Detecting NICs in Promiscuous Mode




1. Introduction
On a local area network, sniffing has become a major threat to network security. By sniffing the network, a malicious user can easily steal confidential documents and anyone's private data. Doing so is very easy: the malicious user only has to download a sniffer from the Internet and install it on their own computer. However, there is no good way to detect sniffer programs on the network. This article discusses using Address Resolution Protocol (ARP) packets to effectively detect sniffers on office and campus networks.

2. The Principle of Sniffing
Local area networks are usually built on Ethernet. Information carried over an Ethernet cable by the IP protocol (IPv4) is transmitted in plain text unless an encryption program has encrypted it. When someone sends information onto the network, they expect only the specific intended user to receive it. Unfortunately, the way Ethernet works gives unauthorized users an opportunity to steal that data. When Ethernet transmits information, the packets are delivered to every node on the network; the node whose address matches the destination address accepts them, and the other nodes simply discard them. Whether a packet is accepted or discarded is controlled by the Ethernet card. When receiving packets, the NIC filters out and accepts only those whose destination address is its own, rather than accepting everything. In the rest of this article we call this filtering by the NIC the hardware filter. That is only the normal case, however: a sniffer works differently, setting its NIC to receive every packet on the network regardless of whether the destination address is its own. This NIC mode is called promiscuous mode.

3. Basic Concepts of Promiscuous Mode Detection
On the network, a sniffer receives all packets without sending any illegal packets. It does not interfere with the flow of network data, so it is hard to detect. Nevertheless, the state of a NIC in promiscuous mode is clearly different from that in normal mode. In promiscuous mode, packets that should have been filtered out by the hardware reach the system kernel, and whether such a packet is answered depends entirely on the kernel.

Here is a real-world example that illustrates our method for detecting nodes in promiscuous mode. Imagine a meeting taking place in a conference room. Someone can eavesdrop (sniff ^_^) by putting an ear to the conference room wall. While she (a woman, as in the original :P) is eavesdropping (sniffing), she holds her breath and quietly listens to everything said in the room. However, if someone in the room suddenly calls the eavesdropper's name, "Mrs. XX", she may answer "Yes". This sounds a little funny, but it can be applied directly to detecting network sniffing. A node that is sniffing receives every packet on the network, so its kernel may wrongly respond to certain packets that should have been filtered out by the hardware. Based on this principle, we can detect sniffing on the network by examining how nodes respond to ARP packets.

4. The Basics
1) Hardware Filter
First, let us start with the differences between a NIC in promiscuous mode and in normal mode. An Ethernet address is 6 bytes long, and the manufacturer assigns each card an address that is unique worldwide, so in theory no two cards share an address. All communication on the Ethernet is based on this hardware address. However, a NIC can be set to different filter modes to receive different kinds of packets. The filter modes of an Ethernet card are:
unicast
The NIC receives all packets whose destination address is its own.
broadcast
Receives all broadcast packets; the destination address of an Ethernet broadcast packet is FFFFFFFFFFFF. Such packets reach every node on the network.
multicast
Receives packets whose destination is a specified multicast group address. The NIC only receives packets whose address has been registered beforehand in its multicast list.
all multicast
Receives all multicast packets.
promiscuous
Does not check the destination address at all; receives every packet on the network.


Figure 1 illustrates the difference between the hardware filter in normal operation and in promiscuous mode. Normally, a NIC's hardware filter is set to receive packets destined for unicast, broadcast and multicast address 1. The filter accepts only packets whose destination is its own address, the broadcast address (FF FF FF FF FF FF) or multicast address 1 (01 00 5E 00 00 01).

2) ARP Mechanism
IP networks running over Ethernet depend on Ethernet for delivery; a packet cannot be sent using only an IP address. Ethernet therefore needs a mechanism to translate between IP addresses and hardware addresses. That mechanism is the Address Resolution Protocol (ARP). ARP belongs to the network layer, the same OSI layer as IP. Address resolution happens continuously on an IP network, which makes ARP packets well suited for detecting nodes in promiscuous mode.
The following example shows how an ARP packet resolves an IP address:
Suppose a PC (X) on the network with IP address 192.168.1.1 and Ethernet address 00-00-00-00-00-01 needs to send a message to another PC (Y) with IP address 192.168.1.10. Before sending, X first sends an ARP request to look up the Ethernet address corresponding to 192.168.1.10. The destination address of the request is set to FF-FF-FF-FF-FF-FF (broadcast), so every node on the local network receives it. On receiving it, each node checks whether the IP address queried by the ARP packet matches its own. If not, it ignores the packet; if it matches (Y), it sends a reply to X. When X receives the reply, it caches Y's IP/hardware address pair. X can then send the actual data to Y.

5. Detecting Nodes in Promiscuous Mode
As described above, the way packets are filtered is what distinguishes a node in promiscuous mode from a normal node. When the NIC is set to promiscuous mode, packets that should have been filtered out reach the system kernel. Using this mechanism we can detect nodes on the network that are in promiscuous mode: we construct an ARP request whose destination address is not the broadcast address, send it to each node on the network, and judge from each node's response whether it is in promiscuous mode.
Let us walk through the whole ARP request/response process. First, an ARP request is generated to resolve the hardware address of 192.168.1.10. To let every node on the network receive the request, its destination address is set to the broadcast address. In theory, only the NIC with IP address 192.168.1.10 responds to it.
Now suppose we set the request's destination (Ethernet) address to something other than the broadcast address. For example, what happens if we set the destination address to 00-00-00-00-00-01? A NIC in normal mode treats the request as addressed to another host, and its hardware filter refuses to accept it. However, if the NIC of the node (192.168.1.10) is in promiscuous mode, the hardware filter does no filtering at all even though the Ethernet address does not match, so the request reaches the system kernel. Because the node's IP address matches the IP address queried by the packet, the kernel should consider that an ARP request has arrived and answer it. Surprisingly, however, the kernel of this promiscuous node does not answer the ARP request. This unexpected result shows that the packet was filtered out by the system kernel. We call this the software filter.

Going a step further, we can detect nodes in promiscuous mode by exploiting the different characteristics of the hardware filter and the software filter. The hardware filter generally blocks all invalid packets (which obviously never reach the kernel), so a packet that passes the hardware filter generally also passes the software filter; we will not discuss this case further. What we need is to construct packets that should be blocked by the hardware filter but can pass the software filter. If such packets are sent to each node on the network, nodes in normal mode will not answer, while nodes in promiscuous mode will.

6. Software Filter
The software filter depends on the operating system kernel, so it is necessary to understand how the kernel's software filter works. Linux is open source, so we can obtain its software filtering mechanism; for Micro$oft Windows we can only guess from experiment :(.

1) Linux
In the Linux Ethernet driver module, packets are classified by hardware address.

Broadcast packets
FF FF FF FF FF FF

Multicast packets
All packets with the group bit set, excluding broadcast packets.

TO_US packets
Packets whose destination address equals the local NIC's address.

OTHERHOST packets
All packets whose destination address differs from the local NIC's address.

Now, we assume that all packets with the group bit set are multicast packets. The Ethernet multicast addresses used by IP networks are 01-00-5e-xx-xx-xx, so multicast packets cannot be singled out by checking the group bit alone. This assumption is not wrong, because 01-00-5e-xx-xx-xx is an IP-based multicast address, but NIC hardware addresses are also used by other higher-layer protocols.

Next, let us look at the code of the ARP module.


/* Linux kernel ARP module: a received ARP packet matching any of these
   conditions is dropped before any reply is considered */
if (in_dev == NULL ||
    arp->ar_hln != dev->addr_len ||
    dev->flags & IFF_NOARP ||
    skb->pkt_type == PACKET_OTHERHOST ||
    skb->pkt_type == PACKET_LOOPBACK ||
    arp->ar_pln != 4)
        goto out;


The ARP module of the Linux kernel rejects all packets of type OTHERHOST. It then processes BROADCAST, MULTICAST and TO_US packets. Table 1 summarizes how the hardware filter and the software filter handle each kind of ARP packet. Legend: hw (hardware), sw (software), res. (response), gr (group).

Below, we describe each of these six kinds of hardware address in detail:

TO_US
In normal mode, all TO_US packets pass both the hardware filter and the software filter. Therefore, regardless of whether the NIC is in promiscuous mode, the ARP module answers them.

OTHERHOST
In normal mode the NIC rejects all OTHERHOST packets. Even when the NIC is in promiscuous mode, these packets cannot pass the software filter, so such ARP requests receive no response.

BROADCAST
In normal mode, BROADCAST packets pass both the hardware and the software filter, so they cannot be used to detect promiscuous mode.

MULTICAST
In normal mode, if the packet's hardware address is not registered in the multicast list, the NIC refuses it; but if the NIC is in promiscuous mode, such a packet passes both the hardware filter and the software filter unhindered. Packets of this type can therefore be used to detect nodes in promiscuous mode.

group bit
Packets of this type are neither BROADCAST nor MULTICAST, but the group bit of their hardware address (the lowest-order bit of the first byte of the Ethernet address) is set, for example 01-00-00-00-00-00. In normal mode the NIC refuses such packets, but in promiscuous mode they pass the hardware filter. The Linux kernel classifies them as multicast packets, so they also pass the software filter. Packets of this type can therefore be used for promiscuous mode detection as well.


2) Micro$oft Windows
Windows is not open source, so we cannot analyze its software filter behaviour from source code; it has to be tested by experiment. In the experiment we used the following hardware addresses:

FF-FF-FF-FF-FF-FF broadcast address
All nodes on the network receive this kind of packet. A normal ARP request uses this address.

FF-FF-FF-FF-FF-FE fake broadcast address
FF-FF-FF-FF-FF-FE is a fake broadcast address with its last bit missing. It is used to check whether the software filter examines every bit of the address and whether it responds.

FF-FF-00-00-00-00 16-bit fake broadcast address
Only the first 16 bits of FF-FF-00-00-00-00 match the real broadcast address. If the filter function only tests the first word of the broadcast address, this address is classed as broadcast.

FF-00-00-00-00-00 8-bit fake broadcast address
Only the first 8 bits of this address match the broadcast address. If the filter function only checks the first byte of the broadcast address, it too is classed as broadcast.

01-00-00-00-00-00 multicast-flag address
Only the multicast flag bit (the low-order bit of the first byte of the Ethernet address) is set. It is used to check whether the filter function treats it as a multicast address the way Linux does.

01-00-5E-00-00-00 multicast address 0
Multicast address 0 is rarely used, so we use it as a multicast address that is not registered in the NIC's multicast list. Normally the hardware filter should refuse such packets. But if the software filter does not check all address bits, they may be classed as multicast, in which case the kernel answers when the NIC is in promiscuous mode.

01-00-5E-00-00-01 multicast address 1
All nodes on the LAN should receive packets to multicast address 1; in other words, the hardware filter passes them by default. A NIC that does not support multicast mode may not respond, so this kind of packet can be used to check whether a host supports multicast addresses.


Test results:
The results for these 7 kinds of address are shown in Table 2. The tests were run against Windows 95/98/ME/2000 and Linux. As expected, with the NIC in normal mode, every kernel responds to packets addressed to the broadcast address and to multicast address 1.
When the NIC is in promiscuous mode, however, the results differ by operating system. Windows 95/98/ME respond to the 31-, 16- and 8-bit fake broadcast addresses, so we can conclude that the software filter of the Windows 9x series decides whether an address is broadcast by checking only one bit.
Windows 2000 responds to the 31- and 16-bit fake broadcast addresses, so we can conclude that Windows 2000 checks 8 bits of the address to decide whether it is broadcast.
The Linux kernel responds to packets of all seven kinds of address.

7. Promiscuous Mode Detection
We can apply these test results to detecting nodes in promiscuous mode on a LAN. The procedure is as follows:
1) We want to check whether the host with IP address A is in promiscuous mode. First we construct an ARP packet and an Ethernet frame in the following format:

ARP packet:
Target Ethernet address 00 00 00 00 00 00 (note 1)
Sender Ethernet address 00 11 22 33 44 55 (note 2)
Upper-layer protocol type 08 00 (IP)
Hardware type 00 01 (Ethernet)
Hardware address length 06 (length of an Ethernet address)
IP address length 04
Sender IP address: our own IP address
Target IP address: IP address of the host under test
ARP opcode 00 01 (ARP request 01, ARP reply 02)

Ethernet frame:
Protocol type 08 06 (ARP)
Sender hardware address: our own NIC's address
Target hardware address FF FF FF FF FF FE

Note 1: this is the Ethernet address the ARP request is querying; it can be filled with all zeros or all ones.
Note 2: replace with your own Ethernet address.

2) Once the packet is constructed, we can send it onto the network.

3) Now we wait for the target host's reaction. If the target host is in normal mode, the packet is blocked; but if it is in promiscuous mode, we receive a reply.

8. Checking All Network Nodes
By applying the detection method of section 7 to each node in turn, we can detect all nodes on the network that are in promiscuous mode. In some situations, however, this method fails.

9. Exceptions
As mentioned above, there are situations in which this method cannot be used for promiscuous mode detection. These exceptions include:

1) Old NICs
Some old NICs do not support a multicast list, for example the 3COM EtherlinkIII. Packets reach the software filter without being checked by the hardware filter.

2) 3COM NICs
A 3COM 3c905 NIC installed in a Linux host is set by default to receive all multicast packets, so we cannot distinguish promiscuous mode from multicast mode. The cause is that the Linux driver module for this card does not support a multicast list, so the card receives all multicast packets. Note: the Linux installer uses 3c59x.o as the driver module for this card. Changing the driver module to 3c905x.o solves the problem.

3) Windows 2000 packet capture driver
An exception also arises when the Windows 2000 packet capture driver is dynamically loaded. WinPcap 2.1 (2.01 differs) and SMS are two dynamically loaded packet capture drivers for Windows 2000. When they are installed on a Windows 2000 system they respond in a special way: even when the NIC is not in promiscuous mode, the host responds to packets addressed to the 16-bit fake broadcast address (sniffers using these drivers will also fail to operate accurately). In other words, the host is detected even when no sniffer is running. Micro$oft may have done this intentionally to make promiscuous mode detection easier.



Source of the English original: http://wenku.baidu.com/link?url=8kMDd3aZtNSmA7Gvytaq2ZmxFYPXjpu1LdUJiPhclOirgvs5wJjzzFqAxUSQUfIM5BX-PARzJhkirpKZ35WredeptIYvwA9YJ5T1ECMncMq


Detection of Promiscuous Nodes
Using ARP Packets

Version 1.0

31-Aug-01
Written by: Daiji Sanai <hyler@securityfriday.com>
Translated by: Kelvin King-Pang Tsang

http://www.securityfriday.com



Contents

Abstract
1. Introduction
2. The Principle of Sniffing
3. Basic Concepts of Promiscuous Node Detection
4. The Basics
   1) Hardware Filter
      Unicast
      Broadcast
      Multicast
      All Multicast
      Promiscuous
   2) ARP Mechanism
5. Basics of Promiscuous Node Detection
6. Software Filter
   1) Linux
   2) Microsoft Windows
7. Promiscuous Detection
8. Promiscuous Node Detection
9. Exceptions
   1) Old NIC's
   2) 3Com NIC
   3) Windows 2000 Packet Capture Driver


Abstract
On a local network, security is always taken into consideration.  When plain text data is being sent onto the network, it can be easily stolen by any network user.  Stealing data from the network is called sniffing.  By sniffing the network, a user can gain access to confidential documents and intrude into anyone's privacy.  Much freely distributed software on the Internet provides this functionality.  Despite the ease of sniffing, there is no good way to detect such malicious acts yet.  This document explains the mechanism used by PromiScan, a piece of software that can effectively scan for sniffers on the network.  Sniffers work by receiving all packets being sent onto the network.  To achieve this, all sniffers must set the Network Interface Card (NIC) of their PC's into a mode called "promiscuous mode".  Then the NIC will blindly receive all packets and pass them to the system kernel.  Address Resolution Protocol (ARP) request packets are used to query hardware addresses from IP addresses.  We make use of this kind of packet to verify whether the NIC's on the network are set to promiscuous mode.  ARP request packets are used because they are available on all IPv4 based Ethernets.  When a NIC is receiving all packets, packets that are not supposed to arrive at that PC are no longer blocked by the NIC.  All packets are passed to the system kernel, and the system kernel may make the mistake of responding to some packets that it is not supposed to respond to.  With the presence of the above mechanisms, we can compose fake ARP request packets and send them to every node on the network.  These packets normally are blocked by the NIC's, but if some nodes respond to them, then some promiscuous NIC's exist.  Those PC's with promiscuous NIC's are running sniffers.  Thus sniffers can be successfully detected.
1. Introduction
In the local network, the act of sniffing has been a big threat.  Malicious users can easily steal confidential documents and anyone's privacy by sniffing the network.  Sniffing causes intrusion into privacy, but it can be done simply by downloading free sniffer software (sniffers) from the Internet and installing it on a personal computer.  However, so far there is no good way to detect which PC's are sniffing the network.  This documentation will discuss the use of Address Resolution Protocol (ARP) packets to effectively detect malicious users when they are sniffing an office's or a school's network.
2. The Principle of Sniffing
The local network is usually built on Ethernet.  On an Ethernet using the IP protocol (IPv4), information is sent on the cable in plain text, unless an encryption program is used.  When someone sends information onto the network, she expects someone on the other side of the network to receive that information.  Unfortunately, the mechanism of Ethernet gives unauthorized people a chance to steal and look at the data.  We know that an Ethernet based network works by sending messages to all nodes on the network, and it expects that only the intended node(s) will receive the messages.  At the same time, the other nodes simply drop the messages.  Whether to receive or drop the messages is controlled by the Network Interface Card (NIC).  The NIC does not receive all the packets on the network although it is connected to the Ethernet; instead it filters out the desired packets, which this specific computer should receive.  For the rest of this document, we will call the filter of the NIC the Hardware Filter.  Sniffing is done by setting the NIC of one's own PC to a specific mode, such that the NIC will receive all data arriving at it, no matter whether it is the intended destination.  This NIC mode is called the Promiscuous Mode.
3. Basic Concepts of Promiscuous Node Detection
Instead of sending out illegal packets, network sniffing is performed by receiving all packets.  Since it does not interfere with the network traffic at all, it is difficult to detect such behavior.  Nonetheless, the state of the NIC in promiscuous mode is obviously different from that in normal mode.  A packet that is supposed to be filtered by the hardware filter is now passed to the system kernel.  As a result, whether to respond to the packet relies totally on the internal software.
Our way to detect a promiscuous node can be demonstrated by an example from the real world.  Imagine that there is a conference in a meeting room.  Then sniffing the conference can be done by putting one's ear against the wall of the meeting room.  When she is sniffing, she wants to hold her breath and quietly listen to all the conversations going on in the meeting room.  However, if the name of the sniffer is called in the conference, "Miss XX?", the sniffer may occasionally make a mistake by responding to it, "Yes!"  This analogy sounds a little ridiculous, but it can be applied to network sniffing.  Since the sniffing node receives all the packets, including those that are not targeted at it, it may make mistakes such as responding to a packet which originally is supposed to be filtered by the NIC.  Therefore, our promiscuous node detection is performed by checking the responses to ARP packets, when ARP request packets are sent to all nodes on the network.
4. The Basics
1) Hardware Filter
First of all, let us begin with the differences between the NIC in promiscuous mode and in normal mode.  All the NIC's on the Ethernet are represented by a 6-byte hardware address.  The manufacturer assigns this address such that each address is unique in the whole world.  Theoretically, there are no two NIC's having the same hardware address.  All communications on the Ethernet are based on this hardware address.  The NIC, however, can set up different filters in order to receive different kinds of packets.  The following is a list of hardware filters:
Unicast
Receive all packets having the same destination address as the hardware address of the NIC.

Broadcast
Receive all broadcast packets.  Broadcast packets have destination address FF FF FF FF FF FF.  The purpose of this mode is to receive the packets which are supposed to arrive at all nodes existing on the network.

Multicast
Receive all packets which are specifically configured to arrive at some multicast group addresses.  Only packets from the hardware multicast addresses registered beforehand in the multicast list can be received by the NIC.

All Multicast
Receive all multicast packets.  Since this mode may also correspond to other high-level protocols other than IPv4, All Multicast will receive all packets that have their group bit set.

Promiscuous
Receive all packets on the network without checking the destination address at all.

fig.1 illustrates the operations of a hardware filter when it is in normal mode and when it is sniffing.  Normally, PC's set their NIC hardware filter to unicast, broadcast and multicast address 1.  They only receive packets that have their destination address set to the PC's own hardware address, the broadcast address (FF FF FF FF FF FF), and multicast address 1 (01 00 5E 00 00 01).

2) ARP Mechanism
On an Ethernet linked by IP addresses, packets are in fact sent and received based on hardware addresses.  Packets cannot be sent by just using an IP address.  Therefore, the Ethernet needs a mechanism that converts IP addresses into hardware addresses.  At this time, Address Resolution Protocol (ARP) packets are used.  ARP packets belong to the link layer, which is the same layer as IP, so ARP packets do not affect the IP layer.  Since IP address resolution is always available on an IP network, ARP packets are the suitable packets for testing the response of the nodes when detecting promiscuous nodes.
In the following example, we illustrate the operations of using an ARP packet to resolve an IP address: 
A PC (X) with IP address 192.168.1.1 and hardware address 00-00-00-00-00-01 wants to send messages to another PC (Y) with IP address 192.168.1.10.  X will first compose an ARP request packet, which is used to query the hardware address corresponding to 192.168.1.10.  The destination hardware address field of the ARP packet is set to a broadcast (FF-FF-FF-FF-FF-FF) such that all nodes in the local network will receive this packet.  When each PC on the network receives this packet, it checks whether the IP address of the ARP packet is the same as its own.  If they are different, this ARP packet is ignored.  If they are the same, that PC will reply to the packet, along with its own hardware address and IP address.  In this case, Y will send a reply packet to X, and X will cache this hardware/IP address pair.  Since X successfully queried the hardware address of Y, X can begin sending the actual data. 
5. Basics of Promiscuous Node Detection
As stated before, packets are filtered differently when the NIC is set to promiscuous mode and that to normal mode.  When the NIC is set to promiscuous mode, packets that are supposed to be filtered by the NIC are now passed to the system kernel.  By using this mechanism, we come up with a new way to detect promiscuous nodes:  if we configure an ARP packet such that it does not have broadcast address as the destination address, send it to every node on the network and discover that some nodes respond to it, then those nodes are in promiscuous mode. 
Here is a walk-through of the correct request/response operations of ARP.  First of all, an ARP packet is generated in order to resolve 192.168.1.10.  Its destination address is set to the broadcast address such that all nodes on the network can receive it.  Theoretically, only one node with exactly the same IP address will respond to it.
Then, what if the ARP packet's destination is set to a different address other than the broadcast address?  For instance, what will happen if we set the destination address to 00-00-00-00-00-01?  When the NIC is in normal mode, this packet is considered to be a "to other host" packet, so it is refused by the hardware filter of the NIC.  However, when the NIC is in promiscuous mode, the NIC does not perform any filter operation.  Then this packet is able to pass to the system kernel.  The system kernel assumes that this ARP request packet arrives because it contains the same IP address as that PC, so it should respond to the packet.  To our surprise, the kernel indeed will not respond to the packet (fig. 2).  This unexpected result shows that there exists some sort of filter in the software, because a packet is actually filtered again by the system kernel.  For the time being, we will call this the Software Filter.

OTHERHOST packets:
When the NIC is in normal mode, it rejects the OTHERHOST packets.  Even when the NIC is in promiscuous mode, the software filter rejects those packets.  So there will be no response to ARP requests.
BROADCAST packets:
In normal mode, BROADCAST packets pass both hardware and software filters.  So there will be a response regardless of the mode of the NIC.
MULTICAST packets:
In normal mode, packets with a hardware address not registered in the multicast list are rejected.  But if the NIC is in promiscuous mode, packets of this kind will pass the hardware filter even if the hardware address is not registered in the multicast list.  And, due to the fact that the software filter does not reject multicast packets, a response will be obtained.  In this case, since a different result will be obtained when the same packet is sent to a NIC in normal mode and to one in promiscuous mode, packets of this kind will be used for promiscuous node detection.
Group bit packets:
These are the packets that are neither BROADCAST nor MULTICAST packets, but have the group bit set.  In normal mode, the hardware filter rejects these kinds of packets, but in promiscuous mode these packets are passed.  And since these kinds of packets are classified as multicast packets by the software filter, they are able to pass the software filter.  These group bit packets can be used to detect promiscuous nodes.
2) Windows
Windows is not an open-source operating system, so we cannot analyse its software filter behaviour by examining its source code.  Instead we perform experiments testing the software filter of Windows.  The following seven kinds of hardware addresses are used:
FF-FF-FF-FF-FF-FF broadcast address:
All nodes should receive this kind of packet and respond because it is a broadcast address.  A usual ARP request packet uses this address.
FF-FF-FF-FF-FF-FE fake broadcast address:
This address is a fake broadcast address missing the last bit.  This is to check whether the software filter examines all bits of the address and whether it will respond.
FF-FF-00-00-00-00 fake broadcast 16 bits:
This address is a fake broadcast address in which only the first 16 bits are the same as the broadcast address.  This may be classified as a broadcast address and replied to when the filter function only checks the first word of the broadcast address.
FF-00-00-00-00-00 fake broadcast 8 bits:
This address is a fake broadcast address in which only the first 8 bits are the same as the broadcast address.  This may be classified as a broadcast address and replied to when the filter function only checks the first byte of the broadcast address.
01-00-00-00-00-00 group bit address:
This is an address with only the group bit set.  This is to check whether this address is considered as a multicast address, as Linux does.
01-00-5E-00-00-00 multicast address 0:
Multicast address 0 is usually not used.  So we use this as an example of a multicast address not registered in the multicast list of the NIC.  The hardware filter should reject this packet.  However, this packet may be misclassified as a multicast address when the software filter does not completely check all bits.  The system kernel thus may reply to such a packet when the NIC is set to promiscuous mode.
01-00-5E-00-00-01 multicast address 1:
Multicast address 1 is an address that all hosts in the local network should receive.  In other words, the hardware filter will pass this kind of packet by default.  But it is possible that the NIC does not support multicast mode and does not respond.  So this is to check whether the host supports multicast addresses.
 
Results:
The test results of the experiment using the 7 addresses are listed in table 2.  The tests are performed against Windows 95, 98, ME, 2000 and Linux.  As expected, all kernels respond to the broadcast address and multicast address 1 when the NIC is in normal mode.
However, when the NIC is set to promiscuous mode, the results are OS dependent.  Windows 95, 98 and ME respond to the fake broadcast 31, 16, and 8 bits.  So we may say that the software filter of the Windows 9x series determines the broadcast address by checking only 1 bit.
In the case of Windows 2000, it responds to fake broadcast 31 and 16 bits.  So we may conclude that the software filter of Windows 2000 determines the broadcast address by checking 8 bits.
In the case of Linux, it responds to all seven kinds of hardware address when the NIC is set to promiscuous mode.

Table 2   Result  (✓ = responds to the ARP request, - = no response)

HW Address           Windows9x/ME        Windows2k/NT4       Linux2.2/2.4
                     normal   promisc    normal   promisc    normal   promisc
FF:FF:FF:FF:FF:FF      ✓        ✓          ✓        ✓          ✓        ✓
FF:FF:FF:FF:FF:FE      -        ✓          -        ✓          -        ✓
FF:FF:00:00:00:00      -        ✓          -        ✓          -        ✓
FF:00:00:00:00:00      -        ✓          -        -          -        ✓
01:00:00:00:00:00      -        -          -        -          -        ✓
01:00:5E:00:00:00      -        -          -        -          -        ✓
01:00:5E:00:00:01      ✓        ✓          ✓        ✓          ✓        ✓
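As an added example, not from the paper or from PromiScan, the following Python model replays the filter logic of section 6 for the seven test addresses: the NIC hardware filter, the Linux software filter as given by the kernel classification and the ARP-module check quoted in the translation above, and a Windows rule that is an assumption fitted to Table 2 (a frame counts as broadcast when its leading 8 bits, for Windows 9x/ME, or 16 bits, for Windows 2000/NT4, are all ones). OWN_MAC is a constructed address, and the function and OS names are this example's own.

```python
# Added example (not from the paper or PromiScan): a model of the NIC hardware
# filter and the kernel software filter for the seven test addresses.
# The Linux rule follows the pkt_type classification and the ARP-module check
# quoted in section 6; the Windows rules are an ASSUMPTION fitted to Table 2.

BROADCAST = "ff:ff:ff:ff:ff:ff"
MULTICAST1 = "01:00:5e:00:00:01"   # all-hosts group, registered by default
OWN_MAC = "00:11:22:33:44:55"      # constructed address of the host under test

TEST_ADDRESSES = [
    "ff:ff:ff:ff:ff:ff",  # broadcast
    "ff:ff:ff:ff:ff:fe",  # fake broadcast (last bit cleared)
    "ff:ff:00:00:00:00",  # fake broadcast, first 16 bits
    "ff:00:00:00:00:00",  # fake broadcast, first 8 bits
    "01:00:00:00:00:00",  # group bit only
    "01:00:5e:00:00:00",  # multicast address 0 (not registered)
    "01:00:5e:00:00:01",  # multicast address 1 (registered)
]


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def hardware_filter_accepts(dst, own_mac=OWN_MAC, promisc=False,
                            multicast_list=(MULTICAST1,)):
    """NIC receive filter: own unicast address, broadcast and registered
    multicast addresses in normal mode; everything in promiscuous mode."""
    if promisc:
        return True
    d = mac_bytes(dst)
    if d == mac_bytes(own_mac) or d == mac_bytes(BROADCAST):
        return True
    registered = {mac_bytes(m) for m in multicast_list}
    return bool(d[0] & 0x01) and d in registered


def linux_software_filter_accepts(dst, own_mac=OWN_MAC):
    """Linux: group bit set -> BROADCAST or MULTICAST, own address -> TO_US;
    both reach the ARP module. Anything else is PACKET_OTHERHOST, which the
    quoted `goto out` check drops."""
    d = mac_bytes(dst)
    return d == mac_bytes(own_mac) or bool(d[0] & 0x01)


def windows_software_filter_accepts(dst, own_mac=OWN_MAC, broadcast_prefix_bits=8):
    """ASSUMED model fitted to Table 2: the frame counts as broadcast when its
    leading `broadcast_prefix_bits` bits are all ones (8 reproduces the
    Windows 9x/ME column, 16 the Windows 2000/NT4 column). The host's own
    address and multicast address 1 are always accepted."""
    d = mac_bytes(dst)
    if d == mac_bytes(own_mac) or d == mac_bytes(MULTICAST1):
        return True
    full_bytes, rest = divmod(broadcast_prefix_bits, 8)
    if d[:full_bytes] != b"\xff" * full_bytes:
        return False
    if rest:
        mask = (0xFF << (8 - rest)) & 0xFF
        return d[full_bytes] & mask == mask
    return True


SOFTWARE_FILTERS = {
    "Windows9x/ME": lambda dst: windows_software_filter_accepts(dst, broadcast_prefix_bits=8),
    "Windows2k/NT4": lambda dst: windows_software_filter_accepts(dst, broadcast_prefix_bits=16),
    "Linux2.2/2.4": linux_software_filter_accepts,
}


def arp_request_answered(os_name, dst, promisc):
    """An ARP request is answered only if it passes both filters."""
    return hardware_filter_accepts(dst, promisc=promisc) and SOFTWARE_FILTERS[os_name](dst)


def result_table():
    """{address: {(os, mode): answered}} over the seven test addresses."""
    return {dst: {(os_name, mode): arp_request_answered(os_name, dst, mode == "promisc")
                  for os_name in SOFTWARE_FILTERS for mode in ("normal", "promisc")}
            for dst in TEST_ADDRESSES}


def detection_addresses(os_name):
    """Addresses answered in promiscuous mode but not in normal mode, i.e.
    the ones usable as a probe against that OS."""
    return [dst for dst in TEST_ADDRESSES
            if arp_request_answered(os_name, dst, True)
            and not arp_request_answered(os_name, dst, False)]


def universal_probe_addresses():
    """Addresses that separate the two modes on every OS in the table."""
    common = None
    for os_name in SOFTWARE_FILTERS:
        found = set(detection_addresses(os_name))
        common = found if common is None else common & found
    return [dst for dst in TEST_ADDRESSES if dst in common]


if __name__ == "__main__":
    table = result_table()
    for dst in TEST_ADDRESSES:
        cells = ["Y" if table[dst][(o, m)] else "-"
                 for o in SOFTWARE_FILTERS for m in ("normal", "promisc")]
        print(dst, " ".join(cells))
    print("usable on every OS:", universal_probe_addresses())
```

The model reproduces every cell of Table 2 and shows why section 7 picks FF FF FF FF FF FE: it is one of only two addresses that separate the modes on all three systems, and the other one (the 16-bit fake broadcast) is exactly the address affected by exception 3 in section 9.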
 
7. Promiscuous Detection
The results so far prove that we can use ARP packets to determine a promiscuous node, whether the systems are running Windows or Linux.  Thus, in a similar manner, this detection method can be applied to the local network.  Here is the procedure:
1) We want to check whether the machine with IP address (A) is in promiscuous mode, so we compose an ARP packet.  The ARP packet has the following format:

Ethernet address of destination               FF FF FF FF FF FF
Ethernet address of sender                    00 11 22 33 44 55
Protocol type (ARP = 0806)                    08 06
Hardware address space (Ethernet = 01)        00 01
Protocol address space (IPv4 = 0800)          08 00
Byte length of hardware address               06
Byte length of protocol address               04
Opcode (ARP request = 01, ARP reply = 02)     00 01
Hardware address of sender of this packet     <Own NIC's Device Address>
Protocol address of sender of this packet     <Own PC's IP Address>
Hardware address of target of this packet     00 00 00 00 00 00
Protocol address of target                    <IP Address (A)>
- Ethernet address of destination is the destination address of the Ethernet packet.  In this case, it is the hardware address of the NIC of the target.  The destination of an ARP packet should be set to the broadcast address FF FF FF FF FF FF, because we want all hosts to receive this packet, and we want one host to reply if its IP address corresponds to the one the ARP packet is querying.  But, as stated before, since we want to compose a packet that is supposed to be blocked by the hardware filter and is able to pass the software filter, we will use FF FF FF FF FF FE instead.
- Ethernet address of sender is the hardware address of the sender.  For instance, 00 11 22 33 44 55 is a six-byte hardware address.
- Protocol type is 08 06 when this is an ARP packet.
- Hardware address space is 01 when the Ethernet is being used.
- Protocol address space is 08 00 when the IPv4 protocol is being used.
- Byte length of hardware address is the length in bytes of the hardware address.  In this case, it is 06.
- Byte length of protocol address is the length in bytes of an IPv4 address.  In this case, it is 04.
- Opcode is 00 01 when it is an ARP request packet.
- Hardware address of sender of this packet is the PC's hardware address; for example, it can be set to 00 11 22 33 44 55.
- Protocol address of sender of this packet is the 4-byte IP address of the sender's PC.
- Hardware address of target of this packet is 00 00 00 00 00 00 because it is currently unknown.  (The purpose of an ARP request packet is to query this field.)
- Protocol address of target is the 4-byte IP address of the node that is being checked for promiscuous mode.
 
2) After we compose this packet, we can send it onto the network.
3) Now, this packet is supposed to be blocked by the hardware filter of the target machine.  However, if that machine is in promiscuous mode, this packet will pass the hardware filter and the software filter will respond.  If we receive a response, then that machine is in promiscuous mode.
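The probe of section 7 (in both the translation and the original above) as an added example, not the paper's or PromiScan's code: it assembles the Ethernet/ARP bytes of the request field by field and recognises the reply a promiscuous host returns. The MAC and IP addresses are constructed, the function names are this example's own, and sending on the wire (which needs a raw link-layer socket and administrator rights) is left out so the block runs offline.

```python
# Added example (not from the paper or PromiScan): build the probe frame of
# section 7 and recognise the reply that marks a host as promiscuous.
# Sending it needs a raw link-layer socket and is left out so this runs offline.
import ipaddress
import struct

FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"   # blocked by the NIC, passed by the software filter
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 0x0001
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = 14          # dst(6) + src(6) + type(2)
ARP_LEN = 28          # fixed-size ARP body for Ethernet/IPv4


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _arp_body(op, sender_mac, sender_ip, target_mac, target_ip):
    """hardware space, protocol space, hlen, plen, opcode, then the two address pairs."""
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    body += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    body += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return body


def build_probe_frame(own_mac, own_ip, target_ip, eth_dst=FAKE_BROADCAST):
    """Ethernet frame for the detection probe: the Ethernet destination is the
    fake broadcast address, the ARP target hardware address is zero (unknown)
    and the ARP target protocol address is the host under test (A)."""
    eth = mac_bytes(eth_dst) + mac_bytes(own_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + _arp_body(ARP_REQUEST, own_mac, own_ip, "00:00:00:00:00:00", target_ip)


def build_reply_frame(host_mac, host_ip, to_mac, to_ip):
    """Constructed sample of the reply a promiscuous host sends back (test input)."""
    eth = mac_bytes(to_mac) + mac_bytes(host_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + _arp_body(ARP_REPLY, host_mac, host_ip, to_mac, to_ip)


def parse_arp(frame):
    """Parse an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def is_probe_reply(frame, own_mac, own_ip, target_ip):
    """True when `frame` is the ARP reply from the probed host to our probe.
    A NIC in normal mode never delivers the probe, so a reply means the host
    is promiscuous (subject to the exceptions in section 9)."""
    p = parse_arp(frame)
    return (p is not None and p["op"] == ARP_REPLY
            and p["sender_ip"] == target_ip
            and p["target_mac"] == own_mac.lower()
            and p["target_ip"] == own_ip)


if __name__ == "__main__":
    probe = build_probe_frame("00:11:22:33:44:55", "192.168.1.1", "192.168.1.10")
    print(probe.hex())
    # Constructed reply from a promiscuous host with a made-up hardware address
    reply = build_reply_frame("00:00:00:00:00:0a", "192.168.1.10",
                              "00:11:22:33:44:55", "192.168.1.1")
    print("promiscuous:", is_probe_reply(reply, "00:11:22:33:44:55", "192.168.1.1", "192.168.1.10"))
```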
8. Promiscuous Node Detection
To detect all the promiscuous nodes present on the local network, we apply the technique described in section 7 to all nodes on the network sequentially.  If there exist some machines that cannot be reached by ARP packets, then this method of promiscuous detection cannot be applied to them.
9. Exceptions
Here we present some exceptions in which promiscuous detection cannot be used:
1) Old NIC's
Some old NIC's do not support a multicast list.  For example, 3COM's EtherlinkIII does not support a multicast list.  Packets can reach the software filter without being checked by the hardware filter.  Due to the fact that the packets we are sending out have their group bit set, it is not possible for this kind of NIC to distinguish between a promiscuous detection packet and a multicast packet.  If such a situation happens, they should be replaced by new NIC's.

2) 3Com NIC
When 3Com's 3c905 series NIC's are installed on Linux machines, they are set to all multicast mode by default, so it is not possible for us to distinguish multicast mode from promiscuous mode.  This exception arises because the driver provided by Linux does not support a multicast list, and the NIC's fall into all multicast mode by default.  Notice that 3c59x.o is chosen to be the driver of such NIC's by the Linux installer.  If such a case happens, edit the line in /etc/modules.conf (/etc/conf.modules) and change the driver to 3c905x.o; then this problem will be resolved.
3) Windows 2000 Packet Capture Driver
This exception arises when a Windows 2000 packet capture driver is dynamically loaded.  WinPcap 2.1 (2.01 is different) and SMS are two dynamically loaded drivers.  When they are installed on a Windows 2000 system, they have special responses.  The NIC will respond to the fake broadcast 16 bits even if it is not in promiscuous mode (sniffers with those drivers will not operate accurately either).  In other words, such a sniffer can be detected even if it is not being run.  Microsoft may have created this exception intentionally in order to detect promiscuous nodes.


Copyright © 2001, SecurityFriday.com, all rights reserved.

