Überhacker II, Chapter 18: Ethernet Hacking: Wireless and Wired LANs
A Slightly Stealthy Way to Add ARP Entries
There's one big problem with broadcast pings. If you are trying
to explore a LAN without alerting the sysadmin, those broadcast
pings are easy to notice. Here's a way to add entries to the ARP
table comparatively quietly: just ping your own Ethernet
interface. In the example below I am using an NT box at 10.0.0.4:
C:\>arp -a
No ARP Entries Found

C:\>ping 10.0.0.4

Pinging 10.0.0.4 with 32 bytes of data:

Reply from 10.0.0.4: bytes=32 time=1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128
Reply from 10.0.0.4: bytes=32 time<10ms TTL=128

Ping statistics for 10.0.0.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\>arp -a

Interface: 10.0.0.4 on Interface 0x1000002
  Internet Address      Physical Address      Type
  10.0.0.9              00-c0-f0-37-56-6a     dynamic
The reason this often works is that on some systems even pinging
your own box sends packets over the Ethernet, so it doesn't
exactly hide you. However, a sysadmin might be less suspicious
if he or she thinks the attack computer was just checking its own
interface rather than trying to poll every computer on that LAN.
Sniffers
One of the first things an intruder will do after getting access
to a LAN is install a sniffer. This is a program that sets a NIC
on its computer into promiscuous mode. This means that the NIC
will pick up all packets on the LAN and deliver them to the program,
instead of only delivering those addressed to that computer.
Some sniffers are designed to only capture certain kinds of data.
Many hacker-type sniffers will just capture passwords or password
hashes that can be cracked at leisure. However, if you are serious
about researching how to break into computers, you will do better
with sniffers that allow you to analyze the packet traffic in
any level of detail you choose.
WildPackets, Inc. (http://www.wildpackets.com) offers
sniffers for both wired and wireless LANs. Its AiroPeek
WLAN sniffer includes 23 expert diagnoses in the areas of
configuration, connectivity, intrusion detection, rogue access,
denial of service, and man-in-the-middle attacks.
Rogue access? That's right, WLAN admins who know a thing or two
about security can detect intruders.
Many other commercial and free sniffers are now compatible
with WNICs. Ethereal, WinDump and tcpdump are all able to decode
at least some portion of WLAN traffic.
Sniffers for both Windows and Unix-type operating systems, including
some such as Ethereal that work on WNICs, are on the Überhacker!
CD-ROM.
How to Hide or Find a Sniffer
In theory it can be possible to completely hide your sniffer.
However, that is "in theory." In practice it is different.
First, how can you hide? The basic problem is that to run a sniffer,
you must first place it into promiscuous mode. Larsen explains
that most NICs are set up to issue a broadcast packet to alert
the sysadmins when they go into promiscuous mode. "This broadcast
packet is not like an IP broadcast. It is an ethernet broadcast,
which sets the destination MAC address in the ethernet packet
to FF:FF:FF:FF:FF:FF. All IP headers, addresses and data are nothing
more than data to the Ethernet packet." If you are trying to keep
the existence of your sniffer secret, it's a good idea to run
a second sniffer to see what your supposedly hidden sniffer may
be doing that reveals itself.
The only way to be certain that you have come up with a fool-proof
way to hide a sniffer is to use the OUI database to find out what
Ethernet hardware is running on the victim LAN, and get the same
hardware for your test LAN. Test to see whether the victim is
running any interfaces that will keep absolutely quiet about going
into promiscuous mode. If not, Larsen explains, "To keep out the
broadcast when going to sniff mode, you can usually reverse engineer
the driver and change it." Of course that's easy for Vincent to
say, as writing device drivers and rewriting kernels is as easy
for him as falling off a log. But then, that's part of being an
überhacker.
If you can clear this hurdle, then test your sniffer programs
to see how stealthy they might be. For example, try putting a
new box on your LAN, and then ping that box. Now watch to see
if there is any funny traffic from your sniffer. Chances are that
you will discover the box with the sniffer trying to query a DNS
server in order to resolve the hostname of the new kid on the
LAN.
Hobbit <hobbit@AVIAN.ORG>, writing for the Bugtraq mailing
list, has proposed a number of ways to hide your sniffer. For
example,
1. For a completely passive box, we set the interface to
some bogus IP addr, or 0.0.0.0 if that works. Drawback: hard
to retrieve logs remotely.
Workaround [to the problem of remotely accessing sniffer
logs]: one interface as a normal address on a normal reachable
net, and a second interface configured as above sniffing a
*different* net. ...
Workaround for a single interface: As the sniffer starts,
reset the interface to bogus-IP/noarp, sniff for a while,
quit sniffing, reset to the old parameters. Or perhaps dynamically
flop modes back and forth depending on whether we saw traffic
for the machine's real address arrive. A sniffer ... should
be able to go *non*promiscuous and still see if there's traffic
to its own host, and lay low accordingly.
If you are thorough enough, you just might be able to perfectly
hide a sniffer. Presumably the really serious guys, such as those
at the National Security Agency (NSA), would reliably catch any
sniffer on their LANs. But the average school, company or Internet
Service Provider is relatively easy to sniff.
Next, how do you find those hidden sniffers?
Some hacker sniffers, which might otherwise be perfect, reveal
themselves by causing IP stacks to behave differently.
Mike Orton suggests, "What about blocking everything going out
with the firewall and looking at the log to see what is trying
to phone home?" True, this could be disruptive. Perhaps you could
do it at 2AM for a few minutes, and then give a possible sniffer
something to call home about.
How do you get a sniffer to call home? You could try running
a flood ping (pings that are sent out fast for a long time) to
a nonexistent IP address on your LAN. The sniffer, because it
is running in promiscuous mode, will be seeing all those pings.
Then try pinging the suspected sniffer. If it takes longer than
usual to answer the ping, you should suspect that it was slowed
by whatever it was doing in response to the flood ping. If there
were no sniffer on board, it would have ignored the flood ping.
Try sending a ping whose destination MAC address belongs to no
host on the LAN but whose destination IP address is that of the
suspect. A NIC that is not in promiscuous mode discards the frame
because the MAC address doesn't match, so if the suspect responds,
its NIC is in promiscuous mode. (This will not work with Solaris.)
However, this approach might cause a false detection of a sniffer
if you are running old network hardware.
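The bogus-MAC ping test above, as an added example that is not from the book: a Python script for Linux (raw AF_PACKET socket, so it needs root) that builds an ICMP echo request addressed to the suspect's IP but to a made-up destination MAC, sends it, and reports whether the suspect answers. The interface name, the source MAC/IP, the suspect's IP and the bogus MAC are all constructed values, not anything from the original text.

```python
import socket
import struct

# Constructed bogus destination MAC: a NIC that is NOT promiscuous drops the
# frame in hardware, so only a promiscuous NIC ever sees the ping inside it.
BOGUS_MAC = "ff:ff:ff:ff:ff:fe"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type=8, ident=0x4242, seq=1):
    """Ethernet + IPv4 + ICMP echo request (type 8) or echo reply (type 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + icmp

def is_probe_reply(frame: bytes, suspect_ip: str, ident=0x4242, seq=1) -> bool:
    """True if frame is an ICMP echo reply from suspect_ip matching our probe."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return False
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if len(frame) < 22 + ihl or socket.inet_ntoa(frame[26:30]) != suspect_ip:
        return False
    icmp_type, _, _, r_ident, r_seq = struct.unpack("!BBHHH", frame[14 + ihl:22 + ihl])
    return icmp_type == 0 and r_ident == ident and r_seq == seq

def probe(iface: str, src_mac: str, src_ip: str, suspect_ip: str, timeout=2.0) -> bool:
    """Send the bogus-MAC ping on iface (Linux, root) and wait for a reply."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(build_frame(src_mac, BOGUS_MAC, src_ip, suspect_ip))
        try:
            while True:  # read frames until the suspect answers or we time out
                if is_probe_reply(s.recv(65535), suspect_ip):
                    return True
        except socket.timeout:
            return False
```

A reply means the suspect's NIC accepted a frame that was not addressed to it; as the text notes, Solaris and some old hardware behave differently, so treat a hit as a reason to look closer, not as proof.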
Switched Ethernet frustrates sniffers by sending packets only to
the device for which they are intended, instead of broadcasting
all packets to all devices and letting each device decide which
packets to accept. However, this isn't a perfect defense, as there
will always be something for a sniffer to intercept.
A number of sniffer detection programs, such as the many variants
of AntiSniff, are available at http://www.packetstormsecurity.com.
The program antisniff-1021.zip on the included CD-ROM is an example.
To check for a NIC in promiscuous mode on a Windows NT/2000/XP
box, try promiscdetect.exe from the CD-ROM.
For more help on how to catch hidden sniffers, see http://www.robertgraham.com/pubs/sniffing-faq.html.