Penetration Testing mailing list archives

Re: Spyware assessment techniques - hub?


From: Packet Man <packetman () altsec info>
Date: Sun, 12 Feb 2006 13:11:30 -0600

Petr.Kazil () eap nl wrote:
>> If you are doing a host:
>> - interrupt the host's uplink with a hub and plug your snort box in.
>> You could have this all set up on a laptop.
>
> I have tried this but run into problems:
>
> - Real hubs are (almost?) impossible to get nowadays. Even the cheapest "hub" is really a switch. If you know where I can find a hub-like network component, then I'll order it right away.
> - I was able to buy the last real hub from a PC-shop, but it was only 10Mbps and it refused to work with my 100Mb cards and switches.

If you can't do port mirroring on the switch itself, you
could build a passive network tap for under US$30.00,
or so.  Or, the alternative is a commercial network tap
for around US$1,000.00.

I've been building and using them for several years
now, but only recently have started documenting their
finer points (NIC selection is critical).  For more
info on building and using a passive network tap, see
my paper at: http://www.altsec.info/passive-network-tap.html

I'm working on an updated paper right now regarding the
error rates.  I've been testing with combinations of NIC's
that produce ZERO errors on 100Mb connections.  I expect to
update the paper with the suggestions within the next week.

BTW... a must read for such things is "The TAO of Network
Security Monitoring" by Richard Bejtlich.  Check out his
site at:  http://www.taosecurity.com/books.html

BTW... since the technique really belongs in the IDS
list, I cross-posted this message there.

Good luck.

--
Excellence in InfoSec and Linux
http://www.altsec.info
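The thread turns on one question: does the sniffer NIC actually receive the monitored host's traffic, or is it sitting on an ordinary switch port that only hands it broadcasts and its own frames? The check below is an added example, not code from either poster or from the altsec.info paper. It classifies raw Ethernet frames from a short test capture and reports whether unicast between *other* hosts is visible, which is what a working hub, passive tap or mirror port delivers. All MAC addresses and frames in it are constructed for the illustration; in practice you would feed it the frames from whatever capture tool you use.

```python
"""Check a monitoring position: hub / passive tap / mirror port vs. plain switch port.

On a switched segment without port mirroring, a sniffer NIC receives only
broadcast/multicast frames and frames addressed to its own MAC.  A hub, a
passive tap or a mirror port additionally delivers unicast frames exchanged
between other hosts.  Counting frame categories in a short capture therefore
shows whether the capture point sees the target host before an IDS is left
running on it for hours.
"""
import struct

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def is_group_address(mac: bytes) -> bool:
    # Group bit (broadcast or multicast) is the low bit of the first octet.
    return bool(mac[0] & 0x01)

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype

def classify_capture(frames, sniffer_mac: bytes) -> dict:
    """Count frames by category relative to the sniffer's own MAC."""
    summary = {"own": 0, "broadcast_multicast": 0, "third_party_unicast": 0}
    pairs = set()
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if dst == sniffer_mac or src == sniffer_mac:
            summary["own"] += 1
        elif is_group_address(dst):
            summary["broadcast_multicast"] += 1
        else:
            # Unicast that neither came from nor went to the sniffer: only a
            # hub, tap or mirror port would have delivered this frame.
            summary["third_party_unicast"] += 1
            pairs.add(tuple(sorted((mac_str(src), mac_str(dst)))))
    summary["sees_third_party_unicast"] = summary["third_party_unicast"] > 0
    summary["third_party_pairs"] = sorted(pairs)
    return summary

def verdict(summary: dict) -> str:
    if summary["sees_third_party_unicast"]:
        return "capture point sees other hosts' unicast: hub, tap or mirror port is working"
    return "only own and broadcast/multicast frames seen: looks like an unmirrored switch port"

def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (constructed test data, no checksum)."""
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed addresses for the illustration (not real hosts).
SNIFFER = bytes.fromhex("00aabbcc0001")   # the laptop running the sniffer
TARGET = bytes.fromhex("00aabbcc0002")    # the host under assessment
GATEWAY = bytes.fromhex("00aabbcc0003")   # its default gateway
BROADCAST = b"\xff" * 6
ETH_IP, ETH_ARP = 0x0800, 0x0806

# What an unmirrored switch port hands the sniffer: a broadcast ARP from the
# target plus the sniffer's own conversation with the gateway.
SWITCH_PORT_CAPTURE = [
    make_frame(BROADCAST, TARGET, ETH_ARP),
    make_frame(SNIFFER, GATEWAY, ETH_IP),
    make_frame(GATEWAY, SNIFFER, ETH_IP),
]

# What a hub, tap or mirror port adds: the target's own unicast traffic.
TAP_CAPTURE = SWITCH_PORT_CAPTURE + [
    make_frame(GATEWAY, TARGET, ETH_IP),
    make_frame(TARGET, GATEWAY, ETH_IP),
]

if __name__ == "__main__":
    for name, frames in (("switch port", SWITCH_PORT_CAPTURE), ("tap", TAP_CAPTURE)):
        s = classify_capture(frames, SNIFFER)
        print(f"{name}: {s['own']} own, {s['broadcast_multicast']} bcast/mcast, "
              f"{s['third_party_unicast']} third-party unicast -> {verdict(s)}")
```

Two caveats when reading the result. The sniffer NIC must be in promiscuous mode, otherwise the kernel discards foreign unicast even on a hub and the check will wrongly report a switch port. And with a passive tap each direction of the link arrives on a separate receive-only NIC, so run the check on the merged frames from both capture interfaces; the "own" count will then be zero, which is expected, and the third-party unicast count is what matters.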
