[11187] in bugtraq


Re: Antisniff thoughts

daemon@ATHENA.MIT.EDU (Teolicy)
Thu Jul 29 20:51:00 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <000301bed99b$f36085a0$2504a8c0@hysteria>
Date:         Thu, 29 Jul 1999 10:25:43 +0200
Reply-To: Teolicy <teolicy@MINDLESS.COM>
From: Teolicy <teolicy@MINDLESS.COM>
X-To:         "ML: BUGTRAQ" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.04.9907270012430.5591-100000@dolemite.psionic.com>

Hi folks.

I hope I'm not becoming a 1970s detective movie, but how about 'framing' a
machine?

Suppose you're listening in on a network and AntiSniff begins an active bad
packet storm / ping sweep to find the listeners. Your machine happily begins
to increase the CPU utilization of machines around it (I dunno, say, a
low-volume SYN flood or an ICMP redirect packet or maybe even just good old
ping with large packets). AntiSniff will go machine after machine, and every
machine (or a specific machine you choose) will look as if it's sniffing -
since you're playing around with AntiSniff results by flooding the machine
with something during AntiSniff's tests.

While you're at it, take a look at the time it takes AntiSniff to finish a
machine, and when your turn is up, just go un-promiscuous* and smile broadly
at the camera.

Note that this will not work so well if AntiSniff scans hosts randomly, in
which case you may need to listen very carefully (very carefully = don't do
other stuff and get a higher process priority, so you'd be able to respond
quickly) and start flooding a machine the moment AntiSniff begins to check
it out.

This way you can 'frame' a specific machine on the network, or maybe all the
machines on the network, or the machine of a certain SysAdmin, or whatever.
Remember to spoof the MAC address of your flood (whatever method you use),
to mask the originating machine. Also, I do realize that it may be a little
difficult to try and frame a machine by listening on the wire and checking
if it's being checked. Can anyone do a dump to see if AntiSniff sniffs
linearly?

 - Teo

*:
<femto-rant>
Why does promiscuous have to be spelled in such a way?! Come on folks, a
little consideration for non-native speakers! Why not "aware mode" instead of
"promiscuous"?! :-)
</femto-rant>
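The framing trick in the post, worked through as an added example (this is not code from the post or from AntiSniff; the RTT figures, the per-frame cost, the 4x ratio threshold and the probe sequence are constructed assumptions for illustration, not AntiSniff's real parameters). It models the latency test: ping a host while the wire is flooded with frames not addressed to it, and flag the host if its RTT rises sharply, since a promiscuous kernel has to handle every frame. It then shows that loading the target host itself during its measurement window (the SYN flood or big pings Teo describes) produces the same RTT jump, so the detector flags a machine that is not sniffing at all. The last two functions answer the post's timing question: classify whether observed probe targets were walked in order, and, if so, predict the window during which a given host is under test.

```python
# Added example (not code from the original post or from AntiSniff itself).
# Models the AntiSniff-style latency test and Teo's "framing" trick against it.
# All RTT figures, the per-frame cost and the ratio threshold are constructed
# assumptions for illustration, not AntiSniff's real parameters.
from dataclasses import dataclass
from statistics import median

RTT_RATIO_THRESHOLD = 4.0  # assumption: flag a host if its RTT under flood exceeds 4x baseline


@dataclass
class Host:
    name: str
    promiscuous: bool
    base_rtt_ms: float
    # Assumed cost a promiscuous kernel pays per frame it must pass up the stack.
    per_frame_cost_ms: float = 0.0004


def simulate_rtts(host, wire_frames_per_s, induced_load_ms=0.0, samples=9):
    """Constructed RTT model for one measurement window.

    A promiscuous host pays per_frame_cost for every frame on the wire; a
    non-promiscuous host ignores frames not addressed to it. induced_load_ms is
    extra delay caused by traffic aimed *at* the host (Teo's SYN flood / big pings).
    """
    sniff_overhead = host.per_frame_cost_ms * wire_frames_per_s if host.promiscuous else 0.0
    rtt = host.base_rtt_ms + sniff_overhead + induced_load_ms
    # Deterministic +/-5% jitter so the median is exercised; median of 9 is exactly rtt.
    return [rtt * (1 + 0.05 * ((i % 3) - 1)) for i in range(samples)]


def latency_verdict(baseline_rtts, flood_rtts, threshold=RTT_RATIO_THRESHOLD):
    """Return (ratio, flagged). Medians keep one slow reply from deciding the verdict."""
    ratio = median(flood_rtts) / median(baseline_rtts)
    return ratio, ratio > threshold


def run_scenarios(wire_frames_per_s=10_000):
    """Three hosts under the same flood; only one is really sniffing."""
    hosts = {
        "honest": (Host("honest", False, 0.5), 0.0),
        "sniffer": (Host("sniffer", True, 0.5), 0.0),
        # Not sniffing, but the attacker loads it with 3 ms of extra work during its window.
        "framed": (Host("framed", False, 0.5), 3.0),
    }
    results = {}
    for name, (host, induced) in hosts.items():
        quiet = simulate_rtts(host, 0)                              # baseline: idle wire
        loaded = simulate_rtts(host, wire_frames_per_s, induced)    # the flood window
        results[name] = latency_verdict(quiet, loaded)
    return results


def scan_order(last_octets):
    """Classify the order in which probe targets were seen on the wire (Teo's
    question whether AntiSniff walks hosts linearly). Input is a constructed
    list of last octets, in the order the probes appeared in a capture."""
    if len(last_octets) < 2:
        return "unknown"
    steps = {b - a for a, b in zip(last_octets, last_octets[1:])}
    if steps == {1}:
        return "sequential"
    if steps == {-1}:
        return "reverse-sequential"
    return "non-sequential"


def predicted_window(first_target, first_seen_s, per_host_s, victim):
    """If the scan is sequential, the window during which `victim` is under test:
    the moment to go non-promiscuous, or to start loading the machine to frame."""
    start = first_seen_s + (victim - first_target) * per_host_s
    return start, start + per_host_s


if __name__ == "__main__":
    for name, (ratio, flagged) in run_scenarios().items():
        print(f"{name:8s} rtt ratio {ratio:4.1f}  flagged={flagged}")
    print(scan_order([1, 2, 3, 4, 5]), scan_order([7, 3, 250, 12]))
    print(predicted_window(first_target=1, first_seen_s=100.0, per_host_s=8.0, victim=37))
```

The "framed" host is flagged with the same confidence as the real sniffer, which is the whole point of the post: a single RTT ratio cannot distinguish "kernel busy passing frames up to a sniffer" from "kernel busy for any other reason". Anyone running such a test should repeat it in a randomised host order and compare against a control measurement taken at the same moment, so that one well-timed flood does not decide the verdict.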
