[OLUG] Promiscuous eth0

Vincent vraffensberger at home.com
Sun Apr 16 03:49:51 UTC 2000


You can manually turn on/off promiscuous mode like this:
/sbin/ifconfig eth# +promisc  (or -promisc), but the program which is trying to
start it can just turn it back on again.  I don't know of any "normal" programs
which would require promiscuous mode.  Root access is required for this.  A
program which is doing this would either have to be run by root or have root
suid.

I'll give an example of promiscuous mode.  Your computer and three others are
connected to a traditional hub.  This hub will broadcast all packets to all
ports whether the packet is destined for that node or not.  In normal mode, your
kernel will simply ignore/discard packets not destined for for your computer. 
In promiscuous mode, your kernel will pass the packets to your OS.  A program in
your OS can then process/log/filter these packets which were destined for
another computer on your hub.  This program can then see, in plain text,
passwords from or to the other computers.  Stuff like telnet, pop3, smtp, rsh,
rlogin, etc.. all pass passwords in plain text.  So, once access is gained to
your computer, access can then be found to many other computers on your network
and the systems they connect to.

For further examples, here's an excerpt from the dsniff (an entertaining program
which relies on promiscuous mode) man page:

arpredirect
        redirect packets from a target host (or all hosts) on the LAN
        intended for another host on the LAN by forging ARP replies.
        this is an extremely effective way of sniffing traffic on a
        switch. kernel IP forwarding (or a userland program which
        accomplishes the same, e.g. fragrouter :-) must be turned on
        ahead of time.
findgw
        determine the local gateway of an unknown network via passive
        sniffing.
macof
        flood the local network with random MAC addresses (causing
        some switches to fail open in repeating mode, facilitating
        sniffing). a straight C port of the original Perl Net::RawIP
        macof program.
tcpkill
        kill specified in-progress TCP connections (useful for
        libnids-based applications which require a full TCP 3-whs for
        TCB creation).
tcpnice
        slow down specified in-progress TCP connections via "active"
        traffic shaping (useful for sniffing fast networks). forges
        tiny TCP window advertisements, and optionally ICMP source
        quench replies.
dsniff
        simple password sniffer. handles FTP, Telnet, HTTP, POP, NNTP,
        IMAP, SNMP, Rlogin, NFS, X11 auth info. goes beyond most
        sniffers in that it minimally parses each application
        protocol, only saving the "interesting" bits. uses Berkeley DB
        as its output file format, logging only unique auth
        info. supports full TCP/IP reassembly, courtesy of libnids
        (all of the following tools do, as well).
mailsnarf
        a fast and easy way to violate the Electronic Communications
        Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs
        all messages sniffed from SMTP traffic in Berkeley mbox
        format, suitable for offline browsing with your favorite mail
        reader (mail -f, pine, etc.).
urlsnarf
        output all requested URLs sniffed from HTTP traffic in CLF
        (Common Log Format, used by almost all web servers), suitable
        for offline post-processing with your favorite web log
        analysis tool (analog, wwwstat, etc.).
webspy
        sends URLs sniffed from a client to your local Netscape
        browser for display, updated in real-time (as the target
        surfs, your browser surfs along with them, automagically).
        a fun party trick. :-)

-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 



More information about the OLUG mailing list