[18498] in bugtraq
Re: Hidden sniffer on unplumb'ed interface on Solaris
daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jan 9 14:47:45 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <200101090957.KAA10741@romulus.Holland.Sun.COM>
Date: Tue, 9 Jan 2001 10:57:09 +0100
Reply-To: BUGTRAQ@SECURITYFOCUS.COM
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To: gellenburg@FREEDOM.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Fri, 05 Jan 2001 16:47:19 EST."
<20010105214333.C225124C967@lists.securityfocus.com>
>I don't actually consider this to be a problem. This is how some network
>IDSes are able to work (RealSecure for one) and can avoid all risk of IP
>based attacks (since there's no ipaddr on the if).
>
>But, the interfaces are able to be found, you just need to look for the MAC
>address and not the IP. ;-) Checking the ARP tables of your switches and
>routers should bring a rogue interface that doesn't have an ipaddr assigned
>to it.
>
You won't find the MAC address anywhere; the interface is passive. It
won't reply to ARP requests (no IP). Since it doesn't send any other
packets, its MAC address can't be learned that way either.
Casper