"Packet Sniffers"
I know this is probably the wrong forum, but I also know that the quality of the people here is ample to get my question answered.

I am an undergraduate student at a state university in Minnesota. This summer, as part of a long-term independent study, I set up a Linux machine on the campus ethernet, got it assigned an IP, and then proceeded to do a practicum on system administration and information management. (This is also the same machine that briefly ran the digested version of the Cypherpunks mailing list.) Following some departmental conflicts and (IMHO) illegal sanctions, the machine was shut down for some unspecified "security concerns". Essentially, it turns out, the computer science department didn't want this kind of independent project around. So I trundled across campus to another college, got the proper faculty behind me and submitted for the continuance of the project.

After three weeks of jumping through the correct hoops and over the correct hurdles, there appears to be only one "concern" remaining. Some junior computer administrator has raised the concept of "packet sniffers" as being a suitable bar for my project (the machine is a 486/66 Linux machine). Unfortunately, I haven't a clue what exactly a "packet sniffer" is and am really not in a position to answer the arguments in even a semi-informed manner. Thus, I am posting here in the hope that one or more of you can take a moment to give me the lowdown on what these things are.

Common sense seems to indicate that it is a piece of software or firmware that will display the contents of any packets that pass through the machine on their way to the correct destination. The specific setup would have the machine on a thinnet link in a lab with about 20 other PCs which are used primarily as word processors and terminals to the campus VAX or UNIX machines. The specific upstream setup is unknown, but I assume there is some kind of a line to a router upstream, eventually winding its way into the real world.
It seems to me that a packet sniffer on the lowest link of the network wouldn't be able to look at those packets passing upstream because the router would never pass them down, but I could be just plain wrong and that's why I'm asking for some clarification. Thanks for your help. Sorry if this seems confusing.

Robert A. Hayden <hayden@krypton.mankato.msus.edu>
Finger for Geek Code Info / Finger for PGP Public Key
I do not necessarily speak for the City of Mankato or anyone else
The way thinnet ethernet works, all machines on the net will probably see all packets going to/from any of them. If you have root access, you can look at all packets coming across the network. (You can do this with a PC or Mac as well.) The way telnet works has no encryption in it; the password you type gets sent across the network as you type it. This is barely even a secret anymore.

That's the technical side of it. What the junior admin type says is correct. You will be able to snarf the passwords of anyone who logs in over the local thinnet segment. My response to this is, so can anyone with a Mac or PC. There is code out there that will sniff passwords for you. (I've heard it's in the public domain on PCs, but do not know.)

The question is, what is your institution doing about this threat in general? Do they let people log in over the internet? If so, passwords have been stolen. Do they maintain full physical control of the wires between data centers? Does the institution have a policy for dealing with this? The problem seems to be the lack of a security policy to provide guidance in saying why your machine is different from all these other machines out there. If there is a solid difference, then maybe they should keep you out. But I'd guess that you are quite vulnerable to sniffing.

I am no longer handing out copies of sniff.c. Track down the Phrack. Some sample log output from esniff.c (part of Phrack 45):
-- TCP/IP LOG -- TM: Mon Sep 12 14:41:15 --
 PATH: machine1(1625) => machine2(telnet)
 STAT: Mon Sep 12 14:41:29, 39 pkts, 46 bytes [TH_FIN]
 DATA: (255)(253)^C(255)(251)^X(255)(250)^X
     : SUN-CMD(255)(240)(255)(253)^A(255)(252)^Aadam
     : ********(127)^
(My password for local logins replaced with ***)

Robert Hayden:
| The specific setup would have the machine on a thinnet link in a lab with
| about 20 other PCs which are used primarily as word processors and
| terminals to the campus VAX or UNIX machines. The specific upstream
| setup is unknown, but I assume there is some kind of a line to a router
| upstream, eventually winding its way into the real world.
|
| It seems to me that a packet sniffer on the lowest link of the network
| wouldn't be able to look at those packets passing upstream because the
| router would never pass them down, but I could be just plain wrong and
| that's why I'm asking for some clarification.
On Sep 12, 2:47pm, Adam Shostack wrote:
| The way thinnet ethernet works, all machines on the net will probably see all packets going to/from any of them.
All machines on the same PHYSICAL network will. If the university is worried about password sniffing, they should put the machine on a bridged ethernet segment. If they're really concerned, give them their own subnet and apply an appropriate routing policy. This is not difficult.
| The way telnet works has no encryption in it; the password you type gets sent across the network as you type it. This is barely even a secret anymore.
It never was a secret.

Ian.
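An added example, not code from the thread or from esniff.c itself: a small Python decoder for the DATA notation in the esniff log quoted above. It rebuilds the raw bytes and separates the telnet option negotiation (the IAC sequences) from what the user typed, which makes concrete what any host on a shared thinnet segment sees. Assumptions: each " : " continuation line stands for a byte esniff did not print inline, the option names come from the telnet RFCs, and SAMPLE is the thread's own log with the password already starred out by its author.

```python
import re

# Telnet command and option numbers (RFC 854, 857, 858, 1091).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE"}
TOKEN = re.compile(r"\((\d+)\)|\^(.)|(.)", re.S)  # esniff: (decimal), ^X control, or literal
# The DATA block quoted in the thread; its author already replaced the password with '*'.
SAMPLE = """\
 DATA: (255)(253)^C(255)(251)^X(255)(250)^X
     : SUN-CMD(255)(240)(255)(253)^A(255)(252)^Aadam
     : ********(127)^
"""

def esniff_decode(text):
    """Raw bytes from an esniff DATA block. Assumption: a ' : ' continuation
    line marks a byte esniff did not print inline (CR/LF or NUL); rendered as LF."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("DATA:") or line.startswith(":")):
            continue
        if line.startswith(":"):
            out.append(0x0A)
        body = line.split(":", 1)[1]
        body = body[1:] if body[:1] == " " else body   # esniff's single separator space
        for num, ctl, ch in TOKEN.findall(body):
            out.append(int(num) if num else ord(ctl) ^ 0x40 if ctl else ord(ch))
    return bytes(out)

def split_telnet(stream):
    """Separate IAC option negotiation from the bytes the user actually typed."""
    negotiation, typed, i = [], bytearray(), 0
    while i < len(stream):
        if stream[i] != IAC or i + 1 == len(stream):
            typed.append(stream[i]); i += 1
        elif stream[i + 1] in CMD:                 # IAC DO/DONT/WILL/WONT <option>
            negotiation.append((CMD[stream[i + 1]], OPT.get(stream[i + 2], stream[i + 2])))
            i += 3
        elif stream[i + 1] == SB:                  # IAC SB <option> <data...> IAC SE
            end = stream.index(bytes([IAC, SE]), i)
            negotiation.append(("SB", OPT.get(stream[i + 2], stream[i + 2]), stream[i + 3:end].strip()))
            i = end + 2
        else:                                      # any other two-byte IAC command
            i += 2
    return negotiation, bytes(typed)

def typed_lines(typed):
    """Keystrokes per line: at a telnet login, username then password, both in the clear."""
    return [l for l in typed.replace(b"\r", b"").split(b"\n") if l]
```

Run on SAMPLE, the negotiation comes out as DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE, SB TERMINAL-TYPE "SUN-CMD", DO ECHO, WONT ECHO, and the typed lines are the username and the (starred) password; nothing in that exchange protects either, which is the whole point of the thread.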
Participants (3): Adam Shostack, Ian Farquhar, Robert A. Hayden