Re: A Solution for sniffing

From: Shanon (liquid_nitrogen79@hotmail.com)
Date: 12/20/02

    From: "Shanon" <liquid_nitrogen79@hotmail.com>
    To: <Bruce.Orcutt@alltel.com>, <SMerrell@avbpgh.com>
    Date: Sat, 21 Dec 2002 02:05:58 +0530
    
    

    Not only DNS, but IMO a lot of things should not be run on the sniffer machine,
    whatever it is.

    Try composing a mail and sending it while some ARP sniffer (MITM attack) like
    ettercap is running :)) .... for me the destined recipient was spammed with
    the same copy for three days :))

    There are lots of white papers floating around that explain how to detect if some
    machine is in promiscuous mode, like
    by sending an echo reply packet (ARP, any query, etc.) to some host and seeing how
    many replies you get in return.....
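The probe Shanon alludes to, written out as an added example (this is not code from the thread or from any tool the posters mention): an ARP request whose Ethernet destination is the bogus address ff:ff:ff:ff:ff:fe. A NIC in normal mode discards the frame in its hardware filter, but a promiscuous NIC passes it up and the Linux/BSD stack answers the ARP request as if it had been a real broadcast. The interface name, MACs and addresses below are assumptions; the send path uses Linux AF_PACKET and needs CAP_NET_RAW.

```python
# Added example (not from the thread): the "bogus destination MAC" promiscuous
# mode probe. Interface, MACs and IPs in the usage line are assumptions.
import socket
import struct

ETH_P_ARP = 0x0806
# Not a real broadcast address: a NIC in normal mode drops the frame in its
# hardware filter; a promiscuous NIC accepts it and the kernel answers anyway.
BOGUS_DST_MAC = bytes.fromhex("fffffffffffe")
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, opcode, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe(src_mac: str, src_ip: str, target_ip: str,
                dst_mac: bytes = BOGUS_DST_MAC) -> bytes:
    """Ethernet II frame carrying an ARP who-has <target_ip> request (42 bytes)."""
    eth = dst_mac + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """(sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    hw, proto, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (hw, proto, hlen, plen, op) != (1, 0x0800, 6, 4, 2):
        return None
    return mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def is_promiscuous_reply(frame: bytes, target_ip: str) -> bool:
    """True if <frame> is an ARP reply from target_ip: its stack processed a
    frame that a non-promiscuous NIC would have dropped."""
    parsed = parse_arp_reply(frame)
    return parsed is not None and parsed[1] == target_ip


def probe_host(iface: str, src_mac: str, src_ip: str, target_ip: str,
               timeout: float = 1.0):
    """Send the probe on <iface> (Linux AF_PACKET, needs CAP_NET_RAW) and return
    the MAC that answered, or None if nothing answered within <timeout> seconds."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    try:
        sock.bind((iface, 0))
        sock.settimeout(timeout)
        sock.send(build_probe(src_mac, src_ip, target_ip))
        while True:
            frame = sock.recv(2048)
            if is_promiscuous_reply(frame, target_ip):
                return parse_arp_reply(frame)[0]
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # assumed usage: probe.py eth0 00:11:22:33:44:55 192.168.1.10 192.168.1.20
    iface, src_mac, src_ip, target_ip = sys.argv[1:5]
    answer = probe_host(iface, src_mac, src_ip, target_ip)
    print(f"{target_ip}: " + (f"promiscuous (answered from {answer})" if answer else "no answer"))
```

Two practical notes. On a switched segment the switch has no table entry for ff:ff:ff:ff:ff:fe, so it floods the frame to every port and the probe still reaches the target. And only a positive result means anything: which bogus addresses a stack answers depends on the OS, a driver or bridge may filter in software, and a sniffer built to never answer (no IP stack on the capture interface, or a receive-only tap) stays invisible to this test, which is exactly the circumvention Bruce describes further down.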

    ----- Original Message -----
    From: <Bruce.Orcutt@alltel.com>
    To: <SMerrell@avbpgh.com>
    Cc: <security-basics@securityfocus.com>
    Sent: Wednesday, December 18, 2002 11:15 PM
    Subject: RE: A Solution for sniffing

    Actually, I had never heard of Anti-Sniff before.

    Looks interesting, but looks easily circumvented by a determined techie.

    Anti-Sniff has three major components:

    1) NT based:

    Easiest way to avoid is not run Windows NT on the Sniffer :)

    2) DNS:

    Easy way to avoid is not to use DNS on the Sniffer; take the logs from the
    Sniffer and use them to do the DNS lookups desired at a later date on a later
    machine. You can easily set up a simple program to read in a table of IPs, then
    convert them into DNS names, and re-write the table.

    3) Timing with a flood:

    Don't know about your network, but I know I would not want to add the extra
    traffic of a flood of packets. Also, it's pretty easy to add a little
    intelligence into your Sniffer so that if it receives X number of packets in Y
    number of seconds, it shuts down promiscuous mode temporarily. Also, with
    faster and faster NICs coming out, more and more packets are able to be
    processed, thus necessitating an increase in the size of the flood, thus
    causing more problems associated with flooding a network.

    Just some of my thoughts at least

    -----Original Message-----
    From: Merrell, Sam [mailto:SMerrell@avbpgh.com]
    Sent: Wednesday, December 18, 2002 12:18 PM
    To: Orcutt, Bruce
    Subject: RE: A Solution for sniffing

    What about L0pht's Anti-sniff product? Is that still available?

    -----Original Message-----
    From: Bruce.Orcutt@alltel.com [mailto:Bruce.Orcutt@alltel.com]
    Sent: Tuesday, December 17, 2002 12:19 PM
    To: fadi@lebrocks.com; security-basics@securityfocus.com
    Subject: RE: A Solution for sniffing

    As sniffing is a passive act, there is no way that you can detect the act
    itself, unless you have access to the machine that's doing the possible
    sniffing itself.

    Perhaps one of the simplest ways to ensure sniffing is made much more
    difficult, at the least, is by switching from a hub-type network to a switched
    network. In a switched environment, other users cannot see each other's
    network streams, thus providing a layer of protection.

    Of course, like all techniques, this can be gotten around by various
    additional techniques, but it does make life more difficult for would-be
    sniffers. (i.e.: user installs a hub via an uplink port to the switched segment,
    and connects the target's system and a sniffing machine to the hub.)

    -----Original Message-----
    From: fadi@lebrocks.com [mailto:fadi@lebrocks.com]
    Sent: Tuesday, December 17, 2002 5:41 AM
    To: security-basics@securityfocus.com
    Subject: A Solution for sniffing

    Hello Folks,
    I think I am being sniffed by someone on my network, and I was wondering: is
    there an application to check whether I am being sniffed or not, and if I
    am, how can I fix that? (like PGP for mail, what about other protocols)

    P.S. : Running Linux Slackware 8.1 (if that would help)

    cheers,
    Fadi R. Khouja
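Shanon's ettercap story and Bruce's remark that a switched network only raises the bar both come down to ARP: on a switch the attacker has to poison the ARP caches of the victim and the gateway so that both send their frames to the attacker's MAC, and that poisoning is visible on the wire. As an added example (not code from any poster, and not any existing tool), the watcher below flags an IP that suddenly answers from a new MAC, and the stronger signal, one MAC claiming the gateway's IP and another host's IP at the same time. The gateway address, the sample replies and the tcpdump line format it parses are assumptions constructed for the example.

```python
# Added example (not from the thread): flag ARP-cache poisoning of the kind
# ettercap performs by watching ARP replies. Gateway address and sample data
# are assumptions constructed for this example.
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the segment being watched

# Matches the reply line printed by `tcpdump -n -e -l arp` (format assumed
# for this example): "<time> <src> > <dst>, ... Reply <ip> is-at <mac>, ..."
_TCPDUMP_REPLY = re.compile(
    r"^(\S+) .*Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

# Constructed sample: (timestamp, sender_ip, sender_mac) taken from ARP replies.
# The attacker (..cc:cc:cc) first takes over the gateway's IP, then the victim's.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "00:0c:29:aa:aa:aa"),
    (0.5, "192.168.1.20", "00:0c:29:bb:bb:bb"),
    (1.0, "192.168.1.20", "00:0c:29:bb:bb:bb"),
    (5.0, "192.168.1.1",  "00:0c:29:cc:cc:cc"),
    (5.1, "192.168.1.20", "00:0c:29:cc:cc:cc"),
    (6.0, "192.168.1.1",  "00:0c:29:cc:cc:cc"),
]


def parse_tcpdump_line(line: str):
    """(timestamp, ip, mac) from a tcpdump ARP reply line, else None."""
    m = _TCPDUMP_REPLY.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3).lower()


class ArpWatch:
    """Keeps the IP->MAC view of the segment and raises two kinds of alert:
    CHANGED: an IP that answered from one MAC now answers from another
             (also happens on a NIC swap or DHCP churn, so it is a lead, not proof);
    MITM?:   one MAC claims the gateway *and* another host's IP, the signature of
             a full-duplex ARP MITM such as ettercap's."""

    def __init__(self, gateway_ip: str = GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ts, ip: str, mac: str):
        mac = mac.lower()
        new_alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            new_alerts.append(f"{ts} CHANGED {ip}: {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if ip not in claimed:               # alert once per new (mac, ip) claim
            claimed.add(ip)
            if self.gateway_ip in claimed and len(claimed) > 1:
                new_alerts.append(f"{ts} MITM? {mac} claims {sorted(claimed)}")
        self.alerts.extend(new_alerts)
        return new_alerts


def run(replies, gateway_ip: str = GATEWAY_IP):
    """Feed (ts, ip, mac) tuples through ArpWatch and return every alert raised."""
    watch = ArpWatch(gateway_ip)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["-"]:   # assumed live use: tcpdump -n -e -l arp | python3 arpwatch_min.py -
        watch = ArpWatch()
        for line in sys.stdin:
            parsed = parse_tcpdump_line(line)
            if parsed:
                for alert in watch.observe(*parsed):
                    print(alert, flush=True)
    else:
        for alert in run(SAMPLE_REPLIES):
            print(alert)
```

Run against the constructed sample it stays quiet for the first three replies and then reports the gateway and the victim both moving to the attacker's MAC, followed by the MITM? line. Hosts that legitimately own several addresses, such as a router that also holds a secondary IP or a VRRP pair failing over, trigger the same heuristic, so keep a small allow-list of known multi-IP MACs before trusting the alert.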
