Security Basics mailing list archives

Re: False negative on anti sniffing programme.


From: captgoodnight () acsalaska net
Date: Fri, 18 Jun 2004 16:45:06 -0800

On Thursday 17 June 2004 07:03 am, asharma () ita hsr ch wrote:

followed the approach of sending arp request packets to the IP of the
machine with the arp address resembling but not equal to a broadcast
address. I am receiving good responses from most of test runs, however
some linux based machines - with Kernel 2.4.20-8 and 2.4.18 seem to
be responding to these packets despite not being in promiscuous mode.
I fail to understand why this should be possible.
Your comments would be invaluable.

Just got done working on this. The best info I found on the subject was from this pdf.

http://securityfriday.com/promiscuous_detection_01.pdf

I personally use 

http://www.habets.pp.se/synscan/programs.php

The syntax I use is

./arping -s 00:50:2C:08:97:F0 -S 192.168.0.4 -t FF:FF:FF:FF:FF:FE xxx.xxx.xxx.xxx
                 ^src mac                   ^src ip               ^bad brdcst          ^target

Works like a charm. As for the unexpected results you're having, read page 13 of the pdf. It mentions
some 3com nics and unexpected results. This may be the issue; there's a solution.

Also, decoys are a sneaky way to detect baddies too. I use netcat to throw PASS/USER decoy packets out on the
network. If I see these in the logs where they're not supposed to be, then there's an issue.

I hope that helps.

captgoodnight
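
The ARP test discussed in this thread, as an added example that is not part of the original post or of the arping tool: it builds the who-has request addressed to FF:FF:FF:FF:FF:FE and checks captured frames for a matching reply. The target IP, the replying host's MAC and all function names are constructed for illustration.

```python
import struct

FAKE_BCAST = bytes.fromhex("fffffffffffe")  # FF:FF:FF:FF:FF:FE, as in the post

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Ethernet II header (EtherType 0x0806) plus a 28-byte IPv4 ARP body."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def build_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BCAST):
    """ARP request (opcode 1) sent to a near-broadcast destination MAC."""
    s = mac(src_mac)
    return arp_frame(dst_mac, s, 1, s, ip(src_ip), b"\x00" * 6, ip(target_ip))

def parse_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return frame[22:28], frame[28:32]

def answered_probe(captured, probe):
    """True if a captured frame is a reply from the probed IP to our MAC."""
    our_mac, target_ip = probe[6:12], probe[38:42]
    for f in captured:
        r = parse_reply(f)
        if r and r[1] == target_ip and f[0:6] == our_mac:
            return True
    return False

# Constructed sample data: the probe uses the addresses from the post; the
# target IP and the replying host's MAC are made up.
PROBE = build_probe("00:50:2C:08:97:F0", "192.168.0.4", "192.168.0.9")
HOST = mac("00:11:22:33:44:55")
REPLY = arp_frame(PROBE[6:12], HOST, 2, HOST, ip("192.168.0.9"),
                  PROBE[6:12], ip("192.168.0.4"))

if __name__ == "__main__":
    # A reply means the NIC passed the frame up the stack; per the thread,
    # some drivers do this without promiscuous mode, so treat it as a lead.
    print("answered fake broadcast:", answered_probe([REPLY, PROBE], PROBE))
```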


