- sekyuritei, on 10/12/2007, -4/+11Of course, this wouldn't work if someone is monitoring when MACs switch ports, or when you use 802.1X. I would love to catch someone thinking they could get away with this at my job. Dugg because it's still a great article!
- mindwarp, on 10/12/2007, -2/+8You sound pretty confident, but you are only as secure as your switch firmware. If someone has the skills, and infiltrates your physical network, all bets are off.
- signal15, on 10/12/2007, -1/+16A more reliable way of doing this is to make a patch cable with the TX pair disconnected. That will ensure you don't accidentally send something over the wire.
However, most companies use switches, and unless you do some arp spoofing, you will only see broadcast traffic, or traffic sent to your machine (of which there should be none if you don't have a MAC addy or you didn't connect the TX pair). ARP spoofing is easily detectable. Another method is to flood the switch port with random MAC addresses. Some switches will freak out and stop switching and go into a sort of "hub" mode. dsniff and ettercap both provide the functionality you need to do either one of these attacks.
- bg_27, on 10/12/2007, -15/+3Yah but someone can easily spoof their MAC address, my intel driver lets me specify a MAC address, so monitoring MAC addresses on ports just gives you a false sense of security.
- EgoDemens, on 10/12/2007, -3/+10@bg_27
Wrong discussion to use that argument. Your argument is for wireless networks and whitelisting MAC addresses. What sekyuritei suggested is that if you have the same MAC on two ports of your physical switch, something funny is going on. Also don't regurgitate random ***** just because some of the words match.
- TexMurphy, on 10/12/2007, -2/+1!!!!!!!!!!!!!!!Construction and Use of a Passive Ethernet Tap!!!!!!!!!!!
@sekyuritei
I would like to know where you work. So I can point and laugh........................................................
http://gd.tuwien.ac.at/infosys/security/snort/docs/tap/
- PRlME, on 10/12/2007, -18/+1its n00b jack ass with 2 zeros.
and stop usein n00b its so played out.
- radu79, on 10/12/2007, -6/+2This is so lame.. It's something any half literate network admin knows, and that's why you use a switch and encrypted protocols even on the local network (SFATP, SSH, etc.).
When I read the title I thought this guy came up with some device to read the signal without physically breaking into the network (by reading the radiation from the wire or something).
- cbreaker, on 10/12/2007, -0/+3"A more reliable way of doing this is to make a patch cable with the TX pair disconnected. That will ensure you don't accidentally send something over the wire."
That only works if your hardware is a dumb switch/hub. For any managed switch, you won't get any traffic until you have a link and a visible MAC. At least not on any of our Extreme switches. That, and since most good switches now are L3, you won't get anything but broadcasts anyways, and I don't know of too many protocols that broadcast unencrypted passwords.
- DeusMachinae, on 10/12/2007, -0/+1This would work pretty well on a college network eh.. mwahahhaa
- bradleyland, on 10/12/2007, -1/+0@TexMurphy
You will still only get traffic that appears on the cable you're monitoring if switching equipment is used.
- TinMan, on 10/12/2007, -14/+6It's called use a hub..
- Phil246, on 10/12/2007, -4/+1or infact, use a switch if you want to prevent this sorta thing :)
- DeepDoo, on 10/12/2007, -2/+19All of us BOFHs really, really, really, hope all of you users try something like this on our networks. I love to get people fired for being dumb.
- pcgeek101, on 10/12/2007, -1/+6Lol ... well said. I've had to report suspicious activity on quite a few occasions recently :)
Needless to say, I had plenty of data gathered from forensics (switch log, server logs, proxy logs, etc.) to back my statements .. oh, and did I mention my favorite feature of my HP core switch ... port mirroring? :)
- zttrx, on 10/12/2007, -0/+9Indeed. Just as one should never assume one's network is unhackable, so must a hacker assume that their actions are never untraceable.
- 022A, on 10/12/2007, -17/+2Sad that you derive pleasure from ***** people rather than (apparently) doing your job well.
- theBrink, on 10/12/2007, -1/+6uh, I would think that he is doing his job well. It's not like you run past a cop with a brand new TV/DVD player and he sits there and goes "oh, that was probably completely innocent"
- DeepDoo, on 10/12/2007, -5/+7@022A
Eliminating people who are a security risk is my job as a BOFH. People should be doing the work for which they are hired. My job happens to be systems administrator or BOFH. A large part of that job is securing the network and eliminating threats from both outside threats and inside threats. If you work for my organization and you threaten the security of my network, you will be fired. And I will smile for having done my job well.
- skyshock21, on 10/12/2007, -4/+6Pardon me for being ignorant, but ... BOFH?
Bag Of Fat Hog?
Barf On Fast Hyenas?
Boof Or F*ck Horses?
- Jerk, on 10/12/2007, -1/+3Bastard Operator From Hell
- intenselygreen, on 10/12/2007, -1/+5FYI: Bastard Operator From Hell.
See:
http://www.bofh.com/
- DontSayFanboy, on 10/12/2007, -2/+10edit: BEATEN damn
Bastard Operator From Hell. Do a google search, you'll find quite a few stories.
I am a sysadmin, but I would never call myself a BOFH. I guess I'm lucky to work in academia where I enjoy working with my users and educating them as opposed to being proud of being an ***** to them and trying to get everyone fired. Yes, we've caught students trying to hack things but we usually just embarrass them. If they are really good, we'll hire them.
- Yoshi39, on 10/12/2007, -1/+2Bastard operator from hell
http://en.wikipedia.org/wiki/Bastard_Operator_From_Hell
- t3hX, on 10/12/2007, -0/+2>Sad that you derive pleasure from ***** people rather than (apparently) doing your job well.
Keeping "hackers" off the network IS part of your job as a BOFH.
- theBrink, on 10/12/2007, -1/+2can't get article yet...arp poison I'm guessing?
- senfo, on 10/12/2007, -1/+3You've probably been haxored by this 1337 haxor of a dude we know as apachehtaccess.
- theBrink, on 10/12/2007, -0/+7as tinman said, article is misleading, this would not normally net you anything on a switched network (and most people have switches nowadays, hubs are so eww) so you get a broadcast here and there, you won't have any passwords from that.
- TheSavageNation, on 10/12/2007, -7/+2It's called man in the middle.
http://en.wikipedia.org/wiki/Man_in_the_middle_attack
- theBrink, on 10/12/2007, -1/+5MITM is never silent by nature, wtg.
- linnerd40, on 10/12/2007, -1/+2http://www.duggmirror.com
- jwigum, on 10/12/2007, -0/+4"If an admin or IDS saw 12 packets (as in my example) originating from 00:00:00:00:00:00 or aa:bb:cc:dd:ee:ff do you think he would pull out all the stops and think there is someone eavesdropping? Of course not."
Unless he thought to himself "Someone is sniffing around on my network... Release the hounds!" If he's being security conscious, I think he'd be more than a little concerned. Even more so if it was a "closed" network, that didn't allow anything other than what the company deployed.
- Apage43, on 10/12/2007, -0/+5Indeed, those are VERY suspicious looking addresses, and mean that someone is DEFINITELY spoofing their address
- ebob9, on 10/12/2007, -1/+26In the article, they mention that data is still being sent. In my experience, usually the data that is transmitted is stuff the PC still has running unknown to the user - Daemons, Ethereal/Wireshark doing reverse DNS lookups on IPs, etc.
Forging your MAC and keeping hidden is not the hard part -- the hard part is actually seeing any useful data. Most modern switches only transmit unsolicited broadcast/multicast traffic down all ports, so you will only see traffic destined for your MAC address.
To see useful data, you have a few methods:
If you have physical access to the network equipment, this is easy. Best method is to put a passive tap (copper, fiber if you're made of money) on a trunk port between redundant switches. You can see everything then - but be sure and up your MTU so you can see any VLAN/802.1p tags that might be in use. You can use a hub instead of a tap if they are using 10/100 copper connections. (Netgear makes a sweet 4-port Dual-Speed that works great for this). You can also mirror ports on the switches, but that gets hairy and requires network configuration changes - leaving tracks.
If you don't have physical access to the network equipment, (for example, you are a cube slave) it becomes a little trickier. If you can change your MAC address, then you should try a man-in-the-middle attack. You can try spoofing the MAC of the default gateway, then forwarding all traffic back on to that default gateway. Another method for a Man-in-the-Middle attack uses Gratuitous ARPs, you can issue a Gratuitous ARP for your default gateway's IP, pointing to any false MAC address.
my $.02
--ebob9
- zttrx, on 10/12/2007, -3/+13@ebob9: This is not slashdot...informative comments are buried here.
- ebob9, on 10/12/2007, -2/+12@zttrx: Sorry, I'm new here. Let me try again: OMG, the article has funky green colours my eyes are burning!!
- zttrx, on 10/12/2007, -9/+3Pretty good, but you didn't say "*****" or "W00!!!". And weirdly, your comment was not buried!
Boobs!
- macewan, on 10/12/2007, -0/+2It will also help if you bring up Ubuntu at some point.
- kohlmannj, on 10/12/2007, -1/+3Hmm, whatever happened to, oh, you know, *not* secretly syphoning data off a network. Karma (points?), people, y'know what I'm sayin'?
- DeepDoo, on 10/12/2007, -0/+5when you admin a big network at a big organization, you always assume someone will be trying stuff like this. All (good) admins have an overdeveloped sense of paranoia.
- Goosemaster, on 10/12/2007, -0/+1DeepDoo :
Hence the massive amount of hookers in the IT trenches and the 12 o'clock (GMT -5) 1500ml shot of "Russian inspiration, Russian resilience, and downright Russian vengeance"
- Goosemaster, on 10/12/2007, -0/+3kids these days with their sniffing...
back in my day we used to get drunk off our asses and break into the data center like real men...good times.
- smaragd, on 10/12/2007, -10/+0What is a "MAC"? Is that anything like a "Mac"? Or are you talking about "MACS"?
- smaragd, on 10/12/2007, -9/+0Ah, I see. Yes, MACs, not Macs. Never mind me. :-p
- bunni, on 10/12/2007, -0/+10Zomg someone's poisoned the arp water hole. Only man in the middle can save us now!
- PRlME, on 10/12/2007, -5/+1good discussion and post...i learned a lot from you guys 2day.
- webcrumb, on 10/12/2007, -0/+2Unfortunately not good use of standard English...
- KORGOTH, on 10/12/2007, -1/+27Last time I tried sniffing the Ethernet, I passed out.
- Apage43, on 10/12/2007, -0/+3Undetected sniffing only works on non-switched networks. These days switches are cheap, and the only way to sniff a network that uses switches is ARP spoofing, which is quite -easily- detectable, but also easy to do with the right tools.
- RobM, on 10/12/2007, -4/+2You need to be in promiscuous mode to sniff, and that's detectable.
- ebob9, on 10/12/2007, -1/+3From what I understand, promiscuous mode means that your ethernet card is no longer ignoring frames sent to MAC addresses other than your own. It instead processes these frames, which allows your sniffer (tcpdump, wireshark, etc) to read the frames not intended for the station off the wire.
From my understanding, this shouldn't be detectable - however I remember a small .c program on rootshell.org (long time ago) that claimed to detect NICs in promiscuous mode. Anyone have an idea how this is/was done?
- t3hX, on 10/12/2007, -0/+2It was done by sending an RARP request or maybe a ping (I can't remember) to the right IP address, but wrong MAC address, so that the computer gets the frame, only bothers checking the IP address (the MAC address got checked by the driver/card, right? and I wouldn't be getting the frame if it wasn't for me), and the computer responds.
Doesn't work on all systems.
- Farticus, on 10/12/2007, -5/+2So you like to do a bit of sniffing in tight spots?
Just as well you're not a proctologist!
- r121, on 10/12/2007, -0/+1ew.
- apachehtaccess, on 10/12/2007, -4/+0Guys why don't you read the entire article before posting "why it doesn't work"... I discuss many of these same caveats in the article, and if you want more info on port-stealing, and other switch attacks, read http://www.askapache.com/2006/security/arp-stuff.html
- justthisguyyano, on 10/12/2007, -0/+2First, I'm glad that people like you enjoy bragging. It makes my job that much easier.
Second, you're dangerous. Turning off power to a building just to get a router/switch to reboot, dangerous.
It also means you have some kind of special access to the physical locations of the data and electrical closets. Abuse of trust.
Third, most of what you document will work but it will also leave a trail a mile wide to any decent network security professional.
- lpmusix, on 10/12/2007, -1/+1The only way you're gettin into my switch is with physical access. I'd like to see you get in the locked door to the building, up the secure elevator (or secured stairs), into the colo area, and finally into my colo room. All nice and locked. How do you expect to kill power there? Of course ignoring the UPS systems and generators that would prevent any such outage. Try again later. K-Thx
- osbjmg, on 10/12/2007, -0/+1You ARE bragging, and you are incorrect:
"No switch or router can stop you.. infinite ways to attack this.."
There are many defenses for your methods:
port security
802.1x
dhcp-snooping
dynamic arp inspection
IP source guard
etc...
- osbjmg, on 10/12/2007, -0/+1You can't single or double tag traffic on a non trunk port bra, all traffic will be dev-nulled.
I gotta get off this site, it's making me angry :) In short, you have done a bit of research but if someone were watching, they would probably find you since you are 80% of the way there. It sounds like you are just playing around with no objective for the network you are trying to compromise... get a goal and then maybe put your heart into it and you may succeed. The best way to hack anything is to trick dumb people into giving you the info anyway.
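A defender-side check for the ARP tricks ebob9 describes above (a gratuitous ARP for the gateway's IP, pointing either at the attacker's own MAC or at a false one) and for the "dynamic arp inspection" entry in osbjmg's list of defenses: an added example, not code from the article or from any commenter. The 192.168.1.0/24 addresses, the MACs, the trusted binding table and the four sample frames are all constructed for the example; the placeholder MACs flagged are the ones jwigum's quote names.

```python
import struct

ARP_ETHERTYPE = 0x0806
# MACs jwigum's quote names as obviously forged (all-zero, aa:bb:cc:dd:ee:ff) plus
# broadcast, which is never a legitimate ARP sender.
PLACEHOLDER_MACS = {"00:00:00:00:00:00", "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff"}

def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (used to build samples)."""
    return (_mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ARP_ETHERTYPE)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))

def parse_arp(frame):
    """ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

class ArpInspector:
    """Checks ARP frames against a trusted IP->MAC table, as Dynamic ARP Inspection does
    against the DHCP-snooping binding table. inspect() returns a list of alert strings."""
    def __init__(self, bindings):
        self.bindings = dict(bindings)

    def inspect(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []  # not ARP: outside this inspector's scope
        alerts = []
        if arp["sha"] != arp["eth_src"]:  # ARP sender address disagrees with the frame's source
            alerts.append(f"mac-mismatch: frame from {arp['eth_src']} carries sha {arp['sha']}")
        if arp["sha"] in PLACEHOLDER_MACS or arp["eth_src"] in PLACEHOLDER_MACS:
            alerts.append(f"placeholder-mac: {arp['sha']}")
        trusted = self.bindings.get(arp["spa"])
        if trusted is not None and trusted != arp["sha"]:
            kind = "gratuitous" if arp["spa"] == arp["tpa"] else "reply" if arp["oper"] == 2 else "request"
            alerts.append(f"binding-conflict: {kind} ARP says {arp['spa']} is {arp['sha']}, "
                          f"trusted binding is {trusted}")
        return alerts

# Constructed sample LAN (not a real capture): gateway .1, host .50, attacker NIC ...:99.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.50": "00:11:22:33:44:50"}
SAMPLE_FRAMES = [
    # 1. genuine unicast reply from the gateway to the host
    build_arp("00:11:22:33:44:01", 2, "00:11:22:33:44:01", "192.168.1.1",
              "00:11:22:33:44:50", "192.168.1.50", eth_dst="00:11:22:33:44:50"),
    # 2. gratuitous ARP from the attacker's own MAC claiming the gateway's IP
    build_arp("00:11:22:33:44:99", 1, "00:11:22:33:44:99", "192.168.1.1",
              "00:00:00:00:00:00", "192.168.1.1"),
    # 3. gratuitous ARP pointing the gateway's IP at a false MAC (ebob9's second variant)
    build_arp("00:11:22:33:44:99", 2, "aa:bb:cc:dd:ee:ff", "192.168.1.1",
              "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    # 4. an IPv4 frame (EtherType 0x0800), which the inspector ignores
    _mac("00:11:22:33:44:50") + _mac("00:11:22:33:44:01") + b"\x08\x00" + b"\x45" + b"\x00" * 41,
]

def inspect_samples():
    return [ArpInspector(TRUSTED).inspect(f) for f in SAMPLE_FRAMES]
```

A switch running dynamic ARP inspection drops frames that fail the binding check; this monitor only reports them, which is the arpwatch-style view an admin gets from a mirror port.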
- diecastbeatdown, on 10/12/2007, -0/+1snort inline.
- Hindu_Wardrobe, on 10/12/2007, -2/+4Here come the silly Apple fanboys saying "lololol u cant do this on a pc only a MAC cuz see rite there it sayz MAC lololol"
- t3hX, on 10/12/2007, -0/+1Here come the silly Apple haters who say "lolol all the apple fanboys are going to say this..."
Although, on a side note, a lot of the Windows network drivers (especially wireless drivers) don't support promiscuous mode, and definitely not monitor mode. So actually, you'd be better off on a Mac or a Linux machine.
- cbreaker, on 10/12/2007, -0/+1Such as? I've always been able to run netmon on any NIC I've used, and there's been a lot of them. Including some really crappy "Ethernet on a chip" SMC cards and old ISA cards.
- t3hX, on 10/12/2007, -0/+2The author of this article has no idea what he's talking about...
- apachehtaccess, on 10/12/2007, -0/+0Thanks for the good feedback guys!
I don't see it as bragging at all! It's simply an article that documents what I learned for myself while doing some research.
I wanted to document the steps and results from this intellectual exercise to get feedback and open discussion on the issue. I don't see why some posters are quick to assume mastery over this subject when it is obvious that they haven't actually sat down and tried it for themselves.
- osbjmg, on 10/12/2007, -0/+1He doesn't mention the method he uses to see the passwords. Maybe that will help on a hub, but no worky on a switch (that isn't flooding at the time anyway). There are surely ways to grab other people's traffic in addition, but he doesn't go over this nor the way to defend against it... oh well. 4/10
- apachehtaccess, on 10/12/2007, -0/+0Ahh, read the article..
SNIP:
-------------------------------
"Yes I have overloaded several switches CAM tables and turned it into “HUB” operating mode.. But man is that ever loud! The ISP called me up and asked me if I knew anything about 2 GIGs of data being sent out from my port on the switch.. (layer 2) ..
Really the best way in my experience is arp poisoning. Ettercap has the basics included in their program. I have also had the experience of literally shutting down a switch from flooding the CAM.. you never really know what will happen. It’s usually not in your favor.
Also, if you start arp poisoning RIGHT after a power-outage (whether you shut off the power or it just went out) a lot of times you have a 15-45 second window where the switches will be acting like HUBs.. If you can poison some key targets in different network segments before the switch starts switching, you can really drop the normal restrictions.
Oh and you can also turn off your arp using ifconfig like
$ ifconfig eth0 -arp
But When you use the method outlined above, of course your NIC never sends out arp requests.. That is the whole point of NOT having an ipv6 or ip address.. and that is also why this method dictates NO ROUTES in the kernel or userland.
Your NIC and ip stack just doesn’t have anybody to send the arps to! If you aren’t connected to any networks, how can it send a broadcast? And if you don’t have an IP address, where would the arp tell everyone to reply to? See what I mean?
The MAC address being set to a non-suspicious looking address is just to slip by as a network anomaly instead of actually looking like a rogue MAC.
In general though, I was talking about using this technique to splice into the wire at an uplink spot.
So If I wanted to capture the router passwords for my apartment complex, I would find the router and use a portable hub to connect my packet-sniffing computer in-between the router and the modem or uplink. Then I would call tech-support about something and watch them log into the router.. then I have the password and its almost detectionless because it is completely passive."
--------------------------------
- cbreaker, on 10/12/2007, -0/+2Yea, you'll get 15-45 seconds of your switch acting like a hub when you're using a ***** Dell switch. Any respectable switch from Cisco or Extreme don't pass any traffic until everything is up. On the BlackDiamond 8810, the whole reboot process takes about 7 seconds. (it runs Linux, too.)
- apachehtaccess, on 10/12/2007, -0/+1Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.
In a column about syslog I mentioned "stealth logging"--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection systems (NIDSes) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.
A "stealthed" machine - one with an interface "up" but not bound to IPv4 (or any other protocols) will be entirely invisible. It does not look for packets destined for its "supposed IP", as it has no "supposed IP". It looks for packets destined for other machines on the network with real IPs.
Such machines will not respond to ARP packets (or indeed any other packets) - do not have IP addresses (hence can't be pinged), do not have IPX addresses etc, and do not respond to any type of broadcast or any other packet.
AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.
I have personally run a stealthed machine and happily watched the "packets received" counter in /sbin/ifconfig go up while the "packets transmitted" stays bolted at zero.
One thing that *might* give away the existence of such a machine would be outgoing DNS requests, but determining this would be very difficult. Also, most IDSs do not do realtime DNS resolution for performance reasons.
If you run a stealth IDS and need it to do DNS requests, obviously those need to go via an alternative interface, probably with a firewall and/or DNS cache between it and the network it's sniffing (if it even goes out via the same route at all)
Nevertheless in theory, an attacker who has compromised a machine on the same segment as this IDS and also set it into promiscuous mode (so it sees the same traffic) could send an attack which is detected, then watch an outgoing reverse DNS request for his IP.
That could make the IDS detectable, however the attacker could not possibly know the identity of this machine, as its other interface (i.e. the only one with a real private IP) is sitting behind another firewall and sending its DNS requests out via an intermediate DNS.
- apachehtaccess, on 09/12/2008, -0/+1The updated url is actually: http://www.askapache.com/security/sniffing-on-ethe ...