Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Hi,

results look consistent to me. No matter how the NIC is set to promiscuous mode, the result is the same.

Thanx,
Jaap

On Mon, 16 Oct 2006, Hans Nilsson wrote:

> Ok, here are the results. I scanned a box running Linux 2.6.X with different NIC and Wireshark settings using Cain & Abel from a box running Windows XP SP2.
>
> B31 B16 B8  Gr  M0  M1  M3
>  0   0   0   0   0   X   X   Wireshark Off - NIC Normal mode
>  X   X   X   X   X   X   X   Wireshark Off - NIC Promiscuous mode
>  0   0   0   0   0   X   X   Wireshark On - NIC Normal mode - Promiscuous mode not set in Options
>  X   X   X   X   X   X   X   Wireshark On - NIC Normal mode - Promiscuous mode set in Options
>  X   X   X   X   X   X   X   Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options
>  X   X   X   X   X   X   X   Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options
>
> If the formatting's screwed up, here's an image: http://i9.tinypic.com/2dhwbpc.png
>
> X = Got ARP Reply
> 0 = Did not get ARP Reply
>
> B31 = ARP destination FF:FF:FF:FF:FF:FE
> B16 = ARP destination FF:FF:00:00:00:00
> B8  = ARP destination FF:00:00:00:00:00
> Gr  = ARP destination 01:00:00:00:00:00
> M0  = ARP destination 01:00:5e:00:00:00
> M1  = ARP destination 01:00:5e:00:00:01
> M3  = ARP destination 01:00:5e:00:00:03
>
> Read the PDF from my previous post for more clarification: http://www.securityfriday.com/promiscuous_detection_01.pdf
>
> So apparently you can quite easily detect if someone's running Wireshark on your network. (Assuming they haven't set up special rules to not reply to these revealing ARP packets or something like that.)
>
> On Fri, 13 Oct 2006 07:19:17 -1100, Hans Nilsson [EMAIL PROTECTED] said:
>> Hello,
>>
>> I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark?
>>
>> When I do ifconfig my network card is not listed as being in promiscuous mode, but under Options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN.
>>
>> So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own and therefore won't be detected by the ARP technique?
>>
>> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
>> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Ok, here are the results. I scanned a box running Linux 2.6.X with different NIC and Wireshark settings using Cain & Abel from a box running Windows XP SP2.

B31 B16 B8  Gr  M0  M1  M3
 0   0   0   0   0   X   X   Wireshark Off - NIC Normal mode
 X   X   X   X   X   X   X   Wireshark Off - NIC Promiscuous mode
 0   0   0   0   0   X   X   Wireshark On - NIC Normal mode - Promiscuous mode not set in Options
 X   X   X   X   X   X   X   Wireshark On - NIC Normal mode - Promiscuous mode set in Options
 X   X   X   X   X   X   X   Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options
 X   X   X   X   X   X   X   Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options

If the formatting's screwed up, here's an image: http://i9.tinypic.com/2dhwbpc.png

X = Got ARP Reply
0 = Did not get ARP Reply

B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8  = ARP destination FF:00:00:00:00:00
Gr  = ARP destination 01:00:00:00:00:00
M0  = ARP destination 01:00:5e:00:00:00
M1  = ARP destination 01:00:5e:00:00:01
M3  = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification: http://www.securityfriday.com/promiscuous_detection_01.pdf

So apparently you can quite easily detect if someone's running Wireshark on your network. (Assuming they haven't set up special rules to not reply to these revealing ARP packets or something like that.)

On Fri, 13 Oct 2006 07:19:17 -1100, Hans Nilsson [EMAIL PROTECTED] said:
> Hello,
>
> I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous mode, but under Options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN.
>
> So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own and therefore won't be detected by the ARP technique?
>
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

-- 
Hans Nilsson
[EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Same, same, but different…
[Wireshark-users] Viability of detecting Wireshark with ARP-packets
Hello,

I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark?

When I do ifconfig my network card is not listed as being in promiscuous mode, but under Options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN.

So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own and therefore won't be detected by the ARP technique?

[1] http://www.securityfriday.com/promiscuous_detection_01.pdf
[2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

-- 
Hans Nilsson
[EMAIL PROTECTED]

-- 
http://www.fastmail.fm - A fast, anti-spam email service.
Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Hans Nilsson wrote:
> Hello,
>
> I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous mode, but under Options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN.
>
> So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own and therefore won't be detected by the ARP technique?
>
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

First of all, on today's switched networks promiscuous mode has a lot less effect than it has on shared networks (e.g. ancient coax Ethernet) - using promiscuous mode will often have no effect (but this depends on your setup, see: http://wiki.wireshark.org/CaptureSetup/Ethernet).

Using promiscuous mode disables a hardware filter of the network interface. It's switched on/off by ifconfig or Wireshark (through libpcap/WinPcap) the same way, so it doesn't make *any difference* which software switched it.

Wireshark's capture options won't show you the current state of the promisc. mode, but what it will use for capturing.

Regards, ULFL
Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Ok, thanks for the information both of you. I think I'll have to do some testing to see what happens, trying some of the test packets in the PDF. I can post my results here later.

On Fri, 13 Oct 2006 15:28:30 -0700, Guy Harris [EMAIL PROTECTED] said:
> On Oct 13, 2006, at 11:19 AM, Hans Nilsson wrote:
>
>> Hello,
>>
>> I recently read the document "Promiscuous node detection using ARP packets" [1] about detecting network cards in promiscuous mode and sniffers with custom-built ARP packets. For example, tools like Cain and Abel [2] have that capability. But I was wondering if this actually works against Wireshark?
>>
>> When I do ifconfig my network card is not listed as being in promiscuous mode, but under Options in Wireshark the card is in promiscuous mode and I can receive all the traffic on my LAN.
>
> Ifconfig does not necessarily report whether a device is really in promiscuous mode. For example, on Linux, as I remember, in Linux 2.2 and later there's a promiscuous mode flag that can be set and cleared with ifconfig and the ioctls ifconfig uses, and another promiscuous mode flag that's set and cleared with different ioctls and that's not available to ifconfig. Libpcap's used the latter flag for quite a while.
>
>> So is this not a problem anymore, since the NIC doesn't have to be manually set to promiscuous mode? Wireshark can do that on its own
>
> Wireshark has always put the card into promiscuous mode by calling libpcap; you never had to do it from the command line.
>
>> and therefore won't be detected by the ARP technique?
>
> The ARP technique depends on packets received by virtue of being in promiscuous mode (i.e., packets that the network adapter would not have supplied to the host if the adapter hadn't been in promiscuous mode) being supplied not only to whatever mechanism is used by sniffer applications but also to the main networking stack. If that happens, the ARP technique might work; if so, it works if the adapter is in promiscuous mode, regardless of how it's put into promiscuous mode.
>
> If that doesn't happen, the ARP technique wouldn't work.

-- 
Hans Nilsson
[EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own
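An added example, not code from the thread, from Wireshark or from Cain & Abel, that puts Guy Harris's and Ulf's explanation and Hans's result table into code: it builds the seven probe frames with the destination MACs listed in the results, models the NIC address filter that promiscuous mode disables, and applies the verdict a promiscuous-node scanner draws from the reply pattern. The source MAC/IP values, the exact-match filter model and the baseline-comparison verdict are assumptions for illustration.

```python
# Added illustration (not from the thread): why ARP probes with odd destination
# MACs reveal a NIC whose hardware address filter has been disabled.
import struct

# Probe labels and destination MACs exactly as listed in Hans's results.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe", "B16": "ff:ff:00:00:00:00",
    "B8": "ff:00:00:00:00:00", "Gr": "01:00:00:00:00:00",
    "M0": "01:00:5e:00:00:00", "M1": "01:00:5e:00:00:01",
    "M3": "01:00:5e:00:00:03",
}

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def arp_probe(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II + ARP who-has request; only the destination MAC is unusual."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # hw=Ethernet, proto=IPv4, op=request
    arp += mac_bytes(src_mac) + bytes(map(int, src_ip.split(".")))
    arp += bytes(6) + bytes(map(int, target_ip.split(".")))  # target MAC unknown
    return eth + arp

def hw_filter_accepts(frame, own_mac, joined_groups, promiscuous):
    """Simplified NIC address filter (the one promiscuous mode disables). Assumes
    exact multicast matching; real NICs often use an imperfect hash filter."""
    if promiscuous:
        return True  # everything is passed up to the stack, ARP included
    dst = frame[:6]
    if dst == mac_bytes(own_mac) or dst == b"\xff" * 6:
        return True  # own unicast address or the true broadcast address
    return dst in {mac_bytes(group) for group in joined_groups}

def replies(own_mac, joined_groups, promiscuous):
    """Probe labels whose frame reaches the ARP code and so gets a reply."""
    answered = set()
    for label, dst in PROBES.items():
        frame = arp_probe(dst, "00:11:22:33:44:55", "192.0.2.1", "192.0.2.10")  # constructed
        if hw_filter_accepts(frame, own_mac, joined_groups, promiscuous):
            answered.add(label)
    return answered

def verdict(observed, baseline):
    """Assumed scanner logic: flag a host answering a probe a normal-mode host ignored."""
    revealing = observed - baseline
    return ("promiscuous" if revealing else "normal", sorted(revealing))

# Reply rows transcribed from Hans's table: the normal-mode row and any promiscuous row.
HANS_NORMAL = {"M1", "M3"}
HANS_PROMISC = set(PROBES)
```

With exact multicast matching the model answers only M1 (all-hosts group) in normal mode; the Linux box in the thread also answered M3, which the simplified filter does not reproduce, while the five fake-broadcast and bogus-group probes separate the two rows either way.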