
Thread: Sniffing Detection

  1. #11
    Member
    Join Date
    Aug 2004
    Posts
    95
    There are different methods to find sniffers:
    1. Ping method - by changing the MAC address.
    2. ARP method
    3. Reverse DNS lookup method
    4. Source-route method

  2. #12
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by anban
    There are different methods to find sniffers:
    1. Ping method - by changing the MAC address.
    2. ARP method
    3. Reverse DNS lookup method
    4. Source-route method
    Explain how in more detail, please.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #13
    Member
    Join Date
    Aug 2004
    Posts
    95
    Search Google or visit sans.org.

  4. #14
    The key is that a network card is usually in promiscuous mode in order to sniff a network or network segment. It doesn't _require_ an IP to do this. If it is in a switched network, the sniffer will only see the traffic that passes by its own port. If the switched network is reasonably secured (config passwords on switches hardened (been there, done that)), that will be as far as the sniffer can go.

    To detect a sniffer in promiscuous mode, you will likely have to run your detection tool in the same segment (maybe even on the same switch) as the suspected sniffer. If the sniffer is a trojan-based tool and riding on one of your systems, you should be able to ID the system using the ARP method in the same segment. If the sniffer is a dual-homed laptop plugged into an open network port in your building, you are probably more likely to find it by "war-walking"--walking around and looking. Carry a big stick or bring a big security guard.

    I've used dsniff, and haven't been able to sniff past the switched segment in my environment.

    If you want to use Windows XP as your sniffer platform, you install the WinPcap library (freely available), then install WinDump and Ethereal. On mine, I wrote a simple script that fires a WinDump command line every five minutes to capture about 30,000 packets on the slutty port, and gives the resulting capture a random file name in a specific folder. Since I am in a switched network, and the switches are hardened, I must needs have a way to look at the router traffic. Therefore, I have a mirror port on the router that sees all, knows all ...

    With WinXP, you need all the resources possible when sniffing a large pipe. So, strip down the OS as best you can. Remove anything not absolutely needed, then add the tools above. You can find the tool websites by Google-ing the words.

  5. #15
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by Irongeek
    I've only used it in Linux. Check with these guys: http://www.datanerds.net/~mike/dsniff.html
    I found that too. I have already downloaded it, but I just simply can't find the doc on how to run the program.
    BlAcKiE
    GearBlitz

  6. #16
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Both are command line tools, right? I would think it's the same in both Linux and Windows. There is a man page for Dsniff here:

    http://www.zevils.com/cgi-bin/man/man2html?dsniff+8

  7. #17
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by rapier57
    The key is that a network card is usually in promiscuous mode in order to sniff a network or network segment. It doesn't _require_ an IP to do this. If it is in a switched network, the sniffer will only see the traffic that passes by its own port. If the switched network is reasonably secured (config passwords on switches hardened (been there, done that)), that will be as far as the sniffer can go.

    To detect a sniffer in promiscuous mode, you will likely have to run your detection tool in the same segment (maybe even on the same switch) as the suspected sniffer. If the sniffer is a trojan-based tool and riding on one of your systems, you should be able to ID the system using the ARP method in the same segment. If the sniffer is a dual-homed laptop plugged into an open network port in your building, you are probably more likely to find it by "war-walking"--walking around and looking. Carry a big stick or bring a big security guard.

    I've used dsniff, and haven't been able to sniff past the switched segment in my environment.

    If you want to use Windows XP as your sniffer platform, you install the WinPcap library (freely available), then install WinDump and Ethereal. On mine, I wrote a simple script that fires a WinDump command line every five minutes to capture about 30,000 packets on the slutty port, and gives the resulting capture a random file name in a specific folder. Since I am in a switched network, and the switches are hardened, I must needs have a way to look at the router traffic. Therefore, I have a mirror port on the router that sees all, knows all ...

    With WinXP, you need all the resources possible when sniffing a large pipe. So, strip down the OS as best you can. Remove anything not absolutely needed, then add the tools above. You can find the tool websites by Google-ing the words.
    Why does ARP have the capability to sniff on a switched network?
    What is the logic behind it?

    I have tried Ethereal but not WinDump. Ethereal simply gave me the broadcast packets. That's why I am looking into dsniff, but so far I cannot find a doc on how to run the program...
    BlAcKiE
    GearBlitz

  8. #18
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Dsniff comes with another program called Arpspoof. You can find more info about arpspoofing here:

    http://www.irongeek.com/i.php?page=security/arpspoof

  9. #19
    ARP can resolve the MAC of a sniffing NIC if you have the originating IP. This helps when you have to hunt down a system on a network where DHCP is given out to any system that connects, or trying to nail down someone who has co-opted one of your precious IP numbers without authorization.

    As for WinDump, it does a command line sniff of the slutty port, and dumps the results into a log file. Ethereal reads those files so you don't have to try to run Ethereal as a sniffer directly (not a fun project). I use WinDump on the sniffer (dual-ported box), and run Ethereal on my workstation. Map a share to the folder where WinDump drops the log files, copy the ones you want to use to your workstation, run Ethereal and open the subject file.

    You can build filters and such in Ethereal to help analyze the results of the sniffs and identify certain activity. It will also show you what is encrypted and what is not.

    Honestly, Ethereal is a very nice program. It runs just fine as a sniffer in a small network, on a stripped down WinXP box. I have WinDump grabbing packets off of a very large pipe. So, using Ethereal directly would not work well at all, too many dropped packets. The 30k packet sniff works well and gives me about a 2 to 3 MB file to examine. The 5 minute frequency is enough to capture the character of a point in time based on our MRTG graph.
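The "ARP method" that the thread keeps coming back to (posts #11, #17 and #19) works by sending an ARP request for the suspect's IP inside an Ethernet frame whose destination MAC is deliberately wrong (not the suspect's own address and not the broadcast address). A NIC in normal mode drops that frame in hardware, but a NIC in promiscuous mode passes it up, and the IP stack answers the ARP request anyway, revealing the suspect's MAC. The following is an added example, not code from anyone in the thread: it builds and parses the frames in pure Python, and the guarded `main` section sends the probe over a Linux `AF_PACKET` raw socket (root required). The interface name and all addresses are constructed placeholders.

```python
import socket
import struct

# Bogus unicast destination: one bit off from broadcast, so a non-promiscuous
# NIC filters the frame in hardware while a promiscuous NIC accepts it.
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"
ETHERTYPE_ARP = 0x0806

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp_probe(src_mac: str, src_ip: str, target_ip: str,
                    dst_mac: str = BOGUS_DST_MAC) -> bytes:
    """Ethernet + ARP who-has for target_ip, addressed to a bogus MAC (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)      # sender MAC/IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)          # target MAC/IP
    return eth + arp

def parse_arp_reply(frame: bytes, expect_ip: str):
    """Return the sender MAC if frame is an ARP reply from expect_ip, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):  # opcode 2 = reply
        return None
    if socket.inet_ntoa(frame[28:32]) != expect_ip:
        return None
    return mac_str(frame[22:28])

if __name__ == "__main__":
    # Assumed placeholders for your own segment; Linux-only raw socket, needs root.
    iface, my_mac, my_ip, suspect_ip = "eth0", "00:11:22:33:44:55", "192.0.2.1", "192.0.2.10"
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    s.bind((iface, 0))
    s.settimeout(2.0)
    s.send(build_arp_probe(my_mac, my_ip, suspect_ip))
    try:
        while True:
            mac = parse_arp_reply(s.recv(2048), suspect_ip)
            if mac:
                print(f"{suspect_ip} ({mac}) answered a probe sent to {BOGUS_DST_MAC}: likely promiscuous")
                break
    except socket.timeout:
        print(f"{suspect_ip} did not answer the bogus-MAC probe")
```

As rapier57 notes, the probe only reaches hosts on the same segment, and some drivers or stacks filter differently, so a silent host is not proof of innocence.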
