Slashdot Mirror


l0pht develops Sniffer Sniffer

An anonymous reader has written in to say that l0pht has released a sniffer detector called AntiSniff. You can use it to determine if someone is sniffing around your network. There are already rumors of a sniffer-sniffer-proof sniffer already for those of you who already knew what I knew I thought you knew I knew.

12 of 97 comments

  1. Re:Not again.. by Trepidity · · Score: 2

    I did.

  2. Re:So what by jd · · Score: 2

    I agree. IPsec and SKIP make much more sense than trying to detect the sniffer. Detecting a detector is just another form of arms race. The problem with arms races is your arms fall off.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  3. what anti-sniff isn't... by krynos · · Score: 2

    anti-sniff won't detect computers/devices on the network that don't emit any packet, but if someone has physical access to your network you have bigger problems than just sniffing.

    Anti-sniff was made mainly to try to detect sniffing on machines that are known to exist and must still listen on the network (like servers).

    It will send bogus IP and other weird things to check if it slows down the machine, as well as a few other tricks.

    Depending on the bandwidth to the machine, the speed of the machine and the intelligence of the sniffer, that may not work.

    However, it is a little extra in a sysadmin's toolbox; it's not perfect but may help.

  4. Details? by roystgnr · · Score: 2

    This would be a useful script to have. An entire dorm at Rice had to change their passwords (and check their computers) last year because one person's Linux box got cracked and had a packet sniffer running. (and because the hubs were at that time misconfigured; normally packet sniffing doesn't work here).

  5. Not anything new by GoRK · · Score: 2

    Programs that detect network cards that are in promiscuous mode aren't anything new. The detection isn't very reliable either. Often these programs show false alarms or miss the boat. In particular, the l0pht program failed to detect tcpdump on any machine I tried it on, and I tried running tcpdump from several linux boxen and tried AntiSniff on several windows machines. Hmm....

  6. There is already an anti-antisniffer sniffer by F2F · · Score: 2

    As discussed on Bugtraq.

    The technique used by this anti-sniffer is to check for machines lagging in replies due to the small amount of time it takes the sniffer to write everything on disk.

    It's fairly easy to modify the current sniffers to drop the promiscuous mode once they detect the huge amount of packets sent by the AntiSniffer.

    My $.02

  7. Sniffing the sniffer? by Otto · · Score: 2

    If you go out and buy an actual sniffer device (expensive, but if you use it a lot, it's worth it), such as a Network General Sniffer or some such, then there's just no way to detect it. These don't send anything back down the TX line (unless you tell them to.. very handy to send out a custom packet or three for debugging), and put nothing at all on the network... This l0pht dealie is to detect computers with normal NICs that have been put into promiscuous mode. It does this a bunch of ways, some are OS specific (older linux versions, most Windows versions due to poor network driver programming), and one is not.

    The one that is not relies on the fact that if you beat the hell out of a system in promiscuous mode, it'll slow down, badly. Basically, it pings the shit out of the system while adding a bunch of network traffic destined to somewhere else. Then it measures latency on the pings. If that latency stays about the same, then the system you are pinging is probably ignoring all that other traffic at the hardware layer. If it goes up by a good amount, then that extra traffic may be getting through, passing to the software, thus slowing the system down enough to detect.

    An actual sniffer device has none of these issues. Hell, a lot of them don't even HAVE an IP address. You stick it on the network, and hear pretty much what you want to hear. Transmit from any IP you want. It's just a matter of forming the packet correctly. If the system doesn't send out anything at all, there's no way to detect it, short of mucking about with resistances on the line or some EE stuff I know nothing of. :-)

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
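    The OS-independent latency test that krynos (comment 3) and Otto (comment 7) describe boils down to one comparison: ping round-trip times on a quiet network versus round-trip times while the wire is flooded with frames addressed elsewhere. The following is an added example of that decision step only, written for this thread; it is not AntiSniff's code and does not generate any traffic. The ping-output text, the RTT sample sets, the 1.5x ratio threshold and the minimum sample count are all constructed or assumed. It also handles the failure mode krynos points out (a slow link or a jittery baseline makes the ratio meaningless) by returning "inconclusive" rather than a verdict.

```python
import re
import statistics

# Constructed ping output (not captured from a real host), used as the
# source of RTT samples.  A real run would feed in the tool's own output.
SAMPLE_PING = """\
64 bytes from 10.0.0.7: icmp_seq=1 ttl=64 time=0.42 ms
64 bytes from 10.0.0.7: icmp_seq=2 ttl=64 time=0.45 ms
64 bytes from 10.0.0.7: icmp_seq=3 ttl=64 time=0.41 ms
"""

# Constructed RTT sample sets in milliseconds (assumed values).
BASELINE = [0.42, 0.45, 0.41, 0.44, 0.43, 0.46, 0.42]        # quiet network
LOADED_CLEAN = [0.44, 0.43, 0.47, 0.45, 0.42, 0.46, 0.44]    # NIC filters in hardware
LOADED_PROMISC = [1.9, 2.4, 2.1, 3.0, 2.2, 2.6, 2.0]         # host processing every frame
NOISY_BASELINE = [0.4, 1.2, 0.5, 0.9, 2.0, 0.45, 0.7]        # congested or slow link

_RTT_RE = re.compile(r"time=([0-9.]+) ms")


def rtts_from_ping_output(text):
    """Pull the RTT values (ms) out of ping-style output lines."""
    return [float(m.group(1)) for m in _RTT_RE.finditer(text)]


def latency_ratio(baseline_ms, loaded_ms):
    """Median RTT under the flood divided by the quiet median.

    A card that drops non-addressed frames in hardware should stay near 1.0;
    a host in promiscuous mode has to copy and inspect every frame, so its
    ping replies lag and the ratio climbs.  Medians rather than means keep a
    single lost or delayed reply from dominating the result."""
    return statistics.median(loaded_ms) / statistics.median(baseline_ms)


def baseline_jitter(baseline_ms):
    """Spread of the quiet samples relative to their median."""
    return (max(baseline_ms) - min(baseline_ms)) / statistics.median(baseline_ms)


def classify(baseline_ms, loaded_ms, threshold=1.5, min_samples=5):
    """Return "promiscuous", "clean" or "inconclusive".

    threshold and min_samples are assumed tuning knobs, not AntiSniff's.
    The test is refused (inconclusive) when there are too few samples or
    when the quiet baseline already varies by more than the margin the
    threshold is meant to detect, which is exactly the slow-link / noisy
    network case where this technique is known not to work."""
    if len(baseline_ms) < min_samples or len(loaded_ms) < min_samples:
        return "inconclusive"
    if baseline_jitter(baseline_ms) > threshold - 1.0:
        return "inconclusive"
    return "promiscuous" if latency_ratio(baseline_ms, loaded_ms) >= threshold else "clean"


if __name__ == "__main__":
    print("parsed RTTs:", rtts_from_ping_output(SAMPLE_PING))
    for name, loaded in (("hardware-filtered host", LOADED_CLEAN),
                         ("promiscuous host", LOADED_PROMISC)):
        print(f"{name}: ratio={latency_ratio(BASELINE, loaded):.2f} "
              f"-> {classify(BASELINE, loaded)}")
    print("noisy baseline ->", classify(NOISY_BASELINE, LOADED_CLEAN))
```

    As GoRK and anticypher note further down, the ratio is only evidence, not proof: a fast host with a light sniffer (or one that drops promiscuous mode when it sees the flood, as F2F describes) will sit under any threshold, and a busy host will exceed it without sniffing. The "inconclusive" branch is there so the result is at least not reported with false confidence.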

  8. AntiSniff on Bugtraq... Go to the source. by regs · · Score: 3

    Some very interesting discussion about AntiSniff took place on the bugtraq mailing list; here are the relevant threads (and yes, there is already an AntiAntiSniff Sniffer :) :

    --
    "In Cyberspace, no one can hear you be sarcastic"

  9. Bullshit! by Russ+Nelson · · Score: 2

    This program is bullshit. A number of hacker sniffing tools run over packet drivers, and as long as you don't do reverse-dns queries, you can scarf all the passwords you want. Of course, installing a packet driver takes physical access to the machine.

    All this will protect you against is sniffers being run by legitimate machines. It won't protect you against a rogue machine.
    -russ

    --
    Don't piss off The Angry Economist

  10. Not easily by anticypher · · Score: 2

    Routers have enough other things to do than try and detect a machine sniffing. Cisco routers (75% of the internet) don't have any such capability directly built in.

    The l0pht anti-sniff program just does a couple of well known tricks to detect the response time of a normal machine hacked to be in promiscuous mode. A router could be used to do the same thing, just a bit more crudely, with less reliability (antisniff is pretty unreliable, I've been testing with it).

    Your router admin sounds like a know-it-all with no real knowledge. Ask for details, and if you get anything solid then email me. I'm always looking for new tricks :-)

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on

  11. So what by SirSlud · · Score: 2

    I'd think that if you really needed the kind of security that makes network sniffing a no-no, you'd spend more time trying to strengthen the types of security you use for network traffic rather than trying to detect who's sniffing.

    Encrypted mail and such .... just make the data that could be sniffed useless in the hands of a sniffer, and you don't need a sniffer detector.

    Not that I'm any sort of security expert, but this sounds kind of like the Radar Gun Detector argument - if you're afraid of being pulled over in the first place, you have to work to change the speed limit, not try to evade the Radar Guns.

    --
    "Old man yells at systemd"

    1. Re:So what by fwr · · Score: 2

      Get a clue, if you used someone else's MAC then the switch would update its FDB and any traffic to the user would be forwarded to you. That would cause the user to lose any connections that they had (IP/IPX/whatever) and that would definitely cause them to think something is "up." I don't know of ANY vendor's switches that have room in their FDB to hold two ports for each MAC address. If you do I'd like to know.

      True, if you're in the same VLAN you would see all broadcast/multicast traffic (unless the switch was capable of IGMP then you wouldn't even get all the multicast traffic). But, my experience is that broadcast/multicast traffic is not too useful for snooping passwords and such (at least for TCP/IP/unix connections and that's all we care about, right?).

      Switches definitely do not "guarantee security" but your method for snooping will not work. Even if you were able to get control of the conversation steering or port mirroring (or whatever your particular vendor calls it) capabilities of your switch there would be problems. First, you would have to be plugged into the same switch as the device you wanted to sniff. Second, you would probably only get half of the "conversation." A little-known fact is that most switches are set up for auto-negotiation to 100BT full duplex. Most switches are unable to buffer frames while port mirroring. So if the device you are sniffing happens to be in full duplex mode and is sending a frame at the same time the switch is sending a frame to it you would only get one of the frames copied to your mirror port.

      Besides, auto-negotiation does not always work and when it doesn't the results are not too pleasant. It varies between combinations of various vendors' switches and various NIC cards. Some combinations work excellently, some are intermittent, and some fail all the time. The end result is that some network engineers choose to force speed and duplex in all cases just so that there is no possibility of problems.