Bugtraq mailing list archives

Re: sniffers


From: asriel () chewy wookie net (Asriel DeCatte)
Date: Sun, 30 Apr 1995 05:06:17 -0400 (EDT)


Is there any way to find out if a sniffer is on the net?

Ahh. Addenda of my own to that post... sorry... like I said, I'm tired.

First of all, pick up lsof and cpm... 
ftp://ftp.cert.org/pub/tools/lsof/lsof_3.02.tar.gz and
ftp://ftp.cert.org/pub/tools/cpm/cpm.1.0.tar, respectively.

lsof will give you information about file and device access by processes,
including the process ID of anything currently accessing a device. If you
think you're being sniffed and you have a /dev/nit, lsof it to see if your
sniffers are being really obvious. Many hackers will make their own NIT
device somewhere else... if you trust your find command,

# find / -type c -exec /bin/ls -l {} ';' | more

will give you a list of all the character devices on the system. Look for 
devices in weird places. NIT normally has 37 as its major and 40 as its 
minor number.

CPM will show if an interface is in promiscuous mode, pretty reliably 
unless the intruder went to the trouble of changing the net.o object 
(couldn't someone feasibly reassign the IFF_PROMISC flag to a different 
hex value in if.h?). It does this by opening a socket and reading the 
ifconf structure returned by a SIOCGIFCONF ioctl to that socket's file 
descriptor, and reading the flags out of the returned structure. 

Somewhere around here I have a program that will scan a system for 
NIT-type devices. I don't have it handy, so I can't tell you offhand how 
it works... if I find it, I'll send it your way. 

------------------------------------------------------------------------
A s r i e l  D e C a t t e  a t  M 0 C K  C h i c a g o ,  1 9 9 5 . . . 
do not lead for I will not follow - do not follow for I will not lead
                        asriel () wookie net
------------------------------------------------------------------------
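The promiscuous-mode check the post describes (open a socket, ask the kernel for the interface list with SIOCGIFCONF, then inspect the interface flags for IFF_PROMISC) as an added example; this is not CPM's source and not code from the poster. It assumes Linux headers. Because the Linux ifconf buffer carries only names and addresses, the flag word is fetched per interface with SIOCGIFFLAGS. One caveat a defender should know: on current Linux kernels SIOCGIFFLAGS reports IFF_PROMISC only when promiscuity was requested through the flags interface (e.g. ifconfig); promiscuity enabled through packet-socket membership, which is how libpcap-based tools do it, shows up in the netlink view (`ip link`) but not in this ioctl, so treat a clean result from this check as necessary, not sufficient.

```c
/* Added example, not CPM's code: enumerate interfaces via SIOCGIFCONF and
 * report which ones carry IFF_PROMISC.  Linux headers assumed. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>

/* Pure check on a flag word: 1 if IFF_PROMISC is set, else 0. */
int is_promisc_flags(short flags)
{
    return (flags & IFF_PROMISC) ? 1 : 0;
}

/* 1 if ifname is in promiscuous mode, 0 if not, -1 on error
 * (no such interface, or no socket available). */
int check_interface(const char *ifname)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return is_promisc_flags(ifr.ifr_flags);
}

/* Walk every configured interface (SIOCGIFCONF lists those with an IPv4
 * address) and print its state.  Returns the number of promiscuous
 * interfaces, or -1 on error. */
int scan_interfaces(void)
{
    struct ifconf ifc;
    struct ifreq *req;
    char *buf;
    int fd, n, i, promisc = 0;
    int len = 16 * sizeof(struct ifreq);   /* grown below if too small */

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    for (;;) {
        buf = malloc(len);
        if (!buf) {
            close(fd);
            return -1;
        }
        ifc.ifc_len = len;
        ifc.ifc_buf = buf;
        if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) {
            free(buf);
            close(fd);
            return -1;
        }
        if (ifc.ifc_len < len)   /* whole list fit; otherwise retry larger */
            break;
        free(buf);
        len *= 2;
    }
    n = ifc.ifc_len / sizeof(struct ifreq);
    req = ifc.ifc_req;
    for (i = 0; i < n; i++) {
        int p = check_interface(req[i].ifr_name);
        printf("%-12s %s\n", req[i].ifr_name,
               p == 1 ? "PROMISCUOUS" : p == 0 ? "normal" : "error");
        if (p == 1)
            promisc++;
    }
    free(buf);
    close(fd);
    return promisc;
}

int main(void)
{
    int n = scan_interfaces();
    if (n < 0) {
        perror("scan_interfaces");
        return 2;
    }
    return n > 0 ? 1 : 0;   /* non-zero exit if anything is promiscuous */
}
```

Run it as root alongside the lsof and find checks above; the exit status lets it sit in a cron job that alerts on a non-zero result.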
