From: Adam Shostack <adam@bwh.harvard.edu>
To: hayden@krypton.mankato.msus.edu
Message Hash: b81bd3b3e3890284c4bce4dc22502d74e46193f77de2023a194e2972de4c846b
Message ID: <199409121847.OAA17194@arthur.bwh.harvard.edu>
Reply To: <Pine.3.89.9409121209.A23755-0100000@krypton.mankato.msus.edu>
UTC Datetime: 1994-09-12 18:47:10 UTC
Raw Date: Mon, 12 Sep 94 11:47:10 PDT
From: Adam Shostack <adam@bwh.harvard.edu>
Date: Mon, 12 Sep 94 11:47:10 PDT
To: hayden@krypton.mankato.msus.edu
Subject: Re: "Packet Sniffers"
In-Reply-To: <Pine.3.89.9409121209.A23755-0100000@krypton.mankato.msus.edu>
Message-ID: <199409121847.OAA17194@arthur.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain
The way thinnet ethernet works, all machines on the net will
probably see all packets going to/from any of them. If you have root
access, you can look at all packets coming across the network. (You
can do this with a PC or Mac as well.) The way telnet works has no
encryption in it; the password you type gets sent across the network
as you type it. This is barely even a secret anymore.
Thats the technical side of it. What the junior admin type
says is correct. You will be able to snarf the passwords of anyone
who logs in over the local thinnet segment.
My response to this is, so can anyone with a Mac or PC. There
is code out there that will sniff passwords for you. (I've heard its
in the public domain on PCs, but do not know.) The question is, what
is your institution doing about this threat in general? Do they let
people log in over the internet? If so, passwords have been stolen.
Do they maintain full physical control of the wires between data
centers? Does the institution have a policy for dealing with this?
The problem seems to be the lack of a security policy to
provide guidance in saying why your machine is different from all
these other machines out there. If there is a solid difference, then
maybe they should keep you out. But I'd guess that you are quite
vulnerable to sniffing.
I am no longer handing out copies of sniff.c. Track down the
phrack.
Some sample log output from esniff.c (part of phrack 45)
>-- TCP/IP LOG -- TM: Mon Sep 12 14:41:15 --
> PATH: machine1(1625) => machine2(telnet)
> STAT: Mon Sep 12 14:41:29, 39 pkts, 46 bytes [TH_FIN]
> DATA: (255)(253)^C(255)(251)^X(255)(250)^X
> : SUN-CMD(255)(240)(255)(253)^A(255)(252)^Aadam
> : ********(127)^
(My password for local logins replaced with ***)
Robert Hayden:
| The specific setup would have the machine on a thinnet link in a lab with
| about 20 other PCs which are used primarily as word processors and
| terminals to the campus VAX or UNIX machines. The specific upstream
| setup is unknown, but I assume there is some kind of a line to a router
| upstream, eventually winding its way into the real world.
|
| It seems to me that a packet sniffer on the lowest link of the network
| wouldn't be able to look at those packets passing upstream because the
| router would never pass them down, but I could be just plain wrong and
| thats why I'm asking for some clarification.
Return to September 1994
Return to ““Robert A. Hayden” <hayden@krypton.mankato.msus.edu>”