Great Circle Associates Firewalls
(February 1998)

Subject: anti-sniffer warfare - Solution
From: Marc Heuse <Marc . Heuse @ mail . DeuBa . COM>
Date: Mon, 2 Feb 1998 08:50:07 +0100 (CET)
To: firewalls @ greatcircle . com

Hi folks,


I found a very easy way to detect a sniffing computer from remote.

It's really simple:

How does an Ethernet card normally work? It takes a look at every
(Ethernet) frame on the wire and looks for its Ethernet ID or the
broadcast ID. If found, it takes the frame and hands it to the
next upper layer, e.g. the Unix kernel.

If you craft a packet for a special host with a *wrong* Ethernet
address, it won't reply - unless it's in promiscuous mode!

And this is the easy solution (which is only usable within a subnet):
Install a scanner program on a server on each subnet. All it needs to
have is an entry in /etc/ethers like

# /etc/ethers
scantarget 01:01:01:01:01:01   # scantarget's IP is the subnet's broadcast
                               # address.

then disable the broadcast IP on the interface and finally send a
ping to "scantarget" once a minute. This doesn't need root and is easy to set
up and manage.
Drawback: one server in the subnet can't reply to a broadcast packet, and
some operating systems do not reply to a broadcast ping (like AIX).
The solution to these two problems is pinging each host directly with a fake
Ethernet address (I think ipsend from the ip_filter package has this feature).
Final drawback: an attacker can modify the kernel to check the hardware
address of the received packet. But well, this will detect 98% of the script
kiddies.


Below is the output of my test:

julia:/ # arp -a
Address                 HWtype  HWaddress           Flags Mask Iface
marc			ether   00:20:35:B3:4C:6A   C     *    eth0
julia:/ # arp -d marc
julia:/ # arp -s marc 11:11:11:11:11:11
julia:/ # arp -a
Address                 HWtype  HWaddress           Flags Mask Iface
marc                    ether   11:11:11:11:11:11   CM    *    eth0
julia:/ # ping marc
PING marc (x.x.x.x): 56 data bytes

--- marc ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

[ then I turned on promisc. mode on the server "marc" by starting "sniffit" ]

julia:/ # ping marc
PING marc (x.x.x.x): 56 data bytes
64 bytes from x.x.x.x: icmp_seq=0 ttl=64 time=0.7 ms
64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.7 ms

--- marc ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms
julia:/ # arp -a
Address                 HWtype  HWaddress           Flags Mask Iface
marc                    ether   11:11:11:11:11:11   CM    *    eth0

[ Here I turned the sniffer on server "marc" off ]

julia:/ # ping marc
PING marc (x.x.x.x): 56 data bytes

--- marc ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss





Mit freundlichen Gruessen,
				Marc Heuse


This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.



Type Bits/KeyID    Date       User ID
pub  2048/DB5C03C5 1997/09/23 Marc Heuse <marc . heuse @ mail . deuba . com>



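To make the mechanism in Marc's post concrete, here is an added example (my own model, not code from the post or from any tool it mentions): it builds the frame his test relies on, an ICMP echo request whose IP destination is the target but whose Ethernet destination is a MAC nobody owns, and models the target's receive path, where the NIC's address filter drops the frame in normal mode while the IP stack, which never looks at the MAC, answers it in promiscuous mode. All addresses are constructed, and the NIC filter is simplified to own MAC, broadcast and joined multicast groups.

```python
"""Model of the wrong-MAC ping test from the post: a real Ethernet/IPv4/ICMP echo request
addressed to the target's IP but framed to a bogus MAC, plus the receive path that shows
why only a promiscuous host answers it. Added example; all addresses are constructed."""
import socket
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
# Constructed demo addresses (locally administered unicast MACs, TEST-NET-1 IPs).
PROBER_MAC, TARGET_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BOGUS_MAC = bytes.fromhex("0a0b0c0d0e0f")  # belongs to nobody on the segment
PROBER_IP, TARGET_IP = "192.0.2.1", "192.0.2.10"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header, ICMP); 0 when verifying a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(dst_mac: bytes, src_mac: bytes, dst_ip: str, src_ip: str) -> bytes:
    """ICMP echo request for dst_ip at layer 3, deliberately sent to dst_mac at layer 2."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"sniffcheck"  # type 8, id, seq
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))  # proto 1 = ICMP
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + icmp  # 0x0800 = IPv4 ethertype

def nic_accepts(frame: bytes, own_mac: bytes, promisc: bool, groups=frozenset()) -> bool:
    """Hardware filter: own unicast, broadcast and joined multicast groups pass; promiscuous passes all."""
    dst = frame[:6]
    return promisc or dst == own_mac or dst == BROADCAST or dst in groups

def stack_replies(frame: bytes, own_ip: str) -> bool:
    """The IP stack answers an echo request to its own IP; it never re-checks the MAC."""
    if frame[12:14] != b"\x08\x00":
        return False
    ip, icmp = frame[14:34], frame[34:]
    if checksum(ip) != 0 or ip[9] != 1 or ip[16:20] != socket.inet_aton(own_ip):
        return False
    return icmp[0] == 8 and checksum(icmp) == 0

def host_replies(frame: bytes, own_mac: bytes, own_ip: str, promisc: bool) -> bool:
    """True if the target would emit an echo reply: the signal the post's test looks for."""
    return nic_accepts(frame, own_mac, promisc) and stack_replies(frame, own_ip)
```

Sending such a frame for real needs a raw link-layer socket; the post gets the same effect by pinning a bogus MAC in the ARP table (arp -s or /etc/ethers) and using ordinary ping.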