COEN 252 Computer Forensics Remote Sniffer Detection
Sniffer Detection
• On the Host
  • Look for capture files (typically big and growing).
  • Look for a promiscuous card.
  • Look for unauthorized connections or processes. Rootkits can prevent sniffers from being detected.
• On the Net
  • Traffic analysis
  • Traffic injection (probing)
  • Much harder.
Network based Sniffer Detection
• Promiscuous mode detection
• DNS tests
• Network latency tests
• Trapping
Network based Sniffer Detection
• NIC hardware addresses
• The NIC sets up different filters:
  • Broadcast: receive all broadcast frames (MAC ff:ff:ff:ff:ff:ff)
  • Multicast: based on multicast address
  • All multicasts
  • Promiscuous: receive all packets.
Promiscuous mode detection
• Each Network Interface Card (NIC) has a unique Medium Access Control (MAC) address.
• A card in non-promiscuous mode only accepts packets addressed to that MAC address.
MAC Promiscuous Mode Detection
• Send an echo request to the right IP address but with a wrong MAC address.
• Only a NIC in promiscuous mode will pick up a frame with a wrong MAC address.
• The “Echo Request” packet is passed up the stack to the IP layer.
• The IP layer answers it.
ARP Detection
• Send an ARP request with a false MAC and the correct IP address.
• Only a promiscuous NIC will pick up the packet.
• The kernel sends an ARP reply.
Software Filtering Based Detection
• Different OSs implement filters differently.
• We can try:
  • Fake broadcast addresses:
    • FF:FF:FF:FF:FF:FE (Br47): last bit of the broadcast address cleared.
    • FF:FF:00:00:00:00 (Br16): only the first 16 bits are the same as for broadcast.
    • FF:00:00:00:00:00 (Br8)
    • F0:00:00:00:00:00 (Br4)
Software Filtering Based Detection
• Different OSs implement filters differently.
• We can try:
  • Fake multicast addresses:
    • 01:00:00:00:00:00 (Gr): only the group bit set.
    • 01:00:5E:00:00:00 (M0): multicast address zero is usually not used.
    • 01:00:5E:00:00:01 (M1) (assigned to all): multicast address one should be received by all hosts in the test system.
    • 01:00:5E:00:00:02 (M2) (assigned to a different set of nodes): multicast address two should not be received by systems in the test group.
    • 01:00:5E:00:00:03 (M3) (not registered)
Software Filtering Based Detection
Table of responses to the various ARP requests: normal mode in the left column, promiscuous mode in the right column.
O: legal response, X: illegal response, --: no response.
Software Filtering Based Detection
• ARP requests to fake MAC addresses can identify promiscuous cards in an OS-dependent manner.
Trabelsi, Rahmani, Kaouech, Frikha: Malicious Sniffing Systems Detection Platform, SAINT ’04.
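The following is an added offline model of the fake-MAC ARP probe test (not code from the slides or the cited paper): it runs the Br/Gr/M probe addresses from the previous slides through a modelled NIC hardware filter and a hypothetical kernel software filter that compares only the first octet, and builds the O / X / -- response table for normal and promiscuous mode. The host MAC, host IP, subscribed multicast group and the first-octet software filter are assumptions chosen for the example; real kernels differ, which is exactly why the results are OS dependent.

```python
# Constructed test host (RFC 5737 TEST-NET-1 address and a made-up MAC).
HOST_MAC = "00:11:22:33:44:55"
HOST_IP = "192.0.2.10"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBSCRIBED = {"01:00:5e:00:00:01"}   # all-hosts group (M1), joined by every host

# Probe destination MACs from the slides, in 6-octet form.
PROBES = {
    "Br47": "ff:ff:ff:ff:ff:fe", "Br16": "ff:ff:00:00:00:00",
    "Br8": "ff:00:00:00:00:00",  "Br4": "f0:00:00:00:00:00",
    "Gr": "01:00:00:00:00:00",   "M0": "01:00:5e:00:00:00",
    "M1": "01:00:5e:00:00:01",   "M2": "01:00:5e:00:00:02",
    "M3": "01:00:5e:00:00:03",
}

def first_octet(mac):
    return int(mac.split(":")[0], 16)

def hw_filter_accepts(dst, promiscuous):
    """NIC hardware filter: own MAC, the true broadcast address, or a
    subscribed multicast group. In promiscuous mode every frame passes."""
    if promiscuous:
        return True
    if dst in (HOST_MAC, BROADCAST):
        return True
    return bool(first_octet(dst) & 1) and dst in SUBSCRIBED

def sw_filter_accepts(dst):
    """ASSUMED kernel-side check: only the first octet is examined
    (0xff taken as broadcast, group bit taken as multicast)."""
    first = first_octet(dst)
    return dst == HOST_MAC or first == 0xFF or bool(first & 1)

def arp_reply(dst_mac, target_ip, promiscuous):
    """'O' legal reply, 'X' reply a correctly filtering host would not
    send, '--' no reply (the notation used on the slides)."""
    if target_ip != HOST_IP or not hw_filter_accepts(dst_mac, promiscuous):
        return "--"
    if not sw_filter_accepts(dst_mac):
        return "--"
    legal = dst_mac in (HOST_MAC, BROADCAST) or dst_mac in SUBSCRIBED
    return "O" if legal else "X"

def response_table(promiscuous):
    return {name: arp_reply(mac, HOST_IP, promiscuous) for name, mac in PROBES.items()}

def looks_promiscuous(table):
    # Any illegal reply means a frame the hardware filter should have dropped reached the kernel.
    return any(v == "X" for v in table.values())

if __name__ == "__main__":
    for name in PROBES:
        print(f"{name:5} normal={response_table(False)[name]:2} promisc={response_table(True)[name]:2}")
```

Under these assumptions the normal-mode column answers only M1, while the promiscuous column answers Br47, Br16, Br8, Gr, M0, M2 and M3 with illegal replies; a probe whose first octet fails even the loose check (Br4) gets no reply in either mode.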
DNS Detection Technique
• Password sniffers (or sniffers not in stealth mode) generate network traffic.
• Sniffers use reverse DNS lookups:
  • Because they think they found a password and want to know which system it belongs to.
  • Because they want to present the user with the names of the machines.
Load Detection Technique
• Sniffers are hard on machine resources.
• A sniffer degrades performance when there is a lot of network load.
• Hence, generate lots of network load and measure timing.
Round Trip Time Measuring Technique
• Experiments show:
  • Round trip times show OS-dependent differences of 10% - 40% between normal mode and promiscuous mode.
  • This allows reliable detection.
  • Using ICMP messages is less dependent on network load.
Bait Technique
• Generate telnet sessions to a fake telnet server.
  • With lots of logins + passwords.
• The sniffer takes the bait.
• Later telnet attempts to the non-existing server give the sniffer away.
• Works like a honey-pot.