On Sun, Jul 25, 1999 at 12:37:11AM +0100, Nick Lamb wrote: > How does AntiSniff detect sniffing? > http://www.l0pht.com/antisniff/tech-paper.html > > will detect sniffing -- a green light from their product does NOT mean > you're not being sniffed. > > If AntiSniff becomes popular, I'd estimate only a few months grace > before Black Hats have made a reduced-functionality sniffer which slips > under AntiSniff's radar. I don't have any use for such a tool, but if > I did I doubt I'd need more than a week or two to get it right. We've had the same discussion in the nmap-hackers list. All you would need to do to prevent detection is cut the send pair on your Ethernet connection. That would make it completely passive. You could even do it as simple as a cable with only 1 pair. There is already a popular UN*X package that does promisc. detection. It is called hunt. (http://www.cri.cz/kra/index.html). It also does MAC spoofing, ARP collection, connection hijacking, etc ... Hunt will allow you to scan an entire range of IP addresses for "Sniffing". Here is a tcpdump -ne during a small promisc. scan : 15:48:09.785988 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 > 192.168.1.1: icmp: echo request (DF) 15:48:09.786088 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 > 192.168.1.2: icmp: echo request (DF) 15:48:09.786154 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: 192.168.1.1 > 192.168.1.3: icmp: echo request (DF) There is a package for hunt that is part of the 'potato' distribution of Debian GNU/Linux. I'm not aware of any RPM's. Jon jmarlerat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:34 PDT