Antisniff

[mates]

I have recently gotten myself into some trouble with my schools network security and the police had to get involved. I want to see if I can prevent my types of doings from happening again. Can anyone direct me to a product page for the latest version of Antisniff? I want to somewhat set things right and just go back to school. The school's tech said there is no way to prevent packet sniffing. I've heard otherwise. I also have a felony charge that is based on me changing mac addresses. Correct me if I'm wrong, but I've always heard MAC addresses couldn't be altered. I really want to set things right help would be much appreciated.

[Rathgar]

Well if your school is using hubs and not switches... then no, there is no way to avoid packet sniffing. Packet sniffing is totally independent to the rest of the network and works by altering how your network card works to capture all the traffic that passes by it, instead of doing what it normally does, and ignore anything not specifically directed to it's address.

MAC addresses can be changed, and quite easily. Research MAC address 'spoofing' to find out more.

Oh, and play nice at school...sheesh

[brokencrow]

Boys will be boys. A felony, that hurts. Most admins are overworked
and stressed. You must've got yours pretty PO'ed.

MAC's can be altered. Virtualized if you will. It's difficult to detect
sniffing. Some sniffers, ettercap for one, can detect ARP poisoning.
Beyond that, I don't know.

Just curious, how'd you get caught?

[nihil]

Hi brokencrow,

My guess is they scan the system for network cards in promiscuous mode that shouldn't be..................... a bit of a dead giveaway I would have thought?

I seem to recall a tool called NEPED............ it is an acronym for something... I think the PED bit is "promiscuous ethernet detection"?

The "changed MAC addresses" sounds like something to do with either the sniffing tool or the antisniffer:

The proposed technique uses three phases to detect the sniffing hosts in an Ethernet network. In the first phase, the ARP caches of the sniffing hosts are corrupted. In the second phase, TCP SYN request connections packets are sent to each host in the network using fake IP and MAC source addresses.Finally, by analyzing the responses of the hosts, all hosts running sniffers are detected. Four anti-sniffers, PMD [18], PromiScan [17], L0pht AntiSniff [19] and SupCom anti-sniffer, are tested and the evaluation results show that SupCom AntiSniffer succeeded to detect more sniffing hosts than the other antisniffers.

Another possibility is if you connect an unauthorised device to the network. It will show up as an unrecognised MAC which someone might assume is an authorised device with a spoofed MAC?


@ mates

AntiSniff is by L0pht Heavy Industries. They packed in around 2000, so there isn't a current version. AFAIK the last supported OS was NT 4.0 SP3 although I expect it would work with later SPs and possibly NT 5.0 (Win2000).

The school's tech said there is no way to prevent packet sniffing.

He probably means in your environment. You could lock the place down but it would be very much to the detriment of the educational process. It would be a physical security solution.

I am not aware of any applications that actually prevent sniffing.......... they just try to detect it, and it seems your school already has that in place.

[isildur]

Just a suggestion. If you have a felony hanging over your head, I would drop the idea of antisniff, or any other tools. Just go straight until they forget about you (graduation time), concentrate on your studies and hope this doesn't ruin your life. Sorry, but I have kids about your age and I will tell them the same.

[devildell]

LOL. OK man…
Let me give you some much needed advice. When I was in high school I did the exact same thing you did. LEAVE IT ALONE. By the time I got done I had 7 felonies on my head… the only reason I am not in prison right now is because I made a deal with the super intendment that I would fix the holes. And if I graduated valedictorian they would drop all charges…. BOY I STUDIED HARD.
DON'T DO ANYTHING MORE. you are being watched....

good luck

[nihil]

Hmmm,

Let's assume that mates is telling the truth?

I also have a felony charge that is based on me changing mac addresses. Correct me if I'm wrong, but I've always heard MAC addresses couldn't be altered.

That suggests to me that he doesn't know how to do it?

Now, if you mess around with the MAC addresses on a network the chances are that you will screw it up. That would be classed as damage and probably is a felony in the USA. If he didn't do it, then they won't have any evidence, and I do not see how running a simple packet sniffer would have that effect, even if it were defective?

Come to think of it I haven't heard of any malware that would do such a thing either........... has anyone?

I think that mates might be looking at a defence along the lines of: "The school should have installed software to prevent me from doing this, that is contributory negligence"

Forget it son, I am no ADA but if I were I would immediately shoot you down by saying: "They did........they have an AUP and software to detect violations of it, which is how you got caught"

There must be some amendment to the Constitution along the lines of "the right to be stupid"........... well, they didn't violate your constitutional rights?

OK I am not a lawyer, much less a US one, but I would suggest a defence along these lines:

1. The student is authorised to access the School's network so there is no case of illegal entry (that is a felony I would imagine).
2. He ran unauthorised software which is contrary to the School's IT AUP, but that is not a felony, per se.
3. Can you prove that he actually changed mac addresses rather than spoofed them?
4. Can you prove material damage?
5. Simple packet sniffing software does not "change" anything.
6. Can you prove criminal intent? That would be why the case would not even get as far as a felony charge over here in the UK. It would be impossible, and the police would tell the School that it is an internal disciplinary matter and if there is any damage then it is a civil court matter.
7. How can you be sure that these "changed" MAC addresses are a result of what the student did rather than that of your anti-sniffer software, which almost certainly uses this technique?
8. Changing the NIC card to promiscuous mode is a valid setting and does not damage it.

Of course, that does assume that mates is telling the truth.

[brokencrow]

Could be a script kiddie who was fooling around with an ARP spoofing
tool. By and large any ARP spoofing's going to change your MAC addy,
yes? Must've done it one time too many from the sound of it. OTOH,
if he ran SMAC, good luck...

I think there's a tendency when one gets into 'security' tools to not
realize how powerful they are and what they're doing to others. Years
ago when I got my hands on nmap, I did a few things I'd hesitate to
do now. But we won't go there...

[nihil]

That's very true.

There seems to be a fair degree of naivety amongst these guys as well, as cases crop up on a daily basis?

I think that these guys could do worse than snag a copy of Tsun Tsu's "Art of Warfare" and read it until they understand the principles; particularly:

"If I know nothing about myself and nothing about my enemy, I will surely lose.
If I know everything about myself and nothing about my enemy, my chances of winning are even.
If I know everything about myself and everything about my enemy, I shall surely prevail."

Why can't these guys realise that unless you know otherwise for certain, you must assume that any given network is secured or at least monitored?

Hell, you have local laws, contracts and possibly even Federal laws that require school systems to be protected and monitored? Also, the admins are custodians of the IT assets of an educational establishment.......... it is their duty to protect those assets.

I would be the first to admit that I am a bit of a skiddie myself, in that I like playing with new tools and applications However I must have over 20 personally owned machines to do this on, and I never mess about on any of my "production" machines.

I just hope that this guy did not try to run his stuff against the School's administrative network

[mates]

Well I wanted to see if I could prevent this from occurring again because a big fear overcame the staff about compromised info. I had been doing it about 6 months and had no problems. I somehow got rolled up because the tech said there were some network failures and he looked into it and claimed it was my fault. There was also an outbreak of other children using sniffers and just running it in promiscuous, I did some ARP poisoning, and some other things. The felony is based on the destruction of government property and I didn't, not that I'm aware of change any MAC addresses only did some spoofing. But seriously aren't MAC addresses permanently stored on NICs? They never told me how i got rolled up and they never told me why I have 3 felonies because the police knew less about the network than I did. I don't want to complain because I'm getting informal probation, and I want to see if i can go back to school. I never intended any malicious activities i just didn't have an ellaborate network to play with at home.