Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 252 Computer Forensics Remote Sniffer Detection.

Published byRalf Parrish Modified over 9 years ago

Similar presentations

Presentation on theme: "COEN 252 Computer Forensics Remote Sniffer Detection."— Presentation transcript:

1 COEN 252 Computer Forensics Remote Sniffer Detection

2 Sniffer Detection On the Host Look for capture files (typically big and growing). Look for a promiscuous card. Look for unauthorized connections or processes. Rootkits can prevent sniffers from being detected. On the Net Traffic analysis Traffic injection (probing) Much harder.

3 Network based Sniffer Detection Promiscuous mode detection DNS tests. Network latency tests. Trapping

4 Network based Sniffer Detection NIC hardware addresses NIC sets up different filters Broadcast: receive all broadcast addresses (with MAC ff:ff:ff:ff:ff:ff) Multicast based on multicast address All multicasts Promiscuous: receive all packets.

5 Promiscuous mode detection Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address. Card in non-promiscuous mode only catches packets with that MAC address.

6 MAC Promiscuous Mode Detection Send an echo request to the right IP address but with wrong MAC address. Only a NIC in promiscuous mode will pick up something with a wrong MAC address. The “Echo Request” package is passed up the stack to the IP layer. IP layer answers it.

7 MAC detection

8 ARP Detection Send an arp request with false MAC and correct IP address. Only promiscuous NIC will pick up package. Kernel sends ARP reply.

9 Software Filtering Based Detection Different OS implement filters differently. We can try: Fake broadcasting messages: FF:FF:FF:FF:FF:FF:FF:FE (Br47): Last bit missing FF:FF:00:00:00:00:00:00 (BR16) Only first 16 bits are the same as for broadcast. FF:00:00:00:00:00:00:00 (BR8) F0:00:00:00:00:00:00:00 (BR4)

10 Software Filtering Based Detection Different OS implement filters differently. We can try: Fake multicasting messages: 01:00:00:00:00:00:00:00 (Gr) Only group-bit set. 01:00:5E:00:00:00:00:00 (M0) Multicast address zero is usually not used 01:00:5E:00:00:00:00:01 (M1)(assigned to all) Multicast address one should be received by all in the test system 01:00:5E:00:00:00:00:02 (M2)(assigned to different set of nodes) Multicast address two should not be received by systems in the test group. 01:00:5E:00:00:00:00:03 (M3)(not registered)

11 Software Filtering Based Detection Windows XPWinME / 9xWin2K/NTLinux 2.4.xFree BSD 5.0 B47--X X X X X B16--X XXX X X B8-- X X X Gr-- X X M0-- X X M1OOOOOOOOOO M2-- X X M3-- X X Response to various ARP requests. Normal mode: left column, promiscuous mode: right column O legal response, X illegal response, -- no response

12 Software Filtering Based Detection ARP requests to fake MAC addresses can determine promiscuous cards in an OS dependent manner. Trabelsi, Rahmani, Kaouech, Frikha: Malicious Sniffing Systems Detection Platform, SAINT ’04.

13 DNS Detection Technique Password sniffers (or sniffers not in stealth mode) generate network traffic. Sniffers use reverse DNS lookup Because they think they found a password and want to know the system. Because they want to provide the user with the name of the machines.

14 DNS Detection Technique

15 Load Detection Technique Sniffers are hard on the machine resources. Sniffer degrades performance when there is a lot of network load. Hence, generate lots of network load and measure timing.

16 Load Detection Technique

17 Round Trip Time Measuring Technique Experiments show: Round Trip Times show OS dependent differences of 10% - 40% between normal mode and promiscuous mode. Allows reliable detection. Using ICMP messages is less network load dependent.

18 Bait Technique Create telnet for a fake telnet server. With lots of logins + passwords. Sniffer takes bait. Telnet attempts to non-existing server. Works like a honey-pot.

Download ppt "COEN 252 Computer Forensics Remote Sniffer Detection."

Similar presentations

Man in the Middle Attack

Man in the Middle Attack
Tactics to Discover “Passive” Monitoring Devices

Tactics to Discover “Passive” Monitoring Devices
WARNING ! The system is either busy or has been unstable. You can wait and See if it becomes available again, or you can restart your computer. *

WARNING ! The system is either busy or has been unstable. You can wait and See if it becomes available again, or you can restart your computer. *
ARP cache Poisoning For the Detection of Sniffers in an Ethernet Network Raoudha KHCHERIF Assistant Professor National School of Computer Science University.

ARP cache Poisoning For the Detection of Sniffers in an Ethernet Network Raoudha KHCHERIF Assistant Professor National School of Computer Science University.
1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.

1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.
1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.

1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Chapter 2 Internet Protocol DoD Model Four layers: – Process/Application layer – Host-to-Host layer – Internet layer – Network Access layer.

Chapter 2 Internet Protocol DoD Model Four layers: – Process/Application layer – Host-to-Host layer – Internet layer – Network Access layer.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)

1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.

Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
ARP Under Normal Conditions. The basics arp with reverse DNS lookup for each IP arp –a # Windows & linux Without reverse DNS lookup (runs faster) arp.

ARP Under Normal Conditions. The basics arp with reverse DNS lookup for each IP arp –a # Windows & linux Without reverse DNS lookup (runs faster) arp.

Similar presentations

Ads by Google