From: Stephane CHAZELAS on 20 Mar 2010 06:28

2010-03-20, 01:59(-07), Karthik Balaguru:
[...]
> 1. Sentinel
> Supports 3 methods of remote promiscuous
> detection: The DNS test, Etherping test, ARP test.
> -a arp test, -d dns test, -e icmp etherping test.
> Need to check it out. Has anyone tried this
> out ?

All those methods assume the interface is configured with an IP
address, or that the system supports IP. There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

  sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.

Probably same with

  sudo ip addr flush dev eth0

> 2. neped.c
> http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
> Network Promiscuous Ethernet Detector w.r.t Linux-
> Specifically designed to detect the sniffers that
> use the flaw in Linux TCP/IP Stack !!. I think this
> will not be useful for the kernels in which the
> flaw has been fixed such as kernel 2.2.10 as they
> drop the incoming packets that are not destined
> for this ethernet address.

2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.

--
Stéphane
From: Karthik Balaguru on 20 Mar 2010 21:42

On Mar 20, 3:28 pm, Stephane CHAZELAS <stephane_chaze...(a)yahoo.fr> wrote:
> 2010-03-20, 01:59(-07), Karthik Balaguru:
> [...]
>
> > 1. Sentinel
> > Supports 3 methods of remote promiscuous
> > detection: The DNS test, Etherping test, ARP test.
> > -a arp test, -d dns test, -e icmp etherping test.
> > Need to check it out. Has anyone tried this
> > out ?
>
> All those methods assume the interface is configured with an IP
> address, or that the system supports IP.

Okay. Yeah, I analyzed it and it appears just as you conveyed -
passive sniffers in promiscuous mode (remote) can be detected only
if they are on an interface with a configured IP address!

> There's no need for
> implementing an IP stack to sniff ethernet packets. One can use
> wireshark on an interface that hasn't got any IP address
> configured or that has a firewall rule that prevents it from
> emitting any packet.
>
> sudo iptables -I OUTPUT --out-interface eth0 -j DROP
>
> And that interface will not be detected.
>

:-( Interesting to know that wireshark or other sniffers can be used
on an interface that hasn't got any IP address configured.
But, I wonder what is the advantage/use of running wireshark on an
interface that hasn't got any IP address. In what kind of scenarios
might we need to run wireshark on an interface without an IP address?
Any thoughts?

> Probably same with
>
> sudo ip addr flush dev eth0
>

:-( It appears that there is NO method to detect passive sniffing
unless the sniffer does not take care of things like hiding IP
address / using a proper flawless OS.

> > 2. neped.c
> > http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
> > Network Promiscuous Ethernet Detector w.r.t Linux-
> > Specifically designed to detect the sniffers that
> > use the flaw in Linux TCP/IP Stack !!. I think this
> > will not be useful for the kernels in which the
> > flaw has been fixed such as kernel 2.2.10 as they
> > drop the incoming packets that are not destined
> > for this ethernet address.
>
> 2.2.9 was released in May 1999. I don't expect there to be a lot of
> pre-2.2.10 Linux boxes around nowadays.
>

True that there might not be many systems that use pre-2.2.10 unless
upgraded. So, it is difficult to determine the presence of a sniffer
in networks in such a case.

So, in brief - NO METHOD to detect Passive Sniffing :-(
That is, it seems that unless there is a flaw in the operating system
similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not
possible to determine the presence of sniffers performing passive
sniffing in the network.

Karthik Balaguru
From: Hal Murray on 21 Mar 2010 02:14

> But, I wonder what is the advantage/use of running
> wireshark on an interface that hasn't got any IP address.
> In what kind of scenarios we might need to run wireshark
> on an interface without IP address ? Any thoughts ?

How about running Wireshark while hiding from people who are
trying to find people running Wireshark?

--
These are my opinions, not necessarily my employer's. I hate spam.
From: Karthik Balaguru on 21 Mar 2010 02:35

On Mar 21, 11:14 am, hal-use...(a)ip-64-139-1-69.sjc.megapath.net (Hal Murray) wrote:
> > But, I wonder what is the advantage/use of running
> > wireshark on an interface that hasn't got any IP address.
> > In what kind of scenarios we might need to run wireshark
> > on an interface without IP address ? Any thoughts ?
>
> How about running Wireshark while hiding from people
> who are trying to find people running Wireshark?
>

:-) :-) I had that in mind! But, is it only for that reason?
Are there no other scenarios?

Thx in advans,
Karthik Balaguru
From: Karthik Balaguru on 21 Mar 2010 02:59

On Mar 9, 10:40 pm, Jeff Liebermann <je...(a)cruzio.com> wrote:
> On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
> <karthikbalagur...(a)gmail.com> wrote:
>
> >How to determine the presence of wireshark in a network ?
>
> Look for NIC cards and wireless devices running in promiscuous mode.
>
> >Are there any specific packet types exchanged while it
> >is present in the network so that it can be used to determine
> >its presence in the network .
>
> No. A sniffer is totally passive.
>

Agreed, a sniffer is totally passive!
On analyzing various internet links and also discussions, I understand
that unless the sniffer does not take care of things like hiding IP
address / there is a flaw in the operating system similar to that of
TCP/IP in pre-2.2.10 linux kernel, it is not possible to determine the
presence of sniffers performing passive sniffing in the network.

The option of using IPSec for all intranet traffic appears to be the
main solution against passive sniffing.

Though some OS can restrict that only admins can install certain types
of sniffers, I think that is not enough as sometimes it can be via
admin too. I wonder why the various OS don't support the detection of
sniffers, so that if a user is running one in the network, the OS might
intimate it to the admins? Just eager to know, is it not possible for
the OS to detect a sniffer running on it and intimate it? I think the
various OS (TCP/IP) in a network should be configurable such that if
there is a sniffer running on it, it would be able to intimate a set
of users (admin) in the network. The OS here can be either Linux /
Windows. Are there any such tools already available?

> >Any tool to identify its presence
> >in either Windows or Linux ? Any ideas ?
>
> AntiSniff:
> <http://www.nmrc.org/pub/review/antisniff-b2.html>
> You may have trouble finding this one.
>
> PromqryUI in DOS and Windowfied versions:
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83b....>
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa....>
> Only works for detecting sniffers running on a Windoze system. I
> haven't been able to detect DOS, Linux, or Mac sniffers with these
> tools.
>
> I've also noticed that most casual users of sniffers running on
> laptops like to boot their operating system before firing up their
> sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
> requests before disappearing into promiscuous mode. These initial
> packets can be detected with ArpWatch:
> <http://24h.atspace.com/it/security/arpwatch.htm>
>
> The problem is not identifying the presence of the sniffer, it's
> identifying which machine is actually doing the sniffing. The MAC
> address is a clue, but given the ease of MAC address spoofing, that
> information is often useless. Even if I delivered the MAC address on
> a silver platter, identifying which one of the potentially hundreds of
> similar computers in the room or building might be difficult.
>
> --

Thx in advans,
Karthik Balaguru
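The thread concludes that a passive sniffer cannot be found from across the network once its interface has no IP address or an outbound DROP rule, and Karthik asks whether the OS itself could at least report a sniffer running on it. On Linux the host-side answer to Jeff's "look for NIC cards running in promiscuous mode" is local and does not depend on IP at all: the kernel keeps a per-interface promiscuity counter (shown by `ip -d link show` as `promiscuity N`) that packet sockets increment when they request promiscuous capture, as libpcap-based tools such as Wireshark do, and it logs every transition ("device eth0 entered promiscuous mode" / "left promiscuous mode"). The PROMISC flag in the angle-bracket flag list only reflects an administrative `ip link set ... promisc on`, so the counter is the signal that catches sniffers. The script below is an added example, not code from this thread or from any of the tools it names; the `ip -d link show` output and kernel log lines are constructed samples with placeholder MAC addresses, and the newer `eth0: entered promiscuous mode` log wording is an assumption handled alongside the older `device eth0 ...` form.

```python
"""Host-side audit for Linux interfaces in promiscuous mode (added example).

Two independent signals are checked:
  * `ip -d link show` prints a per-interface `promiscuity N` counter (the
    kernel's dev->promiscuity), which packet sockets bump when they ask for
    promiscuous capture. The PROMISC flag in the <...> list only appears when
    the mode was set administratively, so both are inspected.
  * the kernel logs "device eth0 entered promiscuous mode" and
    "device eth0 left promiscuous mode" on each transition; the newer
    "eth0: entered promiscuous mode" wording is assumed and accepted too.
"""
import re
import subprocess
from typing import Dict, Iterable, List

# Interface header line, e.g.
#   "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ..."
# Group 1 is the name (a "@if5" peer suffix is dropped), group 2 the flag list.
_HEADER_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
# Detail line carrying the counter, e.g. "    link/ether ... promiscuity 1 ..."
_COUNTER_RE = re.compile(r"\bpromiscuity\s+(\d+)\b")
# Kernel log transitions in both the older ("device X ...") and newer ("X: ...") form.
_KLOG_RE = re.compile(
    r"(?:device\s+(\S+)\s+|(\S+):\s+)(entered|left)\s+promiscuous\s+mode")


def parse_ip_link(output: str) -> Dict[str, dict]:
    """Map interface name -> {"promiscuity": int, "flag": bool} from `ip -d link show` text."""
    result: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            current = m.group(1)
            flags = m.group(2).split(",")
            result[current] = {"promiscuity": 0, "flag": "PROMISC" in flags}
            continue
        m = _COUNTER_RE.search(line)
        if m and current is not None:
            result[current]["promiscuity"] = int(m.group(1))
    return result


def promiscuous_from_ip_link(output: str) -> List[str]:
    """Interfaces whose counter is non-zero or whose PROMISC flag is set."""
    info = parse_ip_link(output)
    return sorted(n for n, v in info.items() if v["promiscuity"] > 0 or v["flag"])


def promiscuous_from_klog(lines: Iterable[str]) -> List[str]:
    """Replay enter/left transitions from kernel log lines; return interfaces still in the mode."""
    active = set()
    for line in lines:
        m = _KLOG_RE.search(line)
        if not m:
            continue
        iface = m.group(1) or m.group(2)
        if m.group(3) == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return sorted(active)


def audit_live_host() -> List[str]:
    """Run `ip -d link show` on this host and report interfaces in promiscuous mode."""
    proc = subprocess.run(["ip", "-d", "link", "show"],
                          capture_output=True, text=True, check=True)
    return promiscuous_from_ip_link(proc.stdout)


# Constructed sample output (not captured from a real host; MACs are locally
# administered placeholders). eth0 has a packet socket capturing promiscuously,
# eth1 was put into the mode administratively, lo and veth0 are clean.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode eui64 numtxqueues 1 numrxqueues 1
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: veth0@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 addrgenmode eui64 numtxqueues 1 numrxqueues 1
"""

# Constructed kernel log lines: eth1 entered and left again, eth0 and wlan0 are still in the mode.
SAMPLE_KLOG = [
    "[  120.001] device eth0 entered promiscuous mode",
    "[  300.002] device eth1 entered promiscuous mode",
    "[  301.003] device eth1 left promiscuous mode",
    "[  900.004] wlan0: entered promiscuous mode",
]

if __name__ == "__main__":
    print("sample ip -d link:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("sample kernel log:", promiscuous_from_klog(SAMPLE_KLOG))
    print("this host:", audit_live_host())
```

Run periodically (or feed the kernel log half from journald/syslog into a monitoring pipeline), this gives the admin notification Karthik describes for machines they control. It does nothing for an untrusted laptop plugged into the segment, which is why the thread's conclusion about encrypting intranet traffic still stands.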