Slashdot Mirror


Unhealthy Sniffing

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."

9 of 49 comments

  1. other uses than spying. by gl4ss · · Score: 4, Informative

    network sniffers are useful for other things as well.

    just this spring I had to use Ethereal on a networking course to follow Ethernet packets: which computer was asking what from whom, how the router affected the packets and how a hub is different from a switch (all in all quite basic stuff, but still it was quite useful for gaining insight into the different protocols in a real-world-like situation).

    how about the windows port?

    --
    world was created 5 seconds before this post as it is.
    1. Re:other uses than spying. by silvercloak · · Score: 5, Informative

      The article makes this clear: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

  2. Re:Ettercap by Anonymous Coward · · Score: 1, Informative
    Sounds like a good time to check out Ettercap.

    And what? List its buffer overflows? You aren't saying it's exploit free, are you?

    A patched Ethereal will be out in a few days. I think you'd be better off with that.

  3. Re:passive scanner by DES · · Score: 5, Informative

    The right way to do passive scanning is with an ethernet cable that has the tx leads removed.

    Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external transceiver, but nobody uses those any more.

    In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

    (I write network analysis software for a living)

  4. Re:Did they give the maintainers a heads up? by Grotus · · Score: 4, Informative
    From the article:
    Disclosure Timeline

    5 March 2004 Ethereal developers were contacted by email telling them about 10 (of the 13) holes. 6 holes were closed the same day: EIGRP, IGAP, ISUP and BGP.
    7 March 2004 IRDA hole closed (after checking specs)
    8 March 2004 PGM hole closed (after checking specs)
    9 March 2004 NetFlow hole closed (after checking specs)
    17 March 2004 UCP holes were discovered and mailed to vendor
    19 March 2004 UCP and TCAP holes closed (after checking specs)
    22 March 2004 Ethereal developers have released a mini advisory urging their users to upgrade to version 0.10.3, which will be released later this week
    23 March 2004 Public Disclosure


    So, yes, they did let them know, and the holes have already been fixed.
    --
    "From my cold, dead hands you damn, dirty apes!" - CH
  5. Re:Did they give the maintainers a heads up? by nacturation · · Score: 2, Informative

    It's in TFA:

    Disclosure Timeline

    5 March 2004
    Ethereal developers were contacted by email telling them about 10 (of the 13) holes. 6 holes were closed the same day: EIGRP, IGAP, ISUP and BGP.

    7 March 2004
    IRDA hole closed (after checking specs)

    8 March 2004
    PGM hole closed (after checking specs)

    9 March 2004
    NetFlow hole closed (after checking specs)

    17 March 2004
    UCP holes were discovered and mailed to vendor

    19 March 2004
    UCP and TCAP holes closed (after checking specs)

    22 March 2004
    Ethereal developers have released a mini advisory urging their users to upgrade to version 0.10.3, which will be released later this week

    23 March 2004
    Public Disclosure

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. Re:passive scanner by Rick.C · · Score: 2, Informative
    Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all.

    It's true that you can't just cut the tx wire, but you _can_ rig it so a hub can see it but no xmit will occur.

    Search google for "sniffer +stealth". There is a site with plans to build a non-transmitting cable. It also discusses the theory of how it works. (I can't verify a link because those kinds of sites are blocked here at work.) It involves cutting _one_ of the TX wires and inserting a capacitor in series to form a hi-pass (or is it low-pass?) filter. This causes the hub to see all "1" bits (and out of parity) from the NIC. The hub will turn on the link light even though it never gets good data, so then the NIC can receive just fine.

    I've built one of these into an inline RJ-45 coupler and it works great. As explained on the site, the value of the capacitor depends on the Ethernet speed, so it's different for 10 Mb or 100 Mb.
    --
    You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
    "Math in a song is good."-Linford
  7. Re:passive scanner by Anonymous Coward · · Score: 3, Informative

    Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external transceiver, but nobody uses those any more.

    In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.

    (I write network analysis software for a living)


    Ok... UTP 101. Let's use EIA/TIA-568B Fast Ethernet here (toss this out if you're sniffing GigE traffic)...

    pin 1 -> white/orange
    pin 2 -> orange
    pin 3 -> white/green
    pin 6 -> green

    Following traffic from switch to host, the pins are as follows:

    pin 1: RX+ (receives from host)
    pin 2: RX-
    pin 3: TX+ (transmits to host)
    pin 6: TX-

    The *proper* way to do this is start with a normal cable. At the host end, cut into the cable jacketing a little ways up from the terminator and cut the white/orange and orange wires, then solder lead 1 to 3 and lead 2 to lead 6 (white/orange to white/green and orange to green). Do this for the side of the cable headed towards the switch and leave pins 1 & 2 "dangling" to the host. The cable is unidirectional and it can only connect between the switch and host *one way*. This is safer than depending on an unaddressed promiscuous port because there is physically *no way* for data to get to the switch from the host, but the host will see everything on the wire.

    You can get a little more freaky and use a small capacitor inline (I can't recall the value at the moment, but it's specific to the speed of the wire) to simply put too much noise to pass traffic but not so much as to drop the connection, but the solution above works just swimmingly well if you're handy doing small task soldering and wire stripping.

    (I sniff networks for a living)

  8. Re:passive scanner by Anonymous Coward · · Score: 1, Informative

    A passive tap isn't nasty from an electrical perspective and is trivial to create with 30 minutes and $25 worth of parts from Home Depot and Radio Shack.

    Take four RJ-45 jacks and straight connect all eight pins on two of them. Then take pins 1 & 2 from one jack and connect to pins 3 & 6 on one of the unused jacks. That's Tap Port 1 and will only see data running one direction on the wires. Now take the other fully-wired jack and connect pins 3 & 6 on that one to pins 3 & 6 on the remaining unused jack. That's now Tap Port 2 and again sees unidirectional traffic on the wires, flowing the opposite direction from Tap 1.

    Pretty easy and quite handy for all sorts of things.
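The four-jack tap in the post above, modelled as a net list so the two safety properties the thread cares about can be checked before anyone picks up a soldering iron: a tap port's transmit pins (1,2) must have no path to the pass-through line, and each tap port's receive pair (3,6) must carry exactly one direction. This is an added example, not code from the post; the jack labels A, B, T1, T2 and the assumption that the device on jack A transmits on pins 1,2 and the device on jack B on pins 3,6 (the MDI/MDI-X pin table given earlier in the thread) are mine.

```python
"""Connectivity check for the four-jack passive 10/100BASE-T tap from the post."""

# A node is (jack, pin); a net is a wire joining two nodes. Union-find gives
# the electrically connected groups of pins.
def connected_components(nets):
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in nets:
        parent[find(a)] = find(b)
    comps = {}
    for node in list(parent):
        comps.setdefault(find(node), set()).add(node)
    return list(comps.values())

def four_jack_tap():
    """Net list of the tap as described: jacks A/B pass through, T1/T2 listen."""
    nets = [(("A", p), ("B", p)) for p in range(1, 9)]   # straight-through A<->B
    nets += [(("A", 1), ("T1", 3)), (("A", 2), ("T1", 6))]  # T1 hears pins 1,2
    nets += [(("B", 3), ("T2", 3)), (("B", 6), ("T2", 6))]  # T2 hears pins 3,6
    return nets

def analyze(nets, tap_jacks=("T1", "T2")):
    """Per tap port: can its TX pins reach the line, and which direction does it see?"""
    comps = connected_components(nets)
    def comp_of(node):                     # dangling pin -> its own singleton
        return next((c for c in comps if node in c), {node})
    # Assumption (labelled): device on A transmits on 1,2 (MDI), device on B on
    # 3,6 (MDI-X), so "A->B" rides on A's pins 1,2 and "B->A" on A's pins 3,6.
    directions = {"A->B": (comp_of(("A", 1)), comp_of(("A", 2))),
                  "B->A": (comp_of(("A", 3)), comp_of(("A", 6)))}
    line_nodes = set()
    for plus, minus in directions.values():
        line_nodes |= plus | minus
    report = {}
    for t in tap_jacks:
        injects = bool((comp_of((t, 1)) | comp_of((t, 2))) & line_nodes)
        sees = {d for d, (plus, minus) in directions.items()
                if (t, 3) in plus and (t, 6) in minus}   # polarity must match
        report[t] = {"can_inject": injects, "sees": sees}
    return report
```

Wiring a tap port's pins 1,2 to the line instead of 3,6 is the classic mistake; running `analyze` on such a net list reports `can_inject` as True and an empty `sees`.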