Intrusion Detection Systems mailing list archives

Re: RE: detecting a sniffer remotely


From: robert_david_graham () yahoo com (Robert Graham)
Date: Sat, 16 Oct 1999 00:47:11 -0700 (PDT)



--- CyberPsychotic <mlists () gizmo kyrnet kg> wrote:
> well, L0pht's AntiSniff won't work on switched networks, since switches
> memorize mac addresses of the devices connected to each ports and would
> drop malformed frames. But neither sniffing would work in such
> environment. (just to make sure you haven't missed this detail ;-))

Sniffing works in switched environments by:
* jamming the switch by sending huge numbers of MAC addresses; some switches
"fail open" rather than "fail close", meaning that when they run out of table
entries, they revert to a repeating hub (essentially)

* ARP redirection, lots of ways to do this. Most devices cache the sender of an
ARP request, so send out an ARP request as if you were the local router. You
can either do a broadcast (redirect everyone) or a unicast (redirect a chosen
victim).

* ICMP redirect, same as ARP really

* ICMP router advertisements (see recent bugtraq postings)

* send out traffic with source MAC address of the victim, problematic since
many switches will simply "flap" between you and the victim.

* reconfigure the switch via SNMP to convert your port to monitoring/span port
(trust me, in corporations, the SNMP stuff is wide open).

I've described this in more detail in my sniffing FAQ at:
http://www.robertgraham.com/pubs/sniffing-faq.html#3.8

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
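Defender-side detection of the first two tricks in the post (ARP redirection and MAC-table flooding), as an added example that is not part of the original message or Robert Graham's FAQ. The frame records, MAC addresses, ports and thresholds are all constructed, and the function names are assumptions.

```python
"""Spot ARP redirection and MAC flooding from observed frames (added example)."""
from collections import defaultdict

# Constructed observation records: (switch_port, src_mac, arp_sender_ip).
# arp_sender_ip is None for frames that carry no ARP payload.
FRAMES = [
    (1, "aa:aa:aa:aa:aa:01", "10.0.0.1"),   # real router announces itself on port 1
    (2, "aa:aa:aa:aa:aa:02", "10.0.0.5"),   # ordinary host
    (3, "aa:aa:aa:aa:aa:03", "10.0.0.1"),   # port 3 claims the router's IP (redirect)
    (1, "aa:aa:aa:aa:aa:01", "10.0.0.1"),   # router repeats; same binding, no alert
]
# Constructed flood: 120 distinct source MACs appear on port 4 (table exhaustion).
FRAMES += [(4, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", None) for i in range(120)]


def detect_arp_redirect(frames, known=None):
    """Return (ip, trusted_mac, new_mac) for every ARP sender whose MAC
    differs from the first (or pre-seeded) binding seen for that IP.
    `known` can seed trusted bindings, e.g. the router's MAC, so the very
    first spoofed reply is caught even if it arrives before the real one."""
    seen = dict(known or {})
    alerts = []
    for _port, mac, ip in frames:
        if ip is None:
            continue
        trusted = seen.setdefault(ip, mac)   # first binding wins
        if trusted != mac:
            alerts.append((ip, trusted, mac))
    return alerts


def detect_mac_flood(frames, threshold=50):
    """Return ports carrying more distinct source MACs than `threshold`.
    A normal access port shows one or a handful of MACs; hundreds within a
    short window is the signature of an attempt to exhaust the switch's table.
    The threshold is a constructed value; tune it per port role."""
    macs_per_port = defaultdict(set)
    for port, mac, _ip in frames:
        macs_per_port[port].add(mac)
    return sorted(p for p, macs in macs_per_port.items() if len(macs) > threshold)


if __name__ == "__main__":
    print("ARP redirect alerts:", detect_arp_redirect(FRAMES))
    print("Flooded ports:", detect_mac_flood(FRAMES))
```

In practice the records would come from a monitoring port or an arpwatch-style collector, and the redirect check should also be fed the ICMP-redirect and router-advertisement variants the post lists, which change the route without touching the ARP table.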