Announcement

Collapse
No announcement yet.

IDS Evasion / Detecting a Passive Sniffer

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • skroo
    replied
    Originally posted by yankee
    IF one had access to a box (compromised or not), and, for whatever reason, one wanted to initiate network traffic to or from said box and not be noticed, one would be well advised to remember a few things: IDS devcies can run as an agent on the box itself, and IDS may not be in the same LAN broadcast domain as said box.
    Entirely possible. Also, if you want to log your IDS' activity without pointing fingers to it, there are plenty of non-IP options for doing so. Logging via serial, for example, or USB or FireWire if you generate tons of data. The data never touches ethernet so you never see it. No modification is required; virtually every IDS on the market supports an option like this.

    Leave a comment:


  • yankee
    replied
    Originally posted by baysick2k
    If I have compromised a box, and I want to move about the network undetected or as stelthy as possible. How can I detect if there is any sort of listening device on the same network as my jump off? And what would I need to do to obfusicate or blend into normal traffic.

    When I say 'passive' I mean driver firmware on the IDS/Sniffer interface has been modified so no bits go on the wire...Its completely invisable...a Hybrid IDS ;)
    IF one had access to a box (compromised or not), and, for whatever reason, one wanted to initiate network traffic to or from said box and not be noticed, one would be well advised to remember a few things: IDS devcies can run as an agent on the box itself, and IDS may not be in the same LAN broadcast domain as said box.

    That said, I find it difficult to believe that an IDS would be set up in the fashion you describe. They generally have to transfer log data and alarms to other machines, so unless it has two interfaces the above scenario is unlikely. And if it has an interface that isn't "passive"....

    Leave a comment:


  • baysick2k
    replied
    Question Refined

    Originally posted by skroo
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.
    *******************************************
    Your right Im a bit vauge...

    Senario:
    If I have compromised a box, and I want to move about the network undetected or as stelthy as possible. How can I detect if there is any sort of listening device on the same network as my jump off? And what would I need to do to obfusicate or blend into normal traffic.

    When I say 'passive' I mean driver firmware on the IDS/Sniffer interface has been modified so no bits go on the wire...Its completely invisable...a Hybrid IDS ;)
    Yeah, I may have the terminology wrong. Heres a good IDS dictionary [URL=http://www.securityfocus.com/infocus/1728[/URL] (Part 1 of 2)
    I actually found Anti-sniff and played with it a bit, (usually find what you are looing for after you post) Nonetheless, is there any other tools that work in a *NIX environment...Im really interested in how DNS traffic and ICMP traffic would fair against an "Hybrid IDS." Thanks

    Leave a comment:


  • yankee
    replied
    Another excellent overview:

    http://www.securityfriday.com/promis...tection_01.pdf

    I've used packet excalibur and ethereal to do exactly what you asked about.

    Leave a comment:


  • highwizard
    Guest replied
    Originally posted by skroo
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.

    It's called "Anti-Sniff"

    http://binaries.it-faq.pl/windows/se...tech-paper.htm

    Leave a comment:


  • skroo
    replied
    Originally posted by baysick2k
    Im looking for techniques or tools that can detect if there is a passive sniffer on the line. Other than finding a management port how can I find a system that is in a passive mode?
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.

    Leave a comment:


  • baysick2k
    started a topic IDS Evasion / Detecting a Passive Sniffer

    IDS Evasion / Detecting a Passive Sniffer

    Im looking for techniques or tools that can detect if there is a passive sniffer on the line. Other than finding a management port how can I find a system that is in a passive mode?
Working...
X