[11150] in bugtraq
Re: Antisniff thoughts
daemon@ATHENA.MIT.EDU (Wolfram Schmidt)
Tue Jul 27 19:11:25 1999
Message-Id:  <990727203530.ZM14196@decefix.iao.fhg.de>
Date:         Tue, 27 Jul 1999 20:35:30 +0200
Reply-To: Wolfram Schmidt <Wolfram.Schmidt@IAO.FHG.DE>
From: Wolfram Schmidt <Wolfram.Schmidt@IAO.FHG.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  *Hobbit* <hobbit@AVIAN.ORG> "Antisniff thoughts" (Jul 27,  1:15)
On Jul 27,  1:15, *Hobbit* wrote:
> Subject: Antisniff thoughts
> 1. For a completely passive box, we set the interface to some bogus IP
> addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away.
>  Antisniff would never see the machine because the machine would never
> answer anything unless someone could guess the IP address. Drawback:
> hard to retrieve logs remotely.
On Solaris you can "snoop" an interface which is down:
# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet <censored> netmask <censored> broadcast <censored>
        ether <censored>
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether <censored>
# snoop -d le0
Using device /dev/le (promiscuous mode)
202.99.168.11 -> <censored>     HTTP (body)
195.101.197.218 -> www.pilotschool.net HTTP C port=37004
    <censored> -> 202.99.168.11 HTTP C port=53889
202.99.168.11 -> <censored>     HTTP (body)
           ? -> *            ETHER Type=9000 (Loopback), size = 60 bytes
^C
#
-Wolfram
--
Email: Wolfram.Schmidt@iao.fhg.de
Voice: +49 711 970 2431
Fax: +49 711 970 2401
Office: Fraunhofer IAO, Holzgartenstr. 17, 70174 Stuttgart, Germany
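A host-side check in the spirit of the above, added here as an example and not part of the original post or of the antisniff tool: since a box snooping on a non-UP, 0.0.0.0 interface never answers network probes, the state has to be audited locally. The function parses `ifconfig -a` output in the Solaris format shown in the post and lists interfaces that are RUNNING but not UP or carry no usable address; the sample output below is constructed, with placeholder addresses.

```python
import re

# Constructed sample in the Solaris `ifconfig -a` layout from the post;
# the addresses are placeholders, not real hosts.
SAMPLE_IFCONFIG = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 8:0:20:aa:bb:cc
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether 8:0:20:dd:ee:ff
"""

# "name: flags=<hex><FLAG,FLAG,...>" header line of each interface block
IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
# indented "inet <addr> ..." line that follows the header
INET_RE = re.compile(r"^\s+inet (\S+)")


def parse_ifconfig(text):
    """Map interface name -> {"flags": set of flag names, "inet": address or None}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            names = [f for f in m.group(2).split(",") if f]
            ifaces[cur] = {"flags": set(names), "inet": None}
            continue
        m = INET_RE.match(line)
        if m and cur:
            ifaces[cur]["inet"] = m.group(1)
    return ifaces


def passive_capture_candidates(text):
    """Interfaces that still receive frames (RUNNING) but are not UP or have no
    usable address: the state the post uses for a snooper no probe can reach."""
    found = []
    for name, info in parse_ifconfig(text).items():
        flags = info["flags"]
        if "LOOPBACK" in flags or "RUNNING" not in flags:
            continue
        if "UP" not in flags or info["inet"] in (None, "0.0.0.0"):
            found.append(name)
    return found
```

On a real host, feed the function the live output of `ifconfig -a` and review every interface it names, since the network-side antisniff probes discussed in the thread will not see them.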