[1808] in bugtraq

home help back first fref pref prev next nref lref last post

Re: detecting sniffers is downright easy

daemon@ATHENA.MIT.EDU (Eric Murray)
Fri May 12 14:13:05 1995

From: ericm@lne.com (Eric Murray)
To: chowes@helix.net (Charles Howes)
Date: Fri, 12 May 1995 09:31:52 -0700 (PDT)
Cc: bugtraq@fc.net
In-Reply-To: <Pine.SUN.3.91.950511160843.26546D-100000@trance.helix.net> from "Charles Howes" at May 11, 95 04:17:18 pm

> 
> On Wed, 10 May 1995, Christopher Klaus wrote:
> 
> > > All current (2) programs can be detected by comparing the OS programs
> > > with their original distribution versions using MD5 or a similar
> > > cryptographic checksum technique.  This has been widely published for
> > > over 5 years.
> > 
> > Any sniffer can be slightly modified to change its md5 checksum, so you
> > can't tell if it is a sniffer or just another a.out program in someone's
> > directory.
> 
> If you know that the only programs running are virgin copies of system
> programs, then you know you have no sniffer running.

not many systems are run from nothing but installed programs.

> I guess 'lsof' is the tool to find out which executables are currently
> being executed.  Test them with md5 to make sure that you know what
> they are.

you would have to run lsof from a read-only media to make sure
it's not compromised.  then you'd still have to worry that the
attacker haden't modified the kernel in some way as to make lsof
not see the sniffer.

that's just for one unix machine.  you would have to do all of
your machines, constantly running lsof and scanning for sniffers.
scanning once an hour would not be good enough, the sniffer
could quit during the scan and start up afterwards.  you'd wind up
spending an awful lot of cpu time on this.  and you still
wouldn't guarantee that you don't have sniffers clipped into
your net elsewhere (i.e. not on an offical host).

if you actually try this, or even think it out, you'll discover
that it's less work to encrypt everything on your network than it is to
be 100% sure that no one on your net is sniffing packts.


-- 
eric murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm

home help back first fref pref prev next nref lref last post