Sniff attack and traceroute

Sniffing packects is a bit different than ARP poisoning. Sniffers usually only capture packets that are sent through the network. Sniffing packets will place the computers NIC in promiscuous mode. If your trying to discover a sniffer in your network, and you use a Unix based system, use the command ifconfig -a and look for PROMISC. If your system is Windows based you can use a tool like promiscdetect.

http://www.ntsecurity.nu/toolbox/promiscdetect/

Poisoning of a target's arp cache to convince the target host to build ethernet frames with a destination address of the "sniffing host" so the switch passes those frames to the "sniffing host" which then re-packages the layer2 payload for the router to pass them on, is not sniffing in the conventional sense-- it is a non-passive (active) attack to allow for MiM processing. Such an attack would need to be applied to the logical next hop (like a router or host on the same subnet) in order to have both halves of any session.

If the packets are only forwarded on layer2 (802.* for those that match) then traceroute would not show the intermediate host, because "routing" happens at layer3 (IP) and "traceroute" (for the most part) operates at layer3/4. The arp information that is primarily for frame manufacturing in knowing what destination MAC address to include in the Layer2 header.

Assuming something about how the sniffing host works, the intermediate sniffing host is not actually a IP-based "hop" as Layer 3/4 is concerned, as it is not an IP address in the path of traffic, it is only a layer 2 host in the path. (Imagine a switch that does store and forward where it sends a frame only after it has received the complete frame. This switch would also not appear as a "hop" from traceroute for similar reasons.)

Any delay would likey be very, very small and similar to a burdened etherswitch.

Good idea, thinking about stuff like this, in this kinda way I think is what makes people a hacker. For being new to networking, your already ahead of the game on many people that think they know about networking....

The tool that is the most popular among 'arp poisoners' I think is ettercap. Cain for windows and Dsniff also support arp spoofing as do im sure a few other tools.
In the older versions, there was an option in the 'curses interface where you can check for other 'poisoners' ... This would send out a very noisey arp storm, and see if a MAC (layer2 address) responds twice, it lets you know.
As TheCotMan said excellently, your new spoofed gateway will slow you down...
It also will NOT show up on a traceroute...
If he is spoofing more than one machines gateway, or even the entire switch.. then all of the traffic will go through him, thus things will be quite slower.
The danger of ARP poisoning is VERY HIGH... this is a 'mmtm' (Man-in-the-middle) situation and if the end user is not very technical and/or the attacker is very resourceful, they can sniff all your traffic, they can present you with fake certs and then sniff your HTTPS traffic, she/he can even sniff your SSHv1 traffic. He/She can inject data into your outgoing or incoming frames, and they can drop whatever they want. He/She is in control. Ettercap has large support for filters, that is where the real scary shit starts....

Some cisco routers I believe will protect from arp poisoning, snort will give you alerts, but a vast majority of networks are quite vulnerable to this attack. If you run windows, even if you staticly assign a gateway, you can still be victimized. If you run *nix and have enough permission, you can set your route staticly, and thus be protected from ARP poisioning (but not much else, esp if they have control of the switch, physical access, etc).

I am thinking of a community college near where I live that uses SSN's for computer lab logins... this college also allows you to bring your laptop in for special occasions. (I can't think its that rare...)
The SSN box (program written in VB) sends the number in plaintxt form to a central Database, and gets a reply (that contains other student information and the name of the student). This is horrible, and even in the name of security and personal information discloser, they won't change the system. (I already used diff. number as my student ID, and i recommend anyone else that can switch to something else do so...)
ARP poisioning is very effective for an attacker, and can be hard to protect against.

Straight forward answer with a nice link there, thanks



Very informative, that's 11 out of 10 rating , thanks for your time TheCotMan.



My gosh, Defcon is just great

Its funny. When people can ask intelligent questions without any attitude, we can be downright helpful. Almost too helpful, I started to reply to this thread several times and both times found that everyone else gave you the same advice I was going to.

From what I've known so far, if you see PROMISC after typing the command ifconfig -a, it only tells you that you have a sniffer running on YOUR SYSTEM, not in any other computers on your network (i thought it is earlier). Unless you're the administrator of the network having access to all root account on every computers in your network, then it's possible to check which computer in the network may be running a sniffer.

Please let me know if there's any misconception, thanks.

Nope, you are correct. This just informs you that your local interface is running in promiscous mode, thus accepting all packets coming to it on the wire, not just the ones intended for it. This also will NOT work on a network switch, unless ARP poisioning has occured already.
But there's plenty of hubs out there... (what a great idea that was, (hubs))

OK. Here is where I can get tedious and be a PITA (Pain in the Ass):

Just because you see "PROMISC" does not mean that you have a sniffer on your machine.
Just because you *don't* see "PROMISC" does not mean you do not have a sniffer on your machine.

I believe that if you chose to install the netatalk suite of Apple Filesharing tools that support EtherTalk/AppleTalk in addition to the TCP/IP for Apple Filesharing, that you may still see "PROMISC" on your interface because of what netatalk needs (or needed) to do with network traffic to make EtherTalk/AppleTalk work over ethernet WRT FilesSharing and PrinterSharing.

You can use "ifconfig" to enable "PROMISC" even if you do not have a sniffer running on the box.

A common theme for rootkits that include sniffers is to alter the content ifconfig provides through altering PATH/making-a-wrapper/system-trojan/*, or provide an ifconfig that is modified to not show "PROMISC" even when it really has it.

There are also other methods to sniff on a machine even without the interface configured to show "PROMISC" when you run ifconfig.

This does not mean sighting "PROMISC" when conducting ifconfig is useless, but it is something that should not be equated to, "there is a sniffer here," and more importantly, lack of seeing "PROMISC" should not be equated to "The must NOT be a sniffer here."

There are tools that claim to be able to detect sniffers on networks, but IMO, the advantage to not being detected when using passive sniffing techniques favors the attacker. Active sniffing attacks are another story.