sniffer/promisc detector

Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?

Gerald

Gerald wrote:

Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?

I can't even imagine how one might do that. Traditionally the only
way to know that you have a mole is to encounter secrets that "had to"
have been stolen.

I should probably mention that I've already started looking at antisniff.
I was hoping to find something that was currently maintained and still
free while I investigate antisniff's capabilities. Or if there is more
than one commercial one best bang for buck suggestions.

Thanks to those who pointed it out to me again though.

Gerald

If you have multiple network interfaces you can ensure that
the one doing the snooping is undetectable by the tools that people wrote
to detect promiscuous Ethernets...

joelja

Since all sniffers I know of are passive devices, there really shouldn't be
a way to track one down. From a Cisco standpoint, if I were mirroring a
port, and had a sniffer mirroring the sniffer port, I would see traffic of a
unicast nature with multiple unicast MAC destinations destined at a
switch port with only one MAC address cached.

That is a battle that was lost at its beginning: the Ethernet 802.1d
paradigm of "don't know where to send the packet, send it to all ports,
forget where to send packets every minute" is the weak point.
There are some common mistakes that sniffing kits make, that can be used to
detect them (I think antisniff implements them all), but a better approach
is to make promisc mode of no gain unless the attacker compromises the
switch also. In Cisco-world, the solution is called Private VLANs.
Nortel/Bay used to have ports that could belong to more than one VLAN;
probably every other switch vendor has its own non-IEEE 802 compliant way of
making a switched network more secure.

Rubens

Thus spake Gerald (gcoon@inch.com) [16/01/04 18:32]:

Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?

There's an art to detecting promiscuous devices.[1] A good starting point
is Google, and the phrase 'promiscuous detect'. IIRC, L0pht once produced
something that claimed to detect all promiscuous devices on a network, I
never got it to work properly.

  - Damian

[1] general consensus is that most well-written OSes are near impossible to
detect, some older ones have various methods of detection, usually involving
either broadcast traffic or timing.

Antisniff is still the best software based tool for the job. It has far
more extensive testing than anything else I've looked at.

Of course the one blind spot with antisniff is that it can only detect
sniffers that have an IP address assigned to them. To detect these you
have to look at your switch statistics. Dead giveaway is a host
receiving traffic, but never transmitting. There is a false positive for
this condition, however, which is a hub plugged into the switch with no
hosts attached.

HTH,
C
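As an added illustration of the switch-statistics check C describes (this is example code written for this page, not from the thread or from antisniff), the script below compares two snapshots of per-port packet counters and reports ports that were sent frames in the interval but never sourced any. The snapshots, port names and counter values are constructed to look like SNMP ifInUcastPkts/ifOutUcastPkts readings; the one real-world wrinkle it handles is counter wrap. As C notes, a hub with nothing behind it produces exactly the same counters as a silent sniffer, so every hit is a lead to check physically, not a verdict.

```python
"""Flag switch ports that only receive traffic between two counter snapshots.

Added example for this thread; it is not code from any poster or from antisniff.
The two snapshots are constructed to look like per-port packet counters read
from the switch (as from SNMP ifInUcastPkts/ifOutUcastPkts or a scraped
'show interfaces'); the port names and numbers are made up.

Counters are taken from the switch's point of view:
  in_pkts  = frames the switch received from the attached device
  out_pkts = frames the switch sent toward the attached device
A silent sniffer therefore shows out_pkts growing while in_pkts stands still.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCounters:
    in_pkts: int
    out_pkts: int


# Constructed snapshots, e.g. five minutes apart.
SNAPSHOT_T0 = {
    "Gi0/1": PortCounters(in_pkts=980_000,    out_pkts=1_000_000),  # normal host
    "Gi0/2": PortCounters(in_pkts=3_120,      out_pkts=50_000),     # quiet since boot
    "Gi0/3": PortCounters(in_pkts=0,          out_pkts=20_000),     # never transmitted
    "Gi0/4": PortCounters(in_pkts=0,          out_pkts=0),          # nothing connected
    "Gi0/5": PortCounters(in_pkts=0xFFFFFFF0, out_pkts=7_000),      # about to wrap
}
SNAPSHOT_T1 = {
    "Gi0/1": PortCounters(in_pkts=983_900,    out_pkts=1_004_000),
    "Gi0/2": PortCounters(in_pkts=3_120,      out_pkts=54_000),     # nothing from host in interval
    "Gi0/3": PortCounters(in_pkts=0,          out_pkts=24_000),
    "Gi0/4": PortCounters(in_pkts=0,          out_pkts=0),
    "Gi0/5": PortCounters(in_pkts=5,          out_pkts=7_400),      # wrapped, but still talking
}


def counter_delta(new: int, old: int, bits: int = 32) -> int:
    """Difference between two readings of a wrapping SNMP Counter32 (bits=64 for Counter64)."""
    return (new - old) % (1 << bits)


def receive_only_ports(t0: dict, t1: dict) -> dict:
    """Ports that were sent traffic in the interval but sourced none.

    Returns {port: out_delta}.  Idle ports (no traffic either way) are not
    reported.  A hub with no hosts attached produces exactly the same
    counters as a passive sniffer, so every hit needs a look at the cable.
    """
    hits = {}
    for port, c1 in t1.items():
        c0 = t0[port]
        d_in = counter_delta(c1.in_pkts, c0.in_pkts)
        d_out = counter_delta(c1.out_pkts, c0.out_pkts)
        if d_out > 0 and d_in == 0:
            hits[port] = d_out
    return hits


if __name__ == "__main__":
    for port, sent in receive_only_ports(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{port}: {sent} frames sent to it, none received from it - check the cable")
```

Run against real data, the two snapshots would come from two SNMP walks a few minutes apart; the modulo arithmetic keeps a wrapped Counter32 (Gi0/5 above) from being misreported as a port that went silent.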

The best anti-sniffer is a honeypot (it is a method, not a tool). Create so
much false information (and track its usage) that hackers will be caught
before they do something really wrong.

For those who don't know: look at the standard, cage-like mouse trap with a
piece of cheese inside. :-)

In an all switched network, sniffing can normally only be accomplished with
MAC address spoofing (Man In The Middle). Watching for MAC address changes
(from every machine's perspective), along with scanning for separate machines
with the same ARP address, and using switches that can detect when a MAC
address moves between ports will go a long way towards detecting sniffing.

It can also be worthwhile setting up a machine on a switch to detect
non-broadcast traffic that isn't for it - sometimes older switches get
'leaky' when they shouldn't be used.

I'm not sure if it's still the case, but it used to be the case that when
Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its
IP address even if the MAC address on that packet is wrong. Sending TCP/IP
packets to all the IP addresses on the subnet, where the MAC address
contains wrong information, will tell you which machines are Linux machines
in promiscuous mode (the answer from those machines will be a RST packet).

Some tools that google turned up (haven't tried them myself):

Apparently Man In The Middle attacks can also be detected by measuring the
latency under different traffic loads, but I haven't looked too much into
that.

Sam
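The bogus-MAC probe Sam describes, as an added example written for this page (not code from the thread or from antisniff): build a TCP SYN to each candidate host inside an Ethernet frame whose destination MAC belongs to nobody, then see who answers. A NIC that is not promiscuous discards such a frame before the kernel sees it; a promiscuous NIC hands it up, and if the IP stack then replies (RST for a closed port, SYN/ACK for an open one) the host has given itself away. Nothing here touches the wire: frames are built and parsed as bytes, the replies are constructed to exercise the decision logic, and all MACs and the 192.0.2.0/24 addresses are made up. In real use the probes would go out through a raw AF_PACKET socket (root required) and replies would come from a capture. One caveat to Sam's "not sure if it's still the case": current Linux kernels tag a frame with a foreign destination MAC as PACKET_OTHERHOST and drop it in ip_rcv, so this probe catches older or less careful stacks, not everything.

```python
"""Probe for promiscuous hosts with a TCP SYN carried in a wrongly addressed frame.

Added example for this thread; not code from any poster or from antisniff.
Nothing is sent: frames are built and parsed as bytes and the replies below
are constructed.  MACs and 192.0.2.0/24 addresses are made up.
"""
import socket   # inet_aton / inet_ntoa only
import struct

TCP_SYN, TCP_RST, TCP_RSTACK, TCP_SYNACK = 0x02, 0x04, 0x14, 0x12


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, seq=0x12345678):
    """Ethernet II / IPv4 / TCP (no options, no payload) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def build_probe(src_mac, src_ip, target_ip, bogus_mac="00:11:22:33:44:55", sport=40000, dport=80):
    """SYN to target_ip, deliberately addressed to a MAC nobody on the LAN owns (bogus_mac is made up)."""
    return build_tcp_frame(bogus_mac, src_mac, src_ip, target_ip, sport, dport, TCP_SYN)


def parse_tcp_frame(frame: bytes):
    """(src_mac, src_ip, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    src_ip = socket.inet_ntoa(frame[26:30])
    flags = frame[14 + ihl + 13]
    return src_mac, src_ip, flags


def promiscuous_hosts(probed_ips, replies):
    """Probed hosts that answered a frame their NIC should have discarded."""
    flagged = set()
    for frame in replies:
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        _mac, src_ip, flags = parsed
        if src_ip in probed_ips and flags in (TCP_RST, TCP_RSTACK, TCP_SYNACK):
            flagged.add(src_ip)
    return flagged


# Constructed scenario: three hosts are probed.  .20 (promiscuous, port 80 closed)
# answers RST/ACK, .30 (promiscuous, port 80 open) answers SYN/ACK, .10 stays silent.
PROBER_MAC, PROBER_IP = "02:00:00:00:00:01", "192.0.2.2"
TARGETS = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}
PROBES = [build_probe(PROBER_MAC, PROBER_IP, ip) for ip in sorted(TARGETS)]
REPLIES = [
    build_tcp_frame(PROBER_MAC, "02:00:00:00:00:20", "192.0.2.20", PROBER_IP, 80, 40000, TCP_RSTACK),
    build_tcp_frame(PROBER_MAC, "02:00:00:00:00:30", "192.0.2.30", PROBER_IP, 80, 40000, TCP_SYNACK),
    build_tcp_frame(PROBER_MAC, "02:00:00:00:00:99", "192.0.2.99", PROBER_IP, 443, 40000, TCP_SYNACK),  # unrelated
]

if __name__ == "__main__":
    print("promiscuous:", sorted(promiscuous_hosts(TARGETS, REPLIES)))
```

The destination MAC is the only thing that distinguishes this from an ordinary port scan, so on a real network the probe should be sent to every address on the subnet from a host that can also capture, and the reply set compared against the probed set; anything not in the probed set (like the .99 frame above) is ignored.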

I think I'll pass this on to the zen of Rob T. :-)

I think he said something along the lines of "security industry is here for my
amusement" in the last NANOG.

so yeah.. let's install a bunch of honeypots and hope all those "stupid" "hackers"
will get caught like the mouse.

by the time you think your enemy is less capable than you, you've already lost
the war.

-J

It is also possible to sniff a network using only the RX pair, so most of
the tools to detect cards in P mode will fail. The new Cisco 6548s have
TDR functionality, so you could detect unauthorized connections by their
physical characteristics.

But there are also tools like ettercap which exploit weaknesses within
switched networks. See http://ettercap.sourceforge.net/ for more details
(and gain some add'l grey hairs in the process).

The question here is what are you trying to defend against?

                            Scott C. McGrath

On the other hand, does the fact that police usually only catch the stupid crooks
mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall
for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember,
it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold).

2) How often is your site visited by a talented Black Hat who's more capable than you,
and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard
about this one - when was the last time you took *everything* down and booted
from known good media and checked for rootkits? And how do you know it was
good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and
Schell's paper on a Multics pen-test, and then take another REALLY close look
at that boot CD.)

I tend toward paranoia. However, I once received a box claiming to be from IBM
Software Distribution, with the format of shipping labels that IBM SD had, and
even sealed with IBM anti-tamper Q-tape the same way IBM SD does.

There was a birthday card in it. Addressed to me. From a friend who wasn't an
IBM employee at the time. I was most impressed. ;-)

Maybe this is just a stupid comment, but if the original poster is that
concerned with their LAN being sniffed, then maybe they should consider using
IPSec on their LAN.

I read the ettercap service description, and still don't see how a rogue machine gets around this:

Switched network of multiple switches, servers on each port have a hardcoded MAC on the switch port. (Ports will not work if the MAC is different than the one described). This prevents MAC flood and MAC poisoning. If you use VLAN to your router and give each server a /30 or /29 that you route its IPs down towards it, your router will only talk to each server in the IP block that has been described by the subnet mask.

I know most people don't take the time to hard code their MACs onto their switch ports, but it really only takes a few seconds per switch with a little cutting & pasting -- as a customer switches a network port, they just need to open a ticket to have the address changed.

Am I missing something?

Thanks,

DJ

Amen to that. It's actually easier to sleep at night if you start off with the
assumption that every single packet is received by both the intended recipient
and the entity you *least* want getting said packet, and then design your
communications accordingly.

Similarly for spoofed and MITM attacks - assume they WILL happen, and plan
accordingly.

Proper use of IPSec/OpenSSH/OpenSSL, with key/cert checking as appropriate,
goes a LONG way to raising the bar WAY up on the attacker.

Just don't forget about endpoint security - waay too many sites deploy OpenSSL
so credit card info can't be sniffed, and then leave the suckers in plaintext on the
web server. :-)

Sorry, but this _honeypot etc_ is _the only_ reliable defence. And when I
say honeypot, I do not mean _install old Linux with qpopper and wait_. I
mean that, if there is concern about sniffing a network (which is a
little strange, because sniffing a switched network is not much use),
this means concern about leaking information.

Usually you do not get much from sniffing: you cannot sniff SSL, cannot
sniff Win2K rdesktop, cannot sniff 'ssh'. But you can sniff, for
example, keyboard input (and the only protection against such things is
SecurID etc.), you can try to get some passwords, and so on. So having a fake
account, even a fake computer, exposing this account to the network, and
tracking any attempt to use it
is a very effective line of defense.

I already said: _do not trust the smart books about security too much_;
they misinterpret many things. For example, they treat _non-standard port
assignments_ as very ineffective, while in real life such a simple (zero cost)
thing decreases the chance of a break-in 10 to 1000 times (we investigated 3 months
of logs and found that no one in the whole Internet scans a wide range of ports,
and no one in real life uses tools that report the _real_ protocols, because they
are dramatically slow and so useless). The same here: having fake,
'labeled' information is a very effective 'complementary' defense; it lets
you know when things have gone really wrong, when you have no other indications.
And it has 0% false positives (if this account is never used and someone
opened it, he is 100% a hacker or intruder. No other method gives
you 0 false positives).

PS. Even if you are only listening to MAC broadcasts, you get much more than you
expect. At one point we found that we had all traffic to one of the
servers 'broadcasted'; the reason was complicated: ARP timeout longer than CAM
timeout + asymmetrical traffic. You have no method to detect a
passive sniffer (except a few tricks which work with a particular OS but
do not work with other systems), and no good method to detect a keyboard
sniffer. So, if you are very serious about security, you must use active
defence.
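The PS above (ARP timeout longer than CAM timeout plus asymmetric traffic) and Rubens' earlier point about the 802.1d learn/flood/forget behaviour describe the same mechanism, so here is one toy model of it, added for this page and not taken from the thread or from any vendor's code. A learning switch forwards a known unicast destination to one port and floods an unknown one to all ports; once a host that never transmits has aged out of the CAM while its peer's ARP cache still holds its MAC, every frame sent to it is flooded, and a passive sniffer on any other port receives it without doing anything active. The timer values (300 s CAM aging, an ARP cache assumed to hold the entry much longer), the MACs and the port numbering are assumptions chosen to make the effect visible.

```python
"""Why a passive sniffer on a switch sees more than broadcasts: unknown-unicast
flooding once the CAM entry for a quiet host ages out.

Added example for this thread; a toy bridge model, not any vendor's code.
Timeouts, MACs and port numbers are assumed values.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent bridge: learn source MAC -> port, forward known unicast to
    that port only, flood broadcast and unknown unicast to every other port,
    and forget a MAC that has been silent for cam_timeout seconds."""

    def __init__(self, ports, cam_timeout=300):
        self.ports = list(ports)
        self.cam_timeout = cam_timeout
        self.cam = {}                     # mac -> (port, last_seen)

    def _age_out(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen >= self.cam_timeout]:
            del self.cam[mac]

    def forward(self, now, in_port, src_mac, dst_mac):
        """Return the set of ports this frame is sent out of."""
        self._age_out(now)
        self.cam[src_mac] = (in_port, now)          # learning happens on every frame
        entry = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:   # unknown destination: flood
            return {p for p in self.ports if p != in_port}
        return {entry[0]} - {in_port}


A_MAC, B_MAC = "aa:aa:aa:aa:aa:0a", "bb:bb:bb:bb:bb:0b"
A_PORT, B_PORT, SNIFFER_PORT = 1, 2, 3


def run_scenario(b_keepalive=False):
    """A sends B a one-way stream.  After the initial ARP exchange B never
    transmits unless b_keepalive is set.  Returns {time: egress_ports} for
    each unicast frame A sends to B."""
    sw = LearningSwitch(ports=[A_PORT, B_PORT, SNIFFER_PORT], cam_timeout=300)
    egress = {}
    # t=0: A resolves B.  The request is broadcast; B's reply teaches the switch where B is.
    sw.forward(0, A_PORT, A_MAC, BROADCAST)
    sw.forward(0, B_PORT, B_MAC, A_MAC)
    # A's ARP cache keeps B's MAC far longer than 300 s (assumed), so A keeps
    # sending unicast frames to B_MAC without ever re-ARPing.
    for t in (10, 200, 400, 600):
        if b_keepalive:
            sw.forward(t, B_PORT, B_MAC, A_MAC)     # any frame from B refreshes its CAM entry
        egress[t] = sw.forward(t, A_PORT, A_MAC, B_MAC)
    return egress


if __name__ == "__main__":
    for label, flows in (("asymmetric", run_scenario()), ("B transmits", run_scenario(True))):
        for t, ports in flows.items():
            note = "  <- sniffer on port 3 sees it" if SNIFFER_PORT in ports else ""
            print(f"{label:12s} t={t:4d}s  A->B egress ports: {sorted(ports)}{note}")
```

In the asymmetric run the first two frames go only to port 2; from t=400 s on, after B has aged out, they are flooded to ports 2 and 3. With B transmitting anything at all, the CAM entry is refreshed and nothing reaches port 3. The practical fix is to bring the two timers into line (lengthen the switch's MAC aging time toward the hosts' ARP cache time, or shorten the ARP cache), which is what Cisco's guidance on unicast flooding recommends; port security on the sniffer's port does nothing here, because the sniffer never sends a frame.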

Date: Sat, 17 Jan 2004 14:57:19 -0500
From: Deepak Jain

I know most people don't take the time to hard code their
MACs onto their switch ports, but it really only takes a few
seconds per switch with a little cutting & pasting -- as
customer switches a network port, they just need to open a
ticket to have the address changed.

In the same vein, hardcoded router ARP entries in router configs
also help. Yes, spoofed gratuitous ARP packets are detectable,
but they can still cause trouble.

Eddy
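Sam's suggestion earlier of watching for MAC changes and duplicate addresses, and Eddy's point just above that spoofed gratuitous ARP is detectable, come down to one monitor. The one below is an added example written for this page, not code from the thread or from arpwatch: it parses raw Ethernet/ARP frames, remembers which MAC last claimed each IP, and raises an alert when an IP flips to a new MAC, when one MAC starts answering for several IPs (what an ARP man-in-the-middle looks like), or when a claim contradicts a static entry (the role Eddy's hardcoded router ARP entries play). The frames are constructed with build_arp() to stand in for a capture, and every MAC and the 192.0.2.0/24 addresses are made up.

```python
"""ARP monitor: flag IP->MAC flip-flops, one MAC claiming several IPs, and
claims that contradict a static (router) entry.

Added example for this thread; not code from any poster or from arpwatch.
Frames below are constructed; MACs and 192.0.2.0/24 addresses are made up.
"""
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp(oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff", eth_src=None):
    """Constructed Ethernet/ARP frame; eth_src defaults to the ARP sender MAC."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sha) + b"\x08\x06"
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      socket.inet_aton(spa), mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa), "eth_src": mac_str(frame[6:12])}


class ArpMonitor:
    def __init__(self, static=None):
        self.static = dict(static or {})   # ip -> mac that must never change (e.g. the router)
        self.seen = {}                     # ip -> mac most recently claiming it
        self.alerts = []

    def feed(self, frame: bytes):
        """Process one frame; returns the alerts it raised (also kept in self.alerts)."""
        p = parse_arp(frame)
        if p is None:
            return []
        ip, mac = p["spa"], p["sha"]       # every ARP packet asserts "spa is at sha"
        if ip == "0.0.0.0":                # ARP probe (duplicate-address check), no claim made
            return []
        new = []
        if p["eth_src"] != mac:
            new.append(("ETH_ARP_MISMATCH", ip, p["eth_src"], mac))
        if ip in self.static and self.static[ip] != mac:
            new.append(("STATIC_VIOLATION", ip, self.static[ip], mac))
        old = self.seen.get(ip)
        if old != mac:
            if old is not None:
                new.append(("FLIP_FLOP", ip, old, mac))
            # One MAC answering for several IPs is what an ARP MITM looks like.  Proxy ARP
            # and routers with secondary addresses look the same, so allow-list those.
            others = sorted(i for i, m in self.seen.items() if m == mac and i != ip)
            if others:
                new.append(("MULTI_IP_MAC", mac, ip, tuple(others)))
        self.seen[ip] = mac
        self.alerts.extend(new)
        return new


GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "aa:aa:aa:aa:aa:01"
HOST_IP, HOST_MAC = "192.0.2.10", "aa:aa:aa:aa:aa:10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"


def demo():
    """Constructed sequence: normal traffic, then an attacker poisoning both ends."""
    mon = ArpMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        # legitimate: host asks for the gateway, gateway replies
        build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, eth_dst=HOST_MAC),
        # attacker tells the host that the gateway is now at its own MAC ...
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, eth_dst=HOST_MAC),
        # ... and tells the gateway that the host is at its MAC too: classic MITM
        build_arp(ARP_REPLY, ATTACKER_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP, eth_dst=GATEWAY_MAC),
    ]
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two unicast replies from the attacker never reach a monitor on a third port of a switch, which is why this is best run on the hosts that matter (Sam's "from every machine's perspective") or on a switch span port; a monitor on a quiet port will only see the broadcast requests and gratuitous announcements.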

Criminal hackers _are_ stupid (like most criminals) for purely economical
reasons: those who are smart can make more money in various legal ways,
like by holding a good job or running their own business. Hacking into
other people's computers does not pay well (if at all).

Those who aren't in that for money are either psychopaths or adolescents,
pure and simple. Neither of those are smart.

The real smart ones - professionals - won't attack unless there's a chance
of a serious payback. This excludes most businesses, and makes anything
but a well-known script-based attack a very remote possibility.

Honeypots are indeed a good technique to catch those attacks, and may be
quite adequate for the probable threat model for most people. Of course,
if you're doing security for a bank, or a nuclear plant, then you may want
to adjust your expectations of adversary's motivation and capabilities and
upgrade your defenses accordingly. But, then, bribing an insider or some
other form of social engineering is going to be more likely than any
direct network-based attack.

For most other people a trivial packet-filtering firewall, lack of
Windoze, and a switch instead of a hub will do just fine.

--vadim