Passive Ethernet Tap?
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Passive Ethernet Tap?

  1. #1
    Member
    Join Date
    Jul 2003
    Posts
    43

    Passive Ethernet Tap?

    I was wondering if anyone can explain this to me more in depth. I have read something similar to this in another thread, but I feel that it didn't give a detail description in what it is.

    Is it like a phone tap only with packets? Can it be detected with conventional software tools?

    Thanks

    Enforcer

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Network Enforce,

    Try here...

    http://www.snort.org/docs/tap/

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Hey thats pretty cool, useless to me and looks a little complicated but cool. POINTS FOR Egaladeist!

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I beleive you put a passive tap between the host you want to sniff and the switch. You can then intercept the traffic going to and from the host. Putting in the passive tap will ensure that you only get the data going to and from the host you are interested in. You don't have to filter out the rest of the traffic. It would be difficult if not impossible to find through software and an it is an effective hardware solution. (assuming that you can hide it well... server room? right off the switch? in the wall? etc.)

    A lot of people put them at the border or gateway of their networks to watch for malicious traffic...

    It would also be just as easy, but more costly, to put in a hub.

    I say more costly because you have to power it, you waste unused ports, therefore wasting resources, the hub will cost more than it will to buy the parts to make your passive tap.

    You could also want to do this if you have an unmanaged switch and can't "mirror" a port or use "port spanning". Or if you just want to monitor traffic between your internet connection and your firewall... or your firewall and your LAN/WAN. etc.

    Another effective, but noisy technique for sniffing on a switched LAN is to use ettercap or dsniff or a tool like it to flood the arp table on the switch(s) effectively turning it into a hub.

    I prefer to use Cain and Abel to do the flooding and sniffing of passwords, then I can single out my targets and then use ethereal to do my sniffing for detailed activity.

    Ettercap has a lot of nice features in it that I rarely use. MITM attacks, DoS, etc.

    To each his own. Use what you like.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Member
    Join Date
    Jul 2003
    Posts
    43
    I work in our IS department as a Network Admin. I am aware with Snort and it's construction of the Pasive Ethernet TAP. I only bring this up because a co-worker and I have come across the documention of the construction on the tap within our department. We feel that it might be used against some of us and so outside the department. We are trying to take measures to counter this action since we feel that the party is not aware that we know about it.

    Further more, the company recently purchased a Hardware Utility to block and capture such traffic. But was stated that it would not be used on our perticular subnet.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If they put a hardware tap between you and them, it will be difficult to find.
    You'll have to go looking for it.

    You can try to find network cards that are in promiscous mode. There are weaknesses in some operating systems and sniffers that cause it to reveal itself.

    Here is an article from earlier this month (Feb 10th) that shows how to detect a sniffer on an NT box.

    Some tools like ettercap also have plugins to detect other sniffers on the network.

    Searches on google for "detect network sniffer" or terms similar will turn up other results.

    If your "attacker" were to create one of these boxes, then they could have also created a "receive only" patch cord to go between the network card and the passive tap. This would ensure that absolutely NO data was sent from that network card onto the line that is being sniffed.

    receive only network tap

    If that were the case, then you would not be able to detect the promisc. network card because the flaws in the OS or sniffer that gives it self away will never be sent back onto the network.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Member
    Join Date
    Jul 2003
    Posts
    43
    A co-worker and I determined that the actual rj-45 jacks will be connected either behind our workstation plugged into the jack in the wall or most likely in our MDF where our drops go to the switches. Unless they decided to put some time in it and route my or anyone elses connection to an IDF which we still can go out. In either case, there isn't a place that we (IS Staff and Department) can't go or get access to.

    Thanks for the info phish. My co-worker and I will be hard at work to get to the bottom of this because at the moment, we can only go off of assumption. And I for one am a paranoid person when it comes to people trying to get information from me whether or not I am informed about it.

    Enforcer

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    The tap will most likely be near your switch or even at your patch panels... as you've already guessed. You can probably make one of these taps by just duplicating a port on the patch panel... Just like you can duplicate a phone line... That would be easy enough to hide.

    Under your desk is too obvious and you'd notice extra hardware there.
    If "they" really know what they're doing... it'll be hard to find.

    They can sniff/trace you at any patch panel, hub, switch, hop, etc.
    Anywhere the physical layer goes... they can go.

    Do you have any reason to suspect they are monitoring you?
    All you found was a diagram and you're getting this parinoid over it?
    I print out and save all kinds of "weird" stuff...

    Besides... to go through all that trouble and leave the documents where you can find them?

    Use encryption...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    This was a set-up, right?
    Ok, you sucked me in because this fries my as_.

    Taps are, by there nature, passive. They listen, don’t respond. If they set up an IDS or IPS on a hub ( which is not really a tap, but called a “ cheap man’s tap “ ) without a custom read-only cable ( or maybe a home-made tap from a hub ) you might be able to detect it, but these should NEVER be used in a corporate environment.

    If you are thinking that it might inadvertently pick up some violation of the AUP ( if there is one ) by you or one of your colleagues, you may be correct, depending how it was set up and where.

    I say more costly because you have to power it, you waste unused ports, therefore wasting resources, the hub will cost more than it will to buy the parts to make your passive tap.
    Actually, most commercial taps that I know are expensive, require power, and many can interrupt the network if power is lost. ( something to think about when deciding on hardware? )
    Even some of the home-made taps require some type of power, usually battery power. And wasting unused ports? I don’t know how to respond on that one.

    ------------------- now to issue ---------

    ... I only bring this up because a co-worker and I have come across the documention of the construction on the tap within our department. We feel that it might be used against some of us and so outside the department. We are trying to take measures to counter this action since we feel that the party is not aware that we know about it.

    Further more, the company recently purchased a Hardware Utility to block and capture such traffic. But was stated that it would not be used on our perticular subnet.
    We have an alleged Network Administrator here in a corporate environment complaining that someone, admittedly from the “company” with “company” approval, MAY have put in a tap and MAY be spying on them? And he wants to know how to find it and defeat it because he thinks the person(s) who put it there doesn’t know they know about it?

    Maybe it was the Security Administrator that placed it? And there was a reason for it besides just spying on you? ( Does the phrase “ Network Security “ ring any bells here? )

    The ONLY thing you should be concerned about as a Network Admin is does it impact adversely on your network. Period!

    Go ahead, mess with the tap! Loose your job! You apparently don’t belong there anyway because you can’t be trusted!

    Where is GORE when you need him?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Actually, most commercial taps that I know are expensive, require power, and many can interrupt the network if power is lost. ( something to think about when deciding on hardware? )
    Even some of the home-made taps require some type of power, usually battery power. And wasting unused ports? I don’t know how to respond on that one.
    I was trying to think of some advantages/disadvantages of a passive tap over a hub. I have no direct experience with passive taps... just what I've read about them.

    At any rate, I was talking about making your own tap... not buying one.
    As far as wasting ports... it is a waste of resources. Its more than you need.

    Hopefully I didn't provide any misinformation. I thought I had researched it sufficiently.
    Guess not.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •