Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: cds () SSDS com (Chris Swanson)
Date: Thu, 11 May 1995 14:50:10 -0700 (PDT)


Greetings,

        I think you underestimate the problem.  Actually, most Unix 
sniffers do not "modify the kernel" as you state.  Most Unixes have a 
promiscuous mode interface built in (w/o it you cannot do ARP/RARP, 
etc.); /dev/nit in BSD based systems is a good example.  The only way the 
kernel checksum that you recommended would work would be if the 
promiscuous mode interface were configured out of the kernel.  While this 
is desirable in certain cases, it cannot be done.

        Also, the software scan will only work on machines that you know 
about and control.  If someone gains physical access to your net (trivial 
in most real-world situations), they can plug an "enabled" system in and 
sniff.  In reality, detecting sniffers is quite difficult.  You must 
control all of the systems on the net, they must be secure, and the net 
must have physical security (where most organizations REALLY fall down).

        Regards,
        -+Chris


+-------------------------+------------------------+-------------------------+
|  @@@   @@@  @@@@   @@@  | SSDS, Inc.             | Chris Swanson           |
| @     @     @   @ @     | Minneapolis Operations | Engineer                |
|  @@@   @@@  @   @  @@@  | 8841 Nicollet Ave S.   | Tel:    (612)/888-4045  |
|     @     @ @   @     @ | Bloomington, MN        | FAX:    (612)/888-4066  |
| @@@@  @@@@  @@@@  @@@@  |           55420        | Email:  cds () ssds com    |
+-------------------------+------------------------+-------------------------+
|              ** The Intelligent Network Computing Company **               |
+----------------------------------------------------------------------------+

On Wed, 10 May 1995, Dr. Frederick B. Cohen wrote:

Date: Wed, 10 May 1995 05:19:13 -0400 (EDT)
From: Dr. Frederick B. Cohen <fc () all net>
To: bugtraq () fc net
Subject: detecting sniffers is downright easy

Since so many bugtraq people have pointed out that this is a practical
list where the distinction between possible and feasible is not
important and we are only concerned with real-world issues, I thought I
would mention that detecting sniffers from a real-world point of view is
downright easy in almost all cases.

The vast majority of real-world sniffers reported to date are software
sniffers of one of two varieties:

      1 - DOS programs using the network interface in promiscuous mode.
      2 - Unix programs modifying OS software to observe packets.

The total number of (1) programs in widespread use comes to only 10-20
and is certainly under 100.  Current virus scanning technology makes
detection of these cases trivial by simply adding patterns for them into
your existing virus scanning software.  HOWEVER - since bugtraq is ONLY
concerned with Unix security holes, this is not relevant to this list
and should be taken elsewhere. 

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple. 

-- 
-----------------
\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
-----------------
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
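A host-side check that covers both halves of this exchange, as an added example (not code from either poster): it reads the Linux interface flags under /sys/class/net/<iface>/flags and reports interfaces with the promiscuous bit set, and it compares a set of files against a baseline of cryptographic digests, the comparison Cohen describes. It uses SHA-256 rather than the MD5 named in the original message, since MD5 is no longer collision-resistant. The IFF_PROMISC value and the sysfs path are real Linux facts; the run_demo function, its three file names and the "trojaned" contents are constructed for the example. As Swanson points out, both checks only see hosts you administer; a foreign machine plugged into the segment never appears in either report.

```python
"""Host-side sniffer checks combining the two ideas in the thread:
(1) interfaces in promiscuous mode, (2) binaries compared against a
digest baseline.  The interface check is Linux-only (sysfs)."""
import hashlib
import os
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # promiscuous-mode bit in Linux interface flags


def parse_iface_flags(flags_text):
    """Turn the contents of /sys/class/net/<if>/flags ('0x1103\\n') into an int."""
    return int(flags_text.strip(), 16)


def is_promiscuous(flags_value):
    return bool(flags_value & IFF_PROMISC)


def promiscuous_interfaces(sys_class_net="/sys/class/net"):
    """Names of interfaces with IFF_PROMISC set; empty list on non-Linux hosts."""
    root = Path(sys_class_net)
    if not root.is_dir():
        return []
    found = []
    for iface in root.iterdir():
        try:
            flags = parse_iface_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue  # virtual or vanished interface without readable flags
        if is_promiscuous(flags):
            found.append(iface.name)
    return sorted(found)


def digest_file(path, algorithm="sha256"):
    """Streamed digest so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record digests of trusted files; in practice take them from install media."""
    return {str(p): digest_file(p, algorithm) for p in paths}


def verify_baseline(baseline, algorithm="sha256"):
    """Compare the current files against the baseline: ok / modified / missing."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif digest_file(path, algorithm) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def run_demo():
    """Constructed scenario: three 'system binaries', one replaced, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ["ifconfig", "netstat", "ps"]
        for name in names:
            Path(tmp, name).write_bytes(b"original " + name.encode())
        baseline = build_baseline([Path(tmp, n) for n in names])
        # Simulate a replaced netstat and a removed ps after the baseline was taken.
        Path(tmp, "netstat").write_bytes(b"original netstat\x00extra code")
        Path(tmp, "ps").unlink()
        report = verify_baseline(baseline)
        return {Path(p).name: status for p, status in report.items()}


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
    print("baseline check:", run_demo())
```

Run it as root or not; reading the flags file needs no privilege, and the baseline dictionary is what you would store off-host (signed, on read-only media) and re-check on a schedule.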