• Subject: Re: AS/400 on alt.hacker
• From: Jim Langston <jlangston@xxxxxxxxxxxxxxxx>
• Date: Wed, 22 Sep 1999 14:44:23 -0700
• Organization: Conex Global Logistics Services, Inc.

Yes, but the main way it does it is by sending ping packets and waiting for
replies, then spamming the network and sending ping packets and waiting
for replies, and comparing the difference in times.

The theory being that if a machine is listening to all traffic, the spamming of
the network will slow it down enough to make a noticeable difference in the
ping replies, which I'm sure it does.

But, consider this, who says I have to have my machine reply to pings?
With a little hacking of winsock, or whichever TCP/IP stack you are using,
I can have my machine ignore all requests sent to it, just process them.
Ignore pings and don't do DNS lookups on the IP addresses and I'm
basically invisible on the wire.

The other steps involve looking at idiosyncrasies with Linux and Windows
on how they look at certain packets (specifically, broadcasts for Windows
and IP packets for Linux), but if I am ignoring those too, you aren't going
to see me.

This will work, though, for a machine that must be "present" on the network,
a production machine, or what not.  This would detect someone who had
a sniffer on their machine and they didn't know about it.

But, another consideration, if I know this sniffer sniffer is out there, what I'm
going to do in any sniffer I write (which I wouldn't) is put a delay in any
PING requests I get. Make it so I'm always replying in 200 ms, or whatever
I choose as a good number.  When I start getting flooded, I don't wait as long
in my replies, so I'm still waiting 200 ms.

But, as I said, it would work for most of the sniffers currently in use today; it's
just a matter of measure and countermeasure.

Regards,

Jim Langston
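
The latency test described in the message above, written out as an added example (not code from the thread, from the list, or from the AntiSniff tool): ping round-trip times for each host are sampled with the segment idle and again while the segment is flooded, and a host whose replies slow down markedly under load is flagged. The host names, the RTT values and the two thresholds are constructed assumptions. It also covers the two cases the message says the test cannot see: a host that never answers echo requests, and one that pads every reply to a fixed delay.

```python
"""Latency-based promiscuous-mode check, simulated on constructed samples.

Added example, not code from the mailing-list thread or from AntiSniff.
Host names, RTT values and thresholds are constructed/assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import median


@dataclass
class HostSample:
    host: str
    quiet_rtts_ms: list[float] = field(default_factory=list)    # segment idle
    flooded_rtts_ms: list[float] = field(default_factory=list)  # segment saturated


def rtt_ratio(sample: HostSample) -> float | None:
    """Median flooded RTT divided by median quiet RTT; None if a series is empty.

    Medians are used so that one dropped or delayed echo does not dominate.
    """
    if not sample.quiet_rtts_ms or not sample.flooded_rtts_ms:
        return None
    return median(sample.flooded_rtts_ms) / median(sample.quiet_rtts_ms)


def classify(sample: HostSample, ratio_threshold: float = 3.0,
             min_delta_ms: float = 20.0) -> str:
    """Label one host from its quiet and flooded RTT series.

    A host whose stack inspects every frame on a flooded segment spends CPU
    on traffic its NIC would normally discard, so its echo replies arrive
    later.  Both a relative (ratio) and an absolute (delta) threshold must be
    exceeded, so ordinary jitter on a sub-millisecond LAN is not flagged.
    The threshold values are assumptions, not AntiSniff's.
    """
    ratio = rtt_ratio(sample)
    if ratio is None:
        return "no-data"  # host ignores echo requests: nothing to measure
    delta = median(sample.flooded_rtts_ms) - median(sample.quiet_rtts_ms)
    if ratio >= ratio_threshold and delta >= min_delta_ms:
        return "suspect-promiscuous"
    return "normal"


def run_check(samples: list[HostSample]) -> dict[str, str]:
    """Verdict per host name."""
    return {s.host: classify(s) for s in samples}


# Constructed measurements in milliseconds, not real captures.
SAMPLES = [
    # Ordinary host: replies barely change under load.
    HostSample("host-a", [1.0, 1.1, 0.9, 1.2, 1.0], [1.3, 1.2, 1.4, 1.1, 1.3]),
    # Host processing every frame: replies slow down markedly under load.
    HostSample("host-b", [1.0, 1.1, 0.9, 1.2, 1.0], [45.0, 52.0, 48.0, 60.0, 50.0]),
    # Host that pads every reply to a fixed 200 ms (the countermeasure the
    # post describes): the ratio stays near 1, so this check cannot see it.
    HostSample("host-c", [200.0, 201.0, 199.0, 200.0, 200.0],
               [200.0, 200.0, 201.0, 199.0, 200.0]),
    # Host that never answers echo requests: no series, no verdict.
    HostSample("host-d"),
]

if __name__ == "__main__":
    for host, verdict in run_check(SAMPLES).items():
        print(f"{host}: {verdict}")
```

The two silent verdicts are the point of the "measure and countermeasure" remark: `host-c` is labelled normal and `host-d` yields no data at all, so this test only tells you something about hosts that must answer on the segment, which is exactly the production-machine case the message says it is good for.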

Bob Crothers wrote:

> From what I understood, they are searching the ethernet segment for
> cards that are in promiscuous mode.  Eg: cards that receive ALL
> traffic...not just what is being sent to that card.
>
> If the card is not in promiscuous mode, then it won't see all of the
> traffic.  If it doesn't see all of the traffic, then it can't "sniff".
>
> Doesn't have much to do with the sophistication of the sniffer
> program.  Unless you are actually going direct to the
> hardware...perhaps then, you could fool it.  But that would be a LOT
> of work.
>
> BTW, this only looks at stuff on your local network....not the rest of
> the Internet.
>
> Bob
>
> -----Original Message-----
> From:   Jim Langston [SMTP:jlangston@conexfreight.com]
> Sent:   Wednesday, September 22, 1999 1:34 PM
> To:     MIDRANGE-L@midrange.com
> Subject:        Re: AS/400 on alt.hacker
>
> Reading on the details, it seems that this program would work from
> "standard" packet sniffers.  That is, the ones written now.
>
> Could one be written to sniff and not be detected? Yes, I could think
> of two ways to do it, but both would take a little bit of knowledge.
>
> But I see how this would work on an unsophisticated packet sniffer program,
> which most are, it would seem.
>
> Regards,
>
> Jim Langston
>
> Jason Kleinemas wrote:
>
> > A packet sniffer itself is passive, but to sniff packets your network
> > interface card (NIC) has to be put into a promiscuous mode. Normally
> > your NIC is in passive mode, meaning it only accepts packets that are
> > for your computer. Putting the NIC in a promiscuous mode you get all the
> > packets that pass through that wire. Antisniff will query the NICs in
> > the range you give it and tell you if they're set to promiscuous mode.
> >
> > Jim Langston wrote:
> > >
> > > Sounds surpassingly like a trojan to me.
> > >
> > > A packet sniffer is passive, isn't it?  It just listens for all packets and then
> > > it translates them.  I don't think it has to do anything on the network to do
> > > this, so I think it would be undetectable.
> > >
> > > Regards,
> > >
> > > Jim Langston
> > >
> > > Chuck Lewis wrote:
> > >
> > > > OK Mr. Tricky Guy :-) just kidding !
> > > >
> > > > What about Antisniff at  http://www.l0pht.com/ which says it can "detect
> > > > intruders who have installed "packet sniffers" on a network and are monitoring
> > > > network traffic" ???
> > > >
> > > > Chuck
> > > >
> > > > Ed Davidson wrote:
> > > >
> > > > > You forget, these are computers.  We can tell them to do something and leave
> > > > > them for days/months/years at a time to accomplish the task.
> > > > >
> > > > > You can have packet capture software capture what you specify.  Do I want a
> > > > > password for JoeBlow?  Tell the software to only capture packets with
> > > > > JoeBlow in them, and then capture all packets from/to JoeBlow's computer.
> > > > > Save the data to disk.  When I come back to my computer, do a find over the
> > > > > packets for the word JoeBlow.  You can kinda tell if the packet is a signon
> > > > > packet.   If it is, the password is in the same packet just under the signon
> > > > > code.
> > > > >
> > > > > Specify just to capture packets going to a specific IP address, at port 20,
> > > > > 21, 25, and 110.  Passwords are sent in the clear on these ports.
> > > > >
> > > > > The question isn't if you will be hacked, the question is will the hacker
> > > > > get in?   My site gets about 44k hits a week, about 1000 unique visitors.
> > > > > Very small by internet standards.  About every other day there is someone
> > > > > trying to do something to my internet server that they shouldn't.
> > > > >
> > > > > This information is available all over the internet.  Anyone looking for a
> > > > > thrill can find it and cause damage to someone.
> > > > >
> > > > > +---
> > > > > | This is the Midrange System Mailing List!
> > > > > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > > > > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > > > > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > > > > | Questions should be directed to the list owner/operator: david@midrange.com
> > > > > +---
> > > >
> > >
> >
> > --
> > Jason Kleinemas
> >
> > Programmer/Analyst
> >
> > Medcenter One
> > Information Services
> > 300 N 7th St. P.O. Box 5525
> > Bismarck ND 58506-5525  USA
> >
> > ICQ #: 7834507
> >  Work: 701-323-6862
>
