Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Networking with Windows Vista Networking issues and questions with Windows Vista. (microsoft.public.windows.vista.networking_sharing) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Determining the presence of wireshark
On Mar 20, 11:49*am, PaulusJrLz wrote:
On Mar 9, 11:27*pm, Karthik Balaguru wrote: Hi, How to determine the presence of wireshark in a network ? Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . Any tool to identify its presence in either Windows or Linux ? Any ideas ? Thx in advans, Karthik Balaguru One indicator of sniffer activity is a lot of DNS requests from the sniffer. This detection is not always effective, since sniffer's DNS resolution can be turned off. I think that is how antisniff has been played down by some snifferes. I have been searching for these tools that help in finding the remote systems in promiscuous mode in a network. I did come across other tools that help in detection of a system in promiscuous mode such as the following- 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 3. promisc.c http://seclists.org/nmap-hackers/199.../promisc_c.bin Determines the machine on which it is run is in promisc mode. This is similar to "ifconfig -a|grep PROMISC" :-) But,this does not help remote machine(sniffer) detection :-( 4. ifstatus ftp://ftp.cerias.purdue.edu/pub/tool...tus-4.0.tar.gz Checks and reports the network interfaces on the system reports any that are in debug or promiscuous mode - Not suitable for remote sniffer detection :-( 5. Antisniff So antisniff appears that it be tricked out if kernel 2.2.10 is used or if DNS lookup test is avoided or if the sniffing is not done above an average network traffic limit. And it seems there is an equally interesting 'Anti-Antisniff Sniffer' to play down the antisniff utility :-( But, I am not sure if Sentinel helps in detection of remote promiscous mode(Sniffer) even in the case of linux kernel 2.2.10 ! ? Thx in advans, Karthik Balaguru |
|
|||
Determining the presence of wireshark
On Mar 20, 11:49*am, PaulusJrLz wrote:
On Mar 9, 11:27*pm, Karthik Balaguru wrote: Hi, How to determine the presence of wireshark in a network ? Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . Any tool to identify its presence in either Windows or Linux ? Any ideas ? Thx in advans, Karthik Balaguru One indicator of sniffer activity is a lot of DNS requests from the sniffer. This detection is not always effective, since sniffer's DNS resolution can be turned off. I think that is how antisniff has been played down by some snifferes. I have been searching for these tools that help in finding the remote systems in promiscuous mode in a network. I did come across other tools that help in detection of a system in promiscuous mode such as the following- 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 3. promisc.c http://seclists.org/nmap-hackers/199.../promisc_c.bin Determines the machine on which it is run is in promisc mode. This is similar to "ifconfig -a|grep PROMISC" :-) But,this does not help remote machine(sniffer) detection :-( 4. ifstatus ftp://ftp.cerias.purdue.edu/pub/tool...tus-4.0.tar.gz Checks and reports the network interfaces on the system reports any that are in debug or promiscuous mode - Not suitable for remote sniffer detection :-( 5. Antisniff So antisniff appears that it be tricked out if kernel 2.2.10 is used or if DNS lookup test is avoided or if the sniffing is not done above an average network traffic limit. And it seems there is an equally interesting 'Anti-Antisniff Sniffer' to play down the antisniff utility :-( But, I am not sure if Sentinel helps in detection of remote promiscous mode(Sniffer) even in the case of linux kernel 2.2.10 ! ? Thx in advans, Karthik Balaguru |
|
|||
Determining the presence of wireshark
2010-03-20, 01:59(-07), Karthik Balaguru:
[...] 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? All those methods assume the interface is configured with an IP address, or that the system supports IP. There's no need for implementing an IP stack to sniff ethernet packets. One can use wireshark on an interface that hasn't got any IP address configured or that has a firewall rule that prevents it from emmiting any packet. sudo iptables -I OUTPUT --out-interface eth0 -j DROP And that interface will not be detected. Probably same with sudo ip addr flush dev eth0 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 2.2.9 was released in May 1999. I don't expect there be a lot of pre-2.2.10 Linux boxes around nowadays. -- Stéphane |
|
|||
Determining the presence of wireshark
2010-03-20, 01:59(-07), Karthik Balaguru:
[...] 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? All those methods assume the interface is configured with an IP address, or that the system supports IP. There's no need for implementing an IP stack to sniff ethernet packets. One can use wireshark on an interface that hasn't got any IP address configured or that has a firewall rule that prevents it from emmiting any packet. sudo iptables -I OUTPUT --out-interface eth0 -j DROP And that interface will not be detected. Probably same with sudo ip addr flush dev eth0 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 2.2.9 was released in May 1999. I don't expect there be a lot of pre-2.2.10 Linux boxes around nowadays. -- Stéphane |
|
|||
Determining the presence of wireshark
On Mar 20, 3:28*pm, Stephane CHAZELAS
wrote: 2010-03-20, 01:59(-07), Karthik Balaguru: [...] 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? All those methods assume the interface is configured with an IP address, or that the system supports IP. Okay . Yeah, I analyzed it and it appears just like as you conveyed - Passive Sniffers in promiscuous modes(Remote) can be detected only if they are on an interface with a configured IP address ! There's no need for implementing an IP stack to sniff ethernet packets. One can use wireshark on an interface that hasn't got any IP address configured or that has a firewall rule that prevents it from emmiting any packet. sudo iptables -I OUTPUT --out-interface eth0 -j DROP And that interface will not be detected. :-( Interesting to know that wireshark or other sniffers can be used on an interface that hasn't got any IP address configured. But, i wonder what is the advantage/use of running wireshark on an interface that hasn't got any IP address. In what kind of scnearios we might need to run wireshark on an interface without IP address ? Any thoughts ? Probably same with sudo ip addr flush dev eth0 :-( It appears that there is NO method to detect passive sniffing unless the sniffer does not take care of things like hiding IP address / using a proper flawless OS. 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 2.2.9 was released in May 1999. I don't expect there be a lot of pre-2.2.10 Linux boxes around nowadays. True that there might not be much systems that use pre-2.2.10 unless upgraded. So, it is difficult to determine the presence of sniffer in networks in such a case. So, in brief - NO METHOD to detect Passive Sniffing :-( That is, It seems that unless there is a flaw in the operating system similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not possible to determine the presence of sniffers performing passive sniffing in the network. Karthik Balaguru |
|
|||
Determining the presence of wireshark
On Mar 20, 3:28*pm, Stephane CHAZELAS
wrote: 2010-03-20, 01:59(-07), Karthik Balaguru: [...] 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? All those methods assume the interface is configured with an IP address, or that the system supports IP. Okay . Yeah, I analyzed it and it appears just like as you conveyed - Passive Sniffers in promiscuous modes(Remote) can be detected only if they are on an interface with a configured IP address ! There's no need for implementing an IP stack to sniff ethernet packets. One can use wireshark on an interface that hasn't got any IP address configured or that has a firewall rule that prevents it from emmiting any packet. sudo iptables -I OUTPUT --out-interface eth0 -j DROP And that interface will not be detected. :-( Interesting to know that wireshark or other sniffers can be used on an interface that hasn't got any IP address configured. But, i wonder what is the advantage/use of running wireshark on an interface that hasn't got any IP address. In what kind of scnearios we might need to run wireshark on an interface without IP address ? Any thoughts ? Probably same with sudo ip addr flush dev eth0 :-( It appears that there is NO method to detect passive sniffing unless the sniffer does not take care of things like hiding IP address / using a proper flawless OS. 2. neped.c http://www.artofhacking.com/tucops/h.../aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 2.2.9 was released in May 1999. I don't expect there be a lot of pre-2.2.10 Linux boxes around nowadays. True that there might not be much systems that use pre-2.2.10 unless upgraded. So, it is difficult to determine the presence of sniffer in networks in such a case. So, in brief - NO METHOD to detect Passive Sniffing :-( That is, It seems that unless there is a flaw in the operating system similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not possible to determine the presence of sniffers performing passive sniffing in the network. Karthik Balaguru |
|
|||
Determining the presence of wireshark
But, i wonder what is the advantage/use of running
wireshark on an interface that hasn't got any IP address. In what kind of scnearios we might need to run wireshark on an interface without IP address ? Any thoughts ? How about running whireshark while hiding from people who are trying to find people running Wireshark? -- These are my opinions, not necessarily my employer's. I hate spam. |
|
|||
Determining the presence of wireshark
On Mar 21, 11:14*am, (Hal
Murray) wrote: But, i wonder what is the advantage/use of running wireshark on an interface that hasn't got any IP address. In what kind of scnearios we might need to run wireshark on an interface without IP address ? Any thoughts ? How about running whireshark while hiding from people who are trying to find people running Wireshark? :-) :-) I had that in mind ! But, Is it only for that reason ? Are there no other scenarios ? Thx in advans, Karthik Balaguru |
|
|||
Determining the presence of wireshark
On Mar 21, 11:14*am, (Hal
Murray) wrote: But, i wonder what is the advantage/use of running wireshark on an interface that hasn't got any IP address. In what kind of scnearios we might need to run wireshark on an interface without IP address ? Any thoughts ? How about running whireshark while hiding from people who are trying to find people running Wireshark? :-) :-) I had that in mind ! But, Is it only for that reason ? Are there no other scenarios ? Thx in advans, Karthik Balaguru |
|
|||
Determining the presence of wireshark
On Mar 9, 10:40*pm, Jeff Liebermann wrote:
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru wrote: How to determine the presence of wireshark in a network ? Look for NIC cards and wireless devices running in promiscuous mode. Are there any specific packet types exchanged while it is present in the network so that it can be used to determine its presence in the network . No. *A sniffer is totally passive. Agreed, sniffer is totally passive ! On analyzing various internet links and also discussions, i understand that that unless the sniffer does not take care of things like hiding IP address / there is a flaw in the operating system similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not possible to determine the presence of sniffers performing passive sniffing in the network. The option of using IPSec for all intranet traffic appears to be the main solution against passive sniffing. Though some OS can restrict that only admins can install certain type of sniffers, i think that is not enough as sometimes it can be via admin too. I wonder, why don't the various OS support the detection of Sniffers so that if a user is running it in the network, the OS might intimate it to the admins ? Just eager to know , is it not possible for the OS to detect a sniffer running on it and intimate it ? I think, the various OS(TCP/IP) in network should be configurable such that if there is a sniffer running on it, it would be able to intimate to a set of users(admin) in the network. The OS here can be either Linux / Windows. Are there any such tools already available ? Any tool to identify its presence in either Windows or Linux ? Any ideas ? AntiSniff: http://www.nmrc.org/pub/review/antisniff-b2.html You may have trouble finding this one. PromqryUI in DOS and Windowfied versions: http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83b.... http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa.... Only works for detecting sniffers running on a Windoze system. *I haven't been able to detect DOS, Linux, or Mac sniffers with these tools. I've also noticed that most casual users of sniffers running on laptops like to boot their operating system before firing up their sniffers. *The laptop will usually belch a few DHCP broadcasts and ARP requests before disappearing into promiscuous mode. *These initial packets can be detected with ArpWatch: http://24h.atspace.com/it/security/arpwatch.htm The problem is not identifying the presence of the sniffer, it's identifying which machine is actually doing the sniffing. *The MAC address is a clue, but given the ease of MAC address spoofing, that information is often useless. *Even if I delivered the MAC address on a silver platter, identifying which one of the potentially hundreds of similar computers in the room or building might be difficult. -- Thx in advans, Karthik Balaguru |
Thread Tools | |
Display Modes | |
|
|