Archive: October 2001 ml@sikurezza.org
Subject: More on stealth sniffing
From: Marco Ivaldi
Date: 30 Oct 2001 17:10:52 -0000
Hello everyone,

I'm posting a link on the topic of physical stealth sniffing, which explains
what is needed to build an ad hoc receive-only UTP cable. A short snippet
to give you an idea of what it is about:

--------------------------------------------------------------------------------
Ethernet hubs (or switches) check the "link status" of the cable, which
is done by periodically detecting if any signal has ever been received. If
you simply disconnect the transmit pair of the cable, the hub will not
detect anything from the cable and therefore report the cable as "not
connected".

The method here tries to introduce a large amount of errors in the
transmission path, so that a signal can still be detected, but almost no packet
can pass the CRC error check.
--------------------------------------------------------------------------------

The link in question is:
http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm


Another interesting solution (hub only) is proposed in the Snort FAQ
itself:

--------------------------------------------------------------------------------
Q:  How do I setup snort on a 'stealth' interface?

A:  Bring up the interface without an IP address on it. See FAQ 3.2...
    http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A:  Use an ethernet tap, or build your own 'receive-only' ethernet cable.
    http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
A:  Anyway, here is the cable I use:

    LAN       Sniffer
    1 -----\    /-- 1
    2 ---\ |    \-- 2
    3 ---+-*------- 3
    4 -  |        - 4
    5 -  |        - 5
    6 ---*--------- 6
    7 -           - 7
    8 -           - 8

    Basically, 1 and 2 on the sniffer side are connected, 3 and 6
    straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
    6 respectively. This fakes a link on both ends but only allows
    traffic from the LAN to the sniffer. It also causes the 'incoming'
    traffic to be sent back to the LAN, so this cable only works well on
    a hub. You can use it on a switch but you will get ...err...
    interesting results. Since the switch receives the packets back in on
    the port it sent them out, the MAC table gets confused and after a
    short while devices start to drop off the switch. Works like a charm
    on a hub though.
--------------------------------------------------------------------------------

To summarize: cutting the TX pair of an RJ-45 cable is not enough to create
a working "stealth" cable: doing so would cause link problems with the
network equipment (hubs, switches). That procedure does, however, work
perfectly with AUI cables, for anyone interested.

This should close the "stealth sniffing" thread :)

+------------------------------------------------------------+
|Marco Ivaldi                    Email:  mi@mediaservice.net
|Security Manager                Phone:  (+39)-011-32.72.100
|D.S.D. Data Security Division   Fax:    (+39)-011-32.46.497
|@ Mediaservice.net Srl          http://www.0xdeadbeef.eu.org
|Get my PGP pubkey at http://www.0xdeadbeef.eu.org/raptor.asc



________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
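
The wiring of the Snort FAQ cable quoted in the post above, modelled as electrical nets and compared with the "just cut the TX pair" cable. This is an added example, not part of the original post or of the Snort FAQ. It assumes the usual 10BASE-T pin roles (a NIC transmits on pins 1/2 and receives on 3/6, a hub port the reverse), which the post does not state; all names are illustrative.

```python
# Added example: connectivity model of the receive-only cable from the FAQ.
# Assumption (not on the page): standard 10BASE-T pin roles, see below.
NIC_TX, NIC_RX = (1, 2), (3, 6)   # sniffer NIC (MDI): transmits on 1/2
HUB_TX, HUB_RX = (3, 6), (1, 2)   # hub port (MDI-X): transmits on 3/6

# Each tuple ties two pins together; "lan" and "sniffer" are the cable ends.
FAQ_CABLE = [
    (("sniffer", 1), ("sniffer", 2)),  # 1 and 2 on the sniffer side connected
    (("lan", 3), ("sniffer", 3)),      # 3 straight through
    (("lan", 6), ("sniffer", 6)),      # 6 straight through
    (("lan", 1), ("lan", 3)),          # LAN 1 connects to 3
    (("lan", 2), ("lan", 6)),          # LAN 2 connects to 6
]
# Straight cable with the sniffer's transmit pair (1/2) simply cut.
CUT_TX_CABLE = [(("lan", 3), ("sniffer", 3)), (("lan", 6), ("sniffer", 6))]


def nets(wires):
    """Return a find() that maps a pin to its electrically connected net."""
    parent = {}

    def find(pin):
        parent.setdefault(pin, pin)
        while parent[pin] != pin:
            parent[pin] = parent[parent[pin]]  # path compression
            pin = parent[pin]
        return pin

    for a, b in wires:
        parent[find(a)] = find(b)
    return find


def analyse(wires):
    """Connectivity only (not an electrical simulation) of one cable."""
    find = nets(wires)

    def driven(rx_side, rx_pins, tx_side, tx_pins):
        # A receive pair is driven if every pin shares a net with a TX pin.
        sources = {find((tx_side, p)) for p in tx_pins}
        return all(find((rx_side, p)) in sources for p in rx_pins)

    looped = driven("lan", HUB_RX, "lan", HUB_TX)
    heard = driven("lan", HUB_RX, "sniffer", NIC_TX)
    return {
        "sniffer_hears_lan": driven("sniffer", NIC_RX, "lan", HUB_TX),
        "lan_hears_sniffer": heard,       # must be False for a stealth tap
        "lan_port_sees_link": looped or heard,
        "lan_tx_looped_back": looped,     # why a switch's MAC table gets confused
    }
```

`analyse(FAQ_CABLE)` shows the hub port keeping link only because its own transmit pair is fed back into its receive pair, while `analyse(CUT_TX_CABLE)` shows the port receiving nothing at all, which is the "not connected" case described in the first quote.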



