[7971] in bugtraq


Defeating (or at least confusing) neped.c

daemon@ATHENA.MIT.EDU (Seth McGann)
Fri Sep 18 21:45:50 1998

Date: 	Fri, 18 Sep 1998 12:03:18 -0400
Reply-To: Seth McGann <smm@WPI.EDU>
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@NETSPACE.ORG

<snip>
/* -----------------------------------------
Network Promiscuous Ethernet Detector.
Linux 2.0.x / 2.1.x, libc5 & GlibC
-----------------------------------------
(c) 1998 savage@apostols.org
-----------------------------------------
Scan your subnet, and detect promiscuous
linuxes. It really works, not a joke.
-----------------------------------------
[ http://www.rootshell.com/ ]
<snip>

This nifty program was released on rootshell a few days ago.  I'm surprised
it hasn't got more play on bugtraq yet.  Using the ARP protocol, it is
apparently possible to tell which machines on a subnet are sniffing.
Without going into the details of how exactly this detector works (mainly
because I'm not quite sure myself)  it is possible to defeat the detector
by having your machine be shown as a false negative.

<Hax0r> # /sbin/ifconfig eth0 -arp
<Hax0r> # ./evilsniffer -i eth0

Now the interface will not respond to ARP queries, thus no detection.  Not
responding to ARP requests is suspicious but the fact remains that you
can't be sure whether or not someone is sniffing.  Additionally, this
program apparently will not detect sniffers on your own machine, but if
that is the case you have bigger problems anyway.


Seth M. McGann / smm@wpi.edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
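
A host-side audit for the condition the post describes, as an added example that is not part of the original post or of neped.c: it flags interfaces that have ARP disabled or are in promiscuous mode. It assumes a Linux host that exposes interface flags under /sys/class/net/<if>/flags (newer than the kernels named above); the function names are hypothetical and the bit values are the IFF_* constants from <linux/if.h>.

```shell
#!/bin/sh
# Added example: report interfaces with ARP disabled and/or promiscuous mode set.
# Assumption: flags are readable as hex from /sys/class/net/<if>/flags.

# Interface flag bits from <linux/if.h>.
IFF_LOOPBACK=8      # 0x008
IFF_POINTOPOINT=16  # 0x010
IFF_NOARP=128       # 0x080
IFF_PROMISC=256     # 0x100

# classify_flags HEX -> prints ok, noarp, promisc or noarp+promisc
classify_flags() {
    flags=$(( $1 ))
    result=""
    # Loopback and point-to-point links never use ARP, so NOARP is normal
    # there; on an Ethernet-style interface it is worth a second look.
    if [ $(( flags & IFF_NOARP )) -ne 0 ] &&
       [ $(( flags & (IFF_LOOPBACK | IFF_POINTOPOINT) )) -eq 0 ]; then
        result="noarp"
    fi
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        result="${result:+$result+}promisc"
    fi
    echo "${result:-ok}"
}

# audit_interfaces [DIR] -> one "name: verdict" line per flagged interface
audit_interfaces() {
    dir=${1:-/sys/class/net}
    for path in "$dir"/*; do
        [ -r "$path/flags" ] || continue
        verdict=$(classify_flags "$(cat "$path/flags")")
        [ "$verdict" = ok ] || echo "${path##*/}: $verdict"
    done
}

audit_interfaces
```

An interface reported as noarp+promisc matches the combination produced by the two commands in the post.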
