Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux
From: Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
Date: Sat, 20 Mar 2010 13:04:45 +0530
On Fri, Mar 19, 2010 at 5:07 AM, ronnie sahlberg
<ronniesahlberg@xxxxxxxxx> wrote:
> Yes, the tools can sometimes be used to detect network cards in
> promisquous mode.
>
> Sometimes.
>
> In general, it is impossible to detect if someone on the network runs
> a sniffer or not.
> You can sometimes detect when someone is in promiscuous mode,

I have been searching for these tools. I did come across other tools that
help in detection of a system in promiscuous mode such as the following -

1. Sentinel
  ( Supports 3 methods of remote promiscuous detection: The DNS test,
   Etherping test, ARP test. -a arp test, -d dns test,-e icmp etherping test.)

2. neped.c - http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
    ( Network Promiscuous Ethernet Detector w.r.t Linux - Specifically designed
     to detect the sniffers that use the flaw in Linux TCP/IP Stack !!
. I think this
     will not be useful for the kernels in which the flaw has been
fixed such as
     kernel 2.2.10 as they drop the incoming packets that are not destined for
     this ethernet address. )

3. promisc.c - http://seclists.org/nmap-hackers/1999/att-271/promisc_c.bin
   (Similar to "ifconfig -a|grep PROMISC". Determines the m/c on which it is
   run is in promisc mode - This does not help in remote machine detection :-( )

4. ifstatus - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ifstatus-4.0.tar.gz
    (Checks and reports the network interfaces on  the  system reports
any that are
      in debug or promiscuous mode - Not suitable for remote sniffer
detection :-( )

5. Antisniff - An equally interesting 'Anti-Antisniff Sniffer' !
    (So antisniff appears that it be tricked out if kernel 2.2.10 is used or
    if DNS lookup test is avoided or if the sniffing is not done above
an average
    network traffic)

I am Not sure if Sentinel helps in detection of remote promiscous mode
even in the case of linux kernel 2.2.10 ! ?

> but then again, this is trivial to hide as well.
>

But, is it easy to escape from the above tools too ?

>
> Anyone that suspects you may be monitoring for a sniffer on the
> network can trivially hide that the nic is in promiscuous mode.

:-(

> For example, that detection of Linux mentioned previously can be
> "fixed" by adding a simple IPTABLES rule to the host before starting
> the sniffer :
>
> iptables -I OUTPUT -o * -j DROP
>
>
> Run this before you start the sniffer and no one will ever be able to
> detect that you run a sniffer remotely.
>
>

:-(

I did come across another interesting info that states that Linux kernel 2.2.10
drops the incoming packets that are not destined for this Ethernet address.
So, the Sniffers running on that kernel will not be detected :-(

But, is it really good or bad to have a linux kernel that drops
packets that are not destined for that ethernet address. Are there
too many drawbacks that outweigh the advantages due to the
presence of such weakness in linux TCP/IP stack ?
Isn't prevention of sniffing more important ?

>
> If you have a problem with users in your network running sniffers and
> using this to gain access to data they shouldnt have access to
> you have bigger problems than just the presence of sniffers.
>
> Perhaps making IPSEC mandatory for all your intranet traffic and have
> all switches / routers drop all non-ipsec ip traffic is a solution ?
> They can then still sniff   and you cant detect them,  but they cant
> make sense of any of the data they sniff.
>

Yeah, i think IPSec is a better choice.

>
> regards
> ronnie sahlberg
>
>
>
>
> On Tue, Mar 16, 2010 at 11:08 PM, Karthik Balaguru
> <karthikbalaguru79@xxxxxxxxx> wrote:
>> On Tue, Mar 16, 2010 at 3:37 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
>>> Hi
>>> None of them supports detecting a sniffer, they all detect that the network
>>> card is in promiscous mode.
>>
>> :-( :-(
>>
>>> That a network card is in promiscous mode only means that there is a chance
>>> of that machine could be used as a sniffer, but it is not the same as it is
>>> a sniffer device.
>>
>> Okay !
>> But do these tools help in determination of the presence of a network
>> card in promiscous mode w.r.t Windows also ?
>>
>>> To find sniffers and such you would have to run a software inventory program
>>> that checks out what software does exist in the machines.
>>> Then you can say: "ok we have found sniffer software on the machines".
>>> The different tools do different things so do a search for them and se wich
>>> one/ones would help you find out what you want.
>>
>> Karthik Balaguru
>>
>>
>>>
>>> 2010/3/16 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>>>
>>>> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
>>>> > As far as i know there is no way to detect a sniffer in a network,
>>>> > however
>>>> > there are some ways that can detect network cards in promiscuous mode,
>>>> > tools
>>>> > for this could be antisniff, neped, promgryui, sniffer-detect and so on.
>>>> > They all do NOT detect a sniffer "per se", they detect that a network
>>>> > card
>>>> > is in promiscuous mode wich is a strong indicator that there is a
>>>> > sniffer.
>>>>
>>>> Thx for your reply.
>>>> antisniff, neped, promgryui, sniffer-detect - Do they support
>>>> detection of sniffer
>>>> in both windows and linux ? Thought of checking it with you before
>>>> actually
>>>> going in for analyzing those. Any ideas ?
>>>>
>>>> > This does not however show the sniffers used with SPAN or RSPAN ports in
>>>> > switches since those ports are shutdown for outgoing traffic from the
>>>> > sniffer and only mirrors the traffic on the ports choosen.
>>>> >
>>>> > HTH
>>>> > Hobbe
>>>> >
>>>> > 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>>> >>
>>>> >> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>>> >> >
>>>> >> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>>>> >> >
>>>> >> >> How to determine the presence of wireshark in a network ? Are there
>>>> >> >> any specific packet types exchanged while it is present in the
>>>> >> >> network
>>>> >> >> so that it can be used to determine its presence in the network ?
>>>> >> >> Any
>>>> >> >> specific tool to identify its presence in either Windows or Linux ?
>>>> >> >
>>>> >> > There is no Wireshark-specific network protocol that it and only it
>>>> >> > uses.
>>>> >> >
>>>> >> > If you do a Web search for
>>>> >> >
>>>> >> >        detecting sniffers
>>>> >> >
>>>> >> > you can find some techniques that, although not *guaranteed* to find
>>>> >> > programs that capture network packets, such as Wireshark (and tcpdump
>>>> >> > and
>>>> >> > snoop and Microsoft Network Monitor and NetScout Sniffer and
>>>> >> > WildPackets
>>>> >> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those
>>>> >> > programs on
>>>> >> > a network.  For example:
>>>> >> >
>>>> >> >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>>>> >> >
>>>> >> > says
>>>> >> >
>>>> >> >        How to detect other sniffers on the network
>>>> >> >
>>>> >> >        Detecting other sniffers on other machines is very difficult
>>>> >> > (and
>>>> >> > sometimes impossible). But detecting whether one of the Linux
>>>> >> > machines is
>>>> >> > doing the sniffing is possible.
>>>> >> >        This can be done by exploiting a weakness in the TCP/IP stack
>>>> >> > implementation of Linux.
>>>> >> >        When Linux is in promiscuous mode, it will answer to TCP/IP
>>>> >> > packets sent to its IP address even if the MAC address on that packet
>>>> >> > is
>>>> >> > wrong (the standard behavior is that packets containing wrong MAC
>>>> >> > address
>>>> >> > will not be answered because the network interface will drop them).
>>>> >>
>>>> >> Interesting to know that Linux TCP/IP stack implementation answers to
>>>> >> TCP/IP packets even if the MAC address on that packet is
>>>> >> wrong(Promiscuous mode). But, Is this made intentionally in Linux to
>>>> >> be different from standard behavior in helping the determination of
>>>> >> presence of sniffer in network ? Any thoughts ?
>>>> >>
>>>> >> >        Therefore, sending TCP/IP packets to all the IP addresses on
>>>> >> > the
>>>> >> > subnet, where the MAC address contains wrong information, will tell
>>>> >> > you
>>>> >> > which machines are Linux machines in promiscuous mode (the answer
>>>> >> > from those
>>>> >> > machines will be a RST packet)
>>>> >> > While this is far from being a perfect method, it can help discover
>>>> >> > suspicious activity on a network.
>>>> >> >
>>>> >>
>>>> >> Thx in advans,
>>>> >> Karthik Balaguru
>>>> >>
>>>> >>
>>>> >> ___________________________________________________________________________
>>>> >> Sent via:    Wireshark-users mailing list
>>>> >> <wireshark-users@xxxxxxxxxxxxx>
>>>> >> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>> >>
>>>> >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>> >
>>>> >
>>>> >
>>>> > ___________________________________________________________________________
>>>> > Sent via:    Wireshark-users mailing list
>>>> > <wireshark-users@xxxxxxxxxxxxx>
>>>> > Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>> >
>>>> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>> >
>>>>
>>>> Thx in advans,
>>>> Karthik Balaguru
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>

Karthik Balaguru