On Thu, 21 Feb 2002, Sumit Dhar wrote:

> Hello All,
>
> I was wondering the other day as to how one could go about detecting a
> sniffer on the network. If it is a Shared Ethernet, I wouldn't even
> try... but on a Switched Ethernet, I feel there still is a chance.

Finding a sniffer on a switched or broadcast network carries about the same
difficulty, and techniques for finding a sniffer on one can be used on the
other provided it is not a physical compromise like gaining access to a
wiring closet.  However, the symptoms of sniffing on a switched network
are different, and easier to spot.

>       1. What would be the best method to see if someone is carrying
>       out ARP-Spoofing?

The best way to detect it is by using port level security on your switch.
Several vendors allow you to configure port level security on their
switches to allow traffic from as few as one or a list of many MAC
addresses that sit on that port.  I have not worked with all of them
personally, but a log entry should be generated when traffic from an
unauthorized MAC or at the least the traffic should be dropped.

So, let's say the CEO has a machine in his office, and his switched port
allows his MAC address to talk on that port.  Now, for some reason, his
machine is trying to talk on a port in the conference room and it
could be that the machine is a laptop and the CEO is giving a presentation
in the conference room, or something fishy is going on.  Either way, you
know about it now and even if it is a false alarm the risk is mitigated.

>       2.  Would it be possible to locate a machine that is flooding
>       the network with fake MAC replies?

The easiest way would once again be using port level security.  Your
switch reports that Port 7/1 of your ethernet switch is dropping traffic
because unauthorized MAC addresses are trying to talk on that port.  That
port leads to an unused office in the back of the building, and you find
someone claiming to be a telephone repairman plugged into your network.
It could be that he's there on legitimate business and is just trying to
get his e-mail from the telco network, but given that his laptop keeps
changing MAC addresses and he's not running Windows you highly doubt it.
Either way, it's time to call security and start verifying this guy's
credentials.

If your switch doesn't support port level security, then you could always
try tracing it back via the segment uplinks if you have them.  If you
don't and your topology is flat, then it's a bit harder.

> Also, what would be the other methods that a person *MIGHT* use to
> sniff in a switched environment?

My favorite way is gaining access to the switching uplinks.  Put an
ethernet tap in-line in the wiring closet and sniff away.  They won't be
able to detect your sniffer either without physically examining the
wiring closet.  And it's not hard to make your equipment blend in.

> Also let me clarify, each user on this network controls his machine
> completely as the root user, no user has access to every machine..

That is very bad.  I'm currently working a contract with a large base of
UNIX desktops, and no one but a small group of system administrators has
access to the root account.  Unless there is a very valid reason for each
person to have total control of their own machine, I'd replace the setup
with something like a secured NIS-type implementation and restricting
user access.

--
Joseph W. Shaw II - CCNA
Former Sr. Security Specialist: Enron Broadband Services
Please hire me before I resort to a life of crime, panhandling, or Amway.
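The two checks the reply leans on for questions 1 and 2 (a switch port that only accepts listed MAC addresses, and a port whose source MAC keeps changing) can be reproduced offline against a log of ARP replies tagged with their ingress port. The script below is an added example, not code from the thread or from any switch vendor; the allow list, port names, MAC and IP addresses are all constructed for the demonstration. It also adds a third check the thread does not spell out: keeping the first IP-to-MAC binding seen (or a seeded list of known bindings, such as the gateway) and reporting every later reply that claims the same IP from a different MAC.

```python
"""Offline demonstration of port-level MAC authorization, per-port MAC churn,
and IP-to-MAC conflict detection over a constructed ARP-reply log."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen by a monitor that also knows the ingress port."""
    port: str        # switch port the frame arrived on, e.g. "7/1"
    src_mac: str     # hardware address claimed by the sender
    sender_ip: str   # IP address the sender claims to own


# Hypothetical per-port allow list: the same rule port security on a switch
# enforces, each port may only carry frames from the listed MAC addresses.
ALLOWED_MACS = {
    "1/1": {"00:aa:00:00:00:ff"},   # uplink, where the real gateway lives
    "2/5": {"00:aa:00:00:00:01"},   # CEO's office
    "3/12": {"00:aa:00:00:00:02"},  # conference room PC
    "7/1": {"00:aa:00:00:00:03"},   # unused office in the back of the building
}

# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    ArpReply("1/1", "00:aa:00:00:00:ff", "10.0.0.1"),    # real gateway on the uplink
    ArpReply("2/5", "00:aa:00:00:00:01", "10.0.0.10"),   # CEO at his desk, as expected
    ArpReply("3/12", "00:aa:00:00:00:01", "10.0.0.10"),  # CEO's MAC in the conference room
    ArpReply("7/1", "00:de:ad:00:00:01", "10.0.0.1"),    # unknown MAC claims the gateway
    ArpReply("7/1", "00:de:ad:00:00:02", "10.0.0.1"),    # same port, new MAC, same claim
    ArpReply("7/1", "00:de:ad:00:00:03", "10.0.0.20"),   # the MAC keeps changing
]


def port_security_violations(replies, allowed):
    """Sorted (port, mac) pairs for frames from a MAC the port does not allow.
    This is the event a port-security log entry would carry.  A port absent
    from the allow list permits nothing, so everything on it is flagged."""
    seen = set()
    for r in replies:
        if r.src_mac not in allowed.get(r.port, set()):
            seen.add((r.port, r.src_mac))
    return sorted(seen)


def mac_churn(replies, limit=1):
    """Ports on which more than `limit` distinct source MACs were seen,
    mapped to the count.  A single port cycling through MACs is the
    'laptop keeps changing MAC addresses' symptom from the thread."""
    macs = defaultdict(set)
    for r in replies:
        macs[r.port].add(r.src_mac)
    return {p: len(m) for p, m in macs.items() if len(m) > limit}


def arp_conflicts(replies, known=None):
    """Report every reply whose sender IP is already bound to a different MAC.
    `known` seeds trusted bindings (e.g. the gateway); otherwise the first
    reply seen for an IP becomes the reference, which is weaker because a
    spoofer who speaks first would set the baseline."""
    bindings = dict(known or {})
    conflicts = []
    for r in replies:
        reference = bindings.setdefault(r.sender_ip, r.src_mac)
        if reference != r.src_mac:
            conflicts.append((r.sender_ip, reference, r.src_mac, r.port))
    return conflicts


if __name__ == "__main__":
    for v in port_security_violations(SAMPLE, ALLOWED_MACS):
        print("port-security violation:", v)
    for port, n in mac_churn(SAMPLE).items():
        print(f"port {port}: {n} distinct source MACs")
    for c in arp_conflicts(SAMPLE, known={"10.0.0.1": "00:aa:00:00:00:ff"}):
        print("ARP conflict:", c)
```

On the constructed data the first check flags the CEO's MAC on the conference-room port and all three unknown MACs on port 7/1, the churn check singles out 7/1, and the conflict check reports both bogus claims on the gateway address. Seeding `known` with the gateway binding is what makes the third check trustworthy on a real segment; without it the script can only notice a change, not say which side is genuine.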


