Linux - Security
05-23-2006, 08:50 AM | #1 | stakhous
Member | Registered: May 2003 | Location: PA | Posts: 82
Can you sniff without an IP?
In my department we are trying to monitor the LAN's traffic as stealthily as possible. Someone gave me the idea of setting up a Linux box without any IP addresses assigned and running a sniffer such as Ethereal. If this LAN is running behind a hub, would this be a possible feat?
Thanks,
Stakhous
05-23-2006, 12:10 PM | #2 | pljvaldez
LQ Guru | Registered: Dec 2005 | Location: Somewhere on the String | Distribution: Debian Wheezy (x86) | Posts: 6,094
Not sure what you mean by no IP address assigned, but I know that you can find out the range of DHCP leases allowed and just pick a static IP from outside that range (for example, if the LAN uses 192.168.0.1-192.168.0.40, use 192.168.0.50 as a static IP). Then you still have network access, but the DHCP server won't have a record of your IP assigned.
Unless I'm mistaken though, you'll still be able to be seen from the LAN. You'll probably have to do some fancy firewalling to try to make yourself unseen by the LAN. Also, anytime you access the gateway, you'll probably be logged as being on the network.
05-23-2006, 12:26 PM | #3 | unixfool
Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote: Originally Posted by stakhous
    In my department we are trying to monitor the LAN's traffic as stealthily as possible. Someone gave me the idea of setting up a Linux box without any IP addresses assigned and running a sniffer such as Ethereal. If this LAN is running behind a hub, would this be a possible feat?
    Thanks,
    Stakhous
I'm not sure you can do that with Ethereal. Non-IP-assigned interfaces are the preferred method for dedicated sniffing devices, though. I'd pick something to use other than Ethereal.
Here's what my BSD box's interfaces look like:
Sniff interface:
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:90:fe:05:0c:ca
media: Ethernet autoselect (10baseT/UTP)
status: active
Management interface:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet 10.150.1.103 netmask 0xffffff00 broadcast 10.150.1.255
ether 00:c0:4f:61:28:1f
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
05-23-2006, 12:42 PM | #4 | unixfool
Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote: Originally Posted by pljvaldez
    Not sure what you mean by no IP address assigned, but I know that you can find out the range of DHCP leases allowed and just pick a static IP from outside that range (for example, if the LAN uses 192.168.0.1-192.168.0.40, use 192.168.0.50 as a static IP). Then you still have network access, but the DHCP server won't have a record of your IP assigned.
    Unless I'm mistaken though, you'll still be able to be seen from the LAN. You'll probably have to do some fancy firewalling to try to make yourself unseen by the LAN. Also, anytime you access the gateway, you'll probably be logged as being on the network.
Sniffing is *usually* totally passive in nature. Sniffing software usually doesn't send traffic (or receive, for that matter, as the sniffing is transparent).
Also, earlier, I mentioned that sniffing (usually in IDS mode) can be done without an assigned IP and is usually the preferred method of sniffing. The reason an IP is not preferred is to avoid direct attacks on the sniffer.
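What the IP-less setup looks like on Linux, as an added example that is not from this thread or from Ethereal, Snort or tcpdump. Layer-2 capture never consults an IP address: every frame the NIC accepts is handed to an AF_PACKET raw socket, so the only preparation is bringing the link up without an address (ip link set dev eth1 up) and asking the kernel for promiscuous mode, which this code does through the PACKET_ADD_MEMBERSHIP socket option rather than ifconfig. The socket only ever calls recv(), so nothing is transmitted on that interface by this program. The interface name eth1, the sample frame and the 192.168.0.x addresses are assumptions for illustration; sniff() needs root or CAP_NET_RAW on a Linux host, while parse_frame() runs anywhere. One caveat on the hub question: on a hub every station sees every frame, but on a switch an IP-less port only sees broadcast, multicast and flooded traffic unless it is fed from a mirror (SPAN) port or a tap.

```python
# Added example: layer-2 capture on a Linux interface that has no IP address.
# Assumptions: Linux, root or CAP_NET_RAW, interface name "eth1"; the sample
# frame below is constructed. Not code from the thread or from Ethereal/Snort.
import socket
import struct
from collections import Counter

ETH_P_ALL = 0x0003                 # receive every ethertype
ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, ethertype
# <linux/if_packet.h> values; Python exposes them on Linux, fall back elsewhere
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)
PACKET_ADD_MEMBERSHIP = getattr(socket, "PACKET_ADD_MEMBERSHIP", 1)
PACKET_MR_PROMISC = getattr(socket, "PACKET_MR_PROMISC", 1)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and the TCP/UDP port pair; raise ValueError on junk."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("runt frame")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:        # ARP, IPv6, ... are counted but not decoded here
        return info
    ip = frame[ETH_HDR.size:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    info.update(src_ip=socket.inet_ntoa(ip[12:16]),
                dst_ip=socket.inet_ntoa(ip[16:20]), proto=ip[9])
    l4 = ip[ihl:]
    if ip[9] in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with sport, dport
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def open_sniff_socket(ifname: str) -> socket.socket:
    """Raw socket bound to ifname, with the interface put into promiscuous mode."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("@iHH8s", socket.if_nametoindex(ifname),
                       PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)  # promisc lasts while s is open
    return s


def sniff(ifname: str, max_frames: int = 500) -> Counter:
    """Read max_frames frames and count IPv4 conversations. Only recv() is ever called."""
    talkers = Counter()
    s = open_sniff_socket(ifname)
    try:
        for _ in range(max_frames):
            try:
                info = parse_frame(s.recv(65535))
            except ValueError:
                continue
            if "src_ip" in info:
                talkers[(info["src_ip"], info["dst_ip"], info.get("dport"))] += 1
    finally:
        s.close()
    return talkers


# Constructed sample frame: TCP SYN 192.168.0.10:40000 -> 192.168.0.50:22, checksums left zero
SAMPLE_FRAME = (
    ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                  socket.inet_aton("192.168.0.10"), socket.inet_aton("192.168.0.50"))
    + struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 64240, 0, 0)
)

if __name__ == "__main__":
    import sys
    for (src, dst, dport), n in sniff(sys.argv[1] if len(sys.argv) > 1 else "eth1").most_common(10):
        print(f"{n:6d}  {src} -> {dst}:{dport}")
```

Run it as root with the sniff interface name as the only argument; it prints the ten busiest source/destination/port triples seen in the first 500 frames. Promiscuous mode set through PACKET_ADD_MEMBERSHIP is reference-counted and dropped when the socket closes, so the interface does not stay promiscuous after the sniffer exits.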
05-23-2006, 04:53 PM | #5 | stakhous (Original Poster)
Member | Registered: May 2003 | Location: PA | Posts: 82
Unixfool, if you don't mind my asking, what sniffing software do you use? Or what software is capable of sniffing without an IP?
And if the computer is not assigned an IP, does this mean that the computer is in effect undetectable? Of course I have heard of ways to detect promiscuous NICs on the network; not sure if this sounds accurate.
Thanks
05-23-2006, 04:59 PM | #6 | pljvaldez
LQ Guru | Registered: Dec 2005 | Location: Somewhere on the String | Distribution: Debian Wheezy (x86) | Posts: 6,094
As you're no doubt aware by now, I have no idea what I'm talking about... But Google turned up this interesting article on IP-less sniffing that you might read while you wait for Unixfool.
05-23-2006, 07:46 PM | #7 | unixfool
Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote: Originally Posted by stakhous
    Unixfool, if you don't mind my asking, what sniffing software do you use? Or what software is capable of sniffing without an IP?
    And if the computer is not assigned an IP, does this mean that the computer is in effect undetectable? Of course I have heard of ways to detect promiscuous NICs on the network; not sure if this sounds accurate.
    Thanks
I have used Snort in IDS mode in enterprise environments (and at home and on my public server). Snort also has a sniff mode, which is very similar to tcpdump (Snort is in fact derived from tcpdump). I'm usually using IDS mode when using Snort but I don't think it matters with Snort. Either way, you have to use an interface. Maybe I'll test using Snort in sniff mode without an assigned IP on the sniff interface.
And yes, the lack of an IP on the interface makes the interface pretty much invisible. There are tools that can search for promiscuous interfaces, as you've said, but if you use an interface with no IP assigned along with other security measures, you're pretty safe.
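The promiscuous-NIC detection the last two posts allude to, as an added example (not code from the thread or from any named tool). The classic probe is an ARP request for the suspect's IP sent to a destination MAC that is not broadcast and belongs to nobody, such as ff:ff:ff:ff:ff:fe. A NIC in normal mode drops that frame in hardware and the host never sees it; a NIC in promiscuous mode passes it up, and because the first octet has its low bit set the Linux stack classifies it as multicast rather than "other host", so its ARP code answers when the target IP is local. The same mechanism is why the no-IP interface stays quiet: with no address bound on that link there is nothing for ARP to match, so it never replies, promiscuous or not. Interface names, MACs and addresses below are assumptions; probe() needs CAP_NET_RAW on Linux and must run from an interface that does have an IP (the management side), since the probe is itself transmitted traffic. A reply from the suspect is proof that its NIC accepts frames not addressed to it (all-multicast mode triggers this too); silence proves nothing, because drivers, virtual switches and other operating systems may filter the frame before ARP sees it.

```python
# Added example: the "bogus destination MAC" ARP probe behind promiscuous-NIC
# detectors. Assumptions: Linux, CAP_NET_RAW, an interface with an IP of its own
# (e.g. eth0), constructed MACs/addresses. Not code from the thread or any named tool.
import socket
import struct
import time

ETH_P_ALL = 0x0003
ETH_P_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # htype ptype hlen plen op sha spa tha tpa
# Not broadcast and matches no real NIC, but bit 0 of the first octet is set, so a
# promiscuous (or all-multicast) Linux stack treats it as multicast and lets ARP answer.
PROBE_DST_MAC = bytes.fromhex("fffffffffffe")


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """ARP who-has target_ip, framed to PROBE_DST_MAC instead of ff:ff:ff:ff:ff:ff."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, src_mac, socket.inet_aton(src_ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))
    return ETH_HDR.pack(PROBE_DST_MAC, src_mac, ETH_P_ARP) + arp


def parse_arp_reply(frame: bytes):
    """(sender_mac, sender_ip) for an ARP reply, None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 2):
        return None
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)


def classify(target_ip: str, replies) -> str:
    """A reply from target_ip means its NIC passed up a frame not addressed to it."""
    if any(ip == target_ip for _mac, ip in replies):
        return "promiscuous: answered ARP sent to a MAC that is not its own"
    return "silent: not promiscuous, filtered by driver/switch, or no IP bound on this link"


def probe(ifname: str, src_ip: str, target_ip: str, timeout: float = 2.0) -> list:
    """Send one probe on ifname and collect ARP replies until timeout. This transmits."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    src_mac = s.getsockname()[4]            # MAC of the bound interface
    s.settimeout(timeout)
    replies = []
    try:
        s.send(build_arp_request(src_mac, src_ip, target_ip))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                reply = parse_arp_reply(s.recv(65535))
            except socket.timeout:
                break
            if reply is not None:
                replies.append(reply)
    finally:
        s.close()
    return replies


# Constructed sample: what a promiscuous 192.168.0.10 (00:11:22:33:44:55) sends back
# to a prober at 192.168.0.50 (66:77:88:99:aa:bb)
PROBER_MAC = bytes.fromhex("66778899aabb")
TARGET_MAC = bytes.fromhex("001122334455")
SAMPLE_REPLY = ETH_HDR.pack(PROBER_MAC, TARGET_MAC, ETH_P_ARP) + ARP_HDR.pack(
    1, 0x0800, 6, 4, 2, TARGET_MAC, socket.inet_aton("192.168.0.10"),
    PROBER_MAC, socket.inet_aton("192.168.0.50"))

if __name__ == "__main__":
    import sys
    ifname, me, suspect = sys.argv[1:4]     # e.g. eth0 192.168.0.50 192.168.0.10
    print(suspect, classify(suspect, probe(ifname, me, suspect)))
```

Sweep a subnet by calling probe() once per address; anything that answers a frame addressed to ff:ff:ff:ff:ff:fe deserves a closer look. Note that the sniffer box described in this thread would appear in the "silent" column even with its NIC wide open, which is exactly the point of leaving the interface without an address.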
05-24-2006, 08:43 AM | #8 | stakhous (Original Poster)
Member | Registered: May 2003 | Location: PA | Posts: 82
Great link, pljvaldez, I read the entire article.
And thanks, unixfool. I have experience with Snort, so after work I'm going to set it up and see what I can do with an IP-less NIC. You have been much help.
Stakhous
05-24-2006, 09:29 AM | #9
Member | Registered: May 2004 | Location: Atlanta, GA USA | Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix | Posts: 155
Ethereal is passive. If your NIC is in passive promiscuous mode, you won't get an IP address. A good idea would be to have two NICs: one is your remote access into the box via SSH and the other is the passive sniffer on the targeted network.
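A check for the two-interface layout described above, as an added example that is not from the thread. The easy mistake on a current Linux box is an interface that is up and promiscuous but not really address-less: the kernel gives every interface it brings up an IPv6 link-local address (fe80::/64) and immediately sends MLD reports and neighbour solicitations from it, which is exactly the chatter a passive sensor must not produce; the same applies if a DHCP client or NetworkManager is still allowed to manage the sniff port. The intended setup, in order, is: ip addr flush dev eth1; sysctl -w net.ipv6.conf.eth1.disable_ipv6=1; ip link set dev eth1 up promisc on. The audit below reads the JSON that iproute2 prints for "ip -j addr show" together with the disable_ipv6 sysctl. The names eth0 (management, SSH) and eth1 (sniff) and the two sample outputs are constructed assumptions; audit_live() needs iproute2 with JSON support, audit() itself runs anywhere.

```python
# Added example: verify the sniff NIC is really address-less and the management NIC
# is not. Assumptions: Linux with iproute2 JSON output (ip -j), names eth0 (mgmt)
# and eth1 (sniff); both sample outputs are constructed. Not code from the thread.
import json
import subprocess


def audit(ip_addr_json: str, sniff_if: str, mgmt_if: str, ipv6_disabled: bool) -> list:
    """Findings for the two-NIC sensor layout; an empty list means it is as intended."""
    links = {entry["ifname"]: entry for entry in json.loads(ip_addr_json)}
    findings = []
    sn = links.get(sniff_if)
    if sn is None:
        return [f"{sniff_if}: interface not present"]
    flags = sn.get("flags", [])
    if "UP" not in flags:
        findings.append(f"{sniff_if}: link is down, it receives nothing")
    if "PROMISC" not in flags:
        findings.append(f"{sniff_if}: not promiscuous, only its own and broadcast frames are seen")
    for a in sn.get("addr_info", []):   # any address, v4 or v6, makes the NIC reachable and chatty
        findings.append(f"{sniff_if}: has {a['family']} address {a['local']}/{a['prefixlen']} "
                        f"({a.get('scope', '?')} scope), so it can be addressed and will transmit")
    if not ipv6_disabled:
        findings.append(f"{sniff_if}: IPv6 enabled, kernel will (re)add fe80::/64 and send MLD/NDP")
    mg = links.get(mgmt_if)
    if mg is None or not any(a["family"] == "inet" for a in mg.get("addr_info", [])):
        findings.append(f"{mgmt_if}: no IPv4 address, SSH management would be lost")
    return findings


def read_ipv6_disabled(ifname: str) -> bool:
    with open(f"/proc/sys/net/ipv6/conf/{ifname}/disable_ipv6") as fh:
        return fh.read().strip() == "1"


def audit_live(sniff_if: str = "eth1", mgmt_if: str = "eth0") -> list:
    out = subprocess.run(["ip", "-j", "addr", "show"], check=True,
                         capture_output=True, text=True).stdout
    return audit(out, sniff_if, mgmt_if, read_ipv6_disabled(sniff_if))


# Constructed "ip -j addr show" output: the intended layout
SAMPLE_CLEAN = json.dumps([
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"], "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "10.150.1.103", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "operstate": "UP", "addr_info": []},
])
# Constructed: same box, but eth1 kept the link-local address the kernel assigned on "up"
SAMPLE_LEAKY = json.dumps([
    json.loads(SAMPLE_CLEAN)[0],
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "operstate": "UP",
     "addr_info": [{"family": "inet6", "local": "fe80::290:feff:fe05:cca", "prefixlen": 64,
                    "scope": "link"}]},
])

if __name__ == "__main__":
    for line in audit_live() or ["ok: sniff interface silent, management reachable"]:
        print(line)
```

Run it after the setup commands and again after a reboot or a network-service restart, since distribution tooling that "helpfully" reconfigures interfaces is the usual way a silent sensor starts talking again.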