Article: Stealthful Sniffing, Intrusion Detection and Logging


micael
September 23rd, 2002, 09:05 AM
Stealth is a subject I do like, and this article opened my eyes in many ways. Stealth is a fascinating subject, and it's now soon time for me to go home from work and play with my new toy, a stealth IDS :).

~micael

Source: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging (http://www.linuxjournal.com/article.php?sid=6222)

Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.

In a column about syslog I mentioned "stealth logging"--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection system (NIDS) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.

Read the full article here. (http://www.linuxjournal.com/article.php?sid=6222)

Terr
September 24th, 2002, 08:39 AM
Soooo... Basically it involves a computer without an assigned IP which sniffs out data targeted to its 'supposed' IP, making a one-way transfer of data, effectively isolating the sniffing machine... cool. :)

If you had a promiscuous-mode-checker utility... would it pick up the MAC address of the sniffing computer even if the computer was 'stealthed'?

micael
September 24th, 2002, 10:09 PM
If you had a promiscuous-mode-checker utility... would it pick up the MAC address of the sniffing computer even if the computer was 'stealthed'?

Hmm, hard question. I would like to say yes, it should be possible to pick up the MAC address. But I'm not 100% sure and will have to check into it and see what I can find out. Thanks for the suggestion/question :).

~micael

slarty
September 24th, 2002, 11:58 PM
A "stealthed" machine - one with an interface "up" but not bound to IPv4 (or any other protocols) - will be entirely invisible. It does not look for packets destined for its "supposed IP", as it has no "supposed IP". It looks for packets destined for other machines on the network with real IPs.

Such machines will not respond to ARP packets (or indeed any other packets) - they do not have IP addresses (hence can't be pinged), do not have IPX addresses etc., and do not respond to any type of broadcast or any other packet.

AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.

I have personally run a stealthed machine and happily watched the "packets received" counter in /sbin/ifconfig go up while "packets transmitted" stays bolted at zero.

One thing that *might* give away the existence of such a machine would be outgoing DNS requests, but determining this would be very difficult. Also, most IDSs do not do realtime DNS resolution for performance reasons.

If you run a stealth IDS and need it to do DNS requests, obviously those need to go via an alternative interface, probably with a firewall and/or DNS cache between it and the network it's sniffing (if it even goes out via the same route at all).

Nevertheless, in theory, an attacker who has compromised a machine on the same segment as this IDS and also set it into promiscuous mode (so it sees the same traffic) could send an attack which is detected, then watch for an outgoing reverse DNS request for his IP.

That could make the IDS detectable, however the attacker could not possibly know the identity of this machine, as its other interface (i.e. the only one with a real private IP) is sitting behind another firewall and sending its DNS requests out via an intermediate DNS.
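The "promiscuous-mode checker" Terr asked about is, in the classic form, an ARP request sent to a bogus near-broadcast MAC (ff:ff:ff:ff:ff:fe): a NIC that is not promiscuous drops the frame in hardware, while a promiscuous host passes it up to the kernel, which answers if the target IP is its own. The following is an added example written for this thread, not code from the article or from any poster. It builds that probe, parses a reply, and models the probed host's behaviour offline (simulate_host is a constructed stand-in for a real stack, not a real one, and the MACs and IPs are made up) so you can see why the check needs a target IP and therefore never finds a host that has none:

```python
"""Offline model of the bogus-MAC ARP promiscuous-mode check and why it
cannot detect a sniffer whose interface has no IP address."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# "Almost broadcast": hardware MAC filters drop it, but a NIC in promiscuous
# mode delivers it to the kernel, whose ARP code answers if the target IP
# is one of its own.
FAKE_BCAST = bytes.fromhex("fffffffffffe")


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(o) for o in s.split("."))


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=FAKE_BCAST):
    """Ethernet II frame (42 bytes) carrying an ARP who-has for target_ip."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # ethernet/IPv4, request
           + src_mac + src_ip + b"\x00" * 6 + target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if frame is None or len(frame) < 42:
        return None
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": dst, "src": src, "op": op,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def probe_for(target_ip, src_mac, src_ip):
    """The checker must name an IP to ask about. No IP, nothing to probe."""
    if target_ip is None:
        return None
    return build_arp_request(src_mac, src_ip, ip4(target_ip))


def classify_reply(probe, reply):
    """'promiscuous' if a bogus-MAC probe was answered, 'normal' if a true
    broadcast probe was answered, otherwise 'no-reply' / 'unrelated'."""
    p, r = parse_arp(probe), parse_arp(reply)
    if p is None or r is None or r["op"] != 2:
        return "no-reply"
    if r["spa"] != p["tpa"] or r["tpa"] != p["spa"]:
        return "unrelated"
    return "promiscuous" if p["dst"] == FAKE_BCAST else "normal"


def simulate_host(frame, host_mac, host_ip, promisc):
    """Constructed model of a probed host: returns its ARP reply or None.
    Multicast filtering is left out for brevity."""
    req = parse_arp(frame)
    if req is None or req["op"] != 1:
        return None
    # Hardware filter: only own MAC or true broadcast unless promiscuous.
    if not promisc and req["dst"] not in (host_mac, BROADCAST):
        return None
    # A stealth interface has no IP, so the ARP code never matches tpa.
    if host_ip is None or req["tpa"] != host_ip:
        return None
    eth = req["src"] + host_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + host_mac + host_ip + req["sha"] + req["spa"])
    return eth + arp


if __name__ == "__main__":
    me, my_ip = mac("02:00:00:00:00:01"), ip4("10.0.0.1")
    probe = probe_for("10.0.0.50", me, my_ip)
    for label, hmac, hip, pr in [
        ("normal host", mac("02:00:00:00:00:50"), ip4("10.0.0.50"), False),
        ("promisc host", mac("02:00:00:00:00:50"), ip4("10.0.0.50"), True),
        ("stealth sniffer", mac("02:00:00:00:00:99"), None, True),
    ]:
        print(label, "->", classify_reply(probe, simulate_host(probe, hmac, hip, pr)))
```

On a real segment the probe is sent with a raw socket and the reply is captured the same way; the model above only replaces the wire. The stealth case never produces a frame at all, which is slarty's point: the checker has no IP to name, and a host with no IP has nothing to answer for.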

micael
September 25th, 2002, 12:00 AM
I did send an email to the author of the article and asked if it would be possible to detect a "stealth sniffer" with a promiscuous-mode-checker utility.

The answer is that, with a little knowledge and a few modifications, it is possible to make the "stealth sniffer" almost totally undetectable on the network. The switch or hub it's connected to may detect and cache its hardware address, and reveal information like the brand/name of the NIC.

~micael

slarty
September 25th, 2002, 12:24 AM
Only switches normally cache mac addresses, and we connected our IDS to a hub not a switch.

The reason is that connecting the IDS to a switch will prevent it from being able to sniff anything unless you have a fancy expensive switch which has a "monitor port" option on it - and this is a small segment in the front of our networks which has only a few boxes on it (routers and firewalls).

Also, how can a switch cache a mac address it never observes on the network? If correctly set up a stealth sniffer never sends packets through its stealth interface.

micael
September 25th, 2002, 07:42 AM
Sorry slarty,

My answer was a little bit confusing, but my English is far from perfect. And the answer is not about your network or setup; the comments are about the article.

The switch or hub the stealth sniffer is connected to may detect and cache its hardware address, and reveal information like the brand/name of the NIC. A network administrator may also see that something is connected to a port on the switch which does not generate any traffic.

The answer to Terr's question is that, with a little knowledge and a few modifications to the sniffer in the original article, it is possible to make it almost totally undetectable on the network. And with a few more modifications, totally undetectable.

~micael

Terr
September 25th, 2002, 08:31 AM
Well... not entirely... I would venture to say that a correctly equipped hub/switch might be able to figure out when there is a device at the other end of the wires through various physical means. (Think of cable-testing equipment...)

At least compromised and then stealthed machines aren't too much of a problem on switches, since traffic is not routed to them, and they would need an additional interface in order to spoof ARP packets and transfer data for a man-in-the-middle attack.

str34m3r
February 1st, 2003, 09:26 PM
We do this sort of thing all the time at work, so I've played with it some. The hub or switch that you plug the IDS into will know that there is something connected on the other end of the cable, but doesn't have to know what. This is due to the nature of ethernet. Most hubs/switches sold today only send a signal down the wires that it knows are connected to something. The hub/switch knows something is connected on the other end of the wire because every piece of ethernet hardware generates what is known as a heartbeat through its pair of 'transmit' wires. If the hub/switch doesn't hear the heartbeat, it assumes that nothing is on the other end and doesn't transmit down that set of wires.

However, just because the hub/switch hears the heartbeat and knows that something is there doesn't mean that it knows anything about what is sitting on the other end. An up-to-date linux box connected to a hub/switch with no IP address is entirely undetectable from a network traffic point of view. The only indicator is the little light on the hub/switch front panel.

Contrary to what the author said, the hub/switch cannot possibly know the system's hardware address because the machine does not respond to any traffic - even arp traffic. Now, some early versions of the linux kernel responded to arp requests, and this might be what the author was referring to, but that hasn't been a problem since the 2.0 kernel.
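The claims above (no address, no ARP answers, a transmit counter that never moves) are exactly what you should verify before trusting a sniffing interface, and "up-to-date" now also means keeping the kernel from autoconfiguring an IPv6 link-local address, which it would announce with neighbor-discovery and MLD frames. The script below is an added example written for this thread, not from the article or any poster. It lists the iproute2/sysctl commands that bring an interface up with no protocol bindings, then checks /proc/net/dev, `ip addr show` and /sys/class/net/IFACE/flags for the telltales; the interface name eth1, the counters and the address samples are constructed, and read_live() only works on a Linux box with iproute2.

```python
"""Verify that a sniffing interface really is silent: no IPv4/IPv6 address,
ARP disabled, and a transmit counter that stays put while receive moves.
Parses constructed samples offline; read_live() gathers the same inputs
from a running Linux system."""
import re
import subprocess
import time

# Bits from <linux/if.h>, as exposed in /sys/class/net/<iface>/flags
IFF_UP, IFF_NOARP, IFF_PROMISC = 0x1, 0x80, 0x100


def stealth_up_commands(iface):
    """argv lists that bring an interface up with no address, ARP off, and
    IPv6 disabled so the kernel never autoconfigures fe80::/64 and chatters."""
    return [
        ["ip", "link", "set", "dev", iface, "up"],
        ["ip", "addr", "flush", "dev", iface],
        ["ip", "link", "set", "dev", iface, "arp", "off"],
        ["sysctl", "-w", f"net.ipv6.conf.{iface}.disable_ipv6=1"],
    ]


def parse_proc_net_dev(text):
    """/proc/net/dev -> {iface: (rx_packets, tx_packets)}. After the colon
    come 8 receive counters then 8 transmit counters; packets are field 2
    of each group."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        f = rest.split()
        if len(f) >= 16:
            out[name.strip()] = (int(f[1]), int(f[9]))
    return out


def addresses(ip_addr_show_text):
    """IPv4 and IPv6 addresses listed by `ip addr show dev IFACE`."""
    return re.findall(r"^\s+inet6?\s+(\S+)", ip_addr_show_text, re.M)


def assess(iface, proc_before, proc_after, ip_addr_text, flags_hex):
    """Return a list of problems; an empty list means the interface looks stealthy."""
    problems = []
    before = parse_proc_net_dev(proc_before).get(iface)
    after = parse_proc_net_dev(proc_after).get(iface)
    if before is None or after is None:
        return [f"{iface} missing from /proc/net/dev"]
    if after[1] != before[1]:
        problems.append(f"tx packets moved {before[1]} -> {after[1]}: something is talking")
    if after[0] == before[0]:
        problems.append("rx packets static: port not mirrored or nothing on the segment?")
    for a in addresses(ip_addr_text):
        problems.append(f"bound address {a}: interface can be probed")
    flags = int(flags_hex.strip(), 16)
    if not flags & IFF_UP:
        problems.append("interface is down")
    if not flags & IFF_NOARP:
        problems.append("NOARP not set: kernel may answer ARP")
    if not flags & IFF_PROMISC:
        problems.append("not in promiscuous mode: is the sniffer running?")
    return problems


def read_live(iface, interval=5.0):
    """Collect the inputs for assess() from a running Linux system."""
    proc_before = open("/proc/net/dev").read()
    time.sleep(interval)
    proc_after = open("/proc/net/dev").read()
    ip_out = subprocess.run(["ip", "addr", "show", "dev", iface],
                            capture_output=True, text=True).stdout
    flags_hex = open(f"/sys/class/net/{iface}/flags").read()
    return proc_before, proc_after, ip_out, flags_hex


def sample_proc_net_dev(rx_packets, tx_packets):
    """Constructed /proc/net/dev text with one sniffing interface, eth1."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
        "    lo:    1200      10    0    0    0     0          0         0     1200      10    0    0    0     0       0          0\n"
        f"  eth1: 5120000 {rx_packets:7d}    0    0    0     0          0       120 {tx_packets * 84:8d} {tx_packets:7d}    0    0    0     0       0          0\n"
    )


# Constructed `ip addr show dev eth1` output: a clean stealth interface, and
# one that was left with ARP on and an autoconfigured IPv6 link-local address.
IP_ADDR_STEALTH = """2: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""
IP_ADDR_LEAK = IP_ADDR_STEALTH.replace("NOARP", "MULTICAST") + """    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    print("setup commands:", *(" ".join(c) for c in stealth_up_commands(iface)), sep="\n  ")
    for p in assess(iface, *read_live(iface)) or ["looks stealthy"]:
        print(p)
```

Run it as root with the interface name while Snort or tcpdump is attached; a growing receive counter with a frozen transmit counter, no inet/inet6 lines and NOARP in the flags is the state slarty described. The IPv6 sysctl is the one step the 2002 setup did not need.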

sceptre
January 9th, 2007, 05:58 PM
There is a new article about this same thing here (http://www.askapache.com/2006/security/sniffing-on-ethernet-undetected.html)

Terr
January 9th, 2007, 07:04 PM
Sceptre, this thread is >3 years old...

It was funny, I read what I wrote, and was confused: "I didn't post to this thread... oh, 2002..."

sceptre
January 9th, 2007, 08:38 PM
HA, lol...

I used to be a member on here back then, and when I found the article on askApache and did a Google search about it, this thread popped up.. so I thought, I definitely need to rejoin.

You know Snort still uses this exact method to capture packets.. it's still a very effective method for sniffing.

thehorse13
January 10th, 2007, 10:40 PM
The title of this thread dates it. The focus on packet sniffing and such has long since passed, being replaced with nice things like regulatory compliance and botnets.

Slarty's responses are all accurate though.

AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.

I can confirm this in case no one else did.

Also, switches aren't going to cache MAC addresses from a stealth unit simply because they won't be aware of an IP and/or ARP response/request from said device.

Old skool stuff is fun to read from time to time.

:)

Godsrock37
January 10th, 2007, 11:59 PM
That's really cool, and convenient. That's what I'm working on in my server at school, an IDS box with Snort on it. My CS prof. has no idea what's going on with his network and he asked me if I could do any sniffing for him; rather than just sniff whenever I'm in there I decided to set up a Snort box for him on FC5. I have two interfaces running, one to log and one to be an interface to monitor. I'll definitely have to consider taking off the IP of the monitoring NIC and stealthing it. Cool article and thread :)