RE: Promiscuous mode detection

["Hickey, Matthew" <matt.hickey () lmco com>]

I heard ifstatus is a great tool to check if any systems are running in
promiscuous mode on your network.
The ifstatus program can be run on UNIX systems. Ifstatus checks all
network interfaces on the system and reports any that are in debug or
promiscuous mode, which may be a sign of unauthorized access to the
system. Ifstatus reports this information in a format suitable for
running the check from cron.

If the -v option is specified, ifstatus will print the name of each
interface and the hexadecimal representation of the interface's flags
word. Without the -v option, ifstatus only produces output for
problematic interfaces.

You can get it from this website:
http://www.edvz.univie.ac.at/security/cert/tools/ifstatus/


> -----Original Message-----
> From: Bruce Dennison [SMTP:dennis_b () popmail firn edu]
> Sent: Thursday, March 04, 1999 9:38 AM
> To:   nmap-hackers () insecure org
> Subject:      Promiscuous mode detection
>
>
> Greetings,
>
> I dont mean to change the subject or appear too terribly lame, but I
> am
> hoping that one of the members can point me in the right direction on
> something I have been unable to locate.
>
> I am a system administrator on a large private WAN.  I have also
> recently
> been made 'security officer' ... great.  I have installed Nmap, its
> wonderful ... I am sure you all know this.  I have installed Sentry to
> monitor my ports and it is also a great product.  My problem is this
> .... I
> at least try to keep my system secure (Redhat 5.2), but with Nmaps
> help I
> have discovered that the rest of the admins around here are as lame as
> they
> come.  I have been showing them the results of my scans and they
> havent a
> clue.  I suspect they are ripe for cracking.  I have also installed
> Sniffit
> and we also have a dedicated sniffer up.  I need to be able to find
> out if
> there are any other ether cards in promiscuous mode on our local net.
> The
> admins of the other machines here wouldnt know if it they had been
> assimilated by a Bourg Collective.  I gotta have a way to discover
> unauthorized sniffers installed on other equipment.
>
> I have searched for several days at every site on my
> hacker/cracker/underground bookmark list to no avail.  Its such a
> needed
> application I figure someone must have written one long ago.  
>
> Anyone know of a good tool/method/procedure for locating promiscuous
> NICs?
>
> I appologize for using this wonderful mailing list for something other
> than
> discussing Nmap ... forgive a poor frustrated lamer who is trying to
> improve other peoples poor security habits (and learn a bit in the
> process).
>
> Thanx
>
> Bruce
> ______________________________________________________________________
> ___
>
> Bruce Dennison                                Phone:     (850)
> 487-8672  
> Senior Systems Programmer             SunCom:    277-8672
> FIRN, Network Management              FAX:       (850) 922-1359
> Florida Education Center, B1-14       dennis_b () popmail firn edu
> 325 W. Gaines St.                             FSU Campus mail
> code:1620
> Tallahassee. FL  32399-0400
>
>       FIRN Network Maintenance Window: Daily 6:00AM - 7:30AM
>       To report network problems: 850.487.8657 or s/277.8657