
14.6 AntiSniff

URL: www.L0pht.com

Client OS: Windows NT

Target OS: TCP/IP networks

Description:  AntiSniff is a tool used to combat unauthorized sniffers. As we discussed above, sniffers' network cards usually operate in promiscuous mode. AntiSniff uses several techniques to detect these network cards in promiscuous mode. AntiSniff operates on Windows NT and is an excellent tool for helping to secure networks. While AntiSniff is an excellent packet sniffer detection application, it is not foolproof. Detecting sniffers is a difficult task, and AntiSniff normally has to be deployed widely throughout a network to cover all critical network segments. In addition to using a packet sniffer detection application, organizations should follow other best practices to guard against sniffers. One of the most effective best practices for guarding against sniffers is to encrypt sensitive information as it travels across networks, even internally.

Use:  AntiSniff uses three primary methods for detecting sniffers: network latency, DNS, and OS-specific tests. For the network latency tests, AntiSniff sends a high volume of network traffic to a target system. If the system is operating in promiscuous mode, it will attempt to capture each packet being sent. Under a high load of network traffic, the sniffer host will experience performance degradation that increases its response latency. By measuring the change in response time between a quiet network and a flooded one, AntiSniff may be able to detect a system being used as a sniffer.

Using the DNS method, AntiSniff sends a packet to a predetermined, otherwise unused IP address. Many packet sniffers perform a reverse lookup on the IP addresses they capture. AntiSniff capitalizes on this and watches for a host performing the reverse lookup on that address; a host that does so has captured a packet not addressed to it and thereby reveals itself as a sniffer.

For the OS-specific checks, AntiSniff sends the target system packets that certain operating systems answer only when their network card is in promiscuous mode. For instance, for Windows NT systems AntiSniff sends a packet from MAC address FF:00:00:00:00:00 to the IP address of the suspected sniffer. A Windows NT system in promiscuous mode should respond to this packet, thereby revealing itself as a sniffer.
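The three methods above all rely on the same idea: a normal network card drops frames that are not addressed to it, while a promiscuous one passes every frame up to the IP stack. The following simulation, added here as an example and not code from AntiSniff or L0pht, models that receive-side filtering for the OS-specific probe. It puts the page's bogus address FF:00:00:00:00:00 in the frame's destination field (an assumption of the example, chosen so the frame matches no real card), ignores multicast subscriptions, and constructs all hosts and addresses itself.

```python
import socket
import struct
from dataclasses import dataclass

BROADCAST = bytes.fromhex("ffffffffffff")
PROBE_MAC = bytes.fromhex("ff0000000000")   # bogus address quoted on the page
SCANNER_MAC = bytes.fromhex("0200000000aa")  # constructed scanner address
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Host:
    mac: bytes
    ip: str
    promiscuous: bool = False


def build_probe(dst_mac: bytes, target_ip: str) -> bytes:
    """Ethernet header plus a minimal IPv4 header whose only meaningful
    fields are the addresses (constructed; enough for the filter decision)."""
    eth = dst_mac + SCANNER_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         socket.inet_aton("192.0.2.1"),      # scanner IP (constructed)
                         socket.inet_aton(target_ip))
    return eth + ip_hdr


def nic_accepts(host: Host, frame: bytes) -> bool:
    """A normal card keeps only frames for its own MAC or the broadcast
    address (multicast subscriptions are left out of this model). A
    promiscuous card keeps everything."""
    if host.promiscuous:
        return True
    dst = frame[:6]
    return dst == host.mac or dst == BROADCAST


def ip_stack_replies(host: Host, frame: bytes) -> bool:
    """The IP stack only answers if the card delivered the frame and the
    IP destination is one of the host's own addresses."""
    if not nic_accepts(host, frame):
        return False
    dst_ip = socket.inet_ntoa(frame[14 + 16:14 + 20])
    return dst_ip == host.ip


def probe_host(host: Host) -> bool:
    """True means the host answered a frame its card should have dropped,
    which is the signal the OS-specific test looks for."""
    return ip_stack_replies(host, build_probe(PROBE_MAC, host.ip))
```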

AntiSniff cannot test across network segments. Therefore, AntiSniff is needed on each network segment you are trying to protect.

AntiSniff is easy to use. First, enter the IP address range you wish to test for sniffers in the Network Configuration tab shown in Figure 14-2. Next, use the Scanner Configuration tab (see Figure 14-3) to select which of the methods you wish to use for your scans. The DNS check box enables the DNS test, which tries to get a sniffer to perform a lookup on the fake IP address supplied by the scanner. The ARP test attempts to identify Windows hosts in promiscuous mode. Ether Ping is a check designed for finding Linux and NetBSD sniffers. The ICMP Time Delta, Echo, and Ping Drop tests are network latency tests.

You can specify the number of packets to be used in the ICMP Time Delta test. The default value of 20 packets is intended to test a Class C network in a reasonable amount of time. As you increase this value, you increase the accuracy of the test, as well as the time it takes to complete. Decreasing the number of packets shortens the test but sacrifices accuracy. Similarly, the default values for the Echo and Ping Drop tests are 20 and 200 packets, respectively. These values assume you are testing a Class C network in a reasonable amount of time (a few hours). As you increase the number of packets, you increase both the time the scan takes and its accuracy; as you decrease the number of packets, the scan finishes more quickly, but accuracy begins to decrease.

Figure 14-2. AntiSniff Network Configuration window

Figure 14-3. AntiSniff Scanner Configuration window

In addition, the Scanner Configuration tab offers options for scheduling the scans and writing the output to a file. You can use the scheduling option to perform regular scans of the network and to enable alarms. If a potential sniffer is detected, AntiSniff will alert you.

After the scan has completed, use the Reports tab to view the results. For all the tests except network latency, AntiSniff indicates a positive or negative response for a system running as a sniffer. The network latency tests display time responses, and you have to determine whether the changes in time response indicate a sniffer may be present.
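Since the latency tests leave the interpretation of the timing figures to you, it helps to have a fixed rule for reading them. The helper below is an added example, not AntiSniff's own logic: it compares echo round-trip times measured before the flood with those measured during it, reports the median ratio and the change in dropped replies, and returns a verdict. The thresholds and the sample timings are assumptions chosen for illustration.

```python
from statistics import median
from typing import Optional, Sequence

Sample = Optional[float]   # round-trip time in ms; None means no reply came back


def _split(samples: Sequence[Sample]):
    """Separate answered probes from dropped ones."""
    answered = [s for s in samples if s is not None]
    return answered, len(samples) - len(answered)


def latency_delta(baseline: Sequence[Sample], loaded: Sequence[Sample]) -> dict:
    """Summarise quiet-wire timings against timings taken under flood load.
    Medians are used so a single slow reply does not dominate the result."""
    b_ok, b_lost = _split(baseline)
    l_ok, l_lost = _split(loaded)
    if not b_ok or not l_ok:
        raise ValueError("need at least one answered probe in each set")
    b_med, l_med = median(b_ok), median(l_ok)
    return {
        "baseline_ms": b_med,
        "loaded_ms": l_med,
        "ratio": l_med / b_med,
        "drop_rate_baseline": b_lost / len(baseline),
        "drop_rate_loaded": l_lost / len(loaded),
    }


def sniffer_verdict(stats: dict, ratio_threshold: float = 3.0,
                    drop_threshold: float = 0.2) -> str:
    """'suspect' when response time or the drop rate rises sharply under
    load, otherwise 'clear'. Thresholds are illustrative assumptions; a host
    that is merely busy with other work can trip them too, so treat
    'suspect' as a reason to look closer, not as proof."""
    if stats["ratio"] >= ratio_threshold:
        return "suspect"
    if stats["drop_rate_loaded"] - stats["drop_rate_baseline"] >= drop_threshold:
        return "suspect"
    return "clear"
```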

Benefits:  AntiSniff is an excellent tool for trying to detect packet sniffers on a network. The tool is easy to use and configure.

Cons:  Packet sniffers can be operated very stealthily and remain undetected. Even though AntiSniff uses effective methods for testing for sniffers, it probably will not detect a well-configured sniffer. In addition, AntiSniff can drain resources on its host system and the network. The network latency tests can create significant network traffic, causing degradation in network performance. Also, many of the scans can take significant time to run, especially on slow systems and networks. Given the significant resource drain AntiSniff can place on networks and hosts, you should schedule it for periodic use during hours that will not affect production operations. While AntiSniff and other sniffer detection applications have significant shortcomings, the tool is a worthwhile addition to a security tool kit.
