Re: detecting sniffers is downright easy

Chris Swanson (cds@SSDS.com)
Thu, 11 May 1995 14:50:10 -0700 (PDT)

Greetings,

	I think you underestimate the problem.  Actually, most Unix 
sniffers do not "modify the kernel" as you state.  Most Unixes have a 
promiscuous mode interface built-in (w/o it you cannot do ARP/RARP, 
etc.); /dev/nit in BSD based systems is a good example.  The only way the 
kernel checksum that you recommended would work would be if the 
promiscuous mode interface were configured out of the kernel.  While this 
is desirable, in certain cases it cannot be done.

	Also, the software scan will only work on machines that you know 
about and control.  If someone gains physical access to your net (trivial 
in most real-world situations), they can plug an "enabled" system in and 
sniff.  In reality, detecting sniffers is quite difficult.  You must 
control all of the systems on the net, they must be secure, and the net 
must have physical security (where most organizations REALLY fall down).

	Regards,
	-+Chris


+-------------------------+------------------------+-------------------------+
|  @@@   @@@  @@@@   @@@  | SSDS, Inc.             | Chris Swanson           |
| @     @     @   @ @     | Minneapolis Operations | Engineer                |
|  @@@   @@@  @   @  @@@  | 8841 Nicollet Ave S.   | Tel:    (612)/888-4045  |
|     @     @ @   @     @ | Bloomington, MN        | FAX:    (612)/888-4066  |
| @@@@  @@@@  @@@@  @@@@  |           55420        | Email:  cds@ssds.com    |
+-------------------------+------------------------+-------------------------+
|              ** The Intelligent Network Computing Company **               |
+----------------------------------------------------------------------------+

On Wed, 10 May 1995, Dr. Frederick B. Cohen wrote:

> Date: Wed, 10 May 1995 05:19:13 -0400 (EDT)
> From: Dr. Frederick B. Cohen <fc@all.net>
> To: bugtraq@fc.net
> Subject: detecting sniffers is downright easy
> 
> Since so many bugtraq people have pointed out that this is a practical
> list where the distinction between possible and feasible is not
> important and we are only concerned with real-world issues, I thought I
> would mention that detecting sniffers from a real-world point of view is
> downright easy in almost all cases.
> 
> The vast majority of real-world sniffers reported to date are software
> sniffers of one of two varieties:
> 
> 	1 - DOS programs using the network interface in promiscuous mode.
> 	2 - Unix programs modifying OS software to observe packets.
> 
> The total number of (1) programs in widespread use comes to only 10-20
> and is certainly under 100.  Current virus scanning technology makes
> detection of these cases trivial by simply adding patterns for them into
> your existing virus scanning software.  HOWEVER - since bugtraq is ONLY
> concerned with Unix security holes, this is not relevant to this list
> and should be taken elsewhere. 
> 
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique.  This has been widely published for
> over 5 years.
> 
> Thus, not only is detection of all Unix-based real-world sniffers not
> impossible or infeasible, it is downright easy and simple. 
> 
> -- 
> -----------------
> \Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
>  \        /\/   | Check out info-security heaven and test your system
>   \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
>      \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
> -----------------
>    ASIS "Security Management" Articles and Information On-Line
>    Read "Protection and Security on the Information Superhighway"
>    John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
> 
>
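The two positions in the thread, as an added example that is not code from either poster: the first function implements the checksum comparison Cohen recommends (a manifest of known-good digests of OS programs, checked against what is installed); the second implements the host-side check Swanson's caveat calls for, because a sniffer that uses the kernel's built-in promiscuous-mode support changes no file on disk and is invisible to the manifest check. The promiscuous-mode check assumes a Linux host, where the interface flag word is exposed in /sys/class/net/<if>/flags and IFF_PROMISC is bit 0x100; the thread's own example is /dev/nit on BSD-derived systems, which this code does not cover. SHA-256 is used in place of MD5 (the thread says "MD5 or a similar cryptographic checksum"); the manifest entries, file contents and flag words in the demo are constructed.

```python
"""Host-side sniffer checks.  Added example; not code from the thread.

  verify_manifest()        - Cohen's method: compare installed programs
                             with known-good digests.  Catches a sniffer
                             that replaced or patched an OS binary.
  promiscuous_interfaces() - Swanson's caveat: a sniffer using the
                             kernel's own promiscuous mode leaves the
                             file system untouched, so look at the
                             interface flags instead (Linux sysfs layout
                             assumed here; the thread's /dev/nit is not
                             handled).

Both checks only describe the host they run on.  A foreign machine
plugged into the segment, Swanson's second point, is invisible to both.
"""
import hashlib
import os
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of a byte string.  SHA-256 by default; MD5, which the
    thread mentions, is accepted but collisions are practical today."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def read_from_disk(path: str) -> Optional[bytes]:
    """Default loader: file contents, or None if the file is absent."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def verify_manifest(manifest: Dict[str, str],
                    loader: Callable[[str], Optional[bytes]] = read_from_disk,
                    algorithm: str = "sha256") -> List[Tuple[str, str]]:
    """Compare each path in `manifest` (path -> known-good hex digest)
    against what `loader` returns for it.  Returns (path, reason) for
    every file that is missing or whose digest differs."""
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        data = loader(path)
        if data is None:
            findings.append((path, "missing"))
        elif digest(data, algorithm) != expected.lower():
            findings.append((path, "checksum mismatch"))
    return findings


def promiscuous_interfaces(flag_words: Dict[str, str]) -> List[str]:
    """Given {ifname: text of /sys/class/net/<if>/flags}, e.g. '0x1103',
    return the interfaces with IFF_PROMISC set.  Takes the raw text so it
    can be exercised offline."""
    promisc = [name for name, text in flag_words.items()
               if int(text.strip(), 16) & IFF_PROMISC]
    return sorted(promisc)


def read_interface_flags(sysfs_root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect flag words from a live Linux host; empty dict elsewhere."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return {}
    return {p.name: (p / "flags").read_text()
            for p in root.iterdir() if (p / "flags").is_file()}


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run both checks over constructed sample data (not real hosts)."""
    installed = {                       # constructed 'installed' contents
        "/usr/sbin/in.telnetd": b"pristine telnetd",
        "/usr/etc/ifconfig": b"ifconfig with a patch stapled on",
    }
    manifest = {                        # constructed distribution digests
        "/usr/sbin/in.telnetd": digest(b"pristine telnetd"),
        "/usr/etc/ifconfig": digest(b"pristine ifconfig"),
        "/usr/etc/arp": digest(b"pristine arp"),   # not installed at all
    }
    flags = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}
    return verify_manifest(manifest, installed.get), promiscuous_interfaces(flags)


if __name__ == "__main__":
    mismatches, promisc = demo()
    for path, reason in mismatches:
        print(f"manifest: {path}: {reason}")
    print("promiscuous:", promisc or "none")
    live = read_interface_flags()
    if live:
        print("this host, promiscuous:", promiscuous_interfaces(live) or "none")
```

Note what the demo shows: the patched ifconfig and the missing arp are reported by the manifest check, but eth0 in promiscuous mode is reported only by the flag check; the manifest is clean with respect to anything that put eth0 there. Both results still say nothing about a host you do not run the script on.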