Re: False negative on anti sniffing programme.
From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 06/22/04
- Previous message: Andrew Aris: "Strange pings from 127.0.0.1"
- In reply to: captgoodnight_at_acsalaska.net: "Re: False negative on anti sniffing programme."
- Next in thread: captgoodnight_at_acsalaska.net: "Re: False negative on anti sniffing programme."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Jun 2004 12:18:22 -0700
To: security-basics@securityfocus.com
* captgoodnight@acsalaska.net (captgoodnight@acsalaska.net) wrote:
> On Thursday 17 June 2004 07:03 am, asharma@ita.hsr.ch wrote:
>
> > followed the approach of sending arp request packets to the IP of the
> > machine with the arp address resembling but not equal to a broadcast
> > address . I am receiving good responses from most of test runs, however
> > some linux based machines - with Kernel 2.4.20-8 and 2.4.18 seem to be
> > responding to these packets despite not being in promiscuous mode.
> > I fail to understand why this should be possible.
> > Your comments would be invaluable.
>
> Just got done working on this. The best info I found on the subject was from this pdf.
>
> http://securityfriday.com/promiscuous_detection_01.pdf
>
> I personally use
>
> http://www.habets.pp.se/synscan/programs.php
>
> The syntax I use is
>
> ./arping -s 00:50:2C:08:97:F0 -S 192.168.0.4 -t FF:FF:FF:FF:FF:FE xxx.xxx.xxx.xxx
> ^src mac ^src ip ^bad brdcst ^target
>
> Works like a charm. As for the unexpected results you're having, read page 13 of the pdf. It mentions
> some 3com nics and unexpected results. This may be the issue; there's a solution.
>
> Also, decoys are a sneaky way to detect baddies too. I use netcat to throw PASS/USER decoy packets out on the
> network. If I see these in the logs where they're not supposed to be, then there's an issue.
>
> I hope that helps.
>
> captgoodnight
What happens if I change my MAC and my IP so that my PC looks identical
to another PC on the intranet ? There are too many assumptions that the
authors of that paper make, assumptions that cannot be correct all the
time - it seems that they think that all sniffers might be script-kiddies,
and they also take a few leaps of faith.
I don't think it is possible to identify a sniffer positively. There's
too much room for reasonable and plausible deniability.
On Linux
--------
I know that you can sniff traffic without assigning an IP, in which case
there will be no ARP responses.
ifconfig eth0 0.0.0.0 up
tethereal/tcpdump -i eth0
I do this all the time on my test networks when I am dealing with some
protocol issue, cos then I don't need to find a free IP to assign to
the interface.
If you don't want to respond at the IP level too, just put some netfilter
DROP ALL rules in OUTPUT and FORWARD and I think you would have a
perfectly passive and undetectable sniffer.
Also use macchanger to change mac address on your NIC. It even lets you
change your mac address to all FF's!. I can't even imagine the kind of havoc
that could create!!
---
It might have been better if the authors had been upfront and said, "this is the way to catch script kiddies, but regarding network savvy sniffers, we can't help you, cos you really can't do anything worthwhile".
What do people on the list think ?
Also one question, in your example above, isn't FF:FF:FF:FF:FF:FE a valid multicast ethernet address ? and not a "bad" broadcast address ? Or do you say "bad" cos there is no vendor with a valid vendor ID of "FF:FF:FF" i.e. did you mean a fake multicast address ?
thanks,
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
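The fake-broadcast probe discussed in this thread, as an added example that is not code from either poster, from arping, or from the securityfriday paper. It builds the exact frame captgoodnight's arping line sends (ARP who-has inside an Ethernet frame whose destination is FF:FF:FF:FF:FF:FE), parses the reply, and runs it against a constructed `Host` model: a NIC address filter in front of kernel ARP code that answers any request for its IP without re-checking the Ethernet destination. The `classify_mac` helper answers the question at the end of the post: the low bit of the first octet is the I/G (group) bit, so FF:FF:FF:FF:FF:FE is a multicast address that is not the all-ones broadcast, which is why a non-promiscuous NIC with no matching multicast filter entry drops it in hardware. The `allmulti` case is a labelled hypothesis, not something the page establishes: an interface that accepts all multicast (or a coarse hardware hash filter) would answer the probe while not being promiscuous, which is one way the Linux false positives asharma reports could arise. The host MACs and IPs below are constructed sample data.

```python
"""Fake-broadcast ARP probe modelled end to end in pure Python (stdlib only)."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")   # the -t value from the arping line above


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def classify_mac(dst: bytes) -> str:
    """IEEE 802 rule: the low bit of the first octet is the I/G (group) bit."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"      # FF:FF:FF:FF:FF:FE lands here: group bit set, not all-ones
    return "unicast"


def build_arp_probe(src_mac: bytes, src_ip: str, target_ip: str,
                    dst_mac: bytes = FAKE_BROADCAST) -> bytes:
    """Ethernet II header + 28-byte ARP who-has, with a deliberately wrong L2 destination."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + src_mac + ipaddress.IPv4Address(src_ip).packed
           + bytes(6) + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode Ethernet + ARP fields; raises on anything that is not a 42-byte ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "op": struct.unpack("!H", frame[20:22])[0],
        "sha": frame[22:28], "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": frame[32:38], "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


class Host:
    """Constructed model of a LAN host (an assumption, not any specific driver):
    a NIC address filter in front of kernel ARP code."""

    def __init__(self, hw: str, ip=None, promisc: bool = False, allmulti: bool = False):
        self.mac, self.ip, self.promisc, self.allmulti = mac(hw), ip, promisc, allmulti
        self.groups = {mac("01:00:5e:00:00:01")}   # all-hosts group, normally subscribed

    def nic_accepts(self, dst: bytes) -> bool:
        """What the hardware filter passes up: own unicast, broadcast, subscribed multicast."""
        if self.promisc or dst == self.mac or dst == BROADCAST:
            return True
        return classify_mac(dst) == "multicast" and (self.allmulti or dst in self.groups)

    def receive(self, frame: bytes):
        """Return the ARP reply this host would emit, or None."""
        arp = parse_arp(frame)
        if not self.nic_accepts(arp["eth_dst"]):
            return None                      # dropped in hardware; the kernel never sees it
        # ARP keys on the target protocol address only and never re-checks the
        # Ethernet destination; that is exactly what the probe relies on.
        if self.ip is None or arp["op"] != ARP_REQUEST or arp["tpa"] != self.ip:
            return None
        eth = arp["eth_src"] + self.mac + struct.pack("!H", ETH_P_ARP)
        body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
                + self.mac + ipaddress.IPv4Address(self.ip).packed
                + arp["sha"] + ipaddress.IPv4Address(arp["spa"]).packed)
        return eth + body


def probe_host(host: Host, target_ip: str, dst_mac: bytes = FAKE_BROADCAST,
               src_mac: str = "00:50:2c:08:97:f0", src_ip: str = "192.168.0.4") -> bool:
    """True if the host answered a who-has sent to dst_mac for target_ip."""
    reply = host.receive(build_arp_probe(mac(src_mac), src_ip, target_ip, dst_mac))
    return reply is not None and parse_arp(reply)["op"] == ARP_REPLY


if __name__ == "__main__":
    cases = [
        ("normal host",          Host("00:0c:29:aa:bb:cc", "192.168.0.10")),
        ("promiscuous host",     Host("00:0c:29:aa:bb:cc", "192.168.0.10", promisc=True)),
        ("allmulti (hypothesis)", Host("00:0c:29:aa:bb:cc", "192.168.0.10", allmulti=True)),
        ("sniffer with no IP",   Host("00:0c:29:dd:ee:ff", None, promisc=True)),
    ]
    for label, h in cases:
        print(f"{label:24s} answers FF:FF:FF:FF:FF:FE probe: {probe_host(h, '192.168.0.10')}")
```

The last case is Ranjeet's point in code: a promiscuous interface with no IP address passes the frame up but has nothing to answer for, so the probe sees exactly what it sees for an unplugged port. The `allmulti` case shows that a positive result only proves the frame got past the address filter, not that the interface is promiscuous.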