[11126] in bugtraq
Re: (How) Does AntiSniff do what is claimed?
daemon@ATHENA.MIT.EDU (Paul Boyer)
Mon Jul 26 16:55:16 1999
Message-Id:  <379B6219.BF809F21@paulboyer.org>
Date:         Sun, 25 Jul 1999 21:14:33 +0200
Reply-To: Paul Boyer <paul.boyer@PAULBOYER.ORG>
From: Paul Boyer <paul.boyer@PAULBOYER.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Am I missing something, or will AntiSniff totally fail to detect a non-IP
machine going promiscuous?

Is there any Novell trojan that can turn an IPX-only machine into a
sniffer?
Is there a trojan for VMS that can turn a DECnet-only machine into a
sniffer?
Is there a DOS trojan that can turn a NetBEUI-only machine into a
sniffer?

Also, a dedicated sniffing device/machine inserted on your network by a
cracker will probably be as verbose as a /dev/null with its TX wire cut,
huh?

So, one should be well aware that AntiSniff only detects when a regular
IP machine you know (you need to know its IP address) is changing to
promiscuous mode, but fails to detect "any" promiscuous mode device on a
specific network.

I see nothing except maybe an electronic device analyzing signal
deformation to detect such attacks. Cryptography is probably a cheaper
alternative to this kind of protection, anyway.

Nevertheless, AntiSniff will detect _MOST_ cases of sniffing attacks,
and it is the first integrated graphical tool to do it so well, and as
such it is really a "must have" tool.

Many thanks to L0pht for their work.

Paul

Nick Lamb wrote:
>
> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
-> a very good paper indeed.
[...]
>
> Nick.