This FAQ will be broken down into:
Most popular way of connecting computers is through ethernet. Ethernet protocol works by sending packet information to all the hosts on the same circuit. The packet header contains the proper address of the destination machine. Only the machine with the matching address is suppose to accept the packet. A machine that is accepting all packets, no matter what the packet header says, is said to be in promiscuous mode.
Because, in a normal networking environment, account and password information is passed along ethernet in clear-text, it is not hard for an intruder once they obtain root to put a machine into promiscuous mode and by capturing packets, compromise all the machines on the net.
You may want to run Esniff.c on an authorized network to quickly see how effective it is in compromising local machines.
Other packet capture products that are widely available which are intended to debug network problems are:
Commercial packet capture applications are available at:
PacketView - Low cost network protocol analyzer
Network General produces a number of products. The most important are the Expert Sniffer, which not only sniffs on the wire, but also runs the packet through a high-performance expert system, diagnosing problems for you. There is an extension onto this called the "Distributed Sniffer System" that allows you to put the console to the expert sniffer on you Unix workstation and to distribute the collection agents at remote sites.
" My commercial site runs many protocols on one wire - NetBeui, IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most notably SNA. This posed a big problem when trying to find a network packet capture utility to examine the network problems we were having, since I found that some sniffers that understood Ethernet II parse out some 802.3 traffic as bad packets, and vice versa. I found that the best protocol parser was in Microsoft's Net Monitor product, also known as Bloodhound in its earlier incarnations. It is able to correctly identify such oddities as NetWare control packets, NT NetBios name service broadcasts, etc, which etherfind on a Sun simply registered as type 0000 packet broadcasts. It requires MS Windows 3.1 and runs quite fast on a HP XP60 Pentium box. Top level monitoring provides network statistics and information on conversations by mac address (or hostname, if you bother with an ethers file). Looking at tcpdump style details is as simple as clicking on a conversation. The filter setup is also one of the easiest to implement that I've seen, just click in a dialog box on the hosts you want to monitor. The number of bad packets it reports on my network is a tiny fraction of that reported by other sniffers I've used. One of these other utilities in particular was reporting a large number of bad packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't see them at all using the MS product. - Anonymous
It is also impossible to remotely check by sending a packet or ping if a machine is capturing packets.
A packet capture utility running on a machine puts the interface into promiscuous mode, which accepts all the packets. On some Unix boxes, it is possible to detect a promiscuous interface. It is possible to run a capture utility in non-promiscuous mode, but it will only monitor sessions from the machine it is running on. It is also possible for the intruder to do similiar capture of sessions by trojaning many programs such as sh, telnet, rlogin, in.telnetd, and so on to write a log file of what the user did. They can easily watch the tty and kmem devices as well. These attacks will only compromise sessions coming from that one machine, while promiscuous packet capture compromises all sessions on the ethernet.
For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a command
"ifconfig -a"that will tell you information about all the interfaces and if they are in promiscuous mode. DEC OSF/1 and IRIX and possible other OSes require the device to be specified. One way to find out what interface is on the system, you can execute:
Then you can test for each interface by doing the following command:# netstat -r Routing tables Internet: Destination Gateway Flags Refs Use Interface default iss.net UG 1 24949 le0 localhost localhost UH 2 83 lo0
Intruders often replace commands such as ifconfig to avoid detection. Make sure you verify its checksum.#ifconfig le0 le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> inet 127.0.0.1 netmask 0xffffff00 broadcast 255.0.0.1
There is a program called cpm available on ftp.cert.org:/pub/tools/cpm that only works on SunOS and is supposed to check the interface for promiscuous flag.
Ultrix can possibly detect someone running a packet capture utility by using the commands pfstat and pfconfig.
pfconfig allows you to set who can run a packet capture utility
pfstat shows you if the interface is in promiscuous mode.
These commands only work if packet capture is enabled by linking it into the kernel. By default, the utility is not linked into the kernel. Most other Unix systems, such as Irix, Solaris, SCO, etc, do not have any flags indication whether they are in promiscuous mode or not, therefore an intruder could be capturing your whole network and there is no way to detect it.
Often a capture utility log becomes so large that the file space is all used up. On a high volume network, a capture utility will create a large load on the machine. These sometimes trigger enough alarms that the administrator will discover the utility's presence. I highly suggest using lsof (LiSt Open Files) available from coast.cs.purdue.edu:/pub/Purdue/lsof for finding log files and finding programs that are accessing the packet device such as /dev/nit on SunOS.
There is no commands I know of to detect a promiscuous IBM PC compatible machine, but they at least usually do not allow command execution unless from the console, therefore remote intruders can not turn a PC machine into a packet capture device without inside assistance.
The following vendors have available active hubs:
Some packages available are:
The product is built by Hughes Aircraft and they can be reached at 800-825-LOCK or email at firstname.lastname@example.org.
Kerberos is another package that encrypts account information going over the network. Some of its draw backs are that all the account information is held on one host and if that machine is compromised, the whole network is vulnerable. It is has been reported a major difficulty to set up. Kerberos comes with a stream-encrypting rlogind, and stream-encrypting telnetd is available. This prevents intruders from capturing what you did after you logged in.
There is a Kerberos FAQ at ftp at rtfm.mit.edu in /pub/usenet/comp.protocols/kerberos/Kerberos_Users__Frequently_Asked_Questions_1.11 or try: ftp://aeneas.mit.edu/pub/kerberos/doc/KERBEROS.FAQ
S/key and other one time password technology makes capturing account information almost useless. S/key concept is having your remote host already know a password that is not going to go over insecure channels and when you connect, you get a challenge. You take the challenge information and password and plug it into an algorithm which generates the response that should get the same answer if the password is the same on the both sides. Therefore the password never goes over the network, nor is the same challenge used twice. Unlike SecurID or SNK, with S/key you do not share a secret with the host. S/key is available on ftp:thumper.bellcore.com:/pub/nmh/skey
OPIE is the successor of Skey and is available at ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/
Other one time password technology is card systems where each user gets a card that generates numbers that allow access to their account. Without the card, it is improbable to guess the numbers.
The following are companies that offer solutions that are provide better password authenication (ie, handheld password devices):
OneTime Pass (OTP):
This program provides unrestricted one-time pass codes on a user by user basis without any need for cryptographic protocols or hardware devices. The user takes a list of usable pass codes and scratches out each one as it is used. The system tracks usage, removing each passcode from the available list when it is used. Comes with a very small and fast password tester and password and pass phrase generation systems.
This is the original Argued Key system that mutually authenticates users and systems to each other based on their common knowledge. No hardware necessary. Comes with a very small and fast password tester and password and pass phrase generation systems.
You can try to make sure that most IBM DOS compatible machines have interfaces that will not allow packet capture. Here is a list of cards that do not support promiscuous mode:
Test the interface for promiscuous mode by using the Gobbler. If you find a interface that does do promiscuous mode and it is listed here, please e-mail email@example.com so I can remove it ASAP.
IBM Token-Ring Network PC AdapterThe following cards are rumoured to be unable to go into promiscuous mode, but that the veracity of those rumours is doubtful.
IBM Token-Ring Network PC Adapter II (short card)
IBM Token-Ring Network PC Adapter II (long card)
IBM Token-Ring Network 16/4 Adapter
IBM Token-Ring Network PC Adapter/A
IBM Token-Ring Network 16/4 Adapter/A
IBM Token-Ring Network 16/4 Busmaster Server Adapter/A
Microdyne (Excelan) EXOS 205Adapters based upon the TROPIC chipset generally do not support promiscuous mode. The TROPIC chipset is used in IBM's Token Ring adapters such as the 16/4 adapter. Other vendors (notably 3Com) also supply TROPIC based adapters. TROPIC-based adapters do accept special EPROMs, however, that will allow them to go into promiscuous mode. However, when in promiscuous mode, these adapters will spit out a "Trace Tool Present" frame.
Microdyne (Excelan) EXOS 205T
Microdyne (Excelan) EXOS 205T/16
Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8
Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8
Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16
Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32
HP 27247B EtherTwist Adapter Card/16 TP Plus
HP 27252A EtherTwist Adapter Card/16 TP Plus
HP J2405A EtherTwist PC LAN Adapter NC/16 TP