Honeypots mailing list archives
RE: [inbox] undetectable NIC in promiscuous mode
From: "Weaver, Woody" <woody.weaver () spcorp com>
Date: Fri, 5 Mar 2004 14:31:56 -0500
From: Curt Purdy [mailto:purdy () tecman com]
A sure way to avoid detection is to snip your TX lines 1&2.
<nit>
...except that even if you are not transmitting, you are still establishing carrier. In a *really strongly controlled* environment, a switch port that was live but was supposed to have no hosts attached would be a give-away. In a *paranoid* environment, the loss of carrier (while you attached a hub to the live port) without explanation would be a give-away.

So what you would have to do is find a live cable, and do something like use inductance to reproduce the electrical signal in the cable, and then you could monitor the connection at will.

In a *dead paranoid, tempest filled environment* it's all fiber, of course...
</nit>

--woody

Woody Weaver                      cell: 301 524 8138 (best)
Manager, GIT Security Planning    mail: woody.weaver () spcorp com
Schering-Plough, Madison NJ       land: 908 298 4953
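The two give-aways named in the message above (carrier on a port that should have no host, and a loss of carrier with no explanation) can be checked from switch link-state logs. The following is an added example, not part of the original post: the log lines are constructed in the style of Cisco IOS `%LINK-3-UPDOWN` messages, and the port inventory, maintenance windows and function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of Cisco IOS %LINK-3-UPDOWN messages.
SAMPLE_LOG = """\
2004-03-05T09:00:02 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
2004-03-05T10:15:40 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
2004-03-05T10:16:05 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
2004-03-05T22:30:00 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
2004-03-05T22:31:10 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) %LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)$")

def find_carrier_anomalies(log_text, unused_ports, maintenance_windows):
    """Return (timestamp, switch, port, reason) tuples.
    unused_ports: set of (switch, port) that should never have carrier.
    maintenance_windows: {(switch, port): [(start, end), ...]} of approved work.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a link-state event
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3))
        state = m.group(4)
        if key in unused_ports:
            if state == "up":  # live port that should have no host attached
                alerts.append((ts, *key, "carrier on port that should be empty"))
            continue
        if state == "down":  # in-use port lost carrier: was it approved work?
            approved = any(start <= ts <= end
                           for start, end in maintenance_windows.get(key, []))
            if not approved:
                alerts.append((ts, *key, "unexplained loss of carrier"))
    return alerts

def demo():
    unused = {("sw1", "FastEthernet0/7")}  # hypothetical inventory
    windows = {("sw1", "FastEthernet0/4"): [
        (datetime(2004, 3, 5, 22, 0), datetime(2004, 3, 5, 23, 0))]}
    return find_carrier_anomalies(SAMPLE_LOG, unused, windows)

if __name__ == "__main__":
    for alert in demo():
        print(*alert, sep="  ")
```

As the message notes, this only covers taps that disturb or establish carrier; an inductive tap on a live cable produces no link-state event to log.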