Security Basics mailing list archives
Re: False negative on anti sniffing programme.
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Tue, 22 Jun 2004 12:18:22 -0700
* captgoodnight () acsalaska net (captgoodnight () acsalaska net) wrote:
> On Thursday 17 June 2004 07:03 am, asharma () ita hsr ch wrote:
> > followed the approach of sending ARP request packets to the IP of the machine with the ARP address resembling but not equal to a broadcast address. I am receiving good responses from most of the test runs; however, some Linux-based machines (with kernel 2.4.20-8 and 2.4.18) seem to be responding to these packets despite not being in promiscuous mode. I fail to understand why this should be possible. Your comments would be invaluable.
>
> Just got done working on this. The best info I found on the subject was from this pdf:
> http://securityfriday.com/promiscuous_detection_01.pdf
>
> I personally use http://www.habets.pp.se/synscan/programs.php
>
> The syntax I use is
>
>     ./arping -s 00:50:2C:08:97:F0 -S 192.168.0.4 -t FF:FF:FF:FF:FF:FE xxx.xxx.xxx.xxx
>                 ^src mac           ^src ip        ^bad brdcst        ^target
>
> Works like a charm. As for the unexpected results you're having, read page 13 of the pdf. It mentions some 3Com NICs and unexpected results. This may be the issue; there's a solution.
>
> Also, decoys are a sneaky way to detect baddies too. I use netcat to throw PASS/USER decoy packets out on the network. If I see these in the logs where they're not supposed to be, then there's an issue.
>
> I hope that helps.
>
> captgoodnight
What happens if I change my MAC and my IP so that my PC looks identical to another PC on the intranet? There are too many assumptions that the authors of that paper make, assumptions that cannot be correct all the time. It seems that they think that all sniffers might be script kiddies, and they also take a few leaps of faith. I don't think it is possible to identify a sniffer positively. There's too much room for reasonable and plausible deniability.

On Linux
--------

I know that you can sniff traffic without assigning an IP, in which case there will be no ARP responses:

    ifconfig eth0 0.0.0.0 up
    tethereal/tcpdump -i eth0

I do this all the time on my test networks when I am dealing with some protocol issue, 'cos then I don't need to find a free IP to assign to the interface. If you don't want to respond at the IP level too, just put some netfilter DROP ALL rules in OUTPUT and FORWARD and I think you would have a perfectly passive and undetectable sniffer.

Also use macchanger to change the MAC address on your NIC. It even lets you change your MAC address to all FF's! I can't even imagine the kind of havoc that could create!!

---

It might have been better if the authors had been upfront and said, "this is the way to catch script kiddies, but regarding network-savvy sniffers, we can't help you, 'cos you really can't do anything worthwhile".

What do people on the list think?

Also one question: in your example above, isn't FF:FF:FF:FF:FF:FE a valid multicast Ethernet address, and not a "bad" broadcast address? Or do you say "bad" 'cos there is no vendor with a valid vendor ID of "FF:FF:FF", i.e. did you mean a fake multicast address?

thanks,

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
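Added example, not part of the thread or of the tools it mentions: a small Python model of the Ethernet I/G bit and a NIC's receive filter. It shows why FF:FF:FF:FF:FF:FE is a group (multicast) address rather than the broadcast address, and why an ARP reply to a request carried in such a frame normally indicates a host whose interface is in promiscuous mode. The MAC and IP values are constructed from the arping command above; the `all_multi` flag is an assumption modelling NICs or drivers that accept group addresses they never registered, one source of the unexpected replies the thread describes.

```python
BROADCAST = bytes([0xFF] * 6)


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (any case) into 6 raw bytes; reject malformed input."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def classify(mac: str) -> str:
    """Return 'broadcast', 'multicast' or 'unicast' using the IEEE 802 I/G bit.

    The I/G bit is the least significant bit of the first octet: 1 marks a
    group (multicast) address, 0 an individual (unicast) address. All-ones is
    the one group address every NIC must accept, the broadcast address.
    """
    raw = parse_mac(mac)
    if raw == BROADCAST:
        return "broadcast"
    return "multicast" if raw[0] & 0x01 else "unicast"


def nic_accepts(frame_dst: str, nic_mac: str, promiscuous: bool, all_multi: bool = False) -> bool:
    """Model of a simple hardware receive filter on a non-promiscuous NIC."""
    if promiscuous:                      # promiscuous mode: filter disabled, everything passes
        return True
    kind = classify(frame_dst)
    if kind == "broadcast":
        return True
    if kind == "unicast":
        return parse_mac(frame_dst) == parse_mac(nic_mac)
    # Group address the host never joined: dropped unless the driver runs
    # with all-multicast reception (assumed flag; explains false positives).
    return all_multi


def arp_reply_expected(frame_dst: str, nic_mac: str, target_ip: str, nic_ip: str,
                       promiscuous: bool, all_multi: bool = False) -> bool:
    """The kernel ARP code answers any request for its own IP that reaches it,
    so a reply to a frame the filter should have dropped is the detection signal."""
    return nic_accepts(frame_dst, nic_mac, promiscuous, all_multi) and target_ip == nic_ip


if __name__ == "__main__":
    # Constructed values taken from the arping command line quoted in the thread.
    print(classify("FF:FF:FF:FF:FF:FE"))  # multicast, not broadcast
    print(arp_reply_expected("FF:FF:FF:FF:FF:FE", "00:50:2C:08:97:F0",
                             "192.168.0.4", "192.168.0.4", promiscuous=False))
```

A host with an unassigned IP, as described above for Linux, never satisfies `target_ip == nic_ip`, which is why the probe cannot see it regardless of interface mode.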