Bugtraq mailing list archives

Re: Antisniff thoughts


From: Wolfram.Schmidt () IAO FHG DE (Wolfram Schmidt)
Date: Tue, 27 Jul 1999 20:35:30 +0200


On Jul 27, 1:15, *Hobbit* wrote:
> Subject: Antisniff thoughts
> 1. For a completely passive box, we set the interface to some bogus IP
> addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away.
> Antisniff would never see the machine because the machine would never
> answer anything unless someone could guess the IP address. Drawback:
> hard to retrieve logs remotely.

On Solaris you can "snoop" an interface which is down:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet <censored> netmask <censored> broadcast <censored>
        ether <censored>
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether <censored>
# snoop -d le0
Using device /dev/le (promiscuous mode)
202.99.168.11 -> <censored>     HTTP (body)
195.101.197.218 -> www.pilotschool.net HTTP C port=37004
    <censored> -> 202.99.168.11 HTTP C port=53889
202.99.168.11 -> <censored>     HTTP (body)
           ? -> *            ETHER Type=9000 (Loopback), size = 60 bytes
^C
#

-Wolfram


--
Email: Wolfram.Schmidt () iao fhg de
Voice: +49 711 970 2431
Fax: +49 711 970 2401
Office: Fraunhofer IAO, Holzgartenstr. 17, 70174 Stuttgart, Germany
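
The configuration Hobbit describes and the Solaris ifconfig output above share one host-side signature: an interface that is RUNNING (attached, passing frames) but not UP, carrying 0.0.0.0 or no address, possibly with ARP switched off. The script below is an added example written for this archive page, not code from either poster. It parses `ifconfig -a` output, decodes the hex flags word against the Solaris `IFF_*` bit values from `<net/if.h>`, cross-checks it against the bracketed flag names, and reports interfaces in that passive-sniffer profile. The sample output is constructed after the post, with the 192.0.2.0/24 documentation range and made-up MAC addresses standing in for the censored values. Caveat: the PROMISC bit is reported when the kernel sets it, but a DLPI-level sniffer such as snoop may not surface as PROMISC in ifconfig, so its absence proves nothing.

```python
import re
import sys

# Solaris <net/if.h> IFF_* bit values. ifconfig prints this bitmask in hex
# before the bracketed names, e.g. "flags=842<BROADCAST,RUNNING,MULTICAST>".
IFF_BITS = {
    0x0001: "UP",
    0x0002: "BROADCAST",
    0x0004: "DEBUG",
    0x0008: "LOOPBACK",
    0x0010: "POINTOPOINT",
    0x0020: "NOTRAILERS",
    0x0040: "RUNNING",
    0x0080: "NOARP",
    0x0100: "PROMISC",
    0x0200: "ALLMULTI",
    0x0400: "INTELLIGENT",
    0x0800: "MULTICAST",
}

IFACE_RE = re.compile(r"^(\S+): flags=([0-9a-fA-F]+)<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)")

# Constructed sample modelled on the post above (documentation addresses,
# invented MACs); not real output from the poster's machine.
SAMPLE_IFCONFIG = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 8:0:20:aa:bb:cc
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether 8:0:20:dd:ee:ff
"""


def decode_flags(mask):
    """Expand a Solaris IFF_* bitmask into the set of flag names."""
    return {name for bit, name in IFF_BITS.items() if mask & bit}


def parse_ifconfig(text):
    """Return {ifname: {"mask": int, "flags": set(names), "inet": str|None}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            names = {n for n in m.group(3).split(",") if n}
            ifaces[current] = {"mask": int(m.group(2), 16),
                               "flags": names, "inet": None}
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current]["inet"] = m.group(1)
    return ifaces


def stealth_candidates(ifaces):
    """Interfaces whose state matches a passive sniffer: passing traffic
    (RUNNING) but not UP, no usable IP, ARP off, or promiscuous."""
    findings = []
    for name, info in ifaces.items():
        flags = info["flags"]
        if "LOOPBACK" in flags:
            continue
        reasons = []
        if "RUNNING" in flags and "UP" not in flags:
            reasons.append("RUNNING but not UP")
        if info["inet"] in (None, "0.0.0.0"):
            reasons.append("no IP address")
        if "NOARP" in flags:
            reasons.append("ARP disabled")
        if "PROMISC" in flags:
            reasons.append("promiscuous")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    # Usage: ifconfig -a > if.txt; python3 ifaudit.py if.txt
    # With no argument the constructed sample above is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IFCONFIG
    ifaces = parse_ifconfig(text)
    for name, info in ifaces.items():
        decoded = decode_flags(info["mask"])
        note = "" if decoded == info["flags"] else f"  (mask decodes to {sorted(decoded)})"
        print(f"{name}: {sorted(info['flags'])} inet={info['inet']}{note}")
    for name, reasons in stealth_candidates(ifaces):
        print(f"SUSPECT {name}: {', '.join(reasons)}")
```

On the sample, le0 is the only hit ("RUNNING but not UP, no IP address"); hme0 and lo0 are clean. The mask-versus-names cross-check exists because the hex word is what the kernel reports, while the bracketed list is ifconfig's rendering of it; a disagreement would point at a modified ifconfig.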


