This article is NOT about promiscuous network interfaces; it is about passively sniffing data off the wire without sending or transmitting any data out onto the wire. No transmitting, just receiving. I have been in some tight spots where I had to sniff data off the wire, like a password or username, or capture some packets off the wire and programmatically perform actions based on the captured packets.
Unexpectedly, I stumbled on a method to passively capture packets from the wire without transmitting packets. This is surprising because it is achieved using only software, without touching the hardware, which is the normal way to passively sniff packets. I have only achieved this running various flavors of Linux and BSD.
Note: You may be looking for Ethernet capture implementations using the best open source network debugging tool ever created, Wireshark.
Commands to become undetectable on linux/BSD
Bring up the Ethernet interface with no IP address and ARP ignore mode (stealth mode).
$ ifconfig eth0 hw ether 00:00:00:00:00:00 promisc
$ ifconfig eth0 -arp up
Delete the inet and inet6 addresses to prevent stack routing. Verify:
$ route -nv    # should produce nothing; same with netstat -r
What does this do?
- You can’t route packets to an interface without an entry in the routing table.
- You can’t create an entry in the routing table without an IP address assigned to the interface.
Packet Capture Software
Capture all the packets that pass the wire using Wireshark, the ONLY packet capturing tool I recommend.
I also like using tethereal in a shell script and egrep its output for something I'm looking for:
- a basic authorization string
- a certain bootfile being called using tftp
- spanning trees and switch communication
- etc.
Then, based on the output, I'll have the shell script perform an action like appending to a file or sending a text message to my cell phone. This could be called an inefficient or sloppy way to do this, but it works great when I'm booting from Knoppix or I just need to grab some packets silently.
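The capture-then-grep loop above can be written as a small filter rather than an ad-hoc pipeline. The following is an added example, not code from the original article: one function classifies one-line-per-packet capture output into the three kinds of finding the list above names (a cleartext Basic authorization string, a boot file requested over TFTP, spanning-tree chatter from the switches), and a second function appends the findings to a file, which is where the "send me a text" hook would plug in. The input format is an assumption of this example: tab-separated fields in the order time, eth.src, ip.src, ip.dst, protocol, info, http.authorization, tftp.source_file, which is what a tshark invocation such as the one in the comment would print (the field names are tshark's; that exact command line is this example's, not the author's). The sample capture is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: classify passive-capture output
# and record findings. Input format (assumed) is tab-separated, one packet per
# line, in the order a tshark command like this would emit:
#   tshark -i eth0 -l -T fields -E separator=/t \
#     -e frame.time_relative -e eth.src -e ip.src -e ip.dst \
#     -e _ws.col.Protocol -e _ws.col.Info -e http.authorization -e tftp.source_file

# classify_capture: reads capture lines on stdin, prints one finding per line.
# Exit status 0 when at least one finding was produced, 1 otherwise.
classify_capture() {
    awk -F'\t' '
    # HTTP request carrying "Authorization: Basic" -> credentials crossed the
    # wire in cleartext. Report endpoints and request line, never the value.
    $5 == "HTTP" && $7 ~ /^Basic / {
        printf "CLEARTEXT-AUTH\t%s -> %s\t%s\n", $3, $4, $6; n++; next
    }
    # TFTP packet naming a file -> a boot file is being fetched.
    $5 == "TFTP" && $8 != "" {
        printf "TFTP-FILE\t%s -> %s\t%s\n", $3, $4, $8; n++; next
    }
    # Spanning-tree BPDU -> switch-to-switch traffic; the source MAC is a bridge.
    $5 == "STP" {
        printf "SWITCH-BPDU\tbridge %s\t%s\n", $2, $6; n++; next
    }
    END { exit (n > 0) ? 0 : 1 }'
}

# record_alerts LOGFILE: reads findings on stdin, appends each to LOGFILE with a
# UTC timestamp, and prints how many were recorded.
record_alerts() {
    count=0
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line" >> "$1"
        count=$((count + 1))
    done
    echo "$count"
}

# sample_capture: constructed capture lines in the assumed format (credential
# is the base64 of "foo:bar", a fixture, not real data).
sample_capture() {
    printf '0.000123\t00:11:22:33:44:55\t10.0.0.5\t10.0.0.1\tHTTP\tGET /admin/ HTTP/1.1\tBasic Zm9vOmJhcg==\t\n'
    printf '0.500000\t00:11:22:33:44:55\t10.0.0.5\t10.0.0.1\tTCP\t51234 > 443 [ACK] Seq=1 Ack=1\t\t\n'
    printf '1.204000\t00:aa:bb:cc:dd:01\t10.0.0.7\t10.0.0.2\tTFTP\tRead Request, File: pxelinux.0, Transfer type: octet\t\tpxelinux.0\n'
    printf '2.010000\t00:1a:2b:3c:4d:5e\t\t\tSTP\tConf. Root = 32768/0/00:1a:2b:3c:4d:5e  Cost = 0  Port = 0x8001\t\t\n'
}

# Run "sh thisfile.sh demo" to see the three findings from the fixture.
if [ "${1:-}" = demo ]; then
    sample_capture | classify_capture
fi
```

In use, replace sample_capture with the live tshark pipeline and pipe classify_capture into record_alerts; because the HTTP rule reports only the endpoints and the request line, the log file never accumulates the credentials that the capture itself exposed.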
Caveats and Notes
I did notice that after I had received 490MB of data on my eth0 device, it actually did say that it had transmitted 12 bytes, so this method is not 100% silent. But without a route or an address it can't really write data anywhere, so I'm still wondering where those 12 bytes went.
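The setup commands above and the 12-byte observation come down to one question: is the listening interface really mute? The following is an added example, not part of the original article, of a check for that on Linux. It reads only what the kernel exports under /sys and /proc (the interface flag word in /sys/class/net/IFACE/flags, the IPv4 main routing table in /proc/net/route, the IPv6 address list in /proc/net/if_inet6 and the transmit counter in /sys/class/net/IFACE/statistics/tx_bytes), so it works on a minimal rescue image without ifconfig or iproute2. The function names and the optional SYSROOT/PROCROOT parameters are this example's own, added so the checks can be exercised against constructed fixtures; the bit values are Linux's IFF_UP, IFF_NOARP and IFF_PROMISC constants.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a monitoring
# interface is genuinely silent. Linux-only: it reads sysfs/procfs directly.
# Function names and the SYSROOT/PROCROOT parameters are this example's own;
# the bit values below are Linux's IFF_* interface flags.

IFF_UP=1          # 0x001
IFF_NOARP=128     # 0x080  (ifconfig "-arp")
IFF_PROMISC=256   # 0x100  (ifconfig "promisc")

# check_stealth_iface IFACE [SYSROOT] [PROCROOT]
# Returns 0 when IFACE is up, promiscuous, NOARP, has no IPv4 route in the main
# table and no IPv6 address (link-local included). Otherwise prints one FAIL
# line per violated condition and returns 1.
check_stealth_iface() {
    iface=$1; sys=${2:-/sys}; proc=${3:-/proc}; rc=0
    # /sys/class/net/IFACE/flags holds the flag word as hex, e.g. 0x1183
    f=$(( $(cat "$sys/class/net/$iface/flags") ))
    [ $(( f & IFF_UP )) -ne 0 ]      || { echo "FAIL: $iface is not up"; rc=1; }
    [ $(( f & IFF_PROMISC )) -ne 0 ] || { echo "FAIL: $iface is not promiscuous"; rc=1; }
    [ $(( f & IFF_NOARP )) -ne 0 ]   || { echo "FAIL: $iface will still answer ARP"; rc=1; }
    # /proc/net/route: header line, then one row per main-table route; column 1
    # is the interface name. Any row for IFACE means the stack can route to it.
    if awk -v i="$iface" 'NR > 1 && $1 == i { found = 1 } END { exit !found }' \
           "$proc/net/route"; then
        echo "FAIL: $iface has an IPv4 route (an address is probably still bound)"; rc=1
    fi
    # /proc/net/if_inet6: one row per IPv6 address, last column is the interface.
    if awk -v i="$iface" '$NF == i { found = 1 } END { exit !found }' \
           "$proc/net/if_inet6"; then
        echo "FAIL: $iface has an IPv6 address"; rc=1
    fi
    return $rc
}

# tx_bytes IFACE [SYSROOT]: bytes the NIC has transmitted since it came up.
tx_bytes() { cat "${2:-/sys}/class/net/$1/statistics/tx_bytes"; }

# tx_delta IFACE BEFORE [SYSROOT]: bytes transmitted since the BEFORE reading.
# Usage: b=$(tx_bytes eth0); <run the capture>; tx_delta eth0 "$b"  (0 expected)
tx_delta() { echo $(( $(tx_bytes "$1" "${3:-/sys}") - $2 )); }

# Run "sh thisfile.sh check eth0" on a live system to audit the real interface.
if [ "${1:-}" = check ]; then
    check_stealth_iface "${2:-eth0}" && echo "OK: ${2:-eth0} is mute"
fi
```

Run the check once after the ifconfig commands and take a tx_bytes reading before and after the capture; a non-zero delta is exactly the kind of leak the 490MB/12-byte observation above describes. Note that /proc/net/route lists only the main table, and an IPv4 address with a prefix shorter than /32 installs a connected route there, so an address that leaks back onto the interface (a DHCP client restarting, for instance) shows up as the route check failing; where iproute2 is available, ip -4 addr show dev eth0 is the direct check.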
I suppose you could create a dummy device in a chroot or something and pass the output from your promisc NIC to the dummy which would route the packets along a GRE or a wireless device or something. I will try something like this for a syslog server.
NOTE: You should also check out the Arp stuff article for more in-depth info about this topic.
Q&A: from a forum discussion
I'm not that familiar with Linux, so I don't know if you corrected this with one of these commands, but aren't there many tools that simply check if the Ethernet interface is in promisc. mode? So what's undetected about this?
Those tools are very easily circumvented. The reason is that they rely on set patterns of behaviour that are common to programs like nmap, ettercap, etc. This method circumvents every single one of them. Most of those progs rely on sending arbitrary data across the wire and looking for set patterns of replies that indicate a promisc eth. The simple thing about this method is that you are basically stripping the IP stack of its fallback or default settings.
If you understand the definition of promisc mode, and understand how the IP stack in all major OSes uses routing, ARP, MACs, and basic TCP/IP 101, the concept doesn't seem special.
The key is really that the listening promisc interface has no address and has no routes to any networks or hosts. An IP stack set up this way is not like a listening service. It's more like a logging host in a honeynet with the TX wires cut off.
Something about passive sniffing: Ethereal mailing list
If you sniff passively you don't send any data frames? All I know is that a switch only sends data based on MAC address (and recv port), where a hub just sends it out to everyone. So how would you start sniffing (on a switch) without doing something like ARP poisoning (sending data frames)? Also, your MAC and IP get sent out every x seconds by ARP requests, right? Or did I misunderstand the question?
00:00:00:00:00:00 - isn't this an invalid MAC address? Are you sure you can sniff other computers with this configuration? (different computers from yours)
You definitely could NOT use this method to run an active sniffing program like ettercap or perform an MITM or something; the whole goal of this method is to NOT transmit a single byte.
The reason you set the MAC to 00:00:00:00:00:00 is the same reason you could also set the MAC to aa:bb:cc:dd:ee:ff: there are a lot of UPnP devices and other types of devices out there that use this MAC address as a form of default. The point is just to change your MAC to anything other than your real MAC so that an IDS or system admin doesn't see you. Thus, undetected sniffing.
If an admin or IDS saw 12 packets (as in my example) originating from 00:00:00:00:00:00 or aa:bb:cc:dd:ee:ff, do you think he would pull out all the stops and think there is someone eavesdropping? Of course not.
And yes, I have used this method on knoppix, archlinux, slackware, and FreeBSD. Of course, the differences in ifconfig in different distros need to be taken into account, and you can figure it out for yourself on your own distro by checking out your ifconfig man page.
man -a ifconfig
I would suggest unplugging the patch cord just before and doing it like this:
ifconfig eth0 down                         # UNPLUG CORD
ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
ifconfig eth0 <IP>                         # PLUG IN CORD
ifconfig eth0 up
and then try to look for outgoing packets. Check for promisc:
ifconfig
I would also suggest filling up the switch's memory to make it act like a regular HUB so you will be able to sniff with normal old-style IP sniffers. You can sniff over a switch by filling up its temporary MAC address table. Then the switch, to work correctly (from its view it's just overloaded), has to send data to every port just like a HUB, and then you are at home. Also check out passive network scanning software: p0f by lcamtuf, check it out.
I haven’t used p0f for about 6 years.. When I used it was just a passive way to detect the OS/versions of a host. It was still pretty beta back then though.
Yes, I have overloaded several switches' CAM tables and turned them into "HUB" operating mode. But man, is that ever loud! The ISP called me up and asked me if I knew anything about 2 GIGs of data being sent out from my port on the switch (layer 2).
Really the best way In my experience is arp poisoning. Ettercap has the basics included in their program. I have also had the experience of literally shutting down a switch from flooding the CAM.. you never really know what will happen. It’s usually not in your favor.
Also, if you start arp poisoning RIGHT after a power-outage (whether you shut off the power or it just went out) a lot of times you have a 15-45 second window where the switches will be acting like HUBs.. If you can poison some key targets in different network segments before the switch starts switching, you can really drop the normal restrictions.
Oh and you can also turn off your arp using ifconfig.
$ ifconfig eth0 -arp
But when you use the method outlined above, of course your NIC never sends out ARP requests. That is the whole point of NOT having an IPv6 or IP address, and that is also why this method dictates NO ROUTES in the kernel or userland. Your NIC and IP stack just don't have anybody to send the ARPs to! If you aren't connected to any networks, how can it send a broadcast? And if you don't have an IP address, where would the ARP tell everyone to reply to? See what I mean?
The MAC address being set to a non-suspicious looking address is just to slip by as a network anomaly instead of actually looking like a rogue MAC.
In general though, I was talking about using this technique to splice into the wire at an uplink spot. So If I wanted to capture the router passwords for my apartment complex, I would find the router and use a portable hub to connect my packet-sniffing computer in-between the router and the modem or uplink. Then I would call tech-support about something and watch them log into the router.. then I have the password and its almost detectionless because it is completely passive.
I would say that my absolute favorite tool for hacking switches (we are basically just talking about layer 2) is hping. I also like nc, socat, vconfig, and dsniff was always fun but it's really out of date now. ettercap is probably the king of automated switch hacking, it's just not as much fun automated.
I'm sure you are also aware of the fun you can have with port-stealing. This is where you actually make the switch believe that you are coming in from a different port. It's pretty simple but a little harder than ARP poisoning. Most of my experience comes from circumventing VLANs and hacking my way into switches on different network segments and on different VLANs. Man, talk about off-topic!
Now I got your point, sorry I misunderstood at first. Totally agree that ettercap is king nowadays and is the most up to date. Anyway, I was always thinking in a little different way, I mean something like "fog cover". IMO it's better to spoof a MAC and act as another regular user instead of running all these loud and silent techniques.
But your idea is very interesting. Anyway, I think that there will always be something sent to the wire. The first example that comes to my mind is link speed detection with NLP and FLP.
Thanks, but it's not an idea, it's a field-tested technique. Also, in my humble opinion, spoofing another host on the network is for newbies, unless you don't mean just spoofing their MAC and IP. Because that is a really fast way to get caught where I come from. And it only takes 1 single command from a nix. Yes, when I first started hacking into switches I was also operating under the assumption that if I spoofed a MAC address and mimicked an allowed machine that was somehow a good thing. First thing I realized was that before I could pretend to be a machine, I had to take that machine offline. If you are lucky and it's running Windows, that is no problem, you can run any number of techniques against a Windows box and take it down. Of course, taking down a host, whether by exploits or DoS, is an entirely different topic, and I won't go there here.
The second thing I learned was about layer 2 and layer 3 switching.. and the huge differences between those and layer 1 switches. Mostly I deal with layer 2 switches. But pretending to be a machine is really an entirely different and lengthy topic, and I won’t go there now. It is relevant to the question about port stealing, since that is in essence where I turned after those realizations, and where I began finding more success.
First thing I realized was that before I could pretend to be a machine, I had to take that machine offline. If you are lucky and its running windows, that is no problem, you can run any number of techniques against a windows box and take it down.
True, but why not just scan the whole subnet for MAC & IP and a few hours later just use one of those that are offline.
Actually you are right, good point. I guess the point I wanted to make was that attacking the switch directly, and not relying on spoofing another host, is the best way to go and where I found most of my success. It seems theoretically like a very logical way to attack a switch or even another host, but the fact is, when dealing with layer 2 or layer 3 switches, this will not give you any edge and will just waste your time and most likely tip off an admin to your attempts.
Of course, my experience is really pretty limited to switches that are using port security, which includes vlans, but really just basic port security, where each port on the switch is locked down to a particular mac address, and important routes are static. That is where my experience is at, hacking layer 2 switches with port security ON, and also hacking layer 2 switches with port security ON and VLANs active.
So for easier targets, spoofing another host could work quite well, especially where port security is OFF or the switch is not configured securely or layer 1 switching. I was referring to port security, vlans, trunking, CAM tables, etc.. but mostly just referring to the security mechanisms at play in layer 2 switches vs layer 1. And even layer 2 switches that are configured securely, vs those that are not.
Commands to become undetectable on Windows NT/W2K/XP
NOTE: You are at your own risk if you follow these instructions. Editing your registry is DANGEROUS and should be done with extreme caution. Follow these steps at your OWN risk.
- Get your device's hex value. ('snort -W' works for this)
- Open Regedt32
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
- Select the network card you wish to set up as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value).
- Set IPAddress:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
- Set SubnetMask:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
- Set DefaultGateway:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK)
- Close the Registry Editor, your changes will be saved automatically.
- In a command prompt, run ‘ipconfig’ to verify the interface does not have an IP bound to it.
External Links
- Capturing on Ethernet Examples and Diagrams
- Construction and Use of a Passive Ethernet Tap
- Switch Sniffing Article LJ
- Wireless Forensics: Tapping the Air - 2007
- Ettercap :: ARP Poisoning HowTo
- Stealthful Sniffing, Intrusion Detection and Logging
- In Search of a Sniffer