From owner-freebsd-net Tue Jan 4 0:17: 3 2000
Delivered-To: freebsd-net@freebsd.org
Received: from d12lmsgate-3.de.ibm.com (d12lmsgate-3.de.ibm.com [195.212.91.201]) by hub.freebsd.org (Postfix) with ESMTP id 0DFF614D85 for ; Tue, 4 Jan 2000 00:16:59 -0800 (PST) (envelope-from DRHAGER@de.ibm.com)
Received: from d12relay01.de.ibm.com (d12relay01.de.ibm.com [9.165.215.22]) by d12lmsgate-3.de.ibm.com (1.0.0) with ESMTP id JAA110474; Tue, 4 Jan 2000 09:16:55 +0100
From: DRHAGER@de.ibm.com
Received: from d12mta01.de.ibm.com (d12mta01_cs0 [9.165.222.237]) by d12relay01.de.ibm.com (8.8.8m2/NCO v2.06) with SMTP id JAA40254; Tue, 4 Jan 2000 09:16:53 +0100
Received: by d12mta01.de.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id C125685C.002D7CE9 ; Tue, 4 Jan 2000 09:16:50 +0100
X-Lotus-FromDomain: IBMDE
To: Olaf Hoyer
Cc: freebsd-net@FreeBSD.ORG
Message-ID:
Date: Tue, 4 Jan 2000 09:16:45 +0100
Subject: Re: sniffing networks
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

Just have the same problem in our students-home network...
Peer-to-peer network, every OS present, of course no central administration... ;-(
#Would not help anyway...
150 users connected...

OK: How do you perform a search for cards in promiscuous mode?
(Taking some expensive analyzer progs or some simple stuff under UN*X, Linsux or NT?)
#There are a lot of possibilities. Check www.l0pht.com/antisniff/ for example.

2nd: are there any possibilities to think of, that a card is set to promiscuous mode, with no TCP-IP stack behind it to handle requests the normal way, but a "special" stack written to behave like this:
#Why bother for a special stack? To avoid being detected?
#Nonetheless this can be done.

Packets are sniffed/come in, as the card sees every packet on the wire/segment.
Some software written especially for this determines if some criteria match a defined pattern (like a range of IP or MAC numbers, from some other known machines on that network).
#This is tcpdump, for example. But there are more.
#You can get Linux on three floppy disks, boot a machine in the university's CIP pool
#and start your adventure in the internet..

If a packet from/or for such a machine arrives, some action is taken, like dumping that segment to HDD or sending some counter-measures, like a POD attack or so...
#What is a POD attack?

That way you also could easily sniff out mail passwords, as they are not encrypted.

What would one need (time and programming skills) to do such a beast?
#You need some time searching the net. Try www.rootshell.com. Try yahoo and
#search for hacking etc.
#If you are eager to invent the wheel you will need a good grasp of networking
#(for example from the Stevens' books) and a good working knowledge of C.
#(I have always been living in a VMS/Unix world, I can't say anything about NT..)
#It's interesting leisure-time programming, a fairly skilled person can do this
#in days or weeks.

I'm very curious about that, since we already had a bad sniffer attack from inside, where some mail passwords were hacked.
And as our university, where we are connected to with the entire students living block, does not care about that security, we have to figure out about security alone...
#You should think about a firewall.
#You should think about secure shell (SSH) for getting mail.
#You should explain this very well to the students, make them understand
#that they live on an insecure segment. Nobody wants everybody to read his mails.
#I am out of this business, but out of personal ambitions I would try to set up
#an IPv6 network. 1) its fun. 2) you can use encrypted packets. 3) you are a step
#ahead of your students. 4) your students will develop ipv6 skills.
#;-)

Regards
Olaf Hoyer

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
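Added here as an example, not part of the thread above: a small C program that checks the host it runs on for interfaces carrying the kernel's promiscuous flag, using getifaddrs(3) and IFF_PROMISC from <net/if.h> (both available on FreeBSD and Linux). It is the local-host half of a "search for cards in promiscuous mode"; it covers only machines you administer, which is why the remote AntiSniff-style tests mentioned in the thread exist. The interface names in the self-test are constructed sample data.

```c
#define _DEFAULT_SOURCE 1  /* expose IFF_* on glibc under strict -std= */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ifaddrs.h>
#include <net/if.h>

#define MAX_IFACES 64

/* Does this interface flag word carry the kernel's promiscuous bit? */
int is_promisc(unsigned int flags) { return (flags & IFF_PROMISC) != 0; }

/* Walk a getifaddrs() chain and copy each promiscuous interface name into
 * names[] once. The chain has one entry per address family, so the same
 * interface can appear several times; duplicates are skipped. Returns the
 * number of names collected. */
int collect_promisc(const struct ifaddrs *ifa, char names[][IF_NAMESIZE], int max) {
    int n = 0, i, dup;
    for (; ifa != NULL && n < max; ifa = ifa->ifa_next) {
        if (!is_promisc(ifa->ifa_flags)) continue;
        for (dup = 0, i = 0; i < n; i++)
            if (strcmp(names[i], ifa->ifa_name) == 0) { dup = 1; break; }
        if (dup) continue;
        strncpy(names[n], ifa->ifa_name, IF_NAMESIZE - 1);
        names[n][IF_NAMESIZE - 1] = '\0';
        n++;
    }
    return n;
}

/* Query the live host. Returns the count, or -1 if getifaddrs() fails. */
int promisc_ifaces(char names[][IF_NAMESIZE], int max) {
    struct ifaddrs *ifap;
    int n;
    if (getifaddrs(&ifap) != 0) return -1;
    n = collect_promisc(ifap, names, max);
    freeifaddrs(ifap);
    return n;
}

/* Constructed chain (not a real host): fxp0 listed twice (two address
 * families, both promiscuous) and lo0 (not promiscuous). Expected: 1. */
int selftest(void) {
    char names[MAX_IFACES][IF_NAMESIZE];
    struct ifaddrs a = {0}, b = {0}, c = {0};
    a.ifa_name = "fxp0"; a.ifa_flags = IFF_UP | IFF_PROMISC; a.ifa_next = &b;
    b.ifa_name = "fxp0"; b.ifa_flags = IFF_UP | IFF_PROMISC; b.ifa_next = &c;
    c.ifa_name = "lo0";  c.ifa_flags = IFF_UP | IFF_LOOPBACK;
    return collect_promisc(&a, names, MAX_IFACES);
}

int main(void) {
    char names[MAX_IFACES][IF_NAMESIZE];
    int n = promisc_ifaces(names, MAX_IFACES), i;
    if (n < 0) { perror("getifaddrs"); return 1; }
    for (i = 0; i < n; i++) printf("%s: promiscuous mode is on\n", names[i]);
    return 0;
}
```

Run it from cron or a login script on the hosts you manage and log any interface it reports; on a clean workstation it should report nothing.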