Re: detecting sniffers is downright easy

Christopher Klaus (cklaus@shadow.net)
Wed, 10 May 1995 13:48:24 -0400 (EDT)

> 
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique.  This has been widely published for
> over 5 years.

Any sniffer can be slightly modified to change its MD5 checksum, so you
can't tell if it is a sniffer or just another a.out program in someone's
directory.  Nor can you if a hacker uploads a sniffer, runs it, and removes
the executable: the only thing you will find as a file might be the log file.
And even then, if the sniffer is decent, it never saves the log to any file
but rather e-mails or somehow transfers it back to another site.  Then
you won't be able to search for any files on disk.

Also, if it's a Solaris machine, you can't tell if the machine is in
promiscuous mode, so you can't tell if the machine is even sniffing.
The only chance is if ps shows a process out of the ordinary,
but it wouldn't be hard for the hacker to name the process something like
in.telnetd or named so it won't stick out; then you might get lucky
and see a single process eating up lots of CPU if you happen to be on a
heavy network.  If the sniffer is well written and is only sniffing
certain packets, even the CPU usage will not be too noticeable.

> 
> Thus, not only is detection of all Unix-based real-world sniffers not
> impossible or infeasible, it is downright easy and simple. 

Uh huh.  For $29.95, I'll send you the sniffer detector kit that will
allow you to catch any and all sniffers on your networks. 8-)  I
also have the Alien Chip Implant Removal kit on sale this month for $19.95.
The ACIR is great for keeping martians out of your network.

I have created a FAQ on Sniffers that has many products for protection 
against sniffers and advice for detecting sniffers available at 
http://iss.net/iss/sniff.htm or send mail to info@iss.net.

Cheers,
Christopher
  

-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.         Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
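An added example, not part of Klaus's post or of the ISS FAQ he cites: the two host-side checks his message says were unavailable on a 1995 Solaris box, as they look on a modern Linux host where the kernel does expose them. It assumes the Linux layout of /sys/class/net/<if>/flags (IFF_PROMISC is bit 0x100, from <linux/if.h>) and of /proc/net/packet, whose last column is the socket inode. Rather than trusting the process name that Klaus notes an attacker will fake (in.telnetd, named), it maps each open AF_PACKET socket back to the PID and executable that holds it. The /proc/net/packet table embedded below is constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): host-side sniffer heuristics
# for Linux.  Assumptions: /sys/class/net/<if>/flags holds the kernel
# interface flags, IFF_PROMISC is 0x100, and /proc/net/packet lists open
# AF_PACKET sockets with the inode in the last column.  Neither check is
# proof: a kernel rootkit can hide both the flag and the socket.

IFF_PROMISC=256   # 0x100 from <linux/if.h>

# promisc_flag_set HEXFLAGS : exit 0 when the IFF_PROMISC bit is set
promisc_flag_set() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces : print each interface whose kernel flags include IFF_PROMISC
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if promisc_flag_set "$(cat "$f")"; then
            ifname=${f%/flags}
            printf '%s\n' "${ifname##*/}"
        fi
    done
}

# packet_socket_inodes : read /proc/net/packet-format text on stdin, print the
# inode of every open AF_PACKET socket (last column; line 1 is the header)
packet_socket_inodes() {
    awk 'NR > 1 && NF > 0 { print $NF }'
}

# procs_holding_inodes INODE... : "pid exe" for each process whose fd table
# points at one of the given socket inodes.  A process renamed to look like
# in.telnetd still owns the socket, so we resolve the PID and its binary.
procs_holding_inodes() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        for ino in "$@"; do
            if [ "$target" = "socket:[$ino]" ]; then
                pid=${fd#/proc/}; pid=${pid%%/*}
                exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
                printf '%s %s\n' "$pid" "$exe"
            fi
        done
    done
}

# Constructed sample in /proc/net/packet format (not a real capture).
SAMPLE_PACKET_TABLE='sk               RefCnt Type Proto  Iface R Rmem   User   Inode
00000000abcd1234 3      3    0003   2     1 0      0      31337
00000000deadbeef 3      3    0003   2     1 0      1000   31338'

# inodes_in_sample : run the parser over the constructed table, space-joined
inodes_in_sample() {
    printf '%s\n' "$SAMPLE_PACKET_TABLE" | packet_socket_inodes \
        | tr '\n' ' ' | sed 's/ *$//'
}

# main : live scan of this host
main() {
    echo "== interfaces in promiscuous mode =="
    promisc_ifaces
    echo "== processes holding AF_PACKET sockets =="
    if [ -r /proc/net/packet ]; then
        set -- $(packet_socket_inodes < /proc/net/packet)
        [ $# -gt 0 ] && procs_holding_inodes "$@"
    fi
}

# Run the live scan only when invoked as:  sh sniffcheck.sh scan
case "${1-}" in scan) main ;; esac
```

Run it as `sh sniffcheck.sh scan` on the suspect host. An interface in PROMISC with no known capture tool behind it, or an AF_PACKET socket owned by a binary that has no business reading raw frames, is what to look at; an empty result proves nothing, for exactly the reasons the post gives.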