Re: (How) Does AntiSniff do what is claimed?

[jmarler () ISTRENGTH NET (Jon Marler)]

On Sun, Jul 25, 1999 at 12:37:11AM +0100, Nick Lamb wrote:
> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
>
> will detect sniffing -- a green light from their product does NOT mean
> you're not being sniffed.
>
> If AntiSniff becomes popular, I'd estimate only a few months grace
> before Black Hats have made a reduced-functionality sniffer which slips
> under AntiSniff's radar. I don't have any use for such a tool, but if
> I did I doubt I'd need more than a week or two to get it right.

We've had the same discussion in the nmap-hackers list.

All you would need to do to prevent detection is cut the send pair on your
Ethernet connection.  That would make it completely passive.  You could
even do it as simple as a cable with only 1 pair.

There is already a popular UN*X package that does promisc. detection.  It
is called hunt. (http://www.cri.cz/kra/index.html).  It also does MAC
spoofing, ARP collection, connection hijacking, etc ...  Hunt will allow
you to scan an entire range of IP addresses for "Sniffing".  Here is a
tcpdump -ne during a small promisc. scan :

15:48:09.785988 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.1: icmp: echo request (DF)
15:48:09.786088 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.2: icmp: echo request (DF)
15:48:09.786154 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 >
192.168.1.3: icmp: echo request (DF)

There is a package for hunt that is part of the 'potato' distribution of
Debian GNU/Linux.  I'm not aware of any RPM's.

Jon
jmarler () istrength net