Sniffer Detection

By systechadmin ·
Is there a way to detect if someone is using a Sniffer?


Sniffer Detection

by TimTheToolMan In reply to Sniffer Detection

Hi,

No.

It may interest you to know that any old PC on your network can sniff by putting its nic into "promiscuous mode" - whereby all packets are captured - not just the ones bound for its IP address.

Switches help, as they specifically direct the traffic directly to a PC - but PCs on a hub have pretty much free access to the information going to all the other PCs on at least the hub (and maybe wider too depending on your network configuration) if they want it.

Cheers,
Tim.


Sniffer Detection

by systechadmin In reply to Sniffer Detection

The question was auto-closed by TechRepublic


Sniffer Detection

by Joseph Moore In reply to Sniffer Detection

I know that if someone is using Windows Network Monitor (comes with 2000 Server and NT4 Server, but the main product is in SBS), there is an option to select to see if other users on your LAN are running it. I can't remember the option right now, but it is under one of the program options. Click Options, and it is probably there somewhere.
Now, if someone is running Sniffer Pro (the best sniffer out there), I don't remember if it has a detect mode to find other Sniffers running. It probably does.
Check www.sniffer.com for details.


Sniffer Detection

by Joseph Moore In reply to Sniffer Detection

Please look at Technet article Q148942:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q148942
(please remove any spaces)
And this link to the MSDN site on Network Monitor:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/network_monitor.asp
(again, please remove any spaces)

hope this helps


Sniffer Detection

by jluster In reply to Sniffer Detection

There is more than one way to sniff. The all too common approach uses a hubbed environment in which all machines receive all packets. In normal operation, network cards and stacks discard packets not destined to their own IP addresses/MAC addresses. By putting your machine in "PROMISCUOUS" mode, your applications receive ALL data. There are a few PROMISC MODE detectors out there, just look at Google to find one for your OS.

In switched environments the attacker has a bit more to do since switches do not distribute packets everywhere but only to their recipient. In those scenarios an attacker can either break into the switch and add a "mirror" port to his own link or he will have to trick the switch.

This can be accomplished in two main ways: either overflowing the switch so it falls back into HUB mode or by sending out bogus ARP answers and hoping the switch won't notice. Both can be detected pretty easily by running a program like ARPwatch.

There is much more than that to it, but this entry box has a max length. Email me if you need more info.
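As an added example (not from this thread and not ARPwatch's own code), the two symptoms the post above describes can be spotted in a simple ARP-reply log: an IP whose MAC keeps changing (bogus ARP replies) and a burst of never-seen MACs (a switch being overflowed into hub mode). The log lines and MAC addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP-reply log ("timestamp ip mac"), not taken from the thread.
# 10.0.0.1 flips between two MACs (bogus ARP replies); a burst of unknown
# MACs at t=40 is the pattern seen while a switch's CAM table is being flooded.
SAMPLE_ARP_LOG = """\
10 10.0.0.1 00:11:22:33:44:01
11 10.0.0.20 00:11:22:33:44:20
12 10.0.0.1 00:11:22:33:44:99
13 10.0.0.1 00:11:22:33:44:01
14 10.0.0.1 00:11:22:33:44:99
40 10.0.0.50 02:aa:00:00:00:01
40 10.0.0.51 02:aa:00:00:00:02
40 10.0.0.52 02:aa:00:00:00:03
41 10.0.0.53 02:aa:00:00:00:04
41 10.0.0.54 02:aa:00:00:00:05
"""

def parse_arp_log(text):
    """Return [(ts, ip, mac)] from whitespace-separated lines, MACs lower-cased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        records.append((int(ts), ip, mac.lower()))
    return records

def arp_changes(records):
    """ARPwatch-style 'changed ethernet address' events: ip -> [(ts, old, new)].
    A known IP whose MAC keeps flipping is the footprint of bogus ARP replies."""
    bindings, changes = {}, defaultdict(list)
    for ts, ip, mac in records:
        old = bindings.get(ip)
        if old is not None and old != mac:
            changes[ip].append((ts, old, mac))
        bindings[ip] = mac
    return dict(changes)

def new_mac_bursts(records, window=5, threshold=4):
    """Window start times in which at least `threshold` never-seen MACs appear.
    Many fresh source MACs in a short time is what CAM-table overflow looks like."""
    seen, per_window = set(), defaultdict(set)
    for ts, _ip, mac in records:
        if mac not in seen:
            seen.add(mac)
            per_window[ts - ts % window].add(mac)
    return sorted(w for w, macs in per_window.items() if len(macs) >= threshold)
```

On a real segment the records would come from ARPwatch's database or from ARP replies captured on a monitoring port; the thresholds are tuning knobs, not fixed values.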


Sniffer Detection

by Rookie@NPA In reply to Sniffer Detection

The best utility available to quickly identify hosts in PROMISCUOUS mode is Anti Sniff from L0pht. It uses three proven techniques to identify hosts in Promiscuous mode:

a). DNS test (DNS tests operate on the premise that many attacker network data gathering tools perform IP to name inverse resolution to provide DNS names in place of IP addresses.)

b). Network and Machine Latency test (These tests operate on the premise that when a network card is not in promiscuous mode it is afforded hardware filtering. When this is the case, dramatic increases in network traffic not destined to the host in question have a relatively minimal effect on the Operating System. Conversely, machines in promiscuous mode do not have the benefit of this low level filtering. Thus dramatic increases in network traffic not destined to the host in question can have a dramatic effect on the underlying operating system as it now needs to do the filtering in kernel or user mode.)

c). Sixty six test (SIXTYSIX creates packets that are comprised entirely of the hex value 0x66. This is designed to not be accepted by any non-promiscuous mode host yet create data that is logged and captured by most normal use network monitoring tools such as tcpdump, snoop, etc.)

d). Faking the entire three-way handshake (THREEWAY operates upon the same principles as TCPSYN but takes it one step further. In the THREEWAY flooding an entire TCP three-way handshake between non-existent machines is created a multitude of times. This test encourages network-monitoring programs that are more sophisticated to set their internal state tables for the completed fictitious session.)

Operating System specific tests (which use unique methods to identify the class of the machines in promiscuous mode - be it Linux, BSD, or Windows).
An eval version download is available at all security portals/sites. The Linux version is free for personal use.

Thanks,
Rookie


Sniffer Detection

by isys In reply to Sniffer Detection