Security Basics mailing list archives
Re: A Solution for sniffing
From: "David Verty" <verticalrave () hotmail com>
Date: Sun, 22 Dec 2002 07:25:12 +0000
Hey there, I've only heard/read of ways to protect against attacks on switches (checking the arp tables for modifications or tampering), but not really much reliable info on doing stuff on hubs (like the last poster mentioned below, sending echo packets, etc.). But generally, you will not be able to detect against a sniffer attack, since it's very passive, as said below.
Some things that you can do to prevent people from viewing information coming to and from your computer are many of these basic steps that people neglect so often...
Keep your anti-virus updated (if any). Keep a personal firewall (if possible) online. These two are your best bet if you're generally paranoid. A good example of a personal firewall would be ZoneAlarm for Windows, and under Linux using the iptables filtering suite, PF in BSD and possibly a secondary suite to supplement those. Encrypt your communications... PGP your e-mail, download instant messaging clients that can support good-grade encryption... etc.
Some of these things don't necessarily mean that you won't be sniffed at and prodded at, but it will certainly make you a harder target for most would-be sniffers.
If you're a sniffer, your machine should be as discreet as you want it to be :)
David
From: "Shanon" <liquid_nitrogen79 () hotmail com>
To: <Bruce.Orcutt () alltel com>, <SMerrell () avbpgh com>
CC: <security-basics () securityfocus com>
Subject: Re: A Solution for sniffing
Date: Sat, 21 Dec 2002 02:05:58 +0530

Not only DNS, but IMO a lot of things should not be run on the sniffer machine, whatever it is. Try composing a mail and send it while some arp sniffer (MITM attack) like ettercap is running :)) ....for me the destined recipient was spammed with the same copy for three days :))

There are lots of white papers floating that explain how to detect if some machine is in promiscuous mode, like by sending an echo reply packet (arp, any query etc) to some and see how many replies you get in return.....

----- Original Message -----
From: <Bruce.Orcutt () alltel com>
To: <SMerrell () avbpgh com>
Cc: <security-basics () securityfocus com>
Sent: Wednesday, December 18, 2002 11:15 PM
Subject: RE: A Solution for sniffing

Actually, I had never heard of Anti-Sniff before. Looks interesting, but looks easily circumvented by a determined techie. Anti-Sniff has three major components:

1) NT based: Easiest way to avoid is not run Windows NT on the Sniffer :)
2) DNS: Easy way to avoid is not to use DNS on the Sniffer, take the logs from the Sniffer and use it to the DNS lookups desired at a later date on a later machine. Can easily set up a simple program to read in a table of IPs, then convert them into DNS names, and re-write the table
3) Timing with a flood: Don't know about your network, but I know I would not want to add the extra traffic of a flood of packets. Also, pretty easy to add a little intelligence into your Sniffer that if it receives X number of packets in Y number of seconds, shut down promiscuous mode temporarily. Also, with faster and faster nics coming out, more and more packets are able to be processed, thus necessitating the increase in the size of the flood, thus causing more problems associated with flooding a network.

Just some of my thoughts at least

-----Original Message-----
From: Merrell, Sam [mailto:SMerrell () avbpgh com]
Sent: Wednesday, December 18, 2002 12:18 PM
To: Orcutt, Bruce
Subject: RE: A Solution for sniffing

What about L0pht's Anti-sniff product? Is that still available?

-----Original Message-----
From: Bruce.Orcutt () alltel com [mailto:Bruce.Orcutt () alltel com]
Sent: Tuesday, December 17, 2002 12:19 PM
To: fadi () lebrocks com; security-basics () securityfocus com
Subject: RE: A Solution for sniffing

As sniffing is a passive act, there is no way that you can detect the act itself, unless you have access to the machine that's doing the possible sniffing itself.

Perhaps one of the simplest ways to ensure sniffing is made much more difficult at the least is by switching from a hub type network to a switched network. In a switched environment, other users cannot see each other's network streams, thus providing a layer of protection. Of course, like all techniques, this can be gotten around by various additional techniques, but it does make life more difficult to would-be sniffers. (ie: user installs a hub via an uplink port to switched segment, and connects target's system and a sniffing machine to the hub.)

-----Original Message-----
From: fadi () lebrocks com [mailto:fadi () lebrocks com]
Sent: Tuesday, December 17, 2002 5:41 AM
To: security-basics () securityfocus com
Subject: A Solution for sniffing

Hello Folks,

I think I am being sniffed by someone on my network, and I was wondering: is there an application to check whether I am being sniffed or not, and if I was, how can I fix that? (like PGP for mail, what about other protocols)

P.S.: Running Linux Slackware 8.1 (if that would help)

cheers,
Fadi R. Khouja

---
Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.431 / Virus Database: 242 - Release Date: 12/17/2002
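Added example, not part of the original thread: one way to do the "checking the arp tables for modifications or tampering" that David mentions, by comparing two snapshots of the Linux `/proc/net/arp` table. The snapshots, addresses and the function names `parse_arp` and `find_anomalies` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample snapshots in /proc/net/arp format (not real captures).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:0c:29:aa:00:01     *        eth0
192.168.1.20     0x1         0x2         00:0c:29:aa:00:14     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:0c:29:aa:00:63     *        eth0
192.168.1.20     0x1         0x2         00:0c:29:aa:00:14     *        eth0
192.168.1.99     0x1         0x2         00:0c:29:aa:00:63     *        eth0
"""

ATF_COM = 0x02  # kernel flag: entry is complete (has a resolved MAC)


def parse_arp(text):
    """Return {(device, ip): mac} for complete entries only."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                            # ignore malformed rows
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & ATF_COM:            # drop unresolved entries
            table[(dev, ip)] = mac.lower()
    return table


def find_anomalies(before, after):
    """Flag IPs whose MAC changed and MACs that answer for several IPs."""
    findings = []
    for key, mac in sorted(after.items()):
        if before.get(key, mac) != mac:         # known IP, different MAC
            findings.append(("mac_changed", key[1], before[key], mac))
    owners = defaultdict(list)
    for (dev, ip), mac in after.items():
        owners[(dev, mac)].append(ip)
    for (dev, mac), ips in sorted(owners.items()):
        if len(ips) > 1:                        # one NIC claiming many IPs
            findings.append(("shared_mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    print(find_anomalies(parse_arp(BEFORE), parse_arp(AFTER)))
```

Both findings can also have benign causes (a replaced NIC, a DHCP lease moving, a router doing proxy ARP), so treat them as prompts to investigate, with the gateway's entry the one to watch most closely.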