Penetration Testing
mailing list archives
Re: Spyware assessment techniques - hub?
From: Packet Man <packetman () altsec info>
Date: Sun, 12 Feb 2006 13:11:30 -0600
Petr.Kazil () eap nl wrote:
>> If you are doing a host:
>> - interrupt the host's uplink with a hub and plug your snort box in.
>> You could have this all set up on a laptop.
> I have tried this but run into problems:
> - Real hubs are (almost?) impossible to get nowadays. Even the cheapest
> "hub" is really a switch. If you know where I can find a hub-like network
> component, then I'll order it right away.
> - I was able to buy the last real hub from a PC-shop, but it was only
> 10Mbps and it refused to work with my 100Mb cards and switches.
If you can't do port mirroring on the switch itself, you
could build a passive network tap for under US$30.00,
or so. Or, the alternative is a commercial network tap
for around US$1,000.00.
I've been building and using them for several years
now, but only recently have started documenting their
finer points (NIC selection is critical). For more
info on building and using a passive network tap, see
my paper at: http://www.altsec.info/passive-network-tap.html
I'm working on an updated paper right now regarding the
error rates. I've been testing with combinations of NICs
that produce ZERO errors on 100Mb connections. I expect to
update the paper with the suggestions within the next week.
BTW... a must read for such things is "The Tao of Network
Security Monitoring" by Richard Bejtlich. Check out his
site at: http://www.taosecurity.com/books.html
BTW... since the technique really belongs in the IDS
list, I cross-posted this message there.
Good luck.
--
Excellence in InfoSec and Linux
http://www.altsec.info