l0pht develops Sniffer Sniffer
An anonymous reader has written in to say that l0pht has released a sniffer detector called AntiSniff.
You can use it to determine if someone is sniffing around your network.
There are already rumors of a sniffer-sniffer-proof sniffer, for
those of you who already knew what I knew I thought you knew I knew.
One way to check for the presence of a sniffer is to insert a wrong MAC address with the arp tool for the host to scan.
Then try to ping it: it won't work, as the host only listens for its own MAC address (if it's not promisc).
Then activate a sniffer like tcpdump on the remote host and see your ping request being answered:
In promisc mode, the machine only checks the IP headers to see if the packets are destined for it, and not the MAC address.
One scan implementation is neped.c
Just cut the transmit pair and, voila, no one knows you're there. Old technique, but it still works.
As seen in the history about Berferd (the ones who have read it know what I'm talking about), they showed a very effective way to prevent someone from detecting they were sniffing: they cut the TX wire from the computer with the sniffer.
This Anti-Sniffer WILL detect network general 'sniffer' boxes.
Okay, what's the best sniffer that runs on Linux and is free?
... Boblimo or somebody posts under some other moronic submitter's name.
I don't understand how that can work. Not all sniffers write everything to disk. I have several sniffers with large amounts of memory that don't save to disk unless I want them to.
L0pht's claim is that this tool is designed to find unauthorized sniffers on your network started by crackers who have broken into one machine on your net. For crackers, cutting the transmit wire isn't an option. Neither is running a specialized sniffer-only box. AntiSniff only needs to find things that crackers can set up remotely -- that is, if you believe L0pht is serious about this being an anti-intrusion tool for sysadmins.
Or is anyone else really sick of the skript kiddie names like lOpht ...sheesh...I think I'll go look for some WaReZ B4E the mAn cathes mE
At one point, a couple of years back, there were some problems with script kiddies who had somehow gotten into the Caltech network, and were running packet sniffers on many people's machines. A couple of my friends came up with a way to detect machines on the local subnet which were in promiscuous mode. The basic idea is that they would use "arp" to modify the local arp cache and put in an invalid ethernet address for the broadcast address on the local subnet. Then it would ping the broadcast address once. Any machine that was in promiscuous mode would respond, and so you could quickly get a list of machines that were probably running packet sniffers. (There are a few other reasons that a person might run in promiscuous mode, but this was a pretty good detector.) Very ingenious, considering that it took only a 20-line shell script and basic utilities installed on most Linux machines.
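The bogus-MAC ping described in the two posts above (the `arp` + `ping` trick, and the Caltech shell script that pings the subnet broadcast through an invalid Ethernet address) works because the NIC's address filter and the IP layer's address check are separate decisions. The following is an added example, not code from the thread, from L0pht, or from neped; it models only those two decisions so the probe can be run offline. The hosts, addresses and the bogus MAC are constructed.

```python
"""Why a ping carried in a frame with a bogus destination MAC is answered
only by a host in promiscuous mode.  Added example, not code from the
thread, from L0pht or from neped; it models just the two decisions that
matter (the NIC's address filter and the IP layer's address check)."""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "00:de:ad:be:ef:00"   # assumed: a MAC no host on the segment owns


@dataclass
class Host:
    name: str
    mac: str
    ip: Optional[str]   # None models a capture-only interface with no address bound
    promisc: bool

    def nic_accepts(self, dst_mac: str) -> bool:
        """Hardware address filter.  Normally only the card's own unicast MAC
        and broadcast pass; promiscuous mode copies every frame up to the driver."""
        if self.promisc:
            return True
        return dst_mac in (self.mac, BROADCAST_MAC)

    def ip_accepts(self, dst_ip: str, subnet_bcast: str) -> bool:
        """The IP layer looks only at the IP destination, never at the MAC
        the frame arrived with.  An interface with no IP answers nothing."""
        if self.ip is None:
            return False
        return dst_ip in (self.ip, subnet_bcast, "255.255.255.255")

    def answers_echo(self, dst_mac: str, dst_ip: str, subnet_bcast: str) -> bool:
        return self.nic_accepts(dst_mac) and self.ip_accepts(dst_ip, subnet_bcast)


def probe_segment(hosts: List[Host], subnet_bcast: str, bogus_mac: str = BOGUS_MAC) -> List[str]:
    """Two probes from the thread, both carried in a frame with a MAC nobody owns:
    1. an echo request to each host's own IP (`arp -s <ip> <bogus mac>; ping <ip>`);
    2. one echo request to the subnet broadcast IP (the Caltech shell script).
    Hosts that answer either are reported as probably promiscuous."""
    suspects = set()
    for h in hosts:
        if h.ip is not None and h.answers_echo(bogus_mac, h.ip, subnet_bcast):
            suspects.add(h.name)
        if h.answers_echo(bogus_mac, subnet_bcast, subnet_bcast):
            suspects.add(h.name)
    return sorted(suspects)


# Constructed segment: a normal server, a cracked box running tcpdump, and a
# capture-only interface with no IP bound (it hears everything, answers nothing).
SEGMENT = [
    Host("fileserver", "00:00:5e:00:53:01", "10.0.0.1", promisc=False),
    Host("cracked-box", "00:00:5e:00:53:02", "10.0.0.2", promisc=True),
    Host("tap-only", "00:00:5e:00:53:03", None, promisc=True),
]

if __name__ == "__main__":
    normal = [h.name for h in SEGMENT if h.ip and h.answers_echo(h.mac, h.ip, "10.0.0.255")]
    print("answer a normal ping:", normal)
    print("answer the bogus-MAC probe:", probe_segment(SEGMENT, "10.0.0.255"))
```

The "tap-only" host is the limit of this test: a capture interface with no address bound passes every frame to the driver but has no IP stack to reply with, so the probe reports only the cracked box that still has to serve its normal traffic.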
> Then again, that wouldn't explain why the NT boxes have two interfaces - one for monitoring and > one for transport... That doesn't matter. L0pht's sniffer detector works on the principle that overloading the sniffing interface with network garbage will slow down the machine's response to pings on the real interface. The only real solution to this is probably to modify your OS to always have a helluva lot of network latency, so that AntiSniff can't tell the difference between promisc and non promisc mode.
> All this will protect you against is sniffers being run by legitimate machines. It won't protect
> you against a rogue machine.
But that's the point of their program, anyway.
L0pht should be ashamed though, because encouraging people to feel secure simply because they aren't being sniffed will only set them up for a fall when a truly undetectable sniffer is used. (Maybe this was L0pht's goal all along?)
Properly used cryptography is the only way to be secure...
WRONG!
Do you think that your switch is secure? I hope not. Most switches can be reconfigured to 'mirror' all packets to a given port for monitoring. Most switches can be reconfigured over the network. Many switches have been shown to have fixed all-access passwords in their firmware...
Eliminating sniffers is (a) impossible (b) not enough to really be secure.
http://www.nuvision.com.au/
Here there are programs called packetboy and webboy. They let you view packets.
This has been out for weeks. I think the motto needs to change to "Old news for nerds, stuff that mattered".
- A.P.
I did.
...they've been around for a while, having that name before it was k3w1.
If someone NEW tries using a name like that, then no slack.
One simple technique: cards in promiscuous mode on the net are catching and processing every packet. Simple enough to throw out a packet with a destination address of 234.234.234.234 (or something similarly unique or bogus) and sniff out DNS lookups. The sniffer will often be logging 234.234.234.234 after doing a name lookup, and when the lookup packets go out, the source of the sniffer is identified.
That's just one of many tricks; others involve talking to sniffer candidates to see how the cards respond to packets differently when in promiscuous mode.
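The DNS bait above can be checked offline by watching the question section of DNS queries leaving the segment. What follows is an added example, not code from the thread or from AntiSniff: it builds a minimal query for the bait's reverse (PTR) name so the parser can be exercised, parses the first question of captured DNS messages, and reports which source addresses asked for the bait. The captured packets and source addresses are constructed.

```python
"""The DNS-lookup bait: send traffic to an address nobody on the segment
uses, then watch who issues a reverse (PTR) lookup for it.  Added example,
not code from the thread or from AntiSniff; the sample capture is constructed."""
import struct

PTR, A = 12, 1


def reverse_name(ip: str) -> str:
    """234.234.234.234 -> 234.234.234.234.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header, one question, no name compression."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (qname, qtype) for the first question, or None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        return None
    off, labels = 12, []
    while True:
        if off >= len(msg):
            return None
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:            # compression pointer: never valid for the first QNAME
            return None
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    if off + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels).lower(), qtype


def find_sniffers(bait_ip: str, captured):
    """captured: iterable of (src_ip, dns_message) seen going to port 53.
    Returns the source addresses that asked for the bait's PTR record."""
    want = reverse_name(bait_ip)
    hits = []
    for src, msg in captured:
        if parse_question(msg) == (want, PTR) and src not in hits:
            hits.append(src)
    return hits


BAIT_IP = "234.234.234.234"
# Constructed capture: an ordinary web lookup, the cracked box resolving the
# bait address, and a truncated packet that must not crash the parser.
CAPTURED = [
    ("10.0.0.9", build_query("www.example.com", A)),
    ("10.0.0.5", build_query(reverse_name(BAIT_IP), PTR)),
    ("10.0.0.7", b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    print("hosts that resolved the bait:", find_sniffers(BAIT_IP, CAPTURED))
```

As later posts in this thread point out, the test only catches a sniffer that resolves addresses while capturing; one that logs raw packets and does its lookups hours later from another machine never sends the tell-tale query.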
It must only run on Win NT and Win95 and must be a small utility with a single defined purpose. We don't want no stinkin Linux software. On my LAN we accept that we're sniffed as a fact of life. That's the price of 10MB/s ATM in a time when companies make and lose $billions on the internet. Years ago this wasn't the case, but today you must pay.
I agree. IPsec and SKIP make much more sense than trying to detect the sniffer. Detecting a detector is just another form of arms race. The problem with arms races is your arms fall off.
Anti-sniff was made mainly to try to detect sniffing on machines that are known to exist and must still listen on the network (like servers).
It will send bogus IPs and other weird things to check if it slows down the machine, as well as a few other tricks.
Depending on the bandwidth to the machine, the speed of the machine and the intelligence of the sniffer, that may not work.
However, it is a little extra in a sysadmin's toolbox; it's not perfect, but may help.
I guess there aren't enough moderators to keep all of the "I don't know anything about this, and I can't think of how it could work, therefore it must not work" down to -1.
If your system has a driver that lets you get at raw packets (the moral equivalent of raw DLPI access on Solaris, SOCK_PACKET or packet filter access on Linux, BPF access on BSD, etc.), the driver could provide a way to enable or disable promiscuous mode on cards that support it, read and write raw packets, etc.
Unfortunately, NT either doesn't come with such a driver by default, or doesn't document it (NT Server comes, I think, with Network Monitor, which includes such a driver, although the version that comes with NT is claimed not to support promiscuous mode; you need the version that comes with System Management Server to get that).
The Microsoft Developer Network stuff comes with sample driver and userland code to do that, at least on NT, and PCAUSA sells the Win32 NDIS Framework, which includes a driver and a userland library to let you do that on W9x and WNT (complete with a BPF interpreter in the driver, so you can do BPF-style packet filtering when capturing).
I've not used either of them, so I can't say one way or the other how well they work.
This would be a useful script to have. An entire dorm at Rice had to change their passwords (and check their computers) last year because one person's Linux box got cracked and had a packet sniffer running. (and because the hubs were at that time misconfigured; normally packet sniffing doesn't work here).
The design of AntiSniff is to detect intruders running sniffers on your network.
-weld
... be on switched Ethernet.
Wrong. Switches do not guarantee security. It would be trivial to fake your MAC address in order to listen to somebody else's traffic, not to mention Ethernet broadcasts.
Apparently, you've never had a submission ignored for a while only to come up under another person's name a day (or days) later.
Couldn't you just send out ARP packets asking for the host-you-are-scanning's IP but to a MAC address other than the broadcast one (or its own) and see if it responds?
Or has this been tried and found not to work?
Switched hubs render sniffers useless simply because every packet does not go to every NIC. Of course, encryption is a good idea anyway :)
I certainly wasn't implying that relying on switches alone would completely secure anything. It does stop people from running a sniffer and then choosing what traffic they see from the whole subnet to grab. As far as faking the MAC address, would that not interrupt the communication to the other NIC? I've never tried faking a MAC address so I really don't know. Ethernet broadcasts aren't generally sensitive information that I can think of. I know I said it before, but crypto is always the best way to go.
This is like the radar detector detectors police started using a few years ago.
08/15/1999 - AntiSniff mentioned on CryptoGram
08/17/1999 - Submitted to Slashdot by anonymous reader
I assume the reason it failed to detect it (based on other comments) is that each linux box is running its own caching nameserver, preventing any 'extra' traffic especially during the DNS tests, which is really what AntiSniff looks for.
Programs that detect network cards that are in promiscuous mode aren't anything new. The detection isn't very reliable either. Often these programs show false alarms or miss the boat. In particular, the l0pht program failed to detect tcpdump on any machine I tried it on, and I tried running tcpdump from several linux boxen and tried AntiSniff on several windows machines. Hmm....
That's only one of three methods. The second takes advantage of a known protocol idiosyncracy of Linux.
The third method takes response time data from hosts before and during a flood of packets with bogus MAC addresses. This is the core detection routine, and actually comprises three different timing attacks.
There are multiple techniques to invalidate these tests; however, the intent of the tool is to detect *unauthorized* sniffing on a segment, and a number of the best anti-antisniffer techniques imply control of the surrounding network infrastructure...
It's an arms race, but isn't it always? The tool has its place.
-- Cerebus
well, I guess it goes kinda well with the following Slashdot article, maybe? If you have an anti-sniffer sniffer, would it maybe stop a bunch of script kiddies who use plain old sniffers with default settings, I guess?
Maybe?
...
AH! I was gonna say that.
But yeah, after a certain point you'll hafta use exponents:
trace-buster^3
trace-buster^27
As discussed on Bugtraq.
The technique used by this anti-sniffer is to check for machines lagging in replies due to the small amount of time it takes the sniffer to write everything to disk.
It's fairly easy to modify the current sniffers to drop promiscuous mode once they detect the huge amount of packets sent by the AntiSniffer.
My $.02
LOpht has probably been around longer than you've been 'doing computers', freak. Respect your elders.
I have actually detected people sniffing, and the logfiles produced are very helpful. Between this and L0phtCrack, you couldn't ask for a better (free) security suite.
If you saw this weeks ago, why the hell didn't you submit it? It's so easy to say "Boring, I saw this last week", but apparently the task of submitting a story is overwhelming to c00l folks like you.
I can see this getting ridiculous as you will have an anti-sniffer buster buster sniffer buster sniffer....
You get the idea.
Actually I think the Network General sniffer puts out a packet every once in a while to let everyone know that it's there (but don't take my word on it check a trace with the sniffer and see it there is a packet with a Network General MAC in it).
I know that an ethernet aui connection can be wired so that it only receives. I don't think you can do that with a 10BaseT connection (link integrity won't work and may take the port down).
I can't get past the ./configure stage of Ethereal. It says that I need a net/bpf.h file. What file is this and what devel package do I install to get it?
-- Kiran Jonnalagadda http://www.pobox.com/~jace
libpcap wasn't installed. Sorry for the luser quality post.
If you go out and buy an actual sniffer device (expensive, but if you use it a lot, it's worth it), such as a Network General sniffer or some such, then there's just no way to detect it. These don't send anything back down the TX line (unless you tell them to... very handy to send out a custom packet or three for debugging), and put nothing at all on the network. This l0pht dealie is to detect computers with normal NICs that have been put into promiscuous mode. It does this a bunch of ways, some are OS specific (older linux versions, most Windows versions due to poor network driver programming), and one is not.
:-)
The one that is not relies on the fact that if you beat the hell out of a system in promiscuous mode, it'll slow down, badly. Basically, it pings the shit out of the system while adding a bunch of network traffic destined to somewhere else. Then it measures latency on the pings. If that latency stays about the same, then the system you are pinging is probably ignoring all that other traffic at the hardware layer. If it goes up by a good amount, then that extra traffic may be getting through, passing to the software, thus slowing the system down enough to detect.
An actual sniffer device has none of these issues. Hell, a lot of them don't even HAVE an IP address. You stick it on the network, and hear pretty much what you want to hear. Transmit from any IP you want. It's just a matter of forming the packet correctly. If the system doesn't send out anything at all, there's no way to detect it, short of mucking about with resistances on the line or some EE stuff I know nothing of.
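The latency test in the post above (ping the host quietly, ping it again while the wire is flooded with frames addressed to MACs nobody owns, compare) comes down to deciding when a change in round-trip time is large enough to mean something. The following is an added example, not AntiSniff's code: it makes that decision with robust statistics and shows why a host on a congested link or with a jittery baseline (the bandwidth and machine-speed caveat raised elsewhere in the thread) is hard to judge. The RTT samples and thresholds are constructed and assumed.

```python
"""Decide whether a host slowed down under a flood of bogus-MAC frames.
Added example, not AntiSniff's code; the RTT samples and thresholds are
constructed.  A NIC that drops the flood in hardware should not slow the
host; one copying every frame up to the kernel usually does."""
import statistics
from typing import Sequence


def median_and_mad(samples: Sequence[float]):
    """Median and median absolute deviation: robust against a few stray RTTs."""
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples)
    return med, mad


def flags_promiscuous(quiet_ms: Sequence[float], flooded_ms: Sequence[float],
                      min_ratio: float = 2.0, min_mads: float = 3.0,
                      noise_floor_ms: float = 0.05) -> bool:
    """True when the flooded median is both a multiple of the quiet median
    and well outside the quiet jitter.  Both conditions are needed: a host
    on a busy link shifts a little for other reasons, and a host whose
    baseline already swings wildly cannot be judged from a ratio alone."""
    q_med, q_mad = median_and_mad(quiet_ms)
    f_med, _ = median_and_mad(flooded_ms)
    noise = max(q_mad, noise_floor_ms)   # floor keeps a perfectly steady baseline honest
    return f_med >= min_ratio * q_med and (f_med - q_med) >= min_mads * noise


# Constructed echo RTTs in milliseconds: (quiet phase, flooded phase), six replies each.
SAMPLES = {
    "quiet-host":   ([0.4, 0.5, 0.4, 0.6, 0.5, 0.4], [0.5, 0.4, 0.6, 0.5, 0.5, 0.4]),
    "promisc-host": ([0.5, 0.4, 0.5, 0.6, 0.5, 0.4], [2.1, 2.4, 1.9, 2.6, 2.2, 2.3]),
    "jittery-host": ([0.5, 3.0, 0.4, 2.8, 0.6, 2.5], [1.0, 3.5, 0.9, 3.2, 1.1, 2.9]),
}


def classify(samples=SAMPLES):
    """Map each host name to the verdict of the timing test."""
    return {name: flags_promiscuous(q, f) for name, (q, f) in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:14s} {'probably promiscuous' if verdict else 'no change seen'}")
```

The jittery host is the point of the third sample: its flooded median is higher, but not by more than its own quiet-phase swings, so the test says nothing about it either way. That is a miss, not a clean bill of health.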
I don't see how this is possible. From my experience, the Network General line of sniffers don't send ANYTHING out on the wire - they just listen to the packets going by and record them.
:-)
Guess I'll have to check this out...
-- Perry Ketter, a.k.a. IceStorm
AntiSniff detects the *lag* that is produced when packets pass *through* machines which are being sniffed. Any extra processing of packets moving through, such as logging or sniffing adds lag to the amount of lag the machine causes. AntiSniff detects the lag caused by storing sniffed packets.
Some very interesting discussion about AntiSniff took place on the bugtraq mailing list; here are the relevant threads (and yes, there is already an AntiAntiSniff Sniffer :) :
07/25/1999 - People start trying to figure out workarounds
07/25/1999 - Another discussion thread on AntiSniff and how it works.
07/25/1999 - The AntiAntiSniffer Sniffer is released: "All Hail The AntiAntiSniffer Sniffer!"
Can a television station detect electronically the number of viewers they have at any given time? Every standard television set and radio in the world is just like a dedicated packet sniffer. If I could connect a specialized box to your internal network, I could grab anything I want and it is not possible that you would be able to detect it unless you saw the box with your own eyes. I could come in and get it a week later and have a large number of passwords to mess with. The best sniffers have no need of a MAC or IP address.
:)
/. article has been mildly irritating. We need more moderators.
However, most crackers have to get into your network remotely. They usually find their way into a general-purpose machine. For practical reasons, it may not be possible for him/her to put the NIC into 100% receive-only mode. That is the kind of situation that AntiSniffer detects.
As others have said, a switch can make sniffing more difficult. Not impossible, just more difficult. Remember that no computer can be 100% secure, unless of course it finds itself in the middle of a nuclear explosion.
This is only one of the ways it detects it. The nslookups are a dead giveaway though.
Absolutely hilarious subplot, watching the characters go from TraceBuster to TraceBusterBuster to TraceBusterBusterBuster! I can't believe more people haven't caught this on this thread.
get out your trace-buster-buster to bust the buster who's trying to bust your trace
unless he has a trace-buster-buster-buster that is
Then don't read it and don't reply to it. Maybe people like myself haven't seen it.
that's my contribution.
Karnal
this program is inherently flawed....it makes the assumption that the computer doing the sniffing is also going to be doing nslookups on every ip that comes by..it would be a simple task to just sniff the data, and process it 6 hours later from another machine on the same network.
just my worthless opinion.
As per the bugtraq discussion this isn't always possible.
The Tx can be cut on AUI lines since it is not the same line as the keep-alive, but on RJ45 Tx and keep-alive are the same line, so if you cut Tx, the device on the other end will stop sending you data.
Another method that would work better (which was also on Bugtraq) was to sniff on one NIC that had an unreachable address (e.g. 0.0.0.0) and have another NIC in the sniffer machine to connect remotely with that has a valid IP. This hack practically requires a rewrite of the TCP driver though, so it would really only be feasible on an Open Source OS.
I was under the impression you couldn't go to promiscuous mode under 98/NT, but this article seems to indicate you can. Can someone point me on info on how to do this? Perhaps people hook into specific ethernet card drivers? Is there a general solution like linux?
I have used a number of sniffers and there is no way on earth that they can be detected remotely. All just capture packets - no more, no less.
Of course if the sniffer was running as a process on an NT or Windows 95 machine, then it is possible that sniffed packets get passed up to the protocol stack, but I have not been daft enough to run such a sniffer.
Looks like another means of making money out of ignorance.
This program is bullshit. A number of hacker sniffing tools run over packet drivers, and as long as you don't do reverse-dns queries, you can scarf all the passwords you want. Of course, installing a packet driver takes physical access to the machine.
All this will protect you against is sniffers being run by legitimate machines. It won't protect you against a rogue machine.
-russ
Well, if you need another type of sniffer sniffer, try neped. The Apostols had this thing a long time ago. Instead of this approach they actually send out something which only promisc network stacks respond to. Not the sneakiest approach, but it works.
So which is it? Are they "quasi-cracker" or "going corporate"? There's no pleasing some people.
Routers have enough other things to do than try and detect a machine sniffing. Cisco routers (75% of the internet) don't have any such capability directly built in.
:-)
The l0pht anti-sniff program just does a couple of well known tricks to detect the response time of a normal machine hacked to be in promiscuous mode. A router could be used to do the same thing, just a bit more crudely, with less reliability (antisniff is pretty unreliable, I've been testing with it)
Your router admin sounds like a know-it-all with no real knowledge. Ask for details, and if you get anything solid then email me. I'm always looking for new tricks
the AC
More wrong-headed "conventional wisdom". The two flaws in the logic that "switches solve sniffing": A.) switches aren't designed for security (even the ones with "security features"), and B.) there are things you can do at the network layer that affect the way the link layer works.

There are switches that will revert into an "insecure" forwarding mode when room for forwarding tables runs out (if you think about this, you'll realize that there's basically no way any switch can prevent this attack, other than detecting it and locking down the offending port). There are switches that can be "fooled" by seeing a frame with an Ethernet address it believes to be on a different port (forwarding table updates happen instantaneously). There are tens of other little problems like this that can be exploited.

More importantly, there are games you can play with IP that completely subvert switches; you can race ARP, for instance, and transparently forward captured packets. You can play games with dynamic routing. Look at the recent L0pht advisory on Router Discovery.

For something to be useful as a security device, it needs to provide some degree of assurance that it is doing what you expect it to be doing. Switches, as "anti-sniffing" devices, fail this test --- there is no way for you to know, outside of expensive testing, not only of the switch but of your entire LAN environment, whether or not they are really providing any protection.

In the real world, IPsec isn't a practical solution to most security problems. When the entire Internet speaks IPsec, you will have a valid point. Until then, LAN snooping is a problem that is important to address.

Even when IPsec is deployed widely, the only reason sniffing will cease to be such an issue is that so few people will be doing it anymore. Right now, sniffer detection is a valuable means of detecting _intrusions_, and after-the-fact intrusion detection is obviously valuable when you can't assure attack detection.
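The two link-layer failures named in the post above (a forwarding table that fills up so the switch falls back to flooding, and a table entry that moves the instant a forged source address is seen) can be shown with a small model of a learning switch. This is an added example, not code from the thread or from any switch vendor; table capacity, ageing time, ports and MAC addresses are assumed.

```python
"""Model of a learning switch, showing forwarding-table overflow and a
forged-source-MAC table update.  Added example, not from the thread;
capacity, ageing time and addresses are assumed."""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports: List[int], capacity: int, age_out: int):
        self.ports = ports
        self.capacity = capacity
        self.age_out = age_out
        self.now = 0
        self.table: Dict[str, Tuple[int, int]] = {}   # mac -> (port, last_seen)

    def tick(self, seconds: int = 1) -> None:
        """Advance the clock and drop entries that have not been refreshed."""
        self.now += seconds
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if self.now - t < self.age_out}

    def _learn(self, src_mac: str, port: int) -> None:
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = (port, self.now)   # new or moved: takes effect at once
        # table full and address unknown: the address is simply not learned

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> List[int]:
        """Return the ports a frame is sent out of."""
        self._learn(src_mac, in_port)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # unknown destination: flood
        return [entry[0]]


VICTIM, SERVER, ATTACKER = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
V_PORT, S_PORT, A_PORT = 1, 2, 3


def cam_overflow_scenario(capacity: int) -> List[int]:
    """After a quiet period the victim's entry has aged out.  The attacker
    then fills the table with garbage sources; if it is full the victim
    cannot be relearned and the server's next frame to it is flooded to
    every port, the attacker's included."""
    sw = LearningSwitch([1, 2, 3], capacity=capacity, age_out=300)
    sw.forward(VICTIM, SERVER, V_PORT)
    sw.forward(SERVER, VICTIM, S_PORT)
    sw.tick(300)                                      # quiet: both entries age out
    for i in range(64):
        sw.forward(f"02:00:00:00:00:{i:02x}", SERVER, A_PORT)   # forged sources
    sw.forward(VICTIM, SERVER, V_PORT)                # victim speaks again
    return sw.forward(SERVER, VICTIM, S_PORT)


def mac_spoof_scenario() -> List[int]:
    """One frame with the victim's MAC as source re-points the victim's
    entry to the attacker's port; the server's traffic now goes only there."""
    sw = LearningSwitch([1, 2, 3], capacity=64, age_out=300)
    sw.forward(VICTIM, SERVER, V_PORT)
    sw.forward(ATTACKER, SERVER, A_PORT)
    sw.forward(VICTIM, SERVER, A_PORT)                # forged source MAC
    return sw.forward(SERVER, VICTIM, S_PORT)


if __name__ == "__main__":
    print("server->victim, table big enough:", cam_overflow_scenario(1024))
    print("server->victim, table overflowed:", cam_overflow_scenario(64))
    print("server->victim, after MAC spoof:  ", mac_spoof_scenario())
```

In the spoof case the real victim's next frame moves the entry straight back, which is why that trick is a race rather than a one-shot takeover, exactly as the post says of the ARP variant.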
A.) The "company" you're talking about never published any research. They might as well have never done it.

B.) Your idea of how the L0pht tool works has very little to do with what the tool actually does. The technique your "company" uses (which is well-known, though undocumented) is not the only (or even the most powerful) check done by the L0pht tool.

C.) Physical sniffers are not the threat that this tool purports to defend against, nor are they a threat for the vast majority of networks (in which physical access to the network is not an issue).

L0pht predates "skript kiddies". The researchers at the L0pht are among the more respected in the whole security industry (speaking as one who spent a great deal of time in that industry). They're responsible for a good deal of pioneering work, and they have a reputation for doing things right.

Which is what I believe they are doing here, by thoroughly documenting the way their tool works and what its limitations are. We can study their tool and determine through peer-review how effective it is. And, if we wanted to, we could use their research to build our own tools.

Which is only fair, because they are also using publicly available research to build their tool.
The article claims to be the first of its kind, despite the fact that I had a discussion with a guy 3 years ago whose company was doing _exactly_ this same thing.

The theory is that if a machine is in promiscuous mode, certain IP communications are not responded to. (Sending an ICMP error to the machine and seeing if you get a reply is one such test.)

So if your protocol stacks still respond normally, these tests don't work.

The problem is that 1) after my conversation 3 years ago, I managed to modify a public domain IP implementation that would sniff and not interrupt normal processing of packets, and 2) even if intruders are nice enough to use garbage stack implementations that respond like this, what if they are running a machine you don't know is there, and no protocol stack? No way to query the machine, no way to know it is sniffing.
The point is that this company is grandstanding on a couple well-known behaviours of promiscuous machines. Don't believe them. They'll not improve your security.
What's the big deal? I've been doing this from my various UNIX boxes for years. And, I didn't need a half-assed (must be, since it's only for Windows) quasi-cracker utility to do it. I wonder how long it took them to copy the tcpdump source?
But, since you brought it up, I would think an organization like l0pht would have thought of a better name for their product. Hmm, let's see, a product that detects others who are promiscuous. How about Celibacy? Or Puritan? Guess they're going corporate, huh?
How else can one detect a nic is promiscuous (sp?) mode? The Router guy at my school said that he could easily detect such things. Can anyone explain how? Is sniffing logged in the records of various network routers?
He's a real jerk so he may just be embellishing the truth.
-matt
Who gave me a -1 on redundancy?
If you would look, I was the first to post.
Duh....
I'd think that if you really needed the kind of security that makes network sniffing a no-no, you'd spend more time trying to strengthen the types of security you use for network traffic rather than trying to detect who's sniffing.
.... just make the data that could be sniffed useless in the hands of a sniffer, and you don't need a sniffer detector.
Encrypted mail and such
Not that I'm any sort of security expert, but this sounds kind of like the Radar Gun Detector argument - if you're afraid of being pulled over in the first place, you have to work to change the speed limit, not try to evade the Radar Guns.
I knew that I knew before he thought that I knew.
I don't know why we even bother...someone will always find a loop hole...
Why is it that they're never fixed before someone exploits it? You'd think that somewhere and sometime, one of the good guys would find the exploit first.
Ah well...
Does this remind anyone of the movie "The Big Hit"
"I have a call tracer blocker tracker blocker....."