Bugtraq mailing list archives

Re: sniffers


From: asriel () chewy wookie net (Asriel DeCatte)
Date: Sun, 30 Apr 1995 04:32:43 -0400 (EDT)


Is there any way to find out if a sniffer is on the net?

Sure.

If you have access to the machine you suspect is being sniffed from.

Get on the system and do an ifconfig -a. Make sure nothing is in
promiscuous mode. It shows up in most (<cough>) if's as a flag (taken from
struct ifnet, neh?) - IFF_PROMISC i believe. You'll see it in ifconfig as
PROMISC along with the rest of the flags. 

Some systems (I know SunOS does this) also have an entry in the network 
interface structure for how many times an interface has been requested to 
go into promiscuous mode.

If an interface is in promiscuous mode, and you're not sure you didn't 
set it that way on purpose (something like netwatch, in which case a 
sniffer IS running, but it's yours...), then there's a good bet a 
sniffer's running.

Don't trust ifconfig unless you're sure it wasn't modified. Patches for 
ifconfig that won't report a network interface in promiscuous mode are 
floating around (rootkit, <cough><cough>). ifconfig is one o' dem happy 
files you want to keep a personal copy of and an MD5 signature on. 

If nothing comes up as promiscuous, or your system doesn't have a flag 
for promiscuous mode (Solaris 2.4?), some other things...

Look for /dev/nit (Sun's network interface tap, a device that allows the 
system direct raw access to a network) if you have a Sun. I don't know 
what the correspondents to the NIT are on other systems (can anyone 
elucidate on this topic? I'm somewhat interested, since my proficiencies 
in these matters really only reside with SunOS). If it's there, and you 
believe the system it's on may have been compromised, be worried.

This isn't really reliable unless you're sure /dev/nit isn't compiled 
into the kernel... it's pretty trivial (very) to just go to some remote 
corner of the system (how many of you people check what's in things like
/usr/lib/font?) and mknod a new device with the appropriate major and 
minor numbers for a NIT.

Try this:

# cd /tmp
# touch snifftrap
# telnet localhost
blahblah
^]
# telnet some.external.host
blahblah
^]
# find / -newer snifftrap -print

This'll tell you any files that got accessed after you touch'd 
"snifftrap", and it should give away the presence of any sniffer logs on 
your system. Don't trust this unless you're sure your find command hasn't 
been tampered with. Same situation with ifconfig - find patches ain't 
hard to come across, and aren't too damn hard to write.

A really unreliable check you can do that will foil the lame would be to 
do a find for suspiciously named files... find / -name "*sniff*" -print, 
find / -name "es" -print, etc. 

System admins I've known have tried things like bombing the echo ports of
all the systems on a network and seeing which systems lag badly or load up
(the rationale being that systems with sniffers will be burdened by the
sniffer reading all the packets it's taking in). I guess if you're really
that worried about sniffers, you could also bomb a system on the
ethernetwork that you DON'T suspect is being sniffed from, and watch to
see which other systems on the net lag when you do it. 

Sorry for the lack of coherency in this message... check out when I wrote 
it... =P

Any addenda?

------------------------------------------------------------------------
do not lead for I will not follow - do not follow for I will not lead
------------------------------------------------------------------------
                       main(){for(;;){fork();}}
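The three host-side checks from the message above (promiscuous flag, the snifftrap find trick, and keeping a digest of the tools you rely on), scripted as an added example that is not part of the original post or the Bugtraq thread. It assumes a modern Linux box: the kernel exposes the interface flags word in /sys/class/net/<if>/flags, where IFF_PROMISC is bit 0x100 (the same flag ifconfig prints as PROMISC), and ip/ifconfig output is the current one-line-per-interface format. Reading sysfs directly is the modern answer to the "don't trust ifconfig" caveat: a trojaned binary can hide the flag, but the kernel's own view cannot be patched from userland. The marker and digest paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux sysfs/iproute2.

# IFF_PROMISC from <linux/if.h>; /sys/class/net/<if>/flags holds the flags word.
IFF_PROMISC=256

# is_promisc_flags HEXWORD: exit 0 when the PROMISC bit is set in the word.
is_promisc_flags() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces_sysfs: name every interface the kernel says is promiscuous,
# without going through ifconfig at all.
promisc_ifaces_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc_flags "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# promisc_ifaces_from_text: the same check over `ip -o link` or `ifconfig -a`
# output on stdin, so saved output from another host can be examined too.
# Matches lines like "2: eth0: <BROADCAST,PROMISC,UP>" or "eth0: flags=4419<UP,PROMISC>".
promisc_ifaces_from_text() {
    awk '/PROMISC/ { sub(/^[0-9]+: /, ""); sub(/[:@ ].*/, ""); print }'
}

# The snifftrap trick: arm a marker, generate traffic yourself (telnet, ssh,
# anything with a password in it), then look for files written since.
# The marker is backdated so everything written afterwards sorts as newer
# even on filesystems with one-second timestamp resolution.
snifftrap_arm() {
    root=${1%/}
    touch -t 200001010000 "$root/snifftrap"
}
snifftrap_check() {
    root=${1%/}
    marker="$root/snifftrap"
    # Prune the pseudo-filesystems a 1995 find never had to contend with.
    find "${root:-/}" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune \
         -o -type f -newer "$marker" ! -path "$marker" -print
}

# Personal copy plus digest of the tools you trust (ifconfig, find, ip, ls...).
# The post says MD5; swap in sha256sum today, the logic is the same.
digest()      { md5sum "$1" | cut -d' ' -f1; }
record_hash() { digest "$1" > "$2"; }
verify_hash() { [ "$(digest "$1")" = "$(cat "$2")" ]; }

# Run as `sh sniffcheck.sh scan` for a live report; sourcing it defines the
# functions only.
if [ "${1:-}" = "scan" ]; then
    echo "promiscuous interfaces (sysfs):"
    promisc_ifaces_sysfs
    for t in /sbin/ifconfig /usr/bin/find /sbin/ip; do
        [ -f "$t" ] && [ -f "$t.md5" ] && { verify_hash "$t" "$t.md5" || echo "MODIFIED: $t"; }
    done
fi
```

Keep the digest file somewhere the attacker does not expect (or offline); a root-level intruder who replaced ifconfig can just as easily rewrite a digest sitting next to it.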


