Slashdot Mirror


Unhealthy Sniffing

Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."

6 of 49 comments

  1. Ettercap by vasqzr · Score: 4, Interesting

    Sounds like a good time to check out Ettercap

    Short Description:

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
    It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

  2. Re:passive scanner by Elwood P Dowd · Score: 3, Interesting

    The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to affect the network, as far as I understand it (not very far).

    I imagine that the right way to do passive wifi scanning would require support from your driver and hardware, to ensure that you were not transmitting any packets at all.

    And no, I don't know anything about Ethereal. I'll shut up now.

    --

    There are no trails. There are no trees out here.
  3. Wardriving by DustMagnet · Score: 4, Interesting

    These bugs can also be used to catch war drivers. Another trick I've seen in a white paper was to transmit fake traffic from an unused IP address and watch for reverse DNS lookups.

    --
    'SBEMAIL!' is better than a goat!!
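    The decoy-address trick in the comment above, as an added example (editor's code, not from the page or the white paper it mentions): fake traffic is sent from an address nobody uses, and a sniffer that resolves host names will issue a PTR query for that address's in-addr.arpa name. The detector below parses a raw DNS query from the wire, checking every length byte against the packet before using it, and reports whether the first question is a PTR/IN lookup for the decoy. The decoy address 10.0.0.200, the sample queries, the query builder and the truncated packet are all constructed for the example.

```c
/* Added example (editor's code, not from the page or any cited paper):
 * detect a sniffer by the reverse-DNS lookup it makes for a decoy address.
 * Decoy address, sample queries and the query builder are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define DNS_HDR_LEN 12
#define QTYPE_PTR   12
#define QCLASS_IN   1

/* "10.0.0.200" -> "200.0.0.10.in-addr.arpa". 0 on success, -1 if not a dotted quad. */
int reverse_name(const char *ipv4, char *out, size_t out_sz)
{
    unsigned a, b, c, d;
    if (sscanf(ipv4, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int n = snprintf(out, out_sz, "%u.%u.%u.%u.in-addr.arpa", d, c, b, a);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
}

/* Decode the QNAME at pkt[off] into dotted form. Every length byte is checked
 * against the packet and against out[] before it is used; compression pointers
 * (top two bits set) are rejected, this parser only handles the question.
 * Returns the offset just past the name, or -1 if malformed. */
int parse_qname(const uint8_t *pkt, size_t len, size_t off, char *out, size_t out_sz)
{
    size_t o = 0;
    for (;;) {
        if (off >= len) return -1;             /* ran out of packet */
        uint8_t l = pkt[off++];
        if (l == 0) break;                     /* root label: end of name */
        if (l & 0xC0) return -1;               /* compression pointer */
        if (off + l > len) return -1;          /* label runs past the packet */
        if (o + l + 2 > out_sz) return -1;     /* '.' + label + NUL must fit */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, l);
        o += l;
        off += l;
    }
    out[o] = '\0';
    return (int)off;
}

/* 1 if pkt is a query whose first question is PTR/IN for decoy_ipv4,
 * 0 for any other well-formed query or for a response, -1 if malformed. */
int is_decoy_ptr_lookup(const uint8_t *pkt, size_t len, const char *decoy_ipv4)
{
    char want[64], got[256];
    if (reverse_name(decoy_ipv4, want, sizeof want) != 0) return -1;
    if (len < DNS_HDR_LEN) return -1;
    if (pkt[2] & 0x80) return 0;                          /* QR set: a response */
    if (((pkt[4] << 8) | pkt[5]) == 0) return 0;          /* QDCOUNT == 0 */
    int off = parse_qname(pkt, len, DNS_HDR_LEN, got, sizeof got);
    if (off < 0 || (size_t)off + 4 > len) return -1;     /* no room for QTYPE/QCLASS */
    unsigned qtype  = (pkt[off] << 8) | pkt[off + 1];
    unsigned qclass = (pkt[off + 2] << 8) | pkt[off + 3];
    if (qtype != QTYPE_PTR || qclass != QCLASS_IN) return 0;
    return strcasecmp(got, want) == 0;                    /* DNS names are case-insensitive */
}

/* Build a one-question query for a dotted name (sample-packet helper).
 * Header: ID 0x1234, flags RD, QDCOUNT 1. Returns packet length or -1. */
int build_query(const char *name, unsigned qtype, uint8_t *buf, size_t bufsz)
{
    static const uint8_t hdr[DNS_HDR_LEN] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };
    if (bufsz < DNS_HDR_LEN) return -1;
    memcpy(buf, hdr, DNS_HDR_LEN);
    size_t off = DNS_HDR_LEN;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63 || off + 1 + l > bufsz) return -1;
        buf[off++] = (uint8_t)l;
        memcpy(buf + off, name, l);
        off += l;
        name += l;
        if (*name == '.') name++;
    }
    if (off + 5 > bufsz) return -1;
    buf[off++] = 0;
    buf[off++] = (uint8_t)(qtype >> 8); buf[off++] = (uint8_t)qtype;
    buf[off++] = 0;                     buf[off++] = QCLASS_IN;
    return (int)off;
}

/* Build a query and run the detector over it. */
int check_query(const char *qname, unsigned qtype, const char *decoy_ipv4)
{
    uint8_t buf[512];
    int n = build_query(qname, qtype, buf, sizeof buf);
    return n < 0 ? -1 : is_decoy_ptr_lookup(buf, (size_t)n, decoy_ipv4);
}

/* Constructed malformed packet: label "200", then a length byte of 9 with nothing behind it. */
static const uint8_t truncated_query[] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0, 3, '2', '0', '0', 9 };

int main(void)
{
    const char *decoy = "10.0.0.200";   /* unused address the fake traffic was sent from */
    printf("PTR for decoy:    %d\n", check_query("200.0.0.10.in-addr.arpa", QTYPE_PTR, decoy)); /* 1 */
    printf("PTR for other IP: %d\n", check_query("1.0.0.10.in-addr.arpa", QTYPE_PTR, decoy));   /* 0 */
    printf("A for a web host: %d\n", check_query("www.example.com", 1, decoy));                 /* 0 */
    printf("truncated packet: %d\n", is_decoy_ptr_lookup(truncated_query, sizeof truncated_query, decoy)); /* -1 */
    return 0;
}
```

    Feed it the UDP payloads to port 53 from the monitored segment, or run it on the resolver the segment uses; a hit from a host that has no business with the decoy address is a sniffer doing name resolution. Malformed packets are rejected rather than skipped over: a parsing loop like this is the same kind of code that goes wrong inside a sniffer's own dissectors, so it is the last place to trust a length byte.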
  4. Re:passive scanner by Anonymous Coward · Score: 3, Interesting

    The right way to do passive scanning is with an ethernet cable that has the tx leads removed. It is physically impossible to affect the network, as far as I understand it (not very far).

    Yeah, but a common way to configure the sensors is to have one side plugged into the "trusted" internal network and the other side as an un-addressed interface in promiscuous mode. Ideally this would prevent someone on the outside from ever hopping into your internal LAN, but even if you cut the tx leads, the recent vulnerabilities in snort and I assume ethereal would allow a remote attacker on the untrusted network to exploit your sensor and gain access to your internal net which undoubtedly has access to the Internet through some mechanism to talk back to the attacker. Lovely. Moral of the story is to use an isolated admin net for the sensors so if they get compromised, no big deal.

  5. Why don't distros use buffer overflow protection? by Homology · Score: 4, Interesting

    13 remotely triggerable vulnerabilities were discovered in the multiprotocol packet sniffer Ethereal that allow remote compromise.

    Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.

    Gentoo has a project called "Hardened Gentoo" where the stack overflow would just crash Ethereal. It's time the bigger Linux distros implemented similar technology (which exists as PaX).
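    An illustrative C example, added by the editor and taken neither from Ethereal nor from the reported advisories, of the bug class behind both the submission at the top and this comment: a dissector copies a length-prefixed field from an untrusted packet into a fixed-size stack buffer using the length the packet itself supplies. The wire format, the buffer size and the packets are all constructed for the example. Built with GCC's -fstack-protector-all (which descends from ProPolice), feeding the hostile packet to the vulnerable dissector ends in an abort, the crash described above; built with -fno-stack-protector, the smashed frame belongs to whoever sent the packet.

```c
/* Added example (editor's code; not Ethereal's, and not one of the reported
 * bugs): the bug class behind "remote root in a sniffer". Wire format,
 * buffer size and packets are constructed for the demonstration.
 *
 * Build:  gcc -O0 -fstack-protector-all dissect.c -o dissect   (overflow -> abort)
 *         gcc -O0 -fno-stack-protector  dissect.c -o dissect   (overflow -> hijacked frame)
 * Run:    ./dissect          safe demo only
 *         ./dissect smash    also feed the hostile packet to the vulnerable dissector
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Hypothetical field layout: byte 0 = name_len, bytes 1..name_len = name. */

/* Vulnerable dissector: uses name_len exactly as the packet supplies it.
 * name_len > NAME_MAX writes past name[] on the stack; a packet shorter
 * than 1 + name_len is also read past its end. Returns bytes consumed. */
int dissect_name_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_MAX];
    if (pkt_len < 1)
        return -1;
    size_t name_len = pkt[0];
    memcpy(name, pkt + 1, name_len);             /* BUG: length never checked */
    printf("name: %.*s\n", (int)name_len, name);
    return (int)(1 + name_len);
}

/* Hardened dissector: the packet's length is checked against the buffer it
 * goes into and against the bytes actually present before anything is
 * copied. Returns bytes consumed, or -1 for a malformed packet, which the
 * caller must treat as "stop dissecting", not "trust and carry on". */
int dissect_name_hardened(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_MAX + 1];
    if (pkt_len < 1)
        return -1;
    size_t name_len = pkt[0];
    if (name_len > NAME_MAX)                     /* would overflow name[] */
        return -1;
    if (pkt_len - 1 < name_len)                  /* truncated: would over-read */
        return -1;
    memcpy(name, pkt + 1, name_len);
    name[name_len] = '\0';
    printf("name: %s\n", name);
    return (int)(1 + name_len);
}

/* Constructed sample packets. */
static const uint8_t benign_pkt[]    = { 5, 'h', 'o', 's', 't', '1' };
static const uint8_t truncated_pkt[] = { 5, 'h', 'o' };      /* claims 5 bytes, carries 2 */
static uint8_t hostile_pkt[1 + 200];

/* name_len = 200 followed by 200 'A's: far more than name[] can hold. */
const uint8_t *make_hostile_pkt(void)
{
    hostile_pkt[0] = 200;
    memset(hostile_pkt + 1, 'A', 200);
    return hostile_pkt;
}

int main(int argc, char **argv)
{
    const uint8_t *hostile = make_hostile_pkt();
    printf("hardened, benign:    %d\n", dissect_name_hardened(benign_pkt, sizeof benign_pkt));       /* 6 */
    printf("hardened, truncated: %d\n", dissect_name_hardened(truncated_pkt, sizeof truncated_pkt)); /* -1 */
    printf("hardened, hostile:   %d\n", dissect_name_hardened(hostile, sizeof hostile_pkt));         /* -1 */
    printf("vulnerable, benign:  %d\n", dissect_name_vulnerable(benign_pkt, sizeof benign_pkt));     /* 6 */
    /* With the stack protector this ends in "stack smashing detected" and an
     * abort; without it the 'A's overwrite the saved frame, return address
     * included, and the process does whatever the packet's author arranged. */
    if (argc > 1 && strcmp(argv[1], "smash") == 0)
        dissect_name_vulnerable(hostile, sizeof hostile_pkt);
    return 0;
}
```

    The protector only turns the exploit into a denial of service: the sniffer still dies, which is a nuisance on a LAN party box and a finding of its own on a production IDS sensor. The bounds check is the fix; the canary is the safety net for the bounds check nobody wrote.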

  6. Re:Privilege separation by Phillup · Score: 2, Interesting

    I use tcpdump to capture what is on the wire... which is run as root.

    Then, as a non-root user, I pull the data into ethereal.

    I do this because the network is over a thousand miles away and the machines don't even have X on them... so... I capture remotely and then look at the data on my workstation.

    --

    --Phillip

    Can you say BIRTH TAX