URL Obscuring COEN 152/252 Computer Forensics Thomas Schwarz, S.J. 2004.
COEN 252 Computer Forensics Remote Sniffer Detection.
COEN 252 Computer Forensics
Remote Sniffer Detection
Sniffer Detection
On the host:
- Look for capture files (typically big and growing).
- Look for a promiscuous card.
- Look for unauthorized connections or processes.
- Rootkits can prevent sniffers from being detected.
On the net:
- Traffic analysis.
- Traffic injection (probing).
- Much harder.
Network based Sniffer Detection
- Promiscuous mode detection
- DNS tests
- Network latency tests
- Trapping
Network based Sniffer Detection
NIC hardware addresses: the NIC sets up different receive filters.
- Broadcast: receive all broadcast frames (destination MAC ff:ff:ff:ff:ff:ff).
- Multicast: based on the multicast address, or all multicasts.
- Promiscuous: receive all packets.
Promiscuous mode detection
Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address.
A card in non-promiscuous mode only catches packets addressed to that MAC address.
MAC Promiscuous Mode Detection
- Send an echo request to the right IP address but with a wrong MAC address.
- Only a NIC in promiscuous mode will pick up a frame with a wrong MAC address.
- The "Echo Request" packet is passed up the stack to the IP layer.
- The IP layer answers it.
MAC detection (slide 7; no transcribed text)
ARP Detection
- Send an ARP request with a false MAC and the correct IP address.
- Only a promiscuous NIC will pick up the packet.
- The kernel sends an ARP reply.
Software Filtering Based Detection
Different OSs implement filters differently. We can try fake broadcast addresses:
- FF:FF:FF:FF:FF:FF:FF:FE (Br47): last bit missing.
- FF:FF:00:00:00:00:00:00 (BR16): only the first 16 bits are the same as for broadcast.
- FF:00:00:00:00:00:00:00 (BR8)
- F0:00:00:00:00:00:00:00 (BR4)
Software Filtering Based Detection
Different OSs implement filters differently. We can try fake multicast addresses:
- 01:00:00:00:00:00:00:00 (Gr): only the group bit set.
- 01:00:5E:00:00:00:00:00 (M0): multicast address zero is usually not used.
- 01:00:5E:00:00:00:00:01 (M1, assigned to all): multicast address one should be received by all in the test system.
- 01:00:5E:00:00:00:00:02 (M2, assigned to a different set of nodes): multicast address two should not be received by systems in the test group.
- 01:00:5E:00:00:00:00:03 (M3): not registered.
Software Filtering Based Detection
Response to various ARP requests. Each cell gives normal mode / promiscuous mode; O legal response, X illegal response, -- no response.

| Probe | Windows XP | WinME / 9x | Win2K/NT | Linux 2.4.x | FreeBSD 5.0 |
| --- | --- | --- | --- | --- | --- |
| B47 | -- / X | -- / X | -- / X | -- / X | -- / X |
| B16 | -- / X | -- / X | X / X | -- / X | -- / X |
| B8 | -- / -- | -- / X | -- / -- | -- / X | -- / X |
| Gr | -- / -- | -- / -- | -- / -- | -- / X | -- / X |
| M0 | -- / -- | -- / -- | -- / -- | -- / X | -- / X |
| M1 | O / O | O / O | O / O | O / O | O / O |
| M2 | -- / -- | -- / -- | -- / -- | -- / X | -- / X |
| M3 | -- / -- | -- / -- | -- / -- | -- / X | -- / X |
Software Filtering Based Detection
ARP requests to fake MAC addresses can detect promiscuous cards, in an OS-dependent manner.
Trabelsi, Rahmani, Kaouech, Frikha: Malicious Sniffing Systems Detection Platform, SAINT ’04.
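As an added example (not from the slides or from Trabelsi et al.), the frame construction and decision logic behind the ARP probes of the preceding slides, in Python: it builds an ARP request whose Ethernet destination is one of the test MACs, recognises the reply, and marks a host promiscuous when it answers a probe its OS ignores in normal mode (the left columns of the table). Assumptions: MAC addresses are 48 bits, so the test addresses are written with six octets matching the bit counts in their names; the per-OS "legal in normal mode" sets are read off the table; sending the frame on a raw socket and capturing replies is left out.

```python
import struct

# Probe destination MACs from the slides, written as 48-bit (six-octet) addresses;
# the label says how many leading bits agree with broadcast ff:ff:ff:ff:ff:ff.
PROBES = {
    "B47": "ff:ff:ff:ff:ff:fe", "B16": "ff:ff:00:00:00:00",
    "B8": "ff:00:00:00:00:00", "Gr": "01:00:00:00:00:00",
    "M0": "01:00:5e:00:00:00", "M1": "01:00:5e:00:00:01",
    "M2": "01:00:5e:00:00:02", "M3": "01:00:5e:00:00:03",
}
# Probes a NIC in normal mode legitimately answers (left columns of the table):
# every OS answers M1, and Win2K/NT also answers B16.
LEGAL_NORMAL = {
    "Windows XP": {"M1"}, "WinME/9x": {"M1"}, "Win2K/NT": {"M1", "B16"},
    "Linux 2.4.x": {"M1"}, "FreeBSD 5.0": {"M1"},
}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def build_arp_probe(src_mac, src_ip, target_ip, probe):
    """Ethernet frame with an ARP request for target_ip whose Ethernet
    destination is the fake MAC PROBES[probe] instead of broadcast."""
    eth = mac_bytes(PROBES[probe]) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, op=request
    arp += mac_bytes(src_mac) + bytes(map(int, src_ip.split(".")))  # sender
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))  # target
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:  # op=2 is reply
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return mac, ip

def classify(answered, os_name):
    """answered: labels of the probes the target replied to. A reply to any
    probe its OS ignores in normal mode is the 'X' of the table."""
    illegal = answered - LEGAL_NORMAL[os_name]
    if illegal:
        return "promiscuous", sorted(illegal)
    if "M1" not in answered:
        return "no response", []  # host down or filtered: inconclusive
    return "normal", []
```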
DNS Detection Technique
- Password sniffers (or sniffers not in stealth mode) generate network traffic.
- Sniffers use reverse DNS lookups:
  - because they think they found a password and want to know the system;
  - because they want to provide the user with the names of the machines.
DNS Detection Technique (slide 14; no transcribed text)
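Added example, not from the slides: detection logic for the DNS technique. It parses DNS queries seen on the wire and reports any client that issues a reverse (PTR) lookup for a trap address, that is, an address that carries only the test traffic, so no legitimate host has a reason to resolve it. The trap-address set, the client addresses and the constructed 192.0.2.x samples are assumptions; capturing the UDP payloads from the network is left out.

```python
import struct

def parse_dns_question(payload):
    """Return (qname, qtype) of the first question, or None if not a query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointer: not valid in a question name
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 2 > len(payload):
        return None
    return ".".join(labels), struct.unpack("!H", payload[pos:pos + 2])[0]

def ptr_target_ip(qname):
    """'20.2.0.192.in-addr.arpa' -> '192.0.2.20'; None for any other name."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(parts[:4]))

def sniffer_reverse_lookups(queries, trap_ips):
    """queries: (client_ip, dns_payload) pairs seen on the wire. A PTR lookup of
    a trap address can only come from a sniffer: no legitimate host talked to it."""
    hits = []
    for client, payload in queries:
        q = parse_dns_question(payload)
        if q and q[1] == 12:  # QTYPE 12 = PTR (reverse lookup)
            ip = ptr_target_ip(q[0])
            if ip in trap_ips:
                hits.append((client, ip))
    return hits

def build_ptr_query(ip, txid=0x1234):
    """Constructed sample PTR query for ip, used only to feed the detector."""
    name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", 12, 1)  # QTYPE=PTR, QCLASS=IN
```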
Load Detection Technique
- Sniffers are hard on machine resources.
- A sniffer degrades performance when there is a lot of network load.
- Hence, generate lots of network load and measure timing.
Load Detection Technique (slide 16; no transcribed text)
Round Trip Time Measuring Technique
- Experiments show: round trip times show OS-dependent differences of 10% - 40% between normal mode and promiscuous mode.
- This allows reliable detection.
- Using ICMP messages is less network-load dependent.
Bait Technique
- Create telnet traffic to a fake telnet server, with lots of logins and passwords.
- The sniffer takes the bait: telnet attempts to the non-existing server follow.
- Works like a honey-pot.