Section 17.4 Detecting Promiscuous Network Interface Cards


A simple script, presented here, will detect a system's network interface card (sometimes called a NIC or Ethernet card) in Promiscuous mode. An alternative would be to add appropriate entries in /etc/syslog.conf to log the kernel-generated messages that most NIC drivers generate when a card is placed into Promiscuous mode, watch the appropriate log file for this kernel message, and have yourself notified by e-mail and pager when this happens. See "Promiscuous Mode Kernel Messages" on page 403 for details on the messages, by driver, and "Paging the SysAdmin: Cracking in Progress!" on page 620 for details on how to arrange the e-mail and pager notification.
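The log-watching alternative, as an added example that is not from the book: a small Python parser that replays kernel messages and reports which interfaces are still in Promiscuous mode. It assumes the modern core-kernel wording "device eth0 entered/left promiscuous mode" plus an older per-driver style such as "eth0: Promiscuous mode enabled."; as the text notes, the exact wording varies by driver, so the second pattern is a loose fallback. The log lines are constructed.

```python
import re

# Modern kernels log the transition from net/core/dev.c with this wording.
CORE_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")
# Older drivers printed their own message; this fallback assumes one common
# shape, "eth0: Promiscuous mode enabled." (adjust to your driver's text).
DRIVER_RE = re.compile(r"(\w+\d+): Promiscuous mode (enabled|disabled)", re.I)

def promisc_events(lines):
    """Yield (iface, entered) for every promiscuous-mode kernel message."""
    for line in lines:
        m = CORE_RE.search(line)
        if m:
            yield m.group(1), m.group(2) == "entered"
            continue
        m = DRIVER_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower() == "enabled"

def promisc_state(lines):
    """Replay the log in order; return {iface: currently_promiscuous} for
    every interface that was ever placed in Promiscuous mode."""
    state = {}
    for iface, entered in promisc_events(lines):
        state[iface] = entered
    return state

def alert_lines(lines):
    """The one-line alerts the book's scripts would mail to the SysAdmin."""
    return [f"{iface} Promisc"
            for iface, on in sorted(promisc_state(lines).items()) if on]

# Constructed sample syslog lines; hostnames and timestamps are illustrative.
SAMPLE_LOG = """\
Mar  3 10:12:01 homesys kernel: eth0: link up, 100Mbps, full-duplex
Mar  3 10:15:44 homesys kernel: device eth1 entered promiscuous mode
Mar  3 10:15:50 homesys kernel: eth0: Promiscuous mode enabled.
Mar  3 10:20:02 homesys kernel: device eth1 left promiscuous mode
Mar  3 10:22:13 homesys sshd[812]: Accepted publickey for sysadmin
""".splitlines()

if __name__ == "__main__":
    for msg in alert_lines(SAMPLE_LOG):
        print(msg)
```

Only eth0 is reported, because eth1 left Promiscuous mode before the end of the log; a watcher that only greps for "entered" would have paged you for both.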

The following csh script, called promisc, will scan the eth0 and eth1 cards every half hour and will generate e-mail if a card is in Promiscuous mode. It is usable from any shell. (The fpromisc script will be discussed shortly.)

 
 #!/bin/csh -f
 set devs=(eth0 eth1)
 loop:
 foreach i ( $devs )
     if ( `ifconfig $i | grep PROMISC | wc -l` == 1 ) then
         (echo $i Promisc;fpromisc) |& Mail \
             -s PROMISCUOUS sysadmin sysadmin@homesys.com
     endif
 end
 sleep 1800
 goto loop

For those that prefer bash, the following is offered:

 
 #!/bin/bash
 # Check each card every half hour; mail the SysAdmin if one is Promiscuous.
 while true
 do
     for i in eth0 eth1
     do
         if ifconfig $i | grep PROMISC > /dev/null
         then
             (echo $i Promisc;fpromisc) \
                 2>&1 | Mail -s PROMISCUOUS \
                 sysadmin sysadmin@homesys.com
         fi
     done
     sleep 1800
 done

The following Perl script, called promisc1, scans all of the system's network interfaces a single time and generates e-mail if there are any Promiscuous cards:

 
 #!/usr/bin/perl
 #
 # promisc1
 #
 # Parse the "ifconfig" data and email
 # the admins if any cards are Promiscuous
 #
 my $ifconfig = "/sbin/ifconfig";
 my $recips   = "sysadmin sysadmin\@homesys.com";
 my %PROMISC = ();
 my $interface = "";

 open(IFCONFIG, "$ifconfig|")
   || die("ERROR: cannot run ifconfig!");
 while ( <IFCONFIG> ) {
     # A line starting in column 1 names a new interface
     $interface = $1                 if m/^(\S+)/;
     # Any line of that interface's block mentioning promisc flags it
     $PROMISC{$interface} = 1        if m/promisc/i;
 }
 close(IFCONFIG);

 if ( %PROMISC ) {
     open(MAIL, "|Mail -s 'Promisc mode' $recips")
       || die("ERROR: cannot send mail!");
     print MAIL "Interfaces in Promisc mode: ",
       join(" ", sort keys %PROMISC), "\n";
     close MAIL;
 }

Please note that on Red Hat, ifconfig fails to indicate when an Ethernet card is in Promiscuous mode. I suspect that this is a problem with the kernel rather than the ifconfig program. My suspicion is because when I compiled a scaled-down version of ifconfig called cpm (on the CD-ROM) that just tests for Promiscuous mode, it too failed even though it should work over many Linux and UNIX platforms. This problem of failing to detect Promiscuous mode is not seen on Mandrake nor Slackware. Clearly, Red Hat administrators will want to investigate this problem. You certainly want to stop any wild packet orgies!

Note that this simple script might be considered a starting point for development. You might want to invoke a similar script out of cron periodically or get the source to cpm from the Web site and tweak it to your needs. You do not need to be root to invoke the script or cpm. The script, copied from the companion CD-ROM, may be put in the file promisc, given execute permission via

 
     chmod 755 promisc

or

 
     chmod 700 promisc

and copied either to your own $HOME/bin or else copied to the system's local bin directory, /usr/local/bin.

Alternatively, the following few lines work with shells derived from Steve Bourne's, including bash, though this example does not loop periodically to recheck nor does it test more than one network card. If the statements are joined into one line, with the statements separated with semicolons, it would be a fine addition to a SysAdmin's crontab for periodic invocation by cron.

 
 if [ "`ifconfig eth0 | grep PROMISC | wc -l`" -eq 1 ]
 then
     echo eth0 Promiscuous | Mail -s PROMISCUOUS \
         sysadmin sysadmin@homesys.com
 fi

This second example checks only for eth0 being Promiscuous. If a system has multiple Ethernet cards then, of course, they will be sequentially numbered and the Promiscuous flag may be set separately on each card. Thus, for your second card you will want to alter the script to check its status too. A third Ethernet card will have an interface name of eth2.
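Every script above trusts the PROMISC flag in ifconfig's output, which the Red Hat note earlier says can be silently absent. The following Python is an added example, not code from the book or its CD-ROM: it parses ifconfig output the way promisc1 does (old "UP BROADCAST ... PROMISC" lines and the newer "flags=...<...,PROMISC,...>" form) and, on a 2.6 or later kernel, cross-checks the kernel's own per-interface flag word in /sys/class/net/<if>/flags, where IFF_PROMISC is bit 0x100. The sample ifconfig output is constructed and mixes both styles for illustration.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # from <linux/if.h>; set in /sys/class/net/<if>/flags

def promisc_from_ifconfig(output):
    """Interfaces whose ifconfig block shows PROMISC, like the Perl script.
    Handles the classic 'UP BROADCAST ... PROMISC' flag line and the newer
    net-tools 'flags=...<UP,...,PROMISC>' form."""
    promisc, iface = set(), None
    for line in output.splitlines():
        m = re.match(r"^(\S+?):?\s", line)  # "eth0  Link..." or "eth0: flags="
        if m:
            iface = m.group(1)
        if iface and re.search(r"\bPROMISC\b", line):
            promisc.add(iface)
    return sorted(promisc)

def promisc_from_flags(flags_by_iface):
    """Interfaces whose kernel flag word has IFF_PROMISC set (pure logic)."""
    return sorted(n for n, f in flags_by_iface.items() if f & IFF_PROMISC)

def read_sysfs_flags(sys_net=Path("/sys/class/net")):
    """Read each interface's flag word straight from sysfs, bypassing ifconfig.
    Unreadable entries are skipped rather than silently treated as clean."""
    flags = {}
    for f in sorted(sys_net.glob("*/flags")):
        try:
            flags[f.parent.name] = int(f.read_text().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags

# Constructed sample: old-style and new-style ifconfig blocks concatenated.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.7  netmask 255.255.255.0
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    print("ifconfig says:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("sysfs says:   ", promisc_from_flags(read_sysfs_flags()))
```

If the two answers disagree on a live system, believe sysfs: it is the kernel's own view of the card, whereas ifconfig is one program's rendering of it.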

PPP stands for point-to-point protocol, and almost always is used for computers to communicate with each other over serial lines, usually with a pair of modems. Because each of the two computers only sends data over this line that is destined to the other computer (possibly for a network beyond it) it really is a network segment of only two computers.

Because there are only two computers on a PPP "network," each will receive all data on the network that it did not send. It does not get any more or less Promiscuous than that. Thus, on PPP there is no Promiscuous mode to be in or not to be in. Promiscuous mode is supported for token ring similarly to Ethernet. Unlike some versions of UNIX, modern Linux systems will allow multiple processes simultaneously to have sockets in Promiscuous mode receiving all network packets. This prevents you from starting a process to put the card in Promiscuous mode to prevent anyone else from doing it. See "Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap" on page 559 for details on adding more sophisticated alarms such as paging and sound generation to these scripts.

Putting a network interface into Promiscuous mode usually is for the purpose of sniffing the network for packets not addressed to your system. TFN2000 technically may not be doing that but the effect is the same. There is an AntiSniffing technique that was pioneered by L0pht Heavy Industries and they offer a tool to do it. It allows you to detect other systems on your network that have placed their network interface cards in Promiscuous mode. AntiSniffing works on the principle that most operating systems operate slightly differently when in Promiscuous mode. For example, some will respond to requests to access a service on another system when in Promiscuous mode.

Almost all boxes in Promiscuous mode can be detected by sending a large number of junk packets to random addresses and then sending a packet addressed to the box suspected of being in Promiscuous mode. This should be a packet guaranteed to generate a reply. Because a box in Promiscuous mode must process each of these junk packets in software, there will be a delay before it "gets to" the packet addressed to it. A normal box (that is not in Promiscuous mode) will have these junk packets ignored by the Ethernet card's hardware in real time so that there will be no delay. The difference in response time indicates Promiscuous mode; you do not even need to be root to launch this antisniff capability. See also "Distributed Denial of Service (Coordinated) Attacks" on page 397.

17.4.1 L0pht AntiSniff

L0pht Heavy Industries offers an AntiSniff program that sniffs for sniffers that crackers are using to sniff your network. They invented the technology that they use and it is rather clever. Its techniques are explained in "Detecting Promiscuous Network Interface Cards" on page 656. For more information, view

www.l0pht.com/antisniff/

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260