McAfee has developed this free utility as a proof-of-concept to highlight the ease with which critical network information can be obtained without performing any kind of active scanning.
NOTE: McAfee does not offer technical or customer support for this tool.
This tool acts much like a standard Ethernet network sniffer. However, unlike a traditional packet sniffer it doesn't attempt to capture and decode all traffic; instead it is geared toward discovering useful infrastructure and security-related data from the network, often from traffic not sent to or from the host system, i.e. general broadcast traffic. This data can reveal all manner of useful information: live systems on the network, hostnames, IPv6 systems, routers and name servers, user names and passwords.
Note that the tool is not comprehensive in the amount and range of information it gathers. Rather it goes to show that your network is constantly chattering away, unintentionally revealing vast amounts of useful information that an attacker could utilize. This tool highlights some of that data. This is the kind of information that was obtained from systems compromised through the Aurora vulnerability (MS10-002) in Microsoft's Internet Explorer web browser, including, for example, credentials to source control systems, leading to the theft of highly confidential intellectual property.
CSniffer runs on Microsoft Windows systems (Windows 2000 upwards) and attempts to sniff network data in promiscuous mode. It can use one of two methods to achieve this: the Windows raw sockets API (the default) or the WinPcap packet driver (the -w option). Either method necessitates running with administrator privileges.
However, when using Windows raw sockets there is a workaround that allows a regular user to run the tool.
Apply the following registry setting and reboot:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
[DWORD] "AllowUserRawAccess"
Set the value to 1 to allow regular users to use raw sockets.
Applying this registry setting itself requires administrator privileges. However, once the system has rebooted you can use the tool in raw socket mode without administrator privileges.
An attacker who holds administrator rights only briefly (for example through a privilege escalation attack) and applies the registry setting above can afterwards sniff all network traffic from a non-privileged account, something that is not generally known! The value is therefore worth checking when auditing a Windows host.
Other than the aforementioned requirement of running under an administrator-level account, there are some severe limitations when using the built-in Windows raw sockets mode.
The Microsoft raw sockets API has several restrictions that were introduced over the years in an effort to reduce the security risks associated with low-level network packet access. Depending on the platform you are running on you may find that you are limited in what data can be seen on the network. A comprehensive list of all known limitations across Windows operating systems and service pack levels has not been compiled, but here are some known issues. Again, this only applies to Windows raw sockets mode.
If you do not have the ability to use WinPcap your best bet is to use XP SP2 or a server-level OS such as Windows Server 2003.
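The following is an added example, not CSniffer's own code, showing what raw socket mode amounts to under the hood: a raw IPv4 socket switched into promiscuous mode with the SIO_RCVALL ioctl (the recipe from the Python socket module documentation), which is exactly the operation that normally requires an administrator and that the registry value above opens up to regular users. It also includes a decoder for the IPv4/TCP/UDP headers, filters that mirror the -b, -m, -t and -u options, and a read-only audit check of the AllowUserRawAccess value quoted on this page. Whether CSniffer itself uses SIO_RCVALL is not stated on this page and is assumed here. The capture function runs only on Windows; the decoder, filters and registry check run anywhere, and the packet at the bottom is constructed for the demonstration.

```python
"""Promiscuous capture with Windows raw sockets (SIO_RCVALL) plus IPv4/TCP/UDP decoding.

Added example, not CSniffer's code. Registry path and value name are the ones quoted
on this page; the sample packet is constructed, not captured."""
import socket
import struct

REG_PATH = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
REG_VALUE = "AllowUserRawAccess"


def raw_access_allowed():
    """Audit check: True/False if the registry flag is set on this host, None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, REG_VALUE)
            return value == 1
    except FileNotFoundError:          # value absent: default behaviour, admin required
        return False


def decode_ipv4(frame):
    """Split a raw IPv4 packet into the fields a sniffer keys on; None if it is not IPv4."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", frame[2:4])[0], frame[9]
    pkt = {"src": socket.inet_ntoa(frame[12:16]), "dst": socket.inet_ntoa(frame[16:20]),
           "proto": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
           "sport": None, "dport": None, "payload": b""}
    l4 = frame[ihl:total_len]
    if proto == 6 and len(l4) >= 20:           # TCP: ports, then data offset in 32-bit words
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:         # UDP: fixed 8-byte header carrying its own length
        pkt["sport"], pkt["dport"], ulen = struct.unpack("!HHH", l4[:6])
        pkt["payload"] = l4[8:ulen]
    elif proto == 1:
        pkt["payload"] = l4
    return pkt


def wanted(pkt, local_ips=(), tcp_ports=None, udp_ports=None, ignore_self=False):
    """Mirror of the -m / -t / -u filters: drop own traffic, keep only the listed ports."""
    if ignore_self and (pkt["src"] in local_ips or pkt["dst"] in local_ips):
        return False
    if pkt["proto"] == "TCP" and tcp_ports is not None:
        return pkt["sport"] in tcp_ports or pkt["dport"] in tcp_ports
    if pkt["proto"] == "UDP" and udp_ports is not None:
        return pkt["sport"] in udp_ports or pkt["dport"] in udp_ports
    return True


def sniff(bind_ip, handler, **filters):
    """Windows only: receive every IPv4 packet the NIC sees. Needs administrator rights
    unless AllowUserRawAccess has been set as described on this page."""
    if not hasattr(socket, "SIO_RCVALL"):
        raise OSError("SIO_RCVALL is a Windows-only ioctl")
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((bind_ip, 0))                                  # -b: the interface is chosen by its IP
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)          # promiscuous mode
    try:
        while True:
            pkt = decode_ipv4(s.recvfrom(65535)[0])
            if pkt and wanted(pkt, **filters):
                handler(pkt)
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)


def sample_packet():
    """Constructed IPv4/UDP broadcast datagram (NetBIOS name service shape) for testing."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 137, 137, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0,
                     socket.inet_aton("192.168.1.50"), socket.inet_aton("192.168.1.255"))
    return ip + udp


if __name__ == "__main__":
    print("AllowUserRawAccess set:", raw_access_allowed())
    print(decode_ipv4(sample_packet()))
```

On a Windows host run it as administrator (or after the registry change) with, for example, `sniff("192.168.1.10", print, udp_ports={137, 138}, local_ips=("192.168.1.10",), ignore_self=True)`; the audit function is the one to run across a fleet to find hosts where the flag has been left set.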
WinPcap is a free download. Visit http://www.winpcap.org/ for details.
CSniffer is a command-line tool. Syntax for usage can be obtained by typing
CSniffer -h
or
CSniffer -?
CSniffer
Command-line network sniffer and network intelligence gathering tool
Copyright (c) McAfee, Inc. 2010
Syntax:
CSniffer -t <port> -u <port> -i -e -b <IP> -oO <file> -adlmnpsvwx
-a                     Include timestamps in output
-b <IP>                Bind to the given IP address
-d                     Ignore duplicate data when using -p or -n
-e                     Log Ethernet data (WinPcap mode only)
-i                     Log ICMP packets
-l                     List the IP addresses on this system
-m                     Ignore traffic to or from the host (this) machine
-n                     Network intelligence gathering
-o <file>              Send output to file (overwrite)
-O <file>              Send output to file (append)
-p                     Password gathering
-s                     Silent mode. No packet display. Useful with -n and -p
-t <port>[ <port>...]  Log TCP packets. Port can be '*' for any.
-u <port>[ <port>...]  Log UDP packets. Port can be '*' for any.
-v                     Verbose output
-w                     Use WinPcap library instead of Windows raw sockets
-x                     Output packet in Hex&Text format (default text only)
-a
Timestamps will be included in the output for each event.
-b
When using raw sockets mode (default), this specifies which interface will be used, given by an associated IP address. See the -l option. When using raw sockets mode and no interface is specified, an arbitrary one is chosen by default. When using WinPcap, all interfaces are automatically used and this option is ignored.
-d
When used with -p (password gathering) or -n (network intelligence gathering) this option will attempt to only display unique messages from each source IP address. This can cut down on noise.
-e
Ethernet-level data (basically MAC addresses) will be logged. This option is only applicable when using WinPcap (-w). It identifies interesting NIC vendors such as VMware devices. If none of -e, -i, -t or -u are specified, all protocols are automatically examined.
-i
Sniff for ICMP traffic. If none of -e, -i, -t or -u are specified, all protocols are automatically examined.
-l
List the IPv4 addresses for this system. Use the output with -b when binding to a particular NIC. Only applicable to raw socket mode.
-m
Ignore traffic originating from or destined to this system (i.e. the system you're running the tool from). Only IPv4 addresses are supported for now.
-n
Enable network intelligence gathering mode. Interesting data packets are decoded and presented to the user. The currently supported protocols are HTTP HEAD, GET, POST and OPTIONS requests (various TCP ports), BootP/DHCP (UDP ports 67, 68), TFTP (UDP port 69), NetBIOS Name Requests (UDP port 137), NetBIOS Browser Service (UDP port 138) and SSDP (UDP port 1900). In addition some interesting MAC vendors are identified and detected IPv6 addresses on the network are shown.
-o
Send output to the given file. Output is simultaneously displayed in the command window and saved to the specified file. If the file exists its contents are deleted.
-O
Send output to the given file. Output is simultaneously displayed in the command window and saved to the specified file. If the file exists its contents are appended with the new output.
-p
Password gathering mode. Common protocols are examined for credentials and these are displayed in the output. The currently supported protocols are FTP (TCP port 21), POP3 (TCP port 110), NNTP (TCP port 119), SMB hashes (TCP port 445), Perforce (TCP port 1666) and many common HTTP ports (HTTP Basic authentication, which only base64-encodes the user name and password).
-s
Silent mode. No packet dumps are displayed. Useful if you are not interested in the actual raw contents of the packets.
-t
Log TCP packets. Optional port numbers to examine can be specified. If none of -e, -i, -t or -u are specified, all protocols are automatically examined.
-u
Log UDP packets. Optional port numbers to examine can be specified. If none of -e, -i, -t or -u are specified, all protocols are automatically examined.
-v
Verbose mode. Displays which command options are specified on the command line. Use this option as the first parameter.
-w
Use the WinPcap packet driver rather than the Windows raw sockets API. This option is highly recommended but requires you already have WinPcap installed.
-x
Output the packet's raw contents in Hex and Text format. Without this option the output format is text only.
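To make concrete what the -n mode extracts from broadcast traffic, here is an added example (not CSniffer's code) that decodes NetBIOS Name Service datagrams (UDP port 137), the protocol behind the "NetBIOS Name Requests" entry above. It reverses the RFC 1001/1002 first-level name encoding, classifies the request (query, registration, release) and pulls the registering host's IPv4 address out of the additional record, which is how a passive listener learns hostnames, roles (file server, master browser, domain controller) and live addresses without sending a packet. The two datagrams at the bottom are constructed with the included builder; they are not captures.

```python
"""Decode NetBIOS Name Service (UDP/137) requests the way a passive sniffer would.

Added example, not CSniffer's code. Packets below are constructed, not captured."""
import struct

# Common NetBIOS name suffix bytes (RFC 1001/1002 and Microsoft usage).
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser",
            0x1E: "browser election", 0x20: "file server"}
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}
QTYPES = {0x20: "NB", 0x21: "NBSTAT"}


def encode_name(name, suffix):
    """First-level encoding: 15 space-padded chars + suffix byte -> 32 letters in A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_name(encoded):
    """Reverse of encode_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _read_name(buf, off):
    """Read a DNS-style label sequence (or a 0xC0xx pointer) at off; return (first label, new off)."""
    if buf[off] & 0xC0 == 0xC0:                      # compression pointer, used in registrations
        ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
        return _read_name(buf, ptr)[0], off + 2
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n])
        off += 1 + n
    return labels[0] if labels else b"", off + 1     # NBNS names are a single 32-byte label


def parse_nbns(dgram):
    """Return what a sniffer learns from one NBNS datagram: who asks for or registers what."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dgram[:12])
    info = {"tid": tid, "opcode": OPCODES.get((flags >> 11) & 0xF, "?"),
            "response": bool(flags & 0x8000), "broadcast": bool(flags & 0x0010),
            "questions": [], "registered_ip": None}
    off = 12
    for _ in range(qd):
        enc, off = _read_name(dgram, off)
        qtype, _qclass = struct.unpack("!HH", dgram[off:off + 4])
        off += 4
        name, suffix = decode_name(enc)
        info["questions"].append({"name": name, "suffix": suffix,
                                  "role": SUFFIXES.get(suffix, hex(suffix)),
                                  "qtype": QTYPES.get(qtype, hex(qtype))})
    for _ in range(an + ns + ar):                    # registrations carry the owner's IP in an RR
        _enc, off = _read_name(dgram, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", dgram[off:off + 10])
        off += 10
        rdata = dgram[off:off + rdlen]
        off += rdlen
        if rtype == 0x20 and rdlen == 6:             # NB record: NB_FLAGS(2) + IPv4(4)
            info["registered_ip"] = ".".join(str(b) for b in rdata[2:6])
    return info


def build_nbns(tid, flags, name, suffix, qtype=0x20, ip=None):
    """Construct a sample NBNS query (ip=None) or registration (ip given); test input only."""
    q = b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack("!HH", qtype, 1)
    if ip is None:
        return struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0) + q
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", 0x20, 1, 300000, 6)
          + b"\x00\x00" + bytes(int(x) for x in ip.split(".")))
    return struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 1) + q + rr


# Constructed samples: a broadcast name query and a broadcast name registration.
QUERY = build_nbns(0x1234, 0x0110, "FILESRV01", 0x20)
REGISTRATION = build_nbns(0x5678, 0x2910, "WORKSTATION1", 0x00, ip="192.168.1.50")

if __name__ == "__main__":
    for pkt in (QUERY, REGISTRATION):
        print(parse_nbns(pkt))
```

The registration is the interesting case for discovery: a host announcing its own name and address to the broadcast domain on boot is a complete "live system plus hostname" record obtained from a single datagram that was never addressed to the listener.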
Usage is best demonstrated through examples. All examples shown here are specifying the use of WinPcap (-w).
Show the tool's syntax.
CSniffer -h
Raw packet capture of everything, displaying text-only output (default).
CSniffer -w
Raw packet capture of everything, displaying Hex and Text output.
CSniffer -wx
Raw packet capture of TCP port 80 traffic, displaying Hex and Text output.
CSniffer -wx -t 80
Raw packet capture of TCP port 80 and port 8080 traffic, displaying Hex and Text output.
CSniffer -wx -t 80 8080
Raw packet capture of TCP port 80 and UDP port 137 traffic, displaying Hex and Text output.
CSniffer -wx -t 80 -u 137
Network intelligence gathering mode. Don't display packet dumps.
CSniffer -wns
Network intelligence gathering mode for UDP port 138 traffic only. Remove duplicate entries. Don't display packet dumps.
CSniffer -wnds -u 138
Password monitoring mode. All protocols. Remove duplicate entries. Don't display packet dumps.
CSniffer -wpds
Network intelligence gathering and password sniffing. Remove duplicate entries. Don't display packet dumps.
CSniffer -wnpds
Network intelligence gathering and password sniffing. Remove duplicate entries. Don't display packet dumps. Ignore traffic to and from this machine
CSniffer -wnpdsm
Network intelligence gathering and password sniffing. Remove duplicate entries. Don't display packet dumps. Ignore traffic to and from this machine. Send output to a file.
CSniffer -wnpsdm -o log.txt
Network intelligence gathering and password sniffing. Remove duplicate entries. Don't display packet dumps. Ignore traffic to and from this machine. Send output to a file, appending to it.
CSniffer -wnpsdm -O log.txt
Network intelligence gathering and password sniffing. Remove duplicate entries. Don't display packet dumps. Ignore traffic to and from this machine. Show timestamps. Send output to a file, appending to it.
CSniffer -wnpsdma -O log.txt
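The password-gathering mode used in the -p examples above (and described under the -p option) relies on protocols that send credentials in the clear. The following added example, not CSniffer's code, shows the core of such a mode for FTP, POP3, NNTP and HTTP Basic authentication: the user name and password arrive in separate TCP segments, so the extractor keeps per-flow state to pair them, and it reports each credential once, as the -d option does. All traffic below is constructed inline; the hosts, users and passwords are invented for the demonstration.

```python
"""Pull cleartext credentials out of TCP payloads the way a password-gathering mode does.

Added example, not CSniffer's code. Packets below are constructed, not captured."""
import base64
import re

CLEARTEXT_LOGIN_PORTS = {21: "FTP", 110: "POP3", 119: "NNTP"}
HTTP_PORTS = {80, 8000, 8080, 8888}
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def decode_basic(token):
    """'dXNlcjpwdw==' -> ('user', 'pw'); None if the token is not base64 of user:password."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:                 # binascii.Error is a subclass of ValueError
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


class CredentialSniffer:
    def __init__(self, dedupe=True):
        self.dedupe = dedupe           # the -d behaviour: report each credential once
        self._pending = {}             # (src, dst, dport) -> user name waiting for its PASS
        self._seen = set()
        self.found = []

    def _record(self, proto, src, dst, dport, user, password, target=None):
        key = (proto, src, dst, user, password)
        if self.dedupe and key in self._seen:
            return
        self._seen.add(key)
        self.found.append({"proto": proto, "src": src, "dst": dst, "port": dport,
                           "target": target or dst, "user": user, "password": password})

    def feed(self, src, dst, dport, payload):
        """Process one client-to-server TCP payload."""
        text = payload.decode("latin-1")
        if dport in HTTP_PORTS:
            m = BASIC_RE.search(text)
            creds = decode_basic(m.group(1)) if m else None
            if creds:
                host = HOST_RE.search(text)
                self._record("HTTP Basic", src, dst, dport, *creds,
                             target=host.group(1) if host else None)
            return
        proto = CLEARTEXT_LOGIN_PORTS.get(dport)
        if proto is None:
            return
        flow = (src, dst, dport)
        for line in text.splitlines():
            verb, _, arg = line.strip().partition(" ")
            if proto == "NNTP" and verb.upper() == "AUTHINFO":   # AUTHINFO USER x / AUTHINFO PASS y
                verb, _, arg = arg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                self._pending[flow] = arg
            elif verb == "PASS":
                user = self._pending.pop(flow, None)
                if user is not None:
                    self._record(proto, src, dst, dport, user, arg)


# Constructed traffic as (src, dst, dport, payload): two logins interleave, one user
# logs in twice, and one HTTP request carries Basic authentication.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, b"USER bob@example.test\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, b"PASS s3cret!\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, b"PASS hunter2\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),              # second login, same flow
    ("10.0.0.5", "10.0.0.20", 21, b"PASS s3cret!\r\n"),
    ("10.0.0.9", "10.0.0.40", 119, b"AUTHINFO USER carol\r\nAUTHINFO PASS n3ws\r\n"),
    ("10.0.0.5", "10.0.0.50", 8080, b"GET /repo HTTP/1.1\r\nHost: scm.corp.test\r\n"
                                    b"Authorization: Basic " + base64.b64encode(b"dave:Tr0ub4dor")
                                    + b"\r\n\r\n"),
]


def run_sample(dedupe=True):
    """Feed the constructed packets through the sniffer and return what it found."""
    s = CredentialSniffer(dedupe=dedupe)
    for pkt in SAMPLE_PACKETS:
        s.feed(*pkt)
    return s.found


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['proto']:10} {hit['src']} -> {hit['target']}:{hit['port']}  "
              f"{hit['user']} / {hit['password']}")
```

Feeding it real traffic means wiring it to a decoder that hands over TCP payloads with their addresses and destination port; the HTTP case also illustrates why the page calls Basic auth a credential leak: base64 is an encoding, not protection, and anyone on the broadcast domain who sees the request recovers the password.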
Check the McAfee website for updates to this tool.
Please submit all questions, comments, and inquiries regarding McAfee free tools via email only: freetools@mcafee.com. Although McAfee does not offer technical or customer support for these tools, your feedback and bug reporting are appreciated.