Detecting Computers in Promiscuous Mode
Sunday, March 1, 2009
I had a late night discussion on the L this weekend about detecting someone sniffing on your network. I think his question meant to be "how do you detect if someone is performing a man-in-the-middle attack" which is just too much of an open question to go into right now. But, if the question was how do you detect if someone is sniffing traffic on your network, that could be answered in a simpler more blogable way.
Promiscuous Mode
When most(all?) systems attempt to sniff network traffic, their network cards run in promiscuous mode. But what does this mean exactly? Wikipedia has a succinct explanation:
Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing.
Detecting Promiscuous Mode Network Cards
So if know that promiscuous mode is used for sniffing and if you're attempting to control your local network, you're going to want to know which systems are sniffing on the network so lets find out who's running in promiscuous mode. There are a ton of tools out there to just detect promiscuous mode (see External Links below) but once again it's Nmap ftw.
Development versions of NMap include a script called "sniffer-detect.nse" and in current/old versions this script is called "promiscuous.nse." You can run it like this:
If a system has been detected to be running in promiscuous mode, you'll see this:
We can see that the system has been detected to be running in promiscuous mode and the result is "11111111." Different operating systems report different combinations of 1's. Linux reports "11111111", Windows 2k, XP, Vista, and Windows 7 reports "111___1_", and Windows 98 reports "1111__1_". By default, the script will only report NICs in promiscuous mode so if you don't see get any results, that's because the scan returned false.
When This Doesn't Work
So that's neat, we can detect when systems are sniffing the network using wireshark or other sniffing tools but what about if someone installs a hub or network tap? These are devices that are designed to forward copies of packets to another interface without making any noise thereby sniffing traffic that goes through the device.
The short answer is you can't.
The longer answer is that it depends on the hub and how you've setup your network. As far as I know Cisco and other higher end network equipment give you some control but it's not perfect.
Detection vs Prevention
Of course I have to say that detecting a sniffer is not a good way of maintaining control of the network. Even if you automate this process, it most likely will be too late to protect from anything being stolen.
These are the preventative measures that I've compiled and if someone has other suggestions, please let me know.
- Host to host encryption (IPSEC)
- Force other encrypted protocols (SSL,FTPS,SSH)
- Have a switch only policy for your network
- Implement a NAC/NAP system
- Keep physical access to network closets/rooms restricted and controlled
- Perform regular physical inspection of all your network interfaces in the facility (offices, conference rooms, hidden in drop down ceilings - no seriously)
- Implement a secure proxy server for web traffic (Squid)
External Links
http://www.mnin.org/?page=promisc&left=off - good break down and detection script using perl and nemesis
http://www.securityfriday.com/promiscuous_detection_01.pdf - the original paper describing how to detect NICs in promiscuous mode using ARP packets
http://nmap.org/nsedoc/scripts/sniffer-detect.html - quick description of what sniffer-detect.nse does
http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&displaylang=en - Microsoft GUI tool that can scan for promiscuous mode NICs
http://www.securityfocus.com/tools/3333 - tool to run locally on a *NIX system to detect promiscuous mode enabled NICs
http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm - Cain and Abel have the ability to scan for promiscuous mode MAC's too. (wasn't able to get it to work though)
I had a late night discussion on the L this weekend about detecting someone sniffing on your network. I think his question meant to be "how do you detect if someone is performing a man-in-the-middle attack" which is just too much of an open question to go into right now. But, if the question was how do you detect if someone is sniffing traffic on your network, that could be answered in a simpler more blogable way.
Promiscuous Mode
When most(all?) systems attempt to sniff network traffic, their network cards run in promiscuous mode. But what does this mean exactly? Wikipedia has a succinct explanation:
Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing.
Detecting Promiscuous Mode Network Cards
So if know that promiscuous mode is used for sniffing and if you're attempting to control your local network, you're going to want to know which systems are sniffing on the network so lets find out who's running in promiscuous mode. There are a ton of tools out there to just detect promiscuous mode (see External Links below) but once again it's Nmap ftw.
Development versions of NMap include a script called "sniffer-detect.nse" and in current/old versions this script is called "promiscuous.nse." You can run it like this:
If a system has been detected to be running in promiscuous mode, you'll see this:
We can see that the system has been detected to be running in promiscuous mode and the result is "11111111." Different operating systems report different combinations of 1's. Linux reports "11111111", Windows 2k, XP, Vista, and Windows 7 reports "111___1_", and Windows 98 reports "1111__1_". By default, the script will only report NICs in promiscuous mode so if you don't see get any results, that's because the scan returned false.
When This Doesn't Work
So that's neat, we can detect when systems are sniffing the network using wireshark or other sniffing tools but what about if someone installs a hub or network tap? These are devices that are designed to forward copies of packets to another interface without making any noise thereby sniffing traffic that goes through the device.
The short answer is you can't.
The longer answer is that it depends on the hub and how you've setup your network. As far as I know Cisco and other higher end network equipment give you some control but it's not perfect.
Detection vs Prevention
Of course I have to say that detecting a sniffer is not a good way of maintaining control of the network. Even if you automate this process, it most likely will be too late to protect from anything being stolen.
These are the preventative measures that I've compiled and if someone has other suggestions, please let me know.
- Host to host encryption (IPSEC)
- Force other encrypted protocols (SSL,FTPS,SSH)
- Have a switch only policy for your network
- Implement a NAC/NAP system
- Keep physical access to network closets/rooms restricted and controlled
- Perform regular physical inspection of all your network interfaces in the facility (offices, conference rooms, hidden in drop down ceilings - no seriously)
- Implement a secure proxy server for web traffic (Squid)
External Links
http://www.mnin.org/?page=promisc&left=off - good break down and detection script using perl and nemesishttp://www.securityfriday.com/promiscuous_detection_01.pdf - the original paper describing how to detect NICs in promiscuous mode using ARP packets
http://nmap.org/nsedoc/scripts/sniffer-detect.html - quick description of what sniffer-detect.nse does
http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&displaylang=en - Microsoft GUI tool that can scan for promiscuous mode NICs http://www.securityfocus.com/tools/3333 - tool to run locally on a *NIX system to detect promiscuous mode enabled NICs
http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm - Cain and Abel have the ability to scan for promiscuous mode MAC's too. (wasn't able to get it to work though)
<< Home