Honeypots mailing list archives
RE: [inbox] undetectable NIC in promiscuous mode
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 5 Mar 2004 20:09:30 -0500
In preparing my upcoming book on honeypots I played around with all these ideas a bit. And here's what I found:

1. Removing the IP address only works on some OS's and not others. For example, in Windows you cannot have the IP stack installed and have no IP address. It wants something. If you choose DHCP and don't let it get one from a DHCP server, W2K and above will just grant itself an APIPA address (168.254.x.x/16). If you remove the IP stack, I found hit-and-miss problems. For example, Ethereal will give two start-up errors regarding the IP stack saying WinPcap needed IP running to work (not true), but then capture all packets going by on the wire...and then crash (losing all info) when you stop the capturing and try to see the detail of the results.

2. Cutting the transmit lines doesn't work on most of today's intelligent devices (i.e. switches, etc.). As others said, no link light, port is inactivated.

3. Inducing interference into the line to cause transmission problems worked, but was spotty, and definitely not great looking. There are a few diagrams around on the Internet to do it, and it's simple enough (if you don't mind a little soldering and funky-looking cables). But when I was carrying the cables around from client site to client site, I often broke them...or had to take special care of them. And I could not always find the parts I needed at Radio Shack. Not ideal. The next two options are better.

4. Buy an Ethernet tap...works like a charm.

5. Buy an intelligent switch and do port mirroring (aka port trunking, port spanning, MIB management, remote management console, etc.). The key here is to find out ahead of time if the switch you are using does port mirroring, and if so, how well the port mirroring works. Some switches only monitor one direction of traffic. Others only let you monitor one port at a time, others only capture limited information (not full packet decodes), and some switches only let you capture the information locally through a serial console port. Do your research.

Generally, ask if the switch has an IP address first and can be "managed". This is geek-to-salesman code so they get you into the right class of switches instead of all the cheap stuff that can't be managed and doesn't have port mirroring. The cheapest, new, managed switches I could find were around $600, but I forget the brand name because I usually go with name-brand stuff. If it doesn't have an IP address, but can be "managed", then usually it's a serial management port or some type of management software of limited management capability and no port mirroring. On a good note, it's easy to pick up older switches with the right capability for under $50 bucks.

I use port mirroring at home in my controlled environment and an Ethernet tap for on-the-road stuff...where I don't want to be lugging along a switch. I could see a tap being easier in any enterprise environment if I had to go location to location in my searches.

Roger

************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
************************************************************************

-----Original Message-----
From: Chris Brenton [mailto:cbrenton () chrisbrenton org]
Sent: Friday, March 05, 2004 3:49 PM
To: Curt Purdy
Cc: Jose_Maria_Gonzalez () dell com; honeypots () securityfocus com
Subject: RE: [inbox] undetectable NIC in promiscuous mode

On Fri, 2004-03-05 at 12:29, Curt Purdy wrote:
> Yes, there are protocols that do not depend on IP such as ARP, DHCP, and others.

Humm, I've never seen this myself. Please describe a situation I can try and duplicate where an interface that does not have IP bound to it would start transmitting ARP or DHCP packets.

> A sure way to avoid detection is to snip your TX lines 1 & 2.

This _does not_ work. I have tried this with both switches and hubs from 3COM, Cisco, D-Link & Netgear. Cutting the TX lines means you cannot initialize the port to establish link. No link means you will not see traffic.

HTH,
C
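Item 1 of Roger's list and Chris's reply both turn on the same point: a capture NIC that still has a protocol stack bound to it will talk (ARP, DHCP, IPv6 neighbour discovery, multicast joins) and give the sniffer away, while a NIC that never initialises link gets its switch port shut. The script below is an added example, not from the thread or from either author, showing the Linux version of the "quiet but linked" interface: no address, ARP and multicast off, IPv6 disabled, promiscuous on, plus the check a practitioner wants afterwards, a short tcpdump watching for any frame leaving the NIC's own MAC. It assumes iproute2, procps sysctl and tcpdump are installed and that the interface name is passed as the first argument; DRY_RUN=1 prints the commands instead of executing them.

```bash
#!/bin/bash
# Added example, not part of the original thread.
# Build a "silent" capture interface on Linux and verify it stays silent.
# Assumptions: iproute2 (ip), procps (sysctl) and tcpdump are present; the
# interface name is passed in; running for real needs root.
# DRY_RUN=1 prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Configure $1 as an addressless, ARP-less, IPv6-less promiscuous listener.
# The link is still brought up, so the switch port stays active (the failure
# mode of cutting the TX pair), but the kernel has nothing to say on it.
stealth_iface() {
    local iface="$1"
    run ip addr flush dev "$iface"                              # no IPv4 address: nothing to ARP for, no DHCP client
    run sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"     # no fe80:: link-local, so no ND, RS or MLD reports
    run ip link set dev "$iface" arp off multicast off         # kernel will not answer ARP or join multicast groups
    run ip link set dev "$iface" promisc on up                 # capture everything on the wire, link up
}

# Watch $1 for $2 seconds (default 10) for any frame sourced from its own MAC.
# Returns 0 if the NIC stayed quiet, 1 if it transmitted anything.
verify_silent() {
    local iface="$1" secs="${2:-10}" mac count
    mac=$(cat "/sys/class/net/$iface/address")
    count=$(timeout "$secs" tcpdump -i "$iface" -nn -q -c 1 "ether src $mac" 2>/dev/null | wc -l)
    [ "$count" -eq 0 ]
}

# Usage: sudo ./stealth.sh eth1
if [ "${DRY_RUN:-0}" != "1" ] && [ "$#" -ge 1 ]; then
    if stealth_iface "$1" && verify_silent "$1" 10; then
        echo "$1 is quiet"
    else
        echo "$1 transmitted; check what else is bound to it"
    fi
fi
```

Two caveats a practitioner should keep in mind. First, this only silences the kernel; anything that manages interfaces (NetworkManager, dhcpcd, an LLDP daemon) must be told to leave the capture NIC alone or it will put an address back. Second, the verify step proves the NIC sent nothing during the window, not that it is invisible: link pulses and autonegotiation still show the port as up on the switch, which is exactly why the port is not shut down.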