
Überhacker II, Chapter 18: Ethernet Hacking: Wireless and Wired LANs

A Slightly Stealthy Way to Add Arp Entries

There's one big problem with broadcast pings. If you are trying to explore a LAN without alerting the sysadmin, those broadcast pings are easy to notice. Here's a way to add entries to the ARP table comparatively quietly -- by just pinging your own Ethernet interface. In the example below I am using an NT box at 10.0.0.4:

C:\>arp -a
No ARP Entries Found

C:\>ping 10.0.0.4

Pinging 10.0.0.4 with 32 bytes of data:
Reply from 10.0.0.4: bytes=32 time=1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128

Ping statistics for 10.0.0.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\>arp -a

Interface: 10.0.0.4 on Interface 0x1000002
  Internet Address      Physical Address      Type
  10.0.0.9              00-c0-f0-37-56-6a     dynamic

The reason this often works is that on some systems, even pinging your own box sends packets over the Ethernet. So this doesn't exactly hide you. However, a sysadmin might be less suspicious if he or she thinks the attack computer was just checking its own interface instead of trying to poll all computers on that LAN.

Sniffers

One of the first things an intruder will do after getting access to a LAN is install a sniffer. This is a program that sets a NIC on its computer into promiscuous mode. This means that the NIC will pick up all packets on the LAN and deliver them to the program, instead of only delivering those addressed to that computer.

Some sniffers are designed to only capture certain kinds of data. Many hacker-type sniffers will just capture passwords or password hashes that can be cracked at leisure. However, if you are serious about researching how to break into computers, you will do better with sniffers that allow you to analyze the packet traffic in any level of detail you choose.

Wildpackets, Inc. (http://www.wildpackets.com) offers sniffers for both wired and wireless LANs. Its AiroPeek WLAN sniffer includes 23 expert diagnoses in the areas of configuration, connectivity, intrusion detection, rogue access, denial of service, and man-in-the-middle attacks. Rogue access? That's right, WLAN admins who know a thing or two about security can detect intruders.

Many other commercial and free sniffers are now compatible with WNICs. Ethereal, WinDump and tcpdump are all able to decode at least some portion of the WLAN traffic.

Sniffers for both Windows and Unix-type operating systems, including some such as Ethereal that work on WNICs, are on the Überhacker! CD-ROM.

How to Hide or Find a Sniffer

In theory it can be possible to completely hide your sniffer. However, that is "in theory." Practice is different.

First, how can you hide? The basic problem is that to run a sniffer, you must first place it into promiscuous mode. Larsen explains that most NICs are set up to issue a broadcast packet to alert the sysadmins when they go into promiscuous mode. "This broadcast packet is not like an IP broadcast. It is an ethernet broadcast, which sets the destination MAC address in the ethernet packet to FF:FF:FF:FF:FF:FF. All IP headers, addresses and data are nothing more than data to the Ethernet packet." If you are trying to keep the existence of your sniffer secret, it's a good idea to run a second sniffer to see what your supposedly hidden sniffer may be doing that reveals itself.

The only way to be certain that you have come up with a fool-proof way to hide a sniffer is to use the OUI database to find out what Ethernet hardware is running on the victim LAN, and get the same hardware for your test LAN. Test to see whether the victim is running any interfaces that will keep absolutely quiet about going into promiscuous mode. If not, Larsen explains, "To keep out the broadcast when going to sniff mode, you can usually reverse engineer the driver and change it." Of course that's easy for Vincent to say, as writing device drivers and rewriting kernels is as easy for him as falling off a log. But then, that's part of being an überhacker.

If you can clear this hurdle, then test your sniffer programs to see how stealthy they might be. For example, try putting a new box on your LAN, and then ping that box. Now watch to see if there is any funny traffic from your sniffer. Chances are that you will discover the box with the sniffer trying to query a DNS server in order to resolve the hostname of the new kid on the LAN.

Hobbit <hobbit@AVIAN.ORG>, writing for the Bugtraq mailing list, has proposed a number of ways to hide your sniffer. For example,

1. For a completely passive box, we set the interface to some bogus IP addr, or 0.0.0.0 if that works. Drawback: hard to retrieve logs remotely.

Workaround [to the problem of remotely accessing sniffer logs]: one interface as a normal address on a normal reachable net, and a second interface configured as above sniffing a *different* net.

Workaround for a single interface: As the sniffer starts, reset the interface to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old parameters. Or perhaps dynamically flop modes back and forth depending on whether we saw traffic for the machine's real address arrive. A sniffer ... should be able to go *non*promiscuous and still see if there's traffic to its own host, and lay low accordingly.

If you are thorough enough, you just might be able to perfectly hide a sniffer. Presumably the really serious guys, such as those at the National Security Agency (NSA), would reliably catch any sniffer on their LANs. But the average school, company or Internet Service Provider is relatively easy to sniff.

Next, how do you find those hidden sniffers?

Some hacker sniffers, which might otherwise be perfect, reveal themselves by causing IP stacks to behave differently.

Mike Orton suggests, "What about blocking everything going out with the firewall and looking at the log to see what is trying to phone home?" True, this could be disruptive. Perhaps you could do it at 2AM for a few minutes, and then give a possible sniffer something to call home about.

How do you get a sniffer to call home? You could try running a flood ping (pings that are sent out fast for a long time) to a nonexistent IP address on your LAN. The sniffer, because it is running in promiscuous mode, will be seeing all those pings. Then try pinging the suspected sniffer. If it delays longer than usual to answer the ping, you should suspect that it was slowed by whatever it was doing in response to the flood ping. If there were no sniffer on board, it would have ignored the flood ping.

Try sending a ping with a MAC address of a nonexistent host combined with the IP address of the suspect. If the sniffer suspect responds, its NIC is in promiscuous mode. (This will not work with Solaris.)

However, this approach might cause a false detection of a sniffer if you are running old network hardware.
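The bogus-MAC probe described above, written out as an added example (this is not code from the book): an ARP request is sent in an Ethernet frame whose destination MAC is ff:ff:ff:ff:ff:fe, an address a NIC in normal mode filters out in hardware but a NIC in promiscuous mode passes up to the kernel, which then answers. Linux-only (AF_PACKET) and needs root; the interface name, source MAC and IP addresses are placeholders, and, as the text notes for Solaris, which bogus MAC trips which operating system varies, so silence is not proof of a clean host.

```python
import socket
import struct

ETH_P_ARP = 0x0806
# Not broadcast, not a real host: hardware address filters drop it, but a
# promiscuous NIC passes it up and the IP stack answers the ARP inside.
BOGUS_DST_MAC = bytes.fromhex("fffffffffffe")


def build_arp_probe(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP request, 42 bytes, addressed to the bogus MAC."""
    eth = BOGUS_DST_MAC + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,            # Ethernet/IPv4, opcode 1 = request
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) if the frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op, sha, spa = struct.unpack("!H6s4s", frame[20:32])
    return (sha, socket.inet_ntoa(spa)) if op == 2 else None


def probe(iface: str, src_mac: bytes, src_ip: str, target_ip: str,
          timeout: float = 2.0) -> bool:
    """True if target_ip answered the bogus-MAC ARP, i.e. its NIC is likely promiscuous."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(timeout)
    try:
        sock.send(build_arp_probe(src_mac, src_ip, target_ip))
        while True:                       # our own outgoing request is op 1, so it is skipped
            reply = parse_arp_reply(sock.recv(2048))
            if reply and reply[1] == target_ip:
                return True
    except socket.timeout:
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder values: the checking host 10.0.0.4 probes the suspect 10.0.0.9.
    answered = probe("eth0", bytes.fromhex("001122334455"), "10.0.0.4", "10.0.0.9")
    print("10.0.0.9 answered the bogus-MAC ARP:", answered)
```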

Switched Ethernet avoids sniffers by only sending packets to the device for which they are intended instead of broadcasting all packets to all devices and letting each device decide which packets to accept. However, this can't be perfect as there will always be something for a sniffer to intercept.

A number of sniffer detection programs, such as the many variants of AntiSniff, are available at http://www.packetstormsecurity.com. The program antisniff-1021.zip on the included CD-ROM is an example. To check for a NIC in promiscuous mode on a Windows NT/2000/XP box, try promiscdetect.exe from the CD-ROM.
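As an added example (not the book's or any vendor's code), the same promiscuous-mode check done locally on a Linux host, where it is more reliable than a probe from across the network: the IFF_PROMISC bit in /sys/class/net/<iface>/flags gives the current state, and the kernel logs every transition into and out of promiscuous mode, which is worth forwarding to a central log host. The dmesg lines in the block are constructed sample input.

```python
import glob
import os
import re

IFF_PROMISC = 0x100  # bit in /sys/class/net/<iface>/flags (value from <linux/if.h>)
# The kernel logs "device eth0 entered promiscuous mode" (older kernels) or
# "eth0: entered promiscuous mode" (newer ones); the pattern matches both.
PROMISC_RE = re.compile(r"(?:device )?(\S+?):? (entered|left) promiscuous mode")

# Constructed sample dmesg lines, not captured from a real host.
SAMPLE_LOG = [
    "[ 1201.330] device eth0 entered promiscuous mode",
    "[ 1205.020] device eth1 entered promiscuous mode",
    "[ 1290.870] device eth1 left promiscuous mode",
]


def promisc_from_flags(flags_by_iface):
    """Interfaces whose flags word has IFF_PROMISC set, e.g. {'eth0': 0x1103}."""
    return sorted(i for i, f in flags_by_iface.items() if f & IFF_PROMISC)


def read_sysfs_flags():
    """Read every /sys/class/net/*/flags (a hex string) into {iface: int}."""
    flags = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        iface = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            flags[iface] = int(fh.read().strip(), 16)
    return flags


def promisc_from_log(lines):
    """Replay entered/left events; return (interfaces still promiscuous, all events)."""
    state, events = {}, []
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            iface, action = m.groups()
            state[iface] = (action == "entered")
            events.append((iface, action))
    return sorted(i for i, on in state.items() if on), events


if __name__ == "__main__":
    print("promiscuous now (sysfs):", promisc_from_flags(read_sysfs_flags()))
    print("promiscuous per log    :", promisc_from_log(SAMPLE_LOG)[0])
```

A sniffer that enters promiscuous mode and leaves again before anyone looks at sysfs still shows up in the log replay, which is why the two checks complement each other.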

For more help on how to catch hidden sniffers, see http://www.robertgraham.com/pubs/sniffing-faq.html.


© 2013 Happy Hacker All rights reserved.