Thursday, October 18, 2007

My failed experiment to detect nodes in Promiscious mode.

Basic Prerequisites: Promiscuous mode,ARP, ICMP and Packet Injection.


Problem:
========
The decision to accept/drop the network packets is controlled by the Network Interface Card(NIC). NIC filters out the desired packets which system is entitled to recieve. However by setting the NIC to promiscuous mode the sniffing application receives packets regardless of the system being the intended destination. Sniffing is a difficult problem to acertain as it does not interfere with the network traffic, leaving no digital traces to track.


My Approach in theory
=====================
A “dynamic” protocol like Address Resolution Protocol (ARP) can be leveraged to detect the sniffing host. This protocol works alongside the Internet Protocol(IP) in Layer 3. On account of this ARP's operation occurs automatically in the background, without concern to the application user.

ARP works by sending an address request and collecting the response to create its mapping of addresses. The hardware addresses are only needed for hosts on the local network. At the lowest level, the Ethernet driver needs the hardware address of the remote system to which it will send a packet. When it does not have that address, it “broadcasts” a request for the missing address. This request, called an “ARP request”, contains the IP address of the host in question and is sent to all systems on the local network. A system may respond with a reply, called an “ARP reply”, which contains the host IP address and hardware address. The response received is used to build a table of IP addresses and hardware addresses.

Another feature of the protocol is called “gratuitous ARP”. This occurs when a host broadcasts an ARP request for its own hardware address. A Solaris system does this at boot time. It is used to detect if another system is using its IP address, indicating a misconfigured system. The other use of gratuitous ARP is to send updated
hardware address information. Systems that receive requests like this will automatically update the hardware address information for that host.

ARP by default uses BROADCAST method to get the destination MAC address. The idea here is to craft an ARP packet with the destination address being a non-BROADCAST address with a specific target IP address. If the NIC is in non-promiscuous mode, the packet is ignored and after the specified TTL no response is got back. However if the node with the corresponding IP address is in promiscuous mode, a prompt response is given by the sniffing host as the packet is percolated to the higher layers.

Using a handcrafted packet like ICMP with appropriate fields can induce the same effect.

References
----------
-Defeating Sniffers and Intrusion Detection Systems
http://www.phrack.com/issues.html?issue=54&id=10#article

-Plummer, Dave. An Ethernet Address Resolution Protocol, RFC 826, Network
Information Center, SRI International, Menlo Park, CA., November 1982.

- Interetworking with TCP/IP VolumeII Design,Implementation and Internals. Douglas E. Comer/David L. Stevens

-Solaris Operating Environment Network Settings for Security , By Alex Noordergraaf and KeithWatson
http://www.sun.com/blueprints/1299/network.pdf


The Reality ( Getting the hands dirty )
=======================================
Destination Machine
===================
@SOURCE-MACHINE>ping DESTINATION-MACHINE
DESTINATION-MACHINE is alive
@ SOURCE-MACHINE>arp -a | grep DESTINATION-MACHINE
eri0 DESTINATION-MACHINE 255.255.255.255 00:03:ba:5b:8f:5d
@SOURCE-MACHINE>ping -s !$
ping -s DESTINATION-MACHINE
PING DESTINATION-MACHINE: 56 data bytes
64 bytes from DESTINATION-MACHINE (129.158.224.182): icmp_seq=0. time=1.26 ms
64 bytes from DESTINATION-MACHINE (129.158.224.182): icmp_seq=1. time=0.920 ms
^C
----DESTINATION-MACHINE PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.920/1.09/1.26/0.24
@SOURCE-MACHINE>

Source Machine
===================


@SOURCE-MACHINE>hostname
SOURCE-MACHINE
@SOURCE-MACHINE>ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
eri0: flags=1000843 mtu 1500 index 2
inet 129.158.224.205 netmask ffffff00 broadcast 129.158.224.255
ether 0:3:ba:4e:40:44


Packet Injection
=================

@SOURCE-MACHINE>/usr/local/bin/nemesis icmp -S 129.158.224.205 -D 129.158.224.182 -H 0:3:ba:4e:40:44 -M 00:03:ba:5b:8f:5d

ICMP Packet Injected
@SOURCE-MACHINE>

@SOURCE-MACHINE>snoop icmp

SOURCE-MACHINE -> DESTINATION-MACHINE ICMP Echo request (ID: 15815 Sequence number: 46167)
DESTINATION-MACHINE -> SOURCE-MACHINE ICMP Echo reply (ID: 15815 Sequence number: 46167)

Now sending a wrong MAC address to Destination ( last letter changed from d to e )

@SOURCE-MACHINE>/usr/local/bin/nemesis icmp -S 129.158.224.205 -D 129.158.224.182 -H 0:3:ba:4e:40:44 -M 00:03:ba:5b:8f:5e

ICMP Packet Injected

@SOURCE-MACHINE>snoop icmp
Using device /dev/eri (promiscuous mode)
SOURCE-MACHINE -> DESTINATION-MACHINE ICMP Echo request (ID: 12112 Sequence number: 10553)


Interesting thing to note was that the Packet was seen in the snoop output on DESTINATION-MACHINE but was not replied.


There goes the failed experiment. Reality turns out to be different than the assumed theory. Digging further as to how snoop manages to get a snapshot of the packet and not process the packet.

5 comments:

Anonymous said...

somethings fishy here... will get bak as soon as i figure it out...

Anonymous said...
This comment has been removed by the author.
Anonymous said...

"http://www.securityfriday.com/
promiscuous_detection_01.pdf"

Anonymous said...

in short, there is a software filter too. so, since u r using solaris, we need to experiment to find out the software filter's functionality.
solaris is also open source now, u cud check the implementation (if u know where to find it :) )

Shantanu said...

I have been through this paper. The implementation does not talk of a presence of software filter.

One conjecture, one can draw from the above is that snoop captures a snapshot of the packet, without passing the Network stack [:)]