Bugtraq mailing list archives
Re: Hidden sniffer on unplumb'ed interface on Solaris
From: "Chris St. Clair" <chris_stclair () HOTMAIL COM>
Date: Mon, 8 Jan 2001 16:28:39 -0000
>After reading the following article
>(http://www.enteract.com/~robt/Docs/Howto/Sun/sniffer-trick.txt) by
>Rob Thomas, it was brought to my attention that a sniffer can be
>silently sitting on an unplumb'ed interface on Solaris. Not only is
>this dangerous for large networks, it is often hard to find. Has
>anyone ever contacted Sun about this potential problem...I'm fixing
>to try this on Solaris 8 to determine if the problem still exists.
True, this could be a very bad thing. But you can do this with almost any OS and platform; worst case cut the transmit wires of the cable you're sniffing from. We've done this for quite some time with our IDS engines, and it has worked out very nicely. The interface is tremendously difficult to detect, but still sniffs very reliably.

However, after reading Rob's paper I revisited the way I configure my stealth interfaces in Solaris 2.6 and found it was quite different. Using a null /etc/hostname.hme1 file:

/usr/sbin/ifconfig hme1 plumb -arp up

By bringing the interface up in this manner (actually plumb'ing it but not assigning it an address) you get the added functionality of being able to send forged packets out of it if you need to.

-chris
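Added example, not part of the original post: an audit check for the plumbed configuration described above (interface UP, ARP disabled, no address assigned), written as a filter over `ifconfig -a` text. The function names and the sample output are constructed for illustration, and the output layout is assumed to follow the usual Solaris `ifconfig -a` format.

```shell
#!/bin/sh
# Print interfaces that are UP, have NOARP set and carry no IPv4 address.
# Input: "ifconfig -a" text on stdin. Output: one interface name per line.
find_stealth_ifaces() {
    awk '
        # Report the interface just parsed if it met all three conditions.
        function report() {
            if (name != "" && up && noarp && !addr) print name
        }
        # Header line: "hme1: flags=8e3<UP,...,NOARP,...> mtu 1500"
        /^[^ \t].*flags=/ {
            report()
            name = $1; sub(/:$/, "", name)
            flags = $0
            sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            flags = "," flags ","
            up    = (index(flags, ",UP,") > 0)
            noarp = (index(flags, ",NOARP,") > 0)
            addr  = 0
            next
        }
        # Any inet value other than 0.0.0.0 counts as an assigned address.
        $1 == "inet" && $2 != "0.0.0.0" { addr = 1 }
        END { report() }
    '
}

# Constructed sample (not captured from a real host); addresses are
# documentation ranges and the hex flag values are illustrative.
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
hme1: flags=8e3<UP,BROADCAST,NOTRAILERS,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
hme2: flags=8e3<UP,BROADCAST,NOTRAILERS,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 192.0.2.20 netmask ffffff00 broadcast 192.0.2.255
EOF
}

sample_ifconfig | find_stealth_ifaces
```

On a live host the same filter would be fed with `ifconfig -a | find_stealth_ifaces`. An unplumbed interface does not appear in `ifconfig -a` output at all, so this check covers only the plumbed variant from the post.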