Sniffing Packets on LAN without ARP Spoofing

Abstract

Identifying weak points of network systems and protecting them (before attackers or hackers detect and use our data to attack our systems) are regarded as essential security methods, especially on the LAN system which uses ARP protocol with holes enabling hackers to conduct ARP spoof and sniff packets on the LAN systems. Regarding Web sites with membership systems such as e-commerce Web sites and Web sites with e-mail systems such as Hotmail and Gmail, every time users click links, browsers will send away HTTP requests which contain cookies and session ID. If hackers successfully sniff cookies and session ID of any member, they will be able to access the member's system by the right of that member. This type of attacks can be prevented by using static ARP, detecting ARP spoof using IDS, or using anti sniff type programs to scan for the computer which is sniffing the data. Although sniffing data is harmful, it sometimes needs to be conducted for some purposes, e.g. confidential affair job (sniffing terrorists' data) etc. This research aims to study techniques in sniffing data on the LAN system without using ARP spoof. The results are as follows. (1) The victims cannot detect hackers by using IDS. (2) Static ARP cannot prevent sniffing data by this method. (3) The hacker's computer cannot be scanned and found by using anti sniff type programs. MAC address and IP address values are set to coincide with gateway MAC address and gateway IP address respectively. Only two basic programs-Ping and Ethereal are used. Ethereal is used to sniff the data, and Ping command is used to send Packets to deceive the switch port that gateway is connecting with the port that we are connecting. This process is to alternate with stop ping (wait) in order to enable the system to function normally on occasions. This method is tested in sniffing the victim's cookies while the victim is clicking links to open the mailboxes of Gmail and Hotmail. The result shows that the number of the sniffed cookies is approximately 20-35%, comparing with the number of the cookies sent to the Internet by the victim. The number of sniffed cookies also depends on other factors such as periods of stop ping (wait) and brands of switch. We have conducted the experiment with three brands of switch consisting of Cisco, 3COM and SMC. It is found that using Cisco brand provides the potentiality to get the largest amount of cookies. In contrast, using SMC brand provides the potentiality to get the smallest amount of cookies. And when Ping sending is tested, switching with wait for 1, 2, 3, ....., 40 seconds, it is found that when we wait for 1-2 seconds, the user will feel that the network system encounters a problem, and Login and Logout process takes longer time than usual. However, the proportion of the sniffed cookies is high (about 30-35%). When the Wait value is set higher, the chance to get cookies decreases, but the victim will not feel the abnormality (setting the wait value at 7-10 seconds, the sniffed Cookies will be about 20% of all cookies).