Hello all :)

I am trying to set up a NIC to run in "stealth" mode. Some folks call this "transparent" mode and I've heard it referred to as a NIC with an unbound IP stack. This NIC will act as a passive (and undetectable) packet capture hardware device for a commercial intrusion detection system. I am running SuSE 6.4 and the NIC will be one of two PCMCIA NICs in a Dell Inspiron 7000 laptop.

I've been told a stealth NIC can be done in Solaris via its "plumb" argument to ifconfig, although I haven't tried it myself. I've also been told a similar operation can be done in RedHat by taking all the IP info out of the /etc/sysconfig/network-scripts/ifcfg-eth0 file and restarting the network (/etc/rc.d/init.d/network restart). Again, I have not done this personally. In Microsoft OSes, unbinding the protocol stack from the NIC is trivial.

I have looked for a solution like the RedHat procedure for SuSE 6.4 but have not been able to find one. Does anyone on the list have a method for creating a stealth NIC in SuSE? If so, please let me know.

Many thanks in advance,
Randy
Randy Taylor wrote:
Hello all :)
I am trying to set up a NIC to run in "stealth" mode. Some folks call this "transparent" mode and I've heard it referred to as a NIC with an unbound IP stack. ...
In the book "Firewalls and Internet Security" by W.R. Cheswick and S.M. Bellovin they described that you only have to cut the transmit wire of the twisted pair cable.

andy
--
-------------------------------
mailto:Andreas.Tirok@beusen.de
fon: +49 30 549932-37
fax: +49 30 549932-21
On Sun, Oct 22, 2000 at 13:40 +0200, Andreas Tirok wrote:
In the book "Firewalls and Internet Security" by W.R. Cheswick and S.M. Bellovin they described that you only have to cut the transmit wire of the twisted pair cable.
... to interrupt the TP link beat and have the hub or switch turn this port off since it's "not in use". :)

No, in modern times you need all the wires but have to keep the software from answering / producing traffic. And receiving all the data and processing it will make the machine react in some different way compared to how it does "without reading all the net". So you can recognize workstations with sniffers running. Although dedicated hardware with no other job could be undiscovered long enough ...

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
... to interrupt the TP link beat and have the hub or switch turn this port off since it's "not in use". :)
No, in modern times you need all the wires but have to keep the software from answering / producing traffic. And receiving all the data and processing it will make the machine react in some different way compared to how it does "without reading all the net". So you can recognize workstations with sniffers running. Although dedicated hardware with no other job could be undiscovered long enough ...
antisniff (the only reasonably successful sniffer detector I know of) can easily be fooled. The only sure way to detect sniffers is:

a) physically inspect cabling to make sure there isn't some rogue laptop
b) make sure all the systems attached to the network are secure

Some other things to consider: switches will help a lot, although a savvy attacker can potentially flood the switch to make it "leak" or break into it and reprogram it. IPSec is an increasingly realistic solution, client software abounds and is cheap, and there are network cards with crypto accelerators that don't cost much ($100 US), alas as far as I know Linux doesn't support any of them.
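Gerhard's point above (a host that reads all traffic reacts differently) and Kurt's mention of antisniff both refer to the same kind of check. The following is an added example, not code from the thread: it builds the "fake broadcast" ARP probe that sniffer detectors such as antisniff send, parses the reply, and simulates how a host with and without a promiscuous NIC treats the probe. The simulated host is a deliberately simplified model of a Linux-like stack (hardware filter passes only own-unicast and true broadcast; the ARP code answers requests whose destination has the group bit set or is the host's own address). All MAC and IP values are constructed sample data.

```python
"""Fake-broadcast ARP probe for promiscuous-mode detection (added example)."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# Not a real broadcast, but the group bit (lowest bit of the first octet) is set,
# so a promiscuous host's ARP code treats it as multicast and answers; a
# non-promiscuous NIC drops it in hardware because it matches neither its own
# address nor ff:ff:ff:ff:ff:ff.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (htype 1, ptype IPv4) as raw bytes."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def build_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BROADCAST):
    """ARP request for target_ip, addressed to a MAC no normal NIC should accept."""
    return build_arp(dst_mac, src_mac, ARP_REQUEST, src_mac, src_ip, b"\x00" * 6, target_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if frame is None or len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": frame[:6], "src": frame[6:12], "op": op,
            "sender_mac": frame[22:28], "sender_ip": frame[28:32],
            "target_mac": frame[32:38], "target_ip": frame[38:42]}


class SimulatedHost:
    """Simplified model of a NIC plus ARP stack (constructed for this example)."""

    def __init__(self, mac_addr, ip_addr, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac_addr, ip_addr, promiscuous

    def receive(self, frame):
        """Return the ARP reply the host would send, or None."""
        dst = frame[:6]
        # Step 1: hardware address filter (multicast subscriptions ignored here).
        if not self.promiscuous and dst not in (self.mac, BROADCAST):
            return None
        # Step 2: the kernel classifies unicast frames for another address as
        # "other host" and the ARP code ignores them; group-bit frames are processed.
        if not (dst[0] & 1) and dst != self.mac:
            return None
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST or req["target_ip"] != self.ip:
            return None
        return build_arp(req["sender_mac"], self.mac, ARP_REPLY,
                         self.mac, self.ip, req["sender_mac"], req["sender_ip"])


def looks_promiscuous(reply, target_ip):
    """True if the reply is an ARP reply from target_ip to a probe it should not have seen."""
    rep = parse_arp(reply)
    return rep is not None and rep["op"] == ARP_REPLY and rep["sender_ip"] == target_ip


def detect(host, prober_mac, prober_ip, dst_mac=FAKE_BROADCAST):
    probe = build_probe(prober_mac, prober_ip, host.ip, dst_mac)
    return looks_promiscuous(host.receive(probe), host.ip)


def demo():
    """Constructed sample: the same host with and without promiscuous mode."""
    prober = (mac_bytes("02:00:00:00:00:01"), ip_bytes("192.0.2.1"))
    normal = SimulatedHost(mac_bytes("02:00:00:00:00:10"), ip_bytes("192.0.2.10"))
    sniffer = SimulatedHost(mac_bytes("02:00:00:00:00:10"), ip_bytes("192.0.2.10"), promiscuous=True)
    other_unicast = mac_bytes("02:00:00:00:00:99")
    return {
        "normal_fake_bcast": detect(normal, *prober),                 # no reply: hardware dropped it
        "sniffer_fake_bcast": detect(sniffer, *prober),               # reply: promiscuous host answered
        "normal_real_bcast": detect(normal, *prober, dst_mac=BROADCAST),  # everyone answers, useless
        "sniffer_other_unicast": detect(sniffer, *prober, dst_mac=other_unicast),  # kernel ignores it
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'promiscuous' if flagged else 'no reply'}")
```

The last two cases in demo() show why the probe has to be crafted this way: a genuine broadcast is answered by every host, and a unicast frame to a wrong address is discarded by the kernel even when the NIC passes it up, so neither discriminates. This is also why such tests are easy to fool, as Kurt notes: a sensor that never transmits, or a stack patched to drop group-bit frames that are not real broadcasts, gives no reply at all.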
There's a nice sniffing faq with in-depth information about sniffing and
certain methods of "counterintelligence" by Robert Graham
On Wed, 25 Oct 2000 02:17:04 -0600, you wrote:
switches will help a lot, although a savvy attacker can potentially flood the switch to make it "leak" or break into it and reprogram it.

Using the VLAN feature on switches and turning off "learning" mode will help on securing your network against this type of attack (sniffing).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Tue, 24 Oct 2000 21:23:56 +0200, you wrote:
software from answering / producing traffic. And receiving all the data and processing it will make the machine react in some different way compared to how it does "without reading all the net". So you can recognize workstations with sniffers running. Although dedicated hardware with no other job could be undiscovered long enough ...

Have you got some more information (paper, doc, etc) about this type of recognition? (I'm referring to having the tx path firewalled, for example, so no data can be transmitted via the promiscuous interface).
"RoMaN SoFt / LLFB!!" wrote:
On Tue, 24 Oct 2000 21:23:56 +0200, you wrote:
software from answering / producing traffic. And receiving all the data and processing it will make the machine react in some different way compared to how it does "without reading all the net". So you can recognize workstations with sniffers running. Although dedicated hardware with no other job could be undiscovered long enough ...

Have you got some more information (paper, doc, etc) about this type of recognition? (I'm referring to having the tx path firewalled, for example, so no data can be transmitted via the promiscuous interface).

You can use a NIC with an AUI interface. On the AUI cable you can disconnect the wire for the TX signal and you have no problems.
Michael Wollschlaeger wollm@hk-zwenkau.de
I am trying to set up a NIC to run in "stealth" mode. Some folks call this "transparent" mode and I've heard it referred to as a NIC with an unbound IP stack.
Just assign it a non-routable IP and optionally firewall it so it can't send any data out:

ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY

-Kurt
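The same idea as Kurt's ipchains rule, carried a step further for a current Linux kernel: give the capture NIC no address at all, switch ARP and IPv6 off on it so the kernel has nothing to answer for, enable promiscuous mode, and drop anything that still tries to leave through it. This is an added example and not code from the thread; the commands are standard iproute2, sysctl and iptables invocations, the interface name is a placeholder, and the flags value in the test is a constructed sample of what /sys/class/net/<if>/flags reports. The commands must be run as root; the default dry-run only returns them.

```python
"""Build and verify a capture-only ("stealth") interface on Linux (added example)."""
import subprocess

# Bits of the interface flags word as exposed in /sys/class/net/<if>/flags.
IFF_UP, IFF_NOARP, IFF_PROMISC = 0x1, 0x80, 0x100


def stealth_plan(ifname):
    """Commands that turn ifname into a listen-only port. Each entry is one argv list."""
    return [
        # No IPv4/IPv6 address: the kernel has no address to answer ARP or ICMP for.
        ["ip", "addr", "flush", "dev", ifname],
        # No link-local address either, so no router solicitations or neighbour discovery.
        ["sysctl", "-w", f"net.ipv6.conf.{ifname}.disable_ipv6=1"],
        # IFF_NOARP: ARP is neither sent nor processed on this interface.
        ["ip", "link", "set", "dev", ifname, "arp", "off"],
        # Listen to everything on the wire and bring the port up.
        ["ip", "link", "set", "dev", ifname, "promisc", "on", "up"],
        # Belt and braces: whatever a local process still tries to send is dropped.
        ["iptables", "-A", "OUTPUT", "-o", ifname, "-j", "DROP"],
        ["ip6tables", "-A", "OUTPUT", "-o", ifname, "-j", "DROP"],
    ]


def apply_plan(plan, dry_run=True):
    """Return the plan as shell lines; with dry_run=False also execute it (root required)."""
    lines = [" ".join(argv) for argv in plan]
    if not dry_run:
        for argv in plan:
            subprocess.run(argv, check=True)
    return lines


def check_flags(flags_text):
    """Decode the hex flags word read from /sys/class/net/<if>/flags."""
    flags = int(flags_text.strip(), 16)
    return {
        "up": bool(flags & IFF_UP),
        "noarp": bool(flags & IFF_NOARP),
        "promisc": bool(flags & IFF_PROMISC),
    }


def is_stealth(flags_text):
    """True when the interface is up, promiscuous and has ARP disabled."""
    state = check_flags(flags_text)
    return state["up"] and state["noarp"] and state["promisc"]


def read_flags(ifname):
    """Read the live flags word; only works on a Linux host with that interface."""
    with open(f"/sys/class/net/{ifname}/flags") as fh:
        return fh.read()


if __name__ == "__main__":
    iface = "eth1"  # placeholder interface name
    for line in apply_plan(stealth_plan(iface)):
        print(line)
```

On a 2000-era system the equivalent is the net-tools and ipchains form, i.e. bringing the interface up with ifconfig using the 0.0.0.0 address together with its promisc and -arp options and then adding the output DENY rule quoted above; the flags check reads the same bits from ifconfig's output instead of sysfs. Whichever tooling is used, the point of the verification step is that the sensor's own kernel, not just the firewall, has nothing left that would make it speak on the monitored segment.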
participants (7)

- Andreas Tirok
- bolo@lupa.de
- Gerhard Sittig
- Kurt Seifried
- Michael Wollschläger
- Randy Taylor
- RoMaN SoFt / LLFB!!