Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
If it's switched then someone's going to be sending out ARP storms to make your interface think it's talking to something that it's not, so perhaps get some sort of traffic analysis tool (i.e. tcpdump) and see where all the faked ARP responses are coming from and go from there ...
Download Ettercap, configure and install, then run:
# ./configure
# make
# make install
# make complete_install
Start ettercap; when ettercap loads (press "h" for help) you will see that by pressing "c" ettercap will look for any ARP cache poisoners (switch sniffers) on your network.
By definition, sniffers are passive (they "sniff" the traffic as it passes by). There's no way to detect that. Now, as has been mentioned, on a switched network traffic is not normally echoed to every port, so in order to see any "good stuff" with a sniffer you somehow have to trick the switch into echoing traffic to all ports (or at least the port your sniffer is on). This is usually accomplished by ARP poisoning/flooding, which is pretty obvious if you're looking for it. Basically an ARP flooding attack will fill up the switch's memory with too many ARP table entries, so it will revert to "dumb" hub mode, i.e. all traffic echoed to all ports.
A well-configured IDS would probably give you the information you'd like.
One that seems good is snort, www.snort.org
I haven't set up snort myself yet so I can't help with that.
I don't really see how an IDS could help you to see if your traffic is being intercepted. Is there some way that an IDS can detect ARP poisoning? Switched nets are more protected from sniffing than others, but it IS possible to sniff if you really want to.
Quote:
Start ettercap; when ettercap loads (press "h" for help) you will see that by pressing "c" ettercap will look for any ARP cache poisoners (switch sniffers) on your network.
If you do this and you're still paranoid that you are being watched, use some encryption. PGP your email and SSH your network connections. Most recreational sniffers are probably just filtering for hotmail passwords anyway.
Since it has not already been mentioned: you can also look for network interfaces that are running in promiscuous mode. Promiscuous mode interfaces are listening to everything on the network. They are fairly easy to spot; a search on Google will quite happily turn up the necessary tools.
EDIT: Also, before you have fun with Ettercap, realise two things (that at least previously applied, if they do not now...): that Ettercap has to run as root and has previously had remotely exploitable vulnerabilities, and that Ettercap is one of those pieces of software that "trigger-happy" network admins will quite happily ban you for using on their network. As another point, if Ettercap still requires root privileges (it will for ARP manipulation, RAW sockets, etc.) do you have root in the college lab?
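The post above suggests checking for interfaces in promiscuous mode. The following script is an added example written for this thread, not code from any poster or from the Ettercap project; it performs that check on a Linux host you administer, first by reading the interface flags the kernel exposes under /sys/class/net/<iface>/flags (IFF_PROMISC is 0x100 in <linux/if.h>) and second by parsing the flag list in `ip link show` output. The sample `ip link` output embedded in it is constructed for illustration. It only sees the local host; the remote detection tools the post alludes to are a different technique and are not shown here.

```python
#!/usr/bin/env python3
"""Report local network interfaces that are in promiscuous mode.

Added example for the LinuxQuestions thread on detecting sniffers on a
switched LAN. Two complementary checks are shown: the sysfs flags file
(authoritative, needs only read access) and the flag list printed by
`ip link show` (useful when all you have is a pasted command output).
"""
import os
import re

IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def flags_indicate_promisc(flags_text: str) -> bool:
    """Parse the hex value found in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the names of interfaces whose sysfs flags have IFF_PROMISC set."""
    found = []
    try:
        names = os.listdir(sysfs_root)
    except FileNotFoundError:  # non-Linux host or sysfs not mounted
        return found
    for name in sorted(names):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if flags_indicate_promisc(fh.read()):
                    found.append(name)
        except OSError:  # interface vanished or unreadable entry; skip it
            continue
    return found


# One `ip link show` line per interface: "<idx>: <name>: <FLAG,FLAG,...> ..."
_IP_LINK_LINE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promiscuous_from_ip_link(output: str) -> list:
    """Return interface names whose `ip link show` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_LINE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


# Constructed sample output, in the format `ip link show` prints.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
"""

if __name__ == "__main__":
    print("promiscuous (sysfs):", promiscuous_interfaces())
    print("promiscuous (sample ip link):", promiscuous_from_ip_link(SAMPLE_IP_LINK))
```

Remember that any legitimate capture tool (tcpdump, snort, Ettercap's own sniffer) sets this flag on the interface it listens on, so a hit means "someone is capturing on this host", not necessarily "someone hostile".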
Good points made by all.
Yes, you do have to have root, or at least a properly configured sudo, to use ettercap.
Let's remember this is a switched network, and so far ARP manipulation/cache poisoning is the only way that I am aware of sniffing across a switched network.
However, the question was how to detect ettercap running on his LAN.
Attacking/Sniffing a switched LAN.
Yes, you can overrun the cache on your switch, which would send it into broadcast mode, although I find this clunky and slow and it tends to ring alarm bells, as any basic TCP monitor such as, say, TCPDump would light up like a Christmas tree.
A more subtle way is a MiM attack using ARP poisoning on the "bob and alice" machines. That way is subtle and does not get broadcast from the switch; in fact, it leaves the switch alone, so unless the IDS was running on all the clients locally I don't see how it could pick it up. That would allow a malicious user to monitor all connections, even manufacture packets or manipulate existing ones (again, providing they had root privileges).
Ettercap, and surely parts of the dsniff package, although I couldn't say for certain, are very good at dealing with ARP security in general. And in my very humble opinion I think that learning to use the tool that people will be using against you, to protect yourself, is valuable learning.
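Several posts in this thread (the first reply's "see where all the faked ARP responses are coming from", the point about ARP poisoning being obvious if you look for it, and the note above that a targeted MiM poisoning leaves the switch alone) all come down to watching ARP replies on the client side. The script below is an added example written for this thread, not any poster's code and not Ettercap's "c" check; it applies two simple rules to ARP replies in the text format `tcpdump -n arp` prints: an IP whose claimed MAC differs from the first one seen (or from a supplied baseline) is a conflict, and one MAC answering for more than one IP is the signature of a host inserting itself between two peers. The six capture lines it carries are constructed for illustration; the `baseline` argument and the alert tuple layout are this example's own design.

```python
#!/usr/bin/env python3
"""Flag suspicious ARP replies in tcpdump text output.

Added example for the LinuxQuestions thread on detecting ARP cache
poisoning on a switched LAN. Feed it `tcpdump -n -l arp` on stdin, or run
it without input to process the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Matches the reply form tcpdump prints: "ARP, Reply 10.0.0.1 is-at aa:bb:..., length 28"
_ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; requests and other text are ignored."""
    for line in lines:
        m = _ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_anomalies(lines, baseline=None):
    """Return a list of alert tuples.

    baseline: optional {ip: mac} of known-good bindings (e.g. the gateway).
    Without it, the first reply seen for an IP is trusted, which is the same
    assumption an unprotected ARP cache makes.
    Alerts:
      ("ip-mac-conflict", ip, expected_mac, seen_mac)   - someone else answers for ip
      ("mac-claims-multiple-ips", mac, (ip, ip, ...))   - one NIC posing as several hosts
    """
    expected = dict(baseline or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        known = expected.setdefault(ip, mac)  # trust first sighting if no baseline
        if known != mac:
            alerts.append(("ip-mac-conflict", ip, known, mac))
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:  # alert once per newly claimed IP
                alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


# Constructed sample: gateway 10.0.0.1 and client 10.0.0.20 answer normally,
# then a third MAC starts answering for both of them.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:01.000500 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 ARP, Reply 10.0.0.20 is-at aa:bb:cc:00:00:20, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000100 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:99, length 28
12:00:07.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
""".splitlines()

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for alert in detect_arp_anomalies(source):
        print(*alert)
```

Expect false positives from legitimate rebinding: a replaced NIC, a DHCP lease moving to another machine, or a VRRP/HSRP virtual router address all change the IP-to-MAC mapping without anyone poisoning anything, so treat a conflict as something to correlate with the switch's port tables rather than as proof on its own. Running this on a client also means the capture interface is in promiscuous mode, which is what the earlier post on spotting promiscuous interfaces would show.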
Originally posted by valve: Let's remember this is a switched network, and so far ARP manipulation/cache poisoning is the only way that I am aware of sniffing across a switched network.
That will teach me to read the thread with more focus =(.