Re: promiscuous Mode detection?
From: blitzkrieg (blitzkrieg@sitoverde.com)
Date: 12/06/01
- Previous message: matthew.huck@tab.co.nz: "Procmail virus filtering"
- In reply to: Christian Steinert: "promiscuous Mode detection?"
- Next in thread: GomoR: "Re: promiscuous Mode detection?"
Date: Thu, 6 Dec 2001 20:29:32 +0100
From: blitzkrieg <blitzkrieg@sitoverde.com>
To: Christian Steinert <christian.steinert@by-your-site.de>

On Wed, Dec 05, 2001 at 12:57:03PM +0100, Christian Steinert wrote:
> Anything more you can use to remotely discover listening network
> stations?

If the sniffer is stand-alone, i.e. passive, it's theoretically
impossible to discover it.

Besides the DNS reply check, network latency test and forged MAC test,
there are a few other methods...

- ARP test
  Send an ARP request to a non-broadcast suspicious address; if
  it replies, this is the sniffer.
- Source route
  Create a packet (ICMP echo) with the loose source parameter
  (destination sniffer), and send it to a host that can't route
  it. If you receive a reply, you have located it.
- Decoy test
  [if you can control the logs of one server]
  Create a packet (for example POP3) with a fake user-pass, then check
  the logs of your server; if you find another entry with the faked
  user-pass...
- Hub lights
  Watch the hub's LEDs for unexpected connections.

And possibly others, depending on your fantasy :)

Ciao
-- blitzkrieg
PS I apologize for my English
--
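
The log check behind the decoy test in the message above, as an added example that is not part of the original post. The log line format, the decoy account name and the addresses are constructed assumptions; adapt the regular expression to whatever your POP3 server actually writes.

```python
import re
from collections import Counter

# Constructed log format (an assumption, not any real POP3 daemon's):
#   <timestamp> pop3d: auth <ok|failed> user=<name> rip=<client ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3d: auth (?:ok|failed) user=(?P<user>\S+) rip=(?P<rip>\S+)$"
)

def find_decoy_reuse(log_lines, decoys):
    """Flag every use of a decoy account beyond the single planted login.

    decoys maps each fake username to the address it was planted from;
    each decoy is assumed to have been sent across the wire exactly once.
    """
    planted_seen = Counter()
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["user"] not in decoys:
            continue  # unparsable line or ordinary account
        user, rip = m["user"], m["rip"]
        if rip != decoys[user]:
            hits.append((m["ts"], user, rip, "foreign source"))
            continue
        planted_seen[user] += 1
        if planted_seen[user] > 1:
            hits.append((m["ts"], user, rip, "repeat from planting address"))
    return hits

# Constructed sample data (RFC 5737 documentation addresses).
DECOYS = {"decoy_7f3a": "192.0.2.20"}
SAMPLE_LOG = """\
2001-12-06T20:30:01 pop3d: auth ok user=alice rip=192.0.2.10
2001-12-06T20:31:15 pop3d: auth failed user=decoy_7f3a rip=192.0.2.20
2001-12-06T20:32:40 pop3d: auth failed user=bob rip=192.0.2.11
2001-12-06T21:05:09 pop3d: auth failed user=decoy_7f3a rip=192.0.2.66
this line does not match the format and is skipped
2001-12-06T21:07:30 pop3d: auth failed user=decoy_7f3a rip=192.0.2.20
""".splitlines()

if __name__ == "__main__":
    for hit in find_decoy_reuse(SAMPLE_LOG, DECOYS):
        print(*hit)
```

A hit shows that the decoy credentials were captured somewhere on the path; the source address is where they were replayed from, which need not be the sniffing host itself.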