Bugtraq mailing list archives
Re: Hidden sniffer on unplumb'ed interface on Solaris
From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Tue, 9 Jan 2001 10:57:09 +0100
> I don't actually consider this to be a problem. This is how some network IDSes are able to work (RealSecure for one) and can avoid all risk of IP-based attacks (since there's no ipaddr on the if). But, the interfaces are able to be found, you just need to look for the MAC address and not the IP. ;-) Checking the ARP tables of your switches and routers should bring a rogue interface that doesn't have an ipaddr assigned to it.

You won't find the MAC address anywhere; the interface is passive. It won't reply to ARP requests (no IP). Since it doesn't send any other packets, its MAC address can't be learned that way either.

Casper