Re: sniffer/promisc detector

2004-01-23 Thread Michael . Dillon

Mine too. So nmap sucks if you want to quickly identify daemons running on
strange ports. No big deal. This discussion wasn't about nmap to start with.
The point of the discussion was whether it made sense to run services on
non-standard ports to deter cr4x0rs. And I feel it doesn't.

Actually, the point of the discussion was whether security 
through obscurity (A.K.A. camouflage techniques) is a legitimate
tool in the security arsenal.

As long as a sshd yells SSH-1.99 at you the moment you connect to its
port there's no hiding sshd.

Like I said, ... camouflage ...
It doesn't stop with port numbers. And if you do camouflage the real
SSH and run a honeypot on port 22 that looks like SSH, where do you
think the haxors will put their attention first? 

A well-tuned iptables or equivalent, on the other hand, might hide the
presence of daemons completely for anyone except the designated users. How
is that for obscurity? 

Great idea. The whole point of camouflage and obscurity techniques
is to confuse observers/attackers and this fits the bill. 

I agree that security through obscurity should always be backed up
with real hardening where possible, but I also believe that multiple
techniques working in synergy is best.

--Michael Dillon




Re: sniffer/promisc detector

2004-01-23 Thread Andrew Simmons


Ruben van der Leij wrote:

+++ Alexei Roudnev [22/01/04 09:05 -0800]:

My results vary from 15 minutes to 1 hour.


Mine too. So nmap sucks if you want to quickly identify daemons running on
strange ports. No big deal. This discussion wasn't about nmap to start with.


Point of interest: Dan Kaminsky's scanrand (part of Paketto Keiretsu - 
www.doxpara.com, which seems to be down right now, but the Google cache 
works) is a very fast bulk scanner:

During an authorized test inside a multinational corporation's class B,
 scanrand detected 8300 web servers across 65,536 addresses. Time elapsed:
 approximately 4 seconds.
http://www.pantek.com/library/general/lists/newsfeed.osdn.com/osdn-developer-txt-mm/msg1.html 

http://www.doxpara.com/ - down at present but Paketto is widely mirrored.

There was also a "scan the entire Internet" project a few years back which 
used BASS, a bulk scanner. (grep the report for 'they're hre' for a 
tale of uber hacking that makes the hair stand up on the back of my neck 
even today...)

BASS:
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Report:
http://www.viacorp.com/auditing.html


Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev

I saw such scanners 6 years ago (amazingly, they could not determine very
old OS and very old services...).
But, just again, no one uses it in automated scans over the Internet. As I
was saying, port camouflaging works as a very first line of defense - it
cuts 99% of all attacks and allows you to deal with the rest 1%.

I'll measure time tomorrow... Such tools are usually very slow (and lose
20 - 50% of all packets, so to have a reliable result, you must scan a host
2 - 4 times).


- Original Message - 
From: Crist Clark [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]
Cc: Ruben van der Leij [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 11:26 AM
Subject: Re: sniffer/promisc detector


 Alexei Roudnev wrote:
 
  Please, do it:
 
  time nmap -p 0-65535 $target
 
  You will be surprised (and nmap will not report applications; to test a
  response, multiply time at 5 ).

 Yes. It will,

   http://www.insecure.org/nmap/versionscan.html

 -- 
 Crist J. Clark   [EMAIL PROTECTED]
 Globalstar Communications(408) 933-4387



Re: sniffer/promisc detector

2004-01-22 Thread Fyodor

On Wed, Jan 21, 2004 at 09:04:40AM -0800, Alexei Roudnev wrote:
 
 Please, do it:
 
 time nmap -p 0-65535 $target
 
 You will be surprised (and nmap will not report applications; to test a
 response, multiply time at 5 ). And you will have approx. 40% of packets
 lost.
 
 Practically, nmap is useless for this purpose.

Oh, really?  I'll do a quick test of your theory that Nmap will be
slow with a 65K port scan, miss 40% of the open ports due to packet
loss, and not be able to report the application/services running on
the port.  I may be biased, but anyone who wants to can reproduce this
test (at the risk of pissing off SCO, who admittedly are rather
litigious).  To be even more fair, I'll run the scan from a
128kbps-upstream aDSL line:

# nmap -sSV -T4 -O -p0-65535 apollo.sco.com
WARNING:  Scanning port 0 is supported, but unusual.

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-22 00:49 PST
Interesting ports on apollo.sco.com (216.250.128.35):
(The 65524 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE    VERSION
0/tcp     filtered unknown
21/tcp    open     ftp        WU-FTPD 2.1WU(1)+SCO-2.6.1+-sec
22/tcp    open     ssh        SSH 1.2.22 (protocol 1.5)
199/tcp   open     smux?
457/tcp   open     http       NCSA httpd 1.3
615/tcp   open     http       NCSA httpd 1.5
1035/tcp  filtered unknown
1521/tcp  open     oracle-tns Oracle DB Listener 2.3.4.0.0 (for SCO System V/386)
13722/tcp open     inetd      inetd (failed to exec /usr/openv/netbackup/bin/bpjava-msvc: No such file or directory)
13782/tcp open     inetd      inetd (failed to exec /usr/openv/netbackup/bin/bpcd: No such file or directory)
13783/tcp open     inetd      inetd (failed to exec /usr/openv/bin/vopied: No such file or directory)
64206/tcp open     unknown
Device type: general purpose
Running: SCO UnixWare
OS details: SCO UnixWare 7.0.0 or OpenServer 5.0.4-5.0.6

Nmap run completed -- 1 IP address (1 host up) scanned in 501.897 seconds
#

So the full 65K port scan, plus OS and version detection took a little
over 8 minutes over a relatively slow connection.  I ran it several
times to ensure ports weren't being missed.  A quick test from my
colocated machine took 3 minutes.  And it isn't like I had to watch
the whole time -- I was surfing a porn site in another window while it
ran.  The services would have still been detected on different ports
as the same probes are done.  I don't think using nonstandard ports
will help against any but the most marginal attackers and worms.  But
if those are a serious problem, perhaps more time should be spent
patching rather than moving vulnerable services to unusual ports.

I am not saying you won't get _any_ benefit at all from this
obfuscation, but I seriously doubt it will be worth the headaches.  If
ports don't have to be reachable from the outside, filter them at
your firewall/router.  If outsiders do need to reach the ports, moving
them around will just be a pain in the @#$ for those legitimate
users.  You'll find that your own users are the ones port scanning you
in order to locate the services you've hidden.

Cheers,
Fyodor
http://www.insecure.org

PS:  Yes, the scan would have been much slower if that host had a
default deny policy, but would not have been outrageous.  You are
permitted to scan scanme.insecure.org to test that scenario.  The
time taken is not unreasonable, when I run 65K scans against large
heavily filtered networks, I usually just let it run overnight.


Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev

I started such a scan 10 - 20 minutes ago; it has not completed yet, so I do
not have an exact time (it is DSL - 100 Mbit link + firewall).

But your results show just what I am saying - 99% of all attacks were caused
by automated tools, and non-standard ports effectively block all such
attacks. I agree to spend some time and set up non-standard ports (and even
explain them to customers), if I decrease the rate of attacks 100 - 1000 times
(which really happens if ports are non-standard). If you are not a bank, do
not host an IRC server, and are not SCO, the attack rate decreases to absolute 0.
If you run nmap -p1-65000 in an automated tool (with 10 minutes / host, and
usually much more), you will scan the Internet forever.

So, it pays off.

- Original Message - 
From: Fyodor [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]
Cc: Ruben van der Leij [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, January 22, 2004 1:12 AM
Subject: Re: sniffer/promisc detector



 On Wed, Jan 21, 2004 at 09:04:40AM -0800, Alexei Roudnev wrote:
 
  Please, do it:
 
  time nmap -p 0-65535 $target
 
  You will be surprised (and nmap will not report applications; to test a
  response, multiply time at 5 ). And you will have approx. 40% of packets
  lost.
 
  Practically, nmap is useless for this purpose.

 Oh, really?  I'll do a quick test of your theory that Nmap will be
 slow with a 65K port scan, miss 40% of the open ports due to packet
 loss, and not be able to report the application/services running on
 the port.  I may be biased, but anyone who wants to can reproduce this
 test (at the risk of pissing off SCO, who admittedly are rather
 litigious).  To be even more fair, I'll run the scan from a
 128kbps-upstream aDSL line:

 # nmap -sSV -T4 -O -p0-65535 apollo.sco.com
 WARNING:  Scanning port 0 is supported, but unusual.

 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-22 00:49 PST
 Interesting ports on apollo.sco.com (216.250.128.35):
 (The 65524 ports scanned but not shown below are in state: closed)
 PORT      STATE    SERVICE    VERSION
 0/tcp     filtered unknown
 21/tcp    open     ftp        WU-FTPD 2.1WU(1)+SCO-2.6.1+-sec
 22/tcp    open     ssh        SSH 1.2.22 (protocol 1.5)
 199/tcp   open     smux?
 457/tcp   open     http       NCSA httpd 1.3
 615/tcp   open     http       NCSA httpd 1.5
 1035/tcp  filtered unknown
 1521/tcp  open     oracle-tns Oracle DB Listener 2.3.4.0.0 (for SCO System V/386)
 13722/tcp open     inetd      inetd (failed to exec /usr/openv/netbackup/bin/bpjava-msvc: No such file or directory)
 13782/tcp open     inetd      inetd (failed to exec /usr/openv/netbackup/bin/bpcd: No such file or directory)
 13783/tcp open     inetd      inetd (failed to exec /usr/openv/bin/vopied: No such file or directory)
 64206/tcp open     unknown
 Device type: general purpose
 Running: SCO UnixWare
 OS details: SCO UnixWare 7.0.0 or OpenServer 5.0.4-5.0.6

 Nmap run completed -- 1 IP address (1 host up) scanned in 501.897 seconds
 #

 So the full 65K port scan, plus OS and version detection took a little
 over 8 minutes over a relatively slow connection.  I ran it several
 times to ensure ports weren't being missed.  A quick test from my
 colocated machine took 3 minutes.  And it isn't like I had to watch
 the whole time -- I was surfing a porn site in another window while it
 ran.  The services would have still been detected on different ports
 as the same probes are done.  I don't think using nonstandard ports
 will help against any but the most marginal attackers and worms.  But
 if those are a serious problem, perhaps more time should be spent
 patching rather than moving vulnerable services to unusual ports.

 I am not saying you won't get _any_ benefit at all from this
 obfuscation, but I seriously doubt it will be worth the headaches.  If
 ports don't have to be reachable from the outside, filter them at
 your firewall/router.  If outsiders do need to reach the ports, moving
 them around will just be a pain in the @#$ for those legitimate
 users.  You'll find that your own users are the ones port scanning you
 in order to locate the services you've hidden.

 Cheers,
 Fyodor
 http://www.insecure.org

 PS:  Yes, the scan would have been much slower if that host had a
 default deny policy, but would not have been outrageous.  You are
 permitted to scan scanme.insecure.org to test that scenario.  The
 time taken is not unreasonable, when I run 65K scans against large
 heavily filtered networks, I usually just let it run overnight.



Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev

My results vary from 15 minutes to 1 hour.




Re: sniffer/promisc detector

2004-01-22 Thread Ruben van der Leij

+++ Alexei Roudnev [22/01/04 09:05 -0800]:

 My results vary from 15 minutes to 1 hour.

Mine too. So nmap sucks if you want to quickly identify daemons running on
strange ports. No big deal. This discussion wasn't about nmap to start with.
The point of the discussion was whether it made sense to run services on
non-standard ports to deter cr4x0rs. And I feel it doesn't.

However: nmap can be tweaked, if you want to operate with an axe.

The default timeout per port is 5 seconds. You could shorten that. You could
pre-scan networks, to find only interesting ports, and version-scan those.
You could scan large subnets in parallel. You could re-write parts of it, or
start from scratch. 

As long as a sshd yells SSH-1.99 at you the moment you connect to its
port there's no hiding sshd.

A well-tuned iptables or equivalent, on the other hand, might hide the
presence of daemons completely for anyone except the designated users. How
is that for obscurity? Unless you're coming from one of a very few
permissible hosts, and connect to a specific IP on the machine you will get
a normal RST, and think the port is unused. Even H4x0rsc4n Pr0 won't tell
you that port is actually a way in, unless you happen to scan it from the
right machine.


-- 

Ruben van der Leij


Re: sniffer/promisc detector

2004-01-22 Thread Jason Slagle

 Mine too. So nmap sucks if you want to quickly identify daemons running on
 strange ports. No big deal. This discussion wasn't about nmap to start with.
 The point of the discussion was whether it made sense to run services on
 non-standard ports to deter cr4x0rs. And I feel it doesn't.

I've sat here and watched this discussion and kept my thoughts to myself
because I'm thinking "Maybe I'm missing something", but I don't think I
am.

I don't think the OP ever hinted at the fact that he runs VULNERABLE
services on another port.  He just states that running SERVICES on
alternative ports makes the automated worms/etc miss you.  This may give
you the time you need to get patched.  It's part of a whole group of
defenses, not the only one.

sshd exploit is known to the kiddies for 3 weeks before getting public.

By the time it's public, a worm is out to own systems with it.

The worm targets 22.

If you are running there and don't upgrade before the worm hits you,
you're infected.  If you were on another port, you'd likely have a bit
more time to upgrade.

This isn't about hiding the safe and leaving it unlocked, it's about not
putting it out in the middle of a busy intersection frequented by crooks.
If they target your safe, you're in trouble anyways - having it out of the
way makes it less likely the casual crook will go "Oh, that safe can be
opened like this" and walk away with your money.

Jason


-- 
Jason Slagle - CCNP - CCDP
/\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /   ASCII Ribbon Campaign  .
 X  - NO HTML/RTF in e-mail  .
/ \ - NO Word docs in e-mail .





Re: sniffer/promisc detector

2004-01-22 Thread Ruben van der Leij

+++ Jason Slagle [22/01/04 19:13 -0500]:

  The point of the discussion was whether it made sense to run services on
  non-standard ports to deter cr4x0rs. And I feel it doesn't.

 I've sat here and watched this discussion and kept my thoughts to myself
 because I'm thinking Maybe I'm missing something, but I don't think I
 am.

 sshd exploit is known to the kiddies for 3 weeks before getting public.

The k1dd13 isn't able to feed a single packet to my exploitable sshd. 

If I were to run that sshd on a non-standard port, and he wants my ass *and*
knows his way around with nmap or such I would gain between minutes and an
hour, as shown by others. 

Thanks to paranoid iptables I would gain days, weeks, months or more,
depending on the luck he has with finding out which and 0wn1ng those boxes I
use to gain access to the box he wants to cr4x0r.

By the way: those boxes run other OSes on different architectures, just as
a precaution. Hosted by others. Different networks, different account names
and passwords. .bash_history linked to /dev/null, you know the works.

That hour's delay won't save my ass, as it takes three weeks for others to
piece together the vulnerability. Those iptables *will* save my ass. More
often than a non-standard port, at least.

And now for running named on port 54 as a defense against buffer-overflows
in bind.. :P

-- 

Ruben van der Leij


Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev


  My results vary from 15 minutes to 1 hour.

 Mine too. So nmap sucks if you want to quickly identify daemons running on
 strange ports. No big deal. This discussion wasn't about nmap to start
with.
 The point of the discussion was whether it made sense to run services on
 non-standard ports to deter cr4x0rs.

The right answer is _it depends_ - do not rule out such an option and do not use it
as a panacea.



Re: sniffer/promisc detector

2004-01-21 Thread Alexei Roudnev

 
  (I did not rate firewalls etc.)

 Actually, an automated script or manual scan can find it trivially.
 All you have to do is a quick port scan, looking for this:
We can do an experiment:
- I put such a system (with ssh) on a /26 network;
- you scan it, find it and report to me the time and bandwidth used for this scan.

Do not forget - 1 host has 65,000 ports, and if I want to mislead you, I'll
create 1,000 false sshd and 1 real sshd...

65000 ports means approx 100,000 packets to scan... (in most cases, a good
firewall does not send a negative response).
Even if you send 1,000 packets / second (which is impossible on the Internet),
you will spend 1 - 2 minutes just to scan all ports (in our tests, it took 2 -
10 minutes on the LAN, depending on the tool, and set off all existing IDS
systems); 2 minutes x 200 hosts == 6 hours. 2 - 6 hours to scan a /24 network
(just to scan all ports, without getting a response).

In real life, you can make some tricks, but the truth is that no _full
range_ port scans were detected on the Internet during 1 year (I have no more
statistics). No worm or virus was able to detect any non-standard port.
No hacked host (with hacker tools installed) which I investigated had
any script doing such a scan.

So, it is a very good line 1 of defense. It just decreases the intensity of possible
attacks 10 - 1000 times, and (again) for 0 cost. This does not eliminate
possible attacks, of course. And I do not recommend it as _the only_
defense. But it is an _effective_ precaution - do not use standard ports, if
you can use nonstandard ones.



 12:31 biohazard~telnet [somewhere] [port]
 Trying [ip_address]...
 Connected to localhost.
 Escape character is '^]'.
 SSH-1.99-OpenSSH_3.4p1c


 Plus, if you put it on a non-standard port, you tend to use the same
 one across the enterprise, so it is only really obscure once.  Moving
 port numbers only protects you against idle vandalism; it is useless
 against people who truly wish you harm.

Those people use a simpler trick - pretend to be a janitor -:). They will
not scan your network. Just again - this defense is against any automated
tools. 99.99% of harm in the last attacks was made by automated tools.

PS. We used a simple scheme to correlate _IP_ and _port_ (it was 6 years ago).
So, it was not the same port. Then, if you have sshd opened, it will be 1 -
2 sshd for the whole enterprise - no problem with the port number.

The list of services is wide - qpopper, sshd, cvs server - all were hacked by
automated tools during the last few years. I know of real cases for sshd and
qpopper. In all cases, a non-standard port could have prevented intrusion.

 You really need a firewall, particularly one that can detect a port
 scan and shut off the scanner, for changing ports to have any real
 security.  It is kind of like a 4-digit PIN being useless for a bank
 card without the 3-try limit.
Yes, but firewall + non-standard port allows you to see a scan well in
advance; firewall + standard port allows an undetected scan (use a slow scan, no
problem to scan all :22 ports for a /16 network... much faster than to scan
all ports for a /24 network...).

Firewall + sshd on port 22 is worse than no firewall and sshd on port 7765
(if no other ports are open). A firewall can not do much with the ssl and
ssh protocols, except if it terminates these protocols itself (which is the
safest case).

PS. Some automated responses make a DOS attack easy, using this automated
response. Just imitate an attack from address A - and the firewall will block A
instead of you... what a surprise... So, such tools are very sharp - for
both bad guys and good guys.


 -Dave



Re: sniffer/promisc detector

2004-01-21 Thread Michael . Dillon

  Uhm, that would be wrong.  This is simply security through 
obscurity.
 Yes, it is wrong for the _smart books_. But it works in real life. 

Actually, an automated script or manual scan can find it trivially.

If security through obscurity was useless then the USAF
would never have developed the stealth bomber. The British
forces in North Africa would never have employed Jasper
Maskelyne and his magic gang and Rommel would have defeated
the British at El Alamein. And the Serbs would not have been
able to retrieve the vast majority of their tanks from Kosovo
after NATO's bombing campaign.

The fact is that camouflage is a legitimate defense technique
and can be used in networks as well as in the real world.
Nobody would suggest that camouflage is sufficient to
protect something but war is a numbers game. If you can
use obscurity and camouflage to divert a percentage of the
attacks against you then you can pay more attention to the
much tougher security issues which sometimes can only be
resolved through constant vigilance.

--Michael Dillon




Re: sniffer/promisc detector

2004-01-21 Thread Ruben van der Leij

+++ [EMAIL PROTECTED] [21/01/04 10:52 +]:

   Uhm, that would be wrong.  This is simply security through
   obscurity.
  Yes, it is wrong for the _smart books_. But it works in real life. 

 Actually, an automated script or manual scan can find it trivially.

 If security through obscurity was useless then the USAF
 would never have developed the stealth bomber.

TINS (There is no Stealth)

Stealth only works because of the limited number of frequencies used by
military radar. Somebody using a (very) different frequency or a broadband
radar would see your F117A just fine.

The same applies for digging yourself into the sand. That works fine in a
sandy desert, but is no practical method for hiding yourself on a rocky
desert or in the snow.

The message is: stealth might work in a limited number of situations.
Trusting on stealth will make you look silly in the end. You hiding in
a clearly visible pile of snow with footsteps leading to it. Or running an
outdated (and exploitable) sshd on port .

Like said before: a scripted attack would trivially find your superstealth
ssh-port. Connect to $port, wait for 'SSH-1.99*' or a timeout, and repeat
for $port++.

 If you can use obscurity and camouflage to divert a percentage of the
 attacks against you 

Somebody who isn't smart enough to do 'nmap -p 0-65535 $target' isn't worth
diverting. The 'security' gained with that is negligible. 'Camouflage' on the
big bad internet is mainly a game of fooling yourself into feeling secure.
The newest feature in H4x0rSh13ld Pr0 2003 SE, for the masses. I wouldn't waste
time on matters too trivial to have any measurable effect.

But. Just opinions. Mine, that is.

-- 

Ruben van der Leij


Re: sniffer/promisc detector

2004-01-21 Thread Valdis . Kletnieks
On Wed, 21 Jan 2004 15:58:14 +0100, Ruben van der Leij [EMAIL PROTECTED]  said:

 Somebody who isn't smart enough to do 'nmap -p 0-65535 $target' isn't worth
 diverting.

I'm sure everybody who got whacked by Lion or CodeRed or Blaster or are
glad to hear those attacks weren't worth diverting.

The point is that if somebody is doing 'nmap -p 0-65535' at you, you are a *specific*
target, and not one of the "get a probe every 4 minutes" targets that every machine
on the wire is.




Re: sniffer/promisc detector

2004-01-21 Thread Alexei Roudnev

Please, do it:

time nmap -p 0-65535 $target

You will be surprised (and nmap will not report applications; to test a
response, multiply time at 5 ). And you will have approx. 40% of packets
lost.

Practically, nmap is useless for this purpose.


 Somebody who isn't smart enough to do 'nmap -p 0-65535 $target' isn't
worth



Re: sniffer/promisc detector

2004-01-21 Thread Crist Clark

Alexei Roudnev wrote:
 
 Please, do it:
 
 time nmap -p 0-65535 $target
 
 You will be surprised (and nmap will not report applications; to test a
 response, multiply time at 5 ).

Yes. It will,

  http://www.insecure.org/nmap/versionscan.html

-- 
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387


Re: sniffer/promisc detector

2004-01-21 Thread Dave Israel


Clipped for brevity...

On 1/21/2004 at 10:52:00 +, [EMAIL PROTECTED] said:
 
   Uhm, that would be wrong.  This is simply security through 
 obscurity.
  Yes, it is wrong for the _smart books_. But it works in real life. 
 
 Actually, an automated script or manual scan can find it trivially.
 
 If security through obscurity was useless then the USAF
 would never have developed the stealth bomber. [...]

Yes.  But making a bomber stealth means designing it to be difficult
to detect by an opponent.  It doesn't mean painting "I am Not a
Bomber, I Am The Ice Cream Man" on the side and hoping nobody takes a
second glance at it.  

Somebody else pointed out that nmap in its basic mode isn't terribly
fast.  That's true.  But redesigning for speed wouldn't be that hard.
Scan lots of ports in parallel, checking just for an ACK back from a
SYN, then go through those that responded in order of likelihood (22,
then unassigned ports, then assigned ones), and having it stop when it
finds ssh, and you reduce the time required by several orders of
magnitude.  And that's assuming you don't have the help of tons of
zombies.  If everybody tries to get obscure with their ports, then
this will become common, and it will be the people who are
legitimately trying to connect who get annoyed by the obscurity.  And
if you're only trying to provide services for members of your
organization, a VPNish solution makes a lot more sense than
complicated custom port juggling.

So, okay, sure, like many other things, if a small number of clueful
people are doing this, then they will reap benefits for it.  If it
becomes widely spread practice, there will be more harm than good from
it, and people will start ignoring it, working around it, and/or
taking direct action against it that will render it pointless or
harmful to the user.  Lots of things have hit this death and been
forgotten or relegated back to the fringe.  I'll risk the wrath of
many and mention multicast.  Somewhere out there, Randy Bush is
probably thinking of his vision of the future of deaggregated /24s.

-Dave




Re: sniffer/promisc detector

2004-01-21 Thread Ruben van der Leij

+++ [EMAIL PROTECTED] [21/01/04 11:40 -0500]:

  Somebody who isn't smart enough to do 'nmap -p 0-65535 $target' isn't worth
  diverting.

 I'm sure everybody who got whacked by Lion or CodeRed or Blaster or are
 glad to hear those attacks weren't worth diverting.

I'm sure moving www.microsoft.com to port 81 would have helped a lot against
CodeRed. But explaining that to the visitors would have been sheer hell,
don't you think?

Why would one have port 135 reachable from the big bad internet? Do you
really expect to use netbios-over-ip over that same big bad net?

Moving bind to port 54 would have stopped Lion. Along with the rest of the
internet.

Nice scenarios, but I still fail to see the advantage of having 'stealthy'
hidden http and bind servers. Dns is a large part of my bread and butter,
and http that of my customers. 

And, returning to the realm of realism, moving sshd to a different port
*could* help, but other services cannot be moved. Those can't be 'obscured',
and those can still present grave security-risks.

Like I said: digging yourself in the sand might be useful, but digging in
snow is a waste of time and effort which would have been better spent on
securing that IIS-monster lurking in your POP.

 The point is that if somebody is doing 'nmap -p 0-65535' at you, you are a *specific*
 target, and not one of the "get a probe every 4 minutes" targets that every machine
 on the wire is.

Given sufficient patience an attacker could pose as a random probe. Some
can be very hardheaded. One German D00d has been trying to get me for the
last six years. Every couple of weeks I see a pattern of probes which is
quite distinct, comes from the east, and takes days to complete. If one has
a gazillion hits a day one wouldn't notice such slow but persistent probing.

-- 

Ruben van der Leij
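Alexei argues above that a filtering firewall in front of the service lets you see a scan well in advance, and Ruben's point is that persistent probing spread over days hides in the daily noise. The following is an added example, not code from this thread: it parses iptables LOG lines (the stock kernel LOG format is assumed; every sample line is constructed) and flags both a full-range scan of one host and a single-port sweep across many hosts, recording the time span so a slow probe is still reported rather than lost.

```python
"""Flag port-scan patterns in iptables LOG lines (added example, not from the thread).

Assumes the stock Linux iptables LOG target format with syslog timestamps
(year-less, so 2004 is assumed here). All log lines are constructed below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of interest from a kernel LOG line: timestamp, SRC, DST, TCP DPT.
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2004):
    """Return (timestamp, src, dst, dport) for a TCP LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, vertical_min=15, horizontal_min=8):
    """Group rejected SYNs by source and return a list of findings.

    vertical   - one source touching >= vertical_min distinct ports on one host
                 (the full-range scan argued about in the thread);
    horizontal - one source hitting the same port on >= horizontal_min hosts
                 (the "scan all :22 ports for a /16" sweep).
    Each finding records the time between the source's first and last packet,
    so a probe spread over days is still reported, only labelled as slow.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec[1]].append(rec)
    findings = []
    for src, recs in per_src.items():
        ports_by_dst = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _ts, _, dst, dpt in recs:
            ports_by_dst[dst].add(dpt)
            hosts_by_port[dpt].add(dst)
        span = max(r[0] for r in recs) - min(r[0] for r in recs)
        for dst, ports in ports_by_dst.items():
            if len(ports) >= vertical_min:
                findings.append({"src": src, "kind": "vertical", "target": dst,
                                 "count": len(ports), "span": span})
        for dpt, hosts in hosts_by_port.items():
            if len(hosts) >= horizontal_min:
                findings.append({"src": src, "kind": "horizontal", "target": dpt,
                                 "count": len(hosts), "span": span})
    return findings


def is_slow(finding, threshold=timedelta(hours=6)):
    """True when the probing was spread out enough to hide in everyday noise."""
    return finding["span"] >= threshold


def _log_line(ts, src, dst, dpt):
    # Constructed line in the shape a "-j LOG --log-prefix '[IPT-REJECT] '" rule writes.
    return (f"{ts:%b %d %H:%M:%S} fw kernel: [IPT-REJECT] IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=44 TTL=52 PROTO=TCP SPT=40123 DPT={dpt} SYN")


def sample_log():
    """Constructed traffic against a /24 behind a rejecting firewall."""
    lines = []
    t0 = datetime(2004, 1, 18, 3, 0, 0)
    # Slow vertical scan: 30 ports on one host, a packet every ~2.4 hours for 3 days.
    for i in range(30):
        lines.append(_log_line(t0 + timedelta(hours=2.4 * i), "203.0.113.7",
                               "198.51.100.10", 1000 + 7 * i))
    # Fast horizontal sweep: port 22 on 12 hosts within a minute (a worm's pattern).
    for i in range(12):
        lines.append(_log_line(t0 + timedelta(seconds=5 * i), "198.51.100.200",
                               f"198.51.100.{20 + i}", 22))
    # Benign: one user retrying ssh against one host, never flagged.
    for i in range(2):
        lines.append(_log_line(t0 + timedelta(minutes=i), "192.0.2.5",
                               "198.51.100.10", 22))
    return lines


if __name__ == "__main__":
    for f in detect_scans(sample_log()):
        speed = "slow" if is_slow(f) else "fast"
        print(f"{f['src']}: {speed} {f['kind']} scan, {f['count']} x {f['target']} "
              f"over {f['span']}")
```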


Re: sniffer/promisc detector

2004-01-20 Thread Alexei Roudnev



 Uhm, that would be wrong.  This is simply security through obscurity.
Yes, it is wrong for the _smart books_. But it works in real life. Of
course, it should not be the last line of defense; but it works as a first
line very effectively.

If I rate safety as a number (10 is the best, 0 is the worst):
- unpatched sshd on port 22 - safety is zero (will be hacked by an automated
script in a few weeks)
- patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and
I do not know what happens first - I patch the next bug or a hacker's script finds
this sshd and hacks it)
- unpatched sshd on port 30013 - safety is 7 (higher) because no
automated script can find it, and no manual scan finds it in reality
- patched sshd on port 30013 - safety is 9
- turn off power - safety is 10. A secure system is a dark system.

(I did not rate firewalls etc.)






 Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee
you
Yes, correct. Do it. Measure scan time, and you will be surprised. Open old
logs, and you will find that such things are not used; they are absolutely
not effective for any wide scanning. And they are very easy to detect by IDS
systems (it is useless to detect a port 22 scan - every hacker is doing it).

Scan 65000 ports over a T1 link, using 'nessus', and see the time and traffic.
It can be used by an insider on a 100,000 Mbit network only, and (just again)
such a scan will be 100% caught by any IDS.



 that your ssh daemon running on a non-standard port can still be found,
 identified, and exploited. Trivial.


Can != WILL.

It WILL NOT. And it is the FIRST line of defense. But this line decreases the
attack level 10,000 times, and it costs 0 (zero). Do not read _smart
books_ without some thinking. (There are many cases where it is impossible.
But if it is possible, use it).

The second line of defense is a patched system, host IDS etc etc - standard
security. It should not be the first line. And it should not be the last
line.

The last line of defense is a HoneyPot.

PS. I worked as a RU-CERT expert, made traps, found and talked with hackers,
investigated many cases, so I have some background. And, of course, I know
_smart books theory_.

 -b




RE: sniffer/promisc detector

2004-01-20 Thread Michel Py

 Alexei Roudnev wrote:
 - turn off power - safety is 10. A secure
 system is a dark system.

I have to disagree on this one; there is WOL (Wake-on-LAN), the
system can be lit remotely.

- turn off power - safety is 9
- Unplug all cords - safety is 10

Michel.



Re: sniffer/promisc detector

2004-01-20 Thread haesu

 PS. Sniffer... there is no way to detect a sniffer in a non-switched
 network, and there is not much use for a sniffer in a switched network, if this
 network is configured properly and is watched for unusual events.

depends on brand and model of switch

$ portinstall dsniff
$ man macof

-J (and yes, the thread topic is about ways for _watching_ the unusual events aka 
sniffing)

 
 
   The real smart ones - professionals - won't attack unless there's a
 chance
   of a serious payback.  This excludes most businesses, and makes anything
   but a well-known script-based attack a very remote possibility.
 
  that's just not so.  ask me about it in person and i might tell you
 stories.
 
   For most other people a trivial packet-filtering firewall, lack of
   Windoze, and a switch instead of a hub will do just fine.
 
  this part, i agree with.
  -- 
  Paul Vixie

-- 
James Jun (formerly Haesu)
TowardEX Technologies, Inc.
1740 Massachusetts Ave.
Boxborough, MA 01719
Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation
http://www.towardex.com  | [EMAIL PROTECTED]
Cell: (978)394-2867  | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033   | AIM: GigabitEthernet0
NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE


Re: sniffer/promisc detector

2004-01-20 Thread Niels Bakker

* [EMAIL PROTECTED] (Dave Israel) [Tue 20 Jan 2004, 18:48 CET]:
 On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:
[..]
 - unpatched sshd on port 30013 - safety is 7 (higher) because no
 automated script can find it, and no manual scan finds it in reality
 Actually, an automated script or manual scan can find it trivially.
 All you have to do is a quick port scan, looking for this:
[..]

Indeed.  And Alexei's point is that no one is looking for that.


 one across the enterprise, so it is only really obscure once.  Moving
 port numbers only protects you against idle vandalism; it is useless
 against people who truly wish you harm.

Alexei's point also was that you need additional measures against those
people.


 You really need a firewall, particularly one that can detect a port
 scan and shut off the scanner, for changing ports to have any real
 security.  It is kind of like a 4-digit PIN being useless for a bank
 card without the 3-try limit.

Unless you like really, really sore fingers, and don't think a long line
of people waiting behind you at the ATM will attract any attention from
the bank employees.


-- Niels.


Re: sniffer/promisc detector

2004-01-20 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Alexei Roudnev writes:



 Uhm, that would be wrong.  This is simply security through obscurity.
Yes, it is wrong for the _smart books_. But it works in real life. Of
course, it should not be the last line of defense; but it works as a first
line very effectively.


Precisely.  Don't count on security through obscurity -- there are 
targeted attacks, if nothing else -- but *after* you've taken all due 
precautions against a knowledgeable adversary, throwing in some 
obscurity can help, too.   (Want a worked example?  Ask the NSA to 
publish the algorithm for one of their top secret encryption 
algorithms...)

But there's another major caveat:  this sort of obscurity doesn't scale 
very well.  It's fine to put ssh on another port if you have a 
relatively small community of reasonably sophisticated users who can 
cope, or if you can hand out canned configurations to less 
sophisticated users.  But you couldn't easily put SMTP elsewhere, or no 
one could find you.  You'd also have support problems with your user 
base if you tried doing that as an anti-relay technique.

Obscurity works in small, closed communities.  Beyond that, operational 
considerations can kill you.

--Steve Bellovin, http://www.research.att.com/~smb




Re: sniffer/promisc detector

2004-01-19 Thread Vadim Antonov


Criminal hackers _are_ stupid (like most criminals) for purely economical
reasons: those who are smart can make more money in various legal ways,
like by holding a good job or running their own business.  Hacking into
other people's computers does not pay well (if at all).

Those who aren't in that for money are either psychopaths or adolescents,
pure and simple.  Neither of those are smart.

The real smart ones - professionals - won't attack unless there's a chance
of a serious payback.  This excludes most businesses, and makes anything
but a well-known script-based attack a very remote possibility.

Honeypots are indeed a good technique to catch those attacks, and may be
quite adequate for the probable threat model for most people.  Of course,
if you're doing security for a bank, or a nuclear plant, then you may want
to adjust your expectations of adversary's motivation and capabilities and
upgrade your defenses accordingly.  But, then, bribing an insider or some
other form of social engineering is going to be more likely than any
direct network-based attack.

For most other people a trivial packet-filtering firewall, lack of
Windoze, and a switch instead of a hub will do just fine.

--vadim


On Sat, 17 Jan 2004 [EMAIL PROTECTED] wrote:

 
 I think I'll pass this onto zen of Rob T. :)
 
 i think he said something along the lines of security industry is here for my
 amusement in the last nanog.
 
 so yea.. let's install bunch of honeypots and hope all those stupid hackers
 will get caught like the mouse.
 
 by the time you think your enemy is less capable than you, you've already lost
 the war.
 
 -J
 
 On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
  
  The best anti-sniffer is a HoneyPot (it is a method, not a tool). Create so
  much false information (and track its usage) that hackers will be caught
  before they do something really wrong.



Re: sniffer/promisc detector

2004-01-19 Thread Gerald


On Sat, 17 Jan 2004, Sam Stickland wrote:

 In an all switched network, sniffing can normally only be accomplished with
 MAC address spoofing (Man In The Middle). Watching for MAC address changes
 (from every machine's perspective), along with scanning for separate machines
 with the same ARP address, and using switches that can detect when a MAC
 address moves between ports will go a long way towards detecting sniffing.

My machines all scream bloody murder when an IP address has more than one
MAC or even if the IP changes MAC addresses.

One of the suggestions mailed to me off list:
http://sniffdet.sourceforge.net/

I haven't looked in to it yet, but figured I would keep all of the
suggestions in public view.

Gerald



Re: sniffer/promisc detector

2004-01-19 Thread Gerald

On Sat, 17 Jan 2004, Scott McGrath wrote:

 The question here is what are you trying to defend against?

If that question was directed at me, I am just checking to make sure
nothing is new on the packet sniffing / detecting scene that I haven't
heard about. It also seemed to me to have been a long time since the
subject of detecting packet sniffers was brought up. (not just on NANOG)

I know there are ways to get around being detected, but I'm just trying to
make sure I'm doing my best to catch the less than professional sniffers
on my networks.

Gerald



Re: sniffer/promisc detector

2004-01-19 Thread Paul Vixie

let's be careful out there:

 Criminal hackers _are_ stupid (like most criminals) for purely economical
 reasons: those who are smart can make more money in various legal ways,
 like by holding a good job or running their own business.  Hacking into
 other people's computers does not pay well (if at all).

that depends on how you look at hacking in.  if bypassing spam filters and
writing files (mail messages) on someone else's computer (inbox) is a form
of hacking in, then unfortunately it pays pretty well.  if writing and
propagating worms that create open proxies inside other people's computers
so that you or others can use them to bypass spam filters is a form of
hacking in then this too seems to pay pretty well these days.

 Those who aren't in that for money are either psychopaths or adolescents,
 pure and simple.  Neither of those are smart.

i wish you were right.  i wish you were even close to right.  but we've been
attacked many times over the years by some extremely smart adolescent
psychopaths -- where adolescence is a state of mind in this case, rather
than of years -- and i wish very much that they would either stop being
so smart, or stop being so psychotic, or stop being so adolescent.

 The real smart ones - professionals - won't attack unless there's a chance
 of a serious payback.  This excludes most businesses, and makes anything
 but a well-known script-based attack a very remote possibility.

that's just not so.  ask me about it in person and i might tell you stories.

 For most other people a trivial packet-filtering firewall, lack of
 Windoze, and a switch instead of a hub will do just fine.

this part, i agree with.
-- 
Paul Vixie


Re: sniffer/promisc detector

2004-01-19 Thread Scott McGrath



That's what I assumed but I asked the question anyhow just to confirm my
assumption(s).


Scott C. McGrath

On Mon, 19 Jan 2004, Gerald wrote:

 On Sat, 17 Jan 2004, Scott McGrath wrote:

  The question here is what are you trying to defend against?

 If that question was directed at me, I am just checking to make sure
 nothing is new on the packet sniffing / detecting scene that I haven't
 heard about. It also seemed to me to have been a long time since the
 subject of detecting packet sniffers was brought up. (not just on NANOG)

 I know there are ways to get around being detected, but I'm just trying to
 make sure I'm doing my best to catch the less than professional sniffers
 on my networks.

 Gerald



Re: sniffer/promisc detector

2004-01-19 Thread Alexei Roudnev


 i wish you were right.  i wish you were even close to right.  but we've
been
 attacked many times over the years by some extremely smart adolescent
 psychopaths -- where adolescence is a state of mind in this case, rather
 than of years -- and i wish very much that they would either stop being
 so smart, or stop being so psychotic, or stop being so adolescent.

Hmm.

It depends on what an _attack_ is. For example, if I have an old, unpatched sshd
daemon (which is easy to hack), but
run it on port 30022, how long do I need to expose it on the Internet to be
hacked? (Answer - you will never be hacked if
you use a nonstandard port, except if you attract someone by name, such as
_SSH-DAEMOn.Rich-Bank-Of-America.Com_.)

Yes, all mass attacks are done by the dumb hackers. All smart attacks were
done only because there was some very attractive purpose for the attack,
known _out of band_.

But I mentioned another thing. If (if) you have a real concern about
information leakage, attack, etc., do not wait until it happens,
but create false information, leak it and track its usage. If you get a scam
message _I am PayPal. You are expired. Please send us your credit card and
PIN code_, do not ignore it - send some numbers _like real_ and track who
will try to use them, and how. Etc. etc. This is a 'honeypot' - to make a
picture of the bear, do not roam the whole forest; bring honey, expose it
to the bears and wait...

PS. Sniffer... there is no way to detect a sniffer in a non-switched
network, and there is not much use for a sniffer in a switched network, if this
network is configured properly and is watched for unusual events.


  The real smart ones - professionals - won't attack unless there's a
chance
  of a serious payback.  This excludes most businesses, and makes anything
  but a well-known script-based attack a very remote possibility.

 that's just not so.  ask me about it in person and i might tell you
stories.

  For most other people a trivial packet-filtering firewall, lack of
  Windoze, and a switch instead of a hub will do just fine.

 this part, i agree with.
 -- 
 Paul Vixie



Re: sniffer/promisc detector

2004-01-19 Thread Brett Watson

 i wish you were right.  i wish you were even close to right.  but we've
 been
 attacked many times over the years by some extremely smart adolescent
 psychopaths -- where adolescence is a state of mind in this case, rather
 than of years -- and i wish very much that they would either stop being
 so smart, or stop being so psychotic, or stop being so adolescent.
 
 Hmm.
 
 It depends on what an _attack_ is. For example, if I have an old, unpatched sshd
 daemon (which is easy to hack), but
 run it on port 30022, how long do I need to expose it on the Internet to be
 hacked? (Answer - you will never be hacked if
 you use a nonstandard port, except if you attract someone by name, such as
 _SSH-DAEMOn.Rich-Bank-Of-America.Com_.)

Uhm, that would be wrong.  This is simply security through obscurity.

Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you
that your ssh daemon running on a non-standard port can still be found,
identified, and exploited. Trivial.

-b



Re: sniffer/promisc detector

2004-01-19 Thread Valdis . Kletnieks
On Mon, 19 Jan 2004 23:26:30 MST, Brett Watson [EMAIL PROTECTED]  said:

  hacked? (Answer - you will never be hacked if
  you use a nonstandard port, except if you attract someone by name, such as
  _SSH-DAEMOn.Rich-Bank-Of-America.Com_.)

 Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you
 that your ssh daemon running on a non-standard port can still be found,
 identified, and exploited. Trivial.

Alexei's point is that *yes*, things like Nessus *will* find a relocated SSH -
but that if you're getting Nessus scanned, somebody has painted a bullseye
target on YOUR site, not any site vulnerable to exploit du jour.  The
people looking for any vulnerable site will just go SSH-scanning on port 22
and be done with it, since it's simply NOT PRODUCTIVE to do an exhaustive test
of each machine. One probe at port 22 will probably go under the radar;
scanning all 65K ports is sure to peeve somebody off.




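The contrast Valdis and Alexei draw, one probe at 22/tcp versus a sweep of all 65K ports, is easy to turn into the scan detector Dave Israel asks for earlier in the thread. The following is an added example, not code from the thread or from any tool named in it: it reads iptables-style LOG lines (the line format, hosts and timestamps are constructed for the example) and flags a source that reaches a threshold of distinct destination ports inside a sliding time window, so a slow sweep spread over hours is only reported when the window is widened.

```python
"""Port-scan detection over firewall log lines.

Added example (not from the thread): a source that touches many distinct
destination ports in a short window is the exhaustive scan the discussion
says any IDS will catch; a single probe at 22/tcp is background noise.
All log lines below are constructed in an iptables LOG style.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from a constructed iptables-style LOG line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) "
    r".*?DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt, or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def detect_scanners(lines, threshold=10, window_seconds=60):
    """Map src -> largest number of distinct (dst, port) targets seen inside
    any window of `window_seconds`, for sources reaching `threshold` or more."""
    by_src = defaultdict(list)
    for rec in filter(None, (parse_line(l) for l in lines)):
        by_src[rec["src"]].append(rec)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        active = defaultdict(int)   # (dst, dpt) -> hits currently inside the window
        lo, best = 0, 0
        for rec in recs:
            active[(rec["dst"], rec["dpt"])] += 1
            # slide the left edge forward until the window fits
            while rec["ts"] - recs[lo]["ts"] > window:
                key = (recs[lo]["dst"], recs[lo]["dpt"])
                active[key] -= 1
                if active[key] == 0:
                    del active[key]
                lo += 1
            best = max(best, len(active))
        if best >= threshold:
            flagged[src] = best
    return flagged


def constructed_log():
    """Constructed sample: one probe at 22, a fast 40-port sweep, a slow sweep."""
    base = datetime(2004, 1, 19, 23, 0, 0)
    fmt = ("{ts} kernel: IN=eth0 OUT= SRC={src} DST=203.0.113.10 "
           "PROTO=TCP SPT=40000 DPT={dpt} SYN")
    lines = [fmt.format(ts=base.isoformat(), src="198.51.100.7", dpt=22)]
    for i in range(40):            # 40 ports in 20 seconds
        ts = base + timedelta(seconds=i // 2)
        lines.append(fmt.format(ts=ts.isoformat(), src="198.51.100.9", dpt=1000 + i))
    for i in range(15):            # 15 ports, one every 10 minutes
        ts = base + timedelta(minutes=10 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="198.51.100.23", dpt=2000 + i))
    lines.append("2004-01-19T23:05:00 kernel: unrelated message")
    return lines


if __name__ == "__main__":
    for src, n in detect_scanners(constructed_log()).items():
        print(f"{src}: {n} distinct targets inside 60 s")
```

The threshold and window are the two knobs: too tight and the slow sweep in the sample is never reported, too loose and a busy legitimate client gets flagged. Feeding the flagged sources back into the firewall is the reflex block the quoted text above describes.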


Re: sniffer/promisc detector

2004-01-18 Thread E.B. Dreger

DJ Date: Sat, 17 Jan 2004 14:57:19 -0500
DJ From: Deepak Jain


DJ I know most people don't take the time to hard code their
DJ MACs onto their switch ports, but it really only takes a few
DJ seconds per switch with a little cutting & pasting -- as
DJ customer switches a network port, they just need to open a
DJ ticket to have the address changed.

In the same vein, hardcoded router ARP entries in router configs
also help.  Yes, spoofed gratuitous ARP packets are detectable,
but they can still cause trouble.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: sniffer/promisc detector

2004-01-17 Thread Alexei Roudnev

The best anti-sniffer is a HoneyPot (it is a method, not a tool). Create so
much false information (and track its usage) that hackers will be caught
before they do something really wrong.

Who does not know - look at the standard, cage-like mouse trap with a
piece of cheese inside. -:)

- Original Message - 
From: Rubens Kuhl Jr. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 16, 2004 3:18 PM
Subject: Re: sniffer/promisc detector




 That is a battle that was lost at its beginning: the Ethernet 802.1d
 paradigm of "don't know where to send the packet, send it to all ports,
 forget where to send packets every minute" is the weak point.
 There are some common mistakes that sniffing kits make, that can be used to
 detect them (I think antisniff implements them all), but a better approach
 is to make promisc mode of no gain unless the attacker compromises the
 switch also. In Cisco-world, the solution is called Private VLANs.
 Nortel/Bay used to have ports that could belong to more than one VLAN,
 probably every other switch vendor has its own non-IEEE 802 compliant way
 of making a switched network more secure.


 Rubens


 - Original Message - 
 From: Gerald [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, January 16, 2004 8:35 PM
 Subject: sniffer/promisc detector


 
  Subject says it all. Someone asked the other day here for sniffers. Any
  progress or suggestions for programs that detect cards in promisc mode
or
  sniffing traffic?
 
  Gerald
 




Re: sniffer/promisc detector

2004-01-17 Thread Sam Stickland


- Original Message -
From: Laurence F. Sheldon, Jr. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 16, 2004 10:49 PM
Subject: Re: sniffer/promisc detector



 Gerald wrote:
 
  Subject says it all. Someone asked the other day here for sniffers. Any
  progress or suggestions for programs that detect cards in promisc mode
or
  sniffing traffic?

 I can't even imagine how one might do that.  Traditionally the only
 way to know that you have a mole is to encounter secrets that had to
 have been stolen.

In an all switched network, sniffing can normally only be accomplished with
MAC address spoofing (Man In The Middle). Watching for MAC address changes
(from every machine's perspective), along with scanning for separate machines
with the same ARP address, and using switches that can detect when a MAC
address moves between ports will go a long way towards detecting sniffing.

It can also be worthwhile setting up a machine on a switch to detect
non-broadcast traffic that isn't for it - sometimes older switches get
'leaky' when they shouldn't be used.

I'm not sure if it's still the case, but it used to be the case that when
Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its
IP address even if the MAC address on that packet is wrong. Sending TCP/IP
packets to all the IP addresses on the subnet, where the MAC address
contains wrong information, will tell you which machines are Linux machines
in promiscuous mode (the answer from those machines will be a RST packet).

Some tools that google turned up (haven't tried them myself):

http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html

http://www.packetstormsecurity.org/sniffers/antisniff/

Apparently Man In The Middle attacks can also be detected by measuring the
latency under different traffic loads, but I haven't looked too much into
that.

Sam
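The monitoring Sam lists (MAC changes for an IP as seen from every host, separate machines sharing one ARP address) and the alarms Gerald describes on his machines can be written as a small consistency check over ARP observations. Below is an added example, not code from the thread or from any of the tools linked above: it consumes a constructed log of ip/mac pairs, keeps the bindings seen so far, and raises an alert when an IP's MAC changes, when one MAC starts answering for a second IP, or when an observation contradicts an optional static ip-to-mac table of the kind Eddy suggests for router configs. The log format, addresses and MACs are constructed (RFC 5737 / IANA documentation ranges).

```python
"""ARP consistency monitor.

Added example (not from the thread): the checks Sam and Gerald describe,
run over a constructed stream of ARP observations. Alerts are
(kind, subject, detail) tuples so a caller can route them.
"""
import re
from collections import defaultdict

# Constructed observation format, one ARP reply per line.
ARP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def parse_arp_line(line):
    """Return ts/ip/mac for a matching line, else None."""
    m = ARP_RE.match(line)
    return m.groupdict() if m else None


def check_arp_log(lines, static=None):
    """Walk the observations in order and return a list of alerts.

    static: optional {ip: mac} table of bindings the operator hardcoded;
    any observation that disagrees with it is reported as 'static-mismatch'.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    ip_macs = defaultdict(set)   # ip  -> MACs seen claiming it
    mac_ips = defaultdict(set)   # mac -> IPs it has claimed
    alerts = []
    for line in lines:
        rec = parse_arp_line(line)
        if rec is None:
            continue
        ip, mac, ts = rec["ip"], rec["mac"].lower(), rec["ts"]
        if ip in static and static[ip] != mac:
            alerts.append(("static-mismatch", ip,
                           f"expected {static[ip]}, saw {mac} at {ts}"))
        # the IP was already bound to a different MAC: flip-flop
        if ip_macs[ip] and mac not in ip_macs[ip]:
            alerts.append(("ip-mac-changed", ip,
                           f"{sorted(ip_macs[ip])} -> {mac} at {ts}"))
        ip_macs[ip].add(mac)
        # one MAC now answering for more than one IP
        if mac_ips[mac] and ip not in mac_ips[mac]:
            alerts.append(("mac-multi-ip", mac,
                           f"claims {sorted(mac_ips[mac])} and now {ip} at {ts}"))
        mac_ips[mac].add(ip)
    return alerts


# Constructed sample: a gateway, two hosts, then .11's MAC answering for the gateway.
CONSTRUCTED_ARP_LOG = [
    "2004-01-17 10:00:01 ip=192.0.2.1 mac=00:00:5e:00:53:01",
    "2004-01-17 10:00:02 ip=192.0.2.10 mac=00:00:5e:00:53:10",
    "2004-01-17 10:00:03 ip=192.0.2.11 mac=00:00:5e:00:53:11",
    "2004-01-17 10:05:00 ip=192.0.2.1 mac=00:00:5e:00:53:01",
    "2004-01-17 10:07:42 ip=192.0.2.1 mac=00:00:5e:00:53:11",
    "2004-01-17 10:07:43 not an arp record",
]
# Constructed static table, as an operator would hardcode it for the gateway.
STATIC_BINDINGS = {"192.0.2.1": "00:00:5E:00:53:01"}


if __name__ == "__main__":
    for kind, subject, detail in check_arp_log(CONSTRUCTED_ARP_LOG, STATIC_BINDINGS):
        print(f"{kind:16} {subject:20} {detail}")
```

On a real segment the feed would come from arpwatch or a capture of ARP replies rather than a list. Hosts with legitimate IP aliases, or routers sharing a virtual MAC for failover, need an allowlist, otherwise the mac-multi-ip check fires on them every time they answer.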




Re: sniffer/promisc detector

2004-01-17 Thread haesu

I think I'll pass this onto zen of Rob T. :)

i think he said something along the lines of security industry is here for my
amusement in the last nanog.

so yea.. let's install bunch of honeypots and hope all those stupid hackers
will get caught like the mouse.

by the time you think your enemy is less capable than you, you've already lost
the war.

-J

On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
 
 The best anti-sniffer is a HoneyPot (it is a method, not a tool). Create so
 much false information (and track its usage) that hackers will be caught
 before they do something really wrong.
 
 Who does not know - look at the standard, cage-like mouse trap with a
 piece of cheese inside. -:)
 
 - Original Message - 
 From: Rubens Kuhl Jr. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, January 16, 2004 3:18 PM
 Subject: Re: sniffer/promisc detector
 
 
 
 
  That is a battle that was lost at its beginning: the Ethernet 802.1d
  paradigm of "don't know where to send the packet, send it to all ports,
  forget where to send packets every minute" is the weak point.
  There are some common mistakes that sniffing kits make, that can be used to
  detect them (I think antisniff implements them all), but a better approach
  is to make promisc mode of no gain unless the attacker compromises the
  switch also. In Cisco-world, the solution is called Private VLANs.
  Nortel/Bay used to have ports that could belong to more than one VLAN,
  probably every other switch vendor has its own non-IEEE 802 compliant way
  of making a switched network more secure.
 
 
  Rubens
 
 
  - Original Message - 
  From: Gerald [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, January 16, 2004 8:35 PM
  Subject: sniffer/promisc detector
 
 
  
   Subject says it all. Someone asked the other day here for sniffers. Any
   progress or suggestions for programs that detect cards in promisc mode
 or
   sniffing traffic?
  
   Gerald
  
 

-- 
James Jun (formerly Haesu)
TowardEX Technologies, Inc.
1740 Massachusetts Ave.
Boxborough, MA 01719
Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation
http://www.towardex.com  | [EMAIL PROTECTED]
Cell: (978)394-2867  | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033   | AIM: GigabitEthernet0
NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE


Re: sniffer/promisc detector

2004-01-17 Thread Scott McGrath


It is also possible to sniff a network using only the RX pair so most of
the tools to detect cards in P mode will fail.  The new Cisco 6548's have
TDR functionality so you could detect unauthorized connections by their
physical characteristics.

But there are also tools like ettercap which exploit weaknesses within
switched networks.  See http://ettercap.sourceforge.net/ for more details
(and gain some add'l grey hairs in the process).

The question here is what are you trying to defend against?


Scott C. McGrath

On Sat, 17 Jan 2004, Sam Stickland wrote:



 - Original Message -
 From: Laurence F. Sheldon, Jr. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, January 16, 2004 10:49 PM
 Subject: Re: sniffer/promisc detector


 
  Gerald wrote:
  
   Subject says it all. Someone asked the other day here for sniffers. Any
   progress or suggestions for programs that detect cards in promisc mode
 or
   sniffing traffic?
 
  I can't even imagine how one might do that.  Traditionally the only
  way to know that you have a mole is to encounter secrets that had to
  have been stolen.

 In an all switched network, sniffing can normally only be accomplished with
 MAC address spoofing (Man In The Middle). Watching for MAC address changes
 (from every machine's perspective), along with scanning for separate machines
 with the same ARP address, and using switches that can detect when a MAC
 address moves between ports will go a long way towards detecting sniffing.

 It can also be worthwhile setting up a machine on a switch to detect
 non-broadcast traffic that isn't for it - sometimes older switches get
 'leaky' when they shouldn't be used.

 I'm not sure if it's still the case, but it used to be the case that when
 Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its
 IP address even if the MAC address on that packet is wrong. Sending TCP/IP
 packets to all the IP addresses on the subnet, where the MAC address
 contains wrong information, will tell you which machines are Linux machines
 in promiscuous mode (the answer from those machines will be a RST packet).

 Some tools that google turned up (haven't tried them myself):

 http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html

 http://www.packetstormsecurity.org/sniffers/antisniff/

 Apparently Man In The Middle attacks can also be detected by measuring the
 latency under different traffic loads, but I haven't looked too much into
 that.

 Sam




Re: sniffer/promisc detector

2004-01-17 Thread Valdis . Kletnieks
On Sat, 17 Jan 2004 12:55:17 EST, [EMAIL PROTECTED] said:

 by the time you think your enemy is less capable than you, you've already lost
 the war.

On the other hand, does the fact that police usually only catch the stupid crooks
mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall
for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember,
it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold).

2) How often is your site visited by a talented Black Hat who's more capable than you,
and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard
about this one - when was the last time you took *everything* down and booted
from known good media and checked for rootkits?  And how do you know it was
good media? (Go and re-read Ken Thompson's On Trusting Trust and Karger and
Schell's paper on a Multics pen-test, and then take another REALLY close look
at that boot CD.)

I tend toward paranoia.  However, I once received a box claiming to be from IBM
Software Distribution, with the format of shipping labels that IBM SD had, and
even sealed with IBM anti-tamper Q-tape the same way IBM SD does.

There was a birthday card in it.  Addressed to me.  From a friend who wasn't an
IBM employee at the time.  I was most impressed. ;)




Re: sniffer/promisc detector

2004-01-17 Thread Donovan Hill

On Saturday 17 January 2004 11:18 am, Scott McGrath wrote:
 It is also possible to sniff a network using only the RX pair so most of
 the tools to detect cards in P mode will fail.  The new Cisco 6548's have
 TDR functionality so you could detect unauthorized connections by their
 physical characteristics.

 But there are also tools like ettercap which exploit weaknesses within
 switched networks.  See http://ettercap.sourceforge.net/ for more details
 (and gain some add'l grey hairs in the process).

 The question here is what are you trying to defend against?



Maybe this is just a stupid comment, but if the original poster is that 
concerned with their LAN being sniffed, then maybe they should consider using 
IPSec on their LAN.

-- 
Donovan Hill
Electronics Engineering Technologist, CCNA
www.lazyeyez.net, www.gwsn.com






Re: sniffer/promisc detector

2004-01-17 Thread Deepak Jain

It is also possible to sniff a network using only the RX pair so most of
the tools to detect cards in P mode will fail.  The new Cisco 6548's have
TDR functionality so you could detect unauthorized connections by their
physical characteristics.
But there are also tools like ettercap which exploit weaknesses within
switched networks.  See http://ettercap.sourceforge.net/ for more details
(and gain some add'l grey hairs in the process).
The question here is what are you trying to defend against?
Maybe this is just a stupid comment, but if the original poster is that 
concerned with their LAN being sniffed, then maybe they should consider using 
IPSec on their LAN.

I read the ettercap service description, and still don't see how a rogue 
machine gets around this:

Switched network of multiple switches, servers on each port have a 
hardcoded MAC on the switch port. (Ports will not work if the MAC is 
different than the one described). This prevents MAC flood and MAC 
poisoning. If you use VLAN to your router and give each server a /30 or 
/29 that you route its IPs down towards it, your router will only talk 
to each server in the IP block that has been described by the subnet mask.

I know most people don't take the time to hard code their MACs onto 
their switch ports, but it really only takes a few seconds per switch 
with a little cutting & pasting -- as customer switches a network port, 
they just need to open a ticket to have the address changed.

Am I missing something?

Thanks,

DJ



Re: sniffer/promisc detector

2004-01-17 Thread Valdis . Kletnieks
On Sat, 17 Jan 2004 11:30:13 PST, Donovan Hill said:
 Maybe this is just a stupid comment, but if the original poster is that
 concerned with their LAN being sniffed, then maybe they should consider using
 IPSec on their LAN.

Amen to that.  It's actually easier to sleep at night if you start off with the
assumption that every single packet is received by both the intended recipient
and the entity you *least* want getting said packet, and then design your
communications accordingly.

Similarly for spoofed and MITM attacks - assume they WILL happen, and plan
accordingly.

Proper use of IPSec/OpenSSH/OpenSSL, with key/cert checking as appropriate,
goes a LONG way to raising the bar WAY up on the attacker.

Just don't forget about endpoint security - waay too many sites deploy OpenSSL
so credit card info can't be sniffed, and then leave the suckers in plaintext on the
web server. :)




Re: sniffer/promisc detector

2004-01-17 Thread Alexei Roudnev

Sorry, but this _honeypot etc_ is _the only_ reliable defence. And when I
say honeypot, I do not mean _install old linux with qpopper and wait_. I
mean that, if there is concern about sniffing a network (which is a
little strange, because there is not much use in sniffing a switched network),
this means concern about leaking information.

Usually, you do not get much from sniffing - you cannot sniff SSL, cannot
sniff Win2K rdesktop, cannot sniff 'ssh'. But you can sniff, for
example, keyboard input (and the only protection against such things is
SecurID etc.), can try to get some passwords and so on. So, having a fraudulent
account, even a fraudulent computer, exposing this account to the network, and
tracking any attempt to use it
is a very effective line of defense.

I told you already - _do not trust the smart books about security too much_;
they misinterpret many things. For example, they treat _non standard port
assignments_ as very ineffective, while in real life such a simple (0 cost)
thing decreases the chance of a break-in 10 - 1000 times (we investigated 3 months of
logs and found that no one in the whole Internet scans a wide range of ports,
and no one in real life uses tools reporting _real_ protocols, because they
are dramatically slow and so useless). The same here - having fraudulent,
'labeled', information is a very effective 'complementary' defense - it lets
you know when things have gone really wrong, when you have no other indications.
And it has 0% false positives (if this account is never used and someone
opened it, he is 100% a hacker or intruder. No other method provides
you 0 false positives).

PS. Even if you are listening to MAC broadcasts, you get much more than you
expect. At one point, we found that we had all traffic to one of the
servers 'broadcasted'; the reason was complicated - ARP timeout longer than CAM
timeout + nonsymmetrical traffic. You have no method to detect a
passive sniffer (except a few tricks, which can work with a particular OS but
do not work with other systems), and no good method to detect a keyboard
sniffer. So, if you are very serious about security, you must use active
defence.

- Original Message - 
From: [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]
Cc: Rubens Kuhl Jr. [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, January 17, 2004 9:55 AM
Subject: Re: sniffer/promisc detector


 I think I'll pass this on to the zen of Rob T. :)

 i think he said something along the lines of the security industry is here
 for my amusement in the last nanog.

 so yea.. let's install a bunch of honeypots and hope all those stupid
 hackers will get caught like the mouse.

 by the time you think your enemy is less capable than you, you've already
lost
 the war.

 -J

 On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
 
  The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so
  much false information (and track its usage) that hackers will be caught
  before they do something really wrong.
 
  Those who do not know - look at the standard, cage-like mouse trap with a
  piece of cheese inside. -:)
 
  - Original Message - 
  From: Rubens Kuhl Jr. [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, January 16, 2004 3:18 PM
  Subject: Re: sniffer/promisc detector
 
 
  
  
   That is a battle that was lost at its beginning: the Ethernet 802.1d
   paradigm of don't know where to send the packet, send it to all
ports,
   forget where to send packets every minute is the weak point.
   There are some common mistakes that sniffing kits do, that can be used
to
   detect them (I think antisniff implements them all), but a better
approach
   is to make promisc mode of no gain unless the attacker compromises the
   switch also. In Cisco-world, the solution is called Private VLANs.
   Nortel/Bay used to have ports that could belong to more than one VLAN,
   probably every other switch vendor has its own non-IEEE 802 compliant way
   of making a switched network more secure.
  
  
   Rubens
  
  
   - Original Message - 
   From: Gerald [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Friday, January 16, 2004 8:35 PM
   Subject: sniffer/promisc detector
  
  
   
Subject says it all. Someone asked the other day here for sniffers.
Any
progress or suggestions for programs that detect cards in promisc
mode
  or
sniffing traffic?
   
Gerald
   
  

 -- 
 James Jun (formerly Haesu)
 TowardEX Technologies, Inc.
 1740 Massachusetts Ave.
 Boxborough, MA 01719
 Consulting, IPv4 & IPv6 colocation, web hosting, network design &
 implementation
 http://www.towardex.com  | [EMAIL PROTECTED]
 Cell: (978)394-2867  | Office: (978)263-3399 Ext. 170
 Fax: (978)263-0033   | AIM: GigabitEthernet0
 NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE
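The "labeled information" idea in the post above (a decoy account nobody legitimate ever uses, so any authentication event against it is an alert with no false positives) is easy to turn into a log check. The following is an added example, not code from the thread or from any tool named in it; the account names, host names, addresses and sshd-style log lines are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy ("labeled") account names that no legitimate user or job ever touches.
# Hypothetical values for this example only.
DECOY_ACCOUNTS = {"svc_backup_old", "jdoe_tmp"}

# Constructed sshd-style syslog lines; not real log data.
SAMPLE_LOG = """\
Jan 17 02:11:03 host1 sshd[4021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jan 17 02:12:44 host1 sshd[4033]: Failed password for svc_backup_old from 10.0.0.77 port 40311 ssh2
Jan 17 02:12:49 host1 sshd[4033]: Accepted password for svc_backup_old from 10.0.0.77 port 40311 ssh2
Jan 17 02:15:00 host2 sshd[1180]: Accepted publickey for bob from 10.0.0.9 port 50110 ssh2
Jan 17 02:16:21 host2 sshd[1190]: Invalid user jdoe_tmp from 10.0.0.77 port 40400
Jan 17 02:17:05 host2 sshd[1195]: Accepted publickey for carol from 10.0.0.12 port 50200 ssh2
"""

# Matches the three sshd authentication events used in the sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<event>Accepted \w+|Failed \w+|Invalid user)\s(?:for\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)"
)


@dataclass(frozen=True)
class DecoyAlert:
    timestamp: str
    host: str
    user: str
    source: str
    event: str


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """One alert per authentication event (success or failure) against a decoy.

    Failures count too: a never-used account should not even be *tried*, so a
    password guess against it is as telling as a successful login.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] in decoys:
            alerts.append(DecoyAlert(m["ts"], m["host"], m["user"], m["src"], m["event"]))
    return alerts


def sources_by_decoy(alerts):
    """Map each source address to the set of decoys it touched. One source hitting
    several decoys is the strongest sign of someone working from a harvested list."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source, set()).add(a.user)
    return by_src


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host}: {a.event} decoy account {a.user!r} from {a.source}")
    print(sources_by_decoy(found))
```

The regex is deliberately narrow: it only recognises the three sshd message shapes in the constructed sample, so any other log format would need its own pattern before the decoy lookup applies.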



Re: sniffer/promisc detector

2004-01-16 Thread Laurence F. Sheldon, Jr.

Gerald wrote:
 
 Subject says it all. Someone asked the other day here for sniffers. Any
 progress or suggestions for programs that detect cards in promisc mode or
 sniffing traffic?

I can't even imagine how one might do that.  Traditionally the only
way to know that you have a mole is to encounter secrets that had to
have been stolen.


Re: sniffer/promisc detector

2004-01-16 Thread Gerald

On Fri, 16 Jan 2004, Gerald wrote:

 Subject says it all. Someone asked the other day here for sniffers. Any
 progress or suggestions for programs that detect cards in promisc mode or
 sniffing traffic?

I should probably mention that I've already started looking at antisniff.
I was hoping to find something that was currently maintained and still
free while I investigate antisniff's capabilities. Or, if there is more
than one commercial one, best bang-for-buck suggestions.

Thanks to those who pointed it out to me again though.

Gerald


Re: sniffer/promisc detector

2004-01-16 Thread Joel Jaeggli

if you have multiple network interfaces you can ensure that 
the one doing the snooping is undetectable by the tools that people wrote 
to detect promiscuous ethernets...

joelja

On Fri, 16 Jan 2004, Laurence F. Sheldon, Jr. wrote:

 
 Gerald wrote:
  
  Subject says it all. Someone asked the other day here for sniffers. Any
  progress or suggestions for programs that detect cards in promisc mode or
  sniffing traffic?
 
 I can't even imagine how one might do that.  Traditionally the only
 way to know that you have a mole is to encounter secrets that had to
 have been stolen.
 

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




RE: sniffer/promisc detector

2004-01-16 Thread Wojtek Zlobicki

Since all sniffers I know of are passive devices, there really shouldn't be
a way to track one down. From a Cisco standpoint, if I were mirroring a
port, and had a sniffer mirroring the sniffer port, I would see traffic of a
unicast nature with multiple unicast MAC destinations destined for a
switchport with only one MAC address cached. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gerald
Sent: Friday, January 16, 2004 5:35 PM
To: [EMAIL PROTECTED]
Subject: sniffer/promisc detector


Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?

Gerald





Re: sniffer/promisc detector

2004-01-16 Thread Rubens Kuhl Jr.


That is a battle that was lost at its beginning: the Ethernet 802.1d
paradigm of don't know where to send the packet, send it to all ports,
forget where to send packets every minute is the weak point.
There are some common mistakes that sniffing kits do, that can be used to
detect them (I think antisniff implements them all), but a better approach
is to make promisc mode of no gain unless the attacker compromises the
switch also. In Cisco-world, the solution is called Private VLANs.
Nortel/Bay used to have ports that could belong to more than one VLAN,
probably every other switch vendor has its own non-IEEE 802 compliant way of
making a switched network more secure.


Rubens


- Original Message - 
From: Gerald [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 16, 2004 8:35 PM
Subject: sniffer/promisc detector



 Subject says it all. Someone asked the other day here for sniffers. Any
 progress or suggestions for programs that detect cards in promisc mode or
 sniffing traffic?

 Gerald




Re: sniffer/promisc detector

2004-01-16 Thread Damian Gerow

Thus spake Gerald ([EMAIL PROTECTED]) [16/01/04 18:32]:
 Subject says it all. Someone asked the other day here for sniffers. Any
 progress or suggestions for programs that detect cards in promisc mode or
 sniffing traffic?

There's an art to detecting promiscuous devices.[1]  A good starting point
is Google, and the phrase 'promiscuous detect'.  IIRC, L0pht once produced
something that claimed to detect all promiscuous devices on a network; I
never got it to work properly.

  - Damian

[1] general consensus is that most well-written OSes are near impossible to
detect, some older ones have various methods of detection, usually involving
either broadcast traffic or timing.


Re: sniffer/promisc detector

2004-01-16 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Laurence F. Sheldon, Jr. writes:

Gerald wrote:
 
 Subject says it all. Someone asked the other day here for sniffers. Any
 progress or suggestions for programs that detect cards in promisc mode or
 sniffing traffic?

I can't even imagine how one might do that.  Traditionally the only
way to know that you have a mole is to encounter secrets that had to
have been stolen.

There are a number of heuristics that *sometimes* work.  For example, 
some platforms (older Linux kernels, I think; not sure about current 
ones; definitely not BSD) will respond if a packet sent to their IP 
address but with a wrong Ethernet address is received.  That will only 
happen if they're in promiscuous mode.  (BSD checks that the packet is 
addressed to the proper MAC address or is broadcast/multicast.)  
Another is to emit a packet with a distinctive IP source address, 
under the assumption that the recipient might look up the host name via 
a boobytrapped DNS server.

In general, though, there's no way to tell.  My general advice is to 
assume that any network is tapped, and to use crypto even locally.  And 
no, switched networks won't protect you from certain kinds of sniffers, 
though you can detect anomalous ARP traffic.

--Steve Bellovin, http://www.research.att.com/~smb
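The first heuristic in the post above (a frame carrying the right IP address under a wrong Ethernet address, which only a promiscuous host ever hands up to its IP stack) can be shown end to end without touching a network. The following is an added example, not code from the post or from any tool mentioned in the thread: it builds the probe frame byte by byte, simulates three hosts' receive paths, and runs the detector over the replies that would appear on the wire. The MAC and IP addresses, the `SimHost` model and its `strict_mac_check` flag (standing in for the BSD behaviour Bellovin describes) are all assumptions made for the illustration.

```python
import struct

ETH_P_IP = 0x0800
ECHO_REQUEST, ECHO_REPLY = 8, 0

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return bytes(int(x) for x in s.split("."))

def inet_checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident):
    """Ethernet II + IPv4 + ICMP echo (type 8 = request, 0 = reply) with the given identifier."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_ip, dst_ip)
    iphdr = iphdr[:10] + struct.pack("!H", inet_checksum(iphdr)) + iphdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + iphdr + icmp

def parse_frame(frame):
    """Fields the detector needs; None for anything that is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    icmp = None
    if frame[23] == 1 and len(frame) >= 14 + ihl + 8:  # IP protocol 1 = ICMP
        t, _code, _csum, ident, _seq = struct.unpack("!BBHHH", frame[14 + ihl:14 + ihl + 8])
        icmp = (t, ident)
    return {"src_mac": frame[6:12], "src_ip": frame[26:30], "dst_ip": frame[30:34], "icmp": icmp}

class SimHost:
    """Toy receive path of a LAN host (an assumption of this example, not a real stack).
    strict_mac_check models the BSD case from the post: the IP layer re-checks that the
    frame was for its own MAC or broadcast/multicast even when the card is promiscuous."""

    def __init__(self, mac_s, ip_s, promiscuous=False, strict_mac_check=False):
        self.mac, self.ip = mac(mac_s), ip4(ip_s)
        self.promiscuous, self.strict_mac_check = promiscuous, strict_mac_check

    def _for_me_or_group(self, dst_mac):
        return dst_mac == self.mac or bool(dst_mac[0] & 1)  # own MAC, or group (broadcast/multicast) bit

    def receive(self, frame):
        """The reply frame this host would put on the wire, or None."""
        if not (self._for_me_or_group(frame[:6]) or self.promiscuous):
            return None  # NIC filter drops it: a normal, non-promiscuous card
        p = parse_frame(frame)
        if p is None or p["dst_ip"] != self.ip or p["icmp"] is None or p["icmp"][0] != ECHO_REQUEST:
            return None
        if self.strict_mac_check and not self._for_me_or_group(frame[:6]):
            return None  # promiscuous, but the stack refuses frames not addressed to it
        return build_icmp_frame(self.mac, p["src_mac"], self.ip, p["src_ip"], ECHO_REPLY, p["icmp"][1])

def responders_to_probe(probe, captured):
    """MACs that answered one specific probe: echo replies carrying the probe's identifier,
    sent from the probed IP back to the prober."""
    q = parse_frame(probe)
    return {r["src_mac"] for r in map(parse_frame, captured)
            if r and r["icmp"] == (ECHO_REPLY, q["icmp"][1])
            and r["src_ip"] == q["dst_ip"] and r["dst_ip"] == q["src_ip"]}

def sweep(hosts, prober_mac, prober_ip, bogus_mac):
    """Probe each candidate IP with a correct IP header under a wrong unicast MAC.
    Any answer means that host accepted a frame its NIC should have discarded."""
    flagged = []
    for ident, target in enumerate(hosts, start=1):
        probe = build_icmp_frame(prober_mac, bogus_mac, prober_ip, target.ip, ECHO_REQUEST, ident)
        on_wire = [r for r in (h.receive(probe) for h in hosts) if r]  # shared medium: all see it
        if responders_to_probe(probe, on_wire):
            flagged.append(".".join(map(str, target.ip)))
    return flagged

# Constructed LAN; addresses and behaviours are invented for the example.
LAN = [
    SimHost("00:11:22:33:44:20", "10.0.0.20", promiscuous=True),                         # old-Linux-style stack
    SimHost("00:11:22:33:44:21", "10.0.0.21"),                                            # ordinary host
    SimHost("00:11:22:33:44:22", "10.0.0.22", promiscuous=True, strict_mac_check=True),  # BSD-style stack
]
PROBER_MAC, PROBER_IP = mac("00:11:22:33:44:01"), ip4("10.0.0.1")
BOGUS_MAC = mac("02:de:ad:be:ef:01")  # locally administered unicast address that belongs to nobody

def run_demo():
    return sweep(LAN, PROBER_MAC, PROBER_IP, BOGUS_MAC)

if __name__ == "__main__":
    print("hosts answering a wrong-MAC probe:", run_demo())
```

The third host is the post's caveat in code: it is sniffing, but because its stack re-checks the destination MAC it never answers, so the heuristic produces a false negative and the sweep reports only the first host.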




Re: sniffer/promisc detector

2004-01-16 Thread Chris Brenton

On Fri, 2004-01-16 at 18:00, Gerald wrote:

 I should probably mention that I've already started looking at antisniff.
 I was hoping to find something that was currently maintained and still
 free while I investigate antisniff's capabilities.

Antisniff is still the best software-based tool for the job. It has far
more extensive testing than anything else I've looked at. 

Of course the one blind spot with antisniff is that it can only detect
sniffers that have an IP address assigned to them. To detect these you
have to look at your switch statistics. Dead giveaway is a host
receiving traffic, but never transmitting. There is a false positive for
this condition however which is a hub plugged in the switch with no
hosts attached.

HTH,
C
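The switch-statistics heuristic above (a host that receives traffic but never transmits, with the empty-hub false positive) is a check you can run against periodic counter snapshots. The following is an added example, not code from the post or from any switch vendor: the port names, counter values and the `KNOWN_EMPTY_HUBS` allowlist are constructed for the illustration, and it works on deltas between two snapshots rather than raw counters so that a device that spoke a few frames at boot and then went silent is still caught.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCounters:
    """Cumulative counters as a switch reports them for one access port."""
    in_packets: int    # frames the attached device sent into the switch
    out_packets: int   # frames the switch sent out toward the attached device
    link_up: bool


# Constructed counter snapshots taken some time apart; invented values, not real switch output.
SNAPSHOT_BEFORE = {
    "Fa0/1": PortCounters(in_packets=120_400, out_packets=98_000, link_up=True),  # ordinary workstation
    "Fa0/2": PortCounters(in_packets=3, out_packets=41_000, link_up=True),        # 3 frames at boot, silent since
    "Fa0/3": PortCounters(in_packets=0, out_packets=0, link_up=False),            # nothing plugged in
    "Fa0/4": PortCounters(in_packets=10, out_packets=12, link_up=True),           # idle device
    "Fa0/7": PortCounters(in_packets=0, out_packets=77_000, link_up=True),        # empty hub on the floor
}
SNAPSHOT_AFTER = {
    "Fa0/1": PortCounters(in_packets=133_900, out_packets=110_250, link_up=True),
    "Fa0/2": PortCounters(in_packets=3, out_packets=52_600, link_up=True),
    "Fa0/3": PortCounters(in_packets=0, out_packets=0, link_up=False),
    "Fa0/4": PortCounters(in_packets=10, out_packets=60, link_up=True),
    "Fa0/7": PortCounters(in_packets=0, out_packets=88_300, link_up=True),
}
KNOWN_EMPTY_HUBS = {"Fa0/7"}  # hypothetical inventory of hubs with no hosts behind them

RECEIVE_ONLY = "receive-only device: possible passive sniffer"
KNOWN_HUB = "known empty hub (expected false positive)"


def receive_only_ports(before, after, known_hubs=frozenset(), min_out_delta=500):
    """Ports whose attached device was handed plenty of traffic in the interval but
    sent nothing back. Ports with too little outbound traffic to judge are skipped."""
    findings = {}
    for name, now in after.items():
        then = before.get(name)
        if then is None or not now.link_up:
            continue
        d_in = now.in_packets - then.in_packets
        d_out = now.out_packets - then.out_packets
        if d_out < min_out_delta:
            continue
        if d_in == 0:
            findings[name] = KNOWN_HUB if name in known_hubs else RECEIVE_ONLY
    return findings


if __name__ == "__main__":
    for port, verdict in receive_only_ports(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, KNOWN_EMPTY_HUBS).items():
        print(f"{port}: {verdict}")
```

Without the hub allowlist the empty hub is indistinguishable from a silent sniffer, which is exactly the false positive the post warns about; the allowlist is the operator's knowledge of the floor plan, not something the counters can tell you.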