Re: sniffers
daemon@ATHENA.MIT.EDU (Asriel DeCatte)
Sun Apr 30 07:36:42 1995
From: Asriel DeCatte <asriel@chewy.wookie.net>
To: root@ee.duth.gr (Theodore Alexopoulos)
Date: Sun, 30 Apr 1995 04:32:43 -0400 (EDT)
Cc: bugtraq@fc.net
In-Reply-To: <Pine.HPP.3.91.950429150525.1600B-100000@platon.ee.duth.gr> from "Theodore Alexopoulos" at Apr 29, 95 03:06:51 pm
> Is there any way to find out if a sniffer is on the net?
Sure.
If you have access to the machine you suspect is being sniffed from.
Get on the system and do an ifconfig -a. Make sure nothing is in
promiscuous mode. It shows up in most (<cough>) if's as a flag (taken from
struct ifnet, neh?) - IFF_PROMISC I believe. You'll see it in ifconfig as
PROMISC along with the rest of the flags.
Some systems (I know SunOS does this) also have an entry in the network
interface structure for how many times an interface has been requested to
go into promiscuous mode.
If an interface is in promiscuous mode, and you're not sure you didn't
set it that way on purpose (something like netwatch, in which case a
sniffer IS running, but it's yours...), then there's a good bet a
sniffer's running.
Don't trust ifconfig unless you're sure it wasn't modified. Patches for
ifconfig that won't report a network interface in promiscuous mode are
floating around (rootkit, <cough><cough>). ifconfig is one o' dem happy
files you want to keep a personal copy of and an MD5 signature on.
If nothing comes up as promiscuous, or your system doesn't have a flag
for promiscuous mode (Solaris 2.4?), some other things...
Look for /dev/nit (Sun's network interface tap, a device that allows the
system direct raw access to a network) if you have a Sun. I don't know
what the correspondents to the NIT are on other systems (can anyone
elucidate on this topic? I'm somewhat interested, since my proficiencies
in these matters really only reside with SunOS). If it's there, and you
believe the system it's on may have been compromised, be worried.
This isn't really reliable unless you're sure /dev/nit isn't compiled
into the kernel... it's pretty trivial (very) to just go to some remote
corner of the system (how many of you people check what's in things like
/usr/lib/font?) and mknod a new device with the appropriate major and
minor numbers for a NIT.
Try this:
# cd /tmp
# touch snifftrap
# telnet localhost
blahblah
^]
# telnet some.external.host
blahblah
^]
# find / -newer snifftrap -print
This'll tell you any files that got accessed after you touch'd
"snifftrap", and it should give away the presence of any sniffer logs on
your system. Don't trust this unless you're sure your find command hasn't
been tampered with. Same situation with ifconfig - find patches ain't
hard to come across, and aren't too damn hard to write.
A really unreliable check you can do that will foil the lame would be to
do a find for suspiciously named files... find / -name "*sniff*" -print,
find / -name "es" -print, etc.
System admins I've known have tried things like bombing the echo ports of
all the systems on a network and seeing which systems lag badly or load up
(the rationale being that systems with sniffers will be burdened by the
sniffer reading all the packets it's taking in). I guess if you're really
that worried about sniffers, you could also bomb a system on the
ethernetwork that you DON'T suspect is being sniffed from, and watch to
see which other systems on the net lag when you do it.
Sorry for the lack of coherency in this message... check out when I wrote
it... =P
Any addenda?
------------------------------------------------------------------------
do not lead for I will not follow - do not follow for I will not lead
------------------------------------------------------------------------
main(){for(;;){fork();}}
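The two host-side checks from the message above (the PROMISC interface flag and the "snifftrap" find -newer trick) as an added example in POSIX shell; this is not code from the original post. The IFF_PROMISC value 0x100 is the one defined in <net/if.h>, the ifconfig sample is constructed, and handling "ip link" output goes beyond what the post describes.

```sh
#!/bin/sh
# Added example, not code from the original post. Three of the post's
# checks as shell functions with testable results:
#   is_promisc         test the IFF_PROMISC bit (0x100 in <net/if.h>) in a
#                      raw flags word such as /sys/class/net/<if>/flags
#   promisc_ifaces     list interfaces flagged PROMISC in ifconfig or
#                      "ip link" output read from stdin
#   set_marker / files_since_marker   the "snifftrap" find -newer trick
IFF_PROMISC=256   # 0x100, the same bit on SunOS, the BSDs and Linux

# is_promisc FLAGS -> prints yes/no; FLAGS may be hex (0x1103) or decimal
is_promisc() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# promisc_ifaces < OUTPUT -> one interface name per line.  Handles
# "le0: flags=163<...,PROMISC>", "eth0  Link encap" + indented flag line,
# and "2: eth0: <BROADCAST,...,PROMISC>" from ip link.
promisc_ifaces() {
    awk '
        /^[A-Za-z0-9]/ {
            iface = ($1 ~ /^[0-9]+:$/) ? $2 : $1
            sub(/:$/, "", iface)
        }
        /PROMISC/ { print iface }
    '
}

# set_marker DIR: create the "snifftrap" timestamp file the post uses.
set_marker() { touch "$1/snifftrap"; }

# files_since_marker DIR: regular files under DIR modified after the marker.
# find -newer compares modification time, so this catches a log a sniffer
# wrote to, not a file that was merely read.  Many filesystems keep
# whole-second mtimes, so let a second pass after set_marker before
# generating the traffic you expect a sniffer to record.
files_since_marker() {
    find "$1" -type f -newer "$1/snifftrap" -print
}

# Constructed sample (SunOS 4 style ifconfig -a), not from a real host.
SAMPLE_IFCONFIG='le0: flags=163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC>
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
lo0: flags=49<UP,LOOPBACK,RUNNING>
        inet 127.0.0.1 netmask ff000000'

# Demo on the sample; nothing here touches a real interface.
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces   # le0
is_promisc 0x1103                                   # yes
```

As the post says, the result is only as trustworthy as the ifconfig, ip, awk and find binaries it runs, so verify those against a known-good copy before relying on it.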