What Is Port Sniffing?
Generally refers to a sniffer. A sniffer can eavesdrop on packets flowing through the network. The network formed by the hub hub is based on the principle of sharing. All computers in the local area network receive the same data packets, and the network card constructs a hardware "filter" to filter out information that is not relevant to it by identifying the MAC address. Sniffer programs Simply turn off this filter and set the network card to "promiscuous mode" to perform sniffing. The network formed by the switch is based on the "switching" principle. Instead of sending data packets to all ports, the switch sends to The port where the destination NIC is located.
Sniff
(Eavesdropping on packets flowing through the network)
- Generally refers to
- Sniff sniff.
- SNIFF is really an old topic. It is nothing new to use SNIFF to obtain sensitive information on the Internet, and there are many successful cases. So what exactly is SNIFF? SNIFF is
- Does "network basics" sound a bit off-topic? Although it sounds like it has nothing to do with the SNIFF we want to talk about, but I still have to say something. If the ground is high enough, if the foundation is not laid, how can we build a building? !! If you are not very clear about the Internet, it is best to calm down and take a closer look. You must know that this is the basic basis. I will just briefly talk about it here, so as not to get confused in time, it is best to be yourself. Look for a book.
- TCP / IP architecture
- Be aware that in Ethernet, all communication is broadcast, that is to say, all network interfaces on the same network segment can access all data transmitted on the physical media, and each network interface has a unique Hardware address. This hardware address is also the MAC address of the network card. Most systems use a 48-bit address. This address is used to represent each device in the network. Generally speaking, the MAC address on each network card is different. Each network card manufacturer obtains an address, and then uses this address to assign an address to each network card it produces. ARP and RARP protocols are used to convert between hardware addresses and IP addresses.
- Under normal circumstances, a network interface should only respond to these two data frames:
- 1. A data frame that matches its own hardware address.
- 2. Broadcast data frames sent to all machines.
- In an actual system, data is transmitted and received by the network card. The network card receives the transmitted data, and the single-chip program in the network card receives the destination MAC address of the data frame. According to the receiving mode set by the network card driver on the computer If it is judged that it should not be received, if it is considered to be received, it will generate an interrupt signal to notify the CPU, and if it should not be received, it will be discarded, so the data network card that should not be received will be truncated and the computer will not know at all. The CPU receives an interrupt signal to generate an interrupt, and the operating system calls the driver to receive data according to the network card interrupt program address set by the network card driver, and the driver receives the data and puts it into the signal stack for the operating system to process. There are generally four receiving modes for network cards:
- Broadcast mode: The network card in this mode can receive broadcast information in the network. Multicast mode: The network card set in this mode can receive multicast data.
- Direct method: In this mode, only the destination network card can receive the data. Promiscuous mode: The network card in this mode can receive all the data passing through it, regardless of whether the data is passed to it.
- Well, now we summarize, first of all, we know that data is transmitted based on broadcast in Ethernet, that is, all physical signals must pass through my machine, and again, the network card can be put in a mode called Promiscuous mode, the network card working in this mode can receive all the data passing through it, regardless of the actual destination address of the data is not him. This is actually the basic principle of our SNIFF work: let the network card receive all the data he can receive.
- Let's look at a simple example. Machines A, B, and C are connected to the hub HUB. The hub HUB accesses the external network through the router Router. This is a very simple and common situation. For example, in a company building, several machines in the office of my network department are connected through a hub. The same is true of the network department, development department, and marketing department. The hub is connected via a router. It is worth noting that machines A, B, and C are connected by a common HUB, not SWITCH or ROUTER. The situation of using SWITCH and ROUTER is more complicated than this.
- Let's assume that the administrator on machine A uses an FTP command to remotely log in to machine C in order to maintain machine C. Then the data flow in this network connected by HUB is like this. First, the FTP password entered by the administrator on machine A to log in to machine C passes through the application layer FTP protocol, the transport layer TCP protocol, the network layer IP protocol, and the Ethernet driver on the data link layer. To the physical layer, our network line. The next data frame was sent to HUB. Now HUB broadcasts the data frame sent by machine A to each contact. Machine B receives the data frame sent by HUB broadcast and checks whether the address in the data frame is the same as its own After matching, it is found that the data frame is not sent to itself and the data frame is discarded and ignored. And machine C also received the data frame, and found that he found himself after the comparison, and then he analyzed and processed this data frame.
- In the simple example above, if the administrator on machine B is curious, he would like to know what is the FTP password on machine C? So what he has to do is very simple, just need to put the network card on his machine into promiscuous mode, and analyze the received data frame, so as to find the password information contained in the data frame.
- sniff approach
- In the previous section, we already knew what the basic principles of SNIFF are. In this section, we will make our own sniff. After all, using program code to speak is more true than anything and it is easy to deepen understanding.
- Looking back on the principle we said above, there are several things we need to do:
- 1. Put the network card in promiscuous mode. 2. Capture the packet. 3. Analyze the data packet.
- Note: The following source code is taken from the article "Basic Packet-Sniffer Construction from the Ground Up" by Chad Renfro
- /************************Tcp_sniff_2.c********************/
- 1. # include
- 2. # include
- 3. # include
- 4. # include
- 5. # include
- 6. # include
- 7. # include
- 8. # include
- 9. # include "headers.h"
- #define INTERFACE "eth0"
- / * Prototype area * /
- 1 0 int Open_Raw_Socket (void);
- 11 int Set_Promisc (char * interface, intsock);
- 12 int main () {
- 13int sock, bytes_recieved, fromlen;
- 14.char buffer [65535];
- 15.struct sockaddr_in from;
- 16.struct ip * ip;
- 17.struct tcp * tcp;
- 18.sock = Open_Raw_Socket ();
- 19. Set_Promisc (INTERFACE, sock);
- 20. while (1)
- twenty two. {
- 23. fromlen = sizeof from;
- 24. bytes_recieved = recvfrom (sock, buffer, sizeofbuffer, 0, (struct sockaddr *) & amp; from, & amp; fromlen);
- 25. printf ("\ nBytes received :::% 5d \ n", bytes_recieved);
- 26. printf ("Source address :::% s \ n", inet_ntoa (from.sin_addr));
- 27.ip = (struct ip *) buffer;
- / * See if this is a TCP packet * /
- 28. if (ip-> ip_protocol == 6) {
- 29. printf ("IP header length :::% d \ n", ip-> ip_length);
- 30. printf ("Protocol :::% d \ n", ip-> ip_protocol);
- 31. tcp = (struct tcp *) (buffer + (4 * ip-> ip_length));
- 32. printf ("Source port :::% d \ n", ntohs (tcp-> tcp_source_port));
- 33. printf ("Dest port :::% d \ n", ntohs (tcp-> tcp_dest_port));
- 34.}
- 35.}
- 36.}
- 37 int Open_Raw_Socket () {
- 38. int sock;
- 39. if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) <0) {
- / * Then the socket was not created properly and must die * /
- 40. perror ("The raw socket was not created");
- 41. exit (0);
- 42.};
- 43. return (sock);
- 44.}
- 45 int Set_Promisc (char * interface, int sock) {
- 46. struct ifreq ifr;
- 47. strncpy (ifr.ifr_name, interface, strnlen (interface) +1);
- 48. if ((ioctl (sock, SIOCGIFFLAGS, & amp; ifr) == -1)) {
- / * Could not retrieve flags for the interface * /
- 49. perror ("Could not retrive flags for the interface");
- 50. exit (0);
- 51.}
- 52. printf ("The interface is :::% s \ n", interface);
- 53. perror ("Retrieved flags from interface successfully");
- 54. ifr.ifr_flags | = IFF_PROMISC;
- 55. if (ioctl (sock, SIOCSIFFLAGS, & amp; ifr) == -1) {
- / * Could not set the flags on the interface * /
- 56. perror ("Could not set the PROMISC flag:");
- 57. exit (0);
- 58.}
- 59. printf ("Setting interface :::% s ::: to promisc", interface);
- 60. return (0);
- 61.}
- / *********************** EOF ************************* ********* /
- The above program has a very detailed comment, but I think it is necessary to talk about it. First, line 10 --intOpen_Raw_Socket (void); is our custom function, the specific content is as follows:
- 37 int Open_Raw_Socket () {
- 38. int sock;
- 39. if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) <0) {
- / * Then the socket was not created properly and must die * /
- 40. perror ("The raw socket was not created");
- 41. exit (0);
- 42.};
- 43. return (sock);
- 44.}
- Line 39 if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) <0) {
- Here we call the socket function to create a raw socket to receive TCP / IP packets.
- Next line 11 -int Set_Promisc (char * interface, intsock), this is also our custom function, the purpose is to put the network card in promiscuous mode, the specific content is as follows:
- 45 int Set_Promisc (char * interface, int sock) {
- 46. struct ifreq ifr;
- 47. strncpy (ifr.ifr_name, interface, strlen (interface) +1);
- 48. if ((ioctl (sock, SIOCGIFFLAGS, & amp; ifr) == -1)) {
- / * Could not retrieve flags for the interface * /
- 49. perror ("Could not retrive flags for the interface");
- 50. exit (0);
- 51.}
- 52. printf ("The interface is :::% s \ n", interface);
- 53. perror ("Retrieved flags from interface successfully");
- 54. ifr.ifr_flags | = IFF_PROMISC;
- 55. if (ioctl (sock, SIOCSIFFLAGS, & amp; ifr) == -1) {
- / * Could not set the flags on the interface * /
- 56. perror ("Could not set the PROMISC flag:");
- 57. exit (0);
- 58.}
- 59. printf ("Setting interface :::% s ::: to promisc", interface);
- 60. return (0);
- 61.}
- First struct ifreq ifr; defines an ifrreg structure ifr, then strncpy (ifr.ifr_name, interface, strnlen (interface) +1); is to fill the name of our network equipment into the ifr structure, here #define INTERFACE "eth0", let's look down. Ioctl (sock, SIOCGIFFLAGS, & amp; ifr), SIOCGIFFLAGS request indicates that the interface flag needs to be obtained. Now it reaches line 54. After we successfully obtain the interface flag, we set it to a mixed Mode, ifr.ifr_flags | = IFF_PROMISC; ioctl (sock, SIOCSIFFLAGS, & amp; ifr). OK, now the first step we have said is done -------- put the network card in promiscuous mode.
- Now proceed to the second step, capture the packet. Starting from line 20, we enter an endless loop, while (1). On line 24, recvfrom (sock, buffer, sizeof buffer, 0, (struct sockaddr *) & amp; from, & amp; fromlen), this function All you have to do is receive the data and put the received data into a buffer. It's that simple, we have completed our task of capturing packets.
- At the third step, analyze the data packet. Line 27, ip = (struct ip *) buffer, so that our IP structure in the header file corresponds to the received data. Next, determine whether the TCP protocol is used in the network layer. If (ip-> ip_protocol = = 6) If the answer is yes, the TCP packet starts at the entire IP / TCP packet buffer + (4 * ip-> ip_length) address, so line 31 tcp = (struct tcp *) (buffer + (4 * ip-> ip_length)), then the corresponding structure outputs the information you need.
- /*************************headers.h********************* ***** /
- / * structure of an ip header * /
- struct ip {
- unsigned int ip_length: 4; / * little-endian * /
- unsigned int ip_version: 4;
- unsigned char ip_tos;
- unsigned short ip_total_length;
- unsigned short ip_id;
- unsigned short ip_flags;
- unsigned char ip_ttl;
- unsigned char ip_protocol;
- unsigned short ip_cksum;
- unsigned int ip_source; unsigned int ip_dest;
- };
- / * Structure of a TCP header * /
- struct tcp {
- unsigned short tcp_source_port;
- unsigned short tcp_dest_port;
- unsigned int tcp_seqno;
- unsigned int tcp_ackno;
- unsigned int tcp_res1: 4, / * little-endian * /
- tcp_hlen: 4,
- tcp_fin: 1,
- tcp_syn: 1,
- tcp_rst: 1,
- tcp_psh: 1,
- tcp_ack: 1,
- tcp_urg: 1,
- tcp_res2: 2;
- unsigned short tcp_winsize;
- unsigned short tcp_cksum;
- unsigned short tcp_urgent;
- };
- / ********************* EOF *************************** ******** /
- From the above analysis, we can clearly understand that knowing a SNIFF requires a detailed understanding of the TCP / IP protocol, otherwise you cannot find the information you need at all. With the above foundation, you can make the SNIFF you need.