IDS mailing list archives

RE: Counter detect Network Sniffer


From: "Fergus Brooks" <fergusb () evolve-online com>
Date: Wed, 25 Feb 2004 09:14:46 +0800


Great method, I hadn't thought of that. It will get most, but it will only get
interfaces that aren't in stealth mode; hosts without an IP address on their
sniffing interface will not respond to these requests.

Also, if you are looking for sniffers on your network that may have been
placed there by slightly (or very) bent internal or external
network/security staff, then go no further than checking for ports that are
configured as mirror/spanning ports on your switches that shouldn't be.

There has been some discussion on this thread about how switches suck for
sniffing, especially if they are unconfigurable. Do remember, though, that
locked-down switches and no hubs are only part of it. Someone could run a
sniffer on one of your servers and get a lot of information regardless of
the way that machine connects to the network. I guess this is where HIDS can
help.

Rgds..

-----Original Message-----
From: M. Dodge Mumford [mailto:dodge () nfr net] 
Sent: Tuesday, 24 February 2004 11:05 PM
To: ald2003 () users sourceforge net
Cc: Bill Mok; focus-ids () securityfocus com
Subject: Re: Counter detect Network Sniffer

Aditya, ALD [Aditya Lalit Deshmukh] said:
> M. Dodge Mumford:
> > - Send packets from bizarre network addresses, and look for DNS PTR
> >   requests.
>
> How does this work? Guess I will have to look & search with google ...

Pretty simply, really. If you run tcpdump without the -n option, it attempts
to resolve IP addresses into domain names. If you inject traffic from (say)
127.1.2.3 (or any other address you should _never_ see on a live network),
and then if you see a DNS PTR request for it, you know the host that sent
the PTR is sniffing traffic.

-- 

Dodge
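The PTR-lookup check Dodge describes, as an added example that is not part of the original thread and not code from either author. It assumes the bait address is one that must never appear on the LAN (127.1.2.3, as in the thread), that DNS queries can be observed as raw UDP payloads (for instance from a capture taken at the resolver), and that the sample queries at the bottom are constructed for the demonstration; send_bait() needs raw-socket privileges and is not run at import. As Dodge notes, this only catches sniffers that resolve addresses (tcpdump without -n), so a miss is not evidence that nobody is sniffing.

```python
# Added example (not from the thread): the DNS PTR bait described above.
# Assumptions: bait addresses never legitimately appear on the LAN (127.1.2.3
# as in the thread), and DNS queries are observed as raw UDP payloads, e.g.
# from a capture at the resolver.  SAMPLE_QUERIES below is constructed.
import socket
import struct

QTYPE_A = 1
QTYPE_PTR = 12


def ptr_name(ip):
    """Reverse-map name a resolver looks up for an IPv4 address (RFC 1035)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name, qtype, txid=0x1234):
    """Minimal DNS query (header + one question); used to build sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload):
    """Return (qname, qtype) of the first question in a DNS query, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:          # a response, or no question section
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                            # compression pointer: invalid in a question
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def find_sniffers(bait_ips, observed):
    """observed: iterable of (querying_host, dns_payload).  Returns the hosts
    that asked for a PTR record of a bait address: no legitimate traffic ever
    carried that address, so the asking host must have sniffed it."""
    bait_names = {ptr_name(ip) for ip in bait_ips}
    hits = set()
    for host, payload in observed:
        q = parse_dns_question(payload)
        if q and q[1] == QTYPE_PTR and q[0].lower() in bait_names:
            hits.add(host)
    return hits


def checksum(data):
    """RFC 1071 ones'-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def bait_packet(src, dst, ident=0xBEEF):
    """IPv4 + ICMP echo request carrying the bait (spoofed) source address."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"bait"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def send_bait(src, dst):
    """Put the bait on the wire.  Needs root/CAP_NET_RAW; not called at import."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(bait_packet(src, dst), (dst, 0))


# Constructed sample: DNS queries from three hosts as seen at the resolver.
SAMPLE_QUERIES = [
    ("10.0.0.5", build_dns_query("www.example.com", QTYPE_A)),
    ("10.0.0.9", build_dns_query(ptr_name("127.1.2.3"), QTYPE_PTR)),
    ("10.0.0.7", build_dns_query(ptr_name("10.0.0.5"), QTYPE_PTR)),
]

if __name__ == "__main__":
    print(find_sniffers(["127.1.2.3"], SAMPLE_QUERIES))    # {'10.0.0.9'}
```

In practice you would call send_bait() a few times from a host you control, capture DNS traffic at the resolver or on a SPAN port, and feed (source host, UDP payload) pairs into find_sniffers(); 10.0.0.7 above asks for a PTR of a real address and is correctly ignored.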