over it is basically "what you have, I have too"), the eavesdropper's connection needs no change to any ARP information, and nobody can escape the fate of being listened to. To solve this problem, the hub must first be replaced with a switch, putting an end to this privacy-free dissemination of data.
Well, now that we have switched to a switched LAN, the next step is to start containing these unwelcome ears.
If we suspect a machine is listening to data, what should we do?
Several years ago a method called the ping detection method became popular. Its principle still uses the MAC address itself: most cards allow the user to specify a MAC address in the driver settings (note: a MAC address specified by the driver in this way can only be used on the LAN itself; it cannot be used to break the MAC+IP binding limits of a remote gateway!), so we can use this feature to turn the spoofing machine's MAC address into a boomerang.
• Assume the machine with IP 192.168.1.4 is equipped with an ARP spoofing tool and a Sniffer. Ping 192.168.1.4, then run arp -a | find "192.168.1.4" to obtain its MAC address, "00-00-0e-40-b4-a1".
• On your NIC driver's settings page, change the Network Address to "00000e40b4a2", i.e. the MAC address with the delimiters removed and 1 added to its last digit.
• Ping 192.168.1.4 again. Normally you should see no response, because no MAC address matching "00-00-0e-40-b4-a2" exists on the LAN.
• If you do see replies, then 192.168.1.4 may be equipped with a Sniffer.
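An added example (not from the article) of the misaddressed-ping principle these steps rely on: instead of changing the driver's Network Address, it builds the Ethernet frame itself on Linux with a raw socket, giving it a destination MAC one higher than the suspect's real MAC while the IP and ICMP layers are correct for the target. The interface name, source MAC and source IP are assumed placeholders.

```python
import socket
import struct
import time

PROBE_IDENT = 0x1234                      # ICMP identifier so we recognise our own reply
SAMPLE_TARGET_MAC = "00-00-0e-40-b4-a1"   # the suspect's real MAC, as in the steps above


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def next_mac(mac: str) -> str:
    """The trick from the steps: the suspect's MAC with 1 added to its last digit."""
    n = (int(mac.replace("-", "").replace(":", ""), 16) + 1) & 0xFFFFFFFFFFFF
    h = "%012x" % n
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def build_probe(src_mac: str, bogus_dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet frame whose destination MAC is deliberately wrong, carrying a
    correct ICMP echo request for dst_ip. A NIC in normal mode drops it at the
    MAC filter; a promiscuous NIC passes it up, and the IP stack may answer."""
    payload = b"promisc-probe"
    icmp = struct.pack("!BBHHH", 8, 0, 0, PROBE_IDENT, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip_hdr + icmp


def is_echo_reply(frame: bytes, from_ip: str) -> bool:
    """True if frame is an ICMP echo reply from from_ip carrying PROBE_IDENT."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or socket.inet_ntoa(frame[26:30]) != from_ip:
        return False
    icmp = frame[14 + ihl:]
    return len(icmp) >= 8 and icmp[0] == 0 and struct.unpack("!H", icmp[4:6])[0] == PROBE_IDENT


def probe(iface: str, src_mac: str, src_ip: str, target_ip: str, target_mac: str,
          timeout: float = 2.0) -> bool:
    """Send the probe on iface (Linux AF_PACKET, needs root) and wait for a reply.
    A reply means target_ip answered a frame that was not addressed to its MAC."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    s.settimeout(0.2)
    s.send(build_probe(src_mac, next_mac(target_mac), src_ip, target_ip))
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            frame = s.recv(65535)
        except socket.timeout:
            continue
        if is_echo_reply(frame, target_ip):
            return True
    return False


if __name__ == "__main__":
    # Assumed interface and addresses (placeholders); adjust to your own segment.
    suspect = probe("eth0", "00-11-22-33-44-55", "192.168.1.2", "192.168.1.4", SAMPLE_TARGET_MAC)
    print("192.168.1.4 answered a misaddressed frame" if suspect else "no reply: NIC filters normally")
```

A reply is strong evidence, but silence is not proof of a clean host: the Linux IP stack discards frames the NIC marked as addressed to another host even in promiscuous mode, so this probe mainly catches stacks that do not make that check.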
Another "vicious" method is to send a large number of packets with non-existent MAC addresses to the computer suspected of having a Sniffer installed. Because the listening program needs a lot of CPU resources to analyze and process large volumes of packets, the other computer's performance degrades, so we can judge by comparing the machine's performance before and after the packets are sent; but if the other machine is well configured, this method is not very effective.
Besides active sniffing behavior, some machines are maliciously planted by an intruder with a backdoor that has sniffing capability; then we must test the machine itself. The principle is to create a raw connection (Raw Socket) on a random port of our own machine, then create a UDP connection to any port of our own machine and send some arbitrary data. Under normal circumstances the raw connection cannot receive this data; if it can, the machine's NIC is in "promiscuous" mode, which is what Sniffers usually do, and do I need to say what comes next?
But I basically could not find a ready-made tool for this; maybe the problem is my ability to find one. In fact the problem is easy to solve: since a machine with a Sniffer installed can receive any data, simply install another Sniffer on that machine (not an ARP spoofing type!) and you can "share" the captured data. Normally we can only see the network data of our own IP; if we unfortunately find that the Sniffer is also pilfering other computers' data, and, because ARP spoofing exists, we may even sniff our own computer periodically sending out ARP reply packets... Once it is this obvious, it would be impolite not to expose it...
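An added example (not from the article) for checking your own Linux machine: rather than the raw-socket trick above, it asks the kernel for each interface's promiscuous state via `ip -d -o link`. The sample output embedded below is constructed for the demonstration.

```python
import re
import subprocess

IFF_PROMISC = 0x100   # flag bit from <linux/if.h>


def parse_ip_link(text: str) -> dict:
    """Parse `ip -d -o link` output into {ifname: (PROMISC in flag list, promiscuity counter)}.
    The <...> flag list only shows PROMISC when an admin set it explicitly
    (ip link set DEV promisc on); a packet-socket sniffer such as tcpdump leaves
    that list alone and instead raises the 'promiscuity' counter, so check both."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", line)
        if not m:
            continue
        flags = m.group(2).split(",")
        cnt = re.search(r"\bpromiscuity (\d+)", line)
        result[m.group(1)] = ("PROMISC" in flags, int(cnt.group(1)) if cnt else 0)
    return result


def promiscuous_interfaces(text: str) -> list:
    """Names of interfaces that are promiscuous by either indicator."""
    return sorted(name for name, (flag, cnt) in parse_ip_link(text).items() if flag or cnt > 0)


def flags_have_promisc(flags_hex: str) -> bool:
    """Check a raw flags word such as the contents of /sys/class/net/<if>/flags ('0x1103')."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def check_local() -> list:
    """Run the real command (Linux, iproute2) and report promiscuous interfaces."""
    out = subprocess.run(["ip", "-d", "-o", "link"], capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


# Constructed sample: lo is clean, eth0 has a capture running, eth1 was set promisc by hand.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT "
    "group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 "
    "promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT "
    "group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff "
    "promiscuity 1 minmtu 68 maxmtu 1500 addrgenmode eui64\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT "
    "group default qlen 1000\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff "
    "promiscuity 1 minmtu 68 maxmtu 1500 addrgenmode eui64\n"
)

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
    try:
        print("this host:", check_local())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run ip(8):", exc)
```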
Although monitoring that uses ARP spoofing packets is difficult to detect on the network, it is not impossible to defend against. As opposed to ARP addressing: in a relatively stable LAN the number of machines is fixed, network cards are rarely replaced, and people do not change their IP for no reason, so we can use static ARP mappings, i.e. record the network card MAC address and corresponding IP of every computer in the LAN and then bind them statically with "arp -s IP-address MAC-address". The computer then no longer uses ARP broadcasts to find others and naturally does not respond to the dynamic ARP reply packets sent by ARP spoofing tools, because a static address has higher priority than a dynamic one. The drawback of this method is that it demands a lot of the user; not everyone understands what a MAC address is. The other point is that if there are too many machines or they change frequently, the operation causes the user, usually the network administrator, great mental harm...
Therefore the commonly used method is software defense, such as Anti Arp Sniffer, which forcibly binds the relationship between the machine and the gateway MAC, so that a listening machine disguised as the gateway to obtain data is rendered useless. And what if the listener deceives only one computer? That requires ARP Watch, which monitors in real time the MAC addresses of LAN computers and changes in ARP broadcast packets; if an ARP spoofing program sends a packet with a false address, it causes a mismatch in the MAC address table, and ARP Watch pops up a warning to the user.
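An added example (not from the article and not ARP Watch's own code) of the watching logic described here, applied to the two-way spoofing of section (2): it parses Ethernet+ARP frames, keeps the IP-to-MAC pairs seen, and alerts when an IP changes MAC, when one MAC claims several IPs, or when the ARP sender MAC disagrees with the Ethernet source. The sample frames and the MACs for computers A and B are constructed; the capture source is assumed to be any raw-socket reader feeding frames to observe().

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return "-".join("%02x" % x for x in b)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode=ARP_REPLY) -> bytes:
    """Constructed Ethernet+ARP frame; used here only to make sample traffic."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, ethernet_source_mac), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, fmt_mac(frame[22:28]), socket.inet_ntoa(frame[28:32]), fmt_mac(frame[6:12])


class ArpWatch:
    """Learns IP->MAC pairs from the wire and flags the symptoms of ARP spoofing."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # static entries play the role of arp -s bindings
        self.by_mac = {}                  # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, frame: bytes) -> list:
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, smac, sip, eth_src = parsed
        new = []
        if smac != eth_src:
            new.append(f"{sip}: ARP sender {smac} but Ethernet source {eth_src}")
        known = self.table.get(sip)
        if known is None:
            self.table[sip] = smac
        elif known != smac:
            new.append(f"{sip} moved from {known} to {smac} (possible ARP spoofing)")
        ips = self.by_mac.setdefault(smac, set())
        ips.add(sip)
        if len(ips) > 1:
            new.append(f"{smac} claims {len(ips)} IPs: {sorted(ips)}")
        self.alerts.extend(new)
        return new


def demo_alerts() -> list:
    """Constructed sample: A and B reply genuinely, then C answers as both of them."""
    a_ip, a_mac = "192.168.1.3", "00-00-0e-40-b4-a3"   # computer A (constructed)
    b_ip, b_mac = "192.168.1.2", "00-00-0e-40-b4-b2"   # computer B (constructed)
    c_mac = "00-00-0e-40-b4-a1"                         # the eavesdropper C
    frames = [
        build_arp(b_mac, b_ip, a_mac, a_ip),   # B -> A: genuine reply
        build_arp(a_mac, a_ip, b_mac, b_ip),   # A -> B: genuine reply
        build_arp(c_mac, b_ip, a_mac, a_ip),   # C -> A, pretending to be B
        build_arp(c_mac, a_ip, b_mac, b_ip),   # C -> B, pretending to be A
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo_alerts():
        print("ALERT:", alert)
```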
In addition, dividing the network into VLANs is also an effective method: each VLAN is isolated and data must pass through routing, at which point the MAC address information is discarded and each computer transmits data using standard TCP/IP, so even if a Sniffer is present it cannot deceive with a false MAC address.
Network monitoring technology, as a tool, always plays both positive and negative roles, and on a LAN it often operates in the dark. For intruders, network monitoring easily obtains users' key information, so they favor it. For intrusion detection and tracing, network monitoring also plays an important role in the fight against intruders, so defenders cannot do without sniffing either. We should strive to learn network security knowledge, dig further into the technical details of network monitoring, and master a solid technical foundation, so as to win the struggle against intruders.