Thursday, December 18, 2008

Sniff the Sniffer in your Network !!!

Have you ever puzzled over the question of how you are going to detect a network sniffer in your network?
Yes, I did.
Until yesterday it was my assumption that detecting a sniffing device that only collects data and does not respond to anything requires physically checking all your Ethernet connections, walking around and inspecting each one individually, and that it is impossible to check remotely, by sending a packet or a ping, whether a machine is sniffing.
The question is quite obvious, but it never struck me, because I always saw a sniffing tool as a helping hand for troubleshooting and finding problems. But what about the mind of the bad guys? The tool is so powerful; think of all the different kinds of damage it can do to a business.
So as soon as the question of how to detect a network sniffer struck me, the logical answer that came to mind was to tune a honeypot or the tools on KNOPPIX to detect the sniffer in the network.
I know you might be thinking: how, and why?
Even though I was not clear on how I was going to do this, I was quite confident that ICMP packet analysis would do something for me.

Yes, I was correct, and when I researched the topic I found the following information. The first example is the method that struck me immediately; the other methods I learned while researching the subject. I also found references to some ready-made tools. I hope you are going to use this information.

Determining Sniffer with the Help of ICMP
There are various tests that can be performed with ICMP packets to identify a host with sniffing capability. The ones below are as implemented in the AntiSniff tool.
**ICMP Time Delta test
This test uses baseline results to determine network and machine latency. AntiSniff probes the host by sending ICMP echo request messages with microsecond timers to determine the average response time. After the baseline has been established, it floods the local network with non-legitimate traffic. During the flood it sends another round of ICMP echo request probes and again determines the average response time. The flood is addressed to other hosts, so a host whose card is not in promiscuous mode never sees most of it and answers about as fast as before, while a host in promiscuous mode has to process all of it and shows a much higher latency. A host that is simply busy for other reasons will also answer more slowly, so the baseline should be taken close in time to the flood round and the test repeated before trusting the result.
**Echo test
This test is actually an option for the ICMP Time Delta test. Where the ECHO service (port 7) is available on the remote host, the user can use it instead of ICMP echo to measure the time deltas.
**Ping Drop test
This test is also run during the flood. It sends a large number of ICMP echo request messages to the host and keeps track of how many go unanswered. A host in promiscuous mode has far more traffic to process during the flood, and when it cannot keep up it starts dropping packets, the probe requests included, so a drop rate that rises under flood is another sign of promiscuous mode.
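The decision logic behind the Time Delta and Ping Drop tests, as an added example (this is not AntiSniff's code and the RTT values are constructed sample data, not real measurements). Unanswered probes are recorded as None; the verdict compares the median RTT under flood with the baseline median and, separately, the fraction of probes that went unanswered. The thresholds (a 3x rise in RTT, 25% drops) are assumptions to tune per network, and a host that is merely busy can trip them, which is why the example also reports why it flagged a host rather than just a yes/no.

```python
import statistics

# Constructed sample RTTs in milliseconds for one host, ten echo requests per round.
# None marks a request that got no reply before the timeout (a dropped ping).
BASELINE_RTTS = [0.31, 0.29, 0.33, 0.30, 0.28, 0.32, 0.30, 0.31, 0.29, 0.30]
FLOOD_RTTS_NORMAL_HOST = [0.34, 0.31, 0.36, None, 0.33, 0.30, 0.35, 0.32, 0.31, 0.33]
FLOOD_RTTS_PROMISC_HOST = [2.9, 3.4, None, 4.1, None, 3.8, None, 5.2, 3.1, None]


def summarize(rtts):
    """Drop rate and median RTT for one round of probes (median rather than mean,
    so a single slow reply does not dominate the result)."""
    answered = [r for r in rtts if r is not None]
    sent = len(rtts)
    return {
        "sent": sent,
        "answered": len(answered),
        "drop_rate": (sent - len(answered)) / sent if sent else 0.0,
        "median_ms": statistics.median(answered) if answered else None,
    }


def latency_verdict(baseline_rtts, flood_rtts, delta_factor=3.0, drop_threshold=0.25):
    """Combine the ICMP Time Delta test (median RTT under flood vs. baseline) and
    the Ping Drop test (unanswered requests under flood) into one verdict.
    delta_factor and drop_threshold are assumed tuning values, not AntiSniff's."""
    base = summarize(baseline_rtts)
    flood = summarize(flood_rtts)
    verdict = {"baseline": base, "flood": flood, "ratio": None,
               "suspicious": False, "reason": ""}
    if base["median_ms"] is None:
        # No baseline at all: the host may filter ICMP; nothing can be concluded.
        verdict["reason"] = "host did not answer at baseline; cannot judge"
        return verdict
    if flood["median_ms"] is None:
        verdict.update(suspicious=True,
                       reason="answered at baseline but nothing under flood")
        return verdict
    verdict["ratio"] = flood["median_ms"] / base["median_ms"]
    reasons = []
    if verdict["ratio"] >= delta_factor:
        reasons.append("RTT rose %.1fx under flood" % verdict["ratio"])
    if flood["drop_rate"] >= drop_threshold:
        reasons.append("%.0f%% of probes dropped under flood" % (100 * flood["drop_rate"]))
    verdict["suspicious"] = bool(reasons)
    verdict["reason"] = "; ".join(reasons) or "latency and drop rate within normal range"
    return verdict


if __name__ == "__main__":
    for label, rtts in (("normal host", FLOOD_RTTS_NORMAL_HOST),
                        ("promisc host", FLOOD_RTTS_PROMISC_HOST)):
        v = latency_verdict(BASELINE_RTTS, rtts)
        print("%s: suspicious=%s (%s)" % (label, v["suspicious"], v["reason"]))
```

Feed it the RTTs from your own ping rounds (one list per round, None for timeouts); the sample normal host comes out clean (ratio about 1.1, one drop), the sample promiscuous host is flagged on both counts.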
##Network and machine latency tests
The three tests above (ICMP Time Delta, Echo and Ping Drop) work because a host in promiscuous mode gets no low-level hardware filtering from its network card: every frame on the segment, not just the ones addressed to the host, is passed up, and the OS kernel has to do the filtering instead. The extra filtering work in the kernel shows up as latency, and the more traffic is on the wire the larger the effect, which is why AntiSniff measures during a flood.

I found that apart from ICMP there are some other properties of a machine which can help to detect sniffers.

##Ether Ping test
In older Linux kernels there is a specific condition that reveals whether a host is in promiscuous mode. When a network card is in promiscuous mode every frame is passed up to the OS, and some Linux kernels then looked only at the IP address in the packet to decide whether to process it, without re-checking the destination MAC address. To test for this flaw, the AntiSniff machine sends a frame with a bogus destination MAC address but the host's valid IP address. A card that is not in promiscuous mode discards the frame because the MAC is not its own; a vulnerable kernel behind a promiscuous card accepts it on the strength of the IP address alone. The frame carries an ICMP echo request, so a vulnerable host in promiscuous mode answers it, and that reply is the detection.

##ARP test
This test exploits a flaw in the way Microsoft operating systems (Windows 95, 98 and NT) analyze broadcast ARP packets. In promiscuous mode the network card driver still checks that the destination MAC address of a unicast frame is the card's own, but to decide whether a frame is a broadcast it checks only the first octet of the MAC address against 0xff. The real broadcast address is ff:ff:ff:ff:ff:ff. To test for this flaw, AntiSniff sends a packet with a destination MAC address of ff:00:00:00:00:00 and the correct destination IP address of the host. A card that is not in promiscuous mode never sees it, since that MAC is neither its own nor the true broadcast address, but a host running the flawed driver in promiscuous mode treats it as a broadcast and responds. It should be noted that this flaw is in the default Microsoft driver shipped with the OS; other drivers may behave differently.
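How the two probes above are built, as an added example (not AntiSniff's code): one frame builder produces both the Ether Ping probe (an ICMP echo request for the target's real IP inside a frame whose destination MAC belongs to nobody) and the ARP-test probe (an ARP request inside a frame addressed to ff:00:00:00:00:00). The page does not say what payload AntiSniff puts behind the fake-broadcast MAC; using an ARP request there is this example's choice. The MAC and IP addresses, the bogus MAC 02:00:5e:ff:00:01 and the function names are all assumptions. The last function states the rule that makes the reply conclusive: a card that is not in promiscuous mode only delivers frames to its own unicast MAC or to the true broadcast address (multicast is left out here), so any answer to a frame it should never have delivered means the card is promiscuous.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def ipv4_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum used by the IP and ICMP headers.
    Run over a header that already contains its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def icmp_echo_request(ident, seq, data=b"probe"):
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # type 8 = echo request, code 0
    csum = inet_checksum(header + data)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def ipv4_packet(src_ip, dst_ip, payload, proto=1, ident=0x4E73, ttl=64):
    # version 4 / IHL 5, TOS, total length, ID, flags+offset, TTL, proto, csum, src, dst
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              ipv4_bytes(src_ip), ipv4_bytes(dst_ip)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    # hardware type 1 (Ethernet), protocol type IPv4, hlen 6, plen 4, opcode 1 (request)
    return (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)
            + mac_bytes(sender_mac) + ipv4_bytes(sender_ip)
            + mac_bytes("00:00:00:00:00:00") + ipv4_bytes(target_ip))


def ether_ping_probe(our_mac, our_ip, target_ip, bogus_mac="02:00:5e:ff:00:01"):
    """Ether Ping test: echo request for the target's real IP, in a frame whose
    destination MAC (an assumed locally-administered address) belongs to no one."""
    icmp = icmp_echo_request(ident=0x5A5A, seq=1)
    return ethernet_frame(bogus_mac, our_mac, ETH_P_IP, ipv4_packet(our_ip, target_ip, icmp))


def fake_broadcast_arp_probe(our_mac, our_ip, target_ip):
    """ARP test: ARP request for the target in a frame whose destination MAC has
    only its first octet set to 0xff, so it is not a real broadcast."""
    return ethernet_frame("ff:00:00:00:00:00", our_mac, ETH_P_ARP,
                          arp_request(our_mac, our_ip, target_ip))


def nic_would_accept(frame, nic_mac):
    """What a card that is NOT in promiscuous mode delivers: frames to its own
    unicast MAC or to the true broadcast address (multicast groups ignored here).
    A reply to any probe for which this is False means the card is promiscuous."""
    dst = frame[:6]
    return dst == mac_bytes(nic_mac) or dst == mac_bytes(BROADCAST_MAC)


if __name__ == "__main__":
    ours, our_ip, target_ip, target_mac = "00:11:22:33:44:55", "192.168.1.10", "192.168.1.20", "aa:bb:cc:dd:ee:ff"
    for name, frame in (("ether ping", ether_ping_probe(ours, our_ip, target_ip)),
                        ("fake broadcast ARP", fake_broadcast_arp_probe(ours, our_ip, target_ip))):
        print("%s probe: %d bytes, dst %s, a non-promiscuous %s would accept it: %s"
              % (name, len(frame), frame[:6].hex(":"), target_mac, nic_would_accept(frame, target_mac)))
```

On Linux the frames are put on the wire with a raw packet socket bound to the interface, `socket.socket(socket.AF_PACKET, socket.SOCK_RAW)` followed by `bind(("eth0", 0))` and `send(frame)`, which needs root; the interface name is an assumption. Then listen for an ICMP echo reply or ARP reply from the target: the only way it can have seen either frame is a promiscuous card, together with the kernel or driver flaw described above.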

##DNS test
This test exists because many packet sniffing tools perform IP address to name lookups so they can show DNS names in place of IP addresses. That information is useful to attackers because most of the time hosts are named for what they provide. An example would be a mail server being named
Hosts that are not watching traffic destined for other machines have no reason to resolve the IP addresses in that traffic. To test this, AntiSniff puts its own network card into promiscuous mode and sends packets onto the network aimed at bogus hosts. If any reverse name lookups for those bogus addresses are then seen, a sniffer is probably running on the host performing the lookups. Pick decoy addresses that nobody on the segment would legitimately look up, and keep in mind that this test only catches sniffers configured to resolve names.
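The watching side of the DNS test, as an added example (not AntiSniff's code): given the decoy addresses used in the bait traffic, it builds the PTR names a reverse lookup would ask for, parses the question out of raw DNS query messages taken off the wire, and reports which source hosts asked for a decoy. The decoy addresses, the capture and the host IPs are constructed for the example; the query builder is there only to construct that capture. The parser handles the plain, uncompressed question a query carries, skips responses, and treats truncated or malformed messages as not-a-hit rather than crashing.

```python
import struct

PTR = 12  # DNS query type PTR (reverse lookup)


def ptr_name(ip):
    """'10.9.8.7' -> '7.8.9.10.in-addr.arpa', the name a reverse lookup asks for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parse_dns_question(payload):
    """Return (qname, qtype) for a DNS query message, None for a response or a
    message with no question.  Raises ValueError on truncated or unexpected
    input; the question in a query is never compressed, so a pointer is rejected."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def build_dns_query(name, qtype=PTR, ident=0x1A2B):
    """Used only to construct the sample capture: RD flag set, one question, class IN."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def find_sniffers(decoy_ips, captured_queries):
    """captured_queries: iterable of (source_ip, raw DNS message) taken off the wire.
    Returns {source_ip: [decoy ips it tried to reverse-resolve]}."""
    wanted = {ptr_name(ip): ip for ip in decoy_ips}
    hits = {}
    for src, payload in captured_queries:
        try:
            question = parse_dns_question(payload)
        except ValueError:
            continue
        if question is None:
            continue
        qname, qtype = question
        if qtype == PTR and qname.lower() in wanted:
            hits.setdefault(src, []).append(wanted[qname.lower()])
    return hits


# Decoy destinations used in the bait traffic (addresses nobody on the segment
# legitimately has) and a constructed capture of the DNS queries seen afterwards.
DECOY_IPS = ["10.9.8.7", "10.9.8.8"]
SAMPLE_CAPTURE = [
    ("192.168.1.20", build_dns_query("www.example.com", qtype=1)),   # ordinary A lookup
    ("192.168.1.77", build_dns_query(ptr_name("10.9.8.7"))),          # PTR for a decoy
    ("192.168.1.30", build_dns_query(ptr_name("192.168.1.1"))),       # PTR for a real host
    ("192.168.1.77", build_dns_query(ptr_name("10.9.8.8"))),          # PTR for a decoy
]

if __name__ == "__main__":
    for host, ips in find_sniffers(DECOY_IPS, SAMPLE_CAPTURE).items():
        print("%s reverse-resolved decoy addresses %s: possible sniffer" % (host, ", ".join(ips)))
```

In the sample only 192.168.1.77 asks for the decoys, so it is the one to go and look at. On a real network the queries are the UDP port 53 payloads captured while the bait traffic is flowing; the source you see is the host that sent the query to its resolver, so capture on the segment itself rather than upstream of the resolver.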

I know the above detail is boring for many people, because they prefer the practical and sometimes do not have time to look into the concepts, since they are not interested in building such a tool. So, good news for all those people: there are ready-made tools available, and one of them is from a Microsoft employee. Don't be skeptical because of the Microsoft name.
It's a project by Tim Rains, who named it Promqry. According to Tim Rains, many network sniffer detection tools rely on bugs in the operating system and on sniffer behavior for their discovery work. Promqry is different in that it queries systems directly to learn whether any of them have a network interface operating in promiscuous mode, which, as you know, is the mode commonly used by network sniffing software. Because it asks the hosts themselves, it only covers machines that will answer its queries; a rogue device plugged into the segment will not, which is where the ICMP and DNS tests above still apply. A command line version and a GUI version of Promqry 1.0 are available from Microsoft's site.
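The Linux counterpart of what Promqry asks a Windows host, as an added example (this is not Promqry's code, and the page says nothing about Promqry's internals): the kernel exposes each interface's flags in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from linux/if.h) is set while any program holds the interface in promiscuous mode, as tcpdump does unless run with -p. The sysfs path and the sample flag values are assumptions; run it on hosts you administer, over whatever management channel you have.

```python
import os

IFF_PROMISC = 0x100   # interface flag bit, from <linux/if.h>


def flags_indicate_promisc(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, a hex string
    such as '0x1143' (IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_PROMISC|IFF_MULTICAST)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_net="/sys/class/net"):
    """Names of interfaces currently in promiscuous mode; [] if sysfs is unavailable
    (non-Linux host, or the path is wrong)."""
    try:
        names = sorted(os.listdir(sysfs_net))
    except OSError:
        return []
    found = []
    for name in names:
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as f:
                text = f.read()
        except OSError:
            continue   # interface vanished or has no flags file; skip it
        if flags_indicate_promisc(text):
            found.append(name)
    return found


if __name__ == "__main__":
    promisc = promisc_interfaces()
    print("promiscuous interfaces: %s" % (", ".join(promisc) or "none"))
```

Like Promqry, this only reports what the host's own kernel says, so it finds a sniffer running on a machine you manage; a hardware tap, a mirror port, or a box you cannot query leaves no flag anywhere, and for those the network-side tests earlier on the page remain the only option.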

A command line version:

A version with a GUI:
