catkin
07-30-2009 01:47 AM
Quote:
Originally Posted by crackpipe
(Post 3625074)
What I don't understand is catkin's comment. It seems that if a host is granted DHCP interaction, some port has to be open to allow DHCP, and so it has to be detectable on the LAN. Further, it appears that a malicious squatter on the LAN that did not have an IP assigned by the router would seem to be unable to monitor traffic on the LAN. That is, could a stealth node attach itself to the LAN, not receive an IP, open its NIC to promiscuous mode, sniff all traffic, and take away information? If so, how do we detect such a squatting laptop, in addition to DHCP hosts? Does this make sense?
|
Of course it must open the necessary ports to get the DHCP lease but it could stealth all ports after that.
Edit:
The second scenario, of simply connecting to the LAN with the network adapter in promiscuous mode and sniffing all packets, would only be effective if it were not connected to a switch. A switch would only send IP packets associated with the computer's MAC address.
Thus network probes would not find a stealthed computer that had got an IP by DHCP and the stealthed computer would only be detectable by appearance in the DHCP server's lease list or by analysing all traffic looking for traffic to an IP that ought not be in use. To circumvent this, a malicious person could simply configure an IP address without using DHCP, hoping it is unused. Their chances of success would be <number of IP addresses on the LAN used> divided by <number of IP addresses in the LAN range>, probably a little better guessing that local conventions tend to use the top and bottom of the range for particular purposes, e.g. servers at the bottom and network devices at the top.
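The two detection routes mentioned in the post above (the DHCP server's lease list, and an IP in use that ought not to be), sketched as an added example that is not part of the original thread. It assumes ISC dhcpd `dhcpd.leases` syntax, Linux `ip neigh` output captured on the gateway, and a hand-maintained inventory; all sample data and names are constructed.

```python
import re

# Constructed sample data (assumed formats: ISC dhcpd.leases and `ip neigh`).
LEASES = """\
lease 192.168.1.101 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:01;
}
lease 192.168.1.102 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:99;
}
"""
NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:16:3e:aa:00:10 REACHABLE
192.168.1.101 dev eth0 lladdr 00:16:3e:aa:00:01 STALE
192.168.1.102 dev eth0 lladdr 00:16:3e:aa:00:99 REACHABLE
192.168.1.77 dev eth0 lladdr 00:16:3e:aa:00:77 REACHABLE
"""
# Hypothetical inventory: MAC -> static IP, or None for a known DHCP client.
INVENTORY = {"00:16:3e:aa:00:10": "192.168.1.10", "00:16:3e:aa:00:01": None}

def parse_leases(text):
    """Return {ip: mac} for active leases."""
    leases = {}
    for ip, body in re.findall(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        if mac and re.search(r"^\s*binding state active;", body, re.M):
            leases[ip] = mac.group(1).lower()
    return leases

def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a link-layer address."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            seen[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return seen

def audit(leases, neigh, inventory):
    """Flag leases held by unknown MACs and IPs in use with no lease or static entry."""
    findings = []
    for ip, mac in sorted(leases.items()):
        if mac not in inventory:
            findings.append(("unknown-mac-with-lease", ip, mac))
    for ip, mac in sorted(neigh.items()):
        if ip not in leases and inventory.get(mac) != ip:
            findings.append(("ip-in-use-without-lease", ip, mac))
    return findings
```

The neighbour table only lists hosts the gateway has exchanged traffic with, so a node that never transmits will not appear in it.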