Sniffing Traffic Over a Switched Network
I was cleaning out my server and I found this old article I wrote back when I was a little more… black hat. It’s an interesting read. I was in high school when I wrote this, so the quality of the actual writing may not be quite as good, but it’s still cool nonetheless. I can’t say I condone doing such actions as this article outlines, but knowledge should be free. No system should be secured through obscurity, and any transport layer security implementation would make this attack fruitless. Without further ado, I present a simple guide to hijacking a network via ARP poisoning to read any data you like on a switched network.
II) Preliminary Data Gathering
III) Setting up Cain
VI) Other Notes
Okay so we have all at one time wanted to be able to read our friends’ AIM messages while we are at their house, or maybe while at work or school wanted to be able to read some MSN Messenger or Yahoo messages. Sure there are programs that claim to be able to intercept these messages for you, but most of the time they are not free, don’t work on switched networks, and only capture one kind of traffic. I am going to teach you how to capture any kind of traffic with 2 free tools and a little cunning. You will also require some basic networking knowledge; I’ll try and make it as simple as possible, but don’t expect to be able to do this if you’ve never turned on a computer before. So first, what you’ll need. If you are on a wireless network, you can move straight to the Ethereal chapter. Wired networks, unless on a hub, need to have ARP route poisoning set up, which is in the Cain section.
Ethereal Network Packet Sniffer: http://www.ethereal.com/download.html
Ethereal Display Filter Help: http://www.ethereal.com/docs/dfref/
Cain and Abel Password Recovery Tool: http://www.oxid.it/cain.html
Basic networking knowledge, including what a network is, what an IP address is, and an understanding of ARP wouldn’t hurt.
At least two computers on a network
The computer that will be capturing traffic should have Windows XP; it may work with versions down to Windows 95, but I’m not sure.
The other computer theoretically could be of any kind, because all IM traffic should be the same, although I haven’t tested this theory.
Somebody having a conversation you want to monitor.
Preliminary data gathering:
Okay first let’s say this: ARP, routers, switches, and such could take up many many many pages and would get very in depth. All you really need to know for this is that ARP tells computers which network card has what IP address, so traffic can get where it is going. Therefore being able to change ARP presents you with the possibility of being able to send traffic wherever you want within your network. ARP is like the traffic controller in a sense, in that it tells data where computers are located. The tool we use for messing with ARP is Cain. But before we fire up Cain we have to figure out a few things.
You have to know what address the computer whose traffic you want to capture is using to send traffic to the outside world. Odds are this is going to be a piece of hardware called a router, or a switch. These are devices that specialize in directing network traffic where it needs to be. This is called the default gateway; it acts like your door to the internet. Odds are if it’s on your network, it’s using the same default gateway as you. An easy way to find this out is to go into DOS, by using start->run->cmd and typing in ipconfig /all. Where it says default gateway is the address you are interested in.
Then you also need to know the IP address of the computer whose traffic you want to capture. There are a lot of ways to do this. If you know the name of the computer, a simple ping will do: use start->run->cmd and then ping computername, where computername is the name of the computer; the ping should return the IP address of that computer. Also you could do the net view command in DOS to view all computers on your network, then you know all the names, then you probably find the computer that sounds right, ping that and get the IP. Or you can go to my network places and you may see it there. Or under network, if you’re on Windows 95, 98, or 2000, go to computers near me; that should show you all computers on your network, unless a firewall is blocking you from doing so.
Or on Windows XP under my network places, then in entire network, Microsoft Windows network, then the workgroup you are in, should also show you a listing of all accessible computers. Then you can get the computer’s name and ping it. So now you should have the target PC’s IP address, and its default gateway (If you know a better way to get a remote machine’s default gateway, please let me know). Now you are ready to fire up Cain.
Setting up Cain with ARP route poisoning:
So now you need to forward all traffic to you for inspecting, because if you don’t, most of the traffic is going to go straight to the internet without you getting a chance to analyze it. Because routers and switches choose the best path for traffic to move to the internet, you normally would not get to see it. Like this:
You see how if computer A wanted to send traffic to the internet, it would first go to the router, which is computer A’s default gateway. The router would then send it to the internet; computer B would have no chance to see it. So say you are computer B and computer A is sending the traffic you want to see, what is the easiest way to do this? Easy of course, LOOK LIKE YOU ARE THE ROUTER! So we need to corrupt the network ARP information, to make computer A think that computer B is the way to the internet. So it would look like this; although the physical connections do not change, this is how it kinda works in the network once ARP route poisoning is set up.
Notice that now computer A sends you all of its information and you send it to the outside world. Computer A thinks that the IP address it is looking for is on your computer, so it sends all traffic to you, and then to the outside world. Then traffic from the internet coming in, goes through you and you then give it to A. You get to see everything that is coming from or going to A.
So we do this by using Cain’s ARP route poisoning. First, go to configure and select the appropriate adaptor, which is probably going to be the only one with an IP assigned to it. Then start the sniffer by clicking the sniffer button in the top left toolbar area. Then click the sniffer tab, and click the + sign on the toolbar. Run the tests to find all the hosts on your network. Once the recon is done, go to the ARP tab on the bottom. Then again click the + button. Here is where you need that info you got earlier. In the left column find the IP address of the computer you want to analyze the traffic of.
Then in the right column find the IP address of the default gateway, which is probably a router/switch. What this does is make you look like you are the default gateway, so the computer thinks it needs to send all information to you to get to the internet. This is crucial. Make sure the little icon in the ARP poisoning area says poisoning.
This is all you have to do with Cain. Interesting side note: under the passwords tab, you can capture all kinds of passwords going to the internet from the victim computer, such as POP email passwords, some HTTP passwords, FTP, and lots more. I don’t condone this though; outright password stealing is very wrong, there is no ethical dilemma there, it’s just plain wrong. You can now minimize Cain, we are done with it. Keep it running!
Okay, for those of you who don’t know what a packet sniffer is, it is simply something that watches all information moving over the network. It can see everything moving into your computer; if you’re on a wireless network, you can see all wireless traffic. Sorry to play this card again, but Ethereal is a complex program; I’m just going to cover the very basics that will get it to do what we want to do. First we are going to start a new capture session, meaning we are going to start watching network traffic. There are a few options to set here. Of course select the adaptor with an IP address. If you want to set a capture filter, you can; if you only want to see traffic from the target computer you could use the filter "host victimip" (without the quotes), where victimip is the IP address of the victim computer. I personally turn off auto scrolling, turn on network name resolution, turn off the info dialog, and turn on update packets in real time. You can also specify a file to save the captured packets to.
So start the capture session. Odds are you’ll notice the sniffer gathers a lot of traffic pretty fast, especially if the victim is actively browsing the web and such. Okay so you’re seeing a lot of traffic. Most of it is crap you have no interest in: network jabber about DNS requests, ARP stuff, and so on and so forth. Now this article is about capturing instant messenger traffic. So one basic piece of information: everything that moves across a network must move via a protocol, which is like a transport mechanism. Different types of traffic use different protocols; the 3 main messaging services use the following protocols.
There are hundreds of protocols that do hundreds of things, like HTTP for web sites, FTP for moving files, POP for email. The 3 instant messaging protocols are the only ones we are interested in right now. Near the top of Ethereal you’ll notice a box where you can input a display filter. That’s where you can put the name of the protocol that is the only kind of traffic you want to see. Or you can build complex filters by using logic operators, which is covered in depth on the Ethereal web site (you can write all kinds of filters to see only the kind of traffic you are interested in seeing, like web traffic, POP traffic, and so on). If you want to capture all instant messaging traffic you can use
msnms || aim_messaging || ymsg
That just says if the protocol is msnms or aim_messaging or it is ymsg, then show it. So now we are only seeing messaging traffic. Now all you can do is wait for traffic to go over the wire. Packets will start appearing. We are almost ready to start reading. Make the second box down a little bigger; that’s where we can actually see the message as it goes over. Packets are not exactly the most friendly thing to have to read. They have a lot of information that is cryptic and, to be honest, pretty irrelevant to our cause. On the bottom of each packet there is going to be something that says message block. In there is going to be the data that we have sought after. Open up that area by clicking the small arrow and you may just see some actual words! If not, don’t fret; odds are the message is in a packet somewhere around that one, so check out a few packets in either direction. Eventually you should find some that have words. Keep in mind instant messengers send lots of information that isn’t actually messages; it is used for keeping the connection alive and such. Either way just keep searching around and you’ll get the hang of how to find the information you want in the packets.
See, with a little searching around you can find actual messages. Like I said, getting the hang of which packets contain info and which don’t can take a little getting used to. AIM is pretty easy; it says incoming or outgoing message, so those are pretty easy to pick out. MSN and Yahoo are a little harder, but just keep searching around in the message block of the packet.
So you see, with some patience and some good luck, you can read pretty much any instant message traffic going over the internet. Please be ethical with this; I mean maybe use it for jokes on your friend or something, don’t be like reading your sister’s intimate conversations with someone, or something of that sort. Just use good judgment with what you do with this skill. If you have problems just start over and try again; make sure your ARP route poisoning is for the right computer and is intercepting their default gateway. Please note I do not know if this technique will work on networks with different subnets; however, that usually only happens in very large networks where they need segmentation and such.
Okay so there are some limitations. You can’t do this over the internet because ARP traffic cannot traverse the internet. Also if they are running a good firewall it may alert them that something has changed on the network when you set up the route poisoning; I know ZoneAlarm does. Good news is that most people don’t know what those warnings mean, so they just click okay and go about their business. Also don’t try to do this to a bunch of computers at once; like, don’t route poison 30 computers and try to play router to them all, because your computer WILL NOT BE ABLE TO HANDLE THE LOAD and will probably severely slow down the network, and maybe crash your computer.
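As an added example (not part of the original article), here is the kind of check a host firewall or network monitor performs to raise that "something changed on the network" warning: it tracks which MAC address answers ARP for which IP and flags the default gateway being claimed by more than one MAC, or one MAC claiming both the gateway and another host, which is exactly the pattern the Cain setup described above leaves on the wire. The ARP reply records and all addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply records (sender IP, sender MAC), the fields a sniffer
# like Ethereal decodes from each reply. Addresses are made up for this example.
ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # router, legitimate gateway reply
    ("192.168.1.10", "00:11:22:33:44:0a"),   # computer A, legitimate
    ("192.168.1.20", "00:11:22:33:44:14"),   # computer B, its own reply
    ("192.168.1.1",  "00:11:22:33:44:14"),   # B now claims the gateway IP
    ("192.168.1.10", "00:11:22:33:44:14"),   # B also claims A's IP (full duplex)
]


def build_bindings(replies):
    """Index the replies two ways: IP -> MACs claiming it, MAC -> IPs it claims."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def detect_arp_spoofing(replies, gateway_ip, known_gateway_mac=None):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    ip_to_macs, mac_to_ips = build_bindings(replies)
    alerts = []
    gateway_macs = ip_to_macs.get(gateway_ip, set())
    # 1. The gateway IP answered by more than one MAC: someone is impersonating it.
    if len(gateway_macs) > 1:
        alerts.append(f"gateway {gateway_ip} claimed by several MACs: {sorted(gateway_macs)}")
    # 2. A MAC other than the known-good one answering for the gateway.
    if known_gateway_mac:
        for mac in gateway_macs - {known_gateway_mac.lower()}:
            alerts.append(f"gateway {gateway_ip} answered by unexpected MAC {mac}")
    # 3. One MAC claiming the gateway and another host: a station sitting in both
    #    directions of the conversation, the classic man-in-the-middle signature.
    for mac, ips in mac_to_ips.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"MAC {mac} claims gateway and {others}: likely man in the middle")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES, "192.168.1.1", "00:11:22:33:44:01"):
        print("ALERT:", line)
```

Feeding only the first three replies (before the poisoning starts) produces no alerts, which is the baseline such a monitor learns on a quiet network.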
This technique can be adjusted and changed for whatever you need. If you just want to sniff POP passwords, HTTP traffic, whatever, you can do that too. I don’t condone it, but I know people are gonna do it anyway, and I mean I have to say it; it’s just kinda my obligation to say not to.
I made this article because I had never seen any article talking about sniffing instant message traffic specifically. If you thought of this idea first and you think I’m ripping you off, I’m sorry. I promise I took this info from no one and that I did my best to make this article understandable, readable, and knowledgeable.