How to use sniffer to capture packets

With the growing popularity of the Internet and e-commerce, Internet security is receiving more and more attention. Sniffers and scanners play a large part in Internet security risks. This article introduces the sniffer and how to defend against it.

Most hackers only want to detect hosts on the internal network and gain control. Only those "ambitious" hackers will install Trojans and backdoors and clear records in order to control the entire network. The technique they often use is to install sniffers.

On an intranet, the most effective way for hackers to quickly obtain a large number of accounts (including usernames and passwords) is to use the "sniffer" program. This method requires that the host running the Sniffer program and the monitored host must be on the same Ethernet segment, so running sniffer on an external host has no effect. Furthermore, you must use the sniffer program as root to monitor the data flow on the Ethernet segment.

Hackers will use various methods to gain control of the system and leave backdoors for re-intrusion to ensure that sniffers can be executed. On Solaris 2.x platforms, the sniffer program is usually installed in the /usr/bin or /dev directory. Hackers will also cleverly modify the time to make the sniffer program appear to be installed at the same time as other system programs.

Most "ethernet sniffer" programs run in the background and output their results to some log file. Hackers often modify the ps program, making it difficult for system administrators to discover the running sniffer program.

The "ethernet sniffer" program sets the system's network interface to promiscuous mode. In this way it can monitor all data packets flowing through the same Ethernet segment, regardless of whether their recipient or sender is the host running the sniffer. The program stores usernames, passwords and other data of interest to the hacker in log files. The hacker then waits for a period of time, for example a week, and comes back to download the log file.

1. What is a sniffer

Unlike telephone circuits, computer networks share communication channels. Sharing means that a computer can receive information sent to other computers. Capturing the data transmitted in the network is called sniffing.

Ethernet is the most widely used computer networking method today. The Ethernet protocol sends packet information to all hosts on the same segment. The packet header contains the address of the destination host, and normally only the host with this address accepts the packet. A host that receives all packets regardless of header content is said to be in "promiscuous" mode.

Because, in a normal network environment, account and password information travel over the Ethernet in plain text, an intruder who obtains root privileges on one of the hosts can put its interface into promiscuous mode and eavesdrop on network data, potentially compromising all computers on the network.

2. Working principle of sniffer

Usually every network interface on the same network segment is able to access all data transmitted on the physical medium. Each network interface has a hardware address that differs from the hardware addresses of the other network interfaces on the network, and each network also has at least one broadcast address (representing all interface addresses). Under normal circumstances, a legitimate network interface responds only to these two types of data frame:

1. The destination field of the frame holds a hardware address that matches the local network interface address.

2. The destination field of the frame holds the "broadcast address".

When a data frame of either kind is received, the NIC raises a hardware interrupt to get the attention of the operating system, and the data contained in the frame is then handed to the system for further processing.

A sniffer is software that sets the local NIC to the "promiscuous" state. When the NIC is in this mode it behaves as if every frame were addressed to its broadcast address: each frame it encounters generates a hardware interrupt, so the operating system processes every packet flowing through the physical medium. (Most NICs can be set to promiscuous mode.)

It can be seen that the sniffer works at the lowest layer of the network environment. It intercepts all data being transmitted on the network and processes it with the corresponding software, so the content of that data can be analyzed in real time and the network's status and overall layout worked out from it. It is worth noting that sniffers are extremely quiet: they are a passive security attack.
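Because a sniffer is passive, the flag it leaves on the NIC is one of the few things a defender can check for. The following added example (not code from the original article) reports Linux interfaces in promiscuous mode in two ways: from the hex value the kernel exposes in /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100, and from the flag list printed by `ip -o link show`. The sysfs path, the IFF_PROMISC constant and the `ip link` line format are real Linux facts; the interface names and sample output are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List

IFF_PROMISC = 0x100                 # bit value from <linux/if.h>
SYSFS_NET = Path("/sys/class/net")  # one subdirectory per interface on Linux


def parse_sysfs_flags(text: str) -> int:
    """Parse the contents of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in a net_device flags value."""
    return bool(flags & IFF_PROMISC)


def promiscuous_from_flags(flags_by_iface: Dict[str, int]) -> List[str]:
    """Names (sorted) of interfaces whose flags carry IFF_PROMISC."""
    return sorted(n for n, f in flags_by_iface.items() if is_promiscuous(f))


# `ip -o link show` prints "<index>: <name>: <FLAG,FLAG,...> mtu ..." per line.
_IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output: str) -> List[str]:
    """Names (sorted) of interfaces whose `ip -o link` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return sorted(found)


def read_live_sysfs(sysfs: Path = SYSFS_NET) -> Dict[str, int]:
    """Read the flags of every interface on the running host; {} if not Linux."""
    result: Dict[str, int] = {}
    if not sysfs.is_dir():
        return result
    for entry in sysfs.iterdir():
        try:
            result[entry.name] = parse_sysfs_flags((entry / "flags").read_text())
        except (OSError, ValueError):
            continue  # interface vanished or file unreadable; skip it
    return result


# Constructed samples: lo = UP|LOOPBACK, eth0 = UP|BROADCAST|MULTICAST,
# eth1 = the same plus IFF_PROMISC, i.e. what a running sniffer leaves behind.
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

if __name__ == "__main__":
    live = read_live_sysfs() or SAMPLE_FLAGS
    for name in promiscuous_from_flags(live):
        print(f"{name}: promiscuous mode set (flags 0x{live[name]:x})")
```

Because the article notes that intruders also replace tools such as ps, treat a clean result from `ip` alone as weak evidence and compare it with the sysfs value, or better, with a check run from a trusted boot medium.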

Usually the content that sniffers are concerned about can be divided into the following categories:

1. Password:

I think this is the reason for the vast majority of illegal uses of sniffers. A sniffer can record user IDs and passwords transmitted in plain text. Even if you encrypt data during network transmission, the data recorded by the sniffer may still allow an intruder to work out your algorithm at leisure at home.

2. Financial account:

Many users feel safe using their credit card or cash account online. However, sniffers can easily intercept user names, passwords, credit card numbers, expiration dates, account numbers and PINs transmitted online.

3. Peeping