To expand on Mike Perry's comments and ideas on AntiSniff, DNS queries can still be made, because since we assume we're working on a non-switched LAN, the promisc. mode machine can do its DNS queries using spoofed IP packets, because it can simply sniff the responses off of the network. I kind of do like having the hostname over the IP address anyway.

Also, due to what is involved in using the DNS method, it's implied that AntiSniff would also need to be in promisc. mode. Simply set up a process that watches for illegitimate traffic on the network, such as false handshakes, and then halt sniffing activities and then use another AntiSniff-type program to detect such promisc. scanners as AntiSniff. Since AntiSniff uses a very noticeable '66' packet, that won't be hard to catch. Also, a fake MAC address of 66:66:66:66:66:66 to detect old Linux kernels, hmm, not too obvious eth? A fake broadcast for BSD of MAC ff:00:00:00:00:00? Those are a few obvious examples of ways to detect AntiSniff. Upon further analysis of the falsified traffic generated by AntiSniff, more trace markings of its operation will surely surface.

Bind and I have been working out a program not un-similar, and actually having the exact same name as Mike's program AASS, but really haven't put too much effort into it, so possibly we'll look into his code and expand it.

( Ambient Empire )
Industrial Strength Brand
http://www.thegrid.net/gravitino/
" As you retain your state and call it virtue, you are deteriorating the value of mankind. "
( aempirei )
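As an added example (not code from this post, from AASS or from AntiSniff), a small Python detector that flags Ethernet frames addressed to the two bogus MACs the post names as AntiSniff probe signatures. The "almost broadcast" heuristic and the sample capture are the example's own constructions, not documented AntiSniff behaviour.

```python
import struct
from typing import Iterable, List, Optional, Tuple

# Destination MACs the post names as AntiSniff probe signatures; everything
# else here (the heuristic, the sample traffic) is constructed for this example.
PROBE_MACS = {
    bytes.fromhex("666666666666"),  # bogus unicast MAC, the "old Linux kernel" test
    bytes.fromhex("ff0000000000"),  # fake broadcast, the BSD test
}
BROADCAST = b"\xff" * 6

def classify_frame(frame: bytes) -> Optional[str]:
    """Return why a frame's destination MAC looks bogus, or None if it looks normal."""
    if len(frame) < 14:
        return "truncated Ethernet header"
    dst = frame[:6]
    if dst in PROBE_MACS:
        return "known probe destination MAC"
    # "Almost broadcast": leading 0xff octet but not all ones. No correctly configured
    # stack emits this and a NIC in normal mode drops it, so its presence means
    # someone is hand-crafting frames (constructed heuristic).
    if dst[0] == 0xff and dst != BROADCAST:
        return "malformed broadcast destination"
    return None

def scan(frames: Iterable[bytes]) -> List[Tuple[int, str, str]]:
    """Run classify_frame over captured frames; return (index, dst MAC, reason) hits."""
    hits = []
    for i, frame in enumerate(frames):
        reason = classify_frame(frame)
        if reason:
            hits.append((i, frame[:6].hex(":"), reason))
    return hits

def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    # Assemble a raw Ethernet II frame; used only to construct sample input.
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample capture: two legitimate frames, then two probe-style frames.
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAMES = [
    build_frame(HOST_B, HOST_A, payload=b"\x45" + b"\x00" * 19),          # normal IP unicast
    build_frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01\x08\x00"),          # normal ARP broadcast
    build_frame(bytes.fromhex("666666666666"), HOST_A, payload=b"\x45"),  # probe signature
    build_frame(bytes.fromhex("ff0000000000"), HOST_A, payload=b"\x45"),  # fake broadcast
]

if __name__ == "__main__":
    for idx, dst, why in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: dst {dst} -> {why}")
```

On a live segment the same `classify_frame` would be fed frames from a raw socket or pcap reader in place of `SAMPLE_FRAMES`.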
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:54 PDT