Detecting Sniffers




Remember that earlier we said sniffers are a form of passive attack. They don’t interact with other devices or transmit anything of their own, which makes them very difficult to detect. Difficult, but not impossible. The easiest method is to check your own network interfaces to see whether any of them is in promiscuous mode. On UNIX-based systems the command ifconfig -a lists the network adapters on the system. Look for the PROMISC flag in the output, as in the following example. Keep in mind that a promiscuous interface only tells you that something has opened a capture socket on it; bridges, virtual machine hosts and your own IDS sensors set it legitimately, so identify the process that opened it before calling it an intrusion:

[root@localhost root]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:02:B3:06:5F:5A
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:204 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:46113 (45.0 Kb)  TX bytes:5836 (5.6 Kb)
          Interrupt:11 Base address:0x1800 Memory:e8120000-e8120038

If ifconfig does not report promiscuous mode on an interface where you know a sniffer is running (older ifconfig builds do not always reflect promiscuity that was enabled through a packet capture socket), try the ip link command from the iproute2 package, a TCP/IP interface configuration and routing utility that queries the kernel over netlink. Two further places on Linux record the same fact: the kernel logs the transition as "device eth0 entered promiscuous mode", which dmesg will show, and the IFF_PROMISC bit (0x100) can be read directly from /sys/class/net/eth0/flags. The following example shows the output from the ip command:

[root@localhost root]# ip link
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:06:5f:5a brd ff:ff:ff:ff:ff:ff
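The three local checks scripted together, as an added example that is not from the book or from any of the tools it mentions. It assumes a Linux host: it reads the IFF_PROMISC bit (0x100) from each interface's flags file under /sys/class/net, parses ip -o link output for the PROMISC flag, and replays the kernel's "device X entered/left promiscuous mode" messages so that an interface that entered and later left is reported correctly. The ip link and dmesg text embedded in the script is constructed sample data. On a rootkitted host these checks are only as honest as the kernel and the binaries that run them.

```python
"""Local promiscuous-mode checks for Linux (added example, not from the book).
The SAMPLE_* strings are constructed; sysfs_promisc_interfaces() is the live check."""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # value of IFF_PROMISC in <linux/if.h>


def flags_promisc(flags_hex: str) -> bool:
    """True if IFF_PROMISC is set in a /sys/class/net/<if>/flags value such as '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> List[str]:
    """Interfaces whose <...> flag list in `ip -o link` output contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_state_from_log(log_text: str) -> Dict[str, bool]:
    """Replay 'device X entered/left promiscuous mode' kernel messages in order.
    The returned value is True for interfaces whose last event was 'entered'."""
    state: Dict[str, bool] = {}
    for m in re.finditer(r"device (\S+) (entered|left) promiscuous mode", log_text):
        state[m.group(1)] = m.group(2) == "entered"
    return state


def sysfs_promisc_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Live check: read the flags file of every interface under sysfs (Linux only).
    Returns an empty list where sysfs is absent, so it is safe to call anywhere."""
    result = []
    if not os.path.isdir(sysfs_root):
        return result
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if flags_promisc(fh.read()):
                    result.append(name)
        except OSError:
            continue
    return result


# Constructed sample data in the shape of `ip -o link` and dmesg output.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    "
    "link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    "
    "link/ether 00:02:b3:06:5f:5a brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    "
    "link/ether 00:02:b3:06:5f:5b brd ff:ff:ff:ff:ff:ff\n"
)
SAMPLE_DMESG = (
    "[  120.001] device eth1 entered promiscuous mode\n"
    "[  121.500] device eth0 entered promiscuous mode\n"
    "[  300.250] device eth1 left promiscuous mode\n"
)

if __name__ == "__main__":
    print("ip link  :", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("dmesg    :", promisc_state_from_log(SAMPLE_DMESG))
    print("sysfs    :", sysfs_promisc_interfaces())
```

With the sample data the ip link parser reports only eth0, and the log replay reports eth0 as still promiscuous and eth1 as no longer promiscuous; run the script as root on a real host to get the live sysfs result alongside.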

Detecting promiscuous mode on Windows systems is more difficult because there is no standard command that lists that type of information. However, there is a free tool called PromiscDetect, developed by Arne Vidstrom, that detects promiscuous mode network adapters on Windows NT, 2000, and XP. It can be downloaded from http://ntsecurity.nu/toolbox/promiscdetect. In the following PromiscDetect output the D-Link adapter is in normal operating mode, while the Intel adapter has Ethereal running on it:

C:\>promiscdetect

PromiscDetect 1.0 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
                  - http://ntsecurity.nu/toolbox/promiscdetect/

Adapter name:
 - D-Link DWL-650 11Mbps WLAN Card

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:
 - Intel(R) PRO/100 SP Mobile Combo Adapter

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)
 - Promiscuous (capture all packets on the network)

WARNING: Since this adapter is in promiscuous mode there could be a sniffer
         running on this computer!

Unfortunately, some sniffers cover their tracks by hiding the promiscuous flag. Also, if the sniffer was installed on a compromised system by using a rootkit, the intruder has most likely replaced commands such as ifconfig with versions that lie. Local checks are therefore only as trustworthy as the binaries and kernel that run them; run them from known-good media, or look for the sniffer from another host. The following list describes several other methods that can be used to detect sniffers on the network:

  • Monitor DNS reverse lookups. Some sniffers perform DNS queries to resolve the IP addresses they capture into host names. Performing a ping scan of your network, or pinging an address you know is unused, can trigger this activity: a PTR query for that address from a host that had no reason to look it up points at a sniffer.

  • Send TCP/IP packets (a TCP SYN, for example) to every IP address on the same Ethernet segment, but addressed to a fake destination MAC address. A network interface card in normal mode drops frames with the wrong MAC address in hardware. A host in promiscuous mode, however, passes the frame up the stack, and some systems will answer with a reset packet (RST). This may also work in a switched environment, since switches flood frames whose destination MAC is not in their forwarding table out every port. Many newer sniffers have built-in defenses against this technique, and newer operating systems check the destination MAC again in software, so a host that stays silent is not proof that nothing is listening.

  • Carefully monitor hub ports. Ideally you would have a network diagram and your cables would be labeled. Then, if something unusual appeared, such as a new device or a newly active hub port, you would recognize it. In reality, wiring closets and cabling can be a nightmare. If your hubs are monitored with a protocol such as SNMP via a network management system, you may be able to use that information to detect unusual link-up and link-down events.

  • Remember how ARP is used to link IP addresses to MAC addresses. Normally an ARP request is sent as a broadcast to everyone. Instead, send an ARP request to a non-broadcast (fake) MAC address, carrying your own IP and MAC address in the sender fields, and follow it with a broadcast ping. Only a host that listens to all traffic, including frames not addressed to it, will have processed that request and cached your IP-to-MAC mapping; everyone else must first send an ARP request for your address before it can answer the ping. Therefore the computer that answers the ping without first asking for your MAC address is the one running the sniffer.

  • Use a honeypot. A honeypot is a server that is set up to monitor the activity of intruders. It contains fake data and services. In this case you could create fake administrator or user accounts on the honeypot and then log in to it across the network using clear text protocols such as Telnet or FTP. If a sniffer is harvesting user names and passwords it will capture those credentials, and the intruder will eventually try to use them. Honeypots run intrusion detection software to monitor activity, and signatures can be added to trigger alerts whenever the fake accounts are used; since nothing legitimate ever uses them, any such alert is a true positive.

  • Carefully monitor your hosts. This includes disk space, CPU utilization, and response times. Sniffers gradually consume disk space each day as they log traffic, and they can sometimes put a noticeable load on the CPU. When the compromised computer’s resources are consumed it will respond more slowly than normal.
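The fake-destination-MAC probe described in the two bullets above (the TCP/RST variant and the ARP variant), as an added example that is not from the book or from any of the tools it lists. It builds an ARP request for each target address but sends it to ff:ff:ff:ff:ff:fe instead of the broadcast address, then collects ARP replies: a NIC in normal mode filters the frame in hardware, while a promiscuous host passes it up the stack and an older ARP implementation answers because the target IP matches. It assumes Linux with a raw AF_PACKET socket (root or CAP_NET_RAW); the interface name, MAC and IP addresses are constructed placeholders. Modern Linux kernels discard ARP and IP frames whose destination MAC is not the host's own even in promiscuous mode, so silence is not proof of absence, which matches the book's note that Neped only works against unpatched older kernels.

```python
"""Remote promiscuous-mode probe: ARP request to a bogus destination MAC.
Added example, not from the book. Linux only; needs CAP_NET_RAW to send.
Interface, MAC and IP values in __main__ are constructed placeholders."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
# Non-broadcast, non-existent destination. A normal NIC drops it; a promiscuous
# one hands it to the stack, where an unguarded ARP layer answers for its own IP.
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, dst_mac: str) -> bytes:
    """Ethernet + ARP frame (op 1 = request, 2 = reply), 42 bytes before padding."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,                      # Ethernet/IPv4, opcode
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_probe(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """ARP request for target_ip, sent to BOGUS_DST_MAC instead of broadcast."""
    return build_arp(1, my_mac, my_ip, "00:00:00:00:00:00", target_ip, BOGUS_DST_MAC)


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """(sender MAC, sender IP) if frame is an ARP reply, otherwise None."""
    if len(frame) < 42:
        return None
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if op != 2:
        return None
    return mac_str(sha), socket.inet_ntoa(spa)


def probe_segment(iface: str, my_mac: str, my_ip: str, targets: List[str],
                  timeout: float = 2.0) -> Dict[str, str]:
    """Send one bogus-MAC probe per target and map replying IP -> MAC (suspects)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(timeout)
    suspects: Dict[str, str] = {}
    try:
        for ip in targets:
            sock.send(build_probe(my_mac, my_ip, ip))
        while True:                      # drain replies until the socket times out
            reply = parse_arp_reply(sock.recv(2048))
            if reply and reply[1] in targets:
                suspects[reply[1]] = reply[0]
    except socket.timeout:
        pass
    finally:
        sock.close()
    return suspects


if __name__ == "__main__":
    # Constructed placeholders: replace with the probing host's own interface details.
    hits = probe_segment("eth0", "00:0c:29:aa:bb:cc", "192.168.1.10",
                         [f"192.168.1.{h}" for h in range(1, 255)])
    for ip, mac in sorted(hits.items()):
        print(f"{ip} ({mac}) answered a non-broadcast ARP request: possibly promiscuous")
```

The same frame builder serves the TCP variant: wrap a SYN instead of an ARP body, keep the bogus destination MAC, and watch for an RST from the target. Whichever variant you use, treat a reply as a lead to confirm on the host (with the local checks above), not as proof by itself.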

There are several tools that can be used to detect sniffers on your network. Many of them are outdated and no longer actively maintained, and sometimes just hard to find. Also, newer sniffers have been rewritten to evade their detection. However, we want to take a moment to mention some of them.

  • PromiScan Ver 0.27 This is a free program by Security Friday that is up-to-date and actively maintained. It runs on Windows 2000 and XP and requires the WinPcap driver. It can scan the local network looking for remote promiscuous mode adapters, using ARP packets. It can be downloaded from www.securityfriday.com/ToolDownload/_PromiScan/promiscan_doc.html.

  • AntiSniff This program was originally written by L0pht, but is no longer supported or maintained. Archived Windows and UNIX versions can be downloaded from http://packetstormsecurity.nl/sniffers/antisniff.

  • Sentinel This free program performs remote promiscuous detection, and runs on various versions of BSD and Linux. It requires the libpcap and libnet libraries to operate. It can be downloaded from www.packetfactory.net/projects/sentinel.

  • Neped (Network Promiscuous Ethernet Detector) This is a free UNIX-based program originally written by the Apostols Group to remotely detect promiscuous mode network interface cards on Linux computers. It only detects on a subset of Linux systems with unpatched kernels before version 2.0.36. The Apostols website no longer exists and neped can be difficult to find. Currently there is a version located at www.dsinet.org/tools/network-sniffers/neped.c.

  • Check Promiscuous Mode (CPM) This is a free UNIX-based program developed by CERT/CC in response to increased network sniffing. More information, including the program, can be obtained from www.cert.org/advisories/CA-1994-01.html.

  • Ifstatus This is a free UNIX-based program to detect promiscuous mode interfaces on Solaris and AIX systems. It can be downloaded from ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus.

  • Promisc.c This is a free UNIX-based program to detect promiscuous mode interfaces on Linux and some SunOS systems. It can be downloaded from www.dsinet.org/tools/network-sniffers/promisc.c.






Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
