Sniffing the Corporate and Institutional Network

by Embedded
12 December 1998

Corporate and Institutional Survival Techniques

(You unix gurus, no laughing! ;)
This essay talks about a little piece of software called Sniffer Pro 1.0 by Network Associates (it used to be called Net X-Ray before the company was bought out). We will look at how to pull data off the wire at the lowest level there is as far as the internet/intranet is concerned: the raw packets themselves.

I hope you've all been reading the Reverser+ pages and learned that the internet is a huge collection of information. However, how many of us have thought about the basics of the internet? It is like learning to program in assembler: we should understand how the fundamentals work. We have these little packets that contain data flying everywhere. It would make sense that if we could look at these little gold nuggets, we could extract the information we wanted right out of them. Security? Not much of it left after this... then again, I think that's what that whole SSL thing is all about (if someone would like to talk about Secure Sockets, please send me a copy). Imagine a phone line with a tap on it. Heck, imagine a whole building of phone lines and you're at the switchboard... and then you realize the possibilities.

Your network card sees all the traffic on the hub it's connected to. If several hubs are daisy-chained together, heck, all the better. I hope we all know that telnet and ftp are both inherently insecure, meaning all data transferred is in plain text. That is, when you telnet you're just sending and receiving ASCII/binary data wrapped in TCP/IP. Here is what one telnet frame looks like on the wire:
    xx xx xx xx xx xx yy yy yy yy yy yy 08 00 45 00   xxxxxxyyyyyy..E.
    00 2F 59 67 00 00 3E 06 3B 23 mm mm mm mm nn nn   ./Yg..>.;#mmmmnn
    nn nn 00 17 06 E6 ED C6 7A 3D 01 44 0E 96 50 18   nn......z=.D..P.
    21 80 C5 17 00 00 6C 6F 67 69 6E 3A 20            !.....login: 

xx = Destination MAC (media access control)
yy = Source MAC
mm = Source IP Address
nn = Destination IP Address
0x0017 == 23 (Telnet) = Source Port <- right after nn

Uhmmm... you'll notice the prompt "login: ". When you are typing in your login, your terminal is told to echo back the characters. When you are typing in your password, your terminal is told not to echo back the characters (mmm... nice security, eh!). Oh, and please don't fret over all that hex. Sniffer Pro will organize it in a nice gui format and will parse the headers for you and tell you all that you need to know.

So what? So what! If you're at work, just fire up Sniffer Pro and define some filters. Try filtering out just telnet or ftp. Leave it on for a while and continue to do some work. When you feel you've collected enough packets, just stop and examine them. Sniffer Pro will do all the hard work for you. You can search for text, you can filter by IP addresses, you can send out a sequence of the captured packets, you can do pretty much anything.
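The frame dump and legend above, and the telnet/ftp filter idea in this paragraph, as a worked example in Python. This is added here; it is not code from the essay and has nothing to do with Sniffer Pro's own parser. It decodes the dumped frame field by field (Ethernet, IPv4, TCP, payload) and then runs the same kind of port-based filter over a small constructed "capture". The MAC and IP values standing in for xx/yy/mm/nn, the extra frames, and the function names are all constructed for the example; IP and TCP checksums are not verified.

```python
import struct

# Wildcard bytes in the essay's dump (xx/yy/mm/nn) are filled with constructed
# sample values; every other byte is exactly as printed in the dump.
TELNET_FRAME = bytes.fromhex(
    "00 11 22 33 44 55 "                                 # xx: destination MAC (constructed)
    "66 77 88 99 aa bb "                                 # yy: source MAC (constructed)
    "08 00 "                                             # EtherType 0x0800 = IPv4
    "45 00 00 2f 59 67 00 00 3e 06 3b 23 "               # IPv4 header up to the addresses
    "0a 00 00 05 "                                       # mm: source IP 10.0.0.5 (constructed)
    "0a 00 00 07 "                                       # nn: destination IP 10.0.0.7 (constructed)
    "00 17 06 e6 ed c6 7a 3d 01 44 0e 96 50 18 21 80 c5 17 00 00 "  # TCP header
    "6c 6f 67 69 6e 3a 20"                               # payload: "login: "
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# TCP ports of services that send logins in the clear (the ones the essay names).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}


def parse_frame(frame):
    """Decode an Ethernet II / IPv4 / TCP frame into a dict of header fields plus payload.

    Raises ValueError for anything that is not a complete IPv4/TCP frame, so a
    caller iterating over mixed traffic can simply skip those frames.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _ipsum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed or truncated IPv4 packet")
    ip = ip[:total_len]                  # drop Ethernet padding past the IP total length
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _tcpsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4     # header length in bytes, from the top nibble
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "total_len": total_len, "ident": ident, "ttl": ttl,
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "payload": tcp[data_off:],
    }


def build_frame(src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Assemble a minimal IPv4/TCP frame for the sample capture (checksums left at 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp


# Constructed "capture": the essay's telnet frame, an FTP login, a TLS record
# on port 443, and an ARP request (EtherType 0x0806) that the parser must skip.
SAMPLE_FRAMES = [
    TELNET_FRAME,
    build_frame("10.0.0.9", "10.0.0.21", 1100, 21, b"USER alice\r\n"),
    build_frame("10.0.0.9", "10.0.0.30", 1101, 443, b"\x16\x03\x01\x00\x05hello"),
    bytes.fromhex("ffffffffffff 66778899aabb 0806 0001 0800 06 04 0001") + bytes(20),
]


def find_cleartext_logins(frames):
    """Audit filter: (src_ip, dst_ip, service, payload) for each frame on a cleartext-login port."""
    findings = []
    for frame in frames:
        try:
            pkt = parse_frame(frame)
        except ValueError:
            continue                     # not IPv4/TCP: irrelevant to this filter
        service = CLEARTEXT_PORTS.get(pkt["sport"]) or CLEARTEXT_PORTS.get(pkt["dport"])
        if service:
            findings.append((pkt["src_ip"], pkt["dst_ip"], service, pkt["payload"]))
    return findings


if __name__ == "__main__":
    pkt = parse_frame(TELNET_FRAME)
    print(f"{pkt['src_ip']}:{pkt['sport']} -> {pkt['dst_ip']}:{pkt['dport']} "
          f"flags={'|'.join(pkt['flags'])} ttl={pkt['ttl']} payload={pkt['payload']!r}")
    for src, dst, service, payload in find_cleartext_logins(SAMPLE_FRAMES):
        print(f"cleartext {service}: {src} -> {dst} {payload!r}")
```

Run against the dumped frame, the decoder reports source port 23 (telnet), TTL 62, an IP total length of 47 (0x2F), PSH|ACK flags and the payload "login: ", which is exactly what the legend says to look for. The filter at the end is the defender's version of the essay's "filter out just telnet or ftp": a network owner can run the same port-based rule over a capture of their own segment to list the hosts still authenticating in the clear and move them to SSH, FTPS/SFTP or POP3 over TLS.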

The interesting thing is that your network card will see everything that's flying by even if your machine isn't assigned an IP address. You could even get a laptop and load it up with Sniffer Pro. Go down to your favourite network. Unplug one of the machines from the network; I mean the ethernet cable, because everything else is probably locked down really tight. (Isn't it ironic that the cable that passes all the information is the one thing that's not secured?) Start a capture and chat with the people around you. When you've got a couple of megabytes of data, pack up, go home and browse at your leisure.

Now, you'll notice that the POP3 packets are viewable. However, the passwords are transmitted in an encrypted fashion. I guess if you're interested, you could attempt to crack them. For those users on Novell Networks, all the login and password information is passed in an encrypted manner. I have not examined them at any length, so I don't know anything beyond that. (I asked the IT person who is down the hall and that's what he said. The IT people here are normal and down to earth.)

In conclusion, take a look at all the different types of data going around. Examine what ping messages look like. Check out IPX. Just explore and learn. Remember to respect other people's privacy and don't go around abusing other people's school or work accounts. You're interfering with their livelihood.
Knowledge is a tool.
Ask for Wisdom to guide it.

Embedded - in_bed(at)yahoo(dot)com

