70 Comments
- KORGOTH, on 10/12/2007, -1/+27: Last time I tried sniffing the Ethernet, I passed out.
- ebob9, on 10/12/2007, -1/+25: In the article, they mention that data is still being sent. In my experience, usually the data that is transmitted is stuff the PC still has running unknown to the user - Daemons, Ethereal/Wireshark doing reverse DNS lookups on IPs, etc.
Forging your MAC and keeping hidden is not the hard part -- the hard part is actually seeing any useful data. Most modern switches only transmit unsolicited broadcast/multicast traffic down all ports, so you will only see traffic destined for your MAC address.
To see useful data, you have a few methods:
If you have physical access to the network equipment, this is easy. Best method is to put a passive tap (copper, fiber if you're made of money) on a trunk port between redundant switches. You can see everything then - but be sure and up your MTU so you can see any VLAN/802.1p tags that might be in use. You can use a hub instead of a tap if they are using 10/100 copper connections. (Netgear makes a sweet 4-port Dual-Speed that works great for this). You can also mirror ports on the switches, but that gets hairy and requires network configuration changes - leaving tracks.
If you don't have physical access to the network equipment, (for example, you are a cube slave) it becomes a little trickier. If you can change your MAC address, then you should try a man-in-the-middle attack. You can try spoofing the MAC of the default gateway, then forwarding all traffic back on to that default gateway. Another method for a Man-in-the-Middle attack uses Gratuitous ARPs, you can issue a Gratuitous ARP for your default gateway's IP, pointing to any false MAC address.
my $.02
--ebob9
- DeepDoo, on 10/12/2007, -2/+18: All of us BOFHs really, really, really, hope all of you users try something like this on our networks. I love to get people fired for being dumb.
- signal15, on 10/12/2007, -1/+16: A more reliable way of doing this is to make a patch cable with the TX pair disconnected. That will ensure you don't accidentally send something over the wire.
However, most companies use switches, and unless you do some arp spoofing, you will only see broadcast traffic, or traffic sent to your machine (of which there should be none if you don't have a MAC addy or you didn't connect the TX pair). ARP spoofing is easily detectable. Another method is to flood the switch port with random MAC addresses. Some switches will freak out and stop switching and go into a sort of "hub" mode. dsniff and ettercap both provide the functionality you need to do either one of these attacks.
- zttrx, on 10/12/2007, -3/+13: @ebob9: This is not slashdot...informative comments are buried here.
- ebob9, on 10/12/2007, -2/+12: @zttrx: Sorry, I'm new here. Let me try again: OMG, the article has funky green colours my eyes are burning!!
- bunni, on 10/12/2007, -0/+10: Zomg someone's poisoned the arp water hole. Only man in the middle can save us now!
- zttrx, on 10/12/2007, -0/+9: Indeed. Just as one should never assume one's network is unhackable, so must a hacker assume that their actions are never untraceable.
- DontSayFanboy, on 10/12/2007, -2/+10: edit: BEATEN damn
Bastard Operator From Hell. Do a google search, you'll find quite a few stories.
I am a sysadmin, but I would never call myself a BOFH. I guess I'm lucky to work in academia where I enjoy working with my users and educating them as opposed to being proud of being an ***** to them and trying to get everyone fired. Yes, we've caught students trying to hack things but we usually just embarrass them. If they are really good, we'll hire them.
- EgoDemens, on 10/12/2007, -3/+10: @bg_27
Wrong discussion to use that argument. Your argument is for wireless networks and white listing MAC addresses. What sekyuritei suggested is that if you have the same MAC on two ports of your physical switch, something funny is going on. Also don't regurgitate random ***** just because some of the words match.
- sekyuritei, on 10/12/2007, -4/+11: Of course, this wouldn't work if someone is monitoring when MACs switch ports, or when you use 802.1X. I would love to catch someone thinking they could get away with this at my job. Dugg because it's still a great article!
- inactive, on 10/12/2007, -0/+7: as tinman said, article is misleading, this would not normally net you anything on a switched network (and most people have switches nowadays, hubs are so eww) so you get a broadcast here and there, you won't have any passwords from that.
- mindwarp, on 10/12/2007, -2/+8: You sound pretty confident, but you are only as secure as your switch firmware. If someone has the skills, and infiltrates your physical network, all bets are off.
- inactive, on 10/12/2007, -1/+6: uh, I would think that he is doing his job well. It's not like you run past a cop with a brand new TV/DVD player and he sits there and goes "oh, that was probably completely innocent"
- pcgeek101, on 10/12/2007, -1/+5: Lol ... well said. I've had to report suspicious activity on quite a few occasions recently :)
Needless to say, I had plenty of data gathered from forensics (switch log, server logs, proxy logs, etc.) to back my statements .. oh, and did I mention my favorite feature of my HP core switch ... port mirroring? :)
- inactive, on 10/12/2007, -1/+5: MITM is never silent by nature, wtg.
- DeepDoo, on 10/12/2007, -0/+4: when you admin a big network at a big organization, you always assume someone will be trying stuff like this. All (good) admins have an overdeveloped sense of paranoia.
- Apage43, on 10/12/2007, -0/+4: Indeed, those are VERY suspicious looking addresses, and mean that someone is DEFINITELY spoofing their address
- intenselygreen, on 10/12/2007, -1/+5: FYI: Bastard Operator From Hell.
See:
http://www.bofh.com/
- Goosemaster, on 10/12/2007, -0/+3: kids these days with their sniffing...
back in my day we used to get drunk off our asses and break into the data center like real men...good times.
- cbreaker, on 10/12/2007, -0/+3: "A more reliable way of doing this is to make a patch cable with the TX pair disconnected. That will ensure you don't accidentally send something over the wire."
That only works if your hardware is a dumb switch/hub. For any managed switch, you won't get any traffic until you have a link and a visible MAC. At least not on any of our Extreme switches. That, and since most good switches now are L3, you won't get anything but broadcasts anyways, and I don't know of too many protocols that broadcast unencrypted passwords.
- jwigum, on 10/12/2007, -0/+3: "If an admin or IDS saw 12 packets (as in my example) originating from 00:00:00:00:00:00 or aa:bb:cc:dd:ee:ff do you think he would pull out all the stops and think there is someone eavesdropping? Of course not."
Unless he thought to himself "Someone is sniffing around on my network... Release the hounds!" If he's being security conscious, I think he'd be more than a little concerned. Even more so if it was a "closed" network, that didn't allow anything other than what the company deployed.
- t3hX, on 10/12/2007, -0/+2: >Sad that you derive pleasure from ***** people rather than (apparently) doing your job well.
Keeping "hackers" off the network IS part of your job as a BOFH.
- cbreaker, on 10/12/2007, -0/+2: Yea, you'll get 15-45 seconds of your switch acting like a hub when you're using a ***** Dell switch. Any respectable switch from Cisco or Extreme doesn't pass any traffic until everything is up. On the BlackDiamond 8810, the whole reboot process takes about 7 seconds. (it runs Linux, too.)
- webcrumb, on 10/12/2007, -0/+2: Unfortunately not good use of standard English...
- senfo, on 10/12/2007, -1/+3: You've probably been haxored by this 1337 haxor of a dude we know as apachehtaccess.
- t3hX, on 10/12/2007, -0/+2: The author of this article has no idea what he's talking about...
- inactive, on 10/12/2007, -4/+6: Pardon me for being ignorant, but ... BOFH?
Bag Of Fat Hog?
Barf On Fast Hyenas?
Boof Or F*ck Horses?
- Hindu_Wardrobe, on 10/12/2007, -2/+4: Here come the silly Apple fanboys saying "lololol u cant do this on a pc only a MAC cuz see rite there it sayz MAC lololol"
- macewan, on 10/12/2007, -0/+2: It will also help if you bring up Ubuntu at some point.
- Apage43, on 10/12/2007, -0/+2: Undetected sniffing only works on non-switched networks. These days switches are cheap, and the only way to sniff a network that uses switches is ARP spoofing, which is quite -easily- detectable, but also easy to do with the right tools.
- Jerk, on 10/12/2007, -1/+3: Bastard Operator From Hell
- apachehtaccess, on 10/12/2007, -0/+1: Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.
In a column about syslog I mentioned ``stealth logging''--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection systems (NIDSes) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.
A "stealthed" machine - one with an interface "up" but not bound to IPV4 (or any other protocols) will be entirely invisible. It does not look for packets destined for its "supposed IP", as it has no "supposed IP". It looks for packets destined for other machines on the network with real IPs.
Such machines will not respond to ARP packets (or indeed any other packets) - do not have IP addresses (hence can't be pinged), do not have IPX addresses etc, and do not respond to any type of broadcast or any other packet.
AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.
I have personally run a stealthed machine and happily watched the "packets received" counter in /sbin/ifconfig go up while the "packets transmitted" stays bolted at zero.
One thing that *might* give away the existence of such a machine would be outgoing DNS requests, but determining this would be very difficult. Also, most IDSs do not do realtime DNS resolution for performance reasons.
If you run a stealth IDS and need it to do DNS requests, obviously those need to go via an alternative interface, probably with a firewall and/or DNS cache between it and the network it's sniffing (if it even goes out via the same route at all)
Nevertheless in theory, an attacker who has compromised a machine on the same segment as this IDS and also set it into promiscuous mode (so it sees the same traffic) could send an attack which is detected, then watch an outgoing reverse DNS request for his IP.
That could make the IDS detectable, however the attacker could not possibly know the identity of this machine, as its other interface (i.e. the only one with a real private IP) is sitting behind another firewall and sending its DNS requests out via an intermediate DNS.
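The stealth-sniffer text quoted above rests on one observable: the capture interface has no IP address and its transmit counter stays at zero while the receive counter climbs. The script below is an added example written for this page, not Mick Bauer's or slarty's code. It parses /proc/net/dev and the output of `ip -o -4 addr show` and reports whether an interface is really silent, so that stray traffic such as the reverse DNS lookups ebob9 mentions earlier shows up as a non-zero TX delta. The interface names, counters and addresses in the embedded samples are constructed for the demonstration.

```python
"""Verify that a sniffing interface is really silent: no IPv4 address bound
and a transmit counter that does not move while the receive counter does.
Added example for this page; the sample counters and addresses are constructed."""
import re
import subprocess
import time


def parse_proc_net_dev(text):
    """Return {iface: (rx_packets, tx_packets)} from the text of /proc/net/dev."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines carry no colon
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        # fields[1] is RX packets, fields[9] is TX packets (8 RX columns come first)
        stats[name.strip()] = (int(fields[1]), int(fields[9]))
    return stats


def ipv4_addresses(ip_output):
    """Return {iface: [addr/prefix, ...]} from `ip -o -4 addr show` output."""
    addrs = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", ip_output, re.M):
        addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def silence_report(iface, dev_snapshots, ip_output):
    """dev_snapshots: /proc/net/dev contents taken over time, oldest first."""
    first = parse_proc_net_dev(dev_snapshots[0])[iface]
    last = parse_proc_net_dev(dev_snapshots[-1])[iface]
    addrs = ipv4_addresses(ip_output).get(iface, [])
    rx_delta, tx_delta = last[0] - first[0], last[1] - first[1]
    # silent: nothing to answer from (no address) and nothing answered (no TX)
    return {"iface": iface, "ipv4": addrs, "rx_delta": rx_delta,
            "tx_delta": tx_delta, "silent": not addrs and tx_delta == 0}


# Constructed samples: eth0 is the management side, eth1 the address-less sniffer.
SAMPLE_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0       100  2000000   15000    0    0    0     0       0          0
  eth1: 9000000   70000    0    0    0     0          0       500        0       0    0    0    0     0       0          0
"""
SAMPLE_DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5040000   40300    0    0    0     0          0       101  2016000   15120    0    0    0     0       0          0
  eth1: 9300000   72250    0    0    0     0          0       520        0       0    0    0    0     0       0          0
"""
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""


def live_report(iface, seconds=10):
    """Take two real snapshots `seconds` apart (Linux only)."""
    snaps = [open("/proc/net/dev").read()]
    time.sleep(seconds)
    snaps.append(open("/proc/net/dev").read())
    ip_out = subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)
    return silence_report(iface, snaps, ip_out)


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    print(live_report(iface))
```

Run it against the capture interface while the sniffer is up; a TX delta above zero with no address bound usually means a helper process (resolver, mDNS, the sniffer's own name lookups) is talking on the interface you meant to keep mute.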
- Goosemaster, on 10/12/2007, -0/+1: DeepDoo :
Hence the massive amount of hookers in the IT trenches and the 12 o'clock (GMT -5) 1500ml shot of "Russian inspiration, Russian resilience, and downright Russian vengeance"
- r121, on 10/12/2007, -0/+1: ew.
- justthisguyyano, on 10/12/2007, -0/+1: First, I'm glad that people like you enjoy bragging. It makes my job that much easier.
Second, you're dangerous. Turning off power to a building just to get a router/switch to reboot, dangerous.
It also means you have some kind of special access to the physical locations of the data and electrical closets. Abuse of trust.
Third, most of what you document will work but it will also leave a trail a mile wide to any decent network security professional.
- diecastbeatdown, on 10/12/2007, -0/+1: snort inline.
- ebob9, on 10/12/2007, -1/+2: From what I understand, promiscuous mode means that your ethernet card is no longer ignoring frames sent to MAC addresses other than your own. It instead processes these frames, which allows your sniffer (tcpdump, wireshark, etc) to read the frames not intended for the station off the wire.
From my understanding, this shouldn't be detectable - however I remember a small .c program on rootshell.org (long time ago) that claimed to detect NICs in promiscuous mode. Anyone have an idea how this is/was done?
- Yoshi39, on 10/12/2007, -1/+2: Bastard operator from hell
http://en.wikipedia.org/wiki/Bastard_Operator_From_Hell
- DeusMachinae, on 10/12/2007, -0/+1: This would work pretty well on a college network eh.. mwahahhaa
- DeepDoo, on 10/12/2007, -5/+6: @022A
Eliminating people who are a security risk is my job as a BOFH. People should be doing the work for which they are hired. My job happens to be systems administrator or BOFH. A large part of that job is securing the network and eliminating threats from both outside threats and inside threats. If you work for my organization and you threaten the security of my network, you will be fired. And I will smile for having done my job well.
- linnerd40, on 10/12/2007, -1/+2: http://www.duggmirror.com
- t3hX, on 10/12/2007, -0/+1: Here come the silly Apple haters who say "lolol all the apple fanboys are going to say this..."
Although, on a side note, a lot of the Windows network drivers (especially wireless drivers) don't support promiscuous mode, and definitely not monitor mode. So actually, you'd be better off on a Mac or a Linux machine.
- kohlmannj, on 10/12/2007, -1/+2: Hmm, whatever happened to, oh, you know, *not* secretly siphoning data off a network. Karma (points?), people, y'know what I'm sayin'?
- apachehtaccess, on 09/12/2008, -0/+1: The updated url is actually: http://www.askapache.com/security/sniffing-on-ethe ...
- t3hX, on 10/12/2007, -0/+1: It was done by sending an RARP request or maybe a ping (I can't remember) to the right IP address, but wrong MAC address, so that the computer gets the frame, only bothers checking the IP address (the MAC address got checked by the driver/card, right? and I wouldn't be getting the frame if it wasn't for me), and the computer responds.
Doesn't work on all systems.
- osbjmg, on 10/12/2007, -0/+1: He doesn't mention the method he uses to see the passwords. Maybe that will help on a hub, but no worky on a switch (that isn't flooding at the time anyway). There are surely ways to grab other people's traffic in addition, but he doesn't go over this nor the way to defend against it... oh well. 4/10
- cbreaker, on 10/12/2007, -0/+1: Such as? I've always been able to run netmon on any NIC I've used, and there's been a lot of them. Including some really crappy "Ethernet on a chip" SMC cards and old ISA cards.
- osbjmg, on 10/12/2007, -0/+1: You ARE bragging, and you are incorrect:
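ebob9 asks above how the old rootshell program could detect a promiscuous NIC, and t3hX recalls the trick: a packet to the right IP address but the wrong MAC address. The script below is an added example written for this page, not the rootshell tool or any commenter's code. It builds an ICMP echo request whose Ethernet destination is ff:ff:ff:ff:ff:fe, an assumption borrowed from the classic antisniff-style probes: a NIC filtering on its own unicast and broadcast addresses drops the frame, while a host in promiscuous mode hands it to its IP stack, which (on Linux at least, because the address carries the multicast bit) treats it as deliverable and answers. The interface, MAC and IP values are placeholders, the raw-socket sending part needs root on Linux, and, as t3hX says, the probe does not work against every stack.

```python
"""Probe for NICs in promiscuous mode: ICMP echo to the right IP, wrong MAC.
Added example for this page, not the rootshell tool; addresses are placeholders."""
import socket
import struct
import time

# Assumption: this "nearly broadcast" address passes a host's IP stack in
# promiscuous mode but is dropped by a NIC that filters on its own addresses.
BOGUS_MAC = "ff:ff:ff:ff:ff:fe"
ETH_P_IP = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def checksum(data):
    """RFC 1071 ones-complement sum; returns 0 for data whose checksum field is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ident, seq=1,
                     icmp_type=8, payload=b"promisc-probe"):
    """Ethernet II + IPv4 + ICMP echo (type 8 = request, 0 = reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64,
                         socket.IPPROTO_ICMP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip_hdr + icmp


def build_probe(src_mac, src_ip, target_ip, ident):
    """The probe itself: the target's real IP behind a MAC its NIC should reject."""
    return build_echo_frame(src_mac, BOGUS_MAC, src_ip, target_ip, ident)


def parse_echo_reply(frame):
    """Return (src_mac, src_ip, ident) for a well-formed ICMP echo reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]   # ignore Ethernet padding
    if frame[23] != socket.IPPROTO_ICMP or checksum(frame[14:14 + ihl]) != 0:
        return None
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8 or icmp[0] != 0 or checksum(icmp) != 0:
        return None
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    return src_mac, src_ip, struct.unpack("!H", icmp[4:6])[0]


def is_promisc_reply(frame, target_ip, ident):
    """A reply carrying our ident from target_ip means it saw the bogus-MAC frame."""
    reply = parse_echo_reply(frame)
    return reply is not None and reply[1] == target_ip and reply[2] == ident


if __name__ == "__main__":
    import sys
    # usage: sudo python3 probe.py eth0 02:00:00:00:00:01 10.0.0.5 10.0.0.9 10.0.0.10
    iface, src_mac, src_ip, *targets = sys.argv[1:]
    ident = 0x5EED
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((iface, 0))
    sock.settimeout(0.5)
    for target in targets:
        sock.send(build_probe(src_mac, src_ip, target, ident))
    deadline = time.time() + 3
    while time.time() < deadline:
        try:
            frame = sock.recv(65535)
        except socket.timeout:
            continue
        for target in targets:
            if is_promisc_reply(frame, target, ident):
                print("%s answered a frame sent to %s: likely promiscuous" % (target, BOGUS_MAC))
```

A reply is evidence, not proof: a host whose NIC is in all-multicast mode, or a driver that ignores the hardware filter, answers too, and a stealthed sniffer with no IP address (the case the quoted article describes) never answers at all, which is exactly why that setup is hard to find from the wire.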
"No switch or router can stop you.. infinite ways to attack this.."
There are many defenses for your methods:
port security
802.1x
dhcp-snooping
dynamic arp inspection
IP source guard
etc...
- inactive, on 10/12/2007, -1/+2: can't get article yet...arp poison I'm guessing?
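Several comments in this thread describe the same attack from both sides: ebob9's suggestion to take over the default gateway's MAC or to issue a gratuitous ARP for its IP, signal15's and Apage43's point that ARP spoofing is easy to detect, sekyuritei's observation that one MAC on two switch ports is a tell, and osbjmg's list of switch defenses (port security, dynamic ARP inspection). The script below is an added example written for this page, not code from the article or from any commenter. It implements, in software over raw ARP frames, the checks a switch's Dynamic ARP Inspection and port security perform: sender MAC versus Ethernet source, gratuitous replies, the (IP, MAC) binding table, and MAC moves between ports. The binding table, addresses and port names are constructed for the demonstration.

```python
"""Inspect raw ARP frames the way a switch's Dynamic ARP Inspection and port
security would.  Added example for this page; the binding table, addresses
and port names below are constructed, not taken from any real network."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body (htype 1, ptype IPv4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "eth_dst": mac_str(frame[0:6]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpInspector:
    """bindings: {ip: mac}, what DHCP snooping would have learned (or static entries).
    Also remembers which port each MAC was last seen on, as port security does."""

    def __init__(self, bindings):
        self.bindings = dict(bindings)
        self.mac_port = {}

    def inspect(self, frame, port):
        """Return a list of alert strings for this frame; an empty list means it passes."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        # DAI "validate src-mac": the Ethernet source must match the ARP sender.
        if arp["eth_src"] != arp["sha"]:
            alerts.append("SRC-MAC-MISMATCH eth=%s arp=%s" % (arp["eth_src"], arp["sha"]))
        # A gratuitous ARP (sender IP == target IP) is how a neighbour's cache gets poisoned.
        if arp["spa"] == arp["tpa"]:
            alerts.append("GRATUITOUS %s is-at %s" % (arp["spa"], arp["sha"]))
        # The core DAI check: is (sender IP, sender MAC) in the binding table?
        bound = self.bindings.get(arp["spa"])
        if bound is None:
            alerts.append("UNKNOWN-SENDER %s from %s" % (arp["spa"], arp["sha"]))
        elif bound != arp["sha"]:
            alerts.append("BINDING-MISMATCH %s bound to %s, claimed by %s"
                          % (arp["spa"], bound, arp["sha"]))
        # Port security: the same source MAC appearing on a second port.
        seen = self.mac_port.setdefault(arp["eth_src"], port)
        if seen != port:
            alerts.append("MAC-MOVE %s was on %s, now on %s" % (arp["eth_src"], seen, port))
        return alerts


# Constructed addresses for the demonstration.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
HOST_IP, HOST_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
BINDINGS = {GATEWAY_IP: GATEWAY_MAC, HOST_IP: HOST_MAC}


def demo():
    """Run four frames through the inspector; returns {scenario: alerts}."""
    insp = ArpInspector(BINDINGS)
    frames = [
        ("legit reply", "Gi1/0/1",
         build_arp(GATEWAY_MAC, HOST_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
        ("gratuitous poison", "Gi1/0/7",
         build_arp(ATTACKER_MAC, BROADCAST, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, BROADCAST, GATEWAY_IP)),
        ("forged sender", "Gi1/0/7",
         build_arp(ATTACKER_MAC, HOST_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
        ("cloned gateway MAC", "Gi1/0/7",
         build_arp(GATEWAY_MAC, HOST_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
    ]
    return {name: insp.inspect(frame, port) for name, port, frame in frames}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print("%-20s %s" % (name, alerts or "ok"))
```

The last two scenarios are ebob9's two methods: a forged ARP body behind the attacker's own Ethernet address trips the source-MAC check, and a full clone of the gateway's MAC passes every ARP check but trips the port-move check, which is what sekyuritei meant by "monitoring when MACs switch ports".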