Home page logo

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: ericm () lne com (Eric Murray)
Date: Fri, 12 May 1995 09:31:52 -0700 (PDT)

On Wed, 10 May 1995, Christopher Klaus wrote:

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

Any sniffer can be slightly modified to change its md5 checksum, so you
can't tell if it is a sniffer or just another a.out program in someone's

If you know that the only programs running are virgin copies of system
programs, then you know you have no sniffer running.

not many systems are run from nothing but installed programs.

I guess 'lsof' is the tool to find out which executables are currently
being executed.  Test them with md5 to make sure that you know what
they are.

you would have to run lsof from a read-only media to make sure
it's not compromised.  then you'd still have to worry that the
attacker haden't modified the kernel in some way as to make lsof
not see the sniffer.

that's just for one unix machine.  you would have to do all of
your machines, constantly running lsof and scanning for sniffers.
scanning once an hour would not be good enough, the sniffer
could quit during the scan and start up afterwards.  you'd wind up
spending an awful lot of cpu time on this.  and you still
wouldn't guarantee that you don't have sniffers clipped into
your net elsewhere (i.e. not on an offical host).

if you actually try this, or even think it out, you'll discover
that it's less work to encrypt everything on your network than it is to
be 100% sure that no one on your net is sniffing packts.

eric murray  ericm () lne com  ericm () motorcycle com  http://www.lne.com/ericm

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]