Re: Firewall and IDS, (the second way).

[Anthony Stevens <astevens () chaotic org>]

There is another way of detecting an interface in promiscuous mode..
However, it doesn't always work.

The basic idea is to spoof the destination mac address of the ip your
wanting to check. If the machine is in promiscuous mode, the ethernet card
should send your packet to the ip stack, even though the mac address
normally wouldn't get picked up by the card. The machine then sees that
the IP address is for itself, and responds appropriately.

For example:
Target machine's ip address is 10.1.0.5 .. it's real mac address is
33:ff:aa:f1:a1:bc .. We send a packet which is destined for 10.1.0.5, but
have the mac address destined for aa:aa:aa:aa:aa:aa (anything other that
broadcast, and it's actual mac address) .. If the machine replies, it
is probably in promiscuous mode. Of course, this really depends on the
network card, since I have seen some cards that forward everything to the
IP stack, even though it wasn't in promiscuous mode.

Btw, you don't really need any special tools to do this, since you could
just hardcode the ip to mac translation into your arp table.

Anthony
http://www.chaotic.org/guardian/index.html  Version 1.7!

On 16 Mar 2002, Timothy J. Miller wrote:

> On Fri, 2002-03-15 at 12:41, sekure () hadrion com br wrote:
>
> > I'm "walking" by the internet finding about paper/techniques that can be
> > used to detect systemn with IDS installed. Try to detect
> > snort/snort+aide/quinds/.../ somebody know something like it ??
>
> There's only two ways of detecting an IDS that I know.
>
> 1) Look for the data stream from a remote sensor (sniffer) to wherever
> it's stored and/or analyzed, or look for the alerts generated by the
> IDS.
>
> This isn't very useful, since it presupposes some measure of access to
> the network in question.  And if you've already got that, the IDS has
> probably already alerted on you unless you're very, very paranoid and
> very, very skilled.
>
> 2) Timing detection.  AntiSniff from l0pht uses this method.
>
> The theory goes like this:  a network card usually discards ethernet
> frames not destined for it, without passing those frames into software
> processing.  A card in promiscuous mode will process and forward up the
> stack *all* frames.
>
> So, you spend time pinging all systems on a network and collect the
> average timing.  Then you flood the network with garbage packets.  NICs
> not in promiscuous mode will ignore the trash, but any operating sniffer
> will process them all, slowing the system some (hopefully) measurable
> mount.  In the middle of the flood, you ping everything again.  Any
> system that shows a statistically significant deviation from previous
> timings is likely running a sniffer.
>
> This also isn't very useful for remote sniffer detection.  You need
> access to the local network to inject all the garbage packets, and it's
> noisy as hell.  (Attempting to do this from *outside* the local segment
> fails because normal variation in RTTs in the wild internet makes the
> collected ping timing statistics useless to begin with.)  Additionally,
> varying load on other non-sniffer systems can lead to false positives.
> This is primarily useful for a network admin to check a segment and see
> if any *un*authorized sniffers have been installed.
>
> Both methods are completely useless against sniffers that have no IP
> address, or have out-of-band monitoring/alerting.  Which is how they all
> should be installed anyway.  8)