Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
November 01, 1999

AntiSniff Beta 2

Packet sniffers are valuable tools that can offer great insight into what's transpiring on your network. With a packet sniffer in action on a Windows NT network, you can easily watch all user authentication requests and capture that data for later analysis. By the same token, a network intruder can gather that information and use it to penetrate network security.

Packet sniffers operate in promiscuous mode and are difficult to detect without specialized tools. L0pht Heavy Industries' AntiSniff Beta 2 is just such a tool: a product that can detect packet sniffers listening on a network, and a good addition to anyone's security toolkit.

How it Works
Packet sniffer detection isn't new, but AntiSniff is unique because it runs on NT. The product exploits a variety of idiosyncrasies in the way the OS handles TCP/IP packets, relying on three test categories: OS-specific, DNS, and network latency.

With OS-specific tests, AntiSniff exploits the way NT handles packets: it sends a packet to the system using the Ethernet destination address FF:00:00:00:00:00 and the IP destination address of the system you want to check. A network card that isn't in promiscuous mode ignores a frame that isn't addressed to it, but when a card is operating in promiscuous mode in NT, the system responds to the packet AntiSniff sent, revealing that a packet sniffer might be active on the system.
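The following is an added model of the OS-specific test described above; it is not AntiSniff's code and sends nothing on the wire. It assumes the usual Ethernet receive filter (own unicast address, the all-ones broadcast address, and any multicast addresses the driver has subscribed to) and shows why a frame to FF:00:00:00:00:00 carrying the host's own IP address is answered only when the card is passing every frame up to the IP stack.

```python
# Added example (not AntiSniff's code): models why a frame addressed to Ethernet
# FF:00:00:00:00:00 with the target's own IP flags a promiscuous host.
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _is_group_address(mac: str) -> bool:
    """Ethernet marks multicast/group addresses with the low bit of the first octet.
    FF:00:00:00:00:00 has that bit set but is NOT the broadcast address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def nic_accepts(frame_dst_mac: str, nic_mac: str, promiscuous: bool,
                multicast_filter=()) -> bool:
    """Receive filter: does the card pass this frame up to the IP stack?
    Assumption: a non-promiscuous card accepts only its own unicast address,
    the broadcast address and subscribed multicast addresses."""
    if promiscuous:
        return True  # every frame on the segment is captured
    dst = frame_dst_mac.lower()
    if dst == nic_mac.lower() or dst == BROADCAST:
        return True
    subscribed = {m.lower() for m in multicast_filter}
    return _is_group_address(dst) and dst in subscribed


def host_replies(frame_dst_mac: str, frame_dst_ip: str, nic_mac: str,
                 host_ip: str, promiscuous: bool) -> bool:
    """The host answers only if the card delivered the frame AND the IP stack
    sees its own address as the destination."""
    if not nic_accepts(frame_dst_mac, nic_mac, promiscuous):
        return False
    return frame_dst_ip == host_ip


def antisniff_os_test(nic_mac: str, host_ip: str, promiscuous: bool) -> bool:
    """The probe from the review: bogus Ethernet address, correct IP address.
    True means the host answered a frame it should have ignored."""
    return host_replies("FF:00:00:00:00:00", host_ip, nic_mac, host_ip, promiscuous)


if __name__ == "__main__":
    # Constructed sample host: MAC and IP are placeholders, not real systems.
    for mode in (False, True):
        answered = antisniff_os_test("00:a0:c9:11:22:33", "10.0.0.5", mode)
        print(f"promiscuous={mode}: host replied={answered}")
```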

For its DNS tests, AntiSniff puts itself in promiscuous mode and sends a packet out on the network using a predetermined IP address in the packet header. If a packet sniffer is listening on the network and configured—as some are—to perform reverse DNS lookups for the packets it captures, then the system running the packet sniffer will transmit a reverse DNS lookup request for the IP address in the packet AntiSniff sent. The product captures that particular action (the reverse DNS lookup), tricking the packet sniffer into revealing itself on the network.

AntiSniff's network-latency tests detect a system operating a network card in promiscuous mode by flooding a system with illegitimate traffic. When a system's network card is in promiscuous mode, the card captures every packet that travels across the network, so the system will experience a performance degradation when network traffic levels reach a certain point. During the packet flood, AntiSniff transmits timing packets that help gauge overall response times, which the product then uses to determine whether a machine is experiencing a heavy load and might, therefore, have a network card operating in promiscuous mode.

AntiSniff in Action
I tested AntiSniff on a PC running NT 4.0 Workstation using an Intel EtherExpress network card. Installation was easy. After downloading the package, unzipping the files into a directory, and creating a shortcut on the desktop, I was ready for action.

Screen 1 shows the product's tabbed user interface. The Network Configuration tab is where you define the IP address range to scan and specify the parameters AntiSniff should use to build the packets it transmits during its detection work. The Scanner Configuration tab lets you choose which of the three test categories to use during detection (I used all three for my review). The Scanner Configuration tab also provides options for scheduling regular scans and writing the output to log files. The Scan Progress tab reveals details about the scan while it is in progress. Once a scan completes, you can review the results on the Report tab. AntiSniff also lets you configure email and audio alerts, although the current product supports only Messaging API (MAPI)-based email.

After I read up on how the product works, performing a scan with AntiSniff wasn't difficult. The beta version I tested didn't have online help, but L0pht provides help in a text-based Readme file that comes with the package, and the company provides ample documentation on its Web site.

One thing I noticed about AntiSniff was that it can place a significant burden both on the machine it runs on and on the network itself. During packet-flooding tests, my NT workstation slowed to a crawl. Another thing I noticed was that, as with general security scanners, packet-sniffer scans with AntiSniff take varying amounts of time, depending on the configuration settings. For example, AntiSniff let me adjust the number of packets transmitted for the ICMP Time Delta and Ping Drop tests; I used the default settings of 10 and 200, respectively. With the default settings, scanning one machine with AntiSniff took approximately 4 minutes from my test workstation.

AntiSniff has some limitations. Because switched-network traffic isn't visible on all network segments, the product can't detect systems operating a network card in promiscuous mode on other switched segments. Also, you should be aware that one-off network-latency tests are not 100 percent accurate in detecting sniffers. Any number of situations can cause a system to experience network latency, so tests of this type are more valuable when you compare results from several scans to determine the average latency for a given machine.
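The network-latency test described earlier, together with the caveat just given about one-off results, as an added example that is not part of the original review or the product: it compares the round-trip times of timing packets sent at rest and during the flood, and flags a host only when the slowdown averaged over several scans crosses a threshold, so a single noisy scan does not by itself produce a false positive. All timings and host names are constructed sample data, and the 3x threshold is an assumption.

```python
from statistics import mean

# Constructed sample data (not real measurements): per-scan round-trip times in
# milliseconds for timing packets sent before ("baseline") and during ("flood")
# the packet flood, for three scans of each host.
SCANS = {
    "quiet-host": [
        {"baseline": [0.9, 1.0, 1.1, 0.9], "flood": [1.0, 1.2, 1.1, 1.0]},
        {"baseline": [1.0, 0.9, 1.0, 1.1], "flood": [1.1, 1.0, 1.2, 1.1]},
        # one-off spike: something else loaded the host during this scan
        {"baseline": [0.9, 1.0, 1.0, 0.9], "flood": [4.5, 5.0, 5.5, 5.0]},
    ],
    "suspect-host": [
        {"baseline": [1.0, 1.1, 1.0, 0.9], "flood": [6.0, 7.0, 6.5, 6.0]},
        {"baseline": [1.0, 1.0, 1.1, 1.0], "flood": [6.5, 7.0, 7.5, 6.0]},
        {"baseline": [0.9, 1.0, 1.0, 1.1], "flood": [5.5, 6.0, 6.5, 6.0]},
    ],
}

THRESHOLD = 3.0  # assumed: flood RTT at least 3x the resting RTT counts as loaded


def slowdown(scan: dict) -> float:
    """Ratio of mean RTT under flood to mean RTT at rest for one scan."""
    return mean(scan["flood"]) / mean(scan["baseline"])


def flag_single_scan(scan: dict, threshold: float = THRESHOLD) -> bool:
    """The naive one-off decision the review warns about."""
    return slowdown(scan) >= threshold


def flag_averaged(scans: list, threshold: float = THRESHOLD) -> bool:
    """Average the slowdown over several scans of the same host before deciding,
    as the review recommends; a single spike is diluted by the quiet scans."""
    return mean(slowdown(s) for s in scans) >= threshold


def classify(all_scans: dict, threshold: float = THRESHOLD) -> dict:
    """Map each host to True (likely promiscuous/loaded) or False."""
    return {host: flag_averaged(s, threshold) for host, s in all_scans.items()}


if __name__ == "__main__":
    for host, scans in SCANS.items():
        ratios = ", ".join(f"{slowdown(s):.1f}x" for s in scans)
        print(f"{host}: per-scan slowdown {ratios}; flagged={flag_averaged(scans)}")
```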

There are ways of operating a packet sniffer undetectably, and you can rest assured that the best intruders are aware of these methods. You should assume that the sniffers AntiSniff does identify are rogue packet sniffers run by less-experienced intruders, not that a clean result means no sniffer is present.

Good Stuff
AntiSniff is a pretty slick tool. It isn't a catch-all, but it is, as I mentioned, a great tool to have in your security toolkit. If you've never used a packet sniffer detection tool before, or if you want to get your hands on one designed specifically for NT, I recommend that you take a close look at AntiSniff.

Note: L0pht Heavy Industries released AntiSniff 1.01 after Mark Edwards wrote this review.

AntiSniff Beta 2
Contact: L0pht Heavy Industries
Web: http://www.l0pht.com
Price: $350 per licensed machine
System Requirements: Windows NT 4.0

Reader Comments
good job!!

yuki July 01, 2004


Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc.