How Network Analyzers Are Used to Hack Passwords
A network analyzer hacks passwords by sniffing the packets traversing the network. This is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!
Passwords can be crystal clear through the eyes of a network analyzer. This shows how Cain & Abel can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these cleartext password vulnerabilities can apply to FTP, web, telnet, and more. (The actual usernames and passwords are blurred out to protect them.)
If traffic is not tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it’s vulnerable to attack.
Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products OmniPeek and CommView as well as the free open source program, Wireshark.
With a network analyzer, you can search for password traffic in various ways. For example, to capture POP3 password traffic, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.
Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours.
Check your switch’s user guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic.
Here are some good defenses against network analyzer attacks:
Use switches on your network, not hubs. If you must use hubs on network segments, a program like sniffdet for UNIX-based systems and PromiscDetect for Windows can detect network cards in promiscuous mode (accepting all packets, whether destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer is running on the network.
Make sure that unsupervised areas, such as an unoccupied lobby or training room, don’t have live network connections.
Don’t let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and capture packets.
Switches don’t provide complete security because they’re vulnerable to ARP poisoning attacks.