Re: False negative on anti sniffing programme.
captgoodnight_at_acsalaska.net
Date: 06/18/04
- Previous message: Ranjeet Shetye: "Re: Strange pings from 127.0.0.1"
- In reply to: asharma_at_ita.hsr.ch: "False negative on anti sniffing programme."
To: security-basics@securityfocus.com
Date: Fri, 18 Jun 2004 13:08:20 -0800
On Thursday 17 June 2004 07:03 am, asharma@ita.hsr.ch wrote:
> followed the approach of sending arp request packets to the IP of the
> machine with the arp address resembling but not equal to a broadcast
> address. I am receiving good responses from most of test runs, however
> some linux based machines - with Kernel 2.4.20-8 and 2.4.18 seem to
> be responding to these packets despite not being in promiscuous mode.
> I fail to understand why this should be possible.
> Your comments would be invaluable.
Just got done working on this. The best info I found on the subject was from this pdf.
http://securityfriday.com/promiscuous_detection_01.pdf
I personally use
http://www.habets.pp.se/synscan/programs.php
The syntax I use is
./arping -s 00:50:2C:08:97:F0 -S 192.168.0.4 -t FF:FF:FF:FF:FF:FE xxx.xxx.xxx.xxx
            ^src mac             ^src ip        ^bad brdcst       ^target
Works like a charm. As for the unexpected results you're having, read page 13 of the pdf. It mentions
some 3com nics and unexpected results. This may be the issue; there's a solution.
Also, decoys are a sneaky way to detect baddies too. I use netcat to throw PASS/USER decoy packets out on the
network. If I see these in the logs where they're not supposed to be, then there's an issue.
I hope that helps.
captgoodnight
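
The fake-broadcast ARP probe discussed in this message, as an added example that is not part of the original post or of the arping tool: it builds the probe frame and checks a captured reply offline. The target address 192.168.0.9, the host MAC, the real-broadcast baseline probe and all function names are assumptions made for illustration.

```python
import socket
import struct

FAKE_BCAST = bytes.fromhex("fffffffffffe")   # the "bad broadcast" MAC from the post
REAL_BCAST = b"\xff" * 6                     # baseline probe (assumption, not in the post)
ETH_ARP = struct.pack("!H", 0x0806)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_probe(src_mac, src_ip, target_ip, dst_mac):
    """Ethernet header + ARP who-has for target_ip, delivered to dst_mac."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # Ethernet/IPv4, op 1 = request
    arp += src_mac + socket.inet_aton(src_ip)              # sender MAC / IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)       # target MAC unknown / IP
    return dst_mac + src_mac + ETH_ARP + arp

def is_reply_to(frame, probe):
    """True if frame is an ARP reply from the probed IP sent back to the prober."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return False
    opcode = struct.unpack("!H", frame[20:22])[0]
    return (opcode == 2
            and frame[28:32] == probe[38:42]               # reply sender IP == probed IP
            and frame[32:38] == probe[6:12])               # reply target MAC == our MAC

def verdict(answered_real, answered_fake):
    if not answered_real:
        return "no-baseline"      # host down or filtered: the fake probe proves nothing
    if answered_fake:
        return "suspect"          # accepted a frame the NIC filter should have dropped
    return "normal"

def demo():
    me, me_ip, host_ip = mac("00:50:2C:08:97:F0"), "192.168.0.4", "192.168.0.9"
    host_mac = mac("02:00:00:00:00:09")                    # constructed
    probe = build_probe(me, me_ip, host_ip, FAKE_BCAST)
    # Constructed capture: the reply a host would send if it processed the probe.
    reply = (me + host_mac + ETH_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
             + host_mac + socket.inet_aton(host_ip) + me + socket.inet_aton(me_ip))
    return verdict(True, is_reply_to(reply, probe))
```

A "suspect" result is a lead to confirm on the host, not proof: the thread reports Linux 2.4.20-8 and 2.4.18 machines and some 3Com NICs answering this probe without being in promiscuous mode.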