Network Security 1


SuperJenks

Vendor
Jun 8, 2005
519
US
I am trying to assess the security on my network. It's my understanding that it is possible to use a protocol analyzer or sniffer such as Ethereal to sniff packets that contain user/password information. I have tried this myself to see if there truly are vulnerabilities on my network using this method. To my surprise, I did not find any user/password sensitive information according to Ethereal. My question:

Should I expect to see this information in plain text in the middle of the stack, or am I overlooking this data because I need another program to convert the raw data into a readable format?

Additional information: I have two networks. One is a basic domain with 2 client PCs. Should I expect the data passing around the network to be encrypted or not? The rest of my network is set up as a workgroup. I would not expect workgroup network data to be encrypted. Obviously, if the data for both domain and workgroup are encrypted, then the data would not be able to be seen in Ethereal.
 
First question on any type of these setups is how are you running Ethereal? Is it on a PC connected through a hub, switch, or is it on a PC within the current setup (whether in a domain or workgroup)?

Second, you should be concerned when doing a telnet and ftp. If you have Ethereal in the proper spot (either with a hub, or a "monitoring" switch port) you'll be able to see the passing of the password in non-encrypted form.

Third, I assume you are working with Windows software, as you are posting in the Windows forum. There are certain settings within the local/domain policies that allow you to "force" encrypted communications between PCs. This does not matter whether in a domain or workgroup. If in a workgroup, the account information will still be encrypted, as long as authentication settings on both PCs are set to a high enough level. You would be able to see some of these passwords with Ethereal if you were using something like 95/98/ME, and already had it communicating with NT/W2K/XP.

There are multiple areas in which this is set. There is LanMan authentication, as well as Digitally signing communication settings (in W2K3, you can also use FIPS compliant algorithms for hashing, encryption, and signing).

If you have more questions, please ask and we will attempt to answer the best we can.
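To make the telnet/ftp point above concrete, here is an added audit script (not from the thread or any poster) that runs over a few constructed packet payloads, the kind of thing a sniffer on a hub or mirrored switch port would show, and reports which protocols leak credentials in the clear and what to migrate them to. The packets, ports and credential values are all constructed for the example.

```python
import base64
import re

# Constructed sample "packets": (destination port, TCP payload) pairs standing in
# for what Ethereal would show on a hub or mirrored port. Not a real capture.
SAMPLE_PACKETS = [
    (21, b"USER alice\r\n"),
    (21, b"PASS s3cret\r\n"),
    (23, b"login: bob\r\n"),
    (80, b"GET / HTTP/1.1\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_7.4\r\n"),   # SSH: encrypted after key exchange
]

# Cleartext protocols by port, and the encrypted replacement to migrate to.
CLEARTEXT_PORTS = {21: ("FTP", "SFTP or FTPS"), 23: ("Telnet", "SSH"), 80: ("HTTP", "HTTPS")}
FTP_CMD = re.compile(rb"^(USER|PASS) (\S+)\r?\n", re.IGNORECASE)
BASIC_AUTH = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.IGNORECASE)

def find_cleartext_credentials(packets):
    """Return one finding per packet that carries a credential or a cleartext login."""
    findings = []
    for port, payload in packets:
        if port not in CLEARTEXT_PORTS:
            continue                      # encrypted or unknown protocol: nothing to see
        proto, fix = CLEARTEXT_PORTS[port]
        m = FTP_CMD.match(payload)
        if port == 21 and m:              # FTP sends USER/PASS as plain text commands
            findings.append({"proto": proto, "field": m.group(1).decode().upper(),
                             "value": m.group(2).decode(), "fix": fix})
            continue
        m = BASIC_AUTH.search(payload)
        if m:                             # HTTP Basic is only base64, not encryption
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            findings.append({"proto": proto, "field": "Basic", "value": f"{user}:{pw}", "fix": fix})
            continue
        if port == 23:                    # every telnet byte, prompts included, is cleartext
            findings.append({"proto": proto, "field": "session",
                             "value": payload.decode(errors="replace").strip(), "fix": fix})
    return findings

def summarize(findings):
    """Collapse findings into a protocol -> replacement remediation list."""
    by_proto = {}
    for f in findings:
        by_proto.setdefault(f["proto"], f["fix"])
    return by_proto

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PACKETS):
        shown = "<redacted>" if f["field"] in ("PASS", "Basic") else f["value"]
        print(f"{f['proto']}: {f['field']}={shown!r}  -> migrate to {f['fix']}")
```

Point the same logic at payloads exported from your own capture to get a list of services that still need moving to SFTP/FTPS, SSH or HTTPS.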
 
First off, thank you for taking the time to explain this for me. So the bottom line here is that if encryption is not enabled on the client PCs, the authentication between the PC and domain controller can be viewed with Ethereal. By the way, my network is on a layer 2 switch. I have a layer 3 switch, but I'm not currently using it. I no longer use hubs; they share bandwidth across all ports, unlike a switch which will dedicate bandwidth to individual ports. So, it's safe to assume that I will not see the user/password information on a switch in Ethereal because the data passing through the switch is not passing through all ports like a hub, and the information is port specific in relation to the MAC address/IP of the PC plugged into it.

This kinda leads me to another question. This is also a concern of mine in regards to my ftp server that is accessible online. How is a hacker able to do this on the internet? Do they use the same method with Ethereal? I have thought about changing my ftp server software to include SSL support for this reason, as the basic ftp protocol cannot be encrypted. But I'm still curious at a technical level as to how one would actually be able to sniff internet packets to find user/password info. I'm sure it works in a similar manner.
 
As far as the layer 2 and layer 3 switches, you can set them up with a "mirrored" port to do additional scans/sniffing. But that is clearly up to you.....

Anyway, let's get back to your additional question, which I'm sure could lead to even more questions.....

Essentially, all a "cracker/hacker" would need to do is sniff traffic coming from/to a range of IPs, and filter out the stuff they don't need.

(a good website explaining some of how they do what they do)

They may be using a tool that looks for a robots.txt file on your server. If you haven't locked that down yet, especially having an open ftp, you could be asking for trouble.


Also using tools like NMAP, they can also find out some additional information on what your network looks like, what assets you have, and what possible vulnerabilities exist. These tools are readily available on the internet, as a matter of fact, here is a website with a bunch of them (it's a legit one, that points these out to those of us that are security minded and want to defend against such tools):


I totally recommend going the route of SFTP (Secure File Transfer Protocol) as you have thought about. This protocol is widely accepted on almost "all" OS's, so I don't think you would have a problem with compatibility.

If you have any more questions, keep 'em coming. I'm learning as much as you on this venture....
 