SNIFFER detection tools and Countermeasures

This article will discuss the tools and software for listening to network packets in the hybrid mode and the Countermeasures to reduce their destructiveness. To ensure network security and prevent unnecessary panic, system administrators should be familiar with the capabilities and limitations of these probe tools and take proper measures when encountering such problems.

The machine monitors computers of different operating systems using different detection tools. Most UNIX operating systems are used. The administrator can check whether the NIC is working in the hybrid mode. However, when an unauthorized sniffer is installed, the Trojan Horse program may be installed at the same time, and the output result may be completely untrusted. System Administrators can also choose other major tools to check whether the sniffers (sniffer) exists, such as and. However, the above problems may still occur.

Many popular Trojan Horse programs have their own ASCII files under the System Directory, which contains the configuration information of the Trojan program. In the security system, there should be no ASCII files in the directory, so the system administrator should regularly check the directory. If an ASCII file exists in the directory, it indicates that the system has been installed with sniffer ).

The ASCII configuration file of the Trojan horse generally includes the process information and the corresponding file information related to the output file, which is generally hidden from the system administrator. In most versions of UNIX, lsof can be used to detect the existence of sniffer (sniffer. The initial design of lsof is not designed to prevent sniffer intrusion, but because the sniffer (sniffer) will open its output file in a sniffer (SNIFFING) system, and constantly send information to the file, so that the content of the file will become larger and larger, so lsof will be useful. If we use lsof to find that the content of a file is constantly increasing, we have reason to suspect that the system has been installed with a sniffer (sniffer ).

Because most sniffers write the intercepted TCP/IP data to their output files, system administrators can output the lsof results to reduce the possibility of system corruption. For bsd unix, cpm can be used to detect the existence of sniffer.

Cpm is a tool software developed by CERT/CC. In 1994, many websites reported that legitimate user names, user passwords, and key data were maliciously stolen. cpm came into being at that time. For more information, see the following sites (http://www.cert.org/advisories/CA-1994-01.html ).

Cpm uses socket (2) and ioctl (2) to determine whether a NIC is in the hybrid mode and report the detection results to the system. Cpm only lists NICs in hybrid mode. For users who use SunOS 5.5 and 5.6, ifstatus can be used to detect the existence of sniffer. Users can log on from.

There is no well-known sniffer detection tool for NT systems. As far as I know, there is no practical tool on the NT platform to test the network card hybrid mode. The cause is that a tool that is part of the Microsoft system platform may have been installed with a Trojan horse. NT users who use the machine can consider using (www.rootkit.com ).

Few administrator-level security vulnerabilities can be exploited remotely on the Microsoft platform, which may be one of the reasons why the sniffer and detection tools on the Microsoft platform are relatively small.