RE: A Solution for sniffing

From: Hay, Brennan (Contractor) (HayB@ncr.disa.mil)
Date: 12/23/02

    From: "Hay, Brennan (Contractor)" <HayB@ncr.disa.mil>
    To: security-basics@securityfocus.com
    Date: Mon, 23 Dec 2002 11:13:11 -0500
    
    

    You could use something like antisniff from @stake.

    Another solution would be to stand up a *nix or Windows box with a name like
    database or something that sounds interesting. Create a highly restricted
    account on the dummy database box. Automate clients telnetting/logging in,
    or doing something that is sure to get sniffed. If any computer besides
    the clients starts to telnet/log in, set off an alarm. That way you know
    for sure if someone is sniffing.

    Brennan

    -----Original Message-----
    From: Janssen, Steph [mailto:s.janssen@ictk.wegener.nl]
    Sent: Friday, December 20, 2002 6:19 AM
    To: Peter Letford; security-basics@securityfocus.com
    Subject: RE: A Solution for sniffing

    I'm afraid it only brings a small amount of safety. Also the promiscuous part
    is getting a bit different.

    Nowadays most people who sniff, sniff using tools that poison your
    arp-cache, in your switches. http://ettercap.sourceforge.net/ is a good
    example of these foul tools. They are too easy to use too. My hobby is
    lanparties, and I've seen many kids visiting using it. They don't understand
    a bit of what they're doing, but hey, it delivers them passwords.

    This makes the machine sniffing you the machine in the middle, and should it
    detect an ssh-connection, it will "put you through" like a receptionist, that
    way maintaining two sessions. One with you, and one with the server you
    think you are directly connected with. There are quite some tools that are
    capable of detecting such things (for instance the sniffer named above), but
    the safest thing to do against this is configuring your switches and such
    in a way you can only change your mac-address once or twice a day. Mac-address
    poisoning is done by telling switches and machines constantly you are those
    macs. If you locked your switches to a mac a day per port, you would lose
    your connection on a sniffer attempt, and that would be all you could do! :)

    So, the days that just ssh, or a switched network would help you out are
    over. I'm still waiting for good remedies, and decent anti-material, or
    detection for it... Though snort (http://www.snort.org/) and such tools can
    often easily detect the event, it's still a problem. Detection doesn't solve
    anything, and tracing cables and ports in switches isn't a fun and quick
    thing either...

    Kind regards,

    Steph Janssen

    -----Original Message-----
    From: Peter Letford [mailto:peter@letford.co.uk]
    Sent: Wednesday, December 18, 2002 18:31
    To: security-basics@securityfocus.com
    Subject: Re: A Solution for sniffing

    Not sure but somebody else may have said this.

    You could employ an IP level encryption using IPSec or tunnel your data
    through SSH to another machine that they aren't going to be sniffing and
    then to the internet?

    Then at least whilst you try and solve who's sniffing your packets, you will
    be secure.

    Peter

    ----- Original Message -----
    From: <fadi@lebrocks.com>
    To: <security-basics@securityfocus.com>
    Sent: Tuesday, December 17, 2002 10:40 AM
    Subject: A Solution for sniffing

    >
    > Hello Folks,
    > I think I am being sniffed by someone on my network, and I was wondering, is
    > there an application to check whether I am being sniffed or not, and if I
    > was, how can I fix that? (like PGP for mail, what about other protocols)
    >
    > P.S. : Running Linux Slackware 8.1 (if that would help)
    >
    > cheers,
    > Fadi R. Khouja
    >
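
The decoy-box check from Brennan's reply at the top of this thread, as an added example that is not part of the original messages: it scans the dummy box's login log and raises an alert whenever a host other than the automated bait clients logs in. The account name, client addresses and log lines are constructed, and the log format (modelled on login(1) syslog messages) is an assumption.

```python
import re
from ipaddress import ip_address

# Hypothetical values: the restricted decoy account and the automated
# clients that are supposed to log in with it.
DECOY_ACCOUNT = "dbreport"
BAIT_CLIENTS = {ip_address("10.0.0.21"), ip_address("10.0.0.22")}

# Assumed log format, modelled on login(1) syslog messages.
LOGIN_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ login(?:\[\d+\])?: "
    r"(?:LOGIN ON \S+ BY (?P<ok_user>\S+) FROM (?P<ok_src>\S+)"
    r"|FAILED LOGIN \d+ FROM (?P<bad_src>\S+) FOR (?P<bad_user>[^,\s]+))"
)

def find_alerts(lines):
    """Return (severity, timestamp, source, user) for every login attempt
    on the decoy box that did not come from a known bait client."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        succeeded = m["ok_user"] is not None
        user = m["ok_user"] or m["bad_user"]
        src_text = m["ok_src"] or m["bad_src"]
        try:
            src = ip_address(src_text)
        except ValueError:
            src = None  # hostname or junk: cannot be a listed bait client
        if src in BAIT_CLIENTS:
            continue  # expected, scripted bait traffic
        if user == DECOY_ACCOUNT and succeeded:
            severity = "high"    # bait credentials worked from another host
        elif user == DECOY_ACCOUNT:
            severity = "medium"  # someone knows the decoy account name
        else:
            severity = "low"     # unexpected host probing the decoy box
        alerts.append((severity, m["ts"], src_text, user))
    return alerts

# Constructed sample log from the decoy box.
SAMPLE_LOG = """\
Dec 23 11:00:01 database login[812]: LOGIN ON pts/0 BY dbreport FROM 10.0.0.21
Dec 23 11:05:01 database login[815]: LOGIN ON pts/0 BY dbreport FROM 10.0.0.22
Dec 23 11:07:44 database login[819]: LOGIN ON pts/1 BY dbreport FROM 10.0.0.87
Dec 23 11:09:10 database login[823]: FAILED LOGIN 1 FROM 10.0.0.87 FOR root, Authentication failure
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

A successful login with the decoy account from a non-client address is the strongest signal, since those credentials only ever crossed the wire in the bait sessions.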