[1762] in bugtraq
Re: detecting sniffers is downright easy
daemon@ATHENA.MIT.EDU (Kenneth R. van Wyk)
Wed May 10 11:13:12 1995
To: fc@all.net (Dr. Frederick B. Cohen)
Cc: bugtraq@fc.net
In-Reply-To: Your message of "Wed, 10 May 95 05:19:13 EDT." <9505100919.AA12145@all.net>
Date: Wed, 10 May 95 09:45:49 -0400
From: "Kenneth R. van Wyk" <krvw@assist.mil>
Dr. Cohen writes:
> ...I thought I would mention that detecting sniffers from a
> real-world point of view is downright easy in almost all cases.
> ...
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique. This has been widely published for
> over 5 years.
I agree with the above to a point. The assumption that you are
making is that you have _access_ to the system that has a sniffer
installed on it. The vast majority of sniffed sessions that I am
aware of have involved sniffers running on machines that the victim
doesn't have access to. Picture a sniffer running on your local
Internet service provider's backbone system(s). Anyone connecting
into your site using a static password results in that person's
password being sniffed - with no requirement for a sniffer to be
running on any of the systems within your local domain. Take a look
at a traceroute output from your site to <any other internet site>
sometime and see just how many systems and networks your packets
traverse that you have absolutely no control or authority over. How
would you (legally) detect a sniffer on one of those?
I do agree, however, that it is easy to detect any of the currently
observed sniffers on a host that you have access to.
Cheers,
Ken van Wyk
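The checksum comparison Dr. Cohen refers to, as an added example that is not part of the original thread: it builds a digest manifest of a file tree (the "original distribution" versions), stores it in the `<digest>  <path>` format that md5sum/sha256sum use, and later diffs a fresh manifest against it to flag modified, added and removed programs. SHA-256 is an assumption on my part (the post names MD5; any hashlib algorithm name works); the `dist/bin` tree, file names and contents in `demo()` are constructed sample data.

```python
"""Baseline-vs-current integrity check for a tree of OS programs.

Added example for the checksum-comparison technique discussed in the
thread; not code from the original post. Assumes SHA-256 as the digest
(the thread names MD5) and constructs its own sample tree in demo().
"""
import hashlib
import os
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Return the hex digest of one file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Map every regular file under root (as a relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot stand in
    for the file it shadows.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed or modified."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def write_manifest(manifest, path, algorithm="sha256"):
    """Write '<digest>  <path>' lines, the layout md5sum/sha256sum emit."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"# algorithm: {algorithm}\n")
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest (or by sha256sum)."""
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def demo():
    """Constructed sample: a clean 'distribution' tree, then a tampered copy."""
    import shutil
    import tempfile
    work = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    try:
        dist = work / "dist"
        clean = {"bin/login": b"login-v1", "bin/ifconfig": b"ifconfig-v1",
                 "sbin/init": b"init-v1"}          # constructed contents
        for rel, data in clean.items():
            (dist / rel).parent.mkdir(parents=True, exist_ok=True)
            (dist / rel).write_bytes(data)
        # Baseline taken from the clean tree; in practice keep it on read-only media.
        manifest_path = work / "baseline.sha256"
        write_manifest(build_manifest(dist), manifest_path)
        # Simulate changes a later check should surface.
        (dist / "bin/login").write_bytes(b"login-v1-replaced")   # modified
        (dist / "bin/unexpected").write_bytes(b"new file")       # added
        (dist / "sbin/init").unlink()                            # removed
        return compare_manifests(read_manifest(manifest_path), build_manifest(dist))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline and the tool doing the comparison: both must come from media the host being examined cannot have altered, and, as the reply above points out, it says nothing about hosts along the path that you cannot examine at all.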