[11136] in bugtraq
Re: (How) Does AntiSniff do what is claimed?
daemon@ATHENA.MIT.EDU (Jon Marler)
Mon Jul 26 23:46:28 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990725155422.I4792@istrength.net>
Date:         Sun, 25 Jul 1999 15:54:22 -0500
Reply-To: Jon Marler <jmarler@ISTRENGTH.NET>
From: Jon Marler <jmarler@ISTRENGTH.NET>
X-To:         Nick Lamb <njl98r@ECS.SOTON.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.9907242358330.24292-100000@chef.ecs.soton.ac.uk>;
              from Nick Lamb on Sun, Jul 25, 1999 at 12:37:11AM +0100
On Sun, Jul 25, 1999 at 12:37:11AM +0100, Nick Lamb wrote:
> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
>
> will detect sniffing -- a green light from their product does NOT mean
> you're not being sniffed.
>
> If AntiSniff becomes popular, I'd estimate only a few months grace
> before Black Hats have made a reduced-functionality sniffer which slips
> under AntiSniff's radar. I don't have any use for such a tool, but if
> I did I doubt I'd need more than a week or two to get it right.
We've had the same discussion in the nmap-hackers list.
All you would need to do to prevent detection is cut the send pair on your
Ethernet connection.  That would make it completely passive.  You could
even do it as simple as a cable with only 1 pair.
There is already a popular UN*X package that does promisc. detection.  It
is called hunt. (http://www.cri.cz/kra/index.html).  It also does MAC
spoofing, ARP collection, connection hijacking, etc ...  Hunt will allow
you to scan an entire range of IP addresses for "Sniffing".  Here is a
tcpdump -ne during a small promisc. scan:
15:48:09.785988 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.1: icmp: echo request (DF)
15:48:09.786088 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.2: icmp: echo request (DF)
15:48:09.786154 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.3: icmp: echo request (DF)
There is a package for hunt that is part of the 'potato' distribution of
Debian GNU/Linux.  I'm not aware of any RPMs.
Jon
jmarler@istrength.net
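The tcpdump trace above shows what a promiscuous-mode probe looks like from the wire: ICMP echo requests fanned out across consecutive IP addresses, all carried in Ethernet frames whose destination MAC (ea:1a:de:ad:be:4) belongs to no real host. A correctly configured NIC drops such frames; a host whose interface is in promiscuous mode hands them to its IP stack and answers. The same property makes the probes themselves easy to spot in a capture. The following is an added example, not code from this post, from hunt or from AntiSniff: it parses `tcpdump -ne` output in the format shown above and reports (source MAC, bogus destination MAC) pairs that fan out echo requests to several IPs. The sample lines are constructed from the post's trace plus two benign frames, and the set of "known" MACs stands in for whatever a switch's forwarding table or an ARP inventory would supply.

```python
"""Flag promiscuous-mode probe traffic in `tcpdump -ne` output.

Added example, not code from the original post or from hunt/AntiSniff.
The probe discussed in the thread sends ICMP echo requests to many IPs
inside Ethernet frames whose destination MAC belongs to no real host.
From the network's side those probes are recognisable on their own:
one source MAC, one bogus unicast destination MAC, and a fan-out of
echo requests across consecutive IP addresses.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the `tcpdump -ne` lines in the post.
# Records may be wrapped onto a second line, as mail clients often do;
# one ARP broadcast and one echo request to a real MAC are added as
# benign traffic that must not be flagged.
SAMPLE = """\
15:48:09.785988 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.1: icmp: echo request (DF)
15:48:09.786088 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.2: icmp: echo request (DF)
15:48:09.786154 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.3: icmp: echo request (DF)
15:48:10.100000 0:10:4b:7a:3d:32 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.1.9 tell 192.168.1.1
15:48:10.200000 0:10:4b:7a:3d:32 0:50:da:12:34:56 0800 98: 192.168.1.1 >
192.168.1.7: icmp: echo request (DF)
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
# A record starts with an hh:mm:ss.usec timestamp; continuation lines do not.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# tcpdump -ne: timestamp, source MAC, destination MAC, ethertype, length,
# then the IP/ICMP summary.  Only ICMP echo requests are of interest here.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) (?P<etype>[0-9a-f]{4}) "
    r"(?P<len>\d+): (?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+): "
    r"icmp: echo request"
)


def join_wrapped(text):
    """Re-join records that were wrapped onto a following line."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def is_multicast(mac):
    """Group address: least significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_echo_requests(text, known_macs):
    """Parse ICMP echo requests and mark those whose destination MAC is
    neither broadcast, nor multicast, nor a MAC known on the segment."""
    out = []
    for rec in join_wrapped(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        d = m.groupdict()
        dmac = d["dmac"].lower()
        d["bogus_dmac"] = (dmac != BROADCAST and not is_multicast(dmac)
                           and dmac not in known_macs)
        out.append(d)
    return out


def find_promisc_scans(text, known_macs, min_targets=3):
    """Group flagged echo requests by (source MAC, bogus destination MAC)
    and report groups that fan out to at least `min_targets` distinct IPs."""
    groups = defaultdict(set)
    for d in parse_echo_requests(text, known_macs):
        if d["bogus_dmac"]:
            groups[(d["smac"], d["dmac"])].add(d["dip"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_targets}


if __name__ == "__main__":
    # MACs an operator would know from the switch's forwarding table (constructed).
    known = {"0:10:4b:7a:3d:32", "0:50:da:12:34:56"}
    for (smac, dmac), targets in find_promisc_scans(SAMPLE, known).items():
        print(f"possible promisc scan from {smac}: dst MAC {dmac} -> {targets}")
```

The `known_macs` check matters: an echo request to a unicast MAC that is simply stale in the operator's inventory should not by itself be reported, which is why the reporting threshold is a fan-out of several target IPs from one (source MAC, destination MAC) pair rather than a single odd frame.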