Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 10 May 1995 13:48:24 -0400 (EDT)
> All current (2) programs can be detected by comparing the OS programs with their original distribution versions using MD5 or a similar cryptographic checksum technique. This has been widely published for over 5 years.
Any sniffer can be slightly modified to change its md5 checksum, so you can't tell if it is a sniffer or just another a.out program in someone's directory. And if a hacker uploads a sniffer, runs it, and removes the executable, the only thing you will find as a file might be the log file. Even then, if the sniffer is decent, it never saves the log to any file but rather e-mails or somehow transfers it back to another site. Then you won't be able to search for any files on disk. Also, if it's a Solaris machine, you can't tell if the machine is in promiscuous mode, so you can't tell if the machine is even sniffing. The possible chance is if ps shows a process out of the ordinary, but it wouldn't be hard for the hacker to name the process something like in.telnetd or named so it won't stick out; so then you might get lucky and see a single process eating up lots of CPU if you happen to be on a heavy network. If the sniffer is well written and is only sniffing certain packets, even the CPU usage will not be too noticeable.
> Thus, not only is detection of all Unix-based real-world sniffers not impossible or infeasible, it is downright easy and simple.
Uh huh. For $29.95, I'll send you the sniffer detector kit that will allow you to catch any and all sniffers on your networks. 8-) I also have the Alien Chip Implant Removal kit on sale this month for $19.95. The ACIR is great for keeping martians out of your network.

I have created a FAQ on Sniffers that has many products for protection against sniffers and advice for detecting sniffers available at http://iss.net/iss/sniff.html or send mail to info () iss net.

Cheers,
Christopher

--
Christopher William Klaus        Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.  Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
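To make the two positions above concrete, here is an added example (not from either poster) of the checksum-baseline technique Cohen describes, run over a constructed directory tree: it catches a replaced system binary, but a new program only shows up as "unknown", and once that program is deleted the file check has nothing left to report. File names and contents are made-up stand-ins for real binaries.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    # The 1995 thread used MD5; any collision-resistant hash plays the same role here.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Digest of every regular file under root: the trusted 'distribution' snapshot."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p) for p in root.rglob("*") if p.is_file()}

def compare(root, baseline):
    """Classify the current tree against the baseline: modified, unknown (not in baseline), missing."""
    current = build_baseline(root)
    modified = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    unknown = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return modified, unknown, missing

def demo():
    """Constructed scenario in a temp dir; returns the three comparison results in order."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"ELF ps original")        # constructed stand-in binary
        (root / "bin" / "named").write_bytes(b"ELF named original")
        baseline = build_baseline(root)

        # 1. A known system binary is replaced (e.g. a trojaned ps): the digest no longer matches.
        (root / "bin" / "ps").write_bytes(b"ELF ps trojaned")
        after_trojan = compare(root, baseline)

        # 2. A new program appears in a user directory: it is merely 'unknown', and its digest
        #    says nothing about whether it is a sniffer or any other a.out.
        (root / "home").mkdir()
        (root / "home" / "a.out").write_bytes(b"ELF unknown program")
        after_drop = compare(root, baseline)

        # 3. The program is run and then deleted: the on-disk check has nothing left to flag.
        (root / "home" / "a.out").unlink()
        after_cleanup = compare(root, baseline)
        return after_trojan, after_drop, after_cleanup

if __name__ == "__main__":
    for label, r in zip(("trojaned binary", "new program", "after cleanup"), demo()):
        print(label, "-> modified", r[0], "unknown", r[1], "missing", r[2])
```

The "unknown" list is the most a baseline can say about a freshly uploaded program, which is exactly Klaus's point; a baseline is still worth keeping for the replaced-binary case.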