Honeypots mailing list archives

RE: [inbox] undetectable NIC in promiscuous mode


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 5 Mar 2004 20:09:30 -0500

In preparing my upcoming book on honeypots I played around with all
these ideas a bit.  And here's what I found:  

1.  Removing the IP address only works on some OS's and not others. For
example, in Windows you cannot have the IP stack installed and have no
IP address.  It wants something.  If you choose DHCP and don't let it
get one from a DHCP server, W2K and above will just grant itself an
APIPA address (168.254.x.x/16).  If you remove the IP stack, I found hit
and miss problems.  For example, Ethereal will give two start up errors
regarding the IP stack saying Winpcap needed IP running to work (not
true), but then capture all packets going by on the wire...and then
crash (losing all info) when you stop the capturing and try to see the
detail of the results.

2.  Cutting the transmit lines doesn't work on most of today's
intelligent devices (i.e. switches, etc.).  As others said, no link
light, port is inactivated.

3.  Inducing interference into the line to cause transmission problems
worked, but was spotty, and definitely not great looking.  There are a
few diagrams around on the Internet to do it, and it's simple enough (if
you don't mind a little soldering and funky looking cables).  But when I
was carrying the cables around from client site to client site, I often
broke them...or had to take special care of them.  And I could not
always find the parts I needed at Radio Shack.  Not ideal.

The next two options are better.

4.  Buy an Ethernet tap...works like a charm.

5.  Buy an intelligent switch and do port mirroring (aka port trunking,
port spanning, MIB management, remote management console, etc.).  The
key here is to find out ahead of time if the switch you are using does
port mirroring, and if so, how well the port mirroring works.  Some
switches only monitor one direction of traffic.  Others only let you
monitor one port at a time, others only capture limited information (not
full packet decodes), and some switches only let you capture the
information locally through a serial console port.  Do your research.
Generally, ask if the switch has an IP address first and can be
"managed".  This is geek-to-salesman code so they get you into the right
class of switches instead of all the cheap stuff that can't be managed
and doesn't have port mirroring.  The cheapest, new, managed switches I
could find were around $600, but I forget the brand name because I
usually go with name brand stuff.  If it doesn't have an IP address, but
can be "managed", then usually it's a serial management port or some
type of management software of limited management capability and no port
mirroring.  On a good note, it's easy to pick up older switches with the
right capability for under $50 bucks.

I use port mirroring at home in my controlled environment and an
Ethernet tap for on the road stuff...where I don't want to be lugging
along a switch.  I could see a tap being easier in any enterprise
environment if I had to go location to location in my searches.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
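Option 1 above (an interface with no IP address) is workable on Linux, and it can be verified rather than trusted. The following is an added example for this thread, not code from Roger, Chris or any product they mention: it emits the iproute2 commands that bring up a capture-only interface (no address, promiscuous, ARP off) and checks the resulting `ip addr show` text for anything that would make the sensor talk. The interface name `eth1`, the `APPLY` switch and the two sample outputs are assumptions constructed for the example. One caveat beyond what the thread discusses: on a modern kernel IPv6 must be disabled on the interface as well, otherwise it autoconfigures a link-local address and transmits neighbour/router solicitations as soon as the link comes up.

```shell
#!/bin/sh
# Added example, not code from the thread: make a Linux interface capture-only
# (no IP, promiscuous, no ARP, no IPv6 autoconfig) and check the result.
# Assumes iproute2; "eth1" is a placeholder interface name.

IFACE="${IFACE:-eth1}"

# Commands that configure a silent capture interface. IPv6 is disabled first:
# without that the kernel assigns a link-local address on link-up and sends
# neighbour/router solicitations, which gives the sensor away just as an
# IPv4 address would. Link itself is still negotiated (no link, no traffic).
sniff_iface_commands() {
    cat <<EOF
sysctl -w net.ipv6.conf.$1.disable_ipv6=1
ip addr flush dev $1
ip link set dev $1 arp off
ip link set dev $1 promisc on
ip link set dev $1 up
EOF
}

# Given the text of "ip addr show dev <iface>", succeed only if the interface
# is UP and PROMISC, has NOARP set, and carries no inet/inet6 address.
check_silent_iface() {
    printf '%s\n' "$1" | grep -q 'inet' && return 1
    printf '%s\n' "$1" | grep -q 'NOARP' || return 1
    printf '%s\n' "$1" | grep -q 'PROMISC' || return 1
    printf '%s\n' "$1" | grep -q '[<,]UP[,>]' || return 1
    return 0
}

# Human-readable wrapper around check_silent_iface.
iface_status() {
    if check_silent_iface "$1"; then echo silent; else echo noisy; fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SILENT='2: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Same interface, but IPv6 was left enabled: a link-local address appeared.
SAMPLE_NOISY='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever'

# Set APPLY=1 to really configure $IFACE (needs root); otherwise only the
# command list is printed and the two samples are classified.
if [ "${APPLY:-0}" = 1 ]; then
    sniff_iface_commands "$IFACE" | sh -e
    iface_status "$(ip addr show dev "$IFACE")"
else
    sniff_iface_commands "$IFACE"
    echo "sample 1: $(iface_status "$SAMPLE_SILENT")"
    echo "sample 2: $(iface_status "$SAMPLE_NOISY")"
fi
```

Run it without `APPLY` to see the command list and the two sample verdicts; with `APPLY=1 IFACE=eth1` as root it applies the commands and then classifies the live interface. A `noisy` verdict on the live interface is the signal to look for a leftover address or a distribution network manager re-adding one.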

-----Original Message-----
From: Chris Brenton [mailto:cbrenton () chrisbrenton org] 
Sent: Friday, March 05, 2004 3:49 PM
To: Curt Purdy
Cc: Jose_Maria_Gonzalez () dell com; honeypots () securityfocus com
Subject: RE: [inbox] undetectable NIC in promiscuous mode

On Fri, 2004-03-05 at 12:29, Curt Purdy wrote:

> Yes, there are protocols that do not depend on ip such as arp, dhcp,
> and others.

Humm, I've never seen this myself. Please describe a situation I can try
and duplicate where an interface that does not have IP bound to it would
start transmitting ARP or DHCP packets.

> A sure way to avoid
> detection is to snip your TX lines 1&2.

This _does not_ work. I have tried this with both switches and hubs from
3COM, Cisco, D-Link & Netgear. Cutting the TX lines means you cannot
initialize the port to establish link. No link means you will not see
traffic.

HTH,
C