[TriLUG] Promiscuous mode on open network (nc.rr.com)?

David R. Matusiak dave at matusiak.org
Wed Jul 2 10:13:00 EDT 2003


what if there is no X running on the target system?

can you still pull up a remote xterm on your attack box?

On Wednesday, July 2, 2003, at 09:54  AM, Ryan Leathers wrote:

> I hate to always be the naysayer about this sort of thing, so I was
> holding off looking for someone else to comment thusly:
>
> The common wisdom is that the network based (not host based) IDS should
> be transparent.  When putting the NIC in promiscuous mode you will also
> be taking care to not bind an IP address, and obviously there will be no
> listening services.  This sort of network based IDS is transparent which
> makes it more powerful / dangerous depending on your perspective.
>
> Consider what could happen if you had an IP address bound to a NIC that
> was in promiscuous mode.  The host could be reached, and the NIC would
> accept everything on the wire.  This is a rootkit waiting to happen.  I
> have in my bag of tricks some binaries for those occasions when I
> discover an unauthorized IDS on my network.  One nifty example is a
> tcpdump exploit which returns an xterm from the target to my attack
> box.  It's accomplished through a buffer overflow of tcpdump.  This
> particular exploit is only possible because of the combination of three
> factors: tcpdump is running, the NIC is in promiscuous mode, an IP
> address is bound to this NIC. Also note that I generally get the xterm
> back as root.  (Yes, similar exploits exist for other applications which
> use promiscuous mode... and yes the original tcpdump BO exploit was
> patched with 3.6.1 but the subsequent BO2 sploit is still zero day to my
> knowledge)  The point is DON'T put interfaces you care about in
> promiscuous mode unless they are transparent.
>
>
> The matter of what will be seen on the wire (what a provider filters,
> what gets matched, what you care to see) is a separate concern
> altogether, but just as important.  This idea got some earlier responses
> so I'll leave it alone.
>
> Ryan
>
> On Tue, 2003-07-01 at 10:56, lfwelty wrote:
>> Hi all,
>>
>> I'm setting up ntop and snort to watch what's coming at (and
>> through) my firewall. There are options to run without enabling
>> promiscuous mode on the monitored NIC, but it would be interesting
>> to see what's floating by.
>>
>> Has anyone done this on their ISP's net?
>> Or nc.rr.com in particular?
>>
>> Did you have any problems?
>> Has anyone's ISP scanned for NICs in promiscuous mode?
>>
>> Thanks,
>>
>> F.
> -- 
> Ryan Leathers <ryan.leathers at globalknowledge.com>
> Global Knowledge
> <signature.asc>
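The risky combination Ryan describes (a NIC in promiscuous mode that also has an IP address bound, so the sniffing host is reachable) is something you can audit for on a Linux box rather than take on faith. The script below is an added example for this thread, not code posted by any of its participants; it assumes a Linux host with iproute2 and parses the one-record-per-line output of `ip -o link show` and `ip -o -4 addr show`. The two sample outputs are constructed to show a normal interface, a transparent sensor interface (PROMISC, no address), and the exposed case (PROMISC plus an address).

```python
"""Audit Linux interfaces for the combination the thread warns about:
promiscuous mode *and* a bound IP address on the same NIC.

Added example, not code from the TriLUG thread. Assumes iproute2 output
formats; the SAMPLE_* strings below are constructed, not captured.
"""
import re
import subprocess

# Matches e.g. "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")
# Matches e.g. "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0 ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<addr>\S+)")

# Constructed sample of `ip -o link show` (addresses are documentation ranges).
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:77 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of `ip -o -4 addr show`: eth1 deliberately has no address.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: eth2    inet 192.0.2.11/24 brd 192.0.2.255 scope global eth2\\       valid_lft forever preferred_lft forever
"""


def parse_link_flags(output):
    """Map interface name -> set of link flags from `ip -o link show` output."""
    flags = {}
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags[m.group("name")] = set(m.group("flags").split(","))
    return flags


def parse_addrs(output):
    """Map interface name -> list of IPv4 CIDRs from `ip -o -4 addr show` output."""
    addrs = {}
    for line in output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group("name"), []).append(m.group("addr"))
    return addrs


def classify(flags, addrs):
    """Label each interface: 'ok', 'transparent' (promisc, no IP) or 'EXPOSED'."""
    result = {}
    for name, fl in flags.items():
        promisc = "PROMISC" in fl
        has_ip = bool(addrs.get(name))
        if promisc and has_ip:
            result[name] = "EXPOSED"       # reachable host sniffing everything
        elif promisc:
            result[name] = "transparent"   # the sensor setup the thread recommends
        else:
            result[name] = "ok"
    return result


def audit(link_output, addr_output):
    """Run the full check on captured (or sample) ip(8) output."""
    return classify(parse_link_flags(link_output), parse_addrs(addr_output))


def exposed_interfaces(link_output, addr_output):
    """Just the names of interfaces that are both promiscuous and addressed."""
    return sorted(n for n, s in audit(link_output, addr_output).items() if s == "EXPOSED")


def live_audit():
    """Same check against the running system (Linux with iproute2)."""
    link = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    return audit(link, addr)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; call live_audit() for a real host.
    for name, status in audit(SAMPLE_LINK, SAMPLE_ADDR).items():
        print(f"{name:8s} {status}")
```

On the sample data `eth1` comes back as `transparent` and `eth2` as `EXPOSED`; `eth2` is exactly the case Ryan calls a rootkit waiting to happen. The kernel sets the `PROMISC` flag whenever the device's promiscuity count is above zero, so an interface that a sniffer such as tcpdump has switched into promiscuous mode shows up in `ip link` output without anyone having run `ip link set ... promisc on`. Running `live_audit()` from cron and alerting on any `EXPOSED` result gives a cheap check that a sensor interface has not quietly acquired an address.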
