

Linux System Administration: A User's Guide

Intro to Network Sniffers

In the last section, I mentioned in my "real life" example that my cracker was using a sniffer to monitor network traffic and collect usernames and passwords. Since I did not go into much detail then, I'll try to clarify what I meant by sniffing. Simply put, a sniffer is a tool that lets you monitor packets as they "fly" across your network interface. You could simply monitor your machine's own traffic, but sniffers use promiscuous mode to scan all packets bound for your network.

If I run the command ifconfig eth0 on my machine, I get the following output:

    eth0      Link encap:Ethernet  HWaddr 00:C0:4F:E3:C1:8F
              inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:49448 errors:0 dropped:0 overruns:0 frame:0
              TX packets:33859 errors:0 dropped:0 overruns:0 carrier:0
              collisions:6 txqueuelen:100
              Interrupt:10 Base address:0x300

Now let's open up a couple of terminal or xterm windows. In one window, we'll start a sniffer program. The one I'm using is called sniffit, and I will start it in interactive mode:

    # sniffit -i

In the second window, rerun the ifconfig command and look for the differences. I'll focus on the important line here:

    UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

Notice the addition of the word PROMISC in this line, short for "promiscuous mode." What that means is that your network interface is indiscriminate as to what network traffic it is listening for. Normally, your system is capturing only information bound for your IP address. If you put your network interface in promiscuous mode, it will receive all packets on the network.

Sniffit is a light, curses-based program that will work in a regular terminal window (see Figure 1). I obtained my copy from my Linux vendor's contrib ftp site. You can also visit the Web site directly at. One of the cool things about this package is that, if you hit Return on one of the open sockets in the interactive list, you can watch the plain-text traffic going to and from the user's process. Yes, you can actually see what they are typing. (This almost begs a future column on secure shell, doesn't it?)

Another similar product is netwatch. This is also a network-monitoring tool that shows you what connections are alive on your network. You can get netwatch from the application home page at or various other sources.

Now, if you are busy collecting commands to run as part of your system administration toolkit, you could do worse than to check for interfaces running in promiscuous mode. Simply run the ifconfig command and grep for PROMISC, like this:

    ifconfig | grep PROMISC

By now, if I've made you too scared to load anything new on your system but you would still like to try out a sniffer and see what happens, you're in luck. When you installed your Linux system, you probably also installed a little package called tcpdump. While not as flashy as the other two sniffers I mentioned, this little program will do the same thing. If you've ever wondered what goes on across your network, you'll find this enlightening. From the command line, type the following:

    # tcpdump

In a few seconds, you should start seeing packets coming from and going to your system.

I told tcpdump to watch for traffic coming to and from the -l flag. That is to tell tcpdump to show me the output I was busy capturing to a file for later perusal.

There are many sniffer programs available. Some are stripped-down packages that simply keep track of logins and passwords from any telnet or ftp session. Your cracker may use a modified ps to hide the presence of the sniffer as it logs away the hours. It may also have a perfectly innocent name in the process table, even if your ps is fine.

Enough with the sniffers and on to other things. If your system has been cracked, you should consider reporting the incident to the CERT Coordination Center, run by Carnegie Mellon University. The CERT Web site has extensive security information and "alerts" describing security issues or software weaknesses. One thing you can and should do is subscribe to the CERT advisories.

Before wrapping up, this final note: To the handful of people who are saying, "What if the cracker changes rpm or md5sum?", you now have an understanding of how tricky this whole security business is.
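The promiscuous-mode check from the sniffer discussion above, as an added example that is not part of the book: the PROMISC grep made to run over saved ifconfig output, alongside a second check of the per-interface promiscuity counter. Both sample outputs are constructed, and the function names are mine, not the book's.

```shell
#!/bin/sh
# Added example, not from the book. Makes the "grep for PROMISC" check work
# over saved command output, and adds the promiscuity-counter check that
# catches libpcap-based sniffers the flag word does not show. The two sample
# outputs below are constructed, not captured from a real host.

# Constructed net-tools ifconfig output: eth0 has the PROMISC flag set.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:C0:4F:E3:C1:8F
          inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

# Constructed "ip -d link show" output: the flag word shows nothing, but the
# promiscuity counter on eth0 is 1, which is how a running tcpdump looks.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:c0:4f:e3:c1:8f brd ff:ff:ff:ff:ff:ff promiscuity 1'

# promisc_flag_ifaces: read ifconfig output on stdin, print the name of each
# interface whose flags line carries PROMISC (the check the text proposes).
promisc_flag_ifaces() {
    awk '/^[^ \t]/ { iface = $1 }
         /(^|[ \t])PROMISC([ \t]|$)/ && iface != "" { print iface; iface = "" }'
}

# promisc_count_ifaces: read "ip -d link show" output on stdin, print each
# interface whose promiscuity counter is non-zero.
promisc_count_ifaces() {
    awk '/^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
         { for (i = 1; i < NF; i++)
               if ($i == "promiscuity" && $(i + 1) + 0 > 0) print iface }'
}

# check_live: run both checks against this host with whichever tool exists.
check_live() {
    if command -v ifconfig >/dev/null 2>&1; then ifconfig -a | promisc_flag_ifaces; fi
    if command -v ip >/dev/null 2>&1; then ip -d link show | promisc_count_ifaces; fi
}

printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_flag_ifaces   # prints eth0
printf '%s\n' "$SAMPLE_IPLINK" | promisc_count_ifaces    # prints eth0
```

On current Linux kernels the PROMISC flag that ifconfig and ip link print is set only when promiscuous mode was requested through the interface flags, so a sniffer that goes through libpcap leaves the flag word unchanged and shows up only as a non-zero promiscuity counter in ip -d link show and as a kernel log line saying the device entered promiscuous mode. Since a cracker who replaced ps can just as well replace ifconfig or ip, treat either check as one indicator rather than proof.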
