public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Stealth Ethernet testing
From: James @ 2005-10-21 19:19 UTC
  To: gentoo-user

Hello,

(Stealth ethernet saga continues)
Well, after much ado, it seems quite easy (trivial) to hide an ethernet
interface, while being able to collect reams of local ethernet traffic
based data, from both snort and ethereal.

Here's the normal ethernet interface on a portable:
 /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:90:F5:0D:30:0E
          inet addr:192.168.2.15  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


issued:

route delete default
ifconfig eth0  inet 0.0.0.0

and voila:
/sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:90:F5:0D:30:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


On any system, 'ping 0.0.0.0' receives responses from the local
interface.

What I need is for folks to test and verify that an ethernet
interface set up this way is indeed invisible (undetectable)
by other systems.

If you find this is not true, please tell me what you did and 
what tool/syntax you used to discover/detect a system with an
ethernet interface set up this way....

James

-- 
gentoo-user@gentoo.org mailing list


* Re: [gentoo-user] Stealth Ethernet testing
From: Hans-Werner Hilse @ 2005-10-22 10:39 UTC
  To: gentoo-user

Hi,

On Fri, 21 Oct 2005 19:19:15 +0000 (UTC)
James <wireless@tampabay.rr.com> wrote:

> Well, after much ado, it seems quite easy (trivial) to hide an ethernet
> interface, while being able to collect reams of local ethernet traffic
> based data, from both snort and ethereal.

No, it's not that easy - depending on your requirements on the "hiding".
 
> Here's the normal ethernet interface on a portable:
>  /sbin/ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:90:F5:0D:30:0E
>           inet addr:192.168.2.15  Bcast:192.168.2.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> 
> 
> issued:
> 
> route delete default
> ifconfig eth0  inet 0.0.0.0
> 
> and voila:
> /sbin/ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:90:F5:0D:30:0E
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Yep, it's up and doesn't have an IP. If this is sufficient for you,
fine then.

> On any system, 'ping 0.0.0.0' receives responses from the local
> interface.

No, if you specify an interface for those packets, it most probably
won't receive anything. But that's nitpicking here...

> What I need is for folks to test and verify that an ethernet 
> interface setup this way, is indeed invisible (undetectable)
> by other systems.

It surely isn't. It's up, listening at least to broadcasts and
multicasts (well, it's written uppercase in the ipconfig output).

> If you find this is not true, please tell me what you did and 
> what tool/syntax you used to discover/detect a system with an
> ethernet interface set up this way....

emerge hping2, emerge arping. And then play a little bit. Note that
ethernet frames don't rely on IPs to get to their targets. In the above
described situation, I would try to send a bunch of different ethernet
frames to that machine and see what happens. If I were you, I would
dedicate another machine for the testing stage that sniffs if the
machine answers anything. "ping" isn't really the tool of choice here.

If you really don't want to choose a hardware based solution and go the
software way, you should carefully inspect /proc/sys/net/... and have a
read in linux docs how to choose sysctls for not letting linux itself
spit out packages.

But using this way, it is scientifically impossible (well, nearly) to
100% negate the theory that a package might get through. I really
recommend the already mentioned way, cutting the Tx wires. After all,
this is simple and you can be sure that you didn't forget anything.

-hwh
-- 
gentoo-user@gentoo.org mailing list
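The advice above to inspect /proc/sys/net and pick sysctls so the kernel itself stays silent can be turned into a repeatable audit. The script below is an added example written for this thread, not code from either poster or from Gentoo. It assumes a Linux kernel that exposes the per-interface sysctls net/ipv4/conf/<iface>/arp_ignore, arp_accept and net/ipv6/conf/<iface>/disable_ipv6, autoconf, accept_ra (the IPv6 ones only exist on kernels newer than the 2005 thread, but they matter most today because a bare UP interface would otherwise send DAD, MLD and router solicitations on its own), plus the iproute2 `ip` command for the flag changes. SYSCTL_ROOT is a hypothetical override so the audit can be run against a constructed directory tree without root.

```shell
#!/bin/sh
# Added example (not the thread's or Gentoo's code): audit and, if run as root,
# apply the sysctls that keep a capture-only interface from emitting ARP
# replies or IPv6 neighbour-discovery traffic. SYSCTL_ROOT is a hypothetical
# override so the audit can be exercised against a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# List the sysctl keys (relative to SYSCTL_ROOT) and the values a quiet
# capture interface should carry, as "key value" lines.
quiet_settings() {
    ifc="$1"
    cat <<EOF
net/ipv4/conf/$ifc/arp_ignore 8
net/ipv4/conf/$ifc/arp_accept 0
net/ipv6/conf/$ifc/disable_ipv6 1
net/ipv6/conf/$ifc/autoconf 0
net/ipv6/conf/$ifc/accept_ra 0
EOF
}

# Compare the live values with the quiet set. Prints one line per deviation
# (a missing key counts as one) and returns the number of deviations, so a
# return status of 0 means the interface passes.
audit_quiet() {
    ifc="$1"
    settings=$(quiet_settings "$ifc")
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        cur=$(cat "$SYSCTL_ROOT/$key" 2>/dev/null) || cur="missing"
        if [ "$cur" != "$want" ]; then
            echo "$key: is '$cur', want '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$settings
EOF
    return "$bad"
}

# Write the quiet values (root required), drop any address, and clear the
# ARP and MULTICAST flags so the interface neither answers ARP nor joins
# multicast groups; it stays UP and promiscuous so snort/tcpdump can read it.
apply_quiet() {
    ifc="$1"
    quiet_settings "$ifc" | while read -r key want; do
        [ -n "$key" ] && printf '%s\n' "$want" > "$SYSCTL_ROOT/$key"
    done
    ip addr flush dev "$ifc"
    ip link set dev "$ifc" arp off multicast off promisc on up
}
```

Usage on a sensor: `. ./quiet_iface.sh; apply_quiet eth0 && audit_quiet eth0` as root, then re-run `audit_quiet eth0` after every reboot or network-script change, because distribution scripts tend to reset these values. arp_ignore=8 is the documented "never reply for any local address" mode, and disabling IPv6 on the interface removes the autoconfigured link-local address that would otherwise make the host announce itself. This only covers what the kernel can be told not to send; as the reply above says, a cut transmit pair is the only configuration that cannot be undone by a forgotten setting.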

* [gentoo-user] Re: Stealth Ethernet testing
From: James @ 2005-10-22 19:16 UTC
  To: gentoo-user

Hans-Werner Hilse <hilse <at> web.de> writes:

> Hi,
> 
> On Fri, 21 Oct 2005 19:19:15 +0000 (UTC)
> James <wireless <at> tampabay.rr.com> wrote:
> 
> > Well, after much ado, it seems quite easy (trivial) to hide
> > an ethernet interface, while being able to collect reams
> > of local ethernet traffic based data, from both snort and ethereal.

> Yep, it's up and doesn't have an IP. If this is sufficient for you,
> fine then.

Well, let me see how much *quieter* I can make the interface. I do
need to make the ethernet interface 100% undetectable.

> > On any system, 'ping 0.0.0.0' receives responses from the local
> > interface.
 
> No, if you specify an interface for those packets, it most probably
> won't receive anything. But that's nitpicking here...

Hmm you should try this and ping your local ip (before setting it
to 0.0.0.0). It has to be the local host, as the latencies for any
other hosts on the switch/hub are almost an order of magnitude
higher. Furthermore, you can disconnect any system from its ethernet
cable, and 'ping 0.0.0.0' is the same thing as 'ping localhost'
and 'ping 127.0.0.1', while the interface is disconnected.

snort -dvi eth0   still runs great and the eth seems undetectable


> > What I need is for folks to test and verify that an ethernet 
> > interface setup this way, is indeed invisible (undetectable)
> > by other systems.

> It surely isn't. It's up, listening at least to broadcasts and
> multicasts (well, it's written uppercase in the ipconfig output).

Hmm,  none of the commands I tried with arp, arping or hping
discovered the passive ethernet interface configured to 0.0.0.0
on the same flat hub....

However, there is one thing I should point out. NONE of the
systems have any entry in their hostname file except their
own name, nor is DNS running on this test network.
Only IP addresses, ethernet with MACs and no networked services,
so the arp tables are empty until explicit communications occur.
No NFS, no samba; nada.

It's a test network for machines and everything is
minimized. On the gentoo systems there is no domain name;
they only query DNS servers as needed (if the machines
only access another machine via IP, then DNS resolution
is not necessary, and network chatter has been minimized).


So if you have syntax that will discover any of the 'listen
only interfaces' please send me a specific example. Nothing
I have tried with ping, arping, arp, arpscan, arpwatch, or hping*
discovers these ethernet interfaces. I'm not saying they are
100% stealth, but I have not found a method to discover the
interfaces on this minimized network. Even the gentoo
system configured to 0.0.0.0 is not discoverable, as of yet.

> > If you find this is not true, please tell me what you did and 
> > what tool/syntax you used to discover/detect a system with an
> > ethernet interface set up this way....

> emerge hping2, emerge arping. And then play a little bit. Note that
> ethernet frames don't rely on IPs to get to their targets. In the above
> described situation, I would try to send a bunch of different ethernet
> frames to that machine and see what happenes. If I were you, I would
> dedicate another machine for the testing stage that sniffs if the
> machine answers anything. "ping" isn't really the tool of choice here.

yes, as you have suggested, but the stealth systems
(ifconfig eth0 inet 0.0.0.0) are still not discoverable. If you disagree
(and hopefully you do) please send me explicit syntax.

> If you really don't want to chose a hardware based solution and go the
> software way, you should carefully inspect /proc/sys/net/... and have a
> read in linux docs how to chose sysctls for not letting linux itself
> spit out packages.

OK, after I fully explore the possibilities with the aforementioned
tools, I'll look into this. A system's ability to resist responses
(icmp, mac scans, etc) is really quite fascinating and I'm sure also
related to kernel configuration and low level ethernet drivers.

> But using this way, it is scientifically impossible (well, nearly) to
> 100% negate the theory that a package might get through. I really
> recommend the already mentioned way, cutting the Tx wires. After all,
> this is simple and you can be sure that you didn't forget anything.

Agreed. However, before I build a custom piece of hardware/cable that
open-circuits the transmit line from the desired stealth interface,
I need to fully characterize things available in software, and from which
tools these software/config tricks hide interfaces. Open-circuiting
the stealth interface is not always an option, so fully characterizing
the efforts to minimize responses of the pseudo-stealth interface,
via configs, software, kernel and low level drivers, will go a long
way to approaching stealth behavior of an ethernet interface. If
only a few tools/hacks can discover the existence, then I can make
preparations in the firewall and other upstream routing/interfaces
so as to prevent or alert such machinations.


Send me some explicit syntax scans with arping, hping* or whatever if
you can so I can verify that these specific scans/searches/broadcasts
successfully solicit a response from the stealth interface.

Thanks,

James

-- 
gentoo-user@gentoo.org mailing list
