Methods:
The DNS Test
Status: Completed
In this method we create numerous fake TCP connections on our
network segment, addressed to IP addresses that belong to no real host.
A poorly written sniffer that reverse-resolves the addresses it logs will
pick up those connections and issue DNS (PTR) queries for the nonexistent
hosts. Sentinel sniffs for those DNS requests and checks whether the target
is the one asking for resolution of a nonexistent host; only a process
watching our decoy traffic could have learned those addresses. A sniffer
that has name resolution switched off is not caught by this test.
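As an added illustration (not Sentinel's code or anything from the original page), the Python below builds the list of reverse-lookup names our decoy addresses would produce, constructs a sample DNS PTR query as the target's stub resolver would send it, and applies the check Sentinel's sniffer has to make on each captured packet: is the source the target, and is the queried name one of our nonexistent hosts? The target, resolver and decoy network addresses are assumptions for the example; generating the decoy TCP connections and capturing live traffic are not shown, the "sniffed" packet is constructed in place.

```python
import ipaddress
import struct

# Constructed scenario; these addresses are assumptions, not values from the Sentinel page.
TARGET_IP = "192.0.2.10"                           # host suspected of sniffing
RESOLVER_IP = "192.0.2.1"                          # the DNS server the target would ask
FAKE_NET = ipaddress.ip_network("192.0.2.128/28")  # nonexistent hosts our decoy connections go to


def expected_ptr_names(network=FAKE_NET):
    """Reverse-lookup names a sniffer would query for each decoy address we 'connect' to."""
    return {ipaddress.ip_address(h).reverse_pointer for h in network.hosts()}


def build_dns_query(qname, qtype=12, txid=0x1234):
    """Encode a one-question DNS query (qtype 12 = PTR, class IN), as a stub resolver would."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT 1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload):
    """Return (qname, qtype) of the first question of a DNS query, or None for anything else."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:   # QR=1 is a response; we only care about queries
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        n, off = payload[off], off + 1
        if n == 0:
            break
        if n & 0xC0:                     # compression pointer: not expected in a fresh query
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return ".".join(labels), qtype


def inet_checksum(data):
    """RFC 1071 ones-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP datagram carrying payload (UDP checksum left 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    p = ipaddress.ip_address
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      p(src).packed, p(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + udp


def decode_ipv4_udp(packet):
    """Return (src, dst, dport, udp_payload) for a sane IPv4/UDP packet, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0 or packet[9] != 17:   # bad header sum or not UDP
        return None
    src, dst = (str(ipaddress.ip_address(packet[i:i + 4])) for i in (12, 16))
    _sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return src, dst, dport, packet[ihl + 8:ihl + ulen]


def is_sniffer_lookup(packet, expected=None, target=TARGET_IP):
    """True when packet is the target asking its resolver for the PTR name of a decoy host,
    which only a process watching our decoy traffic could have learned."""
    expected = expected_ptr_names() if expected is None else expected
    decoded = decode_ipv4_udp(packet)
    if decoded is None:
        return False
    src, _dst, dport, payload = decoded
    if src != target or dport != 53:
        return False
    question = parse_dns_question(payload)
    return question is not None and question[1] == 12 and question[0] in expected


if __name__ == "__main__":
    # Constructed sample: the target reverse-resolving one of our decoy addresses.
    query = build_dns_query(ipaddress.ip_address("192.0.2.130").reverse_pointer)
    sniffed = build_ipv4_udp(TARGET_IP, RESOLVER_IP, 40000, 53, query)
    print("sniffer detected on", TARGET_IP, ":", is_sniffer_lookup(sniffed))
```

The check is deliberately narrow: the source must be the target, the destination port must be 53, and the question must be a PTR for one of the decoy addresses. A PTR query from any other host, or a lookup for a real name, is ignored, which keeps ordinary resolver traffic on the segment from producing false alarms.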
The Etherping Test
Status: Completed
This method relies on a flaw in the target machine's kernel.
We send an ICMP echo request to the target with the correct destination
IP address but a bogus destination hardware (MAC) address. Most systems
never see this packet, because the network interface filters out frames
that are not addressed to its own MAC address; some Linux, NetBSD and NT
systems in promiscuous mode, however, accept the frame off the wire as a
legitimate packet, pass it up the IP stack and respond. If the target
replies to our request, we know it is in promiscuous mode. A kernel that
checks the frame's destination address before handing it to IP stays silent
even while sniffing, so the absence of a reply is not proof that no sniffer
is running.
The Arp Test
Status: Completed
This method sends an ARP request for our target with all fields valid
except a bogus destination hardware address in the Ethernet frame, neither
the target's own MAC nor the broadcast address. A machine that is not in
promiscuous mode never sees the packet, since its interface discards frames
that are not destined to it, and therefore cannot reply. A machine in
promiscuous mode receives the ARP request, the kernel processes it and
sends an ARP reply. A reply thus tells us the machine is in promiscuous
mode, and the reply's sender hardware address also reveals the target's
real MAC, which should be compared with the bogus one to confirm the probe
was not accidentally addressed correctly.
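As an added example (not Sentinel's source or anything from the original page), the Python below builds both probe frames described above, the Etherping echo request and the ARP request, each carrying a correct IP-level target but a made-up destination MAC, and classifies a captured frame as the target's reply to one of them. The MAC and IP addresses are assumptions for the example; send_probe shows the Linux raw-socket send/receive loop and needs CAP_NET_RAW, while everything else runs offline on frames constructed in the same way.

```python
import ipaddress
import socket
import struct
import time

# Constructed scenario; these addresses are assumptions, not values from the Sentinel page.
OUR_MAC = bytes.fromhex("02000000aa01")    # our own interface (made-up, locally administered)
OUR_IP = "192.0.2.5"
TARGET_IP = "192.0.2.10"                   # host suspected of sniffing
BOGUS_MAC = bytes.fromhex("02000000dead")  # unicast address that no host on the segment owns
ETH_IP, ETH_ARP = 0x0800, 0x0806
PROBE_ID = 0x5e11                          # ICMP identifier so we recognise our own echo reply

def inet_checksum(data):
    """RFC 1071 ones-complement sum (IPv4 header and ICMP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ether(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_packet(op, sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP body: op 1 = request, 2 = reply."""
    p = ipaddress.ip_address
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, op, sha, p(spa).packed, tha, p(tpa).packed)

def icmp_packet(typ, ident, seq, data=b"sentinel"):
    """ICMP echo request (type 8) or reply (type 0) with its checksum filled in."""
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def ipv4_packet(src, dst, proto, payload):
    p = ipaddress.ip_address
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      p(src).packed, p(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def arp_probe(bogus_dst=BOGUS_MAC):
    """ARP test: a valid who-has for TARGET_IP inside a frame addressed to a MAC nobody owns."""
    return ether(bogus_dst, OUR_MAC, ETH_ARP, arp_packet(1, OUR_MAC, OUR_IP, b"\x00" * 6, TARGET_IP))

def etherping_probe(bogus_dst=BOGUS_MAC, seq=1):
    """Etherping test: echo request with the correct destination IP but a bogus destination MAC."""
    icmp = icmp_packet(8, PROBE_ID, seq)
    return ether(bogus_dst, OUR_MAC, ETH_IP, ipv4_packet(OUR_IP, TARGET_IP, 1, icmp))

def classify_reply(frame):
    """('arp', sender_mac) or ('echo', sender_mac) if frame is the target answering a probe, else None."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst != OUR_MAC:                       # also skips our own outgoing probe frames
        return None
    body = frame[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        op, sha, spa, tha, _tpa = struct.unpack("!H6s4s6s4s", body[6:28])
        if op == 2 and str(ipaddress.ip_address(spa)) == TARGET_IP and tha == OUR_MAC:
            return ("arp", sha)
    elif ethertype == ETH_IP and len(body) >= 28:
        ihl = (body[0] & 0x0F) * 4
        if body[9] != 1 or str(ipaddress.ip_address(body[12:16])) != TARGET_IP:
            return None
        icmp = body[ihl:]
        if len(icmp) >= 8 and inet_checksum(icmp) == 0:      # ICMP checksum verifies
            typ, _code, _sum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
            if typ == 0 and ident == PROBE_ID:
                return ("echo", src)
    return None

def is_promiscuous(frame, probe_dst=BOGUS_MAC):
    """A reply to a frame the target's NIC should have filtered means promiscuous mode.
    The reply reveals the target's real MAC: if it equals the address we probed with, the
    frame was delivered normally and proves nothing; a broadcast probe proves nothing either."""
    reply = classify_reply(frame)
    return reply is not None and probe_dst != b"\xff" * 6 and reply[1] != probe_dst

def send_probe(frame, iface, timeout=2.0):
    """Linux only: transmit frame with an AF_PACKET raw socket (needs CAP_NET_RAW) and
    return the first classified reply seen within timeout, or None."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    s.bind((iface, 0))
    s.settimeout(timeout)
    deadline = time.monotonic() + timeout
    try:
        s.send(frame)
        while time.monotonic() < deadline:
            reply = classify_reply(s.recv(65535))
            if reply is not None:
                return reply
    except socket.timeout:
        pass
    finally:
        s.close()
    return None
```

Choose the bogus address deliberately: a unicast value exercises exactly the kernel behaviour the two tests describe, whereas an address with the group (multicast) bit set can be accepted as multicast by a stack whose interface is in all-multicast mode without being promiscuous, which would turn a reply into a false positive. Comparing the replying MAC against the probed one, as is_promiscuous does, also catches the case where a guessed "bogus" address happened to be the target's real one.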
The ICMP Ping Latency Test
Status: Under Development
In this method we ping the target and note the round-trip time
(RTT). We then generate hundreds of fake TCP connections on our network
segment as fast as we can, expecting a sniffer to be busy processing those
packets, so that the target machine's network latency increases. We ping
the target once again and compare this RTT with the first. After a series
of tests and averaging, we can conclude whether or not a sniffer is indeed
running on the target. The result is statistical rather than definitive:
the flood can also slow a host that is not sniffing, so the comparison
should be repeated and judged against a baseline, not from a single pair
of pings.