Re: detecting sniffers is downright easy
Kenneth R. van Wyk (krvw assist.mil)
Wed, 10 May 95 09:45:49 -0400
- Next message: Dave Dillow: "Re: R. Thomas's NFS question"
- Previous message: Alan B. Clegg: "Ok.. who is backdooring /usr/bin/login on SunOS?"
- In reply to: Dr. Frederick B. Cohen: "detecting sniffers is downright easy"
- Next in thread: Patrick Horgan: "Re: detecting sniffers is downright easy"
Dr. Cohen writes:
> ...I thought I would mention that detecting sniffers from a
> real-world point of view is downright easy in almost all cases.
> ...
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique. This has been widely published for
> over 5 years.

I agree with the above to a point. The assumption that you are making is that you have _access_ to the system that has a sniffer installed on it. The vast majority of sniffed sessions that I am aware of have involved sniffers running on machines that the victim doesn't have access to. Picture a sniffer running on your local Internet service provider's backbone system(s). Anyone connecting into your site using a static password results in that person's password being sniffed - with no requirement for a sniffer to be running on any of the systems within your local domain.

Take a look at a traceroute output from your site to <any other internet site> sometime and see just how many systems and networks your packets traverse that you have absolutely no control or authority over. How would you (legally) detect a sniffer on one of those?

I do agree, however, that it is easy to detect any of the currently observed sniffers on a host that you have access to.

Cheers,

Ken van Wyk