mailing list archives
Re: All Hail The AntiAntiSniffer Sniffer!
From: chrisa () EEYE COM (Christopher Abad)
Date: Mon, 26 Jul 1999 16:24:03 -0700
To expand on Mike Perry's comments and ideas on AntiSniff,
DNS queries can still be made, because since we assume we're
working on a non-switched LAN, the promisc. mode machine
can do it's DNS queries using spoofed IP packets, because it
can simply sniff the responses off of the network. I kind of do like
having the hostname over the ip address anyway.
Also, due to what is involved in using the DNS method, it's implied
that AntiSniff would also need to be in promisc. mode. Simply
set up a process that watches for illegitimate traffic on the network,
such as false handshakes, and then halt sniffing activities and then
use another AntiSniff-type program to detect such promisc.
scanners as AntiSniff.
Since AntiSniff uses a very noticeable '66' packet, that wont be hard
to catch. Also, a fake mac address of 66:66:66:66:66:66 to detect
old linux kernels, hmm not to obvious eth? A fake broadcast for BSD
of MAC ff:00:00:00:00:00? Those are a few obvious examples of
ways to detect AntiSniff. Upon further analysis of the falsified traffic
generated by AntiSniff, more trace markings of it's operation will
Bind and I have been working out a program not un-similar, and
actually having the exact same name as Mike's program AASS,
but really haven't put too much effort into it, so possibly we'll
look into his code and expand it.
( Ambient Empire )
Industrial Strength Brand
" As you retain your state and call it virtue,
you are deteriorating the value of mankind. "
( aempirei )