Hello once again folks.

For those of you who didn't muck through the l0pht technical documentation, their AntiSniff product works in 3 ways:

1. OS dependent IP stack glitches, which mostly revolve around ether frames that have a different hwaddr than your NIC not being dropped by a kernel when the interface is in promiscuous mode, thus eliciting some sort of response from your kernel.

2. DNS lookups. When most sniffers are running, they resolve the IPs of the hosts they sniff, so all you have to do is send out some fake packets with fake IP headers, and listen for the sniffing host to try to resolve them via DNS.

3. Latency. When the interface is in promiscuous mode, the device no longer drops eth frames not destined for its hwaddr, so this dropping must be done in kernelspace or in userland (by the sniffer). The logging process and the context switch from kernel to userspace eat up a good amount of time, so all you have to do is send a lot of data to the network with bogus IPs, then ping all the machines. The sniffing machines will have to wade through all the bogus data, and thus their responses are much slower.

I was most impressed with #3. It does work surprisingly well for detecting promiscuous legitimate loggers. In fact, 3 days before this advisory, I was very surprised to see that when I ran icmplogger (from the jail package) my ping responses from myself dropped from 0.0 to 1.4ms, and to other machines from 0.3 to 1.5ms. That's well over the 4 fold increase reported in the l0pht paper.

Ok, now how did I get around all these issues? Well, let's go one by one:

1. The Linux kernel is perfect (well, almost :). I checked the 2.2.10 source, and it in fact does always drop invalid eth frames destined for your machine when you are in promisc mode (see net/ipv4/ip_input.c).

2. All you have to do is use inet_ntoa() instead of gethostbyname() :)

3. This is where the REAL fun is.
I designed a network load average evaluator that calculates a ms/packet rate. If the network falls below a user specified rate (i.e. LOTS of packets per ms), the sniffer does one of 3 things:

0. Will not trace more than a user specified number of connections (fall-back mode)
a. Stops queueing and logging connections to disk until the load average goes back up (LAZY mode)
b. Drops the interface and goes to sleep if the load average for tcp connections only goes below a specified rate (PARANOID mode)
c. Drops the interface and goes to sleep if the load average for ALL network packets goes below a specified rate (REALLY_PARANOID mode)

Issues that I came across:

1. I randomized the sleep time so that we wouldn't be caught by a double scan that knows how long the default sleep time is for the sniffer.

2. The sniffer averages the load over a user specified number of packets. It may be possible to write a compact version of AntiSniff that gets the job done in a number of packets small enough to evade the default setting, but that can always be lowered :)

3. Some kernels don't like to work with the sniffer. In fact, I have a 486, a K6, and a dual PII 300 that I tested this thing on. It sniffs on the 486, but the kernel drops A LOT of packets, so the sniffer never sees the rate fall below the danger threshold. (I think this is because I set the CPU_IS_TO_SLOW option for the 486). The K6 works beautifully with the traffic detection, but will not sniff. Go figure :) The only thing I can think of is that the K6 is configured not to use modules; perhaps this has some side effect in the socket PACKET code? The Dual PII 300 worked flawlessly.

For more information, see the accompanying source file. I tried to make it as well commented as possible. It is based on the original LinSniffer by Mike Edulla. Linsniff666 (the modified version that uses linked lists) proved too unstable and looked too grossly inefficient to use for something like this.
My version does queue up connections in linked lists like linsniff666. I tried to make the sniffer as foolproof as possible to give the l0pht guys something to think about for revision 2.0. Remember, I did this all in only one night. I have no idea what a motivated hacker could do. Also, this is very beta. I know it will sniff. I haven't tested the linked list code very thoroughly, although my brother and I did look over it for almost 2 hours, and it does seem to work pretty well. I have no idea about memory leaks, or extremely heavy loads.

P.S. To all my friends, coworkers, and associates who thought I knew better than to do something like this, please understand that when I discovered I could call the program The AntiAntiSniffer Sniffer, I just couldn't resist :)

[Attachment: aass.c.gz (application/octet-stream, base64-encoded)]
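The DNS-lookup and latency checks summarised above (points 2 and 3 of the AntiSniff description), written out as the analysis a network owner would run over their own measurements to spot promiscuous hosts on a segment. This is an added example for this archive page, not code from the post, from aass.c, or from l0pht's AntiSniff. The decoy addresses, the query-log line format, the RTT samples, and the choice to apply the 4x threshold to medians are all assumptions constructed for the example (the 4-fold figure is the one the post attributes to the l0pht paper).

```python
import statistics
from ipaddress import ip_address

# Constructed decoy addresses for the DNS check: nothing on the segment uses
# them, so only a host that reverse-resolves what it captures will ask the
# resolver for their PTR records.
DECOY_ADDRS = {"10.9.8.7", "10.9.8.8"}

# Constructed resolver query log; the line format "<client> <qtype> <qname>"
# is an assumption made for this example, not any real server's log format.
DNS_LOG = """\
192.168.1.20 PTR 7.8.9.10.in-addr.arpa
192.168.1.21 PTR 1.1.168.192.in-addr.arpa
192.168.1.20 PTR 8.8.9.10.in-addr.arpa
192.168.1.22 A www.example.com
"""

# Constructed RTT samples in ms, before and during the bogus-traffic flood.
# The numbers mirror the 0.3 ms -> 1.5 ms change quoted in the post.
BASELINE_RTT = {
    "192.168.1.20": [0.3, 0.3, 0.4, 0.3],
    "192.168.1.21": [0.3, 0.2, 0.3, 0.3],
}
FLOODED_RTT = {
    "192.168.1.20": [1.5, 1.4, 1.6, 1.5],  # slows down under load
    "192.168.1.21": [0.4, 0.3, 0.4, 0.3],  # unaffected
}


def ptr_name_to_ip(qname):
    """Turn '7.8.9.10.in-addr.arpa' back into '10.9.8.7'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def hosts_resolving_decoys(log_text, decoys):
    """Map each client that issued a PTR query for a decoy address to the decoys it asked about."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "PTR":
            continue
        client, _, qname = parts
        ip = ptr_name_to_ip(qname)
        if ip in decoys:
            hits.setdefault(client, set()).add(ip)
    return hits


def latency_suspects(baseline, flooded, factor=4.0, min_samples=3):
    """Map each host whose median RTT rose by at least `factor` under load to its slowdown ratio.

    Medians rather than means keep one lost or delayed probe from flagging a
    host; hosts with too few samples are skipped rather than guessed at.
    """
    suspects = {}
    for host, base in baseline.items():
        load = flooded.get(host, [])
        if len(base) < min_samples or len(load) < min_samples:
            continue
        base_med = statistics.median(base)
        if base_med <= 0:
            continue
        ratio = statistics.median(load) / base_med
        if ratio >= factor:
            suspects[host] = round(ratio, 2)
    return suspects


def suspected_sniffers(dns_hits, latency_hits):
    """Merge both signals so a host flagged by only one of them is visible as such."""
    reasons = {}
    for host in dns_hits:
        reasons.setdefault(host, []).append("reverse-resolved a decoy address")
    for host, ratio in latency_hits.items():
        reasons.setdefault(host, []).append(f"median RTT rose {ratio}x under load")
    return reasons


if __name__ == "__main__":
    dns_hits = hosts_resolving_decoys(DNS_LOG, DECOY_ADDRS)
    rtt_hits = latency_suspects(BASELINE_RTT, FLOODED_RTT)
    for host, why in sorted(suspected_sniffers(dns_hits, rtt_hits).items()):
        print(host, "; ".join(why))
```

The post's own point is that a sniffer which stops logging under load keeps its RTT flat, so one flooded round that comes back clean is a weak negative: repeating the rounds at unpredictable intervals, and treating the DNS signal as an independent check rather than a confirmation of the latency one, is what makes the result worth acting on.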
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:29 PDT