Bugtraq mailing list archives
Re: sniffers
From: asriel () chewy wookie net (Asriel DeCatte)
Date: Sun, 30 Apr 1995 05:06:17 -0400 (EDT)
Is there any way to find out if a sniffer is on the net?
Ahh. Addenda of my own to that post... sorry... like I said, I'm tired.

First of all, pick up lsof and cpm... ftp://ftp.cert.org/pub/tools/lsof/lsof_3.02.tar.gz and ftp://ftp.cert.org/pub/tools/cpm/cpm.1.0.tar, respectively.

lsof will give you information about file and device access by processes, including the process ID of anything currently accessing a device. If you think you're being sniffed and you have a /dev/nit, lsof it to see if your sniffers are being really obvious. Many hackers will make their own NIT device somewhere else... if you trust your find command,

    # find / -type c -exec /bin/ls -l {} ';' | more

will give you a list of all the character devices on the system. Look for devices in weird places. NIT normally has 37 as its major and 40 as its minor number.

CPM will show if an interface is in promiscuous mode, pretty reliably unless the intruder went to the trouble of changing the net.o object (couldn't someone feasibly reassign the IFF_PROMISC flag to a different hex value in if.h?). It does this by opening a socket and reading the ifconf structure returned by a SIOCGIFCONF ioctl to that socket's file descriptor, and reading the flags out of the returned structure.

Somewhere around here I have a program that will scan a system for NIT-type devices. I don't have it handy, so I can't tell you offhand how it works... if I find it, I'll send it your way.

------------------------------------------------------------------------
A s r i e l   D e C a t t e   a t   M 0 C K   C h i c a g o ,   1 9 9 5 . . .
do not lead for I will not follow - do not follow for I will not lead
asriel () wookie net
------------------------------------------------------------------------