Penetration Testing mailing list archives

Re: [PEN-TEST] Promiscuous mode detection


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Thu, 14 Sep 2000 17:03:36 -0500

I've personally used AntiSniff (on NT and OpenBSD) and it works very well
if you're in a position to sniff THEIR connection, too... if you're on a
switch or a different segment, it becomes much harder.

I'd recommend picking up a copy of "Hack Proofing Your Network" (or
borrowing a copy) and read chapter 9... Heck, go to Borders and read
chapter 9 while you sit there... it's not a long chapter, but it has
all sorts of good info on sniffers and their detection... I'll mention
a few here:

Contacting a bizarre host, and sniffing for another machine to DNS-lookup
that host

Checking for latency (ping time).  Compare its current latency to its
latency from a known clean state from the same network location (usually
on same segment, or errors are just too frequent)

I could easily recommend:
neped.c
AntiSniff

And some reading...


-----Original Message-----
From: Stefan Suurmeijer [mailto:stefan () SYMBOLICA NL]
Sent: Thursday, September 14, 2000 3:54 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Promiscuous mode detection


Hi,

I was wondering if people on this list can point me to some good software
for detecting NICs in promiscuous mode. Someone mentioned sentinel in
connection with the email sniffing thread. I found this at
http://www.subterrain.net/projects/sentinel/ but I don't know if this is
any good. Has anyone had good experiences with either this or
another package?

Thanks,

Stefan
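
The DNS-lookup check mentioned in the reply above, sketched as an added example that is not part of the original thread or of any tool it names: after sending traffic addressed to an unused decoy address, any other host that issues a reverse (PTR) lookup for that address must have seen frames not meant for it. The log format, addresses, timestamps and the function name `find_decoy_lookups` are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not real traffic. Hypothetical simplified format:
# "<epoch> <source_ip> <qtype> <qname>", one observed DNS query per line.
SAMPLE_QUERIES = """\
968968000.10 192.0.2.10 A www.example.com.
968968001.42 192.0.2.23 PTR 77.113.0.203.in-addr.arpa.
968968001.90 192.0.2.10 PTR 5.2.0.192.in-addr.arpa.
968968002.05 192.0.2.23 PTR 77.113.0.203.IN-ADDR.ARPA.
968968003.00 192.0.2.50 PTR 77.113.0.203.in-addr.arpa.
this line is malformed
968968004.00 192.0.2.31 A 77.113.0.203.in-addr.arpa.
968968100.00 192.0.2.44 PTR 77.113.0.203.in-addr.arpa.
"""


def find_decoy_lookups(log_text, decoy_ip, probe_time, probe_sender, window=5.0):
    """Map source IP -> timestamps of PTR queries for decoy_ip seen within
    `window` seconds after the probe, ignoring the probing host itself."""
    wanted = ipaddress.ip_address(decoy_ip).reverse_pointer.lower()
    sender = ipaddress.ip_address(probe_sender)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the format
        try:
            ts = float(fields[0])
            src = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # unparsable timestamp or address
        qtype, qname = fields[2].upper(), fields[3].lower().rstrip(".")
        if qtype != "PTR" or qname != wanted:
            continue  # only reverse lookups of the decoy address count
        if src == sender or not (probe_time <= ts <= probe_time + window):
            continue  # our own resolver traffic, or outside the test window
        hits[str(src)].append(ts)
    return dict(hits)


if __name__ == "__main__":
    suspects = find_decoy_lookups(SAMPLE_QUERIES, "203.0.113.77",
                                  probe_time=968968001.0, probe_sender="192.0.2.50")
    for host, times in sorted(suspects.items()):
        print(f"{host} resolved the decoy {len(times)}x: possible sniffer")
```

A hit only shows that the host saw the decoy traffic and resolved it; a sniffer with name resolution turned off produces no lookup, so an empty result does not clear a segment.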

