● how to detect sniffer(1) - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: hellsolaris (qq), 信区: Security
标  题: how to detect sniffer(1)
发信站: 荔园晨风BBS站 (Sat Oct 25 18:18:26 2003), 站内信件

鉴于网络安全防范的脆弱，我想先抛开黑客定义的话题，转而讨论网络安全。
虽然以往的文章很多，但对于抓包软件的介绍却不尽人意。一个大家都知道的
事实是：抓包程序(SNIFFER) 在理论上是不能被检测及预防的。这对入侵者来
说，简直是天大的喜事。控制一个网段中的一台机器，你就可以用SNIFFER 偷
来的口令控制整个网段，如果其他用户没有过分小心的话。总线网的链路层协
议竟然如此不堪一击。买SWITCH固然是一个方案，就是有点费。真的没有别的
办法吗？

粗看起来，这是个是非判断题，能或者不能必居其一。但实际上并不那么简单，
这不是是非判断，也不是见仁见智的问题，理论上不能检测和实际上不能检测
还存在一些差距。UNIX的口令理论上是无法在有效时间内破解的，但实际上现
在的口令破解软件功能相当强，为什么？口令理论上的复杂度与实际上并不相
称。就象SNIFFER 理论上可以不具有的行为特征实际上却不因为容易实现而保
留。一个消去痕迹的SNIFFER 不能被检测到，但一个忘了消去痕迹的SNIFFER
总可以吧。为此，葡萄在INTERNET上引发了一轮讨论，没想到结论出人意料的
复杂。

How can I detect if there is a sniffer running on my local subnet?

Quan Nguyen:
You can never detect a sniffer. The only way is to prevent it to see
all the traffic by installing an ethernet switch.

Zuk, Allen:
you can't tell if there is a sniffer running on the network unless
you know for a hard absolutre fact that no one has connected one to
the network, espacially hard for one that may be remotely connected,
including pc's that are running nic's in promisciuos mode.

batz:
Phrack 54 has a good article on sniffer evasion and detection.
the one I remember best was running tcpdump on a 'safe' machine
on the segment, telnetting somewhere off the network and see if
you see any other hosts on your network doing lookups for the
remote host you are connecting to. Most sniffers don't hide that
they are attempting to resolve the ip addrs that they are logging
connections to/from.

David Lang:
of course if the person setting up the sniffer takes a couple extra
min to set the speed of the card manually and then snipps the
transmit wires on the cable to that interface you will not detect
it anyway :-)

Piete Brooks:
As I remember, you can do something like sending a packet to an
incorrect MAC address (so it should be seen by no hosts) with data
which solicit a reply of some type, and see which hosts reply.

Of course, a *real* sniffer would have the transmit wires snipped,
so you would not see it ...

Chris Brenton:
This is about as close as you can get. If we are talking a software
based sniffer that is running on a known OS, you have a chance of
detecting it. Your other possibilities are to find hub ports that you
know should be inactive, switch ports that have been setup as a
monitor, etc. There was also a good hint that was passed along on
this list to watch DNS queries in case the sniffer is trying to
resolve host names. Keep in mind that these are all indirect
methods of figuring out if your network is being monitored.

It is more than possible to run a sniffer on a network and have it be
100% undetectable. You are talking about a passive device, something
that listens to all network traffic without actually generating any
traffic itself. Heck, the device does not even need a network address
or a MAC address meaning that it can be completely invisible from OSI
layers 2 and up. This means that if a savvy attacker is able to gain
access to your physical network, they are more than capable of
grabbing traffic and going undetected.

Benny Amorsen:
The classic trick is to cut the TX wire. That makes it rather hard to
detect the sniffer.

Chris Brenton:
I've heard this...and have tried it myself. I've found that if the Tx
pair is cut, most hubs/switches will not initialize the port. If the
port does not initialize, you obviously can not monitor anything. ;)

You can however fray the Tx pair so that a voltage is still passed but
inductance is high enough to chop any signal pulses. Of course you need
to be using stranded twisted pair wiring in order to get this to work.
It also takes a lot of work to make a functional cable.

Rich Schaller:
Yes, this is true if you have the opportunity or access to the wiring
closet or hub device.  However, what if you managed to find a cable
run and run a network analyzer on the pairs to find the correct
recieve pair.  Tap into that and wham, you are listening.  You would
then be tapping into another already established segment.  As long as
you kept the cable short, you would go undetected.

This is beyond the conventional hacker, but I've seen it done.

Bennett Todd:
I seem to recall the trick was something like "send a ping or some
such to the broadcast IP address with a specific, non-broadcast
ethernet address". While it won't catch the truly stealthy sniffer
with no transmit pin connected, or even a specialty customized
sniffer from the network drivers up, it _will_ get a ping back from
general-purpose OSes that have an interface in promiscuous mode, and
won't be seen by hosts whose interfaces are not in promisc.

Marc:
I found this solution one year ago and posted it on the mailing list,
so it should be in the archives. However, it does not work with
Solaris, AIX or a BSD I tested. Linux was the only one that nice.
I hear that this was fixed in the kernel 2.0.36 but I don't think so.
Either way, there are other possibilities ;-)

don't waste your money on a "commercial" program for this (I've never
seen one though) if you want to use this fake-arp solution. It's
really easy:

Example: (1.1.1.1 is the linux host you want to check for a sniffer)

# arp -s 1.1.1.1 01:01:01:01:01:01
# ping 1.1.1.1

if you get a ping reply, it's ethernet card is in promisc mode.
you can also do similar things with ipsend (in the ip_filter package)
or casl.

Oliver Enzmann:
It's sufficient to leave an interface unconfigured without
an IP address on most Unix boxes. No IP address, no ARP replies
and therefore no way to detect your MAC address. You will still
be able to snoop on the wire as promiscuous mode works independent
of IP addresses being configured on the interface or not.

......

够了，现在大家明白了，到底能不能检测？这个问题就象在问：“UNIX到底能
不能被黑？”  结论是：理论上，精心构造的SNIFFER 不能被检测到；实际上
可以，只要你比对手更加高明。

--
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.44.223]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店