Re: A Solution for sniffing

Not only DNS, but IMO a lot things should not be run on the sniffer machine what ever it is.

Try composing a mail and send it while some arp sniffer (MITM attack) like ettercap is running :)) ....for me the destined recipent was spammed with the same copy for three days :))

There are lots of white paper floating that explains how to detect if some machine is in promiscous like
by sending an echo reply packet (arp, any query etc) to some and see how many replies you get in return.....

• Original Message ----- From: <Bruce.Orcutt@alltel.com> To: <SMerrell@avbpgh.com> Cc: <security-basics@securityfocus.com> Sent: Wednesday, December 18, 2002 11:15 PM Subject: RE: A Solution for sniffing

Actually, I had never heard of Anti-Sniff before.

Looks interesting, but looks easily circumvented by a determined techie.

Anti-Sniff has three major components:

1. NT based:

Easiest way to avoid is not run Windows NT on the Sniffer :)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2) DNS: Easy way to avoid is not to use DNS on the Sniffer, take the logs from the Sniffer and use it to the DNS lookups desired at a later date on a later machine. Can easily set up a simple program to read in a table of IPs, then convert them into DNS names, and re-write the table

3) Timing with a flood:

Don't know about your network, but I know I would not want to add the extra traffic of a flood of packets. Also, pretty easy to add a little intelligence into your Sniffer that if it receives X number of packets in Y number of seconds, shut down promiscuous mode temporarily. Also, with faster and faster nics coming out, more and more packets are able to be processed, thus necessitating the increase in the size of the flood, thus causing more problems associated with flooding a network.

Just some of my thoughts at least

-----Original Message-----

From: Merrell, Sam [mailto:SMerrell@avbpgh.com] Sent: Wednesday, December 18, 2002 12:18 PM To: Orcutt, Bruce
Subject: RE: A Solution for sniffing

What about L0pht's Anti-sniff product? Is that still available?

-----Original Message-----

From: Bruce.Orcutt@alltel.com [mailto:Bruce.Orcutt@alltel.com] Sent: Tuesday, December 17, 2002 12:19 PM To: fadi@lebrocks.com; security-basics@securityfocus.com Subject: RE: A Solution for sniffing

As sniffing is a passive act, there is no way that you can detect the act itself, unless you have access to the machine that's doing the possible sniffing itself.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Perhaps one of the simplest ways to ensure sniffing is made much more difficult at the least is by switching from a hub type network to a switched network. In a switched environment, other users cannot see each others network streams, thus providing a layer of protection.

Of course, like all techniques, this can be gotten around by various additional techniques, but it does make life more difficult to would be sniffers. (ie: user installs a hub via an uplink port to switched segment, and connects target's system and a sniffing machine to the hub.)

-----Original Message-----

From: fadi@lebrocks.com [mailto:fadi@lebrocks.com] Sent: Tuesday, December 17, 2002 5:41 AM To: security-basics@securityfocus.com
Subject: A Solution for sniffing

Hello Folks,
I think i am being sniffed by somone on my network, and i was wondering. is there an application to check wether i am being sniffed or not, and if i was, how can i fix that ?(like PGP for mail, what about other protocols)

P.S. : Running Linux Slackware 8.1 (if that would help)

cheers,
Fadi R. Khouja

---

Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.431 / Virus Database: 242 - Release Date: 12/17/2002

---

Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.431 / Virus Database: 242 - Release Date: 12/17/2002 Received on Fri Dec 20 21:56:14 2002

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek