Honeypots mailing list archives
RE: [inbox] undetectable NIC in promiscuous mode
From: "Bement, Daniel" <dbement1 () pghboe net>
Date: Fri, 5 Mar 2004 16:25:09 -0500
There have been situations (depending on the hardware) I have seen where if one of the wires in the TX pair is cut (or not making good connection) it will still maintain link with the switch while not allowing any data to pass through to the switch. Maybe a similar situation would produce the results you are hoping for....

-----Original Message-----
From: Chris Brenton [mailto:cbrenton () chrisbrenton org]
Sent: Friday, March 05, 2004 3:49 PM
To: Curt Purdy
Cc: Jose_Maria_Gonzalez () dell com; honeypots () securityfocus com
Subject: RE: [inbox] undetectable NIC in promiscuous mode

On Fri, 2004-03-05 at 12:29, Curt Purdy wrote:
> Yes, there are protocols that do not depend on ip such as arp, dhcp, and others.
Humm, I've never seen this myself. Please describe a situation I can try and duplicate where an interface that does not have IP bound to it would start transmitting ARP or DHCP packets.
> A sure way to avoid detection is to snip your TX lines 1&2.
This _does not_ work. I have tried this with both switches and hubs from 3COM, Cisco, D-Link & Netgear. Cutting the TX lines means you cannot initialize the port to establish link. No link means you will not see traffic.

HTH,
C
