Beware of Network Sniffers
Subject:   sniffing IS a threat
Date:   2005-11-03 17:15:48
From:   damdamdam
"Well, sniffing is actually a lot harder than Hollywood movies portray it to be."

It's not that hard to do, and very effective.

"Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone."

Or just imagine an open Wifi network...

"first, how long will it take for you to fill up your laptop's hard drive with captured packets?"

Quite a long time if I have set the right capture filters. No need to log all the packets. Just log the interesting ones (the ones coming and going to the host you want to crack for example).

"And second, how long will it take you to actually find something useful (like a password or other credentials or a MasterCard number) in all those captured packets?"

You're not using the right tool for the right job. You may want to try some powerful packet sniffers before saying that.

"Then ask yourself something else: if you're standing in the server room of a company you want to hack, why on earth would you bother sniffing the network anyway?"

To get to other networks/accounts I have not YET cracked.

"Why not just grab the hard drive from a server and run?"

You need physical access to do that. You can do it but it requires much more planning than just sniffing somewhere on the network. You don't need to sniff from the source or the destination network. Somewhere in the middle is just fine. You can even do it from previously cracked networks and be relatively safe. Much safer than "grab and run" if you ask me.

"Encrypt all traffic on your internal network using IPSec. Just try and sniff that."

I'm not talking about IPSec, but every protocol based on SSL is vulnerable to man in the middle attacks. It's not sniffing anymore because it's an active attack, but you can crack "SSL secured" networks. But we're not talking of script kiddies anymore. It's more difficult than just sniffing.

Besides, encrypting your internal network is fine, but it won't do a lot when you have to send the root password by plain email to someone outside (yourself at home, because you want to work from home this week). Sniffing is still effective in that sort of case.

"Checking your DNS logs periodically for lookups for this machine's IP address could signal a sniffing attack at work."

Absolutely not. It might just be a (dumb) port scan. Quite a different beast from sniffing. By definition, sniffing is silent. You don't do anything on the sniffed network except listen. You won't know someone is sniffing unless you're looking for it.