Security Basics mailing list archives

Re: False negative on anti sniffing programme.


From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Tue, 22 Jun 2004 12:18:22 -0700

* captgoodnight () acsalaska net (captgoodnight () acsalaska net) wrote:
On Thursday 17 June 2004 07:03 am, asharma () ita hsr ch wrote:

followed the approach of sending ARP request packets to the IP of the
machine with the ARP address resembling but not equal to a broadcast
address. I am receiving good responses from most of the test runs, however
some Linux based machines - with Kernel 2.4.20-8 and 2.4.18 - seem to be
responding to these packets despite not being in promiscuous mode.
I fail to understand why this should be possible.
Your comments would be invaluable.

Just got done working on this. The best info I found on the subject was from this pdf.

http://securityfriday.com/promiscuous_detection_01.pdf

I personally use 

http://www.habets.pp.se/synscan/programs.php

The syntax I use is

./arping -s 00:50:2C:08:97:F0 -S 192.168.0.4 -t FF:FF:FF:FF:FF:FE xxx.xxx.xxx.xxx
               ^src mac                   ^src ip               ^bad brdcst          ^target

Works like a charm. As for the unexpected results you're having, read page 13 of the pdf. It mentions
some 3com NICs and unexpected results. This may be the issue; there's a solution.

Also, decoys are a sneaky way to detect baddies too. I use netcat to throw PASS/USER decoy packets out on the
network. If I see these in the logs where they're not supposed to be, then there's an issue.

I hope that helps.

captgoodnight

What happens if I change my MAC and my IP so that my PC looks identical
to another PC on the intranet? There are too many assumptions that the
authors of that paper make, assumptions that cannot be correct all the
time - it seems that they think that all sniffers might be script-kiddies,
and they also take a few leaps of faith.

I don't think it is possible to identify a sniffer positively. There's
too much room for reasonable and plausible deniability.

On Linux
--------
I know that you can sniff traffic without assigning an IP, in which case
there will be no ARP responses.

ifconfig eth0 0.0.0.0 up
tethereal/tcpdump -i eth0

I do this all the time on my test networks when I am dealing with some
protocol issue, cos then I don't need to find a free IP to assign to
the interface.

If you don't want to respond at the IP level too, just put some netfilter
DROP ALL rules in OUTPUT and FORWARD and I think you would have a
perfectly passive and undetectable sniffer.

Also use macchanger to change the MAC address on your NIC. It even lets you
change your MAC address to all FF's! I can't even imagine the kind of havoc
that could create!!

---

It might have been better if the authors had been upfront and said,
"this is the way to catch script kiddies, but regarding network savvy
sniffers, we can't help you, cos you really can't do anything worthwhile".



What do people on the list think?

Also one question, in your example above, isn't FF:FF:FF:FF:FF:FE a
valid multicast ethernet address, and not a "bad" broadcast address?
Or do you say "bad" cos there is no vendor with a valid vendor ID of
"FF:FF:FF", i.e. did you mean a fake multicast address?

thanks,

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.
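The fake-broadcast ARP probe from the arping line above, modelled in Python as an added example (not code from either poster, from the arping tool, or from the securityfriday paper): it builds the same ARP request frame, classifies the destination address by the IEEE I/G bit (which bears on the multicast question raised in the message), and models a NIC address filter in normal and promiscuous mode. The filter model is a simplification, the target IP 192.168.0.10 is a constructed value, and nothing is sent on the wire.

```python
import struct

BROADCAST = bytes.fromhex("ff" * 6)

def mac_bytes(mac: str) -> bytes:
    """'00:50:2C:08:97:F0' -> six raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def classify_mac(mac: str) -> str:
    """IEEE 802 classes: all-ones is broadcast; otherwise a set I/G bit
    (least-significant bit of the first octet) means group/multicast.
    FF:FF:FF:FF:FF:FE is therefore a group address that no host has joined."""
    raw = mac_bytes(mac)
    if raw == BROADCAST:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"

def build_arp_request(dst_mac, src_mac, sender_ip, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP who-has request (RFC 826): 42 bytes."""
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"  # EtherType ARP
    # htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4, oper=1 request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip)  # sender hardware/protocol addr
    arp += bytes(6) + ip_bytes(target_ip)            # target MAC unknown, target IP
    return eth_hdr + arp

def nic_accepts(frame, nic_mac, promiscuous, multicast_groups=()) -> bool:
    """Simplified model of a NIC hardware address filter (assumes only the
    groups in multicast_groups are programmed). Promiscuous passes everything;
    otherwise only own unicast, broadcast and joined groups get through."""
    if promiscuous:
        return True
    allowed = {mac_bytes(nic_mac), BROADCAST} | {mac_bytes(m) for m in multicast_groups}
    return frame[:6] in allowed

def probe_reaches_stack(nic_mac, promiscuous) -> bool:
    """Does the fake-broadcast probe from the arping line reach this NIC's IP stack?"""
    frame = build_arp_request("FF:FF:FF:FF:FF:FE", "00:50:2C:08:97:F0",
                              "192.168.0.4", "192.168.0.10")  # target IP constructed
    return nic_accepts(frame, nic_mac, promiscuous)
```

A host whose filter is modelled here only answers the probe when it is promiscuous; the kernel-level quirks the paper discusses (and the 2.4.x results reported above) are not modelled.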

