Home page logo

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: krvw () assist mil (Kenneth R. van Wyk)
Date: Wed, 10 May 95 09:45:49 -0400

Dr. Cohen writes:
...I thought I would mention that detecting sniffers from a
real-world point of view is downright easy in almost all cases.
All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

I agree with the above to a point.  The assumption that you are
making is that you have _access_ to the system that has a sniffer
installed on it.  The vast majority of sniffed sessions that I am
aware of have involved sniffers running on machines that the victim
doesn't have access to.  Picture a sniffer running on your local
Internet service provider's backbone system(s).  Anyone connecting
into your site using a static password results in that person's
password being sniffed - with no requirement for a sniffer to be
running on any of the systems within your local domain.  Take a look
at a traceroute output from your site to <any other internet site>
sometime and see just how many systems and networks your packets
traverse that you have absolutely no control or authority over.  How
would you (legally) detect a sniffer on one of those?

I do agree, however, that it is easy to detect any of the currently
observed sniffers on a host that you have access to.


Ken van Wyk

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]