There is a technique for promiscuous interface detection using ARP
packets that is very interesting. This technique was presented at
Blackhat by Daiji Sanai, from Securityfriday.com. They have software
called Promiscan that implements the technique. I don't know if the
software has already been commercially released, but the link for
downloading the presentation is below.

http://www.blackhat.com/presentations/bh-usa-01/DaijiSanai/bh-usa-01-Sanai.ppt



Alberto Cozer
Security Analyst, Future Technologies Digital Security
IBM Certified AIX System Specialist
[EMAIL PROTECTED]
http://www.fti.com.br



"Dante Mercurio" <dmercurio@ccgsecurity.com>
To: "Christian Steinert" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
11/12/2001 03:31
Subject: RE: promiscuous Mode detection?




Using a receive only patch cable should make sniffers virtually
undetectable. Also good for IDS systems, if you don't need to alert
over the ethernet, or have a secondary one.

http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Group Manager
[EMAIL PROTECTED]
Continental Consulting Group, LLC
www.ccgsecurity.com


-----Original Message-----
From: Christian Steinert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2001 6:57 AM
To: [EMAIL PROTECTED]
Subject: promiscuous Mode detection?


A question that came up to me was the following -
How in the is it possible to detect if a machine's network adapter is
in promiscuous mode?
If the machine pays more attention on what is flooding around - how
can this be noticed outside at all...?

Well - I searched a little and found some points that got my thoughts
running:

I have read that OS behaviour differs when the adapter is in
promiscuous mode.
Why is that necessary/why the case?...
I found something about abnormal answers to crafted multicast
packets...

- but one could filter that out when combining sniffing with a VERY
special firewall - even if the OS networking does bogus; couldn't
one...?

Additionally I found that some sniffers would produce lots of DNS
requests to resolve the host names belonging to the recorded packets.
- but one should be able to deactivate this, shouldn't one...?
Maybe one could even archive foreign DNS query results...? - so the
machine could remain passive while still gathering some DNS
information...

Well what remains is statistical attacks. Wouldn't it be able to
prioritize answering to normal requests that are directed at the
listening station? - Or to make the network adapter decode _these_
packets in hardware as normal? Couldn't one somehow decrease the time
needed to answer statistical response time probes targeted at a
promiscuous mode host... ( - I mean without specially crafted hardware)

Anything more you can use to remotely discover listening network
stations?
(It's obvious that it should be easy to discover promiscuous mode from
"inside" a machine - one probably couldn't guard against that without
major OS patches that would fool a local scanner...)

Found a lot of tools but little description.
Surely one of you hotshots will know a little more than me...
Thanks.
Christian.






