
5.5 Sniffer Detection

Malicious sniffers can be a real threat to the security of your network, so it would be nice to have a technique to detect them. Locally it is an easy task: check all network interfaces to see whether they are in promiscuous mode. If you are lucky and no rootkit has been installed that makes the kernel hide this information from you, you get a list of the interfaces on which a sniffer is running. On current Linux systems, where ifconfig is deprecated, ip link show prints the same PROMISC flag. Keep in mind that bridges, virtual switches and some monitoring tools also put interfaces into promiscuous mode, so every hit still has to be checked before you call it a sniffer.

ifconfig -a | grep PROMISC

The kernel logs when a network interface is put into promiscuous mode. Depending on the syslog configuration of your system, this information can be found in /var/log/messages, /var/log/syslog or /var/log/kern.log (on systemd hosts journalctl -k shows the kernel log). The message reads "device eth0 entered promiscuous mode", and a matching "left promiscuous mode" line is written when the mode is cleared again, so the log also tells you about sniffers that have since been stopped, which the ifconfig check above can no longer see.

grep promisc /var/log/messages
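Grepping a single line tells you that an interface entered promiscuous mode at some point, not whether it is still in that mode or whether the transition was expected. The following script is an added example and not code from the book: it parses the kernel messages (from a syslog file or the output of journalctl -k), replays the entered/left transitions in order and reports the interfaces that entered and never left, minus an allow-list of interfaces that are promiscuous by design, such as bridge ports. The sample log is constructed. The "device eth0 entered promiscuous mode" wording is the classic kernel message; the second form, "eth0: entered promiscuous mode", is accepted on the assumption that newer kernels print the device name that way.

```python
import re
import sys

# Kernel messages written when a device's promiscuous refcount goes 0->1 or 1->0.
# Classic form: "device eth0 entered promiscuous mode". The form
# "eth0: entered promiscuous mode" is assumed for newer kernels; both are accepted.
PROMISC_RE = re.compile(
    r"(?:device (?P<dev1>[\w.@-]+)|(?P<dev2>[\w.@-]+):) "
    r"(?P<action>entered|left) promiscuous mode"
)

# Constructed sample of what /var/log/kern.log (or `journalctl -k`) might contain.
SAMPLE_LOG = """\
Mar  3 10:12:01 host kernel: [  120.441] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps
Mar  3 10:15:42 host kernel: [  341.002] device eth0 entered promiscuous mode
Mar  3 10:16:09 host kernel: [  368.118] device eth0 left promiscuous mode
Mar  3 10:20:00 host kernel: [  599.731] device eth1 entered promiscuous mode
Mar  3 11:02:13 host kernel: [ 3132.007] eth2: entered promiscuous mode
Mar  3 11:02:14 host kernel: [ 3133.120] device br0 entered promiscuous mode
"""


def parse_promisc_events(lines):
    """Yield (interface, action) for every promiscuous-mode transition, in log order."""
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            yield m.group("dev1") or m.group("dev2"), m.group("action")


def promisc_interfaces(lines):
    """Replay the transitions: an interface whose last event was 'entered' is still
    promiscuous at the end of the log. Returns the sorted interface names."""
    state = {}
    for dev, action in parse_promisc_events(lines):
        state[dev] = action == "entered"
    return sorted(dev for dev, on in state.items() if on)


def suspicious_promisc(lines, expected=()):
    """Drop interfaces that are promiscuous by design (bridge ports, VM switches);
    whatever is left deserves a closer look."""
    return [dev for dev in promisc_interfaces(lines) if dev not in set(expected)]


if __name__ == "__main__":
    # usage: promisc_log.py [logfile] [expected_iface ...]; without arguments the
    # constructed sample is analysed
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for dev in suspicious_promisc(lines, expected=sys.argv[2:]):
        print("%s is in promiscuous mode" % dev)
```

On the sample log eth0 entered and left again, br0 is a bridge and expected, so only eth1 and eth2 remain as candidates for a sniffer.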

It would be more elegant to detect sniffers remotely. Fortunately there are two techniques to do so. The first one is to flood the network with traffic while continuously pinging all connected hosts. In theory a host running a sniffer responds more slowly because it spends CPU time decoding all that traffic. This variant is crude: it wastes a lot of resources and is not very reliable, because it also flags systems that are under high load for other reasons, such as a big database query or the compilation of a complex program.

The second method to find a sniffer from a distance is based on the fact that a system running in promiscuous mode does not reject any frame but reacts to all of them. Therefore we create an ARP request for the IP of each host, but address the Ethernet frame to a random, unused MAC address other than broadcast, and send it to every single host. Systems that are not in promiscuous mode discard the frame in the network card because it is not addressed to their MAC; sniffing systems pass it up to the kernel, whose ARP code sees a request for its own IP and sends us a reply.

This technique is described in more detail in the paper securityfriday.com/promiscuous_detection_01.pdf and is implemented in the Scapy function promiscping(), so with Scapy it is an easy one-liner to detect sniffers remotely! Be aware of its limits: it only reaches hosts on the same Ethernet segment, it cannot see a sniffer fed by a mirror port or a network tap, nor one that only records traffic addressed to its own MAC, and the software filters of some operating systems do not answer such frames at all. A negative result is therefore not proof that nobody is listening.

#!/usr/bin/python

import sys
from scapy.all import promiscping

if len(sys.argv) < 2:
    print(sys.argv[0] + " <net>")
    sys.exit()

# send the ARP probe with a fake destination MAC to every host in the given
# network and print the hosts that answer (needs root for raw sockets)
promiscping(sys.argv[1])

The network can be given either as a CIDR block or with a wildcard (192.168.1.*).
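To show what promiscping() actually puts on the wire and why only a promiscuous host answers, here is the probe built by hand without Scapy. This is an added example, not code from the book or from Scapy: it assembles the Ethernet/ARP frame with a fake destination MAC, models the receiving side (a simplified NIC filter that only accepts the card's own MAC and broadcast, followed by a Linux-like ARP responder that answers any request for its own IP), runs a simulated scan over a constructed segment, and also contains the raw-socket version of the probe for a live Linux network. The host list, MACs and IPs are constructed; the fake destination ff:ff:00:00:00:00 is the value Scapy's promiscping() uses by default for its fake_bcast parameter, and any other unused address works just as well.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
# The Ethernet destination of the probe: not ours, not broadcast, not in use.
FAKE_DST = "ff:ff:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, src_mac, src_ip, eth_dst, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body. eth_dst is the Ethernet destination (the
    field the probe manipulates); the ARP fields themselves stay truthful."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_probe(src_mac, src_ip, target_ip, fake_dst=FAKE_DST):
    """ARP who-has for target_ip, addressed to a MAC no NIC filter should let through."""
    return build_arp(ARP_REQUEST, src_mac, src_ip, fake_dst, "00:00:00:00:00:00", target_ip)


def parse_frame(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": etype}
    if etype == ETHERTYPE_ARP and len(frame) >= 42:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        f.update(op=op, sha=mac_str(sha), spa=socket.inet_ntoa(spa),
                 tha=mac_str(tha), tpa=socket.inet_ntoa(tpa))
    return f


def nic_accepts(eth_dst, own_mac, promisc=False):
    """Simplified NIC receive filter: promiscuous mode switches it off, otherwise only
    the card's own MAC and broadcast pass (multicast membership is ignored here)."""
    return promisc or eth_dst in (own_mac, BROADCAST)


def host_reply(frame, own_mac, own_ip, promisc=False):
    """A Linux-like receiver: NIC filter first, then the ARP code, which answers any
    request for its own IP whatever the Ethernet destination was. None = no answer."""
    f = parse_frame(frame)
    if not nic_accepts(f["eth_dst"], own_mac, promisc):
        return None
    if f.get("op") == ARP_REQUEST and f["tpa"] == own_ip:
        return build_arp(ARP_REPLY, own_mac, own_ip, f["sha"], f["sha"], f["spa"])
    return None


def scan(hosts, src_mac="02:00:00:00:00:01", src_ip="192.168.1.1"):
    """Simulated promiscping over a segment of (mac, ip, promisc) tuples: every host
    gets the probe, only those whose filter is switched off answer."""
    found = []
    for mac, ip, promisc in hosts:
        reply = host_reply(build_probe(src_mac, src_ip, ip), mac, ip, promisc)
        if reply is not None and parse_frame(reply).get("op") == ARP_REPLY:
            found.append(ip)
    return found


def probe_for_real(iface, src_mac, src_ip, target_ip, timeout=2.0):
    """The same probe on a live Linux segment (needs CAP_NET_RAW): returns the MAC
    that answered, or None after the timeout."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    s.bind((iface, 0))
    s.settimeout(timeout)
    s.send(build_probe(src_mac, src_ip, target_ip))
    try:
        while True:
            f = parse_frame(s.recv(2048))
            if f.get("op") == ARP_REPLY and f["spa"] == target_ip:
                return f["sha"]
    except socket.timeout:
        return None
    finally:
        s.close()


# Constructed segment: only the host at .20 has its interface in promiscuous mode.
SEGMENT = [
    ("aa:bb:cc:00:00:10", "192.168.1.10", False),
    ("aa:bb:cc:00:00:20", "192.168.1.20", True),
    ("aa:bb:cc:00:00:30", "192.168.1.30", False),
]

if __name__ == "__main__":
    print("promiscuous hosts (simulated):", scan(SEGMENT))
```

The simulation shows the two halves of the trick: a regular broadcast ARP request is answered by every host, the same request behind a fake destination MAC only by the host whose card is no longer filtering. The model follows Linux; the paper linked above explains why the fake address is shaped like a broadcast address, namely so that the pickier software filters of some other operating systems let it through as well.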

5.6 IP-Spoofing

IP spoofing is the forgery of IP source addresses: the source address in the packet is not the IP of the network device the packet was actually sent over but one inserted by hand. Attackers use this technique either to hide the source of an attack or to circumvent a packet filter or other security layers, such as TCP Wrapper, that block or accept connections depending on their source IP address.

In the previous chapter we already used Scapy to sniff and to create ARP and DTP packets. Now we expand our excursion into the wonderful world of Scapy by implementing a simple IP spoofing program. It sends an ICMP echo request packet, also known as ping, with a spoofed source IP to a remote host.

#!/usr/bin/python

import sys
from scapy.all import sr1, IP, ICMP

if len(sys.argv) < 3:
    print(sys.argv[0] + " <src_ip> <dst_ip>")
    sys.exit(1)

# ICMP echo request inside an IP header carrying the spoofed source address
packet = IP(src=sys.argv[1], dst=sys.argv[2]) / ICMP()
packet.show()

# send() only transmits and returns nothing; sr1() sends the packet and
# waits for the first matching reply (None after the timeout)
answer = sr1(packet, timeout=2)

if answer:
    answer.show()

We create an ICMP packet encapsulated in an IP packet by writing IP() / ICMP(). This somewhat unusual but handy syntax is made possible by Scapy overriding the / operator with the __div__ method (__truediv__ in Python 3).

The IP packet gets the source and destination IP as parameters. The resulting packet object is dumped on the screen by calling its show() method (show2() displays the packet as it will go on the wire, with computed fields such as length and checksum filled in; it does not restrict the output to layer 2). Afterwards we send it. Note that send() only transmits at layer 3 and returns nothing; to receive the echo reply you have to use sr1(), which sends and waits for the first answer (sendp() and srp1() are the layer 2 counterparts). Last but not least, if we get a reply it is printed on the screen. Of course we can only receive a reply if it is delivered to our network card, and here the spoofing works against us: the target answers to the spoofed source address, not to ours. It resolves that address with ARP if it lies in its own subnet and hands the reply to its default gateway otherwise, so the reply only reaches us if we own that address, sit on the path to it, or intercept it with the MitM attack from Sect. 2.19. Scapy does fill in our own MAC as the Ethernet source and resolves the destination MAC for the destination IP automatically, so the request itself arrives at the target without further work; what Scapy cannot do is make the reply come back to a source address we do not hold.

You can protect against IP spoofing by authenticating (and, if required, encrypting) all IP packets; a common case are the AH and ESP protocols of the IPsec family, where a packet with a forged source fails the integrity check. In practice the first line of defence is ingress filtering (BCP 38): routers drop packets whose source address cannot legitimately arrive on the interface they came in on, and on Linux hosts the reverse path filter (net.ipv4.conf.all.rp_filter) performs the same check. Keep in mind that spoofing alone lets the attacker send but not receive: a TCP handshake with a forged source cannot complete unless the attacker also sees the replies, which is why spoofing is mostly combined with a MitM position or used for one-way traffic such as floods and reflection attacks.
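The same spoofed ping built without Scapy, together with the check that stops it at the network edge, as an added example that is neither the book's nor Scapy's code. It assembles the IPv4 header and the ICMP echo request by hand, which makes it obvious that nothing in the header ties the source address to the sending interface, shows how the packet is handed to a raw socket with IP_HDRINCL on Linux, and models the ingress (BCP 38) decision as a prefix check: a packet is only accepted if its source belongs to the prefix that is routed via the interface it arrived on. The addresses and the ingress prefix are constructed; the filter is a simplification of what a router or rp_filter does with its full routing table.

```python
import ipaddress
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header and ICMP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(ident=0x1234, seq=1, payload=b"spoofed-ping"):
    """ICMP echo request (type 8, code 0) with a valid checksum."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(head + payload), ident, seq) + payload


def build_ipv4(src_ip, dst_ip, payload, proto=socket.IPPROTO_ICMP, ttl=64, ident=0):
    """IPv4 header with whatever source address we like: nothing in it is bound to
    the interface that will emit the packet."""
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet):
    vihl, _, tlen, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "len": tlen,
            # a header whose checksum field is correct sums to zero
            "header_ok": (vihl >> 4) == 4 and checksum(packet[:20]) == 0}


def spoofed_echo(src_ip, dst_ip):
    """Complete ping packet claiming to come from src_ip."""
    return build_ipv4(src_ip, dst_ip, build_icmp_echo())


def send_spoofed(src_ip, dst_ip):
    """Linux raw socket with IP_HDRINCL: the kernel takes our header as it is
    (needs CAP_NET_RAW). Any reply goes to src_ip, not to us."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(spoofed_echo(src_ip, dst_ip), (dst_ip, 0))
    s.close()


def ingress_filter_passes(packet, ingress_prefix):
    """Simplified BCP 38 / reverse-path check on arrival: accept only if the source
    belongs to the prefix that is reachable through the ingress interface."""
    src = ipaddress.ip_address(parse_ipv4(packet)["src"])
    return src in ipaddress.ip_network(ingress_prefix, strict=False)


if __name__ == "__main__":
    pkt = spoofed_echo("10.0.0.99", "192.168.1.10")
    print(parse_ipv4(pkt))
    print("passes ingress filter on 192.168.1.0/24:",
          ingress_filter_passes(pkt, "192.168.1.0/24"))
```

With the constructed addresses the packet is well formed (both checksums verify), yet a router that knows only 192.168.1.0/24 lives behind the ingress interface drops it, while the same ping from 192.168.1.77 passes. That is the whole of ingress filtering: it cannot tell a forged address from a real one, it only refuses sources that could not have come from where the packet was seen.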
