Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Article: Stealthful Sniffing, Intrusion Detection and Logging

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Article: Stealthful Sniffing, Intrusion Detection and Logging

    Stealth is a subject I do like and this article opened the eyes for me in many ways. Stealth is a fashinating subject and its now soon time for me to go home from work and play with my new toy, stealth IDS .

    ~micael

    Source: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging

    Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.

    In a column about syslog I mentioned ``stealth logging''--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection systems (NIDSes) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
    This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.

    Read the full article here.

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Soooo... Basically it involves a computer without an assigned IP which sniffs out data targeted to it's 'supposed' IP, making a one-way transfer of data, effectivly isolating the sniffing machine... cool.

    If you had a promiscuous-mode-checker utility... would it pick up the MAC address of the sniffing computer even if the computer was 'stealthed'?
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    If you had a promiscuous-mode-checker utility... would it pick up the MAC address of the sniffing computer even if the computer was 'stealthed'?
    Hmm hard question, I would like to say, - yes it should be possible to pick up the mac adress. But Im not 100% sure and will have to check into it and see what I can find out. Thanks for the suggestion/question .

    ~micael

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    A "stealthed" machine - one with an interface "up" but not bound to IPV4 (or any other protocols) will be entirely invisible. It does not look for packets destined for its "supposed IP", as it has no "supposed IP". It looks for packets destined for other machines on the network with real IPs.

    Such machines will not respond to ARP packets (or indeed any other packets) - do not have IP addresses (hence can't be pinged), do not have IPX addresses etc, and do not respond to any type of broadcast or any other packet.

    AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.

    I have personally run a stealthed machine and happily watched the "packets recieved" counter in /sbin/ifconfig go up while the "packets transmitted" stays bolted at zero.

    One thing that *might* give away the existence of such a machine would be outgoing DNS requests, but determining this would be very difficult. Also, most IDSs do not do realtime DNS resolution for performance reasons.

    If you run a stealth IDS and need it to do DNS requests, obviously those need to go via an an alternative interface, probably with a firewall and/or DNS cache between it and the network it's sniffing (if it even goes out via the same route at all)

    Nevertheless in theory, an attacker who has compromised a machine on the same segment as this IDS and also set it into promiscuous mode (so it sees the same traffic) could send an attack which is detected, then watch and outgoing reverse DNS request for his IP.

    That could make the IDS detectable, however the attacker could not possibly know the identity of this machine, as its other interface (i.e. the only one with a real private IP) is sitting behind another firewall and sending its DNS requests out via an intermediate DNS.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I did send a email to the author of the article and asked if it would be possible to detect a "stealth sniffer" with a promiscuous-mode-checker utility.

    The answer is that it with small knowledge and a few modifications is possible to make the "stealth sniffer" almost totally undetectable on the network. The switch or hub it's connected to may detect and cache its hardware address, and reveal information like the brand/name of the nic.

    ~micael

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Only switches normally cache mac addresses, and we connected our IDS to a hub not a switch.

    The reason is that connecting the IDS to a switch will prevent it from being able to sniff anything unless you have a fancy expensive switch which has a "monitor port" option on it - and this is a small segment in the front of our networks which has only a few boxes on (routers and firewalls)

    Also, how can a switch cache a mac address it never observes on the network? If correctly set up a stealth sniffer never sends packets through its stealth interface.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Sorry slarty,

    My answer was a little bit confusing but my english is far from perfect. And the answer is not about your network or setup the comments are to the article.

    The switch or hub the stealth sniffer is connected to may detect and cache its hardware address, and reveal information like the brand/name of the nic. A network administrator may also see that something is connected to the port in the switch wish not generates any traffic.

    The answer to Terr's question is that it with small knowledge and a few modifications to the sniffer in the original article is possible to make it almost totally undetectable on the network. And with a few more modifications totally undetectable.

    ~micael

  8. #8
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Well... not entirely... I would venture to say that a correctly equipped hub/switch might be able to figure out when there is a device at the other end of the wires through various physical means. (Think of cable-testing equipment...)

    At least compromised and then stealthed machines aren't too much of a problem on switches, since traffic is not routed to them, and they would need an additional interface in order to spoof ARP packets and transfer data for a man-in-the-middle attack.
    [HvC]Terr: L33T Technical Proficiency

  9. #9
    str34m3r
    Guest
    We do this sort of thing all the time at work, so I've played with it some. The hub or switch that you plug the IDS into will know that there is something connected on the other end of the cable, but doesn't have to know what. This is due to the nature of ethernet. Most hubs/switches sold today only send a signal down the wires that it knows are connected to something. The hub/switch knows something is connected on the other end of the wire because every piece of ethernet hardware generates what is known as a heartbeat through it's pair of 'transmit' wires. If the hub/switch doesn't hear the heartbeat, it assumes tat nothing is on the other end and doesn't transmit down that set of wires. However, just because the hub/switch hears the heartbeat and knows that something is there, doesn't mean that it knows anything about what is sitting on the other end. A up-to-date linux box connected to a hub/switch with no IP address is entirely undetectable from a network traffic point of view. The only indicator is the little light on the hub/switch front panel. Contrary to what the author said, the hub/switch cannot possibly know the system's hardware address because the machine does not respond to any traffic - even arp traffic. Now, some early versions of the linux kernel responded to arp requests, and this might be what the author was referring to, but that hasn't been a problem since the 2.0 kernel.

  10. #10
    Junior Member
    Join Date
    Jan 2007
    Posts
    2
    There is a new article about this same thing here

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •