Password sniffing is an attack on the Internet that is used to steal user names and passwords from the network. Today, it is mostly of historical interest, as most protocols nowadays use strong encryption for passwords. However, it used to be the worst security problem on the Internet in the 1990s, when news of major password sniffing attacks were almost weekly.
The password sniffing problem was largely solved by SSH, which replaced several prior insecure protocols. Many other protocols have also introduced encryption or at least hashing of passwords, which makes this attack less practical. However, various other credentials stealing and replay attacks are still widely used. Man-in-the-middle attacks are commonly used for stealing passwords and credentials today.
Typical Password Sniffing Implementation
The typical implementation of a password sniffing attack involves gaining access to a computer connected to a local area network and installing a
password sniffer on it. The password sniffer is a small program that listens to all traffic in the attached network(s), builds data streams out of TCP/IP packets, and extracts user names and passwords from those streams that contain protocols that send cleartext passwords. (A similar approach can be applied to other credentials.)
I (Tatu Ylonen) once tried to implement such an attack as an experiment. It took me three hours to have a program that processed the data from each TCP/IP stream separately and extracted information from them. It is not a difficult attack to code.
The attack can also be performed in switches, routers, and printers. It is common nowadays for attackers to install presence on such devices. They don't run anti-virus and aren't easy to audit. Furthermore, traffic naturally goes through switches and routers, so no extra network packets need to be sent to fool switches into sending traffic of interest to the listening node.
There are many implementations of password sniffers, many dating back to 1990s. Here are just some examples:
- SniffPass from NirSoft
- Password Sniffer Spy
- FTP password sniffer
- Sniffing Out Passwords and Cookies
- Ace Password Sniffer
- Password Sniffing with Metasploit
- Build an FTP Password Sniffer with Scapy and Python
Besides adding encryption, various other developments have made wide-scale password sniffing somewhat more difficult. However, encryption is the only reliable solution, and due to man-in-the-middle attack risks, the encryption must include proper authentication of communicating parties.
- In the 1990s, thick ethernet was common, and every host typically saw all traffic in the network. Thus, it was enough to put a network interface into
promiscuous modeto see all traffic. Today, networks use switches and star-like topologies, which make this more difficult. However, it is often possible to fool switches to send traffic to any host, or perform the attack on the switch itself.
- Some enterprises hard-code MAC addresses for each network port in switches and update and set passwords on switches. Such configurations may make this attack difficult. However, it is impossible to control all switches and routers on long-distance connections.
- Intrusion detection systems may be able to detect log records resulting from some techniques of getting the traffic to the attacker's system. However, attacks performed by installing software on switches (e.g., using default passwords) generally cannot be detected this way, and most smaller organizations don't deploy intrusion detection systems today.