McAfee has developed this free utility as a proof of concept to highlight the ease with which critical network information can be obtained without performing any kind of active scanning.
* File: CSniffer.exe
* Size: 105984 bytes
* File Version: 1, 0, 0, 3
* Modified: Wednesday, March 03, 2010, 2:21:22 PM
* Md5: DE9A9EB7AC8FA9D2EDF41C3BC85A579D
* SHA1: 6DCD9FD27125C1B85A47D0A5427B7C40FEC03FCC
NOTE: McAfee does not offer technical or customer support for this tool.
Purpose
This tool acts much like a standard Ethernet network sniffer. However, unlike a traditional packet sniffer it does not attempt to capture and decode all traffic; instead it is geared toward discovering useful infrastructure and security-related data from the network, often from traffic not sent to or from the host system, i.e. general broadcast network traffic. This data can reveal all manner of useful information, ranging from live systems on the network, hostnames, IPv6 systems, routers and name servers, to user names and passwords.
Note that the tool is not comprehensive in the amount and range of information it gathers. Rather, it goes to show that your network is constantly chattering away, unintentionally revealing vast amounts of useful information that could be utilized by an attacker. This tool highlights some of that data. This is the kind of information that was obtained from systems hit by the Aurora vulnerability (MS10-002) affecting Microsoft's Internet Explorer web browser, including, for example, credentials to source control systems, leading to the theft of highly confidential intellectual property.
Tool requirements
CSniffer runs on Microsoft Windows systems (Windows 2000 upwards) and attempts to sniff network data in promiscuous mode. It can use one of two methods to achieve this:
* Using Windows' built-in raw sockets API (default).
* Using the WinPcap packet driver.
This necessitates running with administrator privileges.
However, when using Windows raw sockets there is a workaround that allows a regular user to run the tool.
Apply the following registry setting and reboot:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
[DWORD] "AllowUserRawAccess"
Set the value to 1 to allow regular users to use raw sockets.
Being able to apply this registry setting itself requires administrator privileges. However, once rebooted you can use the tool in raw socket mode without requiring administrator privileges.
Utilizing a privilege escalation attack on a Windows system and applying the registry setting above could allow sniffing of all network traffic when running under a non-privileged account, something that is not generally known!
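The registry setting above is worth auditing on managed hosts, since its presence means sniffing no longer requires administrator rights. The following PowerShell check is an added example and is not part of the CSniffer tool or McAfee's documentation; it reads the key and value named on this page and assumes, as the page states, that a DWORD value of 1 permits non-administrators to use raw sockets and that an absent value leaves the default restriction in place.

```powershell
# Added example (not McAfee's code): audit the AllowUserRawAccess setting.
# Assumption: the value is a DWORD under Tcpip\Parameters, 1 = regular users
# may open raw sockets (as the page describes); a missing value is "not set".
function Test-AllowUserRawAccess {
    [CmdletBinding()]
    param(
        # Key path and value name are taken from the page.
        [string]$KeyPath   = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters',
        [string]$ValueName = 'AllowUserRawAccess'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyPath      = $KeyPath
        ValueName    = $ValueName
        Value        = $null
        Weakened     = $false
        Finding      = ''
    }

    if (-not (Test-Path -Path $KeyPath)) {
        $result.Finding = 'Tcpip\Parameters key not found; cannot evaluate.'
        return [pscustomobject]$result
    }

    # A value that does not exist yields $null with SilentlyContinue.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Finding = 'Value absent: raw sockets remain restricted to administrators.'
        return [pscustomobject]$result
    }

    $result.Value = $item.$ValueName
    if ($result.Value -eq 1) {
        $result.Weakened = $true
        $result.Finding  = 'Regular users may sniff in raw-socket mode; set the value to 0 (or remove it) and reboot.'
    } else {
        $result.Finding = "Value is $($result.Value); raw sockets restricted to administrators."
    }
    [pscustomobject]$result
}

# Run from an elevated prompt; Weakened = True is the condition to alert on.
Test-AllowUserRawAccess | Format-List
```

A change of this value on a workstation that has no documented need for user-mode raw sockets is a useful configuration-drift signal, because the page notes that setting it is one way an attacker who has already escalated once retains sniffing ability from an unprivileged account.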
Limitations
Other than the aforementioned requirements of running under an administrator level account, there are some severe limitations when using the built-in Windows raw sockets mode.
The Microsoft raw sockets API has several restrictions that have been introduced over the years in an effort to reduce the security risks associated with low-level network packet access. Depending on what platform you are running on, you may find that you are limited in what data can be seen on the network. A comprehensive list of all known limitations seen on different Windows operating systems and service pack levels of those operating systems has not been compiled, but here are some known issues. Again, this only applies to Windows raw sockets mode.
If you do not have the ability to use WinPcap, your best bet is to use XP SP2 or a server-level OS such as Windows Server 2003.
WinPcap is a free download. Visit http://www.winpcap.org/ for details.
Usage
CSniffer is a command-line tool. Syntax for usage can be obtained by typing
CSniffer -h or CSniffer -?
Check the McAfee website for updates to this tool.
http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html