Bugtraq mailing list archives

Defeating (or at least confusing) neped.c


From: smm () WPI EDU (Seth McGann)
Date: Fri, 18 Sep 1998 12:03:18 -0400


<snip>
/* -----------------------------------------
Network Promiscuous Ethernet Detector.
Linux 2.0.x / 2.1.x, libc5 & GlibC
-----------------------------------------
(c) 1998 savage () apostols org
-----------------------------------------
Scan your subnet, and detect promiscuous
linuxes. It really works, not a joke.
-----------------------------------------
[ http://www.rootshell.com/ ]
<snip>

This nifty program was released on rootshell a few days ago.  I'm surprised
it hasn't got more play on bugtraq yet.  Using the ARP protocol, it is
apparently possible to tell which machines on a subnet are sniffing.
Without going into the details of how exactly this detector works (mainly
because I'm not quite sure myself)  it is possible to defeat the detector
by having your machine be shown as a false negative.

<Hax0r> # /sbin/ifconfig eth0 -arp
<Hax0r> # ./evilsniffer -i eth0

Now the interface will not respond to ARP queries, thus no detection.  Not
responding to ARP requests is suspicious but the fact remains that you
can't be sure whether or not someone is sniffing.  Additionally, this
program apparently will not detect sniffers on your own machine, but if
that is the case you have bigger problems anyway.


Seth M. McGann / smm () wpi edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
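
A local check for the two interface states the message above turns on, as an added example that is not part of the original post: it reads Linux's /sys/class/net/<if>/flags and reports interfaces with ARP disabled (IFF_NOARP, which `ifconfig eth0 -arp` sets) or in promiscuous mode (IFF_PROMISC). The function names are hypothetical, and ignoring NOARP on point-to-point links is an assumption made here to avoid flagging tunnels.

```shell
#!/bin/sh
# Added example: audit local interfaces for ARP-disabled and promiscuous state.
# Flag values are the IFF_* constants from Linux <linux/if.h>.
IFF_POINTOPOINT=0x10   # tunnels/PPP links: NOARP is normal there
IFF_NOARP=0x80         # set by "ifconfig eth0 -arp"
IFF_PROMISC=0x100      # set while the interface is promiscuous

# classify_flags HEX
# Prints one of: ok, noarp, promisc, noarp+promisc
classify_flags() {
    flags=$1
    result=""
    # Assumption: NOARP only counts on interfaces that are not point-to-point.
    if [ $(( $flags & $IFF_NOARP )) -ne 0 ] &&
       [ $(( $flags & $IFF_POINTOPOINT )) -eq 0 ]; then
        result="noarp"
    fi
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        result="${result:+$result+}promisc"
    fi
    echo "${result:-ok}"
}

# audit_interfaces [DIR]
# Walks DIR (default /sys/class/net) and prints "<ifname>: <state>" for
# every interface whose state is not "ok".
audit_interfaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue          # no match, or unreadable entry
        ifname=$(basename "$(dirname "$f")")
        state=$(classify_flags "$(cat "$f")")
        [ "$state" = "ok" ] || echo "$ifname: $state"
    done
}

audit_interfaces
```

This runs on the host itself, so it covers the case the remote ARP probe cannot; an interface reported as `noarp+promisc` matches the configuration shown in the message.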


