finding packets - Page 2
Page 2 of 5 FirstFirst 1234 ... LastLast
Results 11 to 20 of 43

Thread: finding packets

  1. #11
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Just do a search for all the files that have changed in the last day. You'll have a long list, but your packet file will be in there.

    Can't say I ever heard of a sniffer trojan...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #12
    Member
    Join Date
    Sep 2005
    Posts
    77
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of of sniffer?

    Regardless, the idea of incorperating a network packet sniffer into a trojan is an interesting idea.
    A way to expand the trojan's snooping capabilities beyond the local machine to a network segment (assuming the machine is on a network).

    Imagine if the trojan incorperated something similar to EffeTechs PassDetect - Ace Password Sniffer
    (Currently Ace Password Sniffer can monitor and capture passwords through FTP, POP3, HTTP, SMTP, Telnet, including some web mail password.)

    Granted, the trojan would be pretty large, unless it was configured to pull additional modules from a remote location.... food for thought.
    %42%75%75%75%75%72%70%21%00

  3. #13
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of of sniffer?
    Hi, if a cracker has had access through a trojan, wouldn't that allow them to install a sniffer?

    Kurokage:
    A packet sniffer being used to sniff a network will put a computer's network card into what is called "promiscuous mode." Here is a freeware tool whose author claims it can detect if a Windows computer's NIC (Network Interface Card) is running in promiscuous mode. http://www.ntsecurity.nu/toolbox/promiscdetect/ But don't rely on this alone. There are other ways/tools for detecting sniffers. Try a Google search for "detecting packet sniffers" for other tools and articles that will educate you on the topic.

    You might just want to try the tools that Nihil mentioned first (if you haven't). If you have do have a trojan installed the best course might be to not worry about the sniffer. Just go ahead and reinstall your OS. If a computer has been trojaned it would be best not to trust that installation. As far as what kinds of files might be safe to salvage from your old installation, someone else will need to advise you on that. And, if you suspect that this computer is trojaned you have already isolated it from the rest of your network (haven't you)? See this thread.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  4. #14
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of of sniffer?
    How long have you guys been in the security sector? Rootkits anyone?

    Indeed trojans can and have been observed with sniffing capabilities, both manual and automatic.

    That said, you can expect a trojan with sniffing capabilities to operate similarly to a keylogging tool with the exception of the NIC operating in permiscuous mode (sniffer).
    1) It will collect data.
    2) It will save it locally awaiting retrieval from the attacker or it will auto send the contents based on some pre-defined logic.
    3) If the attacker is smart, the local file will be destroyed after the above has happened.

    So the answer to your question is, "it depends".

    Now, one thing has to happen in order for any of this to work. Your host has to either accept or initiate connections. I would start by identifying ways to monitor unusual processes and/or connections. This sounds simple but is fairly involved. Don't forget to monitor HTTP, HTTPS and your e-mail protocols, as these channels provide plenty of white noise for attackers to ship out the goods without you noticing.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #15
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Don't forget to monitor HTTP, HTTPS and your e-mail protocols, as these channels provide plenty of white noise for attackers to ship out the goods without you noticing.
    Wouldn't netstat be a good way to do this?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    It would if you have assurance that you're not running a trojaned version of the tool. Some advanced attackers replace vital system tools with their own version, which of course masks their processes. The limitation with this tool is that it's not realtime. I like to use tools such as TCPView, which provides realtime views of the system.

    If I suspect a rooted host, I use a trusted forensic toolkit for analysis. I *never* trust tools on the suspect host.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Originally posted here by preacherman481
    Wouldn't netstat be a good way to do this?
    Maybe, maybe not. It depends on the attack. You have to assume that you don't have a clean system. You can't trust your binaries or APIs. If there is a rootkit... it's job is to hide itself.

    You have to use forensice toolkits with binaries you can trust.

    There are plenty of toolkits out there. You can use toolkits live before you take it offline for further analysis. As, there may be importatnt data in memory that can be lost when you power off.

    Check out some of the following links for more info on toolkits.

    http://www.forensics.nl/toolkits

    I like the live cds that will run while the system is up, and then you can reboot to the live cd for further analysis. Helix has been my favorite forensics boot cd thus far.

    http://www.e-fense.com/helix/index.php

    Mind you, I'm no forensics expert. I just know a bit here and there from books I've read or tools I've played with.

    Incident responce is one of the books I have. Though, I only have the first edition...
    http://www.amazon.com/gp/product/007...Fencoding=UTF8
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #18
    Member
    Join Date
    Sep 2005
    Posts
    77
    Hi, if a cracker has had access through a trojan, wouldn't that allow them to install a sniffer?
    Of course... they could install virtually anything themselves. I was referring to something a little more automated though. Maybe even wormlike in autonomous terms

    How long have you guys been in the security sector? Rootkits anyone?
    Let me clarify my comment a tad....I was stating that I had not seen a trojan (in the classic sense) that had a built in network sniffer. That did appear to be what Kurokage was referring to originally in this thread and not rootkits. I could be mistaken. *shrugs*
    You don't have to explain that once a backdoor has been established (and assuming the attacker has half a clue) that anything can be installed on that machine, including rootkits.

    And to answer your question as to how long I have been in the security sector, the answer would be "Not long enough" or "not nearly as long as you" ; )
    But I am in for the long haul.... thanks for asking.
    %42%75%75%75%75%72%70%21%00

  9. #19
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    And to answer your question as to how long I have been in the security sector, the answer would be "Not long enough" or "not nearly as long as you" ; )
    But I am in for the long haul.... thanks for asking.
    Actually, I just read my post and just to clarify, I wasn't attempting to be a wise guy as it may appear by the wording.

    I was referring to something a little more automated though. Maybe even wormlike in autonomous terms
    There are dozens of documented worms that do this. Maybe hundreds by now. Depending upon where you go, they *may* be classified as "system monitors".

    The industry lacks a good framework for naming and classifying these things. This of course causes a lot of issues amongst the nerd community.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    Member
    Join Date
    Sep 2005
    Posts
    77
    The industry lacks a good framework for naming and classifying these things. This of course causes a lot of issues amongst the nerd community.
    Agreed, in fact, there was an absurdly long thread not to long ago disputing the difference between a RAT's and a TROJANs. Lots of different opinions and definitions.

    When Kurokage mentioned there might be a trojan on the system and that he/she could handle/get rid of it, thoughts of classic trojans like netbus, sub7, B.O. came to mind. Considering Kurokage has stated (in his/her profile) that he/she isn't very computer literate, I don't surmise that he/she would know how to get rid of a rootkit if indeed one was on the system.


    TH - you mentioned you *never* trust tools on the suspected host... and I understand that if a rootkit was installed that it can intercept system calls and other processes so the application or tool running may return false results. What are your opinions of programs like Sysinternal's RootkitRevealer and F-Secures Blacklight? Or should that question be saved for a seperate thread?
    %42%75%75%75%75%72%70%21%00

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides