Remote Sniffer Detection
COEN 252
Computer Forensics
Remote Sniffer Detection
Sniffer Detection
On the Host
Look for capture files (typically big and growing).
Look for a card in promiscuous mode.
Look for unauthorized connections or processes.
Caveat: a rootkit can hide the sniffer process, its capture files and the promiscuous flag from all of these host-based checks.
On the Net
Traffic analysis.
Traffic injection (probing).
Much harder than host-based detection.
Network based Sniffer Detection
Promiscuous mode detection.
DNS tests.
Network latency tests.
Trapping (bait).
Network based Sniffer Detection
NIC hardware addresses
The NIC sets up different receive filters:
Unicast: receive frames addressed to its own MAC address.
Broadcast: receive all broadcast frames (destination MAC ff:ff:ff:ff:ff:ff).
Multicast: receive frames for the multicast groups it has joined, or all multicasts.
Promiscuous: receive all frames, whatever the destination MAC.
Promiscuous mode detection
Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address.
A card in non-promiscuous mode only passes up frames addressed to that MAC address (plus broadcast and the multicast groups it has joined).
MAC Promiscuous Mode Detection
Send an ICMP echo request to the right IP address but with a wrong destination MAC address.
Only a NIC in promiscuous mode will pick up a frame with a wrong destination MAC.
The echo request is passed up the stack to the IP layer, and the IP layer answers it.
The echo reply identifies the sniffing host.
Caveat: results are OS- and kernel-version dependent; newer kernels may discard frames whose destination MAC is not their own before the IP layer sees them, so a missing reply does not prove the card is in normal mode.
ARP Detection
Send an ARP request with a false destination MAC and the correct target IP address.
Only a promiscuous NIC will pick up the frame.
The kernel sends an ARP reply, which reveals the sniffing host.
Software Filtering Based Detection
Different OSes implement the software filter (the check done in the driver/kernel on frames the card handed up) differently.
We can try fake broadcast addresses (a MAC address has 48 bits, six octets):
FF:FF:FF:FF:FF:FE (Br47): last bit cleared; 47 of the 48 bits are set.
FF:FF:00:00:00:00 (B16): only the first 16 bits are the same as for broadcast.
FF:00:00:00:00:00 (B8): only the first 8 bits are the same as for broadcast.
F0:00:00:00:00:00 (B4): only the first 4 bits are the same as for broadcast.
Software Filtering Based Detection
Different OSes implement the software filter differently.
We can try fake multicast addresses:
01:00:00:00:00:00 (Gr): only the group bit set.
01:00:5E:00:00:00 (M0): multicast address zero is usually not used.
01:00:5E:00:00:01 (M1): assigned to all hosts (224.0.0.1); should be received by all systems in the test group.
01:00:5E:00:00:02 (M2): assigned to a different set of nodes (all routers, 224.0.0.2); should not be received by the systems in the test group.
01:00:5E:00:00:03 (M3): not registered.
Software Filtering Based Detection
Response to ARP requests with the various fake destination MACs.
N = normal mode, P = promiscuous mode; O legal response, X illegal response, -- no response.

        Windows XP   WinME/9x    Win2K/NT    Linux 2.4.x   FreeBSD 5.0
          N    P       N    P      N    P      N    P        N    P
Br47     --   X       --   X      --   X      --   X        --   X
B16      --   X       --   X      X    X      --   X        --   X
B8       --   --      --   X      --   --     --   X        --   X
Gr       --   --      --   --     --   --     --   X        --   X
M0       --   --      --   --     --   --     --   X        --   X
M1       O    O       O    O      O    O      O    O        O    O
M2       --   --      --   --     --   --     --   X        --   X
M3       --   --      --   --     --   --     --   X        --   X
Software Filtering Based Detection
ARP requests to fake destination MAC addresses can identify promiscuous cards, but the set of probes that works is OS dependent: Linux and FreeBSD answer every probe in promiscuous mode, while the Windows versions tested only answer the addresses whose first 8 or 16 bits look like broadcast.
Trabelsi, Rahmani, Kaouech, Frikha: Malicious Sniffing Systems Detection Platform, SAINT '04.
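The ARP variant of the probe (the ICMP echo variant differs only in the payload behind the faked Ethernet destination) as an added example that is not from the slides or the cited paper: it crafts the ARP requests with the fake broadcast/multicast destination MACs and classifies the target's replies into the O / X / -- categories of the response table. Sending real frames needs a raw socket and root, so the probed host is simulated here and the block runs offline. The "linux24" and "winxp" software-filter rules, the addresses and the MACs are assumptions reconstructed from the response table, not taken from any OS source.

```python
"""Software-filter sniffer probe, simulated end to end (added example)."""
import struct

ETH_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_HOSTS = "01:00:5e:00:00:01"   # M1 = 224.0.0.1, a group every IP host joins

# Probe destination MACs from the slides, six-octet form.
PROBES = {
    "Br47": "ff:ff:ff:ff:ff:fe",
    "B16":  "ff:ff:00:00:00:00",
    "B8":   "ff:00:00:00:00:00",
    "B4":   "f0:00:00:00:00:00",
    "Gr":   "01:00:00:00:00:00",
    "M0":   "01:00:5e:00:00:00",
    "M1":   ALL_HOSTS,
    "M2":   "01:00:5e:00:00:02",
    "M3":   "01:00:5e:00:00:03",
}
LEGAL = {"M1"}   # the only probe a non-sniffing host may legitimately answer


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet frame carrying an ARP who-has for target_ip. Only the
    Ethernet destination is faked; the ARP payload is a normal request."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet, IPv4, op=request
           + mac_bytes(src_mac) + ip_bytes(src_ip)
           + b"\x00" * 6 + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Ethernet and ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def nic_accepts(dst_mac, own_mac, promiscuous):
    """Hardware filter: a normal card passes its own MAC, broadcast and the
    multicast groups it joined; a promiscuous card passes every frame."""
    return promiscuous or dst_mac in (own_mac, BROADCAST, ALL_HOSTS)


def sw_filter_accepts(os_name, dst_mac, own_mac):
    """Assumed software filter on frames the card handed up (from the table)."""
    if dst_mac in (own_mac, BROADCAST, ALL_HOSTS):
        return True
    if os_name == "linux24":            # answers every probe in promiscuous mode
        return True
    if os_name == "winxp":              # answers Br47 and B16 only, i.e. it
        return dst_mac[:5] == "ff:ff"   # checks just the first 16 bits for broadcast
    raise ValueError(f"no filter model for {os_name}")


def simulate_target(frame, os_name, own_mac, own_ip, promiscuous):
    """Hardware filter, software filter, then the kernel answers any ARP
    request for its own IP with a unicast ARP reply."""
    req = parse_arp(frame)
    if req is None or req["op"] != 1 or req["tpa"] != own_ip:
        return None
    if not nic_accepts(req["dst"], own_mac, promiscuous):
        return None
    if not sw_filter_accepts(os_name, req["dst"], own_mac):
        return None
    eth = mac_bytes(req["src"]) + mac_bytes(own_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + mac_bytes(own_mac) + ip_bytes(own_ip)
           + mac_bytes(req["src"]) + ip_bytes(req["spa"]))
    return eth + arp


def probe_host(os_name, target_mac, target_ip, promiscuous,
               prober_mac="00:11:22:33:44:55", prober_ip="192.0.2.1"):
    """Send every probe to one (simulated) host and return one table row."""
    row = {}
    for name, dst in PROBES.items():
        frame = build_arp_request(dst, prober_mac, prober_ip, target_ip)
        reply = simulate_target(frame, os_name, target_mac, target_ip, promiscuous)
        if reply is None:
            row[name] = "--"
        else:
            rep = parse_arp(reply)
            assert rep["op"] == 2 and rep["spa"] == target_ip
            row[name] = "O" if name in LEGAL else "X"
    return row


def looks_promiscuous(row):
    """Any X means the host replied to a frame its card should have dropped."""
    return any(v == "X" for v in row.values())
```

Run `probe_host("winxp", "aa:bb:cc:dd:ee:ff", "192.0.2.10", True)` and compare with the Windows XP column: only Br47 and B16 come back X. Against a real host, replace `simulate_target` with a raw socket send and a capture of ARP replies whose sender IP is the target; one X is enough, since no normal card should have passed the frame up at all.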
DNS Detection Technique
Password sniffers (or sniffers not in stealth mode) generate network traffic of their own.
Sniffers issue reverse DNS lookups:
because they think they found a password and want to know which system it belongs to;
because they want to show the user host names instead of addresses.
Hence: send traffic involving an otherwise unused address and watch for hosts that issue a reverse (PTR) lookup for it.
Load Detection Technique
Sniffers are hard on machine resources.
A sniffing host's performance degrades when there is a lot of network load.
Hence: measure response times, generate lots of network load, and measure again.
Round Trip Time Measuring Technique
Experiments show:
Round trip times show OS-dependent differences of 10% - 40% between normal mode and promiscuous mode.
This allows reliable detection.
Using ICMP messages for the measurement makes the result less dependent on the network load itself.
Bait Technique
Generate telnet traffic to a fake telnet server that does not exist, carrying lots of logins and passwords.
The sniffer takes the bait.
Watch for telnet attempts to the non-existent server: only a host that captured the bait traffic knows those credentials.
Works like a honeypot.
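The detection side of the DNS test and of the bait technique, as an added example that is not from the slides: it parses DNS queries seen on the wire and flags any host that reverse-resolves the bait address or opens a telnet connection to the non-existent bait server. The addresses, the capture record layout and the sample capture are constructed for the example; the one design point a practitioner needs is that the host generating the bait must be excluded, since its own telnet attempts to the fake server are expected.

```python
"""Bait and reverse-DNS sniffer detection over a constructed capture (added example)."""
import struct

BAIT_IP = "192.0.2.77"        # assumed: the non-existent telnet server in the bait traffic
BAIT_SOURCES = {"192.0.2.5"}  # assumed: the host that generates the fake logins
TELNET_PORT, DNS_PORT, QTYPE_PTR = 23, 53, 12


def ptr_name(ip):
    """Reverse-lookup name of an IPv4 address, e.g. 77.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_dns_query(qname, qtype, txid=0x1234):
    """Minimal DNS query (UDP payload): one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload):
    """(qname, qtype) of the first question of a DNS query; None for responses,
    truncated packets, or names using compression pointers (not valid here)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: a response, not a query
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):   # pointer or truncated label
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return ".".join(labels), qtype


def scan_capture(packets, bait_ip=BAIT_IP, bait_sources=BAIT_SOURCES):
    """packets: dicts with src, dst, proto, dport and payload (UDP) or syn (TCP).
    Returns {suspect_ip: [reasons]}. The bait generator is skipped: its own
    telnet attempts to the bait server are the bait, not a detection."""
    suspects = {}
    for p in packets:
        if p["src"] in bait_sources:
            continue
        reason = None
        if p["proto"] == "udp" and p["dport"] == DNS_PORT:
            q = parse_dns_question(p["payload"])
            if q and q[1] == QTYPE_PTR and q[0].lower() == ptr_name(bait_ip):
                reason = "reverse DNS lookup of bait address"
        elif (p["proto"] == "tcp" and p["dst"] == bait_ip
              and p["dport"] == TELNET_PORT and p.get("syn")):
            reason = "telnet connection attempt to non-existent bait server"
        if reason:
            suspects.setdefault(p["src"], []).append(reason)
    return suspects


# Constructed sample capture: the bait generator logs into the fake server, an
# innocent host resolves unrelated names, and one host betrays itself twice.
SAMPLE_CAPTURE = [
    {"src": "192.0.2.5", "dst": BAIT_IP, "proto": "tcp", "dport": 23, "syn": True},
    {"src": "192.0.2.40", "dst": "192.0.2.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query("www.example.com", 1)},
    {"src": "192.0.2.40", "dst": "192.0.2.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query(ptr_name("192.0.2.40"), QTYPE_PTR)},
    {"src": "192.0.2.23", "dst": "192.0.2.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query(ptr_name(BAIT_IP), QTYPE_PTR)},
    {"src": "192.0.2.23", "dst": BAIT_IP, "proto": "tcp", "dport": 23, "syn": True},
]


def find_sniffers(capture=SAMPLE_CAPTURE):
    return scan_capture(capture)
```

On a real segment the records would come from a capture of the DNS server's and the bait server's traffic; a PTR lookup for an address that never appears anywhere except in the bait session is a strong signal on its own, and a later login with the baited credentials confirms it.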