
List:       bugtraq
Subject:    Re: (How) Does AntiSniff do what is claimed?
From:       Dave Dittrich <dittrich () CAC ! WASHINGTON ! EDU>
Date:       1999-07-29 21:11:08

> > If AntiSniff becomes popular, I'd estimate only a few months grace
> > before Black Hats have made a reduced-functionality sniffer which slips
> > under AntiSniff's radar. I don't have any use for such a tool, but if
> > I did I doubt I'd need more than a week or two to get it right.
>
> We've had the same discussion in the nmap-hackers list.
>
> ...
> There is already a popular UN*X package that does promisc. detection.  It
> is called hunt. (http://www.cri.cz/kra/index.html).  It also does MAC
> spoofing, ARP collection, connection hijacking, etc ...

It's interesting you brought up "hunt", but not in the context in which
I was thinking about it.  Here is where I think the real easy evasion
mechanism is going to be.

Unless I'm wrong (and no doubt I'll be corrected), suppose instead of
promiscuous mode sniffing of any packets on the segment, you instead use
"hunt" to do ARP cache poisoning and packet relaying to play "man in the
middle" on TCP sessions between clients on/off the local network, with a
juicy server on the same network (or vice-versa).

The sniffing is then done without incurring the delays due to
promiscuous mode, and the latency then shows up in the relaying of
packets from bogus MAC address(es) to valid MAC address(es) (which
AntiSniff is not looking for).  Wouldn't this allow a fairly simple --
albeit directed attack that requires more packet handling power than the
server has -- way to still capture passwords?

If you ask me, the "solution" is still encrypted sessions, and AntiSniff
is still a good way to raise the bar a bit higher so the kiddies whack
their little faces on it.

--
Dave Dittrich                 Client Services
dittrich@cac.washington.edu   Computing & Communications
                              University of Washington

Dave Dittrich / dittrich@cac.washington.edu [PGP Key]
http://www.washington.edu/People/dad/
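
The evasion described above relies on ARP cache poisoning rather than promiscuous mode, so the complementary check on the defender's side is to watch ARP replies on the segment for IP-to-MAC remaps and for one MAC answering for several IPs. This is an added example in Python, not code from the post, from hunt or from AntiSniff; the ARP replies, the addresses and the `detect_arp_poisoning` function are constructed for illustration.

```python
"""Toy ARP-poisoning detector (added example, not from the original post).

Feeds a stream of ARP replies into an IP->MAC table and raises an alert
when an IP is re-mapped to a different MAC, or when one MAC claims more
than one IP, which is the footprint a relay host sitting between a client
and a server leaves on the segment. All sample data below is constructed."""
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac).
# 10.0.0.1 plays the server, 10.0.0.50 a client, aa:...:99 the relay host.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1",  "00:11:22:33:44:01"),
    (1.2, "10.0.0.50", "00:11:22:33:44:50"),
    (1.5, "10.0.0.7",  "00:11:22:33:44:07"),
    (9.0, "10.0.0.1",  "aa:bb:cc:dd:ee:99"),   # server IP now claimed by a new MAC
    (9.1, "10.0.0.50", "aa:bb:cc:dd:ee:99"),   # same MAC also claims the client IP
]


def detect_arp_poisoning(replies, known_multi_ip_macs=frozenset()):
    """Return (alerts, ip_to_mac).

    alerts is a list of (timestamp, kind, detail) tuples, kind being
    "remap" or "multi-ip". known_multi_ip_macs suppresses the multi-ip
    alert for hosts that legitimately answer for several IPs (routers,
    aliased interfaces); it is an assumed allowlist, not from the post."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append((ts, "remap", f"{ip}: {old} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in known_multi_ip_macs:
            alerts.append((ts, "multi-ip", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts, ip_to_mac


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES)[0]:
        print(alert)
```

A real deployment would feed this from a passive ARP capture and compare against a static table of expected mappings; the latency-based check AntiSniff performs would see nothing here, since the relay host never has to enter promiscuous mode.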
