How to Silently trace if someone is SNIFFING my Network?

[amir4u]

HI, I have an NT4.0 network and I want to "silently" know if someone is "Sniffing" my network and catch him red handed or atleast to know where the sniffing has initiated from , how long it ran , which sniffer utility or program was used etc etc.........

THanx in advance

[pierreke77]

isnt that possible with a firewall like Norton internet security ...

i know also a proggie , that i think would do the trick its called attacker .
You can find it at http://www.foundstone.com

[black_death]

there is no easy way of detecting such attacks however there are some ways of detecting promiscuous nodes on the network that need packet editing,i have to know what operating systems you use on the network (i know you have said that you use NT but do you use other operating systems or other versions of windows ( 9X,2000) too or not)
---------------------------------------------------------------------------------------------------------------

[amir4u]

well, I have 7 computer labs to look for and yes I have 2 of 7 labs using windows2000 clients and all other labs using win NT4.0 clients and all servers are windows NT4.0.

Any perfect anti-sniffing or sniff detector software or any other strategy to sniff out the sniffing software??

PLz help..........

[black_death]

some toolz:

http://www.l0pht.com/antisniff/
http://www.securityfriday.com/ToolDo...iscan_003.html

the attachment is a pdf file about sniffing and detection of promiscous mode on local networks
i thought you might like to take a look at it.


------------------------------------------------------------------------------------------------------------------------

[KissCool]

AntiSniff is a very useful program but anybody knowing exactly how it works can, with some knowledge, bypass it.
The best way to protect you efficiently is to monitore by yourself your network activity (keep an eye on arp packets) and to....sniff it!
Somebody sniffing your network will probably try to do more. He will try especially to forge false packets (hi-jacking) and to use non well protected passwords. Doing this he could reveal all to another sniffer (you).

To simplify your task you could create an honeypot.

[hacker's r us]

all u need 2 do m8 is download a exe that gives out a fake isp address i can not rember wat it is called but it is gud 2 have. And dl norton firewall or zonealarm i use em both and they r gud u can crack zonealarm so u dont have 2 buy it or owt lol. ;-)

[amir4u]

To simplify your task you could create an honeypot.


What is a "Honeypot?

[[WebCarnage]]

amir4u:

A "honeypot" (in laymen's terms) is pretty much a server or computer set aside from your network which purpose is merely to act as "bait". You don't really work on this server or pc, rather, just set up an IDS, a packetsniffer, firewall, etc. etc. But it goes like this: An attacker scans your network, see's that one of the PC's are valnuable (the honeypot), he attacks it/hacks it/whatever, you get his IP address, and turn him in.

Read this thread for more information on what more you can do with honeypots, and a more in-depth approach to them.

[ammo]

If I remember right, AntiSniff works by checking if certain hosts' stack "involuntairely" responds to certain packets that are not addressed to it's real IP but that it still gets because in promiscuous mode. "Workarounds": neutered (no transmit) NIC or cable, modified stack...


Ammo