Educause Security Discussion mailing list archives

Re: consequences for student hacking


From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Tue, 19 Feb 2008 23:13:36 -0400

"Let's face it, there's zillions of tools that will snarf packets literally
out of thin air, without transmitting any themselves."

On most networks (switched and vlan'd) you should get very little w/o injecting something. The info you do get, while somewhat useful for leveraging other attacks, will not in itself give you any passwords. Well, maybe some SNMP1/2 community strings - but that's not really a password.

If someone starts flooding CAM tables or they arp poison a gateway, well, that's an entirely different story - and quite easy to trace.

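The "quite easy to trace" point above rests on one observable: a gateway address that is suddenly announced by a second hardware address. The following is an added example, not code from the post or from any EDUCAUSE project. It takes (time, sender IP, sender MAC) tuples as you might extract from ARP replies mirrored to a monitoring port, reports every reply that claims a protected IP with a MAC other than the known one, and lists all claimants per IP. The protected map and the sample replies are constructed.

```python
"""Trace a spoofed gateway: flag ARP replies that claim a protected IP with an
unexpected MAC.

Added example (not from the list post). Input records are (unix_time,
sender_ip, sender_mac) tuples; the PROTECTED map and SAMPLE_REPLIES below are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ArpReply = Tuple[float, str, str]  # (unix_time, sender_ip, sender_mac)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def claimants(replies: Iterable[ArpReply]) -> Dict[str, Set[str]]:
    """Every MAC that has claimed each sender IP. A protected IP with more
    than one claimant is the signature of a poisoned gateway entry."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[ip].add(normalize_mac(mac))
    return dict(seen)


def find_conflicts(replies: Iterable[ArpReply], protected: Dict[str, str]) -> List[dict]:
    """One alert per ARP reply in which a protected IP (gateway, DNS, ...) is
    announced with a MAC other than the one the network team knows. The
    claimed MAC is the handle for tracing: the switch CAM table tells you
    which port it was learned on."""
    expected = {ip: normalize_mac(mac) for ip, mac in protected.items()}
    alerts: List[dict] = []
    for ts, ip, mac in replies:
        if ip not in expected:
            continue
        mac = normalize_mac(mac)
        if mac != expected[ip]:
            alerts.append({"time": ts, "ip": ip,
                           "claimed_mac": mac, "expected_mac": expected[ip]})
    return alerts


# Constructed sample: the real gateway answers twice, then the station that
# owns 10.0.0.57 starts answering for the gateway address as well.
PROTECTED = {"10.0.0.1": "00:11:22:33:44:55"}
SAMPLE_REPLIES: List[ArpReply] = [
    (1203477000.0, "10.0.0.1", "00:11:22:33:44:55"),
    (1203477001.0, "10.0.0.57", "00:aa:bb:cc:dd:01"),
    (1203477002.0, "10.0.0.1", "00:11:22:33:44:55"),
    (1203477003.0, "10.0.0.1", "00-AA-BB-CC-DD-01"),
    (1203477004.0, "10.0.0.1", "00:aa:bb:cc:dd:01"),
]

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE_REPLIES, PROTECTED):
        print(f"{alert['time']:.0f} {alert['ip']} claimed by {alert['claimed_mac']} "
              f"(expected {alert['expected_mac']})")
    print("claimants:", claimants(SAMPLE_REPLIES))
```

Because the offending MAC in the sample also answered for its own address (10.0.0.57) a moment earlier, the two views together link the spoofed gateway to a specific station, which is the sense in which the post calls this easy to trace.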
________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Valdis Kletnieks
Sent: Tue 2/19/2008 7:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] consequences for student hacking



On Tue, 19 Feb 2008 14:38:00 MST, Bob Henry said:

> That's the theory.  I'm looking for a reality check.  What do your
> institutions do when you catch a student sniffing the wired or wireless
> network for userID's and passwords?

More realistically, how *do* you determine that somebody is "sniffing"?
Let's face it, there's zillions of tools that will snarf packets literally
out of thin air, without transmitting any themselves.  Many more will snarf
stuff up, even while the machine in question is doing totally innocuous other
things.

At one SANS-EDU a number of years ago, I was able to set up a 'tcpdump' that
determined who was using plaintext protocols (in order to specifically avoid
catching user/password pairs, I narrowed the capture to only those SYN packets
to ports that would have a userid/password in the clear in the next few packets
(ports 21, 109, and so on)).  At the break, I announced "This is a class on
wireless security. We have about 300 people in this room, of which some 110
have logged into something using cleartext userid/password".  The room goes
nuts, as the guilty 110 realize what's happened. I then said "Don't worry, I
was specifically careful to only catch SYN packets".  The room quiets down. I
then add "But I have no idea what those 5 guys sitting out in the atrium are
doing..."  :)

The reality check:

You really don't know it happened until the perpetrator actually *uses*
one of the snarfed passwords - at which point you can string them up by
the whatziz for use of a stolen password.
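The SANS-EDU capture above works because a bare SYN to port 21 or 109 tells you a cleartext login is about to happen without ever recording the login itself. The following is an added example, not the tcpdump from the post: it builds the equivalent capture filter and then tallies, from tcpdump-style summary lines, which client hosts opened sessions to cleartext-login ports. Assumptions: the port list extends the post's "21, 109, and so on" with other classic cleartext-login ports (23, 110, 143); the line format is typical `tcpdump -nn` IPv4 output; the sample lines are constructed.

```python
"""Count which hosts started a session on a cleartext-login port, from SYNs only.

Added example (not the capture described in the post). It keeps the post's
idea of capturing only the client SYN, never the packets that carry the
userid/password, and reports per source host which cleartext ports it used.
CLEARTEXT_LOGIN_PORTS and SAMPLE_LINES are assumptions/constructed data.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Assumed expansion of the post's "21, 109, and so on".
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 109: "pop2", 110: "pop3", 143: "imap"}

# tcpdump -nn style: "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def bpf_filter(ports: Iterable[int] = CLEARTEXT_LOGIN_PORTS) -> str:
    """Capture filter that keeps only bare SYNs (not SYN-ACKs) to the listed
    ports, so credential-bearing packets are never written to disk."""
    port_clause = " or ".join(f"dst port {p}" for p in sorted(ports))
    return f"tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and ({port_clause})"


def parse_line(line: str) -> Optional[dict]:
    """Parse one tcpdump summary line; None for lines that are not TCP/IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def cleartext_logins(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Map each client IP to the cleartext-login ports it sent a SYN to.
    Flags 'S' is a client SYN; 'S.' would be the server's SYN-ACK."""
    result: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] == "S" and pkt["dport"] in CLEARTEXT_LOGIN_PORTS:
            result[pkt["src"]].add(pkt["dport"])
    return dict(result)


# Constructed sample: one FTP login, one POP3, two IMAP from the same host,
# one HTTPS (ignored) and one server SYN-ACK (ignored).
SAMPLE_LINES = [
    "10:00:01.000001 IP 10.1.2.3.51234 > 192.0.2.10.21: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.000500 IP 192.0.2.10.21 > 10.1.2.3.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "10:00:02.000001 IP 10.1.2.4.40000 > 192.0.2.20.110: Flags [S], seq 3, win 65535, length 0",
    "10:00:03.000001 IP 10.1.2.3.51240 > 192.0.2.30.443: Flags [S], seq 4, win 65535, length 0",
    "10:00:04.000001 IP 10.1.2.5.40001 > 192.0.2.20.143: Flags [S], seq 5, win 65535, length 0",
    "10:00:04.000002 IP 10.1.2.5.40002 > 192.0.2.20.143: Flags [S], seq 6, win 65535, length 0",
]

if __name__ == "__main__":
    print("capture filter:", bpf_filter())
    hosts = cleartext_logins(SAMPLE_LINES)
    print(f"{len(hosts)} host(s) used a cleartext login port")
    for ip, ports in sorted(hosts.items()):
        print(ip, ", ".join(CLEARTEXT_LOGIN_PORTS[p] for p in sorted(ports)))
```

The filter string is the part to reuse: handing it to tcpdump means the capture file holds nothing a later reviewer could turn into a credential, which is exactly the guarantee the post's "only catch SYN packets" line rests on.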
