Setting up promiscuous mode

Thread: Setting up promiscuous mode

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    5

    Setting up promiscuous mode

    Hi folks-
    I am just starting my quest to figure out this network security stuff and am afraid one of my users is sniffing passwords on our network. I would like to try and recreate doing this, but for the life of me I cannot figure out how to set my network card to promiscuous mode. It's a Broadcom NetXtreme 57xx card. Is there a document somewhere I can reference on how to do that? I did spend some time searching for an answer today and learned quite a bit about what promiscuous mode was, but not about starting it. Can anyone help?
    Thanks for any help.
    -Rich

  2. #2
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    THIS might be what you're looking for.
    Git R Dun - Ty
    A tribe is wanted

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    5
    Fantastic, that gives me some answers. I appreciate the quick response and thanks.

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Depending on the OS you are running, you will also need libpcap or Winpcap. For Linux you should check out:

    http://www.tcpdump.org/

    For Windows:

    http://www.winpcap.org/

    You'll need these installed so that Ethereal or whatever tool you use can access the network card in promiscuous mode.

    However, you are likely in a switched network. If your "naughty" user is sniffing passwords, the user has more access to your network than he/she should have. In the switched network, your promiscuous mode network card can still only see that traffic that passes by that card. Normally that is management traffic, broadcast traffic and traffic directed specifically to that NIC's IP.

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Posts
    5
    Hmm, that certainly makes things a little more interesting. We do have a switched network, so what I am gathering from your post is that running a sniffer won't really even read passwords on its own subnet, which is how I thought it would work. That's probably a good thing, but it thickens the plot a little...

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What evidence do you have that the user is sniffing passwords?

    It's an easy conclusion to come to but the user would need to be quite sophisticated to do it on a non-switched network, (not a genius - but smarter than your average user). On a switched network they would have to be very sophisticated.

    Frankly, I would look for some other avenue such as his access to a password list that he should be denied from. Certainly you could look at his machine when he isn't there to see if a sniffer is loaded but I think you'll find he's doing this stuff in a more mundane fashion.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
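
The check suggested in the post above (looking at the machine to see whether a sniffer is loaded), as an added example that is not part of the original thread: on a Linux host, list the interfaces whose kernel flags include `IFF_PROMISC`. It assumes Linux sysfs under `/sys/class/net`; the function names are hypothetical, and the flag values are those from `<linux/if.h>`.

```python
"""Added example: report Linux interfaces that are in promiscuous mode."""
import os

IFF_UP = 0x1          # interface is administratively up (<linux/if.h>)
IFF_PROMISC = 0x100   # interface receives all frames (<linux/if.h>)


def read_flags(sysfs_root, iface):
    """Return the interface flags as an int, or None if they cannot be read."""
    path = os.path.join(sysfs_root, iface, "flags")
    try:
        with open(path) as fh:
            # sysfs exposes the flags as a hex string such as "0x1103"
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        # Non-interface entries (e.g. plain files) or unparsable content
        return None


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return sorted [(iface, is_up)] for interfaces with IFF_PROMISC set."""
    found = []
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return found  # not Linux, or sysfs not mounted
    for iface in sorted(names):
        flags = read_flags(sysfs_root, iface)
        if flags is not None and flags & IFF_PROMISC:
            found.append((iface, bool(flags & IFF_UP)))
    return found


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    if not hits:
        print("no interface is in promiscuous mode")
    for iface, is_up in hits:
        state = "up" if is_up else "down"
        print(f"{iface}: PROMISC set (link {state})")
```

A hit means only that something has asked the kernel for promiscuous mode on that interface; bridges and virtualization software set it as well as capture tools.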

  7. #7
    Junior Member
    Join Date
    Dec 2005
    Posts
    5
    The only proof I had was the user logging in as administrator where he was not supposed to know the password at all. This thread is good though, I am learning to not look into the most difficult scenario first, maybe just look to the more obvious first. I am learning as I go for sure, so thanks all for the help.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sniffing the administrator's, (or any user's), password for a domain login is difficult to say the least since the password is never passed across the network - a hash of it is. This would require your user being able to sniff the hash off a switched network, recognize the hash within the packet capture and then decrypt the hash to reveal the original password - a task which could take months or years. None of these acts are trivial..... He got this password in another fashion... Start looking under keyboards....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Sep 2005
    Posts
    332
    Well, I am not sure about all this switched network stuff, but here at my work one of my co-workers has this helpful little CD that he made. It has a bunch of **** on it like DBAN, Lysol, FDisk, and other helpful apps. But it also has this thing where if you use it as a boot disk then you can reset and change any of the passwords AND rights for any of the accounts on that PC. It also allows him to create his own admin accounts on that computer. Maybe the person you're talking about is doing something similar.
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  10. #10
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    JewishIntent made a good point. There is also the possibility that the person installed a keylogger on one of your systems and has been grabbing the information that way. That is a lot of work and there may be a high noise to content ratio, depending on the system monitored.

    The direct route is the simplest and the most probable. The person in question has physical access. With physical access, you can get almost anything you want from the machine if you can boot to floppy/CD/DVD. Allowing systems to boot from CD/DVD/floppy makes it trivial to change local admin passwords, add local admin-level accounts, almost anything else. There should also be a Supervisor password on the BIOS to protect the boot sequence.
