7.9 Sniffing Detection Techniques
How to Detect Sniffing
- Promiscuous Mode:
- You will need to check which machines are running in the promiscuous mode.
- Promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.
- Run IDS and notice if the MAC address of certain machines has changed (Example: router's MAC address)
- IDS can alert the administrator about suspicious activities.
- Network Tools:
- Run network tools such as Capsa Network Analyzer to monitor the network for strange packets.
- It enables you to collect, consolidate, centralize and analyze traffic data across different network resources and technologies.
nmap -sV --script=sniffer-detect <target>
- HP Performance Insight
Sniffer Detection Technique: Ping Method
- Send a ping request to the suspect machine with its IP address and incorrect MAC address. The Ethernet adapter reject it, as the MAC address does not match, whereas the suspect machine running the sniffer responds to it as it does not reject packets with a different MAC address.
Sniffer Detection Technique: ARP Method
- Only a machine in promiscuous mode (machine C) caches the ARP information (IP and MAC address mapping).
- A machine in promiscuous mode replies to the ping message as it has correct information about the host sending ping request in its cache; rest of the machines will send ARP probe to identify the source of ping request.
When the NIC is set to promiscuous mode, packets that are supposed to be filtered by the NIC are now passed to the system kernel. By using this mechanism, we come up with a new way to detect promiscuous nodes: if we configure an ARP packet such that it does not have broadcast address as the destination address, send it to every node on the network and discover that some nodes respond to it, then those nodes are in promiscuous mode.
Sniffer Detection Technique: DNS Method
- Most of the sniffers perform reverse DNS lookup to identify the machine from the IP address.
- A machine generating reverse DNS lookup traffic will be most likely running a sniffer.
Promiscuous Detection Tool: PromqryUI
- PromqryUI is a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode.
Promiscuous Detection Tool: Nmap
- Nmap's NSE script allows you to check if a target on a local Ethernet has its network card in promiscuous mode.
- Command to detect NIC in promiscuous mode:
nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]