Detecting a packet sniffer on an IPV6-enabled Linux system
Posted on Monday, February 28 @ 17:22:48 CET
Topic: Reseaux
Almost everything that you ever wanted to know about packet sniffers can be found in the Sniffing FAQ [http://www.robertgraham.com/pubs/sniffing-faq.html]. Here I will just focus on the following point: sniffer detection on an IPV6-enabled Linux system.
What is a packet sniffer?

A packet sniffer is a program or a device that eavesdrops on the network traffic. Sometimes such wiretaps are carried out by the network administration for beneficial purposes (like intrusion detection, performance analysis, ...). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network. Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp.

How can I detect a packet sniffer?

To be useful for an intruder, a packet sniffer must put the network interface into promiscuous mode. That means that while normally it will receive only packets addressed to itself, in promiscuous mode it will listen to all packets on the wire, including packets that are sent from other hosts to other hosts (if they pass through the wire where the interface is listening). Obviously, the preferred method to detect a sniffer would be to check whether the network interface is in promiscuous mode. So I started ntop [http://www.ntop.org/], and found in my log files the following entry:

    kernel: device eth0 entered promiscuous mode

Of course, an intruder would just delete that line, so I went on to detect that the device is in promiscuous mode.

Failed: ifconfig -a

Invariably, the first advice is to use ifconfig -a, which should, among other device flags, print out the PROMISC flag, like this:

    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

Unfortunately, in the output of ifconfig -a, there was no such flag! The respective line was:

    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Failed: cpm

cpm [ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/cpm/] is a simple tool to determine whether an interface is in promiscuous mode. I needed to comment out the following two lines in cpm.c:

    #include
    #include

Then it compiled fine. Unfortunately, it did not detect the promiscuous state of the network interface.

Failed: ifstatus

ifstatus [ftp://andrew.triumf.ca/pub/security/ifstatus2.0.tar] is another small utility to detect a promiscuous interface. It compiled fine, but again, this tool did not detect the promiscuous state of the network interface.

Failed: chkrootkit

chkrootkit [http://www.chkrootkit.org/] is a popular utility to detect rootkits, and includes a check to detect whether a network interface is in promiscuous mode. It seemed to detect the promiscuous mode:

    PROMISC mode detected in one of these interfaces: eth0 sit0

However, upon closer inspection, I discovered the following: detection is done by (a) the included ifpromisc utility, and (b) a small shell script fragment in the chkrootkit main script. Method (a) always failed, and method (b) always claimed that the interface was in promiscuous mode, regardless of whether it was or not. Obviously, chkrootkit too was completely useless.

Inconclusive: sentinel

sentinel [http://www.packetfactory.net/Projects/sentinel/] is a tool for the remote detection of a sniffer, i.e. of a network interface in promiscuous mode. It provides several different tests. Some of them had consistently negative results, others had consistently positive results for machines where no sniffer was running. If this is useful at all, it would require extensive testing to find out which of the provided tests would reliably detect a sniffer.

Inconclusive: sniffdet

sniffdet [http://sniffdet.sourceforge.net/] is another tool for the remote detection of a sniffer, and apparently has the same problems as sentinel.

Works: kstat 1.1-2

kstat (v1.1-2) [http://www.s0ftpj.org/en/site.html] is a swiss-army knife to check for kernel rootkits. It collects information directly from the kernel (by reading from /dev/kmem) and was the only tool that correctly and reliably determined whether the interface is in promiscuous mode or not. The only minor drawback is that it did not compile out-of-the-box; I needed to comment out some of the tests in src/netproto.c, and also needed to fix a line in the Makefile:

    $(CC) -c $(SRC)knull.c

should be

    $(CC) -I/lib/modules/`uname -r`/build/include -c $(SRC)knull.c

Works: ifstat

ifstat is (only) that part of kstat (see above) that checks for promiscuous mode of a network interface. It has been modified to compile as a standalone application, and also to check all interfaces automatically if no specific one is given as a command line argument.

Works: /sbin/ip

ip, called as ip link show, will show the PROMISC flag if the interface is in promiscuous mode:

    eth0: mtu 1500 qdisc pfifo_fast qlen 100

So what was/is the problem?

Upon inspection of the kstat source and the source of some other tools, it seems that for IPV6 the PROMISC flag is handled differently, and stored in another place, than for IPV4. It looks as if most tools are only suitable for IPV4, and are not capable of detecting a promiscuous network interface if an IPV6-enabled sniffer is used on a system with an IPV6-enabled kernel.
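As an added example (not a tool from this article, nor part of kstat or chkrootkit), here is a small checker that reads the kernel's interface flags word from sysfs, decodes the IFF_PROMISC bit (0x100 in linux/if.h), and cross-checks it against the flags printed by ip -o link show, the method the article found to work. It assumes a 2.6-or-later kernel that exposes /sys/class/net/<if>/flags and an iproute2 ip binary; the ip output in the test is constructed.

```python
"""Added example: list interfaces with IFF_PROMISC set, via sysfs and via ip(8)."""
import os
import re
import subprocess

# Flag bits from <linux/if.h>; only the ones worth printing are listed.
IFF_FLAGS = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x40: "RUNNING",
             0x100: "PROMISC", 0x200: "ALLMULTI", 0x1000: "MULTICAST"}

def decode_flags(hex_text):
    """Turn the text of /sys/class/net/<if>/flags (e.g. '0x1103') into flag names."""
    value = int(hex_text.strip(), 16)
    return {name for bit, name in IFF_FLAGS.items() if value & bit}

def read_sysfs_flags(root="/sys/class/net"):
    """Map every interface under sysfs (assumed layout) to the raw text of its flags file."""
    table = {}
    for ifname in os.listdir(root):
        path = os.path.join(root, ifname, "flags")
        if os.path.isfile(path):
            with open(path) as fh:
                table[ifname] = fh.read()
    return table

def promisc_from_flag_table(table):
    """Interfaces whose kernel flags word has IFF_PROMISC set, sorted by name."""
    return [n for n, hx in sorted(table.items()) if "PROMISC" in decode_flags(hx)]

# One record per line as printed by `ip -o link show`: "2: eth0: <FLAG,FLAG,...> mtu ..."
IP_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")

def promisc_from_ip_output(text):
    """Parse `ip -o link show` output and return the interfaces flagged PROMISC."""
    found = []
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found

if __name__ == "__main__":
    # Two independent views of the same kernel state; a mismatch is worth a closer look.
    print("sysfs says PROMISC on:", promisc_from_flag_table(read_sysfs_flags()))
    ip_out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True,
                            text=True, check=True).stdout
    print("ip(8) says PROMISC on:", promisc_from_ip_output(ip_out))
```

Run it as root or not; both sysfs and ip -o link show are readable by any user, so the check can be scheduled from an unprivileged monitoring account.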

 
Liens connexes
· Plus à propos de Reseaux
News submitted by Romain_Le_Guen


L'article le plus lu à propos de Reseaux:
Examination des méthodes de scan port - Analyse des Techniques d'Audit


Article Rating
Average Score: 0
Votes: 0

Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad


Options

 Format imprimable Format imprimable


PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.60 Seconds