Re: Is promiscuous mode bad?

2004-08-20 Thread Geert Hendrickx
On Mon, Aug 16, 2004 at 02:24:00PM +0200, Ruben de Groot wrote:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> >
> > A lot of network scanners also trigger on NICS in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
>
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a network
> scanner that could.

IIRC, Linux has/had a bug in its network stack which could reveal
promisc. mode to the outside.  It would reply to all ICMP packets with
the correct IP, whatever MAC address was used.  So if you'd ping a Linux box
twice, but with different MAC addresses, and it replies to both, you'd
know it's set in promisc. mode.

I don't know whether this applies to FreeBSD.  

GH

 
> Ruben
>
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Is promiscuous mode bad?

2004-08-17 Thread Siddhartha Jain
horio shoichi wrote:
| On Mon, 16 Aug 2004 14:24:00 +0200
| Ruben de Groot [EMAIL PROTECTED] wrote:
|
|On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
|
|A lot of network scanners also trigger on NICS in promiscuous mode
|(there's a way to detect them, I forget the details at the moment)
|because admins want to know if any hosts are out there sniffing.
|
|How sure are you about that? AFAIK there's no way to detect a NIC in
|promiscuous mode *from the outside*. I would be very interested in a network
|scanner that could.
|
|Ruben
|
|
|
|
| Ping it with wrong mac.
|
Don't you have to be on the same broadcast domain to do a MAC ping? I
mean how would you do a MAC ping over the internet?
--
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax  : +91-22-26850002
http://www.netmagicsolutions.com


Re: Is promiscuous mode bad?

2004-08-16 Thread Ruben de Groot
On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
>
> A lot of network scanners also trigger on NICS in promiscuous mode
> (there's a way to detect them, I forget the details at the moment)
> because admins want to know if any hosts are out there sniffing.

How sure are you about that? AFAIK there's no way to detect a NIC in 
promiscuous mode *from the outside*. I would be very interested in a network
scanner that could.

Ruben



RE: Is promiscuous mode bad?

2004-08-16 Thread JJB

Promiscuous mode can also be enabled on most hardware routers. A
hardware router in front of a private network with promiscuous mode
enabled allows public internet users to access (sniff) all the
traffic passing through the router as well as insert packets. This
is a major security leak and one that spoofers look for.



Is promiscuous mode bad?

2004-08-16 Thread Siddhartha Jain
JJB wrote:
| Promiscuous mode can also be enabled on most hardware routers. A
| hardware router in front of a private network with promiscuous mode
| enabled allows public internet users to access (sniff) all the
| traffic passing through the router as well as insert packets. This
| is a major security leak and one that spoofers look for.
|
I am curious, how do you do that? From what I understand, promiscuous
mode allows someone on the box to see all packets that hit the
interface. How does it allow an attacker (outside the box) to sniff
packets hitting that interface?
Thanks,
--
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax  : +91-22-26850002
http://www.netmagicsolutions.com



Re: Is promiscuous mode bad?

2004-08-16 Thread Dan Nelson
In the last episode (Aug 16), Ruben de Groot said:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> > A lot of network scanners also trigger on NICS in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
>
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a
> network scanner that could.

The basic points are that since the kernel sees packets it usually
doesn't, there may be codepaths that incorrectly process certain
packets and send replies.  There's also a small delay in processing all
those extra packets that might be seen as extra latency in pings etc.
As CPUs get faster and kernel bugs get fixed, these become harder and
harder to detect.

Do a web or usenet search for "detect promiscuous mode" for lots and
lots of links.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: Is promiscuous mode bad?

2004-08-16 Thread horio shoichi
On Mon, 16 Aug 2004 14:24:00 +0200
Ruben de Groot [EMAIL PROTECTED] wrote:
> On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
> >
> > A lot of network scanners also trigger on NICS in promiscuous mode
> > (there's a way to detect them, I forget the details at the moment)
> > because admins want to know if any hosts are out there sniffing.
>
> How sure are you about that? AFAIK there's no way to detect a NIC in
> promiscuous mode *from the outside*. I would be very interested in a network
> scanner that could.
>
> Ruben
>

Ping it with a wrong MAC.


horio shoichi



Is promiscuous mode bad?

2004-08-15 Thread Aaron Dalton
I was running security/rkhunter and it warns me about my network card being in 
promiscuous mode.  I have a few questions:
1) What exactly is promiscuous mode? (I've done some googling but haven't 
found anything really clear)
2) Why might it be considered a bad thing?
3) How do I disable it if it really is bad?
4) What are the effects of disabling it?

Thank you *so much* for your time!
-- 
Aaron Dalton
http://aaron.daltons.ca


Re: Is promiscuous mode bad?

2004-08-15 Thread Bill Moran
Aaron Dalton [EMAIL PROTECTED] wrote:

> I was running security/rkhunter and it warns me about my network card
> being in promiscuous mode.  I have a few questions:
> 1) What exactly is promiscuous mode? (I've done some googling but haven't
> found anything really clear)

Promiscuous mode means the network card sends all traffic received to the
kernel for processing, even if it wasn't destined for the MAC address of that
card.  In normal mode, traffic not destined for that card is dropped and the
kernel never sees it.

> 2) Why might it be considered a bad thing?

Once the card is placed in promiscuous mode, users on your system can use
packet sniffers to sniff network traffic without needing root privs on
your system.  The NIC is promiscuous for the whole machine.

> 3) How do I disable it if it really is bad?

ifconfig should allow you to do this.

> 4) What are the effects of disabling it?

Pretty much the reverse of #2.  If you're running many types of scanning
software, or network sniffers, they will put the card in promisc mode.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Is promiscuous mode bad?

2004-08-15 Thread Remko Lodder
Aaron Dalton wrote:
> I was running security/rkhunter and it warns me about my network card being in
> promiscuous mode.  I have a few questions:
> 1) What exactly is promiscuous mode? (I've done some googling but haven't
> found anything really clear)
> 2) Why might it be considered a bad thing?
> 3) How do I disable it if it really is bad?
> 4) What are the effects of disabling it?
>
> Thank you *so much* for your time!
Hi Aaron,
1) Promiscuous mode means that your network is dumping its packets
somewhere, normally they get transported. Now the added feature is that
an application like tcpdump can display the packets and with the correct
options (tcpdump -X for example) you can even see what's inside the
packets. If you do plain auth authorization it is possible with a
'sniffer' (which puts your network into promisc. mode) to see what the
username and password of the user is, and then use those credentials to do
something evil.
2) see above
3) ifconfig -a (check which has PROMISC in it)
   ifconfig interfacename -promisc turns the promisc mode off
4) the application that enabled promisc will probably not function
correctly anymore, which is perhaps a good thing.

Are you running any IDSes or something like that, that you know of? Since they also
put the network into promisc mode.

Cheers!
--
Kind regards,
Remko Lodder   |[EMAIL PROTECTED]
Reporter DSINet|[EMAIL PROTECTED]
Projectleader Mostly-Harmless  |[EMAIL PROTECTED]
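The check Remko gives in point 3 (look for PROMISC in `ifconfig -a`, then `ifconfig <if> -promisc`) is what tools like rkhunter automate. The following is an added example, not code from this thread or from rkhunter: it parses FreeBSD-style `ifconfig -a` output and reports which interfaces carry the PROMISC flag. The interface listing in `SAMPLE_IFCONFIG` is constructed for the example and was not captured from a real host; `audit_live()` is the only part that touches the real system and assumes an `ifconfig` binary that prints flags in the `flags=NNNN<A,B,C>` form.

```python
import re
import subprocess

# Constructed sample of FreeBSD `ifconfig -a` output (not from a real host).
# em0 has PROMISC set, the way it would look while tcpdump or snort is running.
SAMPLE_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:10
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# First line of each interface block: "<name>: flags=<hex><FLAG,FLAG,...> ..."
IFACE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+):\s+flags=[0-9a-fA-F]+<(?P<flags>[^>]*)>")


def parse_ifconfig(text):
    """Return {interface_name: set_of_flags} from ifconfig -a style output."""
    result = {}
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            result[m.group("name")] = {f for f in m.group("flags").split(",") if f}
    return result


def promiscuous_interfaces(text):
    """Sorted names of the interfaces whose flag list contains PROMISC."""
    return sorted(name for name, flags in parse_ifconfig(text).items() if "PROMISC" in flags)


def disable_command(name):
    """The ifconfig invocation from the thread for clearing the flag (returned, not run)."""
    return ["ifconfig", name, "-promisc"]


def audit_live():
    """Run the real `ifconfig -a` (FreeBSD assumed) and return the promiscuous interfaces."""
    out = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    for name in promiscuous_interfaces(SAMPLE_IFCONFIG):
        print(f"{name}: PROMISC is set; to clear it run: {' '.join(disable_command(name))}")
```

One caveat when acting on the report: a sniffer that is still attached via bpf will keep the interface promiscuous (the later replies in this thread explain that Snort needs it), so the useful follow-up to a hit is to identify which process opened the interface rather than to clear the flag blindly.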


Re: Is promiscuous mode bad?

2004-08-15 Thread Aaron Dalton
Thank you so much for your replies!  This makes much more sense now.

I am currently running Snort.  I will examine its documentation to see if
promiscuous mode is really necessary.  In the meantime, am I correct in
assuming the only threat is from local users?  If so, currently all users are
trusted so I shan't panic just yet.

Thank you again for your help!
-- 
Aaron Dalton
http://aaron.daltons.ca


Re: Is promiscuous mode bad?

2004-08-15 Thread Kevin D. Kinsey, DaleCo, S.P.
Aaron Dalton wrote:
> Thank you so much for your replies!  This makes much more sense now.
> I am currently running Snort.  I will examine its documentation to see if
> promiscuous mode is really necessary.

It is.

> In the meantime, am I correct in
> assuming the only threat is from local users?

Yes.

> If so, currently all users are
> trusted so I shan't panic just yet.

Hmm, the human heart is a dangerous thing.
;-)
Kevin Kinsey
DaleCo, S.P.


Re: Is promiscuous mode bad?

2004-08-15 Thread Remko Lodder
Aaron Dalton wrote:
> Thank you so much for your replies!  This makes much more sense now.
> I am currently running Snort.  I will examine its documentation to see if
> promiscuous mode is really necessary.  In the meantime, am I correct in
> assuming the only threat is from local users?  If so, currently all users are
> trusted so I shan't panic just yet.
>
> Thank you again for your help!
Snort uses promisc to capture the packets off the line and examine them.
So this needs to be turned on in order to do some productive things :)
Turning it off will disable snort, actually.

Reminder for bill: sniffing via bpf requires the same privileges whether
promisc. is set or not, so you always need to be root for sniffing data
off the line, that is when the permissions are not tampered with :).
Thanks #bsddocs (simon ;))

--
Kind regards,
Remko Lodder   |[EMAIL PROTECTED]
Reporter DSINet|[EMAIL PROTECTED]
Projectleader Mostly-Harmless  |[EMAIL PROTECTED]


Re: Is promiscuous mode bad?

2004-08-15 Thread Bill Moran
Remko Lodder [EMAIL PROTECTED] wrote:

> Reminder for bill: sniffing via bpf requires the same privileges whether
> promisc. is set or not, so you always need to be root for sniffing data
> off the line, that is when the permissions are not tampered with :).
> Thanks #bsddocs (simon ;))

Really?  Then I stand corrected.

If that's the case, though, what _is_ the administrative danger of running
in PROMISC mode?

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Is promiscuous mode bad?

2004-08-15 Thread Kevin Stevens
On Aug 15, 2004, at 15:32, Bill Moran wrote:
> Remko Lodder [EMAIL PROTECTED] wrote:
> > Reminder for bill: sniffing via bpf requires the same privileges whether
> > promisc. is set or not, so you always need to be root for sniffing data
> > off the line, that is when the permissions are not tampered with :).
> > Thanks #bsddocs (simon ;))
> Really?  Then I stand corrected.
> If that's the case, though, what _is_ the administrative danger of running
> in PROMISC mode?
I think, in general, it's the notion that if the NIC is listening to 
things it shouldn't, it may hear something it doesn't want to.  ;)

In other words, there would be concern over exploits targeted at 
services or daemons that don't screen inbound traffic for the 
destination address being that of the local host, because they assume 
that such traffic could never be delivered to them.  That type of 
thing.

A lot of network scanners also trigger on NICS in promiscuous mode 
(there's a way to detect them, I forget the details at the moment) 
because admins want to know if any hosts are out there sniffing.

KeS
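Three messages in this thread describe the same mechanism from different angles: Bill Moran's definition (in normal mode the card drops frames not addressed to its MAC; in promiscuous mode the kernel sees everything), Kevin Stevens' warning about code paths that never check the destination address because they assume such traffic cannot reach them, and Geert's two-ping observation (a host that answers an echo request carried in a frame with a bogus destination MAC has revealed that its interface is promiscuous). The model below is an added example and is not code from the thread, from FreeBSD or from Linux; it simulates the receive path at the level of the discussion only. Frame, nic_delivers, host_replies and the 00:00:5e:00:53:xx MAC addresses are constructed for the example, and filter_on_dst_mac stands for the destination-address check a correct stack performs, which is the mitigation the thread points at: with it in place, promiscuous mode is no longer observable from the outside, even though the NIC still hands every frame to the kernel.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet/IP frame model, constructed for this example."""
    dst_mac: str
    src_mac: str
    dst_ip: str
    payload: str  # "icmp-echo" marks an echo request


def nic_delivers(frame, own_mac, promisc):
    """What the card hands to the kernel.

    Normal mode: only frames for our own MAC or the broadcast MAC (Bill Moran's
    definition).  Promiscuous mode: every frame on the segment, which is what
    tcpdump and Snort rely on.
    """
    if promisc:
        return True
    return frame.dst_mac.lower() in (own_mac.lower(), BROADCAST_MAC)


def host_replies(frame, own_mac, own_ip, promisc, filter_on_dst_mac):
    """True if the host would send an echo reply for this frame.

    filter_on_dst_mac models the check Kevin Stevens describes as missing in
    careless code paths: a frame that reached the kernel only because the card
    is promiscuous must still be dropped when its destination MAC is not ours.
    Without it, anything keyed on the IP address alone answers frames that were
    never addressed to this host.
    """
    if not nic_delivers(frame, own_mac, promisc):
        return False
    if filter_on_dst_mac and frame.dst_mac.lower() not in (own_mac.lower(), BROADCAST_MAC):
        return False
    return frame.dst_ip == own_ip and frame.payload == "icmp-echo"


def leaks_promisc_state(own_mac, own_ip, promisc, filter_on_dst_mac):
    """Geert's observation: a correctly addressed echo request followed by one
    carried in a frame with a bogus destination MAC.  If both are answered, a
    host on the same segment can infer that the interface is promiscuous."""
    probe_src = "00:00:5e:00:53:01"            # constructed neighbour address
    well_formed = Frame(own_mac, probe_src, own_ip, "icmp-echo")
    wrong_mac = Frame("00:00:5e:00:53:ff", probe_src, own_ip, "icmp-echo")
    answered_good = host_replies(well_formed, own_mac, own_ip, promisc, filter_on_dst_mac)
    answered_bogus = host_replies(wrong_mac, own_mac, own_ip, promisc, filter_on_dst_mac)
    return answered_good and answered_bogus


def summary(own_mac="00:00:5e:00:53:10", own_ip="192.0.2.10"):
    """Outcome for the three configurations the thread discusses."""
    return {
        "normal": leaks_promisc_state(own_mac, own_ip, promisc=False, filter_on_dst_mac=False),
        "promisc_unfiltered": leaks_promisc_state(own_mac, own_ip, promisc=True, filter_on_dst_mac=False),
        "promisc_filtered": leaks_promisc_state(own_mac, own_ip, promisc=True, filter_on_dst_mac=True),
    }


if __name__ == "__main__":
    for mode, leaks in summary().items():
        print(f"{mode:20s} promisc observable from outside: {leaks}")
```

The model also shows why Siddhartha's question about broadcast domains is the right one: the bogus frame has to be placed on the wire with the victim's IP but a foreign MAC, and only a host on the same segment can address a frame that way, so this is a local observation, not something a remote scanner can perform across routers.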