> > If AntiSniff becomes popular, I'd estimate only a few months grace
> > before Black Hats have made a reduced-functionality sniffer which slips
> > under AntiSniff's radar. I don't have any use for such a tool, but if
> > I did I doubt I'd need more than a week or two to get it right.
> > We've had the same discussion in the nmap-hackers list.
> > ...
>
> There is already a popular UN*X package that does promisc. detection. It
> is called hunt. (http://www.cri.cz/kra/index.html). It also does MAC
> spoofing, ARP collection, connection hijacking, etc ...

It's interesting you brought up "hunt", but not in the context in which I
was thinking about it. Here is where I think the real easy evasion
mechanism is going to be.

Unless I'm wrong (and no doubt I'll be corrected), suppose instead of
promiscuous mode sniffing of any packets on the segment, you instead use
"hunt" to do ARP cache poisoning and packet relaying to play "man in the
middle" on TCP sessions between clients on/off the local network, with a
juicy server on the same network (or vice-versa). The sniffing is then
done without incurring the delays due to promiscuous mode, and the latency
then shows up in the relaying of packets from bogus MAC address(es) to
valid MAC address(es) (which AntiSniff is not looking for).

Wouldn't this allow a fairly simple -- albeit directed attack that
requires more packet handling power than the server has -- way to still
capture passwords?

If you ask me, the "solution" is still encrypted sessions, and AntiSniff
is still a good way to raise the bar a bit higher so the kiddies whack
their little faces on it.

--
Dave Dittrich
Client Services
dittrichat_private
Computing & Communications
University of Washington

Dave Dittrich / dittrichat_private [PGP Key]
http://www.washington.edu/People/dad/
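A defender-side check for the ARP cache poisoning step described above, added here as an example that is not from the original post, from hunt, or from AntiSniff: it parses raw Ethernet/ARP frames and reports any IP address that is later claimed by a different MAC, which is the traffic a promiscuous-mode test never looks at. All MAC and IP addresses, the sample frames and the function names are constructed assumptions; `bytes.hex(":")` needs Python 3.8 or newer.

```python
import struct

ARP_REPLY = 2  # ARP opcode for a reply (RFC 826)

def make_sample_arp(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY):
    """Build a raw Ethernet+ARP frame; used here only to construct sample input."""
    eth_hdr = target_mac + sender_mac + b"\x08\x06"          # dst MAC, src MAC, EtherType=ARP
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet/IPv4, 6-byte/4-byte addrs
    return eth_hdr + arp_hdr + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32]

def detect_arp_conflicts(frames):
    """Remember the first MAC seen claiming each IP in ARP replies and report every later
    reply that claims the same IP from a different MAC: the signature of ARP cache poisoning."""
    bindings = {}   # ip -> first MAC seen
    alerts = []     # (ip, original MAC, conflicting MAC)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa = parsed
        ip, mac = ".".join(str(x) for x in spa), sha.hex(":")
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac))
        bindings.setdefault(ip, mac)
    return alerts

# Constructed sample traffic (not a real capture): gateway and host answer each other,
# then a third MAC claims the gateway's IP, and the real gateway answers again.
GW_MAC, HOST_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("aaaaaaaaaa01", "bbbbbbbbbb02", "cccccccccc03"))
GW_IP, HOST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 20])
SAMPLE_FRAMES = [
    make_sample_arp(GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    make_sample_arp(HOST_MAC, HOST_IP, GW_MAC, GW_IP),
    make_sample_arp(ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),   # conflicting claim for 10.0.0.1
    make_sample_arp(GW_MAC, GW_IP, HOST_MAC, HOST_IP),      # matches the original binding
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ARP conflict: {ip} first seen at {old}, now claimed by {new}")
```

On a real segment the same logic would be fed from a capture of the ARP traffic; a single conflict is worth correlating with a switch port or DHCP lease before acting, since a legitimately replaced NIC produces the same change.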
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:10 PDT