Hi folks. I hope I'm not becoming a 1970s detective movie, but how about 'framing' a machine?

Suppose you're listening in on a network and AntiSniff begins an active bad-packet storm / ping sweep to find the listeners. Your machine happily begins to increase the CPU utilization of machines around it (I dunno, say, a low-volume SYN flood or an ICMP redirect packet or maybe even just good old ping with large packets). AntiSniff will go machine after machine, and every machine (or a specific machine you choose) will look as if it's sniffing, since you're playing around with AntiSniff's results by flooding the machine with something during AntiSniff's tests. While you're at it, take a look at the time it takes AntiSniff to finish a machine, and when your turn is up, just go un-promiscuous* and smile broadly at the camera.

Note that this will not work so well if AntiSniff scans hosts randomly, in which case you may need to listen very carefully (very carefully = don't do other stuff and get a higher process priority, so you'd be able to respond quickly) and start flooding a machine the moment AntiSniff begins to check it out. This way you can 'frame' a specific machine on the network, or maybe all the machines on the network, or the machine of a certain SysAdmin, or whatever. Remember to spoof the MAC address of your flood (whatever method you use) to mask the originating machine.

Also, I do realize that it may be a little difficult to try and frame a machine by listening on the wire and checking if it's being checked. Can anyone do a dump to see if AntiSniff sniffs linearly?

- Teo

*: <femto-rant> Why does promiscuous have to be spelled in such a way?! Come on folks, a little consideration for non-native speakers! Why not "aware mode" instead of "promiscuous"?! :-) </femto-rant>
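The confounder Teo describes, worked through as an added example (this is not AntiSniff's code, and nothing here is from the original post). It models a latency-style promiscuous-mode test the way the post describes it: ping a host while the wire is idle, ping it again while a storm of bogus-destination-MAC frames is on the wire, and flag the host if its round-trip time rises. The per-packet kernel cost, the jitter values, the 1.5x decision ratio and the `Host` model are all constructed assumptions; the point is that a flood aimed at the target during the storm phase raises the measured RTT whether or not the NIC is in promiscuous mode, so the same test that catches a real sniffer also convicts a framed host, and a sniffer that drops promiscuous mode during its own test window walks away clean.

```python
"""Simulated latency test for promiscuous mode and the 'framing' false positive.

Added example, not AntiSniff's implementation. All timing constants are
constructed assumptions chosen to make the decision logic visible.
"""
from dataclasses import dataclass, replace
from statistics import median

# Constructed per-probe jitter (ms), applied to both phases so medians are realistic.
JITTER_MS = [0.0, 0.1, -0.1, 0.2, -0.2, 0.05, -0.05, 0.15]


@dataclass
class Host:
    name: str
    promiscuous: bool            # NIC passes frames with a foreign destination MAC up to the kernel
    base_rtt_ms: float = 0.4     # idle ping round trip (assumed)
    cost_per_pkt_us: float = 2.0  # kernel time per storm packet that gets past the NIC filter (assumed)


def rtt_under_load(host: Host, storm_pps: int, extra_load_ms: float) -> float:
    """RTT of one probe while `storm_pps` bogus-MAC frames/s are on the wire.

    A non-promiscuous NIC discards the storm in hardware, so it costs nothing.
    A promiscuous NIC hands every frame to the kernel, which shows up as delay.
    `extra_load_ms` is the framing attacker's flood: it is addressed to the host,
    so it costs CPU regardless of the NIC mode.
    """
    storm_cost_ms = host.cost_per_pkt_us * storm_pps / 1000.0 if host.promiscuous else 0.0
    return host.base_rtt_ms + storm_cost_ms + extra_load_ms


def latency_test(host: Host, storm_pps: int = 500,
                 extra_load_during_storm_ms: float = 0.0,
                 goes_quiet: bool = False) -> tuple[float, float]:
    """Two phases: idle probes, then probes during the bogus-MAC storm.

    `goes_quiet` models a sniffer that turns promiscuous mode off for the
    duration of its own test window. Returns (idle_median_ms, storm_median_ms).
    """
    idle = [host.base_rtt_ms + j for j in JITTER_MS]
    if goes_quiet:
        host = replace(host, promiscuous=False)
    storm = [rtt_under_load(host, storm_pps, extra_load_during_storm_ms) + j for j in JITTER_MS]
    return median(idle), median(storm)


def flagged_as_sniffer(idle_ms: float, storm_ms: float, threshold_ratio: float = 1.5) -> bool:
    """Decision rule (assumed): flag when the storm-phase RTT rises by the ratio or more."""
    return storm_ms / idle_ms >= threshold_ratio


def run_scenarios() -> dict[str, bool]:
    """Four hosts through the same test; only the first two verdicts are correct."""
    honest = Host("honest", promiscuous=False)
    sniffer = Host("sniffer", promiscuous=True)
    return {
        # true negative: the storm never reaches the kernel
        "honest": flagged_as_sniffer(*latency_test(honest)),
        # true positive: every storm frame is processed
        "sniffer": flagged_as_sniffer(*latency_test(sniffer)),
        # false positive: attacker floods the honest host only during the storm phase
        "honest_framed": flagged_as_sniffer(
            *latency_test(honest, extra_load_during_storm_ms=1.5)),
        # false negative: sniffer drops promiscuous mode while it is being tested
        "sniffer_goes_quiet": flagged_as_sniffer(*latency_test(sniffer, goes_quiet=True)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} flagged={verdict}")
```

The framed host and the real sniffer are indistinguishable to a detector that only looks at its own probe timings; a detector that also counts the traffic actually reaching the target during its test window (or that randomizes scan order and timing, as the post anticipates) removes the attacker's ability to line the flood up with the measurement.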
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:06 PDT