
SAINT 2.0 beta 1 now available


kli...@my-deja.com

Mar 1, 2000

SAINT 2.0 beta 1 is now available from http://www.wwdsi.com/saint

SAINT, which is based on SATAN, is a free network security
scanning tool which can be run from most UNIX platforms. This
version features CVE compatibility for easy
reference to other tools and resources, new layout, updated
documentation, SNMP checks, checks for
common passwords against accounts identified
by finger and rusers, improved command-line
output, new checks for Windows Trinoo and
Site Wizard Input Validation vulnerability.

Sam Kline
World Wide Digital Security, Inc.



Demotic

Mar 3, 2000
kli...@my-deja.com wrote:


> SAINT 2.0 beta 1 is now available from http://www.wwdsi.com/saint

Why isn't it called "Satan" any more? Christians get to you?

> SAINT, which is based on SATAN, is a free network security
> scanning tool which can be run from most UNIX platforms. This
> version features CVE compatibility for easy
> reference to other tools and resources, new layout, updated
> documentation, SNMP checks, checks for
> common passwords against accounts identified
> by finger and rusers, improved command-line
> output, new checks for Windows Trinoo and
> Site Wizard Input Validation vulnerability.


--
support your local        /"\
geek campaign             \ /   ASCII ribbon campaign
to return sanity           X    against HTML email
to mailboxen everywhere   / \

Alan J Rosenthal

Mar 3, 2000
Demotic <c...@flak.88mm.net> writes:
>Why isn't it called "Satan" any more? Christians get to you?

This is a would-be commercial outfit. Wietse Venema and Dan Farmer aren't
working on SATAN any more. These new folks changed the name as part of
adopting it. At first, that was all they changed. I don't know if the
situation is any different lately.

--
very frequently asked questions at
ftp://rtfm.mit.edu/pub/faqs/computer-security/most-common-qs

<lallali@þø²¾¶ð.com>

Mar 6, 2000
kli...@my-deja.com wrote:
>
> SAINT 2.0 beta 1 is now available from http://www.wwdsi.com/saint
>...

"Nessus" is nice too...

kli...@my-deja.com

Mar 10, 2000
In article <2000Mar3.0...@jarvis.cs.toronto.edu>,
fl...@dgp.toronto.edu (Alan J Rosenthal) wrote:

> At first, [the name] was all they changed. I don't know if the
> situation is any different lately.

It is -- there is a big difference between SATAN
and the latest version of SAINT. SATAN hasn't
been officially updated since 1995, whereas
SAINT is updated regularly to check for the
latest vulnerabilities.

Ing. Samuel Alexik

Mar 16, 2000
I want to know if there is some way to detect people who set their card in
promiscuous mode (sniff) in our LAN if my computer is connected to this LAN. I
need some kind of software.
Thanks
SAx

Cédric Blancher

Mar 16, 2000
"Ing. Samuel Alexik" <sa...@frtk.utc.sk> wrote in message news:
38D0C9F3...@frtk.utc.sk...

Sniffing is a passive action : in that way, it is theoretically impossible
to detect (aka with a well implemented network layer). Practically, some
network layers have bugs that can be exploited to detect promiscuous mode
(kernel 2.0.36 network layer for example).
Nowadays, I do think that sniffing is rather impossible to detect.

bo...@mail.state.fl.us

Mar 16, 2000
Cédric Blancher <cbla...@cmc.fr> wrote:
> "Ing. Samuel Alexik" <sa...@frtk.utc.sk> wrote in message news:

There is some debate about this. One suggested (and there are claims
it has been implemented) way of detecting a promiscuous ethernet card
is as follows.

Get a baseline latency. I.e., you ping machine X running OS Y and
it takes Z amount of time to come back. Then, you flood
ping an address that doesn't exist. While doing this you determine
latency to machine X again. If the machine is promiscuous it will
be looking at all the packets so the latency will shoot up.

That's the theory anyway. Take a look at dejanews, there was once
a long debate about this.

Roger Books

Cédric Blancher

Mar 16, 2000
<bo...@mail.state.fl.us> wrote in message news:
38d0f...@news.hcs.net...

> There is some debate about this. One suggested (and there are claims
> it has been implemented) way of detecting a promiscuous ethernet card
> is as follows.
>
> Get a baseline latency. I.e., you ping machine X running OS Y and
> it takes Z amount of time to come back. Then, you flood
> ping an address that doesn't exist. While doing this you determine
> latency to machine X again. If the machine is promiscuous it will
> be looking at all the packets so the latency will shoot up.

I don't think it would be very efficient like this, because I am not
sure it is easy to discover whether the latency increase for machine X is
due only to the ping flood or to promisc mode.
I would rather ping a machine X you know is not in promisc mode while
flood pinging an address that doesn't exist to get a baseline latency.
Then ping the suspected machine and compare latency.

> That's the theory anyway. Take a look at dejanews, there was once
> a long debate about this.

I'll do :) Thx a lot.
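The latency test described in the two posts above, including the control-host refinement, as an added example; this is not code from any poster, from AntiSniff or from Sentinel. The RTT samples are constructed, and the `EXCESS_THRESHOLD` constant and function names are assumptions of this example. A host that never answers echo requests (the case raised later in the thread) yields no measurement and therefore no verdict rather than a false "clean".

```python
"""Latency-based promiscuous-mode heuristic with a control host.

Added example for this thread, not code from any poster, AntiSniff or
Sentinel. The RTT samples (milliseconds) are constructed; in practice they
would be echo round-trip times measured at rest and again while the
segment is flooded with frames for an address that does not exist.
"""
from statistics import median
from typing import Optional, Sequence, Tuple

# Assumption: a suspect whose RTT grew at least this many times more than
# the control host's RTT did under the same flood is flagged.
EXCESS_THRESHOLD = 1.5


def rtt_growth(at_rest: Sequence[float], under_flood: Sequence[float]) -> Optional[float]:
    """Median RTT during the flood divided by median RTT at rest.

    Medians rather than means so that a single delayed echo reply does not
    dominate. An empty series means the host never answered: no echo
    replies, no measurement, no verdict.
    """
    if not at_rest or not under_flood:
        return None
    return median(under_flood) / median(at_rest)


def assess(control_rest, control_flood, suspect_rest, suspect_flood,
           threshold: float = EXCESS_THRESHOLD) -> Tuple[Optional[float], str]:
    """Compare the suspect with a control host known not to be promiscuous.

    The control host's own RTT growth measures what the flood alone costs
    every host on the segment; only growth in excess of that is attributed
    to the suspect processing frames it should have ignored.
    Returns (excess ratio, verdict text).
    """
    control = rtt_growth(control_rest, control_flood)
    suspect = rtt_growth(suspect_rest, suspect_flood)
    if control is None:
        return None, "undetermined: control host gave no measurement"
    if suspect is None:
        return None, "undetermined: suspect does not answer echo requests"
    excess = suspect / control
    if excess >= threshold:
        return excess, f"suspicious: RTT grew {excess:.2f}x more than the control host"
    return excess, f"clean: RTT grew {excess:.2f}x relative to the control host"


# Constructed samples. The control host rises a little because the flood
# itself loads the segment; the suspect rises far more.
CONTROL_REST = [0.31, 0.29, 0.33, 0.30, 0.32]
CONTROL_FLOOD = [0.40, 0.38, 0.42, 0.41, 0.39]
SUSPECT_REST = [0.30, 0.28, 0.31, 0.29, 0.32]
SUSPECT_FLOOD = [0.95, 1.10, 0.88, 1.02, 0.97]
CLEAN_FLOOD = [0.38, 0.40, 0.37, 0.39, 0.41]

if __name__ == "__main__":
    for label, flood in (("suspect", SUSPECT_FLOOD), ("clean", CLEAN_FLOOD), ("silent", [])):
        excess, text = assess(CONTROL_REST, CONTROL_FLOOD, SUSPECT_REST, flood)
        print(f"{label:8s} {text}")
```

Run stand-alone it prints one verdict per constructed case. The threshold is deliberately a ratio of ratios: a busy segment raises everyone's RTT, so the flood's own cost is divided out before anything is attributed to the suspect.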


Urban A. Haas

Mar 16, 2000
Token-Ring is supposed to set a bit where this can be detected. Ethernet is
rather transparent. I am not sure about FDDI, but I believe it would follow
Token-Ring's course.

"Ing. Samuel Alexik" wrote:

> I want to know if there is some way to detect people who set their card in
> promiscuous mode (sniff) in our LAN if my computer is connected to this LAN. I
> need some kind of software.

> Thanks
> SAx

--
Urban A. Haas
CEO - Urban Technology, Inc.
Minneapolis, MN USA
E-mail: uh...@urbantechnology.com
Phone: (612) 595-8810 Fax: (612) 595-8710

This e-mail was composed of 100% recycled bits.

Jeff

Mar 16, 2000
L0pht came out with an anti-sniffing tool, but I'm not too sure how well it
works..
For more information check out http://www.l0pht.com/antisniff/ but I've had
trouble getting to it in the past months..

Jeff

bo...@mail.state.fl.us wrote:

> Cédric Blancher <cbla...@cmc.fr> wrote:
> > "Ing. Samuel Alexik" <sa...@frtk.utc.sk> wrote in message news:
> > 38D0C9F3...@frtk.utc.sk...
> >> I want to know if there is some way to detect people who set their card
> >> in promiscuous mode (sniff) in our LAN if my computer is connected to
> >> this LAN. I need some kind of software.
> >
> > Sniffing is a passive action : in that way, it is theoretically impossible
> > to detect (aka with a well implemented network layer). Practically, some
> > network layers have bugs that can be exploited to detect promiscuous mode
> > (kernel 2.0.36 network layer for example).
> > Nowadays, I do think that sniffing is rather impossible to detect.
>
> There is some debate about this. One suggested (and there are claims
> it has been implemented) way of detecting a promiscuous ethernet card
> is as follows.
>
> Get a baseline latency. I.e., you ping machine X running OS Y and
> it takes Z amount of time to come back. Then, you flood
> ping an address that doesn't exist. While doing this you determine
> latency to machine X again. If the machine is promiscuous it will
> be looking at all the packets so the latency will shoot up.
>
> That's the theory anyway. Take a look at dejanews, there was once
> a long debate about this.
>
> Roger Books


Bill "Houdini" Weiss

Mar 16, 2000
On Thu, 16 Mar 2000 12:48:03 +0100, Mara allowed "Ing. Samuel Alexik"
<sa...@frtk.utc.sk> to write:

>I want to know if there is some way to detect people who set their card in
>promiscuous mode (sniff) in our LAN if my computer is connected to this LAN. I
>need some kind of software.

>Thanks
>SAx

L0pht AntiSniff (I think that's what it's called) is supposed to do exactly
this.

Bill "Houdini" Weiss
---
The Cynic's Guide To Real Life

8. A handy telephone tip: Keep a small chalkboard near the phone. That way,
when a salesman calls, you can hold the receiver up to it and run your
fingernails across it until he hangs up.

jose

Mar 16, 2000
Cédric Blancher wrote:

> > That's the theory anyway. Take a look at dejanews, there was once
> > a long debate about this.

> I'll do :) Thx a lot.

there was an excellent paper on the subject, which seems to be the
beginnings of what AntiSniff is/does.

http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

very good paper.

jose nazario jo...@biocserver.cwru.edu

Alan J Rosenthal

Mar 17, 2000
bo...@mail.state.fl.us writes:
>Cédric Blancher <cbla...@cmc.fr> wrote:
>> Sniffing is a passive action : in that way, it is theoretically impossible
>> to detect (aka with a well implemented network layer).
>
>There is some debate about this. One suggested (and there are claims
>it has been implemented) way of detecting a promiscuous ethernet card
>is as follows.

I don't think that there can be rational debate about the following two
points:
1) Sniffing is passive. It is not theoretically possible to detect
it.
2) Sniffing from a particular operating system involves changes to its
behaviour which in some if not all cases are detectable.

The argument for #2 is obvious: some tools exist and they do detect sniffing
some of the time, based on the change in network behaviour of the computer
when it's sniffing (e.g. whether performance degrades on account of network
traffic it's not supposed to be processing).

The argument for #1 is that nothing *requires* this change in behaviour.
You suggest pinging the host while doing some other network traffic which
will increase the load on the host if and only if it is in promiscuous mode,
and seeing whether this degrades the ping response. But if the sniffing
host doesn't respond to pings at all (or any other network traffic, if you
like, such as with Bellovin's snipped transmit wire), this procedure can't
be performed.

Installing a sniffer can involve forgery-like modifications of the rest of the
network response of the machine as needed, such as purposefully introducing
delays in normal response to defeat your attempted baseline measure,
or ceasing all response altogether, or all sorts of other possibilities
not precluded by the definition of sniffing. Sniffing means recording
traffic not directed at the host in question. There is no theoretical
requirement that this change the other network behaviour of the system.
Use a blindingly-fast computer which waits for a fixed number of milliseconds
before responding, for example.

In practice, a sniffer is often detectable by these funny means. But there
is absolutely no guarantee, especially in the snipped transmit wire case.
That's the point #1 above. If I wanted to install an illicit sniffer,
I would get a little hub, plug it into my ethernet wall jack, and plug my
normal computer into it as well as a sniffing computer where the wire to the
sniffing computer had the transmit wire cut. You may or may not be able
to detect this extra hub hop; you won't be able to use any of the methods
you describe, and the hub hop won't come and go so any baselining is out.

Also note that we're using a somewhat restricted definition of sniffing here.
Recording network traffic which *is* supposed to be processed by the computer
in question (traffic either *to* the computer in question, or across it
if it is a router or switch) does not involve putting the ethernet card
in promiscuous mode and would not be detected by any of these means, but
would probably be called "sniffing" too.

bo...@mail.state.fl.us

Mar 17, 2000
Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:

<bunch of ways to stop sniffer detection snipped>

I'm not going to argue this with you. It's not my pet
project. Go look at dejanews, it's all been hashed out.

I will argue a slightly different point. You seem to
be of the assumption that if you can't detect the
intrusion in ALL cases it is pointless. By your logic
I should not be running tools to check for portscans
because if someone only hits one port a day my tools
won't pick it up. There is no way to be absolutely
certain you aren't being probed/attacked/sniffed short
of disconnecting your server AND turning it off. You
don't work security that way. If you can pick up
99% of the potential attackers you are in much better
shape than if you pick up none. If you can pick up
99.98% of the attackers there is a reasonable chance
even the other 0.02% will hit an easier target.

Roger Books

jose

Mar 17, 2000
Alan J Rosenthal wrote:

> 1) Sniffing is passive. It is not theoretically possible to detect
> it.

not entirely. i just got chewed on by the network guys here for running
a sniffer (the dds tool from Dittrich et al). turns out it was arping
the crap out of the (very large, very flat) network here to map IP's.
similar problems with sniffing include hostname lookups and such.

but yes, it is a trivial task to set up a completely passive,
nondetectable sniffer. go to the BPF without initializing the IP layers,
whammo, all well known means go out the window. a firewall will work
very well, too, to block all outbound traffic (ie name lookups, arping),
blocking detection at all of the system (no initial ping, no ping under
load etc).

*shrug* soon this will become commonplace, i expect, on dedicated
sniffers or sniffing software for stealth (remove the name lookups,
for instance).

but your points are correct, just not blanketly true for all sniffers
or stacks.

jose nazario jo...@biocserver.cwru.edu

Alan J Rosenthal

Mar 18, 2000
bo...@mail.state.fl.us writes:
>You seem to be of the assumption
>that if you can't detect the intrusion in ALL cases it is pointless.

No I am not, any more than when I say that a cryptosystem is not "unbreakable"
I am saying that using it is inadvisable.

>If you can pick up 99% of the potential attackers you are in much better
>shape than if you pick up none.

Yes, to start. But you have to consider the dynamic that with computers,
nearly anything like this can be automated. That 1% of sniffers undetectable
by your program will soon grow to 100% as the script kiddies learn which
sniffers are safer to use, without the script kiddies accidentally learning
anything.


jose <jo...@biochemistry.cwru.edu> writes:
>Alan J Rosenthal wrote:
>>Sniffing is passive. It is not theoretically possible to detect it.
>
>not entirely. i just got chewed on by the network guys here for running
>a sniffer (the dds tool from Dittrich et al). turns out it was arping
>the crap out of the (very large, very flat) network here to map IP's.

...
>but your points are correct, just not blanketly true for all sniffers
>or stacks.

My point is that the sniffing itself can't be detected. What your NOC
detected is "arping the crap out of the network". This is not sniffing; it is
a consequence of your sniffer; it is not a necessary consequence of sniffing.

If you consider indirect evidence a "detection", then I don't see how
anything can be considered undetectable... the perpetrator could always
confess, thus providing evidence. Your sniffer confessed, that's all.
Theoretically speaking. The pragmatics are, of course, quite important here.

Michael Erskine

Mar 18, 2000
Guys;

ANYTHING is possible. Suppose you had access to hardware technology that was say
sixteen years more advanced than what we have today -- something that is as much
faster than a PIII 800 as a PIII 800 is than an 8086. Suppose you had access to
the wire and a hardware device that could switch perhaps 2^16 times faster than
we can today.

Working at that level of advantage you could change traffic in real time right on
the wire and you can bet your sweet bippie nobody would detect it.

The solution is link level strong encryption. The technology has been in place
for decades but has been strongly discouraged by the vested interests of the
intelligence community. I don't care if someone sniffs a bunch of encrypted
data... and the only reason all the sniffers out there today are getting real
data is because NSA and the State Department want the advantage traffic in the
clear gives them. They are being lazy at their job by relying on artificial legal
tricks when they should have learned other techniques for collecting the material
they need.

Theory is nice. Imagining is fun. Reality is much worse than either.

jose wrote:

> Alan J Rosenthal wrote:
>
> > 1) Sniffing is passive. It is not theoretically possible to detect
> > it.
>
> not entirely. i just got chewed on by the network guys here for running
> a sniffer (the dds tool from Dittrich et al). turns out it was arping
> the crap out of the (very large, very flat) network here to map IP's.
> similar problems with sniffing include hostname lookups and such.
>
> but yes, it is a trivial task to set up a completely passive,
> nondetectable sniffer. go to the BPF without initializing the IP layers,
> whammo, all well known means go out the window. a firewall will work
> very well, too, to block all outbound traffic (ie name lookups, arping),
> blocking detection at all of the system (no initial ping, no ping under
> load etc).
>
> *shrug* soon this will become commonplace, i expect, on dedicated
> sniffers or sniffing software for stealth (remove the name lookups,
> for instance).
>
> but your points are correct, just not blanketly true for all sniffers
> or stacks.
>
> jose nazario jo...@biocserver.cwru.edu


Sarah

Mar 18, 2000
I'm sorry, I'm just learning about networks and security,
but none of my books have anything about "promiscuous"
network cards.

Can someone please explain?

bo...@mail.state.fl.us wrote:
>
> Cédric Blancher <cbla...@cmc.fr> wrote:
> > "Ing. Samuel Alexik" <sa...@frtk.utc.sk> wrote in message news:
> > 38D0C9F3...@frtk.utc.sk...

Henry R. Linneweh

Mar 18, 2000
actually there are anti-IDS applications now written by some
famous hackerz that do exactly that and are available.


Alan J Rosenthal wrote:

> bo...@mail.state.fl.us writes:
> >You seem to be of the assumption
> >that if you can't detect the intrusion in ALL cases it is pointless.
>
> No I am not, any more than when I say that a cryptosystem is not "unbreakable"
> I am saying that using it is inadvisable.
>
> >If you can pick up 99% of the potential attackers you are in much better
> >shape than if you pick up none.
>
> Yes, to start. But you have to consider the dynamic that with computers,
> nearly anything like this can be automated. That 1% of sniffers undetectable
> by your program will soon grow to 100% as the script kiddies learn which
> sniffers are safer to use, without the script kiddies accidentally learning
> anything.
>
> jose <jo...@biochemistry.cwru.edu> writes:
> >Alan J Rosenthal wrote:
> >>Sniffing is passive. It is not theoretically possible to detect it.
> >
> >not entirely. i just got chewed on by the network guys here for running
> >a sniffer (the dds tool from Dittrich et al). turns out it was arping
> >the crap out of the (very large, very flat) network here to map IP's.
> ....
> >but your points are correct, just not blanketly true for all sniffers
> >or stacks.
>
> My point is that the sniffing itself can't be detected. What your NOC
> detected is "arping the crap out of the network". This is not sniffing; it is
> a consequence of your sniffer; it is not a necessary consequence of sniffing.
>
> If you consider indirect evidence a "detection", then I don't see how
> anything can be considered undetectable... the perpetrator could always
> confess, thus providing evidence. Your sniffer confessed, that's all.
> Theoretically speaking. The pragmatics are, of course, quite important here.
>
> --
> very frequently asked questions at
> ftp://rtfm.mit.edu/pub/faqs/computer-security/most-common-qs

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX |
|--------------------------------------------|
Henry R. Linneweh

Ambo

Mar 18, 2000
Sarah <soli...@earthling.net> wrote:
> I'm sorry, I'm just learning about networks and security,
> but none of my books have anything about "promiscuous"
> network cards.

> Can someone please explain?

Normal (ethernet) situation: your network card sits listening on the wire
and takes packets which are addressed to one MAC address, passing them on
to whatever layers are above the card - eventually reaching your client
e.g. an ftp client. (Actually the card will also listen out for
broadcasts and multicasts as well)

Put your card into promiscuous mode: The card picks up *all* packets,
regardless of destination address, and passes them on.

Barry Margolin

Mar 18, 2000
In article <2000Mar17.2...@jarvis.cs.toronto.edu>,
Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
>My point is that the sniffing itself can't be detected. What your NOC
>detected is "arping the crap out of the network". This is not sniffing; it is
>a consequence of your sniffer; it is not a necessary consequence of sniffing.

Anything you detect is some consequence of the thing or activity being
detected. Some are just more direct and reliable than others.

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Sarah

Mar 18, 2000

So how do you change/reset mode?

jose

Mar 18, 2000
Sarah wrote:

> Can someone please explain?

sure. promiscuous mode is called that because your interface listens and
passes to the system packets/frames that were not designated for it. let's
assume an ethernet network, so ethernet frames. within the frame is a MAC
address. within the IP layers are protocols, IP addresses, and source and
destination port information, yes, but what's really important here is the
ethernet frame and the MAC address. we will ignore broadcast and multicasts
for this discussion and focus instead on unicasts, also assuming a shared
segment, meaning you can see packets not intended for you.

your MAC address is, let's say, aa:aa:aa:aa:aa:aa, so your interface normally
would only respond to packets with that MAC address as the destination in
them. but, the interface has been configured to do some sniffing (via software)
and becomes "promiscuous". as such, if it sees a destination MAC address on
the network, say bb:bb:bb:bb:bb:bb, it will happily take it and begin passing
it to the system. the term promiscuous therefore refers to the fact that the
interface and system are happily working with data not intended for it. my
(admittedly terrible) copy of the Webster's Dictionary gives one definition of
"promiscuous" as "not restricted to one type or class", and that's exactly
what is going on here, your interface is no longer restricted to data destined
for it but will work with other people's data, too.

i hope this makes sense and is clear.

jose nazario jo...@biocserver.cwru.edu
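An added illustration of the explanation above, not code from any poster or from the tools mentioned in the thread: a small Python model of the card's filter in normal versus promiscuous mode, extended to show why an echo request carrying the right IP address but a destination MAC belonging to nobody is answered only by a promiscuous host whose IP layer trusts whatever the card passed up (the stack behaviour Cédric and Alan refer to, and the "Etherping test" named later in the thread). The hosts, addresses and the `stack_checks_mac` switch are constructed for the example; a promiscuous host whose stack does re-check the MAC stays silent, which is the blind spot of this test.

```python
"""Frame filtering in normal vs promiscuous mode, and the 'etherping' check.

Added example for this thread; a model, not code from any poster, Sentinel
or AntiSniff. All hosts, MACs and IPs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    icmp_echo: bool = True  # only echo requests matter for this model


@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False
    # Assumption of the model: whether the IP layer re-checks that the frame
    # was really addressed to this interface, or trusts the card's filter.
    stack_checks_mac: bool = False


def is_multicast(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet (covers broadcast)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def nic_accepts(host: Host, frame: Frame) -> bool:
    """The card's filter. Normal mode: own unicast, broadcast and multicast
    only. Promiscuous mode: every frame on the shared segment."""
    if host.promiscuous:
        return True
    return frame.dst_mac == host.mac or is_multicast(frame.dst_mac)


def stack_replies(host: Host, frame: Frame) -> bool:
    """Does the IP/ICMP layer answer the echo request the card handed it?"""
    if not nic_accepts(host, frame):
        return False
    if frame.dst_ip != host.ip or not frame.icmp_echo:
        return False
    if host.stack_checks_mac and frame.dst_mac != host.mac and not is_multicast(frame.dst_mac):
        return False  # frame was for someone else; a careful stack drops it
    return True


def etherping_probe(target: Host, prober: Host) -> Frame:
    """Echo request to the target's IP with a destination MAC nobody owns.
    A normal card never passes it up; a promiscuous card does, and a stack
    that does not re-check the MAC answers it."""
    return Frame(dst_mac="de:ad:be:ef:00:01", src_mac=prober.mac,
                 dst_ip=target.ip, src_ip=prober.ip)


def scan(hosts: Iterable[Host], prober: Host) -> Dict[str, bool]:
    """Map each host name to whether it answered the probe."""
    return {h.name: stack_replies(h, etherping_probe(h, prober)) for h in hosts}


# Constructed segment: one normal host, one promiscuous host with a trusting
# stack, one promiscuous host whose stack re-checks the MAC.
PROBER = Host("prober", "02:00:00:00:00:01", "192.0.2.1")
HOSTS = [
    Host("alice", "02:00:00:00:00:10", "192.0.2.10"),
    Host("bob", "02:00:00:00:00:20", "192.0.2.20", promiscuous=True),
    Host("carol", "02:00:00:00:00:30", "192.0.2.30", promiscuous=True, stack_checks_mac=True),
]

if __name__ == "__main__":
    for name, answered in scan(HOSTS, PROBER).items():
        print(f"{name:6s} {'answered probe: likely promiscuous' if answered else 'silent'}")
```

Only `bob` answers: `alice`'s card discards the frame before the stack sees it, and `carol`'s stack notices the MAC was not hers. The same model also shows the ordinary case, since an echo request addressed to a host's own MAC and IP is answered by all three.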


Ambo

Mar 19, 2000
Sarah <soli...@earthling.net> wrote:

> So how do you change/reset mode?

man ifconfig contains the information you are after (and more)

HTH

Alan J Rosenthal

Mar 20, 2000
Barry Margolin <bar...@bbnplanet.com> writes:
>Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
>>My point is that the sniffing itself can't be detected. What your NOC
>>detected is "arping the crap out of the network". This is not sniffing; it is
>>a consequence of your sniffer; it is not a necessary consequence of sniffing.
>
>Anything you detect is some consequence of the thing or activity being
>detected. Some are just more direct and reliable than others.

Well, maybe. I still think there's a substantial distinction here which
greatly affects the question of whether or not sniffing is necessarily
detectable, which eventually *is* a practical question.

If an object moves and you detect this because of how its reflection of
various wavelengths of light changes and then these hit your eye (i.e. you see
the object move), sure, that is a consequence rather than the movement itself.

Still, the change in wavelength reflection is an intrinsic property of
the movement. An object which reflects certain wavelengths of light at a
certain location in space is moving and is not going to be there to perform
that function any more.

In the case of a sniffer, there is not some network transmission which is
being ceased, nor is there any reason for the sniffer to *generate* network
traffic. Most people claim that the behaviour of some TCP implementations,
where packets to the wrong IP address are processed when the ethernet hardware
is in promiscuous mode, is a bug, and I think it's been fixed in the current
version of linux. If the machine is sufficiently overloaded, this *does*
result in a cessation of some network traffic (i.e. a decrease in network
performance), but overloading is not intrinsic to promiscuous mode either.

It's quite easy to imagine an undetectable ethernet sniffer, because of
something I'm trying to touch upon with this distinction, which I agree
needs some work, between whether a certain consequence of the activity
you're trying to detect is intrinsic to the activity.

Barry Margolin

Mar 20, 2000
In article <2000Mar20.1...@jarvis.cs.toronto.edu>,

Once upon a time I would have (and probably *did*) claim that sniffers were
practically undetectable. While it's true that it's possible to make an
undetectable sniffer, it's also true that it's difficult to do. The
detection is based on heuristics that depend on properties of various
operating systems and IP stacks. The web page that someone posted a
pointer to describes a system that makes use of several different
heuristics, so if someone has fixed one or two of them, the others may
still catch them.

Sure, it may be possible to commit the perfect crime, but most criminals
aren't that good, so they usually get caught. I realize this isn't a great
analogy, because even script kiddiez don't have to be very smart, they just
need one hacker who is and lets them download his kits. But I'll bet there
are still plenty of people who don't get the best kits, they use the same
tools that have been used for ages.

Casper H.S. Dik - Network Security Engineer

Mar 20, 2000
[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

Barry Margolin <bar...@bbnplanet.com> writes:

>Sure, it may be possible to commit the perfect crime, but most criminals
>aren't that good, so they usually get caught. I realize this isn't a great
>analogy, because even script kiddiez don't have to be very smart, they just
>need one hacker who is and lets them download his kits. But I'll bet there
>are still plenty of people who don't get the best kits, they use the same
>tools that have been used for ages.

There are two different cases; the sniffer installed by an intruder coming
in over the wire and the sniffer installed locally, either by the admin
or someone with access to the wiring.

In the first case, a machine needs to be borrowed that is visible on
the network and one that is likely to have other uses. In this case,
the sniffer will most likely be detectable.
In the second case, a dedicated machine can be used, brought in for
the purpose. It can be made undetectable.

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Urban A. Haas

Mar 20, 2000

bo...@mail.state.fl.us wrote:

>
> There is some debate about this. One suggested (and there are claims
> it has been implemented) way of detecting a promiscuous ethernet card
> is as follows.
>
> Get a baseline latency. I.e., you ping machine X running OS Y and
> it takes Z amount of time to come back. Then, you flood
> ping an address that doesn't exist. While doing this you determine
> latency to machine X again. If the machine is promiscuous it will
> be looking at all the packets so the latency will shoot up.
>
> That's the theory anyway. Take a look at dejanews, there was once
> a long debate about this.
>
> Roger Books

This assumes that the sniffer has a valid IP address. Most of the sniffers
that I work with (dedicated sniffers, not iptrace UNIX boxes or PCs) do not
have an IP stack running that is pingable, or an IP address. So pinging would
be very difficult.

Jason Fortezzo

Apr 6, 2000
On Thu, 16 Mar 2000 12:48:03 +0100, "Ing. Samuel Alexik"
<sa...@frtk.utc.sk> wrote:

>I want to know if there is some way to detect people who set their card in
>promiscuous mode (sniff) in our LAN if my computer is connected to this LAN. I
>need some kind of software.

>Thanks
>SAx

You can detect Linux boxen in promiscuous mode on your subnet by running
neped (ftp://apostols.org/AposTools/snapshots/neped/).

YMMV.

Jason Fortezzo
E-Mail: fortezzo at directlink dot net

Ole Michaelsen

Apr 6, 2000
re...@my.sig (Jason Fortezzo) writes:
>
> You can detect Linux boxen in promiscuous mode on your subnet by running
> neped (ftp://apostols.org/AposTools/snapshots/neped/).

There's an excellent FAQ (I think) on sniffing that also describes
various ways to detect NICs in promisc mode at
'http://www.robertgraham.com/pubs/sniffing-faq.html'.

y0ni

Apr 8, 2000
>>I want to know if there is some way to detect people who set their card in
>>promiscuous mode (sniff) in our LAN if my computer is connected to this LAN. I
>>need some kind of software.
>>Thanks
>>SAx
>
>You can detect Linux boxen in promiscuous mode on your subnet by running
>neped (ftp://apostols.org/AposTools/snapshots/neped/).

Also, from http://packetstorm.securify.com/last50.shtml you
can download Sentinel; I still have not tested it.

"The Sentinel project is designed to be a portable, accurate implementation of all publicly known
promiscuous detection techniques. Sentinel currently supports 3 methods of remote promiscuous
detection: The DNS test, Etherping test, and ARP test. Support for the ICMP Ping Latency test is
under development. Changes: Now works correctly under linux. Homepage here. By Bind"
